HOOK SSDT Hide Process （四）

Enum Process Under Ring3

taskmgr.exe 就是通过以下方式 Enum Process 的

#include  < stdlib.h >
#include  < stdio.h >
#include  < windows.h >

typedef  long  NTSTATUS;

//
//  Unicode strings are counted 16-bit character strings. If they are
//  NULL terminated, Length does not include trailing NULL.
//

typedef  struct  _UNICODE_STRING
{
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;

} UNICODE_STRING,  * PUNICODE_STRING;

//
//  Thread priority
//

typedef LONG KPRIORITY;

// -----------------------------------------------------------------------------
//  Query system information

typedef  enum  _SYSTEM_INFORMATION_CLASS
{
    SystemBasicInformation,                  //  0x00 SYSTEM_BASIC_INFORMATION
    SystemProcessorInformation,              //  0x01 SYSTEM_PROCESSOR_INFORMATION
    SystemPerformanceInformation,            //  0x02
    SystemTimeOfDayInformation,              //  0x03
    SystemPathInformation,                   //  0x04
    SystemProcessInformation,                //  0x05
    SystemCallCountInformation,              //  0x06
    SystemDeviceInformation,                 //  0x07
    SystemProcessorPerformanceInformation,   //  0x08
    SystemFlagsInformation,                  //  0x09
    SystemCallTimeInformation,               //  0x0A
    SystemModuleInformation,                 //  0x0B SYSTEM_MODULE_INFORMATION
    SystemLocksInformation,                  //  0x0C
    SystemStackTraceInformation,             //  0x0D
    SystemPagedPoolInformation,              //  0x0E
    SystemNonPagedPoolInformation,           //  0x0F
    SystemHandleInformation,                 //  0x10
    SystemObjectInformation,                 //  0x11
    SystemPageFileInformation,               //  0x12
    SystemVdmInstemulInformation,            //  0x13
    SystemVdmBopInformation,                 //  0x14
    SystemFileCacheInformation,              //  0x15
    SystemPoolTagInformation,                //  0x16
    SystemInterruptInformation,              //  0x17
    SystemDpcBehaviorInformation,            //  0x18
    SystemFullMemoryInformation,             //  0x19
    SystemLoadGdiDriverInformation,          //  0x1A
    SystemUnloadGdiDriverInformation,        //  0x1B
    SystemTimeAdjustmentInformation,         //  0x1C
    SystemSummaryMemoryInformation,          //  0x1D
    SystemNextEventIdInformation,            //  0x1E
    SystemEventIdsInformation,               //  0x1F
    SystemCrashDumpInformation,              //  0x20
    SystemExceptionInformation,              //  0x21
    SystemCrashDumpStateInformation,         //  0x22
    SystemKernelDebuggerInformation,         //  0x23
    SystemContextSwitchInformation,          //  0x24
    SystemRegistryQuotaInformation,          //  0x25
    SystemExtendServiceTableInformation,     //  0x26
    SystemPrioritySeperation,                //  0x27
    SystemPlugPlayBusInformation,            //  0x28
    SystemDockInformation,                   //  0x29
     // SystemPowerInformation,                //  0x2A
     // SystemProcessorSpeedInformation,       //  0x2B
     // SystemCurrentTimeZoneInformation,      //  0x2C
     // SystemLookasideInformation             //  0x2D

} SYSTEM_INFORMATION_CLASS,  * PSYSTEM_INFORMATION_CLASS;

//
//  Process information
//  NtQuerySystemInformation with SystemProcessInformation
//

typedef  struct  _SYSTEM_PROCESS_INFORMATION {
    ULONG NextEntryOffset;
    ULONG NumberOfThreads;
    LARGE_INTEGER SpareLi1;
    LARGE_INTEGER SpareLi2;
    LARGE_INTEGER SpareLi3;
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ImageName;
    KPRIORITY BasePriority;
    ULONG_PTR UniqueProcessId;
    ULONG_PTR InheritedFromUniqueProcessId;
    ULONG HandleCount;
     //  Next part is platform dependent

} SYSTEM_PROCESS_INFORMATION,  * PSYSTEM_PROCESS_INFORMATION;

typedef NTSTATUS ( * PNFNtQuerySystemInformation)(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength
    );

PNFNtQuerySystemInformation pNtQuerySystemInformation;

BOOL LoadNTDLL()
{
    HMODULE hMod  =  GetModuleHandle( " ntdll.dll " );

     if  (hMod  ==  NULL)
    {
        hMod  =  LoadLibrary( " ntdll.dll " );
         if  (hMod  ==  NULL)
        {
            printf( " LoadLibrary Error: %d\n " , GetLastError());
             return  FALSE;
        }
    }

    pNtQuerySystemInformation  =  (PNFNtQuerySystemInformation)GetProcAddress(hMod,  " NtQuerySystemInformation " );

     if ( pNtQuerySystemInformation  ==  NULL )
    {
        printf( " GetProcAddress for NtQuerySystemInformation Error: %d\n " , GetLastError());
         return  FALSE;
    }

    ULONG dwNumberBytes  =   0x8000 ;
     char *  pBuf  =  ( char * )malloc(dwNumberBytes);
    PSYSTEM_PROCESS_INFORMATION pProcessInfo  =  (PSYSTEM_PROCESS_INFORMATION)pBuf;
    ULONG dwReturn  =   0 ;

    pNtQuerySystemInformation(SystemProcessInformation, pProcessInfo, dwNumberBytes,  & dwReturn);

     return  TRUE;
}

int  main()
{
     if (  ! LoadNTDLL() )
    {
        printf( " LoadNTDLL Error!\n " );
         return   0 ;
    }

    printf( " test\n " );
     return   0 ;
}

运行后，出现
Debug Error
File: chkesp.c
line: 42

出现这个错误通常有两种情况
1. 参数个数错
2. 函数的调用方式错

详细检查之下
typedef NTSTATUS
 (*PNFNtQuerySystemInformation)(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength
    );

这里的写法有问题，少写了 __stdcall 的调用方式

typedef NTSTATUS
 (NTAPI *PNFNtQuerySystemInformation)(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength
    );

这样的写法就OK了