Views: 3248  Replies: 19
Hiding a logical drive by deleting its drive letter with IoDeleteSymbolicLink in a driver does not work
Collaboration on solving this is welcome
1st floor#
Posted: 2008-01-26 11:37
No idea, bumping for you.
2nd floor#
Posted: 2008-01-27 15:24
Just pull the disk out from under the volume manager~~
OBJECT TREE, object tree~
3rd floor#
Posted: 2008-02-19 09:38
How do you remove it from the volume manager? Could you give a bit more detail?
4th floor#
Posted: 2008-02-27 10:28
It can work! I have deleted them before.
5th floor#
Posted: 2008-02-27 13:35
definedosdevice
6th floor#
Posted: 2008-02-27 19:57
You need to know how the disks get enumerated.
Once you know that, you can handle it~
7th floor#
Posted: 2008-02-27 20:10
There's something fishy in NtQueryInformationProcess~ heh heh~
8th floor#
Posted: 2008-02-27 20:28
ProcessDeviceMap
Of course, this way it apparently can't be hidden from FindXXX~
9th floor#
Posted: 2008-02-27 20:53
Here's a piece of my code, very rough code~

#include <ntddk.h>   /* PROCESSINFOCLASS, NTSTATUS, ULONG and the Zw* types */

typedef NTSTATUS (*ZWQUERYINFORMATIONPROCESS)(
    IN HANDLE ProcessHandle,
    IN PROCESSINFOCLASS ProcessInformationClass,
    OUT PVOID ProcessInformation,
    IN ULONG ProcessInformationLength,
    OUT PULONG ReturnLength OPTIONAL);

/* Original ZwQueryInformationProcess, saved before the hook is installed */
ZWQUERYINFORMATIONPROCESS OldZwQueryInformationProcess;

NTSTATUS NewZwQueryInformationProcess(
    IN HANDLE hProcess,
    IN PROCESSINFOCLASS ProcessInfoClass,
    OUT PVOID ProcessInfoBuffer,
    IN ULONG ProcessInfoBufferLength,
    OUT PULONG BytesReturned OPTIONAL)
{
    NTSTATUS ntStatus;
    ULONG *mask;

    /* Let the original routine fill the caller's buffer first */
    ntStatus = OldZwQueryInformationProcess(hProcess, ProcessInfoClass,
                                            ProcessInfoBuffer, ProcessInfoBufferLength,
                                            BytesReturned);
    if (NT_SUCCESS(ntStatus) && ProcessInfoClass == ProcessDeviceMap) {
        /* The first ULONG of the ProcessDeviceMap reply is the DriveMap bitmask */
        mask = (ULONG *)ProcessInfoBuffer;
        *mask &= (0xFFFFFFFF ^ 0x4);  /* hide C:; a cleared bit 2 means there is no C: */
    }
    return ntStatus;
}
10th floor#
Posted: 2008-02-27 21:26
Note that you need to hook MOUNTMGR to handle the ioctl code:
IOCTL_MOUNTMGR_QUERY_POINTS
11th floor#
Posted: 2008-02-27 21:49
The reason for handling the ioctl:

HANDLE __stdcall FindFirstVolumeW(void *a1, int a2)
{
  HANDLE result; // eax@1
  int v3; // eax@2
  int v4; // esi@2
  char v5; // zf@3
  BOOL v6; // eax@3
  int v7; // eax@10
  HANDLE hObject; // [sp+24h] [bp-4h]@1
  char InBuffer; // [sp+4h] [bp-24h]@2
  DWORD BytesReturned; // [sp+20h] [bp-8h]@3
  BOOL v11; // [sp+1Ch] [bp-Ch]@4

  result = CreateFileW(L"\\\\.\\MountPointManager", 0, 3u, 0, 3u, 0x80u, (HANDLE)0xFFFFFFFF);
  hObject = result;
  if ( result != (HANDLE)-1 )
  {
    memset(&InBuffer, 0, 0x18u);
    v3 = RtlAllocateHeap(*(_DWORD *)(*(_DWORD *)(*MK_FP(__FS__, 24) + 48) + 24), dword_77ECBF94, 32);
    v4 = v3;
    if ( v3 )
    {
      // 0x6D0008 is IOCTL_MOUNTMGR_QUERY_POINTS
      v6 = DeviceIoControl(hObject, 0x6D0008u, &InBuffer, 0x18u, (LPVOID)v3, 0x20u, &BytesReturned, 0);
      v5 = v6 == 0;
      while ( 1 )
      {
        v11 = v6;
        if ( !v5 )
          break;
        if ( GetLastError() != 234 )   // 234 = ERROR_MORE_DATA: grow the buffer and retry
          break;
        BytesReturned = *(_DWORD *)v4;
        RtlFreeHeap(*(_DWORD *)(*(_DWORD *)(*MK_FP(__FS__, 24) + 48) + 24), 0, v4);
        v7 = RtlAllocateHeap(*(_DWORD *)(*(_DWORD *)(*MK_FP(__FS__, 24) + 48) + 24), dword_77ECBF94, BytesReturned);
        v4 = v7;
        if ( !v7 )
          goto LABEL_12;
        v6 = DeviceIoControl(hObject, 0x6D0008u, &InBuffer, 0x18u, (LPVOID)v7, BytesReturned, &BytesReturned, 0);
        v5 = v6 == 0;
      }
      CloseHandle(hObject);
      if ( v11 && FindNextVolumeW(v4, a1, a2) )
        return (HANDLE)v4;
      RtlFreeHeap(*(_DWORD *)(*(_DWORD *)(*MK_FP(__FS__, 24) + 48) + 24), 0, v4);
    }
    else
    {
LABEL_12:
      CloseHandle(hObject);
      SetLastError(8u);   // 8 = ERROR_NOT_ENOUGH_MEMORY
    }
    result = (HANDLE)-1;
  }
  return result;
}
12th floor#
Posted: 2008-02-27 21:50
The reason for handling ProcessDeviceMap:

GetLogicalDrives proc near
var_24= dword ptr -24h
8B FF                 mov     edi, edi
55                    push    ebp
8B EC                 mov     ebp, esp
83 EC 24              sub     esp, 24h
6A 00                 push    0                ; ReturnLength = NULL
6A 24                 push    24h              ; ProcessInformationLength = 0x24
8D 45 DC              lea     eax, [ebp+var_24]
50                    push    eax              ; ProcessInformation
6A 17                 push    17h              ; ProcessInformationClass = ProcessDeviceMap (23)
6A FF                 push    0FFFFFFFFh       ; ProcessHandle = current process
FF 15 CC 10 E0 77     call    ds:NtQueryInformationProcess
85 C0                 test    eax, eax
0F 8C 5E A5 03 00     jl      loc_77E59422
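As an added example (not code from the thread), a defender-side consistency check in C over the two enumeration paths shown in posts 9, 11 and 12: the hook in post 9 clears only the DriveMap bit of the ProcessDeviceMap answer, so the DriveType entry for the same letter and the Mount Manager's list still disclose it. The ProcessDeviceMap reply layout is mirrored as a plain C struct and all inputs are constructed, so the check builds and runs off Windows.

```c
#include <stdint.h>
#include <stdio.h>
/* Mirror of the ProcessDeviceMap query answer (info class 0x17, 0x24 bytes, as
 * GetLogicalDrives requests it in post 12), as a plain struct so it builds anywhere. */
typedef struct {
    uint32_t DriveMap;      /* bit n set => drive letter 'A'+n is present */
    uint8_t  DriveType[32]; /* DRIVE_* value per letter, 0 = DRIVE_UNKNOWN */
} DEVICEMAP_QUERY;
enum { DRIVE_UNKNOWN = 0, DRIVE_FIXED = 3, DRIVE_CDROM = 5 };

/* Bitmask of letters whose DriveMap bit and DriveType entry disagree. The hook in
 * post 9 clears only the map bit, so DriveType[2] stays DRIVE_FIXED and C: is flagged. */
uint32_t devicemap_inconsistencies(const DEVICEMAP_QUERY *q)
{
    uint32_t bad = 0;
    for (int n = 0; n < 26; n++)
        if (((q->DriveMap >> n) & 1) != (q->DriveType[n] != DRIVE_UNKNOWN))
            bad |= 1u << n;
    return bad;
}

/* Letters the Mount Manager reports (IOCTL_MOUNTMGR_QUERY_POINTS, the path used by
 * FindFirstVolumeW in post 11) XOR the letters in DriveMap; non-zero means the two
 * enumerators disagree. mount_letters is a constructed string of upper-case letters. */
uint32_t mountmgr_mismatch(uint32_t drive_map, const char *mount_letters)
{
    uint32_t mm = 0;
    for (; *mount_letters; mount_letters++)
        if (*mount_letters >= 'A' && *mount_letters <= 'Z')
            mm |= 1u << (*mount_letters - 'A');
    return (drive_map ^ mm) & 0x03FFFFFFu;
}

/* Constructed sample: C: and D: fixed disks, E: CD-ROM. apply_hook replays the
 * post-9 mask on DriveMap only and returns the inconsistency bitmask. */
uint32_t check_sample(int apply_hook)
{
    DEVICEMAP_QUERY q = { .DriveMap = 0x1C };   /* bits 2,3,4 = C:, D:, E: */
    q.DriveType[2] = DRIVE_FIXED; q.DriveType[3] = DRIVE_FIXED; q.DriveType[4] = DRIVE_CDROM;
    if (apply_hook) q.DriveMap &= (0xFFFFFFFF ^ 0x4);   /* the line from post 9 */
    return devicemap_inconsistencies(&q);
}

int main(void)
{
    uint32_t bad = check_sample(1);
    for (int n = 0; n < 26; n++)
        if (bad & (1u << n)) printf("%c: cleared in DriveMap but still typed\n", 'A' + n);
    return 0;
}
```

The same cross-check against the Mount Manager catches the case in post 8, where the map is filtered but FindFirstVolume still lists the volume.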
13th floor#
Posted: 2008-03-04 17:35
Old V is getting better and better with F5, heh heh......
14th floor#
Posted: 2008-03-08 00:15
No good~ life, eh~
15th floor#
Posted: 2008-03-11 15:35
Thank you very much, you're truly a good person, with a communist spirit
16th floor#
Posted: 2008-03-11 16:49
killvxk, thanks. Could you make a control-panel program that hides C: for me to look at? I'm not very good at this, thanks.
17th floor#
Posted: 2008-03-11 23:25
Ugh~~~ it's a lot of trouble~ trouble~~
18th floor#
Posted: 2008-03-13 11:19
Hello killvxk, which IRP_MJ_XXXX in the driver does the C:-hiding you wrote above correspond to? Thank you, it's almost working.
19th floor#
Posted: 2008-03-13 15:19
Today I finally got it done by writing a driver, but restoring it has become another problem,