S.l.e!ep.¢%

像打了激速一样,以四倍的速度运转,开心的工作
简单、开放、平等的公司文化;尊重个性、自由与个人价值;
posts - 1098, comments - 335, trackbacks - 0, articles - 1
  C++博客 :: 首页 :: 新随笔 :: 联系 :: 聚合  :: 管理

HOOK SSDT Hide Process (四)

Posted on 2009-10-25 20:55 S.l.e!ep.¢% 阅读(361) 评论(0)  编辑 收藏 引用 所属分类: RootKit
Enum Process Under Ring3

taskmgr.exe 就是通过以下方式 Enum Process 的

#include <stdlib.h>
#include <stdio.h>
#include <windows.h>

typedef long NTSTATUS;

//
// Unicode strings are counted 16-bit character strings. If they are
// NULL terminated, Length does not include trailing NULL.
//

typedef struct _UNICODE_STRING
{
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;

} UNICODE_STRING, *PUNICODE_STRING;

//
// Thread priority
//

typedef LONG KPRIORITY;

//-----------------------------------------------------------------------------
// Query system information

typedef enum _SYSTEM_INFORMATION_CLASS
{
    SystemBasicInformation,                 // 0x00 SYSTEM_BASIC_INFORMATION
    SystemProcessorInformation,             // 0x01 SYSTEM_PROCESSOR_INFORMATION
    SystemPerformanceInformation,           // 0x02
    SystemTimeOfDayInformation,             // 0x03
    SystemPathInformation,                  // 0x04
    SystemProcessInformation,               // 0x05
    SystemCallCountInformation,             // 0x06
    SystemDeviceInformation,                // 0x07
    SystemProcessorPerformanceInformation,  // 0x08
    SystemFlagsInformation,                 // 0x09
    SystemCallTimeInformation,              // 0x0A
    SystemModuleInformation,                // 0x0B SYSTEM_MODULE_INFORMATION
    SystemLocksInformation,                 // 0x0C
    SystemStackTraceInformation,            // 0x0D
    SystemPagedPoolInformation,             // 0x0E
    SystemNonPagedPoolInformation,          // 0x0F
    SystemHandleInformation,                // 0x10
    SystemObjectInformation,                // 0x11
    SystemPageFileInformation,              // 0x12
    SystemVdmInstemulInformation,           // 0x13
    SystemVdmBopInformation,                // 0x14
    SystemFileCacheInformation,             // 0x15
    SystemPoolTagInformation,               // 0x16
    SystemInterruptInformation,             // 0x17
    SystemDpcBehaviorInformation,           // 0x18
    SystemFullMemoryInformation,            // 0x19
    SystemLoadGdiDriverInformation,         // 0x1A
    SystemUnloadGdiDriverInformation,       // 0x1B
    SystemTimeAdjustmentInformation,        // 0x1C
    SystemSummaryMemoryInformation,         // 0x1D
    SystemNextEventIdInformation,           // 0x1E
    SystemEventIdsInformation,              // 0x1F
    SystemCrashDumpInformation,             // 0x20
    SystemExceptionInformation,             // 0x21
    SystemCrashDumpStateInformation,        // 0x22
    SystemKernelDebuggerInformation,        // 0x23
    SystemContextSwitchInformation,         // 0x24
    SystemRegistryQuotaInformation,         // 0x25
    SystemExtendServiceTableInformation,    // 0x26
    SystemPrioritySeperation,               // 0x27
    SystemPlugPlayBusInformation,           // 0x28
    SystemDockInformation,                  // 0x29
    //SystemPowerInformation,               // 0x2A
    //SystemProcessorSpeedInformation,      // 0x2B
    //SystemCurrentTimeZoneInformation,     // 0x2C
    //SystemLookasideInformation            // 0x2D

} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;

//
// Process information
// NtQuerySystemInformation with SystemProcessInformation
//

typedef struct _SYSTEM_PROCESS_INFORMATION {
    ULONG NextEntryOffset;
    ULONG NumberOfThreads;
    LARGE_INTEGER SpareLi1;
    LARGE_INTEGER SpareLi2;
    LARGE_INTEGER SpareLi3;
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ImageName;
    KPRIORITY BasePriority;
    ULONG_PTR UniqueProcessId;
    ULONG_PTR InheritedFromUniqueProcessId;
    ULONG HandleCount;
    // Next part is platform dependent

} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;

typedef NTSTATUS (*PNFNtQuerySystemInformation)(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength
    );

PNFNtQuerySystemInformation pNtQuerySystemInformation;

BOOL LoadNTDLL()
{
    HMODULE hMod = GetModuleHandle("ntdll.dll");

    if (hMod == NULL)
    {
        hMod = LoadLibrary("ntdll.dll");
        if (hMod == NULL)
        {
            printf("LoadLibrary Error: %d\n", GetLastError());
            return FALSE;
        }
    }

    pNtQuerySystemInformation = (PNFNtQuerySystemInformation)GetProcAddress(hMod, "NtQuerySystemInformation");

    if( pNtQuerySystemInformation == NULL )
    {
        printf("GetProcAddress for NtQuerySystemInformation Error: %d\n", GetLastError());
        return FALSE;
    }

    ULONG dwNumberBytes = 0x8000;
    char* pBuf = (char*)malloc(dwNumberBytes);
    PSYSTEM_PROCESS_INFORMATION pProcessInfo = (PSYSTEM_PROCESS_INFORMATION)pBuf;
    ULONG dwReturn = 0;

    pNtQuerySystemInformation(SystemProcessInformation, pProcessInfo, dwNumberBytes, &dwReturn);

    return TRUE;
}

int main()
{
    if!LoadNTDLL() )
    {
        printf("LoadNTDLL Error!\n");
        return 0;
    }

    printf("test\n");
    return 0;
}


运行后,出现
Debug Error
File: chkesp.c
line: 42

出现这个错误通常有两种情况
1. 参数个数错
2. 函数的调用方式错

详细检查之下
typedef NTSTATUS
 (*PNFNtQuerySystemInformation)(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength
    );

这里的写法有问题,少写了 __stdcall 的调用方式

typedef NTSTATUS
 (NTAPI *PNFNtQuerySystemInformation)(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength
    );

这样的写法就OK了


只有注册用户登录后才能发表评论。
网站导航: 博客园   IT新闻   BlogJava   知识库   博问   管理