Sometimes it is really interesting to write and debug a program. For example, this time, the program has been done well.
Netstat and the other tools that list ports, such as fport or Sysinternals TCPView, call the API in Iphlpapi.dll to list ports. The API in Iphlpapi.dll eventually uses ZwDeviceIoControlFile to send IOCTL_TCP_QUERY_INFORMATION_EX to the device object \Device\Tcp to obtain various information. Therefore, we only need to hook the corresponding system service and then do some processing on the returned results to remove the port information that we do not want shown. The real problem, however, is that IOCTL_TCP_QUERY_INFORMATION_EX has various port-related structure definitions whose parameter meanings are currently (mostly) undisclosed and unknown — that is, undocumented. Undocumented?? I am familiar with ring3 debugging. I am familiar with ring0 debugging. I am familiar with Windows drivers. I am familiar with Windows. Who am I afraid of? Undocumented?? Cool. What you need is undocumented.
Through ring3 debugging, we can analyze how the IOCTL_TCP_QUERY_INFORMATION_EX parameters are used in Iphlpapi.dll and, combined with some information from MSDN, easily work out the structures involved. Create a VC driver project using awx, and write the Hook part.
The method used in this example to make the hook run on the various Windows versions has appeared in many places, and I don't know who came up with it first; I saw this method for the first time in the source code of Undocumented Windows NT.
The following is the implementation source code, which is very simple. I will not talk much about it.
# If 0 // ========================================== ================================== Copyright (c) JIURL, All Rights Reserved ========================================================== ======================================
/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/* /*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/
Module Name:
Jiurl_tcpioctl.h
About:
-This driver project is created by an AppWizard I wrote.
Http://jiurl.yeah.net [HomePage] ~~~~~~~~~~~~~~~~~~~~~ [Email] jiurl@mail.china.com ~~~~~~~~~~~~~~~~~~~~ [Forum] http://jiurl.cosoft.org.cn/forum/index.php ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~
-For paid customization of AppWizard, please send an email.
Comments:
None of the content in this file is public at present. It is the key to hiding the port. Undocumented?? Great! All you need is undocumented.
/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/* /*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/ # Endif
// Jiurl // The IPSNMPInfo structure is defined according to RFC 2011.
// Jiurl // Therefore I define the TCPSNMPInfo structure according to RFC 2022, in the same way as IPSNMPInfo.
// Jiurl // The definitions of some extensions were obtained through analysis.
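/*
 * TCP statistics block returned in the IOCTL output buffer for the statistics
 * query (presumably TCP_MIB_STATS_ID below — confirm). Field names follow the
 * TCP MIB objects tcpRtoAlgorithm .. tcpRetransSegs (the SNMPv2 TCP-MIB is
 * RFC 2012; the author's comment above cites RFC 2022). The last three fields
 * are not MIB objects and were reconstructed by analysis; their meaning is not
 * established on this page.
 */
typedef struct TCPSNMPInfo {
    ULONG tcpsi_RtoAlgorithm;   /* one of the tcpRtoAlgorithm_* values below */
    ULONG tcpsi_RtoMin;
    ULONG tcpsi_RtoMax;
    ULONG tcpsi_MaxConn;
    ULONG tcpsi_ActiveOpens;
    ULONG tcpsi_PassiveOpens;
    ULONG tcpsi_AttemptFails;
    ULONG tcpsi_EstabResets;
    ULONG tcpsi_CurrEstab;
    ULONG tcpsi_InSegs;
    ULONG tcpsi_OutSegs;
    ULONG tcpsi_RetransSegs;
    ULONG tcpsi_unknown1;       /* not in the MIB; meaning unknown */
    ULONG tcpsi_unknown2;       /* not in the MIB; meaning unknown */
    ULONG tcpsi_numconn;        /* not in the MIB; presumably the number of connection-table rows — confirm */
} TCPSNMPInfo;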
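/* Values of TCPSNMPInfo.tcpsi_RtoAlgorithm (TCP MIB tcpRtoAlgorithm). */
#define tcpRtoAlgorithm_other    1  /* none of the following */
#define tcpRtoAlgorithm_constant 2  /* a constant rto */
#define tcpRtoAlgorithm_rsre     3  /* MIL-STD-1778, Appendix B */
#define tcpRtoAlgorithm_vanj     4  /* Van Jacobson's algorithm */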
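/*
 * Object ids for the TCP entity (presumably placed in TDIObjectID.toi_id —
 * confirm): the statistics block, the connection table, and the extended
 * connection table whose rows carry the owning process id (TCPAddrExEntry).
 */
#define TCP_MIB_STATS_ID              1
#define TCP_MIB_ADDRTABLE_ENTRY_ID    0x101
#define TCP_MIB_ADDRTABLE_ENTRY_EX_ID 0x102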
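/*
 * One row of the TCP connection table as returned in the IOCTL output buffer
 * (presumably the TCP_MIB_ADDRTABLE_ENTRY_ID query — confirm): the data
 * netstat prints per connection. tae_ConnState takes the tcpConnState_*
 * values below. Ports are presumably stored in network byte order (the ntohs
 * macro later in this file suggests so) — confirm.
 *
 * NOTE(review): cross-view detection tools compare this table with other
 * sources of the same data; rows filtered out of this buffer show up there as
 * a discrepancy.
 */
typedef struct TCPAddrEntry {
    ULONG tae_ConnState;         /* tcpConnState_* */
    ULONG tae_ConnLocalAddress;
    ULONG tae_ConnLocalPort;
    ULONG tae_ConnRemAddress;
    ULONG tae_ConnRemPort;
} TCPAddrEntry;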
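/* Values of TCPAddrEntry.tae_ConnState / TCPAddrExEntry.tae_ConnState
 * (TCP MIB tcpConnState). */
#define tcpConnState_closed       1
#define tcpConnState_listen       2
#define tcpConnState_synSent      3
#define tcpConnState_synReceived  4
#define tcpConnState_established  5
#define tcpConnState_finWait1     6
#define tcpConnState_finWait2     7
#define tcpConnState_closeWait    8
#define tcpConnState_lastAck      9
#define tcpConnState_closing      10
#define tcpConnState_timeWait     11
#define tcpConnState_deleteTCB    12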
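/*
 * Extended connection-table row: TCPAddrEntry plus the owning process id.
 * Presumably what the TCP_MIB_ADDRTABLE_ENTRY_EX_ID query returns and what
 * tools attributing a port to a process read — confirm. The first five fields
 * must stay identical to TCPAddrEntry; only pid is appended.
 */
typedef struct TCPAddrExEntry {
    ULONG tae_ConnState;         /* tcpConnState_* */
    ULONG tae_ConnLocalAddress;
    ULONG tae_ConnLocalPort;
    ULONG tae_ConnRemAddress;
    ULONG tae_ConnRemPort;
    ULONG pid;                   /* owning process id */
} TCPAddrExEntry;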
# If 0 // ========================================== ================================== Copyright (c) JIURL, All Rights Reserved ========================================================== ======================================
/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/* /*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/
Module Name:
JiurlPortHide. h
About:
-This driver project is created by an AppWizard I wrote.
Http://jiurl.yeah.net [HomePage] ~~~~~~~~~~~~~~~~~~~~~ [Email] jiurl@mail.china.com ~~~~~~~~~~~~~~~~~~~~ [Forum] http://jiurl.cosoft.org.cn/forum/index.php ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~
-For paid customization of AppWizard, please send an email.
/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/* /*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/ # Endif
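/*
 * TCP port (139 = NetBIOS session service) that the hook removes from query
 * results; presumably compared against tae_ConnLocalPort in
 * NewZwDeviceIoControlFile, whose body is not on this page. Hard-coded: a
 * single port, fixed at build time.
 */
#define PORTHIDE 139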
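/*
 * Layout of one entry of the kernel's exported KeServiceDescriptorTable.
 * ServiceTableBase points at the System Service Dispatch Table (SSDT); the
 * hook presumably replaces the ZwDeviceIoControlFile slot in that table (the
 * installation code is not on this page). Packed so the offsets match the
 * kernel's layout exactly.
 *
 * NOTE(review): SSDT-integrity checks compare each slot against the address
 * resolved from the kernel image, which is exactly what a replaced slot fails.
 * The symbol is exported by name on x86 only; on x64 the table is covered by
 * Kernel Patch Protection, so this layout presumably targets 32-bit Windows —
 * confirm.
 */
#pragma pack(1)
typedef struct ServiceDescriptorEntry {
    unsigned int *ServiceTableBase;         /* SSDT: one routine address per service */
    unsigned int *ServiceCounterTableBase;  /* Used only in checked build */
    unsigned int NumberOfServices;          /* entry count of ServiceTableBase */
    unsigned char *ParamTableBase;          /* presumably per-service argument sizes — confirm */
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()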
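/* The kernel's exported service descriptor table (x86 export); imported so the
 * SSDT can be located through ServiceTableBase. */
__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;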
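/*
 * Native prototype of the system service that Iphlpapi.dll ends up calling
 * (see the introduction). Declared here so its address and signature are
 * available to the hooking code; the hook's replacement below must keep this
 * exact parameter list.
 */
NTSYSAPI NTSTATUS NTAPI ZwDeviceIoControlFile(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG IoControlCode,
    IN PVOID InputBuffer OPTIONAL,
    IN ULONG InputBufferLength,
    OUT PVOID OutputBuffer OPTIONAL,
    IN ULONG OutputBufferLength
);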
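/* Function-pointer type matching ZwDeviceIoControlFile, used to hold the
 * original service address (OldZwDeviceIoControlFile). */
typedef NTSTATUS (*ZWDEVICEIOCONTROLFILE)(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG IoControlCode,
    IN PVOID InputBuffer OPTIONAL,
    IN ULONG InputBufferLength,
    OUT PVOID OutputBuffer OPTIONAL,
    IN ULONG OutputBufferLength
);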
/* Saved address of the original service, presumably read from the SSDT slot
 * before it is replaced, called by NewZwDeviceIoControlFile to obtain the real
 * result, and written back in DriverUnload — none of those bodies are on this
 * page. */
ZWDEVICEIOCONTROLFILE OldZwDeviceIoControlFile;
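/* Driver entry points. */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject);
NTSTATUS DriverDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);

/*
 * Replacement for ZwDeviceIoControlFile. The parameter list must stay
 * identical to the native service, because the system call dispatcher calls
 * whatever address is in the SSDT slot with the native argument layout.
 * The filtering of IOCTL_TCP_QUERY_INFORMATION_EX results presumably happens
 * here; the body is not on this page.
 */
NTSTATUS NewZwDeviceIoControlFile(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG IoControlCode,
    IN PVOID InputBuffer OPTIONAL,
    IN ULONG InputBufferLength,
    OUT PVOID OutputBuffer OPTIONAL,
    IN ULONG OutputBufferLength
);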
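// Jiurl // from addrconv.cpp
/*
 * 16-bit byte swap (network <-> host order). Both halves are masked, so the
 * result always fits in 16 bits whatever the width of the argument.
 * Function-like macro: the argument is evaluated twice, so do not pass an
 * expression with side effects.
 */
#define ntohs(s) ((((s) >> 8) & 0x00FF) | (((s) << 8) & 0xFF00))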
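// Jiurl // from tcpioctl.h tdiinfo.h tdistat.h
/* IOCTL code Iphlpapi.dll sends to the TCP device (see the introduction); the
 * hook presumably filters on this code and passes everything else through. */
#define IOCTL_TCP_QUERY_INFORMATION_EX 0x00120003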
// * Structure of an entity ID. Typedef struct TDIEntityID { ULONG tei_entity; ULONG tei_instance; } TDIEntityID;
// * Structure of an object ID. Typedef struct TDIObjectID { TDIEntityID toi_entity; ULONG toi_class; ULONG toi_type; ULONG toi_id; } TDIObjectID;
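#define CONTEXT_SIZE 16

/*
 * QueryInformationEx IOCTL. The return buffer is passed as the OutputBuffer
 * in the DeviceIoControl request. This structure is passed as InputBuffer.
 * Its size is fixed by CONTEXT_SIZE, so Context holds 16 bytes regardless of
 * pointer width.
 */
struct tcp_request_query_information_ex {
    TDIObjectID ID;                                       /* object ID to query */
    ULONG_PTR Context[CONTEXT_SIZE / sizeof(ULONG_PTR)];  /* multi-request context; zeroed for the first request */
};

typedef struct tcp_request_query_information_ex TCP_REQUEST_QUERY_INFORMATION_EX,
    *PTCP_REQUEST_QUERY_INFORMATION_EX;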
# Define CO_TL_ENTITY 0x400 |