===== [1. Directory] ===============================================================================
1. Directory
2. Introduction
3. Files
3.1 NtQueryDirectoryFile
3.2 NtVdmControl
4. Processes
5. Registry
5.1 NtEnumerateKey
5.2 NtEnumerateValueKey
6. System services and drivers
7. Hooking and extending
7.1 Permissions
7.2 Global hook
7.3 New processes
7.4 DLL
8. Memory
9. Handles
9.1 Naming the handle and obtaining its type
10. Ports
10.1 Netstat, OpPorts and FPort on WinXP
10.2 OpPorts on Win2k and NT4, FPort on Win2k
11. Conclusion
===== [2. Introduction] ============================================================================
This document describes how to hide objects, files, services, and processes in Windows NT. These methods are built on API hooking; for more information about hooking Windows APIs, see my document "Hooking Windows APIs".
All of them were developed by me while writing rootkit code, and at the time of writing they are very effective and easy to implement.
Hiding an object, anywhere in this document, means skipping it in the enumeration that names objects of its kind. The object is then simply absent from the return value of that enumeration, as if it did not exist.
The basic method (leaving aside differences in detail) is that we call the original function and then change its output.
This document describes how to hide files, processes, registry keys and values, system services and drivers, allocated memory, and handles.
===== [3. Files] ===================================================================================
There are many ways to hide a file so that it is invisible to the system. We only change the behaviour of the API and do not touch the file-system components themselves. This is also easier, because we do not need to know how the actual file systems work.
===== [3.1 NtQueryDirectoryFile] ===================================================================
In Windows NT a file is found by searching the directory it lives in and all of its subdirectories, and NtQueryDirectoryFile is the function used to enumerate the files in a directory.
NTSTATUS NtQueryDirectoryFile(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID FileInformation,
    IN ULONG FileInformationLength,
    IN FILE_INFORMATION_CLASS FileInformationClass,
    IN BOOLEAN ReturnSingleEntry,
    IN PUNICODE_STRING FileName OPTIONAL,
    IN BOOLEAN RestartScan
);
The important parameters are FileHandle, FileInformation, and FileInformationClass. FileHandle is the handle of a directory object, which can be obtained from NtOpenFile. FileInformation is a pointer to allocated memory into which the function writes the requested information. FileInformationClass determines the type of records written to FileInformation.
FileInformationClass is an enumeration with many values, but only four of them are needed to enumerate the contents of a directory.
#define FileDirectoryInformation     1
#define FileFullDirectoryInformation 2
#define FileBothDirectoryInformation 3
#define FileNamesInformation         12
The record structure written to FileInformation for FileDirectoryInformation is:
typedef struct _FILE_DIRECTORY_INFORMATION {
    ULONG NextEntryOffset;
    ULONG Unknown;
    LARGE_INTEGER CreationTime;
    LARGE_INTEGER LastAccessTime;
    LARGE_INTEGER LastWriteTime;
    LARGE_INTEGER ChangeTime;
    LARGE_INTEGER EndOfFile;
    LARGE_INTEGER AllocationSize;
    ULONG FileAttributes;
    ULONG FileNameLength;
    WCHAR FileName[1];
} FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION;
For FileFullDirectoryInformation:
typedef struct _FILE_FULL_DIRECTORY_INFORMATION {
    ULONG NextEntryOffset;
    ULONG Unknown;
    LARGE_INTEGER CreationTime;
    LARGE_INTEGER LastAccessTime;
    LARGE_INTEGER LastWriteTime;
    LARGE_INTEGER ChangeTime;
    LARGE_INTEGER EndOfFile;
    LARGE_INTEGER AllocationSize;
    ULONG FileAttributes;
    ULONG FileNameLength;
    ULONG EaInformationLength;
    WCHAR FileName[1];
} FILE_FULL_DIRECTORY_INFORMATION, *PFILE_FULL_DIRECTORY_INFORMATION;
For FileBothDirectoryInformation:
typedef struct _FILE_BOTH_DIRECTORY_INFORMATION {
    ULONG NextEntryOffset;
    ULONG Unknown;
    LARGE_INTEGER CreationTime;
    LARGE_INTEGER LastAccessTime;
    LARGE_INTEGER LastWriteTime;
    LARGE_INTEGER ChangeTime;
    LARGE_INTEGER EndOfFile;
    LARGE_INTEGER AllocationSize;
    ULONG FileAttributes;
    ULONG FileNameLength;
    ULONG EaInformationLength;
    UCHAR AlternateNameLength;
    WCHAR AlternateName[12];
    WCHAR FileName[1];
} FILE_BOTH_DIRECTORY_INFORMATION, *PFILE_BOTH_DIRECTORY_INFORMATION;
For FileNamesInformation:
typedef struct _FILE_NAMES_INFORMATION {
    ULONG NextEntryOffset;
    ULONG Unknown;
    ULONG FileNameLength;
    WCHAR FileName[1];
} FILE_NAMES_INFORMATION, *PFILE_NAMES_INFORMATION;
This function writes a list of these structures into FileInformation. Of all the fields in these structures, only three matter to us.
NextEntryOffset is the length of the list item. The first item is at address FileInformation + 0, so the second item is at FileInformation + NextEntryOffset of the first item, and so on. The NextEntryOffset field of the last item is 0.
FileName is the full file name.
FileNameLength is the length of the file name.
If we want to hide a file, we have to distinguish the four structure types and then, for each returned record, compare its file name with the name of the file we want to hide. If the record to hide is the first one, we move the subsequent structures forward by the size of the first structure, so that the first record is overwritten. If it is some other record, we can simply rewrite the NextEntryOffset field of the previous record. If it is the last record, the NextEntryOffset of the previous record
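Added example, not code from the original article: a C walker for the FileDirectoryInformation buffer described above. It builds a constructed three-record buffer, follows the NextEntryOffset chain and counts links that jump further than the record's own size, which is the trace that rewriting a previous record's NextEntryOffset leaves behind. It assumes the file system packs records with only 8-byte alignment padding, uses the field offsets 60 (FileNameLength) and 64 (FileName) that follow from the structure above, and uses portable integer types in place of the Windows typedefs.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Field offsets of FILE_DIRECTORY_INFORMATION above: two ULONGs, six LARGE_INTEGERs
   and FileAttributes put FileNameLength at byte 60 and FileName at byte 64. */
#define LEN_OFF   60u
#define NAME_OFF  64u
#define ALIGN8(n) (((n) + 7u) & ~(size_t)7u)   /* assumption: records are 8-byte aligned */

/* Bytes a record with this name length (in bytes) occupies when the file system wrote it. */
static size_t record_size(uint32_t name_len) { return ALIGN8(NAME_OFF + (size_t)name_len); }

/* Append one record (constructed sample data, little-endian host); returns the new length. */
size_t put_entry(uint8_t *buf, size_t pos, const char *name, int last)
{
    uint32_t name_len = (uint32_t)strlen(name) * 2;   /* WCHAR = 2 bytes */
    size_t size = record_size(name_len);
    uint32_t next = last ? 0 : (uint32_t)size;
    memset(buf + pos, 0, size);                        /* timestamps, attributes left zero */
    memcpy(buf + pos, &next, sizeof next);
    memcpy(buf + pos + LEN_OFF, &name_len, sizeof name_len);
    for (size_t i = 0; name[i]; i++)                   /* ASCII -> UTF-16LE, enough for a sample */
        buf[pos + NAME_OFF + 2 * i] = (uint8_t)name[i];
    return pos + size;
}

/* Walk the NextEntryOffset chain. Returns the number of records reached and stores in
   *gaps how many links jump further than the record's own size, which is the trace that
   rewriting a previous record's NextEntryOffset leaves in the buffer. */
int walk_dir_buffer(const uint8_t *buf, size_t len, int *gaps)
{
    int count = 0, bad = 0;
    size_t pos = 0;
    while (pos + NAME_OFF <= len) {
        uint32_t next, name_len;
        memcpy(&next, buf + pos, sizeof next);
        memcpy(&name_len, buf + pos + LEN_OFF, sizeof name_len);
        if (pos + record_size(name_len) > len) break;  /* truncated record: stop */
        count++;
        if (next == 0) break;                          /* last record */
        if (next > record_size(name_len)) bad++;       /* a record was spliced out */
        pos += next;
    }
    *gaps = bad;
    return count;
}
```

Hiding the first record by moving the rest of the buffer forward leaves no such gap, so this walker only catches the rewritten-link case; a fuller check compares the returned list against a listing of the same directory obtained another way.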