How to hide yourself in Windows NT (2)

===== [7.2 global Hook] ================================ ====================================

The problem of enumeration process was solved when NtQuerySystemInformation API was mentioned earlier. The system has
Some local processes, so we can hook them up by rewriting the first instruction of the function. For each running
We must all do this. We need to allocate a piece of memory in the target process, and write the function we want to hook up here.
. Then we use the jmp command to rewrite the first command of these functions. This jump moves the execution
Our code. Therefore, when the hook function is called, The jmp command is executed immediately. We must
The first instruction to rewrite each function. We need them to call the original hook function. Save the command in
Section 3.2.3 of my article "hook up Windows APIs" is described.

First, open the target process through NtOpenProcess and obtain the handle. If we do not have sufficient permissions, this will
Failed.

NTSTATUS NtOpenProcess (
Out phandle ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId OPTIONAL
);

ProcessHandle is a pointer to the return handle. DesiredAccess should be set to PROCESS_ALL _
ACCESS. We can set the PID of the target process to the UniqueProcess value of the ClientId structure, Unique-
Thread should be 0. The opened handle can always be closed through the NtClose function.

# Define PROCESS_ALL_ACCESS 0x001F0FFF

Now we need to allocate memory for our code. This can be achieved through NtAllocateVirtualMemory.

NTSTATUS NtAllocateVirtualMemory (
In handle ProcessHandle,
In out pvoid BaseAddress,
In ulong ZeroBits,
In out pulong AllocationSize,
In ulong AllocationType,
In ulong Protect
);

ProcessHandle is the handle returned by NtOpenProcess. BaseAddress is a pointer to the beginning of the memory.
The allocated memory address is stored here. The input value can be NULL. AllocationSize refers to
Please refer to the memory size pointer. It is also used to return the actual size of the allocated memory. It is best to set AllocationType
Set it to MEM_TOP_DOWN and MEM_COMMIT, because it will be allocated a high address as close as possible to the dynamic link library.

# Define MEM_COMMIT 0x00001000
# Define MEM_TOP_DOWN 0x00100000

Then we can use NtWriteVirtualMemory to write our code.

NTSTATUS NtWriteVirtualMemory (
In handle ProcessHandle,
In pvoid BaseAddress,
In pvoid Buffer,
In ulong BufferLength,
Out pulong ReturnLength OPTIONAL
);

BaseAddress is the address returned by NtAllocateVirtualMemory. Buffer points to the number of bytes written by the function,
BufferLength is the number of bytes to write.

Now we need to hook up a single function. Only ntdll. dll is loaded by every process. So we check that
Is the function in ntdll. dll to be linked introduced by the process. However, this function (in other DLL) is in the memory.
The placement location is allocable, so rewriting on this address can easily cause errors in the target process. Why
Check whether the Library (where the function we want to hook up is stored) is loaded by the target process.

We need to use NtQueryInformationProcess to obtain the PEB (process environment block) of the target process ).

NTSTATUS NtQueryInformationProcess (
In handle ProcessHandle,
In processinfoclass ProcessInformationClass,
Out pvoid ProcessInformation,
In ulong ProcessInformationLength,
Out pulong ReturnLength OPTIONAL
);

Set ProcessInformationClass to ProcessBasicInformation. Then PROCESS_BASIC _
The INformATION structure is returned to the ProcessInformation buffer, and its size is specified by ProcessInformationLength.

# Define ProcessBasicInformation 0

Typedef struct _ PROCESS_BASIC_INformATION {
NTSTATUS ExitStatus;
PPEB PebBaseAddress;
KAFFINITY AffinityMask;
KPRIORITY BasePriority;
ULONG UniqueProcessId;
ULONG InheritedFromUniqueProcessId;
} PROCESS_BASIC_INformATION, * PPROCESS_BASIC_INformATION;

PebBaseAddress is what we want. The PebBaseAddress + 0x0c address is the PPEB_LDR_DATA address.
This can be obtained through the NtReadVirtualMemory call.

NTSTATUS NtReadVirtualMemory (
In handle ProcessHandle,
In pvoid BaseAddress,
Out pvoid Buffer,
In ulong BufferLength,
Out pulong ReturnLength OPTIONAL
);

The parameter is similar to the NtWriteVirtualMemory function.

In PPEB_LDR_DATA + 0x1c, It is the address of InInitializationOrderModuleList. This is process Loading
The list of linked libraries. We only care about part of this structure.

Typedef struct _ IN_INITIALIZATION_ORDER_MODULE_LIST {
PVOID Next,
PVOID Prev,
DWORD ImageBase,
DWORD ImageEntry,
DWORD ImageSize,
...
);

Next is a pointer to the Next record. Prev refers to the previous record, and the last record points to the first record.
ImageBase is the address of the module in memory, ImageEntry is the module entry, and ImageSize is its size.

For all the libraries we have hooks, we need to get its ImageBase (for example, using GetModuleHandle or Load-
Library ). We use each entry in ImageBase and InInitializationOrderModuleList
Comparison.

Now we are ready for the hook. Because we want to hook the running process, there is a possibility that our code
It may be rewritten and executed at the same time. This will cause an error, so we need to stop all threads in the target process first.
You can use the SystemProcessAndThreadsInformation of NtQuerySystemInformation described in section 4
Type to get the thread list. However, we need to describe the SYSTEM_THREADS structure used to store thread information.

Typedef struct _ SYSTEM_THREADS {
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientId;
KPRIORITY Priority;
KPRIORITY BasePriority;
ULONG ContextSwitchCount;
THREAD_STATE State;
KWAIT_REASON WaitReason;
} SYSTEM_THREADS, * PSYSTEM_THREADS;

For each thread, we need to get its handle through NtOpenThread. We need to use ClientId for it.

NTSTATUS NtOpenThread (
Out phandle ThreadHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId
)

The handle we want to obtain is stored in ThreadHandle. Set DesiredAccess to THREAD_SUSPEND _
RESUME.

# Define THREAD_SUSPEND_RESUME 2

ThreadHandle is used to call NtSuspendThread.

NTSTATUS NtSuspendThread (
IN HANDLE