From 861d6b30c316ebfb094b3efad2f38d00484cd6e7 Mon Sep 17 00:00:00 2001
From: gmh5225 <2315157@qq.com>
Date: Fri, 19 Aug 2022 22:45:19 +0800
Subject: [PATCH] hide world
---
 win32bro/Source.cpp | 72 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)
diff --git a/win32bro/Source.cpp b/win32bro/Source.cpp
index a968a8a..c8e51c5 100644
--- a/win32bro/Source.cpp
+++ b/win32bro/Source.cpp
@@ -3,10 +3,82 @@
 #define dprintf(...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, __VA_ARGS__)
+EXTERN_C
+PLIST_ENTRY PsLoadedModuleList;
+
+typedef struct _KLDR_DATA_TABLE_ENTRY
+{
+ LIST_ENTRY InLoadOrderLinks;
+ PVOID ExceptionTable;
+ ULONG ExceptionTableSize;
+ // ULONG padding on IA64
+ PVOID GpValue;
+ /*PNON_PAGED_DEBUG_INFO*/ PVOID NonPagedDebugInfo;
+ PVOID DllBase;
+ PVOID EntryPoint;
+ ULONG SizeOfImage;
+ UNICODE_STRING FullDllName;
+ UNICODE_STRING BaseDllName;
+ ULONG Flags;
+ USHORT LoadCount;
+ USHORT __Unused5;
+ PVOID SectionPointer;
+ ULONG CheckSum;
+ // ULONG padding on IA64
+ PVOID LoadedImports;
+ PVOID PatchInformation;
+} KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY;
+
 EXTERN_C NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath) {
+ // find world
+ PKLDR_DATA_TABLE_ENTRY pSelfEntry = nullptr;
+ auto pNext = PsLoadedModuleList->Flink;
+ if (pNext != NULL)
+ {
+ while (pNext != PsLoadedModuleList)
+ {
+ auto pEntry = CONTAINING_RECORD(pNext, KLDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
+
+ auto pBase = pEntry->DllBase;
+ if (DriverObject->DriverStart == pBase)
+ {
+ pSelfEntry = pEntry;
+ dprintf("find world:%p\n", pSelfEntry);
+ break;
+ }
+
+ pNext = pNext->Flink;
+ }
+ }
+
+ // hide world
+ if (pSelfEntry)
+ {
+ KIRQL kIrql = KeRaiseIrqlToDpcLevel();
+ auto pPrevEntry = (PKLDR_DATA_TABLE_ENTRY)pSelfEntry->InLoadOrderLinks.Blink;
+ auto pNextEntry = (PKLDR_DATA_TABLE_ENTRY)pSelfEntry->InLoadOrderLinks.Flink;
+
+ if (pPrevEntry)
+ {
+ pPrevEntry->InLoadOrderLinks.Flink = pSelfEntry->InLoadOrderLinks.Flink;
+ }
+
+ if (pNextEntry)
+ {
+ pNextEntry->InLoadOrderLinks.Blink = pSelfEntry->InLoadOrderLinks.Blink;
+ }
+
+ pSelfEntry->InLoadOrderLinks.Flink = (PLIST_ENTRY)pSelfEntry;
+ pSelfEntry->InLoadOrderLinks.Blink = (PLIST_ENTRY)pSelfEntry;
+
+ KeLowerIrql(kIrql);
+
+ dprintf("hide world!\n");
+ }
+
 dprintf("end world!\n");
 return 0;
 }
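Review bot: The unlink at `pPrevEntry->InLoadOrderLinks.Flink = ...` and `pNextEntry->InLoadOrderLinks.Blink = ...` is guarded only by `KeRaiseIrqlToDpcLevel()`, which raises IRQL on the current processor alone and does not serialize against other processors walking `PsLoadedModuleList`, so a concurrent reader can observe the list mid-update. Beyond the race, that list is kernel-owned bookkeeping relied on by image unload, unwind/exception lookup and crash-dump module enumeration, and removing the driver's own entry leaves those views inconsistent; on current x64 builds this structure is also covered by kernel integrity protection and by cross-view module enumeration in forensic tooling, so the expected outcome is a bug check or a flagged driver rather than an unnoticed one (inferred from the technique, not from anything the hunk checks). `KLDR_DATA_TABLE_ENTRY` is undocumented and its layout differs across builds, yet the casts at `(PKLDR_DATA_TABLE_ENTRY)pSelfEntry->InLoadOrderLinks.Blink` and `.Flink` are trusted without comment and depend on `InLoadOrderLinks` being the first member. I would document both assumptions: above the struct, `// KLDR_DATA_TABLE_ENTRY is undocumented and build-specific; InLoadOrderLinks must remain the first member for the Blink/Flink casts below to be valid.`, and at the unlink, `// Raising IRQL only blocks preemption on this CPU; this does not serialize with other CPUs reading PsLoadedModuleList.`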