From 862a5c0788026172107c452314310bc3639d6992 Mon Sep 17 00:00:00 2001
From: nganhkhoa
Date: Thu, 27 Feb 2020 23:37:04 +0700
Subject: [PATCH] hide process call
---
 src/driver_state.rs | 33 +++++++++++++++++++++++++++------
 src/ioctl_protocol.rs | 8 ++++++++
 src/main.rs | 7 +++++--
 3 files changed, 40 insertions(+), 8 deletions(-)
diff --git a/src/driver_state.rs b/src/driver_state.rs
index bf19ad3..43984d0 100644
--- a/src/driver_state.rs
+++ b/src/driver_state.rs
@@ -11,7 +11,7 @@ use winapi::um::winioctl::{
 use crate::pdb_store::{PdbStore};
 use crate::windows::{WindowsFFI, WindowsVersion};
 use crate::ioctl_protocol::{
-    InputData, OffsetData, DerefAddr, ScanRange,
+    InputData, OffsetData, DerefAddr, ScanRange, HideProcess,
     OutputData, Nothing
 };
@@ -25,7 +25,8 @@ pub enum DriverAction {
     ScanPsActiveHead,
     ScanPool,
     ScanPoolRemote,
-    DereferenceAddress
+    DereferenceAddress,
+    HideProcess
 }
 impl DriverAction {
@@ -36,7 +37,8 @@ impl DriverAction {
             DriverAction::ScanPsActiveHead => CTL_CODE(SIOCTL_TYPE, 0x902, METHOD_NEITHER, FILE_ANY_ACCESS),
             DriverAction::ScanPool => CTL_CODE(SIOCTL_TYPE, 0x903, METHOD_IN_DIRECT, FILE_ANY_ACCESS),
             DriverAction::ScanPoolRemote => CTL_CODE(SIOCTL_TYPE, 0x904, METHOD_IN_DIRECT, FILE_ANY_ACCESS),
-            DriverAction::DereferenceAddress => CTL_CODE(SIOCTL_TYPE, 0xA00, METHOD_OUT_DIRECT, FILE_ANY_ACCESS)
+            DriverAction::DereferenceAddress => CTL_CODE(SIOCTL_TYPE, 0xA00, METHOD_OUT_DIRECT, FILE_ANY_ACCESS),
+            DriverAction::HideProcess => CTL_CODE(SIOCTL_TYPE, 0xA01, METHOD_IN_DIRECT, FILE_ANY_ACCESS)
         }
     }
 }
@@ -124,7 +126,9 @@ impl DriverState {
                     self.eprocess_traverse_result.push(EprocessPoolChunk {
                         pool_addr: 0,
                         eprocess_addr: eprocess,
-                        eprocess_name: n.to_string()
+                        eprocess_name: n.to_string().trim_end_matches(char::from(0))
+                                       .to_string()
+
                     });
                 },
                 _ => {}
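Review bot: The new `HideProcess` control code (0xA01) is declared with `FILE_ANY_ACCESS`, so the I/O manager forwards the request no matter which access rights the caller's device handle was opened with; for an operation that unlinks a process, the only remaining gate is the device object's DACL, which is set driver-side and not visible in this diff. That is worth stating next to the constant, since the value must also be kept in sync with the driver's CTL_CODE definition by hand: `// 0xA01 must match the driver's definition; FILE_ANY_ACCESS means only the device DACL limits who can issue it`. The `code()` match this line belongs to is otherwise unchanged here.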
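Review bot: The new `eprocess_name` expression in the `-124` hunk allocates twice — `n.to_string()` and then `.to_string()` again after trimming — and the commit also leaves an empty added line inside the struct literal just before `});`. `trim_end_matches` works on the borrowed string, so `eprocess_name: n.trim_end_matches('\0').to_string()` is enough whether `n` is a `&str` or a `String` (its binding is above the hunk), and `'\0'` reads more plainly than `char::from(0)`. The stray blank line should go. The enclosing match arm and function begin outside the hunk.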
@@ -190,12 +194,14 @@ impl DriverState { let mut image_name = [0u8; 15]; self.deref_addr(try_eprocess_ptr + eprocess_name_offset, &mut image_name); // println!("_EPROCESS at 0x{:x} of {}", - // try_eprocess_ptr, std::str::from_utf8(&image_name).unwrap()); + // try_eprocess_ptr, std::str::from_utf8(&image_name).unwrap()); // TODO: save result self.pool_scan_result.push(EprocessPoolChunk { pool_addr, eprocess_addr: try_eprocess_ptr, - eprocess_name: std::str::from_utf8(&image_name).unwrap().to_string() + eprocess_name: std::str::from_utf8(&image_name).unwrap() + .to_string().trim_end_matches(char::from(0)) + .to_string() }); break; } @@ -206,6 +212,21 @@ impl DriverState { } } }, + DriverAction::HideProcess => { + let s = String::from("notepad.exe"); + let s_bytes = s.as_bytes(); + let mut name = [0u8; 15]; + for i in 0..s.len() { + name[i] = s_bytes[i]; + }; + let mut input = InputData { + hide_process: HideProcess { + name, + size: s.len() as u64 + } + }; + self.windows_ffi.device_io(code, &mut input, &mut Nothing); + } _ => {} }; } diff --git a/src/ioctl_protocol.rs b/src/ioctl_protocol.rs index 82f5ac7..22bbf99 100644 --- a/src/ioctl_protocol.rs +++ b/src/ioctl_protocol.rs @@ -78,11 +78,19 @@ impl ScanRange { } } +#[repr(C)] +#[derive(Debug, Copy, Clone)] +pub struct HideProcess { + pub name: [u8; 15], + pub size: u64 +} + #[repr(C)] pub union InputData { pub offset_value: OffsetData, pub deref_addr: DerefAddr, pub scan_range: ScanRange, + pub hide_process: HideProcess, } #[repr(C)] diff --git a/src/main.rs b/src/main.rs index 58977a3..7fbd2e3 100644 --- a/src/main.rs +++ b/src/main.rs @@ -17,6 +17,9 @@ fn main() { driver.interact(DriverAction::SetupOffset); driver.interact(DriverAction::GetKernelBase); + + driver.interact(DriverAction::HideProcess); + driver.interact(DriverAction::ScanPsActiveHead); driver.interact(DriverAction::ScanPoolRemote); 
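Review bot: `std::str::from_utf8(&image_name).unwrap()` still panics on the new side whenever the 15 bytes read from a pool-scan candidate are not valid UTF-8, and candidates here come from a heuristic pool scan (the enclosing loop starts above the hunk), so one false positive aborts the whole scan instead of being reported. Decode lossily and trim the borrowed `&str` before allocating: `eprocess_name: String::from_utf8_lossy(&image_name).trim_end_matches('\0').to_string()`. That also removes the intermediate `to_string()` the commit inserts between `unwrap()` and `trim_end_matches`.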
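Review bot: The byte copy `for i in 0..s.len() { name[i] = s_bytes[i]; }` indexes a fixed `[u8; 15]` with the length of the process name, so any target longer than 15 bytes panics at `name[i]` rather than being rejected with a message; `notepad.exe` fits today, but the name is hard-coded and the loop carries no guard. A slice copy behind an explicit length check makes the constraint visible, and the 15 presumably mirrors the 15-byte image-name buffer read in the previous hunk — worth confirming against the driver. The result of `self.windows_ffi.device_io(...)` is discarded as well; its return type is defined outside this hunk, but if it can signal failure the later scans run against a process that was never hidden. The enclosing `interact` match and function start before this hunk.
```rust
DriverAction::HideProcess => {
    // TODO confirm: 15 must equal the driver's copy of the EPROCESS image-name field.
    let target = "notepad.exe";
    let mut name = [0u8; 15];
    assert!(target.len() <= name.len(), "process name exceeds the 15-byte name field");
    name[..target.len()].copy_from_slice(target.as_bytes());
    let mut input = InputData {
        hide_process: HideProcess { name, size: target.len() as u64 }
    };
    // … unchanged: device_io call …
}
```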
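Review bot: `HideProcess` is `#[repr(C)]` with a `[u8; 15]` followed by a `u64`, so one byte of padding is inserted and `size` lands at offset 16 (24 bytes total); the driver-side struct must use exactly that layout and nothing in the file says so, nor is there any doc comment on the new struct or the new union member. I would add above the struct: `/// Input for the HideProcess IOCTL. Layout must match the driver's struct: 15-byte NUL-padded image name, then the name length as u64 at offset 16.` and `/// TODO confirm the driver checks size <= 15 before using it.` The driver definition is not visible here, so both are assumptions to verify.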
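Review bot: `driver.interact(DriverAction::HideProcess)` now runs unconditionally on every invocation before the scans, and nothing in the diff issues a corresponding restore before `driver.shutdown()` — if the driver's hide is a persistent unlink, the effect outlives this tool. Presumably this is a fixture so the pool-scan listing can be cross-checked against the PsActiveProcessHead walk; say so at the call site: `// Fixture: ask the driver to hide notepad.exe so the two listings below can be cross-checked; no unhide is issued.` The rest of `main` is outside this hunk.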
@@ -25,7 +28,7 @@ fn main() {
     for result in &driver.eprocess_traverse_result {
         println!("- [{}] 0x{:x} {}",
                  driver.pool_scan_result.contains(&result),
-                 result.eprocess_addr, result.eprocess_name.trim_end_matches(char::from(0)));
+                 result.eprocess_addr, result.eprocess_name);
     }
     println!("Pool tag (quick) scanning");
@@ -33,7 +36,7 @@ fn main() {
     for result in &driver.pool_scan_result {
         println!("- [{}] 0x{:x} 0x{:x} {}",
                  driver.eprocess_traverse_result.contains(&result),
-                 result.pool_addr, result.eprocess_addr, result.eprocess_name.trim_end_matches(char::from(0)));
+                 result.pool_addr, result.eprocess_addr, result.eprocess_name);
     }
     println!("NtUnloadDriver() -> 0x{:x}", driver.shutdown());
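Review bot: The cross-check `driver.pool_scan_result.contains(&result)` printed on each line compares whole `EprocessPoolChunk` values, yet the traverse side pushes `pool_addr: 0` while the pool-scan side pushes the real `pool_addr` (both in the driver_state.rs hunks above); unless `EprocessPoolChunk` implements `PartialEq` by hand ignoring `pool_addr` — its impl is not in this diff — the flag is `false` for every entry in both listings, which would mask the very hidden-process case this commit sets up. If that is so, compare on `eprocess_addr` instead: `driver.pool_scan_result.iter().any(|c| c.eprocess_addr == result.eprocess_addr)`, and the mirror of it in the `-33` hunk. Moving the NUL trimming into the stored name is fine and keeps the two sides comparable.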