From 206258a6fe16d89453726b7f930d0a5f929757c8 Mon Sep 17 00:00:00 2001
From: JKornev <8bit.dosninja@gmail.com>
Date: Fri, 30 Jul 2021 22:44:18 +0300
Subject: [PATCH] Added a cache to routine that looks for ActiveProcessLinks offset

---
 Hidden/Helper.h | 9 +++++++++
 Hidden/PsMonitor.c | 29 ++++++++++++++++-------------
 Hidden/PsTable.c | 9 ---------
 Hidden/todo.txt | 4 ++--
 4 files changed, 27 insertions(+), 24 deletions(-)

diff --git a/Hidden/Helper.h b/Hidden/Helper.h
index 0c08f30..b9a56cb 100644
--- a/Hidden/Helper.h
+++ b/Hidden/Helper.h
@@ -71,6 +71,15 @@ NTSYSAPI NTSTATUS NTAPI ZwQueryInformationProcess(
 _Out_opt_ PULONG ReturnLength
 );
 
+_Must_inspect_result_
+_IRQL_requires_max_(APC_LEVEL)
+NTKERNELAPI
+NTSTATUS
+PsLookupProcessByProcessId(
+ _In_ HANDLE ProcessId,
+ _Outptr_ PEPROCESS* Process
+);
+
 NTSTATUS QuerySystemInformation(SYSTEM_INFORMATION_CLASS Class, PVOID* InfoBuffer, PSIZE_T InfoSize);
 NTSTATUS QueryProcessInformation(PROCESSINFOCLASS Class, HANDLE ProcessId, PVOID* InfoBuffer, PSIZE_T InfoSize);
 VOID FreeInformation(PVOID Buffer);
diff --git a/Hidden/PsMonitor.c b/Hidden/PsMonitor.c
index 602be82..9878d72 100644
--- a/Hidden/PsMonitor.c
+++ b/Hidden/PsMonitor.c
@@ -24,6 +24,8 @@ PsRulesContext g_hideProcessRules;
 FAST_MUTEX g_processTableLock;
 KGUARDED_MUTEX g_activeProcListLock;
 
+volatile ULONG g_activeProcessListOffset = 0;
+
 typedef struct _ProcessListEntry {
 LPCWSTR path;
 ULONG inherit;
@@ -48,15 +50,6 @@ CONST ProcessListEntry g_protectProcesses[] = {
 UNICODE_STRING g_csrssPath;
 WCHAR g_csrssPathBuffer[CSRSS_PAHT_BUFFER_SIZE];
 
-_Must_inspect_result_
-_IRQL_requires_max_(APC_LEVEL)
-NTKERNELAPI
-NTSTATUS
-PsLookupProcessByProcessId(
- _In_ HANDLE ProcessId,
- _Outptr_ PEPROCESS* Process
-);
-
 BOOLEAN CheckProtectedOperation(HANDLE Source, HANDLE Destination)
 {
 ProcessTableEntry srcInfo, destInfo;
@@ -199,21 +192,31 @@ BOOLEAN FindActiveProcessLinksOffset(PEPROCESS Process, ULONG* Offset)
 ULONG peak = 0x150;
 #endif
 HANDLE* ptr = (HANDLE*)Process;
- HANDLE processId = PsGetProcessId(Process);
+ HANDLE processId;
 ULONG i;
 
+ if (g_activeProcessListOffset)
+ {
+ *Offset = g_activeProcessListOffset;
+ return TRUE;
+ }
+
+ processId = PsGetProcessId(Process);
+
 // EPROCESS ActiveProcessLinks field is next to UniqueProcessId
 // ...
 // + 0x0b4 UniqueProcessId : Ptr32 Void
 // + 0x0b8 ActiveProcessLinks : _LIST_ENTRY
 // + 0x0c0 Flags2 : Uint4B
 // ...
- for (i = 10; i < peak / sizeof(HANDLE); i++)
+ for (i = 15; i < peak / sizeof(HANDLE); i++)
 {
 if (ptr[i] == processId)
 {
- *Offset = sizeof(HANDLE) * (i + 1);
- LogInfo("EPROCESS->ActiveProcessList offset is %x", *Offset);
+ ULONG offset = sizeof(HANDLE) * (i + 1);
+ InterlockedExchange((LONG volatile*)&g_activeProcessListOffset, offset);
+ LogInfo("EPROCESS->ActiveProcessList offset is %x", offset);
+ *Offset = offset;
 return TRUE;
 }
 }
diff --git a/Hidden/PsTable.c b/Hidden/PsTable.c
index accff29..2a64a40 100644
--- a/Hidden/PsTable.c
+++ b/Hidden/PsTable.c
@@ -8,15 +8,6 @@ RTL_AVL_TABLE g_processTable;
 RTL_AVL_TABLE g_hiddenProcessTable;
 FAST_MUTEX g_hiddenProcessTableLock;
 
-_Must_inspect_result_
-_IRQL_requires_max_(APC_LEVEL)
-NTKERNELAPI
-NTSTATUS
-PsLookupProcessByProcessId(
- _In_ HANDLE ProcessId,
- _Outptr_ PEPROCESS* Process
-);
-
 _Function_class_(RTL_AVL_COMPARE_ROUTINE)
 RTL_GENERIC_COMPARE_RESULTS CompareProcessTableEntry(struct _RTL_AVL_TABLE *Table, PVOID FirstStruct, PVOID SecondStruct)
 {
diff --git a/Hidden/todo.txt b/Hidden/todo.txt
index 058292c..4b798b9 100644
--- a/Hidden/todo.txt
+++ b/Hidden/todo.txt
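Review bot: Caching the first HANDLE-sized slot that equals the PID makes a false positive permanent: before this change a coincidental match (a small PID such as 4 colliding with some counter field that precedes UniqueProcessId) only affected one call, but after `InterlockedExchange((LONG volatile*)&g_activeProcessListOffset, offset)` every later caller short-circuits on the cached value, and whatever treats that offset as a LIST_ENTRY will then unlink the wrong field on every process. The candidate should be validated before it is published: a genuine ActiveProcessLinks entry is doubly linked, so both neighbours must point back at it, and the scan should `continue` otherwise; dereferencing Flink/Blink of a bogus match can itself fault, so those reads presumably need MmIsAddressValid() or the `g_activeProcListLock` this file declares — confirm what the callers already hold. The new start index `i = 15` (0x3c on x86, 0x78 on x64) replaces 10 with no explanation; a one-line comment such as `// UniqueProcessId never sits in the first 15 pointer slots on supported builds — confirm` would record the reasoning. FindActiveProcessLinksOffset begins and ends outside the hunk.
```c
if (ptr[i] == processId)
{
	ULONG offset = sizeof(HANDLE) * (i + 1);
	PLIST_ENTRY links = (PLIST_ENTRY)((PUCHAR)Process + offset);

	// A coincidental PID match is not a LIST_ENTRY: only accept (and cache)
	// a slot whose neighbours link back to it.
	if (links->Flink == NULL || links->Blink == NULL ||
		links->Flink->Blink != links || links->Blink->Flink != links)
	{
		continue;
	}

	InterlockedExchange((LONG volatile*)&g_activeProcessListOffset, offset);
	// … unchanged: LogInfo, *Offset = offset, return TRUE …
}
```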
@@ -73,7 +73,7 @@ - Реализовать сокрытие процессов + Сделать видимыми скрытые процессы после выгрузки и /unhide - Улучшить алгоритм поиска офсета - - Добавить конфигурацию в реестр + + Добавить конфигурацию в реестр - Реализовать сокрытие сервисов через scdb патч - Добавить тест для проверки сокрытия процессов -- Решить проблему с %tu принтом лога на 32-бит драйвере \ No newline at end of file ++ Решить проблему с %tu принтом лога на 32-бит драйвере \ No newline at end of file