Stealth mode first steps

2024-06-16 03:58:04 +00:00 · 2016-12-30 19:57:52 +03:00 · 2016-12-30 19:57:52 +03:00 · c3705478b1
commit c3705478b1
parent fbae5ffa57
2 changed files with 61 additions and 4 deletions
--- a/Hidden/Driver.c
+++ b/Hidden/Driver.c
@ -8,6 +8,7 @@
 #include "Device.h"
 #include "Driver.h"
 #include "Configs.h"
+#include "Helper.h"

 PDRIVER_OBJECT g_driverObject = NULL;

@ -27,13 +28,47 @@ BOOLEAN IsDriverEnabled()

 // =========================================================================================

-NTSTATUS InitializeStealthMode(PUNICODE_STRING RegistryPath)
+ULONGLONG g_hiddenRegConfigId = 0;
+ULONGLONG g_hiddenDriverFileId = 0;
+
+NTSTATUS InitializeStealthMode(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
 {
+	PLDR_DATA_TABLE_ENTRY LdrEntry;
+	UNICODE_STRING normalized;
+	NTSTATUS status;
+
 	if (!CfgGetStealthState())
 		return STATUS_SUCCESS;
+	
+	LdrEntry = (PLDR_DATA_TABLE_ENTRY)DriverObject->DriverSection;

-	//TODO: implement me
-	UNREFERENCED_PARAMETER(RegistryPath);
+	normalized.Length = 0;
+	normalized.MaximumLength = LdrEntry->FullModuleName.Length + NORMALIZE_INCREAMENT;
+	normalized.Buffer = (PWCH)ExAllocatePool(PagedPool, normalized.MaximumLength);
+	
+	if (!normalized.Buffer)
+	{
+		DbgPrint("FsFilter1!" __FUNCTION__ ": error, can't allocate buffer\n");
+		return STATUS_MEMORY_NOT_ALLOCATED;
+	}
+
+	status = NormalizeDevicePath(&LdrEntry->FullModuleName, &normalized);
+	if (!NT_SUCCESS(status))
+	{
+		DbgPrint("FsFilter1!" __FUNCTION__ ": path normalization failed with code:%08x, path:%wZ\n", status, &LdrEntry->FullModuleName);
+		ExFreePool(normalized.Buffer);
+		return status;
+	}
+
+	status = AddHiddenFile(&normalized, &g_hiddenDriverFileId);
+	if (!NT_SUCCESS(status))
+		DbgPrint("FsFilter1!" __FUNCTION__ ": can't hide self registry key\n");
+
+	ExFreePool(normalized.Buffer);
+
+	status = AddHiddenRegKey(RegistryPath, &g_hiddenRegConfigId);
+	if (!NT_SUCCESS(status))
+		DbgPrint("FsFilter1!" __FUNCTION__ ": can't hide self registry key\n");

 	return STATUS_SUCCESS;
 }
@ -80,7 +115,7 @@ NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
 	if (!NT_SUCCESS(status))
 		DbgPrint("FsFilter1!" __FUNCTION__ ": can't create device\n");

-	status = InitializeStealthMode(RegistryPath);
+	status = InitializeStealthMode(DriverObject, RegistryPath);
 	if (!NT_SUCCESS(status))
 		DbgPrint("FsFilter1!" __FUNCTION__ ": can't activate stealth mode\n");

--- a/Hidden/Helper.h
+++ b/Hidden/Helper.h
@ -34,6 +34,28 @@ typedef struct _SYSTEM_PROCESS_INFORMATION {
 	LARGE_INTEGER   Reserved6[6];
 } SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;

+typedef struct _LDR_DATA_TABLE_ENTRY {
+	LIST_ENTRY     LoadOrder;
+	LIST_ENTRY     MemoryOrder;
+	LIST_ENTRY     InitializationOrder;
+	PVOID          ModuleBaseAddress;
+	PVOID          EntryPoint;
+	ULONG          ModuleSize;
+	UNICODE_STRING FullModuleName;
+	UNICODE_STRING ModuleName;
+	ULONG          Flags;
+	USHORT         LoadCount;
+	USHORT         TlsIndex;
+	union {
+		LIST_ENTRY Hash;
+		struct {
+			PVOID SectionPointer;
+			ULONG CheckSum;
+		} s;
+	} u;
+	ULONG   TimeStamp;
+} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
+
 NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
 	_In_      SYSTEM_INFORMATION_CLASS SystemInformationClass,
 	_Inout_   PVOID                    SystemInformation,