#pragma once
#include "Pte.h"
#ifndef _NTIFS_H
#define _NTIFS_H
#include <ntifs.h>
#endif // !_NTIFS_H
// Selector for one hooked/hidden facility.
//
// The Hook* flags of HIDE_INFO (below) are declared in exactly this order,
// and HIDDEN_PROCESS::HideTypes is sized by HIDE_LAST, so this enum presumably
// doubles as the index into that array — confirm in Hide()/IsHidden().
// Keep HIDE_LAST last and append new entries before it; a HIDE_TYPE value that
// originates outside the driver must be range-checked (< HIDE_LAST) before it
// is used as an array index.
enum HIDE_TYPE
{
HIDE_NT_QUERY_INFORMATION_PROCESS,
HIDE_NT_QUERY_SYSTEM_INFORMATION,
HIDE_NT_QUERY_INFORMATION_THREAD,
HIDE_NT_QUERY_INFORMATION_JOB_OBJECT,
HIDE_NT_QUERY_OBJECT,
HIDE_NT_QUERY_SYSTEM_TIME,
HIDE_NT_QUERY_PERFORMANCE_COUNTER,
HIDE_NT_CREATE_USER_PROCESS,
HIDE_NT_CREATE_PROCESS_EX,
HIDE_NT_CREATE_THREAD_EX,
HIDE_NT_SET_CONTEXT_THREAD,
HIDE_NT_GET_CONTEXT_THREAD,
HIDE_NT_OPEN_PROCESS,
HIDE_NT_OPEN_THREAD,
HIDE_NT_SET_INFORMATION_THREAD,
HIDE_NT_SYSTEM_DEBUG_CONTROL,
HIDE_NT_GET_NEXT_PROCESS,
HIDE_NT_YIELD_EXECUTION,
HIDE_NT_CREATE_FILE,
HIDE_NT_CONTINUE,
HIDE_NT_CLOSE,
HIDE_NT_USER_BUILD_HWND_LIST,
HIDE_NT_USER_FIND_WINDOW_EX,
HIDE_NT_USER_QUERY_WINDOW,
HIDE_NT_USER_GET_FOREGROUND_WINDOW,
HIDE_KUSER_SHARED_DATA,
// Paired with HIDE_INFO::HookKiDispatchException — note the name mismatch
// (ExceptionDispatch vs DispatchException); the positional order is what
// lines them up.
HIDE_KI_EXCEPTION_DISPATCH,
HIDE_NT_SET_INFORMATION_PROCESS,
// Count sentinel, not a real hide type.
HIDE_LAST
};
// Request describing what to hide for one target process; consumed by
// Hider::Hide(PHIDE_INFO).
//
// NOTE(review): the struct holds only a PID and BOOLEAN flags, no kernel
// object pointers, so it looks like the buffer supplied from user mode.
// Whatever copies it into the driver should check the supplied length
// against sizeof(HIDE_INFO) and validate Pid before acting on it — confirm
// at the caller, which is not visible in this header.
typedef struct _HIDE_INFO
{
// Process id of the target.
ULONG Pid;
// Hook* flags: one per HIDE_TYPE value, in the same order as that enum.
BOOLEAN HookNtQueryInformationProcess;
BOOLEAN HookNtQuerySystemInformation;
BOOLEAN HookNtQueryInformationThread;
BOOLEAN HookNtQueryInformationJobObject;
BOOLEAN HookNtQueryObject;
BOOLEAN HookNtQuerySystemTime;
BOOLEAN HookNtQueryPerformanceCounter;
BOOLEAN HookNtCreateUserProcess;
BOOLEAN HookNtCreateProcessEx;
BOOLEAN HookNtCreateThreadEx;
BOOLEAN HookNtSetContextThread;
BOOLEAN HookNtGetContextThread;
BOOLEAN HookNtOpenProcess;
BOOLEAN HookNtOpenThread;
BOOLEAN HookNtSetInformationThread;
BOOLEAN HookNtSystemDebugControl;
BOOLEAN HookNtGetNextProcess;
BOOLEAN HookNtYieldExecution;
BOOLEAN HookNtCreateFile;
BOOLEAN HookNtContinue;
BOOLEAN HookNtClose;
BOOLEAN HookNtUserBuildHwndList;
BOOLEAN HookNtUserFindWindowEx;
BOOLEAN HookNtUserQueryWindow;
BOOLEAN HookNtUserGetForegroundWindow;
BOOLEAN HookKuserSharedData;
// Corresponds to HIDE_KI_EXCEPTION_DISPATCH (enum name differs).
BOOLEAN HookKiDispatchException;
BOOLEAN HookNtSetInformationProcess;
// Clear*/Save* flags: per-process state changes; their effect is tracked by
// the *Cleared/*Saved fields of Hider::HIDDEN_PROCESS.
BOOLEAN ClearPebBeingDebugged;
BOOLEAN ClearPebNtGlobalFlag;
BOOLEAN ClearHeapFlags;
BOOLEAN ClearKuserSharedData;
BOOLEAN ClearHideFromDebuggerFlag;
BOOLEAN ClearBypassProcessFreeze;
BOOLEAN ClearProcessBreakOnTerminationFlag;
BOOLEAN ClearThreadBreakOnTerminationFlag;
BOOLEAN SaveProcessDebugFlags;
BOOLEAN SaveProcessHandleTracing;
}HIDE_INFO, * PHIDE_INFO;
// Bookkeeping for processes whose debugger presence is being concealed:
// the per-process/per-thread records, the global list that holds them and
// the interface the rest of the driver uses to manage them.
namespace Hider
{
// Global stop flag for the counter thread (see StopCounterForProcess /
// ResumeCounterForProcess).  NOTE(review): if one thread polls this while
// another writes it, the accesses should be volatile/interlocked — confirm
// in the .cpp.
extern BOOLEAN StopCounterThread;
// Head of the list of HIDDEN_PROCESS records (linked through
// HIDDEN_PROCESS::HiddenProcessesList, presumably).
extern LIST_ENTRY HiddenProcessesHead;
// Guarded mutex; presumably serializes access to HiddenProcessesHead and the
// records hanging off it — confirm which fields it actually covers.
extern KGUARDED_MUTEX HiderMutex;
// 64-bit debug-register image (DR0-DR3, DR6, DR7) plus the last-branch /
// last-exception fields.  Stored per hidden thread as
// HIDDEN_THREAD::FakeDebugContext.
typedef struct _DEBUG_CONTEXT
{
ULONG64 DR0;
ULONG64 DR1;
ULONG64 DR2;
ULONG64 DR3;
ULONG64 DR6;
ULONG64 DR7;
ULONG64 DebugControl;
ULONG64 LastBranchFromRip;
ULONG64 LastBranchToRip;
ULONG64 LastExceptionFromRip;
ULONG64 LastExceptionToRip;
}DEBUG_CONTEXT,* PDEBUG_CONTEXT;
// 32-bit (WOW64) debug-register image; HIDDEN_THREAD::FakeWow64DebugContext.
typedef struct _WOW64_DEBUG_CONTEXT
{
ULONG DR0;
ULONG DR1;
ULONG DR2;
ULONG DR3;
ULONG DR6;
ULONG DR7;
}WOW64_DEBUG_CONTEXT,*PWOW64_DEBUG_CONTEXT;
// Per-process KUSER_SHARED_DATA replacement state.  The Begin* values are a
// snapshot of the original fields and the Delta* values the offsets applied
// to them (inferred from the names — confirm against the code that fills
// them in).
typedef struct _KUSD
{
// Pointer to new KuserSharedData
PKUSER_SHARED_DATA KuserSharedData;
// Pte of virtual page number 7FFE0
PTE* PteKuserSharedData;
// Page frame number of original KuserSharedData
// NOTE(review): a 32-bit PFN covers up to 16 TB of physical memory;
// confirm this matches the PFN width used by Pte.h.
ULONG OriginalKuserSharedDataPfn;
// Begin
ULONG64 BeginInterruptTime;
ULONG64 BeginSystemTime;
ULONG BeginLastSystemRITEventTickCount;
ULONG64 BeginTickCount;
ULONG64 BeginTimeUpdateLock;
ULONG64 BeginBaselineSystemQpc;
// Delta
ULONG64 DeltaInterruptTime;
ULONG64 DeltaSystemTime;
ULONG DeltaLastSystemRITEventTickCount;
ULONG64 DeltaTickCount;
ULONG64 DeltaTimeUpdateLock;
ULONG64 DeltaBaselineSystemQpc;
}KUSD, * PKUSD;
// One thread of a hidden process.  Linked through HiddenThreadList; created
// by AppendThreadList, removed by TruncateThreadList / DeleteThreadList.
typedef struct _HIDDEN_THREAD
{
LIST_ENTRY HiddenThreadList;
// Referenced thread object.  NOTE(review): who takes/drops the reference
// is not visible here — confirm AppendThreadList/DeleteThreadList balance it.
PETHREAD ThreadObject;
// Debug-register images handed back instead of the real ones.
WOW64_DEBUG_CONTEXT FakeWow64DebugContext;
DEBUG_CONTEXT FakeDebugContext;
BOOLEAN IsThreadHidden;
// Saved thread break-on-termination state (see HIDE_INFO::ClearThreadBreakOnTerminationFlag).
BOOLEAN BreakOnTermination;
}HIDDEN_THREAD, * PHIDDEN_THREAD;
// One hidden (debugged) process and everything the hider changed about it,
// so that RemoveEntry can undo it.  Looked up by QueryHiddenProcess.
typedef struct _HIDDEN_PROCESS
{
// Link in HiddenProcessesHead.
LIST_ENTRY HiddenProcessesList;
// Presumably the sentinel/head of this process's HIDDEN_THREAD list — confirm.
HIDDEN_THREAD HiddenThreads;
PEPROCESS DebuggerProcess;
PEPROCESS DebuggedProcess;
// Values reported while the counter is stopped (StopCounterForProcess).
LARGE_INTEGER FakePerformanceCounter;
LARGE_INTEGER FakeSystemTime;
// Indexed by HIDE_TYPE; queried by IsHidden().  Any index must be < HIDE_LAST.
BOOLEAN HideTypes[HIDE_LAST];
BOOLEAN ProcessPaused;
// *Cleared / *Saved: which HIDE_INFO Clear*/Save* actions have been applied,
// and the saved original values (Value*) needed to restore them.
BOOLEAN PebBeingDebuggedCleared;
BOOLEAN HeapFlagsCleared;
BOOLEAN PebNtGlobalFlagCleared;
BOOLEAN KUserSharedDataCleared;
BOOLEAN HideFromDebuggerFlagCleared;
BOOLEAN BypassProcessFreezeFlagCleared;
BOOLEAN ProcessHandleTracingEnabled;
BOOLEAN ProcessBreakOnTerminationCleared;
BOOLEAN ThreadBreakOnTerminationCleared;
BOOLEAN ProcessDebugFlagsSaved;
BOOLEAN ProcessHandleTracingSaved;
BOOLEAN ValueProcessBreakOnTermination;
BOOLEAN ValueProcessDebugFlags;
KUSD Kusd;
}HIDDEN_PROCESS, * PHIDDEN_PROCESS;
// Find the HIDDEN_PROCESS record for DebuggedProcess.  Presumably NULL when
// there is none — confirm; callers must handle that case.
PHIDDEN_PROCESS QueryHiddenProcess(PEPROCESS DebuggedProcess);
// Add a HIDDEN_THREAD for ThreadObject to InterceptedProcess's record and
// return it (NULL on failure, presumably — confirm).
PHIDDEN_THREAD AppendThreadList(PEPROCESS InterceptedProcess, PETHREAD ThreadObject);
// Create / remove the record pairing DebuggerProcess with DebuggedProcess.
// RemoveEntry is keyed by the debugger, CreateEntry by both.
BOOLEAN CreateEntry(PEPROCESS DebuggerProcess, PEPROCESS DebuggedProcess);
BOOLEAN RemoveEntry(PEPROCESS DebuggerProcess);
// Whether HideType is enabled for Process.  HideType indexes
// HIDDEN_PROCESS::HideTypes, so a value reaching here from outside the
// driver must already have been checked against HIDE_LAST.
BOOLEAN IsHidden(PEPROCESS Process, HIDE_TYPE HideType);
// Apply a HIDE_INFO request (see the note on that struct about validating
// it before it gets here).
BOOLEAN Hide(PHIDE_INFO HideInfo);
// Whether SymLink names a driver handle that should be hidden.
BOOLEAN IsDriverHandleHidden(PUNICODE_STRING SymLink);
// One-time setup / teardown of the globals above.
BOOLEAN Initialize();
// Stop / resume the counter for DebuggedProcess (see FakePerformanceCounter,
// FakeSystemTime and StopCounterThread).
BOOLEAN StopCounterForProcess(PEPROCESS DebuggedProcess);
BOOLEAN ResumeCounterForProcess(PEPROCESS DebuggedProcess);
// Whether DebuggerProcess is registered as a debugger in the hidden list.
BOOLEAN IsDebuggerProcess(PEPROCESS DebuggerProcess);
// Name / window / window-class checks.  NOTE(review): these take
// PUNICODE_STRING; if the string comes from user memory the caller must have
// captured and probed Buffer/Length before calling — not visible here.
BOOLEAN IsProcessNameBad(PUNICODE_STRING ProcessName);
BOOLEAN IsProcessWindowBad(PUNICODE_STRING WindowName);
BOOLEAN IsProcessWindowClassBad(PUNICODE_STRING WindowClassName);
// Free every HIDDEN_THREAD of HiddenProcess.
VOID DeleteThreadList(PHIDDEN_PROCESS HiddenProcess);
// Remove the HIDDEN_THREAD for ThreadObject from InterceptedProcess's record.
VOID TruncateThreadList(PEPROCESS InterceptedProcess, PETHREAD ThreadObject);
VOID Uninitialize();
}