Saturday, April 24, 2010

[DOC] Inline Hook NtQueryDirectoryFile

There is a lot of sample source code available on the Internet about hooking NtQueryDirectoryFile/ZwQueryDirectoryFile to achieve file hiding on Windows, but most of it uses a driver.

This is nothing new; it has been discussed throughout the Internet, and the algorithm has been around for a few years. One of my favourite articles, Holy Father's "Invisibility on NT boxes, How to become unseen on Windows NT", digs deeply into a few stealth techniques on Windows. One of these stealth techniques is file hiding.

A short demo video:

The source code can be downloaded here.

Update: [10/05/2010]

Alternative download link:

Please note that the program does not work under Vista/Windows 7. To hide files on Vista or a later OS, you have to use FileIdBothDirectoryInformation as the FileInformationClass.
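As an added, defender-side example (not the author's code and not part of the download above): a check for the kind of user-mode inline hook this post describes, which classifies the first bytes of a native API stub such as ntdll!NtQueryDirectoryFile and compares them with a pristine copy. It assumes the 64-bit ntdll stub prologue; on a real system the live bytes would come from the address GetProcAddress returns and the clean bytes from ntdll.dll mapped from disk, whereas the byte arrays here are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdict for the first bytes of a native API stub such as ntdll!NtQueryDirectoryFile. */
enum stub_verdict {
    STUB_CLEAN,        /* expected 64-bit prologue: mov r10, rcx ; mov eax, imm32 */
    STUB_JMP_REL32,    /* E9 rel32: relative jmp written over the prologue */
    STUB_JMP_INDIRECT, /* FF 25 disp32: jmp qword ptr [rip+disp32] */
    STUB_PUSH_RET,     /* 68 imm32 C3: push target ; ret */
    STUB_MOV_JMP,      /* 48 B8 imm64 FF E0: mov rax, target ; jmp rax */
    STUB_UNKNOWN       /* anything else: inspect by hand */
};

/* Assumption: 64-bit ntdll Nt/Zw stubs begin with 4C 8B D1 B8 (mov r10,rcx ; mov eax,N). */
static const uint8_t kX64Prologue[] = { 0x4C, 0x8B, 0xD1, 0xB8 };

enum stub_verdict classify_stub(const uint8_t *code, size_t len)
{
    if (len >= 4 && memcmp(code, kX64Prologue, 4) == 0)       return STUB_CLEAN;
    if (len >= 5 && code[0] == 0xE9)                           return STUB_JMP_REL32;
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25)        return STUB_JMP_INDIRECT;
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3)        return STUB_PUSH_RET;
    if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8 &&
        code[10] == 0xFF && code[11] == 0xE0)                  return STUB_MOV_JMP;
    return STUB_UNKNOWN;
}

/* Cross-check the live bytes against the same bytes from a pristine copy of the
   module (e.g. ntdll.dll mapped read-only from disk). Returns the offset of the
   first differing byte, or -1 when the two prologues are identical. */
long first_patched_offset(const uint8_t *live, const uint8_t *clean, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (live[i] != clean[i]) return (long)i;
    return -1;
}

/* Constructed samples (not captured from a real machine): a Windows 7 x64 style stub,
   and the same stub after a 5-byte relative jmp has been written over its prologue. */
const uint8_t kCleanStub[]  = { 0x4C,0x8B,0xD1, 0xB8,0x35,0x00,0x00,0x00, 0x0F,0x05, 0xC3 };
const uint8_t kHookedStub[] = { 0xE9,0x10,0x20,0x30,0x40, 0x00,0x00,0x00, 0x0F,0x05, 0xC3 };

int main(void)
{
    printf("clean  -> verdict %d\n", classify_stub(kCleanStub, sizeof kCleanStub));
    printf("hooked -> verdict %d, first patched byte at offset %ld\n",
           classify_stub(kHookedStub, sizeof kHookedStub),
           first_patched_offset(kHookedStub, kCleanStub, sizeof kCleanStub));
    return 0;
}
```

The same check works for 32-bit ntdll or other functions by swapping in the expected prologue bytes; a verdict other than STUB_CLEAN, or a non-negative patched offset, is what a scanner should raise for review.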

Signing off.