Inline Hook NtQueryDirectoryFile
Hola!
There are a lot of sample source codes available on the Internet about hooking NtQueryDirectoryFile/ZwQueryDirectoryFile to achieve file hiding on Windows, but most of them use a driver.
It is nothing new anymore and has been discussed throughout the Internet; even the algorithm has been around for a few years. One of my favourite articles, Holy Father's "Invisibility on NT boxes, How to become unseen on Windows NT", digs deeply into a few stealth techniques on Windows. One of these stealth techniques is file hiding.
A short demo video:
The source code can be downloaded here.
Update: [10/05/2010]
Alternative download link: http://www.4shared.com/file/7jaxJs2K/inline_hooks_ntquerydirectoryf.html
Please note that the program does not work under Vista/Windows 7. In order to hide files on Vista or a later OS, you have to use FileIdBothDirectoryInformation in FileInformationClass.
Signing off.
@x9090
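The post's hook works by overwriting the first bytes of the ntdll export with a jump into the hook's own code; the defender's counterpart is to read those bytes back and check whether they still look like an untouched stub. The following is an added example written for this page, not code from the post or its download: the classifier is portable and recognises the three trampoline shapes an inline hook typically leaves (JMP rel32, PUSH/RET, JMP [mem]), and under _WIN32 a main() applies it to the live NtQueryDirectoryFile of the current process. The function name, the 16-byte read length and the sample bytes in the test are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Returns 0 if the stub's first bytes show no hook pattern, 1 for JMP rel32
 * (E9), 2 for PUSH imm32; RET (68 .. C3), 3 for JMP [mem32] (FF 25).
 * stub_addr is where the bytes were read from (needed to resolve rel32);
 * *target receives the jump destination (kinds 1, 2) or the pointer slot
 * the indirect jump reads (kind 3, 32-bit absolute form). */
static int inline_hook_kind(const uint8_t *b, size_t n, uintptr_t stub_addr,
                            uintptr_t *target)
{
    uint32_t imm = 0;
    if (n >= 5 && b[0] == 0xE9) {                       /* JMP rel32 */
        memcpy(&imm, b + 1, 4);
        *target = stub_addr + 5 + (uintptr_t)(intptr_t)(int32_t)imm;
        return 1;
    }
    if (n >= 6 && b[0] == 0x68 && b[5] == 0xC3) {       /* PUSH imm32; RET */
        memcpy(&imm, b + 1, 4); *target = imm; return 2;
    }
    if (n >= 6 && b[0] == 0xFF && b[1] == 0x25) {       /* JMP dword ptr [mem] */
        memcpy(&imm, b + 2, 4); *target = imm; return 3;
    }
    return 0;
}

#ifdef _WIN32
/* Live check of this process: read the first bytes of ntdll!NtQueryDirectoryFile. */
int main(void)
{
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    FARPROC fn = ntdll ? GetProcAddress(ntdll, "NtQueryDirectoryFile") : NULL;
    uintptr_t target = 0;
    int kind;
    if (!fn) { puts("NtQueryDirectoryFile not found"); return 1; }
    kind = inline_hook_kind((const uint8_t *)fn, 16, (uintptr_t)fn, &target);
    if (kind)
        printf("%p: inline hook (kind %d) -> 0x%lx\n", (void *)fn, kind, (unsigned long)target);
    else
        printf("%p: prologue intact\n", (void *)fn);
    return 0;
}
#endif
```

A hooked process can also lie about GetProcAddress or the bytes themselves, so a stronger check compares the in-memory stub with the same export in the on-disk ntdll.dll.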
11 comments:
Are you able to reupload the file to some site?
I'd be thankful.
Hello,
Alternative download link is included.
~x9090
Besides being incredibly badly coded, it also crashes my explorer.exe... anyway, thanks for the contribution.
Hello,
Thanks for your comment.
I understand that this is not very well coded and it is just my prototype on how to implement inline hook.
I'm trying to improve my coding skillz ;)
Btw, I only tested on WinXP SP2 and Windows 7. It would be helpful if you could tell me the OS you are using.
Thanks!
It was working fine on my comp; I left it running while I was working on other things and nothing bad happened with explorer.exe
BUT
My comp suddenly showed me a "countdown until reboot" error, exactly like that MSBLASTER worm that was exploiting RPC was doing (in case you remember).. I am not entirely sure that it was because of your program though.. OS tested was XP SP3..
Thank you for contributing this source code, because I am really having trouble finding code for code injection on the net.. It's very rare..
Would you mind implementing the Win7 and Vista support too, in your spare time?
Also, what I need most, and still can't find any solution to, is a code-injecting hook that will hook wininet.dll in order to grab HTTPS traffic of Internet Explorer...
You could add a donations button, as I am quite confident that many people appreciate your work..
@Sale
As you can see from the source code, there is nothing to do with the RPC shutdown in the program. So I believe that was caused by something else.
For the Win7 implementation, it should not be hard, and yes, I'll try to implement that in future if I have spare time.
Yes, I'm trying to implement the hooking of wininet.dll to capture HTTP traffic by using injection in future, but again no promise when it will be done ;)
Thanks for your appreciation anyway.
Br,
x9090
I tried hooking FileIdBothDirectoryInformation to hide files in Vista & 7 but had no success.
Btw, it crashes on some Windows versions because the NT APIs change on almost every new version of Windows... the best idea for this kind of hooking is to read the bytes you intend to replace, and build the code cave based on these bytes before you write the jump to the original function.
Hello,
how have you compiled MyNtQueryDirectoryFile to get the bytes
0x55,
0x8B, 0xEC,
0x83, 0xE4, 0xF8,
0x83, 0xEC, 0x24,
Can you tell me how to compile NTSTATUS NTAPI MyNtQueryDirectoryFile to get the bytecodes?
Hey, I'm trying it for Windows 7 but it's not working.