Saturday, April 24, 2010

[DOC] Inline Hook NtQueryDirectoryFile

There is a lot of sample source code available on the Internet that hooks NtQueryDirectoryFile/ZwQueryDirectoryFile to achieve file hiding on Windows, but most of it uses a driver.

It is nothing new anymore: it has been discussed throughout the Internet, and the algorithm has been around for a few years. One of my favourite articles, Holy Father's "Invisibility on NT boxes, How to become unseen on Windows NT", digs deeply into a few stealth techniques on Windows. One of these stealth techniques is file hiding.

A short demo video:

The source code can be downloaded here.

Update: [10/05/2010]

Alternative download link:

Please note that the program does not work under Vista/Windows 7. In order to hide files on Vista or a later OS, you have to use FileIdBothDirectoryInformation as the FileInformationClass.

Signing off.
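From the defender's side, a user-mode inline hook like this one shows up as a difference between an export's first bytes in memory and the same bytes in the DLL file on disk. The check below is an added example, not part of the original post or its downloadable source; the sample bytes, addresses and all function names are constructed for illustration, and it assumes the caller has already read both byte ranges.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { CLEAN, MODIFIED, REDIRECTED };

/* Constructed sample bytes (not from the post): an export's first ten bytes as
   read from the DLL on disk, and as mapped in a process after a jmp rel32 patch. */
static const uint8_t ON_DISK[10]   = {0xB8,0x91,0x00,0x00,0x00,0xBA,0x00,0x03,0xFE,0x7F};
static const uint8_t IN_MEMORY[10] = {0xE9,0xFB,0xEF,0xFF,0x0F,0xBA,0x00,0x03,0xFE,0x7F};
#define FUNC_ADDR   0x10001000u  /* constructed address of the export */
#define MODULE_BASE 0x10000000u  /* constructed image base of the DLL */
#define MODULE_SIZE 0x00100000u  /* constructed image size            */

/* x86 control transfers commonly written over a prologue by inline hooks:
   E9 rel32, EB rel8, FF 25 [mem], and 68 imm32 followed by C3 (push + ret). */
static int starts_with_redirect(const uint8_t *p, size_t n) {
    if (n >= 5 && p[0] == 0xE9) return 1;
    if (n >= 2 && p[0] == 0xEB) return 1;
    if (n >= 6 && p[0] == 0xFF && p[1] == 0x25) return 1;
    if (n >= 6 && p[0] == 0x68 && p[5] == 0xC3) return 1;
    return 0;
}

/* Compare mapped bytes with the on-disk copy. MODIFIED means "differs, but not
   a recognised redirect" (for example relocation fix-ups or another patch). */
enum verdict check_prologue(const uint8_t *mem, const uint8_t *disk, size_t n) {
    if (memcmp(mem, disk, n) == 0) return CLEAN;
    return starts_with_redirect(mem, n) ? REDIRECTED : MODIFIED;
}

/* Absolute destination of an "E9 rel32" at address addr (32-bit wraparound). */
uint32_t jmp_rel32_target(const uint8_t *p, uint32_t addr) {
    uint32_t rel = p[1] | ((uint32_t)p[2] << 8) | ((uint32_t)p[3] << 16) | ((uint32_t)p[4] << 24);
    return addr + 5u + rel;
}

/* A destination outside the owning module's image is the strongest signal. */
int outside_module(uint32_t target, uint32_t base, uint32_t size) {
    return target < base || target - base >= size;
}

int main(void) {
    uint32_t t = jmp_rel32_target(IN_MEMORY, FUNC_ADDR);
    printf("verdict=%d target=0x%08X outside=%d\n", (int)check_prologue(IN_MEMORY, ON_DISK, 10),
           (unsigned)t, outside_module(t, MODULE_BASE, MODULE_SIZE));
    return 0;
}
```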


em3 said...

Are you able to re-upload the file to some site?

I'd be thankful.

x9090 said...


Alternative download link is included.


vonPY8n6 said...

Besides being incredibly badly coded, it also crashes my explorer.exe... Anyway, thanks for the contribution.

x9090 said...


Thanks for your comment.

I understand that this is not very well coded and it is just my prototype on how to implement an inline hook.

I'm trying to improve my coding skillz ;)

Btw, I only tested on WinXP sp2 and Windows 7. It is helpful if you can provide me the OS you are using.


Sale said...

It was working fine on my comp, I left it running while I was working on other things and nothing bad happened with explorer.exe.
My comp suddenly showed me a "countdown until reboot" error, exactly like what the MSBLASTER worm that was exploiting RPC was doing (in case you remember). I am not entirely sure that it was because of your program though. The OS tested was XP SP3.

Thank you for contributing this source code, because I am really having trouble finding code for code injecting on the net. It's very rare.

Would you mind implementing Win7 and Vista support too, in your spare time?

Also, what I need most, and still can't find any solution to code injecting hook that will hook wininet.dll in order to grab HTTPS traffic of Internet Explorer...

You could add a donations button as I am quite confident that many people appreciate your work.

x9090 said...


As you can see from the source code, there is nothing to do with the RPC shutdown in the program. So I believe that was caused by something else.

For the Win7 implementation, it should not be hard and yes I'll try to implement that in future if I have spare time.

Yes, I'm trying to implement the hooking of wininet.dll to capture HTTP traffic by using injection in future, but again no promise when it will be done ;)

Thanks for your appreciation anyway.


Anonymous said...

I tried hooking FileIdBothDirectoryInformation to hide files in Vista & 7 but no success.

Anonymous said...

Btw, it crashes on some Windows versions because NT APIs change on almost every new version of Windows... The best idea to do this kind of hooking is to read the bytes you intend to replace, and make up the codecave based on these bytes before you write the jump to the original function.

abhijit mohanta said...

How have you compiled the MyNtQueryDirectoryFile to get the bytes

0x8B, 0xEC,
0x83, 0xE4, 0xF8,
0x83, 0xEC, 0x24,

abhijit mohanta said...

Can you tell me how to compile NTSTATUS NTAPI MyNtQueryDirectoryFile to get the bytecodes?

Anonymous said...

Hey, I'm trying it for Windows 7 but it's not working.