Click here to Skip to main content
15,895,746 members
Search within:


Articles / Desktop Programming / MFC
 

Driver to Hide Processes and Files

, ,
Rate me:
Please Sign up or sign in to vote.
4.57/5 (145 votes)
17 Aug 2009CPOL12 min read 660.5K   28.6K   369  
In this article, we describe the driver we created to hide processes and files in a system.
 
#include "userwork.h"
#include "FormatError.h"
#include "HandleGuard.h"
#include "AutoArray.h"
#include "scoped_action.h"

#include "Lm.h"

#ifndef _WIN32_WINNT
    #define _WIN32_WINNT 0x0500
    #include "Sddl.h"
    #undef _WIN32_WINNT
#else
    #include "Sddl.h"
#endif

#include "Mq.h"
#include <wchar.h>

#define BOOST_BIND_ENABLE_STDCALL
#include "boost/bind.hpp"

namespace utils
{
void GetSidByName(const std::wstring& userName,auto_array<BYTE>* sid) 
{
    if(userName.size() == 0)
        throw std::exception("User name can't be empty.");

    std::wstring domainName;

    DWORD dwSidBufferSize = 0;
    DWORD dwDomainBufferSize = 0;

    // Obtain SID and DomainName buffer size by passing NULL to pointer params
    SID_NAME_USE eSidType;
    LookupAccountNameW(NULL, // Local computer           
                      userName.c_str(),
                      NULL, 
                      &dwSidBufferSize, 
                      NULL, 
                      &dwDomainBufferSize,
                      &eSidType);

    if(GetLastError() != ERROR_INSUFFICIENT_BUFFER)
        throw std::runtime_error("Can't get user sid by name: " + GetLastErrorStr());

    // Create buffers for the SID and the domain name.
    sid->reset( new BYTE[dwSidBufferSize] );
    domainName.resize(dwDomainBufferSize);

    // Obtain the SID for the account name passed.
    if (!LookupAccountNameW(NULL, // Local computer            
                            userName.c_str(),
                            (PSID)sid->get(), 
                            &dwSidBufferSize, 
                            (LPWSTR)domainName.c_str(), 
                            &dwDomainBufferSize,
                            &eSidType))
    {
        throw std::runtime_error("Can't get user sid by name: " + GetLastErrorStr());
    }

    if (IsValidSid((PSID)sid->get()) == FALSE)
        throw std::exception("LookupAccountName() returned invalid SID");
}
void GetNameBySid(const auto_array<BYTE>& sid,std::wstring* userName) 
{
    std::wstring domainName;

    DWORD dwNameBufferSize = 0;
    DWORD dwDomainBufferSize = 0;

    // Obtain SID and DomainName buffer size by passing NULL to pointer params
    SID_NAME_USE eSidType;
    LookupAccountSidW(NULL, // Local computer            
                      (PSID)sid.get(),
                      NULL, 
                      &dwNameBufferSize, 
                      NULL, 
                      &dwDomainBufferSize,
                      &eSidType);

    if(GetLastError() != ERROR_INSUFFICIENT_BUFFER)
        throw std::runtime_error("Can't get user name by SID: " + GetLastErrorStr());

    // Create buffers for the name and the domain name.
    userName->resize(dwNameBufferSize);
    domainName.resize(dwDomainBufferSize);

    // Obtain the name for the account SID passed.
    if (!LookupAccountSidW(NULL,  // Local computer           
                           (PSID)sid.get(),
                           (LPWSTR)userName->c_str(),
                           &dwNameBufferSize, 
                           (LPWSTR)domainName.c_str(), 
                           &dwDomainBufferSize,
                           &eSidType))
    {
        throw std::runtime_error("Can't get user name by SID: " + GetLastErrorStr());
    }
}

void GetUserNames(UserNameSidList* userList)
{
    LPUSER_INFO_0 userInfo = NULL;
    DWORD dwEntriesRead = 0;
    DWORD dwTotalEntries = 0;
    DWORD dwResumeHandle = 0;

    NET_API_STATUS status;
    do 
    {
         status = NetUserEnum(NULL,
                              0,
                              FILTER_NORMAL_ACCOUNT, // global users
                              (LPBYTE*)&userInfo,
                              MAX_PREFERRED_LENGTH,
                              &dwEntriesRead,
                              &dwTotalEntries,
                              &dwResumeHandle);
        if ( (status != NERR_Success) && (status != ERROR_MORE_DATA) )
            throw std::runtime_error("Can't enum users: " + GetWinErrorText(status));
      
        NetHandleGuard guard(userInfo);

        //
        // Loop through the entries.
        //
        LPUSER_INFO_0 userInfoPtrCopy = userInfo;
        for (DWORD i = 0; (i < dwEntriesRead); ++i)
        {
            std::wstring userName(userInfoPtrCopy->usri0_name);
            auto_array<BYTE> sid;

            // Retrieve the SID of the user.
            GetSidByName(userName,&sid);

            LPWSTR sidString;
            if( !ConvertSidToStringSidW( (PSID)sid.get(),&sidString) )
                throw std::runtime_error("Can't convert SID to string: " + GetLastErrorStr());
            
            LocalHandleGuard guard(sidString);

            std::wstring sidStr((wchar_t*)sidString);
            userList->push_back(UserNameSidPair(userName,sidStr));

            ++userInfoPtrCopy;
        }
    }
    while (status == ERROR_MORE_DATA);
}
}//namespace utils

By viewing downloads associated with this article you agree to the Terms of Service and the article's licence.

If a file you wish to view isn't highlighted, and is a text file (not binary), please let us know and we'll add colourisation support for it.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Written By
Apriorit Inc
Chief Technology Officer Apriorit Inc.
United States United States
ApriorIT is a software research and development company specializing in cybersecurity and data management technology engineering. We work for a broad range of clients from Fortune 500 technology leaders to small innovative startups building unique solutions.

As Apriorit offers integrated research&development services for the software projects in such areas as endpoint security, network security, data security, embedded Systems, and virtualization, we have strong kernel and driver development skills, huge system programming expertise, and are reals fans of research projects.

Our specialty is reverse engineering, we apply it for security testing and security-related projects.

A separate department of Apriorit works on large-scale business SaaS solutions, handling tasks from business analysis, data architecture design, and web development to performance optimization and DevOps.

Official site: https://www.apriorit.com
Clutch profile: https://clutch.co/profile/apriorit
This is a Organisation

33 members

Written By
Ivan Romanenko
Software Developer Codedgers Inc
Ukraine Ukraine
This member has not yet provided a Biography. Assume it's interesting and varied, and probably something to do with programming.

Written By
Sergey Popenko
Software Developer (Junior) ApriorIT
Ukraine Ukraine
Sergey Popenko.
22 years old.
The Driver Team`s software developer.
Master of the Applied Math faculty, the Dnipropetrovsk National University, Ukraine.

Comments and Discussions

Permalink
Advertise
Privacy
Cookies
Terms of Use
Layout: fixed | fluid

Posted 21 Jan 2009

Article Copyright 2009 by Apriorit Inc, Ivan Romanenko, Sergey Popenko
Everything else Copyright © CodeProject, 1999-2024

Web03 2.8:2024-04-02:1