hidetoolz不能使用的问题

Posted 2023-04-18

打开进程隐藏程序,报错.Error ZwLoadDriver 0xC0000022.系统的问题,哪个文件要修改下?

参考技术A -- 利用驱动程序隐藏任意进程，目录/文件，注册表，端口[转帖]
查找进程，目录/文件，注册表等操作系统将最终调用 ZwQueryDirectoryFile，ZwQuerySystemInformation，
ZwXXXValueKey 等函数。要想拦截这些函数达到隐藏目的，需先自己实现以上函数，并修改系统维护的一个
SYSCALL 表使之指向自己预先定义的函数。因 SYSCALL 表在用户层不可见，所以要写 DRIVE 在 RING 0 下
才可修改。--
查找端口用的是 TDI 查询。TDI 导出了两个设备 \\Device\\Tcp 与 \\Device\\Udp。我们可以利
用设备过滤驱动的方法写一个 DRIVE 把这两个设备的所有 IRP 包接管过来进行处理后再传给下层驱动。以达到
隐藏任意端口的目的。上述提到的方法不是新东西，是在N年前就已经有的老技术。俺衷诮 隼粗徊还 ?
充实下版面，灌灌水罢了。高手们还是别看了。下面是我 DRIVE 中隐藏任意进程，目录/文件，端口代码片段。
（注册表操作在 RegMon 中写的很详细，这里就不列出了） --
typedef struct _FILETIME

DWORD dwLowDateTime;
DWORD dwHighDateTime;
FILETIME;
typedef struct _DirEntry

DWORD dwLenToNext;
DWORD dwAttr;
FILETIME ftCreate, ftLastAccess, ftLastWrite;
DWORD dwUnknown[ 2 ];
DWORD dwFileSizeLow;
DWORD dwFileSizeHigh;
DWORD dwUnknown2[ 3 ];
WORD wNameLen;
WORD wUnknown;
DWORD dwUnknown3;
WORD wShortNameLen;
WCHAR swShortName[ 12 ];
WCHAR suName[ 1 ];
DirEntry, *PDirEntry; struct _SYSTEM_THREADS

LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientIs;
KPRIORITY Priority;
KPRIORITY BasePriority;
ULONG ContextSwitchCount;
ULONG ThreadState;
KWAIT_REASON WaitReason;
; --
struct _SYSTEM_PROCESSES

ULONG NextEntryDelta;
ULONG ThreadCount;
ULONG Reserved[6];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName;
KPRIORITY BasePriority;
ULONG ProcessId;
ULONG InheritedFromProcessId;
ULONG HandleCount;
ULONG Reserved2[2];
VM_COUNTERS VmCounters;
IO_COUNTERS IoCounters;
struct _SYSTEM_THREADS Threads[1];
;--
// 隐藏目录/文件
NTSTATUS HookZwQueryDirectoryFile(
IN HANDLE hFile,
IN HANDLE hEvent OPTIONAL,
IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
IN PVOID IoApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK piostatusBlock,
OUT PVOID FileInformationBuffer,
IN ULONG FileInformationBufferLength,
IN FILE_INFORMATION_CLASS FileInfoClass,
IN BOOLEAN bReturnOnlyOneEntry,
IN PUNICODE_STRING PathMask OPTIONAL,
IN BOOLEAN bRestartQuery)

NTSTATUS rc;
CHAR aProcessName[80];
ANSI_STRING ansiFileName,ansiDirName;
UNICODE_STRING uniFileName;
PP_DIR ptr; WCHAR ParentDirectory[1024] = 0;
int BytesReturned;
PVOID Object;
--
// 执行旧的ZwQueryDirectoryFile函数
rc = ((ZWQUERYDIRECTORYFILE)(OldZwQueryDirectoryFile))(
hFile,
hEvent,
IoApcRoutine,
IoApcContext,
pIoStatusBlock,
FileInformationBuffer,
FileInformationBufferLength,
FileInfoClass,
bReturnOnlyOneEntry,
PathMask,
bRestartQuery);if(NT_SUCCESS(rc))

PDirEntry p;
PDirEntry pLast;
BOOL bLastOne;
int found;
p = (PDirEntry)FileInformationBuffer; // 将查找出来结果赋给结构
pLast = NULL;
--
do

bLastOne = !( p->dwLenToNext );
RtlInitUnicodeString(&uniFileName,p->suName);
RtlUnicodeStringToAnsiString(&ansiFileName,&uniFileName,TRUE);
RtlUnicodeStringToAnsiString(&ansiDirName,&uniFileName,TRUE);
RtlUpperString(&ansiFileName,&ansiDirName);
found=0;// 在链表中查找是否包含当前目录
for(ptr = list_head; ptr != NULL; ptr = ptr->next)

if (ptr->flag != PTR_HIDEDIR) continue;
if( RtlCompareMemory( ansiFileName.Buffer, ptr->name,strlen(ptr->name) ) == strlen(ptr->name))

found=1;
break;

//end for--
// 如果链表中包含当前目录，隐藏
if(found)

if(bLastOne)

if(p == (PDirEntry)FileInformationBuffer )

rc = 0x80000006; //隐藏

else
pLast->dwLenToNext = 0;
break;

else

int iPos = ((ULONG)p) - (ULONG)FileInformationBuffer;
int iLeft = (DWORD)FileInformationBufferLength - iPos - p->dwLenToNext;
RtlCopyMemory( (PVOID)p, (PVOID)( (char *)p p->dwLenToNext ), (DWORD)iLeft );
continue;


pLast = p;
p = (PDirEntry)((char *)p p->dwLenToNext );
while( !bLastOne );
RtlFreeAnsiString(&ansiDirName);
RtlFreeAnsiString(&ansiFileName);

return(rc);
// 隐藏进程 NTSTATUS HookZwQuerySystemInformation(
IN ULONG SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength)
NTSTATUS rc;
ANSI_STRING process_name,process_uname,process_name1,process_name2;
BOOL g_hide_proc = TRUE;
CHAR aProcessName[80];
PP_DIR ptr;
int found;
// 执行旧的ZwQuerySystemInformation函数 rc = ((ZWQUERYSYSTEMINFORMATION)(OldZwQuerySystemInformation)) (
SystemInformationClass,
SystemInformation,
SystemInformationLength,
ReturnLength ); if(NT_SUCCESS(rc ))

if( g_hide_proc && (5 == SystemInformationClass))

// 将查找出来结果赋给结构
struct _SYSTEM_PROCESSES *curr = (struct _SYSTEM_PROCESSES *)SystemInformation;
struct _SYSTEM_PROCESSES *prev = NULL;
// 遍历进程
while(curr)
if((0 < process_name.Length) && (255 > process_name.Length))

found=0;
// 遍历链表
for (ptr=list_head;ptr!=NULL;ptr=ptr->next )

if (ptr->flag != PTR_HIDEPROC) continue ;if (memcmp(process_name.Buffer,ptr->name,strlen(ptr->name)) == 0)

found =1;
// 判断如果是隐藏进程名则覆盖掉此进程名
while(found)

if(prev)

if(curr->NextEntryDelta)

prev->NextEntryDelta = curr->NextEntryDelta;

else

prev->NextEntryDelta = 0;


else

if(curr->NextEntryDelta)

(char *)SystemInformation = curr->NextEntryDelta;

else

SystemInformation = NULL;

if(curr->NextEntryDelta)((char *)curr = curr->NextEntryDelta);
else

curr = NULL;break;

// 遍历链表
found = 0;
for (ptr=list_head;ptr!=NULL;ptr=ptr->next )

if (ptr->flag != PTR_HIDEPROC) continue ;if (memcmp(process_name.Buffer,ptr->name,strlen(ptr->name)) == 0)

found = 1;



if(curr != NULL)

prev = curr;
if(curr->NextEntryDelta) ((char *)curr = curr->NextEntry Delta);
else curr = NULL;




return(rc);

//隐藏端口
PDEVICE_OBJECT m_TcpgetDevice; PDEVICE_OBJECT TcpDevice;
UNICODE_STRING TcpDeviceName;
PDRIVER_OBJECT TcpDriver;
PDEVICE_OBJECT TcpgetDevice;
PDEVICE_OBJECT FilterDevice
PDRIVER_DISPATCH Empty;
NTSTATUS status; Empty = DriverObject->MajorFunction[IRP_MJ_CREATE]; RtlInitUnicodeString( &TcpDeviceName, L"\\Device\\Tcp"); //得到已有的设备指针 status = IoGetDeviceObjectPointer( &TcpDeviceName,
FILE_ALL_ACCESS,
&FileObject,
&TcpDevice
);
if(!NT_SUCCESS(status))

DbgPrint("IoGetDeviceObjectPointer error!\n");
return status;

DbgPrint("IoGetDeviceObjectPointer ok!\n");// 建立设备
status = IoCreateDevice( DriverObject,
sizeof(DEVICE_EXTENSION),
NULL,
FILE_DEVICE_UNKNOWN,
0,
FALSE,
&FilterDevice
);
if(!NT_SUCCESS(status))

return status;

// 加入设备
TcpgetDevice = IoAttachDeviceToDeviceStack( FilterDevice, TcpDevice); if(!TcpgetDevice)

IoDeleteDevice(FilterDevice);
DbgPrint("IoAttachDeviceToDeviceStack error!\n");
return STATUS_SUCCESS;
m_TcpgetDevice = TcpgetDevice;// 加到过滤函数中处理
for(i=0;i<IRP_MJ_MAXIMUM_FUNCTION;i )

if((TcpDriver->MajorFunction[i]!=Empty)&&(DriverObject->MajorFunction[i]==Empty))

DriverObject->MajorFunction[i] = PassThrough;
ObDereferenceObject(FileObject); //这里是一个不懂的地方,原文也说明NTSTATUS PassThrough( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp )

NTSTATUS status;
PIO_STACK_LOCATION pIrpStack; pIrpStack = IoGetCurrentIrpStackLocation( Irp );
//如是查询则完成 IRP
if ( pIrpStack->Parameters.DeviceIoControl.IoControlCode == QUERY_INFORMATION_EX)

//这里可以近一步判断某个端口 Irp->IoStatus.Status=STATUS_SUCCESS;
IoCompleteRequest(Irp,IO_NO_INCREMENT);
return STATUS_SUCCESS;
//复制当前 IRP
IoCopyCurrentIrpStackLocationToNext(Irp);IoSetCompletionRoutine( Irp,
GenericCompletion,
NULL,
TRUE,
TRUE,
TRUE
);
//传递
return IoCallDriver( m_TcpgetDevice, Irp);

我不能使用 RTCVideoRenderer 的镜像属性。如何解决这个问题？

【中文标题】我不能使用 RTCVideoRenderer 的镜像属性。如何解决这个问题？

【英文标题】：i cant use RTCVideoRenderer's mirror property.. How resolve this problem?

【发布时间】：2021-01-09 16:53:11

【问题描述】：

我正在使用 Flutter、WebRTC 制作视频通话应用程序。

我的 IDE 是 Android Studio。

我正在使用 RTCVideoRenderer。

但我不能使用 renderVideo 属性..

我搜索了RTCVideoRenderer的用法。

此链接描述了可以使用的 renderVideo 属性。

但我不能使用 renderVideo 属性..

这是错误信息：

There isn’t a setter named 'renderVideo' in class 'RTCVideoRenderer'.  Try correcting the name to reference an existing setter, or declare the setter.

如何解决...这个问题？？？

我可以使用另一个属性..

【参考方案1】：

首先你初始化一个渲染器

 final _yourRenderer = RTCVideoRenderer();

当你想显示它时使用：

RTCVideoView(_yourRenderer, mirror: true,)