A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about user-mode development.
#9657 by __fastcall, Fri Nov 11, 2011 5:23 pm
I've just a little question: is it possible to hide a file in Explorer by hooking SSDT functions?
And if it's possible, could somebody give me a hint which SSDT functions I need to hook?
Thanks.
~__fastcall
#9658 by xqrzd, Fri Nov 11, 2011 7:03 pm
It's possible, but you have to bypass PatchGuard first; fyyre has some tools for that: http://fyyre.ivory-tower.de
You would probably want to hook ZwQueryDirectoryFile, which, if you only want to hide files in explorer.exe, could be done with a user-mode inline hook: http://x9090.blogspot.com/2010/04/doc-i ... yfile.html
Probably the easiest way is to just write a FS filter driver.
#9661 by __fastcall, Fri Nov 11, 2011 8:59 pm
Are you sure that I need to bypass PatchGuard? I thought it's for ring 0, and I write a ring-3 DLL I'll inject into explorer which should hook NtQueryDirectoryFile.
#9678 by _Lynn, Sat Nov 12, 2011 8:16 am
The system service descriptor table is a global structure in ntoskrnl, which is ring 0 as it were. If you have an x64 version of Windows 7 you would need to bypass PatchGuard in order to write in a new function pointer, otherwise not. He means your other option would be to hook Explorer from user mode with an inline hook on whatever native routine is responsible for this.
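The defensive counterpart to the user-mode inline hook on NtQueryDirectoryFile discussed in the thread is checking whether the ntdll stub inside a process still matches the copy on disk. The following is an added example, not code from the thread or from any linked tool: it classifies the first bytes of a stub against a constructed on-disk reference and the canonical Windows 7 x64 stub shape. The service number and the byte strings are constructed for illustration; a real check would read the bytes from the target process and from ntdll.dll.

```python
"""Spot a user-mode inline hook on an ntdll syscall stub (e.g. the one
for NtQueryDirectoryFile) by comparing in-process bytes with the
on-disk image and recognising common detour prologues."""
import struct

# Canonical Windows 7 x64 ntdll stub layout:
#   4C 8B D1          mov  r10, rcx
#   B8 xx xx 00 00    mov  eax, <service number>
#   0F 05             syscall
#   C3                ret
STUB_PREFIX = b"\x4c\x8b\xd1\xb8"

def stub_service_number(code: bytes):
    """Return the service number encoded in a canonical stub, else None."""
    if len(code) >= 8 and code.startswith(STUB_PREFIX):
        return struct.unpack_from("<I", code, 4)[0]
    return None

def classify_prologue(in_memory: bytes, on_disk: bytes) -> str:
    """Compare a function's first bytes in a live process with the same
    bytes from the module on disk and describe any detour found."""
    if in_memory[:len(on_disk)] == on_disk:
        return "clean"
    if in_memory[0] == 0xE9:                       # jmp rel32 (5-byte detour)
        rel = struct.unpack_from("<i", in_memory, 1)[0]
        return f"inline hook: jmp rel32 (displacement {rel:#x})"
    if in_memory[:2] == b"\xff\x25":               # jmp [rip+disp32] (6 bytes)
        return "inline hook: jmp [rip+disp32]"
    if in_memory[:2] == b"\x48\xb8" and in_memory[10:12] == b"\xff\xe0":
        return "inline hook: mov rax, imm64; jmp rax (12 bytes)"
    return "modified: prologue differs from disk, pattern unknown"

# CONSTRUCTED samples: service number 0xDA is a placeholder, not a real
# table entry, and the detour target is arbitrary.
ON_DISK = b"\x4c\x8b\xd1\xb8\xda\x00\x00\x00\x0f\x05\xc3"
HOOKED = b"\xe9\x10\x20\x30\x00" + ON_DISK[5:]   # first 5 bytes overwritten

if __name__ == "__main__":
    for name, code in (("on-disk stub", ON_DISK), ("in-memory stub", HOOKED)):
        print(f"{name}: {classify_prologue(code, ON_DISK)}; "
              f"service number {stub_service_number(code)}")
```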