From a0b5d569550c4644eeb5df9ee38cbae4d22a1247 Mon Sep 17 00:00:00 2001
From: VeroFess <coderzeng@hotmail.com>
Date: Wed, 23 Nov 2022 13:10:20 +0800
Subject: [PATCH] Add NtQueryObject Hook

---
 SbieHide/LibEntry.cpp | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/SbieHide/LibEntry.cpp b/SbieHide/LibEntry.cpp
index 0471dde..ba572f1 100644
--- a/SbieHide/LibEntry.cpp
+++ b/SbieHide/LibEntry.cpp
@@ -17,6 +17,8 @@
 
 typedef NTSTATUS(NTAPI* NtQueryVirtualMemoryType)(_In_ HANDLE ProcessHandle, _In_opt_ PVOID BaseAddress, _In_ MEMORY_INFORMATION_CLASS MemoryInformationClass, _Out_writes_bytes_(MemoryInformationLength) PVOID MemoryInformation, _In_ SIZE_T MemoryInformationLength, _Out_opt_ PSIZE_T ReturnLength);
 NtQueryVirtualMemoryType NtQueryVirtualMemorySaved = nullptr;
+typedef NTSTATUS(NTAPI* NtQueryObjectType)(_In_opt_ HANDLE Handle, _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass, _Out_writes_bytes_opt_(ObjectInformationLength) PVOID ObjectInformation, _In_ ULONG ObjectInformationLength, _Out_opt_ PULONG ReturnLength);
+NtQueryObjectType NtQueryObjectSaved = nullptr;
 
 VOID EraseModuleNameFromPeb(PCWCH ModuleToHide) {
 	PPEB                      ProcessEnvironmentBlock = nullptr;
@@ -70,6 +72,35 @@ NTSTATUS NTAPI NtQueryVirtualMemoryProxy(_In_ HANDLE ProcessHandle, _In_opt_ PVO
 	return Status;
 }
 
+NTSTATUS NTAPI NtQueryObjectProxy(_In_opt_ HANDLE Handle, _In_ OBJECT_INFORMATION_CLASS ObjectInformationClass, _Out_writes_bytes_opt_(ObjectInformationLength) PVOID ObjectInformation, _In_ ULONG ObjectInformationLength, _Out_opt_ PULONG ReturnLength) {
+	NTSTATUS Status = STATUS_SUCCESS;
+
+	Status = NtQueryObjectSaved(Handle, ObjectInformationClass, ObjectInformation, ObjectInformationLength, ReturnLength);
+
+	if (NT_SUCCESS(Status) && ObjectInformationClass == ObjectNameInformation) {
+		UNICODE_STRING ObjectName = {};
+
+		if (!NT_SUCCESS(RtlUpcaseUnicodeString(&ObjectName, &reinterpret_cast<POBJECT_NAME_INFORMATION>(ObjectInformation)->Name, TRUE))) {
+			return Status;
+		}
+
+		if (ObjectName.Buffer == NULL || ObjectName.Length == 0) {
+			RtlFreeUnicodeString(&ObjectName);
+			return Status;
+		}
+
+		if ((wcsstr(ObjectName.Buffer, L"SBIEDLL") != 0) || (wcsstr(ObjectName.Buffer, L"SBIEHIDE") != 0)) {
+			RtlZeroMemory(reinterpret_cast<POBJECT_NAME_INFORMATION>(ObjectInformation)->Name.Buffer, reinterpret_cast<POBJECT_NAME_INFORMATION>(ObjectInformation)->Name.MaximumLength);
+			reinterpret_cast<POBJECT_NAME_INFORMATION>(ObjectInformation)->Name.Length = 0;
+		}
+
+		RtlFreeUnicodeString(&ObjectName);
+
+		return STATUS_ACCESS_DENIED;
+	}
+
+	return Status;
+}
 
 
 BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
@@ -89,6 +120,14 @@ BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
 			return FALSE;
 		}
 
+		if (MH_CreateHook(NtQueryObject, NtQueryObjectProxy, reinterpret_cast<PVOID*>(&NtQueryObjectSaved)) != MH_OK) {
+			return FALSE;
+		}
+
+		if (MH_EnableHook(NtQueryObject) != MH_OK) {
+			return FALSE;
+		}
+
 		EraseModuleNameFromPeb(L"SbieHide.dll");
 		EraseModuleNameFromPeb(L"SbieDll.dll");
 		break;