拦截驱动加载
#include "ntddk.h"
#include <windef.h>
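/*
 * DOS ("MZ") header found at offset 0 of every PE image.
 *
 * Layout per the PE/COFF specification: e_res is 4 WORDs and e_res2 is
 * 10 WORDs, which is what places e_lfanew at offset 0x3C.  The listing as
 * posted had lost the array bounds (and the whitespace between type and
 * field name), so e_lfanew landed at offset 0x24 and
 * GetDriverEntryByImageBase would have read an unrelated field as the PE
 * header offset.
 *
 * NOTE(review): ntddk.h in current WDKs pulls in ntimage.h, which already
 * declares IMAGE_DOS_HEADER / IMAGE_NT_HEADERS.  If that applies to this
 * build these local copies are redundant and will conflict -- confirm.
 */
typedef struct _IMAGE_DOS_HEADER {      // DOS .EXE header
    WORD  e_magic;                      // Magic number ('MZ' == 0x5A4D)
    WORD  e_cblp;                       // Bytes on last page of file
    WORD  e_cp;                         // Pages in file
    WORD  e_crlc;                       // Relocations
    WORD  e_cparhdr;                    // Size of header in paragraphs
    WORD  e_minalloc;                   // Minimum extra paragraphs needed
    WORD  e_maxalloc;                   // Maximum extra paragraphs needed
    WORD  e_ss;                         // Initial (relative) SS value
    WORD  e_sp;                         // Initial SP value
    WORD  e_csum;                       // Checksum
    WORD  e_ip;                         // Initial IP value
    WORD  e_cs;                         // Initial (relative) CS value
    WORD  e_lfarlc;                     // File address of relocation table
    WORD  e_ovno;                       // Overlay number
    WORD  e_res[4];                     // Reserved words
    WORD  e_oemid;                      // OEM identifier (for e_oeminfo)
    WORD  e_oeminfo;                    // OEM information; e_oemid specific
    WORD  e_res2[10];                   // Reserved words
    LONG  e_lfanew;                     // File offset of the PE ("new exe") header; at 0x3C
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;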
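/*
 * One entry of the optional header's data directory: an RVA plus the size
 * of the table it points at (export, import, relocation, ...).
 * The posted listing had the type fused to the field name ("DWORDVirtualAddress"),
 * which does not compile; restored here.
 */
typedef struct _IMAGE_DATA_DIRECTORY {
    DWORD VirtualAddress;               // RVA of the table
    DWORD Size;                         // Size of the table in bytes
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;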
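/*
 * PE32 (32-bit) optional header.  This is the 32-bit layout: it carries
 * BaseOfData and a 32-bit ImageBase, so it does NOT describe PE32+ images.
 * The only field this file reads is AddressOfEntryPoint, which sits at
 * offset 0x10 in both PE32 and PE32+, so the code still works for either.
 *
 * Fixes relative to the posted listing: type/field whitespace restored
 * (would not compile otherwise), and DataDirectory is the spec's array of
 * 16 entries rather than a single entry -- without that the struct is 120
 * bytes short, which matters to anything that relies on sizeof or on the
 * directory entries.
 */
typedef struct _IMAGE_OPTIONAL_HEADER {
    //
    // Standard fields.
    //
    WORD  Magic;                        // 0x10B for PE32
    BYTE  MajorLinkerVersion;
    BYTE  MinorLinkerVersion;
    DWORD SizeOfCode;
    DWORD SizeOfInitializedData;
    DWORD SizeOfUninitializedData;
    DWORD AddressOfEntryPoint;          // RVA of the entry point; offset 0x10 (shared with PE32+)
    DWORD BaseOfCode;
    DWORD BaseOfData;                   // PE32 only
    //
    // NT additional fields.
    //
    DWORD ImageBase;                    // 32-bit in PE32 (64-bit in PE32+)
    DWORD SectionAlignment;
    DWORD FileAlignment;
    WORD  MajorOperatingSystemVersion;
    WORD  MinorOperatingSystemVersion;
    WORD  MajorImageVersion;
    WORD  MinorImageVersion;
    WORD  MajorSubsystemVersion;
    WORD  MinorSubsystemVersion;
    DWORD Win32VersionValue;
    DWORD SizeOfImage;
    DWORD SizeOfHeaders;
    DWORD CheckSum;
    WORD  Subsystem;
    WORD  DllCharacteristics;
    DWORD SizeOfStackReserve;
    DWORD SizeOfStackCommit;
    DWORD SizeOfHeapReserve;
    DWORD SizeOfHeapCommit;
    DWORD LoaderFlags;
    DWORD NumberOfRvaAndSizes;          // how many DataDirectory entries are valid
    IMAGE_DATA_DIRECTORY DataDirectory[16];  // IMAGE_NUMBEROF_DIRECTORY_ENTRIES
} IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER;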
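/*
 * COFF file header that follows the "PE\0\0" signature.  20 bytes.
 * Whitespace between type and field name restored (the posted listing
 * had "WORDMachine" etc., which does not compile).
 */
typedef struct _IMAGE_FILE_HEADER {
    WORD  Machine;                      // target architecture
    WORD  NumberOfSections;
    DWORD TimeDateStamp;
    DWORD PointerToSymbolTable;
    DWORD NumberOfSymbols;
    WORD  SizeOfOptionalHeader;         // size of the IMAGE_OPTIONAL_HEADER that follows
    WORD  Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;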
/*
 * PE header located at ImageBase + IMAGE_DOS_HEADER.e_lfanew.
 * Signature (4) + IMAGE_FILE_HEADER (20) puts OptionalHeader at offset 0x18,
 * which is the only offset GetDriverEntryByImageBase depends on.
 */
typedef struct _IMAGE_NT_HEADERS {
DWORD Signature;                        // 'PE\0\0' == 0x00004550
IMAGE_FILE_HEADER FileHeader;
IMAGE_OPTIONAL_HEADER OptionalHeader; // 0x18
} IMAGE_NT_HEADERS, *PIMAGE_NT_HEADERS;
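/*
 * Resolve the entry point (DriverEntry) of a PE image that is already mapped
 * at ImageBase: MZ header -> e_lfanew -> PE header ->
 * OptionalHeader.AddressOfEntryPoint.
 *
 * ImageBase: kernel-mode base of the mapped image (ImageInfo->ImageBase from
 *            the load-image callback).
 * Returns:   absolute address of the entry point, or NULL when ImageBase is
 *            NULL, the headers do not carry the MZ / PE signatures, or the
 *            image declares no entry point.
 *
 * Only AddressOfEntryPoint (offset 0x10 of the optional header, identical in
 * PE32 and PE32+) is read, so the PE32 layout of the local
 * IMAGE_OPTIONAL_HEADER typedef is sufficient for either image format.
 *
 * Changes from the posted version: it cast the PE header to
 * PIMAGE_NT_HEADERS64 (a different type from the PIMAGE_NT_HEADERS variable
 * it was assigned to) and did the arithmetic in ULONG64 while everything else
 * here is 32-bit; ULONG_PTR is the width-correct type for both builds.  It
 * also performed no sanity check at all, so a non-PE or partially mapped
 * header would have been followed blindly.
 */
PVOID GetDriverEntryByImageBase(PVOID ImageBase)
{
    PIMAGE_DOS_HEADER pDosHeader;
    PIMAGE_NT_HEADERS pNtHeader;
    DWORD entryRva;

    if (ImageBase == NULL) {
        return NULL;
    }

    pDosHeader = (PIMAGE_DOS_HEADER)ImageBase;
    if (pDosHeader->e_magic != 0x5A4D) {               /* 'MZ' */
        return NULL;
    }
    /* e_lfanew is a signed offset; never use a non-positive one as a displacement. */
    if (pDosHeader->e_lfanew <= 0) {
        return NULL;
    }

    pNtHeader = (PIMAGE_NT_HEADERS)((ULONG_PTR)ImageBase + (ULONG_PTR)pDosHeader->e_lfanew);
    if (pNtHeader->Signature != 0x00004550) {          /* 'PE\0\0' */
        return NULL;
    }

    entryRva = pNtHeader->OptionalHeader.AddressOfEntryPoint;
    if (entryRva == 0) {
        return NULL;                                   /* image has no entry point */
    }

    return (PVOID)((ULONG_PTR)ImageBase + entryRva);
}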
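/*
 * Neuter a driver that is about to start by overwriting the first bytes of
 * its DriverEntry with a stub that returns STATUS_ACCESS_DENIED (0xC0000022),
 * so the I/O manager treats the load as failed.
 *
 * DriverEntry: address returned by GetDriverEntryByImageBase; NULL or an
 *              unmapped address is ignored.
 *
 * Stub bytes:  B8 22 00 00 C0   mov eax, 0C0000022h
 *              C2 08 00         ret 8
 * On x86 the kernel calls DriverEntry through PDRIVER_INITIALIZE, which is
 * __stdcall, so the callee has to pop its two pointer arguments: "ret 8".
 * The posted stub used a bare "ret" (C3), leaving the caller's stack 8 bytes
 * off; if that worked at all it relied on the caller tearing its frame down
 * via EBP.  The posted code also copied sizeof() of a NUL-terminated string
 * literal and so wrote one byte more than the stub.
 *
 * Kernel code pages are read-only, so the write is done with CR0.WP cleared.
 * EFLAGS is saved into a local and restored afterwards rather than a blind
 * cli/sti, so interrupts are not re-enabled if the caller had them off.  CR0
 * is per-processor and cli only stops preemption on this CPU, which bounds
 * the window but does not make this a supported technique: the documented way
 * to write read-only kernel pages is an MDL mapping
 * (MmMapLockedPagesSpecifyCache / MmProtectMdlSystemAddress), and kernel
 * patch protection on x64 objects to modified code.  __asm exists only in the
 * x86 MSVC compiler, so this routine is 32-bit only as written.
 */
void DenyLoadDriver(PVOID DriverEntry)
{
    static const UCHAR denyStub[] = {
        0xB8, 0x22, 0x00, 0x00, 0xC0,   /* mov eax, STATUS_ACCESS_DENIED */
        0xC2, 0x08, 0x00                /* ret 8 (__stdcall: pop 2 args)  */
    };
    ULONG savedCr0;
    ULONG savedFlags;

    if (DriverEntry == NULL || !MmIsAddressValid(DriverEntry)) {
        return;
    }

    __asm {
        pushfd
        pop savedFlags              ; remember IF so it can be put back exactly
        cli                         ; no interrupts / preemption on this CPU while WP is off
        mov eax, cr0
        mov savedCr0, eax
        and eax, not 10000h         ; clear CR0.WP (bit 16)
        mov cr0, eax
    }

    RtlCopyMemory(DriverEntry, denyStub, sizeof(denyStub));

    __asm {
        mov eax, savedCr0
        mov cr0, eax                ; restore WP
        push savedFlags
        popfd                       ; restore IF
    }
}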
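/*
 * True when the last path component of ImageName equals TargetFileName,
 * compared case-insensitively.  NT paths are case-insensitive, so the
 * case-sensitive wcsstr() match in the posted code let "eaglexnt.sys"
 * through.  The comparison is bounded by UNICODE_STRING.Length: Buffer is
 * not guaranteed to be NUL-terminated, and wcsstr() on it could read past
 * the end of the buffer.
 */
static BOOLEAN ImageFileNameIs(PCUNICODE_STRING ImageName, PCWSTR TargetFileName)
{
    UNICODE_STRING target;
    UNICODE_STRING leaf;
    USHORT chars;
    USHORT start;

    if (ImageName == NULL || ImageName->Buffer == NULL || ImageName->Length == 0) {
        return FALSE;
    }

    /* Walk back from the end to the last '\' to isolate the file name. */
    chars = (USHORT)(ImageName->Length / sizeof(WCHAR));
    start = chars;
    while (start > 0 && ImageName->Buffer[start - 1] != L'\\') {
        start--;
    }

    leaf.Buffer = ImageName->Buffer + start;
    leaf.Length = (USHORT)((chars - start) * sizeof(WCHAR));
    leaf.MaximumLength = leaf.Length;

    RtlInitUnicodeString(&target, TargetFileName);
    return RtlEqualUnicodeString(&leaf, &target, TRUE);
}

/*
 * PsSetLoadImageNotifyRoutine callback (PLOAD_IMAGE_NOTIFY_ROUTINE contract).
 * The kernel calls it for every image mapped into a process and for every
 * kernel-mode driver image; for driver images ProcessId is 0.
 *
 * For driver images the entry point is resolved from the mapped PE headers
 * and, when the file name is EagleXNt.sys, patched by DenyLoadDriver so the
 * pending DriverEntry call fails.  This presumes the callback fires after the
 * image is mapped but before the I/O manager calls its DriverEntry.
 *
 * Limits: only drivers loaded after this driver registered are seen, and the
 * match is on a file name chosen by whoever installs the target driver, so a
 * rename defeats it -- match on something stronger (hash, signer) if that
 * matters.  MmIsAddressValid on a kernel-supplied pointer is a weak check
 * kept from the original; it is not a substitute for the Length-bounded
 * string handling above.
 */
VOID LoadImageNotifyRoutine
(
    __in_opt PUNICODE_STRING FullImageName,
    __in HANDLE ProcessId,
    __in PIMAGE_INFO ImageInfo
)
{
    PVOID pDrvEntry;

    if (FullImageName == NULL || !MmIsAddressValid(FullImageName) || ImageInfo == NULL) {
        return;
    }
    if (ProcessId != 0) {
        return;                                 /* user-mode image: not of interest */
    }

    DbgPrint("%wZ\n", FullImageName);
    pDrvEntry = GetDriverEntryByImageBase(ImageInfo->ImageBase);
    DbgPrint("DriverEntry: %p\n", pDrvEntry);

    /* NULL when the headers did not parse or the image has no entry point. */
    if (pDrvEntry != NULL && ImageFileNameIs(FullImageName, L"EagleXNt.sys")) {
        DenyLoadDriver(pDrvEntry);
    }
}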
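/*
 * Unload routine: deregister the load-image callback, which is the only
 * state this driver holds.
 *
 * obj: this driver's DRIVER_OBJECT (unused).
 *
 * The posted version dropped the NTSTATUS from
 * PsRemoveLoadImageNotifyRoutine; nothing more can be done about a failure
 * at unload time, but it should at least be visible in the debugger output.
 */
void DriverUnload(PDRIVER_OBJECT obj)
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER(obj);

    status = PsRemoveLoadImageNotifyRoutine(LoadImageNotifyRoutine);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsRemoveLoadImageNotifyRoutine failed: 0x%08X\n", status);
    }
}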
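/*
 * Driver entry: register the load-image callback and install the unload
 * routine.
 *
 * obj:  this driver's DRIVER_OBJECT.
 * preg: registry path (unused).
 * Returns STATUS_SUCCESS, or the failure code from
 * PsSetLoadImageNotifyRoutine.  The posted version returned success
 * unconditionally, so a failed registration (e.g. STATUS_INSUFFICIENT_RESOURCES
 * when the notify table is full) produced a driver that intercepted nothing
 * and later tried to remove a callback it never installed.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT obj, PUNICODE_STRING preg)
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER(preg);

    status = PsSetLoadImageNotifyRoutine(LoadImageNotifyRoutine);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsSetLoadImageNotifyRoutine failed: 0x%08X\n", status);
        return status;              /* load fails; DriverUnload is not invoked */
    }

    obj->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}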