374919318 发表于 2017-6-3 11:06:45

拦截驱动加载


#include "ntddk.h"
#include <windef.h>
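/* MS-DOS stub header that starts every PE image (64 bytes).
 * The only fields this page reads are e_magic and e_lfanew, and e_lfanew
 * must be at offset 0x3C: that requires e_res and e_res2 to be arrays of
 * 4 and 10 WORDs as in the SDK definition. With both declared as single
 * WORDs (as the page showed them) e_lfanew lands at offset 0x24 and
 * GetDriverEntryByImageBase dereferences a garbage offset.
 * NOTE(review): ntddk.h may already pull in a header that defines this
 * tag — confirm the redefinition compiles in the target WDK. */
typedef struct _IMAGE_DOS_HEADER {      // DOS .EXE header
    WORD e_magic;                       // Magic number, 0x5A4D ("MZ")
    WORD e_cblp;                        // Bytes on last page of file
    WORD e_cp;                          // Pages in file
    WORD e_crlc;                        // Relocations
    WORD e_cparhdr;                     // Size of header in paragraphs
    WORD e_minalloc;                    // Minimum extra paragraphs needed
    WORD e_maxalloc;                    // Maximum extra paragraphs needed
    WORD e_ss;                          // Initial (relative) SS value
    WORD e_sp;                          // Initial SP value
    WORD e_csum;                        // Checksum
    WORD e_ip;                          // Initial IP value
    WORD e_cs;                          // Initial (relative) CS value
    WORD e_lfarlc;                      // File address of relocation table
    WORD e_ovno;                        // Overlay number
    WORD e_res[4];                      // Reserved words
    WORD e_oemid;                       // OEM identifier (for e_oeminfo)
    WORD e_oeminfo;                     // OEM information; e_oemid specific
    WORD e_res2[10];                    // Reserved words
    LONG e_lfanew;                      // File offset of the NT headers (at 0x3C)
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;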


/* One entry of the optional header's data-directory table.
 * Nothing on this page reads it; it exists only so that
 * IMAGE_OPTIONAL_HEADER below has the correct layout. */
typedef struct _IMAGE_DATA_DIRECTORY {
    DWORD VirtualAddress;   /* RVA of the table */
    DWORD Size;             /* size of the table in bytes */
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;


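/* PE32 (32-bit) optional header. This matches an x86 build, which is also
 * the only target on which the inline __asm in DenyLoadDriver compiles.
 * The one field this page reads, AddressOfEntryPoint, sits at offset 0x10
 * of the optional header in both PE32 and PE32+, so the entry-point lookup
 * is not affected by the 32/64-bit layout differences further down.
 * DataDirectory is the 16-entry table of the SDK definition; the page had
 * it as a single entry, which made sizeof(IMAGE_OPTIONAL_HEADER) wrong. */
typedef struct _IMAGE_OPTIONAL_HEADER {
    //
    // Standard fields.
    //
    WORD  Magic;                        // 0x10B for PE32
    BYTE  MajorLinkerVersion;
    BYTE  MinorLinkerVersion;
    DWORD SizeOfCode;
    DWORD SizeOfInitializedData;
    DWORD SizeOfUninitializedData;
    DWORD AddressOfEntryPoint;          // RVA of the entry point (offset 0x10)
    DWORD BaseOfCode;
    DWORD BaseOfData;                   // PE32 only

    //
    // NT additional fields.
    //
    DWORD ImageBase;                    // DWORD in PE32, ULONGLONG in PE32+
    DWORD SectionAlignment;
    DWORD FileAlignment;
    WORD  MajorOperatingSystemVersion;
    WORD  MinorOperatingSystemVersion;
    WORD  MajorImageVersion;
    WORD  MinorImageVersion;
    WORD  MajorSubsystemVersion;
    WORD  MinorSubsystemVersion;
    DWORD Win32VersionValue;
    DWORD SizeOfImage;
    DWORD SizeOfHeaders;
    DWORD CheckSum;
    WORD  Subsystem;
    WORD  DllCharacteristics;
    DWORD SizeOfStackReserve;
    DWORD SizeOfStackCommit;
    DWORD SizeOfHeapReserve;
    DWORD SizeOfHeapCommit;
    DWORD LoaderFlags;
    DWORD NumberOfRvaAndSizes;          // number of valid DataDirectory entries
    IMAGE_DATA_DIRECTORY DataDirectory[16];
} IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER;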




/* COFF file header that follows the "PE\0\0" signature (20 bytes).
 * Not read by the code on this page; it is needed so that OptionalHeader
 * in IMAGE_NT_HEADERS sits at the right offset (0x18). */
typedef struct _IMAGE_FILE_HEADER {
    WORD  Machine;                  /* target architecture */
    WORD  NumberOfSections;
    DWORD TimeDateStamp;
    DWORD PointerToSymbolTable;
    DWORD NumberOfSymbols;
    WORD  SizeOfOptionalHeader;     /* size of the optional header that follows */
    WORD  Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;


/* NT headers located at ImageBase + IMAGE_DOS_HEADER.e_lfanew.
 * Signature (4) + FileHeader (20) put OptionalHeader at offset 0x18. */
typedef struct _IMAGE_NT_HEADERS {
    DWORD                 Signature;        /* 0x00004550, "PE\0\0" */
    IMAGE_FILE_HEADER     FileHeader;       /* offset 0x04 */
    IMAGE_OPTIONAL_HEADER OptionalHeader;   /* offset 0x18 */
} IMAGE_NT_HEADERS, *PIMAGE_NT_HEADERS;


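/* Resolve the entry point (DriverEntry) of a mapped PE image from its base.
 *
 * ImageBase: base of an image the loader has already mapped (here the
 *            ImageInfo->ImageBase handed to the load-image callback).
 * Returns ImageBase + OptionalHeader.AddressOfEntryPoint, or NULL when the
 * base is NULL or the "MZ" / "PE\0\0" signatures are missing, so a caller
 * never acts on a pointer derived from bytes that are not PE headers.
 *
 * e_lfanew is only checked for sign, not bounded against the image size,
 * because this function is not given the size (ImageInfo->ImageSize is
 * the value a caller could check). */
PVOID GetDriverEntryByImageBase(PVOID ImageBase)
{
    PIMAGE_DOS_HEADER pDosHeader;
    PIMAGE_NT_HEADERS pNtHeader;

    if (ImageBase == NULL) {
        return NULL;
    }
    pDosHeader = (PIMAGE_DOS_HEADER)ImageBase;
    if (pDosHeader->e_magic != 0x5A4D) {          /* "MZ" */
        return NULL;
    }
    if (pDosHeader->e_lfanew < 0) {
        return NULL;
    }
    /* Byte-pointer arithmetic works for both x86 and x64 builds and avoids
     * the ULONG64 casts, which are wider than a pointer on x86. The cast
     * target is this page's own PIMAGE_NT_HEADERS; the original cast to
     * PIMAGE_NT_HEADERS64, a type not defined anywhere on this page. */
    pNtHeader = (PIMAGE_NT_HEADERS)((PUCHAR)ImageBase + pDosHeader->e_lfanew);
    if (pNtHeader->Signature != 0x00004550) {     /* "PE\0\0" */
        return NULL;
    }
    /* AddressOfEntryPoint is an RVA relative to the load base. */
    return (PVOID)((PUCHAR)ImageBase + pNtHeader->OptionalHeader.AddressOfEntryPoint);
}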
/* Overwrite the first bytes of a driver's entry point so that it returns
 * immediately. The patch bytes encode `mov eax, 0C0000022h` followed by
 * `ret`, i.e. the patched DriverEntry returns STATUS_ACCESS_DENIED and the
 * driver's initialisation fails.
 *
 * DriverEntry: address inside a mapped image; the caller must guarantee at
 *              least sizeof(fuck) bytes are writable there. Note that
 *              sizeof(fuck) is 7, not 6: the string literal's NUL terminator
 *              is copied along with the six opcode bytes.
 *
 * Review notes (risk / detection): this writes into another module's code
 * section with CR0.WP cleared, which is exactly the kind of modification
 * kernel code-integrity protection exists to catch. The inline __asm is
 * only accepted by the x86 MSVC compiler. cli/sti mask interrupts on the
 * current CPU only; nothing here prevents another processor from executing
 * DriverEntry while it is being overwritten. */
void DenyLoadDriver(PVOID DriverEntry)
{ULONG oldCr0;
// STATUS_ACCESS_DENIED == 0xC0000022L
UCHAR fuck[]="\xB8\x22\x00\x00\xC0\xC3"; // mov eax,c0000022h
             //ret
// Disable interrupts on this CPU and clear CR0.WP (bit 16) so that the
// read-only code page accepts the write.
__asm {
cli;
mov eax, cr0;
mov oldCr0, eax;
and eax, not 10000h;
mov cr0, eax
}

RtlCopyMemory(DriverEntry,fuck,sizeof(fuck));
// Copy done: restore the saved CR0 value and re-enable interrupts.
__asm {
mov eax, oldCr0;
mov cr0, eax;
sti;
}
}
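/* Bounded, case-sensitive substring search over a UNICODE_STRING.
 * The original called wcsstr() on FullImageName->Buffer, which assumes a
 * NUL terminator that UNICODE_STRING does not guarantee and can therefore
 * read past the end of the buffer; this helper never looks beyond Length.
 * An empty Needle matches, as with wcsstr(). */
static BOOLEAN ImageNameContains(PCUNICODE_STRING Name, PCWSTR Needle)
{
    USHORT nameChars;
    USHORT needleChars = 0;
    USHORT start, k;

    if (Name->Buffer == NULL) {
        return FALSE;
    }
    nameChars = (USHORT)(Name->Length / sizeof(WCHAR));
    while (Needle[needleChars] != L'\0') {
        needleChars++;
    }
    if (needleChars > nameChars) {
        return FALSE;
    }
    for (start = 0; start + needleChars <= nameChars; start++) {
        for (k = 0; k < needleChars; k++) {
            if (Name->Buffer[start + k] != Needle[k]) {
                break;
            }
        }
        if (k == needleChars) {
            return TRUE;
        }
    }
    return FALSE;
}

/* Load-image callback registered by DriverEntry through
 * PsSetLoadImageNotifyRoutine. It logs every driver image, and when the
 * image name contains "EagleXNt.sys" it hands that driver's entry point to
 * DenyLoadDriver before the entry point has run.
 *
 * FullImageName: optional; its Buffer is not guaranteed to be
 *                NUL-terminated, so it is only inspected up to Length bytes.
 * ProcessId:     0 for a driver loaded into the system, otherwise the
 *                process the image is being mapped into.
 * ImageInfo:     mapping description; only ImageBase is used here.
 */
VOID LoadImageNotifyRoutine
(
    __in_opt PUNICODE_STRING FullImageName,
    __in HANDLE ProcessId,
    __in PIMAGE_INFO ImageInfo
)
{
    PVOID pDrvEntry;

    /* MmIsAddressValid only reports that the page is resident at this
     * instant; the NULL test is the check that matters for an optional
     * parameter. */
    if (FullImageName == NULL || !MmIsAddressValid(FullImageName)) {
        return;
    }
    if (ProcessId != 0) {
        return;                         /* user-mode image, not a driver */
    }
    DbgPrint("%wZ\n", FullImageName);
    if (ImageInfo == NULL) {
        return;
    }
    pDrvEntry = GetDriverEntryByImageBase(ImageInfo->ImageBase);
    DbgPrint("DriverEntry: %p\n", pDrvEntry);
    if (pDrvEntry == NULL) {
        return;                         /* no usable entry point resolved */
    }
    if (ImageNameContains(FullImageName, L"EagleXNt.sys")) {
        DenyLoadDriver(pDrvEntry);      /* patch the entry point before it runs */
    }
}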


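/* Unload routine: unregister the load-image callback so the kernel never
 * calls into this driver's code after the image has been unmapped.
 * The removal status was previously discarded; it is now logged, since at
 * unload time there is nothing else that can be done with it. */
void DriverUnload(PDRIVER_OBJECT obj){
    NTSTATUS status;

    UNREFERENCED_PARAMETER(obj);
    status = PsRemoveLoadImageNotifyRoutine(LoadImageNotifyRoutine);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsRemoveLoadImageNotifyRoutine failed: 0x%08X\n", status);
    }
}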
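/* Driver entry: register the load-image callback and the unload routine.
 * The registration status was previously ignored; a failure is now returned
 * so the driver does not stay loaded with no callback, and DriverUnload is
 * only installed once registration succeeded, so unload never tries to
 * remove a routine that was never registered.
 *
 * obj:  this driver's object; receives the unload routine.
 * preg: registry path, unused here.
 * Returns STATUS_SUCCESS, or the status from PsSetLoadImageNotifyRoutine. */
NTSTATUS DriverEntry(PDRIVER_OBJECT obj,PUNICODE_STRING preg){
    NTSTATUS status;

    UNREFERENCED_PARAMETER(preg);
    status = PsSetLoadImageNotifyRoutine(LoadImageNotifyRoutine);
    if (!NT_SUCCESS(status)) {
        return status;
    }
    obj->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}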

小生怕怕 发表于 2020-3-1 00:23:46

能留下你的联系方式吗?有需要