WIN10驱动断链会蓝屏?
// NonPagedDebugInfo record that KLDR_DATA_TABLE_ENTRY (below) points to.
// Presumably copied from Blackbone like that struct (see the comment at its
// closing brace); the layout is OS-build specific and is not verified here.
typedef struct _NON_PAGED_DEBUG_INFO
{
USHORT Signature;
USHORT Flags;
ULONG Size;
USHORT Machine;
USHORT Characteristics;
ULONG TimeDateStamp;
ULONG CheckSum;
ULONG SizeOfImage;
ULONGLONG ImageBase;
} NON_PAGED_DEBUG_INFO, *PNON_PAGED_DEBUG_INFO;
// Kernel loader data table entry: appears to be the per-module record that
// DRIVER_OBJECT::DriverSection is cast to in the snippet below. Copied from
// Blackbone per the original comment; field offsets differ between OS builds,
// so the layout should be checked against the target build before it is relied on.
typedef struct _KLDR_DATA_TABLE_ENTRY
{
LIST_ENTRY InLoadOrderLinks; // link into the load-order module list; this is the list the snippet below unlinks from
PVOID ExceptionTable;
ULONG ExceptionTableSize;
// ULONG padding on IA64
PVOID GpValue;
PNON_PAGED_DEBUG_INFO NonPagedDebugInfo;
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
USHORT LoadCount;
USHORT __Unused5;
PVOID SectionPointer;
ULONG CheckSum;
// ULONG padding on IA64
PVOID LoadedImports;
PVOID PatchInformation;
} KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY;// this struct was lifted from Blackbone
// Snippet from the question: detaches this driver's loader entry from the
// InLoadOrderLinks list and then makes the entry's own links point at itself.
PKLDR_DATA_TABLE_ENTRY entry = (PKLDR_DATA_TABLE_ENTRY)(pDriverObject->DriverSection);
// unlink from the list
INT64 P1 = (INT64)entry->InLoadOrderLinks.Flink;
INT64 P2 = (INT64)entry->InLoadOrderLinks.Blink;
entry->InLoadOrderLinks.Flink->Blink =(PLIST_ENTRY) P2; // the two neighbours now bypass this entry
entry->InLoadOrderLinks.Blink->Flink =(PLIST_ENTRY) P1;
entry->InLoadOrderLinks.Flink = (PLIST_ENTRY)entry; // self-referential links: an easy anomaly for an integrity check to spot
entry->InLoadOrderLinks.Blink = (PLIST_ENTRY)entry;
// NOTE(review): the reply further down attributes the CRITICAL_STRUCTURE_CORRUPTION
// bug check to PatchGuard catching exactly this kind of list tampering.
断链代码应该没问题的吧?
它不是加载后就马上蓝屏,而是概率性的蓝屏,有时候十几分钟,有时候几个小时才蓝。
什么原因啊?
是WIN10的什么安全机制导致的?
但是感觉是某些条件下才触发的。
蓝屏代码 critical_structure_corruption
有时候还是 page_fault_in_nonpaged_area
会蓝屏。critical_structure_corruption 就是 PatchGuard;x64 没过 PG 就搞进程隐藏、断链一类的事,会蓝到你怀疑人生...
特征码自己找,忘了这个是哪个系统的了。
#include"HideDiver.h"
#pragmawarning(disable:4047)
// Function-pointer type for the unexported kernel routine MiProcessLoaderEntry.
// The prototype used here (section pointer, load/unload flag) is this code's
// assumption, not a documented contract.
typedefNTSTATUS(__fastcall*MiProcessLoaderEntry)(PVOIDpDriverSection,intbLoad);
// Filled in by HideDriver() once the routine has been located by signature scan.
MiProcessLoaderEntryg_pfnMiProcessLoaderEntry=NULL;
// Computes the target of a 5-byte call/jmp instruction located at pCallPoint:
// reads the 4-byte displacement that follows the first opcode byte and adds the
// instruction length (5). Returns NULL when pCallPoint is NULL or fails
// MmIsAddressValid; otherwise the computed address, with no further validation.
PVOIDGetCallPoint(PVOIDpCallPoint)
{
ULONGdwOffset=0;
ULONG_PTRreturnAddress=0;
LARGE_INTEGERreturnAddressTemp={0};
PUCHARpFunAddress=NULL;
if(pCallPoint==NULL||!MmIsAddressValid(pCallPoint))
returnNULL;
pFunAddress=pCallPoint;
// displacement operand (original comment: "function offset")
RtlCopyMemory(&dwOffset,(PVOID)(pFunAddress+1),sizeof(ULONG));
// original comment: "JMP jumps upward" - this branch is meant for a backward target
if((dwOffset&0x10000000)==0x10000000)
{
dwOffset=dwOffset+5+pFunAddress;
// keep the high 32 bits of the instruction address and replace only the low 32 bits
returnAddressTemp.QuadPart=(ULONG_PTR)pFunAddress&0xFFFFFFFF00000000;
returnAddressTemp.LowPart=dwOffset;
returnAddress=returnAddressTemp.QuadPart;
return(PVOID)returnAddress;
}
returnAddress=(ULONG_PTR)dwOffset+5+pFunAddress;
return(PVOID)returnAddress;
}
// Linear byte-pattern scan used by HideDriver() to locate unexported kernel
// routines. With ByName TRUE the scan starts at the routine named by pFunName
// (resolved via MmGetSystemRoutineAddress); otherwise it starts at pStartAddress.
// Up to SerSize bytes are examined (rejected above 0x1024) and a hit is reported
// after FeatureCodeNum consecutive matches (rejected at 15 or more), with AddNum
// added to the returned address. Any fault while reading is swallowed by the
// __try/__except and reported as 0, as is an exhausted scan. The exact roles of
// pFeatureCode and SegCode are only what the comparison below expresses; they are
// not otherwise documented in this listing.
PVOIDGetUndocumentFunctionAddress(INPUNICODE_STRINGpFunName,INPUCHARpStartAddress,INUCHAR*pFeatureCode,INULONGFeatureCodeNum,ULONGSerSize,UCHARSegCode,ULONGAddNum,BOOLEANByName)
{
ULONGdwIndex=0;
PUCHARpFunAddress=NULL;
ULONGdwCodeNum=0;
if(pFeatureCode==NULL)
returnNULL;
if(FeatureCodeNum>=15)
returnNULL;
if(SerSize>0x1024)
returnNULL;
if(ByName)
{
// resolve the start address from the exported routine name
if(pFunName==NULL||!MmIsAddressValid(pFunName->Buffer))
returnNULL;
pFunAddress=(PUCHAR)MmGetSystemRoutineAddress(pFunName);
if(pFunAddress==NULL)
returnNULL;
}
else
{
// caller supplied the start address directly
if(pStartAddress==NULL||!MmIsAddressValid(pStartAddress))
returnNULL;
pFunAddress=pStartAddress;
}
for(dwIndex=0;dwIndex<SerSize;dwIndex++)
{
__try
{
if(pFunAddress==pFeatureCode||pFeatureCode==SegCode)
{
dwCodeNum++;
if(dwCodeNum==FeatureCodeNum)
returnpFunAddress+dwIndex-dwCodeNum+1+AddNum;
continue;
}
dwCodeNum=0; // run of matches broken; start counting again
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
return0; // unreadable memory during the scan: give up silently
}
}
return0;
}
// Hides pTargetDriverObject from the loader's module bookkeeping: locates the
// unexported MiProcessLoaderEntry by following two byte signatures starting at
// MmUnloadSystemImage (the disassembly comments below show the expected code
// shape, which is build-specific), calls it with the unload flag, then clears
// DriverSection and several identifying DRIVER_OBJECT fields.
// Returns STATUS_INVALID_PARAMETER for a NULL object and STATUS_UNSUCCESSFUL
// when either signature or call target fails to resolve.
// NOTE(review): the reply below this listing reports that DriverSection = NULL
// by itself ends in a bug check. From a defender's view, a DRIVER_OBJECT whose
// DriverStart, DriverSize, DriverUnload, DriverInit and DeviceObject are all
// NULL is a strong anomaly worth alerting on. DriverSize is a ULONG, which is
// presumably one reason warning 4047 is disabled at the top of the file.
NTSTATUSHideDriver(PDRIVER_OBJECTpTargetDriverObject)
{
UNICODE_STRINGusRoutie={0};
PUCHARpAddress=NULL;
UCHARcode=
"\xD8\xE8";
UCHARcode2=
"\x48\x8B\xCB\xE8\x60\x60\x60\x60\x8B";
/*
PAGE:000000014052ABE4488BD8 mov rbx,rax
PAGE:000000014052ABE7E84817F7FF call MiUnloadSystemImage
*/
if(pTargetDriverObject==NULL)
returnSTATUS_INVALID_PARAMETER;
RtlInitUnicodeString(&usRoutie,L"MmUnloadSystemImage");
// first signature: the call into MiUnloadSystemImage inside MmUnloadSystemImage
pAddress=GetUndocumentFunctionAddress(&usRoutie,NULL,code,2,0x30,0x90,1,TRUE);
if(pAddress==NULL)
{
DbgPrint("MiUnloadSystemImage1faild!\n");
returnSTATUS_UNSUCCESSFUL;
}
pAddress=GetCallPoint(pAddress);
if(pAddress==NULL)
{
DbgPrint("MiUnloadSystemImage2faild!\n");
returnSTATUS_UNSUCCESSFUL;
}
/*
PAGE:000000014049C5CF488BCB mov rcx,rbx
PAGE:000000014049C5D2E83129C2FF call MiProcessLoaderEntry
PAGE:000000014049C5D78B05A3BCF0FF mov eax,cs:PerfGlobalGroupMask
PAGE:000000014049C5DDA804 test al,4
*/
// second signature: the call into MiProcessLoaderEntry inside MiUnloadSystemImage
pAddress=GetUndocumentFunctionAddress(NULL,pAddress,code2,9,0x300,0x60,3,FALSE);
if(pAddress==NULL)
{
DbgPrint("MiProcessLoaderEntry1faild!\n");
returnSTATUS_UNSUCCESSFUL;
}
g_pfnMiProcessLoaderEntry=(MiProcessLoaderEntry)GetCallPoint(pAddress);
if(g_pfnMiProcessLoaderEntry==NULL)
{
DbgPrint("MiProcessLoaderEntry2faild!\n");
returnSTATUS_UNSUCCESSFUL;
}
//DbgBreakPoint();
DbgPrint("0x%p\n",g_pfnMiProcessLoaderEntry);
/*//////////////////////////////// hide the driver /////////////////////////////////*/
g_pfnMiProcessLoaderEntry(pTargetDriverObject->DriverSection,0);
pTargetDriverObject->DriverSection=NULL;
/*/////////////////////////////////////////////////////////////////////////*/
// wipe the driver object's identifying fields
pTargetDriverObject->DriverStart=NULL;
pTargetDriverObject->DriverSize=NULL;
pTargetDriverObject->DriverUnload=NULL;
pTargetDriverObject->DriverInit=NULL;
pTargetDriverObject->DeviceObject=NULL;
returnSTATUS_SUCCESS;
}
pTargetDriverObject->DriverSection =NULL;这个一样蓝到怀疑人生。如果只想让pch扫不到的话:
//摘除驱动目录链表
//摘除设备目录链表
//摘除TypeList链表
//摘除模块链表
就可以了。初来乍到,认真回复。