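/*
 * CalcChar - compute two weak checksums over every byte of a file.
 *
 * logFileUnicodeString: NT path of the file to read (e.g. "\??\C:\x.exe").
 * XorChar:  receives the XOR of all bytes read.
 * AnSChar:  receives the alternating sum: bytes at even offsets are added,
 *           bytes at odd offsets subtracted (ULONG arithmetic, wraps).
 *
 * Both outputs are written to 0 before any failure can occur, so a caller
 * that compares them against a fixed value never reads an uninitialised
 * variable when the file cannot be opened, queried, or read.
 *
 * NOTE(review): XOR and an alternating sum are not collision resistant and
 * say nothing about who produced the file; they cannot serve as an integrity
 * or authenticity check. A cryptographic hash, or Authenticode / code
 * integrity verification, is what such a decision needs.
 */
VOID CalcChar(PUNICODE_STRING logFileUnicodeString, LONG *XorChar, LONG *AnSChar)
{
    OBJECT_ATTRIBUTES objectAttributes;
    IO_STATUS_BLOCK iostatus;
    HANDLE hfile = NULL;
    NTSTATUS ntStatus;
    FILE_STANDARD_INFORMATION fsi;
    PUCHAR pBuffer = NULL;
    ULONG length = 0;
    ULONG bytesRead = 0;
    ULONG i = 0, y1 = 0, y2 = 0;

    *XorChar = 0;
    *AnSChar = 0;

    /* OBJ_KERNEL_HANDLE keeps the handle out of the current process's handle
     * table, so user mode cannot close or duplicate it while it is in use.
     * OBJ_CASE_INSENSITIVE: the path lookup ignores case (the old comment
     * said the opposite). */
    InitializeObjectAttributes(&objectAttributes,
                               logFileUnicodeString,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL,
                               NULL);

    /* FILE_OPEN only opens an existing file; it never creates one. */
    ntStatus = ZwCreateFile(&hfile,
                            GENERIC_READ,
                            &objectAttributes,
                            &iostatus,
                            NULL,
                            FILE_ATTRIBUTE_NORMAL,
                            FILE_SHARE_READ,
                            FILE_OPEN,
                            FILE_SYNCHRONOUS_IO_NONALERT,
                            NULL,
                            0);
    if (!NT_SUCCESS(ntStatus)) {
        dprintf("The file is not exist!\n");
        return;
    }

    /* Query the file length; the status used to be ignored, which left fsi
     * uninitialised on failure. */
    ntStatus = ZwQueryInformationFile(hfile,
                                      &iostatus,
                                      &fsi,
                                      sizeof(fsi),
                                      FileStandardInformation);
    if (!NT_SUCCESS(ntStatus)) {
        dprintf("ZwQueryInformationFile failed: 0x%08lx\n", ntStatus);
        goto close_file;
    }

    /* An empty file has nothing to read and yields 0/0. A file larger than
     * a ULONG used to be silently truncated by a (LONG) cast of QuadPart;
     * refuse it instead. */
    if (fsi.EndOfFile.QuadPart <= 0) {
        goto close_file;
    }
    if (fsi.EndOfFile.QuadPart > (LONGLONG)MAXULONG) {
        dprintf("The file is too large to checksum\n");
        goto close_file;
    }
    length = (ULONG)fsi.EndOfFile.QuadPart;
    dprintf("The program want to read %lu bytes\n", length);

    /* Allocation failure used to reach ZwReadFile with a NULL buffer. */
    pBuffer = (PUCHAR)ExAllocatePool(PagedPool, length);
    if (pBuffer == NULL) {
        dprintf("ExAllocatePool failed\n");
        goto close_file;
    }

    ntStatus = ZwReadFile(hfile,
                          NULL,
                          NULL,
                          NULL,
                          &iostatus,
                          pBuffer,
                          length,
                          NULL,
                          NULL);
    if (!NT_SUCCESS(ntStatus)) {
        dprintf("ZwReadFile failed: 0x%08lx\n", ntStatus);
        goto free_buffer;
    }
    /* Information never exceeds the requested length, so the cast is safe. */
    bytesRead = (ULONG)iostatus.Information;
    dprintf("The program really read %lu bytes\n", bytesRead);

    /* One pass computes both values; the arithmetic matches the original
     * two-loop version exactly. */
    for (i = 0; i < bytesRead; i++) {
        ULONG b = (ULONG)pBuffer[i];
        y1 ^= b;
        if (i % 2 == 0) {
            y2 += b;
        } else {
            y2 -= b;
        }
    }
    *XorChar = (LONG)y1;
    *AnSChar = (LONG)y2;

free_buffer:
    ExFreePool(pBuffer);
close_file:
    ZwClose(hfile);
}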
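/*
 * cs - concatenate two C strings into a freshly allocated NonPagedPool buffer.
 *
 * str1, str2: NUL-terminated inputs; str1 comes first in the result.
 *
 * Returns the new NUL-terminated string, or NULL when either input is NULL
 * or the pool allocation fails (the old code passed an unchecked NULL to
 * memcpy). Ownership passes to the caller, which must release the buffer
 * with ExFreePool.
 */
char *cs(char *str1, char *str2) /* connect string */
{
    size_t len1, len2;
    char *newstr;

    if (str1 == NULL || str2 == NULL) {
        return NULL;
    }
    /* strlen was evaluated five times before; compute each length once. */
    len1 = strlen(str1);
    len2 = strlen(str2);

    /* +1 for the terminator, copied from str2 below */
    newstr = (char *)ExAllocatePool(NonPagedPool, len1 + len2 + 1);
    if (newstr == NULL) {
        return NULL;
    }
    memcpy(newstr, str1, len1);
    memcpy(newstr + len1, str2, len2 + 1);
    return newstr;
}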
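/*
 * VerifyCaller - decide whether the current process is the expected client.
 *
 * Builds the NT path ("\??\" + image path) of the calling process, runs
 * CalcChar over that file and compares the two checksums with values
 * compiled into the driver.
 *
 * Returns 1 when both values match, 0 otherwise or on any failure.
 *
 * Fixes relative to the original: the "\\??\" literal was unterminated (the
 * closing quote was escaped), the pool string from cs() and the UNICODE_STRING
 * allocated by RtlAnsiStringToUnicodeString were never freed (one pool leak
 * per call), and xorc/ansc were compared while uninitialised whenever
 * CalcChar bailed out early.
 *
 * NOTE(review): a non-cryptographic checksum of the file at the image path is
 * not a trustworthy authorization control: the values collide easily, and the
 * path and the on-disk file are not guaranteed to reflect the image actually
 * running in the process. Restricting who may open the device (security
 * descriptor on the device object) and, where image identity is really
 * required, code-integrity / Authenticode verification are the appropriate
 * mechanisms.
 */
LONG VerifyCaller(void)
{
    PEPROCESS cur_ep;
    char cur_pp[260] = {0};
    char *nt_cur_pp = NULL;
    ANSI_STRING asCur_pp;
    UNICODE_STRING usCur_pp = {0};
    LONG xorc = 0, ansc = 0;
    LONG verified = 0;
    NTSTATUS status;

    cur_ep = PsGetCurrentProcess();
    /* NOTE(review): (ULONG) of a pointer truncates on 64-bit builds;
     * GetFullPathByEprocess's parameter type is not visible here - confirm it
     * takes a full-width value. Its output is also assumed to fit in 260
     * bytes; the explicit terminator below only guards against a missing NUL,
     * not an overrun. */
    GetFullPathByEprocess((ULONG)cur_ep, cur_pp);
    cur_pp[sizeof(cur_pp) - 1] = '\0';

    nt_cur_pp = cs("\\??\\", cur_pp);
    if (nt_cur_pp == NULL) {
        DbgPrint("VerifyCaller: could not build the caller path\n");
        return 0;
    }
    DbgPrint("%s", nt_cur_pp);

    RtlInitAnsiString(&asCur_pp, nt_cur_pp);
    /* TRUE: the routine allocates usCur_pp.Buffer; it is freed below. */
    status = RtlAnsiStringToUnicodeString(&usCur_pp, &asCur_pp, TRUE);
    if (!NT_SUCCESS(status)) {
        DbgPrint("VerifyCaller: RtlAnsiStringToUnicodeString failed: 0x%08lx\n", status);
        goto free_path;
    }
    DbgPrint("%wZ", &usCur_pp);

    CalcChar(&usCur_pp, &xorc, &ansc);
    DbgPrint("XorChar: %ld; AnSChar: %ld", xorc, ansc);

    /* These are the precomputed values for the legitimate program; the
     * original author's comment insists they must be compiled into the
     * driver rather than read from anywhere writable. */
    if (xorc == 186 && ansc == 136176) {
        verified = 1;
    }

    RtlFreeUnicodeString(&usCur_pp);
free_path:
    ExFreePool(nt_cur_pp);
    return verified;
}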