balance 发表于 2011-6-13 21:30

隐藏WDM驱动安装时弹出的进度窗口

WDM式的驱动,即安装时需要提供inf文件,区别于NT式驱动。WDM驱动提供PnP、电源管理等功能,但安装时总会弹出一个烦人的对话框显示安装进度。
   本文在安装程序自身进程内打补丁（进程内钩子），直接改写 user32.dll 中 MessageBoxW、MessageBeep、ShowWindow、SetForegroundWindow 四个导出函数开头的几个字节，让它们一进来就返回，从而达到隐藏窗口的目的。要注意两点：下面的机器码只对 32 位 x86（stdcall 调用约定、5 字节 jmp rel32）有效，x64 下不能照搬；补丁对整个进程生效，在 SetHook 与 UnHook 之间，本进程内任何模块、任何线程对这四个函数的调用都会被吞掉。代码如下:

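/*
 * In-process patching of four user32 exports so that a driver installer
 * running in THIS process cannot show (or beep for) its progress dialog:
 *   MessageBeep         -> ret 4      (C2 04 00)
 *   SetForegroundWindow -> ret 4      (C2 04 00)
 *   ShowWindow          -> ret 8      (C2 08 00)
 *   MessageBoxW         -> jmp rel32  (E9 xx xx xx xx) to hkMessageBox
 *
 * The byte patches are 32-bit x86 / stdcall only: `ret imm16` pops exactly
 * the callee-cleaned argument bytes, and a 5-byte jmp rel32 is assumed to
 * reach hkMessageBox. Neither holds on x64, and MSVC has no inline asm there.
 *
 * Caveats a caller must accept:
 *   - the patch is process-wide: every module and thread in this process
 *     that calls these functions between SetHook() and UnHook() gets the stub;
 *   - there is no synchronisation with threads that may be executing the
 *     patched prologues while they are being overwritten.
 */

enum
{
    HOOK_RET_LEN = 3,   /* ret imm16 */
    HOOK_JMP_LEN = 5    /* jmp rel32 */
};

/* Original prologue bytes, captured by SetHook() and written back by
 * UnHook(). Saving them instead of hard-coding a "mov edi,edi / push ebp /
 * mov ebp,esp" prologue keeps UnHook() correct when user32 differs between
 * Windows versions or has already been hot-patched by someone else. */
static BYTE g_arrOldMessageBeepBytes[HOOK_RET_LEN];
static BYTE g_arrOldMessageBoxWBytes[HOOK_JMP_LEN];
BYTE        g_arrOldShowWindowBytes[HOOK_RET_LEN];   /* existing name, kept */
static BYTE g_arrOldSetForegroundWindowBytes[HOOK_RET_LEN];

/* TRUE between a successful SetHook() and the matching UnHook(); stops a
 * second SetHook() from saving the stubs as "original" bytes and stops
 * UnHook() from writing anything when nothing was patched. */
static BOOL g_bHooked = FALSE;

/* Replacement for MessageBoxW. Control arrives via the jmp written over
 * MessageBoxW's first five bytes, so the stack is exactly as the caller left
 * it: return address, then the four stdcall arguments (16 bytes). Returns
 * IDOK (1) in EAX so a caller that tests the result sees a definite value
 * rather than whatever EAX happened to hold.
 * NOTE(review): if the installer branches on IDYES/IDNO, change the value. */
void __declspec(naked) hkMessageBox()
{
    __asm
    {
        mov eax, 1
        ret 10h
    }
}

/* Addresses of the four user32 exports that get patched. */
struct HookTargets
{
    FARPROC pMessageBeep;
    FARPROC pMessageBoxW;
    FARPROC pShowWindow;
    FARPROC pSetForegroundWindow;
};

/* Looks up all four targets in the already-loaded user32.dll.
 * Returns FALSE if user32 is not loaded or any export is missing; *t may be
 * partially filled in that case and must not be used. */
static BOOL ResolveTargets(struct HookTargets *t)
{
    HMODULE hUser32 = GetModuleHandle(_T("user32.dll"));
    if (hUser32 == NULL)
    {
        return FALSE;
    }
    t->pMessageBeep         = GetProcAddress(hUser32, "MessageBeep");
    t->pMessageBoxW         = GetProcAddress(hUser32, "MessageBoxW");
    t->pShowWindow          = GetProcAddress(hUser32, "ShowWindow");
    t->pSetForegroundWindow = GetProcAddress(hUser32, "SetForegroundWindow");
    return t->pMessageBeep != NULL
        && t->pMessageBoxW != NULL
        && t->pShowWindow != NULL
        && t->pSetForegroundWindow != NULL;
}

/* Overwrites len bytes of code at target in this process, then flushes the
 * instruction cache. WriteProcessMemory handles the page protection itself.
 * Returns FALSE on failure or a short write. */
static BOOL PatchCode(FARPROC target, const void *bytes, SIZE_T len)
{
    SIZE_T written = 0;
    if (!WriteProcessMemory(GetCurrentProcess(), (LPVOID)target, bytes, len, &written)
        || written != len)
    {
        return FALSE;
    }
    FlushInstructionCache(GetCurrentProcess(), (LPCVOID)target, len);
    return TRUE;
}

/* Writes the saved prologue bytes back over all four targets (best effort).
 * Writing the saved bytes over a target that was never patched is a no-op,
 * so this is also safe for cleaning up after a partially failed SetHook(). */
static void RestoreAll(const struct HookTargets *t)
{
    PatchCode(t->pMessageBeep,         g_arrOldMessageBeepBytes,         HOOK_RET_LEN);
    PatchCode(t->pMessageBoxW,         g_arrOldMessageBoxWBytes,         HOOK_JMP_LEN);
    PatchCode(t->pShowWindow,          g_arrOldShowWindowBytes,          HOOK_RET_LEN);
    PatchCode(t->pSetForegroundWindow, g_arrOldSetForegroundWindowBytes, HOOK_RET_LEN);
}

/* Installs the four patches. Does nothing if already hooked or if any target
 * cannot be resolved; if any write fails, undoes the writes already made so
 * the process is never left half-patched. */
void SetHook()
{
    struct HookTargets t;
    static const BYTE arrRet4[HOOK_RET_LEN] = {0xC2, 0x04, 0x00};   /* ret 4 */
    static const BYTE arrRet8[HOOK_RET_LEN] = {0xC2, 0x08, 0x00};   /* ret 8 */
    BYTE arrJmp[HOOK_JMP_LEN] = {0xE9, 0, 0, 0, 0};                 /* jmp rel32 */
    DWORD rel32;

    if (g_bHooked || !ResolveTargets(&t))
    {
        return;
    }

    /* rel32 is measured from the end of the 5-byte jmp instruction. */
    rel32 = (DWORD)(DWORD_PTR)hkMessageBox
          - ((DWORD)(DWORD_PTR)t.pMessageBoxW + HOOK_JMP_LEN);
    memcpy(arrJmp + 1, &rel32, sizeof rel32);

    /* Capture what is really there before touching anything. */
    memcpy(g_arrOldMessageBeepBytes,         (const void *)t.pMessageBeep,         HOOK_RET_LEN);
    memcpy(g_arrOldMessageBoxWBytes,         (const void *)t.pMessageBoxW,         HOOK_JMP_LEN);
    memcpy(g_arrOldShowWindowBytes,          (const void *)t.pShowWindow,          HOOK_RET_LEN);
    memcpy(g_arrOldSetForegroundWindowBytes, (const void *)t.pSetForegroundWindow, HOOK_RET_LEN);

    if (PatchCode(t.pMessageBeep,         arrRet4, HOOK_RET_LEN)
     && PatchCode(t.pMessageBoxW,         arrJmp,  HOOK_JMP_LEN)
     && PatchCode(t.pShowWindow,          arrRet8, HOOK_RET_LEN)
     && PatchCode(t.pSetForegroundWindow, arrRet4, HOOK_RET_LEN))
    {
        g_bHooked = TRUE;
        return;
    }
    RestoreAll(&t);
}

/* Removes the patches installed by SetHook() by writing the saved original
 * bytes back. Does nothing if SetHook() did not succeed, so it can never
 * overwrite user32 code with guessed prologue bytes. */
void UnHook()
{
    struct HookTargets t;
    if (!g_bHooked || !ResolveTargets(&t))
    {
        return;
    }
    RestoreAll(&t);
    g_bHooked = FALSE;
}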

    "\xc2\x04\x00" 、"\xc2\x08\x00" 分别是ret 4、ret 8的十六进制机器码;
   "\x8B\xFF\x55" 是 mov edi,edi（8B FF）加上 push ebp（55）的机器码，也就是 Windows 热补丁前导（mov edi,edi / push ebp / mov ebp,esp）的前 3 个字节，并不只是 mov edi,edi;
   "\x8B\xFF\x55\x8B\xEC"是mov edi,edi,push ebp,mov ebp,esp的十六进制机器码。
   不明白的用OD载入任意一个程序,ctrl+E 敲入十六进制看看吧。
   这样，安装过程中对 MessageBeep、ShowWindow、SetForegroundWindow 的调用都在第一条指令就返回了（不响铃、不显示窗口、不提到前台）；
   对于 MessageBoxW，作者认为它开头的几个字节不是 mov edi,edi / push ebp / mov ebp,esp，所以改成直接 jmp 到自己的处理函数。但注意上面 UnHook 里却把 "\x8B\xFF\x55\x8B\xEC" 写回了 MessageBoxW——如果它原来的前 5 字节确实不是这些，UnHook 之后 MessageBoxW 就被改坏了，后面任何弹框都会崩溃。正确做法是像 ShowWindow 那样在 SetHook 里先保存原始字节，UnHook 时原样写回，而且四个函数都应如此，不要依赖写死的前导字节；另外 WriteProcessMemory 的返回值也应检查，写失败时不要留下只挂了一半的钩子。

   在加载 WDM 驱动之前调用 SetHook，加载完后立即调用 UnHook，尽量缩短挂钩窗口。SetHook/UnHook 改写的是本进程内所有线程都可能正在执行的代码，且没有做任何同步，所以应在没有其他线程会调用这四个函数的时候挂钩；挂钩期间本进程内任何模块的 MessageBoxW/ShowWindow/SetForegroundWindow/MessageBeep 调用都会被吞掉，不只是安装进度窗口。