好友
阅读权限10
听众
最后登录1970-1-1
|
[C] 纯文本查看 复制代码 #include <NTDDK.H>
/*
1.遍历内核中所有的模块
2.实现断链,达到隐藏驱动的目的
*/
typedef struct{
LIST_ENTRY InLoadOrderLinks;
LIST_ENTRY InMemoryOrderLinks;
LIST_ENTRY InInitializationOrderLinks;
PVOID DllBase;
PVOID EntryPoint;
UINT32 SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
UINT32 Flags;
UINT16 LoadCount;
UINT16 TlsIndex;
LIST_ENTRY HashLinks;
PVOID SectionPointer;
UINT32 CheckSum;
UINT32 TimeDateStamp;
PVOID LoadedImports;
PVOID EntryPointActivationContext;
PVOID PatchInformation;
}LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
VOID UnloadDriver(PDRIVER_OBJECT pDriver)
{
DbgPrint("驱动已经被加载!\n");
}
NTSTATUS Traversingsys(PDRIVER_OBJECT pDriver);//遍历内核中所有的模块
HANDLE g_Thread;
VOID ThreadRun(_In_ PVOID StartContext)
{
DbgPrint("驱动开始隐藏~\n");
PDRIVER_OBJECT pDriver1 = (PDRIVER_OBJECT)StartContext;
pDriver1->DriverSize = 0;//当前模块的大小
pDriver1->DriverSection = NULL;//当前链节点指针
pDriver1->DriverExtension = NULL;//驱动程序的【DriverEntry例程】存储在驱动程序的【AddDevice例程】中。
pDriver1->DriverStart = NULL;//内存中起始位置
pDriver1->DriverInit = NULL;//sys文件的OEP
pDriver1->FastIoDispatch = NULL;//入口点
pDriver1->DriverStartIo = NULL;//入口点
ZwClose(g_Thread);
DbgPrint("驱动隐藏结束~\n");
}
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver,PUNICODE_STRING pReg)
{
//遍历内核中所有的模块
Traversingsys(pDriver);
//隐藏内核中的驱动
PLDR_DATA_TABLE_ENTRY pCur = (PLDR_DATA_TABLE_ENTRY)pDriver->DriverSection;
PLDR_DATA_TABLE_ENTRY pNext = pCur->InLoadOrderLinks.Flink;//下一个模块的地址
PLDR_DATA_TABLE_ENTRY pLast = pCur->InLoadOrderLinks.Blink;//上一个模块的地址
DbgPrint("开始断链........\n");
pLast->InLoadOrderLinks.Flink = pNext;
pNext->InLoadOrderLinks.Blink = pLast;
DbgPrint("断链已经完成!\n");
PsCreateSystemThread(&g_Thread, GENERIC_ALL, NULL, NULL, NULL, ThreadRun, pDriver);
pDriver->DriverUnload = UnloadDriver;
return STATUS_SUCCESS;
}
NTSTATUS Traversingsys(PDRIVER_OBJECT pDriver)
{
PLDR_DATA_TABLE_ENTRY pCur = (PLDR_DATA_TABLE_ENTRY)pDriver->DriverSection;
PLDR_DATA_TABLE_ENTRY pNext = pCur;
ULONG num = 0;
do{
num += 1;
DbgPrint("第%d个模块名字:%wZ\n", num ,&(pNext->BaseDllName));
pNext = pNext->InLoadOrderLinks.Blink;
} while (pNext != pCur);
return STATUS_SUCCESS;
} |
免费评分
-
查看全部评分
|
发帖前要善用【论坛搜索】功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。 |
|
|
|
|
|
|
发表于 2021-3-5 18:37
