
#include "ntddk.h"
#include <windef.h>
/*
 * Local copies of the PE image header structures (same layout as the
 * winnt.h / ntimage.h definitions), presumably because neither ntddk.h nor
 * windef.h supplies them in this build — verify before relying on them
 * beyond what this file reads.
 *
 * IMAGE_DOS_HEADER: the legacy "MZ" header at offset 0 of every PE image.
 * For a mapped image only two fields matter here: e_magic (expected 0x5A4D,
 * "MZ") and e_lfanew, the offset from the image base to IMAGE_NT_HEADERS.
 */
typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
    WORD e_magic;      // Magic number ("MZ", 0x5A4D)
    WORD e_cblp;       // Bytes on last page of file
    WORD e_cp;         // Pages in file
    WORD e_crlc;       // Relocations
    WORD e_cparhdr;    // Size of header in paragraphs
    WORD e_minalloc;   // Minimum extra paragraphs needed
    WORD e_maxalloc;   // Maximum extra paragraphs needed
    WORD e_ss;         // Initial (relative) SS value
    WORD e_sp;         // Initial SP value
    WORD e_csum;       // Checksum
    WORD e_ip;         // Initial IP value
    WORD e_cs;         // Initial (relative) CS value
    WORD e_lfarlc;     // File address of relocation table
    WORD e_ovno;       // Overlay number
    WORD e_res[4];     // Reserved words
    WORD e_oemid;      // OEM identifier (for e_oeminfo)
    WORD e_oeminfo;    // OEM information; e_oemid specific
    WORD e_res2[10];   // Reserved words
    LONG e_lfanew;     // File address of new exe header (signed; offset of IMAGE_NT_HEADERS)
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
/*
 * One entry of the optional header's DataDirectory table: the RVA and byte
 * size of a directory (exports, imports, relocations, ...). Declared only
 * because IMAGE_OPTIONAL_HEADER embeds it; nothing in this file reads it.
 */
typedef struct _IMAGE_DATA_DIRECTORY {
    DWORD VirtualAddress;  // RVA of the directory, relative to the image base
    DWORD Size;            // Size of the directory in bytes
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
/*
 * PE32 (32-bit) optional header. This is NOT the PE32+ layout used by
 * 64-bit images: there ImageBase is 64 bits wide and BaseOfData does not
 * exist, so every field from ImageBase onward sits at a different offset.
 * The only field this file reads, AddressOfEntryPoint, is at the same
 * offset in both layouts, which is why the code below still works on a
 * 64-bit image. Do not read any later field through this struct on a
 * 64-bit image without switching to the PE32+ definition.
 */
typedef struct _IMAGE_OPTIONAL_HEADER {
    //
    // Standard fields.
    //
    WORD Magic;                        // 0x10B for PE32 (0x20B would be PE32+)
    BYTE MajorLinkerVersion;
    BYTE MinorLinkerVersion;
    DWORD SizeOfCode;
    DWORD SizeOfInitializedData;
    DWORD SizeOfUninitializedData;
    DWORD AddressOfEntryPoint;         // RVA of the entry point; same offset in PE32 and PE32+
    DWORD BaseOfCode;
    DWORD BaseOfData;                  // PE32 only; absent in PE32+
    //
    // NT additional fields.
    //
    DWORD ImageBase;                   // 32-bit here; 64-bit in PE32+ — offsets diverge from this point
    DWORD SectionAlignment;
    DWORD FileAlignment;
    WORD MajorOperatingSystemVersion;
    WORD MinorOperatingSystemVersion;
    WORD MajorImageVersion;
    WORD MinorImageVersion;
    WORD MajorSubsystemVersion;
    WORD MinorSubsystemVersion;
    DWORD Win32VersionValue;
    DWORD SizeOfImage;
    DWORD SizeOfHeaders;
    DWORD CheckSum;
    WORD Subsystem;
    WORD DllCharacteristics;
    DWORD SizeOfStackReserve;
    DWORD SizeOfStackCommit;
    DWORD SizeOfHeapReserve;
    DWORD SizeOfHeapCommit;
    DWORD LoaderFlags;
    DWORD NumberOfRvaAndSizes;         // Number of valid DataDirectory entries (may be < 16)
    IMAGE_DATA_DIRECTORY DataDirectory[16];
} IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER;
/*
 * COFF file header that immediately follows the "PE\0\0" signature.
 * Its 20-byte layout is identical for PE32 and PE32+. Not read by the
 * code in this file; present so that IMAGE_NT_HEADERS has the right size.
 */
typedef struct _IMAGE_FILE_HEADER {
    WORD Machine;                // Target architecture
    WORD NumberOfSections;
    DWORD TimeDateStamp;
    DWORD PointerToSymbolTable;
    DWORD NumberOfSymbols;
    WORD SizeOfOptionalHeader;   // Size of the optional header that follows
    WORD Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
/*
 * PE header located at ImageBase + IMAGE_DOS_HEADER.e_lfanew.
 * Signature is expected to be 0x00004550 ("PE\0\0"). OptionalHeader begins
 * at offset 0x18 (4-byte Signature + 20-byte FileHeader). Only
 * OptionalHeader.AddressOfEntryPoint is read by this file; see the caveat
 * on IMAGE_OPTIONAL_HEADER regarding 64-bit images.
 */
typedef struct _IMAGE_NT_HEADERS {
    DWORD Signature;                      // "PE\0\0" (0x00004550)
    IMAGE_FILE_HEADER FileHeader;
    IMAGE_OPTIONAL_HEADER OptionalHeader; // 0x18
} IMAGE_NT_HEADERS, *PIMAGE_NT_HEADERS;
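/*
 * Resolve the entry point (DriverEntry, for a driver image) of a PE image
 * already mapped at ImageBase by walking its headers in memory:
 *   ImageBase -> IMAGE_DOS_HEADER.e_lfanew -> IMAGE_NT_HEADERS
 *             -> OptionalHeader.AddressOfEntryPoint (an RVA, added to ImageBase).
 *
 * ImageBase: base address of a mapped PE image (ImageInfo->ImageBase from
 *            the load-image callback).
 *
 * Returns the absolute address of the entry point, or NULL when ImageBase
 * is NULL, e_lfanew is negative, or the "MZ" / "PE\0\0" signatures are not
 * present. Callers must not write through a NULL result.
 *
 * Only AddressOfEntryPoint is read. It sits at the same offset in the PE32
 * and PE32+ optional headers, so the 32-bit IMAGE_OPTIONAL_HEADER defined
 * above is sufficient for that one field; no other optional-header field
 * may be trusted through this struct for a 64-bit image.
 */
PVOID GetDriverEntryByImageBase(PVOID ImageBase)
{
    PIMAGE_DOS_HEADER pDOSHeader = (PIMAGE_DOS_HEADER)ImageBase;
    PIMAGE_NT_HEADERS pNTHeader;

    if (ImageBase == NULL || pDOSHeader->e_magic != 0x5A4D) {   /* "MZ" */
        return NULL;
    }
    /* e_lfanew is signed; a negative offset would point before the image. */
    if (pDOSHeader->e_lfanew < 0) {
        return NULL;
    }

    /* Cast to the header type whose fields are actually dereferenced here. */
    pNTHeader = (PIMAGE_NT_HEADERS)((ULONG64)ImageBase + pDOSHeader->e_lfanew);
    if (pNTHeader->Signature != 0x00004550) {                    /* "PE\0\0" */
        return NULL;
    }

    return (PVOID)((ULONG64)ImageBase + pNTHeader->OptionalHeader.AddressOfEntryPoint);
}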
/*
 * Overwrite the first bytes of a driver's entry point with
 * "mov eax, 0C0000022h ; ret" so that when the loader calls DriverEntry it
 * returns STATUS_ACCESS_DENIED immediately and the driver fails to load.
 *
 * DriverEntry: absolute address of the target's entry point (see
 *              GetDriverEntryByImageBase). sizeof(fuck) is 7, not 6 — the
 *              string literal's NUL terminator is copied too — so 7 bytes
 *              are written starting at this address.
 *
 * Review notes:
 *  - The write is made possible by clearing CR0.WP (bit 16) with interrupts
 *    disabled. CR0 is a per-processor register, so only the current CPU is
 *    affected for the duration of the copy.
 *  - Patching another image's code and toggling CR0.WP is the class of
 *    modification that Kernel Patch Protection (PatchGuard) checks for on
 *    x64; a bugcheck at some later point is the likely outcome there.
 *  - The x64 MSVC compiler does not accept __asm blocks, so as written this
 *    builds only for x86 despite the "X64" tags in the DbgPrint output.
 *  - DriverEntry is not validated here; NULL or a bogus pointer is written
 *    through as-is.
 */
void DenyLoadDriver(PVOID DriverEntry)
{ULONG oldCr0;
    /* 0xC0000022 == STATUS_ACCESS_DENIED */
    UCHAR fuck[]="\xB8\x22\x00\x00\xC0\xC3"; // mov eax,c0000022h
    //ret
    // Disable write protection (clear CR0.WP) so the code page can be written.
    __asm {
    cli;
    mov eax, cr0;
    mov oldCr0, eax;
    and eax, not 10000h;
    mov cr0, eax
    }
    RtlCopyMemory(DriverEntry,fuck,sizeof(fuck));
    // Copy done: restore the saved CR0 (re-enables write protection) and interrupts.
    __asm {
    mov eax, oldCr0;
    mov cr0, eax;
    sti;
    }
}
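/*
 * PsSetLoadImageNotifyRoutine callback: invoked for every image mapped into
 * a process or into the kernel. For kernel-mode loads (ProcessId == 0) it
 * logs the image name and resolved entry point, and for an image whose path
 * contains "EagleXNt.sys" it patches that entry point so the driver fails to
 * load (see DenyLoadDriver).
 *
 * FullImageName: path of the image; may be NULL.
 * ProcessId:     owning process; 0 for drivers and other kernel images.
 * ImageInfo:     load details; only ImageBase is used.
 *
 * Review notes:
 *  - UNICODE_STRING buffers are not guaranteed to be NUL-terminated, so
 *    wcsstr() on FullImageName->Buffer may read past Length; a
 *    length-bounded comparison would be the robust form.
 *  - MmIsAddressValid only reports whether a page is currently resident; it
 *    is not a safety guarantee for pageable memory.
 *  - The substring match hits any path containing the name, not only the
 *    file name itself.
 */
VOID LoadImageNotifyRoutine
(
    __in_opt PUNICODE_STRING FullImageName,
    __in HANDLE ProcessId,
    __in PIMAGE_INFO ImageInfo
)
{
    PVOID pDrvEntry;

    /* Ignore images without a usable name and all user-mode loads. */
    if (FullImageName == NULL || !MmIsAddressValid(FullImageName)) {
        return;
    }
    if (ProcessId != 0) {
        return;
    }

    DbgPrint("[LoadImageNotifyX64]%wZ\n", FullImageName);
    pDrvEntry = GetDriverEntryByImageBase(ImageInfo->ImageBase);
    DbgPrint("[LoadImageNotifyX64]DriverEntry: %p\n", pDrvEntry);

    /* Never write through a NULL entry pointer or search a NULL buffer. */
    if (pDrvEntry == NULL || FullImageName->Buffer == NULL) {
        return;
    }
    if (wcsstr(FullImageName->Buffer, L"EagleXNt.sys")) {
        DenyLoadDriver(pDrvEntry);
    }
}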
/*
 * Unload routine: unregister the image-load callback installed by
 * DriverEntry. The removal status is deliberately not inspected; there is
 * nothing further to do at unload time either way.
 */
void DriverUnload(PDRIVER_OBJECT obj)
{
    (void)PsRemoveLoadImageNotifyRoutine(LoadImageNotifyRoutine);
}
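/*
 * Driver entry point: register the image-load callback and install the
 * unload routine.
 *
 * obj:  driver object supplied by the I/O manager.
 * preg: registry path; unused.
 *
 * Returns STATUS_SUCCESS, or the failure status of
 * PsSetLoadImageNotifyRoutine so that a driver whose callback could not be
 * registered is not left resident and reporting success.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT obj, PUNICODE_STRING preg)
{
    NTSTATUS status;

    (void)preg;

    status = PsSetLoadImageNotifyRoutine(LoadImageNotifyRoutine);
    if (!NT_SUCCESS(status)) {
        return status;
    }
    obj->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}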