拦截/阻止驱动加载
离线天道酬勤
#include "ntddk.h"
#include <windef.h>
/*
 * Legacy DOS ("MZ") header that starts every PE image. Only two fields are
 * read by this driver: e_magic (must be 'MZ', 0x5A4D) and e_lfanew (file
 * offset of the IMAGE_NT_HEADERS). Layout is fixed at 64 (0x40) bytes.
 *
 * NOTE(review): the WDK's ntimage.h declares the same struct tags; if it is
 * pulled in through ntddk.h the local copies below are redefinitions — confirm
 * which one the build actually uses.
 */
typedef struct _IMAGE_DOS_HEADER {
    WORD   e_magic;                     /* 0x00  'MZ' signature                          */
    WORD   e_cblp;                      /* 0x02  bytes on last page of file              */
    WORD   e_cp;                        /* 0x04  pages in file                           */
    WORD   e_crlc;                      /* 0x06  relocations                             */
    WORD   e_cparhdr;                   /* 0x08  size of header in paragraphs            */
    WORD   e_minalloc;                  /* 0x0A  minimum extra paragraphs needed         */
    WORD   e_maxalloc;                  /* 0x0C  maximum extra paragraphs needed         */
    WORD   e_ss;                        /* 0x0E  initial (relative) SS value             */
    WORD   e_sp;                        /* 0x10  initial SP value                        */
    WORD   e_csum;                      /* 0x12  checksum                                */
    WORD   e_ip;                        /* 0x14  initial IP value                        */
    WORD   e_cs;                        /* 0x16  initial (relative) CS value             */
    WORD   e_lfarlc;                    /* 0x18  file address of relocation table        */
    WORD   e_ovno;                      /* 0x1A  overlay number                          */
    WORD   e_res[4];                    /* 0x1C  reserved                                */
    WORD   e_oemid;                     /* 0x24  OEM identifier (for e_oeminfo)          */
    WORD   e_oeminfo;                   /* 0x26  OEM information; e_oemid specific       */
    WORD   e_res2[10];                  /* 0x28  reserved                                */
    LONG   e_lfanew;                    /* 0x3C  file offset of the PE header (signed!)  */
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;


/* One entry of the optional header's DataDirectory table: an RVA plus a byte size (8 bytes). */
typedef struct _IMAGE_DATA_DIRECTORY {
    DWORD   VirtualAddress;             /* RVA of the table (0 when absent) */
    DWORD   Size;                       /* size of the table in bytes       */
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;


/*
 * PE32 (32-bit, Magic 0x10B) optional header, 224 (0xE0) bytes.
 *
 * On x64 images the on-disk layout is PE32+ (Magic 0x20B): there is no
 * BaseOfData and ImageBase becomes 8 bytes, so every field from offset 0x18
 * onward sits at a different position. The standard fields up to BaseOfCode
 * (offsets 0x00-0x17) are identical in both variants, and
 * AddressOfEntryPoint (0x10) is the only field this driver reads — which is
 * why this 32-bit definition still works for the x64 images the file targets.
 */
typedef struct _IMAGE_OPTIONAL_HEADER {
    /* Standard fields (shared with PE32+). */
    WORD    Magic;                      /* 0x00  0x10B = PE32, 0x20B = PE32+ */
    BYTE    MajorLinkerVersion;
    BYTE    MinorLinkerVersion;
    DWORD   SizeOfCode;
    DWORD   SizeOfInitializedData;
    DWORD   SizeOfUninitializedData;
    DWORD   AddressOfEntryPoint;        /* 0x10  RVA of the entry point (DriverEntry for drivers) */
    DWORD   BaseOfCode;
    DWORD   BaseOfData;                 /* 0x18  PE32 only; PE32+ has ImageBase here */

    /* NT additional fields (PE32 layout from here on). */
    DWORD   ImageBase;                  /* 0x1C */
    DWORD   SectionAlignment;
    DWORD   FileAlignment;
    WORD    MajorOperatingSystemVersion;
    WORD    MinorOperatingSystemVersion;
    WORD    MajorImageVersion;
    WORD    MinorImageVersion;
    WORD    MajorSubsystemVersion;
    WORD    MinorSubsystemVersion;
    DWORD   Win32VersionValue;
    DWORD   SizeOfImage;
    DWORD   SizeOfHeaders;
    DWORD   CheckSum;
    WORD    Subsystem;
    WORD    DllCharacteristics;
    DWORD   SizeOfStackReserve;
    DWORD   SizeOfStackCommit;
    DWORD   SizeOfHeapReserve;
    DWORD   SizeOfHeapCommit;
    DWORD   LoaderFlags;
    DWORD   NumberOfRvaAndSizes;
    IMAGE_DATA_DIRECTORY DataDirectory[16]; /* 0x60  export, import, resource, ... */
} IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER;




/* COFF file header that follows the PE signature; 20 (0x14) bytes in both PE32 and PE32+. */
typedef struct _IMAGE_FILE_HEADER {
    WORD    Machine;                    /* 0x00  target architecture            */
    WORD    NumberOfSections;           /* 0x02                                 */
    DWORD   TimeDateStamp;              /* 0x04                                 */
    DWORD   PointerToSymbolTable;       /* 0x08                                 */
    DWORD   NumberOfSymbols;            /* 0x0C                                 */
    WORD    SizeOfOptionalHeader;       /* 0x10  0xE0 for PE32, 0xF0 for PE32+  */
    WORD    Characteristics;            /* 0x12                                 */
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;


/*
 * PE header located at ImageBase + e_lfanew. Signature must be "PE\0\0"
 * (0x00004550). OptionalHeader starts at offset 0x18, the same in PE32 and
 * PE32+, so OptionalHeader.AddressOfEntryPoint is at 0x28 for either.
 */
typedef struct _IMAGE_NT_HEADERS {
    DWORD                 Signature;        /* 0x00  "PE\0\0" */
    IMAGE_FILE_HEADER     FileHeader;       /* 0x04 */
    IMAGE_OPTIONAL_HEADER OptionalHeader;   /* 0x18 */
} IMAGE_NT_HEADERS, *PIMAGE_NT_HEADERS;


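/*
 * Resolve the entry point (DriverEntry) of a mapped PE image.
 *
 * ImageBase: base address of an image whose headers are mapped and readable
 *            (IMAGE_INFO::ImageBase from the load-image callback).
 * Returns the absolute address of OptionalHeader.AddressOfEntryPoint, or NULL
 * when the headers do not look like a PE image: NULL base, missing 'MZ' or
 * "PE\0\0" signatures, an e_lfanew that is negative or lands inside the DOS
 * header, or a zero entry RVA. Callers must treat NULL as "do not touch".
 *
 * Only fields whose offsets are identical in PE32 and PE32+ are read
 * (DOS header, Signature, AddressOfEntryPoint at optional-header offset 0x10),
 * so the local 32-bit IMAGE_OPTIONAL_HEADER definition is sufficient for x64
 * images and no PIMAGE_NT_HEADERS64 is needed. Pointer arithmetic is done on
 * UCHAR* rather than via a ULONG64 cast so the same code is correct on x86.
 *
 * Nothing here bounds e_lfanew against the image size because only the base
 * is passed in; a caller that holds IMAGE_INFO::ImageSize can add that check.
 */
PVOID GetDriverEntryByImageBase(PVOID ImageBase)
{
    UCHAR *base = (UCHAR *)ImageBase;
    PIMAGE_DOS_HEADER dosHeader;
    PIMAGE_NT_HEADERS ntHeader;
    LONG ntOffset;
    DWORD entryRva;

    if (ImageBase == NULL) {
        return NULL;
    }

    dosHeader = (PIMAGE_DOS_HEADER)ImageBase;
    if (dosHeader->e_magic != 0x5A4D) {             /* 'MZ' */
        return NULL;
    }

    /* e_lfanew is signed: reject negative values and anything that would
       place the PE header on top of the DOS header itself. */
    ntOffset = dosHeader->e_lfanew;
    if (ntOffset < (LONG)sizeof(IMAGE_DOS_HEADER)) {
        return NULL;
    }

    ntHeader = (PIMAGE_NT_HEADERS)(base + ntOffset);
    if (ntHeader->Signature != 0x00004550) {        /* "PE\0\0" */
        return NULL;
    }

    /* A zero RVA means the image declares no entry point; nothing to patch. */
    entryRva = ntHeader->OptionalHeader.AddressOfEntryPoint;
    if (entryRva == 0) {
        return NULL;
    }

    return (PVOID)(base + entryRva);
}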
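/*
 * Make a freshly mapped driver fail to initialise by overwriting the first
 * bytes of its DriverEntry with a stub that returns STATUS_ACCESS_DENIED:
 *     B8 22 00 00 C0    mov eax, 0C0000022h
 *     C3                ret
 * It is called from the load-image callback, i.e. before the image's entry
 * point has run, so the I/O manager sees DriverEntry fail and does not keep
 * the driver loaded.
 *
 * DriverEntry: address returned by GetDriverEntryByImageBase(); NULL is
 *              ignored instead of being written to.
 *
 * The target page is executable/read-only, so write protection is lifted by
 * clearing CR0.WP (bit 16, the 10000h mask below) around the copy. Two
 * caveats a maintainer must know: the __asm blocks are accepted only by the
 * x86 MSVC compiler (the x64 compiler has no inline assembler, so this file
 * does not build as-is for the "X64" it names elsewhere), and cli/sti and
 * CR0 affect the current processor only.
 *
 * The old version declared the stub as a string literal and copied
 * sizeof(literal) bytes, which included the trailing NUL and overwrote one
 * byte beyond the 6-byte stub; a plain byte array copies exactly 6 bytes.
 */
void DenyLoadDriver(PVOID DriverEntry)
{
    static const UCHAR denyStub[] = { 0xB8, 0x22, 0x00, 0x00, 0xC0, 0xC3 };
    ULONG oldCr0;

    if (DriverEntry == NULL) {
        return;
    }

    /* Disable interrupts and write protection on this processor. */
    __asm {
        cli;
        mov eax, cr0;
        mov oldCr0, eax;
        and eax, not 10000h;
        mov cr0, eax
    }

    RtlCopyMemory(DriverEntry, denyStub, sizeof(denyStub));

    /* Restore CR0 (re-enables WP) and interrupts. */
    __asm {
        mov eax, oldCr0;
        mov cr0, eax;
        sti;
    }
}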
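/*
 * TRUE when FullImageName ends with Suffix (case-insensitive) and the suffix
 * is either the whole name or immediately preceded by a backslash, so that
 * "\SystemRoot\...\EagleXNt.sys" matches while "...\XEagleXNt.sys" does not.
 * Works on UNICODE_STRING::Length (bytes) and never assumes Buffer is
 * NUL-terminated — wcsstr() on Buffer can read past the string.
 */
static BOOLEAN ImageNameHasFileName(PCUNICODE_STRING FullImageName, PCUNICODE_STRING Suffix)
{
    UNICODE_STRING tail;
    USHORT prefixBytes;

    if (FullImageName->Buffer == NULL || FullImageName->Length < Suffix->Length) {
        return FALSE;
    }

    prefixBytes = FullImageName->Length - Suffix->Length;
    tail.Buffer = (PWSTR)((PUCHAR)FullImageName->Buffer + prefixBytes);
    tail.Length = Suffix->Length;
    tail.MaximumLength = Suffix->Length;

    if (!RtlEqualUnicodeString(&tail, Suffix, TRUE)) {
        return FALSE;
    }
    if (prefixBytes == 0) {
        return TRUE;                    /* name is exactly the file name */
    }
    if (prefixBytes < sizeof(WCHAR)) {
        return FALSE;                   /* odd byte length: malformed string */
    }
    return tail.Buffer[-1] == L'\\';
}

/*
 * PsSetLoadImageNotifyRoutine callback, invoked at PASSIVE_LEVEL for every
 * image mapping. ProcessId is 0 for kernel-mode images (drivers); everything
 * else is ignored. When a driver named EagleXNt.sys is mapped, its entry
 * point is located and patched via DenyLoadDriver() before it runs.
 *
 * FullImageName: may be NULL; Buffer is not assumed NUL-terminated.
 * ProcessId:     0 for drivers, otherwise the process mapping the image.
 * ImageInfo:     ImageBase is used to locate the entry point.
 */
VOID LoadImageNotifyRoutine
(
__in_opt PUNICODE_STRING FullImageName,
__in HANDLE ProcessId,
__in PIMAGE_INFO ImageInfo
)
{
    UNICODE_STRING targetName;
    PVOID entryPoint;

    /* Drivers only; user-mode DLL/EXE mappings are not of interest. */
    if (ProcessId != 0 || FullImageName == NULL || ImageInfo == NULL) {
        return;
    }
    /* Kept from the original as a weak sanity check; MmIsAddressValid is not
       a reliable validity test and the kernel owns this string anyway. */
    if (!MmIsAddressValid(FullImageName)) {
        return;
    }

    DbgPrint("[LoadImageNotifyX64]%wZ\n", FullImageName);

    RtlInitUnicodeString(&targetName, L"EagleXNt.sys");
    if (!ImageNameHasFileName(FullImageName, &targetName)) {
        return;
    }

    entryPoint = GetDriverEntryByImageBase(ImageInfo->ImageBase);
    DbgPrint("[LoadImageNotifyX64]DriverEntry: %p\n", entryPoint);
    if (entryPoint == NULL) {
        /* Headers did not parse; better to let the load proceed than to
           write a stub to a bogus address. */
        return;
    }

    DenyLoadDriver(entryPoint);
}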


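/*
 * Unload callback: unregister the load-image notification so the callback is
 * no longer invoked once this driver's code is gone. The status is logged
 * rather than ignored; there is nothing else that can be done during unload.
 *
 * obj: the driver object (unused).
 */
void DriverUnload(PDRIVER_OBJECT obj)
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER(obj);

    status = PsRemoveLoadImageNotifyRoutine(LoadImageNotifyRoutine);
    if (!NT_SUCCESS(status)) {
        DbgPrint("[LoadImageNotifyX64]PsRemoveLoadImageNotifyRoutine failed: 0x%08X\n", status);
    }
}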
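/*
 * Driver entry point: register the load-image callback and the unload routine.
 *
 * obj:  this driver's object; DriverUnload is set on it only after the
 *       callback registration succeeded.
 * preg: registry path (unused).
 * Returns STATUS_SUCCESS, or the failure status of
 * PsSetLoadImageNotifyRoutine — in which case the driver does not stay loaded,
 * since without the callback it has no purpose. The old code ignored that
 * status and reported success regardless.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT obj, PUNICODE_STRING preg)
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER(preg);

    status = PsSetLoadImageNotifyRoutine(LoadImageNotifyRoutine);
    if (!NT_SUCCESS(status)) {
        DbgPrint("[LoadImageNotifyX64]PsSetLoadImageNotifyRoutine failed: 0x%08X\n", status);
        return status;
    }

    obj->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}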
好好学习天天向上