检测断开PsLoadedModuleList链的驱动
有空我还会写关于 SSDT 检测和修复的部分。我们可以把下面的例子加入到 SSDT 检测部分中，以解决一些 rootkit 隐藏了驱动、导致驱动不能被成功枚举出来的问题。
PDIRECTORY_BASIC_INFORMATION pDriverBuffer = NULL;
// Snapshot of the \Driver object directory; uMemSize receives the size of the
// allocation (not the bytes actually written). This list comes from the object
// manager rather than from PsLoadedModuleList, which is why a driver that only
// unlinked its loader entry is still present here and can be found by comparison.
pDriverBuffer = (PDIRECTORY_BASIC_INFORMATION)m_cSysInfo.QueryDirectoryObject(L"\\Driver", &uMemSize);
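// Enumerates the object-manager directory pwsDirPath (e.g. L"\\Driver") through
// the dynamically resolved Zw* entry points and returns a buffer of
// DIRECTORY_BASIC_INFORMATION entries.
//
// pwsDirPath  NUL-terminated NT object path of the directory to list.
// puMemSize   optional; on success receives the SIZE OF THE ALLOCATION. The
//             number of bytes the kernel actually wrote (uResult) is discarded.
// Returns     the buffer, owned by the caller and to be freed with
//             VirtualFree(p, 0, MEM_RELEASE); NULL if an entry point is missing,
//             the directory cannot be opened, allocation fails, or the query does
//             not finish with STATUS_SUCCESS.
//
// The entries come from the object manager, not from PsLoadedModuleList, so a
// driver that unlinked its loader entry still appears in the result.
PVOID CNativeSysInfo::QueryDirectoryObject(PWSTR pwsDirPath, PULONG puMemSize)
{
    NTSTATUS ntStatus;
    UNICODE_STRING usDirPath;
    OBJECT_ATTRIBUTES oa;
    HANDLE hDir = NULL;
    PVOID pBuffer = NULL;
    ULONG uLength = 0x800;   // doubled before the first allocation -> first buffer is 0x1000 bytes
    ULONG uContext = 0;
    ULONG uResult = 0;

    // All four entry points are resolved at runtime; without any of them the
    // query cannot be carried out (nor the handle closed afterwards).
    if(m_lpRtlInitUnicodeString == NULL ||
       m_lpZwOpenDirectoryObject == NULL ||
       m_lpZwQueryDirectoryObject == NULL ||
       m_lpZwClose == NULL)
    {
        return NULL;
    }

    // Open the directory object with enumeration rights only.
    m_lpRtlInitUnicodeString(&usDirPath, pwsDirPath);
    InitializeObjectAttributes(&oa, &usDirPath, OBJ_CASE_INSENSITIVE, NULL, NULL);
    ntStatus = m_lpZwOpenDirectoryObject(&hDir, DIRECTORY_QUERY, &oa);
    if(ntStatus != STATUS_SUCCESS)
    {
        TRACE(_T("ZwOpenDirectoryObject failed!"));
        goto _exit;
    }

    // Query with RestartScan = TRUE and a buffer that doubles until the whole
    // directory fits into a single call, so the result is one consistent snapshot.
    do
    {
        if(pBuffer)
        {
            // A MEM_COMMIT on a NULL base both reserves and commits the region;
            // MEM_RELEASE with size 0 is the matching free. MEM_DECOMMIT would
            // leave the reservation behind on every retry.
            VirtualFree(pBuffer, 0, MEM_RELEASE);
            pBuffer = NULL;
        }
        // Doubling a ULONG at or above 0x80000000 wraps to 0; stop instead.
        if(uLength > 0x7FFFFFFFUL)
            goto _exit;
        uLength *= 2;
        // Newly committed pages are zero-filled, so any unused tail of the buffer
        // reads as zeros.
        pBuffer = VirtualAlloc(NULL, uLength, MEM_COMMIT, PAGE_READWRITE);
        if(pBuffer == NULL)
            goto _exit;
        ntStatus = m_lpZwQueryDirectoryObject(hDir, pBuffer, uLength, FALSE, TRUE, &uContext, &uResult);
    } while(ntStatus == STATUS_MORE_ENTRIES || ntStatus == STATUS_BUFFER_TOO_SMALL);

    if(ntStatus == STATUS_SUCCESS)
    {
        if(puMemSize)
            *puMemSize = uLength;
    }
    else
    {
        // Any other status is reported as "no result" (an empty directory may
        // come back as STATUS_NO_MORE_ENTRIES rather than STATUS_SUCCESS - verify
        // if empty directories need to be distinguished from failures).
        VirtualFree(pBuffer, 0, MEM_RELEASE);
        pBuffer = NULL;
    }

_exit:
    if(hDir)
    {
        m_lpZwClose(hDir);
        hDir = NULL;
    }
    return pBuffer;
}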
//然后把得到的结果和常规结果比较就可以找到隐藏驱动。隐藏驱动的相关信息可以通过下面的方式得到。
// Kernel-mode side: resolve a driver that appears in \Driver but not in the normal
// module list back to its DRIVER_OBJECT by name.
PDRIVER_OBJECT pDrvObject = NULL;
// NOTE(review): pvInBuf looks like an I/O request input buffer. RtlInitUnicodeString
// scans for a terminating NUL, so the caller must have verified that the buffer is
// NUL-terminated within its declared length before this line - confirm at the
// dispatch routine.
RtlInitUnicodeString(&usDirPath, (PCWSTR)pvInBuf);
// Takes a reference on the object; on success the caller has to balance it with
// ObDereferenceObject(pDrvObject) once the object is no longer needed.
ntStatus = ObReferenceObjectByName(&usDirPath,
OBJ_CASE_INSENSITIVE,
NULL,
0,
*IoDriverObjectType,
KernelMode,
NULL,
(PVOID*)&pDrvObject);
//下面是一个隐藏驱动的例子,用上面的办法可以发现。
// Example of the hiding technique the \Driver enumeration above is meant to defeat:
// the driver's loader entry is spliced out of the doubly linked load-order list, so a
// walk of PsLoadedModuleList no longer reaches it, while the DRIVER_OBJECT in \Driver
// is untouched. Two artefacts remain for detection: the entry ends up pointing at
// itself (Flink == Blink == the entry), and the two views (object directory vs.
// module list) disagree, which the comparison described above exposes.
void _EraseDrvFromModList(PDRIVER_OBJECT pDrvObject)
{
PLDR_DATA_TABLE_ENTRY pOwen;
PLDR_DATA_TABLE_ENTRY pPrev;
PLDR_DATA_TABLE_ENTRY pNext;
// DriverSection is cast straight to the loader entry; neither it nor the
// neighbour pointers are checked for NULL.
pOwen = (PLDR_DATA_TABLE_ENTRY)pDrvObject->DriverSection;
// The casts treat a LIST_ENTRY address as an LDR_DATA_TABLE_ENTRY, i.e. they assume
// the list links sit at offset 0 of the entry - presumably true for this layout,
// but not verified here.
pPrev = (PLDR_DATA_TABLE_ENTRY)pOwen->InLoadOrderModuleList.Blink;
pNext = (PLDR_DATA_TABLE_ENTRY)pOwen->InLoadOrderModuleList.Flink;
// Unlink: the neighbours now point past the entry. No lock is taken against
// concurrent walkers of the list.
pPrev->InLoadOrderModuleList.Flink = (PLIST_ENTRY)pNext;
pNext->InLoadOrderModuleList.Blink = (PLIST_ENTRY)pPrev;
// The entry is made self-referencing (presumably so a later RemoveEntryList on it
// does not touch the live list) - this self-loop is itself a detectable signature.
pOwen->InLoadOrderModuleList.Flink = (PLIST_ENTRY)pOwen;
pOwen->InLoadOrderModuleList.Blink = (PLIST_ENTRY)pOwen;
}
// Snapshot of the \Driver object directory; uMemSize receives the size of the
// allocation (not the bytes actually written). This list comes from the object
// manager rather than from PsLoadedModuleList, which is why a driver that only
// unlinked its loader entry is still present here and can be found by comparison.
pDriverBuffer = (PDIRECTORY_BASIC_INFORMATION)m_cSysInfo.QueryDirectoryObject(L"\\Driver", &uMemSize);
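// Enumerates the object-manager directory pwsDirPath (e.g. L"\\Driver") through
// the dynamically resolved Zw* entry points and returns a buffer of
// DIRECTORY_BASIC_INFORMATION entries.
//
// pwsDirPath  NUL-terminated NT object path of the directory to list.
// puMemSize   optional; on success receives the SIZE OF THE ALLOCATION. The
//             number of bytes the kernel actually wrote (uResult) is discarded.
// Returns     the buffer, owned by the caller and to be freed with
//             VirtualFree(p, 0, MEM_RELEASE); NULL if an entry point is missing,
//             the directory cannot be opened, allocation fails, or the query does
//             not finish with STATUS_SUCCESS.
//
// The entries come from the object manager, not from PsLoadedModuleList, so a
// driver that unlinked its loader entry still appears in the result.
PVOID CNativeSysInfo::QueryDirectoryObject(PWSTR pwsDirPath, PULONG puMemSize)
{
    NTSTATUS ntStatus;
    UNICODE_STRING usDirPath;
    OBJECT_ATTRIBUTES oa;
    HANDLE hDir = NULL;
    PVOID pBuffer = NULL;
    ULONG uLength = 0x800;   // doubled before the first allocation -> first buffer is 0x1000 bytes
    ULONG uContext = 0;
    ULONG uResult = 0;

    // All four entry points are resolved at runtime; without any of them the
    // query cannot be carried out (nor the handle closed afterwards).
    if(m_lpRtlInitUnicodeString == NULL ||
       m_lpZwOpenDirectoryObject == NULL ||
       m_lpZwQueryDirectoryObject == NULL ||
       m_lpZwClose == NULL)
    {
        return NULL;
    }

    // Open the directory object with enumeration rights only.
    m_lpRtlInitUnicodeString(&usDirPath, pwsDirPath);
    InitializeObjectAttributes(&oa, &usDirPath, OBJ_CASE_INSENSITIVE, NULL, NULL);
    ntStatus = m_lpZwOpenDirectoryObject(&hDir, DIRECTORY_QUERY, &oa);
    if(ntStatus != STATUS_SUCCESS)
    {
        TRACE(_T("ZwOpenDirectoryObject failed!"));
        goto _exit;
    }

    // Query with RestartScan = TRUE and a buffer that doubles until the whole
    // directory fits into a single call, so the result is one consistent snapshot.
    do
    {
        if(pBuffer)
        {
            // A MEM_COMMIT on a NULL base both reserves and commits the region;
            // MEM_RELEASE with size 0 is the matching free. MEM_DECOMMIT would
            // leave the reservation behind on every retry.
            VirtualFree(pBuffer, 0, MEM_RELEASE);
            pBuffer = NULL;
        }
        // Doubling a ULONG at or above 0x80000000 wraps to 0; stop instead.
        if(uLength > 0x7FFFFFFFUL)
            goto _exit;
        uLength *= 2;
        // Newly committed pages are zero-filled, so any unused tail of the buffer
        // reads as zeros.
        pBuffer = VirtualAlloc(NULL, uLength, MEM_COMMIT, PAGE_READWRITE);
        if(pBuffer == NULL)
            goto _exit;
        ntStatus = m_lpZwQueryDirectoryObject(hDir, pBuffer, uLength, FALSE, TRUE, &uContext, &uResult);
    } while(ntStatus == STATUS_MORE_ENTRIES || ntStatus == STATUS_BUFFER_TOO_SMALL);

    if(ntStatus == STATUS_SUCCESS)
    {
        if(puMemSize)
            *puMemSize = uLength;
    }
    else
    {
        // Any other status is reported as "no result" (an empty directory may
        // come back as STATUS_NO_MORE_ENTRIES rather than STATUS_SUCCESS - verify
        // if empty directories need to be distinguished from failures).
        VirtualFree(pBuffer, 0, MEM_RELEASE);
        pBuffer = NULL;
    }

_exit:
    if(hDir)
    {
        m_lpZwClose(hDir);
        hDir = NULL;
    }
    return pBuffer;
}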
//然后把得到的结果和常规结果比较就可以找到隐藏驱动。隐藏驱动的相关信息可以通过下面的方式得到。
// Kernel-mode side: resolve a driver that appears in \Driver but not in the normal
// module list back to its DRIVER_OBJECT by name.
PDRIVER_OBJECT pDrvObject = NULL;
// NOTE(review): pvInBuf looks like an I/O request input buffer. RtlInitUnicodeString
// scans for a terminating NUL, so the caller must have verified that the buffer is
// NUL-terminated within its declared length before this line - confirm at the
// dispatch routine.
RtlInitUnicodeString(&usDirPath, (PCWSTR)pvInBuf);
// Takes a reference on the object; on success the caller has to balance it with
// ObDereferenceObject(pDrvObject) once the object is no longer needed.
ntStatus = ObReferenceObjectByName(&usDirPath,
OBJ_CASE_INSENSITIVE,
NULL,
0,
*IoDriverObjectType,
KernelMode,
NULL,
(PVOID*)&pDrvObject);
//下面是一个隐藏驱动的例子,用上面的办法可以发现。
// Example of the hiding technique the \Driver enumeration above is meant to defeat:
// the driver's loader entry is spliced out of the doubly linked load-order list, so a
// walk of PsLoadedModuleList no longer reaches it, while the DRIVER_OBJECT in \Driver
// is untouched. Two artefacts remain for detection: the entry ends up pointing at
// itself (Flink == Blink == the entry), and the two views (object directory vs.
// module list) disagree, which the comparison described above exposes.
void _EraseDrvFromModList(PDRIVER_OBJECT pDrvObject)
{
PLDR_DATA_TABLE_ENTRY pOwen;
PLDR_DATA_TABLE_ENTRY pPrev;
PLDR_DATA_TABLE_ENTRY pNext;
// DriverSection is cast straight to the loader entry; neither it nor the
// neighbour pointers are checked for NULL.
pOwen = (PLDR_DATA_TABLE_ENTRY)pDrvObject->DriverSection;
// The casts treat a LIST_ENTRY address as an LDR_DATA_TABLE_ENTRY, i.e. they assume
// the list links sit at offset 0 of the entry - presumably true for this layout,
// but not verified here.
pPrev = (PLDR_DATA_TABLE_ENTRY)pOwen->InLoadOrderModuleList.Blink;
pNext = (PLDR_DATA_TABLE_ENTRY)pOwen->InLoadOrderModuleList.Flink;
// Unlink: the neighbours now point past the entry. No lock is taken against
// concurrent walkers of the list.
pPrev->InLoadOrderModuleList.Flink = (PLIST_ENTRY)pNext;
pNext->InLoadOrderModuleList.Blink = (PLIST_ENTRY)pPrev;
// The entry is made self-referencing (presumably so a later RemoveEntryList on it
// does not touch the live list) - this self-loop is itself a detectable signature.
pOwen->InLoadOrderModuleList.Flink = (PLIST_ENTRY)pOwen;
pOwen->InLoadOrderModuleList.Blink = (PLIST_ENTRY)pOwen;
}