修改pe入口方式拦截驱动加载
通过修改 PE 入口点(OEP)的方式拦截驱动加载:把入口处的代码改写为直接返回的退出代码。
这样即使驱动镜像已经被加载,其入口函数也会立即返回;代码细节请自行按需修改。
调用方式:
StopDriver((PUCHAR)ImageInfo->ImageBase);
源文件:
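#include <ntifs.h>
#include "StopDriver.h"

// Walks from an IMAGE_NT_HEADERS64 to its first section header. StopDriver()
// itself does not use it; it is kept for the rest of the translation unit.
// StopDriver.h already defines IMAGE_FIRST_SECTION over IMAGE_NT_HEADERS, so
// the macro is undefined first to avoid a redefinition warning while keeping
// the 64-bit definition that the original file ended up with.
#undef IMAGE_FIRST_SECTION
#define IMAGE_FIRST_SECTION( ntheader ) ((PIMAGE_SECTION_HEADER) \
    ((ULONG_PTR)(ntheader) + \
     FIELD_OFFSET(IMAGE_NT_HEADERS64, OptionalHeader) + \
     ((ntheader))->FileHeader.SizeOfOptionalHeader \
    ))

// Prevents a freshly mapped driver image from running by overwriting the
// bytes at its entry point (OEP) with a stub that immediately returns
// STATUS_ACCESS_DENIED (0xC0000022). When the loader later calls DriverEntry
// the call fails and none of the driver's own code executes.
//
// Base    - kernel address of the mapped image; an IMAGE_DOS_HEADER must be at
//           offset 0. The documented caller passes ImageInfo->ImageBase, which
//           presumably comes from a load-image notify routine — confirm.
// Returns - STATUS_SUCCESS once the stub has been written;
//           STATUS_INVALID_PARAMETER when Base is NULL, the DOS/NT headers or
//           the entry point are not readable, or the signatures do not match;
//           STATUS_INVALID_IMAGE_FORMAT when the image has no entry point;
//           STATUS_UNSUCCESSFUL for machine types this stub does not cover.
//
// NOTE(review): like the original, this writes directly into the image's code
// page. MmIsAddressValid() only tells us the page is resident, not that it is
// writable; whether the page is still writable at the point of the call is the
// caller's responsibility to establish — confirm before relying on this.
NTSTATUS BasePlatform::StopDriver(PUCHAR Base)
{
    // x64 stub: mov eax, 0C0000022h ; ret ; nop. Arguments are passed in
    // registers on x64, so a plain ret is enough.
    static const UCHAR SysPatchCode64[7] = {
        0xb8, 0x22, 0x00, 0x00, 0xc0, 0xc3, 0x90 };
    // x86 stub: mov eax, 0C0000022h ; ret 8 ; nop ; nop. DriverEntry is stdcall
    // with two pointer arguments, so the callee pops 8 bytes.
    static const UCHAR SysPatchCode32[10] = {
        0xb8, 0x22, 0x00, 0x00, 0xc0, 0xc2, 0x08, 0x00, 0x90, 0x90 };

    // FALSE (0) is STATUS_SUCCESS when read as an NTSTATUS, so every failure
    // path must return a real error code (the original returned FALSE here).
    if (Base == NULL)
        return STATUS_INVALID_PARAMETER;

    PIMAGE_DOS_HEADER DosHeader = (PIMAGE_DOS_HEADER)Base;
    if (!MmIsAddressValid(DosHeader))
        return STATUS_INVALID_PARAMETER;
    if (DosHeader->e_magic != IMAGE_DOS_SIGNATURE)
        return STATUS_INVALID_PARAMETER;

    // e_lfanew comes from the file being loaded, so validate the NT header
    // address itself (the original re-checked Base instead) and the PE
    // signature before touching any of its fields.
    PIMAGE_NT_HEADERS NtHeader = (PIMAGE_NT_HEADERS)(Base + DosHeader->e_lfanew);
    if (!MmIsAddressValid(NtHeader))
        return STATUS_INVALID_PARAMETER;
    if (NtHeader->Signature != IMAGE_NT_SIGNATURE)
        return STATUS_INVALID_PARAMETER;

    // FileHeader.Machine and OptionalHeader.AddressOfEntryPoint sit at the same
    // offsets in PE32 and PE32+, which is why a single header type serves both.
    const DWORD EntryRva = NtHeader->OptionalHeader.AddressOfEntryPoint;
    if (EntryRva == 0)
        // No entry point: nothing to patch. Without this check the stub would
        // land on the DOS header at Base.
        return STATUS_INVALID_IMAGE_FORMAT;
    PUCHAR AddressOEP = Base + EntryRva;

    const UCHAR* Patch;
    SIZE_T PatchLength;
    switch (NtHeader->FileHeader.Machine)
    {
    case IMAGE_FILE_MACHINE_I386:
        KdPrint(("32位驱动\n"));
        Patch = SysPatchCode32;
        PatchLength = sizeof(SysPatchCode32);
        break;

    case IMAGE_FILE_MACHINE_AMD64:
        KdPrint(("64位驱动\n"));
        Patch = SysPatchCode64;
        PatchLength = sizeof(SysPatchCode64);
        break;

    default:
        // IMAGE_FILE_MACHINE_IA64 used to share the AMD64 branch, but the stub
        // above is x86-64 machine code and is meaningless on Itanium.
        return STATUS_UNSUCCESSFUL;
    }

    // The stub may straddle a page boundary; check both ends, not just the
    // first byte as the original implicitly did.
    if (!MmIsAddressValid(AddressOEP) ||
        !MmIsAddressValid(AddressOEP + PatchLength - 1))
        return STATUS_INVALID_PARAMETER;

    RtlCopyMemory(AddressOEP, Patch, PatchLength);
    return STATUS_SUCCESS;
}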
头文件:
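#pragma once

#ifdef __cplusplus
extern "C" {
#endif
#include <wdm.h>
#include <windef.h>
#ifdef __cplusplus
}
#endif

// Definitions copied from winnt.h: a WDM driver cannot include that header,
// so the pieces needed for PE header parsing are reproduced here.
//
// NOTE(review): IMAGE_NT_HEADERS / PIMAGE_NT_HEADERS (used by the
// IMAGE_FIRST_SECTION macro below and by StopDriver.cpp) are not declared in
// this header; presumably the WDK's ntifs.h/ntimage.h supplies them — confirm.
#define SEC_IMAGE                          0x1000000
#define IMAGE_DOS_SIGNATURE                0x5A4D      // MZ
#define IMAGE_NT_SIGNATURE                 0x00004550  // PE00
#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES   16
#define IMAGE_SIZEOF_SHORT_NAME            8
#define IMAGE_DIRECTORY_ENTRY_DEBUG        6           // Debug Directory
#define IMAGE_DEBUG_TYPE_CODEVIEW          2
#define NB10_SIG                           '01BN'
#define RSDS_SIG                           'SDSR'
#define IMAGE_FILE_MACHINE_I386            0x014c      // Intel 386
#define IMAGE_FILE_MACHINE_IA64            0x0200      // Intel 64
#define IMAGE_FILE_MACHINE_AMD64           0x8664      // AMD64 (K8)

// PE-related structures.

typedef struct _IMAGE_FILE_HEADER {
    WORD  Machine;
    WORD  NumberOfSections;
    DWORD TimeDateStamp;
    DWORD PointerToSymbolTable;
    DWORD NumberOfSymbols;
    WORD  SizeOfOptionalHeader;
    WORD  Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;

typedef struct _IMAGE_DATA_DIRECTORY {
    DWORD VirtualAddress;
    DWORD Size;
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;

// PE32+ (64-bit) optional header.
typedef struct _IMAGE_OPTIONAL_HEADER64 {
    WORD      Magic;
    BYTE      MajorLinkerVersion;
    BYTE      MinorLinkerVersion;
    DWORD     SizeOfCode;
    DWORD     SizeOfInitializedData;
    DWORD     SizeOfUninitializedData;
    DWORD     AddressOfEntryPoint;
    DWORD     BaseOfCode;
    ULONGLONG ImageBase;
    DWORD     SectionAlignment;
    DWORD     FileAlignment;
    WORD      MajorOperatingSystemVersion;
    WORD      MinorOperatingSystemVersion;
    WORD      MajorImageVersion;
    WORD      MinorImageVersion;
    WORD      MajorSubsystemVersion;
    WORD      MinorSubsystemVersion;
    DWORD     Win32VersionValue;
    DWORD     SizeOfImage;
    DWORD     SizeOfHeaders;
    DWORD     CheckSum;
    WORD      Subsystem;
    WORD      DllCharacteristics;
    ULONGLONG SizeOfStackReserve;
    ULONGLONG SizeOfStackCommit;
    ULONGLONG SizeOfHeapReserve;
    ULONGLONG SizeOfHeapCommit;
    DWORD     LoaderFlags;
    DWORD     NumberOfRvaAndSizes;
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER64, *PIMAGE_OPTIONAL_HEADER64;

// PE32 (32-bit) optional header. The original header aliased this name to the
// 64-bit layout, which is wrong for every field after BaseOfCode (PE32 has an
// extra BaseOfData, a 32-bit ImageBase and 32-bit stack/heap sizes). Only the
// fields up to and including BaseOfCode share offsets with PE32+.
typedef struct _IMAGE_OPTIONAL_HEADER32 {
    WORD  Magic;
    BYTE  MajorLinkerVersion;
    BYTE  MinorLinkerVersion;
    DWORD SizeOfCode;
    DWORD SizeOfInitializedData;
    DWORD SizeOfUninitializedData;
    DWORD AddressOfEntryPoint;
    DWORD BaseOfCode;
    DWORD BaseOfData;
    DWORD ImageBase;
    DWORD SectionAlignment;
    DWORD FileAlignment;
    WORD  MajorOperatingSystemVersion;
    WORD  MinorOperatingSystemVersion;
    WORD  MajorImageVersion;
    WORD  MinorImageVersion;
    WORD  MajorSubsystemVersion;
    WORD  MinorSubsystemVersion;
    DWORD Win32VersionValue;
    DWORD SizeOfImage;
    DWORD SizeOfHeaders;
    DWORD CheckSum;
    WORD  Subsystem;
    WORD  DllCharacteristics;
    DWORD SizeOfStackReserve;
    DWORD SizeOfStackCommit;
    DWORD SizeOfHeapReserve;
    DWORD SizeOfHeapCommit;
    DWORD LoaderFlags;
    DWORD NumberOfRvaAndSizes;
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;

typedef struct _IMAGE_NT_HEADERS {
    DWORD                   Signature;
    IMAGE_FILE_HEADER       FileHeader;
    IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;

typedef struct _IMAGE_NT_HEADERS64 {
    DWORD                   Signature;
    IMAGE_FILE_HEADER       FileHeader;
    IMAGE_OPTIONAL_HEADER64 OptionalHeader;
} IMAGE_NT_HEADERS64, *PIMAGE_NT_HEADERS64;

typedef struct _IMAGE_DOS_HEADER {      // DOS .EXE header
    WORD e_magic;                       // Magic number
    WORD e_cblp;                        // Bytes on last page of file
    WORD e_cp;                          // Pages in file
    WORD e_crlc;                        // Relocations
    WORD e_cparhdr;                     // Size of header in paragraphs
    WORD e_minalloc;                    // Minimum extra paragraphs needed
    WORD e_maxalloc;                    // Maximum extra paragraphs needed
    WORD e_ss;                          // Initial (relative) SS value
    WORD e_sp;                          // Initial SP value
    WORD e_csum;                        // Checksum
    WORD e_ip;                          // Initial IP value
    WORD e_cs;                          // Initial (relative) CS value
    WORD e_lfarlc;                      // File address of relocation table
    WORD e_ovno;                        // Overlay number
    WORD e_res[4];                      // Reserved words
    WORD e_oemid;                       // OEM identifier (for e_oeminfo)
    WORD e_oeminfo;                     // OEM information; e_oemid specific
    WORD e_res2[10];                    // Reserved words
    LONG e_lfanew;                      // File address of new exe header
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;

typedef struct _IMAGE_SECTION_HEADER {
    BYTE Name[IMAGE_SIZEOF_SHORT_NAME];
    union {
        DWORD PhysicalAddress;
        DWORD VirtualSize;
    } Misc;
    DWORD VirtualAddress;
    DWORD SizeOfRawData;
    DWORD PointerToRawData;
    DWORD PointerToRelocations;
    DWORD PointerToLinenumbers;
    WORD  NumberOfRelocations;
    WORD  NumberOfLinenumbers;
    DWORD Characteristics;
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;

// First section header follows the optional header, whose size is recorded in
// FileHeader.SizeOfOptionalHeader rather than fixed by the struct.
#define IMAGE_FIRST_SECTION( ntheader ) ((PIMAGE_SECTION_HEADER) \
    ((ULONG_PTR)(ntheader) + \
     FIELD_OFFSET(IMAGE_NT_HEADERS, OptionalHeader) + \
     ((ntheader))->FileHeader.SizeOfOptionalHeader \
    ))

typedef struct _IMAGE_DEBUG_DIRECTORY {
    DWORD Characteristics;
    DWORD TimeDateStamp;
    WORD  MajorVersion;
    WORD  MinorVersion;
    DWORD Type;
    DWORD SizeOfData;
    DWORD AddressOfRawData;
    DWORD PointerToRawData;
} IMAGE_DEBUG_DIRECTORY, *PIMAGE_DEBUG_DIRECTORY;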