修改pe入口方式拦截驱动加载


通过修改 PE 入口点(OptionalHeader.AddressOfEntryPoint)的方式拦截驱动加载:把入口处的前几个字节覆盖成一段直接返回错误码的桩代码(`mov eax, 0C0000022h ; ret`,即返回 STATUS_ACCESS_DENIED;32 位版本用 `ret 8`,以匹配 __stdcall 约定的 DriverEntry 需要由被调用方弹出两个参数)。
这样即使驱动镜像已经被映射,DriverEntry 也会立即失败返回,系统随即卸载该驱动。注意两点:这是直接向镜像的代码页写入,要求该页在调用时可写——MmIsAddressValid 只能说明页面当前有效,并不保证可写;只应对内核镜像(ImageInfo->SystemModeImage 为真)调用,不要去改用户态模块。代码细节请根据目标系统自行调整。
调用方式(在镜像加载通知回调中,例如 PsSetLoadImageNotifyRoutine 注册的回调,ImageInfo 为回调拿到的 PIMAGE_INFO;调用前先判断 ImageInfo->SystemModeImage 只处理内核模块,调用后用 NT_SUCCESS 检查返回值):
StopDriver((PUCHAR)ImageInfo->ImageBase);
源文件:

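#include <ntifs.h>
#include "StopDriver.h"

// IMAGE_FIRST_SECTION comes from StopDriver.h. The copy that used to be
// defined here had a different body (IMAGE_NT_HEADERS64 instead of
// IMAGE_NT_HEADERS), was never used, and only produced a redefinition warning.

/*
 * BasePlatform::StopDriver
 *
 * Neutralises a mapped kernel image by overwriting the first bytes of its
 * entry point with a stub that returns STATUS_ACCESS_DENIED (0xC0000022).
 * When the loader subsequently calls DriverEntry the driver fails at once
 * and is unloaded, so the load is blocked even though the image was already
 * mapped.
 *
 * Base   image base of the mapped PE (the caller passes
 *        ImageInfo->ImageBase from its load-image callback).
 *
 * Returns
 *   STATUS_SUCCESS               stub written
 *   STATUS_INVALID_PARAMETER     Base is NULL or not a valid address
 *   STATUS_INVALID_IMAGE_FORMAT  headers do not look like a PE image, the
 *                                image has no entry point, or the entry-point
 *                                bytes are not valid addresses
 *   STATUS_UNSUCCESSFUL          machine type with no stub (anything other
 *                                than x86 / x64)
 *
 * The earlier version returned FALSE (== 0 == STATUS_SUCCESS) on every
 * validation failure, so a caller could not distinguish "patched" from
 * "rejected"; it also re-checked Base instead of the NT header, never
 * checked the PE signature or the entry-point page, and would have written
 * x64 opcodes into an IA64 image.
 *
 * Caveats for the caller (review notes, not verified here):
 *  - MmIsAddressValid only reports that a page is resident at this instant.
 *    It is not a probe and does not make the following store safe.
 *  - The stub is stored straight into the image's code page. That requires
 *    the page to be writable when this runs; if the target OS maps the
 *    section read-only the store will fault. Confirm for the target build
 *    and, if necessary, map the page writable (e.g. through an MDL) first.
 *  - Call this only for kernel-mode images (ImageInfo->SystemModeImage);
 *    the stubs are built for the DriverEntry calling convention.
 *  - PIMAGE_NT_HEADERS must be supplied by StopDriver.h; the copy of that
 *    header published with this file only typedefs the 32/64-bit variants.
 */
NTSTATUS BasePlatform::StopDriver(PUCHAR Base)
{
    // x64 stub. DriverEntry receives its arguments in registers, so a plain
    // `ret` is sufficient:
    //   b8 22 00 00 c0   mov eax, 0C0000022h   ; STATUS_ACCESS_DENIED
    //   c3               ret
    //   90               nop                   ; padding
    static const UCHAR kStubX64[] = { 0xb8, 0x22, 0x00, 0x00, 0xc0, 0xc3, 0x90 };

    // x86 stub. DriverEntry is __stdcall with two pointer arguments, so the
    // callee pops 8 bytes on return:
    //   b8 22 00 00 c0   mov eax, 0C0000022h   ; STATUS_ACCESS_DENIED
    //   c2 08 00         ret 8
    //   90 90            nop nop               ; padding
    static const UCHAR kStubX86[] = { 0xb8, 0x22, 0x00, 0x00, 0xc0, 0xc2, 0x08, 0x00, 0x90, 0x90 };

    if (Base == NULL || !MmIsAddressValid(Base)) {
        return STATUS_INVALID_PARAMETER;
    }

    const PIMAGE_DOS_HEADER DosHeader = (PIMAGE_DOS_HEADER)Base;
    // e_lfanew is signed; a non-positive value can never locate a PE header.
    if (DosHeader->e_magic != IMAGE_DOS_SIGNATURE || DosHeader->e_lfanew <= 0) {
        return STATUS_INVALID_IMAGE_FORMAT;
    }

    // The NT header may live on a different page than the DOS header, so it
    // is the header itself (first and last byte) that has to be checked.
    const PIMAGE_NT_HEADERS NtHeader = (PIMAGE_NT_HEADERS)(Base + DosHeader->e_lfanew);
    if (!MmIsAddressValid(NtHeader) ||
        !MmIsAddressValid((PUCHAR)NtHeader + sizeof(*NtHeader) - 1) ||
        NtHeader->Signature != IMAGE_NT_SIGNATURE) {
        return STATUS_INVALID_IMAGE_FORMAT;
    }

    // Select the stub for the image's architecture. IA64 is deliberately not
    // accepted: both stubs are x86-family machine code.
    const UCHAR *Stub;
    SIZE_T StubLength;
    const char *Tag;
    switch (NtHeader->FileHeader.Machine) {
    case IMAGE_FILE_MACHINE_I386:
        Stub = kStubX86;
        StubLength = sizeof(kStubX86);
        Tag = "32位驱动";
        break;
    case IMAGE_FILE_MACHINE_AMD64:
        Stub = kStubX64;
        StubLength = sizeof(kStubX64);
        Tag = "64位驱动";
        break;
    default:
        return STATUS_UNSUCCESSFUL;
    }

    const ULONG EntryRva = NtHeader->OptionalHeader.AddressOfEntryPoint;
    if (EntryRva == 0) {
        // No entry point: nothing runs on load, and Base + 0 is the DOS header.
        return STATUS_INVALID_IMAGE_FORMAT;
    }
    const PUCHAR AddressOEP = Base + EntryRva;
    // The stub may straddle a page boundary; check both ends before writing.
    if (!MmIsAddressValid(AddressOEP) ||
        !MmIsAddressValid(AddressOEP + StubLength - 1)) {
        return STATUS_INVALID_IMAGE_FORMAT;
    }

    KdPrint(("%s OEP=%p\n", Tag, AddressOEP));

    // In-place overwrite of the image; see the page-writability caveat above.
    RtlCopyMemory(AddressOEP, Stub, StubLength);
    return STATUS_SUCCESS;
}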


头文件:

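#pragma once

#ifdef __cplusplus
extern "C" {
#endif
#include <wdm.h>
// Only WORD/DWORD/BYTE are needed from here. NOTE(review): if windef.h ends up
// pulling winnt.h into the kernel build, replace it with typedefs of
// USHORT/ULONG/UCHAR instead -- TODO confirm on the target WDK.
#include <windef.h>
#ifdef __cplusplus
}
#endif

// Definitions copied from winnt.h: a WDM driver cannot include that header,
// so the subset needed to walk a mapped PE image is reproduced here. Layouts
// follow the PE/COFF specification (IMAGE_DOS_HEADER 64 bytes,
// IMAGE_FILE_HEADER 20, IMAGE_OPTIONAL_HEADER32 224, IMAGE_OPTIONAL_HEADER64 240,
// IMAGE_SECTION_HEADER 40).

#define SEC_IMAGE                         0x1000000
#define IMAGE_DOS_SIGNATURE               0x5A4D      // MZ
#define IMAGE_NT_SIGNATURE                0x00004550  // PE00
#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES  16
#define IMAGE_SIZEOF_SHORT_NAME           8
#define IMAGE_DIRECTORY_ENTRY_DEBUG       6           // Debug Directory
#define IMAGE_DEBUG_TYPE_CODEVIEW         2
#define NB10_SIG                          '01BN'
#define RSDS_SIG                          'SDSR'
#define IMAGE_FILE_MACHINE_I386           0x014c      // Intel 386
#define IMAGE_FILE_MACHINE_IA64           0x0200      // Intel Itanium
#define IMAGE_FILE_MACHINE_AMD64          0x8664      // AMD64 (K8)

// PE structures

typedef struct _IMAGE_FILE_HEADER {
    WORD  Machine;
    WORD  NumberOfSections;
    DWORD TimeDateStamp;
    DWORD PointerToSymbolTable;
    DWORD NumberOfSymbols;
    WORD  SizeOfOptionalHeader;
    WORD  Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;

typedef struct _IMAGE_DATA_DIRECTORY {
    DWORD VirtualAddress;
    DWORD Size;
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;

// PE32 optional header. The earlier copy of this file aliased
// IMAGE_OPTIONAL_HEADER32 to the PE32+ layout below, which only worked for
// AddressOfEntryPoint (same offset in both); BaseOfData, ImageBase, the
// stack/heap sizes and DataDirectory would have been read at wrong offsets.
typedef struct _IMAGE_OPTIONAL_HEADER {
    WORD  Magic;
    BYTE  MajorLinkerVersion;
    BYTE  MinorLinkerVersion;
    DWORD SizeOfCode;
    DWORD SizeOfInitializedData;
    DWORD SizeOfUninitializedData;
    DWORD AddressOfEntryPoint;
    DWORD BaseOfCode;
    DWORD BaseOfData;
    DWORD ImageBase;
    DWORD SectionAlignment;
    DWORD FileAlignment;
    WORD  MajorOperatingSystemVersion;
    WORD  MinorOperatingSystemVersion;
    WORD  MajorImageVersion;
    WORD  MinorImageVersion;
    WORD  MajorSubsystemVersion;
    WORD  MinorSubsystemVersion;
    DWORD Win32VersionValue;
    DWORD SizeOfImage;
    DWORD SizeOfHeaders;
    DWORD CheckSum;
    WORD  Subsystem;
    WORD  DllCharacteristics;
    DWORD SizeOfStackReserve;
    DWORD SizeOfStackCommit;
    DWORD SizeOfHeapReserve;
    DWORD SizeOfHeapCommit;
    DWORD LoaderFlags;
    DWORD NumberOfRvaAndSizes;
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;

// PE32+ optional header (no BaseOfData; 64-bit ImageBase and stack/heap sizes).
typedef struct _IMAGE_OPTIONAL_HEADER64 {
    WORD      Magic;
    BYTE      MajorLinkerVersion;
    BYTE      MinorLinkerVersion;
    DWORD     SizeOfCode;
    DWORD     SizeOfInitializedData;
    DWORD     SizeOfUninitializedData;
    DWORD     AddressOfEntryPoint;
    DWORD     BaseOfCode;
    ULONGLONG ImageBase;
    DWORD     SectionAlignment;
    DWORD     FileAlignment;
    WORD      MajorOperatingSystemVersion;
    WORD      MinorOperatingSystemVersion;
    WORD      MajorImageVersion;
    WORD      MinorImageVersion;
    WORD      MajorSubsystemVersion;
    WORD      MinorSubsystemVersion;
    DWORD     Win32VersionValue;
    DWORD     SizeOfImage;
    DWORD     SizeOfHeaders;
    DWORD     CheckSum;
    WORD      Subsystem;
    WORD      DllCharacteristics;
    ULONGLONG SizeOfStackReserve;
    ULONGLONG SizeOfStackCommit;
    ULONGLONG SizeOfHeapReserve;
    ULONGLONG SizeOfHeapCommit;
    DWORD     LoaderFlags;
    DWORD     NumberOfRvaAndSizes;
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER64, *PIMAGE_OPTIONAL_HEADER64;

typedef struct _IMAGE_NT_HEADERS {
    DWORD                   Signature;
    IMAGE_FILE_HEADER       FileHeader;
    IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;

typedef struct _IMAGE_NT_HEADERS64 {
    DWORD                   Signature;
    IMAGE_FILE_HEADER       FileHeader;
    IMAGE_OPTIONAL_HEADER64 OptionalHeader;
} IMAGE_NT_HEADERS64, *PIMAGE_NT_HEADERS64;

// Native-width alias, selected the same way winnt.h does. StopDriver.cpp uses
// PIMAGE_NT_HEADERS and reads only Signature, FileHeader.Machine and
// OptionalHeader.AddressOfEntryPoint, which sit at identical offsets in both
// layouts; any other field must be read through the Magic-specific type.
#ifdef _WIN64
typedef IMAGE_NT_HEADERS64  IMAGE_NT_HEADERS;
typedef PIMAGE_NT_HEADERS64 PIMAGE_NT_HEADERS;
#else
typedef IMAGE_NT_HEADERS32  IMAGE_NT_HEADERS;
typedef PIMAGE_NT_HEADERS32 PIMAGE_NT_HEADERS;
#endif

typedef struct _IMAGE_DOS_HEADER {      // DOS .EXE header
    WORD   e_magic;                     // Magic number
    WORD   e_cblp;                      // Bytes on last page of file
    WORD   e_cp;                        // Pages in file
    WORD   e_crlc;                      // Relocations
    WORD   e_cparhdr;                   // Size of header in paragraphs
    WORD   e_minalloc;                  // Minimum extra paragraphs needed
    WORD   e_maxalloc;                  // Maximum extra paragraphs needed
    WORD   e_ss;                        // Initial (relative) SS value
    WORD   e_sp;                        // Initial SP value
    WORD   e_csum;                      // Checksum
    WORD   e_ip;                        // Initial IP value
    WORD   e_cs;                        // Initial (relative) CS value
    WORD   e_lfarlc;                    // File address of relocation table
    WORD   e_ovno;                      // Overlay number
    WORD   e_res[4];                    // Reserved words
    WORD   e_oemid;                     // OEM identifier (for e_oeminfo)
    WORD   e_oeminfo;                   // OEM information; e_oemid specific
    WORD   e_res2[10];                  // Reserved words
    LONG   e_lfanew;                    // File address of new exe header (signed!)
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;

typedef struct _IMAGE_SECTION_HEADER {
    BYTE  Name[IMAGE_SIZEOF_SHORT_NAME];
    union {
        DWORD PhysicalAddress;
        DWORD VirtualSize;
    } Misc;
    DWORD VirtualAddress;
    DWORD SizeOfRawData;
    DWORD PointerToRawData;
    DWORD PointerToRelocations;
    DWORD PointerToLinenumbers;
    WORD  NumberOfRelocations;
    WORD  NumberOfLinenumbers;
    DWORD Characteristics;
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;

// First section header follows the optional header; its length is taken from
// FileHeader.SizeOfOptionalHeader rather than sizeof(), as winnt.h does.
#define IMAGE_FIRST_SECTION( ntheader ) ((PIMAGE_SECTION_HEADER)        \
    ((ULONG_PTR)(ntheader) +                                            \
     FIELD_OFFSET(IMAGE_NT_HEADERS, OptionalHeader) +                   \
     ((ntheader))->FileHeader.SizeOfOptionalHeader                      \
    ))

typedef struct _IMAGE_DEBUG_DIRECTORY {
    DWORD Characteristics;
    DWORD TimeDateStamp;
    WORD  MajorVersion;
    WORD  MinorVersion;
    DWORD Type;
    DWORD SizeOfData;
    DWORD AddressOfRawData;
    DWORD PointerToRawData;
} IMAGE_DEBUG_DIRECTORY, *PIMAGE_DEBUG_DIRECTORY;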


