R0注入DLL到R3进程

R0注入DLL到R3，貌似没有必要，也的确没有必要。以下代码只是为了验证R0调用NtQueueApcThread来注入DLL到R3进程中，没有什么神秘的东西，博大家一笑





#include <ntddk.h>

 

PVOIDpfn_BaseDispatchApc = NULL;

PVOIDpfn_LoadLibraryA = NULL;

PVOIDpszText_Kernel32 = NULL;

 

NTSTATUS (NTAPI* pfn_NtQueueApcThread)(

    __inHANDLE    ThreadHandle,

    __inPVOID     ApcRoutine,

    __in_optPVOID ApcArgument1,

    __in_optPVOID ApcArgument2,

    __in_optPVOID ApcArgument3

    );

     

VOIDLoadImageNotifyRoutine (

    IN PUNICODE_STRING  FullImageName,

    INHANDLE ProcessId, // where image is mapped

    IN PIMAGE_INFO  ImageInfo

    )

{   

    PWSTRptr = FullImageName->Buffer + FullImageName->Length/sizeof(WCHAR)-4;

     

    if( ptr > FullImageName->Buffer && _wcsicmp( ptr, L".exe") == 0 )

    {

        ptr -= 8;           

        if( ptr > FullImageName->Buffer && _wcsicmp( ptr, L"\\notepad.exe") == 0 );

        {

            pfn_NtQueueApcThread( ZwCurrentThread(),

                pfn_BaseDispatchApc,

                pfn_LoadLibraryA,

                pszText_Kernel32,

                NULL );

        }

    }       

}

 

VOIDDriverUnload(IN PDRIVER_OBJECT DriverObject)

{

    PsRemoveLoadImageNotifyRoutine( LoadImageNotifyRoutine );

}

 

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath)

{

    //just for winxp

    KdBreakPoint();

     

    //填写kernel32!BaseDispatchApc//win7上是ntdll!RtlDispatchAPC

    (PVOID)pfn_BaseDispatchApc = (PVOID)0x7c82c0f6;

     

    //填写kernel32!LoadLibraryA

    (PVOID)pfn_LoadLibraryA = (PVOID)0x7c801d7b;

     

    //保证待Load的DLL的名称为text.dll，可以放到system目录下

    //填写kernel32的头部text字符的位置

    (PVOID)pszText_Kernel32 = (PVOID)0x7c8001e9;

     

    //填写nt!NtQueueApcThread   

    (PVOID)pfn_NtQueueApcThread = (PVOID)0x805d3756;

     

    DriverObject->DriverUnload = DriverUnload;

     

    returnPsSetLoadImageNotifyRoutine( LoadImageNotifyRoutine );

}