枚举BootDriverReinitialization

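#include <ntddk.h>
#include <Ntstrsafe.h>

/*
 * Demo driver: locates the kernel's private IopBootDriverReinitializeQueueHead
 * list, detaches every queued boot-driver reinitialization packet and frees it.
 *
 * The list head is not exported.  Its address is recovered by scanning the
 * first SCAN_WINDOW bytes of IoRegisterBootDriverReinitialization for a
 * build-specific instruction sequence, so the sample only works on the exact
 * kernel builds the byte patterns were taken from.  On any other build the
 * scan fails closed (returns 0) and the list is left untouched.
 *
 * From a defender's point of view this is worth knowing because a driver that
 * does this silently cancels other drivers' boot reinitialization callbacks;
 * the observable traces are a pattern scan over ntoskrnl code, writes to
 * foreign DRIVER_OBJECT/DRIVER_EXTENSION fields and pool frees of packets the
 * driver did not allocate.
 */

/* Mirror of the kernel's undocumented reinitialization queue packet layout. */
typedef struct _REINIT_PACKET {
    LIST_ENTRY ListEntry;
    PDRIVER_OBJECT DriverObject;
    PDRIVER_REINITIALIZE DriverReinitializationRoutine;
    PVOID Context;
} REINIT_PACKET, *PREINIT_PACKET;

/* OS version tag; 0 until GetOsVer() has classified the running kernel. */
ULONG g_OsVersion;

/* Version tags understood by GetIopBootDriverReinitializeQueueHead(). */
enum {
    WINXP = 51,
    WIN7  = 61,
    WIN8  = 62,
    WIN81 = 63,
    WIN10 = 100
};

/* Number of bytes after the routine entry point that the pattern scan covers. */
enum { SCAN_WINDOW = 0xff };

/* Classify the running kernel into g_OsVersion; FALSE for unknown versions. */
BOOLEAN GetOsVer(void);

/* Resolved address of nt!IopBootDriverReinitializeQueueHead, 0 until found. */
ULONG_PTR IopBootDriverReinitializeQueueHead;

/* Resolve the list head address by pattern scan; 0 when not found/not mapped. */
ULONG_PTR GetIopBootDriverReinitializeQueueHead(void);

/* Drain and free every packet on the boot reinitialization queue. */
NTSTATUS EnumRemoveBootDriverReinitialization(void);

VOID Reinitialize(struct _DRIVER_OBJECT *DriverObject, PVOID Context, ULONG Count);

VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
}

/*
 * Registers our own reinitialization packet (so the walk below has at least
 * one entry to find) and then drains the whole queue.
 *
 * Returns STATUS_SUCCESS unconditionally: the result of the drain is
 * deliberately not propagated, exactly as in the original sample.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);

    DriverObject->DriverUnload = DriverUnload;

    /* Hard breakpoint: with no kernel debugger attached this bug-checks the
     * machine.  Kept because the sample is meant to be single-stepped; remove
     * it for any build that is not run under a debugger. */
    DbgBreakPoint();

    IoRegisterBootDriverReinitialization(DriverObject, Reinitialize, NULL);
    (void)EnumRemoveBootDriverReinitialization();

    return STATUS_SUCCESS;
}

/* Callback queued by DriverEntry.  Never runs when the drain below succeeds,
 * because the packet carrying it is removed and freed without being called. */
VOID Reinitialize(struct _DRIVER_OBJECT *DriverObject, PVOID Context, ULONG Count)
{
    UNREFERENCED_PARAMETER(DriverObject);
    UNREFERENCED_PARAMETER(Context);
    UNREFERENCED_PARAMETER(Count);

    KdPrint(("hehe\n"));
}

/*
 * Walks IopBootDriverReinitializeQueueHead from the tail, unlinks each
 * packet, updates the owning driver object and frees the packet.
 *
 * Returns STATUS_UNSUCCESSFUL when the OS version is unknown or the list head
 * could not be resolved, STATUS_SUCCESS otherwise.
 */
NTSTATUS EnumRemoveBootDriverReinitialization(void)
{
    PLIST_ENTRY head;
    PLIST_ENTRY entry;
    PREINIT_PACKET reinitEntry;

    if (GetOsVer() == FALSE)
        return STATUS_UNSUCCESSFUL;

    IopBootDriverReinitializeQueueHead = GetIopBootDriverReinitializeQueueHead();
    if (IopBootDriverReinitializeQueueHead == 0)
        return STATUS_UNSUCCESSFUL;

    /* The resolved value is an address; give it its real type instead of
     * passing a ULONG_PTR straight into the LIST_ENTRY helpers. */
    head = (PLIST_ENTRY)IopBootDriverReinitializeQueueHead;

    /* NOTE(review): the kernel serializes this list with its own lock when it
     * inserts packets; this walk takes no lock at all, so it races with any
     * concurrent registration.  Tolerable only for a single-stepped demo. */
    while (!IsListEmpty(head)) {
        entry = RemoveTailList(head);
        reinitEntry = CONTAINING_RECORD(entry, REINIT_PACKET, ListEntry);

        if (reinitEntry->DriverObject) {
            /* Presumably mirrors the bookkeeping the kernel performs when it
             * drains the queue itself (reinit count up, "registered" flag
             * cleared) -- but the routine is NOT invoked; the original sample
             * left that call commented out. */
            reinitEntry->DriverObject->DriverExtension->Count++;
            reinitEntry->DriverObject->Flags &= ~DRVO_BOOTREINIT_REGISTERED;
            /* reinitEntry->DriverReinitializationRoutine(reinitEntry->DriverObject, reinitEntry->Context, reinitEntry->DriverObject->DriverExtension->Count); */
        }

        /* The packet is assumed to be pool-allocated by the kernel at
         * registration time and owned by whoever dequeues it. */
        ExFreePool(reinitEntry);
    }

    return STATUS_SUCCESS;
}

/*
 * Scans the first SCAN_WINDOW bytes of IoRegisterBootDriverReinitialization
 * for the instruction that loads the address of
 * nt!IopBootDriverReinitializeQueueHead and decodes that operand.
 *
 * Every loop bound is SCAN_WINDOW minus the number of bytes the pattern reads
 * beyond i, so a match at the end of the window never reads outside it.
 *
 * Returns the decoded address when it is non-zero and currently mapped
 * (MmIsAddressValid), 0 otherwise.  MmIsAddressValid only proves the page is
 * present, not that the match was correct; a false-positive pattern hit on an
 * unexpected build still yields a wrong-but-mapped address.
 */
ULONG_PTR GetIopBootDriverReinitializeQueueHead(void)
{
    ULONG_PTR i;
    ULONG_PTR base;
    ULONG_PTR OffsetAddr = 0;
    LONG OffsetAddr64 = 0;
    UNICODE_STRING unstrFunc;

    RtlInitUnicodeString(&unstrFunc, L"IoRegisterBootDriverReinitialization");
    base = (ULONG_PTR)MmGetSystemRoutineAddress(&unstrFunc);
    if (base == 0)
        return 0;

#ifdef _WIN64
    switch (g_OsVersion) {
    case WIN7:
    case WIN8:
    case WIN81:
    case WIN10:
        /* fffff800`040870c7 834b1020         or  dword ptr [rbx+10h], 20h
         * fffff800`040870cb 488d0d3e31e0ff   lea rcx, [nt!IopBootDriverReinitializeQueueHead (fffff800`03e8a210)]
         * Pattern reads bytes i .. i+10 (rel32 at i+7). */
        for (i = base; i + 11 <= base + SCAN_WINDOW; i++) {
            if (*(PUCHAR)i == 0x83 && *(PUCHAR)(i + 3) == 0x20 &&
                *(PUCHAR)(i + 4) == 0x48 && *(PUCHAR)(i + 5) == 0x8d &&
                *(PUCHAR)(i + 6) == 0x0d) {
                RtlCopyMemory(&OffsetAddr64, (PUCHAR)(i + 7), sizeof(OffsetAddr64));
                /* The rel32 is relative to the end of the 7-byte lea that
                 * starts at i+4, i.e. i+11.  Going through LONG_PTR
                 * sign-extends a negative displacement without signed
                 * overflow in the intermediate addition. */
                OffsetAddr = (ULONG_PTR)(LONG_PTR)OffsetAddr64 + 11 + i;
                break;
            }
        }
        break;
    default:
        break;
    }
#else
    switch (g_OsVersion) {
    case WINXP:
        /* 8056a8bf 8bd0        mov edx, eax
         * 8056a8c1 b9f0285580  mov ecx, offset nt!IopBootDriverReinitializeQueueHead (805528f0)
         * Pattern reads bytes i .. i+6 (imm32 at i+3). */
        for (i = base; i + 7 <= base + SCAN_WINDOW; i++) {
            if (*(PUCHAR)i == 0x8b && *(PUCHAR)(i + 1) == 0xd0 &&
                *(PUCHAR)(i + 2) == 0xb9) {
                RtlCopyMemory(&OffsetAddr, (PUCHAR)(i + 3), sizeof(OffsetAddr));
                break;
            }
        }
        break;
    case WIN7:
        /* 83db2398 8bf0        mov esi, eax
         * 83db239a bfe8c7da83  mov edi, offset nt!IopBootDriverReinitializeQueueHead (83dac7e8)
         * Pattern reads bytes i .. i+6 (imm32 at i+3). */
        for (i = base; i + 7 <= base + SCAN_WINDOW; i++) {
            if (*(PUCHAR)i == 0x8b && *(PUCHAR)(i + 1) == 0xf0 &&
                *(PUCHAR)(i + 2) == 0xbf) {
                RtlCopyMemory(&OffsetAddr, (PUCHAR)(i + 3), sizeof(OffsetAddr));
                break;
            }
        }
        break;
    case WIN8:
        /* 8177a710 8bf1        mov esi, ecx
         * 8177a712 bf80e06081  mov edi, offset nt!IopBootDriverReinitializeQueueHead (8160e080)
         * Pattern reads bytes i .. i+6 (imm32 at i+3). */
        for (i = base; i + 7 <= base + SCAN_WINDOW; i++) {
            if (*(PUCHAR)i == 0x8b && *(PUCHAR)(i + 1) == 0xf1 &&
                *(PUCHAR)(i + 2) == 0xbf) {
                RtlCopyMemory(&OffsetAddr, (PUCHAR)(i + 3), sizeof(OffsetAddr));
                break;
            }
        }
        break;
    case WIN81:
    case WIN10:
        /* 81781cf2 834e0820    or  dword ptr [esi+8], 20h
         * 81781cf6 b9405d6081  mov ecx, offset nt!IopBootDriverReinitializeQueueHead (81605d40)
         * Pattern reads bytes i .. i+8 (imm32 at i+5). */
        for (i = base; i + 9 <= base + SCAN_WINDOW; i++) {
            if (*(PUCHAR)i == 0x83 && *(PUCHAR)(i + 3) == 0x20 &&
                *(PUCHAR)(i + 4) == 0xb9) {
                RtlCopyMemory(&OffsetAddr, (PUCHAR)(i + 5), sizeof(OffsetAddr));
                break;
            }
        }
        break;
    default:
        break;
    }
#endif

    /* Fail closed: an unresolved or unmapped address is reported as 0 so the
     * caller never walks a bogus list head. */
    if (OffsetAddr != 0 && MmIsAddressValid((PVOID)OffsetAddr))
        return OffsetAddr;

    return 0;
}

/*
 * Maps the kernel major/minor version onto one of the WIN* tags in
 * g_OsVersion.  Returns FALSE (and sets g_OsVersion = 0) for versions the
 * byte patterns above were not taken from, which makes the scan a no-op there.
 */
BOOLEAN GetOsVer(void)
{
    ULONG dwMajorVersion = 0;
    ULONG dwMinorVersion = 0;

    /* PsGetVersion's own return value only reports a checked build, so it is
     * not an error indicator and is not checked here. */
    PsGetVersion(&dwMajorVersion, &dwMinorVersion, NULL, NULL);

    if (dwMajorVersion == 5 && dwMinorVersion == 1) {
        g_OsVersion = WINXP;
    } else if (dwMajorVersion == 6 && dwMinorVersion == 1) {
        g_OsVersion = WIN7;
    } else if (dwMajorVersion == 6 && dwMinorVersion == 2) {
        g_OsVersion = WIN8;
    } else if (dwMajorVersion == 6 && dwMinorVersion == 3) {
        g_OsVersion = WIN81;
    } else if (dwMajorVersion == 10 && dwMinorVersion == 0) {
        g_OsVersion = WIN10;
    } else {
        g_OsVersion = 0;
        KdPrint(("未知版本"));
        return FALSE;
    }

    return TRUE;
}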
