
[转载] 通过ZwSetSystemInformation和ZwLoadDriver加载驱动

通过ZwSetSystemInformation和ZwLoadDriver加载驱动




ps: 更常见的通过SCM加载驱动的代码就不表了,其实最后就是调用ZwLoadDriver.

最后附上Windows NT 2000 Native API Reference里的几段相关的文字:
SystemLoadAndCallImage
Unlike ZwLoadDriver, which loads the module in the context of the system process, ZwSetSystemInformation loads the module and invokes the entry point in the context of the current process.

ZwLoadDriver
SeLoadDriverPrivilege is required to load a driver.
The Win32 function StartService directs the Service Control Manager process to execute this function on behalf of the caller.
The Service Control Manager process provides a DriverServiceName of the form "\Registry\Machine\System\CurrentControlSet\Services\Tcpip".

程序代码如下:
ZwSetSystemInformation方式,代码修改自 http://www.xfocus.net/articles/200309/619.html 。代码:
#include <stdio.h>
// Mirrors the SDK macro: an NTSTATUS denotes success when its sign bit is clear,
// so this test is only meaningful if NTSTATUS is typedef'd as a signed type.
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
// SYSTEM_INFORMATION_CLASS value for the load-and-call-image request, as given by
// the article (38). It is not in the public SDK headers; verify against the target build.
#define SystemLoadAndCallImage 38

// Counted-string header with the native UNICODE_STRING layout (two USHORT
// lengths followed by a buffer pointer). main() below also reuses this same
// layout for the ANSI source string it hands to RtlAnsiStringToUnicodeString.
typedef struct _UNICODE_STRING {
  USHORT Length;         // bytes in use in Buffer, terminator not counted
  USHORT MaximumLength;  // bytes available in Buffer
  PVOID Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

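// NTSTATUS is a signed 32-bit LONG in the Windows SDK (`long` is 32 bits on both
// Win32 and Win64). NT_SUCCESS() above tests the sign bit, so the original
// `unsigned long` typedef made every status compare as a success and the program
// reported "loaded" even when the kernel refused the request.
typedef long NTSTATUS;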

// Input buffer for ZwSetSystemInformation(SystemLoadAndCallImage, ...): a single
// counted string naming the image to map. main() fills it with a "\??\" native path.
typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE
{
  UNICODE_STRING ModuleName;
} SYSTEM_LOAD_AND_CALL_IMAGE, *PSYSTEM_LOAD_AND_CALL_IMAGE;

// Function-pointer types for the ntdll exports resolved at run time in main().
// All three are declared as returning DWORD; in the SDK the Zw*/RtlAnsi* routines
// return NTSTATUS and RtlInitUnicodeString returns VOID. NOTE(review): main()
// resolves RtlInitUnicodeString but never calls it, so that mismatch is harmless here.
typedef DWORD (CALLBACK* ZWSETSYSTEMINFORMATION)(DWORD, PVOID, ULONG);
ZWSETSYSTEMINFORMATION ZwSetSystemInformation;
typedef DWORD (CALLBACK* RTLINITUNICODESTRING)(PUNICODE_STRING,PCWSTR );
RTLINITUNICODESTRING RtlInitUnicodeString;
// (DestinationString, SourceString, AllocateDestinationString)
typedef DWORD (CALLBACK* RTLANSISTRINGTOUNICODESTRING)(PVOID, PVOID,DWORD);
RTLANSISTRINGTOUNICODESTRING RtlAnsiStringToUnicodeString;

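/*
 * Entry point. Resolves the needed ntdll exports and asks the kernel to map the
 * image named on the command line and call its entry point through the
 * SystemLoadAndCallImage information class. As the quoted reference above notes,
 * the entry point then runs in the context of this process, not the system
 * process. The caller's token needs SeLoadDriverPrivilege, and on 64-bit Windows
 * Driver Signature Enforcement applies to this path as well.
 *
 * Usage: <program> <DriverPath>
 * Returns 0 when the kernel reports success and non-zero on any failure (usage
 * error: -1, lookup/path/load failure: 1). The original returned 1 (true) on
 * success, which shells and scripts read as failure.
 *
 * Fixes relative to the original: GetFullPathName and the ANSI->Unicode
 * conversion are checked, the "\??\" prefix can no longer overflow its buffer,
 * MaximumLength is initialised, the wrong export name in one error message is
 * corrected, and the NTSTATUS is printed when the load is refused.
 */
int main(int argc, char *argv[])
{
  SYSTEM_LOAD_AND_CALL_IMAGE image;
  UNICODE_STRING ansi;                     /* used as an ANSI_STRING: same layout */
  char szTmp[256];
  char szDrvFullPath[sizeof szTmp + 4];    /* room for the "\??\" prefix */
  DWORD len;
  int n;
  NTSTATUS status;

  printf("Load driver with ZwSetSystemInformation( )\r\n");
  printf("Date: 8th May 2007\r\n");
  printf("Modifed by: GaRY <wofeiwo_at_gmail_dot_com>\r\n\r\n");
  if (argc != 2 || stricmp(argv[1], "-h") == 0 || stricmp(argv[1], "-?") == 0 || stricmp(argv[1], "/?") == 0)
  {
    printf("Usage: %s <DriverPath>\r\n", argv[0]);
    return -1;
  }

  /* Resolve the native routines from ntdll.dll, which is mapped in every process. */
  RtlInitUnicodeString = (RTLINITUNICODESTRING) GetProcAddress(GetModuleHandle("ntdll.dll"), "RtlInitUnicodeString");
  if (!RtlInitUnicodeString)   /* resolved for parity with the original; not used below */
  {
    printf("GetProcAddress(\"RtlInitUnicodeString\") Error:%lu\n", (unsigned long)GetLastError());
    return 1;
  }
  ZwSetSystemInformation = (ZWSETSYSTEMINFORMATION) GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwSetSystemInformation");
  if (!ZwSetSystemInformation)
  {
    printf("GetProcAddress(\"ZwSetSystemInformation\") Error:%lu\n", (unsigned long)GetLastError());
    return 1;
  }
  RtlAnsiStringToUnicodeString = (RTLANSISTRINGTOUNICODESTRING) GetProcAddress(GetModuleHandle("ntdll.dll"), "RtlAnsiStringToUnicodeString");
  if (!RtlAnsiStringToUnicodeString)
  {
    /* The original printed "ZwSetSystemInformation" here, pointing at the wrong export. */
    printf("GetProcAddress(\"RtlAnsiStringToUnicodeString\") Error:%lu\n", (unsigned long)GetLastError());
    return 1;
  }

  /* A return of 0 is failure; a return >= buffer size means the path was truncated. */
  len = GetFullPathName(argv[1], sizeof szTmp, szTmp, NULL);
  if (len == 0 || len >= sizeof szTmp)
  {
    printf("GetFullPathName(\"%s\") failed or path too long, Error:%lu\n", argv[1], (unsigned long)GetLastError());
    return 1;
  }
  printf("Loading driver: %s\r\n", szTmp);

  /* "\??\" makes the Win32 drive-letter path resolvable from the native namespace. */
  n = snprintf(szDrvFullPath, sizeof szDrvFullPath, "\\??\\%s", szTmp);
  if (n < 0 || (size_t)n >= sizeof szDrvFullPath)
  {
    printf("Driver path too long.\r\n");
    return 1;
  }

  ansi.Buffer = (PVOID)szDrvFullPath;
  ansi.Length = (USHORT)n;
  ansi.MaximumLength = (USHORT)(n + 1);   /* left uninitialised in the original */
  /* Third argument 1: ntdll allocates image.ModuleName.Buffer. */
  status = (NTSTATUS)RtlAnsiStringToUnicodeString(&(image.ModuleName), &ansi, 1);
  if (!NT_SUCCESS(status))
  {
    printf("RtlAnsiStringToUnicodeString failed, status 0x%08lX\r\n", (unsigned long)status);
    return 1;
  }

  /* Map the image into kernel space and call its entry point. */
  status = (NTSTATUS)ZwSetSystemInformation(SystemLoadAndCallImage, &image, sizeof image);
  if (NT_SUCCESS(status))
  {
    printf("Driver: %s loaded.\r\n", szDrvFullPath);
  }
  else
  {
    printf("Driver: %s not loaded (status 0x%08lX).\r\n", szDrvFullPath, (unsigned long)status);
  }
  /* image.ModuleName.Buffer was allocated by ntdll and is not released here; the
   * process exits immediately and RtlFreeUnicodeString is not resolved in this listing. */
  return NT_SUCCESS(status) ? 0 : 1;
}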
ZwLoadDriver方式,代码修改自 http://blog.donews.com/zwell/articles/59141.aspx 。代码:
#include <stdio.h>

// Counted-string header with the native (LSA_)UNICODE_STRING layout: two USHORT
// byte counts followed by the buffer pointer. LoadDriver() below uses one of
// these both as the ANSI source and as the Unicode destination of
// RtlAnsiStringToUnicodeString, since the ANSI_STRING layout is identical.
typedef struct _LSA_UNICODE_STRING {
  USHORT Length;         // bytes in use in Buffer, terminator not counted
  USHORT MaximumLength;  // bytes available in Buffer
  PVOID Buffer;
} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING;

// Alias so the names match the native headers; the listing itself only uses LSA_UNICODE_STRING.
typedef LSA_UNICODE_STRING UNICODE_STRING, *PUNICODE_STRING;

// 申明ntdll中使用的函数
// Function-pointer types for the ntdll exports that main() resolves with
// GetProcAddress. They are declared as returning DWORD; in the SDK these
// routines return NTSTATUS (RtlFreeUnicodeString returns VOID), so a caller that
// wants to test for success has to look at the sign bit of the returned value.
// (DestinationString, SourceString, AllocateDestinationString)
typedef DWORD (CALLBACK* RTLANSISTRINGTOUNICODESTRING)(PVOID, PVOID,DWORD);
RTLANSISTRINGTOUNICODESTRING RtlAnsiStringToUnicodeString;
typedef DWORD (CALLBACK* RTLFREEUNICODESTRING)(PVOID);
RTLFREEUNICODESTRING RtlFreeUnicodeString;
// Takes the registry path of the service key (\Registry\Machine\...\Services\<name>).
typedef DWORD (CALLBACK* ZWLOADDRIVER)(PVOID);
ZWLOADDRIVER ZwLoadDriver;

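/*
 * Remove the service key created by LoadDriver() together with the Enum and
 * Security sub-keys the system adds under it. RegDeleteKey does not recurse,
 * which is why the children are deleted first. Failures are ignored, as in the
 * original: this is best-effort cleanup.
 */
static void remove_service_keys(const char *szDrvName)
{
  static const char *const suffixes[] = { "\\Enum", "\\Security", "" };
  char szSubKey[512];
  size_t i;

  for (i = 0; i < sizeof suffixes / sizeof suffixes[0]; i++)
  {
    int n = snprintf(szSubKey, sizeof szSubKey, "System\\CurrentControlSet\\Services\\%s%s", szDrvName, suffixes[i]);
    if (n < 0 || (size_t)n >= sizeof szSubKey)
      return;
    RegDeleteKey(HKEY_LOCAL_MACHINE, szSubKey);
  }
}

/*
 * Register szDrvName as a kernel-driver service under
 * HKLM\System\CurrentControlSet\Services, ask ntdll's ZwLoadDriver to load it
 * from that key, then delete the key again.
 *
 * szDrvName - service (registry key) name to use for the driver.
 * szDrvPath - path of the driver image; expanded with GetFullPathName.
 * Returns 1 when ZwLoadDriver reported success and 0 on any failure. The
 * original returned true unconditionally, so main() could never see a failed load.
 *
 * Requires SeLoadDriverPrivilege and write access to HKLM. From a monitoring
 * point of view, a Services key that is created, given an ImagePath and removed
 * again by the same process within seconds is a distinctive sequence for
 * registry auditing.
 *
 * Fixes relative to the original: every sprintf is a bounded snprintf (the
 * "\??\" + full path string could exceed the old 200-byte key buffer), the
 * RegSetValueEx results are checked, the REG_SZ ImagePath now includes its
 * terminating NUL, MaximumLength is initialised, and the unused "\\.\<name>"
 * string at the end is gone.
 */
int LoadDriver(char * szDrvName, char * szDrvPath)
{
  char szSubKey[512], szDrvFullPath[256];
  LSA_UNICODE_STRING ustr;          /* Unicode key path, allocated by ntdll */
  LSA_UNICODE_STRING astr;          /* ANSI source; same layout as ANSI_STRING */
  DWORD one = 1;                    /* value written for Type, ErrorControl and Start */
  DWORD len;
  DWORD status;
  HKEY hkResult = NULL;
  int n;
  int ok = 0;

  n = snprintf(szSubKey, sizeof szSubKey, "System\\CurrentControlSet\\Services\\%s", szDrvName);
  if (n < 0 || (size_t)n >= sizeof szSubKey)
    return 0;
  if (RegCreateKey(HKEY_LOCAL_MACHINE, szSubKey, &hkResult) != ERROR_SUCCESS)
    return 0;

  /* Type 4 == REG_DWORD. The original wrote the same four bytes {1,0,0,0}
   * (little-endian 1) into all three values. */
  if (RegSetValueEx(hkResult, "Type", 0, 4, (const unsigned char *)&one, sizeof one) != ERROR_SUCCESS
      || RegSetValueEx(hkResult, "ErrorControl", 0, 4, (const unsigned char *)&one, sizeof one) != ERROR_SUCCESS
      || RegSetValueEx(hkResult, "Start", 0, 4, (const unsigned char *)&one, sizeof one) != ERROR_SUCCESS)
    goto cleanup;

  /* 0 means failure; a value >= the buffer size means the path was truncated. */
  len = GetFullPathName(szDrvPath, sizeof szDrvFullPath, szDrvFullPath, NULL);
  if (len == 0 || len >= sizeof szDrvFullPath)
    goto cleanup;
  printf("Loading driver: %s\r\n", szDrvFullPath);

  n = snprintf(szSubKey, sizeof szSubKey, "\\??\\%s", szDrvFullPath);
  if (n < 0 || (size_t)n >= sizeof szSubKey)
    goto cleanup;
  /* Type 1 == REG_SZ; the data size must include the terminating NUL. */
  if (RegSetValueEx(hkResult, "ImagePath", 0, 1, (const unsigned char *)szSubKey, (DWORD)n + 1) != ERROR_SUCCESS)
    goto cleanup;
  RegCloseKey(hkResult);
  hkResult = NULL;

  /* ZwLoadDriver takes the native registry path of the service key. */
  n = snprintf(szSubKey, sizeof szSubKey, "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\%s", szDrvName);
  if (n < 0 || (size_t)n >= sizeof szSubKey)
    goto cleanup;
  astr.Buffer = (PVOID)szSubKey;
  astr.Length = (USHORT)n;
  astr.MaximumLength = (USHORT)(n + 1);   /* left uninitialised in the original */
  status = RtlAnsiStringToUnicodeString(&ustr, &astr, 1);   /* 1: allocate ustr.Buffer */
  if ((long)status < 0)                                      /* NTSTATUS: sign bit set == failure */
    goto cleanup;

  status = ZwLoadDriver(&ustr);
  RtlFreeUnicodeString(&ustr);
  ok = (long)status >= 0;
  if (!ok)
    printf("ZwLoadDriver failed, status 0x%08lX\r\n", (unsigned long)status);

cleanup:
  if (hkResult)
    RegCloseKey(hkResult);
  /* The original removed the service key after the load attempt; keep that so no
   * half-written key is left behind on the failure paths either. */
  remove_service_keys(szDrvName);
  return ok;
}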

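/*
 * Entry point: resolves the ntdll exports that LoadDriver() calls through the
 * file-scope function pointers, then hands the two command-line arguments to it.
 *
 * Usage: <program> <DriverFilename> <DriverPath>
 * Returns 0 when the driver loaded, -1 on a usage error and 1 on any other
 * failure. The original returned true (1) on success, which shells read as failure.
 *
 * Fix relative to the original: the three GetProcAddress results are checked
 * before use, so a missing export fails cleanly instead of calling a null pointer.
 */
int main(int argc, char *argv[])
{
  HMODULE hNtdll;

  printf("Load driver with ZwLoadDriver( )\r\n");
  printf("Date: 8th May 2007\r\n");
  printf("Modifed by: GaRY <wofeiwo_at_gmail_dot_com>\r\n\r\n");
  if (argc != 3)
  {
    printf("Usage: %s <DriverFilename> <DriverPath>\r\n", argv[0]);
    return -1;
  }

  /* ntdll.dll is mapped in every process; LoadLibrary only adds a reference,
   * which is why it is never released here. */
  hNtdll = LoadLibrary("ntdll.dll");
  if (!hNtdll)
  {
    printf("LoadLibrary( NTDLL.DLL ) Error:%lu\n", (unsigned long)GetLastError());
    return 1;
  }

  RtlAnsiStringToUnicodeString = (RTLANSISTRINGTOUNICODESTRING)
    GetProcAddress(hNtdll, "RtlAnsiStringToUnicodeString");
  RtlFreeUnicodeString = (RTLFREEUNICODESTRING)
    GetProcAddress(hNtdll, "RtlFreeUnicodeString");
  ZwLoadDriver = (ZWLOADDRIVER)
    GetProcAddress(hNtdll, "ZwLoadDriver");
  if (!RtlAnsiStringToUnicodeString || !RtlFreeUnicodeString || !ZwLoadDriver)
  {
    printf("GetProcAddress( NTDLL.DLL export ) Error:%lu\n", (unsigned long)GetLastError());
    return 1;
  }

  /* Register the service key, load the driver and remove the key again. */
  return LoadDriver(argv[1], argv[2]) ? 0 : 1;
}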






回复:通过ZwSetSystemInformation和ZwLoadDriver加载驱动

从网上转的  不知还对瑞星2011有效吗?

回复:通过ZwSetSystemInformation和ZwLoadDriver加载驱动

请楼主详细描述您的问题。

回复:通过ZwSetSystemInformation和ZwLoadDriver加载驱动

从网上看到的穿透瑞星主防的代码


不知道能不能穿透2011呢?

请转发给写监控的看看。

回复:通过ZwSetSystemInformation和ZwLoadDriver加载驱动

此代码已提交相关部门测试,有测试结果会尽快和您联系。感谢您对瑞星的支持!

回复:通过ZwSetSystemInformation和ZwLoadDriver加载驱动

经测试2011不存在问题,可以正常拦截并提示用户选择(行为分析提示)