source insight
从现在开始我们正式进入内核编程，但是很多内核里面的结构和类型是需要我们额外声明的，我们就需要一个工具来快速地阅读 Windows 内核源码。这里我贴出我所参考的博客：
羽夏看Win系统内核——SourceInsight 配置 WRK - 寂静的羽夏 - 博客园
就怕以后文章挂了，我还是走一遍流程。
首先安装好 Source Insight 之后，新建项目 WRK。
WRK（Windows Research Kernel）是微软公开的一部分 Windows 内核源码，用来供开发人员学习。下载地址：http://www.awarenetwork.org/home/iqlord/other/wrk.rar
在上面的步骤后一路 OK，直到下面选择 Add Tree，然后关掉这个窗口，按 F7 导入符号表，这就完成了。
理论准备
关于断链，我之前已经写过了文章：
R3隐藏导入表_loader函数导入表隐藏-CSDN博客
在 R3 中有这么一个结构：
3: kd dt _PEB_LDR_DATA
nt!_PEB_LDR_DATA0x000 Length : Uint4B0x004 Initialized : UChar0x008 SsHandle : Ptr64 Void0x010 InLoadOrderModuleList : _LIST_ENTRY0x020 InMemoryOrderModuleList : _LIST_ENTRY0x030 InInitializationOrderModuleList : _LIST_ENTRY0x040 EntryInProgress : Ptr64 Void0x048 ShutdownInProgress : UChar0x050 ShutdownThreadId : Ptr64 Void我们复习一下这个结构中的InLoadOrderModuleListInMemoryOrderModuleListInInitializationOrderModuleList都指向了一个双向链表这个链表里面存储了我们模块信息如果我们给链表里面的节点断链那么就可以让其他软件在遍历链表的时候找不到我们的模块
现在在 R0 里面也是同理的，只是结构变成了下面的 _KLDR_DATA_TABLE_ENTRY（定义在 WRK 的 ntldr.h 这个头文件中），且由于没有 PNON_PAGED_DEBUG_INFO 的定义，所以还要补上一个。
typedef struct _KLDR_DATA_TABLE_ENTRY {LIST_ENTRY InLoadOrderLinks;PVOID ExceptionTable;ULONG ExceptionTableSize;// ULONG padding on IA64PVOID GpValue;PNON_PAGED_DEBUG_INFO NonPagedDebugInfo;PVOID DllBase;PVOID EntryPoint;ULONG SizeOfImage;UNICODE_STRING FullDllName;UNICODE_STRING BaseDllName;ULONG Flags;USHORT LoadCount;USHORT __Unused5;PVOID SectionPointer;ULONG CheckSum;// ULONG padding on IA64PVOID LoadedImports;PVOID PatchInformation;
} KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY;typedef struct _NON_PAGED_DEBUG_INFO {USHORT Signature;USHORT Flags;ULONG Size;USHORT Machine;USHORT Characteristics;ULONG TimeDateStamp;ULONG CheckSum;ULONG SizeOfImage;ULONGLONG ImageBase;
} NON_PAGED_DEBUG_INFO, *PNON_PAGED_DEBUG_INFO;可以从上面的结构中看见R0中只保留了一个InLoadOrderLinks但是思路也是一样的
代码实现
在知道了上面所提到的内核中的两个结构之后，我们首先要看下系统中的这个双向链表长什么样，这里用一个 DbgBreakPoint 来断下：
// Listing 1: first look at the loader entry behind DriverObject->DriverSection.
// NOTE(review): this listing was flattened by extraction — assignment, '->', '&',
// '<...>' around header names and string quotes are missing, and each inline
// // comment swallows the rest of its physical line; read it against the prose,
// do not compile it as-is.
#includentifs.h
// ntstrsafe.h: the author's inline comment says "don't forget this header if you use
// RtlStringCbPrintfA"; nothing in this listing uses it. The NON_PAGED_DEBUG_INFO typedef
// that follows on the same line mirrors the WRK definition quoted in the text above and
// exists only so that KLDR_DATA_TABLE_ENTRY below has a complete member type.
#includentstrsafe.h//要用RtlStringCbPrintfA就别忘了这个库typedef struct _NON_PAGED_DEBUG_INFO {USHORT Signature;USHORT Flags;ULONG Size;USHORT Machine;USHORT Characteristics;ULONG TimeDateStamp;ULONG CheckSum;ULONG SizeOfImage;ULONGLONG ImageBase;
// KLDR_DATA_TABLE_ENTRY as quoted from WRK ntldr.h. InLoadOrderLinks is the doubly
// linked list link that the later listings walk, BaseDllName is the name they compare,
// and DllBase/EntryPoint correspond to DriverStart/DriverInit in the DRIVER_OBJECT dump
// shown below.
} NON_PAGED_DEBUG_INFO, *PNON_PAGED_DEBUG_INFO;typedef struct _KLDR_DATA_TABLE_ENTRY {LIST_ENTRY InLoadOrderLinks;PVOID ExceptionTable;ULONG ExceptionTableSize;// ULONG padding on IA64PVOID GpValue;PNON_PAGED_DEBUG_INFO NonPagedDebugInfo;PVOID DllBase;PVOID EntryPoint;ULONG SizeOfImage;UNICODE_STRING FullDllName;UNICODE_STRING BaseDllName;ULONG Flags;USHORT LoadCount;USHORT __Unused5;PVOID SectionPointer;ULONG CheckSum;// ULONG padding on IA64PVOID LoadedImports;PVOID PatchInformation;
// Unload routine: only logs. ("benn" is a typo for "been" in the message.)
} KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY;VOID DriverUnload(PDRIVER_OBJECT DriverObject) {DbgPrint(Driver has benn Unloaded);}
// DriverEntry: reinterprets pDriver->DriverSection as this driver's own loader entry
// (`ldr`) and stops in the kernel debugger so `dt ldr` can be inspected (see the windbg
// output that follows), then registers DriverUnload and returns STATUS_SUCCESS.
// NOTE(review): DbgBreakPoint() is unconditional; with no kernel debugger attached a
// kernel-mode breakpoint is fatal, so this only makes sense in the windbg session the
// article describes. `count` is a file-scope int that is unused until later listings;
// pReg is unused.
int count 0;NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg) {//DbgBreakPoint();PKLDR_DATA_TABLE_ENTRY ldr (PKLDR_DATA_TABLE_ENTRY)pDriver-DriverSection;DbgBreakPoint();pDriver-DriverUnload DriverUnload;return STATUS_SUCCESS;
}同时在windbg中指定新的符号路径并使用.reload /f 命令重载符号表这样我们的调试就方便多了
如果没有符号表，有些结构我们是没有办法展现出来的。
首先来看看我们的 pDriver 这个结构：
0: kd dt pDriver
Local var 0x903289e0 Type _DRIVER_OBJECT*
0x8be44160 0x000 Type : 0n40x002 Size : 0n1680x004 DeviceObject : (null) 0x008 Flags : 20x00c DriverStart : 0x9709c000 Void0x010 DriverSize : 0x60000x014 DriverSection : 0x8898b7b8 Void0x018 DriverExtension : 0x8be44208 _DRIVER_EXTENSION0x01c DriverName : _UNICODE_STRING \Driver\MyDriver20x024 HardwareDatabase : 0x841ab250 _UNICODE_STRING \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM0x028 FastIoDispatch : (null) 0x02c DriverInit : 0x970a0000 long MyDriver2!GsDriverEntry00x030 DriverStartIo : (null) 0x034 DriverUnload : (null) 0x038 MajorFunction : [28] 0x83ef4da3 long nt!IopInvalidDeviceRequest0着重关注两个值DriverStart和DriverInit分别是我们的模块基址和模块入口
之后根据之前得到的知识，pDriver 中的 DriverSection 就是我们的 _KLDR_DATA_TABLE_ENTRY 结构存放的地址。我们在代码中把它转进变量 ldr 中，用 dt 看一下，这里就可以看见 DllBase 和 EntryPoint 与我们的 DriverStart 和 DriverInit 相互对应：
0: kd dt ldr
Local var 0x903289d4 Type _KLDR_DATA_TABLE_ENTRY*
0x8898b7b8 0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x83f89850 - 0x889a4e98 ]//Flink和Blink0x008 ExceptionTable : 0xffffffff Void0x00c ExceptionTableSize : 0xffffffff0x010 GpValue : 0x00000005 Void0x014 NonPagedDebugInfo : (null) 0x018 DllBase : 0x9709c000 Void0x01c EntryPoint : 0x970a0000 Void0x020 SizeOfImage : 0x60000x024 FullDllName : _UNICODE_STRING \??\C:\Users\su\Desktop\MyDriver2.sys0x02c BaseDllName : _UNICODE_STRING MyDriver2.sys0x034 Flags : 0x491040000x038 LoadCount : 10x03a __Unused5 : 00x03c SectionPointer : (null) 0x040 CheckSum : 0xab050x044 LoadedImports : 0x0034f110 Void0x048 PatchInformation : (null) 我们看见了第一个InLoadOrderLinks里面的双向链表所以我们用它给的Flink来访问链表里面的下一个节点由于我们的MyDriver2是最后一个加载的驱动所以它的下一个也就是我们的第一个驱动果不其然是我们的内核
0: kd dt PKLDR_DATA_TABLE_ENTRY 0x83f89850
MyDriver2!PKLDR_DATA_TABLE_ENTRY
0x86a4cc98 0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x86a4cc20 - 0x83f89850 ]0x008 ExceptionTable : 0x83eb7544 Void0x00c ExceptionTableSize : 0x120x010 GpValue : (null) 0x014 NonPagedDebugInfo : (null) 0x018 DllBase : 0x83e3f000 Void0x01c EntryPoint : 0x83f5e4d8 Void0x020 SizeOfImage : 0x4120000x024 FullDllName : _UNICODE_STRING \SystemRoot\system32\ntkrnlpa.exe0x02c BaseDllName : _UNICODE_STRING ntoskrnl.exe0x034 Flags : 0x80040000x038 LoadCount : 0x6b0x03a __Unused5 : 00x03c SectionPointer : (null) 0x040 CheckSum : 0x3c88ac0x044 LoadedImports : (null) 0x048 PatchInformation : (null) 所以我们稍微修改一下我们的代码
// Listing 2: walk every entry on the in-load-order module list and print its name.
// NOTE(review): flattened by extraction — assignment, '->', '&', '<...>' and string
// quotes are missing, and each inline // comment swallows the rest of its physical
// line; read it against the prose, do not compile it as-is.
#includentifs.h
// ntstrsafe.h: the author's inline comment says "don't forget this header if you use
// RtlStringCbPrintfA"; it is not used here. NON_PAGED_DEBUG_INFO follows on this line,
// as in listing 1.
#includentstrsafe.h//要用RtlStringCbPrintfA就别忘了这个库typedef struct _NON_PAGED_DEBUG_INFO {USHORT Signature;USHORT Flags;ULONG Size;USHORT Machine;USHORT Characteristics;ULONG TimeDateStamp;ULONG CheckSum;ULONG SizeOfImage;ULONGLONG ImageBase;
// KLDR_DATA_TABLE_ENTRY (WRK ntldr.h): InLoadOrderLinks is the link walked below,
// BaseDllName is the UNICODE_STRING printed with %wZ.
} NON_PAGED_DEBUG_INFO, *PNON_PAGED_DEBUG_INFO;typedef struct _KLDR_DATA_TABLE_ENTRY {LIST_ENTRY InLoadOrderLinks;PVOID ExceptionTable;ULONG ExceptionTableSize;// ULONG padding on IA64PVOID GpValue;PNON_PAGED_DEBUG_INFO NonPagedDebugInfo;PVOID DllBase;PVOID EntryPoint;ULONG SizeOfImage;UNICODE_STRING FullDllName;UNICODE_STRING BaseDllName;ULONG Flags;USHORT LoadCount;USHORT __Unused5;PVOID SectionPointer;ULONG CheckSum;// ULONG padding on IA64PVOID LoadedImports;PVOID PatchInformation;
// Unload routine: only logs ("benn" is a typo for "been").
} KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY;VOID DriverUnload(PDRIVER_OBJECT DriverObject) {DbgPrint(Driver has benn Unloaded);}
// DriverEntry: `ldr` is this driver's own loader entry (DriverSection). `pre` is
// ldr->InLoadOrderLinks.Flink and serves as the loop terminator; `next` starts at
// pre->Flink and follows Flink until it wraps around to `pre`, printing "[index] name"
// and incrementing the file-scope `count` at each step.
// NOTE(review): in the dt output above, ldr's Flink (0x83f89850) is the Blink of the
// ntoskrnl entry and dt had to dereference it as a pointer to reach that entry — so
// `pre` looks like the bare list head (a LIST_ENTRY inside nt), not a real
// KLDR_DATA_TABLE_ENTRY. The walk terminates correctly on it only because this driver
// happened to be loaded last; if another driver loads after MyDriver2, `pre` is that
// driver's entry and the bare head gets printed as if it were an entry — TODO confirm.
// DbgBreakPoint() is unconditional; without a kernel debugger attached it is fatal.
int count 0;NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg) {//DbgBreakPoint();PKLDR_DATA_TABLE_ENTRY ldr (PKLDR_DATA_TABLE_ENTRY)pDriver-DriverSection;DbgBreakPoint();PKLDR_DATA_TABLE_ENTRY pre (PKLDR_DATA_TABLE_ENTRY)ldr-InLoadOrderLinks.Flink;PKLDR_DATA_TABLE_ENTRY next (PKLDR_DATA_TABLE_ENTRY)pre-InLoadOrderLinks.Flink;while (next ! pre){DbgPrint([%d] %wZ, count, next-BaseDllName);next (PKLDR_DATA_TABLE_ENTRY)next-InLoadOrderLinks.Flink;count;} pDriver-DriverUnload DriverUnload;return STATUS_SUCCESS;
}这样重新编译之后用DbgView可以看见我们确实遍历所有模块 那既然我们已经正确的找到这个双向链表了剩下的事情就好办多了使用我们之前驱动篇基础里面介绍过的API来初始化一个Unicode字符串然后用这个字符串去对比某个目标模块如果一致就按照链表断链的方式将其从双向链表中删除继续修改我们的代码
// Listing 3: the walk from listing 2, but when BaseDllName equals "srv2.sys" that entry
// is unlinked from the in-load-order list; a second walk then prints the list again.
// NOTE(review): flattened by extraction — assignment, '->', '&', '<...>' and string
// quotes are missing, and each inline // comment swallows the rest of its physical
// line; read it against the prose, do not compile it as-is.
#includentifs.h
// ntstrsafe.h: author's inline comment, "don't forget this header if you use
// RtlStringCbPrintfA"; unused here. NON_PAGED_DEBUG_INFO follows on this line.
#includentstrsafe.h//要用RtlStringCbPrintfA就别忘了这个库typedef struct _NON_PAGED_DEBUG_INFO {USHORT Signature;USHORT Flags;ULONG Size;USHORT Machine;USHORT Characteristics;ULONG TimeDateStamp;ULONG CheckSum;ULONG SizeOfImage;ULONGLONG ImageBase;
// KLDR_DATA_TABLE_ENTRY (WRK ntldr.h); InLoadOrderLinks and BaseDllName are the members
// used below.
} NON_PAGED_DEBUG_INFO, *PNON_PAGED_DEBUG_INFO;typedef struct _KLDR_DATA_TABLE_ENTRY {LIST_ENTRY InLoadOrderLinks;PVOID ExceptionTable;ULONG ExceptionTableSize;// ULONG padding on IA64PVOID GpValue;PNON_PAGED_DEBUG_INFO NonPagedDebugInfo;PVOID DllBase;PVOID EntryPoint;ULONG SizeOfImage;UNICODE_STRING FullDllName;UNICODE_STRING BaseDllName;ULONG Flags;USHORT LoadCount;USHORT __Unused5;PVOID SectionPointer;ULONG CheckSum;// ULONG padding on IA64PVOID LoadedImports;PVOID PatchInformation;
// Unload routine: only logs ("benn" is a typo for "been").
} KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY;VOID DriverUnload(PDRIVER_OBJECT DriverObject) {DbgPrint(Driver has benn Unloaded);}
// DriverEntry: `target` is the hard-coded base name L"srv2.sys" (quotes lost in
// extraction). RtlCompareUnicodeString(..., TRUE) compares case-insensitively and returns
// 0 on equality, hence the `!`. On a match: print the index, break into the debugger,
// RemoveEntryList(&next->InLoadOrderLinks) — the commented-out lines are the manual
// Flink/Blink splice the author says is equivalent — then `break`. The second loop
// re-walks the list from `pre` with `count` reset to 0 to show the entry is gone.
// NOTE(review): no lock or resource is held around RemoveEntryList, so a concurrent
// reader of this global list can observe the splice half-done; the removed node also
// keeps its stale Flink/Blink. `pre->BaseDllName` is printed although `pre` appears to
// be the bare list head per the earlier dt output (see listing 2) — TODO confirm.
// Detection note (from the author's next paragraph): unlinking only hides the module
// from consumers of this list; PCHunter still reported it, i.e. tooling that reconciles
// several independent sources is not defeated by this step alone.
int count 0;NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg) {//DbgBreakPoint();PKLDR_DATA_TABLE_ENTRY ldr (PKLDR_DATA_TABLE_ENTRY)pDriver-DriverSection;DbgBreakPoint();PKLDR_DATA_TABLE_ENTRY pre (PKLDR_DATA_TABLE_ENTRY)ldr-InLoadOrderLinks.Flink;PKLDR_DATA_TABLE_ENTRY next (PKLDR_DATA_TABLE_ENTRY)pre-InLoadOrderLinks.Flink;UNICODE_STRING target { 0 };RtlInitUnicodeString(target, Lsrv2.sys);while (next ! pre){//gPrint([%d] %wZ, count, next-BaseDllName);if (!RtlCompareUnicodeString(target, next-BaseDllName, TRUE)) {DbgPrint([db] target has been found,the num is %d\r\n,count);//RemoveEntryList(next);DbgBreakPoint();RemoveEntryList(next-InLoadOrderLinks);//这个api和直接操作链表断链是等价的//PKLDR_DATA_TABLE_ENTRY PreNode (PKLDR_DATA_TABLE_ENTRY)next-InLoadOrderLinks.Blink;//PKLDR_DATA_TABLE_ENTRY NextNode (PKLDR_DATA_TABLE_ENTRY)next-InLoadOrderLinks.Flink;//PreNode-InLoadOrderLinks.Flink next-InLoadOrderLinks.Flink;//NextNode-InLoadOrderLinks.Blink next-InLoadOrderLinks.Blink;break;}next (PKLDR_DATA_TABLE_ENTRY)next-InLoadOrderLinks.Flink;count;} //DbgBreakPoint();//ldr (PKLDR_DATA_TABLE_ENTRY)pDriver-DriverSection;//第二次遍历内核模块看看有没有真的断链pre (PKLDR_DATA_TABLE_ENTRY)ldr-InLoadOrderLinks.Flink;next (PKLDR_DATA_TABLE_ENTRY)pre-InLoadOrderLinks.Flink;DbgPrint(%wZ\r\n, pre-BaseDllName);DbgPrint(%wZ\r\n, next-BaseDllName);count 0;while (next ! pre){DbgPrint([] %d %wZ, count, next-BaseDllName);next (PKLDR_DATA_TABLE_ENTRY)next-InLoadOrderLinks.Flink;count;}pDriver-DriverUnload DriverUnload;return STATUS_SUCCESS;
}可以看见我们的模块在149在DbgView中向下翻可以看见149已经不是我们的模块了 继续深入的研究
这是真正的断掉了吗？我打开了我的 PChunter：这种简单的断链，即使已经没有办法被遍历出来，还是没有办法逃过它的检测。换句话说，如果这是一个 AV 或者那些 Anti-Cheat 程序，它还是有办法能找到你。这里我们就可以提到刚刚我们所强调的 DriverInit 和 DriverSection：我们不仅要断掉双向链表，还要保证我们的驱动入口不被找到。这里先暂时不考虑我们后续怎么找到自己的驱动。
ObReferenceObjectByName
介绍一个新的未导出的内核函数。这里函数名后面的 ByName 表示我们可以通过名字来查询驱动对象，类似的还有通过句柄等等，只是我们这里已经定义了字符串。
NTKERNELAPI
NTSTATUS
ObReferenceObjectByName(__in PUNICODE_STRING ObjectName,__in ULONG Attributes,__in_opt PACCESS_STATE AccessState,__in_opt ACCESS_MASK DesiredAccess,__in POBJECT_TYPE ObjectType,__in KPROCESSOR_MODE AccessMode,__inout_opt PVOID ParseContext,__out PVOID *Object);
它的作用就是帮助我们去获取驱动对象的指针，方便我们进行操作。由于它未导出，我们得先声明一下。
我们修改我们的代码：
// Listing 4: as listing 3, plus the matching driver's DRIVER_OBJECT is looked up by name
// and its DriverSection / DriverInit are cleared before the loader entry is unlinked.
// NOTE(review): flattened by extraction — assignment, '->', '&', '<...>' and string
// quotes are missing, and each inline // comment swallows the rest of its physical
// line; read it against the prose, do not compile it as-is.
#includentifs.h
// ntstrsafe.h: author's inline comment, "don't forget this header if you use
// RtlStringCbPrintfA"; unused here. NON_PAGED_DEBUG_INFO follows on this line.
#includentstrsafe.h//要用RtlStringCbPrintfA就别忘了这个库typedef struct _NON_PAGED_DEBUG_INFO {USHORT Signature;USHORT Flags;ULONG Size;USHORT Machine;USHORT Characteristics;ULONG TimeDateStamp;ULONG CheckSum;ULONG SizeOfImage;ULONGLONG ImageBase;
// KLDR_DATA_TABLE_ENTRY (WRK ntldr.h); InLoadOrderLinks and BaseDllName are the members
// used below.
} NON_PAGED_DEBUG_INFO, *PNON_PAGED_DEBUG_INFO;typedef struct _KLDR_DATA_TABLE_ENTRY {LIST_ENTRY InLoadOrderLinks;PVOID ExceptionTable;ULONG ExceptionTableSize;// ULONG padding on IA64PVOID GpValue;PNON_PAGED_DEBUG_INFO NonPagedDebugInfo;PVOID DllBase;PVOID EntryPoint;ULONG SizeOfImage;UNICODE_STRING FullDllName;UNICODE_STRING BaseDllName;ULONG Flags;USHORT LoadCount;USHORT __Unused5;PVOID SectionPointer;ULONG CheckSum;// ULONG padding on IA64PVOID LoadedImports;PVOID PatchInformation;
// Local prototype of ObReferenceObjectByName (not declared by the headers included
// here); parameter order is ObjectName, Attributes, AccessState, DesiredAccess,
// ObjectType, AccessMode, ParseContext, Object — the call below must be read against it.
} KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY;NTSTATUS ObReferenceObjectByName(__in PUNICODE_STRING ObjectName,__in ULONG Attributes,__in_opt PACCESS_STATE AccessState,__in_opt ACCESS_MASK DesiredAccess,__in POBJECT_TYPE ObjectType,__in KPROCESSOR_MODE AccessMode,__inout_opt PVOID ParseContext,__out PVOID *Object
// IoDriverObjectType: exported object-type pointer passed (dereferenced) as ObjectType.
// DriverUnload only logs ("benn" is a typo for "been").
);extern POBJECT_TYPE *IoDriverObjectType;VOID DriverUnload(PDRIVER_OBJECT DriverObject) {DbgPrint(Driver has benn Unloaded);}
// DriverEntry: `target` = L"srv2.sys", `ObName` = L"\\FileSystem\\srv2" (author's inline
// comment: use `!drvobj srv2 1` in windbg if the object path is unknown). On a name
// match: ObReferenceObjectByName(&ObName, FILE_ALL_ACCESS, 0, 0, *IoDriverObjectType,
// KernelMode, NULL, &TargetDriver); if that succeeds, DriverSection and DriverInit are
// set to NULL (author's comment: "remove our driver entry point") and the loader entry
// is unlinked with RemoveEntryList. The second loop re-prints the list as in listing 3.
// NOTE(review): FILE_ALL_ACCESS is passed as the 2nd argument, which per the prototype
// above is `Attributes` (object-attribute flags), while `DesiredAccess` (4th) gets 0 —
// the arguments look shifted by one; TODO confirm which was intended.
// NOTE(review): the reference returned by ObReferenceObjectByName is never released in
// this listing (no ObDereferenceObject — compare the final listing), so every successful
// lookup leaks a reference on the target driver object.
// DbgBreakPoint() remains unconditional (fatal without a kernel debugger attached).
int count 0;NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg) {//DbgBreakPoint();PKLDR_DATA_TABLE_ENTRY ldr (PKLDR_DATA_TABLE_ENTRY)pDriver-DriverSection;//DbgBreakPoint();PKLDR_DATA_TABLE_ENTRY pre (PKLDR_DATA_TABLE_ENTRY)ldr-InLoadOrderLinks.Flink;PKLDR_DATA_TABLE_ENTRY next (PKLDR_DATA_TABLE_ENTRY)pre-InLoadOrderLinks.Flink;UNICODE_STRING target { 0 };RtlInitUnicodeString(target, Lsrv2.sys);UNICODE_STRING ObName { 0 };RtlInitUnicodeString(ObName, L\\FileSystem\\srv2);//这里如果不知道自己的驱动在什么路径可以在windbg中使用!drvobj srv2 1这个命令while (next ! pre){//gPrint([%d] %wZ, count, next-BaseDllName);if (!RtlCompareUnicodeString(target, next-BaseDllName, TRUE)) {PDRIVER_OBJECT TargetDriver NULL;NTSTATUS status ObReferenceObjectByName(ObName, FILE_ALL_ACCESS, 0, 0, *IoDriverObjectType, KernelMode, NULL, TargetDriver);DbgPrint([db] target has been found,the num is %d\r\n,count);//RemoveEntryList(next);DbgBreakPoint();if (NT_SUCCESS(status)) {TargetDriver-DriverSection NULL;//去除掉我们的驱动入口TargetDriver-DriverInit NULL;RemoveEntryList(next-InLoadOrderLinks);}//PKLDR_DATA_TABLE_ENTRY PreNode (PKLDR_DATA_TABLE_ENTRY)next-InLoadOrderLinks.Blink;//PKLDR_DATA_TABLE_ENTRY NextNode (PKLDR_DATA_TABLE_ENTRY)next-InLoadOrderLinks.Flink;//PreNode-InLoadOrderLinks.Flink next-InLoadOrderLinks.Flink;//NextNode-InLoadOrderLinks.Blink next-InLoadOrderLinks.Blink;break;}next (PKLDR_DATA_TABLE_ENTRY)next-InLoadOrderLinks.Flink;count;} //DbgBreakPoint();//ldr (PKLDR_DATA_TABLE_ENTRY)pDriver-DriverSection;//第二次遍历内核模块pre (PKLDR_DATA_TABLE_ENTRY)ldr-InLoadOrderLinks.Flink;next (PKLDR_DATA_TABLE_ENTRY)pre-InLoadOrderLinks.Flink;DbgPrint(%wZ\r\n, pre-BaseDllName);DbgPrint(%wZ\r\n, next-BaseDllName);count 0;while (next ! pre){DbgPrint([] %d %wZ\r\n, count, next-BaseDllName);next (PKLDR_DATA_TABLE_ENTRY)next-InLoadOrderLinks.Flink;count;}pDriver-DriverUnload DriverUnload;return STATUS_SUCCESS;
}按照这个运行之后再打开PCHunter这下是彻底被藏住了
1: kd g
Driver has benn Unloaded[db] target has been found,the num is 149//这次我们在149
Break instruction exception - code 80000003 (first chance)
Unable to load image MyDriver2.sys, Win32 error 0n2
MyDriver20x10bf:
9d17c0bf cc int 3我们马上就可以想到那能不能用这种方法隐藏自己呢
继续稍微修改我们的代码：
// Listing 5: listing 4 applied to this driver itself (target L"MyDriver2.sys", object
// L"\\Driver\\MyDriver2"). The author reports that this bugchecks (0x7E with 0xC0000005,
// see the debugger output below) because DriverInit/DriverSection are cleared while
// DriverEntry is still running and, per the author, the loader still needs them.
// NOTE(review): flattened by extraction — assignment, '->', '&', '<...>' and string
// quotes are missing, and each inline // comment swallows the rest of its physical
// line; read it against the prose, do not compile it as-is.
#includentifs.h
// ntstrsafe.h: author's inline comment, "don't forget this header if you use
// RtlStringCbPrintfA"; unused here. NON_PAGED_DEBUG_INFO follows on this line.
#includentstrsafe.h//要用RtlStringCbPrintfA就别忘了这个库typedef struct _NON_PAGED_DEBUG_INFO {USHORT Signature;USHORT Flags;ULONG Size;USHORT Machine;USHORT Characteristics;ULONG TimeDateStamp;ULONG CheckSum;ULONG SizeOfImage;ULONGLONG ImageBase;
// KLDR_DATA_TABLE_ENTRY (WRK ntldr.h); InLoadOrderLinks and BaseDllName are the members
// used below.
} NON_PAGED_DEBUG_INFO, *PNON_PAGED_DEBUG_INFO;typedef struct _KLDR_DATA_TABLE_ENTRY {LIST_ENTRY InLoadOrderLinks;PVOID ExceptionTable;ULONG ExceptionTableSize;// ULONG padding on IA64PVOID GpValue;PNON_PAGED_DEBUG_INFO NonPagedDebugInfo;PVOID DllBase;PVOID EntryPoint;ULONG SizeOfImage;UNICODE_STRING FullDllName;UNICODE_STRING BaseDllName;ULONG Flags;USHORT LoadCount;USHORT __Unused5;PVOID SectionPointer;ULONG CheckSum;// ULONG padding on IA64PVOID LoadedImports;PVOID PatchInformation;
// Local prototype of ObReferenceObjectByName, as in listing 4 (2nd parameter is
// Attributes, 4th is DesiredAccess).
} KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY;NTSTATUS ObReferenceObjectByName(__in PUNICODE_STRING ObjectName,__in ULONG Attributes,__in_opt PACCESS_STATE AccessState,__in_opt ACCESS_MASK DesiredAccess,__in POBJECT_TYPE ObjectType,__in KPROCESSOR_MODE AccessMode,__inout_opt PVOID ParseContext,__out PVOID *Object
// IoDriverObjectType: exported object-type pointer for the \Driver lookup.
// DriverUnload only logs ("benn" is a typo for "been").
);extern POBJECT_TYPE *IoDriverObjectType;VOID DriverUnload(PDRIVER_OBJECT DriverObject) {DbgPrint(Driver has benn Unloaded);}
// DriverEntry: identical to listing 4 except for the two strings (author's inline
// comment: "the path changed here") and an added DbgPrint of `status` before the
// `break`. Both issues from listing 4 carry over unchanged: FILE_ALL_ACCESS is passed
// in the `Attributes` position while `DesiredAccess` is 0, and the reference taken by
// ObReferenceObjectByName is never released with ObDereferenceObject.
// DbgBreakPoint() remains unconditional (fatal without a kernel debugger attached).
int count 0;NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg) {//DbgBreakPoint();PKLDR_DATA_TABLE_ENTRY ldr (PKLDR_DATA_TABLE_ENTRY)pDriver-DriverSection;//DbgBreakPoint();PKLDR_DATA_TABLE_ENTRY pre (PKLDR_DATA_TABLE_ENTRY)ldr-InLoadOrderLinks.Flink;PKLDR_DATA_TABLE_ENTRY next (PKLDR_DATA_TABLE_ENTRY)pre-InLoadOrderLinks.Flink;UNICODE_STRING target { 0 };RtlInitUnicodeString(target, LMyDriver2.sys);UNICODE_STRING ObName { 0 };RtlInitUnicodeString(ObName, L\\Driver\\MyDriver2);//这里路径改了while (next ! pre){//gPrint([%d] %wZ, count, next-BaseDllName);if (!RtlCompareUnicodeString(target, next-BaseDllName, TRUE)) {PDRIVER_OBJECT TargetDriver NULL;NTSTATUS status ObReferenceObjectByName(ObName, FILE_ALL_ACCESS, 0, 0, *IoDriverObjectType, KernelMode, NULL, TargetDriver);DbgPrint([db] target has been found,the num is %d\r\n,count);//RemoveEntryList(next);DbgBreakPoint();if (NT_SUCCESS(status)) {TargetDriver-DriverSection NULL;//去除掉我们的驱动入口TargetDriver-DriverInit NULL;RemoveEntryList(next-InLoadOrderLinks);}//PKLDR_DATA_TABLE_ENTRY PreNode (PKLDR_DATA_TABLE_ENTRY)next-InLoadOrderLinks.Blink;//PKLDR_DATA_TABLE_ENTRY NextNode (PKLDR_DATA_TABLE_ENTRY)next-InLoadOrderLinks.Flink;//PreNode-InLoadOrderLinks.Flink next-InLoadOrderLinks.Flink;//NextNode-InLoadOrderLinks.Blink next-InLoadOrderLinks.Blink;DbgPrint(%d, status);break;}next (PKLDR_DATA_TABLE_ENTRY)next-InLoadOrderLinks.Flink;count;} //DbgBreakPoint();//ldr (PKLDR_DATA_TABLE_ENTRY)pDriver-DriverSection;//第二次遍历内核模块pre (PKLDR_DATA_TABLE_ENTRY)ldr-InLoadOrderLinks.Flink;next (PKLDR_DATA_TABLE_ENTRY)pre-InLoadOrderLinks.Flink;DbgPrint(%wZ\r\n, pre-BaseDllName);DbgPrint(%wZ\r\n, next-BaseDllName);count 0;while (next ! pre){DbgPrint([] %d %wZ\r\n, count, next-BaseDllName);next (PKLDR_DATA_TABLE_ENTRY)next-InLoadOrderLinks.Flink;count;}pDriver-DriverUnload DriverUnload;return STATUS_SUCCESS;
}一运行蓝屏了
*** Fatal System Error: 0x0000007e(0xC0000005,0x83FE1943,0x9BF03900,0x9BF03360)Break instruction exception - code 80000003 (first chance)A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.A fatal system error has occurred.For analysis of this file, run !analyze -v
nt!RtlpBreakWithStatusInstruction:
83e99110 cc int 3 这是为什么呢？因为我们把驱动的入口给抹掉了，但是还是有一些操作要用到这个驱动入口，所以我们不能在加载自己的一瞬间就把自己的入口抹掉，还需要一点延时。
线程延时
在内核中我们一般不使用 sleep 函数，这其中当然也有 sleep 函数容易被 Hook 的原因。
我们如果要想达成一个类似延时的效果，可以在自己的驱动模块中起一个内核线程，然后延时启动这个线程。延时是为了保证所有之前用到驱动入口的地方都正确运行完之后再释放（不知道怎么说，描述不清楚）。
我们要新用到两个函数：
NTSTATUS PsCreateSystemThread([out] PHANDLE ThreadHandle,[in] ULONG DesiredAccess,[in, optional] POBJECT_ATTRIBUTES ObjectAttributes,[in, optional] HANDLE ProcessHandle,[out, optional] PCLIENT_ID ClientId,[in] PKSTART_ROUTINE StartRoutine,[in, optional] PVOID StartContext
);NTSTATUS KeDelayExecutionThread([in] KPROCESSOR_MODE WaitMode,[in] BOOLEAN Alertable,[in] PLARGE_INTEGER Interval
);改进代码如下
// Listing 6 (final): the unlink is moved into a system thread that first sleeps, so
// that DriverEntry has long returned before DriverInit/DriverSection are cleared.
// NOTE(review): flattened by extraction — assignment, '->', '&', '<...>' and string
// quotes are missing, and each inline // comment swallows the rest of its physical
// line; read it against the prose, do not compile it as-is. The closing brace of
// DriverEntry is on the line after this listing.
#includentifs.h
// ntstrsafe.h: author's inline comment, "don't forget this header if you use
// RtlStringCbPrintfA"; unused here. NON_PAGED_DEBUG_INFO follows on this line.
#includentstrsafe.h//要用RtlStringCbPrintfA就别忘了这个库typedef struct _NON_PAGED_DEBUG_INFO {USHORT Signature;USHORT Flags;ULONG Size;USHORT Machine;USHORT Characteristics;ULONG TimeDateStamp;ULONG CheckSum;ULONG SizeOfImage;ULONGLONG ImageBase;
// KLDR_DATA_TABLE_ENTRY (WRK ntldr.h); only InLoadOrderLinks is used below.
} NON_PAGED_DEBUG_INFO, *PNON_PAGED_DEBUG_INFO;typedef struct _KLDR_DATA_TABLE_ENTRY {LIST_ENTRY InLoadOrderLinks;PVOID ExceptionTable;ULONG ExceptionTableSize;// ULONG padding on IA64PVOID GpValue;PNON_PAGED_DEBUG_INFO NonPagedDebugInfo;PVOID DllBase;PVOID EntryPoint;ULONG SizeOfImage;UNICODE_STRING FullDllName;UNICODE_STRING BaseDllName;ULONG Flags;USHORT LoadCount;USHORT __Unused5;PVOID SectionPointer;ULONG CheckSum;// ULONG padding on IA64PVOID LoadedImports;PVOID PatchInformation;
// Local prototype of ObReferenceObjectByName (2nd parameter is Attributes, 4th is
// DesiredAccess).
} KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY;NTSTATUS ObReferenceObjectByName(__in PUNICODE_STRING ObjectName,__in ULONG Attributes,__in_opt PACCESS_STATE AccessState,__in_opt ACCESS_MASK DesiredAccess,__in POBJECT_TYPE ObjectType,__in KPROCESSOR_MODE AccessMode,__inout_opt PVOID ParseContext,__out PVOID *Object
// IoDriverObjectType: exported object-type pointer for the \Driver lookup.
// DriverHide — thread start routine. `in.QuadPart = -10000 * 20000` is a relative
// KeDelayExecutionThread interval in 100 ns units (negative = relative): 10000 units
// are 1 ms, so the thread sleeps 20 s (author's comments: "fixed delay" / "does not
// start before the time is up"). Then it looks up the DRIVER_OBJECT named by `ObName`,
// casts its DriverSection to the loader entry, RemoveEntryList()s it, sets
// DriverSection and DriverInit to NULL ("remove our driver entry point") and — unlike
// listings 4/5 — ObDereferenceObject()s the driver object before returning.
// NOTE(review): the parameter is declared PWCH, but PsCreateSystemThread expects a
// PKSTART_ROUTINE whose single parameter is PVOID; the context actually passed is the
// literal L"\\Driver\\MyDriver2" from DriverEntry. The FILE_ALL_ACCESS-in-the-
// Attributes-position call from listing 4 is unchanged here.
// Detection note: the DRIVER_OBJECT itself is not removed (the code finds it by name
// and only clears two of its fields) and the image stays mapped, so enumeration that
// does not rely on this list — the author's own PCHunter observation after listing 3 —
// can still account for the module.
);extern POBJECT_TYPE *IoDriverObjectType;void DriverHide(PWCH ObName) {LARGE_INTEGER in { 0 };in.QuadPart -10000 * 20000;//规定时间KeDelayExecutionThread(KernelMode, FALSE, in);//不到时间不启动UNICODE_STRING ObjName { 0 };RtlInitUnicodeString(ObjName, ObName);PDRIVER_OBJECT TargetDriver NULL;NTSTATUS status ObReferenceObjectByName(ObjName, FILE_ALL_ACCESS, 0, 0, *IoDriverObjectType, KernelMode, NULL, TargetDriver);if (NT_SUCCESS(status)) {//DbgBreakPoint();PKLDR_DATA_TABLE_ENTRY ldr (PKLDR_DATA_TABLE_ENTRY)TargetDriver-DriverSection;RemoveEntryList(ldr-InLoadOrderLinks);TargetDriver-DriverSection NULL;//去除掉我们的驱动入口TargetDriver-DriverInit NULL;ObDereferenceObject(TargetDriver);DbgPrint(Success!!\r\n);}return;
// DriverUnload only logs; it does not wait for the DriverHide thread ("benn" is a typo
// for "been").
}VOID DriverUnload(PDRIVER_OBJECT DriverObject) {DbgPrint(Driver has benn Unloaded);}
// DriverEntry: PsCreateSystemThread(&pThread, THREAD_ALL_ACCESS, NULL, NULL, NULL,
// DriverHide, L"\\Driver\\MyDriver2"), an unconditional DbgBreakPoint(), then the
// thread handle is closed on success and DriverUnload is registered.
// NOTE(review): nothing ties the thread to the driver's lifetime — if the driver is
// unloaded inside the 20 s window, the sleeping thread wakes up in an unmapped image;
// DriverUnload should wait for it (e.g. reference the thread object and block on it).
// The handle is closed with NtClose; ZwClose is the conventional call from kernel mode.
// DbgBreakPoint() without a kernel debugger attached is fatal. `count` is now unused.
int count 0;NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg) {HANDLE pThread NULL;NTSTATUS status PsCreateSystemThread(pThread, THREAD_ALL_ACCESS,NULL, NULL, NULL, DriverHide, L\\Driver\\MyDriver2);DbgBreakPoint();if (NT_SUCCESS(status)) {NtClose(pThread);}pDriver-DriverUnload DriverUnload;return STATUS_SUCCESS;
}最后是成功地将我们自己的驱动 MyDriver2.sys 给隐藏了。