通过ZwSetSystemInformation和ZwLoadDriver加载驱动
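/*
 * Loading a kernel driver through the ntdll.dll exports (two loader samples
 * collected while getting started; cleaned up, split and modified, then
 * built and tested on Windows XP SP2 with VS 2005).  Both go through kernel
 * routines exported from ntdll.dll, which are the two usual approaches.  The
 * even more common SCM route (CreateService/StartService) is not shown
 * because it ends up calling ZwLoadDriver anyway.
 *
 * Relevant excerpts from "Windows NT/2000 Native API Reference":
 *   SystemLoadAndCallImage - Unlike ZwLoadDriver, which loads the module in
 *     the context of the system process, ZwSetSystemInformation loads the
 *     module and invokes the entry point in the context of the current
 *     process.
 *   ZwLoadDriver - SeLoadDriverPrivilege is required to load a driver.  The
 *     Win32 function StartService directs the Service Control Manager process
 *     to execute this function on behalf of the caller; the SCM provides a
 *     DriverServiceName of the form
 *     \Registry\Machine\System\CurrentControlSet\Services\Tcpip.
 *
 * Security notes for anyone reusing this code: both tools hand arbitrary code
 * to the kernel, so they need an administrative token with
 * SeLoadDriverPrivilege *enabled* (the excerpt above states the requirement;
 * the privilege is present but disabled by default in an administrator's
 * token, so the code below enables it explicitly).  The image path is taken
 * from argv and is not validated beyond GetFullPathName.  The
 * SystemLoadAndCallImage route creates no service entry, so there is no
 * SCM-visible record of the load and no obvious way to unload the image
 * afterwards; it is also reported not to work on newer Windows versions
 * (TODO confirm on the target OS).
 *
 * ======================================================================
 * Program 1 (separate executable): ZwSetSystemInformation method.
 * Adapted from http://www.xfocus.net/articles/200309/619.html
 * ======================================================================
 */
#include <windows.h>
#include <stdio.h>
#include <string.h>

/* NTSTATUS is a *signed* 32-bit value; success is >= 0.  The original
 * typedef'd it as unsigned long, which made NT_SUCCESS() always true and the
 * tool report "loaded" even when the kernel rejected the image. */
typedef LONG NTSTATUS;
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)

/* SYSTEM_INFORMATION_CLASS value for SystemLoadAndCallImage (0x26). */
#define SystemLoadAndCallImage 38

typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

/* ANSI counterpart used as the source of RtlAnsiStringToUnicodeString; the
 * original reused UNICODE_STRING and left MaximumLength uninitialised. */
typedef struct _ANSI_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PCHAR  Buffer;
} ANSI_STRING, *PANSI_STRING;

typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE {
    UNICODE_STRING ModuleName;
} SYSTEM_LOAD_AND_CALL_IMAGE, *PSYSTEM_LOAD_AND_CALL_IMAGE;

/* ntdll.dll exports resolved at run time. */
typedef NTSTATUS (NTAPI *ZWSETSYSTEMINFORMATION)(DWORD, PVOID, ULONG);
typedef NTSTATUS (NTAPI *RTLANSISTRINGTOUNICODESTRING)(PUNICODE_STRING, PANSI_STRING, BOOLEAN);
typedef VOID     (NTAPI *RTLFREEUNICODESTRING)(PUNICODE_STRING);

static ZWSETSYSTEMINFORMATION       ZwSetSystemInformation;
static RTLANSISTRINGTOUNICODESTRING RtlAnsiStringToUnicodeString;
static RTLFREEUNICODESTRING         RtlFreeUnicodeString;

/* Resolve one ntdll.dll export.  Prints a diagnostic naming the symbol that
 * was actually looked up (the original reused the wrong name in one message)
 * and returns NULL on failure. */
static FARPROC resolve_ntdll(const char *name)
{
    HMODULE hNtdll = GetModuleHandle("ntdll.dll");
    FARPROC fn = hNtdll ? GetProcAddress(hNtdll, name) : NULL;

    if (!fn) {
        printf("GetProcAddress(\"%s\") Error:%d\n", name, (int)GetLastError());
    }
    return fn;
}

/* Enable SeLoadDriverPrivilege in the current process token.
 * Returns FALSE (with GetLastError() set) if the token does not hold it,
 * i.e. the process is not running with an administrative token. */
static BOOL enable_load_driver_privilege(void)
{
    HANDLE hToken;
    TOKEN_PRIVILEGES tp;
    BOOL ok;
    DWORD err;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        return FALSE;
    }
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    ok = LookupPrivilegeValue(NULL, SE_LOAD_DRIVER_NAME, &tp.Privileges[0].Luid);
    if (ok) {
        /* AdjustTokenPrivileges returns TRUE even when the privilege is not
         * held; ERROR_NOT_ALL_ASSIGNED in GetLastError() is the real signal. */
        ok = AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof tp, NULL, NULL)
          && GetLastError() == ERROR_SUCCESS;
    }
    err = GetLastError();
    CloseHandle(hToken);
    SetLastError(err);
    return ok;
}

/* Usage: <prog> <DriverPath>
 * Maps the image at DriverPath into kernel space and calls its entry point
 * via ZwSetSystemInformation(SystemLoadAndCallImage).
 * Exit status: 0 on success, 1 on any failure (the original returned 1 in
 * both cases). */
int main(int argc, char *argv[])
{
    SYSTEM_LOAD_AND_CALL_IMAGE image;
    ANSI_STRING ansiPath;
    char fullPath[MAX_PATH];
    char ntPath[MAX_PATH + 8];      /* "\??\" + full path + NUL */
    DWORD pathLen;
    NTSTATUS status;

    printf("Load driver with ZwSetSystemInformation( )\r\n");
    printf("Date: 8th May 2007\r\n");
    printf("Modifed by: GaRY <wofeiwo_at_gmail_dot_com>\r\n\r\n");

    if (argc != 2 || stricmp(argv[1], "-h") == 0 ||
        stricmp(argv[1], "-?") == 0 || stricmp(argv[1], "/?") == 0) {
        printf("Usage: %s <DriverPath>\r\n", argv[0]);
        return 1;
    }

    /* Resolve the ntdll.dll exports we need. */
    ZwSetSystemInformation = (ZWSETSYSTEMINFORMATION)resolve_ntdll("ZwSetSystemInformation");
    RtlAnsiStringToUnicodeString = (RTLANSISTRINGTOUNICODESTRING)resolve_ntdll("RtlAnsiStringToUnicodeString");
    RtlFreeUnicodeString = (RTLFREEUNICODESTRING)resolve_ntdll("RtlFreeUnicodeString");
    if (!ZwSetSystemInformation || !RtlAnsiStringToUnicodeString || !RtlFreeUnicodeString) {
        return 1;
    }

    pathLen = GetFullPathName(argv[1], sizeof fullPath, fullPath, NULL);
    if (pathLen == 0 || pathLen >= sizeof fullPath) {
        printf("GetFullPathName failed for %s (Error:%d)\r\n", argv[1], (int)GetLastError());
        return 1;
    }
    printf("Loading driver: %s\r\n", fullPath);

    /* NT object-manager form of the path; the 4-byte prefix plus a path
     * shorter than MAX_PATH always fits in ntPath. */
    sprintf(ntPath, "\\??\\%s", fullPath);

    ansiPath.Buffer = ntPath;
    ansiPath.Length = (USHORT)strlen(ntPath);
    ansiPath.MaximumLength = (USHORT)(ansiPath.Length + 1);
    if (!NT_SUCCESS(RtlAnsiStringToUnicodeString(&image.ModuleName, &ansiPath, TRUE))) {
        printf("RtlAnsiStringToUnicodeString failed\r\n");
        return 1;
    }

    if (!enable_load_driver_privilege()) {
        printf("Cannot enable SeLoadDriverPrivilege (Error:%d); run as administrator\r\n",
               (int)GetLastError());
        RtlFreeUnicodeString(&image.ModuleName);
        return 1;
    }

    /* Load into kernel space and run the entry point in this process'
     * context (see the reference excerpt in the header comment). */
    status = ZwSetSystemInformation(SystemLoadAndCallImage, &image, sizeof image);
    RtlFreeUnicodeString(&image.ModuleName);

    if (NT_SUCCESS(status)) {
        printf("Driver: %s loaded.\r\n", ntPath);
        return 0;
    }
    printf("Driver: %s not loaded.\r\n", ntPath);
    printf("NTSTATUS: 0x%08lX\r\n", (unsigned long)status);
    return 1;
}

/*
 * ======================================================================
 * Program 2 (separate executable): ZwLoadDriver method.
 * Adapted from http://blog.donews.com/zwell/articles/59141.aspx
 * Creates a temporary service key under
 * HKLM\System\CurrentControlSet\Services, loads the driver through
 * ZwLoadDriver, then deletes the key again - the same call the SCM makes on
 * StartService, minus the SCM's own bookkeeping.
 * ======================================================================
 */
#include <windows.h>
#include <stdio.h>

typedef struct _LSA_UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PVOID  Buffer;
} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING;
typedef LSA_UNICODE_STRING UNICODE_STRING, *PUNICODE_STRING;

/* ntdll.dll exports resolved at run time.  The prototypes are kept loose,
 * as in the original: the real return type of the Rtl/Zw routines is
 * NTSTATUS, a signed LONG, so callers must cast the DWORD to LONG before
 * testing for failure (negative). */
typedef DWORD (CALLBACK *RTLANSISTRINGTOUNICODESTRING)(PVOID, PVOID, DWORD);
RTLANSISTRINGTOUNICODESTRING RtlAnsiStringToUnicodeString;
typedef DWORD (CALLBACK *RTLFREEUNICODESTRING)(PVOID);
RTLFREEUNICODESTRING RtlFreeUnicodeString;
typedef DWORD (CALLBACK *ZWLOADDRIVER)(PVOID);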
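ZWLOADDRIVER ZwLoadDriver;

/* ANSI source string for RtlAnsiStringToUnicodeString (same layout as the
 * kernel's ANSI_STRING).  The original passed an LSA_UNICODE_STRING with
 * MaximumLength left uninitialised. */
typedef struct _DRV_ANSI_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PCHAR  Buffer;
} DRV_ANSI_STRING;

/* Write prefix + middle + suffix into dst with an explicit bound (the
 * original built registry paths from argv with unbounded sprintf into fixed
 * buffers).  Returns the length written, or -1 if it would not fit. */
static int build_string(char *dst, size_t cap, const char *prefix,
                        const char *middle, const char *suffix)
{
    size_t lp = strlen(prefix), lm = strlen(middle), ls = strlen(suffix);

    if (lp + lm + ls >= cap) {
        return -1;
    }
    memcpy(dst, prefix, lp);
    memcpy(dst + lp, middle, lm);
    memcpy(dst + lp + lm, suffix, ls + 1);   /* copies the NUL too */
    return (int)(lp + lm + ls);
}

/* Enable SeLoadDriverPrivilege in the current process token; ZwLoadDriver
 * fails with STATUS_PRIVILEGE_NOT_HELD otherwise (the privilege is present
 * but disabled by default in an administrator's token).  Returns FALSE with
 * GetLastError() set on failure. */
static BOOL enable_load_driver_privilege(void)
{
    HANDLE hToken;
    TOKEN_PRIVILEGES tp;
    BOOL ok;
    DWORD err;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        return FALSE;
    }
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    ok = LookupPrivilegeValue(NULL, SE_LOAD_DRIVER_NAME, &tp.Privileges[0].Luid);
    if (ok) {
        /* AdjustTokenPrivileges returns TRUE even when the privilege is not
         * held; ERROR_NOT_ALL_ASSIGNED in GetLastError() is the real signal. */
        ok = AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof tp, NULL, NULL)
          && GetLastError() == ERROR_SUCCESS;
    }
    err = GetLastError();
    CloseHandle(hToken);
    SetLastError(err);
    return ok;
}

/* Best-effort removal of the temporary service key.  RegDeleteKey does not
 * recurse on XP, so the Enum and Security subkeys the kernel may create are
 * deleted first, in the same order as the original. */
static void remove_service_key(const char *szDrvName)
{
    static const char *const subkeys[] = { "\\Enum", "\\Security", "" };
    char szSubKey[200];
    size_t i;

    for (i = 0; i < sizeof subkeys / sizeof subkeys[0]; i++) {
        if (build_string(szSubKey, sizeof szSubKey,
                         "System\\CurrentControlSet\\Services\\", szDrvName, subkeys[i]) >= 0) {
            RegDeleteKey(HKEY_LOCAL_MACHINE, szSubKey);
        }
    }
}

/* Register szDrvName under HKLM\System\CurrentControlSet\Services with
 * ImagePath pointing at szDrvPath, load it with ZwLoadDriver, then remove
 * the key again.  Returns true on success, false on any failure (the
 * original returned true even when ZwLoadDriver failed, and ignored every
 * registry error).  Needs an administrative token: both the HKLM write and
 * the load privilege require it.  The driver stays loaded after the key is
 * deleted; nothing here unloads it. */
int LoadDriver(char *szDrvName, char *szDrvPath)
{
    char szSubKey[200];
    char szDrvFullPath[256];
    char szImagePath[256 + 8];      /* "\??\" + path + NUL */
    DRV_ANSI_STRING ansiName;
    LSA_UNICODE_STRING uniName;
    HKEY hkResult;
    DWORD dwType = SERVICE_KERNEL_DRIVER;       /* 1, as before */
    DWORD dwErrorControl = SERVICE_ERROR_NORMAL;/* 1, as before */
    /* The original wrote Start=1 (SERVICE_SYSTEM_START).  ZwLoadDriver does
     * not consult Start, but if the cleanup below ever fails a system-start
     * value would make the driver load on every boot; demand-start does not. */
    DWORD dwStart = SERVICE_DEMAND_START;
    DWORD dwLen;
    LONG rc;
    LONG status;
    int iLen;

    dwLen = GetFullPathName(szDrvPath, sizeof szDrvFullPath, szDrvFullPath, NULL);
    if (dwLen == 0 || dwLen >= sizeof szDrvFullPath) {
        printf("GetFullPathName failed for %s (Error:%d)\r\n", szDrvPath, (int)GetLastError());
        return false;
    }
    iLen = build_string(szImagePath, sizeof szImagePath, "\\??\\", szDrvFullPath, "");
    if (iLen < 0 ||
        build_string(szSubKey, sizeof szSubKey, "System\\CurrentControlSet\\Services\\", szDrvName, "") < 0) {
        printf("Driver name or path too long\r\n");
        return false;
    }
    printf("Loading driver: %s\r\n", szDrvFullPath);

    /* Create the service key the kernel will read the image path from. */
    rc = RegCreateKey(HKEY_LOCAL_MACHINE, szSubKey, &hkResult);
    if (rc != ERROR_SUCCESS) {
        printf("RegCreateKey failed (%ld)\r\n", rc);
        return false;
    }
    rc = RegSetValueEx(hkResult, "Type", 0, REG_DWORD, (const BYTE *)&dwType, sizeof dwType);
    if (rc == ERROR_SUCCESS) {
        rc = RegSetValueEx(hkResult, "ErrorControl", 0, REG_DWORD, (const BYTE *)&dwErrorControl, sizeof dwErrorControl);
    }
    if (rc == ERROR_SUCCESS) {
        rc = RegSetValueEx(hkResult, "Start", 0, REG_DWORD, (const BYTE *)&dwStart, sizeof dwStart);
    }
    if (rc == ERROR_SUCCESS) {
        /* REG_SZ data includes the terminating NUL; the original omitted it. */
        rc = RegSetValueEx(hkResult, "ImagePath", 0, REG_SZ, (const BYTE *)szImagePath, (DWORD)iLen + 1);
    }
    RegCloseKey(hkResult);
    if (rc != ERROR_SUCCESS) {
        printf("RegSetValueEx failed (%ld)\r\n", rc);
        remove_service_key(szDrvName);
        return false;
    }

    /* \Registry\Machine\... is the form the SCM itself passes to ZwLoadDriver. */
    if (build_string(szSubKey, sizeof szSubKey,
                     "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\", szDrvName, "") < 0) {
        remove_service_key(szDrvName);
        return false;
    }
    ansiName.Buffer = szSubKey;
    ansiName.Length = (USHORT)strlen(szSubKey);
    ansiName.MaximumLength = (USHORT)(ansiName.Length + 1);
    if ((LONG)RtlAnsiStringToUnicodeString(&uniName, &ansiName, 1) < 0) {
        printf("RtlAnsiStringToUnicodeString failed\r\n");
        remove_service_key(szDrvName);
        return false;
    }

    if (!enable_load_driver_privilege()) {
        printf("Cannot enable SeLoadDriverPrivilege (Error:%d); run as administrator\r\n",
               (int)GetLastError());
        RtlFreeUnicodeString(&uniName);
        remove_service_key(szDrvName);
        return false;
    }

    /* Load the driver.  The return is an NTSTATUS: negative means failure. */
    status = (LONG)ZwLoadDriver(&uniName);
    RtlFreeUnicodeString(&uniName);
    remove_service_key(szDrvName);

    if (status < 0) {
        printf("ZwLoadDriver failed, NTSTATUS 0x%08lX\r\n", (unsigned long)status);
        return false;
    }
    return true;
}

/* Usage: <prog> <DriverFilename> <DriverPath>
 * argv[1] is used as the temporary service (registry key) name, argv[2] is
 * the path of the .sys file.
 * Exit status: 0 on success, 1 on failure (the original returned true/false,
 * i.e. 1 on success). */
int main(int argc, char *argv[])
{
    HMODULE hNtdll;

    printf("Load driver with ZwLoadDriver( )\r\n");
    printf("Date: 8th May 2007\r\n");
    printf("Modifed by: GaRY <wofeiwo_at_gmail_dot_com>\r\n\r\n");

    if (argc != 3) {
        printf("Usage: %s <DriverFilename> <DriverPath>\r\n", argv[0]);
        return 1;
    }

    /* ntdll.dll is already mapped in every process; LoadLibrary only bumps
     * its reference count and gives us a module handle. */
    hNtdll = LoadLibrary("ntdll.dll");
    if (!hNtdll) {
        printf("LoadLibrary( NTDLL.DLL ) Error:%d\n", (int)GetLastError());
        return 1;
    }
    RtlAnsiStringToUnicodeString = (RTLANSISTRINGTOUNICODESTRING)GetProcAddress(hNtdll, "RtlAnsiStringToUnicodeString");
    RtlFreeUnicodeString = (RTLFREEUNICODESTRING)GetProcAddress(hNtdll, "RtlFreeUnicodeString");
    ZwLoadDriver = (ZWLOADDRIVER)GetProcAddress(hNtdll, "ZwLoadDriver");
    /* The original dereferenced these without checking. */
    if (!RtlAnsiStringToUnicodeString || !RtlFreeUnicodeString || !ZwLoadDriver) {
        printf("GetProcAddress( ntdll.dll export ) Error:%d\n", (int)GetLastError());
        return 1;
    }

    return LoadDriver(argv[1], argv[2]) ? 0 : 1;
}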
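; Reply: I normally load drivers through the SCM instead; here is a generic
; KmdKit service control program for reference.  (The page rendered every
; backslash as '/', which broke the include paths and the line continuations;
; they are restored below.)
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;
; scp.asm
;
; Service Control Program for beeper.sys driver
;
; Written by Four-F (four-f@mail.ru)
;
; Registers beeper.sys as a demand-start kernel-driver service, starts it
; once and removes the service again.  OpenSCManager with
; SC_MANAGER_CREATE_SERVICE (and StartService of a kernel driver) requires an
; administrative token; there is no privilege handling here, the SCM does the
; ZwLoadDriver call on our behalf.
;
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

.386
.model flat, stdcall
option casemap:none

;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                     I N C L U D E   F I L E S
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\advapi32.inc

includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\advapi32.lib

include \masm32\Macros\Strings.mac

;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                           C O D E
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

.code

start proc
    local hSCManager:HANDLE
    local hService:HANDLE
    local acDriverPath[MAX_PATH]:CHAR

    ; Open a handle to the SC Manager database
    invoke OpenSCManager, NULL, NULL, SC_MANAGER_CREATE_SERVICE
    .if eax != NULL
        mov hSCManager, eax

        ; Resolve "beeper.sys" relative to the current directory into an
        ; absolute path.  The pushed dword is scratch space for the
        ; lpFilePart out-parameter (esp points at it); it is popped right after.
        push eax
        invoke GetFullPathName, $CTA0("beeper.sys"), sizeof acDriverPath, addr acDriverPath, esp
        pop eax

        ; Register driver in SCM active database
        invoke CreateService, hSCManager, $CTA0("beeper"), $CTA0("Nice Melody Beeper"), \
            SERVICE_START + DELETE, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, \
            SERVICE_ERROR_IGNORE, addr acDriverPath, NULL, NULL, NULL, NULL, NULL
        .if eax != NULL
            mov hService, eax

            ; StartService's result is intentionally not checked here:
            ; the driver is removed from the SCM database either way.
            invoke StartService, hService, 0, NULL

            ; Here driver beeper.sys plays its nice melody
            ; and reports error to be removed from memory

            ; Remove driver from SCM database
            invoke DeleteService, hService
            invoke CloseServiceHandle, hService
        .else
            invoke MessageBox, NULL, $CTA0("Can't register driver."), NULL, MB_ICONSTOP
        .endif

        invoke CloseServiceHandle, hSCManager
    .else
        invoke MessageBox, NULL, $CTA0("Can't connect to Service Control Manager."), \
            NULL, MB_ICONSTOP
    .endif

    invoke ExitProcess, 0

start endp

;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

end start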