zwSetSystemInformation加载驱动
2013-09-04 21:12
转自http://blog.csdn.net/xiaocaiju/article/details/7583234
ZwSetSystemInformation 函数是一个未公开的函数，信息类编号为 38（SystemLoadAndCallImage）时会加载驱动；第二个参数为 SYSTEM_LOAD_AND_CALL_IMAGE 结构体，第三个参数为该结构体的长度。
#include <Windows.h>
#include <stdio.h>
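/* NT_SUCCESS() relies on NTSTATUS being signed: NT failure codes have the
 * high bit set, so "status >= 0" is the success test. */
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
/* SYSTEM_INFORMATION_CLASS value this sample passes to ZwSetSystemInformation.
 * It is undocumented; whether it still exists on newer Windows versions is not
 * established here - confirm on the target OS. */
#define SystemLoadAndCallImage 38

/* Windows.h alone does not declare NTSTATUS (winternl.h / the DDK headers do).
 * It must be the signed LONG: the earlier commented-out `unsigned long`
 * typedef would make NT_SUCCESS() report success for every status, failures
 * included.  Remove this typedef if winternl.h is included. */
typedef LONG NTSTATUS;

/* Mirrors the native UNICODE_STRING layout.  main() also reuses it as the
 * identically laid-out ANSI_STRING (Buffer then points at a char array).
 * Length and MaximumLength are byte counts. */
typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PVOID  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

/* Payload of information class 38: the object-manager path (\??\...) of the
 * image to load. */
typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE {
    UNICODE_STRING ModuleName;
} SYSTEM_LOAD_AND_CALL_IMAGE, *PSYSTEM_LOAD_AND_CALL_IMAGE;

/* Prototypes of the ntdll exports that main() resolves by hand with
 * GetProcAddress.  NTAPI (__stdcall on x86) is the convention ntdll uses;
 * the return value is the NTSTATUS that NT_SUCCESS() expects. */
typedef NTSTATUS (NTAPI *ZWSETSYSTEMINFORMATION)(DWORD SystemInformationClass,
                                                 PVOID SystemInformation,
                                                 LONG  SystemInformationLength);
static ZWSETSYSTEMINFORMATION ZwSetSystemInformation;

/* Third argument: TRUE asks the routine to allocate the destination buffer,
 * which the caller then owns and must release (RtlFreeUnicodeString). */
typedef NTSTATUS (NTAPI *RTLANSISTRINGTOUNICODESTRING)(PVOID DestinationString,
                                                       PVOID SourceString,
                                                       BOOLEAN AllocateDestinationString);
static RTLANSISTRINGTOUNICODESTRING RtlAnsiStringToUnicodeString;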
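/*
 * Loads the driver image at kDriverPath through the undocumented
 * SystemLoadAndCallImage (38) information class of ZwSetSystemInformation,
 * as described in the text above.
 *
 * Risk notes for the reader:
 *  - No service registration is involved; the image is mapped straight from
 *    the given path, so the caller needs SeLoadDriverPrivilege (normally an
 *    administrator) and the image is subject to whatever kernel code-integrity
 *    policy the OS enforces.
 *  - Whether class 38 is still accepted on newer Windows versions is not
 *    established by this page - confirm on the target OS version.
 *
 * Returns 0 when the load call succeeds, 1 on any failure (the original
 * returned 1 unconditionally).  Fixes over the original: correct main()
 * signature, GetModuleHandleA so the narrow literal also compiles in a
 * UNICODE build, bounded path formatting, MaximumLength initialised, the
 * RtlAnsiStringToUnicodeString result checked and its allocation released.
 */
int main(int argc, char *argv[])
{
    static const char kDriverPath[] = "c:\\aaa.sys";
    typedef VOID (NTAPI *RTLFREEUNICODESTRING)(PUNICODE_STRING UnicodeString);
    RTLFREEUNICODESTRING RtlFreeUnicodeString;
    HMODULE ntdll;
    SYSTEM_LOAD_AND_CALL_IMAGE image;
    UNICODE_STRING ansiPath;          /* same layout as ANSI_STRING */
    char szDrvFullPath[256];
    int len;
    LONG status;
    int rc = 1;

    (void)argc;
    (void)argv;

    /* Resolve the undocumented ntdll exports by hand. */
    ntdll = GetModuleHandleA("ntdll.dll");
    if (ntdll == NULL) {
        printf("GetModuleHandle error:%lu\n", (unsigned long)GetLastError());
        return 1;
    }
    RtlAnsiStringToUnicodeString = (RTLANSISTRINGTOUNICODESTRING)GetProcAddress(ntdll, "RtlAnsiStringToUnicodeString");
    ZwSetSystemInformation = (ZWSETSYSTEMINFORMATION)GetProcAddress(ntdll, "ZwSetSystemInformation");
    RtlFreeUnicodeString = (RTLFREEUNICODESTRING)GetProcAddress(ntdll, "RtlFreeUnicodeString");
    if (RtlAnsiStringToUnicodeString == NULL || ZwSetSystemInformation == NULL || RtlFreeUnicodeString == NULL) {
        printf("GetProcAddress error:%lu\n", (unsigned long)GetLastError());
        return 1;
    }

    /* Ring 0 addresses the disk through the object-manager form \??\<dos path>;
     * the original author notes the earlier failure was a missing '?'.
     * snprintf bounds the write and reports truncation. */
    len = snprintf(szDrvFullPath, sizeof szDrvFullPath, "\\??\\%s", kDriverPath);
    if (len < 0 || (size_t)len >= sizeof szDrvFullPath) {
        printf("driver path too long\n");
        return 1;
    }
    ansiPath.Buffer = (PVOID)szDrvFullPath;
    ansiPath.Length = (USHORT)len;                       /* bytes, without the NUL */
    ansiPath.MaximumLength = (USHORT)sizeof szDrvFullPath;

    /* TRUE: the routine allocates image.ModuleName.Buffer; freed below. */
    status = (LONG)RtlAnsiStringToUnicodeString(&image.ModuleName, &ansiPath, TRUE);
    if (!NT_SUCCESS(status)) {
        printf("RtlAnsiStringToUnicodeString error: 0x%08lx\n", (unsigned long)status);
        return 1;
    }

    status = (LONG)ZwSetSystemInformation(SystemLoadAndCallImage, &image, sizeof image);
    if (NT_SUCCESS(status)) {
        printf("driver %s was loaded....\n", szDrvFullPath);
        rc = 0;
    } else {
        printf("driver load error: 0x%08lx\n", (unsigned long)status);
    }

    RtlFreeUnicodeString(&image.ModuleName);
    getchar();
    return rc;
}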
ZwSetSystemInformation 函数是一个未公开的函数，信息类编号为 38（SystemLoadAndCallImage）时会加载驱动；第二个参数为 SYSTEM_LOAD_AND_CALL_IMAGE 结构体，第三个参数为该结构体的长度。
#include <Windows.h>
#include <stdio.h>
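/* NT_SUCCESS() relies on NTSTATUS being signed: NT failure codes have the
 * high bit set, so "status >= 0" is the success test. */
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
/* SYSTEM_INFORMATION_CLASS value this sample passes to ZwSetSystemInformation.
 * It is undocumented; whether it still exists on newer Windows versions is not
 * established here - confirm on the target OS. */
#define SystemLoadAndCallImage 38

/* Windows.h alone does not declare NTSTATUS (winternl.h / the DDK headers do).
 * It must be the signed LONG: the earlier commented-out `unsigned long`
 * typedef would make NT_SUCCESS() report success for every status, failures
 * included.  Remove this typedef if winternl.h is included. */
typedef LONG NTSTATUS;

/* Mirrors the native UNICODE_STRING layout.  main() also reuses it as the
 * identically laid-out ANSI_STRING (Buffer then points at a char array).
 * Length and MaximumLength are byte counts. */
typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PVOID  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

/* Payload of information class 38: the object-manager path (\??\...) of the
 * image to load. */
typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE {
    UNICODE_STRING ModuleName;
} SYSTEM_LOAD_AND_CALL_IMAGE, *PSYSTEM_LOAD_AND_CALL_IMAGE;

/* Prototypes of the ntdll exports that main() resolves by hand with
 * GetProcAddress.  NTAPI (__stdcall on x86) is the convention ntdll uses;
 * the return value is the NTSTATUS that NT_SUCCESS() expects. */
typedef NTSTATUS (NTAPI *ZWSETSYSTEMINFORMATION)(DWORD SystemInformationClass,
                                                 PVOID SystemInformation,
                                                 LONG  SystemInformationLength);
static ZWSETSYSTEMINFORMATION ZwSetSystemInformation;

/* Third argument: TRUE asks the routine to allocate the destination buffer,
 * which the caller then owns and must release (RtlFreeUnicodeString). */
typedef NTSTATUS (NTAPI *RTLANSISTRINGTOUNICODESTRING)(PVOID DestinationString,
                                                       PVOID SourceString,
                                                       BOOLEAN AllocateDestinationString);
static RTLANSISTRINGTOUNICODESTRING RtlAnsiStringToUnicodeString;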
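/*
 * Loads the driver image at kDriverPath through the undocumented
 * SystemLoadAndCallImage (38) information class of ZwSetSystemInformation,
 * as described in the text above.
 *
 * Risk notes for the reader:
 *  - No service registration is involved; the image is mapped straight from
 *    the given path, so the caller needs SeLoadDriverPrivilege (normally an
 *    administrator) and the image is subject to whatever kernel code-integrity
 *    policy the OS enforces.
 *  - Whether class 38 is still accepted on newer Windows versions is not
 *    established by this page - confirm on the target OS version.
 *
 * Returns 0 when the load call succeeds, 1 on any failure (the original
 * returned 1 unconditionally).  Fixes over the original: correct main()
 * signature, GetModuleHandleA so the narrow literal also compiles in a
 * UNICODE build, bounded path formatting, MaximumLength initialised, the
 * RtlAnsiStringToUnicodeString result checked and its allocation released.
 */
int main(int argc, char *argv[])
{
    static const char kDriverPath[] = "c:\\aaa.sys";
    typedef VOID (NTAPI *RTLFREEUNICODESTRING)(PUNICODE_STRING UnicodeString);
    RTLFREEUNICODESTRING RtlFreeUnicodeString;
    HMODULE ntdll;
    SYSTEM_LOAD_AND_CALL_IMAGE image;
    UNICODE_STRING ansiPath;          /* same layout as ANSI_STRING */
    char szDrvFullPath[256];
    int len;
    LONG status;
    int rc = 1;

    (void)argc;
    (void)argv;

    /* Resolve the undocumented ntdll exports by hand. */
    ntdll = GetModuleHandleA("ntdll.dll");
    if (ntdll == NULL) {
        printf("GetModuleHandle error:%lu\n", (unsigned long)GetLastError());
        return 1;
    }
    RtlAnsiStringToUnicodeString = (RTLANSISTRINGTOUNICODESTRING)GetProcAddress(ntdll, "RtlAnsiStringToUnicodeString");
    ZwSetSystemInformation = (ZWSETSYSTEMINFORMATION)GetProcAddress(ntdll, "ZwSetSystemInformation");
    RtlFreeUnicodeString = (RTLFREEUNICODESTRING)GetProcAddress(ntdll, "RtlFreeUnicodeString");
    if (RtlAnsiStringToUnicodeString == NULL || ZwSetSystemInformation == NULL || RtlFreeUnicodeString == NULL) {
        printf("GetProcAddress error:%lu\n", (unsigned long)GetLastError());
        return 1;
    }

    /* Ring 0 addresses the disk through the object-manager form \??\<dos path>;
     * the original author notes the earlier failure was a missing '?'.
     * snprintf bounds the write and reports truncation. */
    len = snprintf(szDrvFullPath, sizeof szDrvFullPath, "\\??\\%s", kDriverPath);
    if (len < 0 || (size_t)len >= sizeof szDrvFullPath) {
        printf("driver path too long\n");
        return 1;
    }
    ansiPath.Buffer = (PVOID)szDrvFullPath;
    ansiPath.Length = (USHORT)len;                       /* bytes, without the NUL */
    ansiPath.MaximumLength = (USHORT)sizeof szDrvFullPath;

    /* TRUE: the routine allocates image.ModuleName.Buffer; freed below. */
    status = (LONG)RtlAnsiStringToUnicodeString(&image.ModuleName, &ansiPath, TRUE);
    if (!NT_SUCCESS(status)) {
        printf("RtlAnsiStringToUnicodeString error: 0x%08lx\n", (unsigned long)status);
        return 1;
    }

    status = (LONG)ZwSetSystemInformation(SystemLoadAndCallImage, &image, sizeof image);
    if (NT_SUCCESS(status)) {
        printf("driver %s was loaded....\n", szDrvFullPath);
        rc = 0;
    } else {
        printf("driver load error: 0x%08lx\n", (unsigned long)status);
    }

    RtlFreeUnicodeString(&image.ModuleName);
    getchar();
    return rc;
}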