“可过PG”的驱动伪装与隐藏

// Decompiled excerpt of the kernel's driver-load path, as walked through by the
// article: query the service key, load the image, hand-build a DRIVER_OBJECT,
// insert it into the object namespace, call DriverEntry, ready its devices.
// NOTE(review): this is decompiler output, not buildable C -- identifiers are
// lowercased, and locals such as v18/v19/v20/v38/v40, keyhandle, hregistry,
// pstr and objectname are declared outside this excerpt.
// NOTE(review): every NTSTATUS below is stored in `status` and never tested in
// what is shown; the full kernel function presumably bails out on failure --
// confirm against the complete decompilation before treating any step as
// optional or reorderable.
// NOTE(review): ObCreateObjectEx, MmLoadSystemImageEx, IopReadyDeviceObjects
// and IopBuildFullDriverPath are not part of the documented driver API;
// re-implementing this sequence from a third-party driver is build-specific
// and fragile across Windows versions.

// Query basic information about the service's registry key (KeyBasicInformation).

status = ntquerykey(keyhandle, keybasicinformation, p, length, &length);

 

// Resolve the driver image path from the service key into `destination`.

// e.g. \??\c:\users\nihao\desktop\kernel_pdb_frame_r0.sys

status = iopbuildfulldriverpath(&v38, keyhandle, &destination);

 

// Map the image into kernel space. Returns the loader entry that later becomes
// DriverObject->DriverSection and the image base address (baseaddress).

// The article treats this as the key step (a mapped, runnable image); it is
// analysed separately there.

status = mmloadsystemimageex(&destination, 0, 0, 0, &driversection, &baseaddress);

 

// Create a fresh, empty driver object.

object_attributes obj_att = { 0 };

obj_att.length = 0x30; // sizeof(OBJECT_ATTRIBUTES) on x64

// 0x250 decodes to OBJ_KERNEL_HANDLE (0x200) | OBJ_CASE_INSENSITIVE (0x40) | OBJ_PERMANENT (0x10)
obj_att.attributes = 0x250;

obj_att.objectname = &objectname;// L"\\driver\\test_drv": "\\driver\\" followed by the service name

// NOTE(review): the access mode is taken from the current thread's PreviousMode;
// if this ran on a thread that entered from user mode, object creation would be
// done with user-mode checks -- the original caller presumably guarantees kernel mode.
status = obcreateobjectex(kegetcurrentthread()->previousmode,

                              iodriverobjecttype,

                             &obj_att,// pobject_attributes

                             0,

                             &out,// ULONG64 out-parameter; unused here

                             0x1a0,// body size: 0x150 DRIVER_OBJECT + 0x50 trailing DRIVER_EXTENSION (see Type/Size below)

                             0,

                             0,

                             &driverobject,// receives the new driver object

                             0i64);

 

 

// Populate the driver object.

memset(driverobject, 0, 0x1a0ui64); // zero the whole 0x1a0 allocation, object + extension

// The extension lives directly after the 0x150-byte DRIVER_OBJECT (&driverobject[1]).
driverobject->driverextension = &driverobject[1];

// First field of the extension: back-pointer to the owning driver object.
*&driverobject[1].type = driverobject;

returnlength = 28; // decompiler artifact; 28 happens to equal the dispatch-slot count below

// Fill all 0x1c (= IRP_MJ_MAXIMUM_FUNCTION + 1 = 28) MajorFunction slots with the
// default "invalid request" handler; DriverEntry overrides the ones it supports.
memset64(driverobject->majorfunction, iopinvaliddevicerequest, 0x1cui64);

v18 = baseaddress;// image base returned by mmloadsystemimageex

v19 = baseaddress;

// Low word Type = 4 (IO_TYPE_DRIVER), high word Size = 0x150.
*&driverobject->type = 0x1500004;

v20 = rtlimagentheader(v19);

// Pack the image's Major.Minor version into v40 (an out-parameter declared outside
// this excerpt -- presumably reported back to the caller).
*v40 = v20->optionalheader.minorimageversion | (v20->optionalheader.majorimageversion << 16);

v21 = &v18[v20->optionalheader.addressofentrypoint];

// 0x2000 appears to be IMAGE_DLLCHARACTERISTICS_WDM_DRIVER; images without it are
// marked with flag 2 (appears to be DRVO_LEGACY_DRIVER).
if ( (v20->optionalheader.dllcharacteristics & 0x2000) == 0 )

    driverobject->flags |= 2u;

driverobject->driverinit = v21;// DriverEntry (image entry point)

driverobject->driversection = driversection;// loader entry from mmloadsystemimageex

driverobject->driverstart = v18;// image base

driverobject->driversize = v20->optionalheader.sizeofimage;

 

// Insert the object into the namespace under obj_att.objectname (\Driver\<service>).

status = obinsertobjectex(driverobject, 0i64, 1i64, 0, 0, 0i64, &handle);// returns a handle

 

// Continue populating the driver object.

// Take a pointer reference through the handle so the object outlives the handle
// closed just below (ObInsertObjectEx presumably consumed the creation reference).
status = obreferenceobjectbyhandle(handle,0,iodriverobjecttype,

                        kegetcurrentthread()->previousmode,

                        &driverobject,

                        0i64);// the article reads this as "check the handle resolves to the driver object"

zwclose(handle); // only the handle is released; the object survives via the reference above

driverobject->hardwaredatabase = pcmregistrymachinehardwaredescriptionsystemname;

// NOTE(review): the pool allocation is not NULL-checked before the memcpy below;
// in this excerpt an allocation failure would dereference NULL.
driverobject->drivername.buffer = exallocatepool(nonpagedpool, objectname.maximumlength);

driverobject->drivername.length = objectname.length;

driverobject->drivername.maximumlength = objectname.maximumlength;

memcpy(driverobject->drivername.buffer, objectname.buffer, objectname.maximumlength);

// objectname here is L"\\driver\\test_drv": "\\driver\\" followed by the service name.
// This copy is the DriverName a defender sees when enumerating driver objects.

 

// Invoke DriverEntry.

// Info class 1 = ObjectNameInformation: the service key's full object name, used
// as the RegistryPath argument. Fixed 0x1000-byte buffer; the returned length is
// not checked in this excerpt.
status = zwqueryobject(hregistry, 1, pstr, 0x1000, &ntqueryobjreturnlen);

// Direct call with the (DriverObject, RegistryPath) pair DriverEntry expects.
// NOTE(review): DriverEntry's return value is discarded here; in this excerpt a
// failing DriverEntry would leave a half-initialised driver object in the namespace.
driverobject->driverinit(driverobject,pstr);

 

// Finalise any device objects DriverEntry created (if the driver registered any).

iopreadydeviceobjects(driverobject);// per the article, without this call the devices cannot be opened

 

// Cleanup follows (not shown).

原文链接:https://bbs.kanxue.com/thread-276912.htm

网络摘文,本文作者:15h,如若转载,请注明出处:https://www.15cov.cn/2023/08/27/可过pg的驱动伪装与隐藏/
