/*
 * driver.h - declarations shared by driver.cpp, which loads a second copy
 * of the running kernel image from disk, relocates it and builds a service
 * descriptor table that points into the copy.
 *
 * The PE structures below duplicate the 32-bit (PE32) layouts that user-mode
 * code gets from winnt.h; they describe an on-disk format, so fields must
 * not be reordered or resized.  Everything here assumes an x86-32 kernel
 * (ULONG-sized addresses, CR4 inline assembly in driver.cpp).
 */
#ifdef __cplusplus
extern "C"
{
#endif
#include <ntddk.h>
/* Driver entry point (registered by the loader); sets DriverUnload. */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);
#ifdef __cplusplus
}
#endif
/* Section-placement helpers, used as "#pragma INITCODE" / "#pragma PAGEDCODE"
 * before a definition.  PAGE code may be paged out, so routines placed there
 * should call PAGED_CODE() and run at IRQL < DISPATCH_LEVEL; INIT is the
 * conventional section for one-time initialisation code. */
#define PAGEDCODE code_seg("PAGE")
#define LOCKEDCODE code_seg()
#define INITCODE code_seg("INIT")
#define PAGEDDATA data_seg("PAGE")
#define LOCKEDDATA data_seg()
#define INITDATA data_seg("INIT")
/* Element count of a real array; wrong for a pointer (sizeof a pointer). */
#define arraysize(p) (sizeof(p)/sizeof((p)[0]))
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject);
/* Magic values expected at file offset 0 ("MZ") and at e_lfanew ("PE\0\0").
 * driver.cpp must check both before trusting any other header field. */
#define IMAGE_DOS_SIGNATURE 0x5A4D // MZ
#define IMAGE_NT_SIGNATURE 0x00004550 // PE00
/* Legacy DOS stub header at the start of every PE file.  Only e_magic and
 * e_lfanew matter here: e_lfanew is the file offset of IMAGE_NT_HEADERS and
 * is attacker/corruption-controlled input, so it must be range-checked
 * before it is used as a seek offset or a pointer adjustment. */
typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
    USHORT e_magic; // Magic number
    USHORT e_cblp; // Bytes on last page of file
    USHORT e_cp; // Pages in file
    USHORT e_crlc; // Relocations
    USHORT e_cparhdr; // Size of header in paragraphs
    USHORT e_minalloc; // Minimum extra paragraphs needed
    USHORT e_maxalloc; // Maximum extra paragraphs needed
    USHORT e_ss; // Initial (relative) SS value
    USHORT e_sp; // Initial SP value
    USHORT e_csum; // Checksum
    USHORT e_ip; // Initial IP value
    USHORT e_cs; // Initial (relative) CS value
    USHORT e_lfarlc; // File address of relocation table
    USHORT e_ovno; // Overlay number
    USHORT e_res[4]; // Reserved words
    USHORT e_oemid; // OEM identifier (for e_oeminfo)
    USHORT e_oeminfo; // OEM information; e_oemid specific
    USHORT e_res2[10]; // Reserved words
    LONG e_lfanew; // File address of new exe header (signed: negative values are invalid)
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
/* COFF file header that follows the PE signature.  NumberOfSections sizes
 * the section table and SizeOfOptionalHeader locates it (the table starts
 * immediately after the optional header); both values come straight from
 * the file and must be validated before buffers are sized from them. */
typedef struct _IMAGE_FILE_HEADER {
    USHORT Machine;
    USHORT NumberOfSections;
    ULONG TimeDateStamp;
    ULONG PointerToSymbolTable;
    ULONG NumberOfSymbols;
    USHORT SizeOfOptionalHeader;
    USHORT Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
/* One entry of the optional header's data directory: an RVA (relative to
 * the image base) and a byte size.  Indexed by the IMAGE_DIRECTORY_ENTRY_*
 * constants below; the export and base-relocation entries are the ones
 * driver.cpp reads (through RtlImageDirectoryEntryToData). */
typedef struct _IMAGE_DATA_DIRECTORY {
    ULONG VirtualAddress;
    ULONG Size;
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
/* Fixed number of directory slots in the PE32 optional header. */
#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
/* PE32 optional header (32-bit ImageBase, has BaseOfData).  The PE32+ form
 * used by 64-bit images has a different layout and is not described here,
 * so a loader built on these types must reject images whose Magic is not
 * the PE32 value.  Fields driver.cpp relies on: ImageBase (the link-time
 * base the relocations are relative to), SizeOfImage (allocation size and
 * the bound every RVA must be checked against) and DataDirectory. */
typedef struct _IMAGE_OPTIONAL_HEADER {
    //
    // Standard fields.
    //
    USHORT Magic;
    UCHAR MajorLinkerVersion;
    UCHAR MinorLinkerVersion;
    ULONG SizeOfCode;
    ULONG SizeOfInitializedData;
    ULONG SizeOfUninitializedData;
    ULONG AddressOfEntryPoint;
    ULONG BaseOfCode;
    ULONG BaseOfData;
    //
    // NT additional fields.
    //
    ULONG ImageBase;
    ULONG SectionAlignment;
    ULONG FileAlignment;
    USHORT MajorOperatingSystemVersion;
    USHORT MinorOperatingSystemVersion;
    USHORT MajorImageVersion;
    USHORT MinorImageVersion;
    USHORT MajorSubsystemVersion;
    USHORT MinorSubsystemVersion;
    ULONG Win32VersionValue;
    ULONG SizeOfImage;
    ULONG SizeOfHeaders;
    ULONG CheckSum;
    USHORT Subsystem;
    USHORT DllCharacteristics;
    ULONG SizeOfStackReserve;
    ULONG SizeOfStackCommit;
    ULONG SizeOfHeapReserve;
    ULONG SizeOfHeapCommit;
    ULONG LoaderFlags;
    ULONG NumberOfRvaAndSizes;
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;
/* Unsuffixed aliases resolve to the 32-bit form throughout this driver. */
typedef IMAGE_OPTIONAL_HEADER32 IMAGE_OPTIONAL_HEADER;
typedef PIMAGE_OPTIONAL_HEADER32 PIMAGE_OPTIONAL_HEADER;
/* Header of one base-relocation block.  VirtualAddress is the RVA of the
 * 4 KB page the block covers; SizeOfBlock is the byte size of the whole
 * block including this 8-byte header; TypeOffset is a variable-length
 * trailer of USHORT entries (high 4 bits = relocation type, low 12 bits =
 * offset within the page).  The [1] is a placeholder, not a real bound. */
typedef struct _IMAGE_BASE_RELOCATION {
    ULONG VirtualAddress;
    ULONG SizeOfBlock;
    USHORT TypeOffset[1];
} IMAGE_BASE_RELOCATION;
/* Blocks are only 4-byte aligned in the file, hence UNALIGNED. */
typedef IMAGE_BASE_RELOCATION UNALIGNED * PIMAGE_BASE_RELOCATION;
/* PE header located at IMAGE_DOS_HEADER.e_lfanew: "PE\0\0" signature,
 * COFF file header, then the PE32 optional header.  driver.cpp reads
 * exactly sizeof(IMAGE_NT_HEADERS) bytes here, which is only the full
 * optional header when SizeOfOptionalHeader matches this layout. */
typedef struct _IMAGE_NT_HEADERS {
    ULONG Signature;
    IMAGE_FILE_HEADER FileHeader;
    IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
typedef IMAGE_NT_HEADERS32 IMAGE_NT_HEADERS;
typedef PIMAGE_NT_HEADERS32 PIMAGE_NT_HEADERS;
/* Export directory (data directory entry 0).  Three parallel tables, all
 * given as RVAs: AddressOfNames (NumberOfNames RVAs of NUL-terminated
 * names, sorted so a binary search works), AddressOfNameOrdinals
 * (NumberOfNames USHORT indexes into the function table) and
 * AddressOfFunctions (NumberOfFunctions RVAs).  None of the counts or RVAs
 * are trustworthy until checked against SizeOfImage. */
typedef struct _IMAGE_EXPORT_DIRECTORY {
    ULONG Characteristics;
    ULONG TimeDateStamp;
    USHORT MajorVersion;
    USHORT MinorVersion;
    ULONG Name;
    ULONG Base;
    ULONG NumberOfFunctions;
    ULONG NumberOfNames;
    ULONG AddressOfFunctions; // RVA from base of image
    ULONG AddressOfNames; // RVA from base of image
    ULONG AddressOfNameOrdinals; // RVA from base of image
} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
/* Indexes into IMAGE_OPTIONAL_HEADER.DataDirectory.  driver.cpp uses
 * EXPORT (to find NtOpenProcess in the copy) and BASERELOC (to rebase it). */
#define IMAGE_DIRECTORY_ENTRY_EXPORT 0 // Export Directory
#define IMAGE_DIRECTORY_ENTRY_IMPORT 1 // Import Directory
#define IMAGE_DIRECTORY_ENTRY_RESOURCE 2 // Resource Directory
#define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3 // Exception Directory
#define IMAGE_DIRECTORY_ENTRY_SECURITY 4 // Security Directory
#define IMAGE_DIRECTORY_ENTRY_BASERELOC 5 // Base Relocation Table
#define IMAGE_DIRECTORY_ENTRY_DEBUG 6 // Debug Directory
// IMAGE_DIRECTORY_ENTRY_COPYRIGHT 7 // (X86 usage)
#define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE 7 // Architecture Specific Data
#define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8 // RVA of GP
#define IMAGE_DIRECTORY_ENTRY_TLS 9 // TLS Directory
#define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10 // Load Configuration Directory
#define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11 // Bound Import Directory in headers
#define IMAGE_DIRECTORY_ENTRY_IAT 12 // Import Address Table
#define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13 // Delay Load Import Descriptors
#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14 // COM Runtime descriptor
/* Section names are fixed-width and NOT NUL-terminated when 8 bytes long. */
#define IMAGE_SIZEOF_SHORT_NAME 8
/* Section table entry.  driver.cpp copies SizeOfRawData bytes from file
 * offset PointerToRawData to image offset VirtualAddress; a section whose
 * VirtualAddress + SizeOfRawData exceeds SizeOfImage would overrun the
 * image allocation, so every entry must be bounds-checked before the copy. */
typedef struct _IMAGE_SECTION_HEADER {
    UCHAR Name[IMAGE_SIZEOF_SHORT_NAME];
    union {
        ULONG PhysicalAddress;
        ULONG VirtualSize;
    } Misc;
    ULONG VirtualAddress;
    ULONG SizeOfRawData;
    ULONG PointerToRawData;
    ULONG PointerToRelocations;
    ULONG PointerToLinenumbers;
    USHORT NumberOfRelocations;
    USHORT NumberOfLinenumbers;
    ULONG Characteristics;
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
/* Relocation type codes carried in the high 4 bits of each TypeOffset
 * entry.  Note that MIPS_JMPADDR16 and IA64_IMM64 share the value 9, so a
 * switch can only name one of them.  HIGHLOW is the type a 32-bit kernel
 * image is expected to consist of. */
#define IMAGE_REL_BASED_ABSOLUTE 0
#define IMAGE_REL_BASED_HIGH 1
#define IMAGE_REL_BASED_LOW 2
#define IMAGE_REL_BASED_HIGHLOW 3
#define IMAGE_REL_BASED_HIGHADJ 4
#define IMAGE_REL_BASED_MIPS_JMPADDR 5
#define IMAGE_REL_BASED_MIPS_JMPADDR16 9
#define IMAGE_REL_BASED_IA64_IMM64 9
#define IMAGE_REL_BASED_DIR64 10
/* Layout of one KeServiceDescriptorTable entry on x86-32 kernels:
 * ServiceTableBase points at an array of NumberOfServices absolute function
 * addresses and ParamTableBase at one byte of argument size per service.
 * pack(1) is harmless here (all members are naturally aligned 32-bit
 * values) but pins the layout.  The 64-bit kernel uses a different encoding
 * for this table, so this struct is only meaningful for x86. */
#pragma pack(1)
typedef struct ServiceDescriptorEntry {
    unsigned int *ServiceTableBase;
    unsigned int *ServiceCounterTableBase; // only used in checked builds
    unsigned int NumberOfServices;
    unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()
/* Imported from the kernel: the live system service descriptor table
 * (x86 kernels export it; the 64-bit kernel does not). */
EXTERN_C __declspec (dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;
/* Undocumented kernel exports declared by hand.  RtlImageNtHeader returns
 * the IMAGE_NT_HEADERS of a mapped image or NULL; RtlImageDirectoryEntryToData
 * resolves a data-directory entry to a pointer and fills *Size, returning
 * NULL when the entry is absent.  Neither validates the RVAs it returns
 * against SizeOfImage; callers must. */
EXTERN_C NTKERNELAPI PIMAGE_NT_HEADERS NTAPI RtlImageNtHeader(PVOID Base);
EXTERN_C NTSYSAPI PVOID NTAPI RtlImageDirectoryEntryToData(
    PVOID BaseOfImage,
    BOOLEAN MappedAsImage,
    USHORT DirectoryEntry,
    PULONG Size
    );
/* driver.cpp - reads the running kernel's image file (ntoskrnl.exe or
 * ntkrnlpa.exe) into pool, relocates the copy to the live kernel's base and
 * builds a service descriptor table inside the copy (g_pNewSSDT).
 * x86-32 only: addresses are carried in ULONGs, IsOpenPae uses inline
 * assembly, and Driver.h only describes PE32 headers. */
#include "Driver.h"
//global
/* g_uImageBase: base of the in-memory kernel copy (0 until LoadKernelFile
 * succeeds; freed by DriverUnload).  g_uKernelBase: base of the live kernel
 * as derived by GetKernelBase. */
ULONG g_uImageBase, g_uKernelBase;
/* Descriptor table inside the copy, set by SetNewSSDT; NULL until then. */
PServiceDescriptorTableEntry_t g_pNewSSDT;
/* Reports whether the processor is running with PAE paging enabled, which
 * decides whether the kernel on disk is ntkrnlpa.exe or ntoskrnl.exe.
 * Reads CR4 (privileged; kernel mode only) and tests bit 5, the PAE flag.
 * x86-32 only: the instruction is emitted as raw bytes (0F 20 E0 =
 * mov eax, cr4), presumably because the assembler in use had no CR4
 * mnemonic. Returns TRUE when PAE is on. */
BOOLEAN IsOpenPae()
{
    ULONG cr4Value = 0;
    __asm
    {
        _emit 0x0f
        _emit 0x20
        _emit 0xe0
        mov cr4Value, eax
    }
    return (cr4Value & 0x00000020) ? TRUE : FALSE;
}
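/* Compares Wanted against the string at Candidate, reading at most Limit
 * bytes of Candidate. Returns 0 on an exact match, <0 / >0 like strcmp
 * otherwise. Running off Limit without finding a terminator counts as a
 * mismatch (positive) so the caller's binary search just moves on instead
 * of reading past the end of the image. */
static LONG CompareExportName(const char *Wanted, const char *Candidate, ULONG Limit)
{
    ULONG i;
    for (i = 0; i < Limit; i++) {
        unsigned char a = (unsigned char)Wanted[i];
        unsigned char b = (unsigned char)Candidate[i];
        if (a != b) {
            return (LONG)a - (LONG)b;
        }
        if (a == '\0') {
            return 0;
        }
    }
    return 1;
}

/* TRUE when [Rva, Rva + Bytes) lies inside an image of ImageSize bytes.
 * Bytes is 64-bit so count * element-size products cannot wrap. */
static BOOLEAN RvaRangeInImage(ULONG Rva, ULONGLONG Bytes, ULONG ImageSize)
{
    if (Rva > ImageSize) {
        return FALSE;
    }
    return (Bytes <= (ULONGLONG)(ImageSize - Rva)) ? TRUE : FALSE;
}

/*
 * Looks up an exported function by name in the image mapped at DllBase
 * (here: the kernel copy built by LoadKernelFile) by binary-searching the
 * export name table.
 *
 *   DllBase              base of a mapped PE32 image with valid NT headers
 *   AnsiImageRoutineName NUL-terminated name (the Length field is not used;
 *                        callers build it with RtlInitAnsiString)
 *
 * Returns the function's address inside the image, or NULL when the image
 * has no NT headers / export directory, the name is absent, or any count or
 * RVA in the export data falls outside OptionalHeader.SizeOfImage. An RVA
 * that points into the export directory itself is a forwarder string, not
 * code, and is also reported as NULL (the original only ASSERTed this).
 *
 * Every table index and RVA is bounded against SizeOfImage before it is
 * dereferenced: the export data is read from a file on disk and must not be
 * able to steer kernel reads outside the allocation.
 */
PVOID MiFindExportedRoutineByName (IN PVOID DllBase,
    IN PANSI_STRING AnsiImageRoutineName)
{
    PIMAGE_NT_HEADERS NtHeaders;
    PIMAGE_EXPORT_DIRECTORY ExportDirectory;
    ULONG ExportSize;
    ULONG ExportRva;
    ULONG ImageSize;
    ULONG NumberOfNames;
    PULONG NameTableBase;
    PUSHORT NameOrdinalTableBase;
    PULONG FunctionTable;
    ULONG NameRva;
    ULONG FunctionRva;
    USHORT OrdinalNumber;
    LONG High;
    LONG Low;
    LONG Middle;
    LONG Result;

    PAGED_CODE();

    if (DllBase == NULL || AnsiImageRoutineName == NULL ||
        AnsiImageRoutineName->Buffer == NULL) {
        return NULL;
    }

    NtHeaders = RtlImageNtHeader(DllBase);
    if (NtHeaders == NULL) {
        return NULL;
    }
    ImageSize = NtHeaders->OptionalHeader.SizeOfImage;

    ExportDirectory = (PIMAGE_EXPORT_DIRECTORY) RtlImageDirectoryEntryToData (
        DllBase,
        TRUE,
        IMAGE_DIRECTORY_ENTRY_EXPORT,
        &ExportSize);
    if (ExportDirectory == NULL) {
        return NULL;
    }

    /* The directory and all three tables must lie inside the image. */
    ExportRva = (ULONG)((PCHAR)ExportDirectory - (PCHAR)DllBase);
    if (ExportSize < sizeof(IMAGE_EXPORT_DIRECTORY) ||
        !RvaRangeInImage(ExportRva, ExportSize, ImageSize)) {
        return NULL;
    }
    NumberOfNames = ExportDirectory->NumberOfNames;
    if (NumberOfNames == 0 || NumberOfNames > 0x7FFFFFFF) {
        return NULL;
    }
    if (!RvaRangeInImage(ExportDirectory->AddressOfNames,
                         (ULONGLONG)NumberOfNames * sizeof(ULONG), ImageSize) ||
        !RvaRangeInImage(ExportDirectory->AddressOfNameOrdinals,
                         (ULONGLONG)NumberOfNames * sizeof(USHORT), ImageSize) ||
        !RvaRangeInImage(ExportDirectory->AddressOfFunctions,
                         (ULONGLONG)ExportDirectory->NumberOfFunctions * sizeof(ULONG), ImageSize)) {
        return NULL;
    }

    NameTableBase = (PULONG)((PCHAR)DllBase + ExportDirectory->AddressOfNames);
    NameOrdinalTableBase = (PUSHORT)((PCHAR)DllBase + ExportDirectory->AddressOfNameOrdinals);
    FunctionTable = (PULONG)((PCHAR)DllBase + ExportDirectory->AddressOfFunctions);

    /* Binary search: the name table is sorted by the linker. */
    Low = 0;
    Middle = 0;
    High = (LONG)NumberOfNames - 1;
    while (High >= Low) {
        Middle = Low + ((High - Low) >> 1);
        NameRva = NameTableBase[Middle];
        if (NameRva >= ImageSize) {
            return NULL;    /* corrupt name table */
        }
        Result = CompareExportName(AnsiImageRoutineName->Buffer,
                                   (PCHAR)DllBase + NameRva,
                                   ImageSize - NameRva);
        if (Result < 0) {
            High = Middle - 1;
        }
        else if (Result > 0) {
            Low = Middle + 1;
        }
        else {
            break;
        }
    }
    if (High < Low) {
        return NULL;    /* not exported by name */
    }

    OrdinalNumber = NameOrdinalTableBase[Middle];
    if ((ULONG)OrdinalNumber >= ExportDirectory->NumberOfFunctions) {
        return NULL;
    }
    FunctionRva = FunctionTable[OrdinalNumber];
    if (FunctionRva >= ImageSize) {
        return NULL;
    }
    /* Inside the export directory means a forwarder ("DLL.Name"), not code. */
    if (FunctionRva >= ExportRva && FunctionRva < ExportRva + ExportSize) {
        return NULL;
    }
    return (PVOID)((PCHAR)DllBase + FunctionRva);
}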
/* Writes the NT path of the kernel image that matches the running paging
 * mode into pszKernelName, terminator included: ntkrnlpa.exe when PAE is
 * enabled, ntoskrnl.exe otherwise.  Both paths are 33 characters, so the
 * caller must supply at least 34 WCHARs; no length is passed and none is
 * checked (LoadKernelFile hands in a 256-WCHAR buffer). */
VOID GetKernelFilePath(PWCHAR pszKernelName)
{
    static const WCHAR paeKernelPath[] = L"\\SystemRoot\\system32\\ntkrnlpa.exe";
    static const WCHAR flatKernelPath[] = L"\\SystemRoot\\system32\\ntoskrnl.exe";

    /* sizeof() of the array literal already includes the NUL terminator. */
    if (IsOpenPae()) {
        RtlCopyMemory(pszKernelName, paeKernelPath, sizeof(paeKernelPath));
    } else {
        RtlCopyMemory(pszKernelName, flatKernelPath, sizeof(flatKernelPath));
    }
}
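/* Derives the load address of the running kernel from a copy of its image
 * at uImageBase: the copy gives NtOpenProcess's RVA, the linker gives the
 * live address of NtOpenProcess, and base = live address - RVA.
 * Returns 0 when NtOpenProcess cannot be found in the copy's export table
 * (the original went on to compute an address from a NULL lookup);
 * callers must treat 0 as failure. */
ULONG GetKernelBase(ULONG uImageBase)
{
    ANSI_STRING FuncName;
    PVOID pFunc;
    ULONG uRva;

    RtlInitAnsiString(&FuncName, "NtOpenProcess");
    pFunc = MiFindExportedRoutineByName((PVOID)uImageBase, &FuncName);
    if (pFunc == NULL) {
        KdPrint(("GetKernelBase: NtOpenProcess not found in export table\n"));
        return 0;
    }
    uRva = (ULONG)pFunc - uImageBase;
    return (ULONG)NtOpenProcess - uRva;
}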
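/*
 * Applies the TypeOffset entries of one base-relocation block.
 *
 *   VA          virtual address of the page the entries are relative to
 *   SizeOfBlock number of USHORT entries that follow (not bytes)
 *   NextOffset  first entry: high 4 bits = type, low 12 bits = page offset
 *   Diff        delta added to every absolute address (new base - old base)
 *
 * Returns a pointer just past the last entry consumed, or NULL on an
 * unknown relocation type or when a multi-word entry (HIGHADJ, type 8)
 * would read beyond the block's entry count - the original trusted the
 * file and read past the block in that case.
 *
 * The caller is responsible for keeping VA + 0xFFF inside the image; with
 * this signature nothing here can check individual fixup addresses.
 */
PIMAGE_BASE_RELOCATION LdrProcessRelocationBlock(
    IN ULONG_PTR VA,
    IN ULONG SizeOfBlock,
    IN PUSHORT NextOffset,
    IN LONG_PTR Diff
    )
{
    PUCHAR FixupVA;
    USHORT Offset;
    LONG Temp;
    LONGLONG Temp64;

    while (SizeOfBlock--) {
        /* After the decrement, SizeOfBlock is the number of entries that
         * remain after the current one. */
        Offset = *NextOffset & (USHORT)0xfff;
        FixupVA = (PUCHAR)(VA + Offset);
        switch ((*NextOffset) >> 12) {
        case IMAGE_REL_BASED_HIGHLOW :
            /* Full 32-bit absolute address; the common case for x86. */
            *(LONG UNALIGNED *)FixupVA += (ULONG) Diff;
            break;
        case IMAGE_REL_BASED_HIGH :
            /* High 16 bits of an address, no carry from the low half. */
            Temp = *(PUSHORT)FixupVA << 16;
            Temp += (ULONG) Diff;
            *(PUSHORT)FixupVA = (USHORT)(Temp >> 16);
            break;
        case IMAGE_REL_BASED_HIGHADJ :
            /* Two-word entry: the next USHORT carries the low half used
             * for rounding, so one more entry must exist in this block. */
            if (SizeOfBlock == 0) {
                return (PIMAGE_BASE_RELOCATION)NULL;
            }
            Temp = *(PUSHORT)FixupVA << 16;
            ++NextOffset;
            --SizeOfBlock;
            Temp += (LONG)(*(PSHORT)NextOffset);
            Temp += (ULONG) Diff;
            Temp += 0x8000;
            *(PUSHORT)FixupVA = (USHORT)(Temp >> 16);
            break;
        case IMAGE_REL_BASED_LOW :
            /* Low 16 bits of an address. */
            Temp = *(PSHORT)FixupVA;
            Temp += (ULONG) Diff;
            *(PUSHORT)FixupVA = (USHORT)Temp;
            break;
        case IMAGE_REL_BASED_IA64_IMM64:
            /* The original computed an aligned target here but never
             * stored anything, so this type is accepted and ignored. */
            break;
        case IMAGE_REL_BASED_DIR64:
            /* Pointer-sized absolute address (ULONG_PTR wide). */
            *(ULONG_PTR UNALIGNED *)FixupVA += Diff;
            break;
        case IMAGE_REL_BASED_MIPS_JMPADDR :
            /* 26-bit jump target stored shifted right by 2. */
            Temp = (*(PULONG)FixupVA & 0x3ffffff) << 2;
            Temp += (ULONG) Diff;
            *(PULONG)FixupVA = (*(PULONG)FixupVA & ~0x3ffffff) |
                ((Temp >> 2) & 0x3ffffff);
            break;
        case IMAGE_REL_BASED_ABSOLUTE :
            /* Padding entry; nothing to do. */
            break;
        case 6 :
            break;
        case 7 :
            break;
        case 8 :
            /* Three-word entry: consumes the two following USHORTs, so two
             * more entries must exist in this block. */
            if (SizeOfBlock < 2) {
                return (PIMAGE_BASE_RELOCATION)NULL;
            }
            Temp64 = *(PUSHORT)FixupVA << 16;
            ++NextOffset;
            --SizeOfBlock;
            Temp64 += (LONG)((SHORT)NextOffset[1]);
            Temp64 <<= 16;
            Temp64 += (LONG)((USHORT)NextOffset[0]);
            Temp64 += Diff;
            Temp64 += 0x8000;
            Temp64 >>=16;
            Temp64 += 0x8000;
            *(PUSHORT)FixupVA = (USHORT)(Temp64 >> 16);
            ++NextOffset;
            --SizeOfBlock;
            break;
        default :
            /* Unknown type: the block cannot be trusted. */
            return (PIMAGE_BASE_RELOCATION)NULL;
        }
        ++NextOffset;
    }
    return (PIMAGE_BASE_RELOCATION)NextOffset;
}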
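/*
 * Rebases the PE image at NewBase so that its absolute addresses are valid
 * for a load address of LoaderName.  Despite its name and PUCHAR type, the
 * second parameter is the target base address, not a string (LoadKernelFile
 * passes the live kernel's base so the copy's pointers refer to the live
 * kernel).
 *
 * Returns FALSE when the image has no NT headers, no relocation directory,
 * or a malformed relocation block.  A block is rejected if it is shorter
 * than its own header, longer than what is left of the directory, or names
 * a page at or beyond SizeOfImage; the original subtracted unchecked block
 * sizes from the remaining count, which wraps on such input and walks off
 * the end of the image.  Fixups inside the last page that extend past
 * SizeOfImage are not individually checked (see LdrProcessRelocationBlock).
 *
 * Each block's successor is located from its SizeOfBlock rather than from
 * the entry count the worker consumed, which is what the field is for.
 */
BOOLEAN LdrRelocateImage (
    IN PVOID NewBase,
    IN PUCHAR LoaderName
    )
{
    LONG_PTR Diff;
    ULONG TotalCountBytes;
    ULONG SizeOfImage;
    ULONG_PTR VA;
    ULONG_PTR OldBase;
    ULONG SizeOfBlock;
    ULONG EntryCount;
    PUSHORT NextOffset;
    PIMAGE_NT_HEADERS NtHeaders;
    PIMAGE_BASE_RELOCATION NextBlock;

    NtHeaders = RtlImageNtHeader( NewBase );
    if ( NtHeaders == NULL ) {
        return FALSE;
    }
    OldBase = NtHeaders->OptionalHeader.ImageBase;
    SizeOfImage = NtHeaders->OptionalHeader.SizeOfImage;
    /* Same delta for every block: target base minus link-time base. */
    Diff = (PCHAR)LoaderName - (PCHAR)OldBase;

    NextBlock = (PIMAGE_BASE_RELOCATION)RtlImageDirectoryEntryToData(
        NewBase, TRUE, IMAGE_DIRECTORY_ENTRY_BASERELOC, &TotalCountBytes);
    if (!NextBlock || !TotalCountBytes) {
        return FALSE;
    }

    while (TotalCountBytes) {
        if (TotalCountBytes < sizeof(IMAGE_BASE_RELOCATION)) {
            return FALSE;   /* trailing bytes too short to be a block header */
        }
        SizeOfBlock = NextBlock->SizeOfBlock;
        if (SizeOfBlock < sizeof(IMAGE_BASE_RELOCATION) ||
            SizeOfBlock > TotalCountBytes) {
            return FALSE;   /* would underflow the remaining count */
        }
        if (NextBlock->VirtualAddress >= SizeOfImage) {
            return FALSE;   /* page lies outside the image */
        }
        TotalCountBytes -= SizeOfBlock;
        EntryCount = (SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(USHORT);
        NextOffset = (PUSHORT)((PCHAR)NextBlock + sizeof(IMAGE_BASE_RELOCATION));
        VA = (ULONG_PTR)NewBase + NextBlock->VirtualAddress;
        if ( LdrProcessRelocationBlock(VA, EntryCount, NextOffset, Diff) == NULL ) {
            return FALSE;
        }
        NextBlock = (PIMAGE_BASE_RELOCATION)((PCHAR)NextBlock + SizeOfBlock);
    }
    return TRUE;
}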
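/* TRUE when [Offset, Offset + Bytes) lies inside an image of Size bytes. */
static BOOLEAN SsdtRangeFits(ULONG Offset, ULONGLONG Bytes, ULONG Size)
{
    if (Offset > Size) {
        return FALSE;
    }
    return (Bytes <= (ULONGLONG)(Size - Offset)) ? TRUE : FALSE;
}

/*
 * Builds a service descriptor table inside the relocated kernel copy at
 * pNewImage whose entries dispatch into the copy rather than the live kernel.
 *
 *   pNewImage        base of the copy produced by LoadKernelFile
 *   pOrigImage       base of the running kernel
 *   pNewServiceTable receives the address of the copy's descriptor on
 *                    success; left untouched on failure
 *
 * KeServiceDescriptorTable, its ServiceTableBase and its ParamTableBase are
 * assumed to live inside the kernel image, so their offsets from pOrigImage
 * locate the same objects in the copy.  Because LdrRelocateImage rebased the
 * copy to the live kernel's address, the copy's service table still holds
 * live-kernel addresses; adding (pNewImage - pOrigImage) moves each entry
 * into the copy.
 *
 * Every derived offset is checked against the copy's SizeOfImage before
 * anything is written: MmIsAddressValid only says a page is resident, not
 * that it belongs to the copy, so on a kernel whose table lies outside the
 * image the original could have written through arbitrary pool.  Checks are
 * done before the first write so a failure leaves the copy unmodified.
 */
void SetNewSSDT(PVOID pNewImage, PVOID pOrigImage, PServiceDescriptorTableEntry_t *pNewServiceTable)
{
    ULONG uIndex;
    ULONG uNewKernelInc;
    ULONG uImageSize;
    ULONG uServiceCount;
    ULONG uDescriptorOffset, uTableOffset, uParamOffset;
    PIMAGE_NT_HEADERS pNtHeaders;
    PServiceDescriptorTableEntry_t pNewSSDT;
    unsigned int *pNewTable;
    unsigned char *pNewParams;

    if (pNewImage == NULL || pOrigImage == NULL || pNewServiceTable == NULL) {
        return;
    }
    pNtHeaders = RtlImageNtHeader(pNewImage);
    if (pNtHeaders == NULL) {
        return;
    }
    uImageSize = pNtHeaders->OptionalHeader.SizeOfImage;
    uNewKernelInc = (ULONG) pNewImage - (ULONG) pOrigImage;
    uServiceCount = KeServiceDescriptorTable.NumberOfServices;

    /* Offsets of the three objects within the live kernel image. A table
     * located below the image base wraps to a huge offset and is rejected. */
    uDescriptorOffset = (ULONG)&KeServiceDescriptorTable - (ULONG)pOrigImage;
    uTableOffset = (ULONG)KeServiceDescriptorTable.ServiceTableBase - (ULONG)pOrigImage;
    uParamOffset = (ULONG)KeServiceDescriptorTable.ParamTableBase - (ULONG)pOrigImage;

    if (!SsdtRangeFits(uDescriptorOffset, sizeof(ServiceDescriptorTableEntry_t), uImageSize) ||
        !SsdtRangeFits(uTableOffset, (ULONGLONG)uServiceCount * sizeof(unsigned int), uImageSize) ||
        !SsdtRangeFits(uParamOffset, (ULONGLONG)uServiceCount * sizeof(unsigned char), uImageSize)) {
        KdPrint(("SetNewSSDT: service table does not lie inside the kernel image\n"));
        return;
    }

    pNewSSDT = (PServiceDescriptorTableEntry_t) ((ULONG)pNewImage + uDescriptorOffset);
    pNewTable = (unsigned int *)((ULONG)pNewImage + uTableOffset);
    pNewParams = (unsigned char *)((ULONG)pNewImage + uParamOffset);
    if (!MmIsAddressValid(pNewSSDT) || !MmIsAddressValid(pNewTable) || !MmIsAddressValid(pNewParams)) {
        return;
    }

    pNewSSDT->NumberOfServices = uServiceCount;
    pNewSSDT->ServiceTableBase = pNewTable;
    for (uIndex = 0; uIndex < uServiceCount; uIndex++) {
        pNewTable[uIndex] += uNewKernelInc;
    }
    pNewSSDT->ParamTableBase = pNewParams;
    RtlCopyMemory(pNewParams, KeServiceDescriptorTable.ParamTableBase, uServiceCount * sizeof(CHAR));

    *pNewServiceTable = pNewSSDT;
    KdPrint(("set new ssdt success!\n"));
}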
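/* Synchronous positioned read that succeeds only if exactly Length bytes
 * were returned (ZwReadFile reports a short read as success plus a smaller
 * Information count). A Length of 0 is a successful no-op. */
static NTSTATUS ReadFileExact(HANDLE hFile, ULONGLONG Offset, PVOID Buffer, ULONG Length)
{
    IO_STATUS_BLOCK Iosb;
    LARGE_INTEGER Pos;
    NTSTATUS Status;

    if (Length == 0) {
        return STATUS_SUCCESS;
    }
    Pos.QuadPart = (LONGLONG)Offset;
    Status = ZwReadFile(hFile, NULL, NULL, NULL, &Iosb, Buffer, Length, &Pos, NULL);
    if (!NT_SUCCESS(Status)) {
        return Status;
    }
    return (Iosb.Information == Length) ? STATUS_SUCCESS : STATUS_END_OF_FILE;
}

/* Validates the NT headers read from disk before any value in them is used
 * to size a buffer, seek the file or index the image. On success returns
 * the file offset and byte size of the section table. */
static BOOLEAN KernelNtHeadersLookSane(LONG e_lfanew, const IMAGE_NT_HEADERS *Nt,
                                       ULONG *pSectionTableOffset, ULONG *pSectionTableSize)
{
    ULONG uOffset, uSize;

    if (Nt->Signature != IMAGE_NT_SIGNATURE) {
        return FALSE;
    }
    /* Driver.h only describes the PE32 optional header (Magic 0x10b). */
    if (Nt->OptionalHeader.Magic != 0x10b) {
        return FALSE;
    }
    /* sizeof(IMAGE_NT_HEADERS) bytes were read as the optional header;
     * a smaller one would leave the tail of OptionalHeader meaningless. */
    if (Nt->FileHeader.SizeOfOptionalHeader < sizeof(IMAGE_OPTIONAL_HEADER32)) {
        return FALSE;
    }
    if (Nt->FileHeader.NumberOfSections == 0) {
        return FALSE;
    }
    /* Section table follows the optional header. No overflow: e_lfanew is
     * at most LONG_MAX, the other terms are bounded by USHORT * 40. */
    uOffset = (ULONG)e_lfanew + sizeof(ULONG) + sizeof(IMAGE_FILE_HEADER) +
              Nt->FileHeader.SizeOfOptionalHeader;
    uSize = (ULONG)Nt->FileHeader.NumberOfSections * sizeof(IMAGE_SECTION_HEADER);
    /* Headers and section table are copied into the image allocation, so
     * they must fit in SizeOfImage. */
    if (Nt->OptionalHeader.SizeOfImage < uOffset + uSize) {
        return FALSE;
    }
    *pSectionTableOffset = uOffset;
    *pSectionTableSize = uSize;
    return TRUE;
}

/* TRUE when the section's raw data lands inside an image of uSizeOfImage. */
static BOOLEAN SectionFitsImage(const IMAGE_SECTION_HEADER *pSection, ULONG uSizeOfImage)
{
    if (pSection->VirtualAddress > uSizeOfImage) {
        return FALSE;
    }
    return (pSection->SizeOfRawData <= uSizeOfImage - pSection->VirtualAddress) ? TRUE : FALSE;
}

/*
 * Reads the kernel image file chosen by GetKernelFilePath into a paged-pool
 * buffer laid out as a mapped image (headers, then each section at its
 * VirtualAddress), relocates it to the live kernel's base and builds the
 * copy's service descriptor table (g_pNewSSDT).
 *
 *   pKernelBase    receives the live kernel's base (from GetKernelBase)
 *   pLoadImageBase receives the base of the copy; the caller owns it and
 *                  releases it with UnKernelFile
 *
 * Both outputs are written only on success. On any failure every resource
 * acquired here is released and an error status is returned; the original
 * leaked the section-table buffer on success and reported success even when
 * relocation failed or the table could not be built.
 *
 * Hardening relative to the original: the file is opened read-only with a
 * kernel handle instead of GENERIC_ALL; the DOS/NT signatures, optional
 * header type, section count and every section's placement are validated
 * against SizeOfImage before they size an allocation or drive a copy, so a
 * corrupt or substituted file cannot overrun the pool allocation; short
 * reads are treated as errors.
 *
 * Caveat: the copy lives in PagedPool. Any caller that later dispatches
 * into it depends on that pool being executable, which is not the case on
 * kernels that enforce NX on paged pool - confirm before use.
 */
NTSTATUS LoadKernelFile(PULONG pKernelBase, PULONG pLoadImageBase)
{
    WCHAR szKernelFullName[256];
    NTSTATUS Status;
    HANDLE hFile = NULL;
    OBJECT_ATTRIBUTES ObjAttr;
    UNICODE_STRING usFileName;
    IO_STATUS_BLOCK IoStatusBlock;
    IMAGE_DOS_HEADER ImageDosHeader;
    IMAGE_NT_HEADERS ImageNtHeader;
    IMAGE_SECTION_HEADER *pImageSectionHeader = NULL;
    PVOID lpVirtualPointer = NULL;
    PServiceDescriptorTableEntry_t pNewSSDT = NULL;
    ULONG uSectionTableOffset = 0;
    ULONG uSectionTableSize = 0;
    ULONG uSizeOfImage;
    ULONG uIndex;
    ULONG uKernelBase;

    if (pKernelBase == NULL || pLoadImageBase == NULL) {
        return STATUS_INVALID_PARAMETER;
    }

    RtlZeroMemory(szKernelFullName, sizeof(szKernelFullName));
    GetKernelFilePath(szKernelFullName);
    RtlInitUnicodeString(&usFileName, szKernelFullName);
    /* OBJ_KERNEL_HANDLE keeps the handle out of the current process's table. */
    InitializeObjectAttributes(&ObjAttr, &usFileName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

    Status = ZwCreateFile(&hFile, GENERIC_READ | SYNCHRONIZE, &ObjAttr, &IoStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL,
                          FILE_SHARE_READ, FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE, NULL, 0);
    if (!NT_SUCCESS(Status)) {
        KdPrint(("ZwCreateFile Failed:%X\n",Status));
        return Status;
    }

    /* DOS header: "MZ" and a plausible e_lfanew before it is used as an offset. */
    Status = ReadFileExact(hFile, 0, &ImageDosHeader, sizeof(IMAGE_DOS_HEADER));
    if (!NT_SUCCESS(Status)) {
        KdPrint(("read IMAGE_DOS_HEADER Failed:%X\n",Status));
        goto Cleanup;
    }
    if (ImageDosHeader.e_magic != IMAGE_DOS_SIGNATURE ||
        ImageDosHeader.e_lfanew < (LONG)sizeof(IMAGE_DOS_HEADER)) {
        KdPrint(("LoadKernelFile: bad DOS header\n"));
        Status = STATUS_INVALID_IMAGE_FORMAT;
        goto Cleanup;
    }

    /* NT headers. */
    Status = ReadFileExact(hFile, (ULONGLONG)ImageDosHeader.e_lfanew, &ImageNtHeader, sizeof(IMAGE_NT_HEADERS));
    if (!NT_SUCCESS(Status)) {
        KdPrint(("read IMAGE_NT_HEADERS Failed:%X\n",Status));
        goto Cleanup;
    }
    if (!KernelNtHeadersLookSane(ImageDosHeader.e_lfanew, &ImageNtHeader,
                                 &uSectionTableOffset, &uSectionTableSize)) {
        KdPrint(("LoadKernelFile: bad NT headers\n"));
        Status = STATUS_INVALID_IMAGE_FORMAT;
        goto Cleanup;
    }
    uSizeOfImage = ImageNtHeader.OptionalHeader.SizeOfImage;

    /* Section table. */
    pImageSectionHeader = (IMAGE_SECTION_HEADER *)ExAllocatePoolWithTag(PagedPool, uSectionTableSize, 'hSnK');
    if (pImageSectionHeader == NULL) {
        KdPrint(("pImageSectionHeader is null!\n"));
        Status = STATUS_INSUFFICIENT_RESOURCES;
        goto Cleanup;
    }
    Status = ReadFileExact(hFile, uSectionTableOffset, pImageSectionHeader, uSectionTableSize);
    if (!NT_SUCCESS(Status)) {
        KdPrint(("read IMAGE_SECTION_HEADER Failed:%X\n",Status));
        goto Cleanup;
    }
    for (uIndex = 0; uIndex < ImageNtHeader.FileHeader.NumberOfSections; uIndex++) {
        if (!SectionFitsImage(&pImageSectionHeader[uIndex], uSizeOfImage)) {
            KdPrint(("LoadKernelFile: section %d lies outside SizeOfImage\n", uIndex));
            Status = STATUS_INVALID_IMAGE_FORMAT;
            goto Cleanup;
        }
    }

    /* Image buffer, laid out like a mapped image. */
    lpVirtualPointer = ExAllocatePoolWithTag(PagedPool, uSizeOfImage, 'gInK');
    if (lpVirtualPointer == NULL) {
        KdPrint(("lpVirtualPointer is null!\n"));
        Status = STATUS_INSUFFICIENT_RESOURCES;
        goto Cleanup;
    }
    RtlZeroMemory(lpVirtualPointer, uSizeOfImage);
    RtlCopyMemory(lpVirtualPointer, &ImageDosHeader, sizeof(IMAGE_DOS_HEADER));
    RtlCopyMemory((PVOID)((ULONG)lpVirtualPointer + ImageDosHeader.e_lfanew), &ImageNtHeader, sizeof(IMAGE_NT_HEADERS));
    RtlCopyMemory((PVOID)((ULONG)lpVirtualPointer + uSectionTableOffset), pImageSectionHeader, uSectionTableSize);

    for (uIndex = 0; uIndex < ImageNtHeader.FileHeader.NumberOfSections; uIndex++) {
        Status = ReadFileExact(hFile,
                               pImageSectionHeader[uIndex].PointerToRawData,
                               (PVOID)((ULONG)lpVirtualPointer + pImageSectionHeader[uIndex].VirtualAddress),
                               pImageSectionHeader[uIndex].SizeOfRawData);
        if (!NT_SUCCESS(Status)) {
            KdPrint(("read failed is pImageSectionHeader[%d]:%X\n",uIndex, Status));
            goto Cleanup;
        }
    }

    /* Rebase the copy onto the live kernel and build its service table. */
    uKernelBase = GetKernelBase((ULONG)lpVirtualPointer);
    if (uKernelBase == 0) {
        KdPrint(("LoadKernelFile: could not derive kernel base\n"));
        Status = STATUS_INVALID_IMAGE_FORMAT;
        goto Cleanup;
    }
    if (!LdrRelocateImage(lpVirtualPointer, (PUCHAR)uKernelBase)) {
        KdPrint(("LoadKernelFile: relocation failed\n"));
        Status = STATUS_INVALID_IMAGE_FORMAT;
        goto Cleanup;
    }
    SetNewSSDT(lpVirtualPointer, (PVOID)uKernelBase, &pNewSSDT);
    if (pNewSSDT == NULL) {
        KdPrint(("LoadKernelFile: SetNewSSDT failed\n"));
        Status = STATUS_UNSUCCESSFUL;
        goto Cleanup;
    }

    g_pNewSSDT = pNewSSDT;
    *pKernelBase = uKernelBase;
    *pLoadImageBase = (ULONG)lpVirtualPointer;
    lpVirtualPointer = NULL;    /* ownership passes to the caller */
    Status = STATUS_SUCCESS;

Cleanup:
    if (lpVirtualPointer != NULL) {
        ExFreePool(lpVirtualPointer);
    }
    if (pImageSectionHeader != NULL) {
        ExFreePool(pImageSectionHeader);
    }
    ZwClose(hFile);
    return Status;
}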
/* Releases the in-memory kernel copy returned by LoadKernelFile.
 * A value of 0 means nothing was loaded and is ignored; the guard matters
 * because ExFreePool, unlike free(), is not NULL-safe. */
void UnKernelFile(ULONG uLoadImageBase)
{
    PVOID pImage = (PVOID)uLoadImageBase;
    if (pImage == NULL) {
        return;
    }
    ExFreePool(pImage);
}
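#pragma INITCODE
/* Driver entry point. Registers DriverUnload, then loads and relocates the
 * kernel copy into the globals. If that fails the driver now fails to load
 * instead of staying resident with g_pNewSSDT == NULL (the original ignored
 * the status); LoadKernelFile releases everything it allocated on failure
 * and leaves the globals untouched, so no cleanup is needed here. */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER(RegistryPath);

    DriverObject->DriverUnload = DriverUnload;
    status = LoadKernelFile(&g_uKernelBase, &g_uImageBase);
    if (!NT_SUCCESS(status)) {
        KdPrint(("LoadKernelFile failed:%X\n", status));
        return status;
    }
    return STATUS_SUCCESS;
}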
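#pragma PAGEDCODE
/* Unload routine: frees the kernel copy and clears the globals that refer
 * to it so a stale base or descriptor pointer cannot be reused after the
 * pool is gone. Placed in the PAGE section, hence PAGED_CODE(). */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    PAGED_CODE();

    UnKernelFile(g_uImageBase);
    g_uImageBase = 0;
    g_uKernelBase = 0;
    g_pNewSSDT = NULL;
    KdPrint(("DriverEntry unLoading...\n"));
}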