拦截驱动加载

该博客介绍了如何在Windows环境中通过驱动程序实现对其他驱动加载的拦截。具体包括解析PE头来获取驱动入口地址,以及利用LoadImageNotifyRoutine回调函数在驱动加载时执行拦截逻辑,阻止特定驱动的加载。


#include "ntddk.h"

#include <windef.h>

// DOS ("MZ") header at offset 0 of every PE image, mirrored from the public PE
// format. This driver reads only e_magic and e_lfanew: e_lfanew is the offset of
// the IMAGE_NT_HEADERS relative to the image base. The offset comes from the
// image being loaded, i.e. from a third party, and should be validated before use.
// NOTE(review): ntddk.h pulls in ntimage.h, which already declares the same
// _IMAGE_DOS_HEADER tag; this local redefinition is expected to collide with it —
// confirm the build configuration.
typedef struct _IMAGE_DOS_HEADER {      // DOS .EXE header

WORD   e_magic;                     // Magic number ("MZ", 0x5A4D)

WORD   e_cblp;                      // Bytes on last page of file

WORD   e_cp;                        // Pages in file

WORD   e_crlc;                      // Relocations

WORD   e_cparhdr;                   // Size of header in paragraphs

WORD   e_minalloc;                  // Minimum extra paragraphs needed

WORD   e_maxalloc;                  // Maximum extra paragraphs needed

WORD   e_ss;                        // Initial (relative) SS value

WORD   e_sp;                        // Initial SP value

WORD   e_csum;                      // Checksum

WORD   e_ip;                        // Initial IP value

WORD   e_cs;                        // Initial (relative) CS value

WORD   e_lfarlc;                    // File address of relocation table

WORD   e_ovno;                      // Overlay number

WORD   e_res[4];                    // Reserved words

WORD   e_oemid;                     // OEM identifier (for e_oeminfo)

WORD   e_oeminfo;                   // OEM information; e_oemid specific

WORD   e_res2[10];                  // Reserved words

LONG   e_lfanew;                    // File address of new exe header (signed; untrusted input)

} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;


// One entry of the optional header's DataDirectory table (export, import,
// relocation, ... tables). Not consulted by this driver; declared only because
// IMAGE_OPTIONAL_HEADER below embeds an array of these.
typedef struct _IMAGE_DATA_DIRECTORY {

DWORD   VirtualAddress;   // RVA of the table

DWORD   Size;             // size of the table in bytes

} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;


// PE optional header in its PE32 (32-bit image) layout: ImageBase is a DWORD and
// BaseOfData is present. PE32+ (64-bit images) has an 8-byte ImageBase and no
// BaseOfData, so every field from ImageBase onward sits at a different offset
// there. Fields up to and including AddressOfEntryPoint share their offsets in
// both formats, and AddressOfEntryPoint is the only field this driver reads —
// reading anything after it through this layout on a 64-bit image would be wrong.
typedef struct _IMAGE_OPTIONAL_HEADER {

//

// Standard fields.

//


WORD    Magic;                       // 0x10B = PE32, 0x20B = PE32+

BYTE    MajorLinkerVersion;

BYTE    MinorLinkerVersion;

DWORD   SizeOfCode;

DWORD   SizeOfInitializedData;

DWORD   SizeOfUninitializedData;

DWORD   AddressOfEntryPoint;         // RVA of the entry point (DriverEntry); 0 = none

DWORD   BaseOfCode;

DWORD   BaseOfData;                  // PE32 only; absent in PE32+


//

// NT additional fields. (Offsets below differ between PE32 and PE32+.)

//


DWORD   ImageBase;

DWORD   SectionAlignment;

DWORD   FileAlignment;

WORD    MajorOperatingSystemVersion;

WORD    MinorOperatingSystemVersion;

WORD    MajorImageVersion;

WORD    MinorImageVersion;

WORD    MajorSubsystemVersion;

WORD    MinorSubsystemVersion;

DWORD   Win32VersionValue;

DWORD   SizeOfImage;

DWORD   SizeOfHeaders;

DWORD   CheckSum;

WORD    Subsystem;

WORD    DllCharacteristics;

DWORD   SizeOfStackReserve;

DWORD   SizeOfStackCommit;

DWORD   SizeOfHeapReserve;

DWORD   SizeOfHeapCommit;

DWORD   LoaderFlags;

DWORD   NumberOfRvaAndSizes;

IMAGE_DATA_DIRECTORY DataDirectory[16];

} IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER;



// COFF file header that immediately follows the "PE\0\0" signature. Its layout is
// identical for PE32 and PE32+ (20 bytes). Not read directly by this driver; it
// only fixes the position of the optional header inside IMAGE_NT_HEADERS.
typedef struct _IMAGE_FILE_HEADER {

WORD    Machine;                 // target architecture

WORD    NumberOfSections;

DWORD   TimeDateStamp;

DWORD   PointerToSymbolTable;

DWORD   NumberOfSymbols;

WORD    SizeOfOptionalHeader;    // size of the optional header that follows

WORD    Characteristics;

} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;


// PE headers located at ImageBase + IMAGE_DOS_HEADER.e_lfanew. Signature must be
// "PE\0\0" (0x00004550) for the rest of the structure to be meaningful.
typedef struct _IMAGE_NT_HEADERS {

DWORD Signature;                      // "PE\0\0"


IMAGE_FILE_HEADER FileHeader;         // 0x04, 20 bytes

IMAGE_OPTIONAL_HEADER OptionalHeader; // 0x18 (PE32 layout; see note on that struct)

} IMAGE_NT_HEADERS, *PIMAGE_NT_HEADERS;


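/*
 * Resolve the entry point of a mapped PE image from its load address.
 *
 * ImageBase: base of an image already mapped in memory (the caller passes
 *            IMAGE_INFO.ImageBase from the load-image callback).
 * Returns:   ImageBase + OptionalHeader.AddressOfEntryPoint, or NULL when the
 *            headers do not look like a PE image or the image has no entry
 *            point. Callers must treat NULL as "do not touch this image".
 *
 * The headers belong to the image being loaded, i.e. to a third party, so
 * every offset is validated before it is dereferenced: an unchecked e_lfanew
 * or AddressOfEntryPoint would turn a malformed image into an arbitrary
 * kernel read here and, through DenyLoadDriver, an arbitrary kernel write.
 * MmIsAddressValid only tests the page holding the first byte of each header;
 * a header straddling a page boundary is not fully covered by these checks.
 */
PVOID GetDriverEntryByImageBase(PVOID ImageBase)
{
    PIMAGE_DOS_HEADER pDOSHeader = (PIMAGE_DOS_HEADER)ImageBase;
    PIMAGE_NT_HEADERS pNTHeader;
    ULONG64 base = (ULONG64)ImageBase;

    if (ImageBase == NULL || !MmIsAddressValid(pDOSHeader)) {
        return NULL;
    }
    /* "MZ" signature; e_lfanew is signed and must point forward into the image. */
    if (pDOSHeader->e_magic != 0x5A4D || pDOSHeader->e_lfanew <= 0) {
        return NULL;
    }
    pNTHeader = (PIMAGE_NT_HEADERS)(base + (ULONG64)pDOSHeader->e_lfanew);
    if (!MmIsAddressValid(pNTHeader)) {
        return NULL;
    }
    /* "PE\0\0" signature. */
    if (pNTHeader->Signature != 0x00004550) {
        return NULL;
    }
    /*
     * AddressOfEntryPoint sits at the same offset in PE32 and PE32+ optional
     * headers, so reading it through the 32-bit layout declared above is
     * correct for 64-bit images as well; fields after it would not be.
     * A zero RVA means the image declares no entry point.
     */
    if (pNTHeader->OptionalHeader.AddressOfEntryPoint == 0) {
        return NULL;
    }
    return (PVOID)(base + pNTHeader->OptionalHeader.AddressOfEntryPoint);
}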

/*
 * Overwrite the first bytes of the target's DriverEntry with a stub that
 * returns 0xC0000022 (STATUS_ACCESS_DENIED), so the target's DriverEntry
 * fails and its load is rejected.
 *
 * DriverEntry: entry point of the image being loaded, as resolved by
 *              GetDriverEntryByImageBase. It is written to without any
 *              validation here; the caller must pass a valid, mapped address.
 *
 * Review notes:
 *  - The target page is normally mapped read-only, hence CR0 bit 16 (WP) is
 *    cleared around RtlCopyMemory below, with cli/sti bracketing the window.
 *  - MSVC accepts `__asm` blocks only in the 32-bit compiler; as written this
 *    is not expected to build for an x64 target despite the X64 tag in the
 *    log lines — confirm against the build configuration.
 *  - sizeof(fuck) is 7: the string literal's terminating NUL is copied too,
 *    one byte past the 6-byte stub.
 */
void DenyLoadDriver(PVOID DriverEntry)

{ULONG  oldCr0;

//00000000L

UCHAR fuck[]="\xB8\x22\x00\x00\xC0\xC3"; // mov eax,c0000022h

                           //ret

// Clear CR0.WP (bit 16) so the read-only code page can be written (original note: "turn off CR0 here").

__asm {

cli;

mov eax, cr0;

mov oldCr0, eax;

and eax, not 10000h;

mov cr0, eax

}

RtlCopyMemory(DriverEntry,fuck,sizeof(fuck));

// Copy done: restore the saved CR0 (re-enabling WP) and interrupts.

__asm {

mov eax, oldCr0;

mov cr0, eax;

sti;

}

}

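/*
 * Bounded, case-sensitive substring search over a counted wide string.
 *
 * UNICODE_STRING.Buffer is not guaranteed to be NUL-terminated, so wcsstr()
 * on it can read past the allocation; this walks exactly hayLen characters.
 *
 * hay/hayLen: haystack and its length in characters (not bytes).
 * needle:     NUL-terminated pattern.
 * Returns 1 when needle occurs in hay[0..hayLen), else 0. An empty needle
 * matches anything.
 */
static int ContainsWide(const wchar_t *hay, size_t hayLen, const wchar_t *needle)
{
    size_t needleLen = 0;
    while (needle[needleLen] != L'\0') {
        needleLen++;
    }
    if (needleLen == 0) {
        return 1;
    }
    if (hayLen < needleLen) {
        return 0;
    }
    for (size_t i = 0; i + needleLen <= hayLen; i++) {
        size_t k = 0;
        while (k < needleLen && hay[i + k] == needle[k]) {
            k++;
        }
        if (k == needleLen) {
            return 1;
        }
    }
    return 0;
}

/*
 * Load-image callback registered by DriverEntry. Runs for every image load;
 * kernel-mode images arrive with ProcessId 0. For a kernel image whose path
 * contains "EagleXNt.sys" it patches the image's entry point so the load fails.
 *
 * FullImageName: optional path of the image (may be NULL; not NUL-terminated).
 * ProcessId:     0 for kernel-mode images.
 * ImageInfo:     image base and size as mapped by the loader.
 *
 * The name comparison is a case-sensitive substring match, as in the original:
 * a differently-cased file name is not matched, while a directory name
 * containing the string is. Nothing is patched unless the headers parsed.
 */
VOID LoadImageNotifyRoutine
(
__in_opt PUNICODE_STRING FullImageName,
__in HANDLE ProcessId,
__in PIMAGE_INFO ImageInfo
)
{
    PVOID pDrvEntry;

    /* Only kernel-mode image loads are of interest. */
    if (ProcessId != 0) {
        return;
    }
    /* FullImageName is optional and may be absent. */
    if (FullImageName == NULL || !MmIsAddressValid(FullImageName)) {
        return;
    }
    if (FullImageName->Buffer == NULL || FullImageName->Length == 0) {
        return;
    }
    if (ImageInfo == NULL || ImageInfo->ImageBase == NULL) {
        return;
    }

    DbgPrint("[LoadImageNotifyX64]%wZ\n", FullImageName);
    pDrvEntry = GetDriverEntryByImageBase(ImageInfo->ImageBase);
    DbgPrint("[LoadImageNotifyX64]DriverEntry: %p\n", pDrvEntry);

    /* Headers did not parse (or no entry point): never patch an unknown address. */
    if (pDrvEntry == NULL) {
        return;
    }

    /* Length is in bytes; convert to characters for the bounded search. */
    if (ContainsWide(FullImageName->Buffer,
                     FullImageName->Length / sizeof(wchar_t),
                     L"EagleXNt.sys")) {
        DenyLoadDriver(pDrvEntry);
    }
}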


/*
 * Unload routine set in DriverEntry: removes the image-load callback so the
 * kernel stops calling into this driver's code once it is gone.
 *
 * obj: the driver object; unused.
 */
void DriverUnload(PDRIVER_OBJECT obj){
    (void)obj;

    PsRemoveLoadImageNotifyRoutine(LoadImageNotifyRoutine);
}

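/*
 * Driver entry: registers LoadImageNotifyRoutine and installs the unload hook.
 *
 * obj:  this driver's object; DriverUnload is set on it only after the
 *       callback is registered, so unload never removes a callback that was
 *       never added.
 * preg: registry path; unused.
 * Returns STATUS_SUCCESS, or the status from PsSetLoadImageNotifyRoutine when
 * registration fails, in which case the driver does not stay loaded.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT obj,PUNICODE_STRING preg){
    NTSTATUS status;

    (void)preg;

    /* Without the callback this driver does nothing, so a failed registration fails the load. */
    status = PsSetLoadImageNotifyRoutine(LoadImageNotifyRoutine);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    obj->DriverUnload = DriverUnload;

    return STATUS_SUCCESS;
}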
