我们可以通过未导出的函数 MiProcessLoaderEntry 将驱动从驱动链表中移除 其次再将驱动的痕迹擦去,一般来说可以过Ark工具(此方法唯一的缺点就是无法卸载驱动和无法使用异常处理函数) 0环驱动代码
include <Ntifs.h> // 未导出函数 // 用于增加或删除驱动链表中的某一元素 typedef VOID(pMiProcessLoaderEntry)( IN PVOID DataTableEntry, IN LOGICAL Insert ); pMiProcessLoaderEntry MiProcessLoaderEntry; VOID Unload(IN PDRIVER_OBJECT DriverObject) { DbgPrint("卸载驱动\n"); } VOID ThreadProc(PVOID Context) { PDRIVER_OBJECT DriverObject = (PDRIVER_OBJECT)Context; LARGE_INTEGER timeOut = RtlConvertLongToLargeInteger(-10 1000 1000); KeDelayExecutionThread(KernelMode, FALSE, &timeOut); // 删除驱动 if (MiProcessLoaderEntry != NULL) { DbgPrint("隐藏驱动开始\n"); // 删除驱动 MiProcessLoaderEntry(DriverObject->DriverSection/LDR_DATA_TABLE_ENTRY驱动结构体/, FALSE/FALSE为从驱动链表中删除,TRUE为插入*/); // 删除驱动痕迹 DriverObject->DriverStart = NULL; // 驱动模块开始的基地址 DriverObject->DriverSize = 0; // 驱动的大小 DriverObject->DriverSection = NULL; // 驱动链表 DriverObject->DriverInit = NULL; // 驱动的初始化函数 DriverObject->DriverUnload = NULL; // 驱动的卸载函数 DriverObject->DeviceObject = NULL; // 驱动的设备对象 DbgPrint("隐藏驱动结束\n"); } while (TRUE) { DbgPrint("驱动正在运行\n"); KeDelayExecutionThread(KernelMode, FALSE, &timeOut); } PsTerminateSystemThread(0); } NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegeditPath) { DbgPrint("加载驱动\n"); NTSTATUS status = STATUS_SUCCESS; HANDLE hThrea? DriverObject->DriverUnload = Unloa? //if (SharedUserData->NtMajorVersion == 5) // 为XP系统的话 //{ MiProcessLoaderEntry = (pMiProcessLoaderEntry)0x8050eb06; // } // else // { //#ifdef X86 //#else //#endif // } // 必须额外开个线程执行 MiProcessLoaderEntry 函数,否则会蓝屏 PsCreateSystemThread(&hThread, THREAD_ALL_ACCESS, NULL, NULL, NULL, ThreadProc, DriverObject); return status; }
// 未导出函数 // 用于增加或删除驱动链表中的某一元素 typedef VOID(pMiProcessLoaderEntry)( IN PVOID DataTableEntry, IN LOGICAL Insert ); pMiProcessLoaderEntry MiProcessLoaderEntry; VOID Unload(IN PDRIVER_OBJECT DriverObject) { DbgPrint("卸载驱动\n"); } VOID ThreadProc(PVOID Context) { PDRIVER_OBJECT DriverObject = (PDRIVER_OBJECT)Context; LARGE_INTEGER timeOut = RtlConvertLongToLargeInteger(-10 1000 1000); KeDelayExecutionThread(KernelMode, FALSE, &timeOut); // 删除驱动 if (MiProcessLoaderEntry != NULL) { DbgPrint("隐藏驱动开始\n"); // 删除驱动 MiProcessLoaderEntry(DriverObject->DriverSection/LDR_DATA_TABLE_ENTRY驱动结构体/, FALSE/FALSE为从驱动链表中删除,TRUE为插入*/); // 删除驱动痕迹 DriverObject->DriverStart = NULL; // 驱动模块开始的基地址 DriverObject->DriverSize = 0; // 驱动的大小 DriverObject->DriverSection = NULL; // 驱动链表 DriverObject->DriverInit = NULL; // 驱动的初始化函数 DriverObject->DriverUnload = NULL; // 驱动的卸载函数 DriverObject->DeviceObject = NULL; // 驱动的设备对象 DbgPrint("隐藏驱动结束\n"); } while (TRUE) { DbgPrint("驱动正在运行\n"); KeDelayExecutionThread(KernelMode, FALSE, &timeOut); } PsTerminateSystemThread(0); } NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegeditPath) { DbgPrint("加载驱动\n"); NTSTATUS status = STATUS_SUCCESS; HANDLE hThrea? DriverObject->DriverUnload = Unloa? //if (SharedUserData->NtMajorVersion == 5) // 为XP系统的话 //{ MiProcessLoaderEntry = (pMiProcessLoaderEntry)0x8050eb06; // } // else // { //#ifdef X86 //#else //#endif // } // 必须额外开个线程执行 MiProcessLoaderEntry 函数,否则会蓝屏 PsCreateSystemThread(&hThread, THREAD_ALL_ACCESS, NULL, NULL, NULL, ThreadProc, DriverObject); return status; }
您需要登录后才可以回帖
立即登录 立即注册
请登录您的账号,开始你的外挂旅途
没有帐号?用户注册
