[驱动开发]ZwSetSystemInformation 加载驱动

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
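// True for NTSTATUS values with the sign bit clear (success and informational
// codes); failure codes are negative.  This only works when NTSTATUS is a
// signed type -- see the typedef below.
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0) 
// Undocumented SYSTEM_INFORMATION_CLASS value used to load an image into
// kernel space; it is not in the public SDK headers, so it is defined here.
#define SystemLoadAndCallImage 38 

// Local mirror of ntdll's UNICODE_STRING (Length / MaximumLength are byte
// counts, Buffer points at the characters).  main() reuses the same layout
// where an ANSI_STRING is expected.
typedef struct _UNICODE_STRING { 
  USHORT Length; 
  USHORT MaximumLength; 
  PVOID Buffer;
} UNICODE_STRING, *PUNICODE_STRING; 

// NTSTATUS is a signed 32-bit value (LONG); failure codes have the sign bit
// set.  The previous `unsigned long` typedef made NT_SUCCESS() true for every
// status, so a failed load was still reported as "loaded".
typedef LONG NTSTATUS; 

// Input block for SystemLoadAndCallImage: the NT path of the image to load.
typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE 
{ 
  UNICODE_STRING ModuleName; 
} SYSTEM_LOAD_AND_CALL_IMAGE, *PSYSTEM_LOAD_AND_CALL_IMAGE; 

// ntdll.dll exports, resolved at run time by main() through GetProcAddress.
// The two NTSTATUS-returning ones are checked with NT_SUCCESS / a signed compare.
typedef NTSTATUS (CALLBACK* ZWSETSYSTEMINFORMATION)(DWORD, PVOID, ULONG);
ZWSETSYSTEMINFORMATION ZwSetSystemInformation;
typedef DWORD (CALLBACK* RTLINITUNICODESTRING)(PUNICODE_STRING,PCWSTR );
RTLINITUNICODESTRING RtlInitUnicodeString;
typedef NTSTATUS (CALLBACK* RTLANSISTRINGTOUNICODESTRING)(PVOID, PVOID,DWORD);
RTLANSISTRINGTOUNICODESTRING RtlAnsiStringToUnicodeString;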

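/*
 * Entry point of the loader.
 *
 * Resolves the ntdll.dll exports declared above, turns argv[1] into an NT
 * object-manager path ("\??\<full path>") and passes it to
 * ZwSetSystemInformation(SystemLoadAndCallImage), which loads the image into
 * kernel space.  argv[1] is the driver path; "-h", "-?" and "/?" print usage.
 *
 * Returns 0 after the load attempt (the outcome is reported on stdout);
 * exits with a non-zero status on bad usage, an unresolved export or an
 * unusable path.
 */
int main(int argc, char *argv[])
{ 
  SYSTEM_LOAD_AND_CALL_IMAGE GregsImage; 
  UNICODE_STRING TmpBuff;   // same layout as ntdll's ANSI_STRING (Length, MaximumLength, Buffer)
  char  szDrvFullPath[256], szTmp[256];
  HMODULE hNtdll;
  DWORD dwPathLen;
  int iBuffLen;
  NTSTATUS status;
  
  printf("Load driver with ZwSetSystemInformation( )\r\n");
  printf("Date: 8th May 2007\r\n");
  printf("Modifed by: GyArmy <www.gyarmy.com>\r\n\r\n");
  if(argc != 2 || stricmp(argv[1], "-h") ==0 || stricmp(argv[1], "-?") ==0 || stricmp(argv[1], "/?") ==0)
  {
    printf("Usage: %s <DriverPath>\r\n", argv[0]);
    exit(-1);
  }

  // Fetch the functions from ntdll.dll (look the module up once and check it
  // instead of passing a possibly NULL handle to three GetProcAddress calls).
  hNtdll = GetModuleHandle("ntdll.dll");
  if( !hNtdll )
  {
    printf( "GetModuleHandle(\"ntdll.dll\") Error:%lu\n", GetLastError() );
    exit(1);
  }
  // Resolved for completeness; nothing below calls it.
  if( !(RtlInitUnicodeString = (RTLINITUNICODESTRING) GetProcAddress( hNtdll, "RtlInitUnicodeString" )) ) 
  {
    printf( "GetProcAddress(\"RtlInitUnicodeString\") Error:%lu\n", GetLastError() );
    exit(1); 
  }
  if( !(ZwSetSystemInformation = (ZWSETSYSTEMINFORMATION) GetProcAddress( hNtdll, "ZwSetSystemInformation" )) )
  {
    printf( "GetProcAddress(\"ZwSetSystemInformation\") Error:%lu\n", GetLastError() );
    exit(1); 
  }
  if( !(RtlAnsiStringToUnicodeString = (RTLANSISTRINGTOUNICODESTRING) GetProcAddress( hNtdll, "RtlAnsiStringToUnicodeString" )) ) 
  {
    // Previously reported "ZwSetSystemInformation" here, misattributing the failure.
    printf( "GetProcAddress(\"RtlAnsiStringToUnicodeString\") Error:%lu\n", GetLastError() );
    exit(1); 
  }

  // GetFullPathName returns 0 on failure and the required size (>= the buffer
  // size) when szTmp is too small; both cases previously went unnoticed.
  dwPathLen = GetFullPathName(argv[1], sizeof szTmp, szTmp, NULL);
  if( dwPathLen == 0 || dwPathLen >= sizeof szTmp )
  {
    printf( "GetFullPathName(\"%s\") Error:%lu\n", argv[1], GetLastError() );
    exit(1);
  }
  printf("Loading driver: %s\r\n", szTmp);
  // Prefix with "\??\" so the kernel resolves the path through the object
  // manager.  Bounded write: with a 255-byte path the old sprintf could run
  // past the end of szDrvFullPath.
  iBuffLen = snprintf(szDrvFullPath, sizeof szDrvFullPath, "\\??\\%s", szTmp);
  if( iBuffLen < 0 || (size_t)iBuffLen >= sizeof szDrvFullPath )
  {
    printf("Driver path too long: %s\r\n", szTmp);
    exit(1);
  }
  TmpBuff.Buffer = (PVOID)szDrvFullPath;
  TmpBuff.Length = (USHORT)iBuffLen;
  TmpBuff.MaximumLength = (USHORT)sizeof szDrvFullPath;
  // Third argument 1 = AllocateDestinationString: ntdll allocates
  // GregsImage.ModuleName.Buffer.  It is never released; the process exits
  // right after the call.
  status = RtlAnsiStringToUnicodeString(&(GregsImage.ModuleName), &TmpBuff, 1);
  if( (LONG)status < 0 )
  {
    printf("RtlAnsiStringToUnicodeString Error:0x%08lX\n", (unsigned long)status);
    exit(1);
  }

  status = ZwSetSystemInformation( SystemLoadAndCallImage, &GregsImage, sizeof(SYSTEM_LOAD_AND_CALL_IMAGE));   // load into kernel space
  // Signed compare on purpose: NT failure codes have the sign bit set, so an
  // unsigned ">= 0" test (what NT_SUCCESS expands to when NTSTATUS is typedef'd
  // unsigned) reports every failure as a successful load.
  if( (LONG)status >= 0 )
  { 
    printf("Driver: %s loaded.\r\n", szDrvFullPath); 
  } 
  else 
  { 
    printf("Driver: %s not loaded.\r\n", szDrvFullPath); 
  } 
  return 0;   // `true` is not a C identifier without <stdbool.h>; 0 is the conventional success code
}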

原文链接: [驱动开发]ZwSetSystemInformation 加载驱动 版权所有,转载时请注明出处,违者必究。
注明出处格式:流沙团 ( https://gyarmy.com/post-507.html )
