[驱动开发]ZwLoadDriver方式加载驱动

直接贴代码, 可以直接测试


#include <windows.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Counted string as used by the native API: Length and MaximumLength are byte
 * counts (not character counts) and Buffer need not be NUL-terminated. The ANSI
 * counterpart (STRING/ANSI_STRING) has the same layout, which is why this program
 * can hand an LSA_UNICODE_STRING wrapping a char buffer to
 * RtlAnsiStringToUnicodeString as the source string below. */
struct _LSA_UNICODE_STRING {
  USHORT Length;         /* bytes currently in use in Buffer */
  USHORT MaximumLength;  /* bytes available in Buffer */
  PVOID  Buffer;
};
typedef struct _LSA_UNICODE_STRING LSA_UNICODE_STRING;
typedef struct _LSA_UNICODE_STRING *PLSA_UNICODE_STRING;

/* Native-API names for the same type. */
typedef LSA_UNICODE_STRING UNICODE_STRING;
typedef LSA_UNICODE_STRING *PUNICODE_STRING;

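// ntdll.dll exports, resolved with GetProcAddress in main() because ZwLoadDriver and
// the Rtl string helpers are native-API functions not declared by the Win32 SDK headers.
// Both status-returning calls yield an NTSTATUS: a signed LONG whose negative values
// are failures, so callers can test `(LONG)status < 0`. The original DWORD typedefs hid
// the sign, which made a success check impossible. CALLBACK is __stdcall, the same as
// NTAPI on x86 (both are ignored on x64).
//
// RtlAnsiStringToUnicodeString(DestinationString, SourceString, AllocateDestinationString)
typedef LONG (CALLBACK* RTLANSISTRINGTOUNICODESTRING)(PVOID, PVOID, DWORD);
RTLANSISTRINGTOUNICODESTRING RtlAnsiStringToUnicodeString;
// RtlFreeUnicodeString(UnicodeString): frees a destination allocated by the call above;
// the real export returns nothing.
typedef VOID (CALLBACK* RTLFREEUNICODESTRING)(PVOID);
RTLFREEUNICODESTRING RtlFreeUnicodeString;
// ZwLoadDriver(DriverServiceName): takes the registry path of the service key as a
// UNICODE_STRING; the calling process needs SeLoadDriverPrivilege.
typedef LONG (CALLBACK* ZWLOADDRIVER)(PVOID);
ZWLOADDRIVER ZwLoadDriver;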

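/* Format "<a><b><c>" into dst[cap] with snprintf.
 * Returns the formatted length, or -1 on error or when the result would not fit, so
 * the caller can bail out. The original used sprintf() into a fixed buffer and then
 * stored dst[len] = 0, both of which overflow szSubKey once the driver name or path
 * is long enough. */
static int join3(char *dst, size_t cap, const char *a, const char *b, const char *c)
{
  int n = snprintf(dst, cap, "%s%s%s", a, b, c);
  if (n < 0 || (size_t)n >= cap)
    return -1;
  return n;
}

/* Register szDrvName as a kernel-driver service under
 * HKLM\System\CurrentControlSet\Services, load it with ZwLoadDriver, then delete the
 * service key again, as the original did. After that the driver is still loaded (it
 * remains in the loaded-module list, e.g. EnumDeviceDrivers) but has no service entry
 * left under Services.
 *
 * szDrvName: service name, also used as the registry key name.
 * szDrvPath: path of the .sys file, resolved with GetFullPathName before use.
 * Returns TRUE only when ZwLoadDriver reports success (NTSTATUS >= 0); FALSE when an
 * argument is NULL, an ntdll function pointer is unresolved, a string does not fit its
 * buffer, a registry call fails, the path cannot be resolved, or the load fails. The
 * original returned true unconditionally and ignored every status.
 * Requires RtlAnsiStringToUnicodeString, RtlFreeUnicodeString and ZwLoadDriver to have
 * been resolved from ntdll by main() first. */
int LoadDriver(char * szDrvName, char * szDrvPath)
{
  static const char kServices[] = "System\\CurrentControlSet\\Services\\";
  char szSubKey[200];
  char szDrvFullPath[256];
  LSA_UNICODE_STRING usRegPath;  /* UNICODE_STRING allocated by RtlAnsiStringToUnicodeString */
  LSA_UNICODE_STRING asRegPath;  /* ANSI_STRING view of szSubKey (same layout) */
  const DWORD dwType = SERVICE_KERNEL_DRIVER;         /* Type = 1 */
  const DWORD dwErrorControl = SERVICE_ERROR_NORMAL;  /* ErrorControl = 1 */
  const DWORD dwStart = SERVICE_SYSTEM_START;         /* Start = 1 */
  HKEY hkResult = NULL;
  DWORD cchFull;
  int iBuffLen;
  LONG status;
  int ok = FALSE;

  if (szDrvName == NULL || szDrvPath == NULL ||
      RtlAnsiStringToUnicodeString == NULL || RtlFreeUnicodeString == NULL ||
      ZwLoadDriver == NULL)
    return FALSE;

  if (join3(szSubKey, sizeof szSubKey, kServices, szDrvName, "") < 0)
    return FALSE;
  if (RegCreateKey(HKEY_LOCAL_MACHINE, szSubKey, &hkResult) != ERROR_SUCCESS)
    return FALSE;

  /* REG_DWORD values written from real DWORDs instead of the original's hand-packed
   * char[4] and the bare type code 4. Any failure from here on falls through to the
   * cleanup that removes the half-built service key. */
  if (RegSetValueEx(hkResult, "Type", 0, REG_DWORD,
                    (const BYTE *)&dwType, sizeof dwType) != ERROR_SUCCESS ||
      RegSetValueEx(hkResult, "ErrorControl", 0, REG_DWORD,
                    (const BYTE *)&dwErrorControl, sizeof dwErrorControl) != ERROR_SUCCESS ||
      RegSetValueEx(hkResult, "Start", 0, REG_DWORD,
                    (const BYTE *)&dwStart, sizeof dwStart) != ERROR_SUCCESS)
    goto cleanup;

  /* GetFullPathName returns 0 on failure and the required size (>= buffer) when the
   * buffer is too small; the original ignored both. */
  cchFull = GetFullPathName(szDrvPath, (DWORD)sizeof szDrvFullPath, szDrvFullPath, NULL);
  if (cchFull == 0 || cchFull >= sizeof szDrvFullPath)
    goto cleanup;
  printf("Loading driver: %s\r\n", szDrvFullPath);

  /* ImagePath uses the NT object-manager form "\??\<dos path>". REG_SZ data includes
   * the terminating NUL, which the original's iBuffLen left out. */
  iBuffLen = join3(szSubKey, sizeof szSubKey, "\\??\\", szDrvFullPath, "");
  if (iBuffLen < 0)
    goto cleanup;
  if (RegSetValueEx(hkResult, "ImagePath", 0, REG_SZ,
                    (const BYTE *)szSubKey, (DWORD)iBuffLen + 1) != ERROR_SUCCESS)
    goto cleanup;
  RegCloseKey(hkResult);
  hkResult = NULL;

  /* ZwLoadDriver wants the registry path of the service key as a UNICODE_STRING. */
  iBuffLen = join3(szSubKey, sizeof szSubKey, "\\Registry\\Machine\\", kServices, szDrvName);
  if (iBuffLen < 0)
    goto cleanup;
  asRegPath.Buffer = (PVOID)szSubKey;
  asRegPath.Length = (USHORT)iBuffLen;
  asRegPath.MaximumLength = (USHORT)sizeof szSubKey;  /* uninitialised in the original */
  status = (LONG)RtlAnsiStringToUnicodeString(&usRegPath, &asRegPath, TRUE);
  if (status < 0)
  {
    printf("RtlAnsiStringToUnicodeString failed: NTSTATUS 0x%08lX\r\n", (unsigned long)status);
    goto cleanup;
  }
  status = (LONG)ZwLoadDriver(&usRegPath);
  RtlFreeUnicodeString(&usRegPath);
  if (status < 0)
    printf("ZwLoadDriver failed: NTSTATUS 0x%08lX\r\n", (unsigned long)status);
  else
    ok = TRUE;

cleanup:
  if (hkResult != NULL)
    RegCloseKey(hkResult);
  /* Delete the Enum and Security subkeys first, then the service key itself
   * (RegDeleteKey refuses a key that still has subkeys). Done on every path once the
   * key exists, as in the original, so a failed attempt leaves no stale entry behind. */
  {
    static const char *const subkeys[] = { "\\Enum", "\\Security", "" };
    for (size_t i = 0; i < sizeof subkeys / sizeof subkeys[0]; i++)
    {
      if (join3(szSubKey, sizeof szSubKey, kServices, szDrvName, subkeys[i]) >= 0)
        RegDeleteKey(HKEY_LOCAL_MACHINE, szSubKey);
    }
  }
  return ok;
}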

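/* Entry point: `<exe> <DriverFilename> <DriverPath>`. Resolves the three ntdll exports
 * LoadDriver needs, then registers and loads the driver. Exit status is 0 on success
 * and non-zero on any failure; the original returned true (1) on success, which every
 * shell reads as failure, and 0 on failure. ZwLoadDriver needs SeLoadDriverPrivilege,
 * so this must run from an elevated process or the load itself fails. */
int main(int argc, char *argv[])
{
  printf("Load driver with ZwLoadDriver( )\r\n");
  printf("Date: 8th May 2007\r\n");
  printf("Modifed by: Gyarmy <www.gyarmy.com>\r\n\r\n");
  if (argc != 3)
  {
    printf("Usage: %s <DriverFilename> <DriverPath>\r\n", argv[0]);
    return EXIT_FAILURE;
  }

  HMODULE hNtdll = LoadLibrary("ntdll.dll");
  if (!hNtdll)
  {
    /* GetLastError() is a DWORD; the original printed it with %d. */
    printf("LoadLibrary( NTDLL.DLL ) Error:%lu\n", (unsigned long)GetLastError());
    return EXIT_FAILURE;
  }

  RtlAnsiStringToUnicodeString = (RTLANSISTRINGTOUNICODESTRING)
    GetProcAddress(hNtdll, "RtlAnsiStringToUnicodeString");
  RtlFreeUnicodeString = (RTLFREEUNICODESTRING)
    GetProcAddress(hNtdll, "RtlFreeUnicodeString");
  ZwLoadDriver = (ZWLOADDRIVER)
    GetProcAddress(hNtdll, "ZwLoadDriver");
  /* The original never checked these, so a missing export would have been called
   * through a NULL pointer inside LoadDriver. */
  if (!RtlAnsiStringToUnicodeString || !RtlFreeUnicodeString || !ZwLoadDriver)
  {
    printf("GetProcAddress( NTDLL.DLL ) Error:%lu\n", (unsigned long)GetLastError());
    FreeLibrary(hNtdll);
    return EXIT_FAILURE;
  }

  int rc = LoadDriver(argv[1], argv[2]) ? EXIT_SUCCESS : EXIT_FAILURE;
  FreeLibrary(hNtdll);  /* balances LoadLibrary; the original leaked the reference */
  return rc;
}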

原文链接: [驱动开发]ZwLoadDriver方式加载驱动 版权所有,转载时请注明出处,违者必究。
注明出处格式:流沙团 ( https://gyarmy.com/post-508.html )
