使用ZwLoadDriver加载驱动

Published on 2007-05-08

#include <windows.h>

#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Counted-string header in the shape the native API (ntdll) uses.
 * Declared locally, presumably because the headers this file pulls in do
 * not expose UNICODE_STRING; the member order and types (USHORT, USHORT,
 * PVOID) must stay exactly as they are so the layout matches ntdll's,
 * padding included.
 *
 * NOTE(review): in the native API Length/MaximumLength are byte counts,
 * not character counts -- the code filling them in this file only ever
 * stores an ANSI length, where the two coincide.
 */
struct _LSA_UNICODE_STRING {
    USHORT Length;         /* bytes in use in Buffer */
    USHORT MaximumLength;  /* bytes available in Buffer */
    PVOID  Buffer;         /* not required to be NUL-terminated */
};
typedef struct _LSA_UNICODE_STRING LSA_UNICODE_STRING;
typedef LSA_UNICODE_STRING *PLSA_UNICODE_STRING;

/* The native UNICODE_STRING is the same structure under another name. */
typedef LSA_UNICODE_STRING UNICODE_STRING;
typedef UNICODE_STRING *PUNICODE_STRING;

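/*
 * Function-pointer types for the ntdll exports this program resolves with
 * GetProcAddress in main(); the globals below hold the resolved addresses
 * and are NULL until then. CALLBACK (__stdcall) is kept from the original;
 * it matches the NTAPI convention on x86, and x64 has a single convention.
 *
 * These routines return NTSTATUS, a signed 32-bit value where a negative
 * result means failure. The original declared them DWORD, which makes any
 * "status < 0" check always false and so hides a failed ZwLoadDriver;
 * "long" is the 32-bit signed type on Windows (what LONG is) and needs no
 * extra header.
 */

/* NTSTATUS RtlAnsiStringToUnicodeString(PUNICODE_STRING Destination,
 *                                        PCANSI_STRING Source,
 *                                        BOOLEAN AllocateDestination);
 * Parameters stay PVOID because ANSI_STRING is not declared in this file;
 * callers pass the LSA_UNICODE_STRING type above, which shares its layout.
 * With AllocateDestination non-zero the destination buffer is allocated by
 * ntdll and must be released with RtlFreeUnicodeString. */
typedef long (CALLBACK *RTLANSISTRINGTOUNICODESTRING)(PVOID DestinationString,
                                                      PVOID SourceString,
                                                      unsigned char AllocateDestinationString);
RTLANSISTRINGTOUNICODESTRING RtlAnsiStringToUnicodeString = NULL;

/* VOID RtlFreeUnicodeString(PUNICODE_STRING); frees a buffer obtained from
 * RtlAnsiStringToUnicodeString. It returns nothing, so the type says so. */
typedef void (CALLBACK *RTLFREEUNICODESTRING)(PVOID UnicodeString);
RTLFREEUNICODESTRING RtlFreeUnicodeString = NULL;

/* NTSTATUS ZwLoadDriver(PUNICODE_STRING DriverServiceName); the argument is
 * the native registry path of a service key (\Registry\Machine\...). */
typedef long (CALLBACK *ZWLOADDRIVER)(PVOID DriverServiceName);
ZWLOADDRIVER ZwLoadDriver = NULL;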

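/* Registry location of service entries, relative to HKEY_LOCAL_MACHINE. */
#define SERVICES_KEY_ROOT "System\\CurrentControlSet\\Services\\"

/* Fixed buffer sizes, kept from the original code. */
enum { SERVICE_KEY_BUF = 200, DRV_FULL_PATH_BUF = 256 };

/*
 * Bounded-formatting check: n is a snprintf() result and cap the buffer
 * size. Returns n when the whole string plus terminator fit, else -1.
 * The original used sprintf() into these fixed buffers, so an over-long
 * service name or driver path on the command line overflowed the stack
 * (e.g. a 255-byte full path plus "\??\" is 259 bytes into a 200-byte
 * buffer). A -1 from an old _snprintf on truncation is also caught.
 */
static int fit_or_fail(int n, size_t cap)
{
    if (n < 0 || (size_t)n >= cap)
        return -1;
    return n;
}

/* Writes one REG_DWORD value under hKey; returns non-zero on success. */
static int set_service_dword(HKEY hKey, const char *valueName, DWORD value)
{
    return RegSetValueEx(hKey, valueName, 0, REG_DWORD,
                         (const unsigned char *)&value, sizeof value) == ERROR_SUCCESS;
}

/*
 * Creates HKLM\System\CurrentControlSet\Services\<szDrvName> with the
 * values ZwLoadDriver reads: Type, ErrorControl, Start and ImagePath.
 * Returns non-zero on success. The key may be left half-written on
 * failure; the caller removes it either way.
 */
static int create_service_entry(const char *szDrvName, const char *szDrvFullPath)
{
    char szSubKey[SERVICE_KEY_BUF];
    char szImagePath[SERVICE_KEY_BUF];
    HKEY hkResult = NULL;
    int imageLen;
    int ok;

    if (fit_or_fail(snprintf(szSubKey, sizeof szSubKey, SERVICES_KEY_ROOT "%s", szDrvName),
                    sizeof szSubKey) < 0)
        return 0;

    /* "\??\" prefixes the Win32 path as an NT object-manager path; this is
     * the form the original wrote into ImagePath and is kept unchanged. */
    imageLen = fit_or_fail(snprintf(szImagePath, sizeof szImagePath, "\\??\\%s", szDrvFullPath),
                           sizeof szImagePath);
    if (imageLen < 0)
        return 0;

    if (RegCreateKey(HKEY_LOCAL_MACHINE, szSubKey, &hkResult) != ERROR_SUCCESS)
        return 0;

    /* Same values as the original (all 1): kernel driver, normal error
     * handling, system start -- Start presumably does not matter since the
     * key is deleted right after the load. The REG_SZ data length includes
     * the terminating NUL (imageLen + 1); the original omitted it. Every
     * write is checked; the original ignored all four results. */
    ok = set_service_dword(hkResult, "Type", SERVICE_KERNEL_DRIVER)
      && set_service_dword(hkResult, "ErrorControl", SERVICE_ERROR_NORMAL)
      && set_service_dword(hkResult, "Start", SERVICE_SYSTEM_START)
      && RegSetValueEx(hkResult, "ImagePath", 0, REG_SZ,
                       (const unsigned char *)szImagePath,
                       (DWORD)imageLen + 1) == ERROR_SUCCESS;
    RegCloseKey(hkResult);
    return ok;
}

/*
 * Converts the native registry path of the service key to a counted
 * Unicode string and hands it to ZwLoadDriver. Returns non-zero when the
 * NTSTATUS reports success.
 */
static int load_via_zwloaddriver(const char *szDrvName)
{
    char szRegPath[SERVICE_KEY_BUF];
    LSA_UNICODE_STRING ansiName;     /* used as ANSI_STRING: same layout */
    LSA_UNICODE_STRING unicodeName;
    long status;
    int len;

    /* ZwLoadDriver takes the native form of the key path, rooted at
     * \Registry\Machine rather than HKEY_LOCAL_MACHINE. */
    len = fit_or_fail(snprintf(szRegPath, sizeof szRegPath,
                               "\\Registry\\Machine\\" SERVICES_KEY_ROOT "%s", szDrvName),
                      sizeof szRegPath);
    if (len < 0)
        return 0;

    /* Counted string over the stack buffer. Length/MaximumLength are
     * USHORT; len < SERVICE_KEY_BUF, so the casts cannot truncate. The
     * original left MaximumLength uninitialised. */
    ansiName.Buffer = (PVOID)szRegPath;
    ansiName.Length = (unsigned short)len;
    ansiName.MaximumLength = (unsigned short)sizeof szRegPath;

    /* AllocateDestinationString = 1: ntdll allocates unicodeName.Buffer,
     * released with RtlFreeUnicodeString below -- but only after a
     * successful conversion, since the buffer is undefined on failure.
     * NTSTATUS is signed, negative means failure; the cast to long matters
     * because the function-pointer typedefs in this file may declare an
     * unsigned return type, which would make "< 0" always false. */
    status = (long)RtlAnsiStringToUnicodeString(&unicodeName, &ansiName, 1);
    if (status < 0)
        return 0;

    status = (long)ZwLoadDriver(&unicodeName);
    RtlFreeUnicodeString(&unicodeName);

    if (status < 0) {
        printf("ZwLoadDriver failed: 0x%08lX\r\n", (unsigned long)status);
        return 0;
    }
    return 1;
}

/*
 * Removes the temporary service entry: first the Enum and Security subkeys
 * (RegDeleteKey does not recurse), then the service key itself, in the
 * same order as the original. Deletion errors are ignored as before -- a
 * subkey may simply not exist. NOTE(review): removing the key is not
 * expected to unload the driver; it only removes the registry trace a
 * service-style load would leave behind.
 */
static void remove_service_entry(const char *szDrvName)
{
    static const char *const subkeys[] = { "\\Enum", "\\Security", "" };
    char szSubKey[SERVICE_KEY_BUF];
    size_t i;

    for (i = 0; i < sizeof subkeys / sizeof subkeys[0]; i++) {
        if (fit_or_fail(snprintf(szSubKey, sizeof szSubKey, SERVICES_KEY_ROOT "%s%s",
                                 szDrvName, subkeys[i]), sizeof szSubKey) < 0)
            return;
        RegDeleteKey(HKEY_LOCAL_MACHINE, szSubKey);
    }
}

/*
 * Loads the kernel driver at szDrvPath by creating a temporary service key
 * named szDrvName, calling ZwLoadDriver on it, and deleting the key again.
 *
 * szDrvName  service/key name; must be non-empty and a single key
 *            component (no backslash).
 * szDrvPath  path of the .sys file, relative or absolute.
 * Returns true when ZwLoadDriver reported success, false otherwise. The
 * original returned true even when the load failed, because it never
 * looked at the NTSTATUS.
 *
 * Security notes:
 *  - Everything here runs with the caller's rights; the registry writes
 *    need write access to HKLM\...\Services.
 *  - NOTE(review): ZwLoadDriver is expected to require SeLoadDriverPrivilege
 *    to be *enabled* in the caller's token, and nothing in this file enables
 *    it (no AdjustTokenPrivileges), so on a default administrator token the
 *    call may fail with STATUS_PRIVILEGE_NOT_HELD -- confirm on the target.
 *  - NOTE(review): deleting the service key afterwards hides the load from
 *    service enumeration, but presumably not from kernel load callbacks or
 *    ETW -- do not treat this as stealth against an EDR.
 */
int LoadDriver(const char *szDrvName, const char *szDrvPath)
{
    char szDrvFullPath[DRV_FULL_PATH_BUF];
    DWORD pathLen;
    int loaded;

    /* An empty name would make every key path below refer to the Services
     * key itself (and then try to delete it); the original did not check. */
    if (szDrvName == NULL || szDrvPath == NULL || *szDrvName == '\0')
        return false;
    /* A backslash in the name would create nested keys and leave part of
     * them behind after cleanup, since RegDeleteKey is not recursive. */
    if (strchr(szDrvName, '\\') != NULL)
        return false;

    /* GetFullPathName returns 0 on failure and the required size (>= the
     * buffer size) when the buffer is too small; the original checked
     * neither and went on with whatever was in the buffer. */
    pathLen = GetFullPathName(szDrvPath, sizeof szDrvFullPath, szDrvFullPath, NULL);
    if (pathLen == 0 || pathLen >= sizeof szDrvFullPath)
        return false;
    printf("Loading driver: %s\r\n", szDrvFullPath);

    /* Once the key has been touched it is torn down again whatever the
     * outcome of the load. */
    loaded = create_service_entry(szDrvName, szDrvFullPath)
          && load_via_zwloaddriver(szDrvName);
    remove_service_entry(szDrvName);

    return loaded ? true : false;
}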

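/*
 * Entry point: <DriverFilename> <DriverPath>.
 *
 * argv[1] is used as the name of the temporary service key under
 * HKLM\System\CurrentControlSet\Services (the usage text calls it
 * "DriverFilename"); argv[2] is the path of the .sys file.
 *
 * Exit status: 0 when the driver was loaded, 1 otherwise. The original
 * returned true (1) on success and false (0) on failure -- the reverse of
 * what a shell or batch file checking ERRORLEVEL expects -- and it never
 * checked GetProcAddress, so a missing export became a call through a NULL
 * function pointer inside LoadDriver.
 */
int main(int argc, char *argv[])
{
    HMODULE hNtdll = NULL;
    int rc = 1;

    printf("Load driver with ZwLoadDriver( )\r\n");
    printf("Date: 8th May 2007\r\n");
    printf("Modifed by: GaRY <wofeiwo_at_gmail_dot_com>\r\n\r\n");

    if (argc != 3) {
        printf("Usage: %s <DriverFilename> <DriverPath>\r\n", argv[0]);
        return 1;
    }

    /* ntdll.dll is already mapped in every process; LoadLibrary only adds
     * a reference and yields the handle GetProcAddress needs. The routines
     * are looked up by name, presumably because the program does not link
     * against ntdll's import library. GetLastError is a DWORD, so %lu. */
    hNtdll = LoadLibrary("ntdll.dll");
    if (!hNtdll) {
        printf("LoadLibrary( NTDLL.DLL ) Error:%lu\n", (unsigned long)GetLastError());
        return 1;
    }

    RtlAnsiStringToUnicodeString = (RTLANSISTRINGTOUNICODESTRING)
        GetProcAddress(hNtdll, "RtlAnsiStringToUnicodeString");
    RtlFreeUnicodeString = (RTLFREEUNICODESTRING)
        GetProcAddress(hNtdll, "RtlFreeUnicodeString");
    ZwLoadDriver = (ZWLOADDRIVER)
        GetProcAddress(hNtdll, "ZwLoadDriver");

    /* All three are required by LoadDriver; bail out before it can call
     * through a NULL pointer. */
    if (!RtlAnsiStringToUnicodeString || !RtlFreeUnicodeString || !ZwLoadDriver) {
        printf("GetProcAddress( NTDLL.DLL ) Error:%lu\n", (unsigned long)GetLastError());
        FreeLibrary(hNtdll);
        return 1;
    }

    if (LoadDriver(argv[1], argv[2]))
        rc = 0;

    FreeLibrary(hNtdll);
    return rc;
}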