使用ZwSetSystemInformation加载驱动

Published on 2007 - 05 - 08

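#include <windows.h>
#include <stdio.h>
#include <string.h>   /* stricmp() used in main() */

/*
 * NT status codes signal failure with the sign bit set, so this test is only
 * meaningful when NTSTATUS is a signed 32-bit type (see the typedef below).
 */
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)

/* SYSTEM_INFORMATION_CLASS value passed to ZwSetSystemInformation in main(). */
#define SystemLoadAndCallImage 38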

/*
 * Counted string in the native-API layout.  Length and MaximumLength are byte
 * counts.  Buffer is kept as PVOID because main() also uses this type as the
 * ANSI source string for RtlAnsiStringToUnicodeString (ntdll's ANSI_STRING has
 * the same three-field layout).
 */
struct _UNICODE_STRING {
    USHORT Length;         /* bytes in use, not counting any terminator */
    USHORT MaximumLength;  /* bytes available at Buffer */
    PVOID  Buffer;
};
typedef struct _UNICODE_STRING UNICODE_STRING;
typedef struct _UNICODE_STRING *PUNICODE_STRING;

typedef unsigned long NTSTATUS;

/*
 * Input buffer for the SystemLoadAndCallImage information class: the NT
 * object path ("\??\<full path>") of the image to map into kernel space.
 */
struct _SYSTEM_LOAD_AND_CALL_IMAGE {
    UNICODE_STRING ModuleName;
};
typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE SYSTEM_LOAD_AND_CALL_IMAGE;
typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE *PSYSTEM_LOAD_AND_CALL_IMAGE;

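/*
 * Undocumented ntdll exports, resolved at run time with GetProcAddress in
 * main().  ZwSetSystemInformation and RtlAnsiStringToUnicodeString return an
 * NTSTATUS; they are declared as such here so that NT_SUCCESS() can perform
 * its signed comparison instead of seeing an always-non-negative DWORD.
 * RtlInitUnicodeString really returns nothing -- its DWORD return value is
 * kept only for source compatibility and must not be used.  CALLBACK gives
 * the stdcall convention these exports use on x86.
 */
typedef NTSTATUS (CALLBACK *ZWSETSYSTEMINFORMATION)(DWORD SystemInformationClass,
                                                    PVOID SystemInformation,
                                                    ULONG SystemInformationLength);
typedef DWORD (CALLBACK *RTLINITUNICODESTRING)(PUNICODE_STRING DestinationString,
                                               PCWSTR SourceString);
typedef NTSTATUS (CALLBACK *RTLANSISTRINGTOUNICODESTRING)(PVOID DestinationString,
                                                         PVOID SourceString,
                                                         DWORD AllocateDestinationString);

/* Filled in by main(); NULL until then. */
ZWSETSYSTEMINFORMATION       ZwSetSystemInformation;
RTLINITUNICODESTRING         RtlInitUnicodeString;   /* resolved but not called */
RTLANSISTRINGTOUNICODESTRING RtlAnsiStringToUnicodeString;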

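/*
 * Entry point: map the driver image named on the command line into kernel
 * space through the SystemLoadAndCallImage class of ZwSetSystemInformation,
 * i.e. without a service entry in the service control manager.
 *
 * argv[1] is a Win32 path.  It is expanded to a full path and prefixed with
 * "\??\" to form the NT object path the kernel expects.  The caller needs
 * SeLoadDriverPrivilege or the call fails.  The load is still visible to
 * kernel image-load notify routines and to tools that log driver loads
 * (e.g. Sysmon event 6).
 *
 * Returns 0 when the kernel reports success and 1 on any failure: usage
 * error, missing ntdll export, path too long, string conversion or load
 * failure.  (The old code exited with 1 via `return true` even on success.)
 */
int main(int argc, char *argv[])
{
    SYSTEM_LOAD_AND_CALL_IMAGE loadImage;
    UNICODE_STRING ansiPath;            /* used as an ANSI_STRING: same layout */
    char szTmp[MAX_PATH];
    char szDrvFullPath[MAX_PATH + 4];   /* room for the "\??\" prefix */
    HMODULE hNtdll;
    DWORD pathLen;
    int n;
    LONG status;

    printf("Load driver with ZwSetSystemInformation( )\r\n");
    printf("Date: 8th May 2007\r\n");
    printf("Modifed by: GaRY <wofeiwo_at_gmail_dot_com>\r\n\r\n");

    if (argc != 2 || stricmp(argv[1], "-h") == 0 || stricmp(argv[1], "-?") == 0
        || stricmp(argv[1], "/?") == 0) {
        printf("Usage: %s <DriverPath>\r\n", argv[0]);
        return 1;
    }

    /* Resolve the exports from ntdll.dll; check the module handle once
     * instead of passing a possible NULL into every GetProcAddress call. */
    hNtdll = GetModuleHandle("ntdll.dll");
    if (hNtdll == NULL) {
        printf("GetModuleHandle(\"ntdll.dll\") Error:%lu\n", GetLastError());
        return 1;
    }
    RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress(hNtdll, "RtlInitUnicodeString");
    if (RtlInitUnicodeString == NULL) {
        printf("GetProcAddress(\"RtlInitUnicodeString\") Error:%lu\n", GetLastError());
        return 1;
    }
    ZwSetSystemInformation = (ZWSETSYSTEMINFORMATION)GetProcAddress(hNtdll, "ZwSetSystemInformation");
    if (ZwSetSystemInformation == NULL) {
        printf("GetProcAddress(\"ZwSetSystemInformation\") Error:%lu\n", GetLastError());
        return 1;
    }
    RtlAnsiStringToUnicodeString =
        (RTLANSISTRINGTOUNICODESTRING)GetProcAddress(hNtdll, "RtlAnsiStringToUnicodeString");
    if (RtlAnsiStringToUnicodeString == NULL) {
        printf("GetProcAddress(\"RtlAnsiStringToUnicodeString\") Error:%lu\n", GetLastError());
        return 1;
    }

    /*
     * GetFullPathName returns 0 on failure and, when the buffer is too small,
     * the size it would need without writing anything.  In both cases szTmp
     * holds nothing usable and must not be printed or passed on.
     */
    pathLen = GetFullPathName(argv[1], sizeof szTmp, szTmp, NULL);
    if (pathLen == 0 || pathLen >= sizeof szTmp) {
        printf("GetFullPathName(\"%s\") failed or path too long (Error:%lu)\n",
               argv[1], GetLastError());
        return 1;
    }
    printf("Loading driver: %s\r\n", szTmp);

    /* Bounded build of the NT object path.  The previous unbounded sprintf
     * could write past a buffer the same size as szTmp by the prefix length. */
    n = snprintf(szDrvFullPath, sizeof szDrvFullPath, "\\??\\%s", szTmp);
    if (n < 0 || (size_t)n >= sizeof szDrvFullPath) {
        printf("Driver path too long\n");
        return 1;
    }

    ansiPath.Buffer = (PVOID)szDrvFullPath;
    ansiPath.Length = (USHORT)n;
    ansiPath.MaximumLength = (USHORT)sizeof szDrvFullPath;

    /* AllocateDestinationString = TRUE: ntdll allocates ModuleName.Buffer.
     * It is never freed because the process exits right after the call. */
    status = (LONG)RtlAnsiStringToUnicodeString(&loadImage.ModuleName, &ansiPath, 1);
    if (status < 0) {
        printf("RtlAnsiStringToUnicodeString failed: 0x%08lX\n", (unsigned long)status);
        return 1;
    }

    /* Load into kernel space.  Compare as a signed value: NT failure codes
     * have the sign bit set, and an unsigned comparison reports every result
     * as success. */
    status = (LONG)ZwSetSystemInformation(SystemLoadAndCallImage, &loadImage, sizeof loadImage);
    if (status >= 0) {
        printf("Driver: %s loaded.\r\n", szDrvFullPath);
        return 0;
    }
    printf("Driver: %s not loaded (status 0x%08lX).\r\n", szDrvFullPath, (unsigned long)status);
    return 1;
}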