May 08, 2007
使用ZwSetSystemInformation加载驱动
#include <windows.h>
#include <stdio.h>
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define SystemLoadAndCallImage 38
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PVOID Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
typedef unsigned long NTSTATUS;
typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE
{
UNICODE_STRING ModuleName;
} SYSTEM_LOAD_AND_CALL_IMAGE, *PSYSTEM_LOAD_AND_CALL_IMAGE;
typedef DWORD (CALLBACK* ZWSETSYSTEMINFORMATION)(DWORD, PVOID, ULONG);
ZWSETSYSTEMINFORMATION ZwSetSystemInformation;
typedef DWORD (CALLBACK* RTLINITUNICODESTRING)(PUNICODE_STRING,PCWSTR );
RTLINITUNICODESTRING RtlInitUnicodeString;
typedef DWORD (CALLBACK* RTLANSISTRINGTOUNICODESTRING)(PVOID, PVOID,DWORD);
RTLANSISTRINGTOUNICODESTRING RtlAnsiStringToUnicodeString;
int main(int argc, char *argv[])
{
SYSTEM_LOAD_AND_CALL_IMAGE GregsImage;
UNICODE_STRING TmpBuff;
char szDrvFullPath[256],szTmp[256];
int iBuffLen;
printf("Load driver with ZwSetSystemInformation( )\r\n");
printf("Date: 8th May 2007\r\n");
printf("Modifed by: GaRY <wofeiwo_at_gmail_dot_com>\r\n\r\n");
if(argc != 2 || stricmp(argv[1], "-h") ==0 || stricmp(argv[1], "-?") ==0 || stricmp(argv[1], "/?") ==0)
{
printf("Usage: %s <DriverPath>\r\n", argv[0]);
exit(-1);
}
// 从ntll.dll获取函数
if( !(RtlInitUnicodeString = (RTLINITUNICODESTRING) GetProcAddress( GetModuleHandle("ntdll.dll"), "RtlInitUnicodeString" )) )
{
printf( "GetProcAddress(\"RtlInitUnicodeString\") Error:%d\n", GetLastError() );
exit(1);
}
if( !(ZwSetSystemInformation = (ZWSETSYSTEMINFORMATION) GetProcAddress( GetModuleHandle("ntdll.dll"), "ZwSetSystemInformation" )) )
{
printf( "GetProcAddress(\"ZwSetSystemInformation\") Error:%d\n", GetLastError() );
exit(1);
}
if( !(RtlAnsiStringToUnicodeString = (RTLANSISTRINGTOUNICODESTRING) GetProcAddress( GetModuleHandle("ntdll.dll"), "RtlAnsiStringToUnicodeString" )) )
{
printf( "GetProcAddress(\"ZwSetSystemInformation\") Error:%d\n", GetLastError() );
exit(1);
}
GetFullPathName(argv[1], 256, szTmp, NULL);
printf("Loading driver: %s\r\n", szTmp);
iBuffLen = sprintf(szDrvFullPath, "\\??\\%s", szTmp);
szDrvFullPath[iBuffLen]=0;
TmpBuff.Buffer = (PVOID)szDrvFullPath;
TmpBuff.Length = iBuffLen;
RtlAnsiStringToUnicodeString(&(GregsImage.ModuleName),&TmpBuff,1);
if( NT_SUCCESS( ZwSetSystemInformation( SystemLoadAndCallImage, &GregsImage, sizeof(SYSTEM_LOAD_AND_CALL_IMAGE)) )) //加载进内核空间
{
printf("Driver: %s loaded.\r\n", szDrvFullPath);
}
else
{
printf("Driver: %s not loaded.\r\n", szDrvFullPath);
}
return true;
}
△
