Blocking Driver Loading (阻止加載驅(qū)動(dòng)方法)
Source: http://www.sm998.com/read.php?tid=16

There are roughly three ways a driver gets loaded:
1. dynamically, while Windows is running;
2. at Windows startup;
3. by infecting a system file.

Loading at startup and infecting system files are left aside here; only dynamic loading is discussed.

The normal loading flow is: open the Service Control Manager -> create a service -> start the service -> (the system loads the driver). At the end of this process the system calls NtLoadDriver to load the driver (a driver can also be loaded with NtSetSystemInformation from ntdll.dll). NtLoadDriver queues a work item into the system, waits for another system thread to perform the actual load, waits until that load has completed (NtSetSystemInformation behaves the same way), and only then returns.

So we could hook NtLoadDriver and NtSetSystemInformation to block driver loading, but that method has been done to death. Here I hook NtCreateSection instead.

Why NtCreateSection? Because when the other thread picks up the load request, it calls NtCreateSection to map the driver into kernel address space. The flow is roughly:

IoCreateFile (open the driver file; its second parameter, the desired access, is FILE_EXECUTE | SYNCHRONIZE)
-> NtCreateSection (create a section for the driver in kernel memory)
-> NtMapViewOfSection (map the driver into kernel memory)
-> locate the driver's DriverEntry and call it
-> ZwClose (close the file handle)
-> notify NtLoadDriver (or NtSetSystemInformation) that the load has completed
-> NtLoadDriver (or NtSetSystemInformation) returns to user mode and reports to the caller that the driver has been loaded

This flow gives us several points at which to hijack the load: we can hook NtCreateSection or NtMapViewOfSection to block driver loading. Here I take the NtCreateSection approach. One thing to keep in mind: NtCreateSection is also the call every user-mode EXE and DLL mapping goes through, so the hook has to tell a kernel image load apart from those rather than failing every SEC_IMAGE section.

The code follows:

#include                        /* header name lost in the source text; the headers, structures and macros used below are declared here */
#include "NtCreateSection.h"

#if DBG
#define DriversUnload(Address, p) Address->DriverUnload = p;
#else
#define DriversUnload(Address, p) Address->DriverUnload = NULL;
#endif

typedef int            BOOL;
typedef unsigned int   UINT;
typedef unsigned long  DWORD;
typedef unsigned short WORD;
typedef void          *LPVOID;
typedef unsigned char  BYTE;
typedef DWORD         *PDWORD;
typedef BYTE          *PBYTE;
typedef WORD          *PWORD;

/* Page protection values (the SectionPageProtection argument of NtCreateSection). */
#define PAGE_NOACCESS          0x01
#define PAGE_READONLY          0x02
#define PAGE_READWRITE         0x04
#define PAGE_WRITECOPY         0x08
#define PAGE_EXECUTE           0x10
#define PAGE_EXECUTE_READ      0x20
#define PAGE_EXECUTE_READWRITE 0x40
#define PAGE_EXECUTE_WRITECOPY 0x80
#define PAGE_GUARD             0x100
#define PAGE_NOCACHE           0x200
#define PAGE_WRITECOMBINE      0x400

/* Memory allocation types. */
#define MEM_COMMIT             0x1000
#define MEM_RESERVE            0x2000
#define MEM_DECOMMIT           0x4000
#define MEM_RELEASE            0x8000
#define MEM_FREE               0x10000
#define MEM_PRIVATE            0x20000
#define MEM_MAPPED             0x40000
#define MEM_RESET              0x80000
#define MEM_TOP_DOWN           0x100000
#define MEM_4MB_PAGES          0x80000000

/* Section attributes (the AllocationAttributes argument of NtCreateSection). */
#define SEC_FILE               0x800000
#define SEC_IMAGE              0x1000000
#define SEC_VLM                0x2000000
#define SEC_RESERVE            0x4000000
#define SEC_COMMIT             0x8000000
#define SEC_NOCACHE            0x10000000
#define MEM_IMAGE              SEC_IMA  /* the source text ends here, mid-definition */
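The hook body itself is not on this page, so the following is an added example, not the author's code, of the decision logic a NtCreateSection hook of this kind needs before it returns STATUS_ACCESS_DENIED. It is host-compilable: the SSDT slot (KeServiceDescriptorTable in a real driver) is modelled as a plain function pointer, the caller's previous mode (ExGetPreviousMode() in a real driver) and the file name (ObReferenceObjectByHandle plus ObQueryNameString on the FileHandle argument in a real driver) are passed in as parameters, and the block list with the names evil.sys and rootkit.sys is constructed for the demonstration. The filter it applies, previous mode KernelMode with SEC_IMAGE set and PAGE_EXECUTE protection on a .sys file, is an assumption about what distinguishes the kernel's own driver image mapping from the user-mode EXE/DLL mappings that also arrive through NtCreateSection; the PAGE_* and SEC_* values are the ones defined above.

```c
/* Added example, not the original post's code: a host-compilable model of the
 * decision a hooked NtCreateSection makes. In a real driver the types come from
 * ntddk.h, the hook is installed by overwriting NtCreateSection's SSDT slot and
 * saving the original pointer, which g_OriginalNtCreateSection stands in for. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef long NTSTATUS;
typedef unsigned long ULONG;

#define STATUS_SUCCESS       ((NTSTATUS)0x00000000L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)

/* Same values as the constants defined in the post. */
#define PAGE_READWRITE 0x04
#define PAGE_EXECUTE   0x10
#define SEC_IMAGE      0x1000000
#define SEC_COMMIT     0x8000000

/* ntddk.h: KernelMode = 0, UserMode = 1. */
typedef enum { KernelMode = 0, UserMode = 1 } KPROCESSOR_MODE;

/* What the hook inspects. PreviousMode stands in for ExGetPreviousMode();
 * FilePath stands in for the \Device\... name a real hook obtains from the
 * FileHandle argument, which is why matching below uses the file name only. */
typedef struct {
    KPROCESSOR_MODE PreviousMode;
    ULONG           SectionPageProtection; /* 5th NtCreateSection argument */
    ULONG           AllocationAttributes;  /* 6th NtCreateSection argument */
    const char     *FilePath;
} SectionRequest;

static const char *BaseName(const char *path)
{
    const char *p = strrchr(path, '\\');
    return p ? p + 1 : path;
}

static int EqualsNoCase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

static int EndsWithNoCase(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lx = strlen(suffix);
    return ls >= lx && EqualsNoCase(s + ls - lx, suffix);
}

/* Assumed signature of a kernel driver image load: user-mode EXE/DLL mappings
 * also use SEC_IMAGE with PAGE_EXECUTE, so the previous mode is the
 * discriminator that keeps the hook from breaking ordinary process startup. */
int IsDriverImageLoad(const SectionRequest *req)
{
    return req->PreviousMode == KernelMode
        && (req->AllocationAttributes & SEC_IMAGE) != 0
        && req->SectionPageProtection == PAGE_EXECUTE
        && req->FilePath != NULL
        && EndsWithNoCase(req->FilePath, ".sys");
}

/* Constructed block list for the demonstration (hypothetical names). */
static const char *const g_BlockList[] = { "evil.sys", "rootkit.sys" };
#define BLOCKLIST_COUNT (sizeof g_BlockList / sizeof g_BlockList[0])

int IsBlockedDriver(const char *path)
{
    const char *name = BaseName(path);
    size_t i;
    for (i = 0; i < BLOCKLIST_COUNT; i++)
        if (EqualsNoCase(name, g_BlockList[i]))
            return 1;
    return 0;
}

typedef NTSTATUS (*NtCreateSectionFn)(const SectionRequest *req);

/* Stand-in for the original system service saved when the SSDT slot is hooked. */
static NTSTATUS OriginalNtCreateSection(const SectionRequest *req)
{
    (void)req;
    return STATUS_SUCCESS;
}
static NtCreateSectionFn g_OriginalNtCreateSection = OriginalNtCreateSection;

/* The hook: fail the section for a blocked driver image, so the worker thread's
 * load fails and NtLoadDriver returns the error to the caller; everything else
 * goes to the original service untouched. */
NTSTATUS HookedNtCreateSection(const SectionRequest *req)
{
    if (IsDriverImageLoad(req) && IsBlockedDriver(req->FilePath))
        return STATUS_ACCESS_DENIED;
    return g_OriginalNtCreateSection(req);
}

/* Builds a request the way the hook would see it and runs it through the hook. */
NTSTATUS Simulate(KPROCESSOR_MODE mode, ULONG prot, ULONG attrs, const char *path)
{
    SectionRequest req = { mode, prot, attrs, path };
    return HookedNtCreateSection(&req);
}

int main(void)
{
    /* Constructed sample paths. */
    const char *evil = "\\Device\\HarddiskVolume1\\WINDOWS\\system32\\drivers\\evil.sys";
    const char *good = "\\Device\\HarddiskVolume1\\WINDOWS\\system32\\drivers\\good.sys";
    printf("kernel load of evil.sys:    0x%08lX\n", (unsigned long)Simulate(KernelMode, PAGE_EXECUTE, SEC_IMAGE, evil));
    printf("user-mode map of evil.sys:  0x%08lX\n", (unsigned long)Simulate(UserMode, PAGE_EXECUTE, SEC_IMAGE, evil));
    printf("kernel load of good.sys:    0x%08lX\n", (unsigned long)Simulate(KernelMode, PAGE_EXECUTE, SEC_IMAGE, good));
    return 0;
}
```

Only the kernel-mode SEC_IMAGE request for a listed file is denied; a user-mode mapping of the same file, a data section of it, or a kernel load of an unlisted driver all pass through to the original service. In a real driver, the string work above would be done on the UNICODE_STRING returned by ObQueryNameString, and the list would typically be looked up with the volume path normalised rather than on the bare file name.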