枚举移除LoadImageNotifyRoutine
2016-11-11 19:02
561 查看
#include <ntddk.h> #include <Ntstrsafe.h> #ifdef _WIN64 #define PSP_MAX_LOAD_IMAGE_NOTIFY 64 #else #define PSP_MAX_LOAD_IMAGE_NOTIFY 8 #endif ULONG_PTR PspLoadImageNotifyRoutine; ULONG_PTR PspLoadImageNotifyRoutineCount; DWORD g_OsVersion; //系统版本 //操作系统版本 #define WINXP 51 #define WIN7 61 #define WIN8 62 #define WIN81 63 #define WIN10 100 //获取系统版本 BOOLEAN GetOsVer(void); //获取PspLoadImageNotifyRoutineCount ULONG_PTR GetPspLoadImageNotifyRoutineCount(void); //获取PspLoadImageNotifyRoutine ULONG_PTR GetPspLoadImageNotifyRoutine(void); //枚举移除LoadImageNotifyRoutine NTSTATUS EnumRemoveLoadImageNotifyRoutine(void); VOID loadImageNotifyRoutine(PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO ImageInfo); VOID DriverUnload(IN PDRIVER_OBJECT DriverObject) { PsRemoveLoadImageNotifyRoutine(loadImageNotifyRoutine); return; } NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath) { DriverObject->DriverUnload = DriverUnload; PsSetLoadImageNotifyRoutine(loadImageNotifyRoutine); DbgBreakPoint(); //枚举移除LoadImageNotifyRoutine EnumRemoveLoadImageNotifyRoutine(); return STATUS_SUCCESS; } VOID loadImageNotifyRoutine( PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO ImageInfo) { return; } //枚举移除LoadImageNotifyRoutine NTSTATUS EnumRemoveLoadImageNotifyRoutine(void) { ULONG i; PVOID MagicPtr, NotifyAddr; //获取系统版本 if (GetOsVer() == FALSE)return STATUS_UNSUCCESSFUL; //获取PspLoadImageNotifyRoutineCount PspLoadImageNotifyRoutineCount=GetPspLoadImageNotifyRoutineCount(); if (PspLoadImageNotifyRoutineCount <= 0 || PspLoadImageNotifyRoutineCount>PSP_MAX_LOAD_IMAGE_NOTIFY)return STATUS_UNSUCCESSFUL; //获取PspLoadImageNotifyRoutine PspLoadImageNotifyRoutine=GetPspLoadImageNotifyRoutine(); if (PspLoadImageNotifyRoutine == NULL)return STATUS_UNSUCCESSFUL; #ifdef _WIN64 for (i = 0; i < PspLoadImageNotifyRoutineCount; i++) { MagicPtr = (PVOID)((PUCHAR)PspLoadImageNotifyRoutine + i * sizeof(ULONG_PTR)); if (MagicPtr==NULL)continue; NotifyAddr = *(PULONG_PTR)(MagicPtr); if (NotifyAddr==NULL)continue; if (MmIsAddressValid(NotifyAddr) && NotifyAddr != 0) { NotifyAddr = *(PULONG_PTR)(((ULONG_PTR)NotifyAddr & 0xfffffffffffffff0ui64) + sizeof(EX_RUNDOWN_REF)); DbgPrint("LoadImageNotify at %llx", NotifyAddr); PsRemoveLoadImageNotifyRoutine(NotifyAddr); } } #else for (i = 0; i < PspLoadImageNotifyRoutineCount; i++) { //PEX_CALLBACK_ROUTINE_BLOCK Point = (PEX_CALLBACK_ROUTINE_BLOCK)((Ref->Value >> 3) << 3); MagicPtr = (PVOID)((PUCHAR)PspLoadImageNotifyRoutine + i * sizeof(ULONG_PTR)); if (MagicPtr == NULL)continue; NotifyAddr = *(PULONG_PTR)(MagicPtr); if (NotifyAddr == NULL)continue; if (MmIsAddressValid(NotifyAddr) && NotifyAddr != 0) { //NotifyAddr = (ULONG)(Point->Function) NotifyAddr = *(PULONG_PTR)(((ULONG_PTR)NotifyAddr & 0xfffffff8) + sizeof(EX_RUNDOWN_REF)); DbgPrint("LoadImageNotify at %x", NotifyAddr); PsRemoveLoadImageNotifyRoutine(NotifyAddr); } } #endif return STATUS_SUCCESS; } //获取PspLoadImageNotifyRoutineCount ULONG_PTR GetPspLoadImageNotifyRoutineCount(void) { //定义变量 ULONG_PTR i = 0; LONG OffsetAddr64 = 0; ULONG_PTR OffsetAddr = 0; ULONG_PTR RoutineCount = 0; PULONG_PTR pRoutineCountAdd = NULL; ULONG_PTR pRemoveLoadImageNotifyRoutine = NULL; UNICODE_STRING unstrFunc; RtlInitUnicodeString(&unstrFunc, L"PsRemoveLoadImageNotifyRoutine"); //获取函数地址 pRemoveLoadImageNotifyRoutine = (ULONG_PTR)MmGetSystemRoutineAddress(&unstrFunc); if (pRemoveLoadImageNotifyRoutine == NULL)return 0; #ifdef _WIN64 switch (g_OsVersion) { case WIN7: { //fffff800`040cb000 c3 ret //fffff800`040cb001 f044013d3795d6ff lock add dword ptr[nt!PspLoadImageNotifyRoutineCount(fffff800`03e34540)], r15d // ffd69537+7+fffff800040cb001 // fffff80003e34540-7-fffff800040cb001=ffd69537 for (i = pRemoveLoadImageNotifyRoutine; i < pRemoveLoadImageNotifyRoutine + 0xff; i++) { if (*(PUCHAR)i == 0xc3 && *(PUCHAR)(i + 1) == 0xf0 && *(PUCHAR)(i + 2) == 0x44 && *(PUCHAR)(i + 3) == 0x01 && *(PUCHAR)(i + 4) == 0x3d) { RtlCopyMemory(&OffsetAddr64, (PUCHAR)(i + 5), sizeof(DWORD)); OffsetAddr = OffsetAddr64 + 9 + i; break; } } } break; case WIN8: case WIN81: case WIN10: { //fffff802`d0807275 c3 ret //fffff802`d0807276 f044012d8207d1ff lock add dword ptr[nt!PspLoadImageNotifyRoutineCount(fffff802`d0517a00)], r13d for (i = pRemoveLoadImageNotifyRoutine; i < pRemoveLoadImageNotifyRoutine + 0xff; i++) { if (*(PUCHAR)i == 0xc3 && *(PUCHAR)(i + 1) == 0xf0 && *(PUCHAR)(i + 2) == 0x44 && *(PUCHAR)(i + 3) == 0x01 && *(PUCHAR)(i + 4) == 0x2d) { RtlCopyMemory(&OffsetAddr64, (PUCHAR)(i + 5), sizeof(DWORD)); OffsetAddr = OffsetAddr64 + 9 + i; break; } } } break; default: break; } #else switch (g_OsVersion) { case WINXP: { //805c7247 b8ffffffff mov eax,0FFFFFFFFh //805c724c b968b25580 mov ecx, offset nt!PspLoadImageNotifyRoutineCount(8055b268) for (i = pRemoveLoadImageNotifyRoutine; i < pRemoveLoadImageNotifyRoutine + 0xff; i++) { if (*(PUCHAR)i == 0xb8 && *(PUCHAR)(i + 1) == 0xff && *(PUCHAR)(i + 2) == 0xff && *(PUCHAR)(i + 3) == 0xff && *(PUCHAR)(i + 4) == 0xff && *(PUCHAR)(i + 5) == 0xb9) { RtlCopyMemory(&OffsetAddr,(PUCHAR)(i + 6),sizeof(ULONG_PTR)); break; } } } break; case WIN7: { //83f236a9 c20400 ret 4 //83f236ac b8a06bd883 mov eax, offset nt!PspLoadImageNotifyRoutineCount(83d86ba0) for (i = pRemoveLoadImageNotifyRoutine; i < pRemoveLoadImageNotifyRoutine + 0xff; i++) { if (*(PUCHAR)i == 0xc2 && *(PUCHAR)(i + 1) == 0x04 && *(PUCHAR)(i + 2) == 0x00 && *(PUCHAR)(i + 3) == 0xb8) { RtlCopyMemory(&OffsetAddr, (PUCHAR)(i + 4), sizeof(ULONG_PTR)); break; } } } break; case WIN8: case WIN81: { //817dccba c20400 ret 4 //817dccbd b960c95f81 mov ecx, offset nt!PspLoadImageNotifyRoutineCount(815fc960) for (i = pRemoveLoadImageNotifyRoutine; i < pRemoveLoadImageNotifyRoutine + 0xff; i++) { if (*(PUCHAR)i == 0xc2 && *(PUCHAR)(i + 1) == 0x04 && *(PUCHAR)(i + 2) == 0x00 && *(PUCHAR)(i + 3) == 0xb9) { RtlCopyMemory(&OffsetAddr, (PUCHAR)(i + 4), sizeof(ULONG_PTR)); break; } } } break; case WIN10: { //81af7c5a c20400 ret 4 //81af7c5d f0ff0dc82dba81 lock dec dword ptr[nt!PspLoadImageNotifyRoutineCount(81ba2dc8)] for (i = pRemoveLoadImageNotifyRoutine; i < pRemoveLoadImageNotifyRoutine + 0xff; i++) { if (*(PUCHAR)i == 0xc2 && *(PUCHAR)(i + 1) == 0x04 && *(PUCHAR)(i + 2) == 0x00 && *(PUCHAR)(i + 3) == 0xf0 && *(PUCHAR)(i + 4) == 0xff && *(PUCHAR)(i + 5) == 0x0d) { RtlCopyMemory(&OffsetAddr, (PUCHAR)(i + 6), sizeof(ULONG_PTR)); break; } } } break; default: return 0; } #endif if (OffsetAddr && MmIsAddressValid(OffsetAddr)) { RoutineCount = *(PULONG)(OffsetAddr); //RoutineCount = *(PULONG_PTR)(OffsetAddr); } return RoutineCount; } //获取PspLoadImageNotifyRoutine ULONG_PTR GetPspLoadImageNotifyRoutine(void) { //定义变量 ULONG_PTR i = 0; LONG OffsetAddr64 = 0; ULONG_PTR OffsetAddr = 0; ULONG_PTR NotifyRoutine = 0; ULONG_PTR pRemoveLoadImageNotifyRoutine = NULL; UNICODE_STRING unstrFunc; RtlInitUnicodeString(&unstrFunc, L"PsRemoveLoadImageNotifyRoutine"); //获取函数地址 pRemoveLoadImageNotifyRoutine = (ULONG_PTR)MmGetSystemRoutineAddress(&unstrFunc); if (pRemoveLoadImageNotifyRoutine == NULL)return 0; #ifdef _WIN64 switch (g_OsVersion) { case WIN7: case WIN8: case WIN81: case WIN10: { //fffff800`040caf6e 488d0d8b95d6ff lea rcx, [nt!PspLoadImageNotifyRoutine(fffff800`03e34500)] //fffff800`03e34500=ffd6958b+7+ fffff800040caf6e for (i = pRemoveLoadImageNotifyRoutine; i < pRemoveLoadImageNotifyRoutine + 0xff; i++) { if (*(PUCHAR)i == 0x48 && *(PUCHAR)(i + 1) == 0x8d && *(PUCHAR)(i + 2) == 0x0d) { RtlCopyMemory(&OffsetAddr64, (PUCHAR)(i + 3), sizeof(DWORD)); OffsetAddr = OffsetAddr64 + 7 + i; break; } } } break; default: break; } #else switch (g_OsVersion) { case WINXP: { //805c7200 33db xor ebx, ebx //805c7202 bf80b25580 mov edi, offset nt!PspLoadImageNotifyRoutine(8055b280) for (i = pRemoveLoadImageNotifyRoutine; i < pRemoveLoadImageNotifyRoutine + 0xff; i++) { if (*(PUCHAR)i == 0x33 && *(PUCHAR)(i + 1) == 0xdb && *(PUCHAR)(i + 2) == 0xbf) { RtlCopyMemory(&OffsetAddr, (PUCHAR)(i + 3), sizeof(ULONG_PTR)); break; } } } break; case WIN7: { //83f23633 33db xor ebx, ebx //83f23635 c745fc806bd883 mov dword ptr[ebp - 4], offset nt!PspLoadImageNotifyRoutine(83d86b80) for (i = pRemoveLoadImageNotifyRoutine; i < pRemoveLoadImageNotifyRoutine + 0xff; i++) { if (*(PUCHAR)i == 0x33 && *(PUCHAR)(i + 1) == 0xdb && *(PUCHAR)(i + 2) == 0xc7 && *(PUCHAR)(i + 3) == 0x45 && *(PUCHAR)(i + 4) == 0xfc) { RtlCopyMemory(&OffsetAddr, (PUCHAR)(i + 5), sizeof(ULONG_PTR)); break; } } } break; case WIN8: { //817dcc48 8945fc mov dword ptr[ebp - 4], eax //817dcc4b be80c95f81 mov esi, offset nt!PspLoadImageNotifyRoutine(815fc980) for (i = pRemoveLoadImageNotifyRoutine; i < pRemoveLoadImageNotifyRoutine + 0xff; i++) { if (*(PUCHAR)i == 0x89 && *(PUCHAR)(i + 1) == 0x45 && *(PUCHAR)(i + 2) == 0xfc && *(PUCHAR)(i + 3) == 0xbe) { RtlCopyMemory(&OffsetAddr, (PUCHAR)(i + 4), sizeof(ULONG_PTR)); break; } } } break; case WIN81: { //8185f7c2 33c0 xor eax, eax //8185f7c4 bbe8d16081 mov ebx, offset nt!PspLoadImageNotifyRoutine(8160d1e8) for (i = pRemoveLoadImageNotifyRoutine; i < pRemoveLoadImageNotifyRoutine + 0xff; i++) { if (*(PUCHAR)i == 0x33 && *(PUCHAR)(i + 1) == 0xc0 && *(PUCHAR)(i + 2) == 0xbb) { RtlCopyMemory(&OffsetAddr, (PUCHAR)(i + 3), sizeof(ULONG_PTR)); break; } } } break; case WIN10: { //81af7bdb 33c0 xor eax, eax //81af7bdd bb304a8681 mov ebx, offset nt!PspLoadImageNotifyRoutine(81864a30) for (i = pRemoveLoadImageNotifyRoutine; i < pRemoveLoadImageNotifyRoutine + 0xff; i++) { if (*(PUCHAR)i == 0x33 && *(PUCHAR)(i + 1) == 0xc0 && *(PUCHAR)(i + 2) == 0xbb) { RtlCopyMemory(&OffsetAddr, (PUCHAR)(i + 3), sizeof(ULONG_PTR)); break; } } } break; default: break; } #endif if (OffsetAddr && MmIsAddressValid(OffsetAddr)) { NotifyRoutine = OffsetAddr; } return NotifyRoutine; } //获取系统版本 BOOLEAN GetOsVer(void) { ULONG dwMajorVersion = 0; ULONG dwMinorVersion = 0; PsGetVersion(&dwMajorVersion, &dwMinorVersion, NULL, NULL); if (dwMajorVersion == 5 && dwMinorVersion == 1) g_OsVersion = WINXP; else if (dwMajorVersion == 6 && dwMinorVersion == 1) g_OsVersion = WIN7; else if (dwMajorVersion == 6 && dwMinorVersion == 2) g_OsVersion = WIN8; else if (dwMajorVersion == 6 && dwMinorVersion == 3) g_OsVersion = WIN81; else if (dwMajorVersion == 10 && dwMinorVersion == 0) g_OsVersion = WIN10; else { g_OsVersion = 0; KdPrint(("未知版本")); return FALSE; } return TRUE; }
相关文章推荐
- 一个PsSetLoadImageNotifyRoutine回调内核注入DLL,支持xp ~ win7源码
- 枚举移除PsSetCreateProcessNotifyRoutine
- 在LoadImageNotifyRoutine中取加载进程名
- 一份全系统x86x64通用的镜像回调枚举(LoadImageNotify)
- 关于函数PsSetLoadImageNotifyRoutine的通知时机
- loadImageNotifyRoutine阻止驱动加载
- loadImageNotifyRoutine中拿全路径
- POJ 3600 Subimage Recognition【递归DFS + 模拟枚举】
- android-image: load large bitmap Efficiently
- FSDK_LoadImageFromFile
- Load image/css/js locally from Webview in Android Mobile app
- [RemotingFAQ]Load Remoting得到BadImageFormatException
- ios xcode Could not load the "MyImage.png" image referenced from a nib in the bundle with identifier
- Xcode—Could not load the "image.png" image
- Boadload和Image$$??$$Limit含义
- EGOImageLoading在UITableView滚动时无法加载图片do not load while scrolling
- PrjImageLazyLoad
- use notifyicon to minimize the image onto the toolbar
- 一些常用的第三方框架之ImageLoad
- Unhandled Exception: System.BadImageFormatException: Could not load file or assembly