具体问题就是驱动能被monitor加载 卸载 但是一执行其他操作 电脑就会蓝屏 出现错误为DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS
我具体的代码是这样的:
#include<ntddk.h>
#include <windef.h>
VOID OnUnload(IN PDRIVER_OBJECT DriverObject);
#pragma pack(1)
typedef struct _TOP5CODE
{
BYTE E8;
ULONG address;//+8 88881234=B
}TOP5CODE,*PTOP5CODE;
#pragma pack( )
PEPROCESS processEPROCESS = NULL;
ANSI_STRING p_str1,p_str2;
BYTE *ObOpenObjectByPointerAddress = NULL; //ObOpenObjectByPointer的地址
BYTE *p_TpHookAddress = NULL;
BYTE *p_ReturnAddress = NULL;
BYTE *p_MyHookAddress = NULL;
#define 9J_EXE "9j.exe"
__declspec(naked) VOID Nakd_NtOpenProcess()
{
processEPROCESS = IoGetCurrentProcess();
RtlInitAnsiString(&p_str1,(PCSZ)((ULONG)processEPROCESS+0x174));
RtlInitAnsiString(&p_str2,9J_EXE);
if (RtlCompareString(&p_str1,&p_str2,TRUE) == 0)
{
__asm
{
push dword ptr [ebp-38h]
push dword ptr [ebp-24h]
push p_ReturnAddress
mov eax,p_TpHookAddress
jmp eax
}
}
else
{
__asm
{
push dword ptr [ebp-38h]
push dword ptr [ebp-24h]
push p_ReturnAddress
mov eax,ObOpenObjectByPointerAddress
jmp eax
}
}
}
NTSTATUS My_RecoveryHook_NtOpenProcess()
{
BYTE *NtOpenProcessAddress = NULL;
BYTE *p = NULL;
TOP5CODE *top5code = NULL;
BYTE JmpAddress[6] = {0xE9,0,0,0,0,0x90};
KIRQL Irql;
UNICODE_STRING Old_NtOpenProcess;
UNICODE_STRING Old_ObOpenObjectByPointerAddress;
int i=0;
RtlInitUnicodeString(&Old_NtOpenProcess,L"NtOpenProcess");
NtOpenProcessAddress = (BYTE*)MmGetSystemRoutineAddress(&Old_NtOpenProcess);
if (NtOpenProcessAddress == NULL)
{
KdPrint(("NtOpenProcess地址获取失败\n"));
}
RtlInitUnicodeString(&Old_ObOpenObjectByPointerAddress,L"ObOpenObjectByPointer");
ObOpenObjectByPointerAddress=(BYTE*)MmGetSystemRoutineAddress(&Old_ObOpenObjectByPointerAddress);
if (ObOpenObjectByPointerAddress == NULL)
{
KdPrint(("ObOpenObjectByPointer地址获取失败\n"));
}
p = NtOpenProcessAddress;
while (i<1000)
{
if ((*(p-7) == 0x50) &&
(*(p-6) == 0xff) &&
(*(p-5) == 0x75) &&
(*(p-4) == 0xc8) &&
(*(p-3) == 0xff) &&
(*(p-2) == 0x75) &&
(*(p-1) == 0xdc))
{
KdPrint(("%0X \n",(ULONG)p));
break;
}
i++;
p++;
}
top5code = (TOP5CODE*)p;
p_TpHookAddress = (BYTE*)((ULONG)p+5+top5code->address);
p_MyHookAddress = p-6;
p_ReturnAddress = p+5;
*(ULONG *)(JmpAddress+1)=(ULONG)Nakd_NtOpenProcess - ((ULONG)p_MyHookAddress+5);
__asm
{
cli
mov eax,cr0
and eax,not 10000h
mov cr0,eax
}
Irql=KeRaiseIrqlToDpcLevel();
RtlCopyMemory(p_MyHookAddress,JmpAddress,6);
KeLowerIrql(Irql);
__asm
{
mov eax,cr0
or eax,10000h
mov cr0,eax
sti
}
return STATUS_SUCCESS;
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,PUNICODE_STRING RegistryPath)
{
DbgPrint("Unhooker load");
My_RecoveryHook_NtOpenProcess();
DriverObject->DriverUnload = OnUnload;
return (1);
}
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
DbgPrint("Unhooker unload!");
}
刚学驱动 参考别人的写了个驱动 出现这个问题 网上没找到原因 求大牛指教。。。
[课程]Linux pwn 探索篇!