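// Disable driver loading.
//
// Installs an inline hook on SeSinglePrivilegeCheck (via its copy in the
// reloaded kernel image) so that NewSeSinglePrivilegeCheck can refuse the
// privilege check when it is reached from ZwLoadDriver or
// ZwSetSystemInformation.
//
// Side effects: writes the ul*Base / ul*Size globals that the hook compares
// return addresses against, and sets SeSinglePrivilegeCheckHooked on success.
// Returns STATUS_SUCCESS only when the hook is in place; STATUS_UNSUCCESSFUL
// when a routine cannot be resolved or a hook step fails. (The original
// returned STATUS_SUCCESS even when the hook was not installed, which left
// the caller believing loading was blocked when it was not.)
NTSTATUS DisEnableDriverLoading()
{
    int bRet;

    // Resolve the two routines whose call sites the hook looks for.
    ulZwSetSystemInformationBase = GetSystemRoutineAddress(1, L"ZwSetSystemInformation");
    ulNtLoadDriverBase = GetSystemRoutineAddress(1, L"ZwLoadDriver");
    if (ulNtLoadDriverBase &&
        ulZwSetSystemInformationBase)
    {
        // The sizes bound the return-address range test done in the hook.
        ulNtLoadDriverSize = SizeOfProc(ulNtLoadDriverBase);
        ulZwSetSystemInformationSize = SizeOfProc(ulZwSetSystemInformationBase);
    }

    // The routine to hook.
    ulSeSinglePrivilegeCheck = GetSystemRoutineAddress(1, L"SeSinglePrivilegeCheck");
    if (!ulSeSinglePrivilegeCheck ||
        !ulNtLoadDriverBase ||
        !ulZwSetSystemInformationBase)
    {
        return STATUS_UNSUCCESSFUL;
    }

    // Rebase the three addresses into the reloaded kernel image
    // (SystemKernelModuleBase -> ImageModuleBase). The hook runs in, and
    // compares return addresses against, the reloaded copy, so addresses from
    // the live kernel would not match (original note: "otherwise the check
    // is wrong").
    ulNtLoadDriverBase = ulNtLoadDriverBase - SystemKernelModuleBase + ImageModuleBase;
    ulZwSetSystemInformationBase = ulZwSetSystemInformationBase - SystemKernelModuleBase + ImageModuleBase;
    ulReloadSeSinglePrivilegeCheck = ulSeSinglePrivilegeCheck - SystemKernelModuleBase + ImageModuleBase;

    // Two-step hook, presumably (hook, target, ...) argument order -- confirm
    // against HookFunctionByHeaderAddress:
    //  1) live SeSinglePrivilegeCheck -> its reloaded copy
    bRet = HookFunctionByHeaderAddress(
        ulReloadSeSinglePrivilegeCheck,
        ulSeSinglePrivilegeCheck,
        SeSinglePrivilegeCheckHookZone,
        &SeSinglePrivilegeCheckPatchCodeLen,
        &SeSinglePrivilegeCheckRet
        );
    if (bRet)
    {
        //  2) reloaded copy -> NewSeSinglePrivilegeCheck
        bRet = HookFunctionByHeaderAddress(
            NewSeSinglePrivilegeCheck,
            ulReloadSeSinglePrivilegeCheck,
            SeSinglePrivilegeCheckHookZone,
            &SeSinglePrivilegeCheckPatchCodeLen,
            &SeSinglePrivilegeCheckRet
            );
        if (bRet)
        {
            SeSinglePrivilegeCheckHooked = TRUE;
        }
        // NOTE(review): if step 2 fails, step 1 stays applied; no unhook
        // routine is visible here to undo it.
    }

    // Fail closed in the return value: report failure whenever the hook did
    // not end up installed.
    return bRet ? STATUS_SUCCESS : STATUS_UNSUCCESSFUL;
}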
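// Make the privilege check fail in order to block driver loading.
//
// Replacement for SeSinglePrivilegeCheck. When the check is reached from
// inside ZwLoadDriver or ZwSetSystemInformation and the caller is not the
// protected process (ProtectEProcess), the privilege is denied (FALSE).
// Every other call falls through to the original routine via the hook zone.
//
// PrivilegeValue, PreviousMode: forwarded unchanged to the original routine.
// Returns FALSE to deny, otherwise the original routine's result.
//
// The stray forum markup ([COLOR] tags) that the listing carried inside this
// function has been removed; the logic is unchanged.
BOOLEAN __stdcall NewSeSinglePrivilegeCheck(
    __in LUID PrivilegeValue,
    __in KPROCESSOR_MODE PreviousMode
    )
{
    ULONG ulPage;

    if (!bIsInitSuccess)
    {
        goto _FunctionRet;
    }

    // Read this call's return address from the saved EBP frame. x86 only
    // (MSVC inline asm); assumes the function is compiled with a frame
    // pointer -- under frame-pointer omission [ebp+4] is not the return
    // address and the range test below is meaningless.
    _asm
    {
        mov eax,dword ptr[ebp+4]
        mov ulPage,eax
    }

    // RPsGetCurrentProcess is resolved elsewhere (a commented-out
    // ReLoadNtosCALL(L"PsGetCurrentProcess", SystemKernelModuleBase,
    // ImageModuleBase) call in the original shows the intended source).
    // Without it the protected process cannot be told apart, so fall back to
    // the original check rather than deny.
    if (!RPsGetCurrentProcess)
    {
        goto _FunctionRet;
    }

    // The protected process keeps normal privilege-check behaviour.
    if (RPsGetCurrentProcess() == ProtectEProcess)
    {
        goto _FunctionRet;
    }

    // Deny when the caller lies inside ZwLoadDriver or ZwSetSystemInformation.
    // Both ranges use the reloaded-image addresses set up by
    // DisEnableDriverLoading. NOTE(review): the upper bound is inclusive, so
    // base+size (the first byte past the routine) also matches.
    if (ulPage >= ulNtLoadDriverBase && ulPage <= ulNtLoadDriverBase + ulNtLoadDriverSize)
    {
        return FALSE;
    }
    if (ulPage >= ulZwSetSystemInformationBase && ulPage <= ulZwSetSystemInformationBase + ulZwSetSystemInformationSize)
    {
        return FALSE;
    }

_FunctionRet:
    // Call the original routine through the hook zone (presumably the saved
    // head of the original function plus a jump back into it).
    OldSeSinglePrivilegeCheck = (SeSinglePrivilegeCheck_1)SeSinglePrivilegeCheckHookZone;
    return OldSeSinglePrivilegeCheck(
        PrivilegeValue,
        PreviousMode
        );
}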
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
// Minimal UNICODE_STRING layout: Length / MaximumLength (bytes) and Buffer.
// LoadDriver below also uses this layout for the ANSI source string it hands
// to RtlAnsiStringToUnicodeString, since no ANSI_STRING type is declared here.
typedef struct _LSA_UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PVOID Buffer;
} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING;
typedef LSA_UNICODE_STRING UNICODE_STRING, *PUNICODE_STRING;
// Declare the ntdll functions used here. The prototypes are deliberately
// loose (PVOID / DWORD) rather than the real ntdll signatures; the pointers
// are filled in by main() via GetProcAddress and must be non-NULL before
// LoadDriver is called.
typedef DWORD (CALLBACK* RTLANSISTRINGTOUNICODESTRING)(PVOID, PVOID,DWORD);
RTLANSISTRINGTOUNICODESTRING RtlAnsiStringToUnicodeString; // (dest, src, allocate-dest flag)
typedef DWORD (CALLBACK* RTLFREEUNICODESTRING)(PVOID);
RTLFREEUNICODESTRING RtlFreeUnicodeString;                 // frees a dest allocated above
typedef DWORD (CALLBACK* ZWLOADDRIVER)(PVOID);
ZWLOADDRIVER ZwLoadDriver;                                 // (registry path of the service key); returns NTSTATUS
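// Remove the temporary service key that LoadDriver created: the Enum and
// Security subkeys first, because RegDeleteKey refuses to delete a key that
// still has subkeys. Deletion failures are ignored, as in the original.
static void RemoveServiceKey(const char *szDrvName)
{
    static const char *const suffixes[] = { "\\Enum", "\\Security", "" };
    char szSubKey[200];
    size_t i;

    for (i = 0; i < sizeof suffixes / sizeof suffixes[0]; i++)
    {
        int n = snprintf(szSubKey, sizeof szSubKey,
                         "System\\CurrentControlSet\\Services\\%s%s",
                         szDrvName, suffixes[i]);
        if (n < 0 || (size_t)n >= sizeof szSubKey)
        {
            return; // over-long name: nothing was created under this path either
        }
        RegDeleteKey(HKEY_LOCAL_MACHINE, szSubKey);
    }
}

// Register szDrvName as a kernel-driver service under a temporary registry
// key, load it with ZwLoadDriver, then remove the key again.
//
// szDrvName: service name; also used as the registry key name.
// szDrvPath: path of the driver image; made absolute with GetFullPathName.
// Returns true only when ZwLoadDriver reports success. Returns false on an
// over-long name or path, a registry error, or a failing NTSTATUS (the
// original returned true regardless of the load result).
// Requires RtlAnsiStringToUnicodeString, RtlFreeUnicodeString and ZwLoadDriver
// to have been resolved first (see main()).
//
// Notes on changes from the original: backslashes in the registry / NT path
// strings and in "\r\n" were rendered as '/' in the listing this was taken
// from and are restored here; unbounded sprintf is replaced by snprintf
// (C99 -- on pre-2015 MSVC substitute _snprintf_s or equivalent).
int LoadDriver(char * szDrvName, char * szDrvPath)
{
    char szSubKey[200], szDrvFullPath[256];
    LSA_UNICODE_STRING buf1;   // UNICODE_STRING allocated by RtlAnsiStringToUnicodeString
    LSA_UNICODE_STRING buf2;   // source string, used with the ANSI_STRING layout
    HKEY hkResult = NULL;
    int iBuffLen;
    DWORD dwFullLen;
    DWORD dwStatus;
    DWORD dwType = SERVICE_KERNEL_DRIVER;        // value 1, as the original wrote
    DWORD dwErrorControl = SERVICE_ERROR_NORMAL; // value 1
    DWORD dwStart = SERVICE_SYSTEM_START;        // value 1
    int iLoaded = false;

    // Service key path; bail out instead of overflowing szSubKey.
    iBuffLen = snprintf(szSubKey, sizeof szSubKey,
                        "System\\CurrentControlSet\\Services\\%s", szDrvName);
    if (iBuffLen < 0 || (size_t)iBuffLen >= sizeof szSubKey)
    {
        return false;
    }
    if (RegCreateKey(HKEY_LOCAL_MACHINE, szSubKey, &hkResult) != ERROR_SUCCESS)
    {
        return false;
    }

    // Type / ErrorControl / Start as REG_DWORD (the original passed the raw
    // type code 4 and a hand-built little-endian byte array, unchecked).
    if (RegSetValueEx(hkResult, "Type", 0, REG_DWORD,
                      (const BYTE *)&dwType, sizeof dwType) != ERROR_SUCCESS ||
        RegSetValueEx(hkResult, "ErrorControl", 0, REG_DWORD,
                      (const BYTE *)&dwErrorControl, sizeof dwErrorControl) != ERROR_SUCCESS ||
        RegSetValueEx(hkResult, "Start", 0, REG_DWORD,
                      (const BYTE *)&dwStart, sizeof dwStart) != ERROR_SUCCESS)
    {
        goto cleanup;
    }

    // ImagePath is an NT path: "\??\<absolute Win32 path>". GetFullPathName
    // returns 0 on error and the required size when the buffer is too small;
    // both cases were previously unchecked.
    dwFullLen = GetFullPathName(szDrvPath, (DWORD)sizeof szDrvFullPath, szDrvFullPath, NULL);
    if (dwFullLen == 0 || dwFullLen >= sizeof szDrvFullPath)
    {
        goto cleanup;
    }
    printf("Loading driver: %s\r\n", szDrvFullPath);
    iBuffLen = snprintf(szSubKey, sizeof szSubKey, "\\??\\%s", szDrvFullPath);
    if (iBuffLen < 0 || (size_t)iBuffLen >= sizeof szSubKey)
    {
        goto cleanup;
    }
    // REG_SZ data includes the terminating NUL (the original omitted it).
    if (RegSetValueEx(hkResult, "ImagePath", 0, REG_SZ,
                      (const BYTE *)szSubKey, (DWORD)iBuffLen + 1) != ERROR_SUCCESS)
    {
        goto cleanup;
    }
    RegCloseKey(hkResult);
    hkResult = NULL;

    // ZwLoadDriver takes the registry path of the service key as an NT path.
    iBuffLen = snprintf(szSubKey, sizeof szSubKey,
                        "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\%s",
                        szDrvName);
    if (iBuffLen < 0 || (size_t)iBuffLen >= sizeof szSubKey)
    {
        goto cleanup;
    }
    buf2.Buffer = (PVOID)szSubKey;
    buf2.Length = (USHORT)iBuffLen;
    buf2.MaximumLength = (USHORT)(iBuffLen + 1); // was left uninitialised
    // Third argument 1 = allocate the destination buffer; freed below.
    // NTSTATUS success is a non-negative value (NT_SUCCESS), hence the sign tests.
    dwStatus = RtlAnsiStringToUnicodeString(&buf1, &buf2, 1);
    if ((LONG)dwStatus < 0)
    {
        printf("RtlAnsiStringToUnicodeString failed: 0x%08lX\r\n", (unsigned long)dwStatus);
        goto cleanup;
    }
    // Load the driver.
    dwStatus = ZwLoadDriver(&buf1);
    RtlFreeUnicodeString(&buf1);
    iLoaded = ((LONG)dwStatus >= 0);
    if (!iLoaded)
    {
        printf("ZwLoadDriver failed: 0x%08lX\r\n", (unsigned long)dwStatus);
    }

cleanup:
    if (hkResult)
    {
        RegCloseKey(hkResult);
    }
    // The key is only needed for the load itself; remove it again whether or
    // not the load succeeded, as the original did.
    RemoveServiceKey(szDrvName);
    return iLoaded;
}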
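// Entry point: resolve the ntdll routines LoadDriver needs, then register and
// load the driver named on the command line.
//
// Usage: <exe> <DriverFilename> <DriverPath>
// Exit status: EXIT_SUCCESS when the driver loaded, EXIT_FAILURE on a missing
// ntdll export or load failure, -1 on a usage error (kept from the original).
// The original returned 1 on success and 0 on failure, i.e. inverted from the
// shell convention; "\r\n" / "\n" were rendered as "/r/n" / "/n" in the
// listing this was taken from and are restored here.
int main(int argc, char *argv[])
{
    HMODULE hNtdll = NULL;

    printf("Load driver with ZwLoadDriver( )\r\n");
    printf("Date: 8th May 2007\r\n");
    printf("Modifed by: GaRY <wofeiwo_at_gmail_dot_com>\r\n\r\n");
    if (argc != 3)
    {
        printf("Usage: %s <DriverFilename> <DriverPath>\r\n", argv[0]);
        exit(-1);
    }

    // Fetch the functions from ntdll.dll.
    hNtdll = LoadLibrary("ntdll.dll");
    if (!hNtdll)
    {
        // GetLastError() is a DWORD; %lu matches it (the original used %d).
        printf("LoadLibrary( NTDLL.DLL ) Error:%lu\n", (unsigned long)GetLastError());
        return EXIT_FAILURE;
    }
    RtlAnsiStringToUnicodeString = (RTLANSISTRINGTOUNICODESTRING)
        GetProcAddress(hNtdll, "RtlAnsiStringToUnicodeString");
    RtlFreeUnicodeString = (RTLFREEUNICODESTRING)
        GetProcAddress(hNtdll, "RtlFreeUnicodeString");
    ZwLoadDriver = (ZWLOADDRIVER)
        GetProcAddress(hNtdll, "ZwLoadDriver");
    // Every export must resolve before LoadDriver calls through the pointers
    // (the original never checked and would have called through NULL).
    if (!RtlAnsiStringToUnicodeString || !RtlFreeUnicodeString || !ZwLoadDriver)
    {
        printf("GetProcAddress( NTDLL.DLL ) Error:%lu\n", (unsigned long)GetLastError());
        return EXIT_FAILURE;
    }

    // Register and load the driver.
    if (LoadDriver(argv[1], argv[2]) == false)
    {
        return EXIT_FAILURE;
    }
    return EXIT_SUCCESS;
}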