/*
 * DriverEntry — Hex-Rays decompilation of the "HideToolz" driver entry point.
 *
 * DriverObject1 : the DRIVER_OBJECT, received as a raw QWORD array.
 * a2            : the registry path, used here as a wide-char pointer.
 * Returns an NTSTATUS: 0 on success, 0xC0000001 (STATUS_UNSUCCESSFUL) when
 * the registry-path copy or device initialisation fails, otherwise the status
 * of the last helper called (see the note on sub_140003610 below).
 *
 * Analyst notes (defensive): two behaviours in this routine are useful
 * indicators — the driver switches off an attached kernel debugger, and it
 * rewrites its own loader entry (DriverSection) so the kernel treats the
 * image as if it had been linked with /INTEGRITYCHECK.
 */
__int64 __fastcall DriverEntry(_QWORD *DriverObject1, __int64 a2)
{
  unsigned __int16 *RegistryPath; // rdi
  struct _DRIVER_OBJECT *DriverObject; // rbx
  __int64 result; // rax

  RegistryPath = (unsigned __int16 *)a2;
  // Index 13 is byte offset 0x68 of the x64 DRIVER_OBJECT, i.e. DriverUnload.
  DriverObject1[13] = sub_1400013DC;
  DriverObject = (struct _DRIVER_OBJECT *)DriverObject1;
  // Anti-debugging: tear down an attached kernel debugger before anything else.
  if ( (_BYTE)KdDebuggerEnabled )
    KdDisableDebugger();
  result = GetWindowsVersion();
  if ( (signed int)result >= 0 )
  {
    // Presumably probes whether \??\HideToolz already exists (a single-instance
    // check) — confirm. Setup only continues when that call FAILS; when it
    // succeeds, DriverEntry returns its non-negative status without ever
    // installing dispatch routines, i.e. the driver stays loaded but inert.
    result = sub_140003610(L"\\??\\HideToolz");
    if ( (signed int)result < 0 )
    {
      // P is a decompiler-named global that keeps the copied registry path.
      P = NewRegistryPath(RegistryPath);
      // qword_14002C128 caches the DRIVER_OBJECT for the rest of the driver.
      if ( P && (qword_14002C128 = (__int64)DriverObject, initDevice(DriverObject) >= 0) )
      {
        // Dispatch routines are only wired up if initDevice created a device;
        // without one the driver still reports success below.
        if ( DriverObject->DeviceObject )
        {
          DriverObject->MajorFunction[0] = (PDRIVER_DISPATCH)DispatchCommon;// IRP_MJ_CREATE
          DriverObject->MajorFunction[14] = (PDRIVER_DISPATCH)DispatchIoControl;// IRP_MJ_DEVICE_CONTROL
          DriverObject->MajorFunction[2] = (PDRIVER_DISPATCH)DispatchCommon;// IRP_MJ_CLOSE
        }
        sub_1400093B4();
        RxInitializeTopLevelIrpPackage();
        // Original author's reconstruction of the write below:
        // ldr = (PLDR_DATA_TABLE_ENTRY64)pDriverObj->DriverSection;
        // ldr->Flags |= 0x20;
        // (verified: adding "/INTEGRITYCHEC" [sic, /INTEGRITYCHECK] under Linker => Command Line has the same effect)
        //
        // DWORD index 26 is byte offset 0x68 of the x64 LDR_DATA_TABLE_ENTRY,
        // i.e. Flags. Setting 0x20 makes the loader entry look like a
        // force-integrity image — presumably so later calls that require an
        // /INTEGRITYCHECK-linked driver succeed. A driver patching its own
        // LDR entry is a strong memory-forensics indicator.
        *((_DWORD *)DriverObject->DriverSection + 26) |= 0x20u;
        // sub_1400013D0 is called back by the I/O manager after the remaining
        // drivers have finished initialising.
        IoRegisterDriverReinitialization(DriverObject, sub_1400013D0, 0i64);
        result = 0i64;
      }
      else
      {
        result = 3221225473i64;   // 0xC0000001 = STATUS_UNSUCCESSFUL
      }
    }
  }
  return result;
}

/*
 * DispatchIoControl — IRP_MJ_DEVICE_CONTROL handler installed by DriverEntry.
 *
 * a1   : the device object (unused in the recovered part of the body).
 * pIrp : the request being dispatched.
 * Returns 0xC0000001 (STATUS_UNSUCCESSFUL) on the only path the decompiler
 * recovered. The JUMPOUT targets are the real, obfuscated IOCTL handler and
 * are not visible here, so the request validation it performs (buffer sizes,
 * transfer method, probing of user-mode pointers) cannot be assessed from
 * this view; that handler is the driver's attack surface.
 */
signed __int64 __fastcall DispatchIoControl(__int64 a1, _IRP *pIrp)
{
  _IO_STACK_LOCATION *v2; // rax
  _IRP *v3; // rdi
  __int64 v4; // rbx
  __int64 v5; // rbp
  KPROCESSOR_MODE v6; // al

  v2 = pIrp->Tail.Overlay.CurrentStackLocation;
  v3 = pIrp;
  // Both reads hit byte offset 8 of the Parameters union, which in the
  // DEVICE_CONTROL view is IoControlCode; the decompiler merely picked other
  // union members for the names — verify against the disassembly.
  v4 = v2->Parameters.Read.ByteOffset.LowPart;
  v5 = v2->Parameters.Create.Options;
  // Requests are only serviced when the caller's previous mode is non-zero
  // (UserMode); kernel-mode callers fall through and are rejected below.
  v6 = ExGetPreviousMode();
  if ( v6 )
  {
    // Original author's remark: looked at the disassembly of this part, a
    // huge tangle of jumps — which tool was used to obfuscate it?
    if ( v6 )
      JUMPOUT(&loc_1400039DC);
    JUMPOUT(&loc_1400039DC);
  }
  // Fallback: fail the request with no output data.
  v3->IoStatus.Information = 0i64;
  v3->IoStatus.Status = 0xC0000001;
  IofCompleteRequest(v3, 0);
  return 0xC0000001i64;
}