[原创]在回调中查找驱动加载进程
发表于: 2024-5-27 14:25 2131
普通进程加载驱动,一般都是通过服务加载:进程与服务进程通信,服务进程再通知系统进程来加载驱动。如果在回调中拦截驱动加载,当前进程都是系统进程,想要获取具体是哪个进程在加载,就要在回调中找到哪个进程正在与服务进程通信。在 Win7 以上都是通过 ALPC 通信,因此在模块回调和 minifilter 回调中遍历所有线程,通过调用 ZwAlpcQueryInformation 查询哪个线程正在和服务进程通信,基本就能确定是哪个进程在加载驱动。(没有考虑进程自己调用 NtLoadDriver 的情况,这种往往需要向所有线程插入 APC,回溯出哪个线程的地址处于 NtLoadDriver 与 NtLoadDriver+0x400 区间内。)
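/*
 * EnumSystemLoadingThreadffffffffffff
 *
 * Walks every thread of every process (skipping the Idle and System
 * processes and the calling thread) and asks ZwAlpcQueryInformation which
 * process each thread's ALPC port is connected to.  The first thread found
 * talking to ServiceProcessId is taken to be the one that asked the service
 * to load a driver, and the id of its owning process is returned.
 *
 * pProcessId       - receives the process id of the loading process on success.
 * ServiceProcessId - process id of the service process; the caller must look
 *                    it up itself (the author uses L"services.exe").
 *
 * Returns STATUS_SUCCESS when a matching thread was found,
 * STATUS_INVALID_PARAMETER when pProcessId is NULL, and STATUS_UNSUCCESSFUL
 * when the process list could not be obtained or no thread matched.
 *
 * ZwAlpcQueryInformation is not documented; the information class (4) and
 * the ALPC_THREAD_INFO layout were reverse engineered by the author and may
 * differ between Windows versions.
 */
NTSTATUS EnumSystemLoadingThreadffffffffffff(
    PHANDLE pProcessId,      /* out: id of the process loading the driver */
    HANDLE ServiceProcessId  /* service process id, looked up by the caller (L"services.exe") */
    )
{
    /* Layout reverse engineered from ZwAlpcQueryInformation by the author. */
    typedef struct _ALPC_THREAD_INFO
    {
        HANDLE hTread;           /* in: handle of the thread to query */
        HANDLE Pid;              /* out: id of the process on the other end of the port */
        UNICODE_STRING AlpcName; /* out: port name */
    } ALPC_THREAD_INFO, *PALPC_THREAD_INFO;

    /* Deliberately larger than the struct: the undocumented call may append
     * data after it, so the author over-allocates the query buffer. */
    enum { ALPC_QUERY_BUFFER_SIZE = 0x255 };
    enum { ALPC_QUERY_INFO_CLASS = 4 }; /* undocumented information class used by the author */

    if (pProcessId == NULL)
    {
        return STATUS_INVALID_PARAMETER;
    }

    PSYSTEM_PROCESS_INFORMATION SystemProcess = GetProcessInformationssssssssssss();
    if (SystemProcess == NULL)
    {
        return STATUS_UNSUCCESSFUL;
    }

    /* Hoisted out of the loop: the calling thread is excluded from the scan. */
    const HANDLE CurrentThreadId = PsGetCurrentThreadId();
    BOOLEAN Found = FALSE;

    for (PSYSTEM_PROCESS_INFORMATION pCurrent = SystemProcess;
         pCurrent != NULL && !Found;
         pCurrent = (pCurrent->NextEntryOffset == 0)
                        ? NULL
                        : (PSYSTEM_PROCESS_INFORMATION)((ULONG_PTR)pCurrent + pCurrent->NextEntryOffset))
    {
        /* Pid 0 is the Idle process and pid 4 is System; neither loads drivers
         * on behalf of a user-mode caller. */
        if (pCurrent->UniqueProcessId == NULL || pCurrent->UniqueProcessId == (HANDLE)4)
        {
            continue;
        }

        /* The thread records immediately follow the process record. */
        PSYSTEM_THREAD_INFORMATION Threads = (PSYSTEM_THREAD_INFORMATION)&pCurrent[1];

        for (ULONG i = 0; i < pCurrent->NumberOfThreads && !Found; i++)
        {
            HANDLE ThreadId = Threads[i].ClientId.UniqueThread;
            if (ThreadId == CurrentThreadId)
            {
                continue;
            }

            PETHREAD Thread = NULL;
            if (!NT_SUCCESS(PsLookupThreadByThreadId(ThreadId, &Thread)))
            {
                continue; /* thread exited between the snapshot and now */
            }

            /* OBJ_KERNEL_HANDLE keeps the handle out of the current process's
             * handle table; this runs in an arbitrary (system) process context
             * and user mode must never be able to reach the thread handle.
             * With KernelMode the access check is skipped, so no specific
             * rights are requested, matching the original call. */
            HANDLE hThread = NULL;
            NTSTATUS Status = ObOpenObjectByPointer(Thread, OBJ_KERNEL_HANDLE, NULL, 0,
                                                    *PsThreadType, KernelMode, &hThread);
            if (!NT_SUCCESS(Status))
            {
                ObDereferenceObject(Thread);
                continue;
            }

            /* Overlay the struct on the byte buffer so the HANDLE/UNICODE_STRING
             * members are correctly aligned instead of punning a UCHAR array. */
            union
            {
                ALPC_THREAD_INFO Info;
                UCHAR Raw[ALPC_QUERY_BUFFER_SIZE];
            } QueryBuffer;
            RtlZeroMemory(&QueryBuffer, sizeof QueryBuffer);
            QueryBuffer.Info.hTread = hThread;

            ULONG ReturnedLength = 0;
            /* Undocumented export: first argument is unused (NULL), second is
             * the information class; the author no longer recalls the details. */
            Status = ZwAlpcQueryInformation(NULL, ALPC_QUERY_INFO_CLASS, QueryBuffer.Raw,
                                            ALPC_QUERY_BUFFER_SIZE, &ReturnedLength);
            if (NT_SUCCESS(Status) && QueryBuffer.Info.Pid == ServiceProcessId)
            {
                /* IoThreadToProcess does not add a reference; Thread is still
                 * referenced here, so the PEPROCESS is valid for this lookup. */
                PEPROCESS LoadProcess = IoThreadToProcess(Thread);
                /* pProcessId is a PHANDLE: store the HANDLE directly rather than
                 * truncating it through ULONG as the original did. */
                *pProcessId = PsGetProcessId(LoadProcess);
                Found = TRUE;
            }

            ZwClose(hThread);
            ObDereferenceObject(Thread);
        }
    }

    ExFreePool(SystemProcess);
    return Found ? STATUS_SUCCESS : STATUS_UNSUCCESSFUL;
}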