-
-
[求助]??如何卸蒌SYS?案呢?
-
发表于: 2007-1-18 15:21
-
以下是加蒌SYS?案的函?
bool load_sysfile()
??大??卸蒌函?怎??呢?
不?感激!
//----------------------------------------------------------------
// standard headers
//----------------------------------------------------------------
#include <windows.h>
#include <stdio.h>
//----------------------------------------------------------------
// stuff not found in header files
//----------------------------------------------------------------
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
#ifdef MIDL_PASS
[size_is(MaximumLength / 2), length_is((Length) / 2) ] USHORT * Buffer;
#else // MIDL_PASS
PWSTR Buffer;
#endif // MIDL_PASS
} UNICODE_STRING, *PUNICODE_STRING;
typedef long NTSTATUS;
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
typedef
NTSTATUS
(__stdcall *ZWSETSYSTEMINFORMATION)(
DWORD SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength
);
typedef
VOID
(__stdcall *RTLINITUNICODESTRING)(
PUNICODE_STRING DestinationString,
PCWSTR SourceString
);
ZWSETSYSTEMINFORMATION ZwSetSystemInformation;
RTLINITUNICODESTRING RtlInitUnicodeString;
typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE
{
UNICODE_STRING ModuleName;
} SYSTEM_LOAD_AND_CALL_IMAGE, *PSYSTEM_LOAD_AND_CALL_IMAGE;
#define SystemLoadAndCallImage 38
//----------------------------------------------------------------
// load a sys file as a driver using undocumented method
//----------------------------------------------------------------
bool load_sysfile()
{
SYSTEM_LOAD_AND_CALL_IMAGE GregsImage;
WCHAR daPath[] = L"\\??\\C:\\ARCBOT.SYS";
//////////////////////////////////////////////////////////////
// get DLL entry points
//////////////////////////////////////////////////////////////
if( !(RtlInitUnicodeString = (RTLINITUNICODESTRING)
GetProcAddress( GetModuleHandle("ntdll.dll")
,"RtlInitUnicodeString"
)))
{
return false;
}
if(!(ZwSetSystemInformation = (ZWSETSYSTEMINFORMATION)
GetProcAddress(
GetModuleHandle("ntdll.dll")
,"ZwSetSystemInformation" )))
{
return false;
}
RtlInitUnicodeString(
&(GregsImage.ModuleName)
,daPath
);
if(
!NT_SUCCESS(
ZwSetSystemInformation(
SystemLoadAndCallImage
,&GregsImage
,sizeof(SYSTEM_LOAD_AND_CALL_IMAGE))))
{
return false;
}
return true;
}
bool unload_sysfile()
{
//??呃彦?怎?卸蒌呢?
}
bool load_sysfile()
??大??卸蒌函?怎??呢?
不?感激!
//----------------------------------------------------------------
// standard headers
//----------------------------------------------------------------
#include <windows.h>
#include <stdio.h>
//----------------------------------------------------------------
// stuff not found in header files
//----------------------------------------------------------------
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
#ifdef MIDL_PASS
[size_is(MaximumLength / 2), length_is((Length) / 2) ] USHORT * Buffer;
#else // MIDL_PASS
PWSTR Buffer;
#endif // MIDL_PASS
} UNICODE_STRING, *PUNICODE_STRING;
typedef long NTSTATUS;
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
typedef
NTSTATUS
(__stdcall *ZWSETSYSTEMINFORMATION)(
DWORD SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength
);
typedef
VOID
(__stdcall *RTLINITUNICODESTRING)(
PUNICODE_STRING DestinationString,
PCWSTR SourceString
);
ZWSETSYSTEMINFORMATION ZwSetSystemInformation;
RTLINITUNICODESTRING RtlInitUnicodeString;
typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE
{
UNICODE_STRING ModuleName;
} SYSTEM_LOAD_AND_CALL_IMAGE, *PSYSTEM_LOAD_AND_CALL_IMAGE;
#define SystemLoadAndCallImage 38
//----------------------------------------------------------------
// load a sys file as a driver using undocumented method
//----------------------------------------------------------------
bool load_sysfile()
{
SYSTEM_LOAD_AND_CALL_IMAGE GregsImage;
WCHAR daPath[] = L"\\??\\C:\\ARCBOT.SYS";
//////////////////////////////////////////////////////////////
// get DLL entry points
//////////////////////////////////////////////////////////////
if( !(RtlInitUnicodeString = (RTLINITUNICODESTRING)
GetProcAddress( GetModuleHandle("ntdll.dll")
,"RtlInitUnicodeString"
)))
{
return false;
}
if(!(ZwSetSystemInformation = (ZWSETSYSTEMINFORMATION)
GetProcAddress(
GetModuleHandle("ntdll.dll")
,"ZwSetSystemInformation" )))
{
return false;
}
RtlInitUnicodeString(
&(GregsImage.ModuleName)
,daPath
);
if(
!NT_SUCCESS(
ZwSetSystemInformation(
SystemLoadAndCallImage
,&GregsImage
,sizeof(SYSTEM_LOAD_AND_CALL_IMAGE))))
{
return false;
}
return true;
}
bool unload_sysfile()
{
//??呃彦?怎?卸蒌呢?
}
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
?有啉?了
只能??一下Win32ASM了
|
|
|
这个加载方式无法卸载的.
|
