通过改写 PE 入口点(AddressOfEntryPoint 指向的代码)来拦截驱动加载:把入口处的指令覆盖为 `mov eax, 0xC0000022 (STATUS_ACCESS_DENIED); ret`(x86 下为 `ret 8`,以清理 DriverEntry 的两个 stdcall 参数)。
这样即使驱动镜像已经被映射,DriverEntry 也会立即返回失败状态,驱动不会真正运行。注意:入口点所在页通常是只读的,写入前需要确保该页可写(否则会触发写保护异常);其余细节请按自己的环境调整。
调用方式(例如在 PsSetLoadImageNotifyRoutine 注册的镜像加载回调中,ImageInfo 为回调收到的 PIMAGE_INFO,此时目标镜像已映射但 DriverEntry 尚未执行):
StopDriver((PUCHAR)ImageInfo->ImageBase);
源文件(审阅提示:下面的 StopDriver 在计算出 NtHeader 之后校验的仍是 Base 而不是 NtHeader,且没有对 e_lfanew 做范围检查、也没有校验 NtHeader->Signature == IMAGE_NT_SIGNATURE;另外函数返回类型是 NTSTATUS 却 return FALSE,而 FALSE 等于 STATUS_SUCCESS,调用方用 NT_SUCCESS 判断时会误以为成功。使用前建议补上这些检查):
#include <ntifs.h>
#include "StopDriver.h"
// Local definition of IMAGE_FIRST_SECTION: locates the first section header
// of a mapped PE image by adding, to the NT header address, the offset of
// OptionalHeader plus FileHeader.SizeOfOptionalHeader (the section table
// starts immediately after the optional header).
// The OptionalHeader offset is taken from IMAGE_NT_HEADERS64 regardless of
// the image's bitness — presumably because Signature and FileHeader precede
// it in both the 32- and 64-bit layouts; verify before relying on this for
// PE32 images.
// NOTE(review): ntimage.h (pulled in through ntifs.h) already provides a
// macro of this name, so this redefinition may emit a macro-redefinition
// warning — confirm it is intended.
#define IMAGE_FIRST_SECTION( ntheader ) ((PIMAGE_SECTION_HEADER) \
((ULONG_PTR)(ntheader)+\
FIELD_OFFSET(IMAGE_NT_HEADERS64, OptionalHeader) + \
((ntheader))->FileHeader.SizeOfOptionalHeader \
))
NTSTATUS BasePlatform::StopDriver(PUCHAR Base)
{
UCHAR SysPatchCode64[16] = { 0xb8, 0x22, 0x00, 0x00, 0xc0, 0xc3, 0x90 };
UCHAR SysPatchCode32[16] = { 0xb8, 0x22, 0x00, 0x00, 0xc0, 0xc2, 0x08, 0x00, 0x90, 0x90 };
PIMAGE_DOS_HEADER DosHeader;
PIMAGE_NT_HEADERS NtHeader;
PUCHAR AddressOEP;
if (Base == NULL) return FALSE;
DosHeader = (PIMAGE_DOS_HEADER)Base;
if (!MmIsAddressValid(DosHeader)) return FALSE;
if (DosHeader->e_magic != IMAGE_DOS_SIGNATURE) return FALSE;
NtHeader = (PIMAGE_NT_HEADERS)(Base + DosHeader->e_lfanew);
if (!MmIsAddressValid(Base)) return FALSE;
AddressOEP = (PUCHAR)(Base + NtHeader->OptionalHeader.AddressOfEntryPoint);
//KdPrint(("Base:%x\n", Base));
//KdPrint(("AddressOEP:%x\n", AddressOEP));
if (NtHeader->FileHeader.Machine == I