win7 X86
驱动 (kernel-mode driver)
#include <ntifs.h>
#define DEVICE_NAME L"\\Device\\wangliang"
#define SYM_NAME L"\\??\\wangliang"
#define _COMM_ID 0x12345678
/*
 * Partial layout of the kernel loader's module entry, the object that
 * DRIVER_OBJECT::DriverSection points at in this driver (see DriverEntry).
 * Pointer-sized fields are declared as ULONG, so the layout is 32-bit only,
 * matching the "win7 X86" target named at the top of the file.
 * NOTE(review): "exp" and "un" are placeholders for fields this code never
 * reads; presumably the real structure continues past TimeDateStamp — confirm
 * against the target build before relying on sizeof().
 */
typedef struct _KLDR_DATA_TABLE_ENTRY {
    LIST_ENTRY InLoadOrderLinks;   /* links into the load-order module list; Flink is the only link this file follows */
    LIST_ENTRY exp;
    ULONG un;
    ULONG NonPagedDebugInfo;
    ULONG DllBase;                 /* image base; reported to user mode in CommPackage::DllBase */
    ULONG EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;    /* converted to ANSI into CommPackage::name */
    UNICODE_STRING BaseDllName;    /* converted to ANSI into CommPackage::name2 */
    ULONG Flags;
    USHORT LoadCount;
    USHORT __Undefined5;
    ULONG __Undefined6;
    ULONG CheckSum;
    ULONG TimeDateStamp;
} KLDR_DATA_TABLE_ENTRY, * PKLDR_DATA_TABLE_ENTRY;
/*
 * ObReferenceObjectByName: undocumented ntoskrnl export that resolves an
 * object-manager name to a referenced object of type ObjectType.
 * On success the caller owns one reference on *Object and must release it
 * with ObDereferenceObject; every call that is not paired with a release
 * leaks a reference on the target object.
 * NOTE(review): ObjectName is an object-manager path (for IoDriverObjectType
 * a name under \Driver), not an image file path — confirm what is passed in.
 */
NTKERNELAPI NTSTATUS ObReferenceObjectByName(
    __in PUNICODE_STRING ObjectName,
    __in ULONG Attributes,
    __in_opt PACCESS_STATE AccessState,
    __in_opt ACCESS_MASK DesiredAccess,
    __in POBJECT_TYPE ObjectType,
    __in KPROCESSOR_MODE AccessMode,
    __inout_opt PVOID ParseContext,
    __out PVOID* Object
);
extern POBJECT_TYPE* IoDriverObjectType;
/*
 * Request/response record exchanged with the user-mode client through
 * IRP_MJ_READ. The caller fills `id` and `pid`; the driver fills the rest.
 * The layout must stay identical to the copy declared in the R3 program.
 */
typedef struct _CommPackage {
    ULONG64 id;        /* must equal _COMM_ID for the name fields to be filled */
    ULONG64 pid;       /* 1-based index into the load-order module list */
    ULONG DllBase;     /* image base of the selected module (32-bit) */
    CHAR name[64];     /* ANSI full image name of the selected module */
    CHAR name2[64];    /* ANSI base image name of the selected module */
}CommPackage, * PCommPackage;
/* Callback type for a CommPackage consumer; nothing in this file assigns or invokes gCommCallback. */
typedef NTSTATUS(NTAPI* CommCallback)(PCommPackage package);
CommCallback gCommCallback = NULL;
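/*
 * Completes IRP_MJ_CREATE / IRP_MJ_CLOSE with STATUS_SUCCESS.
 *
 * Nothing is transferred, so IoStatus.Information is set to 0 explicitly
 * instead of being left at whatever the IRP carried; the request is completed
 * without a priority boost.
 */
NTSTATUS DefDispatch(DEVICE_OBJECT* DeviceObject, IRP* Irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);

    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}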
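/*
 * Converts one loader UNICODE_STRING to ANSI into a fixed-size field.
 *
 * At most cap-1 bytes are stored and the field is always NUL-terminated, so a
 * path longer than the 64-byte CommPackage fields is truncated instead of
 * overflowing into the next field (or past the user buffer). The field is
 * left empty when the string looks malformed or the conversion fails.
 *
 * Returns STATUS_SUCCESS, STATUS_INVALID_PARAMETER for a malformed string, or
 * the RtlUnicodeStringToAnsiString failure status.
 */
static NTSTATUS CopyNameField(PCUNICODE_STRING src, CHAR* dst, SIZE_T cap)
{
    ANSI_STRING ansi = { 0 };
    NTSTATUS status;
    SIZE_T count;

    dst[0] = '\0';
    /* Cheap sanity check. The circular list presumably also passes through
     * its head, which is not a module entry, so its "strings" are arbitrary
     * data — TODO confirm; this is the only guard against that here. */
    if (src->Buffer == NULL || src->Length == 0 || src->Length > src->MaximumLength) {
        return STATUS_INVALID_PARAMETER;
    }
    status = RtlUnicodeStringToAnsiString(&ansi, src, TRUE);
    if (!NT_SUCCESS(status)) {
        return status;
    }
    count = ansi.Length;
    if (count > cap - 1) {
        count = cap - 1;   /* truncate rather than overflow the fixed field */
    }
    RtlCopyMemory(dst, ansi.Buffer, count);
    dst[count] = '\0';
    RtlFreeAnsiString(&ansi);
    return STATUS_SUCCESS;
}

/*
 * IRP_MJ_READ handler: returns one entry of the loaded-module list.
 *
 * Protocol (as used by the R3 client): the read buffer is a CommPackage whose
 * `pid` (1-based) selects the entry and whose `id` must equal _COMM_ID for the
 * name fields to be filled. The device is DO_BUFFERED_IO, but both the inputs
 * and the outputs of this request travel through Irp->UserBuffer, i.e. the raw
 * caller pointer: it is therefore probed and every access to it is guarded by
 * SEH, the inputs are copied to a local before use, and the result is built
 * locally and written back in one guarded copy. IoStatus.Information stays 0
 * on purpose — with buffered I/O a non-zero count makes the I/O manager copy
 * that many bytes of the (never written) SystemBuffer over UserBuffer on
 * completion, clobbering the data written here.
 *
 * The module list is walked without any synchronisation; a module unloading
 * concurrently is not protected against (unchanged from the original).
 *
 * Returns STATUS_SUCCESS, STATUS_INVALID_PARAMETER for a wrong length or a
 * malformed entry, or the exception code raised by a bad user pointer.
 */
NTSTATUS ReadDispatch(DEVICE_OBJECT* DeviceObject, IRP* Irp)
{
    PIO_STACK_LOCATION ioStack = IoGetCurrentIrpStackLocation(Irp);
    ULONG Length = ioStack->Parameters.Read.Length;
    PCommPackage userPackage = (PCommPackage)Irp->UserBuffer;
    NTSTATUS status = STATUS_INVALID_PARAMETER;
    CommPackage local;
    PKLDR_DATA_TABLE_ENTRY first;
    PKLDR_DATA_TABLE_ENTRY start;
    PKLDR_DATA_TABLE_ENTRY entry;
    ULONG64 step;

    RtlZeroMemory(&local, sizeof(local));

    /* Reject anything but an exactly-sized package before touching the buffer. */
    if (Length != sizeof(CommPackage) || userPackage == NULL) {
        goto complete;
    }

    /* Fetch the caller's selector and id through the probed pointer. The x86
     * client keeps the package on its stack, so require no more than ULONG
     * alignment. */
    __try {
        if (Irp->RequestorMode != KernelMode) {
            ProbeForWrite(userPackage, sizeof(CommPackage), sizeof(ULONG));
        }
        local.id = userPackage->id;
        local.pid = userPackage->pid;
        status = STATUS_SUCCESS;
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        status = GetExceptionCode();
    }
    if (!NT_SUCCESS(status)) {
        goto complete;
    }

    /* The device extension holds a copy of this driver's own
     * InLoadOrderLinks; pid == 1 is the entry two links after it (Flink of
     * Flink), each further pid one link on. One full lap of the circular list
     * clamps to the pid == 1 entry, so a client that stops when the first
     * name reappears terminates and a huge pid cannot spin this loop. */
    first = (PKLDR_DATA_TABLE_ENTRY)((PKLDR_DATA_TABLE_ENTRY)DeviceObject->DeviceExtension)->InLoadOrderLinks.Flink;
    start = (PKLDR_DATA_TABLE_ENTRY)first->InLoadOrderLinks.Flink;
    entry = start;
    for (step = 1; step < local.pid; step++) {
        entry = (PKLDR_DATA_TABLE_ENTRY)entry->InLoadOrderLinks.Flink;
        if (entry == start) {
            break;
        }
    }

    local.DllBase = entry->DllBase;
    if (local.id == _COMM_ID) {
        status = CopyNameField(&entry->FullDllName, local.name, sizeof(local.name));
        if (NT_SUCCESS(status)) {
            status = CopyNameField(&entry->BaseDllName, local.name2, sizeof(local.name2));
        }
    }
    /* The previous lookup of a driver object by FullDllName was never used and
     * leaked one object reference per call; it is intentionally gone. */

    /* Write the whole record back (id/pid are echoed unchanged). */
    __try {
        RtlCopyMemory(userPackage, &local, sizeof(CommPackage));
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        status = GetExceptionCode();
    }

complete:
    Irp->IoStatus.Information = 0;
    Irp->IoStatus.Status = status;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}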
/*
 * Unload routine: removes the \??\wangliang link, then the control device,
 * and logs "END". The link is removed first so no new opens can reach a
 * device that is about to disappear.
 */
VOID DriverUnload(PDRIVER_OBJECT pDriver)
{
    UNICODE_STRING linkName;

    RtlInitUnicodeString(&linkName, SYM_NAME);
    (void)IoDeleteSymbolicLink(&linkName);
    IoDeleteDevice(pDriver->DeviceObject);
    DbgPrint("END\r\n");
}
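/*
 * Creates the control device \Device\wangliang and its \??\wangliang link and
 * installs the dispatch routines.
 *
 * The device extension receives a copy of this driver's own loader-list links
 * (InLoadOrderLinks, the first field of the entry behind DriverSection); that
 * is all ReadDispatch reads from it. The extension is sized for a whole
 * KLDR_DATA_TABLE_ENTRY so that code reading it through that type stays in
 * bounds; the unused remainder is zeroed. (The original sized the extension
 * at sizeof(pointer)+1 and copied sizeof(pointer) bytes, which happened to
 * cover exactly Flink on x86.)
 *
 * Returns STATUS_SUCCESS, STATUS_INVALID_PARAMETER when DriverSection is not
 * set, or the failing IoCreateDevice / IoCreateSymbolicLink status.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg)
{
    PKLDR_DATA_TABLE_ENTRY ldr = (PKLDR_DATA_TABLE_ENTRY)pDriver->DriverSection;
    UNICODE_STRING unName;
    UNICODE_STRING symName;
    PDEVICE_OBJECT pDevice = NULL;
    NTSTATUS status;

    UNREFERENCED_PARAMETER(pReg);

    if (ldr == NULL) {
        return STATUS_INVALID_PARAMETER;
    }
    RtlInitUnicodeString(&unName, DEVICE_NAME);
    RtlInitUnicodeString(&symName, SYM_NAME);

    /* NOTE(review): the device gets the I/O manager's default DACL. If only
     * administrators should be able to open it, IoCreateDeviceSecure with an
     * SDDL string such as SDDL_DEVOBJ_SYS_ALL_ADM_ALL is the usual answer. */
    status = IoCreateDevice(pDriver, sizeof(KLDR_DATA_TABLE_ENTRY), &unName,
                            FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &pDevice);
    if (!NT_SUCCESS(status)) {
        DbgPrint("[db]:%x\r\n", status);
        return status;
    }

    RtlZeroMemory(pDevice->DeviceExtension, sizeof(KLDR_DATA_TABLE_ENTRY));
    RtlCopyMemory(pDevice->DeviceExtension, &ldr->InLoadOrderLinks, sizeof(LIST_ENTRY));

    status = IoCreateSymbolicLink(&symName, &unName);
    if (!NT_SUCCESS(status)) {
        IoDeleteDevice(pDevice);
        DbgPrint("[db]:%x\r\n", status);
        return status;
    }

    pDriver->MajorFunction[IRP_MJ_CREATE] = DefDispatch;
    pDriver->MajorFunction[IRP_MJ_CLOSE] = DefDispatch;
    pDriver->MajorFunction[IRP_MJ_READ] = ReadDispatch;
    pDriver->DriverUnload = DriverUnload;

    /* Buffered I/O is requested, although ReadDispatch exchanges its data
     * through Irp->UserBuffer rather than the system buffer. */
    pDevice->Flags |= DO_BUFFERED_IO;
    /* Cleared last: the device is only usable once DO_DEVICE_INITIALIZING is gone. */
    pDevice->Flags &= ~DO_DEVICE_INITIALIZING;
    return STATUS_SUCCESS;
}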
R3 (user-mode client)
#ifndef UNICODE
#define UNICODE
#endif
#ifndef _UNICODE
#define _UNICODE
#endif
#define _WIN32_WINNT 0x0500
#define WINVER 0x0500
#include <windows.h>
#include <Softpub.h>
#include <Wincrypt.h>
#include <stdio.h>
#include <tchar.h>
#include<psapi.h>
#pragma comment(lib, "Crypt32.lib")
#pragma comment(lib, "Wintrust.lib")
#pragma comment(lib, "Psapi.lib")
#define SYM_NAME "\\\\.\\wangliang"
/*
 * Record exchanged with the driver through ReadFile on the control device.
 * This program fills `id` and `pid`; the driver fills the rest. The layout
 * must stay identical to the copy declared in the kernel-mode source.
 */
typedef struct _CommPackage {
    ULONG64 id;        /* set to _COMM_ID so the driver fills the name fields */
    ULONG64 pid;       /* 1-based index of the module to report */
    ULONG DllBase;     /* image base of the module, as reported by the driver */
    CHAR name[64];     /* ANSI full image name (driver-supplied) */
    CHAR name2[64];    /* ANSI base image name (driver-supplied) */
}CommPackage, * PCommPackage;
#define _COMM_ID 0x12345678
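/*
 * Returns the RDN (X.500-formatted) subject name of a certificate as a
 * LocalAlloc'd TCHAR string, or NULL when the name is unavailable or memory
 * cannot be obtained. The caller owns the result and frees it with LocalFree.
 */
LPTSTR GetCertificateDescription(PCCERT_CONTEXT pCertCtx)
{
    DWORD dwStrType = CERT_X500_NAME_STR;
    LPTSTR szSubjectRDN = NULL;
    DWORD dwCount;

    /* First call: size query (count includes the terminator). */
    dwCount = CertGetNameString(pCertCtx, CERT_NAME_RDN_TYPE, 0, &dwStrType, NULL, 0);
    if (dwCount == 0) {
        return NULL;
    }
    szSubjectRDN = (LPTSTR)LocalAlloc(LMEM_FIXED, dwCount * sizeof(TCHAR));
    if (szSubjectRDN == NULL) {
        return NULL;
    }
    /* Second call: fill the buffer; a zero result means nothing usable was written. */
    if (CertGetNameString(pCertCtx, CERT_NAME_RDN_TYPE, 0, &dwStrType, szSubjectRDN, dwCount) == 0) {
        LocalFree(szSubjectRDN);
        return NULL;
    }
    return szSubjectRDN;
}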
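/* Upper bound on list entries visited, in case the first name never reappears. */
enum { MAX_MODULE_ENTRIES = 4096 };

/*
 * Turns the kernel image path reported for `imageBase` into a Win32 path that
 * WinVerifyTrust can open.
 *
 * GetDeviceDriverFileName returns native forms such as "\SystemRoot\..." or
 * "\??\C:\..."; the first is rebased onto the real Windows directory (instead
 * of a hard-coded C:\Windows), the second is cut at the first drive letter.
 * Returns FALSE when no usable path is obtained; `out` is then empty.
 */
static BOOL ResolveDriverPath(ULONG imageBase, wchar_t* out, size_t cap)
{
    static const wchar_t kSystemRoot[] = L"\\SystemRoot\\";
    const size_t prefixLen = sizeof kSystemRoot / sizeof kSystemRoot[0] - 1;
    wchar_t raw[MAX_PATH * 2] = { 0 };
    const wchar_t* p;

    out[0] = L'\0';
    /* Size-1 so the buffer stays NUL-terminated even if the name is truncated. */
    if (GetDeviceDriverFileNameW((LPVOID)(ULONG_PTR)imageBase, raw,
                                 (DWORD)(sizeof raw / sizeof raw[0]) - 1) == 0) {
        return FALSE;
    }
    if (_wcsnicmp(raw, kSystemRoot, prefixLen) == 0) {
        wchar_t winDir[MAX_PATH] = { 0 };
        if (GetWindowsDirectoryW(winDir, MAX_PATH) == 0) {
            return FALSE;
        }
        return swprintf_s(out, cap, L"%s\\%s", winDir, raw + prefixLen) > 0;
    }
    /* Other native forms (e.g. "\??\C:\..."): keep everything from the drive letter on. */
    for (p = raw; *p != L'\0'; p++) {
        if (*p >= L'A' && *p <= L'Z') {
            break;
        }
    }
    if (*p == L'\0') {
        return FALSE;
    }
    return wcscpy_s(out, cap, p) == 0;
}

/*
 * Prints signer, signing time and (when present) the first timestamp
 * counter-signer of a file that WinVerifyTrust just accepted, using the
 * provider state left behind by WTD_STATEACTION_VERIFY.
 */
static void PrintSignerDetails(const WINTRUST_DATA* trustData)
{
    CRYPT_PROVIDER_DATA const* psProvData = NULL;
    CRYPT_PROVIDER_SGNR* psProvSigner = NULL;
    CRYPT_PROVIDER_CERT* psProvCert = NULL;
    FILETIME localFt;
    SYSTEMTIME sysTime;

    psProvData = WTHelperProvDataFromStateData(trustData->hWVTStateData);
    if (!psProvData) {
        return;
    }
    psProvSigner = WTHelperGetProvSignerFromChain((PCRYPT_PROVIDER_DATA)psProvData, 0, FALSE, 0);
    if (!psProvSigner) {
        return;
    }

    FileTimeToLocalFileTime(&psProvSigner->sftVerifyAsOf, &localFt);
    FileTimeToSystemTime(&localFt, &sysTime);
    _tprintf(_T("Signature Date = %.2d/%.2d/%.4d at %.2d:%.2d:%.2d\n"), sysTime.wDay, sysTime.wMonth, sysTime.wYear, sysTime.wHour, sysTime.wMinute, sysTime.wSecond);
    psProvCert = WTHelperGetProvCertFromChain(psProvSigner, 0);
    if (psProvCert)
    {
        LPTSTR szCertDesc = GetCertificateDescription(psProvCert->pCert);
        if (szCertDesc)
        {
            _tprintf(_T("File Signer = %s\n"), szCertDesc);
            LocalFree(szCertDesc);
        }
    }
    if (psProvSigner->csCounterSigners)
    {
        _tprintf(_T("\n"));
        /* Timestamp */
        FileTimeToLocalFileTime(&psProvSigner->pasCounterSigners[0].sftVerifyAsOf, &localFt);
        FileTimeToSystemTime(&localFt, &sysTime);
        _tprintf(_T("Timestamp Date = %.2d/%.2d/%.4d at %.2d:%.2d:%.2d\n"), sysTime.wDay, sysTime.wMonth, sysTime.wYear, sysTime.wHour, sysTime.wMinute, sysTime.wSecond);
        psProvCert = WTHelperGetProvCertFromChain(&psProvSigner->pasCounterSigners[0], 0);
        if (psProvCert)
        {
            LPTSTR szCertDesc = GetCertificateDescription(psProvCert->pCert);
            if (szCertDesc)
            {
                _tprintf(_T("Timestamp Signer = %s\n"), szCertDesc);
                LocalFree(szCertDesc);
            }
        }
    }
}

/*
 * Runs an Authenticode check on `path` with WinVerifyTrust and prints the
 * verdict (and the signer details on success).
 *
 * Only the embedded signature is examined (WTD_CHOICE_FILE): catalog-signed
 * drivers come back as "No signature found" here. Revocation is not checked
 * (WTD_REVOKE_NONE), so a revoked signing certificate still reports "OK".
 * The verification state is always released with WTD_STATEACTION_CLOSE.
 */
static void VerifyFileSignature(const wchar_t* path)
{
    GUID guidAction = WINTRUST_ACTION_GENERIC_VERIFY_V2;
    WINTRUST_FILE_INFO sWintrustFileInfo;
    WINTRUST_DATA sWintrustData;
    LONG hr;

    memset(&sWintrustFileInfo, 0x00, sizeof(WINTRUST_FILE_INFO));
    memset(&sWintrustData, 0x00, sizeof(WINTRUST_DATA));
    sWintrustFileInfo.cbStruct = sizeof(WINTRUST_FILE_INFO);
    sWintrustFileInfo.pcwszFilePath = path;
    sWintrustFileInfo.hFile = NULL;
    sWintrustData.cbStruct = sizeof(WINTRUST_DATA);
    sWintrustData.dwUIChoice = WTD_UI_NONE;
    sWintrustData.fdwRevocationChecks = WTD_REVOKE_NONE;
    sWintrustData.dwUnionChoice = WTD_CHOICE_FILE;
    sWintrustData.pFile = &sWintrustFileInfo;
    sWintrustData.dwStateAction = WTD_STATEACTION_VERIFY;

    hr = WinVerifyTrust((HWND)INVALID_HANDLE_VALUE, &guidAction, &sWintrustData);
    if (TRUST_E_NOSIGNATURE == hr)
    {
        _tprintf(_T("No signature found on the file.\n"));
    }
    else if (TRUST_E_BAD_DIGEST == hr)
    {
        _tprintf(_T("The signature of the file is invalid\n"));
    }
    else if (TRUST_E_PROVIDER_UNKNOWN == hr)
    {
        _tprintf(_T("No trust provider on this machine can verify this type of files.\n"));
    }
    else if (S_OK != hr)
    {
        _tprintf(_T("WinVerifyTrust failed with error 0x%.8X\n"), hr);
    }
    else
    {
        _tprintf(_T("File signature is OK.\n"));
        PrintSignerDetails(&sWintrustData);
    }

    /* Release the provider state whatever the verdict was. */
    sWintrustData.dwUIChoice = WTD_UI_NONE;
    sWintrustData.dwStateAction = WTD_STATEACTION_CLOSE;
    WinVerifyTrust((HWND)INVALID_HANDLE_VALUE, &guidAction, &sWintrustData);
}

/*
 * Walks the driver's loaded-module list entry by entry (pid = 1, 2, ...),
 * prints each module's names, resolves its on-disk path and checks its
 * Authenticode signature. The walk stops when the first module's name comes
 * around again (the list is circular) or after MAX_MODULE_ENTRIES reads.
 * Command-line arguments are not used.
 */
int main(int argc, _TCHAR* argv[])
{
    CommPackage packag;
    HANDLE hDevice;
    DWORD transferred = 0;
    char first[sizeof packag.name];
    unsigned int visited = 0;

    UNREFERENCED_PARAMETER(argc);
    UNREFERENCED_PARAMETER(argv);

    memset(&packag, 0, sizeof packag);
    packag.id = _COMM_ID;
    packag.pid = 1;

    /* Read access is all the driver offers (it has no write dispatch). */
    hDevice = CreateFileA(SYM_NAME, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hDevice == INVALID_HANDLE_VALUE)
    {
        printf("CreateFile(%s) failed, error %lu\n", SYM_NAME, GetLastError());
        system("pause");
        return 1;
    }

    /* The driver fills the package through the caller's buffer and may
     * complete the request with a failure status regardless, so the ReadFile
     * result is not used as a stop condition; only the names are. The fields
     * are re-terminated defensively before being treated as strings. */
    ReadFile(hDevice, &packag, sizeof packag, &transferred, NULL);
    packag.name[sizeof packag.name - 1] = '\0';
    memcpy(first, packag.name, sizeof first);
    printf("%s\r\n", packag.name);

    do {
        wchar_t fullPath[MAX_PATH * 2];

        packag.pid = packag.pid + 1;
        memset(packag.name, 0, sizeof packag.name);
        memset(packag.name2, 0, sizeof packag.name2);
        ReadFile(hDevice, &packag, sizeof packag, &transferred, NULL);
        packag.name[sizeof packag.name - 1] = '\0';
        packag.name2[sizeof packag.name2 - 1] = '\0';
        printf("%s %s\r\n", packag.name, packag.name2);

        if (ResolveDriverPath(packag.DllBase, fullPath, sizeof fullPath / sizeof fullPath[0]))
        {
            printf("Full path for driver file is: %ls\n", fullPath);
            VerifyFileSignature(fullPath);
        }
        else
        {
            printf("Could not resolve a file path for image base 0x%08lX\n", (unsigned long)packag.DllBase);
        }
        Sleep(1000);
    } while (strcmp(first, packag.name) != 0 && ++visited < MAX_MODULE_ENTRIES);

    CloseHandle(hDevice);
    system("pause");
    return 0;
}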