The source code is as follows, mydriver.c:

#include "ntddk.h"

// Forward declaration of the unload routine.
VOID CleanUp(IN PDRIVER_OBJECT pDriverObject);

// DriverEntry is the driver's entry point; it runs when the service is started.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT TheDriverObject, IN PUNICODE_STRING TheRegistryPath)
{
    UNREFERENCED_PARAMETER(TheRegistryPath);
    DbgPrint("This is my first driver baby!!");
    // Register the unload routine so the driver can later be stopped and unloaded.
    TheDriverObject->DriverUnload = CleanUp;
    return STATUS_SUCCESS;
}

// This is the UnLoad Routine; it runs when the service is stopped.
VOID CleanUp(IN PDRIVER_OBJECT pDriverObject)
{
    UNREFERENCED_PARAMETER(pDriverObject);
    DbgPrint("CleanUp routine called");
}
Create a directory named rootkit on the C: drive and put mydriver.c in it. Then create a file named SOURCES (no extension) with the following content:
TARGETNAME=MYDRIVER
TARGETPATH=OBJ
TARGETTYPE=DRIVER
SOURCES=mydriver.c
Then click "Start" - "All Programs" - "Windows Driver Kits" - "WDK 7600.16385.1" - "Build Environments" - "Windows XP" - "x86 Checked Build Environment":
OACR monitor running already
C:\WINDDK\7600.16385.1>cd C:\rootkit
C:\rootkit>build
BUILD: Compile and Link for x86
BUILD: Loading c:\winddk\7600.16385.1\build.dat...
BUILD: Computing Include file dependencies:
BUILD: Start time: Sun Jul 21 14:34:00 2013
BUILD: Examining c:\rootkit directory for files to compile.
c:\rootkit Invalidating OACR warning log for 'root:x86chk'
BUILD: Saving c:\winddk\7600.16385.1\build.dat...
BUILD: Compiling and Linking c:\rootkit directory
Configuring OACR for 'root:x86chk' - <OACR on>
_NT_TARGET_VERSION SET TO WINXP
Compiling - mydriver.c
Linking Executable - objchk_wxp_x86\i386\mydriver.sys
BUILD: Finish time: Sun Jul 21 14:34:10 2013
BUILD: Done
3 files compiled
1 executable built
C:\rootkit>
MYDRIVER.sys, along with some other files, is generated in the directory C:\rootkit\objchk_wxp_x86\i386.
Prepare an XP virtual machine and copy MYDRIVER.sys into it.
Download osrloader from http://www.osronline.com/article.cfm?article=157; you first have to register with an e-mail address.
Download DebugView from http://download.sysinternals.com/files/DebugView.zip.
Put both osrloader and DebugView into the XP virtual machine, then open DebugView, load MYDRIVER.sys with osrloader, register the service and start it. At this point the DbgPrint messages are not shown, because XP has not been rebooted yet. After rebooting XP, the output appears:
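For readers who want to see what osrloader does behind its buttons, here is an added example (not part of the original post, and not osrloader's own code) that registers, starts, stops and removes the driver as a kernel-mode service with the built-in sc.exe. It assumes MYDRIVER.sys has been copied to C:\drivers\MYDRIVER.sys (a constructed path) and that the script is run from an Administrator command prompt on the XP VM; the service name MYDRIVER matches the TARGETNAME in SOURCES.

```batch
@echo off
REM Added example: load the tutorial's driver with sc.exe instead of osrloader.
REM Assumptions: image copied to C:\drivers\MYDRIVER.sys (constructed path),
REM run from an Administrator prompt on the XP virtual machine.
set SVC=MYDRIVER
set SYSPATH=C:\drivers\MYDRIVER.sys

if not exist "%SYSPATH%" (
    echo Driver image %SYSPATH% not found.
    exit /b 1
)

REM type= kernel registers a kernel-mode driver service; start= demand means
REM it is only started manually. sc.exe requires a space after each '='.
sc create %SVC% type= kernel start= demand binPath= "%SYSPATH%" DisplayName= "My first driver"
if errorlevel 1 (
    echo sc create failed.
    exit /b 1
)

REM Starting the service is the moment DriverEntry runs and its DbgPrint fires.
sc start %SVC%
if errorlevel 1 (
    echo sc start failed; removing the service registration.
    sc delete %SVC%
    exit /b 1
)

REM Confirm the driver is loaded: expect "STATE : 4 RUNNING" in the output.
sc query %SVC%

REM Stopping the service calls the DriverUnload routine (CleanUp) and unloads
REM the image. A driver that never sets DriverUnload cannot be stopped this
REM way; it stays loaded until the next reboot.
sc stop %SVC%

REM Remove the service registration once you are done with the experiment.
sc delete %SVC%
```

DebugView only displays DbgPrint output when kernel capture is switched on (Capture menu, "Capture Kernel"), so enable that before running `sc start`. Stopping and deleting the service when finished is also what keeps the test VM in a known state between builds: a stale registration pointing at an old .sys path is a common reason a rebuilt driver appears not to load.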