与RKdemo12.sys一起工作的用户模式部分RKSTART.EXE分析

在上一篇里说过这个.exe文件会实现驱动的驻留,那么来重点看一下这吧。

                              ; --- RKSTART.EXE excerpt: writes the driver's service key, then calls ZwLoadDriver ---
                              ; The function's entry and both branch targets (loc_4014B4, loc_401498) lie outside this
                              ; listing. Intel syntax, 32-bit user mode; the calls are ntdll exports (Rtl*/Zw*).
                              ; Visible register roles:
                              ;   esi     -> one UNICODE_STRING, reused as DestinationString for every RtlInitUnicodeString
                              ;   bl      =  flag set before this excerpt (meaning not visible here); gates the ZwLoadDriver call
                              ;   var_210 =  local buffer later written as the ImagePath data
                              lea     eax, [esp+238h+var_210]
CODE:00401346                 mov     edx, ds:off_402008  ; edx -> name of the driver to load
CODE:0040134C                 call    sub_401170          ; presumably builds the ImagePath string in var_210 from the driver name -- confirm in sub_401170
CODE:00401351                 mov     eax, ds:SourceString ; registry path of the service key (the same pointer is reused as DriverServiceName at 00401450)
CODE:00401356                 push    eax             ; SourceString
CODE:00401357                 push    esi             ; DestinationString
CODE:00401358                 call    RtlInitUnicodeString
CODE:0040135D                 mov     [esp+238h+ObjectAttributes.Length], 18h ; 0x18 = sizeof(OBJECT_ATTRIBUTES) on x86
CODE:00401365                 xor     eax, eax
CODE:00401367                 mov     [esp+238h+ObjectAttributes.RootDirectory], eax ; NULL -> ObjectName must be a full registry path
CODE:0040136B                 mov     [esp+238h+ObjectAttributes.ObjectName], esi
CODE:0040136F                 xor     eax, eax
CODE:00401371                 mov     [esp+238h+ObjectAttributes.Attributes], eax ; no OBJ_* flags
CODE:00401375                 xor     eax, eax
CODE:00401377                 mov     [esp+238h+ObjectAttributes.SecurityDescriptor], eax ; NULL -> default security
CODE:0040137B                 xor     eax, eax
CODE:0040137D                 mov     [esp+238h+ObjectAttributes.SecurityQualityOfService], eax
CODE:00401381                 push    0               ; Disposition (NULL: caller does not distinguish created vs. opened)
CODE:00401383                 push    1               ; CreateOptions = REG_OPTION_NON_VOLATILE (key persists across reboot)
CODE:00401385                 push    0               ; Class
CODE:00401387                 push    0               ; TitleIndex
CODE:00401389                 lea     eax, [esp+248h+ObjectAttributes]
CODE:0040138D                 push    eax             ; ObjectAttributes
CODE:0040138E                 push    0F003Fh         ; DesiredAccess = KEY_ALL_ACCESS
CODE:00401393                 lea     eax, [esp+250h+KeyHandle]
CODE:00401397                 push    eax             ; KeyHandle
CODE:00401398                 call    ZwCreateKey     ; arguments set up above; creates (or opens) the service's registry key
CODE:0040139D                 test    eax, eax        ; NTSTATUS: 0 == STATUS_SUCCESS
CODE:0040139F                 jnz     loc_4014B4      ; author asked "on success shouldn't it keep going down?" -- it does: jnz branches only on a non-zero (failure) status; fall-through is the success path
CODE:004013A5                 mov     [esp+238h+Data], 1  ; ErrorControl = 1 (SERVICE_ERROR_NORMAL)
CODE:004013AD                 mov     eax, ds:off_402014  ;'ErrorControl'
CODE:004013B2                 push    eax             ; SourceString
CODE:004013B3                 push    esi             ; DestinationString
CODE:004013B4                 call    RtlInitUnicodeString
CODE:004013B9                 push    4               ; DataSize = sizeof(DWORD)
CODE:004013BB                 lea     eax, [esp+23Ch+Data]
CODE:004013BF                 push    eax             ; Data
CODE:004013C0                 push    4               ; Type = REG_DWORD
CODE:004013C2                 push    0               ; TitleIndex
CODE:004013C4                 push    esi             ; ValueName
CODE:004013C5                 mov     eax, [esp+24Ch+KeyHandle]
CODE:004013C9                 push    eax             ; KeyHandle
CODE:004013CA                 call    ZwSetValueKey
CODE:004013CF                 mov     [esp+238h+Data], 3  ; key point: Start = 3 (SERVICE_DEMAND_START) -- the driver is NOT registered to start at boot/system init
CODE:004013D7                 mov     eax, ds:off_402018 ;'Start'
CODE:004013DC                 push    eax             ; SourceString
CODE:004013DD                 push    esi             ; DestinationString
CODE:004013DE                 call    RtlInitUnicodeString
CODE:004013E3                 push    4               ; DataSize = sizeof(DWORD)
CODE:004013E5                 lea     eax, [esp+23Ch+Data]
CODE:004013E9                 push    eax             ; Data
CODE:004013EA                 push    4               ; Type = REG_DWORD
CODE:004013EC                 push    0               ; TitleIndex
CODE:004013EE                 push    esi             ; ValueName
CODE:004013EF                 mov     eax, [esp+24Ch+KeyHandle]
CODE:004013F3                 push    eax             ; KeyHandle
CODE:004013F4                 call    ZwSetValueKey
CODE:004013F9                 mov     [esp+238h+Data], 1  ; Type = 1 (SERVICE_KERNEL_DRIVER)
CODE:00401401                 mov     eax, ds:off_40201C ;'Type'
CODE:00401406                 push    eax             ; SourceString
CODE:00401407                 push    esi             ; DestinationString
CODE:00401408                 call    RtlInitUnicodeString
CODE:0040140D                 push    4               ; DataSize = sizeof(DWORD)
CODE:0040140F                 lea     eax, [esp+23Ch+Data]
CODE:00401413                 push    eax             ; Data
CODE:00401414                 push    4               ; Type = REG_DWORD
CODE:00401416                 push    0               ; TitleIndex
CODE:00401418                 push    esi             ; ValueName
CODE:00401419                 mov     eax, [esp+24Ch+KeyHandle]
CODE:0040141D                 push    eax             ; KeyHandle
CODE:0040141E                 call    ZwSetValueKey
CODE:00401423                 mov     eax, ds:off_402010 ;'ImagePath'
CODE:00401428                 push    eax             ; SourceString
CODE:00401429                 push    esi             ; DestinationString
CODE:0040142A                 call    RtlInitUnicodeString
CODE:0040142F                 lea     eax, [esp+238h+var_210]
CODE:00401433                 call    sub_4010E0      ; presumably returns the character length of var_210 -- confirm in sub_4010E0
CODE:00401438                 inc     eax             ; +1 for the terminating NUL
CODE:00401439                 add     eax, eax        ; *2 -> byte size of a UTF-16 string
CODE:0040143B                 push    eax             ; DataSize
CODE:0040143C                 lea     eax, [esp+23Ch+var_210]
CODE:00401440                 push    eax             ; Data
CODE:00401441                 push    1               ; Type = REG_SZ
CODE:00401443                 push    0               ; TitleIndex
CODE:00401445                 push    esi             ; ValueName
CODE:00401446                 mov     eax, [esp+24Ch+KeyHandle]
CODE:0040144A                 push    eax             ; KeyHandle
CODE:0040144B                 call    ZwSetValueKey
CODE:00401450                 mov     eax, ds:SourceString ; same service-key path that was passed to ZwCreateKey
CODE:00401455                 push    eax             ; SourceString
CODE:00401456                 push    esi             ; DestinationString
CODE:00401457                 call    RtlInitUnicodeString
CODE:0040145C                 test    bl, bl          ; bl is set outside this excerpt
CODE:0040145E                 jz      short loc_401498 ; bl == 0: skip loading (target outside the listing)
CODE:00401460                 push    esi             ; DriverServiceName = registry path of the key just written
CODE:00401461                 call    ZwLoadDriver    ; load the driver; requires SeLoadDriverPrivilege. Detection point: a user-mode process creating a Services key and immediately calling NtLoadDriver

从上面可以看到,先调用了一次 ZwCreateKey() 创建该驱动(服务)的注册表键,然后调用了 4 次 ZwSetValueKey() 在该键下写入 4 个值项(ErrorControl、Start、Type、ImagePath)。打开注册表编辑器查看该驱动对应的键,里面就有 Start、Type、ImagePath 等值项及其数据。Start 值决定了驱动(服务)在什么时候被加载(启动)。

value(值)                    description(描述)                        
0X00000000                   SERVICE_BOOT_START(indicates a driver started by operating system (OS) loader--由操作系统加载器启动)
0X00000001                   SERVICE_SYSTEM_START(started during os initialization--在系统初始化时启动)
0X00000002                   SERVICE_AUTO_START(started by the Service Control Manager(SCM) during system startup--由服务管理器在系统开始运行的过程中启动(很少用))
0X00000003                   SERVICE_DEMAND_START(started on demand,either by the Pnp Manager,or the Service Control Manager)
0X00000004                   SERVICE_DISABLED(disabled--已禁用,不会被加载)
(来自windows ddk 文档)

这是一个 demo 示例:Start 被设置为 3(SERVICE_DEMAND_START),而没有设置成 0 或 1 来实现驱动的开机驻留——后者才是“恶意行为模式”。
