实验环境:win7 x86
pDriverObject->DriverSection实际是指向_LDR_DATA_TABLE_ENTRY结构的指针。
ntdll!_LDR_DATA_TABLE_ENTRY
+0x000 InLoadOrderLinks : _LIST_ENTRY
+0x008 InMemoryOrderLinks : _LIST_ENTRY
+0x010 InInitializationOrderLinks : _LIST_ENTRY
+0x018 DllBase : Ptr32 Void //
+0x01c EntryPoint : Ptr32 Void //
+0x020 SizeOfImage : Uint4B
+0x024 FullDllName : _UNICODE_STRING //
+0x02c BaseDllName : _UNICODE_STRING //
+0x034 Flags : Uint4B
+0x038 LoadCount : Uint2B
+0x03a TlsIndex : Uint2B
+0x03c HashLinks : _LIST_ENTRY
+0x03c SectionPointer : Ptr32 Void
+0x040 CheckSum : Uint4B
+0x044 TimeDateStamp : Uint4B
+0x044 LoadedImports : Ptr32 Void
+0x048 EntryPointActivationContext : Ptr32 _ACTIVATION_CONTEXT
+0x04c PatchInformation : Ptr32 Void
+0x050 ForwarderLinks : _LIST_ENTRY
+0x058 ServiceTagLinks : _LIST_ENTRY
+0x060 StaticLinks : _LIST_ENTRY
+0x068 ContextInformation : Ptr32 Void
+0x06c OriginalBase : Uint4B
+0x070 LoadTime : _LARGE_INTEGER
内核代码 :
#include <ntifs.h>
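/*
 * Walk the kernel's loaded-module list starting from this driver's own
 * _LDR_DATA_TABLE_ENTRY and print each entry's BaseDllName followed by
 * its FullDllName via DbgPrint.
 *
 * Despite its name the routine hides nothing; it only enumerates.
 *
 * pDriverObject->DriverSection is an undocumented field that, on the
 * Win7 x86 build this listing was taken from, points at the driver's
 * _LDR_DATA_TABLE_ENTRY, whose first member (offset 0) is the
 * InLoadOrderLinks LIST_ENTRY.  The two offsets below come from that
 * build's type dump (+0x024 FullDllName, +0x02c BaseDllName) and are
 * NOT valid on x64 or other OS versions; re-check them against
 * `dt ntdll!_LDR_DATA_TABLE_ENTRY` on the target before relying on them.
 *
 * NOTE(review): the list is circular, so the walk also passes through
 * the list head, which presumably is a bare LIST_ENTRY rather than a
 * full _LDR_DATA_TABLE_ENTRY; on that iteration the two UNICODE_STRING
 * reads touch memory that is not a UNICODE_STRING -- confirm on the
 * target and skip that node if so.  The list is also traversed without
 * the system's loader lock, so a module loading or unloading
 * concurrently can invalidate the links mid-walk.
 */
VOID HideProcess(PDRIVER_OBJECT pDriverObject)
{
    /* Win7 x86 byte offsets of the name fields from the start of the entry. */
    enum {
        LDR_OFF_FULLDLLNAME = 0x24,
        LDR_OFF_BASEDLLNAME = 0x2c
    };
    PLIST_ENTRY pDriverList = (PLIST_ENTRY)pDriverObject->DriverSection;
    PLIST_ENTRY pNextList = NULL;

    /* Nothing to walk if the undocumented field is not populated. */
    if (pDriverList == NULL)
    {
        return;
    }

    pNextList = pDriverList->Flink;
    do
    {
        /* Byte-offset arithmetic through char* keeps the build's native
           pointer width instead of truncating through a 32-bit ULONG. */
        char *pEntry = (char *)pNextList;
        PUNICODE_STRING pName = (PUNICODE_STRING)(pEntry + LDR_OFF_BASEDLLNAME);
        DbgPrint("%wZ", pName);
        pName = (PUNICODE_STRING)(pEntry + LDR_OFF_FULLDLLNAME);
        DbgPrint("%wZ", pName);
        pNextList = pNextList->Flink;
    } while (pNextList != pDriverList->Flink);
}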
/*
 * DriverUnload callback.  Nothing was allocated or registered at load
 * time, so there is nothing to tear down; the routine only logs.
 *
 * pDriverObject is unused; the cast silences the unused-parameter warning.
 */
VOID UnloadDriver(PDRIVER_OBJECT pDriverObject)
{
    (void)pDriverObject;
    DbgPrint("unload success!\n");
}
/*
 * Driver entry point: register the unload routine, run the module-list
 * walk once at load time, log, and report success.
 *
 * pRegPath (the driver's registry key path) is not used here.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
    (void)pRegPath;

    /* Register the unload callback before doing any other work. */
    pDriverObject->DriverUnload = UnloadDriver;

    HideProcess(pDriverObject);
    DbgPrint("load success!\n");

    return STATUS_SUCCESS;
}