在卸载例程中对 SSDT 进行修复后，驱动部分的功能就基本完成了。（注意：下面的 CR0 写保护开关是针对 EAX/CR0 的 32 位内联汇编，只适用于 x86 系统；在 x64 上内核补丁保护会因 SSDT 被改写而蓝屏。）
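/*
 * Driver unload routine.
 *
 * Tears down what the load path created (the \DosDevices symbolic link and
 * the device object) and puts the original ZwOpenProcess pointer back into
 * the SSDT so the hook does not dangle once this image is unmapped.
 *
 * DriverObject - the driver object handed to DriverEntry.
 *
 * NOTE(review): the CR0.WP toggle below is a 32-bit x86 technique (inline
 * asm on EAX/CR0); CLI/STI only mask interrupts on the current processor,
 * which is enough because CR0 is per-CPU, but it is not a lock against other
 * CPUs touching the table, and on x64 Kernel Patch Protection bugchecks on
 * any SSDT modification.  Mapping the table through a writable MDL is the
 * usual alternative.  Nothing here waits for threads that may still be
 * executing inside the hook function; if one is, unloading the image after
 * this routine returns is a crash risk -- TODO confirm the load path does
 * not need a reference count / wait before unload.
 */
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNICODE_STRING DeviceLinkString;
    PDEVICE_OBJECT pDeviceObject;

    /* Remove the symbolic link first so user mode can no longer open the
       device, then delete the device object itself. */
    RtlInitUnicodeString(&DeviceLinkString, DOS_DEVICE_NAME);
    IoDeleteSymbolicLink(&DeviceLinkString);

    pDeviceObject = DriverObject->DeviceObject;
    if (pDeviceObject != NULL) {
        IoDeleteDevice(pDeviceObject);
    }

    /* Restore the original SSDT entry.  Only do it if the hook was actually
       installed: writing a NULL OldZwOpenProcess into the table would be far
       worse than leaving it alone. */
    if (OldZwOpenProcess != NULL) {
        _asm {
            CLI
            MOV EAX, CR0
            AND EAX, NOT 10000H     // clear CR0.WP so the table is writable
            MOV CR0, EAX
        }
        (ZWOPENPROCESS)(SYSTEMSERVICE(ZwOpenProcess)) = OldZwOpenProcess;
        _asm {
            MOV EAX, CR0
            OR EAX, 10000H          // set CR0.WP again
            MOV CR0, EAX
            STI
        }
    }

    DbgPrint("驱动卸载完成");
}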
在应用程序中我们使用 CreateService 来注册一个服务；由于驱动注册了符号链接，我们就可以像打开一个文件一样打开驱动；然后用进程快照遍历进程获得目标进程的 PID，通过 DeviceIoControl 传递给驱动，这样一个简单的保护功能就完成了。注意：下面列出的代码中路径里的 `//` 应为反斜杠（驱动路径用 `\\`，设备名应为 `\\\\.\\HookSSDT`），否则 CreateFile 打开的是当前目录下的普通文件而不是驱动设备。
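// --- Driver installation ----------------------------------------------------
// Fragment: this runs inside a void method whose signature is not shown in
// the listing; `DriverName` is defined elsewhere.
//
// Registers <current directory>\<DriverName> as a demand-start kernel driver
// service and starts it.  Every exit path closes the SCM handles it opened
// (the original leaked both on the ERROR_SERVICE_ALREADY_RUNNING path).
char name[MAX_PATH];
DWORD dirLen = GetCurrentDirectory(MAX_PATH, name);
// GetCurrentDirectory returns 0 on failure, or the size required (larger
// than the buffer) when the path does not fit.  Check that, plus room for
// the separator, the driver file name and the terminator, before appending,
// so the strcat calls cannot overrun `name`.
if (dirLen == 0 || dirLen >= MAX_PATH ||
    dirLen + 1 + strlen(DriverName) >= MAX_PATH) {
    return;
}
// NOTE(review): the listing shows "//" here.  A Win32 image path needs a
// backslash; the forward slashes are almost certainly an artifact of the
// blog's escaping (same for the device name in OnStart below).
strcat(name, "\\");
strcat(name, DriverName);

// Least privilege: creating and starting a service needs only these rights,
// not SC_MANAGER_ALL_ACCESS / SERVICE_ALL_ACCESS.
SC_HANDLE sh = OpenSCManager(NULL, NULL,
                             SC_MANAGER_CONNECT | SC_MANAGER_CREATE_SERVICE);
if (!sh) {
    return;
}
// SERVICE_ERROR_NORMAL instead of SERVICE_ERROR_CRITICAL: a demand-start
// test driver should not be able to push the machine into Last Known Good /
// boot failure if it ever fails to load.
SC_HANDLE rh = CreateService(sh, DriverName, DriverName,
                             SERVICE_START | SERVICE_QUERY_STATUS,
                             SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START,
                             SERVICE_ERROR_NORMAL,
                             name, NULL, NULL, NULL, NULL, NULL);
if (!rh) {
    if (GetLastError() != ERROR_SERVICE_EXISTS) {
        CloseServiceHandle(sh);
        return;
    }
    // Already registered (e.g. from an earlier run): just open it.
    rh = OpenService(sh, DriverName, SERVICE_START | SERVICE_QUERY_STATUS);
    if (!rh) {
        CloseServiceHandle(sh);
        return;
    }
}
// An already-running driver is not a failure for our purposes.  Any other
// StartService error (bad path, signing policy, DriverEntry failure, ...)
// is only reflected in `started`; the handles are closed either way.
BOOL started = StartService(rh, 0, NULL) ||
               GetLastError() == ERROR_SERVICE_ALREADY_RUNNING;
CloseServiceHandle(rh);
CloseServiceHandle(sh);
if (!started) {
    return;
}

// Button handler: opens the driver's device, resolves the process name typed
// into the dialog to a PID and hands that PID to the driver with
// IOCTL_PROTECT_CONTROL.  `device` and `pid` are members declared elsewhere.
//
// NOTE(review): the driver receives a bare PID.  PIDs are recycled, so once
// the protected process exits the driver may end up "protecting" an
// unrelated process that reuses the number -- worth handling on the driver
// side (process-exit notification) if this grows beyond a demo.
void CProtectDriverDlg::OnStart()
{
    char outbuffer[4096] = {0};
    DWORD dw = 0;

    // "\\\\.\\HookSSDT" is \\.\HookSSDT, the Win32 view of the \DosDevices
    // symbolic link the driver creates.  The listing's ".//HookSSDT" would
    // open a plain file named HookSSDT in the current directory instead.
    device = CreateFile("\\\\.\\HookSSDT",
                        GENERIC_READ | GENERIC_WRITE,
                        0, 0, OPEN_EXISTING, FILE_ATTRIBUTE_SYSTEM, 0);
    if (device == INVALID_HANDLE_VALUE) {
        MessageBox("Cannot open the driver device; is the driver loaded?",
                   "Error", MB_OK | MB_ICONERROR);
        return;
    }

    FindProcessPid();
    if (pid == 0) {
        // No running process has that name.  Do not send PID 0 to the
        // driver; the original did, and also left a stale PID from the
        // previous lookup in place.
        CloseHandle(device);
        MessageBox("No process with that name is running.",
                   "Error", MB_OK | MB_ICONERROR);
        return;
    }

    BOOL ok = DeviceIoControl(device, IOCTL_PROTECT_CONTROL,
                              &pid, sizeof(long),
                              outbuffer, sizeof(outbuffer), &dw, NULL);
    CloseHandle(device);
    if (ok) {
        MessageBox("驱动已经加载开始保护", "注意", NULL);
    } else {
        // The original reported success unconditionally.
        MessageBox("DeviceIoControl failed; the process is not protected.",
                   "Error", MB_OK | MB_ICONERROR);
    }
}

// Resolves the executable name typed into IDC_EDIT to a process ID using a
// Toolhelp snapshot and stores it in the `pid` member (0 when not found).
// If several processes share the name, the last one enumerated wins (same
// as the original).
VOID CProtectDriverDlg::FindProcessPid()
{
    CString ProcessName;
    GetDlgItem(IDC_EDIT)->GetWindowText(ProcessName);

    // Reset first: the original kept the previous lookup's PID whenever the
    // new name matched nothing, so callers could not tell "not found" apart
    // from "found last time".
    pid = 0;
    if (ProcessName.IsEmpty()) {
        return;
    }

    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(pe32);     // Toolhelp requires dwSize to be set

    HANDLE hProcessSnap = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE) {
        MessageBox("调用失败", "注意", NULL);
        return;
    }

    // Executable names on Windows are case-insensitive; the original's
    // CString == was a case-sensitive compare.
    for (BOOL more = ::Process32First(hProcessSnap, &pe32); more;
         more = ::Process32Next(hProcessSnap, &pe32)) {
        if (ProcessName.CompareNoCase(pe32.szExeFile) == 0) {
            pid = (long)pe32.th32ProcessID;
        }
    }

    ::CloseHandle(hProcessSnap);
}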