引用鏈接: http://blog.csdn.net/qq125096885/article/details/53161169
#include <ntddk.h>
#include <Ntstrsafe.h>
/* Local mirror of the kernel's private boot-reinitialization queue entry.
 * NOTE(review): this layout is reverse-engineered, not a WDK contract. The
 * fields after ListEntry (DriverObject, the routine, Context) are presumably
 * what IoRegisterBootDriverReinitialization stores, but nothing in this file
 * verifies that for the running kernel build — a layout mismatch turns the
 * writes in EnumRemoveBootDriverReinitialization into corruption of kernel
 * memory. */
typedef struct _REINIT_PACKET {
LIST_ENTRY ListEntry; //links into nt!IopBootDriverReinitializeQueueHead (assumed)
PDRIVER_OBJECT DriverObject; //driver that registered the callback (assumed)
PDRIVER_REINITIALIZE DriverReinitializationRoutine; //callback given at registration (assumed)
PVOID Context; //opaque context given at registration (assumed)
} REINIT_PACKET, *PREINIT_PACKET;
DWORD g_OsVersion; //OS version as one of the WINxx constants below, 0 when unknown; written by GetOsVer, read by GetIopBootDriverReinitializeQueueHead
//OS version constants: major * 10 + minor as reported by PsGetVersion
#define WINXP 51
#define WIN7 61
#define WIN8 62
#define WIN81 63
#define WIN10 100
//Fill g_OsVersion from PsGetVersion; returns FALSE (and sets 0) for an unrecognised major/minor pair
BOOLEAN GetOsVer(void);
//Address of nt!IopBootDriverReinitializeQueueHead once located, 0 before that.
//Kept as an integer although it is used as a PLIST_ENTRY — every use relies on an implicit integer-to-pointer conversion.
ULONG_PTR IopBootDriverReinitializeQueueHead;
//Locate nt!IopBootDriverReinitializeQueueHead by scanning the code bytes of the exported IoRegisterBootDriverReinitialization; 0 when no pattern matched
ULONG_PTR GetIopBootDriverReinitializeQueueHead(void);
//Unlink and free every packet queued via IoRegisterBootDriverReinitialization without invoking the registered routines
NTSTATUS EnumRemoveBootDriverReinitialization(void);
//This driver's own boot reinitialization callback (trace output only)
VOID Reinitialize(struct _DRIVER_OBJECT *DriverObject, PVOID Context, ULONG Count);
/*
 * Unload callback installed from DriverEntry.
 *
 * The driver allocates nothing and registers nothing it keeps, so there is
 * nothing to release here; the parameter is only acknowledged to keep the
 * build warning-free.
 */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
}
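/*
 * Driver entry point.
 *
 * Installs DriverUnload, registers a boot-driver reinitialization callback
 * for this driver, then drains the kernel's boot reinitialization queue
 * (which presumably also removes the packet registered one line earlier).
 * A failed drain is logged but does not fail the load: the driver still
 * returns STATUS_SUCCESS, as before.
 *
 * DriverObject - this driver's object; DriverUnload is stored on it.
 * RegistryPath - this driver's service key; unused.
 *
 * Returns STATUS_SUCCESS unconditionally.
 *
 * NOTE(review): DbgBreakPoint() is unconditional. With no kernel debugger
 * attached a kernel-mode breakpoint is typically an unhandled exception and
 * bugchecks the machine, so this is a debugging-session-only build.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER(RegistryPath);

    DriverObject->DriverUnload = DriverUnload;
    DbgBreakPoint();
    IoRegisterBootDriverReinitialization(DriverObject, Reinitialize, NULL);

    /* The original discarded this status; report it so an unsupported
     * version or a failed pattern scan is visible instead of silent. */
    status = EnumRemoveBootDriverReinitialization();
    if (!NT_SUCCESS(status))
    {
        KdPrint(("EnumRemoveBootDriverReinitialization failed: 0x%08X\n", status));
    }
    return STATUS_SUCCESS;
}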
/*
 * Boot-driver reinitialization callback registered from DriverEntry.
 *
 * Emits a single trace line and does nothing else; the arguments the I/O
 * manager would pass are not used.
 *
 * DriverObject - the registering driver's object.
 * Context      - the context given at registration (NULL in DriverEntry).
 * Count        - the reinitialization count supplied by the caller.
 */
VOID Reinitialize(struct _DRIVER_OBJECT *DriverObject, PVOID Context, ULONG Count)
{
    UNREFERENCED_PARAMETER(DriverObject);
    UNREFERENCED_PARAMETER(Context);
    UNREFERENCED_PARAMETER(Count);

    KdPrint(("hehe\n"));
}
/* Drain the kernel's boot-driver reinitialization queue.
 *
 * Resolves the OS version, locates nt!IopBootDriverReinitializeQueueHead by
 * pattern scanning, then unlinks every packet from the tail of the list,
 * bumps the owning driver's DriverExtension->Count, clears its boot-reinit
 * flag bit and frees the packet. The registered routine is never invoked
 * (the call below is commented out), so every driver that queued a boot
 * reinitialization callback silently loses it.
 *
 * Returns STATUS_SUCCESS once the list is empty (including when it already
 * was), STATUS_UNSUCCESSFUL when the OS version is unrecognised or the
 * queue head could not be located.
 *
 * NOTE(review): the list is modified with no synchronization. The kernel
 * presumably protects this queue with its own lock, which is not acquired
 * here; a concurrent IoRegisterBootDriverReinitialization call or the
 * kernel's own dispatch of the queue can race with this loop.
 * NOTE(review): the packets were allocated by the kernel, so ExFreePool
 * releases memory this driver does not own, using a layout (REINIT_PACKET)
 * that is an assumption about a private structure rather than a contract.
 */
NTSTATUS EnumRemoveBootDriverReinitialization(void)
{
//locals
PLIST_ENTRY entry;
PREINIT_PACKET reinitEntry;
//resolve the OS version into g_OsVersion
if (GetOsVer() == FALSE)return STATUS_UNSUCCESSFUL;
//locate IopBootDriverReinitializeQueueHead (0 when the scan found nothing)
IopBootDriverReinitializeQueueHead =GetIopBootDriverReinitializeQueueHead();
if (IopBootDriverReinitializeQueueHead == NULL)return STATUS_UNSUCCESSFUL;
//ULONG_PTR is passed where a PLIST_ENTRY is expected: implicit integer-to-pointer conversion
while (!IsListEmpty(IopBootDriverReinitializeQueueHead))
{
entry = RemoveTailList(IopBootDriverReinitializeQueueHead);
reinitEntry = CONTAINING_RECORD(entry, REINIT_PACKET, ListEntry);
if (reinitEntry->DriverObject)
{
//bookkeeping that apparently mirrors what the kernel's dispatcher does before
//calling the routine (compare the commented-out call below) — inferred, not documented
reinitEntry->DriverObject->DriverExtension->Count++;
//clear the "boot reinit registered" bit, presumably the same bit the
//"or dword ptr [...], 20h" in the disassembly notes of GetIopBootDriverReinitializeQueueHead sets
reinitEntry->DriverObject->Flags &= ~DRVO_BOOTREINIT_REGISTERED;
//reinitEntry->DriverReinitializationRoutine(reinitEntry->DriverObject, reinitEntry->Context, reinitEntry->DriverObject->DriverExtension->Count);
}
//frees kernel-owned memory; no pool tag is supplied, so no tag check occurs
ExFreePool(reinitEntry);
}
return STATUS_SUCCESS;
}
/* Locate the unexported nt!IopBootDriverReinitializeQueueHead.
 *
 * Resolves the exported IoRegisterBootDriverReinitialization and scans its
 * first 0xff code bytes for a build-specific instruction sequence that
 * references the queue head; the immediate / RIP-relative operand of that
 * instruction is decoded into the address.
 *
 * Returns the address of the LIST_ENTRY head as an integer, or 0 when the
 * export is missing, no pattern matched for g_OsVersion, or
 * MmIsAddressValid rejected the decoded address.
 *
 * NOTE(review): the byte patterns are tied to specific kernel builds, while
 * g_OsVersion distinguishes only major/minor (all Windows 10 builds look
 * alike to GetOsVer). A servicing update that reorders the code either makes
 * the scan miss (returns 0) or matches an unrelated sequence and yields a
 * bogus pointer that EnumRemoveBootDriverReinitialization then treats as a
 * list head. MmIsAddressValid only proves the page is currently resident,
 * not that it is the queue head.
 * NOTE(review): the match tests and RtlCopyMemory read up to 10 bytes past
 * the loop bound (i + 7 .. i + 10 on x64); the scan assumes those bytes are
 * mapped and readable.
 */
ULONG_PTR GetIopBootDriverReinitializeQueueHead(void)
{
//locals
ULONG_PTR i = 0;
ULONG_PTR OffsetAddr = 0; //decoded absolute address of the queue head, 0 until a pattern matched
ULONG_PTR NotifyRoutine = 0; //the validated result (name is a leftover; it holds the queue head, not a routine)
LONG OffsetAddr64 = 0; //signed 32-bit RIP-relative displacement (x64 only)
UNICODE_STRING unstrFunc;
ULONG_PTR pIoRegisterBootDriverReinitialization;
RtlInitUnicodeString(&unstrFunc, L"IoRegisterBootDriverReinitialization");
//resolve the exported function's address
pIoRegisterBootDriverReinitialization = (ULONG_PTR)MmGetSystemRoutineAddress(&unstrFunc);
if (pIoRegisterBootDriverReinitialization == NULL)return NULL;
#ifdef _WIN64
switch (g_OsVersion)
{
case WIN7:
case WIN8:
case WIN81:
case WIN10:
{
//fffff800`040870c7 834b1020 or dword ptr[rbx + 10h], 20h
//fffff800`040870cb 488d0d3e31e0ff lea rcx, [nt!IopBootDriverReinitializeQueueHead(fffff800`03e8a210)]
//only bytes 0, 3, 4, 5, 6 of the 11-byte sequence are compared; the ModRM/disp bytes of the "or" are not checked
for (i = pIoRegisterBootDriverReinitialization; i < pIoRegisterBootDriverReinitialization + 0xff; i++)
{
if (*(PUCHAR)i == 0x83 && *(PUCHAR)(i + 3) == 0x20 && *(PUCHAR)(i + 4) == 0x48 && *(PUCHAR)(i + 5) == 0x8d && *(PUCHAR)(i + 6) == 0x0d)
{
//disp32 of the lea sits at i + 7; the lea ends at i + 11, and RIP-relative
//addressing is relative to the end of the instruction, hence "+ 11".
//OffsetAddr64 is signed, so a negative displacement sign-extends correctly when added to i.
RtlCopyMemory(&OffsetAddr64, (PUCHAR)(i + 7), sizeof(DWORD));
OffsetAddr = OffsetAddr64 + 11 + i;
break;
}
}
}
break;
default:
break;
}
#else
switch (g_OsVersion)
{
case WINXP:
{
//8056a8bf 8bd0 mov edx, eax
//8056a8c1 b9f0285580 mov ecx, offset nt!IopBootDriverReinitializeQueueHead(805528f0)
for (i = pIoRegisterBootDriverReinitialization; i < pIoRegisterBootDriverReinitialization + 0xff; i++)
{
if (*(PUCHAR)i == 0x8b && *(PUCHAR)(i + 1) == 0xd0 && *(PUCHAR)(i + 2) == 0xb9)
{
//32-bit builds embed the absolute address as an imm32 right after the opcode
RtlCopyMemory(&OffsetAddr, (PUCHAR)(i + 3), sizeof(ULONG_PTR));
break;
}
}
}
break;
case WIN7:
{
//83db2398 8bf0 mov esi, eax
//83db239a bfe8c7da83 mov edi, offset nt!IopBootDriverReinitializeQueueHead(83dac7e8)
for (i = pIoRegisterBootDriverReinitialization; i < pIoRegisterBootDriverReinitialization + 0xff; i++)
{
if (*(PUCHAR)i == 0x8b && *(PUCHAR)(i + 1) == 0xf0 && *(PUCHAR)(i + 2) == 0xbf)
{
RtlCopyMemory(&OffsetAddr, (PUCHAR)(i + 3), sizeof(ULONG_PTR));
break;
}
}
}
break;
case WIN8:
{
//8177a710 8bf1 mov esi, ecx
//8177a712 bf80e06081 mov edi, offset nt!IopBootDriverReinitializeQueueHead(8160e080)
for (i = pIoRegisterBootDriverReinitialization; i < pIoRegisterBootDriverReinitialization + 0xff; i++)
{
if (*(PUCHAR)i == 0x8b && *(PUCHAR)(i + 1) == 0xf1 && *(PUCHAR)(i + 2) == 0xbf)
{
RtlCopyMemory(&OffsetAddr, (PUCHAR)(i + 3), sizeof(ULONG_PTR));
break;
}
}
}
break;
case WIN81:
case WIN10:
{
//81781cf2 834e0820 or dword ptr[esi + 8], 20h
//81781cf6 b9405d6081 mov ecx, offset nt!IopBootDriverReinitializeQueueHead(81605d40)
for (i = pIoRegisterBootDriverReinitialization; i < pIoRegisterBootDriverReinitialization + 0xff; i++)
{
if (*(PUCHAR)i == 0x83 && *(PUCHAR)(i + 3) == 0x20 && *(PUCHAR)(i + 4) == 0xb9)
{
RtlCopyMemory(&OffsetAddr, (PUCHAR)(i + 5), sizeof(ULONG_PTR));
break;
}
}
}
break;
default:
break;
}
#endif
//ULONG_PTR handed to MmIsAddressValid's PVOID parameter: implicit integer-to-pointer conversion
if (OffsetAddr && MmIsAddressValid(OffsetAddr))
{
NotifyRoutine = OffsetAddr;
}
return NotifyRoutine;
}
/*
 * Classify the running kernel into one of the WINxx constants.
 *
 * Queries PsGetVersion for the major/minor pair and stores the matching
 * constant in g_OsVersion. Unrecognised pairs store 0, print a trace line
 * and return FALSE; recognised pairs return TRUE.
 *
 * NOTE(review): PsGetVersion is documented as obsolete (RtlGetVersion is
 * the replacement) and only major/minor are consulted, so every Windows 10
 * build maps to WIN10 regardless of build number.
 */
BOOLEAN GetOsVer(void)
{
    static const struct {
        ULONG major;
        ULONG minor;
        DWORD version;
    } knownVersions[] = {
        { 5, 1, WINXP },
        { 6, 1, WIN7 },
        { 6, 2, WIN8 },
        { 6, 3, WIN81 },
        { 10, 0, WIN10 },
    };
    ULONG major = 0;
    ULONG minor = 0;
    ULONG idx;

    PsGetVersion(&major, &minor, NULL, NULL);

    for (idx = 0; idx < sizeof knownVersions / sizeof knownVersions[0]; idx++)
    {
        if (knownVersions[idx].major == major && knownVersions[idx].minor == minor)
        {
            g_OsVersion = knownVersions[idx].version;
            return TRUE;
        }
    }

    /* No table entry matched: leave the caller with an explicit "unknown". */
    g_OsVersion = 0;
    KdPrint(("未知版本"));
    return FALSE;
}