断链隐藏自身模块方法一

//https://developer.aliyun.com/article/1061479
//驱动开发:断链隐藏驱动程序自身
#include <ntifs.h>
HANDLE hThread;
VOID ThreadRun(PVOID StartContext);
/*
 * DriverUnload callback for method one. Emits one debug message and does
 * nothing else; the driver object passed in is not read or modified.
 */
VOID UnDriver(PDRIVER_OBJECT driver)
{
    UNREFERENCED_PARAMETER(driver);
    DbgPrint("Uninstall Driver Is OK \n");
}

// Driver entry point. Unlinks this driver's own loader entry from the kernel's
// loaded-module list (Direct Kernel Object Manipulation, DKOM) and then starts
// a system thread that erases the driver object's identifying fields.
// Risk: the list is written with no synchronization against the loader, so a
// concurrent module load/unload can corrupt it and bugcheck the system.
// Detection: Kernel Patch Protection guards kernel structures of this class and
// may bugcheck when it notices the edit (confirm for the target build); a
// list-integrity walk (entry->Flink->Blink == entry) or a cross-view comparison
// of the module list against pool-scanned driver objects / image headers
// exposes the missing entry.
// RegistryPath is unused. Always returns STATUS_SUCCESS.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath)
{
DbgPrint(("hello lyshark \n"));

PLIST_ENTRY pModuleList;
// DriverSection points at this driver's loader entry; the entry's first member
// is its in-load-order LIST_ENTRY (see the struct in method two), so the same
// pointer is used directly as the list node.
pModuleList = Driver->DriverSection;

// Predecessor's Flink = this entry's Flink (forward walks skip this node).
pModuleList->Blink->Flink = pModuleList->Flink;

// Successor's Blink = this entry's Blink (backward walks skip this node).
pModuleList->Flink->Blink = pModuleList->Blink;
// Return value is not checked: if creation fails ThreadRun never runs and the
// global hThread stays NULL. The driver object is passed as StartContext.
PsCreateSystemThread(&hThread, GENERIC_ALL, NULL, NULL, NULL, ThreadRun, Driver);

Driver->DriverUnload = UnDriver;
return STATUS_SUCCESS;
}


// System thread started by DriverEntry. Sleeps, then zeroes the fields of the
// driver object passed as StartContext so the object no longer references its
// image, loader entry or dispatch routines (the second step of the DKOM hide).
// Side effects: anything that later reads these fields will misbehave —
// presumably including a clean unload, which relies on DriverSection (confirm).
// Detection: a driver object whose DriverStart/DriverSize/DriverSection are all
// zero is itself an anomaly a pool-scanning forensic tool can flag.
// Closes the global thread handle before returning.
VOID ThreadRun(PVOID StartContext)
{
LARGE_INTEGER times;
PDRIVER_OBJECT pDriverObject;

// Negative value = relative interval, in 100 ns units:
// -30,000,000 * 100 ns = 3 s. (The original comment said nanoseconds; the
// unit KeDelayExecutionThread uses is 100 ns.)
times.QuadPart = -30 * 1000 * 1000;

KeDelayExecutionThread(KernelMode, FALSE, &times);
pDriverObject = (PDRIVER_OBJECT)StartContext;

// Erase module information from the driver object.
pDriverObject->DriverSize = 0;
pDriverObject->DriverSection = NULL;
pDriverObject->DriverExtension = NULL;
pDriverObject->DriverStart = NULL;
pDriverObject->DriverInit = NULL;
pDriverObject->FastIoDispatch = NULL;
pDriverObject->DriverStartIo = NULL;

// Release the handle PsCreateSystemThread stored in hThread.
ZwClose(hThread);
}

断链隐藏自身模块方法二

#include <ntifs.h>
#include "function.h"

#define Log(X) DbgPrint("qi:"X##)

VOID EnumDriver(PDRIVER_OBJECT pdriver);
VOID HideDriver(PDRIVER_OBJECT pdriver);

// Hand-declared, partial copy of the kernel's undocumented loader entry.
// The code below reads only InLoadOrderLinks, DllBase and BaseDllName; the real
// structure is longer and its layout varies between Windows versions, so every
// access through this type is a version-dependent assumption — confirm against
// the target build.
typedef struct _LDR_DATA_TABLE_ENTRY
{
// First member: an entry pointer is also its node in the in-load-order list.
LIST_ENTRY InLoadOrderLinks;
LIST_ENTRY InMemoryOrderLinks;
LIST_ENTRY InInitializationOrderLinks;
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
USHORT LoadCount;
USHORT TlsIndex;
LIST_ENTRY HashLinks;
ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;

// Unload callback: only logs. Note the signature mismatch — the DriverUnload
// callback type is VOID (PDRIVER_OBJECT), as method one's UnDriver shows, but
// this returns NTSTATUS. The Log macro above also ends its replacement list
// with a bare ##, which is not valid preprocessor syntax.
NTSTATUS DriverUnload(PDRIVER_OBJECT pdriver)
{
Log("unload...\n");
return STATUS_SUCCESS;
}
// Driver entry point: registers the unload routine, prints the loaded-module
// list, then unlinks this driver's own entry from it (DKOM self-hiding; see
// HideDriver). The commented-out block is the author's further step of
// zeroing the driver object's fields. path is unused; always returns
// STATUS_SUCCESS.
NTSTATUS DriverEntry(PDRIVER_OBJECT pdriver, PUNICODE_STRING path)
{
// DriverUnload returns NTSTATUS while the callback type is VOID (type mismatch).
pdriver->DriverUnload = DriverUnload;
Log("loading...\n");
EnumDriver(pdriver);
HideDriver(pdriver);
// Setting some of the driver object's fields to empty hides it more thoroughly.
/*
pdriver->DriverStart = 0;
pdriver->DriverSize = 0;
pdriver->Type = 0;
pdriver->Size = 0;
pdriver->DeviceObject = 0;
pdriver->DriverExtension = 0;
*/
return STATUS_SUCCESS;
}

/*
 * Walk the in-load-order module list starting at this driver's own loader
 * entry and print each module's base address and base name. The traversal
 * follows InLoadOrderLinks.Flink until it arrives back at the starting entry,
 * so the starting entry is printed first and every entry exactly once (the
 * list is circular). Assumes pdriver->DriverSection is non-NULL and that the
 * partial LDR_DATA_TABLE_ENTRY layout declared above matches the running
 * kernel.
 */
VOID EnumDriver(PDRIVER_OBJECT pdriver)
{
    PLDR_DATA_TABLE_ENTRY first = (PLDR_DATA_TABLE_ENTRY)pdriver->DriverSection;
    PLDR_DATA_TABLE_ENTRY entry = first;

    for (;;) {
        DebugMessage("%p,%wZ\n", entry->DllBase, &entry->BaseDllName);
        /* Flink points at the next entry's InLoadOrderLinks, its first member. */
        entry = (PLDR_DATA_TABLE_ENTRY)entry->InLoadOrderLinks.Flink;
        if (entry == first) {
            break;
        }
    }
}
// Unlinks this driver's loader entry from the in-load-order module list (DKOM).
// As written, the second statement repeats the first verbatim, so only the
// successor's Blink is rewritten: forward walks still reach this entry, only
// backward walks skip it, and the list is left asymmetric
// (entry->Flink->Blink != entry). The list is modified with no synchronization
// against the loader; a concurrent load/unload can corrupt it (bugcheck).
// Detection: a Flink/Blink symmetry check, or a cross-view comparison of this
// list against other sources of loaded-image information, flags exactly such a
// half-unlinked entry.
VOID HideDriver(PDRIVER_OBJECT pdriver)
{
PLDR_DATA_TABLE_ENTRY ldr = (PLDR_DATA_TABLE_ENTRY)pdriver->DriverSection;
// Successor's Blink = this entry's Blink.
(PLDR_DATA_TABLE_ENTRY)ldr->InLoadOrderLinks.Flink->Blink = ldr->InLoadOrderLinks.Blink;
// Identical to the line above; the predecessor's Flink is never updated.
(PLDR_DATA_TABLE_ENTRY)ldr->InLoadOrderLinks.Flink->Blink = ldr->InLoadOrderLinks.Blink;

}