编程技术- 驱动开发:判断自身是否加载成功
推荐 原创在驱动开发中我们有时需要得到驱动自身是否被加载成功的状态,这个功能看似没啥用实际上在某些特殊场景中还是需要的,如下代码实现了判断当前驱动是否加载成功,如果加载成功, 则输出该驱动的详细路径信息。
该功能实现的核心函数是NtQuerySystemInformation这是一个微软未公开的函数,也没有文档化,不过我们仍然可以通过动态指针的方式调用到它,该函数可以查询到很多系统信息状态,首先需要定义一个指针。
|
1
2
3
4
5
|
typedef NTSTATUS(
*
NTQUERYSYSTEMINFORMATION)(
IN ULONG SystemInformationClass,
OUT PVOID SystemInformation,
IN ULONG_PTR SystemInformationLength,
OUT PULONG_PTR ReturnLength OPTIONAL);
|
其次还需要一个SYSTEM_MODULE_INFORMATION该结构内可以得到模块入口信息模块名称等,调用NtQuerySystemInformation数据会被格式化为SYSTEM_MODULE_INFORMATION方便调用。
|
1
2
3
4
5
6
7
8
9
10
11
12
|
typedef struct _SYSTEM_MODULE_INFORMATION {
HANDLE Section;
PVOID MappedBase;
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT PathLength;
CHAR ImageName[
256
];
} SYSTEM_MODULE_INFORMATION,
*
PSYSTEM_MODULE_INFORMATION;
|
最后是SYSTEM_INFORMATION_CLASS该结构同样是一个未文档化的结构体,本此代码中需要用到的枚举类型是SystemModuleInformation其他类型也放这里后期做参考用。
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
|
typedef enum _SYSTEM_INFORMATION_CLASS
{
SystemBasicInformation
=
0x0
,
SystemProcessorInformation
=
0x1
,
SystemPerformanceInformation
=
0x2
,
SystemTimeOfDayInformation
=
0x3
,
SystemPathInformation
=
0x4
,
SystemProcessInformation
=
0x5
,
SystemCallCountInformation
=
0x6
,
SystemDeviceInformation
=
0x7
,
SystemProcessorPerformanceInformation
=
0x8
,
SystemFlagsInformation
=
0x9
,
SystemCallTimeInformation
=
0xa
,
SystemModuleInformation
=
0xb
,
SystemLocksInformation
=
0xc
,
SystemStackTraceInformation
=
0xd
,
SystemPagedPoolInformation
=
0xe
,
SystemNonPagedPoolInformation
=
0xf
,
SystemHandleInformation
=
0x10
,
SystemObjectInformation
=
0x11
,
SystemPageFileInformation
=
0x12
,
SystemVdmInstemulInformation
=
0x13
,
SystemVdmBopInformation
=
0x14
,
SystemFileCacheInformation
=
0x15
,
SystemPoolTagInformation
=
0x16
,
SystemInterruptInformation
=
0x17
,
SystemDpcBehaviorInformation
=
0x18
,
SystemFullMemoryInformation
=
0x19
,
SystemLoadGdiDriverInformation
=
0x1a
,
SystemUnloadGdiDriverInformation
=
0x1b
,
SystemTimeAdjustmentInformation
=
0x1c
,
SystemSummaryMemoryInformation
=
0x1d
,
SystemMirrorMemoryInformation
=
0x1e
,
SystemPerformanceTraceInformation
=
0x1f
,
SystemObsolete0
=
0x20
,
SystemExceptionInformation
=
0x21
,
SystemCrashDumpStateInformation
=
0x22
,
SystemKernelDebuggerInformation
=
0x23
,
SystemContextSwitchInformation
=
0x24
,
SystemRegistryQuotaInformation
=
0x25
,
SystemExtendServiceTableInformation
=
0x26
,
SystemPrioritySeperation
=
0x27
,
SystemVerifierAddDriverInformation
=
0x28
,
SystemVerifierRemoveDriverInformation
=
0x29
,
SystemProcessorIdleInformation
=
0x2a
,
SystemLegacyDriverInformation
=
0x2b
,
SystemCurrentTimeZoneInformation
=
0x2c
,
SystemLookasideInformation
=
0x2d
,
SystemTimeSlipNotification
=
0x2e
,
SystemSessionCreate
=
0x2f
,
SystemSessionDetach
=
0x30
,
SystemSessionInformation
=
0x31
,
SystemRangeStartInformation
=
0x32
,
SystemVerifierInformation
=
0x33
,
SystemVerifierThunkExtend
=
0x34
,
SystemSessionProcessInformation
=
0x35
,
SystemLoadGdiDriverInSystemSpace
=
0x36
,
SystemNumaProcessorMap
=
0x37
,
SystemPrefetcherInformation
=
0x38
,
SystemExtendedProcessInformation
=
0x39
,
SystemRecommendedSharedDataAlignment
=
0x3a
,
SystemComPlusPackage
=
0x3b
,
SystemNumaAvailableMemory
=
0x3c
,
SystemProcessorPowerInformation
=
0x3d
,
SystemEmulationBasicInformation
=
0x3e
,
SystemEmulationProcessorInformation
=
0x3f
,
SystemExtendedHandleInformation
=
0x40
,
SystemLostDelayedWriteInformation
=
0x41
,
SystemBigPoolInformation
=
0x42
,
SystemSessionPoolTagInformation
=
0x43
,
SystemSessionMappedViewInformation
=
0x44
,
SystemHotpatchInformation
=
0x45
,
SystemObjectSecurityMode
=
0x46
,
SystemWatchdogTimerHandler
=
0x47
,
SystemWatchdogTimerInformation
=
0x48
,
SystemLogicalProcessorInformation
=
0x49
,
SystemWow64SharedInformationObsolete
=
0x4a
,
SystemRegisterFirmwareTableInformationHandler
=
0x4b
,
SystemFirmwareTableInformation
=
0x4c
,
SystemModuleInformationEx
=
0x4d
,
SystemVerifierTriageInformation
=
0x4e
,
SystemSuperfetchInformation
=
0x4f
,
SystemMemoryListInformation
=
0x50
,
SystemFileCacheInformationEx
=
0x51
,
SystemThreadPriorityClientIdInformation
=
0x52
,
SystemProcessorIdleCycleTimeInformation
=
0x53
,
SystemVerifierCancellationInformation
=
0x54
,
SystemProcessorPowerInformationEx
=
0x55
,
SystemRefTraceInformation
=
0x56
,
SystemSpecialPoolInformation
=
0x57
,
SystemProcessIdInformation
=
0x58
,
SystemErrorPortInformation
=
0x59
,
SystemBootEnvironmentInformation
=
0x5a
,
SystemHypervisorInformation
=
0x5b
,
SystemVerifierInformationEx
=
0x5c
,
SystemTimeZoneInformation
=
0x5d
,
SystemImageFileExecutionOptionsInformation
=
0x5e
,
SystemCoverageInformation
=
0x5f
,
SystemPrefetchPatchInformation
=
0x60
,
SystemVerifierFaultsInformation
=
0x61
,
SystemSystemPartitionInformation
=
0x62
,
SystemSystemDiskInformation
=
0x63
,
SystemProcessorPerformanceDistribution
=
0x64
,
SystemNumaProximityNodeInformation
=
0x65
,
SystemDynamicTimeZoneInformation
=
0x66
,
SystemCodeIntegrityInformation
=
0x67
,
SystemProcessorMicrocodeUpdateInformation
=
0x68
,
SystemProcessorBrandString
=
0x69
,
SystemVirtualAddressInformation
=
0x6a
,
SystemLogicalProcessorAndGroupInformation
=
0x6b
,
SystemProcessorCycleTimeInformation
=
0x6c
,
SystemStoreInformation
=
0x6d
,
SystemRegistryAppendString
=
0x6e
,
SystemAitSamplingValue
=
0x6f
,
SystemVhdBootInformation
=
0x70
,
SystemCpuQuotaInformation
=
0x71
,
SystemNativeBasicInformation
=
0x72
,
SystemErrorPortTimeouts
=
0x73
,
SystemLowPriorityIoInformation
=
0x74
,
SystemBootEntropyInformation
=
0x75
,
SystemVerifierCountersInformation
=
0x76
,
SystemPagedPoolInformationEx
=
0x77
,
SystemSystemPtesInformationEx
=
0x78
,
SystemNodeDistanceInformation
=
0x79
,
SystemAcpiAuditInformation
=
0x7a
,
SystemBasicPerformanceInformation
=
0x7b
,
SystemQueryPerformanceCounterInformation
=
0x7c
,
SystemSessionBigPoolInformation
=
0x7d
,
SystemBootGraphicsInformation
=
0x7e
,
SystemScrubPhysicalMemoryInformation
=
0x7f
,
SystemBadPageInformation
=
0x80
,
SystemProcessorProfileControlArea
=
0x81
,
SystemCombinePhysicalMemoryInformation
=
0x82
,
SystemEntropyInterruptTimingInformation
=
0x83
,
SystemConsoleInformation
=
0x84
,
SystemPlatformBinaryInformation
=
0x85
,
SystemThrottleNotificationInformation
=
0x86
,
SystemHypervisorProcessorCountInformation
=
0x87
,
SystemDeviceDataInformation
=
0x88
,
SystemDeviceDataEnumerationInformation
=
0x89
,
SystemMemoryTopologyInformation
=
0x8a
,
SystemMemoryChannelInformation
=
0x8b
,
SystemBootLogoInformation
=
0x8c
,
SystemProcessorPerformanceInformationEx
=
0x8d
,
SystemSpare0
=
0x8e
,
SystemSecureBootPolicyInformation
=
0x8f
,
SystemPageFileInformationEx
=
0x90
,
SystemSecureBootInformation
=
0x91
,
SystemEntropyInterruptTimingRawInformation
=
0x92
,
SystemPortableWorkspaceEfiLauncherInformation
=
0x93
,
SystemFullProcessInformation
=
0x94
,
SystemKernelDebuggerInformationEx
=
0x95
,
SystemBootMetadataInformation
=
0x96
,
SystemSoftRebootInformation
=
0x97
,
SystemElamCertificateInformation
=
0x98
,
SystemOfflineDumpConfigInformation
=
0x99
,
SystemProcessorFeaturesInformation
=
0x9a
,
SystemRegistryReconciliationInformation
=
0x9b
,
MaxSystemInfoClass
=
0x9c
,
} SYSTEM_INFORMATION_CLASS;
|
- 1.通过MmGetSystemRoutineAddress得到动态的地址。
- 2.动态调用m_NtQuerySystemInformation得到参数。
- 3.判断自身是否被加载,如果是输出路径。
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
|
#include <ntifs.h>
#include <windef.h>
#include <stdlib.h>
typedef NTSTATUS(
*
NTQUERYSYSTEMINFORMATION)(
IN ULONG SystemInformationClass,
OUT PVOID SystemInformation,
IN ULONG_PTR SystemInformationLength,
OUT PULONG_PTR ReturnLength OPTIONAL);
typedef struct _SYSTEM_MODULE_INFORMATION {
HANDLE Section;
PVOID MappedBase;
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT LoadOrderIndex;
USHORT InitOrderIndex;
USHORT LoadCount;
USHORT PathLength;
CHAR ImageName[
256
];
} SYSTEM_MODULE_INFORMATION,
*
PSYSTEM_MODULE_INFORMATION;
typedef enum _SYSTEM_INFORMATION_CLASS
{
SystemBasicInformation
=
0x0
,
SystemProcessorInformation
=
0x1
,
SystemPerformanceInformation
=
0x2
,
SystemTimeOfDayInformation
=
0x3
,
SystemPathInformation
=
0x4
,
SystemProcessInformation
=
0x5
,
SystemCallCountInformation
=
0x6
,
SystemDeviceInformation
=
0x7
,
SystemProcessorPerformanceInformation
=
0x8
,
SystemFlagsInformation
=
0x9
,
SystemCallTimeInformation
=
0xa
,
SystemModuleInformation
=
0xb
,
SystemLocksInformation
=
0xc
,
} SYSTEM_INFORMATION_CLASS;
/
/
判断当前Driver是否加载成功
/
/
By: LyShark
ULONG JudgeLoadDriver()
{
NTQUERYSYSTEMINFORMATION m_NtQuerySystemInformation
=
NULL;
UNICODE_STRING NtQuerySystemInformation_Name;
PSYSTEM_MODULE_INFORMATION ModuleEntry;
ULONG_PTR RetLength, BaseAddr, EndAddr;
ULONG ModuleNumbers, Index;
NTSTATUS Status;
PVOID
Buffer
;
RtlInitUnicodeString(&NtQuerySystemInformation_Name, L
"NtQuerySystemInformation"
);
m_NtQuerySystemInformation
=
(NTQUERYSYSTEMINFORMATION)MmGetSystemRoutineAddress(&NtQuerySystemInformation_Name);
if
(m_NtQuerySystemInformation
=
=
NULL)
{
DbgPrint(
"获取NtQuerySystemInformation函数失败!\n"
);
return
1
;
}
RetLength
=
0
;
Status
=
m_NtQuerySystemInformation(SystemModuleInformation, NULL,
0
, &RetLength);
if
(Status <
0
&& Status !
=
STATUS_INFO_LENGTH_MISMATCH)
{
DbgPrint(
"NtQuerySystemInformation调用失败!错误码是:%x\n"
, Status);
return
1
;
}
Buffer
=
ExAllocatePoolWithTag(NonPagedPool, RetLength,
'lysh'
);
if
(
Buffer
=
=
NULL)
{
DbgPrint(
"分配内存失败!\n"
);
return
1
;
}
Status
=
m_NtQuerySystemInformation(SystemModuleInformation,
Buffer
, RetLength, &RetLength);
if
(Status <
0
)
{
DbgPrint(
"NtQuerySystemInformation调用失败 %x\n"
, Status);
return
1
;
}
ModuleNumbers
=
*
(ULONG
*
)
Buffer
;
ModuleEntry
=
(PSYSTEM_MODULE_INFORMATION)((ULONG_PTR)
Buffer
+
8
);
for
(Index
=
0
; Index < ModuleNumbers;
+
+
Index)
{
BaseAddr
=
(ULONG_PTR)ModuleEntry
-
>Base;
EndAddr
=
BaseAddr
+
ModuleEntry
-
>Size;
if
(BaseAddr <
=
(ULONG_PTR)JudgeLoadDriver && (ULONG_PTR)JudgeLoadDriver <
=
EndAddr)
{
DbgPrint(
"模块名称是:%s\n"
, ModuleEntry
-
>ImageName);
return
2
;
}
+
+
ModuleEntry;
}
return
0
;
}
VOID UnDriver(PDRIVER_OBJECT driver)
{
DbgPrint(
"驱动卸载成功 \n"
);
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath)
{
DbgPrint(
"hello lyshark.com \n"
);
ULONG ul
=
JudgeLoadDriver();
DbgPrint(
"驱动状态: %d \n"
, ul);
Driver
-
>DriverUnload
=
UnDriver;
return
STATUS_SUCCESS;
}
|
代码运行效果如下所示:
更多【 驱动开发:判断自身是否加载成功】相关视频教程:www.yxfzedu.com
相关文章推荐
- Amateurs CTF 2023 逆向WP - CTF对抗
- 华云安漏洞安全周报【第142期】 - 企业安全
- Frida 实战 KGB Messenger - Android安全
- DASCTF 2023 7月 逆向题解 - CTF对抗
- 使用 frida 实现 Android 本地文件读写 - Android安全
- Practical Reverse Engineering Exercise P11 Write-up - 软件逆向
- 2020强网杯线下-RV110W赛题复现 - 软件逆向
- frida常用检测点及其原理--一把梭方案 - Android安全
- 逆向调用QQ截图NT与WeChatOCR - 软件逆向
- DNF基址-2023年7月20日【7度获取】 - 游戏逆向 游戏基址
- Frida 拦截 iOS 所有(已知)密码学函数 ( Frida-iOS-Cipher ) - IOS安全
- 10-10-12分页 - 软件逆向
- 棱堡计划 |政企产品专项活动,共筑数字安全基石。 - 企业安全
- 特殊的线性地址 - 软件逆向
- 浅谈AFL++ fuzzing(上):如何用进行有效且规整的fuzzing - 软件逆向
- 签名对抗学习笔记 - Android安全
- 《安卓逆向这档事》六、校验的N次方-签名校验对抗、PM代理、IO重定向 - Android安全
- OLLVM控制流平坦化源码分析+魔改 - Android安全
- 通过替换dll实现后门功能的恶意代码 - 软件逆向
- 《安卓逆向这档事》十二、大佬帮我分析一下 - Android安全
记录自己的技术轨迹
文章规则:
1):文章标题请尽量与文章内容相符
2):严禁色情、血腥、暴力
3):严禁发布任何形式的广告贴
4):严禁发表关于中国的政治类话题
5):严格遵守中国互联网法律法规
6):有侵权,疑问可发邮件至service@yxfzedu.com
近期原创 更多
