// DriverEntry: on load, locates MessageBoxW inside user32.dll of one fixed
// process (PID 1332) and overwrites the function's first bytes with ShelCode
// from kernel mode. Every target detail is hard-coded (the PID, the kernel
// address of NtProtectVirtualMemory), so the code is tied to the single
// machine/boot it was written against. It always returns STATUS_SUCCESS, so the
// driver stays loaded whether or not the patch was applied.
//
// Review notes (defects left as-is in this listing):
//  * Process is dereferenced twice on the success path (right after the
//    lookup and again after the detach) -> reference-count underflow; it is
//    also handed to KeStackAttachProcess after its reference was dropped.
//  * MyOpenProcess and GetImageFunctionAddress results are not validated
//    before use, and the user-memory reads/writes are not wrapped in
//    __try/__except, so an invalid address bugchecks instead of failing.
//  * The patch is only written when NtProtectVirtualMemory moved
//    ProtectAddress (pMessage not page-aligned); if pMessage is page-aligned
//    nothing is written.
//  * The original page protection (OldProtect) is never restored.
extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
// Traps into an attached kernel debugger on every load; debug builds only.
DbgBreakPoint();
DriverObject->DriverUnload = DriverUnload;
NTSTATUS status;
PEPROCESS Process = NULL;
HANDLE ProcessHandle = NULL;
KAPC_STATE kApc;
// Target process is chosen by a fixed PID; RegistryPath is never read.
HANDLE ProcessId = (HANDLE)1332;
// Hard-coded kernel address of NtProtectVirtualMemory (not exported by
// ntoskrnl). Valid only for the exact kernel build and load base it was read
// from; on any other build this calls into arbitrary code.
pfnNtProtectVirtualMemory = (fnNtProtectVirtualMemory)0x83E88403;
PVOID pUser32dll = NULL;
PVOID pMessage = NULL;
// PsLookupProcessByProcessId returns a referenced EPROCESS. A missing process
// is reported as success, leaving the driver loaded with nothing to do.
if (!NT_SUCCESS(PsLookupProcessByProcessId(ProcessId, &Process))) return STATUS_SUCCESS;
// BUG: the reference taken by the lookup is released here, yet Process is
// still attached to below and dereferenced a second time after the detach.
ObfDereferenceObject(Process);
// MyOpenProcess is defined elsewhere; its return value is not checked, so a
// NULL handle can reach NtProtectVirtualMemory and ZwClose below.
ProcessHandle=MyOpenProcess(ProcessId);
// GetUserModule / GetImageFunctionAddress are project helpers not shown here;
// presumably they walk the target's loaded-module list and export table.
pUser32dll = GetUserModule(ProcessId, L"user32.dll");
if (pUser32dll)
{
// pMessage is not NULL-checked before it is read from and written to below.
pMessage = GetImageFunctionAddress(ProcessId, pUser32dll, L"MessageBoxW");
// Attach to the target process so its user address space is the current one.
KeStackAttachProcess(Process, &kApc);
// Bytes written over the function entry. 0xc2 does not fit a signed char;
// C++ brace initialization treats this as a narrowing conversion, so
// unsigned char would be the correct element type.
char ShelCode[] = { 0xc2,0x10,0x00 };
int ttt=0;
// Reads four bytes of the target into an otherwise unused local — presumably
// to fault the page in. Not guarded by __try, so an invalid pMessage
// bugchecks here.
RtlCopyMemory(&ttt, pMessage, sizeof(int));
ULONG OldProtect = 0;
SIZE_T ProtectSize =PAGE_SIZE;
PVOID ProtectAddress = pMessage;
// NtProtectVirtualMemory rounds the range to page boundaries in place, so
// ProtectAddress may come back different from pMessage.
status = pfnNtProtectVirtualMemory(ProcessHandle, &ProtectAddress, &ProtectSize, PAGE_EXECUTE_READWRITE, &OldProtect);
if (NT_SUCCESS(status))
{
// The write happens only when the address was rounded down. If pMessage is
// already page-aligned this branch is skipped and no patch is applied.
if (ProtectAddress != pMessage)
{
// Repeats the first call on the already-rounded address; redundant.
status = pfnNtProtectVirtualMemory(ProcessHandle, &ProtectAddress, &ProtectSize, PAGE_EXECUTE_READWRITE, &OldProtect);
if (NT_SUCCESS(status))
{
// WPOFF/WPON are project helpers (not shown) — presumably they toggle
// CR0.WP. The page was just made writable through its own protection, so
// this is likely unnecessary for a user-mode page.
WPOFF();
RtlCopyMemory(pMessage, ShelCode, sizeof(ShelCode));
WPON();
}
}
}
// OldProtect is never applied back; the page stays PAGE_EXECUTE_READWRITE.
// Detach from the target process.
KeUnstackDetachProcess(&kApc);
// BUG: second release of the single reference taken by the lookup above.
ObDereferenceObject(Process);
}
// Runs even when MyOpenProcess returned NULL (ZwClose on an invalid handle).
ZwClose(ProcessHandle);
return STATUS_SUCCESS;
}