xp3下保护xuetr


#ifndef _PROTECT_XUETR_H_
#define _PROTECT_XUETR_H_

// ProtectXuetr.h - private declarations for a kernel-mode driver that
// unlinks named driver objects from the object manager's \Driver directory.
//
// Everything after the two WDK includes is a hand-copied layout of
// undocumented Windows internals (the page title targets XP SP3). None of
// these structures are version-portable; a different kernel build with a
// different OBJECT_DIRECTORY layout turns the pointer walk in
// HideDriverByName into arbitrary kernel memory reads/writes.
// The guard name starts with '_' + uppercase, which is a reserved
// identifier; kept as written.

#include <ntddk.h>
#include <windef.h>

// NOTE(review): windef.h normally already provides DWORD/BYTE, and this
// macro rewrites the `typedef ULONG DWORD, *PDWORD;` further down into a
// self-typedef (`typedef ULONG ULONG, ...`). Whether that is accepted
// depends on the toolchain - confirm on the target build environment.
#define DWORD ULONG

// Loader data table entry (module list node). Declared here but not
// referenced by the ProtectXuetr.c shown on this page.
typedef struct _LDR_DATA_TABLE_ENTRY
{
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    PVOID DllBase;
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags;
    USHORT LoadCount;
    USHORT TlsIndex;
    // Anonymous unions reproduce the overlapping fields of the kernel's
    // own definition; the field meanings are taken on faith from the names.
    union
    {
        LIST_ENTRY HashLinks;
        struct
        {
            PVOID SectionPointer;
            ULONG CheckSum;
        };
    };
    union
    {
        struct
        {
            ULONG TimeDateStamp;
        };
        struct
        {
            PVOID LoadedImports;
        };
    };
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;

// Exported by ntoskrnl; the object type used when resolving names under
// \Driver. (Declared a second time at the bottom of this header -
// redundant but legal.)
extern POBJECT_TYPE *IoDriverObjectType;

// Exported but undocumented object manager lookup; presumably declared here
// because ntddk.h does not expose it. HideDriverByName calls it with
// ObjectType = *IoDriverObjectType to obtain the \Driver directory object.
NTKERNELAPI NTSTATUS ObReferenceObjectByName(
    IN PUNICODE_STRING ObjectName,
    IN ULONG Attributes,
    IN PACCESS_STATE PassedAccessState OPTIONAL,
    IN ACCESS_MASK DesiredAccess OPTIONAL,
    IN POBJECT_TYPE ObjectType,
    IN KPROCESSOR_MODE AccessMode,
    IN OUT PVOID ParseContext OPTIONAL,
    OUT PVOID *Object
);

// Documented WDK routine; not used by the ProtectXuetr.c shown on this page.
extern NTKERNELAPI NTSTATUS ObReferenceObjectByHandle(
    IN HANDLE Handle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_TYPE ObjectType OPTIONAL,
    IN KPROCESSOR_MODE AccessMode,
    OUT PVOID *Object,
    OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL
);

// One node of a directory hash chain: singly linked through pNext, pObject
// points at the named object (a DRIVER_OBJECT for entries under \Driver).
typedef struct _OBJECT_DIRECTORY_ENTRY
{
    PVOID pNext;
    PVOID pObject;
} OBJECT_DIRECTORY_ENTRY, *POBJECT_DIRECTORY_ENTRY;

// Object manager directory as laid out on the targeted XP-era kernel:
// 37 hash buckets, each the head of an OBJECT_DIRECTORY_ENTRY chain.
// pLock is the directory's own lock; the .c file on this page walks and
// rewrites the buckets without ever acquiring it.
// TODO(review): confirm the bucket count and field order against the exact
// kernel build before loading this on anything but the intended target.
typedef struct _OBJECT_DIRECTORY
{
    POBJECT_DIRECTORY_ENTRY pObjectDirectoryEntry[37];
    PVOID pLock;
    PVOID DeviceMap;
    ULONG SessionId;
    USHORT Reserved;
    USHORT SymbolicLinkUsageCount;
} OBJECT_DIRECTORY, *POBJECT_DIRECTORY;

// See the note on `#define DWORD ULONG` above: DWORD here has already been
// macro-expanded to ULONG.
typedef ULONG DWORD, *PDWORD;
typedef UCHAR BYTE, *PBYTE;

// Duplicate of the declaration above.
extern POBJECT_TYPE *IoDriverObjectType;

#endif

 

#include "ProtectXuetr.h"

// HideDriverByName - drop a \Driver directory entry so that name-based
// enumeration of driver objects no longer returns the named driver.
//
// What the code below actually does, step by step:
//  * builds "\Driver\<pDriverName>" as an ANSI string, converts it to a
//    heap-allocated UNICODE_STRING and logs it via DbgPrint("tofind ...");
//  * references the \Driver object directory and walks all 37 hash buckets;
//  * in each bucket follows pNext until a DRIVER_OBJECT whose DriverName
//    contains the search string is found (wcsstr substring match, so any
//    driver whose name merely contains pDriverName also matches);
//  * on a hit, overwrites the bucket head with head->pNext. This unlinks
//    the FIRST entry of that bucket, not necessarily the matching one:
//    bFound is set even when the match sat deeper in the chain, in which
//    case an unrelated driver's entry is removed instead.
//  * The DRIVER_OBJECT itself is untouched - only its directory entry is
//    dropped - and nothing is ever restored (DriverUnload is empty), nor is
//    the directory lock (OBJECT_DIRECTORY.pLock) taken around the walk or
//    the write, so this races with the object manager.
//
// pDriverName: NUL-terminated ANSI substring to look for. Only short
//              literals are passed in this file; note that the strncat
//              bound used below is the SOURCE length, not the space left in
//              the 256-byte buffer, so a long name would overflow it.
// Returns: the NTSTATUS of ObReferenceObjectByName - STATUS_SUCCESS when the
//          \Driver lookup worked, regardless of whether anything was unlinked.
// Defect: the failure path still reaches ObDereferenceObject() with
//         pObjectDirectory == NULL.
// Observable artefacts: the "tofind %ws" and "found it" debug strings, and
// a \Driver directory whose chains no longer cover every live DRIVER_OBJECT.
NTSTATUS HideDriverByName(LPCSTR pDriverName)
{
    NTSTATUS Status = STATUS_SUCCESS;
    UNICODE_STRING stDriverDirectory = {0};
    OBJECT_ATTRIBUTES stObjectAttributes = {0};   // initialised below but never used
    POBJECT_DIRECTORY pObjectDirectory = NULL;
    PDRIVER_OBJECT pHideDriver = NULL;            // assigned on a hit, never read
    char pDriverDirectoryName[256] = {0};
    ANSI_STRING stAnsiName = {0};
    UNICODE_STRING stUnicodeName = {0};

    // Initialise the strings we need: "\Driver\" + pDriverName.
    // strncat's count is the source length, so the 256-byte destination is
    // not bounded here; callers in this file only pass short literals.
    strncat( pDriverDirectoryName, "\\Driver\\", strlen("\\Driver\\") );
    strncat( pDriverDirectoryName, pDriverName, strlen(pDriverName) );
    RtlInitAnsiString( &stAnsiName, pDriverDirectoryName );
    // TRUE => allocates stUnicodeName.Buffer; freed at the end. The return
    // value is not checked, so on failure wcsstr below runs on a NULL buffer.
    RtlAnsiStringToUnicodeString( &stUnicodeName, &stAnsiName, TRUE );
    DbgPrint("tofind %ws\r\n",stUnicodeName.Buffer);
    RtlInitUnicodeString( &stDriverDirectory, L"\\Driver" );
    // Dead code: stObjectAttributes is populated but never passed anywhere.
    InitializeObjectAttributes( &stObjectAttributes, &stDriverDirectory, OBJ_CASE_INSENSITIVE|OBJ_KERNEL_HANDLE, NULL, NULL );

    // Obtain the directory object (POBJECT_DIRECTORY) for \Driver.
    // NOTE(review): the name resolves to a directory object, yet the expected
    // type passed is *IoDriverObjectType; whether the object manager accepts
    // that mismatch on the target build is not established by this page.
    Status = ObReferenceObjectByName( &stDriverDirectory, OBJ_CASE_INSENSITIVE, NULL, 0, *IoDriverObjectType, KernelMode, NULL, &pObjectDirectory );
    if( NT_SUCCESS(Status) )
    {
        ULONG index = 0;
        BOOLEAN bFound = FALSE;
        POBJECT_DIRECTORY_ENTRY pObjectDirectoryEntry = NULL;

        // Start enumerating the driver directory object: all 37 hash buckets.
        for( index = 0; index < 37; index++ )
        {
            PDRIVER_OBJECT pDriver = NULL;
            pObjectDirectoryEntry = pObjectDirectory->pObjectDirectoryEntry[index];
            bFound = FALSE;
            // MmIsAddressValid only checks that the page is resident; it is
            // no substitute for the directory lock, which is never taken.
            while(pObjectDirectoryEntry&&MmIsAddressValid(pObjectDirectoryEntry) )
            {
                // pObject points to a DriverObject for entries under \Driver.
                pDriver = (PDRIVER_OBJECT)(pObjectDirectoryEntry->pObject);
                if( MmIsAddressValid(pDriver) )
                {
                    //DbgPrint("%ws\r\n",pDriver->DriverName.Buffer);
                    // Substring match; "yes, found it".
                    // NOTE(review): wcsstr needs NUL-terminated input, but a
                    // UNICODE_STRING is length-counted, so DriverName.Buffer
                    // is not guaranteed to be terminated - possible over-read.
                    if(wcsstr(pDriver->DriverName.Buffer,stUnicodeName.Buffer))
                    {
                        // Flag that we found the target's directory entry.
                        bFound = TRUE;
                        pHideDriver = pDriver;
                        DbgPrint("found it\r\n");
                        break;
                    }
                }
                pObjectDirectoryEntry = pObjectDirectoryEntry->pNext;
            }
            if( bFound )
            {
                // Start unlinking. This always removes the bucket HEAD, even
                // when the match was found further along the chain; the
                // position of the match is not tracked.
                pObjectDirectory->pObjectDirectoryEntry[index] = pObjectDirectory->pObjectDirectoryEntry[index]->pNext;
            }
        }
    }

    // Release the reference. Defect: also executed when the lookup failed
    // and pObjectDirectory is still NULL.
    ObDereferenceObject( pObjectDirectory );
    // Free the unicode string we allocated above (no-op if Buffer is NULL).
    RtlFreeUnicodeString( &stUnicodeName );
    return Status;
}

// DriverUnload - intentionally empty. The \Driver directory modifications
// made from DriverEntry are not reverted on unload.
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    return;
}

// DriverEntry - unlinks the directory entries of two anti-rootkit tools'
// drivers (by name substring) and then stays loaded.
//
// DriverObject:    this driver's object; only DriverUnload is set on it.
// pRegistryString: unused.
// Returns: STATUS_SUCCESS unconditionally, so the driver remains loaded
//          even when both HideDriverByName calls fail.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING pRegistryString)
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    DriverObject->DriverUnload = DriverUnload;

    // Prepare to unlink PCHunter32's driver object directory entry.
    // NOTE(review): the literal "PCHunter32al" does not match the
    // "PCHunter32" in the success message; it reads like a typo but the
    // intended name cannot be confirmed from this page.
    status = HideDriverByName("PCHunter32al");
    if (NT_SUCCESS(status))
    {
        DbgPrint("Hide PCHunter32 success\r\n");
    }
    // Dead store: overwritten by the next call.
    status = STATUS_UNSUCCESSFUL;
    status = HideDriverByName("XueTr");
    if (NT_SUCCESS(status))
    {
        DbgPrint("Hide XueTr success\r\n");
    }
    return STATUS_SUCCESS;
}

 

