




Win64 驱动内核编程-25.X64枚举和隐藏内核模块


X64枚舉和隱藏內核模塊

在 WIN64 上枚舉內核模塊的方法：使用 ZwQuerySystemInformation 的第 11 號功能（SystemModuleInformation），或遍歷 KLDR_DATA_TABLE_ENTRY 中的 InLoadOrderLinks 雙向鏈表；隱藏內核模塊的通用方法是把指定驅動對應的 KLDR_DATA_TABLE_ENTRY 從 InLoadOrderLinks 雙向鏈表上摘除。需要注意：摘鏈只是把模塊從鏈表視圖中移走，映像本身仍在內存中；該做法依賴 KLDR_DATA_TABLE_ENTRY 的字段偏移，與具體系統版本相關；在啟用內核補丁保護（PatchGuard）的 x64 系統上，修改已加載模塊鏈表可能被檢測並觸發藍屏。

X64 內核模塊枚舉（注意：以下代碢在 R3 用戶態運行）

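#include <stdio.h>
#include <Windows.h>

/*
 * Enumerate loaded kernel modules from user mode (ring 3) on x64 Windows.
 *
 * Uses the undocumented ZwQuerySystemInformation(SystemModuleInformation = 11)
 * exported by ntdll.dll.  The structures below are the caller-side view of that
 * information class; the field sizes are the x64 layout only.
 *
 * NOTE(review): newer Windows versions restrict kernel-address disclosure for
 * low-integrity callers, so the call may fail or return nothing useful when run
 * without sufficient privilege.  That case is reported through the error paths
 * below rather than worked around.
 */
typedef NTSTATUS (*ZWQUERYSYSTEMINFORMATION)(
    IN ULONG SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG Length,
    OUT PULONG ReturnLength);

/* Information class used by EnumKM(). */
#define SYSTEM_MODULE_INFORMATION_CLASS 11

/* Returned while the supplied buffer is too small; Windows.h does not define it. */
#ifndef STATUS_INFO_LENGTH_MISMATCH
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#endif

/*
 * One module record.  The four leading ULONGs stand in for two pointer-sized
 * fields on x64 (16 bytes); only Base, ModuleNameOffset and ImageName are used.
 */
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
    ULONG  Unknow1;
    ULONG  Unknow2;
    ULONG  Unknow3;
    ULONG  Unknow4;
    PVOID  Base;               /* kernel-mode image base */
    ULONG  Size;
    ULONG  Flags;
    USHORT Index;
    USHORT NameLength;
    USHORT LoadCount;
    USHORT ModuleNameOffset;   /* offset of the bare file name inside ImageName */
    char   ImageName[256];     /* full path, expected (not guaranteed) to be NUL-terminated */
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;

typedef struct _SYSTEM_MODULE_INFORMATION {
    ULONG Count;                                 /* number of loaded kernel modules */
    SYSTEM_MODULE_INFORMATION_ENTRY Module[1];   /* Count entries follow in the buffer */
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

/* Resolved in main() from ntdll.dll; NULL until then. */
ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL;

/*
 * Print every kernel module (base address and file name) and mark the one
 * whose file name matches HighlightDrvName (case-insensitive).
 *
 * Returns 1 when the enumeration ran (whether or not the name was found),
 * 0 when the query could not be performed (function not resolved, allocation
 * failure, or ZwQuerySystemInformation reporting an error).
 */
BOOLEAN EnumKM(char *HighlightDrvName)
{
    ULONG NeedSize = 0, BufferSize = 0x5000;
    ULONG i, ModuleCount, MaxCount, HLed = 0;
    PVOID pBuffer = NULL;
    PCHAR pDrvName = NULL;
    NTSTATUS Result;
    PSYSTEM_MODULE_INFORMATION pSystemModuleInformation;

    /* The function pointer is filled in by main(); calling through NULL would crash. */
    if (ZwQuerySystemInformation == NULL || HighlightDrvName == NULL)
        return 0;

    /* Grow the buffer until the kernel accepts the size. */
    do {
        pBuffer = malloc(BufferSize);
        if (pBuffer == NULL)
            return 0;

        Result = ZwQuerySystemInformation(SYSTEM_MODULE_INFORMATION_CLASS,
                                          pBuffer, BufferSize, &NeedSize);
        if (Result == STATUS_INFO_LENGTH_MISMATCH) {
            free(pBuffer);
            pBuffer = NULL;
            BufferSize *= 2;
        } else if (Result < 0) {
            /* Any other failure: give up. */
            free(pBuffer);
            return 0;
        }
    } while (Result == STATUS_INFO_LENGTH_MISMATCH);

    pSystemModuleInformation = (PSYSTEM_MODULE_INFORMATION)pBuffer;
    ModuleCount = pSystemModuleInformation->Count;

    /* Defensive: never index past the buffer we actually own, whatever Count says. */
    MaxCount = (BufferSize - FIELD_OFFSET(SYSTEM_MODULE_INFORMATION, Module))
               / sizeof(SYSTEM_MODULE_INFORMATION_ENTRY);
    if (ModuleCount > MaxCount)
        ModuleCount = MaxCount;

    for (i = 0; i < ModuleCount; i++) {
        PSYSTEM_MODULE_INFORMATION_ENTRY m = &pSystemModuleInformation->Module[i];

        /* Only kernel-space bases are of interest. */
        if ((ULONG64)m->Base <= (ULONG64)0x8000000000000000)
            continue;

        /* Bounds-check the name offset and force termination before printf/%s. */
        if (m->ModuleNameOffset >= sizeof(m->ImageName))
            continue;
        m->ImageName[sizeof(m->ImageName) - 1] = '\0';
        pDrvName = m->ImageName + m->ModuleNameOffset;

        printf("0x%llx\t%s", (ULONG64)m->Base, pDrvName);
        if (_stricmp(pDrvName, HighlightDrvName) == 0) {
            printf("\t\t<--------------------");
            HLed = 1;
        }
        printf("\n");
    }

    if (HLed == 0)
        printf("\n[%s] NOT FOUND!", HighlightDrvName);

    free(pBuffer);
    return 1;
}

int main()
{
    /* ntdll.dll is mapped into every process; no LoadLibrary needed. */
    HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll");
    if (hNtdll == NULL) {
        fprintf(stderr, "GetModuleHandleW(ntdll.dll) failed: %lu\n", GetLastError());
        return 1;
    }

    ZwQuerySystemInformation =
        (ZWQUERYSYSTEMINFORMATION)GetProcAddress(hNtdll, "ZwQuerySystemInformation");
    if (ZwQuerySystemInformation == NULL) {
        fprintf(stderr, "GetProcAddress(ZwQuerySystemInformation) failed: %lu\n", GetLastError());
        return 1;
    }

    EnumKM("win32k.sys");
    getchar();
    return 0;
}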
然後是 R0 下隱藏內核模塊的摘鏈代碼。要點在於 KLDR_DATA_TABLE_ENTRY 的結構定義：字段偏移必須與目標系統版本一致（尤其是 InLoadOrderLinks 和 DllBase），否則比較 DllBase 和修改 Flink/Blink 時會讀寫到錯誤的位置。

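#include <ntddk.h>

/*
 * Kernel-mode (ring 0) demo: hide a loaded module by unlinking its
 * KLDR_DATA_TABLE_ENTRY from the InLoadOrderLinks list.
 *
 * NOTE(review): this only removes the module from the loader's list view; the
 * image stays mapped.  On x64 systems with Kernel Patch Protection active,
 * modifications of the loaded-module list are known to be detected and end in
 * a bugcheck, so expect this to be unstable outside a lab VM.
 */
#define kprintf DbgPrint
#define kmalloc(_s) ExAllocatePoolWithTag(NonPagedPool, _s, 'SYSQ')
#define kfree(_p) ExFreePool(_p)

NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
    IN ULONG SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG Length,
    OUT PULONG ReturnLength);

/* Information class used by GetSystemModuleBase(). */
#define SYSTEM_MODULE_INFORMATION_CLASS 11

/*
 * One module record as returned by information class 11.  The four leading
 * ULONGs stand in for two pointer-sized fields on x64 (16 bytes).
 */
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
    ULONG  Unknow1;
    ULONG  Unknow2;
    ULONG  Unknow3;
    ULONG  Unknow4;
    PVOID  Base;               /* kernel-mode image base */
    ULONG  Size;
    ULONG  Flags;
    USHORT Index;
    USHORT NameLength;
    USHORT LoadCount;
    USHORT ModuleNameOffset;   /* offset of the bare file name inside ImageName */
    char   ImageName[256];     /* full path */
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;

typedef struct _SYSTEM_MODULE_INFORMATION {
    ULONG Count;                                 /* number of loaded kernel modules */
    SYSTEM_MODULE_INFORMATION_ENTRY Module[1];   /* Count entries follow in the buffer */
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

/*
 * Partial x64 layout of the loader's module entry.  Only InLoadOrderLinks
 * (offset 0x00) and DllBase (offset 0x30) are read or written by HideDriver();
 * the remaining fields exist to keep those offsets correct.  Offsets are
 * version-specific — verify against the target build with a debugger before use.
 */
typedef struct _KLDR_DATA_TABLE_ENTRY {
    LIST_ENTRY64   InLoadOrderLinks;
    ULONG64        __Undefined1;
    ULONG64        __Undefined2;
    ULONG64        __Undefined3;
    ULONG64        NonPagedDebugInfo;
    ULONG64        DllBase;
    ULONG64        EntryPoint;
    ULONG          SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG          Flags;
    USHORT         LoadCount;
    USHORT         __Undefined5;
    ULONG64        __Undefined6;
    ULONG          CheckSum;
    ULONG          __padding1;
    ULONG          TimeDateStamp;
    ULONG          __padding2;
} KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY;

/* Our own driver object, saved in DriverEntry(); DriverSection is our list entry. */
PDRIVER_OBJECT pDriverObject = NULL;

/*
 * Look up the image base of the kernel module whose file name matches
 * lpModuleName (case-insensitive) via information class 11.
 *
 * Returns the base address, or 0 when the module is not found, the query
 * fails, or pool allocation fails.  The query buffer is released on every path.
 */
ULONG64 GetSystemModuleBase(char *lpModuleName)
{
    ULONG NeedSize = 0, BufferSize = 0x5000;
    ULONG i, ModuleCount, MaxCount;
    PVOID pBuffer = NULL;
    PCHAR pDrvName = NULL;
    NTSTATUS Result;
    ULONG64 Base = 0;
    PSYSTEM_MODULE_INFORMATION pSystemModuleInformation;

    if (lpModuleName == NULL)
        return 0;

    /* Grow the buffer until the kernel accepts the size. */
    do {
        pBuffer = kmalloc(BufferSize);
        if (pBuffer == NULL)
            return 0;

        Result = ZwQuerySystemInformation(SYSTEM_MODULE_INFORMATION_CLASS,
                                          pBuffer, BufferSize, &NeedSize);
        if (Result == STATUS_INFO_LENGTH_MISMATCH) {
            kfree(pBuffer);
            pBuffer = NULL;
            BufferSize *= 2;
        } else if (!NT_SUCCESS(Result)) {
            kfree(pBuffer);
            return 0;
        }
    } while (Result == STATUS_INFO_LENGTH_MISMATCH);

    pSystemModuleInformation = (PSYSTEM_MODULE_INFORMATION)pBuffer;
    ModuleCount = pSystemModuleInformation->Count;

    /* Defensive: never index past the buffer we actually own, whatever Count says. */
    MaxCount = (BufferSize - FIELD_OFFSET(SYSTEM_MODULE_INFORMATION, Module))
               / sizeof(SYSTEM_MODULE_INFORMATION_ENTRY);
    if (ModuleCount > MaxCount)
        ModuleCount = MaxCount;

    for (i = 0; i < ModuleCount; i++) {
        PSYSTEM_MODULE_INFORMATION_ENTRY m = &pSystemModuleInformation->Module[i];

        /* Only kernel-space bases are of interest. */
        if ((ULONG64)m->Base <= (ULONG64)0x8000000000000000)
            continue;

        /* Bounds-check the name offset and force termination before the compare. */
        if (m->ModuleNameOffset >= sizeof(m->ImageName))
            continue;
        m->ImageName[sizeof(m->ImageName) - 1] = '\0';
        pDrvName = m->ImageName + m->ModuleNameOffset;

        if (_stricmp(pDrvName, lpModuleName) == 0) {
            Base = (ULONG64)m->Base;
            break;
        }
    }

    /* Freed on the found path too — the original leaked NonPagedPool here. */
    kfree(pBuffer);
    return Base;
}

/*
 * Unlink the KLDR_DATA_TABLE_ENTRY whose DllBase equals the base of pDrvName
 * from the InLoadOrderLinks list.  Walks the circular list starting from our
 * own entry (pDriverObject->DriverSection) and visits every node, including
 * the starting one, exactly once.
 *
 * Does nothing when the module cannot be resolved: otherwise a base of 0 could
 * be matched against an unrelated node (the list head is not a real entry, and
 * its "DllBase" is whatever memory follows it).
 *
 * Raising to DISPATCH_LEVEL only serialises against the current CPU; the
 * loader itself uses a resource lock for this list, so concurrent loads on
 * other CPUs are still a race in this demo.
 */
VOID HideDriver(char *pDrvName)
{
    PKLDR_DATA_TABLE_ENTRY firstentry;
    PKLDR_DATA_TABLE_ENTRY entry;
    ULONG64 pDrvBase;
    KIRQL OldIrql;

    if (pDriverObject == NULL || pDriverObject->DriverSection == NULL)
        return;

    pDrvBase = GetSystemModuleBase(pDrvName);
    if (pDrvBase == 0) {
        kprintf("[-] %s not found in loaded module list\n", pDrvName);
        return;
    }

    firstentry = (PKLDR_DATA_TABLE_ENTRY)pDriverObject->DriverSection;
    entry = firstentry;

    do {
        if (entry->DllBase == pDrvBase) {
            LIST_ENTRY64 *links = &entry->InLoadOrderLinks;

            /* le->Flink->Blink = le->Blink; le->Blink->Flink = le->Flink; */
            OldIrql = KeRaiseIrqlToDpcLevel();
            ((LIST_ENTRY64 *)links->Flink)->Blink = links->Blink;
            ((LIST_ENTRY64 *)links->Blink)->Flink = links->Flink;
            /*
             * Make the orphaned entry point at itself rather than NULL: the
             * loader still runs RemoveEntryList() on this entry at unload time,
             * and zeroed links would turn that into a NULL dereference.
             */
            links->Flink = (ULONG64)links;
            links->Blink = (ULONG64)links;
            KeLowerIrql(OldIrql);

            DbgPrint("Remove LIST_ENTRY64 OK!");
            break;
        }
        /* kprintf("%llx\t%wZ\t%wZ", entry->DllBase, entry->BaseDllName, entry->FullDllName); */
        entry = (PKLDR_DATA_TABLE_ENTRY)entry->InLoadOrderLinks.Flink;
    } while (entry != firstentry);
}

/* DriverUnload routine; must match PDRIVER_UNLOAD (returns VOID). */
VOID UnloadDriver(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
}

/* Entry point: remember our driver object, then hide the target module. */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);

    DriverObject->DriverUnload = UnloadDriver;
    pDriverObject = DriverObject;

    HideDriver("win32k.sys"); //hidekm64.sys
    return STATUS_SUCCESS;
}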

