#include <libwindrv/libwindrv.h>
#include <ntimage.h>
#define NTSTRSAFE_LIB
#define NTSTRSAFE_NO_CB_FUNCTIONS
#include <ntstrsafe.h>
// Leading portion of the kernel loader's per-module entry, as reached through
// DRIVER_OBJECT::DriverSection. This is an undocumented structure: only the
// fields this file needs are declared, and their offsets are an assumption
// about the target OS build rather than a contract.
// NOTE(review): DriverEntry reads DllBase and SizeOfImage through this layout;
// a mismatch on another build would silently produce a wrong image base/size
// for every consumer of LibWinDrvImageBase/LibWinDrvImageSize — confirm the
// layout against each kernel build the driver targets.
typedef struct _KLDR_DATA_TABLE_ENTRY_COMMON
{
    LIST_ENTRY InLoadOrderLinks;
    PVOID ExceptionTable;
    ULONG ExceptionTableSize;
    // ULONG padding on IA64
    PVOID GpValue;
    PNON_PAGED_DEBUG_INFO NonPagedDebugInfo;
    PVOID DllBase;              // image base recorded into LibWinDrvImageBase
    PVOID EntryPoint;
    ULONG SizeOfImage;          // image size recorded into LibWinDrvImageSize
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags;
    USHORT LoadCount;
    USHORT __Unused5;
    PVOID SectionPointer;
    ULONG CheckSum;
    // ULONG padding on IA64
    PVOID LoadedImports;
    PVOID PatchInformation;
} KLDR_DATA_TABLE_ENTRY_COMMON, *PKLDR_DATA_TABLE_ENTRY_COMMON;
// Driver-wide state exported with C linkage so the library side can reach it.
extern "C" PDRIVER_OBJECT LibWinDrvDriverObject = nullptr;   // assigned in DriverEntry
// NOTE(review): an extern "C" declaration without an initializer is only a
// declaration, not a definition, and nothing in this file writes these two
// buffers (the RegistryPath branch in DriverEntry is still a TODO) — confirm
// they are defined and populated elsewhere in the project.
extern "C" wchar_t LibWinDrvRegistryKey[_MAX_PATH];
extern "C" wchar_t LibWinDrvServiceKeyName[_MAX_PATH];
extern "C" PVOID LibWinDrvImageBase = nullptr;   // DllBase of this driver's loader entry (DriverEntry)
extern "C" SIZE_T LibWinDrvImageSize = 0;        // SizeOfImage of the same entry (DriverEntry)
// Unload routine installed on DriverObject->DriverUnload by DriverEntry.
// Delegates to the library's unload hook; no other teardown is done here yet.
VOID
DriverUnload(__in DRIVER_OBJECT *DriverObject)
{
    LibWinDrvDriverUnLoad(DriverObject);
    // TODO
}
#pragma alloc_text(INIT, DriverEntry)
// Driver entry point. Installs the unload routine, publishes the driver object
// and this image's base/size (read from the loader entry behind DriverSection),
// then hands control to the library's LibWinDrvDriverEntry.
//
// Returns: STATUS_VIRUS_DELETED when DriverSection is NULL, STATUS_VIRUS_INFECTED
// when RegistryPath is NULL, otherwise whatever LibWinDrvDriverEntry returns.
// NOTE(review): those two sentinel codes read as anti-virus verdicts in any log
// that decodes them; STATUS_UNSUCCESSFUL / STATUS_INVALID_PARAMETER would
// describe the actual failures.
EXTERN_C
NTSTATUS
DriverEntry(__in DRIVER_OBJECT *DriverObject, __in UNICODE_STRING *RegistryPath)
{
    // Register unload and publish the driver object before any failure path so
    // the library can always reach them.
    DriverObject->DriverUnload = (DRIVER_UNLOAD *)(DriverUnload);
    LibWinDrvDriverObject = DriverObject;

    // The loader's module entry for this driver hangs off DriverSection; the
    // layout is the hand-declared KLDR_DATA_TABLE_ENTRY_COMMON above.
    KLDR_DATA_TABLE_ENTRY_COMMON *LoaderEntry =
        (KLDR_DATA_TABLE_ENTRY_COMMON *)(LibWinDrvDriverObject->DriverSection);
    if (LoaderEntry == nullptr)
    {
        return STATUS_VIRUS_DELETED;
    }

    LibWinDrvImageBase = LoaderEntry->DllBase;
    LibWinDrvImageSize = (SIZE_T)LoaderEntry->SizeOfImage;
    // TODO
    // NOTE(review): 0x20 is an unnamed bit on DRIVER_OBJECT::Flags; use the
    // matching DRVO_* constant from ntddk.h so the intent is visible — confirm
    // which flag is meant.
    DriverObject->Flags |= 0x20;

    if (RegistryPath == nullptr)
    {
        return STATUS_VIRUS_INFECTED;
    }
    // TODO: RegistryPath is not consumed here yet.

    return LibWinDrvDriverEntry(DriverObject, RegistryPath);
}