R0注入DLL到R3进程

原创
2014/01/02 13:07
阅读数 2.1K

R0注入DLL到R3,貌似没有必要,也的确没有必要。以下代码只是为了验证R0调用NtQueueApcThread来注入DLL到R3进程中,没有什么神秘的东西,博大家一笑。

#include <ntddk.h>

PVOID pfn_BaseDispatchApc = NULL;
PVOID pfn_LoadLibraryA = NULL;
PVOID pszText_Kernel32 = NULL;

NTSTATUS (NTAPI* pfn_NtQueueApcThread)(
    __in HANDLE     ThreadHandle,
    __in PVOID      ApcRoutine,
    __in_opt PVOID  ApcArgument1,
    __in_opt PVOID  ApcArgument2,
    __in_opt PVOID  ApcArgument3
    );
    
VOID LoadImageNotifyRoutine (
    IN PUNICODE_STRING  FullImageName,
    IN HANDLE  ProcessId, // where image is mapped
    IN PIMAGE_INFO  ImageInfo
    )
{    
    PWSTR ptr = FullImageName->Buffer + FullImageName->Length/sizeof(WCHAR)-4;
    
    if( ptr > FullImageName->Buffer && _wcsicmp( ptr, L".exe" ) == 0 )
    {
        ptr -= 8;            
        if( ptr > FullImageName->Buffer && _wcsicmp( ptr, L"\\notepad.exe" ) == 0 );
        {
            pfn_NtQueueApcThread( ZwCurrentThread(),
                pfn_BaseDispatchApc,
                pfn_LoadLibraryA,
                pszText_Kernel32,
                NULL );
        }
    }        
}

VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
	PsRemoveLoadImageNotifyRoutine( LoadImageNotifyRoutine );
}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath)
{
    //just for winxp
	KdBreakPoint();
    
    //填写kernel32!BaseDispatchApc//win7上是ntdll!RtlDispatchAPC
    (PVOID)pfn_BaseDispatchApc = (PVOID)0x7c82c0f6;
    
    //填写kernel32!LoadLibraryA
    (PVOID)pfn_LoadLibraryA = (PVOID)0x7c801d7b;
    
    //保证待Load的DLL的名称为text.dll,可以放到system目录下
    //填写kernel32的头部text字符的位置
    (PVOID)pszText_Kernel32 = (PVOID)0x7c8001e9;
    
    //填写nt!NtQueueApcThread    
    (PVOID)pfn_NtQueueApcThread = (PVOID)0x805d3756;
    
    DriverObject->DriverUnload = DriverUnload;
    
	return PsSetLoadImageNotifyRoutine( LoadImageNotifyRoutine );
}

 

展开阅读全文
打赏
1
6 收藏
分享
加载中
更多评论
打赏
0 评论
6 收藏
1
分享
返回顶部
顶部