
标题: 驱动开发:判断自身是否加载成功

作者: 祗疼妳一个    时间: 2022-10-8 20:04
标题: 驱动开发:判断自身是否加载成功
在驱动开发中我们有时需要得到驱动自身是否被加载成功的状态,这个功能看似没啥用实际上在某些特殊场景中还是需要的,如下代码实现了判断当前驱动是否加载成功,如果加载成功, 则输出该驱动的详细路径信息。
该功能实现的核心函数是NtQuerySystemInformation。微软没有在WDK头文件中为内核模式调用者声明这个函数(用户态的winternl.h里只有带“可能随版本变化”警告的部分文档),不过我们仍然可以通过MmGetSystemRoutineAddress在运行时取得函数指针来调用它,该函数可以查询到很多系统信息状态,首先需要定义一个与之原型匹配的函数指针类型。需要注意:从驱动中调用时应优先解析Zw前缀版本(ZwQuerySystemInformation),Zw系列入口会把PreviousMode置为KernelMode;而Nt系列入口保持调用线程原有的PreviousMode,如果在用户线程上下文中调用,传入的内核池缓冲区会按用户态地址被探测而失败。
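  /*
   * Prototype of NtQuerySystemInformation / ZwQuerySystemInformation as
   * resolved at run time through MmGetSystemRoutineAddress (the routine is
   * not declared for kernel-mode callers in the WDK headers).
   *
   * SystemInformationClass   which SYSTEM_INFORMATION_CLASS table to return
   * SystemInformation        caller-supplied buffer; may be NULL to size it
   * SystemInformationLength  size of that buffer in bytes
   * ReturnLength             receives the required / used size in bytes
   *
   * Returns an NTSTATUS. STATUS_INFO_LENGTH_MISMATCH means the buffer was too
   * small; ReturnLength then holds the size that is needed.
   *
   * Fix: the two length parameters are ULONG / PULONG, not ULONG_PTR /
   * PULONG_PTR. The kernel writes a 32-bit length through ReturnLength;
   * declaring it as a pointer to a 64-bit variable on x64 only "works" while
   * the caller pre-zeroes that variable, and misstates the real width of the
   * field. Callers must therefore pass the address of a ULONG.
   */
  typedef NTSTATUS (*NTQUERYSYSTEMINFORMATION)(
      IN ULONG SystemInformationClass,
      OUT PVOID SystemInformation,
      IN ULONG SystemInformationLength,
      OUT PULONG ReturnLength OPTIONAL);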
其次还需要一个SYSTEM_MODULE_INFORMATION结构,调用NtQuerySystemInformation后返回的缓冲区会按该结构格式化,从中可以得到模块基址、大小和镜像路径等信息。需要注意返回缓冲区的开头是一个ULONG类型的模块数量,之后才是SYSTEM_MODULE_INFORMATION数组(数组按结构体对齐,x64下从偏移8开始,x86下从偏移4开始);另外PathLength字段实际上是文件名在ImageName中的字节偏移(其他定义中称为OffsetToFileName),并不是路径长度,不要把它当作长度来限定拷贝。
  /*
   * One entry of the SystemModuleInformation (0xb) result: a module loaded in
   * kernel space (ntoskrnl, HAL, drivers). Undocumented; the layout below is
   * the one the post relies on and matches the commonly published
   * RTL_PROCESS_MODULE_INFORMATION. The query's result buffer begins with a
   * ULONG module count followed by an array of these entries, aligned to the
   * entry's alignment: offset 8 on x64, offset 4 on x86. Expected sizeof is
   * 296 bytes on x64 and 284 on x86 — worth pinning with a C_ASSERT in the
   * driver so a wrong definition cannot silently misparse the array.
   */
  1. typedef struct _SYSTEM_MODULE_INFORMATION {
  2.         HANDLE Section;        // not used by this post
  3.         PVOID MappedBase;      // not used by this post
  4.         PVOID Base;            // image base address in kernel space
  5.         ULONG Size;            // image size in bytes; [Base, Base+Size) is the module's range
  6.         ULONG Flags;           // loader flags; not interpreted here
  7.         USHORT LoadOrderIndex;
  8.         USHORT InitOrderIndex;
  9.         USHORT LoadCount;
  10.         USHORT PathLength;    // misnamed: byte offset of the file name inside ImageName (OffsetToFileName elsewhere), NOT a length
  11.         CHAR ImageName[256];  // ANSI path, e.g. \SystemRoot\system32\drivers\foo.sys; print with a bounded width (%.256s) rather than trusting a terminator
  12. } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
最后是SYSTEM_INFORMATION_CLASS,这同样是一个未文档化的枚举类型,本次代码中需要用到的枚举值是SystemModuleInformation(0xb),其他值也放在这里供后期参考(靠后的枚举值以及MaxSystemInfoClass会随Windows版本增加,不同版本的头文件里尾部并不一致)。
  /*
   * Information classes accepted by NtQuerySystemInformation /
   * ZwQuerySystemInformation. Undocumented as a whole; the numeric values are
   * the ABI, so they are written out explicitly. The post only uses
   * SystemModuleInformation (0xb). Classes near the end of the list are
   * added per Windows release, so MaxSystemInfoClass is release-specific and
   * must not be used as a compile-time bound for other builds.
   */
  1. typedef enum _SYSTEM_INFORMATION_CLASS
  2. {
  3.         SystemBasicInformation = 0x0,
  4.         SystemProcessorInformation = 0x1,
  5.         SystemPerformanceInformation = 0x2,
  6.         SystemTimeOfDayInformation = 0x3,
  7.         SystemPathInformation = 0x4,
  8.         SystemProcessInformation = 0x5,
  9.         SystemCallCountInformation = 0x6,
  10.         SystemDeviceInformation = 0x7,
  11.         SystemProcessorPerformanceInformation = 0x8,
  12.         SystemFlagsInformation = 0x9,
  13.         SystemCallTimeInformation = 0xa,
  14.         SystemModuleInformation = 0xb,   // used by this post: ULONG count + SYSTEM_MODULE_INFORMATION[]
  15.         SystemLocksInformation = 0xc,
  16.         SystemStackTraceInformation = 0xd,
  17.         SystemPagedPoolInformation = 0xe,
  18.         SystemNonPagedPoolInformation = 0xf,
  19.         SystemHandleInformation = 0x10,
  20.         SystemObjectInformation = 0x11,
  21.         SystemPageFileInformation = 0x12,
  22.         SystemVdmInstemulInformation = 0x13,
  23.         SystemVdmBopInformation = 0x14,
  24.         SystemFileCacheInformation = 0x15,
  25.         SystemPoolTagInformation = 0x16,
  26.         SystemInterruptInformation = 0x17,
  27.         SystemDpcBehaviorInformation = 0x18,
  28.         SystemFullMemoryInformation = 0x19,
  29.         SystemLoadGdiDriverInformation = 0x1a,
  30.         SystemUnloadGdiDriverInformation = 0x1b,
  31.         SystemTimeAdjustmentInformation = 0x1c,
  32.         SystemSummaryMemoryInformation = 0x1d,
  33.         SystemMirrorMemoryInformation = 0x1e,
  34.         SystemPerformanceTraceInformation = 0x1f,
  35.         SystemObsolete0 = 0x20,
  36.         SystemExceptionInformation = 0x21,
  37.         SystemCrashDumpStateInformation = 0x22,
  38.         SystemKernelDebuggerInformation = 0x23,
  39.         SystemContextSwitchInformation = 0x24,
  40.         SystemRegistryQuotaInformation = 0x25,
  41.         SystemExtendServiceTableInformation = 0x26,
  42.         SystemPrioritySeperation = 0x27,
  43.         SystemVerifierAddDriverInformation = 0x28,
  44.         SystemVerifierRemoveDriverInformation = 0x29,
  45.         SystemProcessorIdleInformation = 0x2a,
  46.         SystemLegacyDriverInformation = 0x2b,
  47.         SystemCurrentTimeZoneInformation = 0x2c,
  48.         SystemLookasideInformation = 0x2d,
  49.         SystemTimeSlipNotification = 0x2e,
  50.         SystemSessionCreate = 0x2f,
  51.         SystemSessionDetach = 0x30,
  52.         SystemSessionInformation = 0x31,
  53.         SystemRangeStartInformation = 0x32,
  54.         SystemVerifierInformation = 0x33,
  55.         SystemVerifierThunkExtend = 0x34,
  56.         SystemSessionProcessInformation = 0x35,
  57.         SystemLoadGdiDriverInSystemSpace = 0x36,
  58.         SystemNumaProcessorMap = 0x37,
  59.         SystemPrefetcherInformation = 0x38,
  60.         SystemExtendedProcessInformation = 0x39,
  61.         SystemRecommendedSharedDataAlignment = 0x3a,
  62.         SystemComPlusPackage = 0x3b,
  63.         SystemNumaAvailableMemory = 0x3c,
  64.         SystemProcessorPowerInformation = 0x3d,
  65.         SystemEmulationBasicInformation = 0x3e,
  66.         SystemEmulationProcessorInformation = 0x3f,
  67.         SystemExtendedHandleInformation = 0x40,
  68.         SystemLostDelayedWriteInformation = 0x41,
  69.         SystemBigPoolInformation = 0x42,
  70.         SystemSessionPoolTagInformation = 0x43,
  71.         SystemSessionMappedViewInformation = 0x44,
  72.         SystemHotpatchInformation = 0x45,
  73.         SystemObjectSecurityMode = 0x46,
  74.         SystemWatchdogTimerHandler = 0x47,
  75.         SystemWatchdogTimerInformation = 0x48,
  76.         SystemLogicalProcessorInformation = 0x49,
  77.         SystemWow64SharedInformationObsolete = 0x4a,
  78.         SystemRegisterFirmwareTableInformationHandler = 0x4b,
  79.         SystemFirmwareTableInformation = 0x4c,
  80.         SystemModuleInformationEx = 0x4d,
  81.         SystemVerifierTriageInformation = 0x4e,
  82.         SystemSuperfetchInformation = 0x4f,
  83.         SystemMemoryListInformation = 0x50,
  84.         SystemFileCacheInformationEx = 0x51,
  85.         SystemThreadPriorityClientIdInformation = 0x52,
  86.         SystemProcessorIdleCycleTimeInformation = 0x53,
  87.         SystemVerifierCancellationInformation = 0x54,
  88.         SystemProcessorPowerInformationEx = 0x55,
  89.         SystemRefTraceInformation = 0x56,
  90.         SystemSpecialPoolInformation = 0x57,
  91.         SystemProcessIdInformation = 0x58,
  92.         SystemErrorPortInformation = 0x59,
  93.         SystemBootEnvironmentInformation = 0x5a,
  94.         SystemHypervisorInformation = 0x5b,
  95.         SystemVerifierInformationEx = 0x5c,
  96.         SystemTimeZoneInformation = 0x5d,
  97.         SystemImageFileExecutionOptionsInformation = 0x5e,
  98.         SystemCoverageInformation = 0x5f,
  99.         SystemPrefetchPatchInformation = 0x60,
  100.         SystemVerifierFaultsInformation = 0x61,
  101.         SystemSystemPartitionInformation = 0x62,
  102.         SystemSystemDiskInformation = 0x63,
  103.         SystemProcessorPerformanceDistribution = 0x64,
  104.         SystemNumaProximityNodeInformation = 0x65,
  105.         SystemDynamicTimeZoneInformation = 0x66,
  106.         SystemCodeIntegrityInformation = 0x67,
  107.         SystemProcessorMicrocodeUpdateInformation = 0x68,
  108.         SystemProcessorBrandString = 0x69,
  109.         SystemVirtualAddressInformation = 0x6a,
  110.         SystemLogicalProcessorAndGroupInformation = 0x6b,
  111.         SystemProcessorCycleTimeInformation = 0x6c,
  112.         SystemStoreInformation = 0x6d,
  113.         SystemRegistryAppendString = 0x6e,
  114.         SystemAitSamplingValue = 0x6f,
  115.         SystemVhdBootInformation = 0x70,
  116.         SystemCpuQuotaInformation = 0x71,
  117.         SystemNativeBasicInformation = 0x72,
  118.         SystemErrorPortTimeouts = 0x73,
  119.         SystemLowPriorityIoInformation = 0x74,
  120.         SystemBootEntropyInformation = 0x75,
  121.         SystemVerifierCountersInformation = 0x76,
  122.         SystemPagedPoolInformationEx = 0x77,
  123.         SystemSystemPtesInformationEx = 0x78,
  124.         SystemNodeDistanceInformation = 0x79,
  125.         SystemAcpiAuditInformation = 0x7a,
  126.         SystemBasicPerformanceInformation = 0x7b,
  127.         SystemQueryPerformanceCounterInformation = 0x7c,
  128.         SystemSessionBigPoolInformation = 0x7d,
  129.         SystemBootGraphicsInformation = 0x7e,
  130.         SystemScrubPhysicalMemoryInformation = 0x7f,
  131.         SystemBadPageInformation = 0x80,
  132.         SystemProcessorProfileControlArea = 0x81,
  133.         SystemCombinePhysicalMemoryInformation = 0x82,
  134.         SystemEntropyInterruptTimingInformation = 0x83,
  135.         SystemConsoleInformation = 0x84,
  136.         SystemPlatformBinaryInformation = 0x85,
  137.         SystemThrottleNotificationInformation = 0x86,
  138.         SystemHypervisorProcessorCountInformation = 0x87,
  139.         SystemDeviceDataInformation = 0x88,
  140.         SystemDeviceDataEnumerationInformation = 0x89,
  141.         SystemMemoryTopologyInformation = 0x8a,
  142.         SystemMemoryChannelInformation = 0x8b,
  143.         SystemBootLogoInformation = 0x8c,
  144.         SystemProcessorPerformanceInformationEx = 0x8d,
  145.         SystemSpare0 = 0x8e,
  146.         SystemSecureBootPolicyInformation = 0x8f,
  147.         SystemPageFileInformationEx = 0x90,
  148.         SystemSecureBootInformation = 0x91,
  149.         SystemEntropyInterruptTimingRawInformation = 0x92,
  150.         SystemPortableWorkspaceEfiLauncherInformation = 0x93,
  151.         SystemFullProcessInformation = 0x94,
  152.         SystemKernelDebuggerInformationEx = 0x95,
  153.         SystemBootMetadataInformation = 0x96,
  154.         SystemSoftRebootInformation = 0x97,
  155.         SystemElamCertificateInformation = 0x98,
  156.         SystemOfflineDumpConfigInformation = 0x99,
  157.         SystemProcessorFeaturesInformation = 0x9a,
  158.         SystemRegistryReconciliationInformation = 0x9b,
  159.         MaxSystemInfoClass = 0x9c,   // release-specific; newer Windows builds define classes beyond this
  160. } SYSTEM_INFORMATION_CLASS;
最后的JudgeLoadDriver()是核心函数,我们看下该函数具体是如何实现的,原理很简单。(注意:下面的完整代码在论坛页面渲染时丢失了换行和#include的头文件名,并且从`if (BaseAddr`到`DriverUnload = UnDriver;`之间的一段被截掉了——地址区间比较、输出路径、释放内存、UnDriver以及DriverEntry的开头都不可见,只能以可见部分为准。)
  /*
   * NOTE(review): this listing is the whole driver as pasted into the post, but
   * the page rendering damaged it:
   *   - the three #include lines lost their header names (angle-bracketed text
   *     was stripped); they are not recoverable from this page;
   *   - line breaks were collapsed, so the two "//" comments in front of
   *     JudgeLoadDriver swallow the rest of that physical line as shown here;
   *     restore the breaks before compiling;
   *   - the text between "if (BaseAddr" and "DriverUnload = UnDriver;" is
   *     missing (most likely eaten as an HTML tag): the address-range
   *     comparison, the success path that prints ImageName, the pool free, the
   *     UnDriver routine and the start of DriverEntry are not visible and are
   *     not commented on below.
   *
   * Points on the visible code of JudgeLoadDriver:
   *   - NtQuerySystemInformation (Nt prefix) is resolved and called directly.
   *     From kernel mode prefer ZwQuerySystemInformation: the Zw entry sets
   *     PreviousMode to KernelMode, while the Nt entry keeps the calling
   *     thread's previous mode, so if this ran on a user-mode thread the pool
   *     Buffer would be probed as a user address and the call would fail. From
   *     DriverEntry (system thread) it works.
   *   - the typedef declares the length parameters as ULONG_PTR / PULONG_PTR;
   *     the real prototype is ULONG / PULONG. It only works because RetLength
   *     is zeroed before the first call, so the kernel's 32-bit write leaves
   *     the upper half of the 64-bit variable zero on x64.
   *   - the result buffer is a ULONG module count followed by an array of
   *     SYSTEM_MODULE_INFORMATION; the "+ 8" skip matches the 8-byte-aligned
   *     x64 layout. On x86 the array starts at offset 4, so as written this is
   *     x64-only; derive the offset from the struct layout instead of a literal.
   *   - the size is queried once and the buffer is allocated to exactly that
   *     size; if a module loads in between, the second call fails with
   *     STATUS_INFO_LENGTH_MISMATCH and the function gives up. A retry loop
   *     that reallocates with the new RetLength is the usual pattern.
   *   - when the second query fails, Buffer is never freed (pool leak) — see
   *     the inline note. Whatever frees it on the success path sits in the
   *     missing text.
   *   - ExAllocatePoolWithTag is deprecated since Windows 10 2004 in favour of
   *     ExAllocatePool2; PagedPool would be adequate if the routine only runs
   *     at PASSIVE_LEVEL (presumably from DriverEntry — confirm).
   *   - a cheap defensive check before the loop: require
   *     8 + ModuleNumbers * sizeof(SYSTEM_MODULE_INFORMATION) <= RetLength so a
   *     mismatched struct definition cannot walk past the allocation.
   *   - return value: 1 on every visible failure path; what the missing tail
   *     returns is not visible here.
   */
  1. #include #include #include typedef NTSTATUS(*NTQUERYSYSTEMINFORMATION)(
  2. IN ULONG SystemInformationClass,
  3. OUT PVOID   SystemInformation,
  4. IN ULONG_PTR    SystemInformationLength,
  5. OUT PULONG_PTR  ReturnLength OPTIONAL);typedef struct _SYSTEM_MODULE_INFORMATION {
  6.         HANDLE Section;
  7.         PVOID MappedBase;
  8.         PVOID Base;
  9.         ULONG Size;
  10.         ULONG Flags;
  11.         USHORT LoadOrderIndex;
  12.         USHORT InitOrderIndex;
  13.         USHORT LoadCount;
  14.         USHORT PathLength;
  15.         CHAR ImageName[256];
  16. } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;typedef enum _SYSTEM_INFORMATION_CLASS{        SystemBasicInformation = 0x0,        SystemProcessorInformation = 0x1,        SystemPerformanceInformation = 0x2,        SystemTimeOfDayInformation = 0x3,        SystemPathInformation = 0x4,        SystemProcessInformation = 0x5,        SystemCallCountInformation = 0x6,        SystemDeviceInformation = 0x7,        SystemProcessorPerformanceInformation = 0x8,        SystemFlagsInformation = 0x9,        SystemCallTimeInformation = 0xa,        SystemModuleInformation = 0xb,        SystemLocksInformation = 0xc,} SYSTEM_INFORMATION_CLASS;// 判断当前Driver是否加载成功// By: LySharkULONG JudgeLoadDriver(){        NTQUERYSYSTEMINFORMATION m_NtQuerySystemInformation = NULL;        UNICODE_STRING NtQuerySystemInformation_Name;        PSYSTEM_MODULE_INFORMATION ModuleEntry;        ULONG_PTR RetLength, BaseAddr, EndAddr;        ULONG ModuleNumbers, Index;        NTSTATUS Status;        PVOID Buffer;        RtlInitUnicodeString(&NtQuerySystemInformation_Name, L"NtQuerySystemInformation");        m_NtQuerySystemInformation = (NTQUERYSYSTEMINFORMATION)MmGetSystemRoutineAddress(&NtQuerySystemInformation_Name);        if (m_NtQuerySystemInformation == NULL)        {                DbgPrint("获取NtQuerySystemInformation函数失败!\n");                return 1;        }        RetLength = 0;        Status = m_NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &RetLength);        if (Status < 0 && Status != STATUS_INFO_LENGTH_MISMATCH)        {                DbgPrint("NtQuerySystemInformation调用失败!错误码是:%x\n", Status);                return 1;        }        Buffer = ExAllocatePoolWithTag(NonPagedPool, RetLength, 'lysh');        if (Buffer == NULL)        {                DbgPrint("分配内存失败!\n");                return 1;        }        Status = m_NtQuerySystemInformation(SystemModuleInformation, Buffer, RetLength, &RetLength);        if (Status < 0)        {                
DbgPrint("NtQuerySystemInformation调用失败 %x\n", Status);                /* NOTE(review): Buffer leaks on this path — ExFreePoolWithTag(Buffer, 'lysh') before returning */ return 1;        }        ModuleNumbers = *(ULONG*)Buffer;        ModuleEntry = (PSYSTEM_MODULE_INFORMATION)((ULONG_PTR)Buffer + 8);        for (Index = 0; Index < ModuleNumbers; ++Index)        {                BaseAddr = (ULONG_PTR)ModuleEntry->Base;                EndAddr = BaseAddr + ModuleEntry->Size;                if (BaseAddr /* NOTE(review): source text missing here in the page rendering (comparison, path print, pool free, UnDriver, start of DriverEntry) — see header comment */ DriverUnload = UnDriver;        return STATUS_SUCCESS;}
代码运行效果如下所示:





