Loading a driver from within a driver via ZwSetSystemInformation

Environment: Windows 7 32-bit. Material: ntoskrnl.exe, spldr.sys, spsys.sys

I came across a file called spldr.sys, "loader for security processor", so it is a loader of some kind, and I went in to see how it is implemented. Inside spldr.sys there is the string

SystemRoot\system32\drivers\spsys.sys, so that is presumably the driver it loads. Following the references to that string leads to a call to ZwSetSystemInformation, which should therefore be how the driver gets loaded. The calling sequence is reconstructed below (see spldr.sys itself for the details):

#include <ntddk.h>

/* Not declared in the WDK headers, but exported by ntoskrnl.exe. */
NTSYSAPI NTSTATUS NTAPI ZwSetSystemInformation(
    ULONG SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength);

#define SystemUnloadGdiDriver            0x1b
#define SystemLoadGdiDriverInSystemSpace 0x36

typedef NTSTATUS (*n_DriverEntry)(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath);

/* Same layout as SYSTEM_GDI_DRIVER_INFORMATION in ntdll/winternl
 * (DriverName, ImageAddress, SectionPointer, EntryPoint, ExportSectionPointer, ImageLength). */
typedef struct _LOAD_GDI_DRIVER_INFORMATION
{
    UNICODE_STRING  DriverPath;      // in:  path of the image to load
    PVOID           DriverStart;     // out: base the image was mapped at (DriverStart in _DRIVER_OBJECT)
    PVOID           DriverInfo;      // out: section pointer the kernel tracks the loaded image by; needed to unload it
    PVOID           DriverEntry;     // out: address of the loaded image's DriverEntry
    PVOID           ExportDirectory; // out: address of the loaded image's export directory
    ULONG           SizeOfImage;     // out: size of the loaded image
} LOAD_GDI_DRIVER_INFORMATION, *PLOAD_GDI_DRIVER_INFORMATION;

/* This path creates no DRIVER_OBJECT: spldr.sys hands the loaded driver its own
 * objects, which must be filled in before DriverEntry is called. */
DRIVER_OBJECT   DriverObject;
UNICODE_STRING  RegistryPath;

NTSTATUS Load(void)
{
    NTSTATUS                     status = STATUS_SUCCESS;
    LOAD_GDI_DRIVER_INFORMATION  LoadGdiDriverInfo = {0};

    RtlInitUnicodeString(&LoadGdiDriverInfo.DriverPath, L"\\SystemRoot\\system32\\drivers\\spsys.sys");

    status = ZwSetSystemInformation(SystemLoadGdiDriverInSystemSpace,
                                    &LoadGdiDriverInfo, sizeof(LOAD_GDI_DRIVER_INFORMATION));
    if (NT_SUCCESS(status))
    {
        // the image is now mapped into system space, but nothing in it has run yet:
        // the caller, not the I/O manager, invokes DriverEntry
        status = ((n_DriverEntry)LoadGdiDriverInfo.DriverEntry)(&DriverObject, &RegistryPath);
        if (!NT_SUCCESS(status))
        {
            // DriverEntry failed: unload the image again. The information buffer
            // holds the section pointer itself, so its length is sizeof(PVOID) (4 on x86).
            ZwSetSystemInformation(SystemUnloadGdiDriver, &LoadGdiDriverInfo.DriverInfo, sizeof(PVOID));
        }
    }
    return status;
}
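To see the load / DriverEntry / unload sequence behave end to end, here is an added example (not code from the post or from spldr.sys) that writes the same steps against an injectable `ZwSetSystemInformation` pointer, so the identical loader logic can be driven on a host with a constructed stand-in for the kernel. Assumptions: the struct reproduces the field order of `SYSTEM_GDI_DRIVER_INFORMATION` as declared in ntdll/winternl (the post's `LOAD_GDI_DRIVER_INFORMATION`); `GDI_LOADER`, `LoadDriverViaGdiPath`, `FakeZwSetSystemInformation`, `FakeDriverEntry` and `Run` are names introduced here; the double knows exactly one image, spsys.sys, with a DriverEntry whose result you choose. On the Win7 x86 target the function pointer would be ntoskrnl's real export.

```c
/* Added example: the GDI-loader driver-load sequence, host-testable. Not from spldr.sys. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef int32_t NTSTATUS; typedef uint32_t ULONG; typedef uint16_t USHORT;
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000)
#define STATUS_UNSUCCESSFUL           ((NTSTATUS)0xC0000001)
#define STATUS_INVALID_INFO_CLASS     ((NTSTATUS)0xC0000003)
#define STATUS_INFO_LENGTH_MISMATCH   ((NTSTATUS)0xC0000004)
#define STATUS_INVALID_PARAMETER      ((NTSTATUS)0xC000000D)
#define STATUS_OBJECT_NAME_NOT_FOUND  ((NTSTATUS)0xC0000034)
/* Success means the severity bits are clear: non-negative as a signed 32-bit value. */
#define NT_SUCCESS(s) (((NTSTATUS)(s)) >= 0)
#define SystemUnloadGdiDriver            0x1b
#define SystemLoadGdiDriverInSystemSpace 0x36

typedef struct { USHORT Length; USHORT MaximumLength; const uint16_t *Buffer; } UNICODE_STRING;
/* ntdll's field names; the post calls them DriverPath, DriverStart, DriverInfo,
 * DriverEntry, ExportDirectory, SizeOfImage. 28 bytes on x86. */
typedef struct {
    UNICODE_STRING DriverName;           /* in:  NT path of the image */
    void          *ImageAddress;         /* out: base of the mapped image */
    void          *SectionPointer;       /* out: what SystemUnloadGdiDriver wants back */
    void          *EntryPoint;           /* out: DriverEntry; the kernel does not call it */
    void          *ExportSectionPointer; /* out: the image's IMAGE_EXPORT_DIRECTORY */
    ULONG          ImageLength;          /* out: SizeOfImage */
} SYSTEM_GDI_DRIVER_INFORMATION;

typedef NTSTATUS (*SET_SYSTEM_INFORMATION)(ULONG cls, void *buf, ULONG len);
typedef NTSTATUS (*DRIVER_ENTRY)(void *DriverObject, void *RegistryPath);
typedef struct {
    SET_SYSTEM_INFORMATION ZwSetSystemInformation; /* ntoskrnl export on target, double here */
    void *DriverObject, *RegistryPath;             /* caller-built: no I/O manager object exists */
} GDI_LOADER;

/* Map the image, run its DriverEntry, and unload it only if DriverEntry fails. */
NTSTATUS LoadDriverViaGdiPath(GDI_LOADER *ld, const uint16_t *path, USHORT path_bytes,
                              SYSTEM_GDI_DRIVER_INFORMATION *out)
{
    SYSTEM_GDI_DRIVER_INFORMATION info = {{ path_bytes, path_bytes, path }, 0, 0, 0, 0, 0};
    NTSTATUS st = ld->ZwSetSystemInformation(SystemLoadGdiDriverInSystemSpace, &info, sizeof info);
    if (!NT_SUCCESS(st))
        return st;                              /* nothing was mapped, nothing to unload */
    st = ((DRIVER_ENTRY)info.EntryPoint)(ld->DriverObject, ld->RegistryPath);
    if (!NT_SUCCESS(st)) {
        /* A bare `if (!status)` would fire on STATUS_SUCCESS (0) and unload a driver that
         * just initialised; test NT_SUCCESS. The unload buffer holds the section pointer
         * itself, so the length is sizeof(PVOID) (4 on x86). */
        ld->ZwSetSystemInformation(SystemUnloadGdiDriver, &info.SectionPointer, sizeof(void *));
        return st;
    }
    if (out) *out = info;
    return st;
}

/* ---- Constructed host-side double for ntoskrnl: knows exactly one image, spsys.sys ---- */
static NTSTATUS g_entry_result = STATUS_SUCCESS;   /* what the fake DriverEntry returns */
static int g_mapped, g_unload_calls, g_section;    /* &g_section plays the "section object" */
static uint8_t g_image[0x1000];                    /* the fake mapped image */

static NTSTATUS FakeDriverEntry(void *d, void *r) { (void)d; (void)r; return g_entry_result; }

static int EndsWithSpsys(const UNICODE_STRING *u)
{
    static const uint16_t tail[] = {'s','p','s','y','s','.','s','y','s'};
    size_t n = u->Length / 2, t = sizeof tail / 2;
    return n >= t && memcmp(u->Buffer + n - t, tail, sizeof tail) == 0;
}

static NTSTATUS FakeZwSetSystemInformation(ULONG cls, void *buf, ULONG len)
{
    if (cls == SystemLoadGdiDriverInSystemSpace) {
        SYSTEM_GDI_DRIVER_INFORMATION *info = buf;
        if (len != sizeof *info) return STATUS_INFO_LENGTH_MISMATCH;
        if (!EndsWithSpsys(&info->DriverName)) return STATUS_OBJECT_NAME_NOT_FOUND;
        info->ImageAddress = g_image;                 info->SectionPointer = &g_section;
        info->EntryPoint = (void *)FakeDriverEntry;   info->ExportSectionPointer = g_image + 0x200;
        info->ImageLength = sizeof g_image;           g_mapped = 1;
        return STATUS_SUCCESS;
    }
    if (cls == SystemUnloadGdiDriver) {
        if (len != sizeof(void *)) return STATUS_INFO_LENGTH_MISMATCH;
        if (*(void **)buf != &g_section) return STATUS_INVALID_PARAMETER;
        g_mapped = 0; g_unload_calls++;
        return STATUS_SUCCESS;
    }
    return STATUS_INVALID_INFO_CLASS;
}

/* One scenario: load `path`, have DriverEntry return `entry_result`, report what happened. */
typedef struct { NTSTATUS status; int mapped_after; int unload_calls; ULONG image_len; } RUN;
RUN Run(const char *path, NTSTATUS entry_result)
{
    uint16_t wpath[128]; USHORT bytes = 0;          /* ASCII path widened to UTF-16 */
    for (; bytes / 2 < 128 && path[bytes / 2]; bytes += 2) wpath[bytes / 2] = (uint8_t)path[bytes / 2];
    int drvobj, regpath;                            /* stand-ins for caller-built objects */
    GDI_LOADER ld = { FakeZwSetSystemInformation, &drvobj, &regpath };
    SYSTEM_GDI_DRIVER_INFORMATION info = {{0, 0, 0}, 0, 0, 0, 0, 0};
    g_entry_result = entry_result; g_mapped = 0; g_unload_calls = 0;
    RUN r; r.status = LoadDriverViaGdiPath(&ld, wpath, bytes, &info);
    r.mapped_after = g_mapped; r.unload_calls = g_unload_calls; r.image_len = info.ImageLength;
    return r;
}
```

`Run("\\SystemRoot\\system32\\drivers\\spsys.sys", STATUS_UNSUCCESSFUL)` reports the image unmapped exactly once with the section pointer handed back, a successful DriverEntry leaves it mapped with the unload class untouched, and an unknown path fails at the load step with nothing to clean up. Note what the sequence never does: nothing goes through a service registry entry, and the only DRIVER_OBJECT the loaded driver ever sees is the one the caller builds.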