
C++使用ZwLoadDriver卸载与加载sys驱动程序

Posted on 2023-01-12 21:14:03 by 主打一个C++

方式为：自行向注册表写入相关驱动服务参数（模拟服务注册），再使用 nt 自导出函数 ZwLoadDriver 加载驱动。

//ZwLoadDriver.h

#pragma once
#ifndef ZWLOADDRIVER_H
#define ZWLOADDRIVER_H
#include <fstream>
#include <iostream>
#include <Windows.h>
#pragma comment(lib, "ntdll.lib")
// Shorthand cast macros used by ZwLoadDriver.cpp, e.g. rc< const BYTE* >(p)
// expands to reinterpret_cast< const BYTE* >(p).
#define cs                  const_cast
#define sc					static_cast
#define rc					reinterpret_cast
// An NTSTATUS is a success/informational code when it is non-negative.
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
// Local mirror of the native counted UTF-16 string; Length and MaximumLength
// are byte counts (the MIDL annotations below divide them by 2 to get WCHARs).
typedef struct _UNICODE_STRING {
	USHORT Length;
	USHORT MaximumLength;
#ifdef MIDL_PASS
	[size_is(MaximumLength / 2), length_is((Length) / 2)] USHORT* Buffer;
#else // MIDL_PASS
	_Field_size_bytes_part_opt_(MaximumLength, Length) PWCH   Buffer;
#endif // MIDL_PASS
} UNICODE_STRING;
typedef UNICODE_STRING* PUNICODE_STRING;
typedef const UNICODE_STRING* PCUNICODE_STRING;
// Native API entry points exported by ntdll (linked via the #pragma comment(lib)
// above); <Windows.h> does not declare them, so they are declared here.
// ZwLoadDriver/ZwUnloadDriver take the NT registry path of a service key, not a
// file path, and require SeLoadDriverPrivilege on the calling token.
extern "C" NTSTATUS NTAPI ZwLoadDriver(PUNICODE_STRING str);
extern "C" NTSTATUS NTAPI ZwUnloadDriver(PUNICODE_STRING str);
// Initialises a UNICODE_STRING that borrows SourceString's buffer (no copy is made).
extern "C" VOID NTAPI RtlInitUnicodeString(_Out_ PUNICODE_STRING DestinationString, _In_opt_z_ __drv_aliasesMem PCWSTR SourceString);
namespace loader
{
	// Writes the raw image `driver` (`size` bytes) to <path><service>.sys, creates a
	// kernel-driver service key of that name directly under
	// HKLM\System\CurrentControlSet\Services (bypassing the Service Control Manager)
	// and loads it with ZwLoadDriver. Returns true on a successful load.
	bool load_driver(uint8_t* driver, int size, const std::wstring path = L"c:/", const std::wstring service = L"cpp.vin");

	// Reverse of load_driver: unloads the driver, deletes the service key and
	// removes <path><service>.sys. Returns true only if all three steps succeeded.
	bool unload_driver(const std::wstring path = L"c:/", const std::wstring service = L"cpp.vin");
}
#endif // ZWLOADDRIVER_H

//ZwLoadDriver.cpp

#include "ZwLoadDriver.h"
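// Registration

// Writes the raw driver image to `image_path`.
// Returns false if the file could not be created or fully written, so that no
// service entry is ever registered for an image that is not actually on disk.
static bool write_driver_image(const std::wstring& image_path, const uint8_t* driver, int size)
{
    std::ofstream file(image_path.c_str(), std::ios_base::out | std::ios_base::binary);
    if (!file.is_open()) return false;
    file.write(reinterpret_cast<const char*>(driver), size);
    file.close();
    // badbit from a failed write (or failbit from a failed close) survives close().
    return file.good();
}

// Opens, creating if necessary, Services\<service> under `services_key`.
// If creation fails, an existing key of that name is opened, deleted and
// creation is retried once. `*service_key` is valid only when true is returned.
static bool open_service_key(HKEY services_key, const std::wstring& service, HKEY* service_key)
{
    if (RegCreateKeyW(services_key, service.c_str(), service_key) == ERROR_SUCCESS) return true;
    if (RegOpenKeyW(services_key, service.c_str(), service_key) != ERROR_SUCCESS) return false;
    RegCloseKey(*service_key);
    if (RegDeleteKeyW(services_key, service.c_str()) != ERROR_SUCCESS) return false;
    return RegCreateKeyW(services_key, service.c_str(), service_key) == ERROR_SUCCESS;
}

// Writes one REG_SZ value; the byte count passed to the registry includes the NUL.
static bool set_string_value(HKEY key, const wchar_t* name, const std::wstring& value)
{
    const auto bytes = static_cast<DWORD>((value.length() + 1) * sizeof(WCHAR));
    return RegSetValueExW(key, name, 0, REG_SZ, reinterpret_cast<const BYTE*>(value.c_str()), bytes) == ERROR_SUCCESS;
}

// Writes one REG_DWORD value (always exactly 4 bytes, hence the DWORD parameter).
static bool set_dword_value(HKEY key, const wchar_t* name, DWORD value)
{
    return RegSetValueExW(key, name, 0, REG_DWORD, reinterpret_cast<const BYTE*>(&value), sizeof(value)) == ERROR_SUCCESS;
}

// Writes `driver` (`size` bytes) to <path><service>.sys, creates the service key
// HKLM\System\CurrentControlSet\Services\<service> with the values a kernel-mode
// service carries, and asks the kernel to load it via ZwLoadDriver.
//
// Returns true only if the driver was loaded. Returns false (and touches nothing
// further) on a null/empty image, a failed file write, or any registry failure.
// If ZwLoadDriver itself fails, the service key and the .sys file are left in
// place; unload_driver removes them.
//
// The key is written directly rather than through CreateServiceW, so the
// Service Control Manager never sees this service and no "service installed"
// event is logged for it; what remains observable is the registry write under
// the Services key and the driver-load telemetry (e.g. Sysmon event 6).
// ZwLoadDriver requires SeLoadDriverPrivilege on the calling token; this
// function does not adjust privileges, so a caller lacking it fails at that step.
bool loader::load_driver(uint8_t* driver, int size, const std::wstring path, const std::wstring service)
{
    // A null or empty image can never be loaded; bail before touching disk or registry.
    if (driver == nullptr || size <= 0) return false;

    const auto image_path = path + service + L".sys";
    if (!write_driver_image(image_path, driver, size)) return false;

    HKEY services_key = nullptr;
    if (RegOpenKeyW(HKEY_LOCAL_MACHINE, L"System\\CurrentControlSet\\Services", &services_key) != ERROR_SUCCESS)
        return false;

    HKEY service_key = nullptr;
    if (!open_service_key(services_key, service, &service_key))
    {
        RegCloseKey(services_key);
        return false;
    }

    const DWORD service_error = 0;         // SERVICE_ERROR_IGNORE
    const DWORD service_type = 1;          // SERVICE_KERNEL_DRIVER
    const DWORD service_startup_type = 1;  // SERVICE_SYSTEM_START
    // ImagePath must be an NT path, hence the \??\ prefix on the Win32 path.
    const auto service_image_path = L"\\??\\" + image_path;

    const bool values_written =
        set_string_value(service_key, L"DisplayName", service) &&
        set_dword_value(service_key, L"ErrorControl", service_error) &&
        set_string_value(service_key, L"Group", L"Base") &&
        set_string_value(service_key, L"ImagePath", service_image_path) &&
        set_dword_value(service_key, L"Start", service_startup_type) &&
        set_dword_value(service_key, L"Type", service_type);

    RegCloseKey(service_key);
    RegCloseKey(services_key);
    if (!values_written) return false;

    // ZwLoadDriver takes the registry path of the service key, not the image path.
    const auto reg_path = L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\" + service;
    UNICODE_STRING driver_path;
    // driver_path borrows reg_path's buffer; reg_path must outlive the call below.
    RtlInitUnicodeString(&driver_path, reg_path.c_str());
    return NT_SUCCESS(ZwLoadDriver(&driver_path));
}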
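// Unloading

// Reverses load_driver: unloads the driver, deletes its service key and removes
// <path><service>.sys. Every step is attempted even when an earlier one failed,
// so a partially registered driver is still cleaned up as far as possible.
// Returns true only if all three steps succeeded. Needs the same privileges as
// load_driver (SeLoadDriverPrivilege for ZwUnloadDriver, write access to the
// Services key).
bool loader::unload_driver(const std::wstring path, const std::wstring service)
{
    const auto reg_path = L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\" + service;
    UNICODE_STRING driver_path;
    // driver_path borrows reg_path's buffer; reg_path must outlive the call below.
    RtlInitUnicodeString(&driver_path, reg_path.c_str());
    const bool unloaded = NT_SUCCESS(ZwUnloadDriver(&driver_path));

    // RegDeleteKeyW does not recurse: if Windows has added subkeys under the
    // service key since it was loaded, this step fails and the key stays behind.
    bool key_deleted = false;
    HKEY services_key = nullptr;
    if (RegOpenKeyW(HKEY_LOCAL_MACHINE, L"System\\CurrentControlSet\\Services", &services_key) == ERROR_SUCCESS)
    {
        key_deleted = RegDeleteKeyW(services_key, service.c_str()) == ERROR_SUCCESS;
        RegCloseKey(services_key);
    }

    // Typically fails while the image is still mapped by a running driver, so a
    // failed unload usually surfaces here as well.
    const bool file_deleted = DeleteFileW((path + service + L".sys").c_str()) != 0;

    return unloaded && key_deleted && file_deleted;
}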

//测试代码

#include <iostream>
#include "ZwLoadDriver.h"
// Test harness: loads the embedded image with the default path/service name
// and reports the outcome.
// NOTE(review): driverPtr_h is not defined on this page; its use with sizeof()
// suggests an embedded byte array holding the .sys image, presumably supplied by
// a header that is not shown — confirm before building.
int main()
{
    const bool loaded = loader::load_driver(driverPtr_h, sizeof(driverPtr_h));
    const char* message = loaded ? "driver loaded successfully!" : "driver load failed!";
    std::cout << message << std::endl;

    // Unload step, left disabled by the author:
    //loader::unload_driver();
    return 0;
}


*转载请注明出处:原文链接:https://cpp.vin/page/69.html
