用instDrv加載驅(qū)動,用CreateService()函數(shù)等等過程如下,
1,先是它向Service進程注冊服務。
2,然后Service進程調(diào)用ZwLoadDriver()加載驅(qū)動。進入NtLoadDriver()系統(tǒng)調(diào)用,它先會檢測SerVice進程(當前進程)是不是有加載驅(qū)動的權(quán)限,然后檢測當前進程是不是System進程,是的話直接調(diào)用IopLoadUnloadDriver()加載驅(qū)動,-》IopLoadDriver()最后會調(diào)用驅(qū)動的DriverEntry(),所以這種方法加載驅(qū)動的DriverEntry()函數(shù)是在System進程的地址空間執(zhí)行的。
如果當前進程不是System進程的話,則調(diào)用如下的函數(shù),向system進程的系統(tǒng)線程的工作隊列中插入這項,函數(shù)為IopLoadUnloadDriver(),也就是說系統(tǒng)線程會替它調(diào)用IopLoadUnloadDriver()函數(shù)
ExInitializeWorkItem( &loadPacket.WorkQueueItem,
????????????????????????????? IopLoadUnloadDriver,
????????????????????????????? &loadPacket ); ExQueueWorkItem( &loadPacket.WorkQueueItem, DelayedWorkQueue );
IopLoadUnloadDriver會調(diào)用IopLoadDriver()做真正的加載驅(qū)動的工作
1,先根據(jù)鍵句柄調(diào)用NtQueryKey()函數(shù)得到驅(qū)動的全路徑名。
2,循環(huán)檢查PsLoadedModuleList內(nèi)核模塊鏈表看是不是這個驅(qū)動已經(jīng)加載
3.調(diào)用 status = MmLoadSystemImage( &baseName,
??????????????????????????????? NULL,
??????????????????????????????? NULL,
??????????????????????????????? 0,
??????????????????????????????? §ionPointer,
??????????????????????????????? (PVOID *) &imageBaseAddress );
?? 這函數(shù)里面會調(diào)用 InitializeObjectAttributes (&ObjectAttributes,
??????????????????????????????????? ImageFileName,
??????????????????????????????????? (OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE),
??????????????????????????????????? NULL,
??????????????????????????????????? NULL);
??????? Status = ZwOpenFile (&FileHandle,
???????????????????????????? FILE_EXECUTE,
???????????????????????????? &ObjectAttributes,
???????????????????????????? &IoStatus,
???????????????????????????? FILE_SHARE_READ | FILE_SHARE_DELETE,
???????????????????????????? 0);?? //返回句柄為0x80000140
函數(shù)根據(jù)驅(qū)動文件名打開文件,向system進程的句柄表中插入一項,返回句柄表的下標,就是文件句柄(這里是內(nèi)核句柄))
Status = MmCheckSystemImage (FileHandle, FALSE);//這個函數(shù)是檢查這個PE文件各個節(jié)看是不是好的。
最后調(diào)用
InitializeObjectAttributes (&ObjectAttributes,
??????????????????????????????????? NULL,
??????????????????????????????????? (OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE),
??????????????????????????????????? NULL,
??????????????????????????????????? NULL);
??????? Status = ZwCreateSection (&SectionHandle,
????????????????????????????????? SectionAccess,
????????????????????????????????? &ObjectAttributes,
????????????????????????????????? (PLARGE_INTEGER) NULL,
????????????????????????????????? PAGE_EXECUTE,
????????????????????????????????? SEC_IMAGE,
????????????????????????????????? FileHandle);
建立節(jié)對象向system進程句柄表中插入一項,返回句柄為0x80000170
Status = ObReferenceObjectByHandle (SectionHandle,
??????????????????????????????????????????? SECTION_MAP_EXECUTE,
??????????????????????????????????????????? MmSectionObjectType,
??????????????????????????????????????????? KernelMode,
??????????????????????????????????????????? (PVOID *) &SectionPointer,
??????????????????????????????????????????? (POBJECT_HANDLE_INFORMATION) NULL);//根據(jù)句柄從system進程句柄中找到節(jié)對象的地址。
??????? ZwClose (SectionHandle);//把此句柄關(guān)了,會從system 進程句柄中刪除一項。下次訪問節(jié)對象時就通過地址來訪問。不用句柄。
調(diào)用 Status = MiLoadImageSection (&SectionPointer,
???????????????????????????????? ImageBaseAddress,
???????????????????????????????? ImageFileName,
???????????????????????????????? LoadFlags & MM_LOAD_IMAGE_IN_SESSION,
???????????????????????????????? FoundDataTableEntry);
進行真正的文件映射它里面會調(diào)用 MmMapViewOfSection (SectionPointer,TargetProcess(system),
???????????????????????????????? &Base,
???????????????????????????????? 0,
???????????????????????????????? 0,
???????????????????????????????? &SectionOffset,
???????????????????????????????? &ViewSize,
???????????????????????????????? ViewUnmap,
???????????????????????????????? 0,
???????????????????????????????? PAGE_EXECUTE);
進行文件映射,返回基址為0xba377000
最后分配 PKLDR_DATA_TABLE_ENTRY DataTableEntry;
初始化它,最后調(diào)用 MiProcessLoaderEntry (DataTableEntry, TRUE);
把它個內(nèi)核模塊結(jié)構(gòu)加入PsLoadModuleList鏈表中等等,還會處理這個驅(qū)動的Reference等等
4,調(diào)用??? status = ObCreateObject( KeGetPreviousMode(),
???????????????????????????? IoDriverObjectType,
???????????????????????????? &objectAttributes,
???????????????????????????? KernelMode,
???????????????????????????? (PVOID) NULL,
???????????????????????????? (ULONG) (sizeof( DRIVER_OBJECT ) + sizeof ( DRIVER_EXTENSION )),
???????????????????????????? 0,
???????????????????????????? 0,
???????????????????????????? (PVOID *) &driverObject );建立驅(qū)動對象
初始化驅(qū)動對象后,調(diào)用 status = ObInsertObject( driverObject,
???????????????????????????? (PACCESS_STATE) NULL,
???????????????????????????? FILE_READ_DATA,
???????????????????????????? 0,
???????????????????????????? (PVOID *) NULL,
???????????????????????????? &driverHandle );把驅(qū)動對象插入到system進程的句柄表的一項,返回句柄,注意這個函數(shù)還會把這對象插入對象目錄中。
5,最后會調(diào)用 status = driverObject->DriverInit( driverObject, ®istryPath->Name );也就是DriverEntry()函數(shù)。