概述
#include <ntddk.h>
#include <windef.h>
/*
 * One entry of the loaded-module list returned by
 * NtQuerySystemInformation with information class 0xb
 * (SystemModuleInformation). The layout mirrors the undocumented
 * RTL_PROCESS_MODULE_INFORMATION; the query result starts with a ULONG
 * module count, followed by an array of these entries (see CheckVm).
 * NOTE(review): the public definition names the USHORT before ImageName
 * OffsetToFileName (offset of the bare file name inside ImageName);
 * confirm before relying on PathLength as a length.
 */
typedef struct _SYSTEM_MODULE_INFORMATION{
HANDLE Section;            /* section handle; not used by this driver */
PVOID MappedBase;          /* not used by this driver */
PVOID base;                /* image base of the module; not used here */
ULONG Size;                /* image size; not used here */
ULONG Flags;               /* not used here */
USHORT LoadOrderIndex;     /* not used here */
USHORT InitOrderIndex;     /* not used here */
USHORT LoadCount;          /* not used here */
USHORT PathLength;         /* see NOTE(review) above */
CHAR ImageName[256];       /* NT path of the image; the only field CheckVm reads */
}SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
/*
 * Call signature used for NtQuerySystemInformation, which drivers cannot
 * link against directly; CheckVm resolves it at run time with
 * MmGetSystemRoutineAddress and calls it through this pointer type.
 * NOTE(review): the native prototype declares SystemInformationLength as
 * ULONG and ReturnLength as PULONG. ULONG_PTR/PULONG_PTR match that only
 * on 32-bit builds; confirm before building this for x64.
 */
typedef NTSTATUS(*NTQUERYSYSTEMINFORMATION)(
ULONG SystemInformationClass,       /* 0xb = SystemModuleInformation here */
PVOID SystemInformation,            /* caller-supplied output buffer, or NULL to size it */
ULONG_PTR SystemInformationLength,  /* size of SystemInformation in bytes */
PULONG_PTR ReturnLength OPTIONAL    /* receives the required/used size */
);
/* Stop flag for MyThread. Set by Unload (and by CreateMyThread when it
 * cannot reference the thread it just created); MyThread polls it once per
 * loop iteration. It is shared between two threads without volatile or
 * interlocked access — NOTE(review): the loop only re-reads it after calls
 * into other functions, so the store is observed in practice; confirm this
 * is acceptable for the target compiler. */
BOOLEAN bStoped = FALSE;
/* Referenced thread object (PETHREAD) of the worker started by
 * CreateMyThread; NULL until that reference succeeds. Unload waits on it
 * and releases the reference. */
PVOID pThreadObj=NULL;
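/*
 * Driver unload routine: tells MyThread to stop, waits for it to exit, and
 * releases the reference CreateMyThread took on the thread object.
 *
 * The wait is what makes unloading safe — the thread's code lives in this
 * image, so the thread must be gone before the image is. pThreadObj stays
 * NULL when CreateMyThread never ran or failed to reference the thread;
 * the original waited on it unconditionally, which dereferences NULL inside
 * KeWaitForSingleObject, so the wait is now guarded.
 *
 * Note: PDRIVER_UNLOAD is declared as returning VOID; the NTSTATUS return
 * type is kept because DriverEntry assigns this function as-is.
 *
 * @param driver  the DRIVER_OBJECT being unloaded (unused)
 * @return STATUS_SUCCESS always
 */
NTSTATUS Unload(PDRIVER_OBJECT driver)
{
    UNREFERENCED_PARAMETER(driver);

    DbgPrint("unloaded!");
    bStoped = TRUE;

    if (pThreadObj != NULL) {
        KeWaitForSingleObject(pThreadObj, Executive, KernelMode, FALSE, NULL);
        ObDereferenceObject(pThreadObj);
        pThreadObj = NULL;
    }
    return STATUS_SUCCESS;
}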
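/* Pool tag for the module-list buffer. The original passed the string
 * literal "lxw" — a pointer — where ExAllocatePoolWithTag expects a ULONG
 * tag; this is the same characters as a proper tag (shown as "lxw " by
 * pool tools, which reverse the bytes). */
enum { CHECKVM_POOL_TAG = 'wxl ' };

/* Upper bound on size-query/allocate/query rounds when the module list
 * keeps growing between calls. */
enum { CHECKVM_MAX_QUERY_ATTEMPTS = 4 };

/* Information class 0xb passed to NtQuerySystemInformation
 * (SystemModuleInformation). Kept numeric because ntddk.h does not expose
 * the SYSTEM_INFORMATION_CLASS enum to drivers. */
enum { CHECKVM_SYSTEM_MODULE_INFORMATION = 0xb };

/*
 * Shape of the buffer returned for class 0xb: a module count followed by
 * the entry array. FIELD_OFFSET on this layout replaces the original
 * hard-coded "+ 8": the first entry begins with a HANDLE, so it is
 * pointer-aligned — offset 8 on x64 but offset 4 on x86, which is the only
 * architecture the __asm block in DriverEntry builds for.
 */
typedef struct _SYSTEM_MODULE_LIST {
    ULONG NumberOfModules;
    SYSTEM_MODULE_INFORMATION Modules[1];
} SYSTEM_MODULE_LIST, *PSYSTEM_MODULE_LIST;

/* Driver file names whose presence in the loaded-module list is taken as
 * "running under VMware" (the guest tools' balloon and shared-folder
 * drivers). */
static const char *const CheckVmModuleNames[] = {
    "vmmemctl.sys",
    "vmhgfs.sys",
};

/*
 * Returns TRUE when the NUL-terminated image name contains one of the
 * CheckVmModuleNames substrings. Case-sensitive, exactly as the original
 * strstr() checks were.
 */
static BOOLEAN CheckVmModuleNameMatches(const CHAR *name)
{
    ULONG i;

    for (i = 0; i < sizeof CheckVmModuleNames / sizeof CheckVmModuleNames[0]; i++) {
        if (strstr(name, CheckVmModuleNames[i]) != NULL) {
            return TRUE;
        }
    }
    return FALSE;
}

/*
 * Scan the kernel's loaded-module list for VMware guest-tools drivers.
 *
 * Resolves NtQuerySystemInformation at run time, queries information class
 * 0xb, and returns TRUE if any module's image name contains one of
 * CheckVmModuleNames. As in the original, every failure path (routine not
 * found, query failure, allocation failure, malformed result) also yields
 * TRUE; what changed is that a failure now ends the scan instead of
 * falling through to call a NULL function pointer or write to a NULL
 * buffer. The buffer is re-queried if the module list grew between the
 * size query and the real query, the module count is clamped to what the
 * returned byte count can actually hold, and each name is copied to a
 * NUL-terminated local before strstr()/DbgPrint() touch it.
 *
 * Must run at PASSIVE_LEVEL (PagedPool allocation and the system call
 * itself). Artifact checks like this are a well-known anti-analysis
 * heuristic; the same signals (resolving NtQuerySystemInformation via
 * MmGetSystemRoutineAddress, walking class 0xb) are what a defender would
 * look for when triaging an unknown driver.
 *
 * @return TRUE if a listed VMware module was found or the check could not
 *         complete; FALSE if the whole list was scanned with no match.
 */
BOOLEAN CheckVm()
{
    BOOLEAN bRet = FALSE;
    NTQUERYSYSTEMINFORMATION n_NtQuerySystemInformation = NULL;
    UNICODE_STRING NtQuerySystemInformation_Name = { 0 };
    PSYSTEM_MODULE_LIST ModuleList = NULL;
    PSYSTEM_MODULE_INFORMATION ModuleEntry = NULL;
    ULONG_PTR RetLength = 0, BufferLength = 0, MaxEntries = 0;
    ULONG ModuleNumbers = 0, Index = 0, Attempt = 0;
    NTSTATUS status = STATUS_SUCCESS;
    PVOID buffer = NULL;
    CHAR name[sizeof ModuleEntry->ImageName + 1];

    RtlInitUnicodeString(&NtQuerySystemInformation_Name, L"NtQuerySystemInformation");
    n_NtQuerySystemInformation = (NTQUERYSYSTEMINFORMATION)MmGetSystemRoutineAddress(&NtQuerySystemInformation_Name);
    if (!n_NtQuerySystemInformation) {
        DbgPrint("NtQuerySystemInformation NULL");
        bRet = TRUE;
        goto cleanup;
    }

    /* Size query: STATUS_INFO_LENGTH_MISMATCH is the expected answer. */
    status = n_NtQuerySystemInformation(CHECKVM_SYSTEM_MODULE_INFORMATION, NULL, 0, &RetLength);
    if (!NT_SUCCESS(status) && status != STATUS_INFO_LENGTH_MISMATCH) {
        DbgPrint("invoke NtQuerySystemInformation Failed");
        bRet = TRUE;
        goto cleanup;
    }
    DbgPrint("Length:%dn", (int)RetLength);

    /* A module can load between the size query and the real query; the
     * real query then fails with STATUS_INFO_LENGTH_MISMATCH and a larger
     * RetLength. Reallocate and retry, bounded. */
    for (Attempt = 0; Attempt < CHECKVM_MAX_QUERY_ATTEMPTS; Attempt++) {
        if (RetLength < FIELD_OFFSET(SYSTEM_MODULE_LIST, Modules)) {
            /* Too small to even hold the module count. */
            DbgPrint("invoke NtQuerySystemInformation Failed");
            bRet = TRUE;
            goto cleanup;
        }
        BufferLength = RetLength;
        buffer = ExAllocatePoolWithTag(PagedPool, BufferLength, CHECKVM_POOL_TAG);
        if (!buffer) {
            DbgPrint("ExAllocatePoolWithTag Failed");
            bRet = TRUE;
            goto cleanup;
        }
        RtlZeroMemory(buffer, BufferLength);

        status = n_NtQuerySystemInformation(CHECKVM_SYSTEM_MODULE_INFORMATION, buffer, BufferLength, &RetLength);
        if (status != STATUS_INFO_LENGTH_MISMATCH) {
            break;
        }
        ExFreePoolWithTag(buffer, CHECKVM_POOL_TAG);
        buffer = NULL;
    }
    if (!NT_SUCCESS(status) || buffer == NULL) {
        DbgPrint("n_NtQuerySystemInformation(0xb, buffer, RetLength, &RetLength); Failed");
        bRet = TRUE;
        goto cleanup;
    }

    ModuleList = (PSYSTEM_MODULE_LIST)buffer;
    ModuleNumbers = ModuleList->NumberOfModules;
    DbgPrint("Module Numbers %d", ModuleNumbers);

    /* Never walk further than the bytes the call actually filled, whatever
     * the count field claims. */
    MaxEntries = (BufferLength - FIELD_OFFSET(SYSTEM_MODULE_LIST, Modules)) / sizeof(SYSTEM_MODULE_INFORMATION);
    if (ModuleNumbers > MaxEntries) {
        ModuleNumbers = (ULONG)MaxEntries;
    }

    ModuleEntry = ModuleList->Modules;
    for (Index = 0; Index < ModuleNumbers; Index++, ModuleEntry++) {
        /* ImageName is a fixed 256-byte field; a full-length name has no
         * terminator, so work on a terminated copy. */
        RtlCopyMemory(name, ModuleEntry->ImageName, sizeof ModuleEntry->ImageName);
        name[sizeof ModuleEntry->ImageName] = '\0';

        if (CheckVmModuleNameMatches(name)) {
            DbgPrint("Virtual Module Name %sn", name);
            bRet = TRUE;
            break;
        }
    }

cleanup:
    if (buffer) {
        ExFreePoolWithTag(buffer, CHECKVM_POOL_TAG);
        buffer = NULL;
    }
    return bRet;
}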
/*
 * Body of the system thread started by CreateMyThread.
 *
 * Runs CheckVm() once per second until bStoped becomes TRUE (set by Unload
 * or by CreateMyThread on a reference failure), then terminates the
 * thread. The result of CheckVm() is discarded here; the routine reports
 * what it finds through DbgPrint itself.
 *
 * @param pContext  start context from PsCreateSystemThread (always NULL
 *                  in this driver, unused)
 */
void MyThread(PVOID pContext)
{
    LARGE_INTEGER sleepInterval;

    UNREFERENCED_PARAMETER(pContext);

    /* Negative = relative time, in 100 ns units: one second. */
    sleepInterval.QuadPart = -10000000;

    for (;;) {
        if (bStoped) {
            break;
        }
        (void)CheckVm();
        /* something you can do */
        KeDelayExecutionThread(KernelMode, FALSE, &sleepInterval);
    }

    PsTerminateSystemThread(STATUS_SUCCESS);
}
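/*
 * Start the MyThread worker and keep a referenced thread object in
 * pThreadObj so Unload can wait for it.
 *
 * Contract: on any failure no worker thread is left running. The original
 * only set bStoped when ObReferenceObjectByHandle failed and then closed the
 * handle, leaving a thread that was still executing driver code with no
 * object to wait on; now the thread is told to stop and waited for through
 * the handle (ZwWaitForSingleObject) before the handle is closed.
 *
 * @return STATUS_SUCCESS, or the failing NTSTATUS from PsCreateSystemThread
 *         or ObReferenceObjectByHandle
 */
NTSTATUS CreateMyThread(void)
{
    OBJECT_ATTRIBUTES ObjAddr = { 0 };
    HANDLE ThreadHandle = NULL;
    NTSTATUS status = STATUS_SUCCESS;

    /* OBJ_KERNEL_HANDLE: the handle must not be reachable from user mode. */
    InitializeObjectAttributes(&ObjAddr, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
    status = PsCreateSystemThread(&ThreadHandle, THREAD_ALL_ACCESS, &ObjAddr, NULL, NULL, MyThread, NULL);
    if (!NT_SUCCESS(status)) {
        return status;
    }
    DbgPrint("Create Thread Success");

    status = ObReferenceObjectByHandle(ThreadHandle, THREAD_ALL_ACCESS, *PsThreadType, KernelMode, &pThreadObj, NULL);
    if (!NT_SUCCESS(status)) {
        /* The thread exists but we have no object pointer for Unload to
         * wait on, so stop it now, while the handle is still open. */
        pThreadObj = NULL;
        bStoped = TRUE;
        ZwWaitForSingleObject(ThreadHandle, FALSE, NULL);
    }
    ZwClose(ThreadHandle);
    return status;
}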
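/*
 * Driver entry point: registers Unload, performs a one-shot CPUID check,
 * and starts the periodic module-list check thread.
 *
 * The CPUID block is MSVC x86 inline assembly (not available on x64
 * builds): leaf 1 returns the "hypervisor present" flag in ECX bit 31,
 * which is set by most hypervisors. Its result is only logged.
 *
 * Unlike the original, a CreateMyThread failure now fails DriverEntry
 * instead of loading a driver whose Unload would later wait on a NULL
 * thread object. This relies on CreateMyThread's contract that no thread is
 * left running when it fails; DriverUnload is not invoked for a failed
 * DriverEntry.
 *
 * @param driver    this driver's DRIVER_OBJECT
 * @param reg_path  registry path of the driver's service key (unused)
 * @return STATUS_SUCCESS, or the NTSTATUS from CreateMyThread on failure
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING reg_path)
{
    int a = 0;
    NTSTATUS status;

    UNREFERENCED_PARAMETER(reg_path);
    driver->DriverUnload = Unload;

    __asm{
        mov eax,1
        cpuid
        shr ecx,31
        mov a,ecx   /* ECX bit 31 of CPUID leaf 1: hypervisor-present flag */
    }
    if (a)
    {
        DbgPrint("In Virtual Machine");
    }

    status = CreateMyThread();
    if (!NT_SUCCESS(status)) {
        return status;
    }
    return STATUS_SUCCESS;
}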