我是靠谱客的博主 落寞指甲油,这篇文章主要介绍驱动层虚拟机检测参考爱写驱动的女装大佬,现在分享给大家,希望可以做个参考。

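#include <ntddk.h>
#include <windef.h>
#include <intrin.h>
#include <string.h>

/*
 * Kernel-mode virtual-machine detection sample.
 *
 * Two heuristics are used:
 *   1. CPUID leaf 1, ECX bit 31 ("hypervisor present"), checked once in
 *      DriverEntry.
 *   2. A system thread that polls the loaded-module list once per second
 *      for the VMware guest drivers vmmemctl.sys / vmhgfs.sys.
 *
 * Both are weak signals and are trivially evaded: a hypervisor can choose
 * not to advertise the CPUID bit, VMware Tools may simply not be installed,
 * the driver files can be renamed, and other hypervisors (Hyper-V, KVM,
 * VirtualBox, ...) are not covered at all. Treat the result as a hint, never
 * as the basis for a security decision.
 */

/* SystemInformationClass for the loaded-module list (SystemModuleInformation). */
#define SYSTEM_MODULE_INFORMATION_CLASS 0x0b

/*
 * Pool tag. MSVC multi-char constants are stored so that ' wxl' shows up as
 * "lxw " in pool dumps. The original passed the string literal "lxw", which
 * silently used the literal's address as the tag value.
 */
#define VMCHECK_POOL_TAG ' wxl'

/* Polling interval of the detection thread: 1 s in 100 ns units, negative = relative. */
#define VMCHECK_POLL_INTERVAL_100NS (-10000000LL)

/* Upper bound on size-mismatch retries while the module list is changing. */
#define VMCHECK_QUERY_ATTEMPTS 4

/* One entry of the SystemModuleInformation array (RTL_PROCESS_MODULE_INFORMATION). */
typedef struct _SYSTEM_MODULE_INFORMATION {
    HANDLE Section;
    PVOID MappedBase;
    PVOID base;
    ULONG Size;
    ULONG Flags;
    USHORT LoadOrderIndex;
    USHORT InitOrderIndex;
    USHORT LoadCount;
    USHORT PathLength;
    CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

/*
 * Buffer layout returned by the query: a ULONG count followed by the entries.
 * Declaring it as a struct lets the compiler place the array correctly --
 * offset 4 on x86, offset 8 on x64 where HANDLE forces 8-byte alignment.
 * The original hard-coded "(ULONG_PTR)buffer + 8", which is only right on
 * x64 and shifts every entry by 4 bytes on x86 (the __asm block below shows
 * this was x86 code).
 */
typedef struct _SYSTEM_MODULE_LIST {
    ULONG NumberOfModules;
    SYSTEM_MODULE_INFORMATION Modules[1];
} SYSTEM_MODULE_LIST, *PSYSTEM_MODULE_LIST;

/*
 * Prototype of the (undocumented) NtQuerySystemInformation export.
 * The kernel's signature uses ULONG / PULONG, not ULONG_PTR / PULONG_PTR as
 * the original declared; the two only coincide on 32-bit builds.
 */
typedef NTSTATUS (*NTQUERYSYSTEMINFORMATION)(
    ULONG SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength OPTIONAL);

/* Set by Unload to ask the polling thread to exit; volatile so the loop re-reads it. */
static volatile BOOLEAN bStoped = FALSE;

/* Referenced thread object that Unload waits on; NULL when no thread was started. */
static PVOID pThreadObj = NULL;

/*
 * DRIVER_UNLOAD callback: signal the polling thread, wait for it to finish
 * and drop our reference so the driver image is not unmapped while the
 * thread is still executing in it.
 *
 * DRIVER_UNLOAD returns VOID; the original declared NTSTATUS, which is a
 * function-pointer type mismatch when assigned to DriverUnload.
 */
VOID Unload(PDRIVER_OBJECT driver)
{
    UNREFERENCED_PARAMETER(driver);

    DbgPrint("unloaded!");
    bStoped = TRUE;

    /* pThreadObj is NULL if thread creation failed; waiting on NULL would bugcheck. */
    if (pThreadObj != NULL) {
        KeWaitForSingleObject(pThreadObj, Executive, KernelMode, FALSE, NULL);
        ObDereferenceObject(pThreadObj);
        pThreadObj = NULL;
    }
}

/*
 * Scan the loaded kernel-module list for VMware guest drivers.
 *
 * Returns TRUE when vmmemctl.sys or vmhgfs.sys is loaded. As in the original,
 * it also returns TRUE when the check cannot be carried out (export not
 * found, query failure, allocation failure): the sample fails closed and
 * treats "could not check" as suspicious. A caller that needs to distinguish
 * "detected" from "unable to check" must split this result.
 *
 * Must run at PASSIVE_LEVEL (paged pool, NtQuerySystemInformation). It is
 * only ever called from the system thread below, so the caller's previous
 * mode is KernelMode; if this is ever invoked on behalf of a user-mode
 * thread, prefer the Zw* export so the kernel buffers are not probed as
 * user memory.
 */
BOOLEAN CheckVm(void)
{
    NTQUERYSYSTEMINFORMATION n_NtQuerySystemInformation = NULL;
    UNICODE_STRING routineName;
    PSYSTEM_MODULE_LIST list = NULL;
    PVOID buffer = NULL;
    ULONG bufferSize = 0;
    ULONG returnLength = 0;
    ULONG moduleCount = 0;
    ULONG maxEntries = 0;
    ULONG index = 0;
    NTSTATUS status = STATUS_SUCCESS;
    BOOLEAN found = FALSE;
    int attempt;

    RtlInitUnicodeString(&routineName, L"NtQuerySystemInformation");
    n_NtQuerySystemInformation =
        (NTQUERYSYSTEMINFORMATION)MmGetSystemRoutineAddress(&routineName);
    if (n_NtQuerySystemInformation == NULL) {
        /* The original set bRet here and then called the NULL pointer anyway. */
        DbgPrint("NtQuerySystemInformation NULL");
        return TRUE;
    }

    /* First call only asks for the required size. */
    status = n_NtQuerySystemInformation(SYSTEM_MODULE_INFORMATION_CLASS, NULL, 0,
                                        &returnLength);
    if (!NT_SUCCESS(status) && status != STATUS_INFO_LENGTH_MISMATCH) {
        DbgPrint("invoke NtQuerySystemInformation Failed: 0x%08lX", (unsigned long)status);
        return TRUE;
    }
    DbgPrint("Length:%lu\n", returnLength);
    if (returnLength < sizeof(ULONG)) {
        /* Nothing sensible to allocate or parse. */
        return TRUE;
    }

    /*
     * The module list can change between the size query and the real query
     * (driver load/unload), so retry with the freshly reported size on
     * STATUS_INFO_LENGTH_MISMATCH instead of failing on a stale length.
     */
    for (attempt = 0; attempt < VMCHECK_QUERY_ATTEMPTS; attempt++) {
        bufferSize = returnLength;
        buffer = ExAllocatePoolWithTag(PagedPool, bufferSize, VMCHECK_POOL_TAG);
        if (buffer == NULL) {
            /* The original continued into RtlZeroMemory(NULL, ...) here. */
            DbgPrint("ExAllocatePoolWithTag Failed");
            return TRUE;
        }
        RtlZeroMemory(buffer, bufferSize);

        status = n_NtQuerySystemInformation(SYSTEM_MODULE_INFORMATION_CLASS, buffer,
                                            bufferSize, &returnLength);
        if (status != STATUS_INFO_LENGTH_MISMATCH) {
            break;
        }
        ExFreePoolWithTag(buffer, VMCHECK_POOL_TAG);
        buffer = NULL;
    }

    if (buffer == NULL) {
        /* Gave up after repeated size mismatches. */
        DbgPrint("NtQuerySystemInformation size kept changing");
        return TRUE;
    }
    if (!NT_SUCCESS(status)) {
        DbgPrint("NtQuerySystemInformation(buffer) Failed: 0x%08lX", (unsigned long)status);
        ExFreePoolWithTag(buffer, VMCHECK_POOL_TAG);
        return TRUE;
    }

    /*
     * Bound the walk by what we actually allocated rather than trusting the
     * count in the buffer blindly, so a short or inconsistent result cannot
     * drive a read past the end of the pool block.
     */
    list = (PSYSTEM_MODULE_LIST)buffer;
    maxEntries = (bufferSize - FIELD_OFFSET(SYSTEM_MODULE_LIST, Modules)) /
                 sizeof(SYSTEM_MODULE_INFORMATION);
    moduleCount = list->NumberOfModules;
    if (moduleCount > maxEntries) {
        moduleCount = maxEntries;
    }
    DbgPrint("Module Numbers %lu", moduleCount);

    for (index = 0; index < moduleCount; index++) {
        PSYSTEM_MODULE_INFORMATION entry = &list->Modules[index];

        /* The buffer is ours: guarantee termination before the unbounded strstr. */
        entry->ImageName[sizeof(entry->ImageName) - 1] = '\0';

        /* Case-sensitive substring match on the full path -- easily evaded by renaming. */
        if (strstr(entry->ImageName, "vmmemctl.sys") != NULL ||
            strstr(entry->ImageName, "vmhgfs.sys") != NULL) {
            DbgPrint("Virtual Module Name %s\n", entry->ImageName);
            found = TRUE;
            break;
        }
    }

    ExFreePoolWithTag(buffer, VMCHECK_POOL_TAG);
    return found;
}

/*
 * System-thread body: re-run CheckVm once per second until Unload sets
 * bStoped, then terminate. The result of CheckVm is deliberately discarded
 * here (CheckVm logs its findings); hook the reaction in at the marked line.
 *
 * pContext is unused: PsCreateSystemThread is called with a NULL context.
 */
void MyThread(PVOID pContext)
{
    LARGE_INTEGER interval;

    UNREFERENCED_PARAMETER(pContext);
    interval.QuadPart = VMCHECK_POLL_INTERVAL_100NS;

    while (!bStoped) {
        CheckVm();
        /* something you can do */
        KeDelayExecutionThread(KernelMode, FALSE, &interval);
    }

    PsTerminateSystemThread(STATUS_SUCCESS);
}

/*
 * Create the polling thread and take a reference to its object so that
 * Unload can wait for it.
 *
 * Returns STATUS_SUCCESS with pThreadObj set, or the failing NTSTATUS with
 * pThreadObj left NULL and no thread left running.
 */
NTSTATUS CreateMyThread(void)
{
    OBJECT_ATTRIBUTES attributes;
    HANDLE threadHandle = NULL;
    NTSTATUS status = STATUS_SUCCESS;

    InitializeObjectAttributes(&attributes, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);

    status = PsCreateSystemThread(&threadHandle, THREAD_ALL_ACCESS, &attributes,
                                  NULL, NULL, MyThread, NULL);
    if (!NT_SUCCESS(status)) {
        DbgPrint("PsCreateSystemThread Failed: 0x%08lX", (unsigned long)status);
        return status;
    }
    DbgPrint("Create Thread Success");

    status = ObReferenceObjectByHandle(threadHandle, THREAD_ALL_ACCESS, *PsThreadType,
                                       KernelMode, &pThreadObj, NULL);
    if (!NT_SUCCESS(status)) {
        /*
         * The thread is already running but we hold no object to wait on.
         * The original only set bStoped and returned, which leaves a window
         * in which the driver can be unloaded while the thread is still
         * executing its code. Stop it and wait through the handle instead.
         */
        pThreadObj = NULL;
        bStoped = TRUE;
        ZwWaitForSingleObject(threadHandle, FALSE, NULL);
    }

    ZwClose(threadHandle);
    return status;
}

/*
 * Driver entry point: one-shot CPUID hypervisor-bit check, then start the
 * module-list polling thread.
 *
 * Fails the load if the thread cannot be started. The original returned
 * STATUS_SUCCESS regardless, which left Unload to wait on a NULL thread object.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING reg_path)
{
    int regs[4] = { 0 }; /* EAX, EBX, ECX, EDX from CPUID */
    NTSTATUS status = STATUS_SUCCESS;

    UNREFERENCED_PARAMETER(reg_path);
    driver->DriverUnload = Unload;

    /*
     * CPUID leaf 1, ECX bit 31 is the "hypervisor present" bit. __cpuid
     * replaces the x86-only __asm block so the same source builds for x64.
     * Mask rather than shift: right-shifting a negative int is
     * implementation-defined. A hypervisor may hide this bit, so a clear bit
     * proves nothing.
     */
    __cpuid(regs, 1);
    if (((unsigned int)regs[2] & 0x80000000u) != 0) {
        DbgPrint("In Virtual Machine");
    }

    status = CreateMyThread();
    if (!NT_SUCCESS(status)) {
        return status;
    }

    return STATUS_SUCCESS;
}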


最后

以上就是落寞指甲油最近收集整理的关于驱动层虚拟机检测参考爱写驱动的女装大佬的全部内容,更多相关驱动层虚拟机检测参考爱写驱动内容请搜索靠谱客的其他文章。

本图文内容来源于网友提供,作为学习参考使用,或来自网络收集整理,版权属于原作者所有。