与断链隐藏进程功能类似,关于断链进程隐藏可参考《驱动开发:DKOM 实现进程隐藏》这一篇文章,断链隐藏驱动自身则用于隐藏自身SYS驱动文件,当驱动加载后那么使用ARK工具扫描将看不到自身驱动模块,此方法可能会触发PG会蓝屏,在某些驱动辅助中也会使用这种方法隐藏自己。
驱动实现代码如下所示:
#include <ntifs.h>
HANDLE hThread;
VOID ThreadRun(PVOID StartContext)
{
LARGE_INTEGER times;
PDRIVER_OBJECT pDriverObject;
// 等待3秒 单位是纳秒
times.QuadPart = -30 * 1000 * 1000;
KeDelayExecutionThread(KernelMode, FALSE, ×);
pDriverObject = (PDRIVER_OBJECT)StartContext;
// 修改模块信息
pDriverObject->DriverSize = 0;
pDriverObject->DriverSection = NULL;
pDriverObject->DriverExtension = NULL;
pDriverObject->DriverStart = NULL;
pDriverObject->DriverInit = NULL;
pDriverObject->FastIoDispatch = NULL;
pDriverObject->DriverStartIo = NULL;
ZwClose(hThread);
}
VOID UnDriver(PDRIVER_OBJECT driver)
{
DbgPrint(("Uninstall Driver Is OK \n"));
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath)
{
DbgPrint(("hello lyshark \n"));
PLIST_ENTRY pModuleList;
pModuleList = Driver->DriverSection;
// 前一个模块的Flink=本模块的Flink
pModuleList->Blink->Flink = pModuleList->Flink;
// 前一个模块的Blink=本模块的Blink
pModuleList->Flink->Blink = pModuleList->Blink;
PsCreateSystemThread(&hThread, GENERIC_ALL, NULL, NULL, NULL, ThreadRun, Driver);
Driver->DriverUnload = UnDriver;
return STATUS_SUCCESS;
}输出效果如下,驱动每隔3秒执行一次模块修改:
