能否使这段最简便的映射驱动代码使其支持InfinityHookPro

[BaiFeng666]

KDU的代码实在太太太长了，想把映射功能集成到自己的项目里对我来说有点天方夜谭

于是翻遍了Github找了下，着应该是最简便的映射驱动代码，常规的驱动映射都没什么问题

但是！依旧无法映射带有InfinityHookPro的驱动..

如果大佬有时间的话可以抽空看一下，这个映射代码能否支持映射带有InfinityHookPro的项目~万分感谢

' auto ResolveImageRefs(LPBYTE pImageBase) -> NTSTATUS {

NTSTATUS Status = STATUS_SUCCESS;

ULONG Size = 0;

PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)(RtlImageDirectoryEntryToData(pImageBase, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &Size));

while (pImportDescriptor->Characteristics != 0) {

    LPBYTE pModule = GetModuleBaseForHash(GetTextHashA((LPCSTR)(pImageBase + pImportDescriptor->Name)));

    if (pModule != NULL) {

        PIMAGE_THUNK_DATA pNameData = ((PIMAGE_THUNK_DATA)(pImageBase + (ULONG)pImportDescriptor->OriginalFirstThunk));

        PIMAGE_THUNK_DATA pFuncData = ((PIMAGE_THUNK_DATA)(pImageBase + (ULONG)pImportDescriptor->FirstThunk));

        for (; pNameData->u1.ForwarderString; ++pNameData, ++pFuncData) {

            PIMAGE_IMPORT_BY_NAME pName = (PIMAGE_IMPORT_BY_NAME)(pImageBase + (ULONG)pNameData->u1.AddressOfData);

            LPBYTE pFunc = GetRoutineAddressForHash(pModule, GetTextHashA(pName->Name));

            if (pFunc) {

                pFuncData->u1.Function = (ULONGLONG)pFunc;
            }
        }
    }
    else
        break;

    pImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((ULONGLONG)pImportDescriptor + sizeof(IMAGE_IMPORT_DESCRIPTOR));
}

return Status;

}

auto MapDriver(LPBYTE pFileBuffer) -> NTSTATUS {

NTSTATUS Status = STATUS_UNSUCCESSFUL;

if (pFileBuffer != NULL) {

    PIMAGE_NT_HEADERS pImageNtHeaders = (PIMAGE_NT_HEADERS)(RtlImageNtHeader(pFileBuffer));

    if (pImageNtHeaders != NULL) {

        auto pDriverBase = RtlAllocatePool(pImageNtHeaders->OptionalHeader.SizeOfImage);

        if (pDriverBase != NULL) {

            RtlZeroMemoryEx(pDriverBase, pImageNtHeaders->OptionalHeader.SizeOfImage);

            RtlCopyMemoryEx(pDriverBase, pFileBuffer, pImageNtHeaders->OptionalHeader.SizeOfHeaders);

            PIMAGE_SECTION_HEADER pImageSectionHeader = (PIMAGE_SECTION_HEADER)(((PIMAGE_DOS_HEADER)pFileBuffer)->e_lfanew + sizeof(IMAGE_NT_HEADERS) + pFileBuffer);

            for (ULONG Index = 0; Index < pImageNtHeaders->FileHeader.NumberOfSections; Index++) {

                RtlCopyMemoryEx(pDriverBase + pImageSectionHeader[Index].VirtualAddress, (LPBYTE)(pFileBuffer + pImageSectionHeader[Index].PointerToRawData), pImageSectionHeader[Index].SizeOfRawData);
            }

            if (NT_SUCCESS(LdrRelocateImageWithBias(pDriverBase))) {

                if (NT_SUCCESS(ResolveImageRefs(pDriverBase))) {

                    HANDLE ThreadHandle = NULL;

                    Status = PsCreateSystemThread(&ThreadHandle, THREAD_ALL_ACCESS, NULL, NtCurrentProcess(), NULL, (PKSTART_ROUTINE)(pDriverBase + pImageNtHeaders->OptionalHeader.AddressOfEntryPoint), NULL);

                    if (NT_SUCCESS(Status)) {

                        PVOID ThreadObject = NULL;

                        if (NT_SUCCESS(ObReferenceObjectByHandle(ThreadHandle, THREAD_ALL_ACCESS, NULL, KernelMode, &ThreadObject, NULL))) {

                            KeWaitForSingleObject(ThreadObject, Executive, KernelMode, FALSE, NULL);

                            ObfDereferenceObject(ThreadObject);
                        }

                        ObCloseHandle(ThreadHandle, KernelMode);
                    }
                }
            }
        }
    }
}

return Status;

} '

[zhutingxf]

KdMapper和KDU都是复用了一些已知的漏洞驱动做的映射，你这样直接映射是没办法去执行InfinityHook的啊

[zhutingxf]

KDU的代码实在太太太长了，想把映射功能集成到自己的项目里对我来说有点天方夜谭

于是翻遍了Github找了下，着应该是最简便的映射驱动代码，常规的驱动映射都没什么问题

但是！依旧无法映射带有InfinityHookPro的驱动..

如果大佬有时间的话可以抽空看一下，这个映射代码能否支持映射带有InfinityHookPro的项目~万分感谢

' auto ResolveImageRefs(LPBYTE pImageBase) -> NTSTATUS {

NTSTATUS Status = STATUS_SUCCESS;

ULONG Size = 0;

PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)(RtlImageDirectoryEntryToData(pImageBase, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &Size));

while (pImportDescriptor->Characteristics != 0) {

  LPBYTE pModule = GetModuleBaseForHash(GetTextHashA((LPCSTR)(pImageBase + pImportDescriptor->Name)));

  if (pModule != NULL) {

      PIMAGE_THUNK_DATA pNameData = ((PIMAGE_THUNK_DATA)(pImageBase + (ULONG)pImportDescriptor->OriginalFirstThunk));

      PIMAGE_THUNK_DATA pFuncData = ((PIMAGE_THUNK_DATA)(pImageBase + (ULONG)pImportDescriptor->FirstThunk));

      for (; pNameData->u1.ForwarderString; ++pNameData, ++pFuncData) {

          PIMAGE_IMPORT_BY_NAME pName = (PIMAGE_IMPORT_BY_NAME)(pImageBase + (ULONG)pNameData->u1.AddressOfData);

          LPBYTE pFunc = GetRoutineAddressForHash(pModule, GetTextHashA(pName->Name));

          if (pFunc) {

              pFuncData->u1.Function = (ULONGLONG)pFunc;
          }
      }
  }
  else
      break;

  pImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((ULONGLONG)pImportDescriptor + sizeof(IMAGE_IMPORT_DESCRIPTOR));
}

return Status;

}

auto MapDriver(LPBYTE pFileBuffer) -> NTSTATUS {

NTSTATUS Status = STATUS_UNSUCCESSFUL;

if (pFileBuffer != NULL) {

  PIMAGE_NT_HEADERS pImageNtHeaders = (PIMAGE_NT_HEADERS)(RtlImageNtHeader(pFileBuffer));

  if (pImageNtHeaders != NULL) {

      auto pDriverBase = RtlAllocatePool(pImageNtHeaders->OptionalHeader.SizeOfImage);

      if (pDriverBase != NULL) {

          RtlZeroMemoryEx(pDriverBase, pImageNtHeaders->OptionalHeader.SizeOfImage);

          RtlCopyMemoryEx(pDriverBase, pFileBuffer, pImageNtHeaders->OptionalHeader.SizeOfHeaders);

          PIMAGE_SECTION_HEADER pImageSectionHeader = (PIMAGE_SECTION_HEADER)(((PIMAGE_DOS_HEADER)pFileBuffer)->e_lfanew + sizeof(IMAGE_NT_HEADERS) + pFileBuffer);

          for (ULONG Index = 0; Index < pImageNtHeaders->FileHeader.NumberOfSections; Index++) {

              RtlCopyMemoryEx(pDriverBase + pImageSectionHeader[Index].VirtualAddress, (LPBYTE)(pFileBuffer + pImageSectionHeader[Index].PointerToRawData), pImageSectionHeader[Index].SizeOfRawData);
          }

          if (NT_SUCCESS(LdrRelocateImageWithBias(pDriverBase))) {

              if (NT_SUCCESS(ResolveImageRefs(pDriverBase))) {

                  HANDLE ThreadHandle = NULL;

                  Status = PsCreateSystemThread(&ThreadHandle, THREAD_ALL_ACCESS, NULL, NtCurrentProcess(), NULL, (PKSTART_ROUTINE)(pDriverBase + pImageNtHeaders->OptionalHeader.AddressOfEntryPoint), NULL);

                  if (NT_SUCCESS(Status)) {

                      PVOID ThreadObject = NULL;

                      if (NT_SUCCESS(ObReferenceObjectByHandle(ThreadHandle, THREAD_ALL_ACCESS, NULL, KernelMode, &ThreadObject, NULL))) {

                          KeWaitForSingleObject(ThreadObject, Executive, KernelMode, FALSE, NULL);

                          ObfDereferenceObject(ThreadObject);
                      }

                      ObCloseHandle(ThreadHandle, KernelMode);
                  }
              }
          }
      }
  }
}

return Status;

} '

你能把源码发我一下么，我测试下。再说你的这个代码好像也是驱动里的，你要如何先加载这个驱动呢

[BaiFeng666]

因为我找到了一个劳永逸的办法 就是编译一个能映射驱动的驱动 而且代码比较简洁我能看懂 这样我就可以让别人帮忙只签名一次这个加载器就行 而不是我每次编译驱动的时候都要签名一次

我刚上传了一下代码 https://github.com/BaiFeng666/DriverLoader

[zhutingxf]

因为我找到了一个劳永逸的办法 就是编译一个能映射驱动的驱动 而且代码比较简洁我能看懂 这样我就可以让别人帮忙只签名一次这个加载器就行 而不是我每次编译驱动的时候都要签名一次

我刚上传了一下代码 https://github.com/BaiFeng666/DriverLoader

把你的 Utils.cpp 中的 ResolveImageRefs 函数改一下，其实还是解析导入表的问题，因为 InfinityHookPro 使用了 hal.dll 的导出表函数，而在 hal.dll 中的导出表实际又是跳转到 ntoskrnl 中。 在你的函数 ResolveImageRefs 中将 LPBYTE pFunc = GetRoutineAddressForHash(pModule, GetTextHashA(pName->Name));注释掉，换成下边的逻辑：

ANSI_STRING asFun; RtlInitAnsiString(&asFun, pName->Name); UNICODE_STRING usFun = { 0 }; RtlAnsiStringToUnicodeString(&usFun, &asFun, TRUE); LPBYTE pFunc = (LPBYTE)MmGetSystemRoutineAddress(&usFun); if (pFunc) {

                pFuncData->u1.Function = (ULONGLONG)pFunc;
            }
            RtlFreeUnicodeString(&usFun);

然后InfinityHookPro的逻辑还是按之前讨论的把DriverEntry里关于参数不能使用或者用 IoCreateDriver创建个驱动对象，你按上述方法试试

[BaiFeng666]

好像可以了 大佬牛逼万岁！！！