C++ Win32 API 将驱动程序加载到内核空间

C++ Win32 API Load a driver to the kernel space

本文关键字:内核 空间 加载 驱动程序 Win32 API C++      更新时间:2023-10-16

是否有用于在内核空间中加载和执行内核模式程序的Win32/本机API函数?(.sys,.exe)

首先,

您可以使用OpenSCManager()获得服务管理器的句柄。

然后你使用 SERVICE_KERNEL_DRIVER 和 SERVICE_DEMAND_START 调用 CreateService(),这将加载驱动程序。

下面是一个函数的一个很好的例子,它通过错误检查为你做这一切:

BOOL LoadNTDriver(WCHAR* lpszDriverName, WCHAR* lpszDriverPath)
{
    WCHAR szDriverImagePath[256];
    GetFullPathName(lpszDriverPath, 256, szDriverImagePath, NULL);
    BOOL bRet = FALSE;
    SC_HANDLE hServiceMgr = NULL;
    SC_HANDLE hServiceDDK = NULL;
    hServiceMgr = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if (hServiceMgr == NULL)
    {
        printf("OpenSCManager() Faild %d ! n", GetLastError());
        bRet = FALSE;
        goto BeforeExit;
    }
    else
    {
        printf("OpenSCManager() ok ! n");
    }
    hServiceDDK = CreateService(hServiceMgr,
        lpszDriverName, 
        lpszDriverName,
        SERVICE_ALL_ACCESS,
        SERVICE_KERNEL_DRIVER,
        SERVICE_DEMAND_START,
        SERVICE_ERROR_IGNORE,
        szDriverImagePath,
        NULL,
        NULL,
        NULL,
        NULL,
        NULL);
    DWORD dwRtn;
    if (hServiceDDK == NULL)
    {
        dwRtn = GetLastError();
        if (dwRtn != ERROR_IO_PENDING && dwRtn != ERROR_SERVICE_EXISTS)
        {
            printf("CrateService() Faild %d ! n", dwRtn);
            bRet = FALSE;
            goto BeforeExit;
        }
        else
        {
            printf("CrateService() Faild Service is ERROR_IO_PENDING or ERROR_SERVICE_EXISTS! n");
        }
        hServiceDDK = OpenService(hServiceMgr, lpszDriverName, SERVICE_ALL_ACCESS);
        if (hServiceDDK == NULL)
        {
            dwRtn = GetLastError();
            printf("OpenService() Faild %d ! n", dwRtn);
            bRet = FALSE;
            goto BeforeExit;
        }
        else
        {
            printf("OpenService() ok ! n");
        }
    }
    else
    {
        printf("CrateService() ok ! n");
    }
    bRet = StartService(hServiceDDK, NULL, NULL);
    if (!bRet)
    {
        DWORD dwRtn = GetLastError();
        if (dwRtn != ERROR_IO_PENDING && dwRtn != ERROR_SERVICE_ALREADY_RUNNING)
        {
            printf("StartService() Faild %d ! n", dwRtn);
            bRet = FALSE;
            goto BeforeExit;
        }
        else
        {
            if (dwRtn == ERROR_IO_PENDING)
            {
                printf("StartService() Faild ERROR_IO_PENDING ! n");
                bRet = FALSE;
                goto BeforeExit;
            }
            else
            {
                printf("StartService() Faild ERROR_SERVICE_ALREADY_RUNNING ! n");
                bRet = TRUE;
                goto BeforeExit;
            }
        }
    }
    bRet = TRUE;
BeforeExit:
    if (hServiceDDK)
    {
        CloseServiceHandle(hServiceDDK);
    }
    if (hServiceMgr)
    {
        CloseServiceHandle(hServiceMgr);
    }
    return bRet;
}

来源:https://github.com/roycncn/PUBG-wall-hacking-user-mode/blob/master/MapESP/LoadDriver.hpp

我所知,没有。你不能那样做(这将是一个相当大的安全问题)。您必须正确注册驱动程序并让 Windows 加载它。

后者可以使用DIFxAPI来完成,您应该在MSDN上阅读,因为它太复杂了,无法将其放在简单的答案中。

您应该寻找的核心功能是 DriverPackageInstall .

相关文章: