1.无符号文件的驱动中断DriverEntry方法一:
- 在加载驱动之前,先使用设置异常命令sxe,设置加载驱动文件时中断.
命令格式:sxe ld <驱动文件名>
- 加载驱动中断后,使用lm命令查看驱动模块的基址.
命令格式:lm m <驱动文件名>
- 通过计算PE文件入口点地址,得到DriverEntry的地址.
计算公式如下:
DriverEntry = moduleBase + *(DWORD*)( moduleBase + *(DWORD*)(moduleBase + 0x3C ) + 0x28);
WinDBG命令如下:
bp moduleBase +poi( moduleBase + poi( moduleBase + 0x3C ) + 0x28 )
2.无符号文件的驱动中断DriverEntry方法二:
- 首先使用命令:uf nt!IopLoadDriver 在WinDBG中查看该函数的反汇编指令.
- Find IopLoadDriver with
x nt!IopLoadDriver - Add a breakpoint at IopLoadDriver+0x66a
- Load and start your driver
Offsets for other Windows versions:
- Windows 7 Pro SP1 32-bit German: nt!IopLoadDriver+0x7eb
- Windows 7 Ultimate 64-bit US: nt!IopLoadDriver+0xA04
- Windows 10 Pro x64 US: nt!IopLoadDriver+0x51C (Build 10586.420)
先用uf /c nt!IopLoadDriver列出里面的所有调用,输出太多,看的眼花。
kd> uf /c nt!IopLoadDriver
nt!IopLoadDriver (805a461b)
nt!IopLoadDriver+0x4b (805a4666):
call to nt!NtQueryKey (80571c4a)
nt!IopLoadDriver+0x78 (805a468b):
call to nt!ExAllocatePoolWithTag (8054c6c4)
nt!IopLoadDriver+0x99 (805a46ac):
call to nt!NtQueryKey (80571c4a)
nt!IopLoadDriver+0xca (805a46dd):
call to nt!ExAllocatePoolWithTag (8054c6c4)
nt!IopLoadDriver+0x114 (805a4727):
call to nt!RtlAppendUnicodeToString (804f9a01)
nt!IopLoadDriver+0x11f (805a4732):
call to nt!HeadlessKernelAddLogEntry (80507946)
nt!IopLoadDriver+0x1e6 (805a4750):
call to nt!ExAcquireResourceSharedLite (804da3a6)
nt!IopLoadDriver+0x1fd (805a476d):
call to nt!RtlEqualString (80502686)
nt!IopLoadDriver+0x212 (805a478c):
call to nt!ExReleaseResourceLite (804dc650)
nt!IopLoadDriver+0x222 (805a479c):
call to nt!IopBuildFullDriverPath (805a437c)
nt!IopLoadDriver+0x31b (805a47b6):
call to nt!IopGetDriverNameFromKeyNode (805a44c1)
nt!IopLoadDriver+0x36c (805a4807):
call to nt!MmLoadSystemImage (805a423f)
nt!IopLoadDriver+0x429 (805a481a):
call to nt!RtlImageNtHeader (804f9e6d)
nt!IopLoadDriver+0x43b (805a482c):
call to nt!IopPrepareDriverLoading (805a6b26)
nt!IopLoadDriver+0x480 (805a4868):
call to nt!ObCreateObject (80566566)
nt!IopLoadDriver+0x4c8 (805a48b4):
call to nt!RtlImageNtHeader (804f9e6d)
nt!IopLoadDriver+0x4fc (805a48e8):
call to nt!ObInsertObject (8056603a)
nt!IopLoadDriver+0x537 (805a4918):
call to nt!ObReferenceObjectByHandle (80565be8)
nt!IopLoadDriver+0x548 (805a4929):
call to nt!NtClose (805688cd)
nt!IopLoadDriver+0x564 (805a4945):
call to nt!ExAllocatePoolWithTag (8054c6c4)
nt!IopLoadDriver+0x5b2 (805a4993):
call to nt!ExAllocatePoolWithTag (8054c6c4)
nt!IopLoadDriver+0x5e9 (805a49b5):
call to nt!NtQueryObject (80580694)
nt!IopLoadDriver+0x61f (805a49d1):
call to nt!ExAllocatePoolWithTag (8054c6c4)
nt!IopLoadDriver+0x66a (805a4a1c):
unresolvable call: call dword ptr [edi+2Ch] <------------就是这个了!
nt!IopLoadDriver+0x6a7 (805a4a54):
call to nt!ExFreePoolWithTag (8054c587)
nt!IopLoadDriver+0x6b2 (805a4a63):
call to nt!IopIsLegacyDriver (805a6348)
nt!IopLoadDriver+0x6c3 (805a4a78):
call to nt!IopPnpDriverStarted (8050bf21)
nt!IopLoadDriver+0x701 (805a4a8e):
call to nt!IopBootLog (805a4b20)
nt!IopLoadDriver+0x709 (805a4a96):
call to nt!MmFreeDriverInitialization (805a75a2)
nt!IopLoadDriver+0x70f (805a4a9c):
call to nt!IopReadyDeviceObjects (805a6328)
nt!IopLoadDriver+0x259 (805a4aad):
call to nt!HeadlessKernelAddLogEntry (80507946)
nt!IopLoadDriver+0x26d (805a4ac1):
call to nt!ExFreePoolWithTag (8054c587)
nt!IopLoadDriver+0x281 (805a4ad5):
call to nt!ExFreePoolWithTag (8054c587)
nt!IopLoadDriver+0x28f (805a4ae3):
call to nt!ExFreePoolWithTag (8054c587)
nt!IopLoadDriver+0x29d (805a4af1):
call to nt!ExFreePoolWithTag (8054c587)
nt!IopLoadDriver+0x2fb (805a4b05):
call to nt!ObCloseHandle (8056cc0e)
nt!IopLoadDriver+0x308 (805a4b12):
call to nt!ObpTraceDepth+0x19 (804e5371)
nt!IopLoadDriver+0x6ed (805a7729):
call to nt!ObMakeTemporaryObject (805a08ca)
nt!IopLoadDriver+0x6f4 (805a7730):
call to nt!ObfDereferenceObject (804da050)
nt!IopLoadDriver+0x2bd (805abc0e):
call to nt!IopDriverLoadingFailed (805c1be5)
nt!IopLoadDriver+0x2d1 (805abc22):
call to nt!IopGetRegistryValue (8058e905)
nt!IopLoadDriver+0x2eb (805abc40):
call to nt!CmBootLastKnownGood (805c0199)
nt!IopLoadDriver+0x2f2 (805abc47):
call to nt!ExFreePoolWithTag (8054c587)
nt!IopLoadDriver+0x39c (805abc8e):
call to nt!ObOpenObjectByName (805693ef)
nt!IopLoadDriver+0x3ef (805abcc2):
call to nt!ObReferenceObjectByHandle (80565be8)
nt!IopLoadDriver+0x3fa (805abccd):
call to nt!NtClose (805688cd)
nt!IopLoadDriver+0x40e (805abcdd):
call to nt!IopResurrectDriver (8050812a)
nt!IopLoadDriver+0x41c (805abceb):
call to nt!ObfDereferenceObject (804da050)
nt!IopLoadDriver+0x50d (805abcf5):
call to nt!IopBootLog (805a4b20)
nt!IopLoadDriver+0x6db (805bf69b):
unresolvable call: call eax
nt!IopLoadDriver+0x6e2 (805bf6a2):
call to nt!IopBootLog (805a4b20)
nt!IopLoadDriver+0x145 (805e8b96):
call to nt!RtlInitUnicodeString (804da2a7)
nt!IopLoadDriver+0x16d (805e8bbe):
call to nt!NtQueryValueKey (8056b1f9)
nt!IopLoadDriver+0x197 (805e8be8):
call to nt!IopSafebootDriverLoad (806199e9)
nt!IopLoadDriver+0x1a4 (805e8bf9):
call to nt!IopSafebootDriverLoad (806199e9)
nt!IopLoadDriver+0x1b2 (805e8c0b):
call to nt!IopBootLog (805a4b20)
nt!IopLoadDriver+0x1c7 (805e8c20):
call to nt!DbgPrint (805000a9)
nt!IopLoadDriver+0x1d2 (805e8c2b):
call to nt!HeadlessKernelAddLogEntry (80507946)
nt!IopLoadDriver+0x243 (805e8c48):
call to nt!ExReleaseResourceLite (804dc650)
nt!IopLoadDriver+0x24e (805e8c53):
call to nt!IopBootLog (805a4b20)
nt!IopLoadDriver+0x3ad (805e8c65):
call to nt!IopBootLog (805a4b20)
nt!IopLoadDriver+0x44a (805e8c8b):
call to nt!MmUnloadSystemImage (805b7bea)
nt!IopLoadDriver+0x5c2 (805e8c9b):
call to nt!ObMakeTemporaryObject (805a08ca)
nt!IopLoadDriver+0x5c9 (805e8ca2):
call to nt!ObfDereferenceObject (804da050)
nt!IopLoadDriver+0x5f6 (805e8cb4):
call to nt!ObMakeTemporaryObject (805a08ca)
nt!IopLoadDriver+0x5fd (805e8cbb):
call to nt!ObfDereferenceObject (804da050)
nt!IopLoadDriver+0x609 (805e8cc7):
call to nt!ExFreePoolWithTag (8054c587)
从上面众多输出中找到了如下
nt!IopLoadDriver+0x66a (805a4a1c):
unresolvable call: call dword ptr [edi+2Ch]
这就是调用DriverEntry的地方。
8057777c ff572c call dword ptr [edi+2Ch]<----进入这个call里面就是DriverEntry
3.有符号文件的驱动中断DriverEntry方法:
- 加载驱动符号文件后使用命令:bp <驱动文件名>!DriverEntry
4.有源码情况下的方法:
- 在DriverEntry函数开始位置增加下面的代码.
#ifdef _DBG
__asm int 3
#endif