C++服务加载rootkit驱动

如何加载rootkit驱动，可以使用OSRLOADER.exe，也可以自己写个C++的程序来加载，代码如下：

#include <string.h>
#include <stdio.h>
#include <Windows.h>
#include <tchar.h>

TCHAR g_szServiceName[100];

BOOL GetSysDriverName(const TCHAR *lpszSysDriverPath)
{
	if (!lpszSysDriverPath) {
		return FALSE;
	}
	g_szServiceName[0]=0;
	int len = wcslen(lpszSysDriverPath);
	int i=0;
	int j=0;
	int dotPos = 0;
	int backslashPos = -1;
	for (i=len-1;i>=0;i--) {
		if (lpszSysDriverPath[i] == '.') {
			dotPos = i;
		} else if (lpszSysDriverPath[i] == '\\') {
			backslashPos = i;
			break;
		}
	}
	int nameLen = dotPos - backslashPos;
	for (i=0, j=backslashPos + 1; j < dotPos; i++, j++) {
		g_szServiceName[i] = lpszSysDriverPath[j];
	}
	g_szServiceName[dotPos] = 0;
	return TRUE;
}

BOOL InstallService(TCHAR *lpszSysDriverPath) {
	SC_HANDLE hSCManager;
	SC_HANDLE hSCService;
	hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
	if (hSCManager == NULL) {
		return FALSE;
	}
	GetSysDriverName(lpszSysDriverPath);

	hSCService = CreateService(hSCManager,
		g_szServiceName,
		g_szServiceName, 
		SC_MANAGER_ALL_ACCESS, 
		SERVICE_KERNEL_DRIVER,
		SERVICE_AUTO_START, 
		SERVICE_ERROR_NORMAL,
		lpszSysDriverPath,
		NULL,
		NULL,
		NULL,
		NULL,
		NULL);
	if (hSCManager == NULL) {
		return FALSE;
	}

	StartService(hSCService, NULL, NULL);
	printf("Install Service Success!\n");

	CloseServiceHandle(hSCService);
	CloseServiceHandle(hSCManager);
	
	return TRUE;
}

BOOL UninstallService(TCHAR *lpszSysDriverName) {
	SC_HANDLE hSCManager;
	SC_HANDLE hSCService;
	SERVICE_STATUS curStatus;
	SERVICE_STATUS ctrlstatus;

	hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
	if (hSCManager == NULL) {
		return FALSE;
	}
	hSCService = OpenService(hSCManager, lpszSysDriverName, SERVICE_ALL_ACCESS);
	if (hSCService == NULL) {
		return FALSE;
	}
	if (!QueryServiceStatus(hSCService, &curStatus)) {
		return FALSE;
	}

	if (curStatus.dwCurrentState != SERVICE_STOPPED) {
		if (!ControlService(hSCService, SERVICE_CONTROL_STOP, &ctrlstatus)) {
			printf("Stop Service failed:%d!\n", GetLastError());
			return FALSE;
		}
	}

	if (DeleteService(hSCService)) {
		printf("Uninstall Service Success!\n");
	} else {
		printf("Uninstall Service failed:%d!\n", GetLastError());
	}

	CloseServiceHandle(hSCService);
	CloseServiceHandle(hSCManager);

	return TRUE;
}

int _tmain(int argc, TCHAR **argv) {
	if (argc != 3) {
		wprintf(L"Usage: %s install sysFilepath\n", argv[0]);
		wprintf(L"Usage: %s uninstall sys driver name\n", argv[0]);
		return 0;
	}
	if (wcscmp(argv[1], L"install") == 0) {
		InstallService(argv[2]);
	} else if (wcscmp(argv[1], L"uninstall") == 0) {
		UninstallService(argv[2]);
	}

	return 0;
}

这是我第一次使用_tmain函数，因为要用到TCHAR的命令行参数，如果用main函数，取得的TCHAR类型的参数是乱码。如果要用_tmain函数，必须包含tchar.h。

如果开发机上安装了360，是会发出警报的。