# Source code of a commercially sold driver (incomplete), now open-sourced
1. Driver read/write: uses MmCopyVirtualMemory for the read and write operations
2. Injection: uses a driver callback and PTE manipulation of memory (hidden)
3. Process callback protection
4. Retrieving process modules
5. Driver-level mouse/keyboard simulation: uses the regular kbdclass/mouclass drivers for the simulation
6. Handle privilege elevation
7. Window anti-screenshot
Uses a registry hook trampoline for communication