 
使用ZwLoadDriver加载驱动
2007-08-17 02:30

#include <windows.h>
#include <stdio.h>

/*
 * Counted-string descriptor handed to the ntdll routines resolved in main().
 * It is declared locally with an untyped Buffer, and LoadDriver() uses the
 * same layout for both the ANSI source string and the Unicode result of
 * RtlAnsiStringToUnicodeString.
 */
typedef struct _LSA_UNICODE_STRING {
     USHORT Length;          /* bytes in use; LoadDriver() stores the sprintf() length here */
     USHORT MaximumLength;   /* capacity of Buffer in bytes -- NOTE(review): never set for the ANSI source in LoadDriver() */
     PVOID Buffer;           /* character data; ANSI or UTF-16 depending on use */
} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING;

/* Alias so the struct can also be referred to by the native-API name. */
typedef LSA_UNICODE_STRING UNICODE_STRING, *PUNICODE_STRING;

// Declare the functions used from ntdll.
// Each global below is a function pointer that main() fills in with
// GetProcAddress(); until then it is NULL, so nothing may call through it
// before main() has resolved it. Parameters are typed loosely as PVOID and
// the return type as DWORD -- presumably this carries the NTSTATUS result;
// confirm against the native prototypes.
typedef DWORD (CALLBACK* RTLANSISTRINGTOUNICODESTRING)(PVOID, PVOID,DWORD);
RTLANSISTRINGTOUNICODESTRING RtlAnsiStringToUnicodeString;   // (destination, source, allocate-destination flag)
typedef DWORD (CALLBACK* RTLFREEUNICODESTRING)(PVOID);
RTLFREEUNICODESTRING RtlFreeUnicodeString;                   // releases the buffer allocated by the conversion
typedef DWORD (CALLBACK* ZWLOADDRIVER)(PVOID);
ZWLOADDRIVER ZwLoadDriver;                                   // takes the counted string holding the service registry path

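/*
 * Temporarily register a kernel-driver service entry for szDrvName, ask the
 * kernel to load the image at szDrvPath through ntdll's ZwLoadDriver, and
 * remove the service entry again.
 *
 * szDrvName  Service key name. It is spliced into registry paths that are
 *            later passed to RegDeleteKey, so an empty name or one that
 *            contains a path separator is rejected.
 * szDrvPath  Path to the driver image; resolved with GetFullPathName and
 *            stored as ImagePath with a "\??\" prefix.
 *
 * Returns true only when ZwLoadDriver reports success, false on any failure
 * (the original listing returned true even when the load failed).
 *
 * The three ntdll function pointers must already be resolved; the function
 * returns false instead of calling through a NULL pointer.
 *
 * Review notes:
 *  - Every path is built with a bounded snprintf and checked for truncation.
 *    The original sprintf calls could overrun the 200-byte buffer, because
 *    the resolved image path alone may be up to 255 characters.
 *  - Writing under HKLM\System\CurrentControlSet\Services normally needs
 *    administrative rights, and the native load call is expected to require
 *    SeLoadDriverPrivilege in the caller's token; nothing here enables it.
 *  - The service key is deleted as soon as the load attempt returns, so the
 *    registry is not a durable record of what was loaded. Auditing should
 *    rely on driver/image-load telemetry rather than on the Services key.
 */
int LoadDriver(char * szDrvName, char * szDrvPath)
{
    static const char szServices[] = "System\\CurrentControlSet\\Services\\";
    char szSubKey[256];              /* Win32 path of the service key */
    char szChildKey[300];            /* service key + "\Enum" / "\Security" */
    char szNativeKey[300];           /* "\Registry\Machine\..." form for the native call */
    char szDrvFullPath[256];
    char szImagePath[4 + 256];       /* "\??\" + full path + NUL */
    LSA_UNICODE_STRING usRegPath;    /* allocated by RtlAnsiStringToUnicodeString */
    LSA_UNICODE_STRING asRegPath;    /* same layout, used as the ANSI source */
    HKEY hkResult;
    DWORD dwOne = 1;                 /* written to Type, ErrorControl and Start */
    DWORD dwOK;
    DWORD dwPathLen;
    int iKeyLen, iNativeLen, iImageLen;
    int iResult = false;
    const char *p;

    if (szDrvName == NULL || szDrvPath == NULL || szDrvName[0] == '\0')
        return false;

    /* The name becomes part of keys that are deleted below; keep it to a
       single path component so it cannot address any other key. */
    for (p = szDrvName; *p != '\0'; p++)
    {
        if (*p == '\\' || *p == '/')
            return false;
    }

    if (!RtlAnsiStringToUnicodeString || !RtlFreeUnicodeString || !ZwLoadDriver)
        return false;

    /* Build and validate every string before touching the registry, so a
       bad argument leaves nothing behind. */
    iKeyLen = snprintf(szSubKey, sizeof szSubKey, "%s%s", szServices, szDrvName);
    if (iKeyLen < 0 || (size_t)iKeyLen >= sizeof szSubKey)
        return false;

    iNativeLen = snprintf(szNativeKey, sizeof szNativeKey,
                          "\\Registry\\Machine\\%s%s", szServices, szDrvName);
    if (iNativeLen < 0 || (size_t)iNativeLen >= sizeof szNativeKey)
        return false;

    /* GetFullPathName returns 0 on failure and the required size when the
       buffer is too small. */
    dwPathLen = GetFullPathName(szDrvPath, sizeof szDrvFullPath, szDrvFullPath, NULL);
    if (dwPathLen == 0 || dwPathLen >= sizeof szDrvFullPath)
        return false;
    printf("Loading driver: %s\r\n", szDrvFullPath);

    iImageLen = snprintf(szImagePath, sizeof szImagePath, "\\??\\%s", szDrvFullPath);
    if (iImageLen < 0 || (size_t)iImageLen >= sizeof szImagePath)
        return false;

    /* Create the service entry in the registry. */
    dwOK = RegCreateKey(HKEY_LOCAL_MACHINE, szSubKey, &hkResult);
    if (dwOK != ERROR_SUCCESS)
        return false;

    /* Value 1 means kernel driver for Type, normal for ErrorControl and
       system start for Start, exactly as the original listing wrote them. */
    dwOK = RegSetValueEx(hkResult, "Type", 0, REG_DWORD,
                         (const BYTE *)&dwOne, sizeof dwOne);
    if (dwOK == ERROR_SUCCESS)
        dwOK = RegSetValueEx(hkResult, "ErrorControl", 0, REG_DWORD,
                             (const BYTE *)&dwOne, sizeof dwOne);
    if (dwOK == ERROR_SUCCESS)
        dwOK = RegSetValueEx(hkResult, "Start", 0, REG_DWORD,
                             (const BYTE *)&dwOne, sizeof dwOne);
    /* REG_SZ data must include the terminating NUL in its byte count. */
    if (dwOK == ERROR_SUCCESS)
        dwOK = RegSetValueEx(hkResult, "ImagePath", 0, REG_SZ,
                             (const BYTE *)szImagePath, (DWORD)iImageLen + 1);
    RegCloseKey(hkResult);

    if (dwOK == ERROR_SUCCESS)
    {
        asRegPath.Buffer = (PVOID)szNativeKey;
        asRegPath.Length = (USHORT)iNativeLen;
        asRegPath.MaximumLength = (USHORT)(iNativeLen + 1);

        /* A negative value, read as a signed status, is a failure. */
        dwOK = RtlAnsiStringToUnicodeString(&usRegPath, &asRegPath, 1);
        if ((LONG)dwOK >= 0)
        {
            /* Load the driver. */
            dwOK = ZwLoadDriver(&usRegPath);
            RtlFreeUnicodeString(&usRegPath);
            if ((LONG)dwOK >= 0)
                iResult = true;
            else
                printf("ZwLoadDriver failed: 0x%08lX\r\n", (unsigned long)dwOK);
        }
    }

    /* Remove the registry entries, children first, whether or not the load
       succeeded, so a failed attempt does not leave a system-start entry. */
    iKeyLen = snprintf(szChildKey, sizeof szChildKey, "%s\\Enum", szSubKey);
    if (iKeyLen > 0 && (size_t)iKeyLen < sizeof szChildKey)
        RegDeleteKey(HKEY_LOCAL_MACHINE, szChildKey);
    iKeyLen = snprintf(szChildKey, sizeof szChildKey, "%s\\Security", szSubKey);
    if (iKeyLen > 0 && (size_t)iKeyLen < sizeof szChildKey)
        RegDeleteKey(HKEY_LOCAL_MACHINE, szChildKey);
    RegDeleteKey(HKEY_LOCAL_MACHINE, szSubKey);

    return iResult;
}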

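/*
 * Entry point: print the banner, resolve the three ntdll exports this file
 * calls, then pass the two command-line arguments to LoadDriver().
 *
 * argv[1] is used as the service key name and argv[2] as the driver image
 * path, although the usage text labels argv[1] "DriverFilename".
 *
 * Returns -1 on a usage error, false (0) on failure and true (1) on success.
 * NOTE(review): this is the reverse of the usual exit-code convention, where
 * 0 means success. It is kept unchanged for existing callers.
 */
int main(int argc, char *argv[])
{
    HMODULE hNtdll;

    printf("Load driver with ZwLoadDriver( )\r\n");
    printf("Date: 8th May 2007\r\n");
    printf("Modifed by: GaRY <wofeiwo_at_gmail_dot_com>\r\n\r\n");
    if (argc != 3)
    {
        printf("Usage: %s <DriverFilename> <DriverPath>\r\n", argv[0]);
        return -1;   /* same effect as exit(-1) from main, without needing <stdlib.h> */
    }

    hNtdll = LoadLibrary("ntdll.dll");
    if (!hNtdll)
    {
        /* GetLastError() returns a DWORD; print it as unsigned long. */
        printf("LoadLibrary( NTDLL.DLL ) Error:%lu\n", (unsigned long)GetLastError());
        return false;
    }

    /* Resolve the functions from ntdll.dll. */
    RtlAnsiStringToUnicodeString = (RTLANSISTRINGTOUNICODESTRING)
        GetProcAddress(hNtdll, "RtlAnsiStringToUnicodeString");
    RtlFreeUnicodeString = (RTLFREEUNICODESTRING)
        GetProcAddress(hNtdll, "RtlFreeUnicodeString");
    ZwLoadDriver = (ZWLOADDRIVER)
        GetProcAddress(hNtdll, "ZwLoadDriver");

    /* A missing export would otherwise be called through a NULL pointer. */
    if (!RtlAnsiStringToUnicodeString || !RtlFreeUnicodeString || !ZwLoadDriver)
    {
        printf("GetProcAddress( NTDLL.DLL ) Error:%lu\n", (unsigned long)GetLastError());
        return false;
    }

    /* Register and load the driver. */
    if (LoadDriver(argv[1], argv[2]) == false)
        return false;
    return true;
}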


 