用Visual studio11在Windows8上開發驅動實現內存填0殺進程 · Visual Studio 11開發專欄

在Windows NT中，80386保護模式的“保護”比Windows 95中更堅固，這個“鍍金的籠子”更加結實，更加難以打破。在Windows 95中，至少應用程序I/O操作是不受限制的，而在Windows NT中，我們的應用程序連這點權限都被剝奪了。在NT中幾乎不太可能進入真正的ring0層。? 在Windows NT中，存在三種Device Driver： ? 1．“Virtual device Driver” (VDD)。通過VDD，16位應用程序，如DOS 和Win16應用程序可以訪問特定的I/O端口（注意，不是直接訪問，而是要通過VDD來實現訪問）。 ? 2．“GDI Driver”，提供顯示和打印所需的GDI函數。 ? 3．“Kernel Mode Driver”，實現對特定硬件的操作，比如說CreateFile, CloseHandle (對于文件對象而言), ReadFile, WriteFile, DeviceIoControl 等操作。“Kernel Mode Driver”還是Windows NT中唯一可以對硬件中斷和DMA進行操作的Driver。SCSI 小端口驅動和網卡NDIS 驅動都是Kernel Mode Driver的一種特殊形式。 Visual studio11與Windows8帶來格外不同的新體驗 ? 1.啟動Vs11 ![](https://box.kancloud.cn/2016-04-01_56fdf153bac99.png) 2.看見滿目的驅動開發模板 ![](https://box.kancloud.cn/2016-04-01_56fdf151a72a9.png) 3.選擇一個驅動模式，有內核模式與用戶模式兩種的驅動 ![](https://box.kancloud.cn/2016-04-01_56fdf151e0f15.png) ? 4.創建一個驅動程序，KMDF DriverMVP ![](https://box.kancloud.cn/2016-04-01_56fdf152053f8.png) ? 5.我們選擇的是內核模式的驅動程序，下面是創建成功后的界面，分別是驅動程序本身，與驅動安裝包 ![](https://box.kancloud.cn/2016-04-01_56fdf15221ca7.png) 6.按下F5，選擇驅動編譯， ? ![](https://box.kancloud.cn/2016-04-01_56fdf15236a2b.png) 插入下列代碼實現內存填0殺進程，請見代碼分析 ~~~ void WPOFF() { __asm { //去掉內存保護 cli mov eax,cr0 and eax,not 10000h mov cr0,eax } } void WPON() { __asm { //恢復內存保護 mov eax,cr0 or eax,10000h mov cr0,eax sti } } ////////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////// #ifdef __cplusplus } #endif #endif NTKERNELAPI BOOLEAN KeInsertQueueApc ( PRKAPC Apc, PVOID SystemArgument1, PVOID SystemArgument2, KPRIORITY Increment ); BOOLEAN fake_KeInsertQueueApc(IN PKAPC Apc, IN PVOID SystemArgument1, IN PVOID SystemArgument2, IN KPRIORITY PriorityBoost); BOOLEAN Proxy_KeInsertQueueApc(IN PKAPC Apc, IN PVOID SystemArgument1, IN PVOID SystemArgument2, IN KPRIORITY PriorityBoost); ULONG g_uCr0; void WPOFF() { ULONG uAttr; _asm { push eax; mov eax, cr0; mov uAttr, eax; and eax, 0FFFEFFFFh; // CR0 16 BIT = 0 mov cr0, eax; pop eax; cli }; g_uCr0 = uAttr; //保存原有的 CRO 屬性 } VOID WPON() { _asm { sti push eax; mov eax, g_uCr0; //恢復原有 CR0 屬性 mov cr0, eax; pop eax; }; } #include <ntddk.h> #include"ntifs.h" typedef unsigned long DWORD; PHYSICAL_ADDRESS g_PhysicalPage; void WPOFF() { __asm { //去掉內存保護 cli mov eax,cr0 and eax,not 10000h mov cr0,eax } } void WPON() { __asm { //恢復內存保護 mov eax,cr0 or eax,10000h mov cr0,eax sti } } VOID DestroyProcess(DWORD eproc) { DWORD VirtualAddr; PHYSICAL_ADDRESS physical_addr; DWORD AddrTmp; PVOID ProcessHandle; KeAttachProcess( (PEPROCESS)eproc ); for ( VirtualAddr = 0x1000; VirtualAddr < *(DWORD*)MmSystemRangeStart; VirtualAddr+=0x1000) { // 跳過不再內存里的 physical_addr = MmGetPhysicalAddress( (PVOID)VirtualAddr); if ( physical_addr.HighPart > g_PhysicalPage.HighPart ) continue; if ( physical_addr.HighPart == g_PhysicalPage.HighPart && physical_addr.LowPart >= g_PhysicalPage.LowPart ) continue; if ( (physical_addr.HighPart | physical_addr.LowPart) == 0 ) continue; AddrTmp = (DWORD)MmGetVirtualForPhysical( physical_addr); if ( AddrTmp != VirtualAddr) continue; WPOFF(); RtlZeroMemory( (PVOID)VirtualAddr, 0x1000); WPON(); } KeDetachProcess(); if ( ObOpenObjectByPointer( (PVOID)eproc, 0, NULL, 0, NULL, KernelMode, &ProcessHandle) != STATUS_SUCCESS) return; ZwTerminateProcess( (HANDLE)ProcessHandle, STATUS_SUCCESS); ZwClose( (HANDLE)ProcessHandle ); return; } VOID OnUnload( IN PDRIVER_OBJECT DriverObject ) { DbgPrint("My Driver UnLoad!"); } //================================================================================================ NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath ) { SYSTEM_BASIC_INFORMATION BasicInfo; ULONG ReturnedLength; PEPROCESS eproc; DbgPrint("My Driver Loaded!"); theDriverObject->DriverUnload = OnUnload; ZwQuerySystemInformation( SystemBasicInformation, &BasicInfo, sizeof(SYSTEM_BASIC_INFORMATION), &ReturnedLength); __asm mov eax,BasicInfo.PhysicalPageSize; __asm mul BasicInfo.NumberOfPhysicalPages; __asm mov g_PhysicalPage.HighPart, edx; __asm mov g_PhysicalPage.LowPart, eax; PsLookupProcessByProcessId((PVOID)1068,&eproc); DestroyProcess((DWORD)eproc); return STATUS_SUCCESS; } //================================================================================================ #include "pe.h" #ifndef GLOBAL_NATIVE_API_DEF_SUDAMI #define GLOBAL_NATIVE_API_DEF_SUDAMI #ifdef __cplusplus extern "C" { #endif //////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////// typedef long NTSTATUS, *PNTSTATUS; typedef unsigned long DWORD; typedef DWORD * PDWORD; typedef unsigned long ULONG; typedef unsigned long ULONG_PTR; typedef ULONG *PULONG; typedef unsigned short WORD; typedef unsigned char BYTE; typedef unsigned char UCHAR; typedef unsigned short USHORT; typedef void *PVOID; typedef int BOOL; typedef BYTE BOOLEAN; typedef CCHAR KPROCESSOR_MODE; #ifndef LOWORD #define LOWORD(l) ((unsigned short)(unsigned int)(l)) #endif #ifndef HIWORD #define HIWORD(l) ((unsigned short)((((unsigned int)(l)) >> 16) & 0xFFFF)) #endif // 定義ioctl相關的，用于R3和R0間的通信 #ifndef MAKELONG #define MAKELONG(a, b) ((LONG) (((WORD) (a)) | ((DWORD) ((WORD) (b))) << 16)) #endif #define MY_DEVICE_TYPE 0x0000AA71 // 這地方可以自己改 #define DRIVER_IO(code) CTL_CODE (MY_DEVICE_TYPE, code, METHOD_BUFFERED, FILE_ANY_ACCESS) typedef LARGE_INTEGER PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS; /********************************************************** #define NT_DEVICE_NAME L"\\Device\\sKillTimeProtected" #define DOS_DEVICE_NAME L"\\DosDevices\\sKillTimeProtected" // -- #ifndef ANSI_STRING typedef struct _STRING { USHORT Length; USHORT MaximumLength; PCHAR Buffer; } ANSI_STRING, *PANSI_STRING; #endif #ifndef UNICODE_STRING typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } UNICODE_STRING, *PUNICODE_STRING; #endif /* SSDT */ #pragma pack(1) typedef struct ServiceDescriptorEntry { unsigned int *ServiceTableBase; unsigned int *ServiceCounterTableBase; unsigned int NumberOfServices; unsigned char *ParamTableBase; } ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t; typedef struct ServiceDescriptorShadowEntry { unsigned int *Win32kTableBase; unsigned int *Win32kCounterTableBase; unsigned int NumberofWin32kServices; unsigned char *Win32kParamTableBase; } ServiceDescriptorTableShadowEntry_t, *PServiceDescriptorTableShadowEntry_t; #pragma pack() __declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable; PServiceDescriptorTableShadowEntry_t KeServiceDescriptorTableShadow; struct _SYSTEM_THREADS { LARGE_INTEGER KernelTime; LARGE_INTEGER UserTime; LARGE_INTEGER CreateTime; ULONG WaitTime; PVOID StartAddress; CLIENT_ID ClientIs; KPRIORITY Priority; KPRIORITY BasePriority; ULONG ContextSwitchCount; ULONG ThreadState; KWAIT_REASON WaitReason; }; struct _SYSTEM_PROCESSES { ULONG NextEntryDelta; ULONG ThreadCount; ULONG Reserved[6]; LARGE_INTEGER CreateTime; LARGE_INTEGER UserTime; LARGE_INTEGER KernelTime; UNICODE_STRING ProcessName; KPRIORITY BasePriority; ULONG ProcessId; ULONG InheritedFromProcessId; ULONG HandleCount; ULONG Reserved2[2]; VM_COUNTERS VmCounters; IO_COUNTERS IoCounters; //windows 2000 only struct _SYSTEM_THREADS Threads[1]; }; // PROCESS_BASIC_INFORMATION #ifdef PROCESS_BASIC_INFORMATION #undef PROCESS_BASIC_INFORMATION typedef struct _PROCESS_BASIC_INFORMATION { NTSTATUS ExitStatus; ULONG PebBaseAddress; ULONG_PTR AffinityMask; LONG BasePriority; ULONG_PTR UniqueProcessId; ULONG_PTR InheritedFromUniqueProcessId; } PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION; #endif // SYSTEM_HANDLE_INFORMATION typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO { USHORT UniqueProcessId; USHORT CreatorBackTraceIndex; UCHAR ObjectTypeIndex; UCHAR HandleAttributes; USHORT HandleValue; // 句柄 PVOID Object; // 若HANDLE類型為線程,則它是ETHREAD結構 ULONG GrantedAccess; } SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO; typedef struct _SYSTEM_HANDLE_INFORMATION { ULONG NumberOfHandles; SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1]; } SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; // SYSTEM_MODULE_INFORMATION typedef struct _SYSTEM_MODULE_INFORMATION { ULONG Reserved[2]; PVOID Base; ULONG Size; ULONG Flags; USHORT Index; USHORT Unknown; USHORT LoadCount; USHORT ModuleNameOffset; CHAR ImageName[256]; } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; typedef struct { ULONG dwNumberOfModules; SYSTEM_MODULE_INFORMATION smi; } MODULES, *PMODULES; // SYSTEM_BASIC_INFORMATION typedef struct _SYSTEM_BASIC_INFORMATION { ULONG Unknown; //Always contains zero ULONG MaximumIncrement; //一個時鐘的計量單位 ULONG PhysicalPageSize; //一個內存頁的大小 ULONG NumberOfPhysicalPages; //系統管理著多少個頁 ULONG LowestPhysicalPage; //低端內存頁 ULONG HighestPhysicalPage; //高端內存頁 ULONG AllocationGranularity; ULONG LowestUserAddress; //地端用戶地址 ULONG HighestUserAddress; //高端用戶地址 ULONG ActiveProcessors; //激活的處理器 UCHAR NumberProcessors; //有多少個處理器 } SYSTEM_BASIC_INFORMATION, *PSYSTEM_BASIC_INFORMATION; // SYSTEM_INFORMATION_CLASS typedef enum _SYSTEM_INFORMATION_CLASS { SystemBasicInformation, SystemProcessorInformation, SystemPerformanceInformation, SystemTimeOfDayInformation, SystemPathInformation, SystemProcessInformation, SystemCallCountInformation, SystemDeviceInformation, SystemProcessorPerformanceInformation, SystemFlagsInformation, SystemCallTimeInformation, SystemModuleInformation, // 11 SystemLocksInformation, SystemStackTraceInformation, SystemPagedPoolInformation, SystemNonPagedPoolInformation, SystemHandleInformation, // 0x10 -- 16 SystemObjectInformation, SystemPageFileInformation, SystemVdmInstemulInformation, SystemVdmBopInformation, SystemFileCacheInformation, SystemPoolTagInformation, SystemInterruptInformation, SystemDpcBehaviorInformation, SystemFullMemoryInformation, SystemLoadGdiDriverInformation, SystemUnloadGdiDriverInformation, SystemTimeAdjustmentInformation, SystemSummaryMemoryInformation, SystemUnused1, SystemPerformanceTraceInformation, SystemCrashDumpInformation, SystemExceptionInformation, SystemCrashDumpStateInformation, SystemKernelDebuggerInformation, SystemContextSwitchInformation, SystemRegistryQuotaInformation, SystemExtendServiceTableInformation, SystemPrioritySeperation, SystemUnused3, SystemUnused4, SystemUnused5, SystemUnused6, SystemCurrentTimeZoneInformation, SystemLookasideInformation, SystemTimeSlipNotification, SystemSessionCreate, SystemSessionDetach, SystemSessionInformation } SYSTEM_INFORMATION_CLASS; #ifndef SECTION_INHERIT typedef enum _SECTION_INHERIT { ViewShare = 1, ViewUnmap = 2 } SECTION_INHERIT; #endif #ifndef LUID typedef struct _LUID { DWORD LowPart; LONG HighPart; } LUID, *PLUID; #endif #ifndef LARGE_INTEGER typedef union _LARGE_INTEGER { struct { ULONG LowPart; LONG HighPart; }; struct { ULONG LowPart; LONG HighPart; } u; LONGLONG QuadPart; } LARGE_INTEGER, *PLARGE_INTEGER; #endif #ifndef TIME_FIELDS typedef struct _TIME_FIELDS { USHORT Year; USHORT Month; USHORT Day; USHORT Hour; USHORT Minute; USHORT Second; USHORT Milliseconds; USHORT Weekday; } TIME_FIELDS, *PTIME_FIELDS; #endif NTSTATUS NTAPI ZwQuerySystemInformation( DWORD SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength ); NTSYSAPI NTSTATUS NTAPI NtOpenFile( OUT PHANDLE FileHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, IN ULONG ShareAccess, IN ULONG OpenOptions ); NTSYSAPI VOID NTAPI RtlInitUnicodeString( PUNICODE_STRING DestinationString, PCWSTR SourceString ); NTSYSAPI NTSTATUS NTAPI ZwOpenSection( OUT PHANDLE SectionHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES objectAttributes ); NTSYSAPI NTSTATUS NTAPI ZwMapViewOfSection( IN HANDLE SectionHandle, IN HANDLE ProcessHandle, IN OUT PVOID *BaseAddress, IN ULONG ZeroBits, IN ULONG CommitSize, IN OUT PLARGE_INTEGER SectionOffset OPTIONAL, IN OUT PULONG ViewSize, IN SECTION_INHERIT InheritDisposition, IN ULONG AllocationType, IN ULONG Protect ); NTSYSAPI NTSTATUS NTAPI NtCreateSection( PHANDLE SectionHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PLARGE_INTEGER MaximumSize OPTIONAL, ULONG SectionPageProtection, ULONG AllocationAttributes, HANDLE FileHandle ); NTSYSAPI NTSTATUS NTAPI ZwUnmapViewOfSection( IN HANDLE ProcessHandle, IN PVOID BaseAddress ); NTSYSAPI NTSTATUS NTAPI NtReadFile( IN HANDLE FileHandle, IN HANDLE Event OPTIONAL, IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL, OUT PIO_STATUS_BLOCK IoStatusBlock, OUT PVOID Buffer, IN ULONG Length, IN PLARGE_INTEGER ByteOffset OPTIONAL, IN PULONG Key OPTIONAL ); NTSYSAPI VOID NTAPI RtlTimeToTimeFields( IN PLARGE_INTEGER Time, OUT PTIME_FIELDS TimeFields ); NTSYSAPI BOOLEAN NTAPI RtlTimeFieldsToTime( IN PTIME_FIELDS TimeFields, OUT PLARGE_INTEGER Time ); /* VOID NTAPI KeSetSystemTime( IN PLARGE_INTEGER NewTime, OUT PLARGE_INTEGER OldTime, IN BOOLEAN FixInterruptTime, IN PLARGE_INTEGER HalTime OPTIONAL ); */ NTSTATUS NTAPI NtQuerySystemTime ( OUT PLARGE_INTEGER SystemTime ); // 寫保護的開&關 void WPOFF() { __asm { //去掉內存保護 cli mov eax,cr0 and eax,not 10000h mov cr0,eax } } void WPON() { __asm { //恢復內存保護 mov eax,cr0 or eax,10000h mov cr0,eax sti } } ////////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////// #ifdef __cplusplus } #endif #endif ~~~