|
阅读:3509回复:22
请教RING0下读写IO的问题。
我正在写一个可在WINDOWS 98/ME/2K/XP中的小工具,其中有读写IO的操作,有WINIO的方式已经实现,不知WINIO有没有版权的相关制约?后来改用NTRING0的CODE,但发现极不稳定,在测试过程中两台配置不一样的机器会有不一样的结果,在同一台机器中第一次运行结果正确,第二次运行结果就可能不正确。请高手们指导指导,实在想不通了。
|
|
|
沙发#
发布于:2005-01-06 08:54
;;; ring3 --> ring0 switch C code
;;; From zzzEVAzzz idea #include <Windows.h> #include <Ntsecapi.h> #include <Aclapi.h> #pragma comment (lib,"ntdll.lib") // Copy From DDK #pragma comment (lib,"Kernel32.lib") #pragma comment (lib,"Advapi32.lib") //------------------ Data struct define --------------------// typedef struct _SYSTEM_MODULE_INFORMATION { ULONG Reserved[2]; PVOID Base; ULONG Size; ULONG Flags; USHORT Index; USHORT Unknown; USHORT LoadCount; USHORT ModuleNameOffset; CHAR ImageName[256]; } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; typedef struct _OBJECT_ATTRIBUTES { ULONG Length; HANDLE RootDirectory; PUNICODE_STRING ObjectName; ULONG Attributes; PVOID SecurityDescriptor; PVOID SecurityQualityOfService; } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; typedef enum _SECTION_INHERIT { ViewShare = 1, ViewUnmap = 2 } SECTION_INHERIT; typedef struct _MY_PROCESS_INFO { ULONG PID; ULONG KPEB; ULONG CR3; CHAR Name[16]; ULONG Reserved; } MY_PROCESS_INFO, *PMY_PROCESS_INFO; typedef long NTSTATUS; //------------------ data struct end --------------------// //--------------------- Predefine -----------------------// #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0) #define STATUS_SUCCESS 0x00000000 #define STATUS_UNSUCCESSFUL 0xC0000001 #define STATUS_NOT_IMPLEMENTED 0xC0000002 #define STATUS_INFO_LENGTH_MISMATCH 0xC0000004 #define STATUS_INVALID_PARAMETER 0xC000000D #define STATUS_ACCESS_DENIED 0xC0000022 #define STATUS_BUFFER_TOO_SMALL 0xC0000023 #define OBJ_KERNEL_HANDLE 0x00000200 #define SystemModuleInformation 11 #define InitializeObjectAttributes( p, n, a, r, s ) { \ (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \ (p)->RootDirectory = r; \ (p)->Attributes = a; \ (p)->ObjectName = n; \ (p)->SecurityDescriptor = s; \ (p)->SecurityQualityOfService = NULL; \ } //--------------------- -----------------------// //------------------ Native API decalre ------------------// NTSYSAPI VOID NTAPI RtlInitUnicodeString( PUNICODE_STRING DestinationString, PCWSTR SourceString ); NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation( ULONG SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength ); NTSYSAPI NTSTATUS NTAPI ZwOpenSection( OUT PHANDLE SectionHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes ); NTSYSAPI NTSTATUS NTAPI ZwMapViewOfSection( IN HANDLE SectionHandle, IN HANDLE ProcessHandle, IN OUT PVOID *BaseAddress, IN ULONG ZeroBits, IN ULONG CommitSize, IN OUT PLARGE_INTEGER SectionOffset OPTIONAL, IN OUT PULONG ViewSize, IN SECTION_INHERIT InheritDisposition, IN ULONG AllocationType, IN ULONG Protect ); NTSYSAPI NTSTATUS NTAPI ZwUnmapViewOfSection( IN HANDLE ProcessHandle, IN PVOID BaseAddress ); NTSYSAPI NTSTATUS NTAPI ZwClose( IN HANDLE Handle ); NTSYSAPI NTSTATUS NTAPI NtVdmControl( IN ULONG ControlCode, IN PVOID ControlData ); //------------------ ------ ------------------// //------------------ Global variable --------------------// NTSTATUS (NTAPI *pfnNtVdmControl)( IN ULONG ControlCode, IN PVOID ControlData ); BOOLEAN (NTAPI *pfnPsGetVersion)( PULONG MajorVersion OPTIONAL, PULONG MinorVersion OPTIONAL, PULONG BuildNumber OPTIONAL, PUNICODE_STRING CSDVersion OPTIONAL ); HANDLE (NTAPI *pfnPsGetCurrentProcessId)( ); PVOID (NTAPI *pfnMemcpy)( IN VOID UNALIGNED *Destination, IN CONST VOID UNALIGNED *Source, IN SIZE_T Length ); ULONG (_cdecl *pfnDbgPrint)( IN PCHAR Format, ... ); ULONG *pPsInitialSystemProcess; //------------------------------------------------// // Get the base of special module PVOID GetModuleBase(PCSTR name) { NTSTATUS status; PVOID pBuffer, pModule; ULONG nRetSize, i, n; PSYSTEM_MODULE_INFORMATION pmi; pBuffer = LocalAlloc(LPTR, 0x1000); if (NULL == pBuffer) { printf("LocalAlloc[0] Failed: %d\n", GetLastError()); return NULL; } status = ZwQuerySystemInformation(SystemModuleInformation, pBuffer, 0x1000, &nRetSize); if (STATUS_INFO_LENGTH_MISMATCH == status) { //little buffer,reclloate again LocalFree(pBuffer); pBuffer = LocalAlloc(LPTR, nRetSize); if (NULL == pBuffer) { printf("LocalAlloc[1] Failed: %d\n", GetLastError()); return NULL; } status = ZwQuerySystemInformation(SystemModuleInformation, pBuffer, nRetSize, &nRetSize); } if (!NT_SUCCESS(status)) { printf("ZwQuerySystemInformation Failed: %d\n", LsaNtStatusToWinError(status)); LocalFree(pBuffer); return NULL; } pmi = (PSYSTEM_MODULE_INFORMATION)((ULONG)pBuffer + 4); n = *(ULONG*)pBuffer; pModule = NULL; // search special module,get it's base address for (i=0; i<n; i++) { if (!_stricmp(pmi->ImageName+pmi->ModuleNameOffset, name)) { pModule = pmi->Base; break; } pmi++; } LocalFree(pBuffer); return pModule; } // get the read write handle of \Device\PhysicalMemory HANDLE OpenPhysicalMemory() { DWORD dwRet; NTSTATUS status; UNICODE_STRING name; OBJECT_ATTRIBUTES oa; EXPLICIT_ACCESS ea; PSECURITY_DESCRIPTOR pSD; PACL pDacl = NULL; PACL pNewDacl = NULL; HANDLE hSection = NULL; HANDLE hSectionRet = NULL; RtlInitUnicodeString(&name, L"\\Device\\PhysicalMemory"); InitializeObjectAttributes(&oa, &name, OBJ_KERNEL_HANDLE, NULL, NULL); // ÒԿɶÁдSectionȨÏÞ´ò¿ªPhysicalMemory status = ZwOpenSection(&hSectionRet, SECTION_MAP_READ | SECTION_MAP_WRITE, &oa); if (NT_SUCCESS(status)) goto FreeAndExit; // success,return directly if (status != STATUS_ACCESS_DENIED) { // error printf("ZwOpenSection[0] Failed: %d\n", LsaNtStatusToWinError(status)); hSectionRet = NULL; goto FreeAndExit; } // enable PhysicalMemory by read/write enable ACP status = ZwOpenSection(&hSection, READ_CONTROL | WRITE_DAC, &oa); if (!NT_SUCCESS(status)) { printf("ZwOpenSection[1] Failed: %d\n", LsaNtStatusToWinError(status)); goto FreeAndExit; } // get DACL of PhysicalMemory dwRet = GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pDacl, NULL, &pSD); if (dwRet != ERROR_SUCCESS) { printf("GetSecurityInfo Failed: %d\n", dwRet); goto FreeAndExit; } // create an ACE,it's allow current user read/write PhysicalMemory ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS)); ea.grfAccessPermissions = SECTION_MAP_READ | SECTION_MAP_WRITE; ea.grfAccessMode = GRANT_ACCESS; ea.grfInheritance = NO_INHERITANCE; ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME; ea.Trustee.TrusteeType = TRUSTEE_IS_USER; ea.Trustee.ptstrName = "CURRENT_USER"; // add new ACE to DACL dwRet = SetEntriesInAcl(1, &ea, pDacl, &pNewDacl); if (dwRet != ERROR_SUCCESS) { printf("SetEntriesInAcl Failed: %d\n", dwRet); goto FreeAndExit; } // newer DACL of physicalMemory dwRet = SetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDacl, NULL); if (dwRet != ERROR_SUCCESS) { printf("SetSecurityInfo Failed: %d\n", dwRet); goto FreeAndExit; } // enable read/write PhysicalMemory again status = ZwOpenSection(&hSectionRet, SECTION_MAP_READ | SECTION_MAP_WRITE, &oa); if (!NT_SUCCESS(status)) { printf("ZwOpenSection[2] Failed: %d\n", LsaNtStatusToWinError(status)); goto FreeAndExit; } FreeAndExit: if (pSD) LocalFree(pSD); if (pNewDacl) LocalFree(pNewDacl); if (hSection) ZwClose(hSection); return hSectionRet; } // Shadow physical memory to current procedure user address PVOID MapPhysicalMemory(HANDLE hSection, // ÎïÀíÄÚ´æµÄSection¾ä±ú ULONG Offset, // Ó³ÉäÆðʼƫÒÆÁ¿£¬Ïà¶ÔÓÚÎïÀíÄÚ´æµÄ0µØÖ? ULONG CommitSize // Ó³Éä?¶Î§ ) { NTSTATUS status; PVOID BaseAddress = NULL; LARGE_INTEGER PhysicalAddress = {Offset, 0}; SIZE_T ViewSize = CommitSize; status = ZwMapViewOfSection(hSection, (HANDLE)-1, &BaseAddress, 0, CommitSize, &PhysicalAddress, &ViewSize, ViewShare, 0, PAGE_READWRITE); if (!NT_SUCCESS(status)) { printf("ZwMapViewOfSection Failed: %d\n", LsaNtStatusToWinError(status)); return NULL; } return BaseAddress; } // Ring0 code.Demo how toget every procedure's PID,KPEB,CR3 and ImageName NTSTATUS Ring0Code(ULONG size, PULONG buffer) { ULONG BuildNumber; ULONG ListOffset; ULONG PIDOffset; ULONG NameOffset; PLIST_ENTRY ListHead, ListPtr; PMY_PROCESS_INFO mypi; pfnDbgPrint("Run in Ring0!\n"); // out put debug information pfnPsGetVersion(NULL, NULL, &BuildNumber, NULL); pfnDbgPrint("BuildNumber = %d\n", BuildNumber); switch (BuildNumber) // every os hase special KPEB { case 2195: // Win2000 ListOffset = 0xa0; PIDOffset = 0x9c; NameOffset = 0x1fc; break; case 2600: // WinXP ListOffset = 0x88; PIDOffset = 0x84; NameOffset = 0x174; break; case 3790: // Win2003 ListOffset = 0x88; PIDOffset = 0x84; NameOffset = 0x154; break; default: return STATUS_NOT_IMPLEMENTED; } if (size<4) return STATUS_BUFFER_TOO_SMALL; size -= 4; if (NULL == buffer) return STATUS_INVALID_PARAMETER; *buffer = 0L; // mypi = (PMY_PROCESS_INFO)(buffer + 1); // search ActiveProcessLinks ListHead = ListPtr = (PLIST_ENTRY)(*pPsInitialSystemProcess + ListOffset); while (ListPtr->Flink != ListHead) { if (size < sizeof(MY_PROCESS_INFO)) return STATUS_BUFFER_TOO_SMALL; mypi->KPEB = (ULONG)ListPtr - ListOffset; mypi->PID = *(ULONG*)(mypi->KPEB + PIDOffset); mypi->CR3 = *(ULONG*)(mypi->KPEB + 0x18); pfnMemcpy(mypi->Name, (PVOID)(mypi->KPEB + NameOffset), 16); (*buffer)++; mypi++; size -= sizeof(MY_PROCESS_INFO); ListPtr = ListPtr->Flink; } return STATUS_SUCCESS; } // diplay procedure infomation void ListProcessInfo(PULONG buffer) { ULONG i, n = *buffer; PMY_PROCESS_INFO mypi = (PMY_PROCESS_INFO)(buffer + 1); printf(" PID KPEB CR3 Name\n" " ---- -------- -------- ----\n"); for (i=0; i<n; i++) { printf(" %-4d %08x %08x %s\n", mypi->PID, mypi->KPEB, mypi->CR3, mypi->Name); mypi++; } } void main() { char *Kernel = "ntoskrnl.exe"; PVOID pKernel = NULL; HMODULE hKernel = NULL; HANDLE hSection = NULL; char *mapping = NULL; PVOID buffer = NULL; ULONG offset; NTSTATUS status; char OrigCode[24], HookCode[24] = "\xE8\xFF\xFF\xFF\xFF" // call 0xffffffff ;nt!PsGetCurrentProcessId "\x3D\xEE\xEE\xEE\xEE" // cmp eax, 0xeeeeeeee ;×Ô¼ºµÄPID "\x75\x05" // jne $+5 "\xE9\xDD\xDD\xDD\xDD" // jmp 0xdddddddd ;Ring0Code "\xB8\x01\x00\x00\xC0" // mov eax, 0xc0000001 ;STATUS_UNSUCCESSFUL "\xC3"; // ret printf("\n -=< Run Ring0 Code Without Driver Demo >=-\n\n"); // get the base of system kernel ntoskrnl.exe pKernel = GetModuleBase(Kernel); if (NULL == pKernel) return; if ((ULONG)pKernel < 0x80000000 || (ULONG)pKernel > 0x9FFFFFFF) { // Module base override dirctly memory shadow address printf("Error: Kernel module base (%08x) is out of range.\n", pKernel); return; } // hKernel = LoadLibrary(Kernel); if (NULL == hKernel) { printf("LoadLibrary Failed: %d\n", GetLastError()); return; } // »ñÈ¡ÄÚºËÀý³Ì/±äÁ¿ÔÚÓû§Ì¬µÄÏà¶ÔλÖà if ((pfnMemcpy = (PVOID)GetProcAddress(hKernel, "memcpy")) && (pfnDbgPrint = (PVOID)GetProcAddress(hKernel, "DbgPrint")) && (pfnNtVdmControl = (PVOID)GetProcAddress(hKernel, "NtVdmControl")) && (pfnPsGetVersion = (PVOID)GetProcAddress(hKernel, "PsGetVersion")) && (pfnPsGetCurrentProcessId = (PVOID)GetProcAddress(hKernel, "PsGetCurrentProcessId")) && (pPsInitialSystemProcess = (PVOID)GetProcAddress(hKernel, "PsInitialSystemProcess"))); else { printf("GetProcAddress Failed: %d\n", GetLastError()); goto FreeAndExit; } //get the real address of kernle procedure/variable offset = (ULONG)pKernel - (ULONG)hKernel; (ULONG)pfnMemcpy += offset; (ULONG)pfnDbgPrint += offset; (ULONG)pfnNtVdmControl += offset; (ULONG)pfnPsGetVersion += offset; (ULONG)pfnPsGetCurrentProcessId += offset; (ULONG)pPsInitialSystemProcess += offset; // set HookCode *(ULONG*)(HookCode+1) = (ULONG)pfnPsGetCurrentProcessId - (ULONG)pfnNtVdmControl - 5; *(ULONG*)(HookCode+6) = GetCurrentProcessId(); *(ULONG*)(HookCode+13) = (ULONG)Ring0Code - (ULONG)pfnNtVdmControl - 17; // open physical memory Section hSection = OpenPhysicalMemory(); if (NULL == hSection) goto FreeAndExit; // shadow NtVdmControl offset = (ULONG)pfnNtVdmControl & 0x1FFFF000; // switch to physical memory mapping = MapPhysicalMemory(hSection, offset, 0x2000); if (NULL == mapping) goto FreeAndExit; // ±£´æNtVdmControlÈë¿Ú´úÂë offset = (ULONG)pfnNtVdmControl & 0x00000FFF; // offset in page memcpy(OrigCode, mapping+offset, 24); buffer = LocalAlloc(LPTR, 0x1000); if (NULL == buffer) { printf("LocalAlloc Failed: %d\n", GetLastError()); goto FreeAndExit; } memcpy(mapping+offset, HookCode, 24); // hook NtVdmControl status = NtVdmControl(0x1000, buffer); // invoke NtVdmControl£¬enter Ring0 memcpy(mapping+offset, OrigCode, 24); // restore NtVdmControl entry if (!NT_SUCCESS(status)) { printf("NtVdmControl Failed: %d\n", LsaNtStatusToWinError(status)); goto FreeAndExit; } ListProcessInfo(buffer); FreeAndExit: if (buffer != NULL) LocalFree(buffer); if (mapping != NULL) ZwUnmapViewOfSection(hSection, mapping); if (hSection != NULL) ZwClose(hSection); if (hKernel != NULL) FreeLibrary(hKernel); } |
|
|
板凳#
发布于:2005-01-05 20:07
I have already post the method that switch from 3 to 0 years ago ,you can search it on the net.
|
|
|
|
地板#
发布于:2005-01-05 17:44
If the software built by VC++ and it will run under Windows. How to use your code? Can you give some example about VC++ implement with your code? Thanks!
|
|
|
地下室#
发布于:2005-01-05 16:34
Coding it asm code.
Can only be compiled by asm. |
|
|
5楼#
发布于:2005-01-05 09:55
Thank you very much for your help. Waiting for your good news. Whether your code can use in VC++ 6?
|
|
|
6楼#
发布于:2005-01-04 21:44
For reply your issue only,I must regist a user.So tied.
I am focous on ring3 to ring0 switch recently,at the first begginning,I implement it by winio driver.Recently ,I have finished coding an asm code for ring3 to ring0 switch without driver,it looks work ok .it's size is 3.5k only.Maybe some days later ,I will post it at this website when I make this code more strong. |
|
|
7楼#
发布于:2004-12-28 17:22
我的目标是要在RING0下去做读写IO的动作,现在只验证在RING0下读,读出来的结果就不稳定了,有时读出来的正确,有时读出来是0,有进读出来的我也不知是什么数据。真得很奇怪,如果一直是错的,我就死心了,但有时又是对的。另外,我有做开关RING0的动作,就是在做完IO读写后,会做退出RING0这个动作,是否我在RING0里保存的数据,会因为我关了RING0而受到影响?
|
|
|
8楼#
发布于:2004-12-28 13:48
兄弟Ring0在不同机器里面写啥内容不稳定 具体点 看看我能否为你解答
|
|
|
|
9楼#
发布于:2004-12-28 10:53
你用NTRING0进去的话,你的RING0代码的地址还是用户地址空间,在2G以下,这会导致某些操作的不正确,建议你在RING0分配核心地址空间,然后把代码复制过去,在核心地址空间运行,用到的地址重定位的方法可以参考一般病毒的做法..... 我不太理解(因为我是刚开始接触RING0),能否详细讲解一下? |
|
|
10楼#
发布于:2004-12-28 10:50
我首先声明我不是写病毒,我也觉得WINIO是最好用的一个。但我想网络有人讨论可以用代码的方式来进入或RING0,而我只是要在RING0中做很简单的IO读写,所以就想用最简单的方法来试一下。
|
|
|
11楼#
发布于:2004-12-28 10:37
哪有没有办法可以确定在RING0下读写资料正确的方法教一下? WINIO是最方便的,一般来说尽量使用驱动来IO比较好,除非你写病毒. |
|
|
|
12楼#
发布于:2004-12-28 10:34
哪有没有办法可以确定在RING0下读写资料正确的方法教一下?
|
|
|
13楼#
发布于:2004-12-27 19:52
你在RING0中读到的数据可能就已经不对了.
|
|
|
|
14楼#
发布于:2004-12-27 13:15
我在读写IO前开启RING0,把读出来的数据放在一个已定义的数据结构里面,然后再关掉RING0,其它的运算等等都在正常模式下来做,这样应该不会有这些问题的呀?
|
|
|
15楼#
发布于:2004-12-27 12:46
你用NTRING0进去的话,你的RING0代码的地址还是用户地址空间,在2G以下,这会导致某些操作的不正确,建议你在RING0分配核心地址空间,然后把代码复制过去,在核心地址空间运行,用到的地址重定位的方法可以参考一般病毒的做法.....
|
|
|
|
16楼#
发布于:2004-12-27 12:03
我的例子暂时无法贴上来,用WINIO就很正常,但是用NTRING0的话有两个问题:一是不能用浮点数,不只在NTRING0中不行,只要包了NTRING0,就连外部没用到它的也不行了。二是结果不稳定,有时读正确,有时为0,有时都不知读出些是什么。
|
|
|
17楼#
发布于:2004-12-27 09:59
把你的例子贴上来看看,还有使用WINIO和直接IO有什么不同,结果都是什么???
|
|
|
|
18楼#
发布于:2004-12-26 21:52
路过,你们继续
|
|
|
19楼#
发布于:2004-12-24 13:38
AllenZhang兄弟,有试过这样的问题吗?或是有没更好的解决方案?
|
|
上一页
下一页