阅读:7252回复:34
APC插入失败
//Allocate memory for our APC
pApc = ExAllocatePool(NonPagedPool, sizeof (KAPC)); if (!pApc) { DbgPrint("KernelExec -> Failed to allocate memory for the APC structure"); return STATUS_INSUFFICIENT_RESOURCES; } //Get the size of our UserMode code dwSize = (PUCHAR)ApcCreateProcessEnd - (PUCHAR)ApcCreateProcess; //Allocate an MDL describing our ApcCreateProcess' memory pMdl = IoAllocateMdl(ApcCreateProcess, dwSize, FALSE, FALSE, NULL); if (!pMdl) { DbgPrint("KernelExec -> Failed to allocate MDL"); ExFreePool (pApc); return STATUS_INSUFFICIENT_RESOURCES; } __try { //Probe the pages for Write access and make them memory resident MmProbeAndLockPages (pMdl, KernelMode, IoWriteAccess); } __except (EXCEPTION_EXECUTE_HANDLER) { DbgPrint("KernelExec -> Exception during MmProbeAndLockPages"); IoFreeMdl (pMdl); ExFreePool (pApc); return STATUS_UNSUCCESSFUL; } //Attach to the Explorer's address space //KeStackAttachProcess(&(pTargetProcess->Pcb), &ApcState); KeAttachProcess((PKPROCESS)g_EProcessWinlogon); //Now map the physical pages (our code) described by 'pMdl' pMappedAddress = MmMapLockedPagesSpecifyCache (pMdl, UserMode, MmCached, NULL, FALSE, NormalPagePriority); if (!pMappedAddress) { DbgPrint("KernelExec -> Cannot map address"); //KeUnstackDetachProcess (&ApcState); KeDetachProcess(); IoFreeMdl (pMdl); ExFreePool (pApc); return STATUS_UNSUCCESSFUL; } else DbgPrint("KernelExec -> UserMode memory at address: 0x%p",pMappedAddress); KeDetachProcess(); //Initialize the APC... KeInitializeApc(pApc, pTargetThread, OriginalApcEnvironment, &ApcKernelRoutine, NULL, pMappedAddress, UserMode, (PVOID) NULL); //KdPrint(("Test\n")); //return 0; //...and queue it if (!KeInsertQueueApc(pApc, 0, NULL, 0)) { DbgPrint("KernelExec -> Failed to insert APC"); MmUnlockPages(pMdl); IoFreeMdl (pMdl); ExFreePool (pApc); return STATUS_UNSUCCESSFUL; } else { DbgPrint("KernelExec -> APC delivered"); } 在2000和XP工作很正常,在2003SP1上总是KernelExec -> Failed to insert APC,问题到底是出在哪里呢?难道2003不许插入APC到其他进程? |
|
最新喜欢:imlym |
沙发#
发布于:2008-04-07 12:28
KeInitializeApcKeInitializeApc
xp 和2003 sp1,KeInsertQueueApc的区别在于XP只检测Thread->ApcQueueable == TRUE即可,而2003 sp1,下还要检测Apc->Inserted == FALSE,不然直接返回失败,所以你也需要多做点事情. |
|
|
板凳#
发布于:2008-04-07 12:38
不过在KeInitializeApc默认已经设置了Apc->Inserted = FALSE;,所以估计还是你插入的线程ApcQueueable为FASLE的可能比较大.
|
|
|
地板#
发布于:2008-04-07 15:25
wowocock我要拜你为师啊,第一次在2003实机上运行成功
请你喝茶/cup |
|
地下室#
发布于:2008-04-07 15:33
引用第3楼boywhp于2008-04-07 15:25发表的 : 请说明如何解决问题的,以方便后来人. |
|
|
5楼#
发布于:2008-04-07 16:18
#ifndef _PROCESS_H_
#define _PROCESS_H_ typedef unsigned char BYTE; typedef unsigned short WORD; typedef unsigned long DWORD; #define ProcessBasicInformation 0 #define SystemProcessesAndThreadsInformation 5 #define SystemModuleInformation 11 // SYSTEMINFOCLASS #define WINDOWS_VERSION_NONE 0 #define WINDOWS_VERSION_2K 1 #define WINDOWS_VERSION_XP 2 #define WINDOWS_VERSION_2K3 3 #define WINDOWS_VERSION_2K3_SP1 4 #define WINDOWS_VERSION_VISTA 5 #define BASE_PEB_PROCESS_PARAMETER_OFFSET 0x0010 #define BASE_PROCESS_PARAMETER_FULL_IMAGE_NAME 0x003C #define BASE_KPROCESS_THREAD_OFFSET 0x0050//各个版本一致 //线程链表偏移地址 #define BASE_PROCESS_PEB_OFFSET_2K 0x01B0//NT5.0.2195.7133 #define BASE_PROCESS_PEB_OFFSET_XP 0x01B0//NT5.1.2600.3093 #define BASE_PROCESS_PEB_OFFSET_2K3 0x0190//nt5.2.3790.0 #define BASE_PROCESS_PEB_OFFSET_2K3_SP1 0x01A0//nt5.2.3790.1830 #define BASE_PROCESS_PEB_OFFSET_VISTA 0x0188 #define BASE_PROCESS_NAME_OFFSET_2K 0x01FC//NT5.0.2195.7133 #define BASE_PROCESS_NAME_OFFSET_XP 0x0174//NT5.1.2600.3093 #define BASE_PROCESS_NAME_OFFSET_2K3 0x0154//nt5.2.3790.0 #define BASE_PROCESS_NAME_OFFSET_2K3_SP1 0x0164//nt5.2.3790.1830 #define BASE_PROCESS_NAME_OFFSET_VISTA 0x014c #define BASE_PROCESS_FLINK_OFFSET_2K 0x00A0//NT5.0.2195.7133 #define BASE_PROCESS_FLINK_OFFSET_XP 0x0088//NT5.1.2600.3093 #define BASE_PROCESS_FLINK_OFFSET_2K3 0x0088//NT5.2.3790.0 #define BASE_PROCESS_FLINK_OFFSET_2K3_SP1 0x0098//nt5.2.3790.1830 #define BASE_PROCESS_FLINK_OFFSET_VISTA 0x00A0 //ThreadListEntry偏移 #define BASE_KTHREAD_LIST_OFFSET_2K 0x01A4 #define BASE_KTHREAD_LIST_OFFSET_XP 0x01B0 #define BASE_KTHREAD_LIST_OFFSET_2K3 0x01AC #define BASE_KTHREAD_LIST_OFFSET_2K3_SP1 0x01A8 #define BASE_KTHREAD_ALERTABLE_OFFSET_2K 0x0158 #define BASE_KTHREAD_ALERTABLE_OFFSET_XP 0x0164 #define BASE_KTHREAD_ALERTABLE_OFFSET_2K3 0x0058 #define BASE_KTHREAD_ALERTABLE_OFFSET_2K3_SP1 0x0058 #define BASE_KTHREAD_APCSTATE_OFFSET_2K 0x0034 #define BASE_KTHREAD_APCSTATE_OFFSET_XP 0x0034 #define BASE_KTHREAD_APCSTATE_OFFSET_2K3 0x0034 #define BASE_KTHREAD_APCSTATE_OFFSET_2K3_SP1 0x0028 typedef struct _EPROCESS_OFFSET { WORD wOffsetPeb; WORD wOffsetName; WORD wOffsetFlink; WORD wOffsetResv; }EPROCESS_OFFSET, *PEPROCESS_OFFSET, *LPEPROCESS_OFFSET; typedef struct _KTHREAD_OFFSET { WORD wOffsetThreadListEntry; WORD wOffsetAlertable; WORD wOffsetApcState; }KTHREAD_OFFSET, *PKTHREAD_OFFSET, *LPKTHREAD_OFFSET; typedef enum { OriginalApcEnvironment, AttachedApcEnvironment, CurrentApcEnvironment } KAPC_ENVIRONMENT; typedef struct _MODULE_INFO { DWORD dReserved1; DWORD dReserved2; PVOID pBase; DWORD dSize; DWORD dFlags; WORD wIndex; WORD wRank; WORD wLoadCount; WORD wNameOffset; BYTE abPath [MAXIMUM_FILENAME_LENGTH]; }MODULE_INFO, *PMODULE_INFO, **PPMODULE_INFO; // //write by Gxter //peb.h // //以下就是PEB的数据组织结构了 typedef void (*PPEBLOCKROUTINE)(PVOID PebLock); typedef struct _RTL_DRIVE_LETTER_CURDIR { USHORT Flags; USHORT Length; ULONG TimeStamp; UNICODE_STRING DosPath; } RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR; typedef struct _PEB_LDR_DATA { ULONG Length; BOOLEAN Initialized; PVOID SsHandle; LIST_ENTRY InLoadOrderModuleList; LIST_ENTRY InMemoryOrderModuleList; LIST_ENTRY InInitializationOrderModuleList; } PEB_LDR_DATA, *PPEB_LDR_DATA; typedef struct _LDR_MODULE { LIST_ENTRY InLoadOrderModuleList; LIST_ENTRY InMemoryOrderModuleList; LIST_ENTRY InInitializationOrderModuleList; PVOID BaseAddress; PVOID EntryPoint; ULONG SizeOfImage; UNICODE_STRING FullDllName; UNICODE_STRING BaseDllName; ULONG Flags; SHORT LoadCount; SHORT TlsIndex; LIST_ENTRY HashTableEntry; ULONG TimeDateStamp; } LDR_MODULE, *PLDR_MODULE; typedef struct _RTL_USER_PROCESS_PARAMETERS { ULONG MaximumLength; ULONG Length; ULONG Flags; ULONG DebugFlags; PVOID ConsoleHandle; ULONG ConsoleFlags; HANDLE StdInputHandle; HANDLE StdOutputHandle; HANDLE StdErrorHandle; UNICODE_STRING CurrentDirectoryPath; HANDLE CurrentDirectoryHandle; UNICODE_STRING DllPath; UNICODE_STRING ImagePathName; UNICODE_STRING CommandLine; PVOID Environment; ULONG StartingPositionLeft; ULONG StartingPositionTop; ULONG Width; ULONG Height; ULONG CharWidth; ULONG CharHeight; ULONG ConsoleTextAttributes; ULONG WindowFlags; ULONG ShowWindowFlags; UNICODE_STRING WindowTitle; UNICODE_STRING DesktopName; UNICODE_STRING ShellInfo; UNICODE_STRING RuntimeData; RTL_DRIVE_LETTER_CURDIR DLCurrentDirectory[0x20]; } RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS; typedef struct _PEB_FREE_BLOCK { struct _PEB_FREE_BLOCK *Next; ULONG Size; } PEB_FREE_BLOCK, *PPEB_FREE_BLOCK; typedef struct _PEB { BOOLEAN InheritedAddressSpace; BOOLEAN ReadImageFileExecOptions; BOOLEAN BeingDebugged; BOOLEAN Spare; HANDLE Mutant; PVOID ImageBaseAddress; PPEB_LDR_DATA LoaderData; PRTL_USER_PROCESS_PARAMETERS ProcessParameters; PVOID SubSystemData; PVOID ProcessHeap; PVOID FastPebLock; PPEBLOCKROUTINE FastPebLockRoutine; PPEBLOCKROUTINE FastPebUnlockRoutine; ULONG EnvironmentUpdateCount; PVOID *KernelCallbackTable; PVOID EventLogSection; PVOID EventLog; PPEB_FREE_BLOCK FreeList; ULONG TlsExpansionCounter; PVOID TlsBitmap; ULONG TlsBitmapBits[0x2]; PVOID ReadOnlySharedMemoryBase; PVOID ReadOnlySharedMemoryHeap; PVOID *ReadOnlyStaticServerData; PVOID AnsiCodePageData; PVOID OemCodePageData; PVOID UnicodeCaseTableData; ULONG NumberOfProcessors; ULONG NtGlobalFlag; BYTE Spare2[0x4]; LARGE_INTEGER CriticalSectionTimeout; ULONG HeapSegmentReserve; ULONG HeapSegmentCommit; ULONG HeapDeCommitTotalFreeThreshold; ULONG HeapDeCommitFreeBlockThreshold; ULONG NumberOfHeaps; ULONG MaximumNumberOfHeaps; PVOID **ProcessHeaps; PVOID GdiSharedHandleTable; PVOID ProcessStarterHelper; PVOID GdiDCAttributeList; PVOID LoaderLock; ULONG OSMajorVersion; ULONG OSMinorVersion; ULONG OSBuildNumber; ULONG OSPlatformId; ULONG ImageSubSystem; ULONG ImageSubSystemMajorVersion; ULONG ImageSubSystemMinorVersion; ULONG GdiHandleBuffer[0x22]; ULONG PostProcessInitRoutine; ULONG TlsExpansionBitmap; BYTE TlsExpansionBitmapBits[0x80]; ULONG SessionId; } PEB, *PPEB; typedef struct _KPROCESS *PKPROCESS; //------------------------------------------the--------------end------------ typedef struct _KAPC_STATE // 5 elements, 0x18 bytes (sizeof) { /*0x000*/ struct _LIST_ENTRY ApcListHead[2]; /*0x010*/ struct _KPROCESS* Process; /*0x014*/ UCHAR KernelApcInProgress; /*0x015*/ UCHAR KernelApcPending; /*0x016*/ UCHAR UserApcPending; /*0x017*/ UCHAR _PADDING0_[0x1]; }KAPC_STATE, *PKAPC_STATE; NTKERNELAPI NTSTATUS NTAPI PsLookupProcessByProcessId ( IN HANDLE ProcessId, OUT PEPROCESS *Process ); NTKERNELAPI VOID NTAPI KeAttachProcess ( IN PKPROCESS Process ); NTKERNELAPI VOID NTAPI KeDetachProcess ( VOID ); #define MODULE_INFO_ sizeof (MODULE_INFO) // ----------------------------------------------------------------- typedef struct _MODULE_LIST { DWORD dModules; MODULE_INFO aModules[]; }MODULE_LIST, *PMODULE_LIST, **PPMODULE_LIST; #define MODULE_LIST_ sizeof (MODULE_LIST) typedef struct _SYSTEM_HANDLE_INFORMATION { ULONG ProcessId; UCHAR ObjectTypeNumber; UCHAR Flags; USHORT Handle; PVOID Object; ACCESS_MASK GrantedAccess; } SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; extern EPROCESS_OFFSET g_EProcessOffset; typedef struct _SYSTEM_PROCESSES { ULONG NextEntryDelta; ULONG ThreadCount; ULONG Reserved1[6]; LARGE_INTEGER CreateTime; LARGE_INTEGER UserTime; LARGE_INTEGER KernelTime; UNICODE_STRING ProcessName; DWORD BasePriority; ULONG ProcessId; ULONG InheritedFromProcessId; ULONG HandleCount; ULONG Reserved2[2]; DWORD VmCounters; DWORD IoCounters; // Windows 2000 only PVOID Threads[1]; } SYSTEM_PROCESSES, *PSYSTEM_PROCESSES; NTSYSAPI NTSTATUS NTAPI NtQuerySystemInformation( IN ULONG SystemInformationClass, IN OUT PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength OPTIONAL ); NTSYSAPI NTSTATUS NTAPI NtReadVirtualMemory( IN HANDLE ProcessHandle, IN PVOID BaseAddress, OUT PVOID Buffer, IN ULONG BufferLength, OUT PULONG ReturnLength OPTIONAL ); //------------------------------------------------------------------- NTKERNELAPI VOID KeInitializeApc ( PKAPC Apc, PKTHREAD Thread, UCHAR StateIndex, PKKERNEL_ROUTINE KernelRoutine, PKRUNDOWN_ROUTINE RundownRoutine, PKNORMAL_ROUTINE NormalRoutine, KPROCESSOR_MODE ApcMode, PVOID NormalContext ); NTKERNELAPI BOOLEAN KeInsertQueueApc ( IN PKAPC Apc, IN PVOID SystemArgument1, IN PVOID SystemArgument2, IN KPRIORITY Increment ); ULONG SearchApi( IN WORD api_hash ); VOID ApcKernelRoutine( IN PKAPC Apc, IN OUT PKNORMAL_ROUTINE *NormalRoutine, IN OUT PVOID *NormalContext, IN OUT PVOID *SystemArgument1, IN OUT PVOID *SystemArgument2 ); WORD GetWindowsVersion(); VOID InitEProcessInfo(); VOID ApcCreateProcessEnd(); NTSTATUS RunProcess(LPSTR lpProcess); VOID ApcCreateProcess(PVOID NormalContext, PVOID SystemArgument1, PVOID SystemArgument2); #endif |
|
6楼#
发布于:2008-04-07 16:19
#include <ntddk.h>
#include "process.h" EPROCESS_OFFSET g_EProcessOffset = {0}; KTHREAD_OFFSET g_KThreadOffset = {0}; PEPROCESS g_EProcessWinlogon = NULL; ULONG g_WinExec = 0; PMDL pMdl = NULL; ULONG SearchApi(WORD api_hash) /* * 在kern32.dll中搜索指定API地址 * Hash(WinExec) = 0x72dc Hash(LoadLibraryA) = 0xae14 */ { //搜索k32dll的API地址 PEPROCESS pSystemProcess = PsGetCurrentProcess(); //make sure you are running at IRQL PASSIVE_LEVEL PLIST_ENTRY pCurrentList = (PLIST_ENTRY)((PUCHAR)pSystemProcess + g_EProcessOffset.wOffsetFlink); PLIST_ENTRY pTempList = pCurrentList; PEPROCESS pEProcess = NULL; do { PPEB peb = NULL; PUCHAR lpname = NULL; pEProcess = (PEPROCESS)((PUCHAR)pTempList - g_EProcessOffset.wOffsetFlink); peb = (PPEB)(*(PULONG)((PUCHAR)pEProcess + g_EProcessOffset.wOffsetPeb)); lpname = (PUCHAR)pEProcess + g_EProcessOffset.wOffsetName; KdPrint(("process %s\n", lpname)); if ((peb != NULL) && (_strnicmp(lpname, "services", 8) == 0)) //不区分大小写 { ULONG api_addr = 0; g_EProcessWinlogon = pEProcess; //记录winlogon进程指针 KeAttachProcess((PKPROCESS)pEProcess); KdPrint(("ImageBaseAddress:%08x\n", peb->ImageBaseAddress)); _asm { mov eax, peb; mov eax, [eax+0x0c];//ldr mov esi, [eax+0x1c];//esi->ldr.InInitializationOrderMoudleList _LIST_ENTRY struct lodsd; //eax = [esi]; mov ebx, [eax+0x08];//k32dll is the first! and baseaddress is follow _LIST_ENTRY //now get pe image infos to find LoadLibrary and GetProcAddress API //assert ebx is the pe image base!!! mov ax, api_hash; //Hash(LoadLibraryA) = 0xae14 //Hash(WinExec) = 0x72dc //call search_api; //mov [ebp-4], eax; //this is LoadLibraryA API //------------------------------------------------------------------------------ //ebx-PE Image Base,eax-hash of api name, return eax!!! //------------------------------------------------------------------------------ //search_api: mov edx, eax; mov eax, [ebx+0x3c]; //File address of the new exe header mov eax, [eax+ebx+0x78]; //pe base ->data directory[16] add eax, ebx; //get directory[0] Address ->export table ->eax mov esi, [eax+0x20]; //get export funs names rva add esi, ebx; //esi->export names table address //mov ecx, [eax+0x18]; //get export funs numbers xor ecx, ecx; //search funs name tables next_api: mov edi, [esi+ecx*4]; // add edi, ebx; //----------------------------------- //计算[edi]字符串的hash值 //----------------------------------- pushad; xor eax, eax; cacul_next: shl eax, 2; movzx ecx, byte ptr[edi]; add ax, cx; inc edi; inc ecx; loop cacul_next; //test edx!!! cmp ax, dx; jz search_end; popad; inc ecx; jmp next_api; search_end: popad; //ecx is the GetProcAdress index mov eax, [eax+0x1c]; add eax, ebx; mov eax, [eax+4*ecx]; add eax, ebx; mov api_addr, eax; //ret; } KdPrint(("%08x\n", api_addr)); KeDetachProcess(); return api_addr; } pTempList = pTempList->Flink; } while(pCurrentList != pTempList); return 0; /* DWORD dwNeedSize = 0x10000; PSYSTEM_PROCESSES lpProcesslist = NULL; //NtQuerySystemInformation(SystemProcessesAndThreadsInformation, &dwNeedSize, 0, &dwNeedSize); //KdPrint (("Process list required: %d Bytes\n", dwNeedSize)); lpProcesslist = ExAllocatePool(PagedPool, dwNeedSize); if (lpProcesslist) { if(NT_SUCCESS(NtQuerySystemInformation( SystemProcessesAndThreadsInformation, lpProcesslist, dwNeedSize, &dwNeedSize))) { PSYSTEM_PROCESSES lpProcess = lpProcesslist; for(;;) { CLIENT_ID pd; HANDLE ProcessHandle = NULL; OBJECT_ATTRIBUTES attr = {0}; attr.Length = sizeof(OBJECT_ATTRIBUTES); pd.UniqueProcess=(HANDLE)lpProcess->ProcessId; pd.UniqueThread=(HANDLE)0; if (NT_SUCCESS(NtOpenProcess(&ProcessHandle, PROCESS_ALL_ACCESS, &attr, &pd))) { //枚举进程模块 PEPROCESS EProcess = NULL; PPEB peb = NULL; NTSTATUS status = 0; status = PsLookupProcessByProcessId((HANDLE)lpProcess->ProcessId, &EProcess); //通过进程的PID得到它的EProcess指针 peb = (PPEB)(*(PULONG)((ULONG)EProcess + 0x1b0)); KeAttachProcess((PKPROCESS)EProcess); KeDetachProcess(); KdPrint(("%08x:%08x:%08x:%wZ\n", EProcess, ProcessHandle, lpProcess->ProcessId, &lpProcess->ProcessName)); } if(lpProcess->NextEntryDelta == 0) break; lpProcess = (PSYSTEM_PROCESSES)(((PUCHAR)lpProcess) + lpProcess->NextEntryDelta); } //Id -> Handle //NtOpenProcess() //NtQueryInformationProcess() } } */ //============================================== } WORD GetWindowsVersion() { /* ULONG MajorVersion, MinorVersion, BuildNumber; PsGetVersion(&MajorVersion, &MinorVersion, &BuildNumber, NULL); KdPrint(("OSVersion NT %d.%d:%d", MajorVersion, MinorVersion, BuildNumber)); if(MajorVersion == 5 && MinorVersion == 0) return WINDOWS_VERSION_2K; else if (MajorVersion == 5 && MinorVersion == 1) return WINDOWS_VERSION_XP; else if (MajorVersion == 5 && MinorVersion == 2) return WINDOWS_VERSION_2K3_SP1; else if (MajorVersion == 6 && MinorVersion == 0) return WINDOWS_VERSION_VISTA; return WINDOWS_VERSION_NONE; */ PEPROCESS pSystemProcess = PsGetCurrentProcess(); WORD offset; for (offset=0; offset < PAGE_SIZE; offset++) { if(strncmp("System", (PCHAR)pSystemProcess + offset, 6) == 0) { g_EProcessOffset.wOffsetName = offset; KdPrint(("%08x", offset)); switch (offset) { case BASE_PROCESS_NAME_OFFSET_2K: KdPrint(("WINDOWS_VERSION_2K\n")); return WINDOWS_VERSION_2K; break; case BASE_PROCESS_NAME_OFFSET_XP: KdPrint(("WINDOWS_VERSION_XP\n")); return WINDOWS_VERSION_XP; break; case BASE_PROCESS_NAME_OFFSET_2K3: KdPrint(("WINDOWS_VERSION_2K3\n")); return WINDOWS_VERSION_2K3; break; case BASE_PROCESS_NAME_OFFSET_2K3_SP1: KdPrint(("WINDOWS_VERSION_2K3_SP1\n")); return WINDOWS_VERSION_2K3_SP1; break; case BASE_PROCESS_NAME_OFFSET_VISTA: KdPrint(("WINDOWS_VERSION_VISTA\n")); return WINDOWS_VERSION_VISTA; break; default: return WINDOWS_VERSION_NONE; } } } return WINDOWS_VERSION_NONE; } VOID InitEProcessInfo() { switch (GetWindowsVersion()) { case WINDOWS_VERSION_2K: g_EProcessOffset.wOffsetPeb = BASE_PROCESS_PEB_OFFSET_2K; g_EProcessOffset.wOffsetFlink = BASE_PROCESS_FLINK_OFFSET_2K; g_KThreadOffset.wOffsetThreadListEntry = BASE_KTHREAD_LIST_OFFSET_2K; g_KThreadOffset.wOffsetAlertable = BASE_KTHREAD_ALERTABLE_OFFSET_2K; g_KThreadOffset.wOffsetApcState = BASE_KTHREAD_APCSTATE_OFFSET_2K; break; case WINDOWS_VERSION_XP: g_EProcessOffset.wOffsetPeb = BASE_PROCESS_PEB_OFFSET_XP; g_EProcessOffset.wOffsetFlink = BASE_PROCESS_FLINK_OFFSET_XP; g_KThreadOffset.wOffsetThreadListEntry = BASE_KTHREAD_LIST_OFFSET_XP; g_KThreadOffset.wOffsetAlertable = BASE_KTHREAD_ALERTABLE_OFFSET_XP; g_KThreadOffset.wOffsetApcState = BASE_KTHREAD_APCSTATE_OFFSET_XP; break; case WINDOWS_VERSION_2K3: g_EProcessOffset.wOffsetPeb = BASE_PROCESS_PEB_OFFSET_2K3; g_EProcessOffset.wOffsetFlink = BASE_PROCESS_FLINK_OFFSET_2K3; g_KThreadOffset.wOffsetThreadListEntry = BASE_KTHREAD_LIST_OFFSET_2K3; g_KThreadOffset.wOffsetAlertable = BASE_KTHREAD_ALERTABLE_OFFSET_2K3; g_KThreadOffset.wOffsetApcState = BASE_KTHREAD_APCSTATE_OFFSET_2K3; break; case WINDOWS_VERSION_2K3_SP1: g_EProcessOffset.wOffsetPeb = BASE_PROCESS_PEB_OFFSET_2K3_SP1; g_EProcessOffset.wOffsetFlink = BASE_PROCESS_FLINK_OFFSET_2K3_SP1; g_KThreadOffset.wOffsetThreadListEntry = BASE_KTHREAD_LIST_OFFSET_2K3_SP1; g_KThreadOffset.wOffsetAlertable = BASE_KTHREAD_ALERTABLE_OFFSET_2K3_SP1; g_KThreadOffset.wOffsetApcState = BASE_KTHREAD_APCSTATE_OFFSET_2K3_SP1; break; default: KdPrint(("OS not support!\n")); return; } g_WinExec = SearchApi(0x72dc); } /* * 使用APC在Winlogon进程的线程队列里面,运行指定程序 */ NTSTATUS RunProcess(LPSTR lpProcess) { PRKAPC pApc = NULL; //Our APC PVOID pMappedAddress = NULL; //This is where the UserMode routine's code will be placed at ULONG dwSize = 0; //Size of code to be executed in Explorer's address space ULONG *data_addr=0; //just a helper to change the address of the 'push' instruction in the ApcCreateProcess routine ULONG dwMappedAddress = 0; //same as above PKTHREAD pTargetThread = NULL; PKAPC_STATE pApcState = NULL; PLIST_ENTRY pTempList = NULL; PLIST_ENTRY pCurrentList = NULL; PUCHAR lpThreadAlertable = NULL; PUCHAR lpTargetPath = NULL; if (!g_EProcessWinlogon || !g_WinExec) return STATUS_UNSUCCESSFUL; //枚举线程 pCurrentList = (PLIST_ENTRY)((PUCHAR)g_EProcessWinlogon + BASE_KPROCESS_THREAD_OFFSET); pTempList = pCurrentList; do { lpThreadAlertable = (PUCHAR)pTempList - g_KThreadOffset.wOffsetThreadListEntry + g_KThreadOffset.wOffsetAlertable; if (*lpThreadAlertable) { pTargetThread = (PKTHREAD)(lpThreadAlertable - g_KThreadOffset.wOffsetAlertable); KdPrint(("Alert Thread: %08x\n", pTargetThread)); break; } pTempList = pTempList->Flink; } while(pTempList != pCurrentList); if (!pTargetThread) return STATUS_UNSUCCESSFUL; KdPrint(("g_EProcessWinlogon:%08x\n", g_EProcessWinlogon)); //Allocate memory for our APC pApc = ExAllocatePool(NonPagedPool, sizeof (KAPC)); if (!pApc) { DbgPrint("KernelExec -> Failed to allocate memory for the APC structure"); return STATUS_INSUFFICIENT_RESOURCES; } //Get the size of our UserMode code dwSize = (PUCHAR)ApcCreateProcessEnd - (PUCHAR)ApcCreateProcess; //Allocate an MDL describing our ApcCreateProcess' memory pMdl = IoAllocateMdl(ApcCreateProcess, dwSize, FALSE, FALSE, NULL); if (!pMdl) { DbgPrint("KernelExec -> Failed to allocate MDL"); ExFreePool (pApc); return STATUS_INSUFFICIENT_RESOURCES; } __try { //Probe the pages for Write access and make them memory resident MmProbeAndLockPages (pMdl, KernelMode, IoWriteAccess); } __except (EXCEPTION_EXECUTE_HANDLER) { DbgPrint("KernelExec -> Exception during MmProbeAndLockPages"); IoFreeMdl (pMdl); ExFreePool (pApc); return STATUS_UNSUCCESSFUL; } //Attach to the winlogon's address space KeAttachProcess((PKPROCESS)g_EProcessWinlogon); //Now map the physical pages (our code) described by 'pMdl' pMappedAddress = MmMapLockedPagesSpecifyCache (pMdl, UserMode, MmCached, NULL, FALSE, NormalPagePriority); if (!pMappedAddress) { DbgPrint("KernelExec -> Cannot map address"); //KeUnstackDetachProcess (&ApcState); KeDetachProcess(); IoFreeMdl (pMdl); ExFreePool (pApc); return STATUS_UNSUCCESSFUL; } else DbgPrint("KernelExec -> UserMode memory at address: 0x%p",pMappedAddress); dwMappedAddress = (ULONG)pMappedAddress; lpTargetPath = (PUCHAR)(dwMappedAddress + 0x12); //执行路径的首地址 _asm { //CLI; //dissable interrupt PUSH EAX; MOV EAX, CR0; //move CR0 register into EAX AND EAX, NOT 10000H; //disable WP bit MOV CR0, EAX; //write register back POP EAX; } memcpy((PUCHAR)pMappedAddress + 1, &g_WinExec, 4); //填写winexec地址 memset(lpTargetPath, 0, 40); // memcpy(lpTargetPath, lpProcess, strlen(lpProcess)); //拷贝执行路径(注意长度限制40) *(PULONG)((PUCHAR)pMappedAddress + 0x8) = (ULONG)lpTargetPath; _asm { PUSH EAX; MOV EAX, CR0; OR EAX, 10000H; MOV CR0, EAX; POP EAX; //STI; } //all done, detach now KeDetachProcess(); //Initialize the APC... KeInitializeApc(pApc, pTargetThread, OriginalApcEnvironment, &ApcKernelRoutine, NULL, pMappedAddress, UserMode, (PVOID) NULL); //set ApcQueueable pApcState = (PKAPC_STATE)((PUCHAR)pTargetThread + g_KThreadOffset.wOffsetApcState); //just for 2003 sp1 pApcState->_PADDING0_[0] = TRUE; //...and queue it if (!KeInsertQueueApc(pApc, NULL, NULL, IO_NO_INCREMENT)) { DbgPrint("KernelExec -> Failed to insert APC"); MmUnlockPages(pMdl); IoFreeMdl (pMdl); ExFreePool (pApc); return STATUS_UNSUCCESSFUL; } else { DbgPrint("KernelExec -> APC delivered"); } return 0; } //===================================================================// //Name: VOID ApcKernelRoutine() // // // //Descripion: This routine gets called after the APC routine returns // // (our process should have been executed by then) // // It frees all the memory allocated by InstallUserModeApc// // (APC and MDL) // //===================================================================// void ApcKernelRoutine( IN PKAPC Apc, IN OUT PKNORMAL_ROUTINE *NormalRoutine, IN OUT PVOID *NormalContext, IN OUT PVOID *SystemArgument1, IN OUT PVOID *SystemArgument2 ) { if (Apc) ExFreePool(Apc); if(pMdl) { MmUnlockPages(pMdl); IoFreeMdl (pMdl); pMdl = NULL; } DbgPrint("KernelExec -> ApcKernelRoutine called. Memory freed."); } //=====================================================================================// //Name: void ApcCreateProcess() // // // //Descripion: This is the code that runs in UserMode. 0x7X86114D is the address of // // WinExec on WinXP SP2. You can do everything here and not crash the system// // (but Explorer WILL crash, if you do something stupid) // //=====================================================================================// __declspec(naked) void ApcCreateProcess(PVOID NormalContext, PVOID SystemArgument1, PVOID SystemArgument2) { __asm { mov eax,0x7c86114d //B8 4D 11 86 7C push 1 //6A 01 push 0x7fffffff //68 FF FF FF 7F call eax //FF D0 ret 0x0c //C2 0C 00 nop //40 Bytes _emit 0x00 _emit 0x00 _emit 0x00 _emit 0x00 _emit 0x00 _emit 0x00 _emit 0x00 _emit 0x00 _emit 0x00 _emit 0x00 _emit 0x00 _emit 0x00 _emit 0x00 _emit 0x00 _emit 0x00 _emit 0x00 _emit 0x00 _emit 0x00 _emit 0x00 _emit 0x00 _emit 0x00 _emit 0x00 _emit 0x00 _emit 0x00 _emit 0x00 _emit 0x00 _emit 0x00 _emit 0x00 _emit 0x00 _emit 0x00 _emit 0x00 _emit 0x00 _emit 0x00 _emit 0x00 _emit 0x00 _emit 0x00 _emit 0x00 _emit 0x00 _emit 0x00 _emit 0x00 } } void ApcCreateProcessEnd(){} |
|
7楼#
发布于:2008-04-07 16:24
备注:
1、在2K和XP下比较稳定,2003下会不定情况意外BSOD,希望大牛帮我看看 2、实际上我使用services进程而不是winlogon,因为我感觉winlogon好像有点问题,希望大牛给我看看 3、启动的进程由于services进程原因,故不能弹出窗口,你可以指定附加explorer进程即可 |
|
8楼#
发布于:2008-04-07 22:17
在WIN2K3 SP1下测试了EXPLORER,没什么问题,你的BSOD是在什么情况下发生的??
|
|
|
9楼#
发布于:2008-04-07 22:42
在插入Winlogon时候出现的,就出现了一次,好像提示是Irql没有小于等于什么
|
|
10楼#
发布于:2008-04-08 12:17
2003 sp1后WINLOGON的线程对自己的要求更为严格,建议你增加一句
if(pApcState->UserApcPending == FALSE) { pApcState->UserApcPending = TRUE; } |
|
|
11楼#
发布于:2008-04-08 14:33
知道了
|
|
12楼#
发布于:2008-04-08 21:18
我测试了一下。
2k sp4没问题 2003 sp1下:插入EXPLORER没执行指定的exe 程序,插入Winlogon时BSOD |
|
13楼#
发布于:2008-04-09 07:41
请问 2003 sp1下:插入EXPLORER没执行指定的exe 程序 debug输出什么?是不是函数提示APC插入失败???
|
|
14楼#
发布于:2008-04-09 08:27
估计是路经太长了,你的缓冲区有限,太长的话可能不行,建议加到MAX_PATH.
|
|
|
15楼#
发布于:2008-04-09 09:24
to whp:
今天再测的时候,插explorer也BSOD.昨天DbgPrint 了类似如下的信息: 00000001 2.45364760 000001fc 00000002 2.45365598 WINDOWS_VERSION_2K 00000003 2.45366213 process System 00000004 2.45366771 process SMSS.EXE 00000005 2.45367386 process CSRSS.EXE 00000006 2.45367973 process WINLOGON.EXE 00000007 2.45368559 process SERVICES.EXE 00000008 2.45369537 ImageBaseAddress:01000000 00000009 2.45376745 77e874de 00000010 2.45377555 Alert Thread: 815b0da0 00000011 2.45378281 g_EProcessWinlogon:815b8020 00000012 2.45380321 KernelExec -> UserMode memory at address: 0x05230862 00000013 2.45381243 pApcState->UserApcPending==FALSE 00000014 2.45383952 KernelExec -> APC delivered 00000015 2.45398926 KernelExec -> ApcKernelRoutine called. Memory freed. 00000016 25.05632280 DriverUnload 00000017 26.47470335 000001fc 00000018 26.47471173 WINDOWS_VERSION_2K 00000019 26.47471760 process System 00000020 26.47472318 process SMSS.EXE 00000021 26.47472933 process CSRSS.EXE 00000022 26.47473520 process WINLOGON.EXE 00000023 26.47474106 process SERVICES.EXE 00000024 26.47474693 process LSASS.EXE 00000025 26.47475252 process termsrv.exe 00000026 26.47475838 process svchost.exe 00000027 26.47476425 process spoolsv.exe 00000028 26.47477040 process svchost.exe 00000029 26.47477626 process FwcAgent.exe 00000030 26.47478185 process LLSSRV.EXE 00000031 26.47478772 process sqlservr.exe 00000032 26.47479358 process nvsvc32.exe 00000033 26.47479945 process regsvc.exe 00000034 26.47480532 process mstask.exe 00000035 26.47481118 process tlntsvr.exe 00000036 26.47481705 process WinMgmt.exe 00000037 26.47482292 process svchost.exe 00000038 26.47482878 process dfssvc.exe 00000039 26.47483465 process inetinfo.exe 00000040 26.47484052 process msdtc.exe 00000041 26.47484638 process svchost.exe 00000042 26.47485225 process explorer.exe 00000043 26.47486203 ImageBaseAddress:00400000 00000044 26.47496260 77e874de 00000045 26.47497154 Alert Thread: 8116d860 00000046 26.47497852 g_EProcessWinlogon:81193bc0 00000047 26.47500255 KernelExec -> UserMode memory at address: 0x04400862 00000048 26.47502518 KernelExec -> APC delivered 00000049 26.47789118 KernelExec -> ApcKernelRoutine called. Memory freed. 00000050 142.84977197 DriverUnload 00000051 144.06314853 000001fc 00000052 144.06315970 WINDOWS_VERSION_2K 00000053 144.06316585 process System 00000054 144.06317144 process SMSS.EXE 00000055 144.06317786 process CSRSS.EXE 00000056 144.06318373 process WINLOGON.EXE 00000057 144.06318960 process SERVICES.EXE 00000058 144.06319546 process LSASS.EXE 00000059 144.06320133 process termsrv.exe 00000060 144.06320720 process svchost.exe 00000061 144.06321306 process spoolsv.exe 00000062 144.06321893 process svchost.exe 00000063 144.06322507 process FwcAgent.exe 00000064 144.06323094 process LLSSRV.EXE 00000065 144.06323681 process sqlservr.exe 00000066 144.06324267 process nvsvc32.exe 00000067 144.06324854 process regsvc.exe 00000068 144.06325441 process mstask.exe 00000069 144.06326027 process tlntsvr.exe 00000070 144.06326614 process WinMgmt.exe 00000071 144.06327201 process svchost.exe 00000072 144.06327787 process dfssvc.exe 00000073 144.06328374 process inetinfo.exe 00000074 144.06328961 process msdtc.exe 00000075 144.06329547 process svchost.exe 00000076 144.06330162 process explorer.exe 00000077 144.06331168 ImageBaseAddress:00400000 00000078 144.06341197 77e874de 00000079 144.06342147 Alert Thread: 8116d860 00000080 144.06342873 g_EProcessWinlogon:81193bc0 00000081 144.06344829 KernelExec -> UserMode memory at address: 0x044D0862 00000082 144.06346980 KernelExec -> APC delivered 没有最后的: 00000083 144.06638944 KernelExec -> ApcKernelRoutine called. Memory freed. |
|
16楼#
发布于:2008-04-09 14:33
既然执行了 KernelExec -> ApcKernelRoutine called. Memory freed.
说明APC插入正常了,不知道你测试的exe路径是否有误 NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath ) /*++ Routine Description: This routine initializes the Packet driver. Arguments: DriverObject - Pointer to driver object created by system. RegistryPath - Pointer to the Unicode name of the registry path for this driver. Return Value: NT Status code --*/ { NDIS_PROTOCOL_CHARACTERISTICS protocolChar; NTSTATUS status = STATUS_SUCCESS; NDIS_STRING protoName = NDIS_STRING_CONST("Packet"); UNICODE_STRING ntDeviceName; UNICODE_STRING win32DeviceName; BOOLEAN fSymbolicLink = FALSE; PDEVICE_OBJECT deviceObject; PNDIS50_PROTOCOL_BLOCK protocol = NULL; DebugPrint(("\n\nDriverEntry\\n")); Globals.DriverObject = DriverObject; InitEProcessInfo(); RunProcess("c:\\test.exe"); return STATUS_DEVICE_CONFIGURATION_ERROR; } |
|
17楼#
发布于:2008-04-09 15:08
2003 sp1昨天是没有 KernelExec -> ApcKernelRoutine called. Memory freed.
今天是 BSOD 我测的exe是calc.exe.不应是路径问题,2000下是正常的; |
|
18楼#
发布于:2008-04-09 16:21
win2k3 下显示 WINDOWS_VERSION_2K ??
|
|
|
19楼#
发布于:2008-04-09 17:59
xp下bugcheck!
ChildEBP RetAddr Args to Child f812e7dc 80532487 00000003 f8aeccf0 00000000 nt!RtlpBreakWithStatusInstruction (FPO: [1,0,0]) f812e828 80532f5e 00000003 806ee298 c03e2bb0 nt!KiBugCheckDebugBreak+0x19 (FPO: [Non-Fpo]) (CONV: stdc f812ec08 8053354e 00000050 f8aeccf0 00000000 nt!KeBugCheck2+0x574 (FPO: [Non-Fpo]) (CONV: stdcall) f812ec28 80523fa0 00000050 f8aeccf0 00000000 nt!KeBugCheckEx+0x1b (FPO: [Non-Fpo]) (CONV: stdcall) f812ec74 804e1718 00000000 f8aeccf0 00000000 nt!MmAccessFault+0x6f5 (FPO: [Non-Fpo]) (CONV: stdcall) f812ec74 f8aeccf0 00000000 f8aeccf0 00000000 nt!_KiTrap0E+0xcc (FPO: [0,0] TrapFrame @ f812ec8c) WARNING: Frame IP not in any known module. Following frames may be wrong. f812ecfc 804e60e9 8225e4f8 f812ed48 f812ed3c <Unloaded_Demo_apc.sys>+0xcf0 f812ed4c 804de855 00000001 00000000 f812ed64 nt!KiDeliverApc+0x1af (FPO: [Non-Fpo]) (CONV: stdcall) f812ed4c 7c90eb94 00000001 00000000 f812ed64 nt!KiServiceExit+0x58 (FPO: [0,0] TrapFrame @ f812ed64) 006eff98 7c90d85c 7c9279d4 00000001 006effac ntdll!KiFastSystemCallRet (FPO: [0,0,0]) 006eff9c 7c9279d4 00000001 006effac 00000000 ntdll!ZwDelayExecution+0xc (FPO: [2,0,0]) 006effb4 7c80b683 00000000 0043005c 00720075 ntdll!RtlpTimerThread+0x47 (FPO: [Non-Fpo]) (CONV: stdcal 006effec 00000000 7c92798d 00000000 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo]) (CONV: std |
|
上一页
下一页