一些内核操作函数

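#include <ntifs.h>
#include <stdlib.h>

#ifdef __cplusplus
extern "C" {
#endif

/* KeDelayExecutionThread / KeWaitForSingleObject relative timeouts are negative 100 ns units. */
#define DELAY_ONE_MICRO (-10)
#define DELAY_ONE_MILLI (DELAY_ONE_MICRO*1000)

/* Failure value of KernelCreateFile(); it is not NULL, so callers must compare against this. */
#define KERNEL_INVALID_HANDLE ((HANDLE)-1)
/* WCHARs copied out of a FILE_BOTH_DIR_INFORMATION entry, including the terminator. */
#define KERNEL_MAX_NAME_CHARS 256
/* Number of directory entries the Traversal() buffers are sized for (value taken from the original). */
#define KERNEL_DIR_ENTRIES 0x256
/* Payload written to and read back from the test file in DriverEntry(). */
#define KERNEL_TEST_TEXT L"Hello Driver!"

NTSTATUS DriverEntry(IN PDRIVER_OBJECT objDriver, IN PUNICODE_STRING strRegPath);
HANDLE KernelCreateFile(IN PUNICODE_STRING pstrFile, IN BOOLEAN bIsDir);
ULONG64 KernelGetFileSize(IN HANDLE hFile);
ULONG64 KernelReadFile(IN HANDLE hFile, IN PLARGE_INTEGER Offset, IN ULONG ulLength, OUT PVOID pBuffer);
ULONG64 KernelWriteFile(IN HANDLE hFile, IN PLARGE_INTEGER Offset, IN ULONG ulLength, OUT PVOID pBuffer);
NTSTATUS KernelDeleteFile(IN PUNICODE_STRING pstrFile);
void KernelKillProcess(UINT32 PiD);
PEPROCESS LookupProcess(HANDLE hPid);
NTKERNELAPI HANDLE PsGetProcessInheritedFromUniqueProcessId(IN PEPROCESS pEProcess);
NTKERNELAPI UCHAR* PsGetProcessImageFileName(IN PEPROCESS pEProcess);
VOID EnumProcess();
PFILE_BOTH_DIR_INFORMATION KernelFindFirstFile(IN HANDLE hFile, IN ULONG ulLen, OUT PFILE_BOTH_DIR_INFORMATION pDir);
NTSTATUS KernelFindNextFile(IN OUT PFILE_BOTH_DIR_INFORMATION* pDir);
void Traversal();
NTKERNELAPI NTSTATUS PsSuspendProcess(PEPROCESS pEProcess);
NTKERNELAPI NTSTATUS PsResumeProcess(PEPROCESS pEProcess);
UINT32 PauseProcess(PEPROCESS pEProcess);
UINT32 ResumeProcess(PEPROCESS pEProcess);

typedef NTSTATUS (__stdcall *PSSUSPENDTHREAD)(IN PETHREAD pEThread, OUT PULONG PreviousSuspendCount);
typedef NTSTATUS (__stdcall *PSRESUMETHREAD)(IN PETHREAD pEThread, OUT PULONG PreviousCount);
typedef NTSTATUS (__fastcall *ZWTERMINATETHREAD)(HANDLE hThread, ULONG uExitCode);

/*
 * PsSuspendThread, PsResumeThread and ZwTerminateThread are not exported by the
 * kernel, so the original author pasted raw addresses from one specific 32-bit
 * kernel build. On any other build (or after a kernel update) these are arbitrary
 * code addresses and calling through them is a wild jump that at best bugchecks.
 * They are test-bench values for that one machine, not something to ship.
 */
PSSUSPENDTHREAD PsSuspendThread = (PSSUSPENDTHREAD)0x842de1bb;
PSRESUMETHREAD PsResumeThread = (PSRESUMETHREAD)0x84235cd6;
ZWTERMINATETHREAD ZwTerminateThread = (ZWTERMINATETHREAD)0x8407fad4;

UINT32 PauseThread(PETHREAD pEThread);
UINT32 ResumeThread(PETHREAD pEThread);

/* Signalled by t_funThread() once it has printed its message; waited on by Test_CreateThread(). */
KEVENT g_kEvent;
VOID t_funThread(IN PVOID StartContext);
VOID Test_CreateThread();

void KernelKillThread(UINT32 TiD);
/* Not declared by older ntifs.h versions; the export exists in ntoskrnl. */
NTSTATUS ZwOpenThread(OUT PHANDLE ThreadHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId OPTIONAL);
PETHREAD LookupThread(HANDLE hTid);
VOID EnumThread(PEPROCESS pEProcess);
VOID KernelSleepA(LONG MicroSeconds);
VOID KernelSleepB(LONG MicroSeconds);
ULONG KernelGetVersion();
VOID Test_GetCurrentTime();
VOID KernelFileUnload(IN PDRIVER_OBJECT objDriver);

#ifdef __cplusplus
}
#endif

/*
 * Opens (creating if absent, FILE_OPEN_IF) a file or directory for synchronous I/O.
 * pstrFile: NT-style path such as L"\\??\\C:\\...". bIsDir selects
 * FILE_DIRECTORY_FILE versus FILE_NON_DIRECTORY_FILE.
 * Returns a kernel handle the caller must ZwClose(), or KERNEL_INVALID_HANDLE.
 * NOTE(review): GENERIC_ALL is more access than any caller in this file needs
 * (read, write, query, directory listing); it is kept so existing callers behave
 * the same, but a narrower mask is the least-privilege choice.
 */
HANDLE KernelCreateFile(IN PUNICODE_STRING pstrFile, IN BOOLEAN bIsDir)
{
    HANDLE hFile = NULL;
    NTSTATUS Status = STATUS_UNSUCCESSFUL;
    IO_STATUS_BLOCK StatusBlock = {0};
    ULONG ulShareAccess = FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE;
    ULONG ulCreateOpt = FILE_SYNCHRONOUS_IO_NONALERT;
    OBJECT_ATTRIBUTES objAttrib = {0};
    ULONG ulAttributes = OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE;

    InitializeObjectAttributes(&objAttrib, pstrFile, ulAttributes, NULL, NULL);
    ulCreateOpt |= bIsDir ? FILE_DIRECTORY_FILE : FILE_NON_DIRECTORY_FILE;

    Status = ZwCreateFile(&hFile, GENERIC_ALL, &objAttrib, &StatusBlock, 0,
                          FILE_ATTRIBUTE_NORMAL, ulShareAccess, FILE_OPEN_IF,
                          ulCreateOpt, NULL, 0);
    if (!NT_SUCCESS(Status)) {
        return KERNEL_INVALID_HANDLE;
    }
    return hFile;
}

/*
 * Returns the end-of-file offset of hFile in bytes via FileStandardInformation,
 * or 0 if the query fails (indistinguishable from an empty file by design of the
 * original interface).
 */
ULONG64 KernelGetFileSize(IN HANDLE hFile)
{
    IO_STATUS_BLOCK StatusBlock = {0};
    FILE_STANDARD_INFORMATION fsi = {0};
    NTSTATUS Status = STATUS_UNSUCCESSFUL;

    Status = ZwQueryInformationFile(hFile, &StatusBlock, &fsi,
                                    sizeof(FILE_STANDARD_INFORMATION),
                                    FileStandardInformation);
    if (!NT_SUCCESS(Status)) {
        return 0;
    }
    return fsi.EndOfFile.QuadPart;
}

/*
 * Synchronously reads up to ulLength bytes from hFile into pBuffer.
 * Offset may be NULL, in which case the file's current position is used.
 * Returns the number of bytes actually read, or 0 on failure.
 */
ULONG64 KernelReadFile(IN HANDLE hFile, IN PLARGE_INTEGER Offset, IN ULONG ulLength, OUT PVOID pBuffer)
{
    IO_STATUS_BLOCK StatusBlock = {0};
    NTSTATUS Status = STATUS_UNSUCCESSFUL;

    Status = ZwReadFile(hFile, NULL, NULL, NULL, &StatusBlock, pBuffer,
                        ulLength, Offset, NULL);
    if (!NT_SUCCESS(Status)) {
        return 0;
    }
    return StatusBlock.Information;
}

/*
 * Synchronously writes ulLength bytes from pBuffer to hFile.
 * Offset may be NULL (current position). Returns bytes written, or 0 on failure.
 * pBuffer is read, not written, despite the OUT annotation kept from the original.
 */
ULONG64 KernelWriteFile(IN HANDLE hFile, IN PLARGE_INTEGER Offset, IN ULONG ulLength, OUT PVOID pBuffer)
{
    IO_STATUS_BLOCK StatusBlock = {0};
    NTSTATUS Status = STATUS_UNSUCCESSFUL;

    Status = ZwWriteFile(hFile, NULL, NULL, NULL, &StatusBlock, pBuffer,
                         ulLength, Offset, NULL);
    if (!NT_SUCCESS(Status)) {
        return 0;
    }
    return StatusBlock.Information;
}

/* Deletes the file named by pstrFile (NT path). Returns the ZwDeleteFile status. */
NTSTATUS KernelDeleteFile(IN PUNICODE_STRING pstrFile)
{
    OBJECT_ATTRIBUTES objAttrib = {0};
    ULONG ulAttributes = OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE;

    InitializeObjectAttributes(&objAttrib, pstrFile, ulAttributes, NULL, NULL);
    return ZwDeleteFile(&objAttrib);
}

/*
 * Starts a directory listing on hFile (a handle opened with bIsDir = TRUE).
 * The first entry is placed in the caller's pDir buffer (ulLen bytes, zeroed
 * first so pDir->FileNameLength == 0 means nothing was read). The remaining
 * entries are returned in a freshly allocated buffer of ulLen bytes that the
 * caller frees with ExFreePool(); walk it with KernelFindNextFile().
 * Returns NULL on bad arguments, allocation failure, or when either query fails
 * (including "no more files" after the first entry; pDir is still valid then).
 * The original copied pDir into the new buffer before the second query, which
 * overwrote it; that copy is dropped. Both ZwQueryDirectoryFile calls use
 * RestartScan = FALSE as in the original.
 */
PFILE_BOTH_DIR_INFORMATION KernelFindFirstFile(IN HANDLE hFile, IN ULONG ulLen, OUT PFILE_BOTH_DIR_INFORMATION pDir)
{
    NTSTATUS Status = STATUS_UNSUCCESSFUL;
    IO_STATUS_BLOCK StatusBlock = {0};
    PFILE_BOTH_DIR_INFORMATION pFileList = NULL;

    if (hFile == NULL || hFile == KERNEL_INVALID_HANDLE || pDir == NULL || ulLen == 0) {
        return NULL;
    }
    RtlZeroMemory(pDir, ulLen);

    /* ReturnSingleEntry = TRUE: only the first entry lands in pDir. */
    Status = ZwQueryDirectoryFile(hFile, NULL, NULL, NULL, &StatusBlock, pDir, ulLen,
                                  FileBothDirectoryInformation, TRUE, NULL, FALSE);
    if (!NT_SUCCESS(Status)) {
        return NULL;
    }

    pFileList = (PFILE_BOTH_DIR_INFORMATION)ExAllocatePool(PagedPool, ulLen);
    if (pFileList == NULL) {
        return NULL;
    }
    RtlZeroMemory(pFileList, ulLen);

    /* ReturnSingleEntry = FALSE: as many of the remaining entries as fit in ulLen. */
    Status = ZwQueryDirectoryFile(hFile, NULL, NULL, NULL, &StatusBlock, pFileList, ulLen,
                                  FileBothDirectoryInformation, FALSE, NULL, FALSE);
    if (!NT_SUCCESS(Status)) {
        ExFreePool(pFileList);
        return NULL;
    }
    return pFileList;
}

/*
 * Advances *pDir to the next entry in a FILE_BOTH_DIR_INFORMATION buffer.
 * Returns STATUS_SUCCESS after advancing, STATUS_UNSUCCESSFUL when *pDir is the
 * last entry (NextEntryOffset == 0) or when pDir / *pDir is NULL.
 */
NTSTATUS KernelFindNextFile(IN OUT PFILE_BOTH_DIR_INFORMATION* pDir)
{
    ULONG ulNext = 0;

    if (pDir == NULL || *pDir == NULL) {
        return STATUS_UNSUCCESSFUL;
    }
    ulNext = (*pDir)->NextEntryOffset;
    if (ulNext == 0) {
        return STATUS_UNSUCCESSFUL;
    }
    /* Byte arithmetic through PUCHAR: the original cast the pointer to UINT32, which truncates on x64. */
    *pDir = (PFILE_BOTH_DIR_INFORMATION)((PUCHAR)(*pDir) + ulNext);
    return STATUS_SUCCESS;
}

/*
 * Prints one directory entry as "[目录]name" or "[文件]name"; "." and ".." are skipped.
 * FileName is a WCHAR array that is not NUL-terminated and FileNameLength is in
 * bytes, so the name is copied into a bounded, zeroed WCHAR buffer first. The
 * original copied it into a char buffer and compared with strcmp(), which never
 * matched L"..".
 */
static void PrintDirEntry(IN PFILE_BOTH_DIR_INFORMATION pEntry)
{
    WCHAR szName[KERNEL_MAX_NAME_CHARS] = {0};
    ULONG ulBytes = pEntry->FileNameLength;

    /* Keep at least one WCHAR for the terminator. */
    if (ulBytes > (KERNEL_MAX_NAME_CHARS - 1) * sizeof(WCHAR)) {
        ulBytes = (KERNEL_MAX_NAME_CHARS - 1) * sizeof(WCHAR);
    }
    RtlCopyMemory(szName, pEntry->FileName, ulBytes);

    if (wcscmp(szName, L".") == 0 || wcscmp(szName, L"..") == 0) {
        return;
    }
    if (pEntry->FileAttributes & FILE_ATTRIBUTE_DIRECTORY) {
        DbgPrint("[目录]%S\n", szName);
    } else {
        DbgPrint("[文件]%S\n", szName);
    }
}

/*
 * Lists the entries of C:\ to the debugger, one line each.
 * Fixes relative to the original: the result of KernelFindFirstFile() was never
 * assigned, so the listing buffer was NULL and KernelFindNextFile() dereferenced
 * it; the "." / ".." test used || on != and so never filtered anything; the
 * loop skipped the first entry of the second buffer; the directory handle and,
 * on most paths, both buffers were leaked.
 */
void Traversal()
{
    UNICODE_STRING ustrFolder = {0};
    WCHAR szSymbol[0x512] = L"\\??\\";
    UNICODE_STRING ustrPath = RTL_CONSTANT_STRING(L"C:\\");
    HANDLE hFile = KERNEL_INVALID_HANDLE;
    SIZE_T nFileInfoSize = sizeof(FILE_BOTH_DIR_INFORMATION) + 270 * sizeof(WCHAR);
    SIZE_T nSize = nFileInfoSize * KERNEL_DIR_ENTRIES;
    PFILE_BOTH_DIR_INFORMATION pFileListBuf = NULL;
    PFILE_BOTH_DIR_INFORMATION pFileList = NULL;
    PFILE_BOTH_DIR_INFORMATION pFileDirInfo = NULL;

    pFileDirInfo = (PFILE_BOTH_DIR_INFORMATION)ExAllocatePool(PagedPool, nSize);
    if (pFileDirInfo == NULL) {
        return;
    }

    wcscat_s(szSymbol, _countof(szSymbol), ustrPath.Buffer);
    RtlInitUnicodeString(&ustrFolder, szSymbol);
    hFile = KernelCreateFile(&ustrFolder, TRUE);
    if (hFile == KERNEL_INVALID_HANDLE) {
        ExFreePool(pFileDirInfo);
        return;
    }

    /* Entry 1 goes to pFileDirInfo; entries 2..N come back in a new buffer (or NULL). */
    pFileListBuf = KernelFindFirstFile(hFile, (ULONG)nSize, pFileDirInfo);
    if (pFileDirInfo->FileNameLength != 0) {
        PrintDirEntry(pFileDirInfo);
    }
    if (pFileListBuf != NULL) {
        pFileList = pFileListBuf;
        do {
            PrintDirEntry(pFileList);
        } while (NT_SUCCESS(KernelFindNextFile(&pFileList)));
        ExFreePool(pFileListBuf);
    }

    ExFreePool(pFileDirInfo);
    ZwClose(hFile);
}

/*
 * Terminates the process whose PID is PiD with exit code 0. The process is opened
 * with access mask 1 (PROCESS_TERMINATE) only. Nothing here validates PiD, and
 * the original ignored the ZwOpenProcess status; callers are responsible for
 * deciding which PIDs may be terminated.
 */
void KernelKillProcess(UINT32 PiD)
{
    HANDLE hProcess = NULL;
    CLIENT_ID ClientId = {0};
    OBJECT_ATTRIBUTES objAttribut = {sizeof(OBJECT_ATTRIBUTES)};
    NTSTATUS Status = STATUS_UNSUCCESSFUL;

    /* Widen through ULONG_PTR: a direct UINT32 -> pointer cast is a 64-bit build warning. */
    ClientId.UniqueProcess = (HANDLE)(ULONG_PTR)PiD;
    ClientId.UniqueThread = 0;
    Status = ZwOpenProcess(&hProcess, 1, &objAttribut, &ClientId);
    if (!NT_SUCCESS(Status) || hProcess == NULL) {
        return;
    }
    ZwTerminateProcess(hProcess, 0);
    ZwClose(hProcess);
}

/*
 * Returns the referenced PEPROCESS for hPid, or NULL. The caller must
 * ObDereferenceObject() a non-NULL result.
 */
PEPROCESS LookupProcess(HANDLE hPid)
{
    PEPROCESS pEProcess = NULL;

    if (NT_SUCCESS(PsLookupProcessByProcessId(hPid, &pEProcess))) {
        return pEProcess;
    }
    return NULL;
}

/*
 * Prints EPROCESS address, PID, parent PID and image name for every PID in
 * 4..0x25600 (PIDs are multiples of 4). Each lookup reference is released
 * before the next iteration.
 */
VOID EnumProcess()
{
    PEPROCESS pEProc = NULL;
    ULONG i = 0;

    for (i = 4; i < 0x25600; i = i + 4) {
        pEProc = LookupProcess((HANDLE)(ULONG_PTR)i);
        if (!pEProc) {
            continue;
        }
        DbgPrint("EPROCESS=%p PID=%u PPID=%u Name=%s\n",
                 pEProc,
                 (UINT32)(ULONG_PTR)PsGetProcessId(pEProc),
                 (UINT32)(ULONG_PTR)PsGetProcessInheritedFromUniqueProcessId(pEProc),
                 PsGetProcessImageFileName(pEProc));
        ObDereferenceObject(pEProc);
        DbgPrint("\n");
    }
}

/* Suspends pEProcess. Returns FALSE on success, TRUE on failure (the original's convention). */
UINT32 PauseProcess(PEPROCESS pEProcess)
{
    return NT_SUCCESS(PsSuspendProcess(pEProcess)) ? FALSE : TRUE;
}

/* Resumes pEProcess. Returns FALSE on success, TRUE on failure (the original's convention). */
UINT32 ResumeProcess(PEPROCESS pEProcess)
{
    return NT_SUCCESS(PsResumeProcess(pEProcess)) ? FALSE : TRUE;
}

/*
 * Suspends pEThread through the build-specific PsSuspendThread pointer (see the
 * note at its definition). Returns FALSE on success, TRUE on failure.
 */
UINT32 PauseThread(PETHREAD pEThread)
{
    ULONG ulSuspendCount = 0;

    return NT_SUCCESS(PsSuspendThread(pEThread, &ulSuspendCount)) ? FALSE : TRUE;
}

/*
 * Resumes pEThread through the build-specific PsResumeThread pointer (see the
 * note at its definition). Returns FALSE on success, TRUE on failure.
 */
UINT32 ResumeThread(PETHREAD pEThread)
{
    ULONG ulSuspendCount = 0;

    return NT_SUCCESS(PsResumeThread(pEThread, &ulSuspendCount)) ? FALSE : TRUE;
}

/*
 * System-thread body for Test_CreateThread(): prints the UNICODE_STRING passed as
 * StartContext, signals g_kEvent, then terminates itself. StartContext lives on
 * the creator's stack, which is safe only because the creator waits for g_kEvent.
 */
VOID t_funThread(IN PVOID StartContext)
{
    PUNICODE_STRING pustrMsg = (PUNICODE_STRING)StartContext;

    DbgPrint("Kernel thread: %wZ\n", pustrMsg);
    KeSetEvent(&g_kEvent, 0, TRUE);
    PsTerminateSystemThread(STATUS_SUCCESS);
}

/* Creates a system thread running t_funThread() and blocks until it signals g_kEvent. */
VOID Test_CreateThread()
{
    NTSTATUS Status = STATUS_UNSUCCESSFUL;
    HANDLE hThread = NULL;
    UNICODE_STRING ustrMsg = RTL_CONSTANT_STRING(L"15PB!");

    KeInitializeEvent(&g_kEvent, SynchronizationEvent, FALSE);
    Status = PsCreateSystemThread(&hThread, 0, NULL, NULL, NULL, t_funThread, (PVOID)&ustrMsg);
    if (!NT_SUCCESS(Status)) {
        return;
    }
    /* The handle is not needed; the event is the synchronisation point. */
    ZwClose(hThread);
    KeWaitForSingleObject(&g_kEvent, Executive, KernelMode, FALSE, NULL);
}

/*
 * Terminates the thread whose TID is TiD with exit code 0, via the build-specific
 * ZwTerminateThread pointer (see the note at its definition). The thread is opened
 * with access mask 1. Nothing here validates TiD.
 */
void KernelKillThread(UINT32 TiD)
{
    HANDLE hThread = NULL;
    CLIENT_ID ClientId = {0};
    OBJECT_ATTRIBUTES objAttribut = {sizeof(OBJECT_ATTRIBUTES)};
    NTSTATUS Status = STATUS_UNSUCCESSFUL;

    ClientId.UniqueProcess = 0;
    ClientId.UniqueThread = (HANDLE)(ULONG_PTR)TiD;
    Status = ZwOpenThread(&hThread, 1, &objAttribut, &ClientId);
    if (!NT_SUCCESS(Status) || hThread == NULL) {
        return;
    }
    ZwTerminateThread(hThread, 0);
    ZwClose(hThread);
}

/*
 * Returns the referenced PETHREAD for hTid, or NULL. The caller must
 * ObDereferenceObject() a non-NULL result.
 */
PETHREAD LookupThread(HANDLE hTid)
{
    PETHREAD pEThread = NULL;

    if (NT_SUCCESS(PsLookupThreadByThreadId(hTid, &pEThread))) {
        return pEThread;
    }
    return NULL;
}

/*
 * Prints ETHREAD address and TID of every thread in 4..0x25600 that belongs to
 * pEProcess (matched by IoThreadToProcess()). Each lookup reference is released.
 */
VOID EnumThread(PEPROCESS pEProcess)
{
    PEPROCESS pEProc = NULL;
    PETHREAD pEThrd = NULL;
    ULONG i = 0;

    for (i = 4; i < 0x25600; i += 4) {
        pEThrd = LookupThread((HANDLE)(ULONG_PTR)i);
        if (!pEThrd) {
            continue;
        }
        pEProc = IoThreadToProcess(pEThrd);
        if (pEProc == pEProcess) {
            DbgPrint("[THREAD]ETHREAD=%p TID=%lu\n", pEThrd, (ULONG)(ULONG_PTR)PsGetThreadId(pEThrd));
        }
        ObDereferenceObject(pEThrd);
    }
}

/*
 * Delays the current thread. The parameter is misnamed: the interval is scaled
 * by DELAY_ONE_MILLI, so the unit is milliseconds. The product is formed in
 * 64 bits; the original's LONG multiply overflowed above roughly 214 seconds.
 */
VOID KernelSleepA(LONG MicroSeconds)
{
    LARGE_INTEGER WaitTime = {0};

    WaitTime.QuadPart = (LONGLONG)DELAY_ONE_MILLI * MicroSeconds;
    KeDelayExecutionThread(KernelMode, FALSE, &WaitTime);
}

/*
 * Same delay as KernelSleepA() (milliseconds despite the name), implemented as a
 * timed wait on a local event that nobody signals, so the wait always ends by timeout.
 */
VOID KernelSleepB(LONG MicroSeconds)
{
    KEVENT kEnent = {0};
    LARGE_INTEGER WaitTime = {0};

    WaitTime.QuadPart = (LONGLONG)DELAY_ONE_MILLI * MicroSeconds;
    KeInitializeEvent(&kEnent, SynchronizationEvent, FALSE);
    KeWaitForSingleObject(&kEnent, Executive, KernelMode, FALSE, &WaitTime);
}

/* Returns the OS build number from RtlGetVersion(), or 0 if the query fails. */
ULONG KernelGetVersion()
{
    RTL_OSVERSIONINFOW osi = {sizeof(RTL_OSVERSIONINFOW)};

    if (!NT_SUCCESS(RtlGetVersion(&osi))) {
        return 0;
    }
    return osi.dwBuildNumber;
}

/* Prints the current local time as YYYY-MM-DD HH:MM:SS to the debugger. */
VOID Test_GetCurrentTime()
{
    LARGE_INTEGER CurrentTime = {0};
    LARGE_INTEGER LocalTime = {0};
    TIME_FIELDS TimeFiled = {0};

    KeQuerySystemTime(&CurrentTime);
    ExSystemTimeToLocalTime(&CurrentTime, &LocalTime);
    RtlTimeToTimeFields(&LocalTime, &TimeFiled);
    DbgPrint("Time : %4d-%2d-%2d %2d:%2d:%2d\n",
             TimeFiled.Year, TimeFiled.Month, TimeFiled.Day,
             TimeFiled.Hour, TimeFiled.Minute, TimeFiled.Second);
}

/* Driver unload: deletes the device object if one was created (this file never creates one). */
VOID KernelFileUnload(IN PDRIVER_OBJECT objDriver)
{
    if (objDriver->DeviceObject) {
        IoDeleteDevice(objDriver->DeviceObject);
    }
}

/*
 * Test entry point: writes KERNEL_TEST_TEXT to a hard-coded file, queries its
 * size, rewinds, reads the text back and enumerates processes.
 * Each __debugbreak() traps into the kernel debugger and bugchecks if none is
 * attached; they are part of the original's step-through workflow.
 * Fixes relative to the original: the handle is checked and closed; the read
 * buffer is zeroed so a short read cannot print stack garbage; the size is
 * printed with a 64-bit specifier; ZwSetInformationFile's status is kept as
 * NTSTATUS; declarations precede statements for C compilers that require it.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT objDriver, IN PUNICODE_STRING strRegPath)
{
    UNICODE_STRING pstrFile = RTL_CONSTANT_STRING(L"\\??\\C:\\Users\\SQ\\Desktop\\15PB.txt");
    WCHAR WriteBuffer[100] = KERNEL_TEST_TEXT;
    WCHAR ReadBuffer[100] = {0};
    HANDLE hFile = KERNEL_INVALID_HANDLE;
    ULONG64 ulGetSize = 0;
    IO_STATUS_BLOCK statusBlock = {0};
    FILE_POSITION_INFORMATION fileInformation = {0};
    NTSTATUS status = STATUS_UNSUCCESSFUL;

    UNREFERENCED_PARAMETER(strRegPath);

    /* Register unload first so the driver can be removed even if a test step fails. */
    objDriver->DriverUnload = KernelFileUnload;

    __debugbreak();
    hFile = KernelCreateFile(&pstrFile, FALSE);
    if (hFile != KERNEL_INVALID_HANDLE) {
        __debugbreak();
        /* sizeof(KERNEL_TEST_TEXT) is 28 bytes (13 WCHARs plus terminator), as in the original. */
        KernelWriteFile(hFile, NULL, sizeof(KERNEL_TEST_TEXT), (PVOID)WriteBuffer);
        DbgPrint("写入缓存内容:%S", WriteBuffer);

        __debugbreak();
        ulGetSize = KernelGetFileSize(hFile);
        DbgPrint("文件大小:%I64u\n", ulGetSize);

        __debugbreak();
        /* CurrentByteOffset is zero-initialised: rewind so the read returns what was written. */
        status = ZwSetInformationFile(hFile, &statusBlock, &fileInformation,
                                      sizeof(FILE_POSITION_INFORMATION), FilePositionInformation);
        DbgPrint("****Position Status:%x\n", status);

        __debugbreak();
        KernelReadFile(hFile, NULL, sizeof(KERNEL_TEST_TEXT), ReadBuffer);
        DbgPrint("读取缓存内容:%S", ReadBuffer);

        ZwClose(hFile);
    }

    __debugbreak();
    EnumProcess();
    __debugbreak();

    return STATUS_SUCCESS;
}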
