/*
* For x86/Windows XP SP1 & VC 7
* cl dump.c /Os /G6 /W3 /Fadump.asm
*
* Usage: dump [-h] [-g Gdtrbase] [-a Address] [-l Length]
*/
/*
* 名为dump.c,实则与dump非紧耦合,dump功能仅为其中一种演示而已。
*
* 该程序仅为演示用途,其潜在的危险由使用者本人承担,否则请勿执行之。
*
* 由于参考太多源代码,我不是太清楚该将哪些作者的名字列于此处:
*
* crazylord <crazylord@minithins.net>
* Gary Nebbett
* h0ck0r@smth
* Mark E. Russinovich
* tsu00 <tsu00@263.net>
*
* 这是此番学习笔记中惟一列举源作者的C程序。总之,该程序与我没有太大关系,
* 就不贪天功为己有了,顺带少些风险,上场当念下场时。
*/
/************************************************************************
* *
* Head File *
* *
************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <malloc.h>
#include <windows.h>
#include <aclapi.h>
#include <memory.h>
/************************************************************************
* *
* Macro *
* *
************************************************************************/
#pragma comment( linker, "/subsystem:console" )
#pragma comment( lib, "advapi32.lib" )
/* ntstatus.h is not included, so NTSTATUS and its success test are defined locally. */
typedef LONG NTSTATUS;
/* Any status with the sign bit clear (success and informational ranges) counts as success. */
#define NT_SUCCESS(status) ((NTSTATUS)(status)>=0)
/*
 * Segment selector placed in the call gate: index 1 in the GDT, TI = 0, RPL = 0
 * (selector layout is index << 3 | TI << 2 | RPL).
 * NOTE(review): presumably the kernel's flat ring-0 code segment on NT/x86 --
 * confirm against the target system's GDT before relying on it.
 */
#define RING0_CODE_SELECTOR ((unsigned short int)0x0008)
/*
*************************************************************************
* ntdef.h
*/
/*
 * Counted UTF-16 string as passed to the native API (ZwOpenSection via
 * OBJECT_ATTRIBUTES). In the native API convention Length and MaximumLength
 * are byte counts, not character counts; Buffer need not be NUL-terminated.
 */
typedef struct _UNICODE_STRING
{
    USHORT Length;          /* bytes in use */
    USHORT MaximumLength;   /* bytes available in Buffer */
    PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
/*
* Valid values for the Attributes field
*/
#define OBJ_INHERIT 0x00000002L
#define OBJ_PERMANENT 0x00000010L
#define OBJ_EXCLUSIVE 0x00000020L
#define OBJ_CASE_INSENSITIVE 0x00000040L
#define OBJ_OPENIF 0x00000080L
#define OBJ_OPENLINK 0x00000100L
#define OBJ_KERNEL_HANDLE 0x00000200L
#define OBJ_FORCE_ACCESS_CHECK 0x00000400L
/* Bitwise OR of all the OBJ_* flags above; anything outside this mask is invalid. */
#define OBJ_VALID_ATTRIBUTES 0x000007F2L
/*
 * Object name/attributes block handed to ZwOpenSection. Attributes takes the
 * OBJ_* flags defined above; Length is expected to hold sizeof(OBJECT_ATTRIBUTES)
 * (presumably set by InitializeObjectAttributes -- its body is not in this chunk).
 */
typedef struct _OBJECT_ATTRIBUTES
{
    ULONG Length;
    HANDLE RootDirectory;           /* directory ObjectName is relative to, or NULL */
    PUNICODE_STRING ObjectName;
    ULONG Attributes;               /* OBJ_* flags */
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
/* 64-bit physical address, as returned by MmGetPhysicalAddress. */
typedef LARGE_INTEGER PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS;
/*
* ntdef.h
*************************************************************************
*/
/*
*************************************************************************
* <<Windows NT/2000 Native API Reference>> by Gary Nebbett
*/
/*
 * InheritDisposition argument of ZwMapViewOfSection: whether a child process
 * inherits the mapped view (ViewShare) or gets it unmapped (ViewUnmap).
 */
typedef enum _SECTION_INHERIT
{
    ViewShare = 1,
    ViewUnmap = 2
} SECTION_INHERIT;
/*
 * This program does not use anywhere near this many enumerators, but the most
 * complete list is given anyway. The program does not aim at perfection; it
 * preserves as much undocumented reference material as possible.
 *
 * NOTE(review): the trailing "Q S" columns appear to mark whether each class is
 * accepted by the query (Q) and set (S) native calls -- confirm against the
 * Nebbett reference cited above. Only SystemModuleInformation (11) has a
 * matching struct in this file.
 */
typedef enum _SYSTEM_INFORMATION_CLASS // Q S
{
    SystemBasicInformation, // 00 Y N
    SystemProcessorInformation, // 01 Y N
    SystemPerformanceInformation, // 02 Y N
    SystemTimeOfDayInformation, // 03 Y N
    SystemNotImplemented1, // 04 Y N
    SystemProcessesAndThreadsInformation, // 05 Y N
    SystemCallCounts, // 06 Y N
    SystemConfigurationInformation, // 07 Y N
    SystemProcessorTimes, // 08 Y N
    SystemGlobalFlag, // 09 Y Y
    SystemNotImplemented2, // 10 Y N
    SystemModuleInformation, // 11 Y N
    SystemLockInformation, // 12 Y N
    SystemNotImplemented3, // 13 Y N
    SystemNotImplemented4, // 14 Y N
    SystemNotImplemented5, // 15 Y N
    SystemHandleInformation, // 16 Y N
    SystemObjectInformation, // 17 Y N
    SystemPagefileInformation, // 18 Y N
    SystemInstructionEmulationCounts, // 19 Y N
    SystemInvalidInfoClass1, // 20
    SystemCacheInformation, // 21 Y Y
    SystemPoolTagInformation, // 22 Y N
    SystemProcessorStatistics, // 23 Y N
    SystemDpcInformation, // 24 Y Y
    SystemNotImplemented6, // 25 Y N
    SystemLoadImage, // 26 N Y
    SystemUnloadImage, // 27 N Y
    SystemTimeAdjustment, // 28 Y Y
    SystemNotImplemented7, // 29 Y N
    SystemNotImplemented8, // 30 Y N
    SystemNotImplemented9, // 31 Y N
    SystemCrashDumpInformation, // 32 Y N
    SystemExceptionInformation, // 33 Y N
    SystemCrashDumpStateInformation, // 34 Y Y/N
    SystemKernelDebuggerInformation, // 35 Y N
    SystemContextSwitchInformation, // 36 Y N
    SystemRegistryQuotaInformation, // 37 Y Y
    SystemLoadAndCallImage, // 38 N Y
    SystemPrioritySeparation, // 39 N Y
    SystemNotImplemented10, // 40 Y N
    SystemNotImplemented11, // 41 Y N
    SystemInvalidInfoClass2, // 42
    SystemInvalidInfoClass3, // 43
    SystemTimeZoneInformation, // 44 Y N
    SystemLookasideInformation, // 45 Y N
    SystemSetTimeSlipEvent, // 46 N Y
    SystemCreateSession, // 47 N Y
    SystemDeleteSession, // 48 N Y
    SystemInvalidInfoClass4, // 49
    SystemRangeStartInformation, // 50 Y N
    SystemVerifierInformation, // 51 Y Y
    SystemAddVerifier, // 52 N Y
    SystemSessionProcessesInformation // 53 Y N
} SYSTEM_INFORMATION_CLASS;
/*
 * One entry of the loaded-module list returned by ZwQuerySystemInformation
 * for SystemModuleInformation (class 11 in the enum above). Presumably what
 * PrivateFindModule walks to find a kernel module's base -- its body is not
 * in this chunk. ImageName is a fixed 256-byte buffer; treat it as untrusted
 * length-wise and do not assume NUL termination without checking.
 */
typedef struct _SYSTEM_MODULE_INFORMATION // Information Class 11
{
    ULONG Reserved[2];
    PVOID Base;             /* load address of the module */
    ULONG Size;
    ULONG Flags;
    USHORT Index;
    USHORT Unknown;
    USHORT LoadCount;
    USHORT ModuleNameOffset; /* offset into ImageName of the file-name part */
    CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
/*
* <<Windows NT/2000 Native API Reference>> by Gary Nebbett
*************************************************************************
*/
/*
*************************************************************************
* 参<<Intel Architecture Software Developer's Manual. Volume 3>>
*/
#pragma pack(push, 1)
/*
 * Volume III, section 3.5.1: the 48-bit pseudo-descriptor stored by SGDT/SIDT.
 * The same layout serves GDTR and IDTR; a 32-bit base is assumed (IA-32).
 * Declared under #pragma pack(push, 1) above, so sizeof is 6, not 8.
 */
typedef struct _PSEUDODESCRIPTOR
{
    unsigned short int limit;   /* table size in bytes minus one */
    unsigned int base;          /* linear base address of the table */
} PSEUDODESCRIPTOR;
/*
 * Volume III, section 4.8.3: 8-byte call-gate descriptor, bit-field order
 * matching the in-memory layout (low dword first). Used by InstallCallgate to
 * write a gate into the GDT and to save the descriptor it replaces.
 */
typedef struct _GATEDESCRIPTOR
{
    unsigned offset_low : 16;       /* low 16 bits of the 32-bit target offset */
    unsigned selector : 16;         /* target code-segment selector */
    unsigned parameter_count : 5;   /* number of stack parameters to copy */
    unsigned reserved : 3;          /* reserved, always 0 */
    unsigned type : 4;              /* descriptor type code */
    unsigned s : 1;                 /* always 0: system descriptor */
    unsigned dpl : 2;               /* descriptor privilege level (DPL) */
    unsigned p : 1;                 /* 1 = present/valid */
    unsigned offset_high : 16;      /* high 16 bits of the 32-bit target offset */
} GATEDESCRIPTOR;
/*
 * Argument block for call type 0: a snapshot of the control and debug
 * registers, presumably filled in by the ring-0 code (not in this chunk).
 * cr4 is deliberately left out (see the commented field).
 */
typedef struct _CALL_ARG_0
{
    unsigned int cr0;
    unsigned int cr2;
    unsigned int cr3;
    /*
     * unsigned int cr4;
     */
    unsigned int dr0;
    unsigned int dr1;
    unsigned int dr2;
    unsigned int dr3;
    unsigned int dr6;
    unsigned int dr7;
} CALL_ARG_0;
/*
 * Argument block for call type 1: MmGetPhysicalAddress.
 * LinearAddress is the input; PhysicalAddress presumably receives the result
 * (see PrivateMmGetPhysicalAddress).
 */
typedef struct _CALL_ARG_1
{
    PVOID LinearAddress;
    PHYSICAL_ADDRESS PhysicalAddress;
} CALL_ARG_1;
/*
 * Argument block for call type 2: memory copy of len bytes from src to dst.
 * NOTE(review): nothing here bounds src/dst/len; the ring-0 side is expected
 * to validate them -- its body is not in this chunk.
 */
typedef struct _CALL_ARG_2
{
    PVOID src;
    PVOID dst;
    ULONG len;
} CALL_ARG_2;
#pragma pack(pop)
/*
* <<Intel Architecture Software Developer's Manual. Volume 3>>
*************************************************************************
*/
/*
 * See the DDK documentation and <<Windows NT/2000 Native API Reference>> by
 * Gary Nebbett. These native API routines are exported by ntdll.dll and are
 * resolved at run time into the static function pointers declared below
 * (presumably by LocateNtdllEntry); all use the __stdcall convention.
 */
typedef VOID ( __stdcall *RTLINITUNICODESTRING ) ( IN OUT PUNICODE_STRING DestinationString, IN PCWSTR SourceString );
typedef NTSTATUS ( __stdcall *ZWOPENSECTION ) ( OUT PHANDLE SectionHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes );
typedef NTSTATUS ( __stdcall *ZWCLOSE ) ( IN HANDLE Handle );
/* BaseAddress, SectionOffset and ViewSize are in/out: the kernel may round them to page/allocation granularity. */
typedef NTSTATUS ( __stdcall *ZWMAPVIEWOFSECTION ) ( IN HANDLE SectionHandle, IN HANDLE ProcessHandle, IN OUT PVOID *BaseAddress, IN ULONG ZeroBits, IN ULONG CommitSize, IN OUT PLARGE_INTEGER SectionOffset, IN OUT PULONG ViewSize, IN SECTION_INHERIT InheritDisposition, IN ULONG AllocationType, IN ULONG Protect );
typedef NTSTATUS ( __stdcall *ZWUNMAPVIEWOFSECTION ) ( IN HANDLE ProcessHandle, IN PVOID BaseAddress );
/* ReturnLength is optional; when the buffer is too small it reports the size actually needed. */
typedef NTSTATUS ( __stdcall *ZWQUERYSYSTEMINFORMATION ) ( IN SYSTEM_INFORMATION_CLASS SystemInformationClass, IN OUT PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength OPTIONAL );
/* Maps an NTSTATUS to a Win32 error code, presumably used by PrintZwError. */
typedef ULONG ( __stdcall *RTLNTSTATUSTODOSERROR ) ( IN NTSTATUS Status );
/*
 * See ntddk.h and Phrack Magazine 59-0x10. These kernel APIs are exported by
 * ntoskrnl.exe and can only be called at ring 0; the pointer below is resolved
 * in user mode (presumably by LocateNtoskrnlEntry) and handed to the ring-0 code.
 */
typedef PHYSICAL_ADDRESS ( *MMGETPHYSICALADDRESS ) ( IN PVOID BaseAddress );
/************************************************************************
* *
* Function Prototype *
* *
************************************************************************/
/*
 * Overview: the prototypes below belong to a user-mode program that maps
 * physical memory through a section object, installs a call gate in the GDT
 * and runs a code buffer at ring 0 with one of the CALL_ARG_* blocks.
 * Function bodies are not in this chunk; the per-function comments are taken
 * from the names and parameter lists and should be checked against the bodies.
 * NOTE(review): the whole scheme depends on user-mode access to the
 * physical-memory section, which here requires administrative rights
 * (SetPhysicalMemoryDACLs) and which later Windows releases no longer grant,
 * so this is an XP-era technique and a detection/hardening reference rather
 * than something that works on current systems.
 */

/*
 * Runs Ring0Code (Ring0CodeLength bytes) at ring 0 through a call gate using
 * the given selector. call_type selects which CALL_ARG_* structure call_arg
 * points to (presumably 0/1/2 matching the struct names -- confirm).
 */
static VOID ExecuteRing0Code ( PVOID Ring0Code,
                               ULONG Ring0CodeLength,
                               unsigned short int selector,
                               unsigned int call_type,
                               void *call_arg );
/*
 * Function form of the DDK InitializeObjectAttributes macro: fills
 * *InitializedAttributes with the name, OBJ_* attributes, root directory and
 * security descriptor for a ZwOpenSection call.
 */
static VOID InitializeObjectAttributes
(
    OUT POBJECT_ATTRIBUTES InitializedAttributes,
    IN PUNICODE_STRING ObjectName,
    IN ULONG Attributes,
    IN HANDLE RootDirectory,
    IN PSECURITY_DESCRIPTOR SecurityDescriptor
);
/*
 * Writes a call gate targeting CodeOffset into the GDT described by
 * Gdtrbase/Gdtrlimit. orig_callgate presumably receives the descriptor that
 * was overwritten so it can be restored afterwards; the return value is the
 * installed gate (NULL on failure -- confirm against the body).
 */
static GATEDESCRIPTOR *
InstallCallgate ( ULONG Gdtrbase, ULONG Gdtrlimit,
                  DWORD CodeOffset,
                  GATEDESCRIPTOR *orig_callgate );
/* Resolves the ntdll.dll exports into the static pointers below; FALSE on failure (presumably). */
static BOOLEAN LocateNtdllEntry ( void );
/* Resolves the ntoskrnl.exe export(s) into the static pointer(s) below; FALSE on failure (presumably). */
static BOOLEAN LocateNtoskrnlEntry ( void );
/*
 * Maps *MapSize bytes at *PhysicalAddress from SectionHandle into this process
 * with the given page Protect. LinearAddress, MapSize and PhysicalAddress are
 * in/out, presumably adjusted to the granularity ZwMapViewOfSection imposes.
 */
static BOOLEAN MapPhysicalMemory (
    IN HANDLE SectionHandle,
    IN OUT PVOID *LinearAddress,
    IN OUT PULONG MapSize,
    IN OUT PLARGE_INTEGER PhysicalAddress,
    IN ULONG Protect
);
/* Opens the physical-memory section with DesiredAccess; returns the handle (NULL on failure, presumably). */
static HANDLE OpenPhysicalMemory ( ACCESS_MASK DesiredAccess );
/* Writes byteArrayLen bytes of byteArray to out (dump format not visible in this chunk). */
static void outputBinary ( FILE *out,
                           const unsigned char *byteArray,
                           const size_t byteArrayLen );
/* Prints message followed by a description of the Win32 error code dwMessageId. */
static void PrintWin32Error ( char *message, DWORD dwMessageId );
/* Prints message followed by a description of the NTSTATUS (presumably via RtlNtStatusToDosError). */
static void PrintZwError ( char *message, NTSTATUS status );
/*
 * Returns the load base of the kernel module called ModuleName, presumably by
 * walking the SystemModuleInformation list (see SYSTEM_MODULE_INFORMATION);
 * NULL when not found.
 */
static PVOID PrivateFindModule ( const char *ModuleName );
/* User-mode front end to MmGetPhysicalAddress for LinearAddress, presumably run at ring 0 with a CALL_ARG_1. */
static PHYSICAL_ADDRESS
PrivateMmGetPhysicalAddress ( IN PVOID LinearAddress );
/*
 * A prototype for Ring0Code() cannot be declared here (original author's
 * note; the reason is not given in this chunk).
 */
/* Adjusts the DACL of the object `handle` named ptstrName so this process can open it for the access it needs (aclapi.h). */
static BOOLEAN SetPhysicalMemoryDACLs ( HANDLE handle, LPTSTR ptstrName );
/* Releases a view previously returned by MapPhysicalMemory. */
static VOID UnmapPhysicalMemory ( IN PVOID LinearAddress );
/* Prints the command-line help from the file header; arg is the program name. */
static void usage ( char *arg );
/************************************************************************
* *
* Static Global Var *
* *
************************************************************************/
/*
 * Native API function pointers exported by ntdll.dll. They start out NULL and
 * are presumably filled in by LocateNtdllEntry; callers must not use them
 * before that succeeds.
 */
static RTLINITUNICODESTRING RtlInitUnicodeString = NULL;
static ZWOPENSECTION ZwOpenSection = NULL;
static ZWCLOSE ZwClose = NULL;
static ZWMAPVIEWOFSECTION ZwMapViewOfSection = NULL;
static ZWUNMAPVIEWOFSECTION ZwUnmapViewOfSection = NULL;
static ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL;
static RTLNTSTATUSTODOSERROR RtlNtStatusToDosError = NULL;
/*
 * Kernel API function pointer exported by ntoskrnl.exe, presumably filled in by
 * LocateNtoskrnlEntry. This is a kernel-mode address: it is only meaningful to
 * the ring-0 code and must never be called directly from user mode.
 */
static MMGETPHYSICALADDRESS MmGetPhysicalAddress = NULL;
/* Presumably filled by GetSystemInfo (page size / allocation granularity); its use is not in this chunk. */
static SYSTEM_INFO system_info;
/************************************************************************/
static VOID ExecuteRing0Code ( PVOID Ring0Code,
ULONG Ring0CodeLength,