native.c

Undocumented Windows NT 中文版CHM格式

								hKeyCreated,
								NULL);

	rc=NtOpenKey(&hKey,
					MAXIMUM_ALLOWED,
					&ObjectAttr);

	if (rc!=STATUS_SUCCESS) {
		printf("Unable to open key, rc=%x\n", rc);
		goto ExitFunction;
	}

	rc=NtDeleteKey(hKey);

	if (rc!=STATUS_SUCCESS) {
		printf("Unable to delete key, rc=%x\n", rc);
		NtClose(hKey);
		goto ExitFunction;
	}
	NtClose(hKey);


	/* Delete values under HKEY_LOCAL_MACHINE\Software\TestKey */
	RtlInitUnicodeString(&ValueName, L"Value1");
	rc=NtDeleteValueKey(hKeyCreated,
						&ValueName);

	if (rc!=STATUS_SUCCESS) {
		printf("Unable to delete value, rc=%x\n", rc);
		goto ExitFunction;
	}

	RtlInitUnicodeString(&ValueName, L"Value2");
	rc=NtDeleteValueKey(hKeyCreated,
						&ValueName);

	if (rc!=STATUS_SUCCESS) {
		printf("Unable to delete value, rc=%x\n", rc);
		goto ExitFunction;
	}

	NtQuerySystemTime(&KeyWriteTimeInfo.LastWriteTime);

	NtSetInformationKey(hKeyCreated,
							KeyWriteTimeInformation,
							&KeyWriteTimeInfo,
							sizeof(KeyWriteTimeInfo));

	rc=NtDeleteKey(hKeyCreated);
	if (rc!=STATUS_SUCCESS) {
		printf("Unable to delete key, rc=%x\n", rc);
	}


ExitFunction:
	NtClose(hKeyCreated);

	rc=NtFlushKey(hKeyOpened);
	if (rc!=STATUS_SUCCESS) {
		printf("Unable to flush key, rc=%x\n", rc);
	}
	NtClose(hKeyOpened);
}

#define STACK_SIZE 10000 
static ULONG Stack[STACK_SIZE];


void _stdcall ThreadApcRoutine(PVOID ApcContext, PVOID SystemArgument1, PVOID SystemArgument2)
{
	printf("ThreadApcRoutine called\n");
	NtTerminateThread(NtCurrentThread(), 0);
	return;
}


void NewThreadFunc()
{
	while (1) {
		LARGE_INTEGER Timeout;
		NTSTATUS rc;

		printf("Inside NewThreadFunc\n");

		Timeout.QuadPart=0;
		rc=NtDelayExecution(TRUE, &Timeout);
		if (rc!=STATUS_SUCCESS) {
			printf("NtDelayExecution failed, rc=%x\n", rc);
			return;
		} 
	}
}

void ThreadFunc(int Param)
{
	while (1) {
		printf("Inside ThreadFunc\n");
	}
}


ThreadManagement()
{
	UNICODE_STRING ThreadName;
	OBJECT_ATTRIBUTES ObjectAttr;
	NTSTATUS rc;
	HANDLE hThreadCreated, hThreadOpened;
	CLIENT_ID ClientId;
	CONTEXT Context;
	STACKINFO StackInfo;
	LARGE_INTEGER Timeout;
	ULONG SuspendCount;

	RtlInitUnicodeString(&ThreadName, L"\\MyThread");

	InitializeObjectAttributes(&ObjectAttr,
								&ThreadName,
								OBJ_CASE_INSENSITIVE,
								NULL,
								NULL);

	StackInfo.TopOfStack=(ULONG)&Stack[STACK_SIZE];
	StackInfo.BottomOfStack=(ULONG)&Stack[-1];
	StackInfo.OnePageBelowTopOfStack=(ULONG)(&Stack[STACK_SIZE]-4096);


	Context.ContextFlags=CONTEXT_FULL;
	rc=NtGetContextThread(NtCurrentThread(), &Context);
	if (rc!=STATUS_SUCCESS) {
		printf("Unable to get context of current thread\n");
		return 0;
	}

	Context.Eip=(ULONG)ThreadFunc;
	Context.Esp=StackInfo.TopOfStack;

	rc=NtCreateThread(&hThreadCreated,
						THREAD_ALL_ACCESS,
						&ObjectAttr,
						NtCurrentProcess(),
						&ClientId,
						&Context,
						&StackInfo,
						FALSE);
	if (rc!=STATUS_SUCCESS) {
		printf("Unable to create thread, rc=%x\n", rc);
		return 0;
	}

	/* Open thread by name */
	rc=NtOpenThread(&hThreadOpened,
					MAXIMUM_ALLOWED,
					&ObjectAttr,
					NULL);
	if (rc!=STATUS_SUCCESS) {
		printf("NtOpenThread with threadname failed, rc=%x\n", rc);
		goto ExitFunction;
	}
	printf("hThreadOpened=%x\n", hThreadOpened);
	NtClose(hThreadOpened);

	/* Open thread by Client id */
	InitializeObjectAttributes(&ObjectAttr,
								NULL,
								OBJ_CASE_INSENSITIVE,
								NULL,
								NULL);

	rc=NtOpenThread(&hThreadOpened,
					MAXIMUM_ALLOWED,
					&ObjectAttr,
					&ClientId);
	if (rc!=STATUS_SUCCESS) {
		printf("NtOpenThread with threadid failed, rc=%x\n", rc);
		goto ExitFunction;
	}
	printf("hThreadOpened=%x\n", hThreadOpened);
	NtClose(hThreadOpened);


	/* Give some chance for the created thread to execute */
	NtYieldExecution();


	/* Suspend, change context and resume*/
	rc=NtSuspendThread(hThreadCreated,
						&SuspendCount);
	if (rc!=STATUS_SUCCESS) {
		printf("NtSuspendThread failed, rc=%x\n", rc);
		goto ExitFunction;
	}

	Context.ContextFlags=CONTEXT_FULL;
	rc=NtGetContextThread(hThreadCreated,
						&Context);
	if (rc!=STATUS_SUCCESS) {
		printf("NtGetContextThread failed, rc=%x\n", rc);
		goto ExitFunction;
	}
	Context.Eip=(ULONG)NewThreadFunc;
	rc=NtSetContextThread(hThreadCreated,
						&Context);
	if (rc!=STATUS_SUCCESS) {
		printf("NtSetContextThread failed, rc=%x\n", rc);
		goto ExitFunction;
	}
	rc=NtResumeThread(hThreadCreated,
						&SuspendCount);
	if (rc!=STATUS_SUCCESS) {
		printf("NtResumeThread failed, rc=%x\n", rc);
		goto ExitFunction;
	}

	/* Give some chance for the thread after changing the context */
	NtYieldExecution();


	/* Queue and APC to thread */
	rc=NtQueueApcThread(hThreadCreated,
						(PKNORMAL_ROUTINE)ThreadApcRoutine,
						NULL,
						NULL,
						NULL);

	if (rc!=STATUS_SUCCESS) {
		printf("NtQueueApcThread failed, rc=%x\n", rc);
		goto ExitFunction;
	}


	/* Wait for the thread to terminate */
	Timeout.QuadPart=-(10^20);
	rc=NtWaitForSingleObject(hThreadCreated,
						TRUE,
						&Timeout);
	if (rc!=STATUS_SUCCESS) {
		printf("NtWaitForSingleObject failed, rc=%x\n", rc);
		goto ExitFunction;
	}

ExitFunction:
	NtClose(hThreadCreated);
}


SectionManagement()
{
	NTSTATUS rc;
	HANDLE hSectionCreated, hSectionOpened;
	OBJECT_ATTRIBUTES ObjectAttr;
	UNICODE_STRING SectionName;
	LARGE_INTEGER MaxSize;
	ULONG SectionSize=8192;
	PVOID BaseAddress=NULL;


	RtlInitUnicodeString(&SectionName, L"\\MySection");
	InitializeObjectAttributes(&ObjectAttr,
								&SectionName,
								OBJ_CASE_INSENSITIVE,
								NULL,
								NULL);

	MaxSize.HighPart=0;
	MaxSize.LowPart=SectionSize;

	rc=NtCreateSection(&hSectionCreated,
					SECTION_ALL_ACCESS,
					&ObjectAttr,
					&MaxSize,
					PAGE_READWRITE,
					SEC_COMMIT,
					NULL);
	if (rc!=STATUS_SUCCESS) {
		printf("Unable to create section, rc=%x\n", rc);
		return 0;
	}
	printf("hSectionCreated=%x\n", hSectionCreated);

	rc=NtOpenSection(&hSectionOpened,
					MAXIMUM_ALLOWED,
					&ObjectAttr);
	if (rc!=STATUS_SUCCESS) {
		printf("Unable to open section, rc=%x\n", rc);
		NtClose(hSectionCreated);
		return 0;
	}
	printf("hSectionOpened=%x\n", hSectionOpened);

	rc=NtMapViewOfSection(hSectionCreated,
						NtCurrentProcess(),
						&BaseAddress,
						0,
						SectionSize,
						NULL,
						&SectionSize,
					    ViewShare,
						0,
						PAGE_READWRITE);
	if (rc!=STATUS_SUCCESS) {
		printf("Unable to map section, rc=%x\n", rc);
		goto ExitFunction;
	}

	printf("Section mapped @%x, size=%x\n", BaseAddress, SectionSize);

	memset(BaseAddress, 0, SectionSize);


	rc=NtUnmapViewOfSection(NtCurrentProcess(),
							BaseAddress);
	if (rc!=STATUS_SUCCESS) {
		printf("Unable to unmap section, rc=%x\n", rc);
		goto ExitFunction;
	}

	printf("Section unmapped\n");

ExitFunction:
	NtClose(hSectionCreated);
	NtClose(hSectionOpened);
}

HandleException(PVOID BaseAddress, ULONG SizeRequestedOrAllocated)
{
	NTSTATUS rc;
	rc=NtAllocateVirtualMemory(NtCurrentProcess(),
							&BaseAddress,
							3,
							&SizeRequestedOrAllocated,
							MEM_COMMIT,
							PAGE_READWRITE);
	if (rc!=STATUS_SUCCESS) {
		printf("NtAllocateVirtualMemory failed, rc=%x\n", rc);
		return EXCEPTION_EXECUTE_HANDLER;
	}
	printf("Memory commited\n");
	return EXCEPTION_CONTINUE_EXECUTION;
}


DumpMemoryInformation(PVOID BaseAddress, ULONG SizeRequestedAllocated)
{
	char Buffer[4096];
	PMEMORY_BASIC_INFORMATION pMemoryBasicInfo;
	ULONG BytesReturned;
	NTSTATUS rc;

	memset(Buffer, 0, sizeof(Buffer));
	rc=NtQueryVirtualMemory(NtCurrentProcess(),
							BaseAddress,
							MemoryBasicInformation,
							Buffer,
							sizeof(Buffer),
							&BytesReturned);
	if (rc!=STATUS_SUCCESS) {
		printf("NtQueryVirtualMemory failed, rc=%x\n", rc);
		return 0;
	}
	pMemoryBasicInfo=(PMEMORY_BASIC_INFORMATION)Buffer;
	printf("BytesReturned=%x\n", BytesReturned);

	printf("pMemoryBasicInfo->BaseAddress   = %x\n", pMemoryBasicInfo->BaseAddress);
	printf("pMemoryBasic->AllocationBase    = %x\n", pMemoryBasicInfo->AllocationBase);
	printf("pMemoryBasic->AllocationProtect = %x\n", pMemoryBasicInfo->AllocationProtect);
	printf("pMemoryBasic->RegionSize        = %x\n", pMemoryBasicInfo->RegionSize);
	printf("pMemoryBasic->State             = %x\n", pMemoryBasicInfo->State);
	printf("pMemoryBasic->Protect           = %x\n", pMemoryBasicInfo->Protect);
	printf("pMemoryBasic->Type              = %x\n", pMemoryBasicInfo->Type);
}


MemoryManagement()
{
	PVOID BaseAddress=NULL;
	ULONG SizeRequestedAllocated=1;
	NTSTATUS rc;
	ULONG OldProtect;
	char Buffer[100];
	ULONG Len, BytesRead, BytesWritten;


	rc=NtAllocateVirtualMemory(NtCurrentProcess(),
							&BaseAddress,
							3,
							&SizeRequestedAllocated,
							MEM_RESERVE,
							PAGE_READWRITE);
	if (rc!=STATUS_SUCCESS) {
		printf("NtAllocateVirtualMemory failed, rc=%x\n", rc);
		return 0;
	}
	printf("Memory of size %x allocated @%x\n", SizeRequestedAllocated, BaseAddress);


	__try {
		memset(BaseAddress, 'A', SizeRequestedAllocated);
	}
	__except (HandleException(BaseAddress, SizeRequestedAllocated)) {
	}		


	DumpMemoryInformation(BaseAddress, SizeRequestedAllocated);


	rc=NtProtectVirtualMemory(NtCurrentProcess(),
							&BaseAddress,
							&SizeRequestedAllocated,
							PAGE_READONLY,
							&OldProtect);
	if (rc!=STATUS_SUCCESS) {
		printf("NtProtectVirtualMemory failed, rc=%x\n", rc);
		goto ExitFunction;
	}
	printf("OldProtect=%x\n", OldProtect);
	DumpMemoryInformation(BaseAddress, SizeRequestedAllocated);

	if (!EnableOrDisablePrivilege(SE_LOCK_MEMORY_PRIVILEGE, FALSE)) {
		printf("EnableOrDisablePrivilege failed\n");
		goto ExitFunction;
	}

	rc=NtLockVirtualMemory(NtCurrentProcess(),
						&BaseAddress,
						&SizeRequestedAllocated,
						1);

	EnableOrDisablePrivilege(SE_LOCK_MEMORY_PRIVILEGE, TRUE);
	if (rc!=STATUS_SUCCESS) {
		printf("NtLockVirtualMemory failed, rc=%x\n", rc);
		goto ExitFunction;
	}


	if (!EnableOrDisablePrivilege(SE_LOCK_MEMORY_PRIVILEGE, FALSE)) {
		printf("EnableOrDisablePrivilege failed\n");
		goto ExitFunction;
	}

	rc=NtUnlockVirtualMemory(NtCurrentProcess(),
						&BaseAddress,
						&SizeRequestedAllocated,
						1);


	EnableOrDisablePrivilege(SE_LOCK_MEMORY_PRIVILEGE, TRUE);
	if (rc!=STATUS_SUCCESS) {
		printf("NtunlockVirtualMemory failed, rc=%x\n", rc);
		goto ExitFunction;
	}

	rc=NtProtectVirtualMemory(NtCurrentProcess(),
							&BaseAddress,
							&SizeRequestedAllocated,
							PAGE_READWRITE,
							&OldProtect);
	if (rc!=STATUS_SUCCESS) {
		printf("NtProtectVirtualMemory failed, rc=%x\n", rc);
		goto ExitFunction;
	}

	strcpy(Buffer, "Hello");
	Len=strlen(Buffer)+1;

	rc=NtWriteVirtualMemory(NtCurrentProcess(),
							BaseAddress,
							Buffer,
							Len,
							&BytesWritten);
	if (rc!=STATUS_SUCCESS) {
		printf("NtWriteVirtualMemory failed, rc=%x\n", rc);
		goto ExitFunction;
	}
	printf("BytesWritten=%x\n", BytesWritten);

	memset(Buffer, 0, sizeof(Buffer));

	rc=NtReadVirtualMemory(NtCurrentProcess(),
							BaseAddress,
							Buffer,
							Len,
							&BytesRead);
	if (rc!=STATUS_SUCCESS) {
		printf("NtWriteVirtualMemory failed, rc=%x\n", rc);
		goto ExitFunction;
	}

	printf("BytesRead=%x %s\n", BytesRead, Buffer);


ExitFunction:
	rc=NtFreeVirtualMemory(NtCurrentProcess(),
							&BaseAddress,
							&SizeRequestedAllocated,
							MEM_DECOMMIT);
	if (rc!=STATUS_SUCCESS) {
		printf("NtFreeVirtualMemory failed, rc=%x\n", rc);
		return 0;
	}

	rc=NtFreeVirtualMemory(NtCurrentProcess(),
							&BaseAddress,
							&SizeRequestedAllocated,
							MEM_RELEASE);
	if (rc!=STATUS_SUCCESS) {
		printf("NtFreeVirtualMemory failed, rc=%x\n", rc);
		return 0;
	}