/*++
Copyright (c) 1990-98 Microsoft Corporation All Rights Reserved
Module Name:
testapp.c
Abstract:
Author:
Eliyas Yakub
Environment:
Win32 console multi-threaded application
Revision History:
--*/
#include <windows.h>
#include <winioctl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "..\sys\Interface.h"
/*
 * ManageDriver -- install or remove the OSInfo driver service; Function is
 * one of the DRIVER_FUNC_* values used in main (INSTALL / REMOVE).
 * Presumably defined in a sibling translation unit of this sample.
 */
BOOLEAN
ManageDriver(
IN LPCTSTR DriverName,
IN LPCTSTR ServiceName,
IN USHORT Function
);
/*
 * SetupDriverName -- fill DriverLocation (a MAX_PATH UCHAR buffer supplied
 * by main) with the full path of the driver binary. Returns FALSE when the
 * path could not be built. Presumably defined in a sibling translation unit.
 */
BOOLEAN
SetupDriverName(
PUCHAR DriverLocation
);
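/*
 * DEVICE_IO_CTRL -- zero outBuf, send IOCTL `ID` to hDevice with outBuf as
 * both the input and the output buffer, and return from the calling function
 * (void main) with a diagnostic if DeviceIoControl fails.
 *
 * Relies on hDevice, bRc and bytesReturned being in scope at the call site.
 * The expansion is wrapped in do { } while (0) so that it behaves as a single
 * statement (an unbraced `if (x) DEVICE_IO_CTRL(...);` would otherwise only
 * guard the memset), and every macro argument is parenthesised.
 */
#define DEVICE_IO_CTRL(ID, outBuf, len) \
do { \
memset((outBuf), 0, (len)); \
bRc = DeviceIoControl ( hDevice, \
(DWORD) (ID), \
(outBuf), \
(len), \
(outBuf), \
(len), \
&bytesReturned, \
NULL ); \
if ( !bRc ) \
{ \
/* GetLastError() returns a DWORD (unsigned long): %lu, not %d. */ \
printf ( "Error in DeviceIoControl : %lu", GetLastError()); \
return; \
} \
} while (0)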
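/*
 * IssueIoctl -- zero `buf`, then send IOCTL `id` to the OSInfo device using
 * `buf` as both the input and the output buffer (the convention every call
 * site below relies on).
 *
 * Returns TRUE on success. On failure the Win32 error is printed and FALSE is
 * returned so the caller can unwind through the common cleanup path; the old
 * DEVICE_IO_CTRL macro returned straight out of main, leaking the heap
 * buffers and the device handle and leaving the driver installed.
 */
static BOOL
IssueIoctl(HANDLE hDevice, ULONG id, void *buf, ULONG len)
{
    ULONG bytesReturned = 0;

    memset(buf, 0, len);
    if (!DeviceIoControl(hDevice, (DWORD)id, buf, len, buf, len, &bytesReturned, NULL))
    {
        // GetLastError() is a DWORD (unsigned long), hence %lu.
        printf("Error in DeviceIoControl : %lu\n", GetLastError());
        return FALSE;
    }
    return TRUE;
}

/*
 * OpenOsInfoDevice -- open \\.\OSInfo; when the device does not exist yet,
 * install and start the driver and retry the open.
 *
 * driverLocation: MAX_PATH buffer that receives the driver path when an
 * install was necessary (left untouched when the device was already there).
 * Returns the device handle, or INVALID_HANDLE_VALUE after printing why.
 */
static HANDLE
OpenOsInfoDevice(PUCHAR driverLocation)
{
    HANDLE hDevice;
    ULONG errNum;

    hDevice = CreateFile("\\\\.\\OSInfo",
                         GENERIC_READ | GENERIC_WRITE,
                         0,
                         NULL,
                         CREATE_ALWAYS,
                         FILE_ATTRIBUTE_NORMAL,
                         NULL);
    if (hDevice != INVALID_HANDLE_VALUE)
    {
        return hDevice;
    }

    errNum = GetLastError();
    if (errNum != ERROR_FILE_NOT_FOUND)
    {
        // Anything other than "device not there yet" is fatal. The old text
        // named ERROR_FILE_NOT_FOUND, which is the one error this branch
        // does not report; errNum is a ULONG, hence %lu.
        printf("CreateFile failed! Error = %lu\n", errNum);
        return INVALID_HANDLE_VALUE;
    }

    //
    // The driver is not started yet so let us install the driver.
    // First setup full path to driver name.
    //
    if (!SetupDriverName(driverLocation))
    {
        return INVALID_HANDLE_VALUE;
    }
    if (!ManageDriver(DRIVER_NAME, driverLocation, DRIVER_FUNC_INSTALL))
    {
        printf("Unable to install driver. \n");
        //
        // Error - remove driver.
        //
        ManageDriver(DRIVER_NAME, driverLocation, DRIVER_FUNC_REMOVE);
        return INVALID_HANDLE_VALUE;
    }

    hDevice = CreateFile("\\\\.\\OSInfo",
                         GENERIC_READ | GENERIC_WRITE,
                         0,
                         NULL,
                         CREATE_ALWAYS,
                         FILE_ATTRIBUTE_NORMAL,
                         NULL);
    if (hDevice == INVALID_HANDLE_VALUE)
    {
        printf("Error: CreatFile Failed : %lu\n", GetLastError());
    }
    return hDevice;
}

/* PrintMenu -- the interactive command list shown before the prompt. */
static void
PrintMenu(void)
{
    printf("===Bruce An: Choose a cmd and enter===============================\n");
    printf("\t b--Dump kernal baseinfo\n");
    printf("\t t--Dump SSDT with modified flag\n");
    printf("\t n--Dump SSDT with service name from ntdll\n");
    printf("\t k--Dump SSDT with service name from kernal\n");
    printf("\t w--Set a work item dump first 4K of ntoskernal to C:\\WorkItem.log\n");
    printf("\t r--Dump KCB of HKEY_LOCAL_MACHINE\n");
    printf("\t o--Dump Device Object\n");
    printf("\t p--Enum Process\n");
    printf("\t i--INT 3\n");
    printf("\t q--Quit\n");
    printf("Cmd:> ");
}

/*
 * DumpSsdtAddresses -- print the SSDT entry addresses eight per line, in
 * `hookedAttr` colour when the driver flagged the entry as modified and in
 * `normalAttr` otherwise. `ssdt` and `hookFlag` hold `count` entries each.
 */
static void
DumpSsdtAddresses(HANDLE hConsole, ULONG count, const ULONG *ssdt,
                  const CHAR *hookFlag, WORD hookedAttr, WORD normalAttr)
{
    ULONG i;

    SetConsoleTextAttribute(hConsole, normalAttr);
    printf("SSDT(%lu services)\t RED = Modified\n", count);
    for (i = 0; i < count; i++)
    {
        if (i != 0 && i % 8 == 0)
        {
            printf("\n");
        }
        SetConsoleTextAttribute(hConsole, hookFlag[i] ? hookedAttr : normalAttr);
        printf("%08lx ", ssdt[i]);
    }
    printf("\n");
}

/*
 * DumpSsdtWithNames -- print one "ID  Address  Name" row per service,
 * colouring hooked entries (hookFlag[i] != 0) with `hookedAttr`.
 *
 * `names` points at `count` consecutive SERVICENAME records. Each name is
 * printed with a precision of sizeof(SERVICENAME) so a record the driver
 * did not NUL-terminate cannot run into the next one.
 */
static void
DumpSsdtWithNames(HANDLE hConsole, ULONG count, const ULONG *ssdt,
                  const CHAR *hookFlag, const CHAR *names,
                  WORD hookedAttr, WORD normalAttr)
{
    ULONG i;

    // The old header read "%Address": %A is a conversion specifier with no
    // matching argument, i.e. undefined behaviour, not a literal '%'.
    printf("ID\tAddress \tName\n");
    for (i = 0; i < count; i++)
    {
        SetConsoleTextAttribute(hConsole, hookFlag[i] ? hookedAttr : normalAttr);
        printf("%lu\t%08lx\t%.*s\n", i, ssdt[i],
               (int)sizeof(SERVICENAME), names + i * sizeof(SERVICENAME));
    }
}

/*
 * main -- interactive test harness for the OSInfo driver.
 *
 * Opens (installing if needed) the device, queries the kernel base info once,
 * then loops on single-character commands from stdin until 'q' or EOF. All
 * exits after the device is open go through `End:` so the device handle and
 * the per-service buffers are released and the driver is removed again.
 * argc/argv are accepted for the entry-point signature and not used.
 */
VOID _cdecl main( ULONG argc, PCHAR argv[] )
{
    HANDLE hDevice = INVALID_HANDLE_VALUE;
    UCHAR driverLocation[MAX_PATH] = {0};
    NTOSKRNL NtOSKrnl = {0};
    PULONG pSSDT = NULL;
    PCHAR pHookFlag = NULL;
    PCHAR pServiceNames = NULL;
    DUMPKCB tDumpKCB = {0};
    ULONG ssdtBytes = 0;
    ULONG flagBytes = 0;
    ULONG namesBytes = 0;
    // Largest per-service element; used to bound ulSrvNum before computing
    // any of the three byte lengths above.
    size_t maxElem = sizeof(SERVICENAME) > sizeof(ULONG) ? sizeof(SERVICENAME) : sizeof(ULONG);
    HANDLE hWndConsole = NULL;
    WORD wOldFOREGROUND = 0;
    WORD wNewFOREGROUND = FOREGROUND_RED;
    WORD wDefFOREGROUND = FOREGROUND_BLUE|FOREGROUND_GREEN;
    // int, not CHAR: getchar() returns EOF (-1) out of band, and a CHAR
    // cannot tell it apart from a byte, so the old loop never terminated
    // once stdin was exhausted.
    int cCmdChar = 0;
    CONSOLE_SCREEN_BUFFER_INFO csbiInfo = {0};

    (void)argc;
    (void)argv;

    //
    // open the device
    //
    hDevice = OpenOsInfoDevice(driverLocation);
    if (hDevice == INVALID_HANDLE_VALUE)
    {
        return;
    }

    hWndConsole = GetStdHandle(STD_OUTPUT_HANDLE);
    if (hWndConsole == NULL || hWndConsole == INVALID_HANDLE_VALUE)
    {
        printf("GetStdHandle failed\n");
    }
    // GetConsoleScreenBufferInfo fails when stdout is not a console (e.g.
    // redirected); fall back to the default colour rather than reading an
    // attribute that was never written.
    if (GetConsoleScreenBufferInfo(hWndConsole, &csbiInfo))
    {
        wOldFOREGROUND = csbiInfo.wAttributes;
    }
    else
    {
        wOldFOREGROUND = wDefFOREGROUND;
    }

    /////////////////////////////////////////////////////////////////////////
    //
    // Performing IOCTL_GETKERNALBASEINFO
    //
    if (!IssueIoctl(hDevice, IOCTL_GETKERNALBASEINFO, &NtOSKrnl, sizeof(NtOSKrnl)))
    {
        goto End;
    }

    // ulSrvNum comes from the driver: reject 0 and any count whose byte size
    // would overflow the ULONG lengths handed to DeviceIoControl below.
    if (NtOSKrnl.ulSrvNum == 0 || NtOSKrnl.ulSrvNum > ULONG_MAX / maxElem)
    {
        printf("Unexpected service count from driver: %lu\n",
               (unsigned long)NtOSKrnl.ulSrvNum);
        goto End;
    }
    ssdtBytes  = (ULONG)(NtOSKrnl.ulSrvNum * sizeof(ULONG));
    flagBytes  = (ULONG)(NtOSKrnl.ulSrvNum * sizeof(CHAR));
    namesBytes = (ULONG)(NtOSKrnl.ulSrvNum * sizeof(SERVICENAME));

    // calloc zero-fills and overflow-checks the multiplication; the results
    // were previously handed to the driver unchecked.
    pSSDT = calloc(NtOSKrnl.ulSrvNum, sizeof(ULONG));
    pHookFlag = calloc(NtOSKrnl.ulSrvNum, sizeof(CHAR));
    pServiceNames = calloc(NtOSKrnl.ulSrvNum, sizeof(SERVICENAME));
    if (pSSDT == NULL || pHookFlag == NULL || pServiceNames == NULL)
    {
        printf("Out of memory\n");
        goto End;
    }

    while (TRUE)
    {
        // The newline that follows a command is read as its own iteration;
        // do not repeat the menu for it.
        if (cCmdChar != '\n')
        {
            PrintMenu();
        }
        cCmdChar = getchar();
        if (cCmdChar == EOF)
        {
            goto End;
        }
        switch (cCmdChar)
        {
        case '\n':
            break;
        case 'q':
        case 'Q':
            goto End;
        case 'i':
        case 'I':
            if (!IssueIoctl(hDevice, IOCTL_ASMINT3, pSSDT, ssdtBytes))
            {
                goto End;
            }
            break;
        case 'b':
        case 'B':
            SetConsoleTextAttribute(hWndConsole, wDefFOREGROUND);
            // NOTE(review): the ul* fields are assumed to be ULONG (see
            // Interface.h); the casts keep the %lu/%lx arguments well-typed.
            printf("Image: %s\tSize: %lu\nBaseAddr: %08lx\tEndAddr: %08lx\n\n",
                   NtOSKrnl.a_bName,
                   (unsigned long)(NtOSKrnl.ulEndAddr - NtOSKrnl.ulBaseAddr),
                   (unsigned long)NtOSKrnl.ulBaseAddr,
                   (unsigned long)NtOSKrnl.ulEndAddr);
            break;
        case 't':
        case 'T':
            if (!IssueIoctl(hDevice, IOCTL_GETSSDT, pSSDT, ssdtBytes) ||
                !IssueIoctl(hDevice, IOCTL_GETSSDTHOOKFLAG, pHookFlag, flagBytes))
            {
                goto End;
            }
            DumpSsdtAddresses(hWndConsole, NtOSKrnl.ulSrvNum, pSSDT, pHookFlag,
                              wNewFOREGROUND, wDefFOREGROUND);
            break;
        case 'n':
        case 'N':
        case 'k':
        case 'K':
            {
                // 'n' resolves names via ntdll, 'k' via the kernel; the
                // rest of the dump is identical.
                ULONG nameIoctl = (cCmdChar == 'n' || cCmdChar == 'N')
                                  ? IOCTL_GETSERVICENAMES
                                  : IOCTL_GETSERVICENAMESKRL;
                if (!IssueIoctl(hDevice, IOCTL_GETSSDT, pSSDT, ssdtBytes) ||
                    !IssueIoctl(hDevice, nameIoctl, pServiceNames, namesBytes) ||
                    !IssueIoctl(hDevice, IOCTL_GETSSDTHOOKFLAG, pHookFlag, flagBytes))
                {
                    goto End;
                }
                DumpSsdtWithNames(hWndConsole, NtOSKrnl.ulSrvNum, pSSDT, pHookFlag,
                                  pServiceNames, wNewFOREGROUND, wDefFOREGROUND);
                break;
            }
        case 'w':
        case 'W':
            if (!IssueIoctl(hDevice, IOCTL_SETWORKITEM, pSSDT, ssdtBytes))
            {
                goto End;
            }
            break;
        case 'r':
        case 'R':
            if (!IssueIoctl(hDevice, IOCTL_DUMPKCB, &tDumpKCB, sizeof(tDumpKCB)))
            {
                goto End;
            }
            SetConsoleTextAttribute(hWndConsole, wDefFOREGROUND);
            // NOTE(review): DUMPKCB field types live in Interface.h. Going
            // through ULONG_PTR makes the conversion defined whether a field
            // is a handle, a pointer or a ULONG; on a 64-bit build the upper
            // half is dropped by the final cast.
            printf("Handle = %08lX\t KCB = %08lX\t Hive = %08lX\t Cell = %08lX\n",
                   (unsigned long)(ULONG_PTR)tDumpKCB.hKey,
                   (unsigned long)(ULONG_PTR)tDumpKCB.pKCB,
                   (unsigned long)(ULONG_PTR)tDumpKCB.pHive,
                   (unsigned long)(ULONG_PTR)tDumpKCB.ulCell);
            break;
        case 'o':
        case 'O':
            {
                // One WCHAR beyond what the driver may fill guarantees the
                // string handed to wprintf is terminated.
                ULONG nSize = 1024 * 1024 * sizeof(WCHAR);
                PWCHAR pwsDevice = calloc(nSize + sizeof(WCHAR), 1);
                if (pwsDevice == NULL)
                {
                    printf("Out of memory\n");
                    goto End;
                }
                if (!IssueIoctl(hDevice, IOCTL_DUMPDEVICEOBJECT, pwsDevice, nSize))
                {
                    free(pwsDevice);
                    goto End;
                }
                SetConsoleTextAttribute(hWndConsole, wDefFOREGROUND);
                // %ls is the wide-string conversion in both standard C and
                // MSVC; plain %s means char* in a conforming wprintf.
                wprintf(L"%ls\n", pwsDevice);
                free(pwsDevice);
                break;
            }
        case 'p':
        case 'P':
            {
                // One extra byte beyond the driver's buffer keeps %s bounded.
                ULONG nSize = 1024 * 1024 * sizeof(CHAR);
                PCHAR psProcess = calloc(nSize + 1, 1);
                if (psProcess == NULL)
                {
                    printf("Out of memory\n");
                    goto End;
                }
                if (!IssueIoctl(hDevice, IOCTL_ENUMPROCESS, psProcess, nSize))
                {
                    free(psProcess);
                    goto End;
                }
                SetConsoleTextAttribute(hWndConsole, wDefFOREGROUND);
                printf("%s\n", psProcess);
                free(psProcess);
                break;
            }
        default:
            printf("Unsupported Cmd ! \n");
            break;
        }
        SetConsoleTextAttribute(hWndConsole, wOldFOREGROUND);
    }

End:
    /////////////////////////////////////////////////////////////////////////
    // Restore the console colour even when we left the loop mid-dump.
    SetConsoleTextAttribute(hWndConsole, wOldFOREGROUND);
    //
    // close the handle to the device.
    //
    CloseHandle(hDevice);
    free(pSSDT);
    free(pHookFlag);
    free(pServiceNames);
    //
    // Unload the driver. Ignore any errors.
    //
    ManageDriver(DRIVER_NAME,
                 driverLocation,
                 DRIVER_FUNC_REMOVE
                 );
}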