[原创]微点主动防御 1.2.10580.0169 (及以下版本)内核拒绝服务漏洞
wordless.. |
|
[求助]如何用汇编强制删除文件
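怎么没人给代码呀,我来整一个:

//////////////////////////////////////////////////
// DeleteFile.cpp文件
//
// Kernel-mode driver that exposes a single IOCTL (IOCTL_DELETE_FILE). The
// IOCTL input buffer is a NUL-terminated wide path; the driver opens the file,
// clears its attributes and sets its delete disposition by sending two
// IRP_MJ_SET_INFORMATION IRPs straight to the file system device object.
//
// Security note: the control device is created with an SDDL that only lets
// SYSTEM and Administrators open it (IoCreateDeviceSecure), and the IOCTL
// path is validated before it is used. Both were missing in the first version.
extern "C" {
#include <ntddk.h>
#include <wdmsec.h>   // IoCreateDeviceSecure / SDDL_DEVOBJ_*; link against wdmsec.lib
}

// Control code. FILE_ANY_ACCESS means the I/O manager does not check the
// handle's access mask for this code; the device ACL set in DriverEntry is
// what restricts who may issue it.
#define IOCTL_DELETE_FILE CTL_CODE( FILE_DEVICE_UNKNOWN, 0x888, METHOD_BUFFERED, FILE_ANY_ACCESS )

// Device and symbolic-link names.
#define NT_DEVICE_NAME  L"\\Device\\DeleteFile"
#define DOS_DEVICE_NAME L"\\DosDevices\\DeleteFile"

// IRP_MJ_CREATE / IRP_MJ_CLOSE handler. Every open and close of the control
// device succeeds; the driver keeps no per-handle state.
NTSTATUS DispatchCreateClose( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp )
{
    UNREFERENCED_PARAMETER( DeviceObject );

    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest( Irp, IO_NO_INCREMENT );
    return STATUS_SUCCESS;
}

// Completion routine for the IRPs this driver allocates itself.
//
// Copies the lower driver's result into the requester's IO_STATUS_BLOCK
// (Irp->UserIosb), signals the requester's event (Irp->UserEvent) and frees
// the IRP. Returning STATUS_MORE_PROCESSING_REQUIRED stops the I/O manager
// from touching the IRP after it has been freed. UserIosb and UserEvent point
// into the requester's stack frame, which is why the requester must wait
// non-alertably for the event before returning.
NTSTATUS IoCompletion( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp, IN PVOID Context )
{
    UNREFERENCED_PARAMETER( DeviceObject );
    UNREFERENCED_PARAMETER( Context );

    Irp->UserIosb->Status = Irp->IoStatus.Status;
    Irp->UserIosb->Information = Irp->IoStatus.Information;
    KeSetEvent( Irp->UserEvent, IO_NO_INCREMENT, FALSE );
    IoFreeIrp( Irp );
    return STATUS_MORE_PROCESSING_REQUIRED;
}

// Builds an IRP_MJ_SET_INFORMATION IRP for pFileObj, sends it to pDeviceObj
// and waits for it to complete.
//
// pBuffer/uLength describe the FILE_*_INFORMATION structure for InfoClass.
// Returns the status the file system reported, or
// STATUS_INSUFFICIENT_RESOURCES when no IRP could be allocated.
// Must be called at PASSIVE_LEVEL (the wait below requires it).
static NTSTATUS SendSetFileInformation(
    IN PFILE_OBJECT pFileObj,
    IN PDEVICE_OBJECT pDeviceObj,
    IN FILE_INFORMATION_CLASS InfoClass,
    IN PVOID pBuffer,
    IN ULONG uLength )
{
    KEVENT Event;
    IO_STATUS_BLOCK IoStatus;
    PIRP pIrp;
    PIO_STACK_LOCATION pIoStack;

    KeInitializeEvent( &Event, SynchronizationEvent, FALSE );
    // Pre-set a failure so a completion that somehow never wrote the IOSB
    // is still reported as an error.
    IoStatus.Status = STATUS_UNSUCCESSFUL;
    IoStatus.Information = 0;

    pIrp = IoAllocateIrp( pDeviceObj->StackSize, TRUE );
    if ( pIrp == NULL ) {
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    pIrp->AssociatedIrp.SystemBuffer = pBuffer;
    pIrp->UserEvent = &Event;
    pIrp->UserIosb = &IoStatus;
    pIrp->Tail.Overlay.OriginalFileObject = pFileObj;
    pIrp->Tail.Overlay.Thread = (PETHREAD)KeGetCurrentThread();
    pIrp->RequestorMode = KernelMode;

    pIoStack = IoGetNextIrpStackLocation( pIrp );
    pIoStack->MajorFunction = IRP_MJ_SET_INFORMATION;
    pIoStack->DeviceObject = pDeviceObj;
    pIoStack->FileObject = pFileObj;
    pIoStack->Parameters.SetFile.Length = uLength;
    pIoStack->Parameters.SetFile.FileInformationClass = InfoClass;
    pIoStack->Parameters.SetFile.FileObject = pFileObj;

    // Completion routine runs on success, error and cancel, and frees the IRP;
    // pIrp must not be touched after IoCallDriver.
    IoSetCompletionRoutine( pIrp, IoCompletion, &Event, TRUE, TRUE, TRUE );
    (void)IoCallDriver( pDeviceObj, pIrp );

    // Non-alertable: an alertable wait could return before the completion
    // routine has run, leaving Event and IoStatus (on this stack) referenced
    // by an in-flight IRP.
    KeWaitForSingleObject( &Event, Executive, KernelMode, FALSE, NULL );
    return IoStatus.Status;
}

// Opens lpFileName (an NT path), resets its attributes to
// FILE_ATTRIBUTE_NORMAL and marks it for deletion; the deletion takes effect
// when the handle is closed at the end of this routine.
//
// Returns TRUE when the delete disposition was accepted by the file system,
// FALSE on any failure (also when called above PASSIVE_LEVEL). Any file object
// reference and handle acquired along the way are released on every path.
BOOLEAN SuperDeleteFile( IN PCWSTR lpFileName )
{
    HANDLE hFile = NULL;
    PFILE_OBJECT pFileObj = NULL;
    PDEVICE_OBJECT pFileDeviceObj = NULL;
    IO_STATUS_BLOCK IoStatus;
    NTSTATUS ntStatus;
    UNICODE_STRING UniFileName;
    OBJECT_ATTRIBUTES ObjAttributes;
    FILE_BASIC_INFORMATION FileInfo;
    FILE_DISPOSITION_INFORMATION FileDisposition;
    BOOLEAN bDeleted = FALSE;

    if ( lpFileName == NULL ) {
        return FALSE;
    }

    // IoCreateFile and the waits below require PASSIVE_LEVEL.
    if ( KeGetCurrentIrql() > PASSIVE_LEVEL ) {
        DbgPrint( "KeGetCurrentIrql() > PASSIVE_LEVEL\n" );
        return FALSE;
    }

    __try {
        RtlInitUnicodeString( &UniFileName, lpFileName );
        InitializeObjectAttributes( &ObjAttributes, &UniFileName,
                                    OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
                                    NULL, NULL );

        ntStatus = IoCreateFile( &hFile, FILE_READ_ATTRIBUTES, &ObjAttributes, &IoStatus,
                                 0, FILE_ATTRIBUTE_NORMAL,
                                 FILE_SHARE_DELETE | FILE_SHARE_READ | FILE_SHARE_READ,
                                 FILE_OPEN, FILE_RANDOM_ACCESS, NULL, 0,
                                 CreateFileTypeNone, NULL, IO_NO_PARAMETER_CHECKING );
        if ( !NT_SUCCESS( ntStatus ) || hFile == NULL ) {
            hFile = NULL;
            DbgPrint( "打开文件失败\n" );
            __leave;
        }

        // Get the FILE_OBJECT behind the handle so IRPs can be addressed to
        // its device directly.
        ntStatus = ObReferenceObjectByHandle( hFile, DELETE, *IoFileObjectType, KernelMode,
                                              (PVOID *)&pFileObj, NULL );
        if ( !NT_SUCCESS( ntStatus ) ) {
            pFileObj = NULL;
            DbgPrint( "获得文件访问权失败!\n" );
            __leave;
        }
        pFileDeviceObj = IoGetRelatedDeviceObject( pFileObj );

        // Step 1: clear the attributes. Zeroed timestamps mean "leave as is".
        RtlZeroMemory( &FileInfo, sizeof( FileInfo ) );
        FileInfo.FileAttributes = FILE_ATTRIBUTE_NORMAL;
        ntStatus = SendSetFileInformation( pFileObj, pFileDeviceObj, FileBasicInformation,
                                           &FileInfo, sizeof( FileInfo ) );
        if ( !NT_SUCCESS( ntStatus ) ) {
            // Best effort: the disposition request below still decides the result.
            DbgPrint( "FileBasicInformation failed: 0x%08X\n", ntStatus );
        }

        // Step 2: mark the file for deletion.
        FileDisposition.DeleteFile = TRUE;
        ntStatus = SendSetFileInformation( pFileObj, pFileDeviceObj, FileDispositionInformation,
                                           &FileDisposition, sizeof( FileDisposition ) );
        bDeleted = NT_SUCCESS( ntStatus ) ? TRUE : FALSE;
    }
    __except ( EXCEPTION_EXECUTE_HANDLER ) {
        bDeleted = FALSE;
    }

    // Release in every case; the delete disposition is applied when the
    // last handle goes away.
    if ( pFileObj != NULL ) {
        ObDereferenceObject( pFileObj );
    }
    if ( hFile != NULL ) {
        ZwClose( hFile );
    }

    if ( bDeleted ) {
        DbgPrint( "删除文件%ws成功!\n", lpFileName );
    } else {
        DbgPrint( "删除文件%ws失败!\n", lpFileName );
    }
    return bDeleted;
}

// Returns TRUE when the first uBytes bytes of pBuf hold a non-empty,
// NUL-terminated wide string. Used to validate the IOCTL input buffer before
// it is handed to string routines that would otherwise read past its end.
static BOOLEAN IsNulTerminatedWideString( IN PCWSTR pBuf, IN ULONG uBytes )
{
    ULONG uChars;
    ULONG i;

    if ( pBuf == NULL || uBytes < sizeof( WCHAR ) || ( uBytes % sizeof( WCHAR ) ) != 0 ) {
        return FALSE;
    }
    uChars = uBytes / sizeof( WCHAR );
    for ( i = 0; i < uChars; i++ ) {
        if ( pBuf[i] == L'\0' ) {
            return ( i > 0 ) ? TRUE : FALSE;
        }
    }
    return FALSE;
}

// IRP_MJ_DEVICE_CONTROL handler (METHOD_BUFFERED).
//
// IOCTL_DELETE_FILE: the input buffer must be a NUL-terminated wide path
// within InputBufferLength; otherwise STATUS_INVALID_PARAMETER. The request
// completes with STATUS_UNSUCCESSFUL when SuperDeleteFile reports failure.
// Unknown codes complete with STATUS_INVALID_DEVICE_REQUEST. Information is
// always 0 because nothing is written to the output buffer (with
// METHOD_BUFFERED the I/O manager copies Information bytes of SystemBuffer
// back to the caller).
NTSTATUS DispatchDeviceControl( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp )
{
    PIO_STACK_LOCATION pIoStack = IoGetCurrentIrpStackLocation( Irp );
    ULONG uCtlCode = pIoStack->Parameters.DeviceIoControl.IoControlCode;
    ULONG uInLength = pIoStack->Parameters.DeviceIoControl.InputBufferLength;
    PCWSTR pFilePath = (PCWSTR)Irp->AssociatedIrp.SystemBuffer;
    NTSTATUS ntStatus;

    UNREFERENCED_PARAMETER( DeviceObject );

    DbgPrint( " DispatchDeviceControl\n " );

    switch ( uCtlCode ) {
    case IOCTL_DELETE_FILE:
        if ( !IsNulTerminatedWideString( pFilePath, uInLength ) ) {
            ntStatus = STATUS_INVALID_PARAMETER;
            break;
        }
        DbgPrint( " 接受命令成功\n " );
        DbgPrint( "FileName = %ws\n", pFilePath );
        ntStatus = SuperDeleteFile( pFilePath ) ? STATUS_SUCCESS : STATUS_UNSUCCESSFUL;
        break;
    default:
        ntStatus = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    Irp->IoStatus.Information = 0;
    Irp->IoStatus.Status = ntStatus;
    IoCompleteRequest( Irp, IO_NO_INCREMENT );
    return ntStatus;
}

// Unload routine: removes the symbolic link and the control device.
VOID DriverUnload( IN PDRIVER_OBJECT DriverObject )
{
    UNICODE_STRING UniDosLink;

    RtlInitUnicodeString( &UniDosLink, DOS_DEVICE_NAME );
    IoDeleteSymbolicLink( &UniDosLink );
    IoDeleteDevice( DriverObject->DeviceObject );
    DbgPrint( "Driver Unload successfully!\n" );
}

// Driver entry point: registers dispatch routines, creates the control device
// with an ACL that only admits SYSTEM and Administrators, and publishes the
// DOS symbolic link. Returns the failing status and leaves nothing behind
// when device or link creation fails.
NTSTATUS DriverEntry( IN PDRIVER_OBJECT pDriverObj, IN PUNICODE_STRING pRegistryString )
{
    NTSTATUS ntStatus;
    UNICODE_STRING UniNTDev;
    UNICODE_STRING UniDosDev;
    PDEVICE_OBJECT pDeviceObj = NULL;

    UNREFERENCED_PARAMETER( pRegistryString );

    RtlInitUnicodeString( &UniNTDev, NT_DEVICE_NAME );
    RtlInitUnicodeString( &UniDosDev, DOS_DEVICE_NAME );

    pDriverObj->MajorFunction[IRP_MJ_CREATE] = DispatchCreateClose;
    pDriverObj->MajorFunction[IRP_MJ_CLOSE] = DispatchCreateClose;
    pDriverObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchDeviceControl;
    pDriverObj->DriverUnload = DriverUnload;

    // The IOCTL deletes arbitrary files, so the device must not be openable by
    // every local user: SYSTEM and Administrators only, and FILE_DEVICE_SECURE_OPEN
    // applies that ACL to opens of the device name itself.
    ntStatus = IoCreateDeviceSecure( pDriverObj, 0, &UniNTDev, FILE_DEVICE_UNKNOWN,
                                     FILE_DEVICE_SECURE_OPEN, FALSE,
                                     &SDDL_DEVOBJ_SYS_ALL_ADM_ALL, NULL, &pDeviceObj );
    if ( !NT_SUCCESS( ntStatus ) ) {
        DbgPrint( "创建设备失败!\n" );
        return ntStatus;
    }

    ntStatus = IoCreateSymbolicLink( &UniDosDev, &UniNTDev );
    if ( !NT_SUCCESS( ntStatus ) ) {
        DbgPrint( "创建符号连接失败!\n" );
        IoDeleteDevice( pDeviceObj );
        return ntStatus;
    }

    DbgPrint( "Driver load successfully!\n" );
    return STATUS_SUCCESS;
}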
|
[求助]什么是CPU的分配粒度?????
还是看英文的吧,可能还可以理解的好点 |
|
有几个问题问一下
[QUOTE=;]...[/QUOTE] 一,可以 二,可以 三,据我猜测,硬件信息都拷到硬件的芯片上了,每个芯片都有存放硬件信息的位置,单片机学习时将程序拷进芯片的软件中有硬件信息的选项,另一个实例就是linux源码读取cpu信息时就是从硬件芯片的rom中读的 |
|
[求助]如何得到进程的图标(像360那样)
combojiang说的函数没试过,我的思路是得到进程的路径,然后根据路径读取exe的图标资源… |
|
ShellExecute简单流程
谁不是一点一点过来的.不要随便鄙视人,你有技术我佩服你,你BS人,我更BS你,不就是比我们早学了几年嘛. |
|
[求助]抓特务
貌似像是音速启动哦 |
|
[求助]线程中创建窗口的问题
因为线程中没有消息循环,你可以考虑在线程中发送消息到主线程,让主线程创建窗口,也就是先在主线程中写好消息响应代码,然后调用PostMessage或者SendMessage,这样就能创建窗口了 |
|
[结束][第一阶段◇第三题]看雪论坛.腾讯公司2008软件安全技术竞赛
到第二题加挂掉了 |
|
[原创]从DKOM摘链隐藏进程想到的(文中问题已经解决)
[quote=frozenrain;494367]好文!支持~~ 试了下,搜了下。 第一种XP不能用 第二个这里编译不过 (ZWQUERYSYSTEMINFORMATION) KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)ZwQuerySyst...[/quote] 第一个问题,我已经说了,对NT都无效 第二,我能编译过去: 编译信息: 2 files compiled 1 executable built 不知道你的DDK是什么,保存成.C文件 |
|
[原创]去除程序SEH处理校检
有时候逆向时看到的SEH很讨厌 |
|
[原创]从DKOM摘链隐藏进程想到的(文中问题已经解决)
是的!!!!! |
|
[讨论]DKOM断链的恢复问题(已解决!)
吃了好几回蓝玻璃了!好像恢复不了 |