[求助]网上的"不用驱动程序进入Windows2000的Ring0”我编译不了,谁编译好了给发一下-编程技术-看雪-安全社区|安全招聘|kanxue.com

[求助]网上的"不用驱动程序进入Windows2000的Ring0”我编译不了,谁编译好了给发一下

发表于: 2007-4-2 10:01 5495

[求助]网上的"不用驱动程序进入Windows2000的Ring0”我编译不了,谁编译好了给发一下

pengmo

2007-4-2 10:01

5495

// ring.cpp : Defines the entry point for the application.
//
  #include "stdio.h"
  #include "windows.h"
  #include "aclapi.h"
  #include "conio.h"
  #include "stdafx.h"
  /*
  extern "C" {
#include "ntddk.h"
   }
  */
  /*------------------------------------------------------*/
  //#pragma comment(lib,"E:\\NTDDK\\ntdll.lib")

  typedef long    NTSTATUS;
  typedef unsigned short USHORT;
  #define STATUS_SUCCESS          ((NTSTATUS)0x00000000L) // ntsubauth
  #define STATUS_ACCESS_DENIED    ((NTSTATUS)0xC0000022L)
  #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
  #define OBJ_INHERIT 0x00000002L
  #define OBJ_PERMANENT 0x00000010L
  #define OBJ_EXCLUSIVE 0x00000020L
  #define OBJ_CASE_INSENSITIVE 0x00000040L
  #define OBJ_OPENIF 0x00000080L
  #define OBJ_OPENLINK 0x00000100L
  #define OBJ_KERNEL_HANDLE 0x00000200L
  #define OBJ_VALID_ATTRIBUTES 0x000003F2L

  typedef struct _UNICODE_STRING {
      USHORT Length;
      USHORT MaximumLength;
  #ifdef MIDL_PASS
      [size_is(MaximumLength / 2), length_is((Length) / 2) ] USHORT * Buffer;
  #else // MIDL_PASS
      PWSTR    Buffer;
  #endif // MIDL_PASS
  } UNICODE_STRING;
  typedef UNICODE_STRING *PUNICODE_STRING;
  typedef const UNICODE_STRING *PCUNICODE_STRING;
  #define UNICODE_NULL ((WCHAR)0) // winnt

  typedef struct _OBJECT_ATTRIBUTES {
      ULONG Length;
      HANDLE RootDirectory;
      PUNICODE_STRING ObjectName;
      ULONG Attributes;
      PVOID SecurityDescriptor;                // Points to type SECURITY_DESCRIPTOR
      PVOID SecurityQualityOfService;    // Points to type SECURITY_QUALITY_OF_SERVICE
  } OBJECT_ATTRIBUTES;
  typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;

  #define InitializeObjectAttributes(p,n,a,r,s){(p)->Length=sizeof(OBJECT_ATTRIBUTES);\
      (p)->RootDirectory=r;\
      (p)->Attributes=a;\
      (p)->ObjectName=n;\
      (p)->SecurityDescriptor=s;\
      (p)->SecurityQualityOfService=NULL;\
      }
  /*
  extern "C"
  NTSYSAPI
  VOID
  NTAPI
  RtlInitUnicodeString(
      PUNICODE_STRING DestinationString,
      PCWSTR SourceString
      );

  extern "C"
  NTSYSAPI
  NTSTATUS
  NTAPI
  ZwOpenSection(
      OUT PHANDLE SectionHandle,
      IN ACCESS_MASK DesiredAccess,
      IN POBJECT_ATTRIBUTES ObjectAttributes
      );

  extern "C"
  NTSYSAPI
  NTSTATUS
  NTAPI
  ZwClose(
      IN HANDLE Handle
      );

  */
  /*------------------------------------------------------*/
  #define ENTERRING0 _asm pushad _asm pushf _asm cli

  #define LEAVERING0 _asm popf _asm popad _asm retf

  typedef struct gdtr {
               unsigned short Limit;
               unsigned short BaseLow;
               unsigned short BaseHigh;
  } Gdtr_t, *PGdtr_t;

  typedef struct
  {
      unsigned short    offset_0_15;
      unsigned short    selector;

      unsigned char       param_count : 4;
      unsigned char       some_bits    : 4;

      unsigned char       type                : 4;
      unsigned char       app_system    : 1;
      unsigned char       dpl                : 2;
      unsigned char       present          : 1;

      unsigned short    offset_16_31;
  } CALLGATE_DESCRIPTOR;

  void PrintWin32Error( DWORD ErrorCode )
  {
  LPVOID lpMsgBuf;

  FormatMessage( FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
  NULL, ErrorCode,
  MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
  (LPTSTR) &lpMsgBuf, 0, NULL );
  //printf("%s\n",lpMsgBuf);
  LocalFree(lpMsgBuf);
  }

  ULONG MiniMmGetPhysicalAddress(ULONG virtualaddress)
  {
      if(virtualaddress<0x80000000||virtualaddress>=0xA0000000)
            return 0;
      return virtualaddress&0x1FFFF000;
  }

  VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
  {

      PACL pDacl=NULL;
      PACL pNewDacl=NULL;
      PSECURITY_DESCRIPTOR    pSD=NULL;
      DWORD dwRes;
      EXPLICIT_ACCESS ea;

      dwRes=GetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,
                                    NULL,NULL,&pDacl,NULL,&pSD);
      if(dwRes!=ERROR_SUCCESS)
            {
                  printf( "GetSecurityInfo Error %u\n", dwRes );
                  goto CleanUp;
            }

      ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
      ea.grfAccessPermissions = SECTION_MAP_WRITE;
      ea.grfAccessMode = GRANT_ACCESS;
      ea.grfInheritance= NO_INHERITANCE;
      ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
      ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
      ea.Trustee.ptstrName = "CURRENT_USER";

      dwRes=SetEntriesInAcl(1,&ea,pDacl,&pNewDacl);
      if(dwRes!=ERROR_SUCCESS)
            {
                  printf( "SetEntriesInAcl %u\n", dwRes );
                  goto CleanUp;
            }

      dwRes=SetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,pNewDacl,NULL);
      if(dwRes!=ERROR_SUCCESS)
            {
                  printf("SetSecurityInfo %u\n",dwRes);
                  goto CleanUp;
            }

  CleanUp:

      if(pSD)
            LocalFree(pSD);
      if(pNewDacl)
            LocalFree(pSD);
  }
BOOL ExecRing0Proc(ULONG Entry,ULONG seglen)
  {
      Gdtr_t gdt;
      __asm sgdt gdt;

      ULONG mapAddr=MiniMmGetPhysicalAddress(gdt.BaseHigh<<16U|gdt.BaseLow);
      if(!mapAddr) return 0;

      HANDLE    hSection=NULL;
      NTSTATUS status;
      OBJECT_ATTRIBUTES                objectAttributes;
      UNICODE_STRING objName;
      CALLGATE_DESCRIPTOR *cg;

      status = STATUS_SUCCESS;

      RtlInitUnicodeString(&objName,L"\\Device\\PhysicalMemory");          //ÕâÀïÊÇ¹Ø¼ü£¬¿ÉÓÃddkµÄobj

      InitializeObjectAttributes(&objectAttributes,&objName,OBJ_CASE_INSENSITIVE|OBJ_KERNEL_HANDLE,NULL,(PSECURITY_DESCRIPTOR)NULL);

      status = ZwOpenSection(&hSection,SECTION_MAP_READ|SECTION_MAP_WRITE,&objectAttributes);

      if(status == STATUS_ACCESS_DENIED){
            status = ZwOpenSection(&hSection,READ_CONTROL|WRITE_DAC,&objectAttributes);
            SetPhyscialMemorySectionCanBeWrited(hSection);
            ZwClose(hSection);
            status =ZwOpenSection(&hSection,SECTION_MAP_WRITE|SECTION_MAP_WRITE,&objectAttributes);
      }

      if(status != STATUS_SUCCESS)
         {
               printf("Error Open PhysicalMemory Section Object,Status:%08X\n",status);
               return 0;
         }

      PVOID BaseAddress;

      BaseAddress=MapViewOfFile(hSection,
                                 FILE_MAP_READ|FILE_MAP_WRITE,
                                 0,
                                 mapAddr,       //low part
                                 (gdt.Limit+1));

      if(!BaseAddress)
            {
                  printf("Error MapViewOfFile:");
                  PrintWin32Error(GetLastError());
                  return 0;
            }

      BOOL setcg=FALSE;

      for(cg=(CALLGATE_DESCRIPTOR *)((ULONG)BaseAddress+(gdt.Limit&0xFFF8));(ULONG)cg>(ULONG)BaseAddress;cg--)
            if(cg->type == 0){
                  cg->offset_0_15 = LOWORD(Entry);
                  cg->selector = 8;
                  cg->param_count = 0;
                  cg->some_bits = 0;
                  cg->type = 0xC;                   // 386 call gate
                  cg->app_system = 0;          // A system descriptor
                  cg->dpl = 3;                         // Ring 3 code can call
                  cg->present = 1;
                  cg->offset_16_31 = HIWORD(Entry);
                  setcg=TRUE;
                  break;
            }

      if(!setcg){
               ZwClose(hSection);
               return 0;
      }

      short farcall[3];

      farcall[2]=((short)((ULONG)cg-(ULONG)BaseAddress))|3;    //Ring 3 callgate;

      if(!VirtualLock((PVOID)Entry,seglen))
            {
                  printf("Error VirtualLock:");
                  PrintWin32Error(GetLastError());
                  return 0;
            }

      SetThreadPriority(GetCurrentThread(),THREAD_PRIORITY_TIME_CRITICAL);

      Sleep(0);

      //_asm call fword ptr[farcall]
      _asm
         { lea eax, farcall;
            DB 0FFH, 018H;                      //call fword ptr [eax]
         }

      SetThreadPriority(GetCurrentThread(),THREAD_PRIORITY_NORMAL);

      VirtualUnlock((PVOID)Entry,seglen);

      //Clear callgate
      *(ULONG *)cg=0;
      *((ULONG *)cg+1)=0;

      ZwClose(hSection);
      return TRUE;

  }

  struct _RING0DATA
  {
      long mcr0,mcr2,mcr3;
      unsigned short BaseMemory;
      unsigned short ExtendedMemory;
  }r0Data;

  void __declspec (naked) Ring0Proc1()
  {
         // ENTERRING0;
            _asm pushad
            _asm pushf
            _asm cli

            _asm {
mov eax, cr0;
                  //mov r0Data.mcr0, eax;
                  mov eax, cr2;
                  //mov r0Data.mcr2, eax;
                  mov eax, cr3;
                  //mov r0Data.mcr3, eax;
               }
         //    LEAVERING0;
         _asm popf
         _asm popad
         _asm retf
  }
  /*
  void __declspec (naked) Ring0Proc2()
  {
            // ENTERRING0;
            _asm pushad
            _asm pushf
            _asm cli

            _outp(0x70,0x15);

            _asm
               {
                  mov ax,0
                  in al,71h
                  mov r0Data.BaseMemory,ax
               }

  _outp(0x70,0x16);
  r0Data.BaseMemory +=    _inp(0x71)<<8;
  _outp(0x70,0x17);
  r0Data.ExtendedMemory =    _inp(0x71);
  _outp(0x70,0x18);
  r0Data.ExtendedMemory += _inp(0x71)<<8;

         //    LEAVERING0;
         _asm popf
         _asm popad
         _asm retf
  }
  */
int APIENTRY WinMain(HINSTANCE hInstance,
                  HINSTANCE hPrevInstance,
                  LPSTR    lpCmdLine,
                  int    nCmdShow)
  {
      ZeroMemory(&r0Data,sizeof(struct _RING0DATA));
      VirtualLock((PVOID)&r0Data,sizeof(struct _RING0DATA));
      ExecRing0Proc((ULONG)Ring0Proc1,0x100);
      //ExecRing0Proc((ULONG)Ring0Proc2,0x100);
      VirtualUnlock((PVOID)&r0Data,sizeof(struct _RING0DATA));
      printf("CR0                         = %x\n", r0Data.mcr0);
      printf("CR2                         = %x\n", r0Data.mcr2);
      printf("CR3                         = %x\n", r0Data.mcr3);
      printf("Base memory          = %dK\n", r0Data.BaseMemory);
      printf("Extended memory = %dK\n", r0Data.ExtendedMemory);
  }

[招生]科锐逆向工程师培训(2024年11月15日实地，远程教学同时开班, 第51期)

收藏・1

免费・0

支持

最新回复 (7)
qdk 雪币： 231 活跃值： (45) 能力值： ( LV2，RANK：10 ) 在线值：发帖 22 回帖 423 粉丝 0 关注私信	qdk 2 楼你没装DDK 2007-4-2 13:19 0
thebutterfly 雪币： 291 活跃值： (213) 能力值： ( LV12，RANK：210 ) 在线值：发帖 10 回帖 548 粉丝 2 关注私信	thebutterfly 5 3 楼另外必须要管理员权限才可以运行 2007-4-2 13:51 0
Winker 雪币： 796 活跃值： (370) 能力值： ( LV9，RANK：380 ) 在线值：发帖 133 回帖 1127 粉丝 19 关注私信	Winker 8 4 楼貌似微软的ＤＤＫ是要钱的　汗　 2007-4-3 14:00 0
pengmo 雪币： 247 活跃值： (11) 能力值： ( LV2，RANK：10 ) 在线值：发帖 18 回帖 371 粉丝 0 关注私信	pengmo 5 楼不要钱, 就是安装之后不会用 2007-4-3 14:10 0
xPLK 雪币： 375 活跃值： (12) 能力值： ( LV8，RANK：130 ) 在线值：发帖 18 回帖 705 粉丝 0 关注私信	xPLK 3 6 楼 ddk在vcbase有得下 2007-4-3 15:50 0
笨笨雄雪币： 846 活跃值： (221) 能力值： (RANK：570 ) 在线值：发帖 212 回帖 3620 粉丝 22 关注私信	笨笨雄 14 7 楼 IFSDDK收钱的，DDK不收钱 IFS才是完整的DDK。免费的DDK缺少过滤驱动要用的相关定义 2007-4-4 00:08 0
hopy 雪币： 442 活跃值： (107) 能力值： ( LV9，RANK：350 ) 在线值：发帖 22 回帖 159 粉丝 1 关注私信	hopy 8 8 楼我用masm重写过一个，看我的帖子 2007-4-4 14:38 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

pengmo

发帖

371

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (7)
qdk 雪币： 231 活跃值： (45) 能力值： ( LV2，RANK：10 ) 在线值：发帖 22 回帖 423 粉丝 0 关注私信	qdk 2 楼你没装DDK 2007-4-2 13:19 0
thebutterfly 雪币： 291 活跃值： (213) 能力值： ( LV12，RANK：210 ) 在线值：发帖 10 回帖 548 粉丝 2 关注私信	thebutterfly 5 3 楼另外必须要管理员权限才可以运行 2007-4-2 13:51 0
Winker 雪币： 796 活跃值： (370) 能力值： ( LV9，RANK：380 ) 在线值：发帖 133 回帖 1127 粉丝 19 关注私信	Winker 8 4 楼貌似微软的ＤＤＫ是要钱的　汗　 2007-4-3 14:00 0
pengmo 雪币： 247 活跃值： (11) 能力值： ( LV2，RANK：10 ) 在线值：发帖 18 回帖 371 粉丝 0 关注私信	pengmo 5 楼不要钱, 就是安装之后不会用 2007-4-3 14:10 0
xPLK 雪币： 375 活跃值： (12) 能力值： ( LV8，RANK：130 ) 在线值：发帖 18 回帖 705 粉丝 0 关注私信	xPLK 3 6 楼 ddk在vcbase有得下 2007-4-3 15:50 0
笨笨雄雪币： 846 活跃值： (221) 能力值： (RANK：570 ) 在线值：发帖 212 回帖 3620 粉丝 22 关注私信	笨笨雄 14 7 楼 IFSDDK收钱的，DDK不收钱 IFS才是完整的DDK。免费的DDK缺少过滤驱动要用的相关定义 2007-4-4 00:08 0
hopy 雪币： 442 活跃值： (107) 能力值： ( LV9，RANK：350 ) 在线值：发帖 22 回帖 159 粉丝 1 关注私信	hopy 8 8 楼我用masm重写过一个，看我的帖子 2007-4-4 14:38 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复