-
-
[半原创]贴点内核态中创建用户态进程的代码
-
发表于: 2009-1-9 14:28
-
自己编写进线程、文件系统等相关函数,并在内核中实现虽然没什么应用价值,不过对内核
的学习大有裨益。
刚想逆CreateProcess,发现Gary Nebbett大牛已经有了相关代码。那就用大牛的代码改进改进。
下面是驱动中创建进程的代码,不知道前人有发过没(论坛上有一份,我看了,那是插apc的取巧方式)
本代码大部分是搬Gary Nebbett的,不过为了移植到内核中我还是做了不少工作……
另外还有个驱动中创建用户态线程的函数,觉得太简单了,就不贴了
(注意,代码中的写入用户环境部分我是直接把用户态下的GetEnvironmentStringsW得到的
东西直接贴进去了,所以大家要用的时候自己改改吧。)
大牛就不用看了,自己写写抄抄的而已。
另外还想请教大牛们,为什么有时候启动的时候会出现STATUS_DLL_INIT_FAILED错误??
主函数:
int MyCreateProcess(PUNICODE_STRING name, PWSTR param)
{
//write by weolar(http://hi.baidu.com/weolar)
PWSTR tmp;
HANDLE hProcess, hThread, hSection, hFile;
OBJECT_ATTRIBUTES oa;
RtlZeroMemory(&oa, sizeof(OBJECT_ATTRIBUTES)) ;
InitializeObjectAttributes( &oa,name, OBJ_CASE_INSENSITIVE, 0, NULL);
IO_STATUS_BLOCK iosb;
ZwOpenFile(&hFile,FILE_READ_DATA|FILE_EXECUTE|SYNCHRONIZE, &oa, &iosb,
FILE_SHARE_READ, FILE_SYNCHRONOUS_IO_NONALERT);
oa.ObjectName = 0;
ZwCreateSection(&hSection, SECTION_ALL_ACCESS, 0, 0, PAGE_EXECUTE, SEC_IMAGE, hFile);
ZwClose(hFile);
ZwCreateProcess(&hProcess, PROCESS_ALL_ACCESS, 0,
(HANDLE)-1, TRUE, hSection, 0, 0);
CloseHandle(hep);
SECTION_IMAGE_INFORMATION sii;
ZwQuerySection(hSection, SectionImageInformation, &sii, sizeof sii, 0);
ZwClose(hSection);
USER_STACK stack = {0};
ULONG n = sii.StackReserve;
ZwAllocateVirtualMemory(hProcess, &stack.ExpandableStackBottom, 0, &n,
MEM_RESERVE, PAGE_READWRITE);
stack.ExpandableStackBase = PCHAR(stack.ExpandableStackBottom) + sii.StackReserve;
stack.ExpandableStackLimit = PCHAR(stack.ExpandableStackBase) - sii.StackCommit;
n = sii.StackCommit + PAGE_SIZE;
PVOID p = PCHAR(stack.ExpandableStackBase) - n;
ZwAllocateVirtualMemory(hProcess, &p, 0, &n, MEM_COMMIT, PAGE_READWRITE);
ULONG x; n = PAGE_SIZE;
ZwProtectVirtualMemory(hProcess, &p, &n, PAGE_READWRITE | PAGE_GUARD, &x);
CONTEXT context = {CONTEXT_FULL};
context.SegGs = 0;
context.SegFs = 0x38;
context.SegEs = 0x20;
context.SegDs = 0x20;
context.SegSs = 0x20;
context.SegCs = 0x18;
context.EFlags = 0x3000;
context.Esp = ULONG(stack.ExpandableStackBase) - 4;
context.Eip = ULONG(sii.EntryPoint);
CLIENT_ID cid;
ZwCreateThread(&hThread, THREAD_ALL_ACCESS, 0, hProcess, &cid, &context, &stack, TRUE);
PROCESS_BASIC_INFORMATION pbi;
ZwQueryInformationProcess(hProcess, ProcessBasicInformation, &pbi, sizeof pbi, 0);
CreateProcessParameters(hProcess, pbi.PebBaseAddress, name);
InformCsrss(hProcess, hThread, ULONG(cid.UniqueProcess), ULONG(cid.UniqueThread));
ZwResumeThread(hThread, 0);
ZwClose(hProcess);
ZwClose(hThread);
return int(cid.UniqueProcess);
}
的学习大有裨益。
刚想逆CreateProcess,发现Gary Nebbett大牛已经有了相关代码。那就用大牛的代码改进改进。
下面是驱动中创建进程的代码,不知道前人有发过没(论坛上有一份,我看了,那是插apc的取巧方式)
本代码大部分是搬Gary Nebbett的,不过为了移植到内核中我还是做了不少工作……
另外还有个驱动中创建用户态线程的函数,觉得太简单了,就不贴了
(注意,代码中的写入用户环境部分我是直接把用户态下的GetEnvironmentStringsW得到的
东西直接贴进去了,所以大家要用的时候自己改改吧。)
大牛就不用看了,自己写写抄抄的而已。
另外还想请教大牛们,为什么有时候启动的时候会出现STATUS_DLL_INIT_FAILED错误??
主函数:
int MyCreateProcess(PUNICODE_STRING name, PWSTR param)
{
//write by weolar(http://hi.baidu.com/weolar)
PWSTR tmp;
HANDLE hProcess, hThread, hSection, hFile;
OBJECT_ATTRIBUTES oa;
RtlZeroMemory(&oa, sizeof(OBJECT_ATTRIBUTES)) ;
InitializeObjectAttributes( &oa,name, OBJ_CASE_INSENSITIVE, 0, NULL);
IO_STATUS_BLOCK iosb;
ZwOpenFile(&hFile,FILE_READ_DATA|FILE_EXECUTE|SYNCHRONIZE, &oa, &iosb,
FILE_SHARE_READ, FILE_SYNCHRONOUS_IO_NONALERT);
oa.ObjectName = 0;
ZwCreateSection(&hSection, SECTION_ALL_ACCESS, 0, 0, PAGE_EXECUTE, SEC_IMAGE, hFile);
ZwClose(hFile);
ZwCreateProcess(&hProcess, PROCESS_ALL_ACCESS, 0,
(HANDLE)-1, TRUE, hSection, 0, 0);
CloseHandle(hep);
SECTION_IMAGE_INFORMATION sii;
ZwQuerySection(hSection, SectionImageInformation, &sii, sizeof sii, 0);
ZwClose(hSection);
USER_STACK stack = {0};
ULONG n = sii.StackReserve;
ZwAllocateVirtualMemory(hProcess, &stack.ExpandableStackBottom, 0, &n,
MEM_RESERVE, PAGE_READWRITE);
stack.ExpandableStackBase = PCHAR(stack.ExpandableStackBottom) + sii.StackReserve;
stack.ExpandableStackLimit = PCHAR(stack.ExpandableStackBase) - sii.StackCommit;
n = sii.StackCommit + PAGE_SIZE;
PVOID p = PCHAR(stack.ExpandableStackBase) - n;
ZwAllocateVirtualMemory(hProcess, &p, 0, &n, MEM_COMMIT, PAGE_READWRITE);
ULONG x; n = PAGE_SIZE;
ZwProtectVirtualMemory(hProcess, &p, &n, PAGE_READWRITE | PAGE_GUARD, &x);
CONTEXT context = {CONTEXT_FULL};
context.SegGs = 0;
context.SegFs = 0x38;
context.SegEs = 0x20;
context.SegDs = 0x20;
context.SegSs = 0x20;
context.SegCs = 0x18;
context.EFlags = 0x3000;
context.Esp = ULONG(stack.ExpandableStackBase) - 4;
context.Eip = ULONG(sii.EntryPoint);
CLIENT_ID cid;
ZwCreateThread(&hThread, THREAD_ALL_ACCESS, 0, hProcess, &cid, &context, &stack, TRUE);
PROCESS_BASIC_INFORMATION pbi;
ZwQueryInformationProcess(hProcess, ProcessBasicInformation, &pbi, sizeof pbi, 0);
CreateProcessParameters(hProcess, pbi.PebBaseAddress, name);
InformCsrss(hProcess, hThread, ULONG(cid.UniqueProcess), ULONG(cid.UniqueThread));
ZwResumeThread(hThread, 0);
ZwClose(hProcess);
ZwClose(hThread);
return int(cid.UniqueProcess);
}
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
|
|
|---|---|
|
|
自己做沙发~~
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
谢谢分享~~~
|
|
|
糟糕,一时大意用马甲发文章了
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
嘿嘿....好东西自己顶不用不好意思.....
|
|
|
 被大家揭穿了~下次还是老老实实的写点东西.FC太黑了,这都要搜出来啊
|
|
|
|
|
|
pjf的那个应该就是改Gary Nebbett的。只不过都是r3下,我给改到r0了;
能不能帮忙改进下bug?
|
|
|
|
|
|
|
