64位新增
- PG 如果修改SSDT GDT ntosk,直接蓝,而且检查是随机的。
- DES 强制签名
内存操作
#include <ntifs.h>
//wdm.h
//ntifs.h
VOID DriverUnload(PDRIVER_OBJECT pDriver)
{
UNREFERENCED_PARAMETER(pDriver);
DbgPrint("卸载成功!\n");
}
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pRegPath)
{
pDriver->DriverUnload = DriverUnload;
UNREFERENCED_PARAMETER(pRegPath);
DbgPrint("加载成功!\n")
//ExAllocatePool
//ExFreePool
//ExAllocatePoolWithTag
//ExFreePoolWithTa
PVOID pBuffer;
ULONG uLength = 0;
uLength = (strlen("Hello World!") + 1);
pBuffer = ExAllocatePoolWithTag(NonPagedPool, uLength-3, 'SJ');
ANSI_STRING
//跟memset一样
RtlZeroMemory(pBuffer, uLength);
RtlCopyMemory(pBuffer, "Hello World!", uLength);
//%wZ Unicode_string
//%Z ANSI_STRING
//%s char
//%ws short (Unicode)
DbgPrint("%s", pBuffer);
ExFreePoolWithTag(pBuffer, 'SJ');
return STATUS_SUCCESS;
}
字符串操作
#include <ntifs.h>
//wdm.h
//ntifs.h
VOID DriverUnload(PDRIVER_OBJECT pDriver)
{
UNREFERENCED_PARAMETER(pDriver);
DbgPrint("卸载成功!\n");
}
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pRegPath)
{
UNREFERENCED_PARAMETER(pRegPath);
pDriver->DriverUnload = DriverUnload;
//五种方式初始化字符串
//第一种方法
DECLARE_CONST_UNICODE_STRING(usStr, L"Hello World!");
DbgPrint("%wZ", usStr);
//第二种方法
UNICODE_STRING usStr2 = { 0 };
RtlInitUnicodeString(&usStr2, L"Hello World2!");
DbgPrint("%wZ", usStr2);
//第三种方法
UNICODE_STRING usStr3 = { 0 };
WCHAR wcStr[512] = L"Hello World3!";
usStr3.Buffer = wcStr;
usStr3.Length = wcslen(wcStr) * sizeof(WCHAR);
usStr3.MaximumLength = 512;
DbgPrint("%wZ", usStr3);
//第四种方法
UNICODE_STRING usStr4 = RTL_CONSTANT_STRING(L"Hello World4!");
DbgPrint("%wZ", usStr4);
//第五种方法
UNICODE_STRING usStr5 = { 0 };
ULONG uLength = wcslen(L"Hello World5!") * sizeof(WCHAR);
usStr5.Buffer = ExAllocatePoolWithTag(NonPagedPool, uLength, 'rtS');
usStr5.Length = uLength;
if (usStr5.Buffer == NULL)
{
return STATUS_SUCCESS;
}
RtlZeroMemory(usStr5.Buffer, usStr5.Length);
RtlCopyMemory(usStr5.Buffer, L"Hello World5!", usStr5.Length);
usStr5.MaximumLength = usStr5.Length;
DbgPrint("%wZ", usStr5);
//拷贝
UNICODE_STRING usStr6 = { 0 };
WCHAR wcBuffer[256];
RtlInitEmptyUnicodeString(&usStr6, wcBuffer,256 * sizeof(WCHAR));
RtlCopyUnicodeString(&usStr6, &usStr5);
DbgPrint("%wZ", usStr6);
//拼接
//RtlAppendUnicodeStringToString(&usStr6, &usStr4);
DbgPrint("%wZ", usStr6);
//比较
if (0 == RtlCompareUnicodeString(&usStr5, &usStr6,FALSE))
{
DbgPrint("==");
}
else
{
DbgPrint("!=");
}
return STATUS_SUCCESS;
}
双向链
终止进程
#include <ntifs.h>
//wdm.h
//ntifs.h
NTSTATUS KillProcessFunc(ULONG ulPid)
{
PEPROCESS pEprocess;
PsLookupProcessByProcessId(ulPid, &pEprocess);
KeAttachProcess(pEprocess);
for (size_t i = 0;i< 0x10000000;i+=0x1000)
{
if (MmIsAddressValid((PVOID)i))
{
__try
{
ProbeForRead((PVOID)i, 0x1000, sizeof(ULONG));
memset((PVOID)i, 0xcc, 0x1000);
}
_except(1)
{
continue;
}
}
}
KeDetachProcess();
return STATUS_SUCCESS;
}
VOID DriverUnload(PDRIVER_OBJECT pDriver)
{
UNREFERENCED_PARAMETER(pDriver);
DbgPrint("卸载成功!\n");
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pRegPath)
{
pDriver->DriverUnload = DriverUnload;
UNREFERENCED_PARAMETER(pRegPath);
DbgPrint("加载成功!\n");
KillProcessFunc(3188);
return STATUS_SUCCESS;
}
Ring0
#include <ntifs.h>
#define DEVICE_NAME L"\\device\\MyDriver1"
#define LINK_NAME L"\\dosdevices\\Mikasys"
//控制码起始地址
#define IRP_IOCTRL_BASE 0x8000
//控制码宏定义
#define IRP_IOCTRL_CODE(i) CTL_CODE(FILE_DEVICE_UNKNOWN,IRP_IOCTRL_BASE + i,METHOD_BUFFERED,FILE_ALL_ACCESS)
//控制码定义
#define CTL_PRINT IRP_IOCTRL_CODE(0)
#define CTL_PRINT_A IRP_IOCTRL_CODE(1)
//ARP派遣函数-默认处理函数
NTSTATUS DispatchCom(PDEVICE_OBJECT DeviceObject,PIRP pIrp)
{
UNREFERENCED_PARAMETER(DeviceObject);
//设置IRP处理成功
pIrp->IoStatus.Status = STATUS_SUCCESS;
//设置返回的字节数
pIrp->IoStatus.Information = 0;
//结束IRP处理流程
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
//返回
return STATUS_SUCCESS;
}
//IRP派遣函数-读取Read
NTSTATUS DispatchRead(PDEVICE_OBJECT DeviceObject, PIRP pIrp)
{
UNREFERENCED_PARAMETER(DeviceObject);
//接收缓冲区指针
PVOID pReadBuffer = NULL;
//读取的长度
ULONG uReadLength = 0;
//IRP栈的结构指针
PIO_STACK_LOCATION pStack = NULL;
//获取缓冲区位置
pReadBuffer = pIrp->AssociatedIrp.SystemBuffer;
//获取当前层的IRP栈结构
pStack = IoGetCurrentIrpStackLocation(pIrp);
//获取读写长度
uReadLength = pStack->Parameters.Read.Length;
//字符串
char* str = "Hello World";
ULONG uLenth = strlen("Hello World") + 1;
//判断实际读取的长度
ULONG uMinLength = 0;
uMinLength = uReadLength >= uLenth ? uLenth : uReadLength;
//拷贝数据
RtlCopyMemory(pReadBuffer, str, uMinLength);
//设置IRP处理成功
pIrp->IoStatus.Status = STATUS_SUCCESS;
//设置返回的字节数
pIrp->IoStatus.Information = uMinLength;
//结束IRP处理流程
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
//返回
return STATUS_SUCCESS;
}
//IRP派遣函数-读取Write
NTSTATUS DispatchWrite(PDEVICE_OBJECT DeviceObject, PIRP pIrp)
{
UNREFERENCED_PARAMETER(DeviceObject);
//接收缓冲区指针
PVOID pWriteBuffer = NULL;
//读取的长度
ULONG uWriteLength = 0;
//IRP栈的结构指针
PIO_STACK_LOCATION pStack = NULL;
//获取缓冲区位置
pWriteBuffer = pIrp->AssociatedIrp.SystemBuffer;
//获取当前层的IRP栈结构
pStack = IoGetCurrentIrpStackLocation(pIrp);
//获取读写长度
uWriteLength = pStack->Parameters.Write.Length;
//打印数据
DbgPrint("%ws", pWriteBuffer);
//设置IRP处理成功
pIrp->IoStatus.Status = STATUS_SUCCESS;
//设置返回的字节数
pIrp->IoStatus.Information = uWriteLength;
//结束IRP处理流程
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
//返回
return STATUS_SUCCESS;
}
//IRP派遣函数-控制
NTSTATUS DispatchIoCtrl(PDEVICE_OBJECT DeviceObject, PIRP pIrp)
{
//控制码
ULONG uIoCode = 0;
//输入缓冲区
PVOID pInputBuffer = NULL;
//输出缓冲区
PVOID pOutPutBuffer = NULL;
//获取输入缓冲区长度
ULONG uInputBufferLenth = 0;
//栈结构指针
PIO_STACK_LOCATION pStack = IoGetCurrentIrpStackLocation(pIrp);
//获取缓冲区
pInputBuffer = pOutPutBuffer = pIrp->AssociatedIrp.SystemBuffer;
//获取缓冲区长度
uInputBufferLenth = pStack->Parameters.DeviceIoControl.InputBufferLength;
//获取控制码
uIoCode = pStack->Parameters.DeviceIoControl.IoControlCode;
//按照控制码进行分发
switch (uIoCode)
{
case CTL_PRINT:
{
DbgPrint("%s", pInputBuffer);
//初始化缓冲区内存
RtlZeroMemory(pOutPutBuffer, 256);
//
ULONG uStrLenth = strlen("Io Success! Mikasys");
RtlCopyMemory(pOutPutBuffer, "Io Success! Mikasys", uStrLenth);
//设置IRP处理成功
pIrp->IoStatus.Status = STATUS_SUCCESS;
//设置返回的字节数
pIrp->IoStatus.Information = uStrLenth;
//结束IRP处理流程
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
//返回
return STATUS_SUCCESS;
}
case CTL_PRINT_A:
{
DbgPrint("A");
break;
}
default:
break;
}
//设置IRP处理成功
pIrp->IoStatus.Status = STATUS_SUCCESS;
//设置返回的字节数
pIrp->IoStatus.Information = 0;
//结束IRP处理流程
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
//返回
return STATUS_SUCCESS;
}
VOID DriverUnload(PDRIVER_OBJECT pDriver)
{
UNREFERENCED_PARAMETER(pDriver);
//创建设备名称和符号链接名称
UNICODE_STRING uLinkName = { 0 };
//初始化
RtlInitUnicodeString(&uLinkName, LINK_NAME);
IoDeleteSymbolicLink(&uLinkName);
IoDeleteDevice(pDriver->DeviceObject);
DbgPrint("卸载成功!\n");
}
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pRegPath)
{
UNREFERENCED_PARAMETER(pRegPath);
pDriver->DriverUnload = DriverUnload;
PDEVICE_OBJECT pDeviceObject = NULL;
NTSTATUS ntStatus;
size_t i = 0;
//创建设备名称和符号链接名称
UNICODE_STRING uDeviceName = { 0 }, uLinkName = { 0 };
//初始化
RtlInitUnicodeString(&uDeviceName, DEVICE_NAME);
RtlInitUnicodeString(&uLinkName, LINK_NAME);
//创建设备对象
ntStatus = IoCreateDevice(pDriver, 0,&uDeviceName,FILE_DEVICE_UNKNOWN,0,TRUE, &pDeviceObject);
//判断设备是否创建成功
if (!NT_SUCCESS(ntStatus))
{
DbgPrint("IoCreateDevice failed:%X", ntStatus);
return ntStatus;
}
//1.DO_BUFFERED_IO 基于缓存的IO方式
//2.DO_DIRECT_IO 直接读写的IO方式
//3.DO_FORCE_NEITHER_IO 两者都不是
pDeviceObject->Flags |= DO_BUFFERED_IO;
//创建符号链接
ntStatus = IoCreateSymbolicLink(&uLinkName, &uDeviceName);
//判断符号链接是否创建成功
if (!NT_SUCCESS(ntStatus))
{
IoDeleteDevice(pDeviceObject);
DbgPrint("IoCreateSymbolicLink failed:%X", ntStatus);
return ntStatus;
}
//讲所有的IRP派遣处理函数,设置为默认处理函数
for (;i <= IRP_MJ_MAXIMUM_FUNCTION;i++)
{
pDriver->MajorFunction[i] = DispatchCom;
}
pDriver->MajorFunction[IRP_MJ_READ] = DispatchRead;
pDriver->MajorFunction[IRP_MJ_WRITE] = DispatchWrite;
pDriver->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoCtrl;
//加载成功
DbgPrint("Driver Load Success2!");
return STATUS_SUCCESS;
}
Ring3
#include <stdio.h>
#include <windows.h>
#define LINK_NAME L"\\\\.\\Mikasys"
//控制码起始地址
#define IRP_IOCTRL_BASE 0x8000
//控制码宏定义
#define IRP_IOCTRL_CODE(i) CTL_CODE(FILE_DEVICE_UNKNOWN,IRP_IOCTRL_BASE + i,METHOD_BUFFERED,FILE_ALL_ACCESS)
//控制码定义
#define CTL_PRINT IRP_IOCTRL_CODE(0)
#define CTL_PRINT_A IRP_IOCTRL_CODE(1)
int main()
{
HANDLE hDeviceHandle = CreateFile(LINK_NAME, GENERIC_ALL,0,NULL,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
if (hDeviceHandle == INVALID_HANDLE_VALUE)
{
printf("ERROR:%d\n",GetLastError());
system("pause");
return 0;
}
//IRP_MJ_READ
/*
UCHAR buffer[MAX_PATH] = {0};
ULONG ulReadLength = 0;
bool bRet = ReadFile(hDeviceHandle, buffer, MAX_PATH, &ulReadLength, NULL);
if (bRet)
{
printf("Read %d byte!\n", ulReadLength);
printf("%s\n", buffer);
}
*/
//IRP_MJ_WRITE
/*
ULONG uRetWriteLength = 0;
ULONG uWriteLenth = wcslen(L"Mikasys") * sizeof(WCHAR) + 1;
WriteFile(hDeviceHandle, L"Mikasys", uWriteLenth,&uRetWriteLength,NULL);
*/
//IRP_MJ_DEVICE_CONTROL
while (1)
{
char InputBuffer[MAX_PATH] = { 0 };
char OutBuffer[MAX_PATH] = { 0 };
ULONG uRet = 0;
printf("输入字符串");
scanf("%s", InputBuffer);
DeviceIoControl(hDeviceHandle, CTL_PRINT, InputBuffer, sizeof(InputBuffer), OutBuffer, sizeof(OutBuffer), &uRet, NULL);
printf("Return %d bytes!\n", uRet);
printf("Return Buffer:%s\n", OutBuffer);
DeviceIoControl(hDeviceHandle, CTL_PRINT_A, InputBuffer, sizeof(InputBuffer), OutBuffer, sizeof(OutBuffer), &uRet, NULL);
}
CloseHandle(hDeviceHandle);
system("pause");
return 0;
}