内核上项目【通信】

最新推荐文章于 2024-11-16 21:35:34 发布

mi-key

最新推荐文章于 2024-11-16 21:35:34 发布

阅读量401

点赞数 3

分类专栏： windows内核文章标签：系统安全 windows 驱动开发网络安全

本文链接：https://blog.csdn.net/qq_45844442/article/details/134960230

版权

windows内核专栏收录该内容

23 篇文章 8 订阅

订阅专栏

文章目录

目的
操作步骤
逆向分析
实现代码
参考文献

目的

在Win7 64位系统上编写驱动利用ExRegisterAttributeInformationCallback注册回调进行通信

操作步骤

1.利用MmGetSystemRoutineAddress获取ExRegisterAttributeInformationCallback中ExpDisSetAttributeInformation、ExpDisQueryAttributeInformation全局变量位置，并将其置为0，以实现执行到注册的目标回调函数
2.三环部分利用NtQueryInformationFile进行通信，最后一项的FileInformationClass成员置为0x34以实现调用到0环注册的回调函数
3.在卸载驱动时将其原先保存的ExpDisQueryAttributeInformation、ExpDisSetAttributeInformation进行恢复，否则将蓝屏

逆向分析

箭头所标记位置进行判断全局变量ExpDisSetAttributeInformation、ExpDisQueryAttributeInformation是否为空，如果不为空就不进行注册，所以需要在操作步骤一中将其进行置0
在这里插入图片描述对ExpDisQueryAttributeInformation进行交叉引用发现其最终会通过NtQueryInformationFile进行调用
NtQueryInformationFile中会判断成员FileInformationClass是否为0x34，如果不为0x34则不进行调用ExQueryAttributeInformation

实现代码

Win7_Comm.h（通信头文件）

#pragma once
#include<ntifs.h>
typedef struct _CommPackage
{
	ULONG64 Id;
	ULONG64 cmd;
	ULONG64 Data;
	ULONG64 Size;
	ULONG64 retStatus;
}CommPackage, * PCommPackage;

typedef NTSTATUS(*CommCallbackProc)(PCommPackage package);
typedef NTSTATUS(*FileCallBack)(HANDLE FileHandle, PVOID info);
typedef struct _RegisterCallback
{
	FileCallBack QueryFileCallback;
	FileCallBack SetFileCallBack;

}RegisterCallback, * PRegisterCallback;
typedef NTSTATUS(*ExRegisterAttributeInformationCallbackProc)(PRegisterCallback callbacks);

NTSTATUS CommWin7(CommCallbackProc callback);

VOID UnRegisterCommWin7();

VOID UnRegisterCommWin10();

VOID UnRegisterComm();

NTSTATUS SetFileCallBack(HANDLE FileHandle, PVOID info);

NTSTATUS QueryFileCallBack(HANDLE FileHandle, PVOID info);

Win7_Comm.c （通信实现代码）

#include"Win7_comm.h"

FileCallBack oldExpDisQueryAttributeInformationFunc = 0;
FileCallBack oldExpDisSetAttributeInformationFunc = 0;
CommCallbackProc gCommCallback = NULL;
PULONG64 gWin7CallbackVar = 0;

NTSTATUS QueryFileCallBack(HANDLE FileHandle, PVOID info)
{
	KdPrintEx((77, 0, "QueryFileCallBack\r\n"));
	if (MmIsAddressValid(info))
	{
		PCommPackage package = (PCommPackage)info;
		if (package->Id == 0x12345678)
		{
			package->retStatus = gCommCallback(package);

		}
		else
		{
			if (oldExpDisQueryAttributeInformationFunc)
			{
				return oldExpDisQueryAttributeInformationFunc(FileHandle, info);
			}
		}
	}


	return STATUS_SUCCESS;
}

NTSTATUS SetFileCallBack(HANDLE FileHandle, PVOID info)
{
	KdPrintEx((77, 0, "SetFileCallBack\r\n"));
	if (MmIsAddressValid(info))
	{
		PCommPackage package = (PCommPackage)info;
		if (package->Id == 0x12345678)
		{
			package->retStatus = gCommCallback(package);

		}
		else
		{
			if (oldExpDisSetAttributeInformationFunc)
			{
				return oldExpDisSetAttributeInformationFunc(FileHandle, info);
			}
		}

	}

	return STATUS_SUCCESS;
}

NTSTATUS CommWin7(CommCallbackProc callback)
{
	UNICODE_STRING unName = { 0 };
	RtlInitUnicodeString(&unName, L"ExRegisterAttributeInformationCallback");
	ExRegisterAttributeInformationCallbackProc pFunc = MmGetSystemRoutineAddress(&unName);
	DbgBreakPoint();
	//寻找系统初始化的ExpDisQueryAttributeInformation与ExpDisSetAttributeInformation
	ULONG64 offset = *(PULONG)((ULONG64)pFunc + 0xD + 3);
	PULONG64 ExpDisQueryAttributeInformation = (offset + 0x14 + (ULONG64)pFunc);
	oldExpDisQueryAttributeInformationFunc = (FileCallBack)ExpDisQueryAttributeInformation[0];
	oldExpDisSetAttributeInformationFunc = (FileCallBack)ExpDisQueryAttributeInformation[1];

	ExpDisQueryAttributeInformation[0] = 0;
	ExpDisQueryAttributeInformation[1] = 0;
	RegisterCallback rcb = { 0 };
	rcb.SetFileCallBack = SetFileCallBack;
	rcb.QueryFileCallback = QueryFileCallBack;

	NTSTATUS state = pFunc(&rcb);
	if (NT_SUCCESS(state))
	{
		gWin7CallbackVar = ExpDisQueryAttributeInformation;
		gCommCallback = callback;
	}
	return state;
}

VOID UnRegisterCommWin7()
{
	if (gWin7CallbackVar)
	{
		gWin7CallbackVar[0] = oldExpDisQueryAttributeInformationFunc;
		gWin7CallbackVar[1] = oldExpDisSetAttributeInformationFunc;
	}
}

VOID UnRegisterComm()
{
	RTL_OSVERSIONINFOEXW version = { 0 };
	RtlGetVersion(&version);

	if (version.dwBuildNumber == 7600 || version.dwBuildNumber == 7601)
	{
		UnRegisterCommWin7();
		return;
	}
}

DriverMain.c （驱动主函数）

#include<ntifs.h>
#include"Win7_comm.h"

VOID DriverUnload(_In_ struct _DRIVER_OBJECT* DriverObject)
{
	DbgPrint("--------------DRIVER_UNLOAD-----------------");
	UnRegisterComm();
}

NTSTATUS NTAPI DispatchComm(PCommPackage package)
{
	DbgPrintEx(77, 0, "[db]:%llx,%llx\r\n", package->Id, package->cmd);
}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING pRegistryPath)
{
	NTSTATUS state = CommWin7(DispatchComm);

	pDriverObject->DriverUnload = DriverUnload;

	return STATUS_SUCCESS;
}

通信三环程序.cpp （三环通信程序）

#include <stdio.h>
#include<windows.h>

typedef struct _IO_STATUS_BLOCK {
	union {
		ULONG Status;
		PVOID Pointer;
	};

	ULONG_PTR Information;
} IO_STATUS_BLOCK, * PIO_STATUS_BLOCK;

typedef struct _CommPackage
{
	ULONG64 Id; 
	ULONG64 cmd;
	ULONG64 Data;
	ULONG64 Size;
	ULONG64 retStatus;
}CommPackage, * PCommPackage;

typedef ULONG(WINAPI* NtQueryInformationFileProc)(
	__in HANDLE FileHandle,
	__out PIO_STATUS_BLOCK IoStatusBlock,
	__out_bcount(Length) PVOID FileInformation,
	__in ULONG Length,
	__in ULONG FileInformationClass);

int main()
{
	char a[] = "123";
	PUCHAR b = (PUCHAR)a;

	NtQueryInformationFileProc NtQueryInformationFile = (NtQueryInformationFileProc)GetProcAddress(GetModuleHandleA("ntdll"),"NtQueryInformationFile");
	if (NtQueryInformationFile == NULL)
	{
		printf("NtQueryInformationFile获取失败!\n");
		system("pause");
		return 0;
	}
	IO_STATUS_BLOCK is = { 0 };
	char buf[0xFF] = { 0 };
	PCommPackage package = (PCommPackage)buf;
	package->Id = 0x12345678;
	package->cmd = 1;

	HANDLE handle = CreateFileA("C:\\1.txt", FILE_ALL_ACCESS, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
	system("pause");
	NtQueryInformationFile(handle, &is, buf, sizeof(buf), 0x34);
	CloseHandle(handle);
	system("pause");
}