如何通过E语言访问系统ring0层
最近在学习如何通过E语言访问系统ring0层以达到控制修改游戏的目的
但是E语言在操作上比较难
那么能不能实现用E调用其他的驱动来达到控制系统ring0呢
或者有强人帮忙解决用E实现进入系统ring0层来完全无视游戏的NP HS TX等保护呢?
所以开始学习DELPHI编程
有DELPHI高手,能指点下么?
欢迎大家一起跟帖探讨~~
谢谢
下面跟发一段别人用C++访问ring0层的方法
1、Windows NT/2000/XP下不用驱动的Ring0代码实现
2、无驱动执行 Ring0 代码
========================================================================
=======1、Windows NT/2000/XP下不用驱动的Ring0代码实现===========
========================================================================
大家知道,Windows NT/2000为实现其可靠性,严格将系统划分为内核模式与用户模式,在i386系统中分别对应CPU的Ring0与Ring3级别。Ring0下,可以执行特权级指令,对任何I/O设备都有访问权等等。要实现从用户态进入核心态,即从Ring 3进入Ring 0必须借助CPU的某种门机制,如中断门、调用门等。而Windows NT/2000提供用户态执行系统服务(Ring 0例程)的此类机制即System Service的int 2eh中断服务等,严格的参数检查,只能严格的执行Windows NT/2000提供的服务,而如果想执行用户提供的Ring 0代码(指运行在Ring 0权限的代码),常规方法似乎只有编写设备驱动程序。本文将介绍一种在用户态不借助任何驱动程序执行Ring0代码的方法。
Windows NT/2000将设备驱动程序调入内核区域(常见的位于地址0x80000000上),由DPL为0的GDT项8,即cs为8时实现Ring 0权限。本文通过在系统中构造一个指向我们的代码的调用门(CallGate),实现Ring0代码。基于这个思路,为实现这个目的主要是构造自己的CallGate。CallGate由系统中叫Global Descriptor Table(GDT)的全局表指定。GDT地址可由i386指令sgdt获得(sgdt不是特权级指令,普通Ring 3程序均可执行)。GDT地址在Windows NT/2000保存于KPCR(Processor Control Region)结构中(见《再谈Windows NT/2000环境切换》)。GDT中的CallGate是如下的格式:
typedef struct
{
unsigned shortoffset_0_15;
unsigned shortselector;
unsigned char param_count : 4;
unsigned char some_bits : 4;
unsigned char type : 4;
unsigned char app_system: 1;
unsigned char dpl : 2;
unsigned char divsent : 1;
unsigned shortoffset_16_31;
} CALLGATE_DESCRIPTOR;
GDT位于内核区域,一般用户态的程序是不可能对这段内存区域有直接的访问权。幸运的是Windows NT/2000提供了一个叫PhysicalMemory的Section内核对象位于\Device的路径下。顾名思义,通过这个Section对象可以对物理内存进行操作。用objdir.exe对这个对象分析如下:
C:\NTDDK\bin>objdir /D \Device
PhysicalMemory
Section
DACL -
Ace[ 0] - Grant - 0xf001f - NT AUTHORITY\SYSTEM
Inherit:
Access: 0x001Fand( D RCtl WOwn WDacl )
Ace[ 1] - Grant - 0x2000d - BUILTIN\Administrators
Inherit:
Access: 0x000Dand( RCtl )
从dump出的这个对象DACL的Ace可以看出默认情况下只有SYSTEM用户才有对这个对象的读写权限,即对物理内存有读写能力,而Administrator只有读权限,普通用户根本就没有权限。不过如果我们有Administrator权限就可以通过GetSecurityInfo、SetEntriesInAcl与SetSecurityInfo这些API来修改这个对象的ACE。这也是我提供的代码需要Administrator的原因。实现的代码如下:
VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
{
PACL pDacl=NULL;
PACL pNewDacl=NULL;
PSECURITY_DESCRIPTOR pSD=NULL;
DWORD dwRes;
EXPLICIT_ACCESS ea;
if(dwRes=GetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,
NULL,NULL,&pDacl,NULL,&pSD)!=ERROR_SUCCESS)
{
printf( "GetSecurityInfo Error %u\n", dwRes );
goto CleanUp;
}
ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
ea.grfAccessPermissions = SECTION_MAP_WRITE;
ea.grfAccessMode = GRANT_ACCESS;
ea.grfInheritance= NO_INHERITANCE;
ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
ea.Trustee.ptstrName = "CURRENT_USER";
if(dwRes=SetEntriesInAcl(1,&ea,pDacl,&pNewDacl)!=ERROR_SUCCESS)
{
printf( "SetEntriesInAcl %u\n", dwRes );
goto CleanUp;
}
if(dwRes=SetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,pNewDacl,NULL)!=ERROR_SUCCESS)
{
printf("SetSecurityInfo %u\n",dwRes);
goto CleanUp;
}
CleanUp:
if(pSD)
LocalFree(pSD);
if(pNewDacl)
LocalFree(pSD);
}
这段代码对给定HANDLE的对象增加了如下的ACE:
PhysicalMemory
Section
DACL -
Ace[ 0] - Grant - 0x2 - WEBCRAZY\Administrator
Inherit:
Access: 0x0002 //SECTION_MAP_WRITE
这样我们在有Administrator权限的条件下就有了对物理内存的读写能力。但若要修改GDT表实现Ring 0代码。我们将面临着另一个难题,因为sgdt指令获得的GDT地址是虚拟地址(线性地址),我们只有知道GDT表的物理地址后才能通过\Device\PhysicalMemory对象修改GDT表,这就牵涉到了线性地址转化成物理地址的问题。我们先来看一看Windows NT/2000是如何实现这个的:
kd> u nt!MmGetPhysicalAddress l 30
ntoskrnl!MmGetPhysicalAddress:
801374e0 56 push esi
801374e1 8b742408 mov esi,
801374e5 33d2 xor edx,edx
801374e7 81fe00000080 cmp esi,0x80000000
801374ed 722c jb ntoskrnl!MmGetPhysicalAddress+0x2b (8013751b)
801374ef 81fe000000a0 cmp esi,0xa0000000
801374f5 7324 jnb ntoskrnl!MmGetPhysicalAddress+0x2b (8013751b)
801374f7 39153ce71780 cmp ,edx
801374fd 741c jz ntoskrnl!MmGetPhysicalAddress+0x2b (8013751b)
801374ff 8bc6 mov eax,esi
80137501 c1e80c shr eax,0xc
80137504 25ffff0100 and eax,0x1ffff
80137509 6a0c push 0xc
8013750b 59 pop ecx
8013750c e8d3a7fcff call ntoskrnl!_allshl (80101ce4)
80137511 81e6ff0f0000 and esi,0xfff
80137517 03c6 add eax,esi
80137519 eb17 jmp ntoskrnl!MmGetPhysicalAddress+0x57 (80137532)
8013751b 8bc6 mov eax,esi
8013751d c1e80a shr eax,0xa
80137520 25fcff3f00 and eax,0x3ffffc
80137525 2d00000040 sub eax,0x40000000
8013752a 8b00 mov eax,
8013752c a801 test al,0x1
8013752e 7506 jnz ntoskrnl!MmGetPhysicalAddress+0x44 (80137536)
80137530 33c0 xor eax,eax
80137532 5e pop esi
80137533 c20400 ret 0x4
从这段汇编代码可看出如果线性地址在0x80000000与0xa0000000范围内,只是简单的进行移位操作(位于801374ff-80137519指令间),并未查页表。我想Microsoft这样安排肯定是出于执行效率的考虑。这也为我们指明了一线曙光,因为GDT表在Windows NT/2000中一般情况下均位于这个区域(我不知道/3GB开关的Windows NT/2000是不是这种情况)。
经过这样的分析,我们就可以只通过用户态程序修改GDT表了。而增加一个CallGate就不是我可以介绍的了,找本Intel手册自己看一看了。具体实现代码如下:
typedef struct gdtr {
short Limit;
short BaseLow;
short BaseHigh;
} Gdtr_t, *PGdtr_t;
ULONG MiniMmGetPhysicalAddress(ULONG virtualaddress)
{
if(virtualaddress<0x80000000||virtualaddress>=0xA0000000)
return 0;
return virtualaddress&0x1FFFF000;
}
BOOL ExecRing0Proc(ULONG Entry,ULONG seglen)
{
Gdtr_t gdt;
__asm sgdt gdt;
ULONG mapAddr=MiniMmGetPhysicalAddress(gdt.BaseHigh<<16U|gdt.BaseLow);
if(!mapAddr) return 0;
HANDLE hSection=NULL;
NTSTATUS status;
OBJECT_ATTRIBUTES objectAttributes;
UNICODE_STRING objName;
CALLGATE_DESCRIPTOR *cg;
status = STATUS_SUCCESS;
RtlInitUnicodeString(&objName,L"\\Device\\PhysicalMemory");
InitializeObjectAttributes(&objectAttributes,
&objName,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
(PSECURITY_DESCRIPTOR) NULL);
status = ZwOpenSection(&hSection,SECTION_MAP_READ|SECTION_MAP_WRITE,&objectAttributes);
if(status == STATUS_ACCESS_DENIED){
status = ZwOpenSection(&hSection,READ_CONTROL|WRITE_DAC,&objectAttributes);
SetPhyscialMemorySectionCanBeWrited(hSection);
ZwClose(hSection);
status =ZwOpenSection(&hSection,SECTION_MAP_WRITE|SECTION_MAP_WRITE,&objectAttributes);
}
if(status != STATUS_SUCCESS)
{
printf("Error Open PhysicalMemory Section Object,Status:%08X\n",status);
return 0;
}
PVOID BaseAddress;
BaseAddress=MapViewOfFile(hSection,
FILE_MAP_READ|FILE_MAP_WRITE,
0,
mapAddr, //low part
(gdt.Limit+1));
if(!BaseAddress)
{
printf("Error MapViewOfFile:");
PrintWin32Error(GetLastError());
return 0;
}
BOOL setcg=FALSE;
for(cg=(CALLGATE_DESCRIPTOR *)((ULONG)BaseAddress+(gdt.Limit&0xFFF8));(ULONG)cg>(ULONG)BaseAddress;cg--)
if(cg->type == 0){
cg->offset_0_15 = LOWORD(Entry);
cg->selector = 8;
cg->param_count = 0;
cg->some_bits = 0;
cg->type = 0xC; // 386 call gate
cg->app_system = 0; // A system descriptor
cg->dpl = 3; // Ring 3 code can call
cg->divsent = 1;
cg->offset_16_31 = HIWORD(Entry);
setcg=TRUE;
break;
}
if(!setcg){
ZwClose(hSection);
return 0;
}
short farcall;
farcall=((short)((ULONG)cg-(ULONG)BaseAddress))|3;//Ring 3 callgate;
if(!VirtualLock((PVOID)Entry,seglen))
{
printf("Error VirtualLock:");
PrintWin32Error(GetLastError());
return 0;
}
SetThreadPriority(GetCurrentThread(),THREAD_PRIORITY_TIME_CRITICAL);
Sleep(0);
_asm call fword ptr
SetThreadPriority(GetCurrentThread(),THREAD_PRIORITY_NORMAL);
VirtualUnlock((PVOID)Entry,seglen);
//Clear callgate
*(ULONG *)cg=0;
*((ULONG *)cg+1)=0;
ZwClose(hSection);
return TRUE;
}
我在提供的代码中演示了对Control Register与I/O端口的操作。CIH病毒在Windows 9X中就是因为获得Ring 0权限才有了一定的危害,但Windows NT/2000毕竟不是Windows 9X,她已经有了比较多的安全审核机制,本文提供的代码也要求具有Administrator权限,但如果系统存在某种漏洞,如缓冲区溢出等等,还是有可能获得这种权限的,所以我不对本文提供的方法负有任何的责任,所有讨论只是一个技术热爱者在讨论技术而已。谢谢!
参考资料:
1.Intel Corp<<Intel Architecture Software Developer's Manual,Volume 3>>
附件:源码下载
========================================================================
======================2、无驱动执行 Ring0 代码=======================
========================================================================
无驱动执行 Ring0 代码 作者 free2000fly
关键字 无驱动执行 Ring0 代码
原作者姓名 free2000fly
文章原始出处 http://webcrazy.yeah.net
介绍
无驱动执行 Ring0 代码的源程序的改写, 使得能在 VC6 及 vc71 下编译
正文
前不久因为有一个加密及直接操纵硬件的问题, 使用直接访问硬件更直接一点, 但操作系统是NT的,
不能用 CIH 的技术, 在网上狂找, 终于在 http://webcrazy.yeah.net 网站上找到了,
但下载下来的源代码怎么折腾就是编译不过, 当然这其中包括了安装 vc6 加 NTDDK2000,
VC71 加 NTDDK2000 (BTW, 我找不到 XPDDK, M$ 开始要钱了).
后来, 一不做二不休, 直接把 DDK 内的函数声明摘录下来放到我的源代码内, 这下行了.
编译通过有了一线曙光, 但是下下来的源码里的有 inp(...) 和 outp(...) 语句, 编译报错;
干脆,直接改成 汇编指令. 现在编译通过了, 运行一切符合预期.
下面是源代码
//////////////////////////////////////////////////////////////////////////
// Ring0NT.cpp
// 演示无驱动执行 Ring0 代码, 改编自http://webcrazy.yeah.net/网站相关内容
// 能用 VC71 或 VC6 搭配最新 SDK 编译, 同时得有 NTDDK 内的 ntdll.lib 库文件
// 编译方法:cl Ring0NT.cpp
//////////////////////////////////////////////////////////////////////////
#include <stdio.h>
#include <windows.h>
#include <aclapi.h>
#include <Ntsecapi.h>
//#include <conio.h>
#pragma comment (lib,"ntdll.lib") // Copy From DDK
#pragma comment (lib,"Kernel32.lib")
#pragma comment (lib,"Advapi32.lib")
/////////////////////////// 从 NTDDK 摘来 ///////////////////////////////////
#ifdef __cplusplus
extern "C" {
#endif
typedef long NTSTATUS;
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define STATUS_SUCCESS 0x00000000
#define OBJ_KERNEL_HANDLE 0x00000200
#define STATUS_ACCESS_DENIED 0xC0000022
#define OBJ_CASE_INSENSITIVE 0x00000040L
typedef struct _OBJECT_ATTRIBUTES {
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
#define InitializeObjectAttributes( p, n, a, r, s ) { \
(p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
(p)->RootDirectory = r; \
(p)->Attributes = a; \
(p)->ObjectName = n; \
(p)->SecurityDescriptor = s; \
(p)->SecurityQualityOfService = NULL; \
}
NTSYSAPI
VOID
NTAPI
RtlInitUnicodeString(
PUNICODE_STRING DestinationString,
PCWSTR SourceString
);
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenSection(
OUT PHANDLE SectionHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes
);
NTSYSAPI
NTSTATUS
NTAPI
ZwClose(
IN HANDLE Handle
);
#ifdef __cplusplus
}
#endif
/////////////////////////////////////////////////////////////////////////////
#define ENTERRING0_asm pushad \
_asm pushf \
_asm cli
#define LEAVERING0_asm popf \
_asm popad\
_asm retf
typedef struct gdtr {
unsigned short Limit;
unsigned short BaseLow;
unsigned short BaseHigh;
} Gdtr_t, *PGdtr_t;
typedef struct
{
unsigned shortoffset_0_15;
unsigned shortselector;
unsigned char param_count : 4;
unsigned char some_bits : 4;
unsigned char type : 4;
unsigned char app_system: 1;
unsigned char dpl : 2;
unsigned char divsent : 1;
unsigned shortoffset_16_31;
} CALLGATE_DESCRIPTOR;
void PrintWin32Error( DWORD ErrorCode )
{
LPVOID lpMsgBuf;
FormatMessage( FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
NULL, ErrorCode,
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
(LPTSTR) &lpMsgBuf, 0, NULL );
printf("%s\n", lpMsgBuf );
LocalFree( lpMsgBuf );
}
ULONG MiniMmGetPhysicalAddress(ULONG virtualaddress)
{
if(virtualaddress<0x80000000||virtualaddress>=0xA0000000)
return 0;
return virtualaddress&0x1FFFF000;
}
VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
{
PACL pDacl=NULL;
PACL pNewDacl=NULL;
PSECURITY_DESCRIPTOR pSD=NULL;
DWORD dwRes;
EXPLICIT_ACCESS ea;
if(dwRes=GetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,
NULL,NULL,&pDacl,NULL,&pSD)!=ERROR_SUCCESS)
{
printf( "GetSecurityInfo Error %u\n", dwRes );
goto CleanUp;
}
ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
ea.grfAccessPermissions = SECTION_MAP_WRITE;
ea.grfAccessMode = GRANT_ACCESS;
ea.grfInheritance= NO_INHERITANCE;
ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
ea.Trustee.ptstrName = "CURRENT_USER";
if(dwRes=SetEntriesInAcl(1,&ea,pDacl,&pNewDacl)!=ERROR_SUCCESS)
{
printf( "SetEntriesInAcl %u\n", dwRes );
goto CleanUp;
}
if(dwRes=SetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,pNewDacl,NULL)!=ERROR_SUCCESS)
{
printf("SetSecurityInfo %u\n",dwRes);
goto CleanUp;
}
CleanUp:
if(pSD)
LocalFree(pSD);
if(pNewDacl)
LocalFree(pSD);
}
BOOL ExecRing0Proc(ULONG Entry,ULONG seglen)
{
Gdtr_t gdt;
__asm sgdt gdt;
ULONG mapAddr=MiniMmGetPhysicalAddress(gdt.BaseHigh<<16U|gdt.BaseLow);
if(!mapAddr) return 0;
HANDLE hSection=NULL;
NTSTATUS status;
OBJECT_ATTRIBUTES objectAttributes;
UNICODE_STRING objName;
CALLGATE_DESCRIPTOR *cg;
status = STATUS_SUCCESS;
RtlInitUnicodeString(&objName,L"\\Device\\PhysicalMemory");
InitializeObjectAttributes(&objectAttributes,
&objName,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
(PSECURITY_DESCRIPTOR) NULL);
status = ZwOpenSection(&hSection,SECTION_MAP_READ|SECTION_MAP_WRITE,&objectAttributes);
if(status == STATUS_ACCESS_DENIED){
status = ZwOpenSection(&hSection,READ_CONTROL|WRITE_DAC,&objectAttributes);
SetPhyscialMemorySectionCanBeWrited(hSection);
ZwClose(hSection);
status =ZwOpenSection(&hSection,SECTION_MAP_WRITE|SECTION_MAP_WRITE,&objectAttributes);
}
if(status != STATUS_SUCCESS)
{
printf("Error Open PhysicalMemory Section Object,Status:%08X\n",status);
return 0;
}
PVOID BaseAddress;
BaseAddress=MapViewOfFile(hSection,
FILE_MAP_READ|FILE_MAP_WRITE,
0,
mapAddr, //low part
(gdt.Limit+1));
if(!BaseAddress)
{
printf("Error MapViewOfFile:");
PrintWin32Error(GetLastError());
return 0;
}
BOOL setcg=FALSE;
for( cg=(CALLGATE_DESCRIPTOR *)((ULONG)BaseAddress+(gdt.Limit&0xFFF8));
(ULONG)cg>(ULONG)BaseAddress; cg-- )
{
if(cg->type == 0){
cg->offset_0_15 = LOWORD(Entry);
cg->selector = 8;
cg->param_count = 0;
cg->some_bits = 0;
cg->type = 0xC; // 386 call gate
cg->app_system = 0; // A system descriptor
cg->dpl = 3; // Ring 3 code can call
cg->divsent = 1;
cg->offset_16_31 = HIWORD(Entry);
setcg=TRUE;
break;
}
}
if(!setcg){
ZwClose(hSection);
return 0;
}
short farcall;
farcall=((short)((ULONG)cg-(ULONG)BaseAddress))|3;//Ring 3 callgate;
if(!VirtualLock((PVOID)Entry,seglen))
{
printf("Error VirtualLock:");
PrintWin32Error(GetLastError());
return 0;
}
SetThreadPriority(GetCurrentThread(),THREAD_PRIORITY_TIME_CRITICAL);
Sleep(0);
_asm call fword ptr
SetThreadPriority(GetCurrentThread(),THREAD_PRIORITY_NORMAL);
VirtualUnlock((PVOID)Entry,seglen);
//Clear callgate
*(ULONG *)cg=0;
*((ULONG *)cg+1)=0;
ZwClose(hSection);
return TRUE;
}
struct _RING0DATA
{
DWORD mcr0,mcr2,mcr3;
unsigned short BaseMemory;
unsigned short ExtendedMemory;
}r0Data;
void __declspec (naked) Ring0Proc1()
{
ENTERRING0;
_asm {
mov eax, cr0
mov r0Data.mcr0, eax;
mov eax, cr2
mov r0Data.mcr2, eax;
mov eax, cr3
mov r0Data.mcr3, eax;
}
LEAVERING0;
}
void __declspec (naked) Ring0Proc2()
{
ENTERRING0;
//------ 求基本内存 ---------------------------------------------
// outp( 0x70, 0x15 );
_asm mov al, 15h ;
_asm out 70h, al ;
_asm mov ax,0 ;
_asm in al,71h ;
_asm mov r0Data.BaseMemory,ax ;
// outp( 0x70, 0x16 );
_asm mov al, 16h ;
_asm out 70h, al ;
// r0Data.BaseMemory += inp(0x71) << 8;
_asm xor eax, eax ;
_asm in al, 71h ;
_asm shl eax, 8h ;
_asm add r0Data.BaseMemory, ax;
//------ 求扩展内存 ---------------------------------------------
// outp( 0x70, 0x17 );
_asm mov al, 17h ;
_asm out 70h, al ;
// r0Data.ExtendedMemory = inp( 0x71 );
_asm xor eax, eax ;
_asm in al, 71h ;
_asm mov r0Data.ExtendedMemory, ax;
// outp( 0x70, 0x18 );
_asm mov al, 18h ;
_asm out 70h, al ;
// r0Data.ExtendedMemory += inp(0x71) << 8;
_asm xor eax, eax ;
_asm in al, 71h ;
_asm shl eax, 8h ;
_asm add r0Data.ExtendedMemory, ax;
LEAVERING0;
}
void main(void)
{
ZeroMemory(&r0Data,sizeof(struct _RING0DATA));
VirtualLock((PVOID)&r0Data,sizeof(struct _RING0DATA));
ExecRing0Proc((ULONG)Ring0Proc1,0x100);
ExecRing0Proc((ULONG)Ring0Proc2,0x100);
VirtualUnlock((PVOID)&r0Data,sizeof(struct _RING0DATA));
printf("CR0 = %x\n", r0Data.mcr0);
printf("CR2 = %x\n", r0Data.mcr2);
printf("CR3 = %x\n", r0Data.mcr3);
printf("Base memory = %dK\n", r0Data.BaseMemory);
printf("Extended memory = %dK\n", r0Data.ExtendedMemory);
}
代码和可执行文件的压缩包在这里1 Ring0NT.zip
正文完
附件:
1 Ring0NT.zip
================================================================================
============这个,再补充多一篇:任意用户模式下执行 ring 0 代码=============
================================================================================
任意用户模式下执行 ring 0 代码
Author: sinister
Email : sinister@whitecell.org
HomePage: http://www.whitecell.org
众所周知在非 Admin 用户模式下,是不允许加载驱动执行 RING 0 代码的。
本文提供了一种方法,通过修改系统 GDT,IDT 来添加自己的 CALLGATE 和
INTGATE 这样便在系统中设置了一个后门。我们就可以利用这个后门
在任意用户模式下执行 ring 0 代码了。为了保证我们添加的 CALLGATE 和 INT
GATE 永久性。可以在第一次安装时利用 SERVICE API 或 INF 文件设置成随
系统启动。不过此方法也有个缺陷,就是在第一次安装 CALLGATE 或 INTGATE
时仍然需要 ADMIN 权限。下面分别给出了添加 CALLGATE 与 INTGATE 的具体
代码。
一、通过添加调用门实现
为了可以让任意用户来调用我们的 CALLGATE 需要解决一个小问题。因为
需要知道 CALLGATE 的 SELECTOR 后才可以调用。而在 RING 3 下除了能
得到 GDT 的 BASE ADDRESS 和 LIMIT 外是无法访问 GDT 内容的。我本想
在 RING 0 把 SELECTOR 保存到文件里。在 RING 3 下读取出来再调用。
后经过跟 wowocock 探讨。他提出的思路是在 RING 0 下通过
ZwQuerySystemInformation 得到 NTDLL.DLL 的 MODULE BASE 然后根据
PE HEADER 中的空闲处存放 SELECTOR。这样在 RING 3 的任意用户模式下
就很容易得到了。在这里要特别感谢 wowocock。下面的代码为了演示
方便,用了在我机器上 GDT 中第一个空闲描述符的 SELECTOR 。
驱动程序:
/*****************************************************************
文件名 : WssAddCallGate.c
描述 : 添加调用门
作者 : sinister
最后修改日期: 2002-11-02
*****************************************************************/
#include "ntddk.h"
#include "string.h"
#ifndef DWORD
#define DWORD unsigned int
#endif
#ifndef WORD
#define WORD unsigned short
#endif
#define LOWORD(l) ((unsigned short)(unsigned int)(l))
#define HIWORD(l) ((unsigned short)((((unsigned int)(l)) >> 16) & 0xFFFF))
typedef unsigned long ULONG;
static NTSTATUSMydrvDispatch (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
VOID DriverUnload (IN PDRIVER_OBJECT pDriverObject);
#pragma pack(push,1)
typedef struct tagGDTR{
WORD wLimit;
DWORD *dwBase;
}GDTR, *PGDTR;
typedef struct tagGDT_DESCRIPTOR{
unsigned limit : 16;
unsigned baselo : 16;
unsigned basemid : 8;
unsigned type : 4;
unsigned system : 1;
unsigned dpl : 2;
unsigned divsent : 1;
unsigned limithi : 4;
unsigned available : 1;
unsigned zero : 1;
unsigned size : 1;
unsigned granularity : 1;
unsigned basehi : 8;
}GDT_DESCRIPTOR, *PGDT_DESCRIPTOR;
typedef struct tagCALLGATE_DESCRIPTOR{
unsigned short offset_0_15;
unsigned short selector;
unsigned char param_count : 4;
unsigned char some_bits : 4;
unsigned char type : 4;
unsigned char app_system: 1;
unsigned char dpl : 2;
unsigned char divsent : 1;
unsigned short offset_16_31;
} CALLGATE_DESCRIPTOR, *PCALLGATE_DESCRIPTOR;
#pragma pack(pop)
void __declspec(naked) Ring0Call()
{
PHYSICAL_ADDRESSPhyAdd;
__asm {
pushad
pushfd
cli
}
DbgPrint("WSS - My CallGate \n");
//
// 这里可以添加你想要执行的 ring 0 代码。
//
__asm {
popfd
popad
retf
}
}
VOID AddCallGate( ULONG FuncAddr )
{
GDTR gdtr;
PGDT_DESCRIPTOR gdt;
PCALLGATE_DESCRIPTOR callgate;
WORD wGDTIndex = 1;
__asm {
sgdtgdtr // 得到 GDT 基地址与界限
}
gdt = (PGDT_DESCRIPTOR) ( gdtr.dwBase + 8 );// 跳过空选择子
while ( wGDTIndex < ( gdtr.wLimit / 8 ) )
{
if ( gdt->divsent == 0 ) //从 GDT 中找到空描述符
{
callgate = (PCALLGATE_DESCRIPTOR)gdt;
callgate->offset_0_15 = LOWORD(FuncAddr);
callgate->selector = 8; // 内核段选择子
callgate->param_count = 0; // 参数复制数量
callgate->some_bits = 0;
callgate->type = 0xC; // 386调用门
callgate->app_system = 0; // 系统描述符
callgate->dpl = 3; // RING 3 可调用
callgate->divsent = 1; // 设置存在位
callgate->offset_16_31 = HIWORD(FuncAddr);
DbgPrint("Add CallGate\n");
return;
}
gdt ++;
wGDTIndex ++;
}
}
// 驱动入口
NTSTATUSDriverEntry( IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath )
{
UNICODE_STRINGnameString, linkString;
PDEVICE_OBJECTdeviceObject;
NTSTATUS status;
HANDLE hHandle;
int i;
//卸载驱动
DriverObject->DriverUnload = DriverUnload;
//建立设备
RtlInitUnicodeString( &nameString, L"\\Device\\WssAddCallGate" );
status = IoCreateDevice( DriverObject,
0,
&nameString,
FILE_DEVICE_UNKNOWN,
0,
TRUE,
&deviceObject
);
if (!NT_SUCCESS( status ))
return status;
RtlInitUnicodeString( &linkString, L"\\DosDevices\\WssAddCallGate" );
status = IoCreateSymbolicLink (&linkString, &nameString);
if (!NT_SUCCESS( status ))
{
IoDeleteDevice (DriverObject->DeviceObject);
return status;
}
AddCallGate((ULONG)Ring0Call);
for ( i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++) {
DriverObject->MajorFunction = MydrvDispatch;
}
DriverObject->DriverUnload = DriverUnload;
return STATUS_SUCCESS;
}
//处理设备对象操作
static NTSTATUS MydrvDispatch (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0L;
IoCompleteRequest( Irp, 0 );
return Irp->IoStatus.Status;
}
VOID DriverUnload (IN PDRIVER_OBJECT pDriverObject)
{
UNICODE_STRINGnameString;
RtlInitUnicodeString( &nameString, L"\\DosDevices\\WssAddCallGate" );
IoDeleteSymbolicLink(&nameString);
IoDeleteDevice(pDriverObject->DeviceObject);
return;
}
应用程序:
#include <windows.h>
#include <stdio.h>
void main()
{
WORD farcall;
farcall = 0x0;
farcall = 0x0;
farcall = 0x4b;//在我机器上,添加 CALLGATE 的选择子为 4BH
_asm call fword ptr
}
二、通过添加中断门实现
添加中断门没有什么需要解决的问题。直接在 RING 3 利用 int x
即可切换。想想系统调用 INT 2E 就很容易理解了。
/*****************************************************************
文件名 : WssMyInt.c
描述 : 添加中断门
作者 : sinister
最后修改日期: 2002-11-02
*****************************************************************/
#include "ntddk.h"
#pragma pack(1)
typedef struct tagIDTR {
short Limit;
unsigned int Base;
}IDTR, *PIDTR;
typedef struct tagIDTENTRY {
unsigned short OffsetLow;
unsigned short Selector;
unsigned charReserved;
unsigned charType:4;
unsigned charAlways0:1;
unsigned charDpl:2;
unsigned charPresent:1;
unsigned short OffsetHigh;
} IDTENTRY, *PIDTENTRY;
#pragma pack()
#define MYINT 0x76
extern VOID _cdecl MyIntFunc();
CHAR IDTBuffer;
IDTENTRYOldIdt;
PIDTR idtr = (PIDTR)IDTBuffer;
static NTSTATUSMydrvDispatch (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
VOID DriverUnload (IN PDRIVER_OBJECT pDriverObject);
// 我们得中断处理函数
VOID _cdecl MyIntFunc()
{
PHYSICAL_ADDRESSPhyAdd;
unsigned int dwCallNum;
unsigned int dwVAddr;
_asm mov dwCallNum,eax
//
// 这里可以添加你想要执行的 ring 0 代码
//
switch ( dwCallNum )
{
case 0x01:
DbgPrint("MyIntGate eax = 0x01\n");
break;
case 0x02:
DbgPrint("MyIntGate eax = 0x02\n");
break;
default:break;
}
_asm iretd; //中断返回
}
NTSTATUS AddMyInt()
{
PIDTENTRY Idt;
//得到 IDTR 中得段界限与基地址
_asm sidt IDTBuffer
Idt = (PIDTENTRY)idtr->Base; //得到IDT表基地址
//保存原有得 IDT
RtlCopyMemory(&OldIdt, &Idt, sizeof(OldIdt));
//禁止中断
_asm cli
//设置 IDT 表各项添加我们得中断
Idt.OffsetLow = (unsigned short)MyIntFunc; //取中断处理函数低16位
Idt.Selector = 8; //设置内核段选择子
Idt.Reserved = 0; //系统保留
Idt.Type = 0xE; //设置0xE表示是中断门
Idt.Always0 = 0; //系统保留必须为0
Idt.Dpl = 3; //描述符权限,设置为允许 RING 3 进程调用
Idt.Present = 1; //存在位设置为1表示有效
Idt.OffsetHigh= (unsigned short)((unsigned int)MyIntFunc>>16); //取中断处理函数高16位
//开中断
_asm sti
return STATUS_SUCCESS;
}
//删除中断
void RemoveMyInt()
{
PIDTENTRY Idt;
Idt = (PIDTENTRY)idtr->Base;
_asm cli
//恢复 IDT
RtlCopyMemory(&Idt, &OldIdt, sizeof(OldIdt));
_asm sti
}
// 驱动入口
NTSTATUSDriverEntry( IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath )
{
UNICODE_STRINGnameString, linkString;
//UNICODE_STRINGdeviceString;
PDEVICE_OBJECTdeviceObject;
NTSTATUS status;
WCHAR wBuffer;
nameString.Buffer = wBuffer;
nameString.MaximumLength = 200;
//卸载驱动
DriverObject->DriverUnload = DriverUnload;
//建立设备
RtlInitUnicodeString( &nameString, L"\\Device\\WSSINT" );
status = IoCreateDevice( DriverObject,
0,
&nameString,
FILE_DEVICE_UNKNOWN,
0,
TRUE,
&deviceObject
);
if (!NT_SUCCESS( status ))
return status;
RtlInitUnicodeString( &linkString, L"\\??\\WSSINT" );
//使WIN32应用程序可见
status = IoCreateSymbolicLink (&linkString, &nameString);
if (!NT_SUCCESS( status ))
{
IoDeleteDevice (DriverObject->DeviceObject);
return status;
}
AddMyInt();
DriverObject->MajorFunction = MydrvDispatch;
DriverObject->MajorFunction= MydrvDispatch;
return STATUS_SUCCESS;
}
static NTSTATUS MydrvDispatch (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
NTSTATUS status;
UNREFERENCED_PARAMETER( DeviceObject );
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0L;
status = STATUS_SUCCESS;
IoCompleteRequest( Irp, 0 );
return status;
}
VOID DriverUnload (IN PDRIVER_OBJECT pDriverObject)
{
UNICODE_STRINGnameString;
UNICODE_STRINGdeviceString,driveString;
NTSTATUS ntStatus;
RemoveMyInt();
//删除WIN32可见
IoDeleteSymbolicLink(&nameString);
//删除设备
IoDeleteDevice(pDriverObject->DeviceObject);
return;
}
关于我们:
WSS(Whitecell Security Systems),一个非营利性民间技术组织,致力于各种系统安全技术的研究。坚持传统的hacker精神,追求技术的精纯。
WSS 主页:http://www.whitecell.org/ 你这不是易语言写的吧 用易语言不能吧易不能写驱动 :lol
其他写了驱动让易语言调用就是了 师父说的太对了。。。。 其他写了驱动让易语言调用就是了
ps520 发表于 2010-2-15 18:17 http://www.52pojie.cn/images/common/back.gif
好方法 调用别的驱动应该还可以 直接写的话貌似没啥希望 说到底~!到现在E还是不能直接玩到ring0层。。。。 看不懂
俺没学过C++
{:1_923:}
页:
[1]
2