x86重载内核[源码在最后]

已于 2024-08-09 09:08:25 修改
阅读量1k 收藏 2
点赞数
CC 4.0 BY-SA版权
文章标签: c语言 驱动开发
于 2023-04-15 12:29:26 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.youkuaiyun.com/deadpoolwilson12/article/details/130168309
本文介绍了X86内核重载的原理与实现过程,包括修改PE文件、驱动编程、修复重定向表和IAT表、内核内存申请、SSDT函数替换以及hook KiFastCallEntry。适合驱动编程新手学习,提供了源码地址。

摘要生成于 C知道 ,由 DeepSeek-R1 满血版支持, 前往体验 >

X86重载内核

测试系统:WinXp, 环境:vs2017

内核重载

一、内核重载简述

涉及PE文件,驱动程序编写, 对X86内核的了解
内核重载其实就是让所有的SSDT函数全部走自己写入的一块新内核

内核重载不是什么高端技术,但对于学习驱动编程的新手而言,还是有学习参考价值的

二、实现步骤(部分代码)

1.打开内核文件存为buffer,拉伸PE,修重定向表,IAT表

​
NTSTATUS LoadNtkrnlpa() 
{
	NTSTATUS						status = STATUS_SUCCESS;
	HANDLE							hFile = NULL;
	OBJECT_ATTRIBUTES				objAttr;
	IO_STATUS_BLOCK					ioBlock;
	UNICODE_STRING					FileName;
	FILE_STANDARD_INFORMATION		FileInfo;
	LARGE_INTEGER					Lageint; // 读取位置offset

	RtlInitUnicodeString(&FileName, FILEPATH);
	InitializeObjectAttributes(&objAttr, &FileName, OBJ_CASE_INSENSITIVE, NULL, NULL);

	status = ZwOpenFile(&hFile, FILE_ALL_ACCESS, &objAttr, &ioBlock, 0, FILE_NON_DIRECTORY_FILE);
	if (!NT_SUCCESS(status))
	{
		DbgPrint("ZwOpenFile Failed!, status:%d\n", status);
		return STATUS_UNSUCCESSFUL;
	}

	status = ZwQueryInformationFile(hFile, &ioBlock, &FileInfo, sizeof(FILE_STANDARD_INFORMATION), FileStandardInformation);
	if (!NT_SUCCESS(status))
	{
		ZwClose(hFile);
		DbgPrint("ZwQueryInformationFile Failed!\n");
		return STATUS_UNSUCCESSFUL;
	}
	FileSize = FileInfo.EndOfFile.LowPart;
	pFileBuffer = ExAllocatePool(NonPagedPool, FileSize);

	Lageint.QuadPart = 0;
	status = ZwReadFile(hFile, NULL, NULL, NULL, &ioBlock, pFileBuffer, FileSize, &Lageint, NULL);
	if (!NT_SUCCESS(status))
	{
		ZwClose(hFile);
		DbgPrint("ZwReadFile Failed!\n");
		return STATUS_UNSUCCESSFUL;
	}

	ZwClose(hFile);
	// 读取PE信息
	pDosHeader = (PIMAGE_DOS_HEADER)pFileBuffer;
	if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
	{
		ExFreePool(pFileBuffer);
		pFileBuffer = NULL;
		DbgPrint("Read PE File Failed\n");
		return STATUS_UNSUCCESSFUL;
	}

	pNTHeader = (PIMAGE_NT_HEADERS)((DWORD)pFileBuffer + pDosHeader->e_lfanew);
	if (pNTHeader->Signature != IMAGE_NT_SIGNATURE)
	{
		ExFreePool(pFileBuffer);
		pFileBuffer = NULL;
		DbgPrint("Read PE File Failed\n");
		return STATUS_UNSUCCESSFUL;
	}

	pFileHeader = (PIMAGE_FILE_HEADER)((DWORD)pNTHeader + 4);
	pOptionalHeader = (PIMAGE_OPTIONAL_HEADER)((DWORD)pFileHeader + IMAGE_SIZEOF_FILE_HEADER);
	pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pOptionalHeader + pFileHeader->SizeOfOptionalHeader);
	pReloactionDirectory = (PIMAGE_BASE_RELOCATION)((DWORD)pDosHeader + RVA_TO_FOA(pOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress));
	pIATDirectory = (PIMAGE_THUNK_DATA)((DWORD)pDosHeader + RVA_TO_FOA(pOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress));
	
	return status;
}

(1)修重定向表

​
NTSTATUS FixRelocTable(DWORD OrignalImageBase)
{
	if (pReloactionDirectory == NULL) return STATUS_UNSUCCESSFUL;

	// 修复重定位表
	DWORD AddItem = OrignalImageBase - pOptionalHeader->ImageBase;
	// pOptionalHeader->ImageBase = NewImageBase;

	PIMAGE_BASE_RELOCATION pTempRelocationDir = pReloactionDirectory;
	UINT Count = 0;

	do
	{
		DWORD ChunkNum = (pTempRelocationDir->SizeOfBlock - 0x8) / 0x2;

		for (UINT i = 0; i < ChunkNum; i++)
		{
			PWORD pItem = (PWORD)(((DWORD)pTempRelocationDir + 0x8) + 0x2 * i);
			DWORD Type = (*pItem) >> 12;
			if (Type == 3)
			{
				PDWORD pFixAddress = (PDWORD)((DWORD)pDosHeader + RVA_TO_FOA(pTempRelocationDir->VirtualAddress + (*pItem & 0x0FFF)));
				*pFixAddress += AddItem;
			}
		}

		pTempRelocationDir = (PIMAGE_BASE_RELOCATION)((DWORD)pTempRelocationDir + pTempRelocationDir->SizeOfBlock);
		Count++;
	} while (pTempRelocationDir->VirtualAddress != 0 && pTempRelocationDir->SizeOfBlock != 0);

	// DbgPrint("FixBlockCount:%d\n", Count);
	return STATUS_SUCCESS;
}

(2)修IAT表

​
NTSTATUS FixIATTable()
{
	PIMAGE_THUNK_DATA pTemIATDir = pIATDirectory;
	ULONG CopySize = 0;

	while (pTemIATDir->u1.Function != 0)
	{
		CopySize += 4;
		pTemIATDir++;
	}

	PULONG pCurrentIATDir = OrignImage + pOptionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress;
	RtlCopyMemory(pIATDirectory, pCurrentIATDir, CopySize);
	
	return STATUS_SUCCESS;
}

2.内核层申请一块内存贴入buffer

​
NTSTATUS CopyFileBufferToImageBuffer(_In_ LPVOID pFilebuffer_, _Out_ LPVOID* pImageBuffer_)
{
	PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)pFilebuffer_;
	PIMAGE_NT_HEADERS pNTHeader = (PIMAGE_NT_HEADERS)((DWORD)pFilebuffer_ + pDosHeader->e_lfanew);

	PIMAGE_FILE_HEADER pFileHeader = (PIMAGE_FILE_HEADER)((DWORD)pNTHeader + 0x4);
	PIMAGE_OPTIONAL_HEADER pOptionalHeader = (PIMAGE_OPTIONAL_HEADER)((DWORD)pFileHeader + IMAGE_SIZEOF_FILE_HEADER);
	PIMAGE_SECTION_HEADER pSectionHeader = (PIMAGE_SECTION_HEADER)((DWORD)pOptionalHeader + pFileHeader->SizeOfOptionalHeader);

	DWORD AlignImageSize = Align(pOptionalHeader->SizeOfImage, pOptionalHeader->SectionAlignment);
	*pImageBuffer_ = ExAllocatePool(NonPagedPool, AlignImageSize);
	memset(*pImageBuffer_, 0, AlignImageSize);
	memcpy(*pImageBuffer_, pFilebuffer_, pOptionalHeader->SizeOfHeaders);

	PIMAGE_SECTION_HEADER TempSectionHeader = pSectionHeader;

	for (int i = 0; i < pFileHeader->NumberOfSections; i++)
	{
		memcpy((LPVOID)((DWORD)*pImageBuffer_ + TempSectionHeader->VirtualAddress), (LPVOID)((DWORD)pDosHeader + TempSectionHeader->PointerToRawData), TempSectionHeader->SizeOfRawData);
		TempSectionHeader++;
	}

	return STATUS_SUCCESS;
}

3.修复ssdt中函数地址为新内核函数地址

4.创建山寨系统服务表

​
NTSTATUS SetNewSSDT(DWORD NewImageBase)
{

	pNewKeServiceDescriptorTable = (PKSERVICE_TABLE_DESCRIPTOR)((DWORD)KeServiceDescriptorTable - OrignImage + NewImageBase);

	// 函数表
	pNewKeServiceDescriptorTable->ntoskrnl.ServiceTableBase = (PULONG)((DWORD)KeServiceDescriptorTable->ntoskrnl.ServiceTableBase - OrignImage + NewImageBase);
	
	// 函数个数
	pNewKeServiceDescriptorTable->ntoskrnl.NumberOfService = KeServiceDescriptorTable->ntoskrnl.NumberOfService;

	// 调用次数
	// pNewKeServiceDescriptorTable->ntoskrnl.ServiceCounterTableBase = (PULONG)((DWORD)KeServiceDescriptorTable->ntoskrnl.ServiceCounterTableBase - OrignImage + NewImageBase);

	// 参数表
	pNewKeServiceDescriptorTable->ntoskrnl.ParamTableBase = (PULONG)((DWORD)KeServiceDescriptorTable->ntoskrnl.ParamTableBase - OrignImage + NewImageBase);

	 PageProtectOff();

	// 修复函数地址表 ,其实重定位表修复那里就修好了
	for (ULONG i = 0; i < pNewKeServiceDescriptorTable->ntoskrnl.NumberOfService; i++)
	{
		pNewKeServiceDescriptorTable->ntoskrnl.ServiceTableBase[i] += (-OrignImage + NewImageBase);

	}
	 PageProtectOn();

	return STATUS_SUCCESS;
}

5.hook KiFastCallEntry

​
NTSTATUS HookKiFastCallEntry()
{
	ULONG	HookAddr = 0;
	ULONG	uKiFastCallEntry = 0;
	// 找到KiFastCallEntry函数首地址, 在特殊模组寄存器的0x176号寄存器中
	__asm
	{
		push ecx;
		push eax;
		push edx;
		mov ecx, 0x176; // 设置编号
		rdmsr; ;// 读取到edx:eax
		mov uKiFastCallEntry, eax;// 保存到变量
		pop edx;
		pop eax;
		pop ecx;
	}

	for (ULONG i = 0; i < 0x1FF; ++i)
	{
		if (RtlCompareMemory((UCHAR*)uKiFastCallEntry + i, OriginalCode, 5) == 5)
		{
			HookAddr = uKiFastCallEntry + i;
			break;
		}
	}
	if (HookAddr == 0)
	{
		DbgPrint("Not Find 2be1c1e902 bytes");
		return STATUS_UNSUCCESSFUL;
	}

	PDWORD JmpAddr = (PDWORD)HookProc;

	PageProtectOff();
	DWORD32 X = (HookAddr + 5) - ((DWORD32)&OriginalCode[5] + 5);
	OriginalCode[5] = '\xE9';
	*(DWORD32*)(OriginalCode + 5 + 1) = X;
	pOrigianlCmd = (PORIGINALCOMD)(CHAR*)OriginalCode;
	BackAddr = HookAddr + 5;

	memset(NewCode, 0, 64);
	NewCode[0] = '\xE9';
	X = (DWORD32)JmpAddr - (HookAddr + 5);
	*(DWORD32*)(NewCode + 1) = (DWORD32)X;
	int Numnop = 5 - 5;
	for (int i = 0; i < Numnop; i++)
	{
		NewCode[5 + i] = '\x90';
	}

	RtlMoveMemory(HookAddr, NewCode, 5);

	PageProtectOn();

	return STATUS_SUCCESS;
}

三、代码测试截图

在这里插入图片描述

四、总结(源码地址)

​​

github地址
https://github.com/DeadpoolWilson12/kernelReload_

openEuler系统下源码编译安装Nginx实践教程
qq_59334230的博客
04-18 466
openEuler系统下源码编译安装Nginx实践教程
内核开发基础
你的牌打的太好啦
04-09 2915
1.构建linux系统 嵌入式系统一般包括硬件和软件两部分,其中硬件以一个高性能的处理器,通常是32为处理器为基础;软件是以一个多任务操作系统为基础的综合平台。 内核产品开发流程: 1.以开发商提供的EVM(评估)板为基础添加、修改、删除硬件,开发所需要的硬件。 2.Bootloader移植。将Bootloader移植到开发平台,使之能在平台上运行。 3.内核移植。
内核重载-让所有的SSDT函数全部走自己的路!过任何驱动保护
07-31
内核重载-让所有的SSDT函数全部走自己的路!过任何驱动保护 一份 非常不错的源码。。 内核重载了,让所有的SSDT函数全部走自己的路 。爆发式的驱动源码公开。代表了我国民间驱动技术已逐渐成熟,韩国棒子的NP技术终将被完结! 内核重载内核重载后指定某个程序使用你重载内核,可以绕过原有内核上面的所有hook
重载内核全程分析笔记
热门推荐
whatday的专栏
11-05 1万+
标 题: 【原创】重载内核全程分析笔记 作 者: Speeday 时 间: 2013-08-20,20:19:46 链 接: http://bbs.pediy.com/showthread.php?t=177555 还记得七夕的那几天,老V率先把AGP的源码发布出来,然后是EasyDebugger的源码出土,后面陆续有很多大牛把珍藏已久的代码拿出来晒太阳,那段疯狂的日子,让看雪论坛都面
驱动-内核重载
chengtoreal的博客
03-13 565
内核重载 读取ntkrnlpa.exe的PE文件,并展开加载到内存 获取模块基址 修复重定位 修复新的SSDT表 HOOK KiFastCallEntry函数 代码 // 准备工作 // KeServiceDescriptorTable变量,声明就可以直接使用 // 函数原型 typedef NTSTATUS(NTAPI* FnZwOpenProcess)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PCLIENT_ID); typedef struc
一份内核重载代码的学习笔记
0xDQ的博客
04-21 1320
0x00 前言 参考文章:https://blog.youkuaiyun.com/whatday/article/details/14160875 https://blog.youkuaiyun.com/pjz969/article/details/8615085 首先重载内核不是什么新技术,对于绕过HOOK是一种一刀切的做法,不过对于我这样初探内核的小白还是很有总结意义的。 本篇涉及的知识点:0环和3环通信...
重载内核全程分析笔记(附源码
08-28
重载内核全程分析笔记(附源码) 还记得七夕的那几天,老V率先把AGP的源码发布出来,然后是EasyDebugger的源码出土,后面陆续有很多大牛把珍藏已久的代码拿出来晒太阳,那段疯狂的日子,让看雪论坛都面临崩溃的边缘。折腾了大半天,终于把代码都下载下来了,可是下载下来做什么呢,自己连看都看不懂 于是,带着激动而又郁闷的心情继续学习内核编程。 由于是初学者,很多时候也有不清楚的地方,若下文中有什么地方理解有误,还请大牛多多指正
内核重载_hospitalb3n_内核重载_x86内核重载_
09-30
在本文中,我们将深入探讨x86内核重载的相关知识点,包括内核的基本结构、重载的动机、过程以及涉及的关键技术。 首先,我们需要理解内核在操作系统中的地位。内核是操作系统的核心部分,它负责管理系统的硬件资源...
语言-易语言驱动 过保护 内核重载 钩子扫描 DPC
06-25
重载内核 内核任意位置InlineHook的类 任何函数自动重定位 各种未导出函数的查找 内核调试结构KiDebugRoutine的欺骗和转向 IDT的枚举和恢复 GDT的枚举 IOTimer的枚举 使用 和 卸载 DCPTimer的枚举 内核InlineHook的...
android kernel源代码,使用Visual Studio Code阅读Android内核源码
weixin_42495057的博客
05-26 1063
Visual Studio Code是阅读代码的不二选择,尤其是与传统IDE工程并驾齐驱的、由构建器(Make、Ninja、CMake等)组织的工程,只需打开一个文件夹作为工作区,即可立刻开始。而VS Code对C语言的多方面支持,使得用它来阅读、学习、调试C语言源代码,尤有一种舒心简便的体验。——所以,对于学习Linux Android内核源码的程序员,我首先推荐VS Code。只需简单的配置,...
内核重载语言源码(含C驱动源码).rar
01-25
内核重载语言源码(含C驱动源码)
windows xp内核重载
11-07
内核重载 内核重载源代码
passTp内核重载
07-31
还没看,先保存,如果好用的话,我会发博客
OD插件之重载内核.rar
05-31
OD插件之重载内核.rar
ReloadKernel(重载内核全程分析)
02-25
重载内核内容: 1、 将内核文件加载到内存 2、 进行基址重定位 3、 重定位ssdt结构 4、 Hook KiFastCallEntry,让RING3进程调用走新内核
内核重载
a2321503的专栏
08-28 321
[code="c"]#include "stdio.h" #include "windows.h" #define __Max(a,b) a>b?a:b void ReadPeFile() { HANDLE hFile; ULONG uIndex; BOOL bStatus; DWORD dwRetSize; LARGE_INTE...
10内核重载
weixin_30954607的博客
08-31 561
内核重载需求的产生在内核中有很多HOOK, 例如:KiFastCallEntry, SSDT,IDT,OBJECT HOOK,甚至是内核API的内联HOOK , 有些HOOK很容易找到,并还原, 有些HOOK就很难找到. 在某些时候(例如一个病毒HOOK了int3中断,这样调试器就无法得到断点事件),清除HOOK是一种反反调试的技术. 也是防护与反防护的技术. —总之内核层的对抗非常的激...
内核重载的认识
weixin_41725706的博客
12-03 477
内核重载得认识
(3dmem) zrt@zrt:~$ sudo dmesg | grep ch34x [23948.109110] usbcore: registered new interface driver ch34x [23948.109121] usbserial: USB Serial support registered for ch34x [23948.109134] ch34x 1-8.4:1.0: ch34x converter detected [23948.109168] Modules linked in: ch34x(OE+) usbserial snd_usb_audio snd_usbmidi_lib snd_ump mc pcspkr ccm rfcomm nvidia_uvm(PO) mvfgvirtualserial(OE) cmlframegrabber(OE) cmac xofframegrabber(OE) algif_hash algif_skcipher af_alg cxpframegrabber(OE) bnep gevframegrabber(OE) gevfilter(OE) intel_rapl_msr intel_rapl_common intel_uncore_frequency intel_uncore_frequency_common intel_tcc_cooling x86_pkg_temp_thermal intel_powerclamp coretemp nvidia_drm(PO) nvidia_modeset(PO) nvidia(PO) snd_sof_pci_intel_tgl snd_sof_intel_hda_common soundwire_intel snd_sof_intel_hda_mlink soundwire_cadence snd_sof_intel_hda snd_sof_pci snd_sof_xtensa_dsp snd_sof binfmt_misc kvm_intel snd_sof_utils snd_soc_hdac_hda rtw89_8851be snd_hda_ext_core snd_soc_acpi_intel_match rtw89_8851b snd_soc_acpi snd_hda_codec_realtek soundwire_generic_allocation nls_iso8859_1 snd_hda_codec_generic soundwire_bus rtw89_pci snd_hda_codec_hdmi kvm snd_soc_core snd_compress irqbypass ac97_bus rtw89_core snd_pcm_dmaengine crct10dif_pclmul btusb polyval_clmulni [23948.109280] ch34x_attach+0x1a6/0x3d0 [ch34x] [23948.109304] ? __pfx_ch34x_init+0x10/0x10 [ch34x] [23948.109305] ch34x_init+0x23/0xff0 [ch34x] [23948.109762] usb 1-8.4: ch34x converter now attached to ttyUSB0 [23951.195800] usb 1-8.4: usbfs: interface 0 claimed by ch34x while 'brltty' sets config #1 [23951.196419] ch34x ttyUSB0: ch34x converter now disconnected from ttyUSB0 [23951.196427] ch34x 1-8.4:1.0: device disconnected [24071.682644] ch34x 1-8.4:1.0: ch34x converter detected [24071.683064] usb 1-8.4: ch34x converter now attached to ttyUSB0 [24072.212788] usb 1-8.4: usbfs: interface 0 claimed by ch34x while 'brltty' sets config #1 [24072.213372] ch34x ttyUSB0: ch34x converter now disconnected from ttyUSB0 [24072.213389] ch34x 1-8.4:1.0: device disconnected [24137.264924] ch34x 1-8.4:1.0: ch34x converter detected [24137.265809] usb 1-8.4: ch34x converter now attached to ttyUSB0 [24137.798412] usb 1-8.4: usbfs: interface 0 claimed by ch34x while 'brltty' sets config #1 [24137.798977] ch34x ttyUSB0: ch34x converter now disconnected from ttyUSB0 [24137.798985] ch34x 1-8.4:1.0: device disconnected [24143.229930] ch34x 1-8.4:1.0: ch34x converter detected [24143.230327] usb 1-8.4: ch34x converter now attached to ttyUSB0 [24143.756662] usb 1-8.4: usbfs: interface 0 claimed by ch34x while 'brltty' sets config #1 [24143.757207] ch34x ttyUSB0: ch34x converter now disconnected from ttyUSB0 [24143.757215] ch34x 1-8.4:1.0: device disconnected
最新发布
07-18
最后生成的问题要围绕这个主题延伸,比如如何深度调试、替代方案比较、内核编译选项这些进阶内容,方便用户根据实际需求继续探索。针对Linux系统下CH34x USB转串口驱动频繁断连的问题,以下是系统性的解决方案: --...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值