/*++
Copyright (c)
Module Name:
SafeModel.h
Abstract:
This framework is generated by QuickSYS 0.4
Author:
<your name>
Environment:
User or kernel mode.
Revision History:
--*/
#ifndef _SAFEMODEL_H
#define _SAFEMODEL_H 1
// Non-MSVC builds (the `ddk/` include layout further down suggests a
// MinGW/ReactOS-style DDK) lack the SAL annotations and the SEH keywords,
// so they are defined away here.
// NOTE(review): `_SAFEMODEL_H` is a reserved identifier (leading underscore +
// uppercase); `SAFEMODEL_H` would be the conforming spelling.
#ifndef _MSC_VER
#define __in
#define __out
#define __inout
#define __in_opt
#define __out_opt
#define __deref_out
#define __out_bcount_opt(x)
#define IN
#define OUT
#define OPTIONAL
// NOTE(review): with __try defined to nothing, a `__try { ... }` block in the
// driver compiles as a plain compound statement on non-MSVC builds -- no
// structured exception handling is installed around it, and __except/__finally
// are not defined here at all. Any user-buffer access that relied on SEH for
// safety silently loses that protection on this path; confirm such accesses
// are guarded by explicit checks there rather than by SEH.
#define __try
#endif // _MSC_VER
//#define NTDDI_VERSION NTDDI_VISTA
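//
// Define the various device type values. Note that values used by Microsoft
// Corporation are in the range 0-0x7FFF(32767), and 0x8000(32768)-0xFFFF(65535)
// are reserved for use by customers.
//
#define FILE_DEVICE_SAFEMODEL 0x8000
//
// Macro definition for defining IOCTL and FSCTL function control codes. Note
// that function codes 0-0x7FF(2047) are reserved for Microsoft Corporation,
// and 0x800(2048)-0xFFF(4095) are reserved for customers.
//
#define SAFEMODEL_IOCTL_BASE 0x800
//
// The device driver IOCTLs
//
// Builds control code SAFEMODEL_IOCTL_BASE + i for this device. The argument
// is parenthesized so that an expression passed as `i` keeps its own
// precedence inside the addition (plain integer literals, as used below,
// behave exactly as before).
// NOTE(review): every code uses FILE_ANY_ACCESS, so any handle opened on the
// device -- regardless of the access it requested -- can issue these IOCTLs.
// The only thing restricting who may toggle the monitors is therefore the
// device object's security descriptor plus whatever the dispatch routine
// checks itself; confirm one of the two actually restricts it.
#define CTL_CODE_SAFEMODEL(i) \
    CTL_CODE(FILE_DEVICE_SAFEMODEL, SAFEMODEL_IOCTL_BASE + (i), METHOD_BUFFERED, FILE_ANY_ACCESS)
// I/O control codes. Function indices 0..20; each monitor has an ON/OFF pair.
// (The CRATE_ / MONITER spellings are kept as-is: they are the identifiers the
// front end and the dispatch code already use.)
#define DRIVE_INITIALIZE CTL_CODE_SAFEMODEL(0)
#define CRATE_PROCESS_MONITOR_ON CTL_CODE_SAFEMODEL(1)
#define CRATE_PROCESS_MONITOR_OFF CTL_CODE_SAFEMODEL(2)
#define WRITE_VIRTUAL_MEMORY_ON CTL_CODE_SAFEMODEL(3)
#define WRITE_VIRTUAL_MEMORY_OFF CTL_CODE_SAFEMODEL(4)
#define SET_VALUEKEY_MONITOR_ON CTL_CODE_SAFEMODEL(5)
#define SET_VALUEKEY_MONITOR_OFF CTL_CODE_SAFEMODEL(6)
#define SET_HOOK_MONITOR_ON CTL_CODE_SAFEMODEL(7)
#define SET_HOOK_MONITOR_OFF CTL_CODE_SAFEMODEL(8)
#define SET_SYSTEMTIME_MONITOR_ON CTL_CODE_SAFEMODEL(9)
#define SET_SYSTEMTIME_MONITOR_OFF CTL_CODE_SAFEMODEL(10)
#define WRITE_FILE_MONITOR_ON CTL_CODE_SAFEMODEL(11)
#define WRITE_FILE_MONITOR_OFF CTL_CODE_SAFEMODEL(12)
#define SYSTEM_DEBUG_MONITER_ON CTL_CODE_SAFEMODEL(13)
#define SYSTEM_DEBUG_MONITER_OFF CTL_CODE_SAFEMODEL(14)
#define LOAD_DRIVE_MONITOR_ON CTL_CODE_SAFEMODEL(15)
#define LOAD_DRIVE_MONITOR_OFF CTL_CODE_SAFEMODEL(16)
#define OPEN_SECTION_MONITOR_ON CTL_CODE_SAFEMODEL(17)
#define OPEN_SECTION_MONITOR_OFF CTL_CODE_SAFEMODEL(18)
#define READ_FILE_MONITOR_ON CTL_CODE_SAFEMODEL(19)
#define READ_FILE_MONITOR_OFF CTL_CODE_SAFEMODEL(20)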
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Name that Win32 front end will use to open the SafeModel device
//
// SAFEMODEL_WIN32_DEVICE_NAME_* is the "\\.\" path the user-mode front end
// opens; SAFEMODEL_DEVICE_NAME_* is the kernel object-manager name and
// SAFEMODEL_DOS_DEVICE_NAME_* the \DosDevices symbolic link that presumably
// maps one to the other (the driver code that creates them is not in this
// header). The string literals are C-escaped, hence the doubled backslashes.
#define SAFEMODEL_WIN32_DEVICE_NAME_A "\\\\.\\SafeModel"
#define SAFEMODEL_WIN32_DEVICE_NAME_W L"\\\\.\\SafeModel"
#define SAFEMODEL_DEVICE_NAME_A "\\Device\\SafeModel"
#define SAFEMODEL_DEVICE_NAME_W L"\\Device\\SafeModel"
#define SAFEMODEL_DOS_DEVICE_NAME_A "\\DosDevices\\SafeModel"
#define SAFEMODEL_DOS_DEVICE_NAME_W L"\\DosDevices\\SafeModel"
// Select the narrow or wide spelling to match the build's character set.
#ifdef _UNICODE
#define SAFEMODEL_WIN32_DEVICE_NAME SAFEMODEL_WIN32_DEVICE_NAME_W
#define SAFEMODEL_DEVICE_NAME SAFEMODEL_DEVICE_NAME_W
#define SAFEMODEL_DOS_DEVICE_NAME SAFEMODEL_DOS_DEVICE_NAME_W
#else
#define SAFEMODEL_WIN32_DEVICE_NAME SAFEMODEL_WIN32_DEVICE_NAME_A
#define SAFEMODEL_DEVICE_NAME SAFEMODEL_DEVICE_NAME_A
#define SAFEMODEL_DOS_DEVICE_NAME SAFEMODEL_DOS_DEVICE_NAME_A
#endif
// NOTE(review): this #endif closes the _SAFEMODEL_H include guard opened at the
// top of the file. Everything that follows (includes, enum/struct definitions,
// prototypes) is outside the guard, so a second #include of this header in the
// same translation unit redefines the struct and enum tags below, which is a
// compile error. Moving this #endif to the end of the file would fix that.
#endif
// NOTE(review): <windef.h> is a user-mode (Win32) header; pulling it into a
// kernel-mode driver header is unusual and is presumably here only for the
// DWORD/BOOL/HINSTANCE/MAX_PATH names used by the structs below -- confirm it
// coexists with the DDK headers on the MSVC path.
#include <windef.h>
#ifdef __GNUC__
//#include <ddk/ntimage.h>
#include <ddk/ntddk.h>
#include <ddk/ntifs.h>
// Names the GCC DDK headers in use apparently do not provide (the MSVC path
// below gets them from its own headers).
DECLARE_HANDLE(HHOOK);
#define SECTION_MAP_EXECUTE_EXPLICIT 0x0020
// Software breakpoint (int 3). Debug aid only: in kernel mode with no kernel
// debugger attached this trap is normally fatal (bugcheck), so it must not be
// reachable in a release build.
#define INTERRUPT_3 \
__asm__ ("int $3")
#else
#include <ntimage.h>
#include <ntddk.h>
#include <ntifs.h>
// MSVC inline-assembly form of the same breakpoint. x64 MSVC has no inline
// __asm, so this spelling only compiles for 32-bit targets.
#define INTERRUPT_3 \
__asm int 3
#endif
//#include <winnt.h>
// OBJECT_ATTRIBUTES.Attributes flag: the resulting handle lives in the kernel
// handle table and cannot be referenced from user mode. Older DDKs lack it.
#ifndef OBJ_KERNEL_HANDLE
#define OBJ_KERNEL_HANDLE 0x00000200L
#endif
//
// A structure representing the instance information associated with
// a particular device (DEVICE_EXTENSION, defined further below; the macros in
// between are native-API aliases and constants).
//
//#define SEC_IMAGE 0x1000000
// Aliases/constants for undocumented native API types that the DDK headers in
// use may not declare. DEBUG_CONTROL_CODE (used by the NtSystemDebugControl
// typedefs below) is expected from the DDK headers since its local alias is
// commented out.
#define SYSTEM_INFORMATION_CLASS ULONG
//#define DEBUG_CONTROL_CODE ULONG
// OBJECT_INFORMATION_CLASS value for ZwQueryObject: returns the object's name.
#define ObjectNameInformation 1
// Status value with the error bit set; presumably tells the front end to fail
// without showing a message box -- confirm against the user-mode side.
#define RETURN_ERRO_NOBOX 0x80070000
// SYSTEM_INFORMATION_CLASS value for ZwQuerySystemInformation: the handle table
// snapshot (see _SYSTEM_HANDLE_INFORMATION_EX below).
#define SystemHandleInformation 0x10
#define SystemLoadAndCallImage 38 // the ZwSetSystemInformation class that loads a driver image
// Command codes for NtSystemDebugControl (undocumented). Values are implicit and
// 0-based, so enumerator order must match the kernel's numbering exactly. The
// Read*/Write* commands name direct reads and writes of kernel virtual memory,
// physical memory, control space, I/O space, MSRs and bus data; that reach is
// presumably why the driver hooks this service (see NTSYSTEMDEBUGCONTROL and
// FakedNtSystemDebugControl below).
typedef enum _SYSDBG_COMMAND {
SysDbgQueryModuleInformation,
SysDbgQueryTraceInformation,
SysDbgSetTracepoint,
SysDbgSetSpecialCall,
SysDbgClearSpecialCalls,
SysDbgQuerySpecialCalls,
SysDbgBreakPoint,
SysDbgQueryVersion,
SysDbgReadVirtual,
SysDbgWriteVirtual,
SysDbgReadPhysical,
SysDbgWritePhysical,
SysDbgReadControlSpace,
SysDbgWriteControlSpace,
SysDbgReadIoSpace,
SysDbgWriteIoSpace,
SysDbgReadMsr,
SysDbgWriteMsr,
SysDbgReadBusData,
SysDbgWriteBusData,
SysDbgCheckLowMemory,
SysDbgEnableKernelDebugger,
SysDbgDisableKernelDebugger,
SysDbgGetAutoKdEnable,
SysDbgSetAutoKdEnable,
SysDbgGetPrintBufferSize,
SysDbgSetPrintBufferSize,
SysDbgGetKdUmExceptionEnable,
SysDbgSetKdUmExceptionEnable,
SysDbgGetTriageDump,
SysDbgGetKdBlockEnable,
SysDbgSetKdBlockEnable,
} SYSDBG_COMMAND, *PSYSDBG_COMMAND;
// Per-device context, presumably stored in DEVICE_OBJECT.DeviceExtension by
// DriverEntry. Currently a single state word.
typedef struct _DEVICE_EXTENSION
{
ULONG StateVariable; // meaning is not defined in this header -- TODO confirm against the dispatch code
} DEVICE_EXTENSION, *PDEVICE_EXTENSION;
//typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE
//{
// UNICODE_STRING ModuleName;
//} SYSTEM_LOAD_AND_CALL_IMAGE, *PSYSTEM_LOAD_AND_CALL_IMAGE;
// Coarse OS version classes returned by GetWindowsVersion(). Only 2000 through
// Vista are distinguished; the GetFilePathVista / GetFilePath2000_2003 helpers
// declared below presumably branch on this value. Nothing newer has an
// enumerator, so callers should treat any unexpected value (including
// WINDOWS_VERSION_NONE) as "unsupported" rather than falling back to some
// default table layout.
typedef enum WIN_VER_DETAIL {
WINDOWS_VERSION_NONE, // 0 -- not detected / unknown
WINDOWS_VERSION_2K,
WINDOWS_VERSION_XP,
WINDOWS_VERSION_2K3,
WINDOWS_VERSION_2K3_SP1_SP2,
WINDOWS_VERSION_VISTA,
} WIN_VER_DETAIL;
// Message record exchanged between the driver and the user-mode front end.
// NOTE(review): if this is the METHOD_BUFFERED IOCTL payload, every field is
// caller-controlled: `state` and `function` must be range-checked before use,
// `source` and `object` must be treated as possibly unterminated (force a NUL
// at index MAX_PATH-1 before any str* call), and `Appevent`/`Sysevent` are
// user-mode handle values that must be resolved with ObReferenceObjectByHandle
// using the caller's access mode, never used as kernel handles. Confirm
// against the dispatch code.
struct MESSAGE
{
BOOL state;
DWORD function;
HANDLE Appevent;
HANDLE Sysevent;
char source[MAX_PATH];
char object[MAX_PATH];
};
// Registry value rendered as text (presumably produced by the ZwSetValueKey
// hook for display). szRegType holds at most 24 characters plus NUL, so the
// writer must truncate rather than assume every type name fits.
struct REGDATA
{
char szRegType[25];
char szRegData[MAX_PATH];
};
// An address and its textual form. ULONG is 32 bits on every Windows target, so
// uAddr cannot hold a 64-bit address; szAddr (15 characters plus NUL) is only
// sized for a 32-bit hexadecimal rendering such as "0x" + 8 digits.
struct ADDRDATA
{
ULONG uAddr;
char szAddr[16];
};
// A window-hook type (WH_* id passed to the SetWindowsHookEx hook) and its
// display name; szHookType holds 19 characters plus NUL.
struct HOOKDATA
{
ULONG uHookType;
char szHookType[20];
};
// A section access mask and its textual rendering (presumably filled by the
// ZwOpenSection hook).
struct SECTIONDATA
{
ULONG access_mask;
char szAccess[MAX_PATH];
};
// Layout of one System Service Descriptor Table entry (undocumented; this is
// the 32-bit kernel's layout). ServiceTableBase is indexed by system service
// number; ParamTableBase gives each service's argument byte count.
// NOTE(review): on x64 the table holds 32-bit offsets relative to the table
// base rather than absolute pointers, and the table is covered by Kernel Patch
// Protection, so anything that writes through ServiceTableBase (see FakeAnyPro
// below) is only meaningful on 32-bit Windows and must verify the kernel
// version first.
typedef struct _ServiceDescriptorTableEntry {
unsigned int *ServiceTableBase; //array of entry points
unsigned int *ServiceCounterTableBase; //array of usage counters
unsigned int NumberOfServices; //number of table entries
unsigned char *ParamTableBase; //array of byte counts
} ServiceDescriptorTableEntry, *PServiceDescriptorTableEntry;
//typedef struct _SECTION_IMAGE_INFORMATION {
// PVOID EntryPoint;
// ULONG StackZeroBits;
// ULONG StackReserved;
// ULONG StackCommit;
// ULONG ImageSubsystem;
// WORD SubsystemVersionLow;
// WORD SubsystemVersionHigh;
// ULONG Unknown1;
// ULONG ImageCharacteristics;
// ULONG ImageMachineType;
// ULONG Unknown2[3];
//} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;
// Per-drive current-directory record referenced by RTL_USER_PROCESS_PARAMETERS.
// The local RTL_USER_PROCESS_PARAMETERS definition below is commented out, so
// the PRTL_USER_PROCESS_PARAMETERS used later in this header must come from the
// DDK headers.
typedef struct _RTL_DRIVE_LETTER_CURDIR {
USHORT Flags;
USHORT Length;
ULONG TimeStamp;
UNICODE_STRING DosPath;
} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;
/*
typedef struct _RTL_USER_PROCESS_PARAMETERS {
ULONG MaximumLength;
ULONG Length;
ULONG Flags;
ULONG DebugFlags;
PVOID ConsoleHandle;
ULONG ConsoleFlags;
HANDLE StdInputHandle;
HANDLE StdOutputHandle;
HANDLE StdErrorHandle;
UNICODE_STRING CurrentDirectoryPath;
HANDLE CurrentDirectoryHandle;
UNICODE_STRING DllPath;
UNICODE_STRING ImagePathName;
UNICODE_STRING CommandLine;
PVOID Environment;
ULONG StartingPositionLeft;
ULONG StartingPositionTop;
ULONG Width;
ULONG Height;
ULONG CharWidth;
ULONG CharHeight;
ULONG ConsoleTextAttributes;
ULONG WindowFlags;
ULONG ShowWindowFlags;
UNICODE_STRING WindowTitle;
UNICODE_STRING DesktopName;
UNICODE_STRING ShellInfo;
UNICODE_STRING RuntimeData;
RTL_DRIVE_LETTER_CURDIR DLCurrentDirectory[0x20];
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
typedef struct _SYSTEM_HANDLE_INFORMATION {
ULONG ProcessId;
UCHAR ObjectTypeNumber;
UCHAR Flags;
USHORT Handle;
PVOID Object;
ACCESS_MASK GrantedAccess;
} _SYSTEM_HANDLE_INFORMATION, *P_SYSTEM_HANDLE_INFORMATION;
*/
// SYSTEM_HANDLE_INFORMATION itself comes from the DDK headers (the local copy
// above is commented out). The _EX type is the buffer layout returned for the
// SystemHandleInformation class. The struct tag spelling
// (_SYSTEM_HANDLE_INformATION_EX) is a typo, kept because only the typedef
// names are used.
typedef struct _SYSTEM_HANDLE_INFORMATION _SYSTEM_HANDLE_INFORMATION;
typedef struct _SYSTEM_HANDLE_INformATION_EX {
ULONG NumberOfHandles; // number of entries the kernel wrote into Information[]
// Trailing variable-length array ([1] is the pre-C99 idiom).
// NOTE(review): a reader must also bound NumberOfHandles by the byte length
// actually received for the buffer before indexing, not trust the count alone.
_SYSTEM_HANDLE_INFORMATION Information[1];
} _SYSTEM_HANDLE_INFORMATION_EX, *PSYSTEM_HANDLE_INFORMATION_EX;
// Opaque pointer types for the kernel process object; PEPROCESS itself is
// taken from the DDK (hence the commented-out alias).
typedef struct _KPROCESS *PKPROCESS ,*PRKPROCESS;//, *PEPROCESS;
/*
typedef struct _KAPC_STATE {
LIST_ENTRY ApcListHead[MaximumMode];
struct _KPROCESS *Process;
BOOLEAN KernelApcInProgress;
BOOLEAN KernelApcPending;
BOOLEAN UserApcPending;
} KAPC_STATE, *PKAPC_STATE, *PRKAPC_STATE;
*/
// KAPC_STATE comes from the DDK (the local copy above is commented out); it is
// the state block handed to KeStackAttachProcess / KeUnstackDetachProcess.
typedef struct _KAPC_STATE KAPC_STATE, *PKAPC_STATE, *PRKAPC_STATE;
// Partial view of the loader data reachable from the PEB. Only
// InMemoryOrderModuleList is named; the Reserved* fields exist to fix its
// offset, so their sizes must not be changed.
typedef struct _PEB_LDR_DATA {
BYTE Reserved1[8];
PVOID Reserved2[3];
LIST_ENTRY InMemoryOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;
//typedef struct PPS_POST_PROCESS_INIT_ROUTINE PVOID ;
// Partial 32-bit layout of the Process Environment Block (the same "Reserved"
// view the public winternl.h exposes). Field offsets depend on the Reserved*
// padding and are not valid for a 64-bit process or for a WOW64 view.
// NOTE(review): the PEB lives in the target process's user-mode address space
// and the process can rewrite it at any time. Any read through a PPEB (e.g.
// ProcessParameters->ImagePathName) must happen while attached to that
// process, with the pointer probed and the access guarded, and the contents
// must be treated as untrusted input -- never as an authoritative path.
typedef struct _PEB {
BYTE Reserved1[2];
BYTE BeingDebugged;
BYTE Reserved2[1];
PVOID Reserved3[2];
PPEB_LDR_DATA Ldr;
PRTL_USER_PROCESS_PARAMETERS ProcessParameters; // PRTL_USER_PROCESS_PARAMETERS
BYTE Reserved4[104];
PVOID Reserved5[52];
PVOID PostProcessInitRoutine; // PPS_POST_PROCESS_INIT_ROUTINE
BYTE Reserved6[128];
PVOID Reserved7[1];
ULONG SessionId;
} PEB, * PPEB;
// Signature used to call PsGetProcessPeb through a function pointer (the
// routine is not declared by the DDK headers in use).
typedef PPEB (__stdcall *PPSGETPROCESSPEB) (IN PEPROCESS Process);
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
//typedef enum _OBJECT_INFORMATION_CLASS {
// ObjectBasicInformation = 0,
// ObjectTypeInformation = 2
//} OBJECT_INFORMATION_CLASS;
// Native process query, declared here because the DDK in use does not export
// the prototype.
// NOTE(review): Zw* routines called from kernel mode run with previous mode =
// Kernel, so the ProcessInformation buffer is NOT probed. Pass only a
// kernel-owned buffer here; never forward a user-supplied pointer directly.
extern NTSYSAPI
NTSTATUS
NTAPI
ZwQueryInformationProcess(
IN HANDLE ProcessHandle,
IN PROCESSINFOCLASS ProcessInformationClass,
OUT PVOID ProcessInformation,
IN ULONG ProcessInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
//extern NTSTATUS ZwQuerySystemInformation(
// IN ULONG SystemInformationClass,
// IN PVOID SystemInformation,
// IN ULONG SystemInformationLength,
// OUT PULONG ReturnLength);
/*
extern KPROCESSOR_MODE
KeGetPreviousMode(
VOID
);
*/
//extern NTKERNELAPI
//NTSTATUS
//PsLookupProcessByProcessId(
// __in HANDLE ProcessId,
// __deref_out PEPROCESS *Process
// );
// Handle-duplication / object-query routines, declared locally for the same
// reason as ZwQueryInformationProcess above. The same caveat applies: Zw*
// calls from kernel mode skip user-pointer probing, so TargetHandle,
// ObjectInformation and ReturnLength must point into kernel memory.
extern NTSYSAPI
NTSTATUS
NTAPI
ZwDuplicateObject(
__in HANDLE SourceProcessHandle,
__in HANDLE SourceHandle,
__in_opt HANDLE TargetProcessHandle,
__out_opt PHANDLE TargetHandle,
__in ACCESS_MASK DesiredAccess,
__in ULONG HandleAttributes,
__in ULONG Options
);
// With ObjectNameInformation (defined above) this returns the object's name
// into ObjectInformation; the buffer size must be validated against
// ReturnLength by the caller.
extern NTSYSAPI
NTSTATUS
NTAPI
ZwQueryObject(
__in_opt HANDLE Handle,
__in OBJECT_INFORMATION_CLASS ObjectInformationClass,
__out_bcount_opt(ObjectInformationLength) PVOID ObjectInformation,
__in ULONG ObjectInformationLength,
__out_opt PULONG ReturnLength
);
// Name lookup for an already-referenced object (no handle needed). When Length
// is too small the call fails and ReturnLength gives the required size, so
// callers should be prepared to retry with a larger buffer.
extern NTKERNELAPI
NTSTATUS
ObQueryNameString(
__in PVOID Object,
__out_bcount_opt(Length) POBJECT_NAME_INFORMATION ObjectNameInfo,
__in ULONG Length,
__out PULONG ReturnLength
);
/*
extern NTKERNELAPI
VOID
KeStackAttachProcess (
__inout PEPROCESS PROCESS,
__out PRKAPC_STATE ApcState
);
*/
// Detaches from a process attached with KeStackAttachProcess (whose local
// prototype above is commented out, so it must come from the DDK). Must be
// called with the same KAPC_STATE, on every exit path including error paths.
extern NTKERNELAPI
VOID
KeUnstackDetachProcess (
PRKAPC_STATE ApcState
);
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Function-pointer types for the original process-creation services. These
// are presumably used to hold the entry the hook replaced, so that the
// Faked* routine can forward to the real service. Signatures must match the
// kernel's exactly because the original argument frame is passed through.
typedef NTSTATUS (*ZWCREATEPROCESS)(OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN HANDLE ParentProcess,
IN BOOLEAN InheritObjectTable,
IN HANDLE SectionHandle,
IN HANDLE DebugPort,
IN HANDLE ExceptionPort
);
typedef NTSTATUS (*ZWCREATEPROCESSEX)(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN HANDLE InheritFromProcessHandle,
IN BOOLEAN InheritHandles,
IN HANDLE SectionHandle OPTIONAL,
IN HANDLE DebugPort OPTIONAL,
IN HANDLE ExceptionPort OPTIONAL,
IN HANDLE Unknown
);
// Vista-era NtCreateUserProcess. Most parameters are unnamed placeholders
// here; only ProcessParameters is interpreted by the hook, presumably. The
// real parameter count/order is version-specific -- confirm per kernel.
typedef NTSTATUS (*NTCREATEUSERPROCESS)(PHANDLE ProcessHandle,
PHANDLE ThreadHandle,
PVOID Parameter2,
PVOID Parameter3,
PVOID ProcessSecurityDescriptor,
PVOID ThreadSecurityDescriptor,
PVOID Parameter6,
PVOID Parameter7,
PRTL_USER_PROCESS_PARAMETERS ProcessParameters,
PVOID Parameter9,
PVOID pProcessUnKnow);
// Original-service pointer types for the registry, driver-load, system-time,
// system-information and debug-control hooks (see the matching Faked*
// prototypes below).
typedef NTSTATUS (*ZWSETVALUEKEY)
(
IN HANDLE KeyHandle,
IN PUNICODE_STRING ValueName,
IN ULONG TitleIndex OPTIONAL,
IN ULONG Type,
IN PVOID Data,
IN ULONG DataSize
);
typedef NTSTATUS (*ZWLOADDRIVER)
(
IN PUNICODE_STRING DriverServiceName
);
typedef NTSTATUS (*ZWSETSYSTEMTIME)
(
PLARGE_INTEGER NewTime,PLARGE_INTEGER OldTime
);
// SYSTEM_INFORMATION_CLASS is aliased to ULONG above; the class of interest
// is SystemLoadAndCallImage (driver load via ZwSetSystemInformation).
typedef NTSTATUS (*NTSETSYSTEMINFORMATION)(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
IN OUT PVOID SystemInformation,
IN ULONG SystemInformationLength
);
// ControlCode values are the SYSDBG_COMMAND enumerators defined above.
typedef NTSTATUS (*NTSYSTEMDEBUGCONTROL)(
IN DEBUG_CONTROL_CODE ControlCode,
IN PVOID InputBuffer OPTIONAL,
IN ULONG InputBufferLength,
OUT PVOID OutputBuffer OPTIONAL,
IN ULONG OutputBufferLength,
OUT PULONG ReturnLength OPTIONAL
);
// Original-service pointer types for the file write/read hooks. Buffer,
// IoStatusBlock, ByteOffset and Key are caller pointers that the original
// service probes according to the caller's mode; a hook must not dereference
// them before the same validation.
typedef NTSTATUS (*NTWRITEFILE)(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PVOID Buffer,
IN ULONG Length,
IN PLARGE_INTEGER ByteOffset OPTIONAL,
IN PULONG Key OPTIONAL
);
typedef NTSTATUS (*NTREADFILE)(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID Buffer,
IN ULONG Length,
IN PLARGE_INTEGER ByteOffset OPTIONAL,
IN PULONG Key OPTIONAL);
// Original-service pointer types for the cross-process memory write, section
// open and window-hook installation hooks.
typedef NTSTATUS(*ZWWRITEVIRTUALMEMORY)(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
IN PVOID Buffer,
IN ULONG BufferLength,
OUT PULONG ReturnLength OPTIONAL
);
typedef NTSTATUS(*ZWOPENSECTION)(
__out PHANDLE SectionHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes
);
// NtUserSetWindowsHookEx is a win32k (shadow table) service rather than an
// ntoskrnl one; HHOOK is declared locally for the GCC build above. HookId is
// the WH_* constant; ThreadId 0 presumably means a global hook -- confirm.
typedef HHOOK (*NTUSERSETWINDOWSHOOKEX)(
HINSTANCE Mod,
PUNICODE_STRING UnsafeModuleName,
DWORD ThreadId,
int HookId,
PVOID HookProc,
BOOL Ansi
);
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
//
// Device driver routine declarations.
//
// Standard WDM entry points. DDKAPI (the DDK's calling-convention macro) must
// match the definitions in the .c file.
NTSTATUS DDKAPI DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath);
NTSTATUS DDKAPI SafemodelDispatchCreate(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp);
NTSTATUS DDKAPI SafemodelDispatchClose(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp);
// Presumably handles the IOCTLs defined above (DRIVE_INITIALIZE ..
// READ_FILE_MONITOR_OFF). NOTE(review): because those codes use
// FILE_ANY_ACCESS, this routine is where the caller's authority to toggle a
// monitor has to be decided -- confirm it validates the input buffer length
// and the requester before acting on the request.
NTSTATUS DDKAPI SafemodelDispatchDeviceControl(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp);
VOID DDKAPI SafemodelUnload(IN PDRIVER_OBJECT DriverObject);
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
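// Internal helper routines, defined in the driver's .c files.
// Routines that take no arguments are declared with (void): in a C prototype
// an empty parameter list means "unspecified arguments" and turns off
// argument checking at call sites. Definitions written as `f()` remain
// compatible with these prototypes.
PVOID GetInfoTable(ULONG ATableType);
HANDLE GetProcPidByObjName(PWCHAR pwObjName,int iSize);
//VOID ZeroMemory(VOID* pobj,int len);
//BOOLEAN Sleep(ULONG MillionSecond);
WIN_VER_DETAIL GetWindowsVersion(void);
// String conversion / path lookup helpers.
// NOTE(review): each writes into a caller-supplied char buffer with no length
// parameter, so the callee has no way to bound the write. Every caller must
// size the destination for the worst case (MAX_PATH is what the structs above
// use) -- confirm the definitions truncate rather than assume it fits.
int ConvertFileNameWCHARToCHAR(PWCHAR pWChar, PCHAR pChar);
int ConvertFileNameUNISTRToCHAR(PUNICODE_STRING usFileName, PCHAR pChar);
NTSTATUS GetFilePathVista(HANDLE KeyHandle,char *fullname);
NTSTATUS GetFilePath2000_2003(HANDLE KeyHandle,char *fullname);
NTSTATUS GetFilePath(HANDLE KeyHandle,char *fullname);
BOOLEAN GetRegPath(HANDLE handle,PCHAR pKeyPath);
BOOL GetProcessName(PEPROCESS pProcess,PCHAR pProcessName);
BOOL GetProcessPath(HANDLE hProcess,PCHAR pPathName);
PULONG GetProcessObjectState(PEPROCESS MyProcess,HANDLE MyProcessId);
// Policy decision: presumably returns whether the monitored operation dFun,
// issued by procname (child of fathername), is allowed to proceed. The
// pValue* arguments are operation-specific -- TODO confirm against the callers.
BOOL GoOrNot(PVOID fathername,PVOID procname,ULONG dFun,PVOID pValue1,PVOID pValue2,PVOID pValue3);
// Service-table patching: FakeAnyPro presumably stores NewFunValue at
// *FakeFunPos, returning the previous value through POldFunValue so that
// UnFakeAnyPro can restore it. See the ServiceDescriptorTableEntry note on
// why this is 32-bit only.
BOOL FakeAnyPro(IN PULONG FakeFunPos,IN ULONG NewFunValue,OUT PULONG POldFunValue,OUT PBOOL fakestate);
BOOL UnFakeAnyPro(IN PULONG FakeFunPos,IN ULONG OldFunValue,OUT PBOOL fakestate);
// Service-index discovery for the SSDT and the win32k shadow table.
VOID InitShadowCallIndex(void);
VOID InitSysCallIndex(void);
unsigned int GetAddressOfShadowTable(void);
PULONG GetAddressOfShadowTable2(void);
ULONG GetShadowTable(void);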
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Replacement (hook) routines, presumably installed in place of the original
// system services via FakeAnyPro. Each has the exact signature of the service
// it replaces (see the matching function-pointer typedef above) because the
// kernel calls it with the original argument frame.
// NOTE(review): these run on the system-call path with previous mode = User,
// so every pointer argument (ProcessHandle, ObjectAttributes,
// ProcessParameters, ...) is an unvalidated user-mode pointer. It must be
// probed and read inside an exception guard before use, and the original
// service should remain the one that interprets it. On the GCC build __try is
// defined away at the top of this header, so that guard has to be real there
// as well.
NTSTATUS FakedZwCreateProcess (OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN HANDLE ParentProcess,
IN BOOLEAN InheritObjectTable,
IN HANDLE SectionHandle,
IN HANDLE DebugPort,
IN HANDLE ExceptionPort);
NTSTATUS FakedZwCreateProcessEx(
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN HANDLE InheritFromProcessHandle,
IN BOOLEAN InheritHandles,
IN HANDLE SectionHandle OPTIONAL,
IN HANDLE DebugPort OPTIONAL,
IN HANDLE ExceptionPort OPTIONAL,
IN HANDLE Unknown
);
NTSTATUS FakedNtCreateUserProcess (PHANDLE ProcessHandle,
PHANDLE ThreadHandle,
PVOID Parameter2,
PVOID Parameter3,
PVOID ProcessSecurityDescriptor,
PVOID ThreadSecurityDescriptor,
PVOID Parameter6,
PVOID Parameter7,
PRTL_USER_PROCESS_PARAMETERS ProcessParameters,
PVOID Parameter9,
PVOID pProcessUnKnow);
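// Hook routines for the registry, driver-load, system-time, memory-write,
// system-information and debug-control services. Signatures match the
// function-pointer typedefs above. As with the process hooks, every pointer
// parameter is a user-mode pointer that must be validated before use.
NTSTATUS FakedZwSetValueKey(
IN HANDLE KeyHandle,
IN PUNICODE_STRING ValueName,
IN ULONG TitleIndex OPTIONAL,
IN ULONG Type,
IN PVOID Data,
IN ULONG DataSize
);
// FakedZwLoadDriver was declared twice in the original header; the duplicate
// (identical) prototype has been dropped.
NTSTATUS FakedZwLoadDriver(IN PUNICODE_STRING DriverServiceName);
NTSTATUS FakedZwSetSystemTime(PLARGE_INTEGER NewTime,PLARGE_INTEGER OldTime);
NTSTATUS FakedZwWriteVirtualMemory(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
IN PVOID Buffer,
IN ULONG BufferLength,
OUT PULONG ReturnLength OPTIONAL
);
// Of interest for SystemLoadAndCallImage (38), the class that loads a driver.
NTSTATUS FakedNtSetSystemInformation(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
IN OUT PVOID SystemInformation,
IN ULONG SystemInformationLength
);
// ControlCode is a SYSDBG_COMMAND value; see the enum above for the commands
// that reach kernel memory and hardware.
NTSTATUS FakedNtSystemDebugControl(
IN DEBUG_CONTROL_CODE ControlCode,
IN PVOID InputBuffer OPTIONAL,
IN ULONG InputBufferLength,
OUT PVOID OutputBuffer OPTIONAL,
IN ULONG OutputBufferLength,
OUT PULONG ReturnLength OPTIONAL
);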
// Hook routines for file write, window-hook installation, process open and
// section open. Note that no FakedNtReadFile is declared even though an
// NTREADFILE typedef and READ_FILE_MONITOR_ON/OFF IOCTLs exist above -- either
// the read hook is declared elsewhere or that IOCTL pair is unimplemented;
// confirm.
NTSTATUS FakedNtWriteFile(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PVOID Buffer,
IN ULONG Length,
IN PLARGE_INTEGER ByteOffset OPTIONAL,
IN PULONG Key OPTIONAL
);
// win32k shadow-table hook; returns the HHOOK the original service produced.
HHOOK FakedNtUserSetWindowsHookEx(
HINSTANCE Mod,
PUNICODE_STRING UnsafeModuleName,
DWORD ThreadId,
int HookId,
PVOID HookProc,
BOOL Ansi
);
// No function-pointer typedef for NtOpenProcess is declared in this header;
// the original-service pointer presumably lives in the .c file.
NTSTATUS FakedNtOpenProcess (
__out PHANDLE ProcessHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__in_opt PCLIENT_ID ClientId
);
NTSTATUS FakedZwOpenSection(
__out PHANDLE SectionHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes
);
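// Monitor on/off toggles, one pair per hooked service, selected by the
// *_MONITOR_ON/OFF IOCTLs defined at the top of this header. Declared with
// (void): an empty parameter list in a C prototype means "unspecified
// arguments" and disables argument checking at call sites; definitions written
// as `f()` remain compatible. The Moniter spelling is kept because the
// definitions and callers use it.
VOID ProcMoniterOn(void);
VOID ProcMoniterOff(void);
VOID RegMoniterOn(void);
VOID RegMoniterOff(void);
VOID ModMonitorOn(void);
VOID ModMonitorOff(void);
VOID TimeSafeOn(void);
VOID TimeSafeOff(void);
VOID HookMoniterOn(void);
VOID HookMoniterOff(void);
VOID WriteFileMoniterOn(void);
VOID WriteFileMoniterOff(void);
VOID SystemDebugMoniterOn(void);
VOID SystemDebugMoniterOff(void);
VOID WriteVirtualMemoryOn(void);
VOID WriteVirtualMemoryOff(void);
VOID OpenSectionOn(void);
VOID OpenSectionOff(void);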