演示无驱动执行Ring0代码(C++) (转)
/********************************************************************
程 序: 演示无驱动执行Ring0代码
创建时间:
作 者: Ring0Demo.c v1.0 by zzzEVAzzz
来 源:
目 的: 演示无驱动执行Ring0代码
原 理: 通过\Device\PhysicalMemory修改NtVdmControl入口,跳转到Ring0Code
注 意:
最后修改:
整 理: hengai
编译环境: VC6 + WindowsXP 未能通过编译
*********************************************************************/
#include "StdAfx.h"
#include <Windows.h>
#include <Ntsecapi.h>
#include <Aclapi.h>
#pragma comment (lib,"ntdll.lib") // Copy From DDK
#pragma comment (lib,"Kernel32.lib")
#pragma comment (lib,"Advapi32.lib")
//------------------ 数据类型声明开始 --------------------//
// One entry of the undocumented loaded-module list returned by
// ZwQuerySystemInformation(SystemModuleInformation); the class value (11) and
// the prototype are declared further down in this file. Only Base, Size and
// ImageName carry names that are meaningful to callers; the Reserved/Unknown
// fields are opaque padding as far as this file is concerned.
// NOTE(review): this is the 32-bit layout (PVOID is 4 bytes here, matching the
// "VC6 + WindowsXP" target in the header); the 64-bit kernel's record is not
// the same shape -- confirm before reusing on x64.
typedef struct _SYSTEM_MODULE_INFORMATION {
ULONG Reserved[2];
PVOID Base; // load address of the module (presumably kernel-mode; verify)
ULONG Size; // size of the mapped image in bytes (presumably)
ULONG Flags;
USHORT Index; // position of this entry in the returned list (presumably)
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset; // presumably the offset of the basename inside ImageName -- confirm
CHAR ImageName[256]; // NUL-terminated ANSI path of the module
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
// Local copy of the native OBJECT_ATTRIBUTES block passed to ZwOpenSection
// (declared below); presumably redefined here because the SDK headers this
// file includes do not provide it. It is filled by the
// InitializeObjectAttributes macro defined later in this file, which sets
// Length to sizeof(OBJECT_ATTRIBUTES) and always clears SecurityQualityOfService.
typedef struct _OBJECT_ATTRIBUTES {
ULONG Length; // must be sizeof(OBJECT_ATTRIBUTES); the kernel rejects other values
HANDLE RootDirectory; // directory handle ObjectName is relative to, or NULL for an absolute name
PUNICODE_STRING ObjectName; // counted wide string, e.g. set up with RtlInitUnicodeString below
ULONG Attributes; // OBJ_* flags (OBJ_KERNEL_HANDLE is defined below)
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
// Inheritance disposition for a mapped section view; this is the
// InheritDisposition argument of ZwMapViewOfSection (the declaration further
// down is cut off in this copy before that parameter). Values match the DDK.
typedef enum _SECTION_INHERIT {
ViewShare = 1, // child processes inherit the view
ViewUnmap = 2 // view is not inherited by child processes
} SECTION_INHERIT;
// Program-local record describing one process; this is not a Windows
// structure and nothing in the visible part of this file references it.
// NOTE(review): the field meanings below are inferred from the names only --
// confirm against the code that fills this structure.
typedef struct _MY_PROCESS_INFO {
ULONG PID; // process id
ULONG KPEB; // presumably the kernel-mode address of the process object
ULONG CR3; // presumably the page-directory base of the process
CHAR Name[16]; // short image name; 16 bytes matches the kernel's process name field (presumably)
ULONG Reserved;
} MY_PROCESS_INFO, *PMY_PROCESS_INFO;
// Native status code; negative values are failures (see NT_SUCCESS below).
// "long" is 32 bits on every Windows ABI, which is what the 0xC0000000-range
// STATUS_* constants below rely on to come out negative -- on an LP64
// toolchain this typedef would make them positive.
// NOTE(review): Ntsecapi.h (included above) may already typedef NTSTATUS; a
// second typedef of the same name is an error under C89/VC6 and could be one
// reason the header notes this file failed to compile -- confirm against the SDK.
typedef long NTSTATUS;
//------------------ 数据类型声明结束 --------------------//
//--------------------- 预定义开始 -----------------------//
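// Success test for NTSTATUS values: the sign bit is the failure flag.
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
// Status codes this program compares against (values as in the DDK's ntstatus.h).
#define STATUS_SUCCESS 0x00000000
#define STATUS_UNSUCCESSFUL 0xC0000001
#define STATUS_NOT_IMPLEMENTED 0xC0000002
#define STATUS_INFO_LENGTH_MISMATCH 0xC0000004
#define STATUS_INVALID_PARAMETER 0xC000000D
#define STATUS_ACCESS_DENIED 0xC0000022
#define STATUS_BUFFER_TOO_SMALL 0xC0000023
// OBJECT_ATTRIBUTES.Attributes flag: the returned handle is a kernel handle.
#define OBJ_KERNEL_HANDLE 0x00000200
// SYSTEM_INFORMATION_CLASS value that makes ZwQuerySystemInformation return
// SYSTEM_MODULE_INFORMATION entries.
#define SystemModuleInformation 11
// Fills an OBJECT_ATTRIBUTES (p) for ZwOpenSection: name n, OBJ_* flags a,
// root directory r, security descriptor s. The brace form matches the DDK
// macro, so it is written as a statement; SecurityQualityOfService is always
// cleared. The line-continuation characters are backslashes -- the copy this
// was taken from had them mangled into '/', which broke the definition.
#define InitializeObjectAttributes( p, n, a, r, s ) { \
(p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
(p)->RootDirectory = r; \
(p)->Attributes = a; \
(p)->ObjectName = n; \
(p)->SecurityDescriptor = s; \
(p)->SecurityQualityOfService = NULL; \
}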
//--------------------- 预定义结束 -----------------------//
//------------------ Native API声明开始 ------------------//
// Initializes a counted UNICODE_STRING from a NUL-terminated wide string.
// The buffer is referenced, not copied, so SourceString must outlive the
// string it initializes. Resolved from ntdll.lib (see the pragma above); used
// here to build the ObjectName of an OBJECT_ATTRIBUTES for ZwOpenSection.
NTSYSAPI
VOID
NTAPI
RtlInitUnicodeString(
PUNICODE_STRING DestinationString, // receives Length/MaximumLength/Buffer
PCWSTR SourceString // NUL-terminated source; may be NULL for an empty string
);
// Fills SystemInformation with the record set selected by
// SystemInformationClass (SystemModuleInformation above). When the buffer is
// too small it returns STATUS_INFO_LENGTH_MISMATCH (defined above) and the
// required size is reported through ReturnLength, so callers retry with a
// larger buffer. For SystemModuleInformation the data presumably starts with
// an entry count followed by SYSTEM_MODULE_INFORMATION records -- confirm
// against the code that parses it.
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation(
ULONG SystemInformationClass, // SYSTEM_INFORMATION_CLASS value
PVOID SystemInformation, // caller-supplied output buffer
ULONG SystemInformationLength, // size of that buffer in bytes
PULONG ReturnLength // optional: bytes needed/written
);
// Opens an existing named section object described by ObjectAttributes with
// the requested ACCESS_MASK; on success SectionHandle receives the handle.
// NOTE(review): the file header says this is applied to \Device\PhysicalMemory.
// Opening that object for write from user mode requires administrative rights
// and, as far as I recall, is refused outright by Windows releases after XP
// (Server 2003 SP1 onward) -- confirm on the target. From a defensive view,
// a user-mode open of that object name is a strong audit/EDR signal.
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenSection(
OUT PHANDLE SectionHandle, // receives the section handle
IN ACCESS_MASK DesiredAccess, // e.g. SECTION_MAP_READ | SECTION_MAP_WRITE
IN POBJECT_ATTRIBUTES ObjectAttributes // name set up with InitializeObjectAttributes
);
NTSYSAPI
NTSTATUS
NTAPI
ZwMapViewOfSection(
IN HANDLE SectionHandle,
IN HANDLE ProcessHandle,
IN OUT PVOID *BaseAddress,
IN ULONG ZeroBits,
IN ULONG CommitSize,
IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
IN OUT PULONG ViewSize,
IN %