Windows Native Applications and the Acronis Active Restore service
Today we continue the story of how we, together with the guys from Innopolis University, are developing the Active Restore technology, which lets a user start working on their machine as early as possible after a failure. We will talk about Windows native applications: what is special about them and how they are launched. Below the cut: a little about our project and a practical guide to writing native applications.
In earlier posts we already talked about what Active Restore is and how the students from Innopolis are developing the service. Today I want to look at native applications, the level at which we would like to "plant" our Active Restore service. If everything works out, we will be able to:
start the service itself much earlier;
contact the cloud where the backup is stored much earlier;
determine much earlier which mode the system is in: a normal boot or a recovery;
restore far fewer files up front;
let the user start working faster.
What is a native application?
To answer this question, let's look at the chain of calls the system makes when, for example, a programmer tries to create a file from their application.
Pavel Yosifovich - Windows Kernel Programming (2019)
The programmer calls the CreateFile function, which is declared in the fileapi.h header and implemented in Kernel32.dll. This function does not create the file itself, however: it only validates the input arguments and calls NtCreateFile (the Nt prefix simply indicates that the function is native). NtCreateFile is declared in the winternl.h header and implemented in ntdll.dll. It prepares the transition into kernel space and then issues the system call that actually creates the file. In this picture Kernel32 turns out to be just a wrapper around Ntdll. One reason it was done this way is that Microsoft can change the functions of the native world without touching the public interfaces. Microsoft does not recommend calling native functions directly and does not document most of them. By the way, the undocumented functions can be found here.
The big advantage of native applications is that ntdll is loaded into the system much earlier than kernel32. That is logical, since kernel32 needs ntdll in order to work. As a result, applications that use only native functions can start working much earlier.
So, Windows Native Applications are programs that can be started early in the Windows boot. They use only functions from ntdll. An example of such an application is autochk, which does the work of the chkdsk utility: it checks the disks for errors before the main services start. This is exactly the level where we want our Active Restore to live.
What do we need?
The DDK (Driver Development Kit), now known as the WDK 7 (Windows Driver Kit).
A virtual machine (for example, Windows 7 x64).
Not required, but helpful: the header files that can be downloaded here.
What is in the code?
Let's practise a little and write, for example, a small application that:
displays a message on the screen;
allocates some memory;
waits for keyboard input;
frees the memory it used.
In native applications the entry point is neither main nor winmain but the NtProcessStartup function, because we are starting a new process in the system directly.
Let's begin with displaying a message on the screen. For this we have the native function NtDisplayString, whose argument is a pointer to a UNICODE_STRING structure. RtlInitUnicodeString helps us initialize it. So, to print text on the screen we can write this small function:
// usage: WriteLn(L"Here is my text\n");
void WriteLn(LPWSTR Message)
{
    UNICODE_STRING string;
    RtlInitUnicodeString(&string, Message); // wraps the buffer, no copy is made
    NtDisplayString(&string);               // prints to the boot-time console
}
Because only the functions from ntdll are available to us, and no other library is in memory, we will have trouble allocating memory. There is no new operator (it belongs to the high-level world of C++), and there is no malloc function (it needs the C runtime libraries). Of course, you can simply use the stack. But if we need to allocate memory dynamically, we have to do it on the heap. So let's create a heap of our own and take memory from it when we need it.
The RtlCreateHeap function is just right for this. Then, using RtlAllocateHeap and RtlFreeHeap, we allocate and free memory as needed.
PVOID memory = NULL;
PVOID buffer = NULL;
ULONG bufferSize = 42;

// create a heap in order to allocate memory from it later
memory = RtlCreateHeap(
    HEAP_GROWABLE,
    NULL,
    1000,
    0, NULL, NULL
    );

// allocate a buffer of bufferSize bytes
buffer = RtlAllocateHeap(
    memory,
    HEAP_ZERO_MEMORY,
    bufferSize
    );

// free the buffer (actually not needed, because we destroy the heap in the next step)
RtlFreeHeap(memory, 0, buffer);
RtlDestroyHeap(memory);
Let's move on to waiting for keyboard input.
All we need is to call NtReadFile on an opened device and wait until the keyboard returns a keystroke to us. If the key pressed is ESC, we finish. To open the device we call NtCreateFile (we need to open \Device\KeyboardClass0). We also call NtCreateEvent to initialize the object we will wait on. We declare the KEYBOARD_INPUT_DATA structure, which describes the keyboard data, ourselves; this makes the work easier.
The native application ends with a call to NtTerminateProcess, since we simply kill our own process.
The complete code of our small application:
#include "ntifs.h" // WinDDK\7600.16385.1\inc\ddk
#include "ntdef.h"

//------------------------------------
// The following function declarations can be found in the native
// development kit, but I am too lazy to include it, so I declare them here
//------------------------------------
NTSYSAPI
NTSTATUS
NTAPI
NtTerminateProcess(
    IN HANDLE ProcessHandle OPTIONAL,
    IN NTSTATUS ExitStatus
    );

NTSYSAPI
NTSTATUS
NTAPI
NtDisplayString(
    IN PUNICODE_STRING String
    );

NTSYSAPI
NTSTATUS
NTAPI
NtWaitForSingleObject(
    IN HANDLE Handle,
    IN BOOLEAN Alertable,
    IN PLARGE_INTEGER Timeout
    );

NTSYSAPI
NTSTATUS
NTAPI
NtCreateEvent(
    OUT PHANDLE EventHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
    IN EVENT_TYPE EventType,
    IN BOOLEAN InitialState
    );

// https://docs.microsoft.com/en-us/windows/win32/api/ntddkbd/ns-ntddkbd-keyboard_input_data
typedef struct _KEYBOARD_INPUT_DATA {
    USHORT UnitId;
    USHORT MakeCode;         // scan code of the key
    USHORT Flags;            // key down / key up, extended-key flags
    USHORT Reserved;
    ULONG  ExtraInformation;
} KEYBOARD_INPUT_DATA, *PKEYBOARD_INPUT_DATA;

//----------------------------------------------------------
// Our code goes here
//----------------------------------------------------------

// usage: WriteLn(L"Hello Native World!\n");
void WriteLn(LPWSTR Message)
{
    UNICODE_STRING string;
    RtlInitUnicodeString(&string, Message);
    NtDisplayString(&string);
}

void NtProcessStartup(void* StartupArgument)
{
    // it is important to declare all variables at the beginning (C89 rules)
    HANDLE hKeyBoard, hEvent;
    UNICODE_STRING keyboard;
    OBJECT_ATTRIBUTES ObjectAttributes;
    IO_STATUS_BLOCK Iosb;
    LARGE_INTEGER ByteOffset;
    KEYBOARD_INPUT_DATA kbData;
    NTSTATUS status;
    PVOID memory = NULL;
    PVOID buffer = NULL;
    ULONG bufferSize = 42;

    // uncomment to break into the kernel debugger if one is attached
    //DbgBreakPoint();

    WriteLn(L"Hello Native World!\n");

    // initialize variables
    RtlInitUnicodeString(&keyboard, L"\\Device\\KeyboardClass0");
    InitializeObjectAttributes(&ObjectAttributes, &keyboard, OBJ_CASE_INSENSITIVE, NULL, NULL);
    ByteOffset.QuadPart = 0;

    // open the keyboard device
    status = NtCreateFile(&hKeyBoard,
        SYNCHRONIZE | GENERIC_READ | FILE_READ_ATTRIBUTES,
        &ObjectAttributes,
        &Iosb,
        NULL,
        FILE_ATTRIBUTE_NORMAL,
        0,
        FILE_OPEN, FILE_DIRECTORY_FILE,
        NULL, 0);
    if (!NT_SUCCESS(status))
    {
        WriteLn(L"Failed to open keyboard device\n");
        NtTerminateProcess(NtCurrentProcess(), status);
    }

    // create the event that the asynchronous read will signal
    InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
    NtCreateEvent(&hEvent, EVENT_ALL_ACCESS, &ObjectAttributes, SynchronizationEvent, FALSE);
    WriteLn(L"Keyboard ready\n");

    // create a heap in order to allocate memory from it later
    memory = RtlCreateHeap(
        HEAP_GROWABLE,
        NULL,
        1000,
        0, NULL, NULL
        );
    WriteLn(L"Heap ready\n");

    // allocate a buffer of bufferSize bytes
    buffer = RtlAllocateHeap(
        memory,
        HEAP_ZERO_MEMORY,
        bufferSize
        );
    WriteLn(L"Buffer allocated\n");

    // free the buffer (actually not needed, because we destroy the heap in the next step)
    RtlFreeHeap(memory, 0, buffer);
    RtlDestroyHeap(memory);
    WriteLn(L"Heap destroyed\n");

    WriteLn(L"Press ESC to continue...\n");
    while (TRUE)
    {
        // the read completes asynchronously; hEvent is set when a keystroke arrives
        NtReadFile(hKeyBoard, hEvent, NULL, NULL, &Iosb, &kbData, sizeof(KEYBOARD_INPUT_DATA), &ByteOffset, NULL);
        NtWaitForSingleObject(hEvent, TRUE, NULL);
        if (kbData.MakeCode == 0x01) // scan code 0x01 is ESC
        {
            break;
        }
    }

    NtTerminateProcess(NtCurrentProcess(), 0);
}
PS: We can simply put a DbgBreakPoint() call into our code to stop in the debugger. Of course, you need to attach WinDbg to the virtual machine for kernel debugging. Instructions on how to do that can be found here, or just use VirtualKD.
Compiling and linking
The easiest way to build a native application is to use the DDK (Driver Development Kit). We need the old version 7, because the later versions work a bit differently and are integrated with Visual Studio. If we use the DDK, our project needs a makefile and a sources file.
File makefile:
!INCLUDE $(NTMAKEENV)\makefile.def
File sources:
TARGETNAME = MyNative
TARGETTYPE = PROGRAM
UMTYPE = nt
BUFFER_OVERFLOW_CHECKS = 0
MINWIN_SDK_LIB_PATH = $(SDK_LIB_PATH)
SOURCES = source.c
INCLUDES = $(DDK_INC_PATH); \
           C:\WinDDK\7600.16385.1\ndk;
TARGETLIBS = $(DDK_LIB_PATH)\ntdll.lib \
             $(DDK_LIB_PATH)\nt.lib
USE_NTDLL = 1
Your makefile will be exactly the same, but let's look at the sources file in a bit more detail. This file describes the sources of your program (the .c files), the build options and other parameters.
TARGETNAME - the name of the executable file produced at the end.
TARGETTYPE - the type of the executable file. If it were a driver (.sys), the field value would be DRIVER; if a library (.lib), the value would be LIBRARY. In our case we need an executable (.exe), so we set the value to PROGRAM.
UMTYPE - the valid values for this field are console for a console application and windows for a windowed application. We, however, need to specify nt to get a native application.
BUFFER_OVERFLOW_CHECKS - stack checks for buffer overflows; in our case they are not needed, so we turn them off.
MINWIN_SDK_LIB_PATH - this value refers to the SDK_LIB_PATH variable. Don't worry that you have not set such an environment variable: when we run the build from the DDK, this variable will be defined and point to the required libraries.
SOURCES - the list of source files of your program.
INCLUDES - the header files needed for compilation. Usually the path to the files that ship with the DDK is given here, but you can specify others.
TARGETLIBS - the list of libraries to link against.
USE_NTDLL - a field that must be set to 1, for obvious reasons.
USER_C_FLAGS - flags that you can use as preprocessor directives when compiling the application code.
So, to build, we launch the x86 (or x64) Checked Build Environment, change the working directory to the project folder and run the build command. The result, as the screenshot shows, is a single executable file.
This file cannot simply be launched: the system complains and sends us away to think about our behaviour with the following error (see screenshot):
How do you launch a native application?
When autochk starts, the order in which programs are launched is determined by the value of the registry key (the BootExecute value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager):
Session Manager executes the programs from this list one after another. It looks for their executables in the system32 directory. The registry value looks like this:
autocheck autochk *
MyNative
The value must be written in hexadecimal form, not as plain ASCII, so the value shown above looks as follows:
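As an added example, not part of the original post, here is a small C program that turns the two-entry BootExecute list above into the hex(7) byte form a .reg file uses for a REG_MULTI_SZ value: UTF-16LE code units, each string NUL-terminated and the whole list terminated by one more NUL. That BootExecute is a REG_MULTI_SZ value under Session Manager is a standard Windows fact; the function names are mine, and only ASCII entries are handled (assumption).

```c
#include <stdio.h>
#include <string.h>

/* Append one UTF-16LE code unit as "xx,00" (comma-prefixed after the first
 * unit). Only ASCII input is handled (assumption), so the high byte is 00.
 * Returns the new write position, or (size_t)-1 if out is too small. */
static size_t emit_unit(char *out, size_t outsz, size_t pos, int first, unsigned c)
{
    if (pos + 6 >= outsz) return (size_t)-1;
    pos += (size_t)snprintf(out + pos, outsz - pos, "%s%02x,00",
                            first ? "" : ",", c & 0xffu);
    return pos;
}

/* Encode a list of strings as a REG_MULTI_SZ value in the hex(7) form used
 * by .reg files: every string is NUL-terminated and the whole list ends with
 * one more NUL, all as little-endian 16-bit units.
 * Returns the number of characters written to out, or -1 on overflow. */
static int multi_sz_to_reg_hex(const char *const *strings, size_t count,
                               char *out, size_t outsz)
{
    static const char prefix[] = "hex(7):";
    size_t pos = sizeof(prefix) - 1, i, j;
    int first = 1;

    if (outsz <= pos) return -1;
    memcpy(out, prefix, pos);
    for (i = 0; i < count; i++) {
        for (j = 0; strings[i][j] != '\0'; j++, first = 0) {
            pos = emit_unit(out, outsz, pos, first, (unsigned char)strings[i][j]);
            if (pos == (size_t)-1) return -1;
        }
        pos = emit_unit(out, outsz, pos, first, 0);  /* end of this string */
        if (pos == (size_t)-1) return -1;
        first = 0;
    }
    pos = emit_unit(out, outsz, pos, first, 0);      /* end of the whole list */
    if (pos == (size_t)-1) return -1;
    out[pos] = '\0';
    return (int)pos;
}

/* The BootExecute list from the article: the default autochk entry first,
 * then our native program, which Session Manager looks up in system32. */
static const char *const kBootExecute[] = { "autocheck autochk *", "MyNative" };

/* Produce the right-hand side of the "BootExecute"=... line of a .reg file. */
static int boot_execute_reg_line(char *out, size_t outsz)
{
    return multi_sz_to_reg_hex(kBootExecute, 2, out, outsz);
}
```

Prefix the result with "BootExecute"= to get the .reg line; regedit exports wrap long hex lines with backslash continuations, which this code does not do.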
After adding the value and rebooting, even before the user selection screen appears, we get the following picture:
Conclusion
Using the example of such a small application, we made sure that it is possible to run an application at the Windows Native level. Next, the guys from Innopolis University and I will continue building a service that starts interacting with the driver earlier than the previous version of our project did. And once the win32 shell arrives, control will have to be handed over to the full-fledged service that has already been developed (more about it here).
In the next article we will touch on another component of the Active Restore service, namely the UEFI driver. Subscribe to our blog so that you don't miss the next post.