Windows Native Applications and the Acronis Active Restore service

Today we continue the story of how we, together with the guys from Innopolis University, are developing the Active Restore technology, which lets a user start working on their machine as early as possible after a failure. We'll talk about native Windows applications, including how they are written and how they are launched. Under the cut is a bit about our project and a practical guide to writing native applications.


In previous posts we already talked about what Active Restore is and how the students from Innopolis are developing the service. Today I want to take a closer look at native applications, the level at which we want to "plant" our Active Restore service. If everything goes well, we will be able to:

  • Start the service itself earlier
  • Contact the cloud where the backup is stored earlier
  • Determine earlier which mode the system is in: a normal boot or a recovery
  • Restore far fewer files up front
  • Let the user get to work faster.

What is a native application?

To answer this question, let's look at the sequence of calls that takes place in the system when, for example, a programmer's application tries to create a file.

[Figure: call sequence from CreateFile down to the kernel. Source: Pavel Yosifovich, Windows Kernel Programming (2019)]

The programmer calls the CreateFile function, which is declared in fileapi.h and implemented in Kernel32.dll. This function does not create the file itself, however: it only validates the input arguments and calls NtCreateFile (the Nt prefix simply marks the function as native). NtCreateFile is declared in the header winternl.h and implemented in ntdll.dll. It prepares the transition into kernel space and then issues the system call that creates the file. In this case Kernel32 turns out to be nothing more than a wrapper around Ntdll. One reason it was done this way is that Microsoft can change the native functions without touching the standard interfaces. Microsoft does not recommend calling native functions directly and does not document most of them. By the way, the undocumented functions can be found here.

The main advantage of native applications is that ntdll is loaded into the system much earlier than kernel32. This makes sense, because kernel32 needs ntdll in order to work. As a result, applications that use only native functions can start running much earlier.

So, Windows Native Applications are programs that can start early in the Windows boot. They use only functions from ntdll. An example of such an application is autochk, which runs the chkdsk utility to check the disks for errors before the main services start. This is exactly the level at which we want our Active Restore.

What do we need?

  • DDK (Driver Development Kit), now known as WDK 7 (Windows Driver Kit).
  • A virtual machine (for example, Windows 7 x64)
  • Not required, but helpful: header files that can be downloaded here

What's in the code?

Let's practise a little and, for example, write a small application that:

  1. Displays a message on the screen
  2. Allocates some memory
  3. Waits for keyboard input
  4. Frees the allocated memory

In native applications the entry point is not main or winmain but the NtProcessStartup function, since we are starting a new process directly in the system.

Let's start by displaying a message on the screen. For this we have the native function NtDisplayString, which takes a pointer to a UNICODE_STRING structure as its argument. RtlInitUnicodeString helps us initialize it. As a result, to display text on the screen we can write this small function:

//usage: WriteLn(L"Here is my text\n");
void WriteLn(LPWSTR Message)
{
    UNICODE_STRING string;
    RtlInitUnicodeString(&string, Message);
    NtDisplayString(&string);
}

Since only the functions from ntdll are available to us, and no other libraries are in memory yet, we run into trouble allocating memory. There is no new operator (that belongs to the high-level world of C++), and there is no malloc function (it needs the C runtime libraries). Of course, you can simply use the stack. But if we need dynamic allocation, we have to do it on the heap. So let's create a heap of our own and take memory from it whenever we need it.

The RtlCreateHeap function is suitable for this. Then, using RtlAllocateHeap and RtlFreeHeap, we allocate and free memory as needed.

PVOID memory = NULL;
PVOID buffer = NULL;
ULONG bufferSize = 42;

// create heap in order to allocate memory later
memory = RtlCreateHeap(
  HEAP_GROWABLE, 
  NULL, 
  1000, 
  0, NULL, NULL
);

// allocate buffer of size bufferSize
buffer = RtlAllocateHeap(
  memory, 
  HEAP_ZERO_MEMORY, 
  bufferSize
);

// free buffer (actually not needed because we destroy heap in next step)
RtlFreeHeap(memory, 0, buffer);

RtlDestroyHeap(memory);

Let's move on to waiting for keyboard input.

// https://docs.microsoft.com/en-us/windows/win32/api/ntddkbd/ns-ntddkbd-keyboard_input_data
typedef struct _KEYBOARD_INPUT_DATA {
  USHORT UnitId;
  USHORT MakeCode;
  USHORT Flags;
  USHORT Reserved;
  ULONG  ExtraInformation;
} KEYBOARD_INPUT_DATA, *PKEYBOARD_INPUT_DATA;

//...

HANDLE hKeyBoard, hEvent;
UNICODE_STRING keyboard;
OBJECT_ATTRIBUTES ObjectAttributes;
IO_STATUS_BLOCK Iosb;
LARGE_INTEGER ByteOffset;
KEYBOARD_INPUT_DATA kbData;

// initialize variables (object names are NT paths, so the backslashes are escaped)
ByteOffset.QuadPart = 0;
RtlInitUnicodeString(&keyboard, L"\\Device\\KeyboardClass0");
InitializeObjectAttributes(&ObjectAttributes, &keyboard, OBJ_CASE_INSENSITIVE, NULL, NULL);

// open keyboard device
NtCreateFile(&hKeyBoard,
			SYNCHRONIZE | GENERIC_READ | FILE_READ_ATTRIBUTES,
			&ObjectAttributes,
			&Iosb,
			NULL,
			FILE_ATTRIBUTE_NORMAL,
			0,
			FILE_OPEN,FILE_DIRECTORY_FILE,
			NULL, 0);

// create event to wait on
InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
NtCreateEvent(&hEvent, EVENT_ALL_ACCESS, &ObjectAttributes, 1, 0);

while (TRUE)
{
	NtReadFile(hKeyBoard, hEvent, NULL, NULL, &Iosb, &kbData, sizeof(KEYBOARD_INPUT_DATA), &ByteOffset, NULL);
	NtWaitForSingleObject(hEvent, TRUE, NULL);

	if (kbData.MakeCode == 0x01)    // if ESC pressed
	{
			break;
	}
}

All we need is to call NtReadFile on the opened device and wait until the keyboard returns a keystroke to us. If the key pressed was ESC, we leave the loop and carry on. To open the device we call NtCreateFile (we need to open \Device\KeyboardClass0). We also call NtCreateEvent to initialize the object we will wait on. We declare the KEYBOARD_INPUT_DATA structure, which represents the keyboard data, ourselves. This simplifies our task.

The native application ends with a call to NtTerminateProcess, because we simply kill our own process.

The full code of our small application:

#include "ntifs.h" // WinDDK\7600.16385.1\inc\ddk
#include "ntdef.h"

//------------------------------------
// Following function definitions can be found in native development kit
// but I am too lazy to include them, so I declare them here
//------------------------------------

NTSYSAPI
NTSTATUS
NTAPI
NtTerminateProcess(
  IN HANDLE               ProcessHandle OPTIONAL,
  IN NTSTATUS             ExitStatus
);

NTSYSAPI 
NTSTATUS
NTAPI
NtDisplayString(
	IN PUNICODE_STRING String
);

NTSTATUS 
NtWaitForSingleObject(
  IN HANDLE         Handle,
  IN BOOLEAN        Alertable,
  IN PLARGE_INTEGER Timeout
);

NTSYSAPI 
NTSTATUS
NTAPI
NtCreateEvent(
    OUT PHANDLE             EventHandle,
    IN ACCESS_MASK          DesiredAccess,
    IN POBJECT_ATTRIBUTES   ObjectAttributes OPTIONAL,
    IN EVENT_TYPE           EventType,
    IN BOOLEAN              InitialState
);



// https://docs.microsoft.com/en-us/windows/win32/api/ntddkbd/ns-ntddkbd-keyboard_input_data
typedef struct _KEYBOARD_INPUT_DATA {
  USHORT UnitId;
  USHORT MakeCode;
  USHORT Flags;
  USHORT Reserved;
  ULONG  ExtraInformation;
} KEYBOARD_INPUT_DATA, *PKEYBOARD_INPUT_DATA;

//----------------------------------------------------------
// Our code goes here
//----------------------------------------------------------

// usage: WriteLn(L"Hello Native World!\n");
void WriteLn(LPWSTR Message)
{
    UNICODE_STRING string;
    RtlInitUnicodeString(&string, Message);
    NtDisplayString(&string);
}

void NtProcessStartup(void* StartupArgument)
{
	// it is important to declare all variables at the beginning
	HANDLE hKeyBoard, hEvent;
	UNICODE_STRING keyboard;
	OBJECT_ATTRIBUTES ObjectAttributes;
	IO_STATUS_BLOCK Iosb;
	LARGE_INTEGER ByteOffset;
	KEYBOARD_INPUT_DATA kbData;
	
	PVOID memory = NULL;
	PVOID buffer = NULL;
	ULONG bufferSize = 42;

	//use it if debugger connected to break
	//DbgBreakPoint();

	WriteLn(L"Hello Native World!\n");

	// initialize variables (object names are NT paths, so the backslashes are escaped)
	ByteOffset.QuadPart = 0;
	RtlInitUnicodeString(&keyboard, L"\\Device\\KeyboardClass0");
	InitializeObjectAttributes(&ObjectAttributes, &keyboard, OBJ_CASE_INSENSITIVE, NULL, NULL);

	// open keyboard device
	NtCreateFile(&hKeyBoard,
				SYNCHRONIZE | GENERIC_READ | FILE_READ_ATTRIBUTES,
				&ObjectAttributes,
				&Iosb,
				NULL,
				FILE_ATTRIBUTE_NORMAL,
				0,
				FILE_OPEN,FILE_DIRECTORY_FILE,
				NULL, 0);

	// create event to wait on
	InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
	NtCreateEvent(&hEvent, EVENT_ALL_ACCESS, &ObjectAttributes, 1, 0);
	
	WriteLn(L"Keyboard ready\n");
	
	// create heap in order to allocate memory later
	memory = RtlCreateHeap(
	  HEAP_GROWABLE, 
	  NULL, 
	  1000, 
	  0, NULL, NULL
	);
	
	WriteLn(L"Heap ready\n");

	// allocate buffer of size bufferSize
	buffer = RtlAllocateHeap(
	  memory, 
	  HEAP_ZERO_MEMORY, 
	  bufferSize
	);
	
	WriteLn(L"Buffer allocated\n");

	// free buffer (actually not needed because we destroy heap in next step)
	RtlFreeHeap(memory, 0, buffer);

	RtlDestroyHeap(memory);
	
	WriteLn(L"Heap destroyed\n");
	
	WriteLn(L"Press ESC to continue...\n");

	while (TRUE)
	{
		NtReadFile(hKeyBoard, hEvent, NULL, NULL, &Iosb, &kbData, sizeof(KEYBOARD_INPUT_DATA), &ByteOffset, NULL);
		NtWaitForSingleObject(hEvent, TRUE, NULL);

		if (kbData.MakeCode == 0x01)    // if ESC pressed
		{
				break;
		}
	}

	NtTerminateProcess(NtCurrentProcess(), 0);
}

PS: We can simply call DbgBreakPoint() in our code to break into the debugger. Of course, for kernel debugging you need to attach WinDbg to the virtual machine. Instructions on how to do that can be found here, or just use VirtualKD.

Compiling and linking

The easiest way to build a native application is to use the DDK (Driver Development Kit). We need the old seventh version, because later versions take a slightly different approach and work closely with Visual Studio. If we use the DDK, our project needs only a Makefile and a sources file.

makefile:

!INCLUDE $(NTMAKEENV)\makefile.def

sources:

TARGETNAME			= MyNative
TARGETTYPE			= PROGRAM
UMTYPE				= nt
BUFFER_OVERFLOW_CHECKS 		= 0
MINWIN_SDK_LIB_PATH		= $(SDK_LIB_PATH)
SOURCES 			= source.c

INCLUDES 			= $(DDK_INC_PATH); \
				  C:\WinDDK\7600.16385.1\ndk;

TARGETLIBS 			= $(DDK_LIB_PATH)\ntdll.lib \
				  $(DDK_LIB_PATH)\nt.lib

USE_NTDLL			= 1

Your Makefile will be the same, but let's look at sources in a little more detail. This file lists the sources of your program (the .c files), the build options and other parameters.

  • TARGETNAME - the name of the executable that will be produced at the end.
  • TARGETTYPE - the type of executable. It can be a driver (.sys), in which case the field value is DRIVER; if it is a library (.lib), the value is LIBRARY. In our case we need an executable (.exe), so we set the value to PROGRAM.
  • UMTYPE - the possible values for this field: console for a console application, windows for running in windowed mode. But we need to specify nt to get a native application.
  • BUFFER_OVERFLOW_CHECKS - checking the stack for buffer overflows; this is not our case, so we disable it.
  • MINWIN_SDK_LIB_PATH - this value refers to the SDK_LIB_PATH variable. Don't worry that you never declared such a system variable: when we run build from the DDK, the variable is declared and points to the needed libraries.
  • SOURCES - the list of sources for your program.
  • INCLUDES - the header files needed for compilation. Here the path to the files that come with the DDK is usually given, but you can additionally specify others.
  • TARGETLIBS - the list of libraries to link.
  • USE_NTDLL - a required field that must be set to 1, for obvious reasons.
  • USER_C_FLAGS - any flags you can use in preprocessor directives when preparing the application code.

So, to build, we need to run the x86 (or x64) Checked Build environment, change the working directory to the project folder and run the Build command. The result in the screenshot shows us a single executable file.

[Screenshot: build output with the resulting executable]

This file cannot simply be launched: the system refuses and sends us off to think about its behaviour with the following error:

[Screenshot: the error shown when the native executable is launched directly]

How do you launch a native application?

When autochk starts, the startup order of the programs is determined by the value of the registry key:

HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute

The session manager executes the programs from this list one after another. The session manager looks for the executables in the system32 directory. The format of the registry key value is as follows:

autocheck autochk *
MyNative

The value must be in hexadecimal form, not plain ASCII, so the key shown above looks like this:

61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,4d,79,4e,61,74,69,76,65,00,00

To convert the name you can use an online service, for example this one.

[Screenshot: online text-to-hex conversion of the BootExecute value]
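The hex(7) form of the BootExecute value is just the raw REG_MULTI_SZ bytes written out one ANSI character at a time: each entry is followed by a NUL byte, and one more NUL closes the list. Instead of an online converter, the added C example below (it is not code from the article) builds that hex text from a list of entries, parses it back into bytes and splits it into entries again, so you can both produce the line for a .reg file and check what an existing BootExecute value actually contains. The two entry names and the reference hex string are taken from the article; the function names are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed input: the two entries the article writes into BootExecute.
 * "autocheck autochk *" is the default Windows entry; "MyNative" is the
 * article's example program, which Session Manager looks up in system32. */
const char *const kBootExecute[] = { "autocheck autochk *", "MyNative", NULL };

/* The hex(7) text the article shows for that value, kept as the reference. */
const char kExpectedHex[] =
    "61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,"
    "4d,79,4e,61,74,69,76,65,00,00";

#define MAX_BYTES   1024
#define MAX_ENTRIES 32

/* Encode a NULL-terminated array of C strings as REG_MULTI_SZ bytes in the
 * REGEDIT4 hex(7) notation: every string followed by a 00 byte, then one more
 * 00 to close the list, one byte per ANSI character. Returns a malloc'd string
 * the caller frees, or NULL on allocation failure. */
char *multi_sz_to_hex7(const char *const *strings)
{
    size_t nbytes = 1;                          /* closing NUL of the whole list */
    for (const char *const *s = strings; *s; ++s)
        nbytes += strlen(*s) + 1;               /* string plus its own NUL */

    char *out = malloc(nbytes * 3 + 1);         /* "xx," per byte, plus NUL */
    if (!out) return NULL;

    size_t pos = 0;
    for (const char *const *s = strings; *s; ++s) {
        const unsigned char *p = (const unsigned char *)*s;
        do {
            pos += (size_t)sprintf(out + pos, "%02x,", *p);
        } while (*p++ != 0);                    /* emits the entry's 00 as well */
    }
    strcpy(out + pos, "00");                    /* list terminator, no trailing comma */
    return out;
}

/* Parse hex(7) text ("61,75,...") into raw bytes. Commas, blanks and the
 * backslash line continuations regedit writes are skipped. Returns the byte
 * count, or -1 if a token is not exactly two hex digits or cap is exceeded. */
int hex7_to_bytes(const char *hex, unsigned char *buf, size_t cap)
{
    size_t n = 0;
    for (const char *p = hex; *p; ) {
        if (strchr(", \\\r\n\t", *p)) { ++p; continue; }
        unsigned v;
        int used = 0;
        if (sscanf(p, "%2x%n", &v, &used) != 1 || used != 2 || n >= cap)
            return -1;
        buf[n++] = (unsigned char)v;
        p += 2;
    }
    return (int)n;
}

/* Split a decoded REG_MULTI_SZ buffer into its entries. out[i] points into
 * buf. Stops at the empty string that closes the list; returns the count. */
int multi_sz_split(const unsigned char *buf, size_t len, const char **out, int max)
{
    int count = 0;
    size_t i = 0;
    while (i < len && buf[i] != 0 && count < max) {
        out[count++] = (const char *)buf + i;
        while (i < len && buf[i] != 0) ++i;
        ++i;                                    /* step over the entry's NUL */
    }
    return count;
}

/* Number of entries in a hex(7) value, or -1 if it is malformed
 * (bad hex digits, or the byte sequence does not end in a NUL). */
int hex7_entry_count(const char *hex)
{
    unsigned char bytes[MAX_BYTES];
    const char *entries[MAX_ENTRIES];
    int n = hex7_to_bytes(hex, bytes, sizeof bytes);
    if (n <= 0 || bytes[n - 1] != 0) return -1;
    return multi_sz_split(bytes, (size_t)n, entries, MAX_ENTRIES);
}

/* Entry number `index` of a hex(7) value, or NULL. The result lives in static
 * storage and is valid only until the next call. */
const char *hex7_entry(const char *hex, int index)
{
    static unsigned char bytes[MAX_BYTES];
    static const char *entries[MAX_ENTRIES];
    int n = hex7_to_bytes(hex, bytes, sizeof bytes);
    if (n <= 0 || bytes[n - 1] != 0) return NULL;
    int count = multi_sz_split(bytes, (size_t)n, entries, MAX_ENTRIES);
    return (index >= 0 && index < count) ? entries[index] : NULL;
}

int main(void)
{
    char *hex = multi_sz_to_hex7(kBootExecute);
    if (!hex) return 1;
    printf("\"BootExecute\"=hex(7):%s\n", hex);
    printf("%s the article's value\n", strcmp(hex, kExpectedHex) == 0 ? "matches" : "DIFFERS from");
    for (int i = 0, n = hex7_entry_count(hex); i < n; ++i)
        printf("  entry %d: %s\n", i, hex7_entry(hex, i));
    free(hex);
    return 0;
}
```

Because Session Manager runs every entry in BootExecute before any logon, reading the value back and confirming that it contains only the entries you expect (here the default autocheck line plus MyNative) is a cheap check to make after an install like the one described below, and the decoder refuses values whose byte sequence does not end in the closing NUL.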
So, to launch a native application we need to:

  1. Copy the executable into the system32 folder
  2. Add a key to the registry
  3. Reboot the machine

For convenience, here is a ready-made script for installing a native application:

install.bat

@echo off
copy MyNative.exe %systemroot%\system32\
regedit /s add.reg
echo Native Example Installed
pause

add.reg

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,4d,79,4e,61,74,69,76,65,00,00

After installation and a reboot, even before the user selection screen appears, we get the following picture:

[Screenshot: the native application's messages shown during boot]

Conclusion

Using this small application as an example, we confirmed that an application can run at the Windows Native level. Next, the guys from Innopolis University and I will continue building a service that starts interacting with the driver earlier than the previous version of our project did. And once the win32 shell appears, control has to be handed over to the full-fledged service that has already been developed (more about that here).

In the next article we will touch on another component of the Active Restore service, namely the UEFI driver. Subscribe to our blog so you don't miss the next post.

Source: www.habr.com
