Niaj hnub no peb txuas ntxiv zaj dab neeg ntawm yuav ua li cas peb, nrog rau cov hais mav los ntawm Innopolis University, tab tom tsim Active Restore thev naus laus zis los tso cai rau cov neeg siv pib ua haujlwm ntawm lawv lub tshuab sai li sai tau tom qab ua tsis tiav. Peb yuav tham txog cov kev siv Windows ib txwm muaj, suav nrog cov yam ntxwv ntawm lawv cov kev tsim thiab tso tawm. Hauv qab ntawm qhov txiav yog me ntsis txog peb qhov project, nrog rau cov lus qhia ua haujlwm ntawm kev sau cov ntawv thov ib txwm muaj.
Hauv cov ntawv dhau los peb twb tau tham txog qhov nws yog dab tsi , thiab cov tub ntxhais kawm los ntawm Innopolis txhim kho li cas . Niaj hnub no kuv xav tsom mus rau cov ntawv thov ib txwm muaj, mus rau qib uas peb xav "faus" peb cov kev pabcuam rov ua haujlwm zoo. Yog tias txhua yam ua tiav, peb yuav tuaj yeem:
- Tua tawm qhov kev pab cuam nws tus kheej ntau ua ntej
- Hu rau huab qhov chaw thaub qab nyob ntau dua
- Ntau dhau los kom nkag siab tias hom twg yog qhov system nyob rau hauv - khau raj ib txwm lossis rov qab
- Ntau tsawg cov ntaub ntawv rov qab ua ntej
- Tso cai rau tus neeg siv kom pib sai dua.
Yuav ua li cas yog ib haiv neeg app lawm?
Txhawm rau teb cov lus nug no, cia peb saib cov kab ke hu ua qhov system ua, piv txwv li, yog tias tus programmer hauv nws daim ntawv thov sim tsim cov ntaub ntawv.
Pavel Yosifovich - Windows Kernel Programming (2019)
Tus programmer siv lub luag haujlwm , uas tau tshaj tawm hauv header file fileapi.h thiab siv hauv Kernel32.dll. Txawm li cas los xij, qhov haujlwm no nws tus kheej tsis tsim cov ntaub ntawv, nws tsuas yog kuaj xyuas cov lus sib cav thiab hu rau cov haujlwm (cov lus ua ntej Nt tsuas yog qhia tias qhov ua haujlwm yog haiv neeg). Txoj haujlwm no tau tshaj tawm hauv cov ntaub ntawv winternl.h header thiab siv hauv ntdll.dll. Nws npaj dhia mus rau hauv qhov chaw nuclear, tom qab ntawd nws ua rau lub kaw lus hu los tsim cov ntaub ntawv. Hauv qhov no, nws hloov tawm tias Kernel32 tsuas yog qhwv rau Ntdll. Ib qho ntawm cov laj thawj vim li cas qhov no tau ua tiav yog tias Microsoft yog li muaj peev xwm hloov pauv cov haujlwm ntawm lub ntiaj teb ib txwm muaj, tab sis tsis kov cov qauv kev sib tshuam. Microsoft tsis pom zoo hu xov tooj rau cov haujlwm hauv zej zog ncaj qha thiab tsis sau lawv feem ntau. Los ntawm txoj kev, cov haujlwm tsis muaj ntaub ntawv tuaj yeem pom .
Qhov txiaj ntsig tseem ceeb ntawm cov ntawv thov ib txwm yog tias ntdll tau thauj mus rau hauv lub kaw lus ua ntej ntau dua kernel32. Qhov no yog qhov laj thawj, vim kernel32 xav tau ntdll ua haujlwm. Yog li ntawd, cov ntawv thov uas siv cov haujlwm hauv ib txwm muaj tuaj yeem pib ua haujlwm ntau dhau los.
Yog li, Windows Native Applications yog cov kev pab cuam uas tuaj yeem pib ntxov hauv Windows boot. Lawv tsuas yog siv cov haujlwm los ntawm ntdll. Ib qho piv txwv ntawm xws li ib daim ntawv thov: leej twg ua txhawm rau txheeb xyuas qhov tsis raug ua ntej pib cov kev pabcuam tseem ceeb. Qhov no yog raws nraim theem peb xav kom peb Active Restore ua.
Peb xav tau dab tsi?
- (Driver Development Kit), tam sim no tseem hu ua WDK 7 (Windows Driver Kit).
- Virtual tshuab (piv txwv li, Windows 7 x64)
- Tsis tsim nyog, tab sis cov ntaub ntawv header uas tuaj yeem rub tawm tuaj yeem pab tau
Dab tsi yog hauv code?
Cia peb xyaum me ntsis thiab, piv txwv li, sau ib daim ntawv thov me me uas:
- Tso cov lus ntawm qhov screen
- Allocates ib co nco
- Tos rau cov keyboard input
- Frees siv lub cim xeeb
Hauv cov ntawv thov ib txwm muaj, lub ntsiab lus nkag tsis yog lub ntsiab lossis winmain, tab sis NtProcessStartup muaj nuj nqi, txij li peb tau ncaj qha tso tawm cov txheej txheem tshiab hauv qhov system.
Cia peb pib los ntawm kev nthuav tawm cov lus ntawm qhov screen. Rau qhov no peb muaj ib txwm ua haujlwm , uas siv raws li kev sib cav ib tus taw tes rau UNICODE_STRING qauv khoom. RtlInitUnicodeString yuav pab peb pib nws. Yog li ntawd, txhawm rau tso saib cov ntawv ntawm lub vijtsam peb tuaj yeem sau qhov haujlwm me me no:
//usage: WriteLn(L"Here is my textn");
void WriteLn(LPWSTR Message)
{
UNICODE_STRING string;
RtlInitUnicodeString(&string, Message);
NtDisplayString(&string);
}Txij li tsuas yog kev ua haujlwm ntawm ntdll muaj rau peb, thiab tsuas yog tsis muaj lwm lub tsev qiv ntawv hauv lub cim xeeb tseem, peb yuav muaj teeb meem nrog kev faib cov cim xeeb li cas. Tus neeg teb xov tooj tshiab tseem tsis tau muaj nyob (vim tias nws los ntawm lub ntiaj teb siab dhau ntawm C ++), thiab tsis muaj kev ua haujlwm malloc (nws yuav tsum tau khiav sijhawm C cov tsev qiv ntawv). Tau kawg, koj tsuas tuaj yeem siv ib pawg. Tab sis yog tias peb xav tau dynamically faib lub cim xeeb, peb yuav tau ua nws ntawm lub heap (piv txwv li heap). Yog li cia peb tsim ib lub heap rau peb tus kheej thiab nqa lub cim xeeb ntawm nws thaum twg peb xav tau.
Lub luag haujlwm yog tsim nyog rau txoj haujlwm no . Tom ntej no, siv RtlAllocateHeap thiab RtlFreeHeap, peb yuav nyob thiab nco pub dawb thaum peb xav tau.
PVOID memory = NULL;
PVOID buffer = NULL;
ULONG bufferSize = 42;
// create heap in order to allocate memory later
memory = RtlCreateHeap(
HEAP_GROWABLE,
NULL,
1000,
0, NULL, NULL
);
// allocate buffer of size bufferSize
buffer = RtlAllocateHeap(
memory,
HEAP_ZERO_MEMORY,
bufferSize
);
// free buffer (actually not needed because we destroy heap in next step)
RtlFreeHeap(memory, 0, buffer);
RtlDestroyHeap(memory);Cia peb mus tos rau cov lus qhia keyboard.
// https://docs.microsoft.com/en-us/windows/win32/api/ntddkbd/ns-ntddkbd-keyboard_input_data
typedef struct _KEYBOARD_INPUT_DATA {
USHORT UnitId;
USHORT MakeCode;
USHORT Flags;
USHORT Reserved;
ULONG ExtraInformation;
} KEYBOARD_INPUT_DATA, *PKEYBOARD_INPUT_DATA;
//...
HANDLE hKeyBoard, hEvent;
UNICODE_STRING skull, keyboard;
OBJECT_ATTRIBUTES ObjectAttributes;
IO_STATUS_BLOCK Iosb;
LARGE_INTEGER ByteOffset;
KEYBOARD_INPUT_DATA kbData;
// inialize variables
RtlInitUnicodeString(&keyboard, L"DeviceKeyboardClass0");
InitializeObjectAttributes(&ObjectAttributes, &keyboard, OBJ_CASE_INSENSITIVE, NULL, NULL);
// open keyboard device
NtCreateFile(&hKeyBoard,
SYNCHRONIZE | GENERIC_READ | FILE_READ_ATTRIBUTES,
&ObjectAttributes,
&Iosb,
NULL,
FILE_ATTRIBUTE_NORMAL,
0,
FILE_OPEN,FILE_DIRECTORY_FILE,
NULL, 0);
// create event to wait on
InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
NtCreateEvent(&hEvent, EVENT_ALL_ACCESS, &ObjectAttributes, 1, 0);
while (TRUE)
{
NtReadFile(hKeyBoard, hEvent, NULL, NULL, &Iosb, &kbData, sizeof(KEYBOARD_INPUT_DATA), &ByteOffset, NULL);
NtWaitForSingleObject(hEvent, TRUE, NULL);
if (kbData.MakeCode == 0x01) // if ESC pressed
{
break;
}
}Txhua yam peb xav tau yog siv ntawm lub cuab yeej qhib, thiab tos kom txog thaum cov keyboard rov qab los rau peb. Yog tias tus yuam sij ESC raug nias, peb yuav ua haujlwm ntxiv. Txhawm rau qhib lub cuab yeej, peb yuav tsum hu rau NtCreateFile muaj nuj nqi (peb yuav tsum qhib DeviceKeyboardClass0). Peb kuj yuav hu los pib qhov khoom tos. Peb yuav tshaj tawm cov qauv KEYBOARD_INPUT_DATA peb tus kheej, uas sawv cev rau cov ntaub ntawv keyboard. Qhov no yuav ua rau peb txoj haujlwm yooj yim dua.
Daim ntawv thov haiv neeg xaus nrog lub luag haujlwm hu vim peb tsuas yog tua peb tus kheej xwb.
Tag nrho cov cai rau peb daim ntawv thov me me:
#include "ntifs.h" // WinDDK7600.16385.1incddk
#include "ntdef.h"
//------------------------------------
// Following function definitions can be found in native development kit
// but I am too lazy to include `em so I declare it here
//------------------------------------
NTSYSAPI
NTSTATUS
NTAPI
NtTerminateProcess(
IN HANDLE ProcessHandle OPTIONAL,
IN NTSTATUS ExitStatus
);
NTSYSAPI
NTSTATUS
NTAPI
NtDisplayString(
IN PUNICODE_STRING String
);
NTSTATUS
NtWaitForSingleObject(
IN HANDLE Handle,
IN BOOLEAN Alertable,
IN PLARGE_INTEGER Timeout
);
NTSYSAPI
NTSTATUS
NTAPI
NtCreateEvent(
OUT PHANDLE EventHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN EVENT_TYPE EventType,
IN BOOLEAN InitialState
);
// https://docs.microsoft.com/en-us/windows/win32/api/ntddkbd/ns-ntddkbd-keyboard_input_data
typedef struct _KEYBOARD_INPUT_DATA {
USHORT UnitId;
USHORT MakeCode;
USHORT Flags;
USHORT Reserved;
ULONG ExtraInformation;
} KEYBOARD_INPUT_DATA, *PKEYBOARD_INPUT_DATA;
//----------------------------------------------------------
// Our code goes here
//----------------------------------------------------------
// usage: WriteLn(L"Hello Native World!n");
void WriteLn(LPWSTR Message)
{
UNICODE_STRING string;
RtlInitUnicodeString(&string, Message);
NtDisplayString(&string);
}
void NtProcessStartup(void* StartupArgument)
{
// it is important to declare all variables at the beginning
HANDLE hKeyBoard, hEvent;
UNICODE_STRING skull, keyboard;
OBJECT_ATTRIBUTES ObjectAttributes;
IO_STATUS_BLOCK Iosb;
LARGE_INTEGER ByteOffset;
KEYBOARD_INPUT_DATA kbData;
PVOID memory = NULL;
PVOID buffer = NULL;
ULONG bufferSize = 42;
//use it if debugger connected to break
//DbgBreakPoint();
WriteLn(L"Hello Native World!n");
// inialize variables
RtlInitUnicodeString(&keyboard, L"DeviceKeyboardClass0");
InitializeObjectAttributes(&ObjectAttributes, &keyboard, OBJ_CASE_INSENSITIVE, NULL, NULL);
// open keyboard device
NtCreateFile(&hKeyBoard,
SYNCHRONIZE | GENERIC_READ | FILE_READ_ATTRIBUTES,
&ObjectAttributes,
&Iosb,
NULL,
FILE_ATTRIBUTE_NORMAL,
0,
FILE_OPEN,FILE_DIRECTORY_FILE,
NULL, 0);
// create event to wait on
InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
NtCreateEvent(&hEvent, EVENT_ALL_ACCESS, &ObjectAttributes, 1, 0);
WriteLn(L"Keyboard readyn");
// create heap in order to allocate memory later
memory = RtlCreateHeap(
HEAP_GROWABLE,
NULL,
1000,
0, NULL, NULL
);
WriteLn(L"Heap readyn");
// allocate buffer of size bufferSize
buffer = RtlAllocateHeap(
memory,
HEAP_ZERO_MEMORY,
bufferSize
);
WriteLn(L"Buffer allocatedn");
// free buffer (actually not needed because we destroy heap in next step)
RtlFreeHeap(memory, 0, buffer);
RtlDestroyHeap(memory);
WriteLn(L"Heap destroyedn");
WriteLn(L"Press ESC to continue...n");
while (TRUE)
{
NtReadFile(hKeyBoard, hEvent, NULL, NULL, &Iosb, &kbData, sizeof(KEYBOARD_INPUT_DATA), &ByteOffset, NULL);
NtWaitForSingleObject(hEvent, TRUE, NULL);
if (kbData.MakeCode == 0x01) // if ESC pressed
{
break;
}
}
NtTerminateProcess(NtCurrentProcess(), 0);
}PS: Peb tuaj yeem yooj yim siv DbgBreakPoint() muaj nuj nqi hauv peb cov cai kom txwv tsis pub nws hauv qhov debugger. Muaj tseeb, koj yuav tsum txuas WinDbg mus rau lub tshuab virtual rau kev debugging kernel. Cov lus qhia yuav ua li cas thiaj nrhiav tau los yog siv xwb .
Compilation thiab assembling
Txoj kev yooj yim tshaj plaws los tsim ib daim ntawv thov ib txwm siv yog siv (Driver Development Kit). Peb xav tau lub xya xyoo qub, txij li cov versions tom qab muaj qhov sib txawv me ntsis thiab ua haujlwm ze nrog Visual Studio. Yog tias peb siv DDK, ces peb qhov project tsuas yog xav tau Makefile thiab qhov chaw.
Makefile
!INCLUDE $(NTMAKEENV)makefile.defqhov chaw:
TARGETNAME = MyNative
TARGETTYPE = PROGRAM
UMTYPE = nt
BUFFER_OVERFLOW_CHECKS = 0
MINWIN_SDK_LIB_PATH = $(SDK_LIB_PATH)
SOURCES = source.c
INCLUDES = $(DDK_INC_PATH);
C:WinDDK7600.16385.1ndk;
TARGETLIBS = $(DDK_LIB_PATH)ntdll.lib
$(DDK_LIB_PATH)nt.lib
USE_NTDLL = 1Koj Makefile yuav zoo ib yam, tab sis cia saib cov chaw hauv me ntsis ntxiv. Cov ntaub ntawv no qhia koj qhov kev pab cuam qhov chaw (.c cov ntaub ntawv), tsim cov kev xaiv, thiab lwm yam tsis.
- TARGETNAME β lub npe ntawm cov ntaub ntawv executable uas yuav tsum tau ua thaum kawg.
- TARGETTYPE β hom ntaub ntawv executable, nws tuaj yeem yog tus tsav tsheb (.sys), ces tus nqi teb yuav tsum yog DRIVER, yog lub tsev qiv ntawv (.lib), ces tus nqi yog LIBRARY. Hauv peb qhov xwm txheej, peb xav tau cov ntaub ntawv ua tiav (.exe), yog li peb teeb tsa tus nqi rau PROGRAM.
- UMTYPE - qhov muaj peev xwm ua tau rau daim teb no: console rau daim ntawv thov console, qhov rais rau kev ua haujlwm hauv hom windowed. Tab sis peb yuav tsum tau qhia nt kom tau ib daim ntawv thov haiv.
- BUFFER_OVERFLOW_CHECKS - tshawb xyuas cov pawg rau qhov tsis sib xws, hmoov tsis tsis yog peb rooj plaub, peb muab nws tua.
- MINWIN_SDK_LIB_PATH - tus nqi no yog hais txog SDK_LIB_PATH sib txawv, tsis txhob txhawj xeeb tias koj tsis muaj qhov sib txawv ntawm qhov system tau tshaj tawm, thaum peb khiav xyuas tsim los ntawm DDK, qhov sib txawv no yuav raug tshaj tawm thiab yuav taw tes rau cov tsev qiv ntawv tsim nyog.
- SOURCES β ib daim ntawv teev cov chaw rau koj qhov kev pab cuam.
- suav nrog β header cov ntaub ntawv uas yuav tsum tau rau kev sib dhos. Ntawm no lawv feem ntau qhia txoj hauv kev rau cov ntaub ntawv uas tuaj nrog DDK, tab sis koj tuaj yeem hais qhia lwm tus.
- TARGETLIBS - daim ntawv teev cov tsev qiv ntawv uas yuav tsum tau txuas.
- USE_NTDLL yog qhov yuav tsum tau teb uas yuav tsum tau teem rau 1 rau qhov laj thawj pom tseeb.
- USER_C_FLAGS - txhua tus chij uas koj tuaj yeem siv hauv cov lus qhia ua ntej thaum npaj daim ntawv thov code.
Yog li txhawm rau tsim, peb yuav tsum khiav x86 (lossis x64) Tshawb Xyuas Tsim, hloov cov npe ua haujlwm rau hauv qhov project folder thiab khiav Build command. Qhov tshwm sim nyob rau hauv lub screenshot qhia tau hais tias peb muaj ib tug executable ntaub ntawv.
Cov ntaub ntawv no tsis tuaj yeem tso tawm tau yooj yim, lub kaw lus foom thiab xa peb los xav txog nws tus cwj pwm nrog qhov yuam kev hauv qab no:
Yuav ua li cas qhib ib daim ntawv thov haiv?
Thaum autochk pib, qhov pib ua ntu zus ntawm cov kev pab cuam yog txiav txim siab los ntawm tus nqi ntawm tus yuam sij rau npe:
HKLMSystemCurrentControlSetControlSession ManagerBootExecuteTus neeg saib xyuas kev sib kho ua haujlwm ntawm cov npe no ib los ntawm ib qho. Tus thawj tswj kev sib ntsib nrhiav cov ntaub ntawv ua tiav lawv tus kheej hauv cov npe system32. Daim ntawv teev npe tus nqi tseem ceeb yog raws li hauv qab no:
autocheck autochk *MyNativeTus nqi yuav tsum yog hom hexadecimal, tsis yog ASCII li ib txwm, yog li tus yuam sij qhia saum toj no yuav yog hom:
61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,4d,79,4e,61,74,69,76,65,00,00Txhawm rau hloov lub npe, koj tuaj yeem siv qhov kev pabcuam online, piv txwv li, .
Nws hloov tawm tias txhawm rau tsim ib daim ntawv thov haiv neeg, peb xav tau:
- Luam cov ntaub ntawv executable rau system32 nplaub tshev
- Ntxiv tus yuam sij rau lub npe
- Reboot lub tshuab
Txhawm rau kom yooj yim, ntawm no yog cov ntawv npaj ua tiav rau kev txhim kho daim ntawv thov ib txwm:
install.bat
@echo off
copy MyNative.exe %systemroot%system32.
regedit /s add.reg
echo Native Example Installed
pauseadd.reg
REGEDIT4
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSession Manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,4d,79,4e,61,74,69,76,65,00,00Tom qab kev teeb tsa thiab rov pib dua, txawm tias ua ntej tus neeg siv xaiv lub vijtsam tshwm, peb yuav tau txais daim duab hauv qab no:
Qhov no
Siv cov piv txwv ntawm xws li ib daim ntawv thov me me, peb tau ntseeg tias nws muaj peev xwm khiav tau daim ntawv thov ntawm Windows Native theem. Tom ntej no, cov txiv neej los ntawm Innopolis University thiab kuv yuav txuas ntxiv tsim cov kev pabcuam uas yuav pib ua cov txheej txheem ntawm kev sib cuam tshuam nrog tus tsav tsheb ntau dua li yav dhau los version ntawm peb qhov project. Thiab nrog rau qhov tshwm sim ntawm lub plhaub win32, nws yuav yog qhov laj thawj rau kev hloov kev tswj mus rau qhov kev pabcuam puv ntoob uas twb tau tsim lawm (ntxiv rau qhov no ).
Nyob rau hauv tsab xov xwm tom ntej peb yuav kov rau lwm yam ntawm Active Restore kev pabcuam, uas yog tus tsav tsheb UEFI. Sau npe yuav mus rau peb blog kom koj tsis txhob nco cov ntawv tom ntej.
Tau qhov twg los: www.hab.com