ืืืื ืื ืื ื ืืืฉืืืื ืืช ืืกืืคืืจ ืฉื ืืื ืื ืื ื, ืืื ืขื ืืืืจ'ื ืืืื ืืืจืกืืืช Innopolis, ืืคืชืืื ืืช ืืื ืืืืืืืช Active Restore ืืื ืืืคืฉืจ ืืืฉืชืืฉ ืืืชืืื ืืขืืื ืขื ืืืืฉื ืฉืื ืืืงืื ืืืคืฉืจื ืืืืจ ืชืงืื. ื ืืืจ ืขื ืืืฉืืื Windows ืืงืืจืืื, ืืืื ืชืืื ืืช ืืืฆืืจื ืืืืฉืงื ืฉืืื. ืืชืืช ืืืืชืื ืืฉ ืงืฆืช ืขื ืืคืจืืืงื ืฉืื ื, ืืื ืื ืืืจืื ืืขืฉื ืืืฆื ืืืชืื ืืืฉืืืื ืืงืืจืืื.
ืืคืืกืืื ืงืืืืื ืืืจ ืืืืจื ื ืขื ืื ืื , ืืืืฆื ืืชืคืชืืื ืชืืืืืื ืืืื ืืคืืืืก . ืืืื ืื ื ืจืืฆื ืืืชืืงื ืืืืฉืืืื ืืงืืจืืื, ืฉืืจืืชื ืื ืื ื ืจืืฆืื "ืืงืืืจ" ืืช ืฉืืจืืช ืืฉืืืืจ ืืคืขืื ืฉืื ื. ืื ืืื ืืกืชืืจ, ื ืืื:
- ืืคืขื ืืช ืืฉืืจืืช ืขืฆืื ืืจืื ืืืชืจ ืืืงืื
- ืฆืืจ ืงืฉืจ ืขื ืืขื ื ืฉืื ื ืืฆื ืืืืืื ืืจืื ืงืืื ืืื
- ืืจืื ืงืืื ืืื ืืืืื ืืืืื ืืฆื ืืืขืจืืช ื ืืฆืืช - ืืชืืื ืจืืื ืื ืฉืืืืจ
- ืืจืื ืคืืืช ืงืืฆืื ืืฉืืืืจ ืืจืืฉ
- ืืคืฉืจ ืืืฉืชืืฉ ืืืชืืื ืืคืืื ืืืจ ืืืชืจ.
ืืื ืืืื ืืคืืืงืฆืื ืืงืืจืืช?
ืืื ืืขื ืืช ืขื ืฉืืื ืื, ื ืกืชืื ืขื ืจืฆืฃ ืืฉืืืืช ืฉืืืขืจืืช ืืืฆืขืช, ืืืฉื, ืื ืืชืื ืช ืืืคืืืงืฆืื ืฉืื ืื ืกื ืืืฆืืจ ืงืืืฅ.
ืคืืื ืืืกืืคืืืืฅ' - ืชืื ืืช ืืืืช Windows (2019)
ืืืชืื ืช ืืฉืชืืฉ ืืคืื ืงืฆืื , ืืืืฆืืจ ืืงืืืฅ ืืืืชืจืช fileapi.h ืืืืืฉื ื-Kernel32.dll. ืขื ืืืช, ืคืื ืงืฆืื ืื ืขืฆืื ืื ืืืฆืจืช ืืช ืืงืืืฅ, ืืื ืจืง ืืืืงืช ืืช ืืจืืืื ืื ืืงืื ืืงืืจืืช ืืคืื ืงืฆืื (ืืงืืืืืช Nt ืจืง ืืฆืืื ืช ืฉืืคืื ืงืฆืื ืืงืืจืืช). ืคืื ืงืฆืื ืื ืืืฆืืจืช ืืงืืืฅ ืืืืชืจืช winternl.h ืืืืืฉืืช ื-ntdll.dll. ืืื ืืชืืื ื ืืงืคืืฅ ืืืื ืืืจืขืื ื, ืืืืืจ ืืื ืืื ืืืฆืข ืงืจืืืช ืืขืจืืช ืืืฆืืจืช ืงืืืฅ. ืืืงืจื ืื, ืืกืชืืจ ืฉ-Kernel32 ืืื ืจืง ืืขืืคืช ืขืืืจ Ntdll. ืืืช ืืกืืืืช ืฉืืืืื ืื ื ืขืฉื ืืื ืฉืืืืงืจืืกืืคื ืืฉ ืืช ืืืืืืช ืืฉื ืืช ืืช ืืคืื ืงืฆืืืช ืฉื ืืขืืื ืืืงืืื, ืืื ืื ืืืขืช ืืืืฉืงืื ืืกืื ืืจืืืื. ืืืงืจืืกืืคื ืื ืืืืืฆื ืืงืจืื ืืฉืืจืืช ืืคืื ืงืฆืืืช ืืงืืจืืืช ืืืื ื ืืชืขืืช ืืช ืจืืื. ืืื, ื ืืชื ืืืฆืื ืคืื ืงืฆืืืช ืื ืืชืืขืืืช .
ืืืชืจืื ืืขืืงืจื ืฉื ืืืฉืืืื ืืงืืจืืื ืืื ืฉ-ntdll ื ืืขื ืืืขืจืืช ืืจืื ืืืชืจ ืืืงืื ืืืฉืจ kernel32. ืื ืืืืื ื, ืื kernel32 ืืืจืฉ ntdll ืืขืืื. ืืชืืฆืื ืืื, ืืคืืืงืฆืืืช ืืืฉืชืืฉืืช ืืคืื ืงืฆืืืช ืืงืืจืืืช ืืืืืืช ืืืชืืื ืืขืืื ืืจืื ืืืชืจ ืืืงืื.
ืืคืืื, ืืืฉืืื Windows Native ืื ืชืืื ืืืช ืฉืืืืืืช ืืืชืืื ืืืงืื ืืืชืืื ืฉื Windows. ืื ืืฉืชืืฉืื ืจืง ืืคืื ืงืฆืืืช ื-ntdll. ืืืืื ืืืืฉืื ืืื: ืื ืืืฆืข ืืื ืืืืืง ืื ืืฉ ืฉืืืืืช ืืืืกืง ืืคื ื ืืคืขืืช ืืฉืืจืืชืื ืืจืืฉืืื. ืื ืืืืืง ืืจืื ืฉืื ืื ื ืจืืฆืื ืฉื-Active Restore ืฉืื ื ืชืืื.
ืืฉืืื ืื ืื ืื ื ืฆืจืืืื?
- (ืขืจืืช ืคืืชืื ืื ืืื ืืชืงื ืื), ืืืืืขื ืืืื ืื ืืฉื WDK 7 (ืขืจืืช ืื ืืื ืืชืงื ืฉื Windows).
- ืืืื ื ืืืจืืืืืืช (ืืืืืื, Windows 7 x64)
- ืื ืืืจืื, ืืื ืงืืฆื ืืืชืจืืช ืฉื ืืชื ืืืืจืื ืขืฉืืืื ืืขืืืจ
ืื ืืฉ ืืงืื?
ืืืื ื ืชืืื ืงืฆืช, ืืืืืืื, ื ืืชืื ืืคืืืงืฆืื ืงืื ื ืฉ:
- ืืฆืื ืืืืขื ืขื ืืืกื
- ืืงืฆื ืงืฆืช ืืืืจืื
- ืืืชืื ืืงืื ืืงืืืช
- ืืคื ื ืืืืจืื ืืฉืืืฉ
ืืืืฉืืืื ืืงืืจืืื, ื ืงืืืช ืืื ืืกื ืืื ืื ืจืืฉื ืื winmain, ืืื ืคืื ืงืฆืืืช NtProcessStartup, ืืืืืื ืฉืื ื ืืืขืฉื ืืฉืืงืื ืืฉืืจืืช ืชืืืืืื ืืืฉืื ืืืขืจืืช.
ื ืชืืื ืืืฆืืช ืืืืขื ืขื ืืืกื. ืืฉืืื ืื ืืฉ ืื ื ืคืื ืงืฆืื ืืงืืืืช , ืฉืืืงื ืืืจืืืื ื ืืฆืืืข ืืืืืืืงื ืืื ื UNICODE_STRING. RtlInitUnicodeString ืืขืืืจ ืื ื ืืืชืื ืืืชื. ืืชืืฆืื ืืื, ืืื ืืืฆืื ืืงืกื ืขื ืืืกื ื ืืื ืืืชืื ืืช ืืคืื ืงืฆืื ืืงืื ื ืืื:
//usage: WriteLn(L"Here is my textn");
void WriteLn(LPWSTR Message)
{
UNICODE_STRING string;
RtlInitUnicodeString(&string, Message);
NtDisplayString(&string);
}ืืืืืื ืฉืจืง ืคืื ืงืฆืืืช ื-ntdll ืืืื ืืช ืื ื, ืืคืฉืื ืืื ืขืืืื ืกืคืจืืืช ืืืจืืช ืืืืืจืื, ืืืืื ืืืื ืื ื ืืขืืืช ืืืฆื ืืืงืฆืืช ืืืืจืื. ืืืืคืจืืืจ ืืืืฉ ืขืืืื ืื ืงืืื (ืืืืืื ืฉืืื ืืืืข ืืืขืืื ืืืืื ืืื ืฉื C++), ืืืื ืคืื ืงืฆืืืช malloc (ืื ืืืจืฉ ืกืคืจืืืช C ืืืื ืจืืฆื). ืืืืื, ืืชื ืืืื ืืืฉืชืืฉ ืจืง ืืขืจืืื. ืืื ืื ื ืฆืืจื ืืืงืฆืืช ืืืืคื ืืื ืื ืืืืจืื, ื ืฆืืจื ืืขืฉืืช ืืืช ืืขืจืืื (ืืืืืจ ืขืจืืื). ืื ืืืื ื ืืฆืืจ ืืขืฆืื ื ืขืจืืื ืื ืืงื ืืื ื ืืืืจืื ืืื ืคืขื ืฉื ืฆืืจื ืืืชื.
ืืคืื ืงืฆืื ืืชืืืื ืืืฉืืื ืื . ืืืืจ ืืื, ืืืืฆืขืืช RtlAllocateHeap ื-RtlFreeHeap, ื ืืืืฉ ืื ืคื ื ืืืืจืื ืืฉื ืฆืืจื ืืืชื.
PVOID memory = NULL;
PVOID buffer = NULL;
ULONG bufferSize = 42;
// create heap in order to allocate memory later
memory = RtlCreateHeap(
HEAP_GROWABLE,
NULL,
1000,
0, NULL, NULL
);
// allocate buffer of size bufferSize
buffer = RtlAllocateHeap(
memory,
HEAP_ZERO_MEMORY,
bufferSize
);
// free buffer (actually not needed because we destroy heap in next step)
RtlFreeHeap(memory, 0, buffer);
RtlDestroyHeap(memory);ืืืื ื ืขืืืจ ืืืืชื ื ืืงืื ืืงืืืช.
// https://docs.microsoft.com/en-us/windows/win32/api/ntddkbd/ns-ntddkbd-keyboard_input_data
typedef struct _KEYBOARD_INPUT_DATA {
USHORT UnitId;
USHORT MakeCode;
USHORT Flags;
USHORT Reserved;
ULONG ExtraInformation;
} KEYBOARD_INPUT_DATA, *PKEYBOARD_INPUT_DATA;
//...
HANDLE hKeyBoard, hEvent;
UNICODE_STRING skull, keyboard;
OBJECT_ATTRIBUTES ObjectAttributes;
IO_STATUS_BLOCK Iosb;
LARGE_INTEGER ByteOffset;
KEYBOARD_INPUT_DATA kbData;
// inialize variables
RtlInitUnicodeString(&keyboard, L"DeviceKeyboardClass0");
InitializeObjectAttributes(&ObjectAttributes, &keyboard, OBJ_CASE_INSENSITIVE, NULL, NULL);
// open keyboard device
NtCreateFile(&hKeyBoard,
SYNCHRONIZE | GENERIC_READ | FILE_READ_ATTRIBUTES,
&ObjectAttributes,
&Iosb,
NULL,
FILE_ATTRIBUTE_NORMAL,
0,
FILE_OPEN,FILE_DIRECTORY_FILE,
NULL, 0);
// create event to wait on
InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
NtCreateEvent(&hEvent, EVENT_ALL_ACCESS, &ObjectAttributes, 1, 0);
while (TRUE)
{
NtReadFile(hKeyBoard, hEvent, NULL, NULL, &Iosb, &kbData, sizeof(KEYBOARD_INPUT_DATA), &ByteOffset, NULL);
NtWaitForSingleObject(hEvent, TRUE, NULL);
if (kbData.MakeCode == 0x01) // if ESC pressed
{
break;
}
}ืื ืื ืฉืื ืื ื ืฆืจืืืื ืื ืืืฉืชืืฉ ืืืืฉืืจ ืคืชืื, ืืืืชื ืขื ืฉืืืงืืืช ืชืืืืจ ืื ื ืื ืืืืฆื. ืื ืืงืฉ ESC ื ืืืฅ, ื ืืฉืื ืืขืืื. ืืื ืืคืชืื ืืช ืืืืฉืืจ, ื ืฆืืจื ืืงืจืื ืืคืื ืงืฆืื NtCreateFile (ื ืฆืืจื ืืคืชืื ืืช DeviceKeyboardClass0). ืื ืื ืื ื ื ืชืงืฉืจ ืืื ืืืชืื ืืช ืืืืืืงื ืืืืชื ื. ืื ื ื ืืจืื ืืขืฆืื ื ืขื ืืื ื KEYBOARD_INPUT_DATA, ืืืืืฆื ืืช ื ืชืื ื ืืืงืืืช. ืื ืืงื ืขื ืืขืืืื ืฉืื ื.
ืืืคืืืงืฆืื ืืืงืืจืืช ืืกืชืืืืช ืืงืจืืืช ืคืื ืงืฆืื ืื ืื ืื ื ืคืฉืื ืืืจืืื ืืช ืืชืืืื ืฉืื ื.
ืื ืืงืื ืืืคืืืงืฆืื ืืงืื ื ืฉืื ื:
#include "ntifs.h" // WinDDK7600.16385.1incddk
#include "ntdef.h"
//------------------------------------
// Following function definitions can be found in native development kit
// but I am too lazy to include `em so I declare it here
//------------------------------------
NTSYSAPI
NTSTATUS
NTAPI
NtTerminateProcess(
IN HANDLE ProcessHandle OPTIONAL,
IN NTSTATUS ExitStatus
);
NTSYSAPI
NTSTATUS
NTAPI
NtDisplayString(
IN PUNICODE_STRING String
);
NTSTATUS
NtWaitForSingleObject(
IN HANDLE Handle,
IN BOOLEAN Alertable,
IN PLARGE_INTEGER Timeout
);
NTSYSAPI
NTSTATUS
NTAPI
NtCreateEvent(
OUT PHANDLE EventHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN EVENT_TYPE EventType,
IN BOOLEAN InitialState
);
// https://docs.microsoft.com/en-us/windows/win32/api/ntddkbd/ns-ntddkbd-keyboard_input_data
typedef struct _KEYBOARD_INPUT_DATA {
USHORT UnitId;
USHORT MakeCode;
USHORT Flags;
USHORT Reserved;
ULONG ExtraInformation;
} KEYBOARD_INPUT_DATA, *PKEYBOARD_INPUT_DATA;
//----------------------------------------------------------
// Our code goes here
//----------------------------------------------------------
// usage: WriteLn(L"Hello Native World!n");
void WriteLn(LPWSTR Message)
{
UNICODE_STRING string;
RtlInitUnicodeString(&string, Message);
NtDisplayString(&string);
}
void NtProcessStartup(void* StartupArgument)
{
// it is important to declare all variables at the beginning
HANDLE hKeyBoard, hEvent;
UNICODE_STRING skull, keyboard;
OBJECT_ATTRIBUTES ObjectAttributes;
IO_STATUS_BLOCK Iosb;
LARGE_INTEGER ByteOffset;
KEYBOARD_INPUT_DATA kbData;
PVOID memory = NULL;
PVOID buffer = NULL;
ULONG bufferSize = 42;
//use it if debugger connected to break
//DbgBreakPoint();
WriteLn(L"Hello Native World!n");
// inialize variables
RtlInitUnicodeString(&keyboard, L"DeviceKeyboardClass0");
InitializeObjectAttributes(&ObjectAttributes, &keyboard, OBJ_CASE_INSENSITIVE, NULL, NULL);
// open keyboard device
NtCreateFile(&hKeyBoard,
SYNCHRONIZE | GENERIC_READ | FILE_READ_ATTRIBUTES,
&ObjectAttributes,
&Iosb,
NULL,
FILE_ATTRIBUTE_NORMAL,
0,
FILE_OPEN,FILE_DIRECTORY_FILE,
NULL, 0);
// create event to wait on
InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
NtCreateEvent(&hEvent, EVENT_ALL_ACCESS, &ObjectAttributes, 1, 0);
WriteLn(L"Keyboard readyn");
// create heap in order to allocate memory later
memory = RtlCreateHeap(
HEAP_GROWABLE,
NULL,
1000,
0, NULL, NULL
);
WriteLn(L"Heap readyn");
// allocate buffer of size bufferSize
buffer = RtlAllocateHeap(
memory,
HEAP_ZERO_MEMORY,
bufferSize
);
WriteLn(L"Buffer allocatedn");
// free buffer (actually not needed because we destroy heap in next step)
RtlFreeHeap(memory, 0, buffer);
RtlDestroyHeap(memory);
WriteLn(L"Heap destroyedn");
WriteLn(L"Press ESC to continue...n");
while (TRUE)
{
NtReadFile(hKeyBoard, hEvent, NULL, NULL, &Iosb, &kbData, sizeof(KEYBOARD_INPUT_DATA), &ByteOffset, NULL);
NtWaitForSingleObject(hEvent, TRUE, NULL);
if (kbData.MakeCode == 0x01) // if ESC pressed
{
break;
}
}
NtTerminateProcess(NtCurrentProcess(), 0);
}ื .ื.: ืื ื ืืืืืื ืืืฉืชืืฉ ืืงืืืช ืืคืื ืงืฆืื DbgBreakPoint() ืืงืื ืฉืื ื ืืื ืืขืฆืืจ ืืืชื ื-debugger. ื ืืื, ืชืฆืืจื ืืืืจ ืืช WinDbg ืืืืื ื ืืืจืืืืืืช ืืฆืืจื ืืืชืืจ ืืืืื ืืืืื. ื ืืชื ืืืฆืื ืืืจืืืช ืืืฆื ืืขืฉืืช ืืืช ืื ืคืฉืื ืืืฉืชืืฉ .
ืงืืืคืืืฆืื ืืืจืืื
ืืืจื ืืงืื ืืืืชืจ ืืื ืืช ืืคืืืงืฆืื ืืงืืจืืช ืืื ืืืฉืชืืฉ (ืขืจืืช ืคืืชืื ืืจืืืืจืื). ืื ื ืืงืืงืื ืืืจืกื ืืฉืืืขืืช ืืขืชืืงื, ืืืืืื ืฉืืืจืกืืืช ืืืืืจืืช ืืืชืจ ืืฉ ืืืฉื ืืขื ืฉืื ื ืืขืืืืืช ืืฉืืชืืฃ ืคืขืืื ืืืืง ืขื Visual Studio. ืื ืื ืื ื ืืฉืชืืฉืื ื-DDK, ืื ืืคืจืืืงื ืฉืื ื ืฆืจืื ืจืง Makefile ืืืงืืจืืช.
ืงืืืฅ Makefile
!INCLUDE $(NTMAKEENV)makefile.defืืงืืจืืช:
TARGETNAME = MyNative
TARGETTYPE = PROGRAM
UMTYPE = nt
BUFFER_OVERFLOW_CHECKS = 0
MINWIN_SDK_LIB_PATH = $(SDK_LIB_PATH)
SOURCES = source.c
INCLUDES = $(DDK_INC_PATH);
C:WinDDK7600.16385.1ndk;
TARGETLIBS = $(DDK_LIB_PATH)ntdll.lib
$(DDK_LIB_PATH)nt.lib
USE_NTDLL = 1ื-Makefile ืฉืื โโืืืื ืืื ืืืืืืื, ืืื ืืืื ื ืกืชืื ืขื ืืงืืจืืช ืงืฆืช ืืืชืจ ืืคืืจืื. ืงืืืฅ ืื ืืฆืืื ืืช ืืงืืจืืช ืืชืืื ืืช ืฉืื (ืงืืฆื.c), ืืคืฉืจืืืืช ืื ืืื ืืคืจืืืจืื ืืืจืื.
- TARGETNAME - ืฉื ืงืืืฅ ืืืคืขืื ืฉืืืืจ ืืืืืช ืืืคืง ืืกืืคื ืฉื ืืืจ.
- TARGETTYPE โ ืกืื ืฉื ืงืืืฅ ืืคืขืื, ืื ืืืื ืืืืืช ืืจืืืืจ (.sys), ืื ืขืจื ืืฉืื ืฆืจืื ืืืืืช DRIVER, ืื ืกืคืจืืื (.lib), ืื ืืขืจื ืืื LIBRARY. ืืืงืจื ืฉืื ื, ืื ืื ื ืฆืจืืืื ืงืืืฅ ืืคืขืื (.exe), ืื ืื ืื ื ืืืืืจืื ืืช ืืขืจื ื-PROGRAM.
- UMTYPE - ืขืจืืื ืืคืฉืจืืื ืืฉืื ืื: ืืกืืฃ ืขืืืจ ืืืฉืื ืืกืืฃ, ืืืื ืืช ืืขืืืื ืืืฆื ืืืื ืืช. ืืื ืื ืื ื ืฆืจืืืื ืืฆืืื nt ืืื ืืงืื ืืืฉืื ืืงืืจื.
- BUFFER_OVERFLOW_CHECKS - ืืืืงืช ืืืืกื ืืช ืืืืชืืจ ืืืืฉืช ืืืืจ, ืืืจืื ืืฆืขืจ ืื ืืืงืจื ืฉืื ื, ืื ื ืืืืื ืืืชื.
- MINWIN_SDK_LIB_PATH โ ืขืจื ืื ืืชืืืืก ืืืฉืชื ื SDK_LIB_PATH, ืื ืชืืื ืฉืืื ืื ืืฉืชื ื ืืขืจืืช ืฉืืื, ืืืฉืจ ื ืจืืฅ build checked ืื-DDK, ืืฉืชื ื ืื ืืืืจื ืืืฆืืืข ืขื ืืกืคืจืืืช ืืืจืืฉืืช.
- SOURCES - ืจืฉืืืช ืืงืืจืืช ืืชืืื ืืช ืฉืื.
- ืืืื - ืงืืฆื ืืืชืจืืช ืื ืืจืฉืื ืืืจืืื. ืืื ืื ืืืจื ืืื ืืฆืืื ืื ืืช ืื ืชืื ืืงืืฆืื ืฉืืืืขืื ืขื ื-DDK, ืืื ืืชื ืืืื ืื ืืฆืืื ืื ืงืืฆืื ืืืจืื.
- TARGETLIBS - ืจืฉืืืช ืกืคืจืืืช ืฉืฆืจืื ืืงืฉืจ.
- USE_NTDLL ืืื ืฉืื ืืืื ืฉืืฉ ืืืืืืจ ื-1 ืืกืืืืช ืืจืืจืืช.
- USER_C_FLAGS - ืื ืืืืืื ืฉืืื ืืชื ืืืื ืืืฉืชืืฉ ืืื ืืืืช ืืขืื ืงืื ืืขืช ืืื ืช ืงืื ืืืฉืื.
ืื ืืื ืืื ืืช, ืื ืื ื ืฆืจืืืื ืืืจืืฅ ืืช x86 (ืื x64) ืืกืืื Build, ืืฉื ืืช ืืช ืกืคืจืืืช ืืขืืืื ืืชืืงืืืช ืืคืจืืืงื ืืืืคืขืื ืืช ืืคืงืืื Build. ืืชืืฆืื ืืฆืืืื ืืืกื ืืจืื ืฉืืฉ ืื ื ืงืืืฅ ืืคืขืื ืืื.
ืื ื ืืชื ืืืคืขืื ืืช ืืงืืืฅ ืืื ืื ืื ืืงืืืช, ืืืขืจืืช ืืงืืืช ืืฉืืืืช ืืืชื ื ืืืฉืื ืขื ืืืชื ืืืืช ืฉืื ืขื ืืฉืืืื ืืืื:
ืืื ืืืคืขืื ืืคืืืงืฆืื ืืงืืจืืช?
ืืืฉืจ autochk ืืืคืขื, ืจืฆืฃ ืืืชืืื ืฉื ืชืืื ืืืช ื ืงืืข ืืคื ืืขืจื ืฉื ืืคืชื ืืจืืฉืื:
HKLMSystemCurrentControlSetControlSession ManagerBootExecuteืื ืื ืืคืืืฉืืช ืืืฆืข ืชืืื ืืืช ืืจืฉืืื ืื ืืืช ืืืช. ืื ืื ืืคืืืฉืืช ืืืคืฉ ืืช ืงืืฆื ืืืคืขืื ืขืฆืื ืืกืคืจืืืช system32. ืคืืจืื ืขืจื ืืคืชื ืืจืืฉืื ืืื ืืืืงืื:
autocheck autochk *MyNativeืืขืจื ืืืื ืืืืืช ืืคืืจืื ืืงืกืืฆืืืื, ืื ื-ASCII ืืจืืื, ืื ืฉืืืคืชื ืืืืฆื ืืขืื ืืืื ืืคืืจืื:
61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,4d,79,4e,61,74,69,76,65,00,00ืืื ืืืืืจ ืืช ืืืืชืจืช, ืืชื ืืืื ืืืฉืชืืฉ ืืฉืืจืืช ืืงืืื, ืืืฉื, .
ืืกืชืืจ ืฉืืื ืืืฉืืง ืืคืืืงืฆืื ืืงืืจืืช, ืื ืื ื ืฆืจืืืื:
- ืืขืชืง ืืช ืงืืืฅ ืืืคืขืื ืืชืืงืืืช system32
- ืืืกืฃ ืืคืชื ืืจืืฉืื
- ืืคืขื ืืืืฉ ืืช ืืืืื ื
ืืืขืื ื ืืืืช, ืื ื ืกืงืจืืคื ืืืื ืืืชืงื ืช ืืคืืืงืฆืื ืืงืืจืืช:
install.bat
@echo off
copy MyNative.exe %systemroot%system32.
regedit /s add.reg
echo Native Example Installed
pauseadd.reg
REGEDIT4
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSession Manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,4d,79,4e,61,74,69,76,65,00,00ืืืืจ ืืืชืงื ื ืืืืชืืื ืืืืฉ, ืขืื ืืคื ื ืืืคืขืช ืืกื ืืืืจืช ืืืฉืชืืฉ, ื ืงืื ืืช ืืชืืื ื ืืืื:
ืกื ืืื
ืืืืฆืขืืช ืืืืืื ืฉื ืืคืืืงืฆืื ืื ืื ืงืื ื, ืืฉืชืื ืขื ื ืฉืืคืฉืจ ืืืืื ืืืจืืฅ ืืช ืืืคืืืงืฆืื ืืจืืช Windows Native. ืืฉืื ืืื, ืืืืจ'ื ืืืื ืืืจืกืืืช ืืื ื ืืคืืืืก ืืื ื ื ืืฉืื ืืื ืืช ืฉืืจืืช ืฉืืชืืื ืืช ืชืืืื ืืืื ืืจืืงืฆืื ืขื ืื ืื ืืจืื ืืืชืจ ืืืงืื ืืืฉืจ ืืืจืกื ืืงืืืืช ืฉื ืืคืจืืืงื ืฉืื ื. ืืขื ืืืคืขืช ืืขืืคืช win32, ืื ืืืื ืืืืื ื ืืืขืืืจ ืืช ืืฉืืืื ืืฉืืจืืช ืืื ืฉืืืจ ืคืืชื (ืขืื ืขื ืื ).
ืืืืืจ ืืื ื ืืืข ืืจืืื ื ืืกืฃ ืฉื ืฉืืจืืช Active Restore, ืืืืืจ ืื ืื ืืืชืงื ืฉื UEFI. ืืืจืฉืื ืืืืื ืฉืื ื ืืื ืฉืื ืชืคืกืคืกื ืืช ืืคืืกื ืืื.
ืืงืืจ: www.habr.com