Today we continue the story of how, together with colleagues from Innopolis University, we are developing the Active Restore technology, which lets a user start working on their machine as early as possible after a failure. This time the subject is native Windows applications: how to write one and how to get it launched. Along the way we say a little about our project and give a practical guide to building a native application.
In an earlier post we already explained what this gives us:
- the service itself starts much earlier
- at a very early stage it contacts the cloud where the backup is stored
- it learns early whether the system is in normal boot or in recovery mode
- far fewer files have to be recovered up front
- the user can get to work even sooner
But what is a native application?
To answer that, let's look at the chain of calls the system makes when, for example, an application programmer wants to create a file.
Pavel Yosifovich, Windows Kernel Programming (2019)
The programmer uses the function
The main advantage of a native application is that ntdll is loaded into the system much earlier than kernel32, which is logical: kernel32 cannot work without ntdll. As a result, an application that uses only native functions can start running earlier.
So a Windows native application is a program that can be started at an early stage of Windows boot; it uses only functions from ntdll. One example of such an application is autochk, which we will meet again below.
What do you need?
- DDK (Driver Development Kit), today better known as WDK 7 (Windows Driver Kit)
- a virtual machine (for example, Windows 7 x64)
- optionally, the header files that can be downloaded here; they are not required, but they are handy
What goes into the code?
To get a feel for it, let's write a small application that, for example:
- displays a message on the screen
- allocates some memory
- waits for keyboard input
- frees the memory it used
In a native application the entry point is not main or WinMain but the function NtProcessStartup, because the system starts the new process directly, with no runtime library in between.
Let's begin with printing a message on the screen. There is a native function for this, NtDisplayString; it writes through the boot-time text output, which is exactly the phase in which our program will be running:
//usage: WriteLn(L"Here is my text\n");
void WriteLn(LPWSTR Message)
{
UNICODE_STRING string;
RtlInitUnicodeString(&string, Message);
NtDisplayString(&string);
}
Since only ntdll functions are available and no other library is in memory yet, memory allocation is going to be the first real problem: there is no new operator (it belongs to the high-level world of C++) and no malloc (that needs the C runtime). Of course, you could get by with the stack alone. But if you need to allocate memory dynamically, it has to come from a heap. So let's create our own heap and take memory from it whenever we need it.
The function for that job is RtlCreateHeap:
PVOID memory = NULL;
PVOID buffer = NULL;
ULONG bufferSize = 42;
// create heap in order to allocate memory later
memory = RtlCreateHeap(
HEAP_GROWABLE,
NULL,
1000,
0, NULL, NULL
);
// allocate buffer of size bufferSize
buffer = RtlAllocateHeap(
memory,
HEAP_ZERO_MEMORY,
bufferSize
);
// free buffer (actually not needed because we destroy heap in next step)
RtlFreeHeap(memory, 0, buffer);
RtlDestroyHeap(memory);
Now let's move on to waiting for keyboard input. We open the keyboard class device directly, read KEYBOARD_INPUT_DATA packets from it asynchronously, and wait on an event for each read to complete:
// https://docs.microsoft.com/en-us/windows/win32/api/ntddkbd/ns-ntddkbd-keyboard_input_data
typedef struct _KEYBOARD_INPUT_DATA {
USHORT UnitId;
USHORT MakeCode;
USHORT Flags;
USHORT Reserved;
ULONG ExtraInformation;
} KEYBOARD_INPUT_DATA, *PKEYBOARD_INPUT_DATA;
//...
HANDLE hKeyBoard, hEvent;
UNICODE_STRING skull, keyboard;
OBJECT_ATTRIBUTES ObjectAttributes;
IO_STATUS_BLOCK Iosb;
LARGE_INTEGER ByteOffset;
KEYBOARD_INPUT_DATA kbData;
// inialize variables
RtlInitUnicodeString(&keyboard, L"\\Device\\KeyboardClass0");
InitializeObjectAttributes(&ObjectAttributes, &keyboard, OBJ_CASE_INSENSITIVE, NULL, NULL);
// open keyboard device
NtCreateFile(&hKeyBoard,
SYNCHRONIZE | GENERIC_READ | FILE_READ_ATTRIBUTES,
&ObjectAttributes,
&Iosb,
NULL,
FILE_ATTRIBUTE_NORMAL,
0,
FILE_OPEN,FILE_DIRECTORY_FILE,
NULL, 0);
// create event to wait on
InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
NtCreateEvent(&hEvent, EVENT_ALL_ACCESS, &ObjectAttributes, 1, 0);
ByteOffset.QuadPart = 0; // meaningless for a keyboard device, but do not pass uninitialised stack memory
while (TRUE)
{
    // asynchronous read of one packet; hEvent is signalled when it completes
    NtReadFile(hKeyBoard, hEvent, NULL, NULL, &Iosb, &kbData, sizeof(KEYBOARD_INPUT_DATA), &ByteOffset, NULL);
    NtWaitForSingleObject(hEvent, TRUE, NULL);
    if (kbData.MakeCode == 0x01) // ESC scan code (kbdclass delivers it on both press and release)
    {
        break;
    }
}
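To see why the MakeCode test above is only an approximation, here is an added example (not code from the original article) that separates the packet-handling logic from the I/O so it can be compiled and run on any platform. The KEYBOARD_INPUT_DATA layout and the KEY_MAKE/KEY_BREAK/KEY_E0/KEY_E1 flag values are copied from ntddkbd.h; the packet source is a constructed array standing in for NtReadFile, and the function and type names are the example's own.

```c
#include <stddef.h>

/* KEYBOARD_INPUT_DATA as delivered by kbdclass, mirrored here so the logic
   compiles off Windows (ULONG is 32-bit, hence unsigned int). */
typedef struct _KEYBOARD_INPUT_DATA {
    unsigned short UnitId;
    unsigned short MakeCode;
    unsigned short Flags;
    unsigned short Reserved;
    unsigned int   ExtraInformation;
} KEYBOARD_INPUT_DATA;

/* Flag bits from ntddkbd.h */
#define KEY_MAKE  0   /* key pressed  */
#define KEY_BREAK 1   /* key released */
#define KEY_E0    2   /* 0xE0 extended-key prefix */
#define KEY_E1    4   /* 0xE1 extended-key prefix (Pause) */

#define SCANCODE_ESC 0x01

/* Packet source. On Windows this would wrap NtReadFile + NtWaitForSingleObject
   on \Device\KeyboardClass0; it returns 1 when a packet was filled in,
   0 on end of input or an I/O error. */
typedef int (*kbd_read_fn)(void *ctx, KEYBOARD_INPUT_DATA *out);

/* A genuine ESC key-down. The release packet carries the same MakeCode with
   KEY_BREAK set, so testing MakeCode alone fires on both press and release. */
int is_escape_press(const KEYBOARD_INPUT_DATA *p)
{
    return p->MakeCode == SCANCODE_ESC
        && (p->Flags & KEY_BREAK) == 0
        && (p->Flags & (KEY_E0 | KEY_E1)) == 0;
}

/* Consume packets until ESC is pressed. Returns the 1-based index of the
   packet that ended the loop, or 0 if the source ran dry first (in the real
   program a read error must end the loop too, otherwise boot hangs). */
unsigned wait_for_escape(kbd_read_fn read, void *ctx)
{
    KEYBOARD_INPUT_DATA pkt;
    unsigned n = 0;
    while (read(ctx, &pkt)) {
        n++;
        if (is_escape_press(&pkt))
            return n;
    }
    return 0;
}

/* Constructed packet source: an array in place of the keyboard device. */
typedef struct { const KEYBOARD_INPUT_DATA *pkts; size_t count, next; } array_source;

static int array_read(void *ctx, KEYBOARD_INPUT_DATA *out)
{
    array_source *s = (array_source *)ctx;
    if (s->next >= s->count)
        return 0;
    *out = s->pkts[s->next++];
    return 1;
}

/* Constructed scenario: 'a' typed (make 0x1E, break 0x1E), then an ESC
   *release* (the key was held down during boot), then a real ESC press. */
static const KEYBOARD_INPUT_DATA sample_packets[] = {
    { 0, 0x1E,         KEY_MAKE,  0, 0 },
    { 0, 0x1E,         KEY_BREAK, 0, 0 },
    { 0, SCANCODE_ESC, KEY_BREAK, 0, 0 },  /* a MakeCode-only check would exit here */
    { 0, SCANCODE_ESC, KEY_MAKE,  0, 0 },  /* genuine press: exit here */
    { 0, 0x1C,         KEY_MAKE,  0, 0 },  /* Enter, never read */
};

/* Feed the first `count` sample packets through wait_for_escape. */
unsigned run_sample(size_t count)
{
    size_t total = sizeof sample_packets / sizeof sample_packets[0];
    array_source src = { sample_packets, count < total ? count : total, 0 };
    return wait_for_escape(array_read, &src);
}
```

With all five packets the loop ends at packet 4 (the real press); with only the first three it returns 0, whereas the page's loop would have exited on packet 3, the release.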
That is all it takes. A native application ends by calling NtTerminateProcess on its own process handle, as the full listing below shows.
The complete code of our little application:
#include "ntifs.h" // WinDDK\7600.16385.1\inc\ddk
#include "ntdef.h"
//------------------------------------
// Following function definitions can be found in native development kit
// but I am too lazy to include `em so I declare it here
//------------------------------------
NTSYSAPI
NTSTATUS
NTAPI
NtTerminateProcess(
IN HANDLE ProcessHandle OPTIONAL,
IN NTSTATUS ExitStatus
);
NTSYSAPI
NTSTATUS
NTAPI
NtDisplayString(
IN PUNICODE_STRING String
);
// NTAPI (__stdcall) is not optional here: without it the x86 build calls ntdll with the wrong calling convention
NTSYSAPI
NTSTATUS
NTAPI
NtWaitForSingleObject(
    IN HANDLE Handle,
    IN BOOLEAN Alertable,
    IN PLARGE_INTEGER Timeout OPTIONAL
    );
NTSYSAPI
NTSTATUS
NTAPI
NtCreateEvent(
OUT PHANDLE EventHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN EVENT_TYPE EventType,
IN BOOLEAN InitialState
);
// https://docs.microsoft.com/en-us/windows/win32/api/ntddkbd/ns-ntddkbd-keyboard_input_data
typedef struct _KEYBOARD_INPUT_DATA {
USHORT UnitId;
USHORT MakeCode;
USHORT Flags;
USHORT Reserved;
ULONG ExtraInformation;
} KEYBOARD_INPUT_DATA, *PKEYBOARD_INPUT_DATA;
//----------------------------------------------------------
// Our code goes here
//----------------------------------------------------------
// usage: WriteLn(L"Hello Native World!\n");
void WriteLn(LPWSTR Message)
{
UNICODE_STRING string;
RtlInitUnicodeString(&string, Message);
NtDisplayString(&string);
}
void NtProcessStartup(void* StartupArgument)
{
    // it is important to declare all variables at the beginning (the DDK compiler builds .c files as C89)
    NTSTATUS status;
    HANDLE hKeyBoard, hEvent;
    UNICODE_STRING keyboard;
    OBJECT_ATTRIBUTES ObjectAttributes;
    IO_STATUS_BLOCK Iosb;
    LARGE_INTEGER ByteOffset;
    KEYBOARD_INPUT_DATA kbData;
    PVOID memory = NULL;
    PVOID buffer = NULL;
    ULONG bufferSize = 42;
    //use it if debugger connected to break
    //DbgBreakPoint();
    WriteLn(L"Hello Native World!\n");
    // initialize variables
    RtlInitUnicodeString(&keyboard, L"\\Device\\KeyboardClass0");
    InitializeObjectAttributes(&ObjectAttributes, &keyboard, OBJ_CASE_INSENSITIVE, NULL, NULL);
    // open keyboard device; without FILE_SYNCHRONOUS_IO_* the handle is asynchronous, hence the event below
    status = NtCreateFile(&hKeyBoard,
        SYNCHRONIZE | GENERIC_READ | FILE_READ_ATTRIBUTES,
        &ObjectAttributes,
        &Iosb,
        NULL,
        FILE_ATTRIBUTE_NORMAL,
        0,
        FILE_OPEN, FILE_DIRECTORY_FILE,
        NULL, 0);
    if (!NT_SUCCESS(status))
    {
        // smss waits for us to exit, so never spin on a failed handle: report and leave
        WriteLn(L"Cannot open keyboard device\n");
        NtTerminateProcess(NtCurrentProcess(), status);
    }
    // create event to wait on: a synchronization (auto-reset) event, initially not signalled
    InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
    status = NtCreateEvent(&hEvent, EVENT_ALL_ACCESS, &ObjectAttributes, SynchronizationEvent, FALSE);
    if (!NT_SUCCESS(status))
    {
        NtTerminateProcess(NtCurrentProcess(), status);
    }
    WriteLn(L"Keyboard ready\n");
    // create heap in order to allocate memory later
    memory = RtlCreateHeap(
        HEAP_GROWABLE,
        NULL,          // let the system pick the base address
        1000,          // initial reserve size
        0, NULL, NULL
    );
    if (memory == NULL)
    {
        NtTerminateProcess(NtCurrentProcess(), STATUS_NO_MEMORY);
    }
    WriteLn(L"Heap ready\n");
    // allocate buffer of size bufferSize
    buffer = RtlAllocateHeap(
        memory,
        HEAP_ZERO_MEMORY,
        bufferSize
    );
    if (buffer != NULL)
    {
        WriteLn(L"Buffer allocated\n");
        // free buffer (actually not needed because we destroy heap in next step)
        RtlFreeHeap(memory, 0, buffer);
    }
    RtlDestroyHeap(memory);
    WriteLn(L"Heap destroyed\n");
    WriteLn(L"Press ESC to continue...\n");
    ByteOffset.QuadPart = 0; // meaningless for a keyboard device, but do not pass uninitialised stack memory
    while (TRUE)
    {
        // asynchronous read of one packet; hEvent is signalled when it completes
        status = NtReadFile(hKeyBoard, hEvent, NULL, NULL, &Iosb, &kbData, sizeof(KEYBOARD_INPUT_DATA), &ByteOffset, NULL);
        if (status == STATUS_PENDING)
        {
            NtWaitForSingleObject(hEvent, TRUE, NULL);
            status = Iosb.Status;
        }
        if (!NT_SUCCESS(status))
        {
            break; // a read error must not trap us in the loop: boot would hang
        }
        if (kbData.MakeCode == 0x01) // ESC scan code (delivered on both press and release)
        {
            break;
        }
    }
    NtTerminateProcess(NtCurrentProcess(), 0);
}
P.S. If you put DbgBreakPoint() into the code, the debugger will stop right there. True, for that WinDbg has to be attached to the virtual machine for kernel debugging; how to do that is described here.
Compilation and build
The easiest way to build a native application is with the DDK build utility, using these two files.
makefile
!INCLUDE $(NTMAKEENV)\makefile.def
sources
TARGETNAME = MyNative
TARGETTYPE = PROGRAM
UMTYPE = nt
BUFFER_OVERFLOW_CHECKS = 0
MINWIN_SDK_LIB_PATH = $(SDK_LIB_PATH)
SOURCES = source.c
INCLUDES = $(DDK_INC_PATH); \
           C:\WinDDK\7600.16385.1\ndk;
TARGETLIBS = $(DDK_LIB_PATH)\ntdll.lib \
             $(DDK_LIB_PATH)\nt.lib
USE_NTDLL = 1
The makefile is always the same, so let's look at sources a bit more closely. This file names the program's sources (.c files), build options and other parameters.
- TARGETNAME: the name of the resulting executable.
- TARGETTYPE: the type of output. For a driver (.sys) it must be DRIVER, for a library (.lib) LIBRARY. We want an executable (.exe), so it is set to PROGRAM.
- UMTYPE: the user-mode subsystem. console gives a console application and windows a GUI one; to get a native application it must be nt.
- BUFFER_OVERFLOW_CHECKS: stack buffer overflow checks (the compiler's /GS cookies). Unfortunately they have to be switched off here: the cookie support routines the compiler calls are not part of ntdll, and a pure-ntdll program links nothing else. The price is that a stack overflow in this code goes undetected, so size every stack buffer carefully (NtReadFile above, for example, is told exactly sizeof(KEYBOARD_INPUT_DATA)).
- MINWIN_SDK_LIB_PATH: refers to the SDK_LIB_PATH variable. There is no need to worry that no such environment variable exists: when the build is run from the DDK Checked Build environment it is defined and points at the needed libraries.
- SOURCES: the list of the program's source files.
- INCLUDES: the header directories needed for the build. Usually this is the path to the headers shipped with the DDK, but other paths can be added, as here for the NDK headers.
- TARGETLIBS: the list of libraries to link against.
- USE_NTDLL: a mandatory field that, for obvious reasons, must be set to 1: the program links against ntdll alone.
- USER_C_FLAGS: extra compiler flags, useful for defining preprocessor symbols for the application code (not used in this example).
So, to build: open the x86 (or x64) Checked Build Environment, change to the project folder and run build. The screenshot shows the result: a single executable.
This file cannot simply be double-clicked: the system refuses it with the error shown below, which makes you think about how it actually works.
How do you launch a native application?
Which programs the system starts at the point where autochk runs, and in what order, is determined by the registry value
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
Session Manager (smss) runs the programs from this list one after another, and looks for the executables themselves in the system32 directory. The value is a REG_MULTI_SZ list; with our program added it looks like this:
autocheck autochk *
MyNative
In a .reg file a REG_MULTI_SZ value has to be written as hex(7) rather than as plain text: the bytes of each string followed by a NUL, and one more NUL terminating the list. So the value above becomes:
61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,4d,79,4e,61,74,69,76,65,00,00
To convert the strings you can use an online service such as this one. Note that importing a .reg file replaces the whole value: if your BootExecute already holds entries besides the default autocheck autochk *, include them too, otherwise they are silently dropped.
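Rather than trust an online converter with a boot-critical value, the encoding is easy to do, and to check, yourself. The following is an added example in portable C, not code from the article: it serialises a list of strings as REG_MULTI_SZ, renders the bytes in the hex(7) notation regedit expects, and parses such a line back so you can confirm which entries a value really holds, for instance when reviewing a BootExecute value exported from a machine. The function names are the example's own; the sample entries are the page's "autocheck autochk *" and "MyNative".

```c
#include <stddef.h>
#include <string.h>

/* Serialise strings as REG_MULTI_SZ: each string plus its NUL, then one
   more NUL closing the list. Returns bytes written, 0 if out is too small. */
size_t multi_sz_encode(const char *const *items, size_t n,
                       unsigned char *out, size_t cap)
{
    size_t pos = 0, i;
    for (i = 0; i < n; i++) {
        size_t len = strlen(items[i]) + 1;      /* with terminator */
        if (pos + len + 1 > cap)                /* +1: list terminator */
            return 0;
        memcpy(out + pos, items[i], len);
        pos += len;
    }
    out[pos++] = 0;
    return pos;
}

/* Render bytes as the comma-separated hex written after "hex(7):". */
size_t hex7_format(const unsigned char *bytes, size_t n, char *out, size_t cap)
{
    static const char digits[] = "0123456789abcdef";
    size_t pos = 0, i;
    if (cap == 0)
        return 0;
    for (i = 0; i < n; i++) {
        if (pos + 4 > cap)                      /* ",xx" plus final NUL */
            return 0;
        if (i)
            out[pos++] = ',';
        out[pos++] = digits[bytes[i] >> 4];
        out[pos++] = digits[bytes[i] & 0x0F];
    }
    out[pos] = '\0';
    return pos;
}

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse "61,75,..." back into bytes. Returns byte count, 0 if malformed. */
size_t hex7_parse(const char *text, unsigned char *out, size_t cap)
{
    size_t n = 0;
    while (*text) {
        int hi = hexval(text[0]);
        int lo = hi < 0 ? -1 : hexval(text[1]);
        if (lo < 0 || n >= cap)
            return 0;
        out[n++] = (unsigned char)((hi << 4) | lo);
        text += 2;
        if (*text == ',')
            text++;
        else if (*text)
            return 0;
    }
    return n;
}

/* Walk a REG_MULTI_SZ blob, storing up to max entry pointers into it.
   Returns the entry count, 0 if a string runs off the end of the blob. */
size_t multi_sz_split(const unsigned char *blob, size_t n,
                      const char **entries, size_t max)
{
    size_t count = 0, pos = 0, end;
    while (pos < n && blob[pos] != 0) {
        for (end = pos; end < n && blob[end] != 0; end++)
            ;
        if (end == n)
            return 0;
        if (count < max)
            entries[count] = (const char *)blob + pos;
        count++;
        pos = end + 1;
    }
    return count;
}

/* The page's value: the Windows default entry plus our program. */
static const char *const boot_execute[] = { "autocheck autochk *", "MyNative" };

/* hex(7) text for boot_execute, ready for the "BootExecute"=hex(7): line. */
const char *boot_execute_hex7(void)
{
    static unsigned char blob[128];
    static char line[4 * sizeof blob];
    size_t n = multi_sz_encode(boot_execute, 2, blob, sizeof blob);
    return (n && hex7_format(blob, n, line, sizeof line)) ? line : NULL;
}

/* Entries in a hex(7) value (e.g. one exported from a machine under review), 0 if unparsable. */
size_t hex7_entry_count(const char *hex)
{
    unsigned char blob[1024];
    size_t n = hex7_parse(hex, blob, sizeof blob);
    return n ? multi_sz_split(blob, n, NULL, 0) : 0;
}

/* 1 if name is exactly one of the entries, else 0. */
int hex7_contains(const char *hex, const char *name)
{
    unsigned char blob[1024];
    const char *entries[32];
    size_t n = hex7_parse(hex, blob, sizeof blob), count, i;
    if (n == 0)
        return 0;
    count = multi_sz_split(blob, n, entries, 32);
    if (count > 32)
        count = 32;
    for (i = 0; i < count; i++)
        if (strcmp(entries[i], name) == 0)
            return 1;
    return 0;
}
```

boot_execute_hex7() reproduces the hex line above byte for byte; hex7_entry_count and hex7_contains are the reviewer's side of the same format, and show that the stock value (ending in 2a,00,00) carries a single entry.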
So, to launch a native application you need to:
- copy the executable to the system32 folder
- add the value to the registry
- reboot the machine
Two caveats before you do. Session Manager waits for every BootExecute program to exit before boot continues, so a native application that hangs or never calls NtTerminateProcess leaves the machine stuck at this screen; try it on a VM snapshot first. And since anything in BootExecute runs as SYSTEM before the Win32 subsystem and before any user-mode security product is loaded, this value is a well-known persistence point: on a production machine, changes to it should be logged and reviewed.
For convenience, here are ready-made scripts for installing the native application.
INSTALL.BAT
@echo off
copy MyNative.exe %systemroot%\system32\.
regedit /s add.reg
echo Native Example Installed
pause
add.reg
REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,4d,79,4e,61,74,69,76,65,00,00
After installing and rebooting, you will see the following picture even before the logon screen appears.
Summary
With this small example we satisfied ourselves that running an application at the Windows native level is entirely feasible. Next, the Innopolis University team and I will continue building a service that begins talking to the driver much earlier than the previous version of the project did. And once the win32 shell appears, it is logical to hand control over to the full-featured service that has already been developed (details here).
In the next article we will touch on another component of Active Restore: the UEFI driver. Subscribe to the blog so as not to miss the next post.
Source: habr.com