Windows Native Applications and the Acronis Active Restore Service

Today we continue the story of how we, together with the people from Innopolis University, are developing the Active Restore technology so that a user can get back to work on their machine as early as possible after a failure. We will talk about native Windows applications, including how they are built and launched. Under the cut is a little about our project and a practical guide to writing a native application.


In previous posts we already described what Active Restore is and how the Innopolis students are developing the service. Today I want to focus on native applications, the level at which we want to "bury" our Active Restore service. If everything works out, we will be able to:

  • Launch the service itself much earlier
  • Contact the cloud where the backup is stored much earlier
  • Understand much better what state the system is in: a normal boot or a recovery
  • Restore far fewer files up front
  • Let the user start working sooner.

What is a native application?

To answer this question, let's look at the sequence of calls the system makes when, for example, a programmer tries to create a file from their application.

Figure: Pavel Yosifovich, Windows Kernel Programming (2019)

The programmer uses the CreateFile function, which is declared in the header file fileapi.h and implemented in Kernel32.dll. However, this function does not create the file itself: it validates the input arguments and calls the NtCreateFile function (the Nt prefix marks the function as native). That function is declared in the header file winternl.h and implemented in ntdll.dll. It prepares the transition into kernel space and then issues the system call that creates the file. In this case Kernel32 turns out to be just a wrapper around Ntdll. One reason for this arrangement is that Microsoft can change the functions of the native world without touching the standard interfaces. Microsoft does not recommend calling native functions directly, and most of them are undocumented. By the way, the undocumented functions can be found here.

The main advantage of native applications is that ntdll is loaded into the system much earlier than kernel32. This is logical, since kernel32 needs ntdll in order to work. As a result, applications that use native functions can start working much earlier.

So, Windows Native Applications are programs that can be started early while Windows is still booting. They use ONLY functions from ntdll. An example of such an application is autochk, which runs the chkdsk utility to check the disk for errors before the main services are started. This is exactly the level at which we want Active Restore to live.

What do we need?

  • The DDK (Driver Development Kit), now known as the WDK 7 (Windows Driver Kit).
  • A virtual machine (for example, Windows 7 x64)
  • Not required, but helpful: the header files that can be downloaded here

What is in the code?

Let's practise by writing a small application that:

  1. Displays a message on the screen
  2. Allocates some memory
  3. Waits for keyboard input
  4. Frees the memory it used

In native applications the entry point is neither main nor winmain but the NtProcessStartup function, because we are starting a new process in the system directly.

Let's start by displaying a message on the screen. For this we have the native function NtDisplayString, which takes a pointer to a UNICODE_STRING structure as its argument. RtlInitUnicodeString helps us initialize it. So, to print text to the screen we can write this small function:

//usage: WriteLn(L"Here is my text\n");
void WriteLn(LPWSTR Message)
{
    UNICODE_STRING string;
    RtlInitUnicodeString(&string, Message);
    NtDisplayString(&string);
}

Since only the functions from ntdll are available to us, and no other libraries are in memory yet, the question arises of how to allocate memory. The new operator is not available yet (it belongs to the far too high-level C++ world), and there is no malloc function (it needs the C runtime libraries). Of course, the stack is always available. But if we want to allocate memory dynamically, we have to do it on the heap. So let's create our own heap and take memory from it whenever we need it.

The RtlCreateHeap function is well suited for this task. Afterwards, using RtlAllocateHeap and RtlFreeHeap, we can allocate and free memory whenever we need to.

PVOID memory = NULL;
PVOID buffer = NULL;
ULONG bufferSize = 42;

// create heap in order to allocate memory later
memory = RtlCreateHeap(
  HEAP_GROWABLE, 
  NULL, 
  1000, 
  0, NULL, NULL
);

// allocate buffer of size bufferSize
buffer = RtlAllocateHeap(
  memory, 
  HEAP_ZERO_MEMORY, 
  bufferSize
);

// free buffer (actually not needed because we destroy heap in next step)
RtlFreeHeap(memory, 0, buffer);

RtlDestroyHeap(memory);

Let's move on to waiting for keyboard input.

// https://docs.microsoft.com/en-us/windows/win32/api/ntddkbd/ns-ntddkbd-keyboard_input_data
typedef struct _KEYBOARD_INPUT_DATA {
  USHORT UnitId;
  USHORT MakeCode;
  USHORT Flags;
  USHORT Reserved;
  ULONG  ExtraInformation;
} KEYBOARD_INPUT_DATA, *PKEYBOARD_INPUT_DATA;

//...

HANDLE hKeyBoard, hEvent;
UNICODE_STRING skull, keyboard;
OBJECT_ATTRIBUTES ObjectAttributes;
IO_STATUS_BLOCK Iosb;
LARGE_INTEGER ByteOffset;
KEYBOARD_INPUT_DATA kbData;

// initialize variables
RtlInitUnicodeString(&keyboard, L"\\Device\\KeyboardClass0");
InitializeObjectAttributes(&ObjectAttributes, &keyboard, OBJ_CASE_INSENSITIVE, NULL, NULL);
ByteOffset.QuadPart = 0;   // the device ignores the offset, but it must not be uninitialized

// open keyboard device
NtCreateFile(&hKeyBoard,
			SYNCHRONIZE | GENERIC_READ | FILE_READ_ATTRIBUTES,
			&ObjectAttributes,
			&Iosb,
			NULL,
			FILE_ATTRIBUTE_NORMAL,
			0,
			FILE_OPEN,FILE_DIRECTORY_FILE,
			NULL, 0);

// create event to wait on
InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
NtCreateEvent(&hEvent, EVENT_ALL_ACCESS, &ObjectAttributes, 1, 0);

while (TRUE)
{
	NtReadFile(hKeyBoard, hEvent, NULL, NULL, &Iosb, &kbData, sizeof(KEYBOARD_INPUT_DATA), &ByteOffset, NULL);
	NtWaitForSingleObject(hEvent, TRUE, NULL);

	if (kbData.MakeCode == 0x01)    // if ESC pressed
	{
			break;
	}
}

All that is needed is to call NtReadFile on the opened device and wait for the keyboard to return a key press to us. If the pressed key is ESC, we carry on. To open the device we call NtCreateFile (we need to open \Device\KeyboardClass0). We also call NtCreateEvent to initialize the object we will wait on. The KEYBOARD_INPUT_DATA structure, which represents the keyboard data, we declare ourselves; this makes our work easier.
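As an added example (not code from the original post), here is a portable C version of the loop's decision logic that also handles two things the snippet above glosses over: the Flags word distinguishes a key press (KEY_MAKE) from a release (KEY_BREAK) and marks E0/E1-prefixed keys, and a single read may return several packets when the buffer is larger than one structure (Iosb.Information gives the byte count). The typedef stand-ins and the sample packets are constructed assumptions so that the code compiles without the DDK.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Stand-ins for the Windows typedefs so this compiles anywhere (assumption). */
typedef uint16_t USHORT;
typedef uint32_t ULONG;

typedef struct _KEYBOARD_INPUT_DATA {
    USHORT UnitId;
    USHORT MakeCode;
    USHORT Flags;
    USHORT Reserved;
    ULONG  ExtraInformation;
} KEYBOARD_INPUT_DATA;

/* Flag bits of KEYBOARD_INPUT_DATA.Flags as defined in ntddkbd.h. */
#define KEY_MAKE  0   /* key pressed */
#define KEY_BREAK 1   /* key released */
#define KEY_E0    2   /* E0-prefixed (extended) key */
#define KEY_E1    4   /* E1-prefixed key (Pause) */

#define SCANCODE_ESC 0x01

/* A packet is an ESC release only if MakeCode is 0x01, the BREAK bit is set and no
   E0/E1 prefix is present (prefixed keys reuse MakeCode values of plain keys). */
bool is_esc_release(const KEYBOARD_INPUT_DATA *k)
{
    return k->MakeCode == SCANCODE_ESC
        && (k->Flags & KEY_BREAK) != 0
        && (k->Flags & (KEY_E0 | KEY_E1)) == 0;
}

/* Walk the buffer NtReadFile filled: bytes_returned is Iosb.Information and may
   cover several packets. Returns the index of the first ESC release, or -1. */
int find_esc_release(const KEYBOARD_INPUT_DATA *buf, size_t bytes_returned)
{
    size_t count = bytes_returned / sizeof(KEYBOARD_INPUT_DATA); /* drop a partial tail */
    for (size_t i = 0; i < count; i++)
        if (is_esc_release(&buf[i])) return (int)i;
    return -1;
}

/* Constructed sample read: 'A' make, 'A' break, ESC make, ESC break (scan code set 1). */
static const KEYBOARD_INPUT_DATA SAMPLE_READ[] = {
    { 0, 0x1E, KEY_MAKE,  0, 0 },
    { 0, 0x1E, KEY_BREAK, 0, 0 },
    { 0, 0x01, KEY_MAKE,  0, 0 },
    { 0, 0x01, KEY_BREAK, 0, 0 },
};
```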

The native application ends with a call to NtTerminateProcess, because we simply kill our own process.

The complete code of our small application:

#include "ntifs.h" // WinDDK\7600.16385.1\inc\ddk
#include "ntdef.h"

//------------------------------------
// Following function definitions can be found in native development kit
// but I am too lazy to include 'em so I declare them here
//------------------------------------

NTSYSAPI
NTSTATUS
NTAPI
NtTerminateProcess(
  IN HANDLE               ProcessHandle OPTIONAL,
  IN NTSTATUS             ExitStatus
);

NTSYSAPI 
NTSTATUS
NTAPI
NtDisplayString(
	IN PUNICODE_STRING String
);

NTSYSAPI
NTSTATUS 
NTAPI
NtWaitForSingleObject(
  IN HANDLE         Handle,
  IN BOOLEAN        Alertable,
  IN PLARGE_INTEGER Timeout
);

NTSYSAPI 
NTSTATUS
NTAPI
NtCreateEvent(
    OUT PHANDLE             EventHandle,
    IN ACCESS_MASK          DesiredAccess,
    IN POBJECT_ATTRIBUTES   ObjectAttributes OPTIONAL,
    IN EVENT_TYPE           EventType,
    IN BOOLEAN              InitialState
);



// https://docs.microsoft.com/en-us/windows/win32/api/ntddkbd/ns-ntddkbd-keyboard_input_data
typedef struct _KEYBOARD_INPUT_DATA {
  USHORT UnitId;
  USHORT MakeCode;
  USHORT Flags;
  USHORT Reserved;
  ULONG  ExtraInformation;
} KEYBOARD_INPUT_DATA, *PKEYBOARD_INPUT_DATA;

//----------------------------------------------------------
// Our code goes here
//----------------------------------------------------------

// usage: WriteLn(L"Hello Native World!\n");
void WriteLn(LPWSTR Message)
{
    UNICODE_STRING string;
    RtlInitUnicodeString(&string, Message);
    NtDisplayString(&string);
}

void NtProcessStartup(void* StartupArgument)
{
	// it is important to declare all variables at the beginning
	HANDLE hKeyBoard, hEvent;
	UNICODE_STRING skull, keyboard;
	OBJECT_ATTRIBUTES ObjectAttributes;
	IO_STATUS_BLOCK Iosb;
	LARGE_INTEGER ByteOffset;
	KEYBOARD_INPUT_DATA kbData;
	
	PVOID memory = NULL;
	PVOID buffer = NULL;
	ULONG bufferSize = 42;

	//use it if debugger connected to break
	//DbgBreakPoint();

	WriteLn(L"Hello Native World!\n");

	// initialize variables
	RtlInitUnicodeString(&keyboard, L"\\Device\\KeyboardClass0");
	InitializeObjectAttributes(&ObjectAttributes, &keyboard, OBJ_CASE_INSENSITIVE, NULL, NULL);
	ByteOffset.QuadPart = 0;   // the device ignores the offset, but it must not be uninitialized

	// open keyboard device
	NtCreateFile(&hKeyBoard,
				SYNCHRONIZE | GENERIC_READ | FILE_READ_ATTRIBUTES,
				&ObjectAttributes,
				&Iosb,
				NULL,
				FILE_ATTRIBUTE_NORMAL,
				0,
				FILE_OPEN,FILE_DIRECTORY_FILE,
				NULL, 0);

	// create event to wait on
	InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
	NtCreateEvent(&hEvent, EVENT_ALL_ACCESS, &ObjectAttributes, 1, 0);
	
	WriteLn(L"Keyboard ready\n");
	
	// create heap in order to allocate memory later
	memory = RtlCreateHeap(
	  HEAP_GROWABLE, 
	  NULL, 
	  1000, 
	  0, NULL, NULL
	);
	
	WriteLn(L"Heap ready\n");

	// allocate buffer of size bufferSize
	buffer = RtlAllocateHeap(
	  memory, 
	  HEAP_ZERO_MEMORY, 
	  bufferSize
	);
	
	WriteLn(L"Buffer allocated\n");

	// free buffer (actually not needed because we destroy heap in next step)
	RtlFreeHeap(memory, 0, buffer);

	RtlDestroyHeap(memory);
	
	WriteLn(L"Heap destroyed\n");
	
	WriteLn(L"Press ESC to continue...\n");

	while (TRUE)
	{
		NtReadFile(hKeyBoard, hEvent, NULL, NULL, &Iosb, &kbData, sizeof(KEYBOARD_INPUT_DATA), &ByteOffset, NULL);
		NtWaitForSingleObject(hEvent, TRUE, NULL);

		if (kbData.MakeCode == 0x01)    // if ESC pressed
		{
				break;
		}
	}

	NtTerminateProcess(NtCurrentProcess(), 0);
}

PS: We can easily use the DbgBreakPoint() function in our code to break into the debugger. True, for that you need to attach WinDbg to the virtual machine for kernel debugging. Instructions on how to do that can be found here, or simply use VirtualKD.

Compilation and build

The easiest way to build a native application is to use the DDK (Driver Development Kit). We need the old seventh version, because later versions take a slightly different approach and are tightly integrated with Visual Studio. With the DDK, our project only needs a Makefile and a sources file.

Makefile

!INCLUDE $(NTMAKEENV)\makefile.def

sources:

TARGETNAME			= MyNative
TARGETTYPE			= PROGRAM
UMTYPE				= nt
BUFFER_OVERFLOW_CHECKS 		= 0
MINWIN_SDK_LIB_PATH		= $(SDK_LIB_PATH)
SOURCES 			= source.c

INCLUDES 			= $(DDK_INC_PATH); \
				  C:\WinDDK\7600.16385.1\ndk;

TARGETLIBS 			= $(DDK_LIB_PATH)\ntdll.lib \
				  $(DDK_LIB_PATH)\nt.lib

USE_NTDLL			= 1

The Makefile is always the same, but the sources file deserves a closer look. This file lists the sources of your program (.c files), the build options and other parameters.

  • TARGETNAME – the name of the resulting executable file.
  • TARGETTYPE – the type of the resulting file: for a driver (.sys) the value is DRIVER, for a library (.lib) it is LIBRARY. In our case we want an executable (.exe), so we set the value to PROGRAM.
  • UMTYPE – possible values for this field are console for a console application and windows for a windowed application. To get a native application we must specify nt.
  • BUFFER_OVERFLOW_CHECKS – checking the stack for buffer overflows; since we do not have that here, we turn it off.
  • MINWIN_SDK_LIB_PATH – this value refers to the SDK_LIB_PATH variable; don't worry that you have not defined such a system variable: when we run the build from the DDK environment, this variable will be defined and will point to the right libraries.
  • SOURCES – the list of source files of your program.
  • INCLUDES – the header files needed for the build. Here the path to the files that ship with the DDK is given, but you can specify others.
  • TARGETLIBS – the list of libraries to link against.
  • USE_NTDLL is a required field that must be set to 1, for obvious reasons.
  • USER_C_FLAGS – flags you can use in preprocessor directives when preparing the application code.

Now, to build, you need to run the x86 (or x64) Checked Build environment, change the working directory to the project folder and run the build command. The result, as the screenshot shows, is a single executable file.


This file cannot simply be launched: the system complains and leaves us to puzzle over its behaviour with the following error:


How do you launch a native application?

When autochk starts, the launch order of programs is determined by the value of the registry key:

HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute

The session manager executes the programs from this list one by one, looking for the executables in the system32 directory. The format of the registry value is as follows (it is a multi-string value; each entry is a separate string):

autocheck autochk *
MyNative

The value must be stored in hexadecimal form rather than as plain ASCII, so the value shown above looks like this in that format:

61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,4d,79,4e,61,74,69,76,65,00,00

To convert the string you can use an online service, for example this one.

So it appears that to launch a native application we need to:

  1. Copy the executable to the system32 folder
  2. Add the key to the registry
  3. Reboot the machine

For convenience, here is a ready-made script for installing a native application:

install.bat

@echo off
copy MyNative.exe %systemroot%\system32\
regedit /s add.reg
echo Native Example Installed
pause

add.reg

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,4d,79,4e,61,74,69,76,65,00,00
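Because BootExecute is a REG_MULTI_SZ that the .reg file has to carry as hex(7) bytes, here is an added example (not the article's code) that encodes a list of entries into that notation and decodes it back; the decoder is also what you would use to audit an exported Session Manager key and list what runs at boot. The sample entries are the two from the article and are embedded as a constructed constant.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed sample: the two entries of the article's BootExecute value. */
static const char *const BOOT_EXECUTE[] = { "autocheck autochk *", "MyNative" };

/* Encode a REG_MULTI_SZ (ANSI strings, REGEDIT4 style) as "hex(7):xx,xx,...".
   Each entry is followed by one NUL byte and the whole list by one more. */
char *multi_sz_to_hex7(const char *const *items, size_t count)
{
    size_t bytes = 1;                                    /* final list terminator */
    for (size_t i = 0; i < count; i++) bytes += strlen(items[i]) + 1;
    char *out = malloc(7 + bytes * 3 + 1);               /* "hex(7):" + "xx," per byte */
    if (!out) return NULL;
    char *p = out + sprintf(out, "hex(7):");
    size_t n = 0;
    for (size_t i = 0; i < count; i++)
        for (size_t j = 0; j <= strlen(items[i]); j++)   /* <= also copies the NUL */
            p += sprintf(p, "%s%02x", n++ ? "," : "", (unsigned char)items[i][j]);
    sprintf(p, "%s00", n ? "," : "");
    return out;
}

/* Decode "hex(7):..." back into entries (regedit's ",\<newline>  " line wrapping is
   skipped). Fills out[] with malloc'ed copies (at most max_out) and returns the
   entry count, or -1 on malformed input. */
int hex7_to_multi_sz(const char *hex, char **out, size_t max_out)
{
    unsigned char buf[1024]; size_t n = 0;
    if (strncmp(hex, "hex(7):", 7) != 0) return -1;
    for (const char *p = hex + 7; *p; ) {
        if (strchr(" \\\r\n", *p)) { p++; continue; }
        char *end;
        long v = strtol(p, &end, 16);
        if (end != p + 2 || n == sizeof buf) return -1;  /* exactly two hex digits */
        buf[n++] = (unsigned char)v;
        p = end;
        if (*p == ',') p++; else if (*p) return -1;
    }
    int count = 0;
    for (size_t start = 0, i = 0; i < n; i++) {
        if (buf[i] != 0) continue;
        if (i == start) break;                           /* empty string ends the list */
        if ((size_t)count < max_out) {
            out[count] = malloc(i - start + 1);
            memcpy(out[count], buf + start, i - start + 1);
        }
        count++; start = i + 1;
    }
    return count;
}
```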

After installation and a reboot, even before the user selection screen appears, we get the following picture:


Result

Using this small application as an example, we have verified that it is possible to run an application at the native level of Windows. Next, together with the people from Innopolis University, we will continue building a service that starts interacting with the driver earlier than the previous stage of our project did. And once the win32 framework is up, it will be right to hand control over to an already fully developed service (more on that here).

In the next article we will touch on another component of the Active Restore service, namely the UEFI driver. Subscribe to our blog so you don't miss the next post.

Source: will.com
