Today, together with the students of Innopolis University, we continue the story of the Active Restore project. This time we will talk about native Windows applications, and you will also get a step-by-step account of how we wrote our own.
For those who missed the earlier posts, the idea of Active Restore in short:
- the system is brought back to a working state starting from the very beginning of its life, as early as possible, even before it has fully booted;
- the files the user needs first are restored first;
- the user can start working as early as possible.

What is a native application?
Before answering that, let's look at what happens when an ordinary program calls a system function, that is, the chain of calls it goes through inside the system:
Pavel Yosifovich - Windows Kernel Programming (2019)
An ordinary program calls functions from kernel32. Native applications skip that layer and call ntdll directly; kernel32 itself is implemented on top of ntdll, so everything it does ends up there anyway. A program that uses only native functions therefore does not depend on the Win32 layer at all.
That is exactly why Windows native applications can be started while Windows is still booting, before the Win32 subsystem is up. A well-known example is autochk, the disk check that runs at boot. Our application, too, will use only functions exported by ntdll. Let's see what it takes to write one.
What do we need?
- DDK (Driver Development Kit), also known as WDK 7 (Windows Driver Kit), and its build environment; our target is Windows 7 x64.
- A virtual machine to run the result on. A native application that misbehaves at boot can leave the system unbootable, so do not experiment on your working machine.
- The header files for the native API, which we will come back to when we look at the code.
Now let's get to the code.
Let's write a simple native application that does the following:
- prints a line of text to the screen;
- allocates memory;
- opens the keyboard and waits for a key;
- frees the memory it used.
Native applications do not have the usual main or WinMain entry point. Instead, the loader calls a function named NtProcessStartup, and that is where our program begins.
To print a line to the screen we use NtDisplayString, which takes a UNICODE_STRING rather than a plain wide string. We wrap it in a small helper so the rest of the code stays readable:
// usage: WriteLn(L"Here is my text\n");
void WriteLn(LPWSTR Message)
{
    UNICODE_STRING string;
    // build the counted string that the native API expects
    RtlInitUnicodeString(&string, Message);
    NtDisplayString(&string);
}
Memory is next. With only ntdll at hand there is no operator new (that is C++ and its runtime) and no malloc (that is the C runtime library), so neither can be used. We could get by with the stack, but we want to show how a native application obtains heap memory: first we create our own heap, then allocate a buffer from it, and free it when we are done.
The functions used for this are the following:
PVOID memory = NULL;
PVOID buffer = NULL;
ULONG bufferSize = 42;
// create heap in order to allocate memory later
memory = RtlCreateHeap(
    HEAP_GROWABLE,
    NULL,
    1000,
    0, NULL, NULL
);
// allocate buffer of size bufferSize
buffer = RtlAllocateHeap(
    memory,
    HEAP_ZERO_MEMORY,
    bufferSize
);
// free buffer (actually not needed because we destroy heap in next step)
RtlFreeHeap(memory, 0, buffer);
RtlDestroyHeap(memory);
Opening the keyboard and reading from it is done like this:
// https://docs.microsoft.com/en-us/windows/win32/api/ntddkbd/ns-ntddkbd-keyboard_input_data
typedef struct _KEYBOARD_INPUT_DATA {
    USHORT UnitId;
    USHORT MakeCode;
    USHORT Flags;
    USHORT Reserved;
    ULONG ExtraInformation;
} KEYBOARD_INPUT_DATA, *PKEYBOARD_INPUT_DATA;
//...
HANDLE hKeyBoard, hEvent;
UNICODE_STRING keyboard;
OBJECT_ATTRIBUTES ObjectAttributes;
IO_STATUS_BLOCK Iosb;
LARGE_INTEGER ByteOffset;
KEYBOARD_INPUT_DATA kbData;
// initialize variables
ByteOffset.QuadPart = 0; // reads from the keyboard device start at offset 0
RtlInitUnicodeString(&keyboard, L"\\Device\\KeyboardClass0");
InitializeObjectAttributes(&ObjectAttributes, &keyboard, OBJ_CASE_INSENSITIVE, NULL, NULL);
// open keyboard device
NtCreateFile(&hKeyBoard,
    SYNCHRONIZE | GENERIC_READ | FILE_READ_ATTRIBUTES,
    &ObjectAttributes,
    &Iosb,
    NULL,
    FILE_ATTRIBUTE_NORMAL,
    0,
    FILE_OPEN, FILE_DIRECTORY_FILE,
    NULL, 0);
// create event to wait on (1 = SynchronizationEvent, initially not signaled)
InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
NtCreateEvent(&hEvent, EVENT_ALL_ACCESS, &ObjectAttributes, 1, 0);
while (TRUE)
{
    // read one keyboard record; the event is signaled when the read completes
    NtReadFile(hKeyBoard, hEvent, NULL, NULL, &Iosb, &kbData, sizeof(KEYBOARD_INPUT_DATA), &ByteOffset, NULL);
    NtWaitForSingleObject(hEvent, TRUE, NULL);
    if (kbData.MakeCode == 0x01) // if ESC pressed
    {
        break;
    }
}
Here we read one KEYBOARD_INPUT_DATA record at a time: NtReadFile starts the read with an event attached, NtWaitForSingleObject waits until it completes, and the MakeCode field holds the scan code of the key; 0x01 is ESC. Finally, a native application has to end by calling NtTerminateProcess itself, since there is no runtime to return to. Here is the complete source of our application:
#include "ntifs.h" // C:\WinDDK\7600.16385.1\inc\ddk
#include "ntdef.h"
//------------------------------------
// The following function declarations can be found in the native development kit,
// but I am too lazy to include 'em, so I declare them here
//------------------------------------
NTSYSAPI
NTSTATUS
NTAPI
NtTerminateProcess(
    IN HANDLE ProcessHandle OPTIONAL,
    IN NTSTATUS ExitStatus
);
NTSYSAPI
NTSTATUS
NTAPI
NtDisplayString(
    IN PUNICODE_STRING String
);
// NTAPI (stdcall) matters: on x86 a declaration without it would use the wrong
// calling convention and corrupt the stack on return
NTSYSAPI
NTSTATUS
NTAPI
NtWaitForSingleObject(
    IN HANDLE Handle,
    IN BOOLEAN Alertable,
    IN PLARGE_INTEGER Timeout
);
NTSYSAPI
NTSTATUS
NTAPI
NtCreateEvent(
    OUT PHANDLE EventHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
    IN EVENT_TYPE EventType,
    IN BOOLEAN InitialState
);
// https://docs.microsoft.com/en-us/windows/win32/api/ntddkbd/ns-ntddkbd-keyboard_input_data
typedef struct _KEYBOARD_INPUT_DATA {
    USHORT UnitId;
    USHORT MakeCode;
    USHORT Flags;
    USHORT Reserved;
    ULONG ExtraInformation;
} KEYBOARD_INPUT_DATA, *PKEYBOARD_INPUT_DATA;
//----------------------------------------------------------
// Our code goes here
//----------------------------------------------------------
// usage: WriteLn(L"Hello Native World!\n");
void WriteLn(LPWSTR Message)
{
    UNICODE_STRING string;
    RtlInitUnicodeString(&string, Message);
    NtDisplayString(&string);
}
// entry point of a native application: called by the loader instead of main/WinMain
void NtProcessStartup(void* StartupArgument)
{
    // it is important to declare all variables at the beginning
    HANDLE hKeyBoard, hEvent;
    UNICODE_STRING keyboard;
    OBJECT_ATTRIBUTES ObjectAttributes;
    IO_STATUS_BLOCK Iosb;
    LARGE_INTEGER ByteOffset;
    KEYBOARD_INPUT_DATA kbData;
    PVOID memory = NULL;
    PVOID buffer = NULL;
    ULONG bufferSize = 42;
    // use it to break into the debugger if one is connected
    //DbgBreakPoint();
    WriteLn(L"Hello Native World!\n");
    // initialize variables
    ByteOffset.QuadPart = 0; // reads from the keyboard device start at offset 0
    RtlInitUnicodeString(&keyboard, L"\\Device\\KeyboardClass0");
    InitializeObjectAttributes(&ObjectAttributes, &keyboard, OBJ_CASE_INSENSITIVE, NULL, NULL);
    // open keyboard device
    NtCreateFile(&hKeyBoard,
        SYNCHRONIZE | GENERIC_READ | FILE_READ_ATTRIBUTES,
        &ObjectAttributes,
        &Iosb,
        NULL,
        FILE_ATTRIBUTE_NORMAL,
        0,
        FILE_OPEN, FILE_DIRECTORY_FILE,
        NULL, 0);
    // create event to wait on (1 = SynchronizationEvent, initially not signaled)
    InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
    NtCreateEvent(&hEvent, EVENT_ALL_ACCESS, &ObjectAttributes, 1, 0);
    WriteLn(L"Keyboard ready\n");
    // create heap in order to allocate memory later
    memory = RtlCreateHeap(
        HEAP_GROWABLE,
        NULL,
        1000,
        0, NULL, NULL
    );
    WriteLn(L"Heap ready\n");
    // allocate buffer of size bufferSize
    buffer = RtlAllocateHeap(
        memory,
        HEAP_ZERO_MEMORY,
        bufferSize
    );
    WriteLn(L"Buffer allocated\n");
    // free buffer (actually not needed because we destroy heap in next step)
    RtlFreeHeap(memory, 0, buffer);
    RtlDestroyHeap(memory);
    WriteLn(L"Heap destroyed\n");
    WriteLn(L"Press ESC to continue...\n");
    while (TRUE)
    {
        // read one keyboard record; the event is signaled when the read completes
        NtReadFile(hKeyBoard, hEvent, NULL, NULL, &Iosb, &kbData, sizeof(KEYBOARD_INPUT_DATA), &ByteOffset, NULL);
        NtWaitForSingleObject(hEvent, TRUE, NULL);
        if (kbData.MakeCode == 0x01) // if ESC pressed
        {
            break;
        }
    }
    // there is no runtime to return to, so the process must terminate itself
    NtTerminateProcess(NtCurrentProcess(), 0);
}
PS: If you want to step through the code while it runs, uncomment the DbgBreakPoint() call: it drops into the debugger if one is attached. That requires kernel debugging with WinDbg connected to the virtual machine, which we will not cover here; there are plenty of guides on setting it up.
Building and installing
A native application is built with the DDK's own build environment rather than with a regular IDE project. The project folder needs two files. The makefile is the standard one-liner:
!INCLUDE $(NTMAKEENV)\makefile.def
And the sources file:
TARGETNAME = MyNative
TARGETTYPE = PROGRAM
UMTYPE = nt
BUFFER_OVERFLOW_CHECKS = 0
MINWIN_SDK_LIB_PATH = $(SDK_LIB_PATH)
SOURCES = source.c
INCLUDES = $(DDK_INC_PATH); \
           C:\WinDDK\7600.16385.1\ndk;
TARGETLIBS = $(DDK_LIB_PATH)\ntdll.lib \
             $(DDK_LIB_PATH)\nt.lib
USE_NTDLL = 1
This file tells the build environment everything it needs to know: which source files (.c files) make up the program, how to build it, and a few extra options. Here is what each variable means:
- TARGETNAME: the name of the executable file that will be produced.
- TARGETTYPE: the kind of file to build. For a driver (.sys) this would be DRIVER, for a static library (.lib) it would be LIBRARY; in our case the result is an executable file (.exe), so the type is PROGRAM.
- UMTYPE: the user-mode subsystem the program is built for. Possible values include windows for a windowed application and console for a console program; for our native example it has to be nt.
- BUFFER_OVERFLOW_CHECKS: enables the compiler's buffer overflow checks. Unfortunately they do not work in our case (they rely on runtime support that a native application does not have), so we turn them off.
- MINWIN_SDK_LIB_PATH: here we point this variable at SDK_LIB_PATH. Without it the build fails, because the path the DDK sets by default does not contain the libraries we link against; with it the linker finds them.
- SOURCES: the list of source files.
- INCLUDES: the directories where the compiler looks for header files. Here these are the DDK's own include path and a second folder holding the native API headers that the DDK does not ship.
- TARGETLIBS: the libraries we link against.
- USE_NTDLL: set to 1, this tells the build to link against ntdll rather than the usual runtime libraries; for a native application it is mandatory.
- USER_C_FLAGS: extra compiler flags to use when compiling the program, if you need any. We do not use it here.
To build the project, open the x86 (or x64) Checked Build Environment that comes with the DDK, change to the project folder and run the build command. If everything goes well, the output folder will contain our executable.
Do not try to launch the result by hand: started from the ordinary Windows shell it only produces an error, because a native application is not a Win32 program and cannot be run like one.
How do we run a native application?
Remember autochk? The programs that run in the startup sequence are listed in the registry under the following key and value:
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
At boot, Session Manager reads this value and runs the programs listed in it one by one, looking for their executables in the system32 directory. By default the only entry is autocheck autochk *; after adding our program the value contains two entries:
autocheck autochk *
MyNative
The value is a REG_MULTI_SZ, and in a .reg file it is written as hexadecimal ASCII bytes, each string terminated by 00 and the whole list by an extra 00. With our program added it looks like this:
61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,4d,79,4e,61,74,69,76,65,00,00
Changing this one registry value is all the system needs; nothing else has to be modified. Installing our program therefore comes down to three steps:
- copy the built executable into system32;
- add the registry entry;
- reboot the machine.
To make this convenient, here is a small script that installs the native application, together with the .reg file it imports:
install.bat
@echo off
copy MyNative.exe %systemroot%\system32\.
regedit /s add.reg
echo Native Example Installed
pause
add.reg
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,4d,79,4e,61,74,69,76,65,00,00
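As an added example (my own code, not part of the original post and not something the project ships), here is a small portable C program that decodes a hex(7) BootExecute value like the one in add.reg back into its REG_MULTI_SZ entries, so you can verify exactly which programs Session Manager will run before you import a .reg file or when you audit this key; the sample value is the one from add.reg, and decode_hex7, split_multi_sz and boot_execute_runs are my own names.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed sample: the BootExecute value from add.reg above. REGEDIT4 stores REG_MULTI_SZ
 * as hex(7): one byte per character, 00 after each string, plus a final 00 closing the list. */
static const char *kBootExecuteHex =
    "61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,"
    "4d,79,4e,61,74,69,76,65,00,00";

/* Decode a comma-separated hex(7) string into bytes; -1 on malformed input. */
static int decode_hex7(const char *hex, unsigned char *out, size_t cap) {
    size_t n = 0;
    while (*hex) {
        char *end;
        long v = strtol(hex, &end, 16);
        if (end - hex != 2 || v < 0 || v > 255 || n >= cap) return -1;
        out[n++] = (unsigned char)v;
        hex = end;
        if (*hex == ',') hex++;      /* separator between bytes */
        else if (*hex) return -1;    /* anything else is malformed */
    }
    return (int)n;
}

/* Split a REG_MULTI_SZ buffer into its strings. Returns the entry count, or -1 if
 * the closing empty string is missing (a typical mistake when editing by hand). */
static int split_multi_sz(const unsigned char *buf, int len, const char **items, int max) {
    int count = 0, pos = 0;
    while (pos < len) {
        const unsigned char *nul = memchr(buf + pos, 0, (size_t)(len - pos));
        if (!nul) return -1;                 /* unterminated string */
        if (nul == buf + pos) return count;  /* empty string closes the list */
        if (count >= max) return -1;
        items[count++] = (const char *)buf + pos;
        pos = (int)(nul - buf) + 1;
    }
    return -1;                               /* no closing 00 at all */
}

/* 1 if `program` is an entry Session Manager will run, 0 if not, -1 if the value
 * does not parse. Handy for checking what BootExecute really contains. */
int boot_execute_runs(const char *hex, const char *program) {
    unsigned char bytes[512];
    const char *items[32];
    int len = decode_hex7(hex, bytes, sizeof bytes);
    int n = len < 0 ? -1 : split_multi_sz(bytes, len, items, 32);
    if (n < 0) return -1;
    for (int i = 0; i < n; i++)
        if (strcmp(items[i], program) == 0) return 1;
    return 0;
}
```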
Build, install, reboot, and early in the boot process you should see the lines printed by our application; it then waits until you press ESC and lets Windows continue starting.
Result (screenshot in the original post)
That is all it takes to write, build and install a simple native Windows application. For the Active Restore project, which we are developing together with the students of Innopolis University, this is exactly the kind of code we need: it runs before the Win32 shell starts, when recovery has to begin but the usual Windows API is not yet available. In one of the next posts we will look at the other part of Active Restore, the UEFI driver. Thanks for reading, and see you next time.
source: www.habr.com