Windows Native Applications ndi Acronis Active Restore service

Today we continue the story of how we, together with the students from Innopolis University, are developing the Active Restore technology, whose goal is to let a user start working on their machine as soon as possible after a failure. This time we talk about native Windows applications: what they are, how they are created and how they are launched. Below the cut is a little about our project and a practical guide on writing native applications.


In previous posts we already described what Active Restore is and how the Innopolis students are developing the service. Today I want to focus on native applications, the level at which we want to "bury" our recovery service. If everything works out, we will be able to:

  • Start the service itself much earlier
  • Connect to the cloud where the backup is stored much earlier
  • Understand much earlier which mode the system is in, a normal boot or a recovery
  • Have far fewer files to restore in advance
  • Let the user start working faster

What is a native application?

To answer this question, let's look at the sequence of calls the system makes when, for example, an application developer tries to create a file.

Figure: the call chain from CreateFile down into the kernel (Pavel Yosifovich, Windows Kernel Programming, 2019)

The application developer calls CreateFile, which is declared in the header file fileapi.h and implemented in Kernel32.dll. However, this function does not create the file itself: it only validates the input arguments and calls NtCreateFile (the Nt prefix simply marks the function as native). That function is declared in the header file winternl.h and implemented in ntdll.dll. It prepares the transition into kernel space, after which the actual call that creates the file is made. In this case it is clear that Kernel32 is just a wrapper around Ntdll. One reason for this design is that Microsoft can change the native functions while leaving the public interfaces untouched. Microsoft does not recommend calling native functions directly and documents very few of them. By the way, the undocumented functions can be found here.

The main advantage of native applications is that ntdll is loaded into the system much earlier than kernel32. This is logical, because kernel32 needs ntdll in order to work. As a result, applications that use only native functions can start working much earlier.

So, Windows Native Applications are applications that can start at the very beginning of the Windows boot. They use only functions from ntdll. An example of such an application is autochk, which runs the chkdsk utility to check the disk for errors before the main services start. This is the level at which we want our Active Restore to live.

What do we need?

  • DDK (Driver Development Kit), now also known as WDK 7 (Windows Driver Kit)
  • A real machine (for example, Windows 7 x64)
  • Optional, but the header files that can be downloaded here may help

What is in the code?

Let's experiment a little and, as an example, write a small application that:

  1. Displays a message on the screen
  2. Allocates some memory
  3. Waits for keyboard input
  4. Frees the allocated memory

In native applications the entry point is not main or winmain but the NtProcessStartup function, because we are starting a new process directly.

Let's begin with displaying a message on the screen. For this we have the native function NtDisplayString, which takes a pointer to a UNICODE_STRING object as its argument. RtlInitUnicodeString helps us initialize it. As a result, to output text to the screen we can write this small function:

// usage: WriteLn(L"Here is my text\n");
void WriteLn(LPWSTR Message)
{
    UNICODE_STRING string;
    RtlInitUnicodeString(&string, Message);   // wrap the wide string in a UNICODE_STRING
    NtDisplayString(&string);                 // native console output, no kernel32 needed
}

Since only the functions from ntdll are available to us and no other libraries are loaded yet, we run into the question of how to allocate memory. There is no new operator (it comes from the far higher-level world of C++), and there is no malloc either (it needs the C runtime library). Of course, you can get by with the stack alone. But if we need to allocate memory dynamically, we have to do it on the heap. So let's create our own heap and allocate memory from it whenever we need to.

The RtlCreateHeap function is the right tool for this. Then, using RtlAllocateHeap and RtlFreeHeap, we will have memory whenever we need it.

PVOID memory = NULL;
PVOID buffer = NULL;
ULONG bufferSize = 42;

// create heap in order to allocate memory later
memory = RtlCreateHeap(
  HEAP_GROWABLE, 
  NULL, 
  1000, 
  0, NULL, NULL
);

// allocate buffer of size bufferSize
buffer = RtlAllocateHeap(
  memory, 
  HEAP_ZERO_MEMORY, 
  bufferSize
);

// free buffer (actually not needed because we destroy heap in next step)
RtlFreeHeap(memory, 0, buffer);

RtlDestroyHeap(memory);

Let's move on to waiting for keyboard input.

// https://docs.microsoft.com/en-us/windows/win32/api/ntddkbd/ns-ntddkbd-keyboard_input_data
typedef struct _KEYBOARD_INPUT_DATA {
  USHORT UnitId;
  USHORT MakeCode;
  USHORT Flags;
  USHORT Reserved;
  ULONG  ExtraInformation;
} KEYBOARD_INPUT_DATA, *PKEYBOARD_INPUT_DATA;

#define KEY_BREAK 1   // Flags bit set when the key is released (value from ntddkbd.h)

//...

HANDLE hKeyBoard, hEvent;
UNICODE_STRING keyboard;
OBJECT_ATTRIBUTES ObjectAttributes;
IO_STATUS_BLOCK Iosb;
LARGE_INTEGER ByteOffset;
KEYBOARD_INPUT_DATA kbData;
NTSTATUS status;

// initialize variables (this is an NT object manager path, hence the leading backslash)
RtlInitUnicodeString(&keyboard, L"\\Device\\KeyboardClass0");
InitializeObjectAttributes(&ObjectAttributes, &keyboard, OBJ_CASE_INSENSITIVE, NULL, NULL);
ByteOffset.QuadPart = 0;

// open keyboard device
status = NtCreateFile(&hKeyBoard,
			SYNCHRONIZE | GENERIC_READ | FILE_READ_ATTRIBUTES,
			&ObjectAttributes,
			&Iosb,
			NULL,
			FILE_ATTRIBUTE_NORMAL,
			0,
			FILE_OPEN, FILE_DIRECTORY_FILE,
			NULL, 0);
if (!NT_SUCCESS(status))
{
	// no keyboard handle means nothing to wait on, so stop here
	NtTerminateProcess(NtCurrentProcess(), status);
}

// create event to wait on (synchronization event, initially not signalled)
InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
NtCreateEvent(&hEvent, EVENT_ALL_ACCESS, &ObjectAttributes, SynchronizationEvent, FALSE);

while (TRUE)
{
	NtReadFile(hKeyBoard, hEvent, NULL, NULL, &Iosb, &kbData, sizeof(KEYBOARD_INPUT_DATA), &ByteOffset, NULL);
	NtWaitForSingleObject(hEvent, FALSE, NULL);   // non-alertable: return only when the read completed

	// ESC has make code 0x01; both the press and the later release are delivered,
	// so react only to the press (KEY_BREAK flag clear)
	if (kbData.MakeCode == 0x01 && !(kbData.Flags & KEY_BREAK))
	{
		break;
	}
}

All we need is to call NtReadFile on the opened device and wait until the keyboard returns a keystroke to us. If the ESC key was pressed, we leave the loop and carry on. To open the device we call NtCreateFile (the object we open is \Device\KeyboardClass0). We also call NtCreateEvent to create an object to wait on. We declare KEYBOARD_INPUT_DATA, the structure that represents a keyboard record, ourselves. This keeps our function simple.

The startup function ends with a call to NtTerminateProcess, because we are simply terminating our own process.

The full code of our little program:
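The records the class driver returns carry more than a make code: the Flags field distinguishes a key press from its release and marks extended (E0/E1-prefixed) keys, so a loop that tests MakeCode alone reacts twice per keystroke. The following portable C example, added here and not part of the original article, replays a constructed sequence of KEYBOARD_INPUT_DATA records through that check; the struct and flag values are copied from ntddkbd.h, the sample records are constructed for the example, and find_esc_press is an assumed helper that stands in for the read loop.

```c
#include <stdint.h>
#include <stddef.h>

/* Portable copy of the record layout from ntddkbd.h. On Windows the fields are
 * USHORT/ULONG; fixed-width types are used so the example compiles anywhere. */
typedef struct {
    uint16_t UnitId;
    uint16_t MakeCode;
    uint16_t Flags;
    uint16_t Reserved;
    uint32_t ExtraInformation;
} KEYBOARD_INPUT_DATA;

/* Flag values as defined in ntddkbd.h */
#define KEY_MAKE  0   /* key pressed */
#define KEY_BREAK 1   /* key released */
#define KEY_E0    2   /* extended-key prefix (right Ctrl, arrow keys, ...) */
#define KEY_E1    4   /* Pause/Break prefix */

#define SCANCODE_ESC 0x01

/* Returns 1 only for the press of the plain ESC key. The release arrives as a
 * second record with KEY_BREAK set, and extended keys reuse low make codes with
 * an E0/E1 prefix, so MakeCode alone is ambiguous. */
int is_esc_press(const KEYBOARD_INPUT_DATA *k)
{
    if (k->MakeCode != SCANCODE_ESC) return 0;
    if (k->Flags & (KEY_BREAK | KEY_E0 | KEY_E1)) return 0;
    return 1;
}

/* Stand-in for the read loop: walks a captured sequence of records and returns
 * the index of the record that would end the loop, or -1 if none does. */
int find_esc_press(const KEYBOARD_INPUT_DATA *events, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (is_esc_press(&events[i])) return (int)i;
    return -1;
}

/* Constructed sample: 'A' pressed and released, a stale ESC release, then the
 * ESC press. Only the last record should end the loop. */
static const KEYBOARD_INPUT_DATA sample_events[] = {
    {0, 0x1E, KEY_MAKE,  0, 0},   /* 'A' down */
    {0, 0x1E, KEY_BREAK, 0, 0},   /* 'A' up   */
    {0, 0x01, KEY_BREAK, 0, 0},   /* ESC up   */
    {0, 0x01, KEY_MAKE,  0, 0},   /* ESC down */
};
const size_t sample_event_count = sizeof sample_events / sizeof sample_events[0];

/* Index of the record that ends the loop for the sample above (expected: 3). */
int sample_esc_index(void)
{
    return find_esc_press(sample_events, sample_event_count);
}
```

The same check can be dropped into the NtReadFile loop on Windows unchanged, since the field names match the real structure.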

#include "ntifs.h" // from WinDDK\7600.16385.1\inc\ddk
#include "ntdef.h"

//------------------------------------
// Following function definitions can be found in native development kit
// but I am too lazy to include `em so I declare it here
//------------------------------------

NTSYSAPI
NTSTATUS
NTAPI
NtTerminateProcess(
  IN HANDLE               ProcessHandle OPTIONAL,
  IN NTSTATUS             ExitStatus
);

NTSYSAPI
NTSTATUS
NTAPI
NtDisplayString(
	IN PUNICODE_STRING String
);

NTSYSAPI
NTSTATUS
NTAPI
NtWaitForSingleObject(
  IN HANDLE         Handle,
  IN BOOLEAN        Alertable,
  IN PLARGE_INTEGER Timeout
);

NTSYSAPI
NTSTATUS
NTAPI
NtCreateEvent(
    OUT PHANDLE             EventHandle,
    IN ACCESS_MASK          DesiredAccess,
    IN POBJECT_ATTRIBUTES   ObjectAttributes OPTIONAL,
    IN EVENT_TYPE           EventType,
    IN BOOLEAN              InitialState
);

// https://docs.microsoft.com/en-us/windows/win32/api/ntddkbd/ns-ntddkbd-keyboard_input_data
typedef struct _KEYBOARD_INPUT_DATA {
  USHORT UnitId;
  USHORT MakeCode;
  USHORT Flags;
  USHORT Reserved;
  ULONG  ExtraInformation;
} KEYBOARD_INPUT_DATA, *PKEYBOARD_INPUT_DATA;

#define KEY_BREAK 1   // Flags bit set when the key is released (value from ntddkbd.h)

//----------------------------------------------------------
// Our code goes here
//----------------------------------------------------------

// usage: WriteLn(L"Hello Native World!\n");
void WriteLn(LPWSTR Message)
{
    UNICODE_STRING string;
    RtlInitUnicodeString(&string, Message);
    NtDisplayString(&string);
}

void NtProcessStartup(void* StartupArgument)
{
	// it is important to declare all variables at the beginning
	HANDLE hKeyBoard, hEvent;
	UNICODE_STRING keyboard;
	OBJECT_ATTRIBUTES ObjectAttributes;
	IO_STATUS_BLOCK Iosb;
	LARGE_INTEGER ByteOffset;
	KEYBOARD_INPUT_DATA kbData;
	NTSTATUS status;

	PVOID memory = NULL;
	PVOID buffer = NULL;
	ULONG bufferSize = 42;

	//use it if debugger connected to break
	//DbgBreakPoint();

	WriteLn(L"Hello Native World!\n");

	// initialize variables (NT object manager path, hence the leading backslash)
	RtlInitUnicodeString(&keyboard, L"\\Device\\KeyboardClass0");
	InitializeObjectAttributes(&ObjectAttributes, &keyboard, OBJ_CASE_INSENSITIVE, NULL, NULL);
	ByteOffset.QuadPart = 0;

	// open keyboard device
	status = NtCreateFile(&hKeyBoard,
				SYNCHRONIZE | GENERIC_READ | FILE_READ_ATTRIBUTES,
				&ObjectAttributes,
				&Iosb,
				NULL,
				FILE_ATTRIBUTE_NORMAL,
				0,
				FILE_OPEN, FILE_DIRECTORY_FILE,
				NULL, 0);
	if (!NT_SUCCESS(status))
	{
		WriteLn(L"Cannot open keyboard device\n");
		NtTerminateProcess(NtCurrentProcess(), status);
	}

	// create event to wait on (synchronization event, initially not signalled)
	InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
	NtCreateEvent(&hEvent, EVENT_ALL_ACCESS, &ObjectAttributes, SynchronizationEvent, FALSE);

	WriteLn(L"Keyboard ready\n");

	// create heap in order to allocate memory later
	memory = RtlCreateHeap(
	  HEAP_GROWABLE,
	  NULL,
	  1000,
	  0, NULL, NULL
	);

	WriteLn(L"Heap ready\n");

	// allocate buffer of size bufferSize
	buffer = RtlAllocateHeap(
	  memory,
	  HEAP_ZERO_MEMORY,
	  bufferSize
	);

	WriteLn(L"Buffer allocated\n");

	// free buffer (actually not needed because we destroy heap in next step)
	RtlFreeHeap(memory, 0, buffer);

	RtlDestroyHeap(memory);

	WriteLn(L"Heap destroyed\n");

	WriteLn(L"Press ESC to continue...\n");

	while (TRUE)
	{
		NtReadFile(hKeyBoard, hEvent, NULL, NULL, &Iosb, &kbData, sizeof(KEYBOARD_INPUT_DATA), &ByteOffset, NULL);
		NtWaitForSingleObject(hEvent, FALSE, NULL);   // non-alertable: return only when the read completed

		// ESC has make code 0x01; react only to the press, not the release
		if (kbData.MakeCode == 0x01 && !(kbData.Flags & KEY_BREAK))
		{
			break;
		}
	}

	NtTerminateProcess(NtCurrentProcess(), 0);
}

PS: We can simply put DbgBreakPoint() in our code to stop in the debugger. True, you have to attach WinDbg to the real machine for kernel debugging. Instructions on how to do this can be found here, or use VirtualKD.

Compiling and building

The easiest way to build a native application is to use the DDK (Driver Development Kit). We need the old seventh version, because later versions take a slightly different approach and work closely with Visual Studio. If we use the DDK, our project needs only a Makefile and a sources file.

Makefile

!INCLUDE $(NTMAKEENV)\makefile.def

sources:

TARGETNAME              = MyNative
TARGETTYPE              = PROGRAM
UMTYPE                  = nt
BUFFER_OVERFLOW_CHECKS  = 0
MINWIN_SDK_LIB_PATH     = $(SDK_LIB_PATH)
SOURCES                 = source.c

INCLUDES                = $(DDK_INC_PATH); \
                          C:\WinDDK\7600.16385.1\ndk;

TARGETLIBS              = $(DDK_LIB_PATH)\ntdll.lib \
                          $(DDK_LIB_PATH)\nt.lib

USE_NTDLL               = 1

Your Makefile will be exactly the same, but let's look at sources in more detail. This file describes where your program's sources are (the .c files), the build options and other parameters.

  • TARGETNAME - the name of the executable file that should be produced at the end.
  • TARGETTYPE - the type of the output file. If it is a driver (.sys), the value of this field must be DRIVER; if it is a library (.lib), the value is LIBRARY. In our case we want an executable file (.exe), so we set the value to PROGRAM.
  • UMTYPE - possible values for this field: console for a console application, windows for a windowed application. But we have to specify nt to get a native application.
  • BUFFER_OVERFLOW_CHECKS - the buffer-overrun checks; unfortunately they are not usable in our case (they depend on the C runtime, which we do not have), so we turn them off.
  • MINWIN_SDK_LIB_PATH - this value refers to the SDK_LIB_PATH variable. Don't worry that you have no such environment variable: when we run the Checked Build environment from the DDK, this variable is defined and points to the required libraries.
  • SOURCES - the list of your program's source files.
  • INCLUDES - the header files needed for compilation. Usually the path to the headers shipped with the DDK is given here, but you can specify any others as well.
  • TARGETLIBS - the list of libraries that need to be linked.
  • USE_NTDLL is a mandatory field that must be set to 1, for obvious reasons.
  • USER_C_FLAGS - any flags you want to use to control the compilation of the code.

So, to build, we need to run the x86 (or x64) Checked Build environment, change the working directory to the project folder and run the build command. The screenshot shows that we got a single executable file.

(screenshot of the build output)

The file cannot simply be launched: the system complains and sends us off to reflect on its behaviour with the following error:

(screenshot of the error message)

How do you launch a native application?

When autochk starts, the sequence of programs is determined by the value of the registry key:

HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute

The Session Manager launches the programs from this list one by one. It looks for the executables themselves in the system32 folder. The registry value is a multi-string (REG_MULTI_SZ), one entry per line, and has the following form:

autocheck autochk *
MyNative

The value must be entered in hexadecimal form rather than as plain ASCII, so the value shown above will look like this:

61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,4d,79,4e,61,74,69,76,65,00,00

To convert the string you can use an online tool, for example this one.
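Instead of an online converter, the hex(7) form can be produced and checked locally. The C program below is an added example, not code from the article or from Acronis: it encodes a list of strings into the REGEDIT4 hex(7) byte list (one byte per character, each string NUL-terminated, plus a final NUL), decodes such a list back into strings, and counts the BootExecute entries other than the stock "autocheck autochk *", which is the check a defender would run on a machine, since any extra entry is a program the Session Manager runs before logon. The function names are assumptions; the only data used is the value from the article's add.reg and small constructed test inputs.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Append one byte as "xx" (first byte) or ",xx" to the output text. */
static int append_hex_byte(char *out, size_t out_len, size_t *pos, unsigned char b)
{
    int n = snprintf(out + *pos, out_len - *pos, "%s%02x", *pos ? "," : "", b);
    if (n < 0 || (size_t)n >= out_len - *pos) return -1;   /* truncated */
    *pos += (size_t)n;
    return 0;
}

/* Encode a NULL-terminated list of strings as the hex(7) body regedit writes
 * for a REG_MULTI_SZ value in a REGEDIT4 (ANSI) file: each string is followed
 * by a NUL byte and the whole list by one more NUL.
 * Returns the length of the text written, or -1 if `out` is too small. */
int encode_multi_sz_hex(const char *const *strings, char *out, size_t out_len)
{
    size_t pos = 0;
    if (out_len == 0) return -1;
    out[0] = '\0';
    for (size_t i = 0; strings[i] != NULL; i++) {
        size_t len = strlen(strings[i]);
        for (size_t j = 0; j <= len; j++)            /* j == len emits the NUL */
            if (append_hex_byte(out, out_len, &pos, (unsigned char)strings[i][j]) < 0)
                return -1;
    }
    if (append_hex_byte(out, out_len, &pos, 0) < 0) return -1;   /* list terminator */
    return (int)pos;
}

/* Decode a hex(7) body (commas, spaces and backslash line continuations are
 * allowed, as in regedit exports) back into its strings. Raw bytes go to `buf`
 * and strings[i] points at each string inside it. Returns the number of
 * strings, or -1 if the text is malformed or the list is not terminated. */
int decode_multi_sz_hex(const char *hex, char *buf, size_t buf_len,
                        const char **strings, size_t max_strings)
{
    size_t nbytes = 0, i = 0;
    int count = 0;
    const char *p = hex;
    while (*p != '\0') {
        char *end;
        unsigned long v = strtoul(p, &end, 16);
        if (end == p || v > 0xFF || nbytes >= buf_len) return -1;
        buf[nbytes++] = (char)v;
        p = end;
        while (*p == ',' || *p == ' ' || *p == '\\' || *p == '\r' || *p == '\n') p++;
    }
    while (i < nbytes && buf[i] != '\0') {            /* stop at the empty string */
        size_t start = i;
        while (i < nbytes && buf[i] != '\0') i++;
        if (i >= nbytes || (size_t)count >= max_strings) return -1;
        strings[count++] = buf + start;
        i++;                                           /* skip this string's NUL */
    }
    return count;
}

/* Defender's check: number of BootExecute entries other than the stock
 * "autocheck autochk *". The article adds exactly one (MyNative). */
int count_nondefault_bootexecute(const char **strings, int count)
{
    int extra = 0;
    for (int i = 0; i < count; i++)
        if (strcmp(strings[i], "autocheck autochk *") != 0) extra++;
    return extra;
}

/* The value from the article's add.reg, reproduced here as sample input. */
const char *article_bootexecute_hex =
    "61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,"
    "4d,79,4e,61,74,69,76,65,00,00";

int main(void)
{
    const char *parts[] = { "autocheck autochk *", "MyNative", NULL };
    char hex[256], buf[128];
    const char *decoded[8];
    int n = encode_multi_sz_hex(parts, hex, sizeof hex);
    int c = decode_multi_sz_hex(article_bootexecute_hex, buf, sizeof buf, decoded, 8);
    printf("\"BootExecute\"=hex(7):%s\n", n < 0 ? "(error)" : hex);
    printf("%d entries, %d non-default\n", c, count_nondefault_bootexecute(decoded, c));
    return 0;
}
```

Run stand-alone, it prints the same line that appears in add.reg below and reports two entries, one of them non-default. Note that the single-byte layout holds only for REGEDIT4 files; the "Windows Registry Editor Version 5.00" format stores strings as UTF-16LE, so the same value would have a 00 byte after every character there.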

It turns out that to launch a native application we need to:

  1. Copy the executable to the system32 folder
  2. Add the key to the registry
  3. Reboot the machine

For convenience, here is a ready-made script that installs the program to run at startup:

install.bat

@echo off
copy MyNative.exe %systemroot%\system32\.
regedit /s add.reg
echo Native Example Installed
pause

add.reg

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,4d,79,4e,61,74,69,76,65,00,00

After installing and rebooting, even before the user selection screen appears, we see this picture:

(screenshot of the native application's output before the logon screen)

Results

With this small program as an example, we confirmed that it is possible to run a program at the Windows Native level. Next, the Innopolis University students and I will continue developing a service that starts interacting with the driver much earlier than we have seen so far. And once the win32 shell arrives, it would be logical to hand control over to the full service that has already been developed (more on this here).

In the next article we will touch on another component of the Active Restore service, namely the UEFI driver. Subscribe to our blog so you don't miss the next post.

Source: www.habr.com
