Today we continue the story of how we, together with the guys from Innopolis University, are developing the Active Restore technology so that a user can get back to work on their machine as soon as possible after a failure. This time we will talk about Windows Native Applications, including how to create and launch them. Below the cut is a little about our project, plus a practical guide to writing native applications.
In previous posts we already talked about what has to be done:
- start the service itself very early
- connect very early to the cloud where the recovery data (the backups) is stored
- understand very early which state the system is in: a normal boot or a recovery
- recover the minimal set of data first
- let the user start working quickly.
What is a native application?
To answer this question, let's look at the chain of calls the system goes through when, for example, an application developer tries to create a file.
Pavel Yosifovich - Windows Kernel Programming (2019)
The application developer uses
The main advantage of native applications is that ntdll is loaded into the system much earlier than kernel32. This is only logical, since kernel32 needs ntdll in order to work. As a result, applications that use only the native API can start working much earlier in the boot.
So, Windows Native Applications are applications that can start at the very beginning of the Windows boot. They use only functions exported by ntdll. An example of such an application:
What do we need?
- the DDK (Driver Development Kit), now also known as WDK 7 (Windows Driver Kit)
- a real machine (for example, Windows 7 x64)
- optional, but helpful: the header files that can be downloaded here
What's in the code?
Let's experiment a little and, for example, write a small application that:
- displays a message on the screen
- allocates some memory
- waits for keyboard input
- frees the memory it used
In native applications the entry point is neither main nor WinMain but the NtProcessStartup function, because we are starting a new process directly, without a C runtime.
Let's start with displaying a message on the screen. For this we have the native function NtDisplayString:
//usage: WriteLn(L"Here is my text\n");
void WriteLn(LPWSTR Message)
{
UNICODE_STRING string;
RtlInitUnicodeString(&string, Message); // wraps the buffer, no copy is made
NtDisplayString(&string);
}
Since only functions from ntdll are available to us and no other libraries are loaded yet, we run into the question of how to allocate memory. There is no operator new (it comes from the much higher-level world of C++), and there is no malloc (it needs the C runtime library). Of course, you could get by with the stack alone. But if we need to allocate memory dynamically, we have to do it on the heap, so let's create our own heap and allocate from it whenever we need to.
The RtlCreateHeap function fits this task:
PVOID memory = NULL;
PVOID buffer = NULL;
ULONG bufferSize = 42;
// create heap in order to allocate memory later
memory = RtlCreateHeap(
HEAP_GROWABLE,
NULL,
1000,
0, NULL, NULL
);
// allocate buffer of size bufferSize
buffer = RtlAllocateHeap(
memory,
HEAP_ZERO_MEMORY,
bufferSize
);
// free buffer (actually not needed because we destroy heap in next step)
RtlFreeHeap(memory, 0, buffer);
RtlDestroyHeap(memory);
Let's move on to waiting for keyboard input. We open the keyboard class device by its NT object path and read KEYBOARD_INPUT_DATA records from it; each read is asynchronous, so we wait on an event for its completion.
// https://docs.microsoft.com/en-us/windows/win32/api/ntddkbd/ns-ntddkbd-keyboard_input_data
typedef struct _KEYBOARD_INPUT_DATA {
USHORT UnitId;
USHORT MakeCode;
USHORT Flags;
USHORT Reserved;
ULONG ExtraInformation;
} KEYBOARD_INPUT_DATA, *PKEYBOARD_INPUT_DATA;
//...
HANDLE hKeyBoard, hEvent;
UNICODE_STRING keyboard;
OBJECT_ATTRIBUTES ObjectAttributes;
IO_STATUS_BLOCK Iosb;
LARGE_INTEGER ByteOffset;
KEYBOARD_INPUT_DATA kbData;
NTSTATUS status;
// initialize variables: object manager path of the first keyboard class device
RtlInitUnicodeString(&keyboard, L"\\Device\\KeyboardClass0");
InitializeObjectAttributes(&ObjectAttributes, &keyboard, OBJ_CASE_INSENSITIVE, NULL, NULL);
// open keyboard device (no FILE_SYNCHRONOUS_IO_* option, so reads complete through the event)
status = NtCreateFile(&hKeyBoard,
SYNCHRONIZE | GENERIC_READ | FILE_READ_ATTRIBUTES,
&ObjectAttributes,
&Iosb,
NULL,
FILE_ATTRIBUTE_NORMAL,
0,
FILE_OPEN, FILE_DIRECTORY_FILE,
NULL, 0);
if (!NT_SUCCESS(status))
{
// handle the error: without a valid handle the loop below would never finish
}
// create event to wait on (EventType 1 = SynchronizationEvent, auto-reset; not signaled initially)
InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
NtCreateEvent(&hEvent, EVENT_ALL_ACCESS, &ObjectAttributes, 1, 0);
ByteOffset.QuadPart = 0; // the keyboard driver ignores it, but do not pass an uninitialized value
while (TRUE)
{
status = NtReadFile(hKeyBoard, hEvent, NULL, NULL, &Iosb, &kbData, sizeof(KEYBOARD_INPUT_DATA), &ByteOffset, NULL);
if (status == STATUS_PENDING)
{
NtWaitForSingleObject(hEvent, TRUE, NULL);
status = Iosb.Status;
}
if (!NT_SUCCESS(status))
{
break; // read failed: do not spin on stale kbData
}
if (kbData.MakeCode == 0x01) // ESC scan code; the release report carries the same MakeCode with KEY_BREAK set in Flags
{
break;
}
}
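The loop above exits on MakeCode 0x01 regardless of the Flags field, and the keyboard class driver delivers one report for the press and one for the release of every key, so an ESC that was already held down when the loop started ends it on the release report. The following is an added example and not code from the article: it mirrors KEYBOARD_INPUT_DATA with fixed-width types so it compiles without the DDK, and runs the article's condition and a make-only condition over a constructed sequence of reports. The KEY_BREAK, KEY_E0 and KEY_E1 values are those of ntddkbd.h; the sample reports are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Mirror of KEYBOARD_INPUT_DATA (ntddkbd.h) with fixed-width types so the
   decoding logic builds and runs without the DDK. Layout is identical. */
typedef struct _KEYBOARD_INPUT_DATA {
    uint16_t UnitId;
    uint16_t MakeCode;
    uint16_t Flags;
    uint16_t Reserved;
    uint32_t ExtraInformation;
} KEYBOARD_INPUT_DATA;

/* Flags bits as defined in ntddkbd.h */
#define KEY_MAKE  0   /* key pressed: no bit set */
#define KEY_BREAK 1   /* key released */
#define KEY_E0    2   /* extended key, E0 prefix */
#define KEY_E1    4   /* extended key, E1 prefix (Pause) */

#define SCANCODE_ESC 0x01

typedef bool (*ReportPredicate)(const KEYBOARD_INPUT_DATA *);

/* The article's condition: any report whose scan code is 0x01. */
bool IsEscScanCode(const KEYBOARD_INPUT_DATA *kb)
{
    return kb->MakeCode == SCANCODE_ESC;
}

/* Stricter condition: only the key-down report of the plain ESC key.
   Release reports and E0/E1-prefixed keys that share scan code 0x01 are rejected. */
bool IsEscPressed(const KEYBOARD_INPUT_DATA *kb)
{
    if (kb->MakeCode != SCANCODE_ESC) return false;
    if (kb->Flags & KEY_BREAK) return false;          /* release, not press */
    if (kb->Flags & (KEY_E0 | KEY_E1)) return false;  /* extended key, not ESC */
    return true;
}

/* The article's read loop with NtReadFile replaced by a walk over a buffer:
   index of the first report that satisfies pred, or -1 if none does. */
int FirstMatching(const KEYBOARD_INPUT_DATA *reports, size_t count, ReportPredicate pred)
{
    for (size_t i = 0; i < count; i++) {
        if (pred(&reports[i])) return (int)i;
    }
    return -1;
}

/* Constructed sample (not captured from a real device): the user releases an
   ESC that was held when the loop started, types 'A', then presses ESC. */
const KEYBOARD_INPUT_DATA kSampleReports[] = {
    { 0, 0x01, KEY_BREAK, 0, 0 },  /* 0: stale ESC release */
    { 0, 0x1e, KEY_MAKE,  0, 0 },  /* 1: 'A' pressed */
    { 0, 0x1e, KEY_BREAK, 0, 0 },  /* 2: 'A' released */
    { 0, 0x01, KEY_MAKE,  0, 0 },  /* 3: ESC pressed */
    { 0, 0x01, KEY_BREAK, 0, 0 },  /* 4: ESC released */
};
const size_t kSampleCount = sizeof kSampleReports / sizeof kSampleReports[0];

int main(void)
{
    printf("article condition exits at report %d\n",
           FirstMatching(kSampleReports, kSampleCount, IsEscScanCode)); /* 0 */
    printf("make-only condition exits at report %d\n",
           FirstMatching(kSampleReports, kSampleCount, IsEscPressed));  /* 3 */
    return 0;
}
```

In the native application the same change is one line: test `(kbData.Flags & KEY_BREAK) == 0` together with `kbData.MakeCode == 0x01`, with KEY_BREAK taken from ntddkbd.h.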
What we need is to use
The startup function ends with a call to NtTerminateProcess.
The complete code of our small application:
#include "ntifs.h" // C:\WinDDK\7600.16385.1\inc\ddk
#include "ntdef.h"
//------------------------------------
// The following function declarations can be found in the native development kit,
// but I am too lazy to include it, so I declare them here.
// NTAPI (__stdcall) matters on x86: without it the call uses the wrong calling convention.
//------------------------------------
NTSYSAPI
NTSTATUS
NTAPI
NtTerminateProcess(
IN HANDLE ProcessHandle OPTIONAL,
IN NTSTATUS ExitStatus
);
NTSYSAPI
NTSTATUS
NTAPI
NtDisplayString(
IN PUNICODE_STRING String
);
NTSYSAPI
NTSTATUS
NTAPI
NtWaitForSingleObject(
IN HANDLE Handle,
IN BOOLEAN Alertable,
IN PLARGE_INTEGER Timeout
);
NTSYSAPI
NTSTATUS
NTAPI
NtCreateEvent(
OUT PHANDLE EventHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN EVENT_TYPE EventType,
IN BOOLEAN InitialState
);
// https://docs.microsoft.com/en-us/windows/win32/api/ntddkbd/ns-ntddkbd-keyboard_input_data
typedef struct _KEYBOARD_INPUT_DATA {
USHORT UnitId;
USHORT MakeCode;
USHORT Flags;
USHORT Reserved;
ULONG ExtraInformation;
} KEYBOARD_INPUT_DATA, *PKEYBOARD_INPUT_DATA;
//----------------------------------------------------------
// Our code goes here
//----------------------------------------------------------
// usage: WriteLn(L"Hello Native World!\n");
void WriteLn(LPWSTR Message)
{
UNICODE_STRING string;
RtlInitUnicodeString(&string, Message);
NtDisplayString(&string);
}
void NtProcessStartup(void* StartupArgument)
{
// it is important to declare all variables at the beginning (the DDK compiler builds C as C89)
HANDLE hKeyBoard, hEvent;
UNICODE_STRING keyboard;
OBJECT_ATTRIBUTES ObjectAttributes;
IO_STATUS_BLOCK Iosb;
LARGE_INTEGER ByteOffset;
KEYBOARD_INPUT_DATA kbData;
NTSTATUS status;
PVOID memory = NULL;
PVOID buffer = NULL;
ULONG bufferSize = 42;
// use it to break into the debugger if one is connected
//DbgBreakPoint();
WriteLn(L"Hello Native World!\n");
// initialize variables: object manager path of the first keyboard class device
RtlInitUnicodeString(&keyboard, L"\\Device\\KeyboardClass0");
InitializeObjectAttributes(&ObjectAttributes, &keyboard, OBJ_CASE_INSENSITIVE, NULL, NULL);
// open keyboard device (no FILE_SYNCHRONOUS_IO_* option, so reads complete through the event)
status = NtCreateFile(&hKeyBoard,
SYNCHRONIZE | GENERIC_READ | FILE_READ_ATTRIBUTES,
&ObjectAttributes,
&Iosb,
NULL,
FILE_ATTRIBUTE_NORMAL,
0,
FILE_OPEN, FILE_DIRECTORY_FILE,
NULL, 0);
if (!NT_SUCCESS(status))
{
WriteLn(L"Cannot open the keyboard device\n");
NtTerminateProcess(NtCurrentProcess(), status);
}
// create event to wait on (EventType 1 = SynchronizationEvent, auto-reset; not signaled initially)
InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
NtCreateEvent(&hEvent, EVENT_ALL_ACCESS, &ObjectAttributes, 1, 0);
WriteLn(L"Keyboard ready\n");
// create heap in order to allocate memory later
memory = RtlCreateHeap(
HEAP_GROWABLE,
NULL,
1000,
0, NULL, NULL
);
WriteLn(L"Heap ready\n");
// allocate buffer of size bufferSize
buffer = RtlAllocateHeap(
memory,
HEAP_ZERO_MEMORY,
bufferSize
);
WriteLn(L"Buffer allocated\n");
// free buffer (actually not needed because we destroy the heap in the next step)
RtlFreeHeap(memory, 0, buffer);
RtlDestroyHeap(memory);
WriteLn(L"Heap destroyed\n");
WriteLn(L"Press ESC to continue...\n");
ByteOffset.QuadPart = 0; // the keyboard driver ignores it, but do not pass an uninitialized value
while (TRUE)
{
status = NtReadFile(hKeyBoard, hEvent, NULL, NULL, &Iosb, &kbData, sizeof(KEYBOARD_INPUT_DATA), &ByteOffset, NULL);
if (status == STATUS_PENDING)
{
NtWaitForSingleObject(hEvent, TRUE, NULL);
status = Iosb.Status;
}
if (!NT_SUCCESS(status))
{
break; // read failed: do not spin on stale kbData
}
if (kbData.MakeCode == 0x01) // ESC scan code; the release report carries the same MakeCode with KEY_BREAK set in Flags
{
break;
}
}
NtTerminateProcess(NtCurrentProcess(), 0);
}
PS: We can simply put DbgBreakPoint() in our code to stop in the debugger. True, for that you need WinDbg attached to the real machine for kernel debugging. Instructions on how to set this up can be found
Compiling and building
The easiest way to build a native application is to use the Build utility from the DDK. Two files describe the project:
Makefile
!INCLUDE $(NTMAKEENV)\makefile.def
sources:
TARGETNAME = MyNative
TARGETTYPE = PROGRAM
UMTYPE = nt
BUFFER_OVERFLOW_CHECKS = 0
MINWIN_SDK_LIB_PATH = $(SDK_LIB_PATH)
SOURCES = source.c
INCLUDES = $(DDK_INC_PATH); \
           C:\WinDDK\7600.16385.1\ndk;
TARGETLIBS = $(DDK_LIB_PATH)\ntdll.lib \
             $(DDK_LIB_PATH)\nt.lib
USE_NTDLL = 1
Your makefile will always look exactly like this, so let's look at the sources file in more detail. It describes where the sources of your program are (the .c files), the build options and other parameters.
- TARGETNAME: the name of the executable that is produced at the end.
- TARGETTYPE: the type of the output file. For a driver (.sys) the value is DRIVER, for a library (.lib) it is LIBRARY. We want an executable (.exe), so we set it to PROGRAM.
- UMTYPE: the possible values are console for a console application and windows for a windowed one. We must specify nt to get a native application.
- BUFFER_OVERFLOW_CHECKS: the compiler's buffer overrun checks (/GS). They rely on runtime support we do not have, so we turn them off.
- MINWIN_SDK_LIB_PATH: this refers to the SDK_LIB_PATH environment variable. Don't worry that you have no such variable: when we run the build from the DDK's build environment it is defined and points to the required libraries.
- SOURCES: the list of your program's source files.
- INCLUDES: the header directories needed to compile. Usually the path to the headers that ship with the DDK is given here, but you can add any others.
- TARGETLIBS: the list of libraries to link against.
- USE_NTDLL: an important parameter that must be set to 1; it links the program against ntdll rather than the C runtime.
- USER_C_FLAGS: any flags you want to pass to the compiler.
So, to build, we need to open the x86 (or x64) Checked Build Environment, change the working directory to the project folder and run the build command. The screenshot shows that the result is a single executable.
This file cannot simply be launched: the system curses and sends us off to think about our behaviour with the following error:
How do you launch a native application?
The native programs that run at boot (autochk among them), and the order in which they run, are determined by the registry value:
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
The Session Manager launches the programs from this list one by one. It looks for the executables only in the system32 directory. The registry value looks like this:
autocheck autochk *
MyNative
The value is a REG_MULTI_SZ, which a .reg file writes as hex(7) followed by the raw bytes, not as a plain string. On NT the registry stores strings as UTF-16LE, so every character is followed by a 00 byte, each entry ends with a 16-bit zero, and the whole list ends with one more. A hex line with one byte per character (what a generic "ASCII to hex" converter produces) would be read back as a single entry of mangled characters, and neither autochk nor MyNative would run. The value shown above therefore becomes:
61,00,75,00,74,00,6f,00,63,00,68,00,65,00,63,00,6b,00,20,00,61,00,75,00,74,00,6f,00,63,00,68,00,6b,00,20,00,2a,00,00,00,4d,00,79,00,4e,00,61,00,74,00,69,00,76,00,65,00,00,00,00,00
To convert the text you can use an online converter, for example; make sure it emits UTF-16LE (two bytes per character), or export the existing value from regedit and edit that.
So, it turns out that to launch a native application we need to:
- copy the executable to the system32 directory
- add the value to the registry
- reboot the machine
For convenience, here is a ready-made script that installs the native application. Note that add.reg replaces the whole BootExecute value; if your system already has entries other than autochk there, append MyNative to them instead of overwriting the list.
install.bat
@echo off
copy MyNative.exe %systemroot%\system32\.
regedit /s add.reg
echo Native Example Installed
pause
add.reg
REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,00,75,00,74,00,6f,00,63,00,68,00,65,00,63,00,6b,00,20,00,61,00,75,00,74,00,6f,00,63,00,68,00,6b,00,20,00,2a,00,00,00,4d,00,79,00,4e,00,61,00,74,00,69,00,76,00,65,00,00,00,00,00
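The encoding behind that add.reg line, as an added example that is not part of the original article: a small C program that builds a REG_MULTI_SZ the way the registry stores it (UTF-16LE code units, a 16-bit zero after every entry and one more after the last), renders the comma-separated hex that follows hex(7): for the article's two entries, and counts how many entries a consumer of the value would see in a given blob. kAsciiBlob is constructed here to show what a hex line with one byte per character turns into. The helper names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Encode ASCII strings as REG_MULTI_SZ: each character becomes a UTF-16LE
   code unit (low byte first, high byte 0), each string ends with a 16-bit
   zero, and the list ends with one more. Returns bytes written, 0 on overflow. */
size_t EncodeMultiSz(const char *const *strings, size_t n, uint8_t *out, size_t cap)
{
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        for (const char *p = strings[i]; *p; p++) {
            if (pos + 2 > cap) return 0;
            out[pos++] = (uint8_t)*p;  /* ASCII maps 1:1 onto the low byte */
            out[pos++] = 0x00;         /* high byte of the code unit */
        }
        if (pos + 2 > cap) return 0;
        out[pos++] = 0x00; out[pos++] = 0x00;  /* end of this string */
    }
    if (pos + 2 > cap) return 0;
    out[pos++] = 0x00; out[pos++] = 0x00;      /* end of the list */
    return pos;
}

/* Render bytes in the comma-separated form that follows "hex(7):" in a .reg file. */
size_t ToRegHex(const uint8_t *bytes, size_t len, char *out, size_t cap)
{
    size_t pos = 0;
    for (size_t i = 0; i < len; i++) {
        int w = snprintf(out + pos, cap - pos, "%s%02x", i ? "," : "", bytes[i]);
        if (w < 0 || (size_t)w >= cap - pos) return 0;
        pos += (size_t)w;
    }
    return pos;
}

/* Count entries the way a REG_MULTI_SZ consumer sees them: walk 16-bit units,
   a zero unit ends a string, an empty string ends the list. */
size_t CountMultiSz(const uint8_t *bytes, size_t len)
{
    size_t count = 0, start = 0;
    for (size_t i = 0; i + 1 < len; i += 2) {
        uint16_t unit = (uint16_t)(bytes[i] | (bytes[i + 1] << 8));
        if (unit == 0) {
            if (i == start) break;  /* empty string: list terminator */
            count++;
            start = i + 2;
        }
    }
    return count;
}

/* The two entries the article puts into BootExecute. */
static const char *const kEntries[] = { "autocheck autochk *", "MyNative" };
#define ENTRY_COUNT (sizeof kEntries / sizeof kEntries[0])

/* Hex payload for the add.reg line; NULL if a buffer is too small. */
const char *BootExecuteRegHexStr(void)
{
    static char line[512];
    uint8_t blob[128];
    size_t n = EncodeMultiSz(kEntries, ENTRY_COUNT, blob, sizeof blob);
    if (n == 0 || ToRegHex(blob, n, line, sizeof line) == 0) return NULL;
    return line;
}

/* Round trip: how many entries the encoded value contains. */
size_t EncodedEntryCount(void)
{
    uint8_t blob[128];
    size_t n = EncodeMultiSz(kEntries, ENTRY_COUNT, blob, sizeof blob);
    return CountMultiSz(blob, n);
}

/* Constructed: the same two strings as single-byte ASCII, i.e. what a hex(7)
   line without the ",00" padding would put into the registry (30 bytes). */
const uint8_t kAsciiBlob[] = "autocheck autochk *\0MyNative\0";
const size_t kAsciiBlobLen = sizeof kAsciiBlob;

int main(void)
{
    const char *hex = BootExecuteRegHexStr();
    if (hex) printf("\"BootExecute\"=hex(7):%s\n", hex);
    printf("UTF-16LE blob: %zu entries\n", EncodedEntryCount());                    /* 2 */
    printf("ASCII blob:    %zu entries\n", CountMultiSz(kAsciiBlob, kAsciiBlobLen)); /* 1 */
    return 0;
}
```

The single-byte blob decodes as one entry whose first code unit is 0x7561 ("au" read as one UTF-16 character), which is the value the Session Manager would try to execute.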
After installation and a reboot, even before the user selection screen appears, we get the following picture:
Results
Using this small application as an example, we made sure that it is possible to run code at the Windows Native level. Next, together with the guys from Innopolis University, we will continue developing the service that will start interacting with the driver much earlier than we have seen before. And once the win32 shell arrives, it makes sense to hand control over to the already developed full-fledged service (more on this in our earlier posts).
In the next article we will touch on another part of the Active Restore project, the UEFI driver. Subscribe to our blog so you don't miss the next post.
Source: www.habr.com