Kajeno re tsoela pele pale ea kamoo rona, hammoho le bashanyana ba tsoang Univesithing ea Innopolis, re hlahisang theknoloji ea Active Restore ho lumella mosebedisi ho qala ho sebetsa mochine oa bona kapele kamoo ho ka khonehang ka mor'a ho hlōleha. Re tla bua ka lits'ebetso tsa Windows tsa matsoalloa, ho kenyelletsa le likarolo tsa popo ea tsona le ho qala. Ka tlase ho sehiloeng ke hanyane ka morero oa rona, hammoho le tataiso e sebetsang ea ho ngola likopo tsa matsoalloa.
Li-post tse fetileng re se re buile ka hore na ke eng , le kamoo liithuti tse tsoang Innopolis li hōlang kateng . Kajeno ke batla ho tsepamisa maikutlo lits'ebetsong tsa matsoalloa, ho isa boemong boo re batlang ho "pata" ts'ebeletso ea rona e sebetsang ea ho hlaphoheloa. Haeba tsohle li sebetsa, re tla khona ho:
- Qala tšebeletso ka boeona pele ho nako
- Ikopanye le leru moo bekapo e leng teng pejana
- Haholo pele ho utloisisa hore na sistimi e maemong afe - boot e tloaelehileng kapa ho hlaphoheloa
- Lifaele tse fokolang haholo tseo u ka li fumanang esale pele
- Lumella mosebelisi ho qala kapele le ho feta.
Leha ho le joalo, app ea lehae ke eng?
Ho araba potso ena, a re shebeng tatellano ea mehala eo sistimi e e etsang, mohlala, haeba moqapi oa kopo ea hae a leka ho etsa faele.
Pavel Yosifovich - Windows Kernel Programming (2019)
Moetsi oa lenaneo o sebelisa ts'ebetso , e phatlalalitsoeng faeleng ea sehlooho fileapi.h le ho kengoa tšebetsong Kernel32.dll. Leha ho le joalo, ts'ebetso ena ka boeona ha e bōpe faele, e hlahloba feela likhang tsa ho kenya le ho bitsa mosebetsi (sehlongoapele Nt se bontša feela hore mosebetsi ke oa tlhaho). Ts'ebetso ena e phatlalatsoa faeleng ea lihlooho tsa winternl.h mme e kenngoe tšebetsong ho ntdll.dll. E itokisetsa ho tlolela sebakeng sa nyutlelie, ka mor'a moo e etsa mohala oa sistimi ho theha faele. Tabeng ena, ho ile ha fumaneha hore Kernel32 ke sekoaelo sa Ntdll feela. E 'ngoe ea mabaka a entseng hore sena se etsoe ke hore Microsoft ka hona e na le bokhoni ba ho fetola mesebetsi ea lefatše la matsoalloa, empa eseng ho ama li-interfaces tse tloaelehileng. Microsoft ha e khothaletse ho letsetsa mesebetsi ea lehae ka kotloloho mme ha e ngole boholo ba eona. Ka tsela, mesebetsi e sa ngolisoang e ka fumanoa .
Monyetla o ka sehloohong oa lits'ebetso tsa matsoalloa ke hore ntdll e kentsoe ka har'a sistimi pejana ho feta kernel32. Sena sea utloahala, hobane kernel32 e hloka hore ntdll e sebetse. Ka lebaka leo, lits'ebetso tse sebelisang mesebetsi ea tlhaho li ka qala ho sebetsa pejana.
Kahoo, Windows Native Applications ke mananeo a ka qalang qalong ea Windows boot. Ba sebelisa FEELA mesebetsi ho tsoa ho ntdll. Mohlala oa kopo e joalo: ya etsang ho hlahloba disk bakeng sa liphoso pele o qala litšebeletso tse kholo. Sena ke sona hantle boemo boo re batlang hore Puseletso ea rona e Matla e be eona.
Re hloka eng?
- (Driver Development Kit), eo hona joale e tsejoang hape e le WDK 7 (Windows Driver Kit).
- Mochini oa Virtual (mohlala, Windows 7 x64)
- Ha ho hlokahale, empa lifaele tsa hlooho tse ka kopitsoang li ka thusa
Ke eng e ka har'a khoutu?
Ha re ikoetlise hanyane, ho etsa mohlala, re ngole ts'ebeliso e nyane e reng:
- E hlahisa molaetsa skrineng
- E abela memori e itseng
- E emetse ho kenngoa ha keyboard
- E lokolla memori e sebelisitsoeng
Lits'ebetsong tsa matsoalloa, ntlha ea ho kena ha se ntho e ka sehloohong kapa winmain, empa ke mosebetsi oa NtProcessStartup, kaha ha e le hantle re qala mekhoa e mecha ka ho toba tsamaisong.
Ha re qaleng ka ho hlahisa molaetsa skrineng. Bakeng sa sena re na le mosebetsi oa tlhaho , e leng khang sesupa sa sebopeho sa UNICODE_STRING ntho. RtlInitUnicodeString e tla re thusa ho e qala. Ka lebaka leo, ho hlahisa mongolo skrineng re ka ngola mosebetsi ona o monyane:
//usage: WriteLn(L"Here is my textn");
void WriteLn(LPWSTR Message)
{
UNICODE_STRING string;
RtlInitUnicodeString(&string, Message);
NtDisplayString(&string);
}Kaha ke lits'ebetso tse tsoang ho ntdll feela tse fumanehang ho rona, 'me ha ho na lilaebrari tse ling tse mohopolong, ka sebele re tla ba le mathata a ho fana ka memori. Opereishene e ncha ha e e-so be teng (hobane e tsoa lefats'eng la boemo bo phahameng haholo ba C ++), 'me ha ho na mosebetsi oa malloc (o hloka lilaebrari tsa nako ea ho sebetsa). Ha e le hantle, u ka sebelisa stack feela. Empa haeba re hloka ho fana ka memori ka mokhoa o matla, re tla tlameha ho e etsa ka qubu (ke hore qubu). Kahoo ha re ipopeng qubu bakeng sa rona 'me re nke mohopolo ho eona neng kapa neng ha re e hloka.
Mosebetsi o loketse mosebetsi ona . Ka mor'a moo, re sebelisa RtlAllocateHeap le RtlFreeHeap, re tla lula le ho lokolla memori ha re e hloka.
PVOID memory = NULL;
PVOID buffer = NULL;
ULONG bufferSize = 42;
// create heap in order to allocate memory later
memory = RtlCreateHeap(
HEAP_GROWABLE,
NULL,
1000,
0, NULL, NULL
);
// allocate buffer of size bufferSize
buffer = RtlAllocateHeap(
memory,
HEAP_ZERO_MEMORY,
bufferSize
);
// free buffer (actually not needed because we destroy heap in next step)
RtlFreeHeap(memory, 0, buffer);
RtlDestroyHeap(memory);Ha re tsoeleng pele ho emela ho kenya keyboard.
// https://docs.microsoft.com/en-us/windows/win32/api/ntddkbd/ns-ntddkbd-keyboard_input_data
typedef struct _KEYBOARD_INPUT_DATA {
USHORT UnitId;
USHORT MakeCode;
USHORT Flags;
USHORT Reserved;
ULONG ExtraInformation;
} KEYBOARD_INPUT_DATA, *PKEYBOARD_INPUT_DATA;
//...
HANDLE hKeyBoard, hEvent;
UNICODE_STRING skull, keyboard;
OBJECT_ATTRIBUTES ObjectAttributes;
IO_STATUS_BLOCK Iosb;
LARGE_INTEGER ByteOffset;
KEYBOARD_INPUT_DATA kbData;
// inialize variables
RtlInitUnicodeString(&keyboard, L"DeviceKeyboardClass0");
InitializeObjectAttributes(&ObjectAttributes, &keyboard, OBJ_CASE_INSENSITIVE, NULL, NULL);
// open keyboard device
NtCreateFile(&hKeyBoard,
SYNCHRONIZE | GENERIC_READ | FILE_READ_ATTRIBUTES,
&ObjectAttributes,
&Iosb,
NULL,
FILE_ATTRIBUTE_NORMAL,
0,
FILE_OPEN,FILE_DIRECTORY_FILE,
NULL, 0);
// create event to wait on
InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
NtCreateEvent(&hEvent, EVENT_ALL_ACCESS, &ObjectAttributes, 1, 0);
while (TRUE)
{
NtReadFile(hKeyBoard, hEvent, NULL, NULL, &Iosb, &kbData, sizeof(KEYBOARD_INPUT_DATA), &ByteOffset, NULL);
NtWaitForSingleObject(hEvent, TRUE, NULL);
if (kbData.MakeCode == 0x01) // if ESC pressed
{
break;
}
}Seo re se hlokang feela ke ho sebelisa sesebelisoa se bulehileng, 'me u eme ho fihlela keyboard e khutlisetsa khatiso leha e le efe ho rona. Haeba senotlolo sa ESC se hatelloa, re tla tsoela pele ho sebetsa. Ho bula sesebelisoa, re tla hloka ho letsetsa mosebetsi oa NtCreateFile (re tla hloka ho bula DeviceKeyboardClass0). Re tla bitsa hape ho qala ntho e emetseng. Re tla phatlalatsa sebopeho sa KEYBOARD_INPUT_DATA ka borona, se emelang data ea keyboard. Sena se tla nolofatsa mosebetsi oa rona.
Sesebelisoa sa tlhaho se qetella ka mohala oa tšebetso hobane re mpa re bolaea mokhoa oa rona.
Khoutu eohle bakeng sa ts'ebeliso ea rona e nyane:
#include "ntifs.h" // WinDDK7600.16385.1incddk
#include "ntdef.h"
//------------------------------------
// Following function definitions can be found in native development kit
// but I am too lazy to include `em so I declare it here
//------------------------------------
NTSYSAPI
NTSTATUS
NTAPI
NtTerminateProcess(
IN HANDLE ProcessHandle OPTIONAL,
IN NTSTATUS ExitStatus
);
NTSYSAPI
NTSTATUS
NTAPI
NtDisplayString(
IN PUNICODE_STRING String
);
NTSTATUS
NtWaitForSingleObject(
IN HANDLE Handle,
IN BOOLEAN Alertable,
IN PLARGE_INTEGER Timeout
);
NTSYSAPI
NTSTATUS
NTAPI
NtCreateEvent(
OUT PHANDLE EventHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN EVENT_TYPE EventType,
IN BOOLEAN InitialState
);
// https://docs.microsoft.com/en-us/windows/win32/api/ntddkbd/ns-ntddkbd-keyboard_input_data
typedef struct _KEYBOARD_INPUT_DATA {
USHORT UnitId;
USHORT MakeCode;
USHORT Flags;
USHORT Reserved;
ULONG ExtraInformation;
} KEYBOARD_INPUT_DATA, *PKEYBOARD_INPUT_DATA;
//----------------------------------------------------------
// Our code goes here
//----------------------------------------------------------
// usage: WriteLn(L"Hello Native World!n");
void WriteLn(LPWSTR Message)
{
UNICODE_STRING string;
RtlInitUnicodeString(&string, Message);
NtDisplayString(&string);
}
void NtProcessStartup(void* StartupArgument)
{
// it is important to declare all variables at the beginning
HANDLE hKeyBoard, hEvent;
UNICODE_STRING skull, keyboard;
OBJECT_ATTRIBUTES ObjectAttributes;
IO_STATUS_BLOCK Iosb;
LARGE_INTEGER ByteOffset;
KEYBOARD_INPUT_DATA kbData;
PVOID memory = NULL;
PVOID buffer = NULL;
ULONG bufferSize = 42;
//use it if debugger connected to break
//DbgBreakPoint();
WriteLn(L"Hello Native World!n");
// inialize variables
RtlInitUnicodeString(&keyboard, L"DeviceKeyboardClass0");
InitializeObjectAttributes(&ObjectAttributes, &keyboard, OBJ_CASE_INSENSITIVE, NULL, NULL);
// open keyboard device
NtCreateFile(&hKeyBoard,
SYNCHRONIZE | GENERIC_READ | FILE_READ_ATTRIBUTES,
&ObjectAttributes,
&Iosb,
NULL,
FILE_ATTRIBUTE_NORMAL,
0,
FILE_OPEN,FILE_DIRECTORY_FILE,
NULL, 0);
// create event to wait on
InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
NtCreateEvent(&hEvent, EVENT_ALL_ACCESS, &ObjectAttributes, 1, 0);
WriteLn(L"Keyboard readyn");
// create heap in order to allocate memory later
memory = RtlCreateHeap(
HEAP_GROWABLE,
NULL,
1000,
0, NULL, NULL
);
WriteLn(L"Heap readyn");
// allocate buffer of size bufferSize
buffer = RtlAllocateHeap(
memory,
HEAP_ZERO_MEMORY,
bufferSize
);
WriteLn(L"Buffer allocatedn");
// free buffer (actually not needed because we destroy heap in next step)
RtlFreeHeap(memory, 0, buffer);
RtlDestroyHeap(memory);
WriteLn(L"Heap destroyedn");
WriteLn(L"Press ESC to continue...n");
while (TRUE)
{
NtReadFile(hKeyBoard, hEvent, NULL, NULL, &Iosb, &kbData, sizeof(KEYBOARD_INPUT_DATA), &ByteOffset, NULL);
NtWaitForSingleObject(hEvent, TRUE, NULL);
if (kbData.MakeCode == 0x01) // if ESC pressed
{
break;
}
}
NtTerminateProcess(NtCurrentProcess(), 0);
}PES: Re ka sebelisa ts'ebetso ea DbgBreakPoint() habonolo khoutu ea rona ho e emisa ho debugger. Ke 'nete, o tla hloka ho hokela WinDbg mochining oa sebele bakeng sa ho lokisa kernel. Litaelo tsa ho etsa sena li ka fumanoa kapa sebelisa feela .
Pokello le kopano
Mokhoa o bonolo ka ho fetisisa oa ho etsa kopo ea lehae ke ho sebelisa (Mokhanni Development Kit). Re hloka mofuta oa khale oa bosupa, kaha liphetolelo tsa morao-rao li na le mokhoa o fapaneng hanyane mme li sebetsa haufi-ufi le Visual Studio. Haeba re sebelisa DDK, joale morero oa rona o hloka feela Makefile le mehloli.
makefile
!INCLUDE $(NTMAKEENV)makefile.defmehloli:
TARGETNAME = MyNative
TARGETTYPE = PROGRAM
UMTYPE = nt
BUFFER_OVERFLOW_CHECKS = 0
MINWIN_SDK_LIB_PATH = $(SDK_LIB_PATH)
SOURCES = source.c
INCLUDES = $(DDK_INC_PATH);
C:WinDDK7600.16385.1ndk;
TARGETLIBS = $(DDK_LIB_PATH)ntdll.lib
$(DDK_LIB_PATH)nt.lib
USE_NTDLL = 1Makefile ea hau e tla tšoana hantle, empa ha re shebeng mehloli ka botlalo. Faele ena e hlakisa mehlodi ya lenaneo la hao (.c difaele), dikgetho tsa kaho, le diparamente tse ding.
- TARGETNAME - lebitso la faele e sebetsang e lokelang ho hlahisoa qetellong.
- TARGETTYPE - mofuta oa faele e sebetsang, e ka ba mokhanni (.sys), joale boleng ba tšimo bo lokela ho ba DRIVER, haeba laebrari (.lib), joale boleng ke LIBRARY. Tabeng ea rona, re hloka faele e sebetsang (.exe), kahoo re beha boleng ho PROGRAM.
- UMTYPE - litekanyetso tse ka khonehang bakeng sa tšimo ena: console bakeng sa kopo ea console, lifensetere bakeng sa ho sebetsa ka mokhoa oa fensetere. Empa re hloka ho hlakisa nt ho fumana kopo ea lehae.
- BUFFER_OVERFLOW_CHECKS - ho lekola stack bakeng sa ho phalla ha buffer, ka bomalimabe ha se nyeoe ea rona, rea e tima.
- MINWIN_SDK_LIB_PATH - boleng bona bo bua ka SDK_LIB_PATH e fapaneng, o seke oa tšoenyeha ka hore ha o na mofuta o joalo oa sistimi e phatlalalitsoeng, ha re tsamaisa moaho o hlahlobiloeng ho tsoa ho DDK, phapang ena e tla phatlalatsoa mme e tla supa lilaebraring tse hlokahalang.
- SOURCES - lethathamo la mehloli ea lenaneo la hau.
- E kenyeletsoa - lifaele tsa hlooho tse hlokahalang bakeng sa kopano. Mona hangata ba bonts'a tsela ea lifaele tse tlang le DDK, empa u ka kenyelletsa tse ling.
- TARGETLIBS - lethathamo la lilaebrari tse hlokang ho hokahana.
- USE_NTDLL ke karolo e hlokahalang e tlamehang ho hlophisoa ho 1 ka mabaka a hlakileng.
- USER_C_FLAGS - lifolakha life kapa life tseo u ka li sebelisang ho litaelo tsa preprocessor ha u lokisa khoutu ea kopo.
Kahoo ho aha, re hloka ho tsamaisa x86 (kapa x64) E hlahlobiloe Haha, fetola bukana ea ho sebetsa ho foldara ea projeke ebe o tsamaisa taelo ea Haha. Sephetho se skrineng se bontša hore re na le faele e le 'ngoe e sebetsang.
Faele ena e ke ke ea hlahisoa habonolo, sistimi e rohaka mme e re romella ho nahana ka boitšoaro ba eona ka phoso e latelang:
Joang ho qala kopo ea lehae?
Ha autochk e qala, tatellano ea ho qala ea mananeo e khethoa ke boleng ba senotlolo sa ngoliso:
HKLMSystemCurrentControlSetControlSession ManagerBootExecuteMotsamaisi oa seboka o etsa mananeo a tsoang lethathamong lena ka bonngoe. Motsamaisi oa seboka o batla lifaele tse ka phethoang ka botsona bukeng ea system32. Sebopeho sa bohlokoa sa registry ke se latelang:
autocheck autochk *MyNativeBoleng bo tlameha ho ba ka sebopeho sa hexadecimal, eseng se tloaelehileng sa ASCII, kahoo senotlolo se bontšitsoeng ka holimo se tla ba ka sebopeho:
61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,4d,79,4e,61,74,69,76,65,00,00Ho fetolela sehlooho, o ka sebelisa tšebeletso ea inthaneteng, mohlala, .
Hoa fumaneha hore ho qala kopo ea lehae, re hloka:
- Kopitsa faele e sebetsang ho foldara ea system32
- Kenya senotlolo ho registry
- Qala mochine hape
Bakeng sa boiketlo, mona ke sengoloa se lokiselitsoeng ho kenya ts'ebeliso ea lehae:
kenya.bat
@echo off
copy MyNative.exe %systemroot%system32.
regedit /s add.reg
echo Native Example Installed
pauseeketsa.reg
REGEDIT4
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSession Manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,4d,79,4e,61,74,69,76,65,00,00Kamora ho kenya le ho qala bocha, le pele skrini sa khetho ea mosebelisi se hlaha, re tla fumana setšoantšo se latelang:
Phello
Re sebelisa mohlala oa kopo e nyane joalo, re ne re kholisehile hore ho ka khoneha ho tsamaisa kopo boemong ba Windows Native. Ka mor'a moo, 'na le bashanyana ba tsoang Univesithing ea Innopolis re tla tsoelapele ho haha ts'ebeletso e tla qala ts'ebetso ea ho sebelisana le mokhanni pejana ho feta phetolelong e fetileng ea morero oa rona. 'Me ka ho fihla ha khetla ea win32, e ka ba ho utloahalang ho fetisetsa taolo ho tšebeletso e feletseng e seng e ntlafalitsoe (ho feta ka sena. ).
Sehloohong se latelang re tla ama karolo e 'ngoe ea ts'ebeletso ea Active Restore, e leng mokhanni oa UEFI. Ingolise ho blog ea rona e le hore u se ke oa fetoa ke poso e latelang.
Source: www.habr.com