日期:2011-04-05 01:16:00 来源:本站整理
<b>Windows NT/2000/XP下不用驱动的Ring0代码实现</b>[Windows安全]
本文“<b>Windows NT/2000/XP下不用驱动的Ring0代码实现</b>[Windows安全]”是由七道奇为您精心收集,来源于网络转载,文章版权归文章作者所有,本站不对其观点以及内容做任何评价,请读者自行判断,以下是其具体内容:
大家知道,Windows NT/2000为实现其坚固性,严峻将系统划分为内核情势与用户情势,在i386系统中辨别对应CPU的 Ring0与Ring3级别.Ring0下,可以履行特权级指令,对任何I/O设备都有拜候权等等.要实现从用户态进入核心态,即从Ring 3进入 Ring 0必须借助CPU的某种门机制,如中止门、调用门等.而Windows NT/2000供利用户态履行系统服务(Ring 0例程)的此类机制即System Service的int 2eh中止服务等,严峻的参数查抄,只能严峻的履行Windows NT/2000供应的服务,而假如想履行用户供应的Ring 0代码(指运行在Ring 0权限的代码),通例办法仿佛只有编写设备驱动程序.本文将介绍一种在用户态不借助任何驱动程序履行 Ring0代码的办法.
Windows NT/2000将设备驱动程序调入内核区域(常见的位于地址0x80000000上),由DPL为0的GDT项8,即cs为8时实现Ring 0权限.本文通过在系统中构造一个指向我们的代码的调用门(CallGate),实现Ring0代码.基于这个思绪,为实现这个目的主如果构造自己的CallGate.CallGate由系统中叫Global Descriptor Table (GDT)的全局表指定.GDT地址可由i386指令sgdt得到(sgdt不是特权级指令,普通Ring 3程序都可履行).GDT地址在Windows NT/2000保存于KPCR(Processor Control Region)构造中(见《再谈 Windows NT/2000环境切换》).GDT中的CallGate是以下的格局:
typedef struct
{
unsigned short offset_0_15;
unsigned short selector;
unsigned char param_count : 4;
unsigned char some_bits : 4;
unsigned char type : 4;
unsigned char app_system : 1;
unsigned char dpl : 2;
unsigned char present : 1;
unsigned short offset_16_31;
} CALLGATE_DESCRIPTOR;
GDT 位于内核区域,普通用户态的程序是不大概对这段内存区域有直接的拜候权.幸运的是Windows NT/2000供应了一个叫 PhysicalMemory的Section内查对象位于\Device的途径下.顾名思义,通过这个Section对象可以对物理内存举行操作.用 objdir.exe对这个对象解析以下:
C:\NTDDK\bin>objdir /D \Device
PhysicalMemory
Section
DACL -
Ace[ 0] - Grant - 0xf001f - NT AUTHORITY\SYSTEM
Inherit:
Access: 0x001F and ( D RCtl WOwn WDacl )
Ace[ 1] - Grant - 0x2000d - BUILTIN\Administrators
Inherit:
Access: 0x000D and ( RCtl )
从dump出的这个对象DACL的Ace可以看出默许情形下只有SYSTEM用户才有对这个对象的读写权限,即对物理内存有读写本领,而 Administrator只有读权限,普通用户根本就没有权限.不过假如我们有Administrator权限便可以通过 GetSecurityInfo、SetEntriesInAcl与SetSecurityInfo这些API来改正这个对象的ACE.这也是我供应的代码需求Administrator的缘由.实现的代码以下:
VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
{
PACL pDacl=NULL;
PACL pNewDacl=NULL;
PSECURITY_DESCRIPTOR pSD=NULL;
DWORD dwRes;
EXPLICIT_ACCESS ea;
if(dwRes=GetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,
NULL,NULL,&pDacl,NULL,&pSD)!=ERROR_SUCCESS)
{
printf( "GetSecurityInfo Error %u\n", dwRes );
goto CleanUp;
}
ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
ea.grfAccessPermissions = SECTION_MAP_WRITE;
ea.grfAccessMode = GRANT_ACCESS;
ea.grfInheritance= NO_INHERITANCE;
ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
ea.Trustee.ptstrName = "CURRENT_USER";
if(dwRes=SetEntriesInAcl(1,&ea,pDacl,&pNewDacl)!=ERROR_SUCCESS)
{
printf( "SetEntriesInAcl %u\n", dwRes );
goto CleanUp;
}
if(dwRes=SetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,pNewDacl,NULL)!=ERROR_SUCCESS)
{
printf("SetSecurityInfo %u\n",dwRes);
goto CleanUp;
}
CleanUp:
if(pSD)
LocalFree(pSD);
if(pNewDacl)
LocalFree(pSD);
}
这段代码对给定HANDLE的对象增添了以下的ACE:
PhysicalMemory
Section
DACL -
Ace[ 0] - Grant - 0x2 - WEBCRAZY\Administrator
Inherit:
Access: 0x0002 //SECTION_MAP_WRITE
这样我们在有Administrator权限的条件下就有了对物理内存的读写本领.但假如要改正GDT表实现Ring 0代码.我们将面对着另一个难题,因为sgdt指令得到的GDT地址是虚拟地址(线性地址),我们只有知道GDT表的物理地址后才能通过\Device\PhysicalMemory对象改正GDT表,这就牵扯到了线性地址转化成物理地址的问题.我们先来看一看Windows NT/2000是若何实现这个的:
kd> u nt!MmGetPhysicalAddress l 30
ntoskrnl!MmGetPhysicalAddress:
801374e0 56 push esi
801374e1 8b742408 mov esi,[esp+0x8]
801374e5 33d2 xor edx,edx
801374e7 81fe00000080 cmp esi,0x80000000
801374ed 722c jb ntoskrnl!MmGetPhysicalAddress+0x2b (8013751b)
801374ef 81fe000000a0 cmp esi,0xa0000000
801374f5 7324 jnb ntoskrnl!MmGetPhysicalAddress+0x2b (8013751b)
801374f7 39153ce71780 cmp [ntoskrnl!MmKseg2Frame (8017e73c)],edx
801374fd 741c jz ntoskrnl!MmGetPhysicalAddress+0x2b (8013751b)
801374ff 8bc6 mov eax,esi
80137501 c1e80c shr eax,0xc
80137504 25ffff0100 and eax,0x1ffff
80137509 6a0c push 0xc
8013750b 59 pop ecx
8013750c e8d3a7fcff call ntoskrnl!_allshl (80101ce4)
80137511 81e6ff0f0000 and esi,0xfff
80137517 03c6 add eax,esi
80137519 eb17 jmp ntoskrnl!MmGetPhysicalAddress+0x57 (80137532)
8013751b 8bc6 mov eax,esi
8013751d c1e80a shr eax,0xa
80137520 25fcff3f00 and eax,0x3ffffc
80137525 2d00000040 sub eax,0x40000000
8013752a 8b00 mov eax,[eax]
8013752c a801 test al,0x1
8013752e 7506 jnz ntoskrnl!MmGetPhysicalAddress+0x44 (80137536)
80137530 33c0 xor eax,eax
80137532 5e pop esi
80137533 c20400 ret 0x4
从这段汇编代码可看出假如线性地址在0x80000000与0xa0000000范围内,只是简单的举行移位操作(位于801374ff- 80137519指令间),并未查页表.我想Microsoft这样安置必定是出于履行效率的考虑.这也为我们指明了一线曙光,因为GDT表在 Windows NT/2000中普通情形下均位于这个区域(我不知道/3GB开关的Windows NT/2000是不是这种情形).
经过这样的解析,我们便可以只通过用户态程序改正GDT表了.而增添一个CallGate就不是我可以介绍的了,找本Intel手册自己看一看了.具体实现代码以下:
typedef struct gdtr {
short Limit;
short BaseLow;
short BaseHigh;
} Gdtr_t, *PGdtr_t;
ULONG MiniMmGetPhysicalAddress(ULONG virtualaddress)
{
if(virtualaddress<0x80000000||virtualaddress>=0xA0000000)
return 0;
return virtualaddress&0x1FFFF000;
}
BOOL ExecRing0Proc(ULONG Entry,ULONG seglen)
{
Gdtr_t gdt;
__asm sgdt gdt;
ULONG mapAddr=MiniMmGetPhysicalAddress(gdt.BaseHigh<<16U|gdt.BaseLow);
if(!mapAddr) return 0;
HANDLE hSection=NULL;
NTSTATUS status;
OBJECT_ATTRIBUTES objectAttributes;
UNICODE_STRING objName;
CALLGATE_DESCRIPTOR *cg;
status = STATUS_SUCCESS;
RtlInitUnicodeString(&objName,L"\\Device\\PhysicalMemory");
InitializeObjectAttributes(&objectAttributes,
&objName,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
(PSECURITY_DESCRIPTOR) NULL);
status = ZwOpenSection(&hSection,SECTION_MAP_READ|SECTION_MAP_WRITE,&objectAttributes);
if(status == STATUS_ACCESS_DENIED){
status = ZwOpenSection(&hSection,READ_CONTROL|WRITE_DAC,&objectAttributes);
SetPhyscialMemorySectionCanBeWrited(hSection);
ZwClose(hSection);
status =ZwOpenSection(&hSection,SECTION_MAP_WRITE|SECTION_MAP_WRITE,&objectAttributes);
}
if(status != STATUS_SUCCESS)
{
printf("Error Open PhysicalMemory Section Object,Status:%08X\n",status);
return 0;
}
PVOID BaseAddress;
BaseAddress=MapViewOfFile(hSection,
FILE_MAP_READ|FILE_MAP_WRITE,
0,
mapAddr, //low part
(gdt.Limit+1));
if(!BaseAddress)
{
printf("Error MapViewOfFile:");
PrintWin32Error(GetLastError());
return 0;
}
BOOL setcg=FALSE;
for(cg=(CALLGATE_DESCRIPTOR *)((ULONG)BaseAddress+(gdt.Limit&0xFFF8));(ULONG)cg>(ULONG)BaseAddress;cg--)
if(cg->type == 0){
cg->offset_0_15 = LOWORD(Entry);
cg->selector = 8;
cg->param_count = 0;
cg->some_bits = 0;
cg->type = 0xC; // 386 call gate
cg->app_system = 0; // A system descriptor
cg->dpl = 3; // Ring 3 code can call
cg->present = 1;
cg->offset_16_31 = HIWORD(Entry);
setcg=TRUE;
break;
}
if(!setcg){
ZwClose(hSection);
return 0;
}
short farcall[3];
farcall[2]=((short)((ULONG)cg-(ULONG)BaseAddress))|3; //Ring 3 callgate;
if(!VirtualLock((PVOID)Entry,seglen))
{
printf("Error VirtualLock:");
PrintWin32Error(GetLastError());
return 0;
}
SetThreadPriority(GetCurrentThread(),THREAD_PRIORITY_TIME_CRITICAL);
Sleep(0);
_asm call fword ptr [farcall]
SetThreadPriority(GetCurrentThread(),THREAD_PRIORITY_NORMAL);
VirtualUnlock((PVOID)Entry,seglen);
//Clear callgate
*(ULONG *)cg=0;
*((ULONG *)cg+1)=0;
ZwClose(hSection);
return TRUE;
}
我在供应的代码中演示了对Control Register与I/O端口的操作.CIH病毒在Windows 9X中就是因为得到Ring 0权限才有了一定的危害,但Windows NT/2000毕竟不是Windows 9X,她已经有了对比多的安全考核机制,本文供应的代码也要求具有 Administrator权限,但假如系统存在某种漏洞,如缓冲区溢出等等,还是有大概得到这种权限的,所以我不对本文供应的办法负有任何的责任,全部谈论只是一个技术酷爱者在谈论技术罢了.谢谢! 以上是“<b>Windows NT/2000/XP下不用驱动的Ring0代码实现</b>[Windows安全]”的内容,如果你对以上该文章内容感兴趣,你可以看看七道奇为您推荐以下文章:
<b>hosts是什么 hosts文件在什么位置 若何改正hosts</b>
<b>在 Windows 8 中手动安装语言包</b>
<b>五个常见 PHP数据库问题</b>
Windows中Alt键的12个高效快速的利用本领介绍
<b>MySQL ORDER BY 的实现解析</b>
<b>详解MySQL存储历程参数有三种范例(in、out、inout)</b>
<b>Win8系统恢复出来经典的开始菜单的办法</b>
<b>Win8系统花屏怎么办 Win8系统花屏的办理办法</b>
<b>Windows 7系统下无线网卡安装</b>
<b>为什么 Linux不需求碎片整理</b>
<b>Windows 8中删除账户的几种办法(图)</b>
<b>教你如安在win7下配置路由器</b>
Windows NT/2000将设备驱动程序调入内核区域(常见的位于地址0x80000000上),由DPL为0的GDT项8,即cs为8时实现Ring 0权限.本文通过在系统中构造一个指向我们的代码的调用门(CallGate),实现Ring0代码.基于这个思绪,为实现这个目的主如果构造自己的CallGate.CallGate由系统中叫Global Descriptor Table (GDT)的全局表指定.GDT地址可由i386指令sgdt得到(sgdt不是特权级指令,普通Ring 3程序都可履行).GDT地址在Windows NT/2000保存于KPCR(Processor Control Region)构造中(见《再谈 Windows NT/2000环境切换》).GDT中的CallGate是以下的格局:
typedef struct
{
unsigned short offset_0_15;
unsigned short selector;
unsigned char param_count : 4;
unsigned char some_bits : 4;
unsigned char type : 4;
unsigned char app_system : 1;
unsigned char dpl : 2;
unsigned char present : 1;
unsigned short offset_16_31;
} CALLGATE_DESCRIPTOR;
GDT 位于内核区域,普通用户态的程序是不大概对这段内存区域有直接的拜候权.幸运的是Windows NT/2000供应了一个叫 PhysicalMemory的Section内查对象位于\Device的途径下.顾名思义,通过这个Section对象可以对物理内存举行操作.用 objdir.exe对这个对象解析以下:
C:\NTDDK\bin>objdir /D \Device
PhysicalMemory
Section
DACL -
Ace[ 0] - Grant - 0xf001f - NT AUTHORITY\SYSTEM
Inherit:
Access: 0x001F and ( D RCtl WOwn WDacl )
Ace[ 1] - Grant - 0x2000d - BUILTIN\Administrators
Inherit:
Access: 0x000D and ( RCtl )
从dump出的这个对象DACL的Ace可以看出默许情形下只有SYSTEM用户才有对这个对象的读写权限,即对物理内存有读写本领,而 Administrator只有读权限,普通用户根本就没有权限.不过假如我们有Administrator权限便可以通过 GetSecurityInfo、SetEntriesInAcl与SetSecurityInfo这些API来改正这个对象的ACE.这也是我供应的代码需求Administrator的缘由.实现的代码以下:
VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
{
PACL pDacl=NULL;
PACL pNewDacl=NULL;
PSECURITY_DESCRIPTOR pSD=NULL;
DWORD dwRes;
EXPLICIT_ACCESS ea;
if(dwRes=GetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,
NULL,NULL,&pDacl,NULL,&pSD)!=ERROR_SUCCESS)
{
printf( "GetSecurityInfo Error %u\n", dwRes );
goto CleanUp;
}
ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
ea.grfAccessPermissions = SECTION_MAP_WRITE;
ea.grfAccessMode = GRANT_ACCESS;
ea.grfInheritance= NO_INHERITANCE;
ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
ea.Trustee.ptstrName = "CURRENT_USER";
if(dwRes=SetEntriesInAcl(1,&ea,pDacl,&pNewDacl)!=ERROR_SUCCESS)
{
printf( "SetEntriesInAcl %u\n", dwRes );
goto CleanUp;
}
if(dwRes=SetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,pNewDacl,NULL)!=ERROR_SUCCESS)
{
printf("SetSecurityInfo %u\n",dwRes);
goto CleanUp;
}
CleanUp:
if(pSD)
LocalFree(pSD);
if(pNewDacl)
LocalFree(pSD);
}
这段代码对给定HANDLE的对象增添了以下的ACE:
PhysicalMemory
Section
DACL -
Ace[ 0] - Grant - 0x2 - WEBCRAZY\Administrator
Inherit:
Access: 0x0002 //SECTION_MAP_WRITE
这样我们在有Administrator权限的条件下就有了对物理内存的读写本领.但假如要改正GDT表实现Ring 0代码.我们将面对着另一个难题,因为sgdt指令得到的GDT地址是虚拟地址(线性地址),我们只有知道GDT表的物理地址后才能通过\Device\PhysicalMemory对象改正GDT表,这就牵扯到了线性地址转化成物理地址的问题.我们先来看一看Windows NT/2000是若何实现这个的:
kd> u nt!MmGetPhysicalAddress l 30
ntoskrnl!MmGetPhysicalAddress:
801374e0 56 push esi
801374e1 8b742408 mov esi,[esp+0x8]
801374e5 33d2 xor edx,edx
801374e7 81fe00000080 cmp esi,0x80000000
801374ed 722c jb ntoskrnl!MmGetPhysicalAddress+0x2b (8013751b)
801374ef 81fe000000a0 cmp esi,0xa0000000
801374f5 7324 jnb ntoskrnl!MmGetPhysicalAddress+0x2b (8013751b)
801374f7 39153ce71780 cmp [ntoskrnl!MmKseg2Frame (8017e73c)],edx
801374fd 741c jz ntoskrnl!MmGetPhysicalAddress+0x2b (8013751b)
801374ff 8bc6 mov eax,esi
80137501 c1e80c shr eax,0xc
80137504 25ffff0100 and eax,0x1ffff
80137509 6a0c push 0xc
8013750b 59 pop ecx
8013750c e8d3a7fcff call ntoskrnl!_allshl (80101ce4)
80137511 81e6ff0f0000 and esi,0xfff
80137517 03c6 add eax,esi
80137519 eb17 jmp ntoskrnl!MmGetPhysicalAddress+0x57 (80137532)
8013751b 8bc6 mov eax,esi
8013751d c1e80a shr eax,0xa
80137520 25fcff3f00 and eax,0x3ffffc
80137525 2d00000040 sub eax,0x40000000
8013752a 8b00 mov eax,[eax]
8013752c a801 test al,0x1
8013752e 7506 jnz ntoskrnl!MmGetPhysicalAddress+0x44 (80137536)
80137530 33c0 xor eax,eax
80137532 5e pop esi
80137533 c20400 ret 0x4
从这段汇编代码可看出假如线性地址在0x80000000与0xa0000000范围内,只是简单的举行移位操作(位于801374ff- 80137519指令间),并未查页表.我想Microsoft这样安置必定是出于履行效率的考虑.这也为我们指明了一线曙光,因为GDT表在 Windows NT/2000中普通情形下均位于这个区域(我不知道/3GB开关的Windows NT/2000是不是这种情形).
经过这样的解析,我们便可以只通过用户态程序改正GDT表了.而增添一个CallGate就不是我可以介绍的了,找本Intel手册自己看一看了.具体实现代码以下:
typedef struct gdtr {
short Limit;
short BaseLow;
short BaseHigh;
} Gdtr_t, *PGdtr_t;
ULONG MiniMmGetPhysicalAddress(ULONG virtualaddress)
{
if(virtualaddress<0x80000000||virtualaddress>=0xA0000000)
return 0;
return virtualaddress&0x1FFFF000;
}
BOOL ExecRing0Proc(ULONG Entry,ULONG seglen)
{
Gdtr_t gdt;
__asm sgdt gdt;
ULONG mapAddr=MiniMmGetPhysicalAddress(gdt.BaseHigh<<16U|gdt.BaseLow);
if(!mapAddr) return 0;
HANDLE hSection=NULL;
NTSTATUS status;
OBJECT_ATTRIBUTES objectAttributes;
UNICODE_STRING objName;
CALLGATE_DESCRIPTOR *cg;
status = STATUS_SUCCESS;
RtlInitUnicodeString(&objName,L"\\Device\\PhysicalMemory");
InitializeObjectAttributes(&objectAttributes,
&objName,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
(PSECURITY_DESCRIPTOR) NULL);
status = ZwOpenSection(&hSection,SECTION_MAP_READ|SECTION_MAP_WRITE,&objectAttributes);
if(status == STATUS_ACCESS_DENIED){
status = ZwOpenSection(&hSection,READ_CONTROL|WRITE_DAC,&objectAttributes);
SetPhyscialMemorySectionCanBeWrited(hSection);
ZwClose(hSection);
status =ZwOpenSection(&hSection,SECTION_MAP_WRITE|SECTION_MAP_WRITE,&objectAttributes);
}
if(status != STATUS_SUCCESS)
{
printf("Error Open PhysicalMemory Section Object,Status:%08X\n",status);
return 0;
}
PVOID BaseAddress;
BaseAddress=MapViewOfFile(hSection,
FILE_MAP_READ|FILE_MAP_WRITE,
0,
mapAddr, //low part
(gdt.Limit+1));
if(!BaseAddress)
{
printf("Error MapViewOfFile:");
PrintWin32Error(GetLastError());
return 0;
}
BOOL setcg=FALSE;
for(cg=(CALLGATE_DESCRIPTOR *)((ULONG)BaseAddress+(gdt.Limit&0xFFF8));(ULONG)cg>(ULONG)BaseAddress;cg--)
if(cg->type == 0){
cg->offset_0_15 = LOWORD(Entry);
cg->selector = 8;
cg->param_count = 0;
cg->some_bits = 0;
cg->type = 0xC; // 386 call gate
cg->app_system = 0; // A system descriptor
cg->dpl = 3; // Ring 3 code can call
cg->present = 1;
cg->offset_16_31 = HIWORD(Entry);
setcg=TRUE;
break;
}
if(!setcg){
ZwClose(hSection);
return 0;
}
short farcall[3];
farcall[2]=((short)((ULONG)cg-(ULONG)BaseAddress))|3; //Ring 3 callgate;
if(!VirtualLock((PVOID)Entry,seglen))
{
printf("Error VirtualLock:");
PrintWin32Error(GetLastError());
return 0;
}
SetThreadPriority(GetCurrentThread(),THREAD_PRIORITY_TIME_CRITICAL);
Sleep(0);
_asm call fword ptr [farcall]
SetThreadPriority(GetCurrentThread(),THREAD_PRIORITY_NORMAL);
VirtualUnlock((PVOID)Entry,seglen);
//Clear callgate
*(ULONG *)cg=0;
*((ULONG *)cg+1)=0;
ZwClose(hSection);
return TRUE;
}
我在供应的代码中演示了对Control Register与I/O端口的操作.CIH病毒在Windows 9X中就是因为得到Ring 0权限才有了一定的危害,但Windows NT/2000毕竟不是Windows 9X,她已经有了对比多的安全考核机制,本文供应的代码也要求具有 Administrator权限,但假如系统存在某种漏洞,如缓冲区溢出等等,还是有大概得到这种权限的,所以我不对本文供应的办法负有任何的责任,全部谈论只是一个技术酷爱者在谈论技术罢了.谢谢! 以上是“<b>Windows NT/2000/XP下不用驱动的Ring0代码实现</b>[Windows安全]”的内容,如果你对以上该文章内容感兴趣,你可以看看七道奇为您推荐以下文章:
本文地址: | 与您的QQ/BBS好友分享! |
评论内容只代表网友观点,与本站立场无关!
评论摘要(共 0 条,得分 0 分,平均 0 分)
查看完整评论