API tools faq
paste
Advertisement
Guest User

Untitled

a guest
May 22nd, 2015
212
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 11.65 KB | None | 0 0
raw download clone embed print report
  1. #include <ntddk.h>
  2. //#include <ntddkbd.h>
  3. //#include <ntstrsafe.h>
  4. #include <windef.h>
  5. #include <ntifs2.h>
  6. //#include <WinNT.h>
  7.  
  8. #define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
  9. #define IMAGE_SIZEOF_SHORT_NAME 8
  10. #define IMAGE_DIRECTORY_ENTRY_IMPORT 1
  11. #define IMAGE_ORDINAL_FLAG32 0x80000000
  12. typedef struct _IMAGE_DATA_DIRECTORY {
  13. DWORD VirtualAddress;
  14. DWORD Size;
  15. } IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
  16.  
  17. typedef struct _IMAGE_OPTIONAL_HEADER64 {
  18. WORD Magic;
  19. BYTE MajorLinkerVersion;
  20. BYTE MinorLinkerVersion;
  21. DWORD SizeOfCode;
  22. DWORD SizeOfInitializedData;
  23. DWORD SizeOfUninitializedData;
  24. DWORD AddressOfEntryPoint;
  25. DWORD BaseOfCode;
  26. ULONGLONG ImageBase;
  27. DWORD SectionAlignment;
  28. DWORD FileAlignment;
  29. WORD MajorOperatingSystemVersion;
  30. WORD MinorOperatingSystemVersion;
  31. WORD MajorImageVersion;
  32. WORD MinorImageVersion;
  33. WORD MajorSubsystemVersion;
  34. WORD MinorSubsystemVersion;
  35. DWORD Win32VersionValue;
  36. DWORD SizeOfImage;
  37. DWORD SizeOfHeaders;
  38. DWORD CheckSum;
  39. WORD Subsystem;
  40. WORD DllCharacteristics;
  41. ULONGLONG SizeOfStackReserve;
  42. ULONGLONG SizeOfStackCommit;
  43. ULONGLONG SizeOfHeapReserve;
  44. ULONGLONG SizeOfHeapCommit;
  45. DWORD LoaderFlags;
  46. DWORD NumberOfRvaAndSizes;
  47. IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
  48. } IMAGE_OPTIONAL_HEADER64, *PIMAGE_OPTIONAL_HEADER64;
  49.  
  50. typedef struct _IMAGE_FILE_HEADER {
  51. WORD Machine;
  52. WORD NumberOfSections;
  53. DWORD TimeDateStamp;
  54. DWORD PointerToSymbolTable;
  55. DWORD NumberOfSymbols;
  56. WORD SizeOfOptionalHeader;
  57. WORD Characteristics;
  58. } IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
  59.  
  60. typedef struct _IMAGE_NT_HEADERS64 {
  61. DWORD Signature;
  62. IMAGE_FILE_HEADER FileHeader;
  63. IMAGE_OPTIONAL_HEADER64 OptionalHeader;
  64. } IMAGE_NT_HEADERS64, *PIMAGE_NT_HEADERS64;
  65.  
  66. typedef IMAGE_NT_HEADERS64 IMAGE_NT_HEADERS;
  67.  
  68. #define IMAGE_FIRST_SECTION( ntheader ) ((PIMAGE_SECTION_HEADER) \
  69. ((ULONG_PTR)(ntheader) + \
  70. FIELD_OFFSET( IMAGE_NT_HEADERS, OptionalHeader ) + \
  71. ((ntheader))->FileHeader.SizeOfOptionalHeader \
  72. ))
  73.  
  74. typedef struct _IMAGE_IMPORT_BY_NAME {
  75. WORD Hint;
  76. BYTE Name[1];
  77. } IMAGE_IMPORT_BY_NAME, *PIMAGE_IMPORT_BY_NAME;
  78.  
  79. typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
  80. WORD e_magic; // Magic number
  81. WORD e_cblp; // Bytes on last page of file
  82. WORD e_cp; // Pages in file
  83. WORD e_crlc; // Relocations
  84. WORD e_cparhdr; // Size of header in paragraphs
  85. WORD e_minalloc; // Minimum extra paragraphs needed
  86. WORD e_maxalloc; // Maximum extra paragraphs needed
  87. WORD e_ss; // Initial (relative) SS value
  88. WORD e_sp; // Initial SP value
  89. WORD e_csum; // Checksum
  90. WORD e_ip; // Initial IP value
  91. WORD e_cs; // Initial (relative) CS value
  92. WORD e_lfarlc; // File address of relocation table
  93. WORD e_ovno; // Overlay number
  94. WORD e_res[4]; // Reserved words
  95. WORD e_oemid; // OEM identifier (for e_oeminfo)
  96. WORD e_oeminfo; // OEM information; e_oemid specific
  97. WORD e_res2[10]; // Reserved words
  98. LONG e_lfanew; // File address of new exe header
  99. } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
  100.  
  101.  
  102.  
  103.  
  104.  
  105.  
  106. typedef struct _IMAGE_SECTION_HEADER {
  107. BYTE Name[IMAGE_SIZEOF_SHORT_NAME];
  108. union {
  109. DWORD PhysicalAddress;
  110. DWORD VirtualSize;
  111. } Misc;
  112. DWORD VirtualAddress;
  113. DWORD SizeOfRawData;
  114. DWORD PointerToRawData;
  115. DWORD PointerToRelocations;
  116. DWORD PointerToLinenumbers;
  117. WORD NumberOfRelocations;
  118. WORD NumberOfLinenumbers;
  119. DWORD Characteristics;
  120. } IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
  121.  
  122. typedef struct _IMAGE_IMPORT_DESCRIPTOR {
  123. union {
  124. DWORD Characteristics; // 0 for terminating null import descriptor
  125. DWORD OriginalFirstThunk; // RVA to original unbound IAT (PIMAGE_THUNK_DATA)
  126. };
  127. DWORD TimeDateStamp; // 0 if not bound,
  128. // -1 if bound, and real date\time stamp
  129. // in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
  130. // O.W. date/time stamp of DLL bound to (Old BIND)
  131.  
  132. DWORD ForwarderChain; // -1 if no forwarders
  133. DWORD Name;
  134. DWORD FirstThunk; // RVA to IAT (if bound this IAT has actual addresses)
  135. } IMAGE_IMPORT_DESCRIPTOR;
  136. typedef IMAGE_IMPORT_DESCRIPTOR __unaligned *PIMAGE_IMPORT_DESCRIPTOR;
  137.  
  138. typedef struct _IMAGE_THUNK_DATA64 {
  139. union {
  140. ULONGLONG ForwarderString; // PBYTE
  141. ULONGLONG Function; // PDWORD
  142. ULONGLONG Ordinal;
  143. ULONGLONG AddressOfData; // PIMAGE_IMPORT_BY_NAME
  144. } u1;
  145. } IMAGE_THUNK_DATA64;
  146. typedef IMAGE_THUNK_DATA64 * PIMAGE_THUNK_DATA64;
  147.  
  148. typedef PIMAGE_THUNK_DATA64 PIMAGE_THUNK_DATA;
  149.  
  150.  
  151.  
  152.  
  153.  
  154. NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);
  155. VOID UnloadRoutine(IN PDRIVER_OBJECT DriverObject);
  156. NTSTATUS CreateObjectFile(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
  157. NTSTATUS CloseObjectFile(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
  158. NTSTATUS DefaultHandler(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
  159. NTSTATUS DeviceControl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
  160.  
  161. PVOID PsGetProcessSectionBaseAddress(__in PEPROCESS Process);
  162.  
  163. HANDLE MyOpenProcess(HANDLE ProcessId);
  164.  
  165. #define THE_BUFFER_LENGTH 100
  166.  
  167. typedef struct _DEVICE_EXTENSION
  168. {
  169. unsigned char InBuffer[THE_BUFFER_LENGTH];
  170. }DEVICE_EXTENSION, *PDEVICE_EXTENSION;
  171.  
  172. //----------------------------------//
  173.  
  174. NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
  175. {
  176. UNREFERENCED_PARAMETER(RegistryPath);
  177.  
  178. DbgPrint("I am in DriverEntry \n");
  179.  
  180. UNICODE_STRING DeviceName, DosDeviceName;
  181.  
  182. MyOpenProcess(2200);
  183.  
  184. return -1;
  185. }
  186.  
  187. VOID UnloadRoutine(IN PDRIVER_OBJECT DriverObject)
  188. {
  189. DbgPrint("I am in UnloadRoutine \n");
  190.  
  191. UNICODE_STRING LineDosDevice;
  192. RtlInitUnicodeString(&LineDosDevice, L"\\DosDevices\\DosDumpDevice");
  193. IoDeleteSymbolicLink(&LineDosDevice);
  194.  
  195. IoDeleteDevice(DriverObject->DeviceObject);
  196.  
  197. }
  198.  
  199. NTSTATUS CreateObjectFile(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
  200. {
  201. UNREFERENCED_PARAMETER(DeviceObject);
  202.  
  203. DbgPrint("I am in CreateObjectFile \n");
  204.  
  205. Irp->IoStatus.Status = STATUS_SUCCESS;
  206. Irp->IoStatus.Information = 0;
  207. IoCompleteRequest(Irp, IO_NO_INCREMENT);
  208. return STATUS_SUCCESS;
  209. }
  210.  
  211. NTSTATUS CloseObjectFile(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
  212. {
  213. UNREFERENCED_PARAMETER(DeviceObject);
  214.  
  215. DbgPrint("I am in CloseObjectFile\n");
  216.  
  217. Irp->IoStatus.Status = STATUS_SUCCESS;
  218. Irp->IoStatus.Information = 0;
  219. IoCompleteRequest(Irp, IO_NO_INCREMENT);
  220. return STATUS_SUCCESS;
  221. }
  222.  
  223. NTSTATUS DefaultHandler(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
  224. {
  225. DbgPrint("I am in DefaultHandler\n");
  226.  
  227. UNREFERENCED_PARAMETER(DeviceObject);
  228.  
  229. Irp->IoStatus.Status = STATUS_NOT_SUPPORTED;
  230. Irp->IoStatus.Information = 0;
  231. IoCompleteRequest(Irp, IO_NO_INCREMENT);
  232.  
  233. return Irp->IoStatus.Status;
  234. }
  235.  
  236. NTSTATUS DeviceControl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
  237. {
  238. DbgPrint("I am in read DeviceControl.\n");
  239. PDEVICE_EXTENSION DeviceExtension = (PDEVICE_EXTENSION)DeviceObject->DeviceExtension;
  240.  
  241. PIO_STACK_LOCATION IoStackLocation = IoGetCurrentIrpStackLocation(Irp);
  242. ULONG bufsize = IoStackLocation->Parameters.Read.Length;
  243. //----------------Наткнулись на буферизированное устройство-----------------------//
  244. RtlMoveMemory(DeviceExtension->InBuffer, Irp->AssociatedIrp.SystemBuffer, bufsize);
  245. Irp->IoStatus.Information = bufsize;
  246.  
  247. DeviceExtension->InBuffer[bufsize] = '\0';
  248.  
  249. DbgPrint("Name of process: %s\n", DeviceExtension->InBuffer);
  250. HANDLE ProcessId = IoStackLocation->Parameters.DeviceIoControl.IoControlCode;
  251. // DeviceExtension->PID;
  252.  
  253. MyOpenProcess(ProcessId);
  254.  
  255.  
  256. Irp->IoStatus.Status = STATUS_SUCCESS;
  257. IoCompleteRequest(Irp, IO_NO_INCREMENT);
  258.  
  259. return STATUS_SUCCESS;
  260.  
  261. }
  262.  
  263. //---------------------Снимаем Дамп--------------------//
  264. HANDLE MyOpenProcess(HANDLE ProcessId)
  265. {
  266. PEPROCESS Process = NULL;
  267. NTSTATUS Status;
  268. HANDLE hProcess = NULL;
  269. PIMAGE_DOS_HEADER dosHeader;
  270. PIMAGE_NT_HEADERS ntHeader;
  271. IMAGE_FILE_HEADER header;
  272. IMAGE_OPTIONAL_HEADER64 opHeader;
  273. PIMAGE_SECTION_HEADER pSecHeader;
  274. int i;
  275. UNREFERENCED_PARAMETER(Process);
  276. UNREFERENCED_PARAMETER(Status);
  277. UNREFERENCED_PARAMETER(hProcess);
  278.  
  279. __debugbreak();
  280.  
  281. Status = PsLookupProcessByProcessId(ProcessId, &Process);
  282. if (Status != STATUS_SUCCESS)
  283. DbgPrint("I can't in PsLookupProcessByProcessId\n");
  284.  
  285. Status = ObOpenObjectByPointer(Process, OBJ_KERNEL_HANDLE, 0, 0x1F0FFF, 0, 0, &hProcess);
  286. if (Status != STATUS_SUCCESS)
  287. DbgPrint("I can't in ObOpenObjectByPointer\n");
  288.  
  289. //---------------Attach----------------------//
  290. KeAttachProcess(Process);
  291.  
  292. PVOID BaseAddress = PsGetProcessSectionBaseAddress(Process);
  293.  
  294. //for (int i = 0; i < 10; i++)
  295. //PIMAGE_NT_HEADERS64
  296.  
  297. //CHAR Buffer[32];
  298. //ULONG CountOfRead = 0;
  299.  
  300. //NtReadVirtualMemory(hProcess, BaseAddress, Buffer, 20, &CountOfRead);
  301. dosHeader = (PIMAGE_DOS_HEADER)BaseAddress;
  302. ntHeader = (PIMAGE_NT_HEADERS)((DWORD)(dosHeader)+(dosHeader->e_lfanew));
  303. opHeader = ntHeader->OptionalHeader;
  304.  
  305. UINT64 pDataDirImportRVA = ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
  306. UINT64 pDataDirImportSize = ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size;
  307.  
  308. for (pSecHeader = IMAGE_FIRST_SECTION(ntHeader), i = 0; i < ntHeader->FileHeader.NumberOfSections; i++, pSecHeader++)
  309. {
  310. if ((pDataDirImportRVA >= pSecHeader->VirtualAddress) && ((pSecHeader->VirtualAddress + pSecHeader->Misc.VirtualSize) > pDataDirImportRVA))
  311. {
  312.  
  313. UINT64 pIAT = (pDataDirImportRVA - pSecHeader->VirtualAddress) + pSecHeader->PointerToRawData;
  314.  
  315. PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor = NULL;
  316. PIMAGE_THUNK_DATA pImageThunkData = NULL;
  317.  
  318. pImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)(pIAT + (DWORD)BaseAddress);
  319. while (pImportDescriptor->FirstThunk != 0)
  320. {
  321.  
  322. //DbgPrint(" Module : %s\n", (pImportDescriptor->Name - pSecHeader->VirtualAddress) + pSecHeader->PointerToRawData + (DWORD)BaseAddress);
  323. pImageThunkData = (PIMAGE_THUNK_DATA)((DWORD)BaseAddress + pImportDescriptor->FirstThunk - pSecHeader->VirtualAddress + pSecHeader->PointerToRawData);
  324. while (pImageThunkData->u1.Function)
  325. {
  326. if (!(pImageThunkData->u1.Ordinal & IMAGE_ORDINAL_FLAG32))
  327. {
  328. PIMAGE_IMPORT_BY_NAME pStr = (PIMAGE_IMPORT_BY_NAME)((DWORD)BaseAddress + pImageThunkData->u1.AddressOfData - pSecHeader->VirtualAddress + pSecHeader->PointerToRawData);
  329. }
  330. else
  331. pImageThunkData++;
  332. }
  333. ++pImportDescriptor;
  334. }
  335. }
  336. DbgPrint("\n%-36s%s", "Section Header name : ", pSecHeader->Name);
  337. DbgPrint("\n%-36s%#x", "ActualSize of code or data : ", pSecHeader->Misc.VirtualSize);
  338. DbgPrint("\n%-36s%#x", "Virtual Address(RVA) :", pSecHeader->VirtualAddress);
  339. // printf("\n%-36s%#x", "Size of raw data (rounded to FA) : ", pSecHeader->SizeOfRawData);
  340. // printf("\n%-36s%#x", "Pointer to Raw Data : ", pSecHeader->PointerToRawData);
  341. }
  342.  
  343.  
  344. DbgPrint("BaseAddress: \n");
  345.  
  346. //--------------Deattach---------------------//
  347. KeDetachProcess();
  348.  
  349. ObDereferenceObject(Process);
  350.  
  351. return hProcess;
  352. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!