API tools faq
paste
Advertisement
Guest User

Untitled

a guest
May 22nd, 2015
245
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 13.47 KB | None | 0 0
raw download clone embed print report
  1. #include <ntddk.h>
  2. #include <ntddkbd.h>
  3. #include <ntstrsafe.h>
  4. #include "ntifs.h"
  5. #include <windef.h>
  6.  
  7. #define IMAGE_NUMBEROF_DIRECTORY_ENTRIES    16
  8. #define IMAGE_SIZEOF_SHORT_NAME              8
  9. #define IMAGE_DIRECTORY_ENTRY_IMPORT          1
  10. #define IMAGE_ORDINAL_FLAG32 0x80000000
  11.  
  12. typedef struct _IMAGE_DATA_DIRECTORY {
  13.     DWORD   VirtualAddress;
  14.     DWORD   Size;
  15. } IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
  16.  
  17. typedef struct _IMAGE_OPTIONAL_HEADER64 {
  18.     WORD        Magic;
  19.     BYTE        MajorLinkerVersion;
  20.     BYTE        MinorLinkerVersion;
  21.     DWORD       SizeOfCode;
  22.     DWORD       SizeOfInitializedData;
  23.     DWORD       SizeOfUninitializedData;
  24.     DWORD       AddressOfEntryPoint;
  25.     DWORD       BaseOfCode;
  26.     ULONGLONG   ImageBase;
  27.     DWORD       SectionAlignment;
  28.     DWORD       FileAlignment;
  29.     WORD        MajorOperatingSystemVersion;
  30.     WORD        MinorOperatingSystemVersion;
  31.     WORD        MajorImageVersion;
  32.     WORD        MinorImageVersion;
  33.     WORD        MajorSubsystemVersion;
  34.     WORD        MinorSubsystemVersion;
  35.     DWORD       Win32VersionValue;
  36.     DWORD       SizeOfImage;
  37.     DWORD       SizeOfHeaders;
  38.     DWORD       CheckSum;
  39.     WORD        Subsystem;
  40.     WORD        DllCharacteristics;
  41.     ULONGLONG   SizeOfStackReserve;
  42.     ULONGLONG   SizeOfStackCommit;
  43.     ULONGLONG   SizeOfHeapReserve;
  44.     ULONGLONG   SizeOfHeapCommit;
  45.     DWORD       LoaderFlags;
  46.     DWORD       NumberOfRvaAndSizes;
  47.     IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
  48. } IMAGE_OPTIONAL_HEADER64, *PIMAGE_OPTIONAL_HEADER64;
  49.  
  50. typedef struct _IMAGE_FILE_HEADER {
  51.     WORD    Machine;
  52.     WORD    NumberOfSections;
  53.     DWORD   TimeDateStamp;
  54.     DWORD   PointerToSymbolTable;
  55.     DWORD   NumberOfSymbols;
  56.     WORD    SizeOfOptionalHeader;
  57.     WORD    Characteristics;
  58. } IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
  59.  
  60. typedef struct _IMAGE_NT_HEADERS64 {
  61.     DWORD Signature;
  62.     IMAGE_FILE_HEADER FileHeader;
  63.     IMAGE_OPTIONAL_HEADER64 OptionalHeader;
  64. } IMAGE_NT_HEADERS64, *PIMAGE_NT_HEADERS64;
  65.  
  66. typedef IMAGE_NT_HEADERS64                  IMAGE_NT_HEADERS;
  67.  
  68. #define IMAGE_FIRST_SECTION( ntheader ) ((PIMAGE_SECTION_HEADER)        \
  69.     ((ULONG_PTR)(ntheader)+\
  70.     FIELD_OFFSET(IMAGE_NT_HEADERS, OptionalHeader) + \
  71.     ((ntheader))->FileHeader.SizeOfOptionalHeader   \
  72.     ))
  73.  
  74. typedef struct _IMAGE_IMPORT_BY_NAME {
  75.     WORD    Hint;
  76.     BYTE    Name[1];
  77. } IMAGE_IMPORT_BY_NAME, *PIMAGE_IMPORT_BY_NAME;
  78.  
  79. typedef struct _IMAGE_DOS_HEADER {      // DOS .EXE header
  80.     WORD   e_magic;                     // Magic number
  81.     WORD   e_cblp;                      // Bytes on last page of file
  82.     WORD   e_cp;                        // Pages in file
  83.     WORD   e_crlc;                      // Relocations
  84.     WORD   e_cparhdr;                   // Size of header in paragraphs
  85.     WORD   e_minalloc;                  // Minimum extra paragraphs needed
  86.     WORD   e_maxalloc;                  // Maximum extra paragraphs needed
  87.     WORD   e_ss;                        // Initial (relative) SS value
  88.     WORD   e_sp;                        // Initial SP value
  89.     WORD   e_csum;                      // Checksum
  90.     WORD   e_ip;                        // Initial IP value
  91.     WORD   e_cs;                        // Initial (relative) CS value
  92.     WORD   e_lfarlc;                    // File address of relocation table
  93.     WORD   e_ovno;                      // Overlay number
  94.     WORD   e_res[4];                    // Reserved words
  95.     WORD   e_oemid;                     // OEM identifier (for e_oeminfo)
  96.     WORD   e_oeminfo;                   // OEM information; e_oemid specific
  97.     WORD   e_res2[10];                  // Reserved words
  98.     LONG   e_lfanew;                    // File address of new exe header
  99. } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
  100.  
  101. typedef struct _IMAGE_SECTION_HEADER {
  102.     BYTE    Name[IMAGE_SIZEOF_SHORT_NAME];
  103.     union {
  104.         DWORD   PhysicalAddress;
  105.         DWORD   VirtualSize;
  106.     } Misc;
  107.     DWORD   VirtualAddress;
  108.     DWORD   SizeOfRawData;
  109.     DWORD   PointerToRawData;
  110.     DWORD   PointerToRelocations;
  111.     DWORD   PointerToLinenumbers;
  112.     WORD    NumberOfRelocations;
  113.     WORD    NumberOfLinenumbers;
  114.     DWORD   Characteristics;
  115. } IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
  116.  
  117. typedef struct _IMAGE_IMPORT_DESCRIPTOR {
  118.     union {
  119.         DWORD   Characteristics;            // 0 for terminating null import descriptor
  120.         DWORD   OriginalFirstThunk;         // RVA to original unbound IAT (PIMAGE_THUNK_DATA)
  121.     };
  122.     DWORD   TimeDateStamp;                  // 0 if not bound,
  123.     // -1 if bound, and real date\time stamp
  124.     //     in IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT (new BIND)
  125.     // O.W. date/time stamp of DLL bound to (Old BIND)
  126.  
  127.     DWORD   ForwarderChain;                 // -1 if no forwarders
  128.     DWORD   Name;
  129.     DWORD   FirstThunk;                     // RVA to IAT (if bound this IAT has actual addresses)
  130. } IMAGE_IMPORT_DESCRIPTOR;
  131.  
  132. typedef IMAGE_IMPORT_DESCRIPTOR __unaligned *PIMAGE_IMPORT_DESCRIPTOR;
  133.  
  134. typedef struct _IMAGE_THUNK_DATA64 {
  135.     union {
  136.         ULONGLONG ForwarderString;  // PBYTE
  137.         ULONGLONG Function;         // PDWORD
  138.         ULONGLONG Ordinal;
  139.         ULONGLONG AddressOfData;    // PIMAGE_IMPORT_BY_NAME
  140.     } u1;
  141. } IMAGE_THUNK_DATA64;
  142. typedef IMAGE_THUNK_DATA64 * PIMAGE_THUNK_DATA64;
  143.  
  144. typedef PIMAGE_THUNK_DATA64             PIMAGE_THUNK_DATA;
  145.  
  146. NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);
  147. VOID UnloadRoutine(IN PDRIVER_OBJECT DriverObject);
  148. NTSTATUS CreateObjectFile(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
  149. NTSTATUS CloseObjectFile(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
  150. NTSTATUS DefaultHandler(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
  151. NTSTATUS DeviceControl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
  152.  
  153. PVOID PsGetProcessSectionBaseAddress(__in PEPROCESS Process);
  154.  
  155. HANDLE MyOpenProcess(HANDLE ProcessId);
  156.  
  157. #define THE_BUFFER_LENGTH 100
  158.  
  159. typedef struct _DEVICE_EXTENSION
  160. {
  161.     unsigned char InBuffer[THE_BUFFER_LENGTH];
  162. }DEVICE_EXTENSION, *PDEVICE_EXTENSION;
  163.  
  164. //----------------------------------//
  165.  
  166. NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
  167. {
  168.     UNREFERENCED_PARAMETER(RegistryPath);
  169.  
  170.     DbgPrint("I am in DriverEntry \n");
  171.  
  172.     UNICODE_STRING DeviceName, DosDeviceName;
  173.  
  174.     RtlInitUnicodeString(&DeviceName, L"\\Device\\DumpDevice");
  175.     RtlInitUnicodeString(&DosDeviceName, L"\\DosDevices\\DosDumpDevice");
  176.  
  177.     DriverObject->DriverUnload = UnloadRoutine;
  178.  
  179.     for (int i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
  180.         DriverObject->MajorFunction[i] = DefaultHandler;
  181.  
  182.     DriverObject->MajorFunction[IRP_MJ_CREATE] = CreateObjectFile;
  183.     DriverObject->MajorFunction[IRP_MJ_CLOSE] = CloseObjectFile;
  184.  
  185.     DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DeviceControl;
  186.  
  187.     PDEVICE_OBJECT Device;
  188.     NTSTATUS Status = IoCreateDevice(DriverObject, sizeof(DEVICE_EXTENSION), &DeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, &Device);
  189.  
  190.     if (!NT_SUCCESS(Status))
  191.         return Status;
  192.     if (!Device)
  193.         return STATUS_UNEXPECTED_IO_ERROR;
  194.  
  195.     Status = IoCreateSymbolicLink(&DosDeviceName, &DeviceName);
  196.  
  197.     if (Status != STATUS_SUCCESS)
  198.     {
  199.         DbgPrint("I can't create symbolic link Filter\n");
  200.         return STATUS_FAILED_DRIVER_ENTRY;
  201.     }
  202.     else
  203.         DbgPrint("I am create symbolic link Filter\n");
  204.  
  205.     Device->Flags |= DO_BUFFERED_IO;
  206.     Device->Flags &= ~DO_DEVICE_INITIALIZING;
  207.  
  208.     return STATUS_SUCCESS;
  209. }
  210.  
  211. VOID UnloadRoutine(IN PDRIVER_OBJECT DriverObject)
  212. {
  213.     DbgPrint("I am in UnloadRoutine \n");
  214.  
  215.     UNICODE_STRING LineDosDevice;
  216.     RtlInitUnicodeString(&LineDosDevice, L"\\DosDevices\\DosDumpDevice");
  217.     IoDeleteSymbolicLink(&LineDosDevice);
  218.  
  219.     IoDeleteDevice(DriverObject->DeviceObject);
  220.  
  221. }
  222.  
  223. NTSTATUS CreateObjectFile(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
  224. {
  225.     UNREFERENCED_PARAMETER(DeviceObject);
  226.  
  227.     DbgPrint("I am in CreateObjectFile \n");
  228.  
  229.     Irp->IoStatus.Status = STATUS_SUCCESS;
  230.     Irp->IoStatus.Information = 0;
  231.     IoCompleteRequest(Irp, IO_NO_INCREMENT);
  232.     return STATUS_SUCCESS;
  233. }
  234.  
  235. NTSTATUS CloseObjectFile(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
  236. {
  237.     UNREFERENCED_PARAMETER(DeviceObject);
  238.  
  239.     DbgPrint("I am in CloseObjectFile\n");
  240.  
  241.     Irp->IoStatus.Status = STATUS_SUCCESS;
  242.     Irp->IoStatus.Information = 0;
  243.     IoCompleteRequest(Irp, IO_NO_INCREMENT);
  244.     return STATUS_SUCCESS;
  245. }
  246.  
  247. NTSTATUS DefaultHandler(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
  248. {
  249.     DbgPrint("I am in DefaultHandler\n");
  250.  
  251.     UNREFERENCED_PARAMETER(DeviceObject);
  252.  
  253.     Irp->IoStatus.Status = STATUS_NOT_SUPPORTED;
  254.     Irp->IoStatus.Information = 0;
  255.     IoCompleteRequest(Irp, IO_NO_INCREMENT);
  256.  
  257.     return Irp->IoStatus.Status;
  258. }
  259.  
  260. NTSTATUS DeviceControl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
  261. {
  262.     DbgPrint("I am in read DeviceControl.\n");
  263.     PDEVICE_EXTENSION DeviceExtension = (PDEVICE_EXTENSION)DeviceObject->DeviceExtension;
  264.  
  265.     PIO_STACK_LOCATION IoStackLocation = IoGetCurrentIrpStackLocation(Irp);
  266.     ULONG bufsize = IoStackLocation->Parameters.Read.Length;
  267.     //----------------Наткнулись на буферизированное устройство-----------------------//
  268.     RtlMoveMemory(DeviceExtension->InBuffer, Irp->AssociatedIrp.SystemBuffer, bufsize);
  269.     Irp->IoStatus.Information = bufsize;
  270.  
  271.     DeviceExtension->InBuffer[bufsize] = '\0';
  272.  
  273.     DbgPrint("Name of process: %s\n", DeviceExtension->InBuffer);
  274.     HANDLE ProcessId = IoStackLocation->Parameters.DeviceIoControl.IoControlCode;
  275.     // DeviceExtension->PID;
  276.  
  277.     MyOpenProcess(ProcessId);
  278.  
  279.  
  280.     Irp->IoStatus.Status = STATUS_SUCCESS;
  281.     IoCompleteRequest(Irp, IO_NO_INCREMENT);
  282.  
  283.     return STATUS_SUCCESS;
  284.  
  285. }
  286.  
  287. //---------------------Снимаем Дамп--------------------//
  288. HANDLE MyOpenProcess(HANDLE ProcessId)
  289. {
  290.     PEPROCESS Process = NULL;
  291.     NTSTATUS Status;
  292.     HANDLE hProcess = NULL;
  293.     PIMAGE_DOS_HEADER dosHeader;
  294.     PIMAGE_NT_HEADERS64 ntHeader;
  295.     IMAGE_FILE_HEADER header;
  296.     IMAGE_OPTIONAL_HEADER64 opHeader;
  297.     PIMAGE_SECTION_HEADER pSecHeader;
  298.     int i;
  299.     UNREFERENCED_PARAMETER(Process);
  300.     UNREFERENCED_PARAMETER(Status);
  301.     UNREFERENCED_PARAMETER(hProcess);
  302.     UNREFERENCED_PARAMETER(header);
  303.  
  304.     __debugbreak();
  305.  
  306.     Status = PsLookupProcessByProcessId(ProcessId, &Process);
  307.     if (Status != STATUS_SUCCESS)
  308.         DbgPrint("I can't in PsLookupProcessByProcessId\n");
  309.  
  310.     Status = ObOpenObjectByPointer(Process, OBJ_KERNEL_HANDLE, 0, 0x1F0FFF, 0, 0, &hProcess);
  311.     if (Status != STATUS_SUCCESS)
  312.         DbgPrint("I can't in ObOpenObjectByPointer\n");
  313.  
  314.     //---------------Attach----------------------//
  315.     KeAttachProcess(Process);
  316.  
  317.     PVOID BaseAddress = PsGetProcessSectionBaseAddress(Process);
  318.  
  319.     //for (int i = 0; i < 10; i++)
  320.     //PIMAGE_NT_HEADERS64
  321.  
  322.     //CHAR Buffer[32];
  323.     //ULONG CountOfRead = 0;
  324.  
  325.     //NtReadVirtualMemory(hProcess, BaseAddress, Buffer, 20, &CountOfRead);
  326.     dosHeader = (PIMAGE_DOS_HEADER)BaseAddress;
  327.     ntHeader = (PIMAGE_NT_HEADERS64)((DWORD)(dosHeader)+(dosHeader->e_lfanew));
  328.     opHeader = ntHeader->OptionalHeader;
  329.  
  330.     UINT64 pDataDirImportRVA = ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
  331.     UINT64 pDataDirImportSize = ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size;
  332.  
  333.     UNREFERENCED_PARAMETER(pDataDirImportSize);
  334.  
  335.     for (pSecHeader = IMAGE_FIRST_SECTION(ntHeader), i = 0; i < ntHeader->FileHeader.NumberOfSections; i++, pSecHeader++)
  336.     {
  337.         if ((pDataDirImportRVA >= pSecHeader->VirtualAddress) && ((pSecHeader->VirtualAddress + pSecHeader->Misc.VirtualSize) > pDataDirImportRVA))
  338.         {
  339.  
  340.             UINT64 pIAT = (pDataDirImportRVA - pSecHeader->VirtualAddress) + pSecHeader->PointerToRawData;
  341.  
  342.             PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor = NULL;
  343.             PIMAGE_THUNK_DATA pImageThunkData = NULL;
  344.  
  345.             pImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)(pIAT + (DWORD)BaseAddress);
  346.             while (pImportDescriptor->FirstThunk != 0)
  347.             {
  348.  
  349.                 //DbgPrint("  Module : %s\n", (pImportDescriptor->Name - pSecHeader->VirtualAddress) + pSecHeader->PointerToRawData + (DWORD)BaseAddress);
  350.                 pImageThunkData = (PIMAGE_THUNK_DATA)((DWORD)BaseAddress + pImportDescriptor->FirstThunk - pSecHeader->VirtualAddress + pSecHeader->PointerToRawData);
  351.                 while (pImageThunkData->u1.Function)
  352.                 {
  353.                     if (!(pImageThunkData->u1.Ordinal & IMAGE_ORDINAL_FLAG32))
  354.                     {
  355.                         PIMAGE_IMPORT_BY_NAME  pStr = (PIMAGE_IMPORT_BY_NAME)((DWORD)BaseAddress + pImageThunkData->u1.AddressOfData - pSecHeader->VirtualAddress + pSecHeader->PointerToRawData);
  356.                         UNREFERENCED_PARAMETER(pStr);
  357.                     }
  358.                     else
  359.                         pImageThunkData++;
  360.                 }
  361.                 ++pImportDescriptor;
  362.             }
  363.         }
  364.  
  365.         //-------------------------Пишем в файл----------------------------//
  366.  
  367.         __debugbreak();
  368.         UNICODE_STRING FileName;
  369.         OBJECT_ATTRIBUTES ObjectAttributes;
  370.         HANDLE HandleFile;
  371.         IO_STATUS_BLOCK StatusBlock;
  372.        
  373.         RtlInitUnicodeString(&FileName, L"\\DosDevices\\C:\\DumpProcess.txt");
  374.  
  375.         IO_STATUS_BLOCK StatusBlock2;
  376.  
  377.         InitializeObjectAttributes(&ObjectAttributes, &FileName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
  378.  
  379.         NTSTATUS Status = ZwCreateFile(&HandleFile, FILE_APPEND_DATA, &ObjectAttributes, &StatusBlock, NULL, FILE_ATTRIBUTE_NORMAL, 0, FILE_OPEN_IF, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
  380.  
  381.         PBYTE Pointer = BaseAddress;
  382.        
  383.         Status = ZwWriteFile(HandleFile, NULL, NULL, NULL, &StatusBlock2, Pointer + pSecHeader->VirtualAddress, pSecHeader->Misc.VirtualSize, NULL, NULL);
  384.  
  385.         ZwClose(HandleFile);
  386.         HandleFile = NULL;
  387.         //-----------------------------------------------------------------//      
  388.         DbgPrint("\n%-36s%s", "Section Header name : ", pSecHeader->Name);
  389.         DbgPrint("\n%-36s%#x", "ActualSize of code or data : ", pSecHeader->Misc.VirtualSize);
  390.         DbgPrint("\n%-36s%#x", "Virtual Address(RVA) :", pSecHeader->VirtualAddress);
  391.     }
  392.  
  393.  
  394.     DbgPrint("BaseAddress: \n");
  395.  
  396.     //--------------Deattach---------------------//
  397.     KeDetachProcess();
  398.  
  399.     ObDereferenceObject(Process);
  400.  
  401.     return hProcess;
  402. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!