資源簡介
在 x64 下實現「內嵌匯編」：不採用另寫 .asm 再以 OBJ 連結的方式，而是先把匯編指令手工翻譯成機器碼位元組，再把這些位元組複製到內核非分頁池中直接呼叫；參數傳遞遵循 x64 呼叫約定（前四個整數參數依次在 RCX、RDX、R8、R9，返回值在 RAX）。注意：這是把資料當程式碼執行，前提是 NonPagedPool 可執行——Windows 7 如此，但 Windows 8 及以後非分頁池預設為 NX（須改用 NonPagedPoolExecute），開啟 HVCI 的系統則完全禁止，且此模式正是內核態 AV/EDR 的典型告警特徵。

代碼片段和文件信息
#include?“ntddk.h“
#include?
#include?
#include?“dbghelp.h“
#include?“Win7x64Drv.h“
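/* Signature of the hand-assembled routine executed by test(): under the x64
 * calling convention the four integer arguments arrive in RCX, RDX, R8, R9 and
 * the result is returned in RAX.  __fastcall is accepted but ignored by the
 * x64 MSVC compiler (there is only one ABI), so it is kept purely for the
 * original's readability. */
typedef UINT64 (__fastcall *SCFN)(UINT64, UINT64, UINT64, UINT64);

/* Driver entry point and IRP dispatch routines (defined below). */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString);
NTSTATUS DispatchCreate(PDEVICE_OBJECT pDevObj, PIRP pIrp);
NTSTATUS DispatchClose(PDEVICE_OBJECT pDevObj, PIRP pIrp);
VOID DriverUnload(PDRIVER_OBJECT pDriverObj);
NTSTATUS DispatchIoctl(PDEVICE_OBJECT pDevObj, PIRP pIrp);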
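/*
 * Demonstrates executing hand-assembled x64 machine code from kernel mode.
 * The 13 opcode bytes copied into the pool are:
 *     add  rcx, rdx
 *     add  rcx, r8
 *     add  rcx, r9
 *     mov  rax, rcx
 *     ret
 * i.e. the routine returns the sum of its four integer arguments (RCX, RDX,
 * R8, R9).  With the call below the value printed is 11 + 22 + 33 + 44 = 110.
 *
 * Security note: this writes data bytes into a pool allocation and jumps to
 * them.  It only works while the pool is executable -- true for NonPagedPool
 * on Windows 7, but Windows 8+ makes NonPagedPool NX by default (the
 * NonPagedPoolExecute type is needed there) and HVCI-enabled systems refuse
 * to map writable pool as executable at all.  It is also exactly the pattern
 * kernel-mode AV/EDR heuristics flag, so keep it confined to test builds.
 */
VOID test()
{
    /* Opcode bytes, one instruction per literal; the string's NUL terminator
     * is copied too (14 bytes), exactly as the original did. */
    static const UCHAR strShellCode[] =
        "\x48\x03\xCA"      /* add rcx, rdx */
        "\x49\x03\xC8"      /* add rcx, r8  */
        "\x49\x03\xC9"      /* add rcx, r9  */
        "\x48\x8B\xC1"      /* mov rax, rcx */
        "\xC3";             /* ret          */
    SCFN scfn;
    UINT64 ret;

    /* Tagged allocation so the buffer is attributable in pool diagnostics. */
    scfn = (SCFN)ExAllocatePoolWithTag(NonPagedPool, sizeof(strShellCode), 'ASMx');
    if (scfn == NULL) {
        /* Pool exhaustion: the original dereferenced NULL here and would have
         * bug-checked the machine. */
        DbgPrint("[x64Drv] Inline ASM: pool allocation failed\n");
        return;
    }
    memcpy((PVOID)scfn, strShellCode, sizeof(strShellCode));

    ret = scfn(11, 22, 33, 44);
    /* UINT64 is unsigned, so print with %llu rather than the original %lld. */
    DbgPrint("[x64Drv] Inline ASM return: %llu\n", ret);

    ExFreePoolWithTag((PVOID)scfn, 'ASMx');
}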
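/*
 * Driver entry point: registers the dispatch routines, creates the control
 * device and its user-visible symbolic link, then runs the inline-asm demo.
 *
 * pDriverObj      - driver object supplied by the I/O manager.
 * pRegistryString - registry path of the driver's service key (logged only).
 * Returns STATUS_SUCCESS, or the failure status of IoCreateDevice /
 * IoCreateSymbolicLink, in which case nothing is left allocated.
 *
 * DEVICE_NAME / LINK_NAME are defined in Win7x64Drv.h.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString)
{
    NTSTATUS status = STATUS_SUCCESS;
    UNICODE_STRING ustrLinkName;
    UNICODE_STRING ustrDevName;
    PDEVICE_OBJECT pDevObj = NULL;

    dprintf("[x64Drv] DriverEntry: %S\n", pRegistryString->Buffer);

    /* Create dispatch points for create, close and device control. */
    pDriverObj->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
    pDriverObj->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
    pDriverObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl;
    pDriverObj->DriverUnload = DriverUnload;

    RtlInitUnicodeString(&ustrDevName, DEVICE_NAME);
    /* FILE_DEVICE_SECURE_OPEN makes an open of "\Device\Name\anything" subject
     * to the device DACL too; without it such trailing-name opens skip the
     * device security check.  The device still receives the default DACL for
     * its type -- if the IOCTL interface must be limited to administrators,
     * create it with IoCreateDeviceSecure and an explicit SDDL string. */
    status = IoCreateDevice(pDriverObj, 0, &ustrDevName, FILE_DEVICE_UNKNOWN,
                            FILE_DEVICE_SECURE_OPEN, FALSE, &pDevObj);
    if (!NT_SUCCESS(status)) {
        dprintf("[x64Drv] IoCreateDevice = 0x%x\n", status);
        return status;
    }
    dprintf("[x64Drv] Device Name %S", ustrDevName.Buffer);

    RtlInitUnicodeString(&ustrLinkName, LINK_NAME);
    status = IoCreateSymbolicLink(&ustrLinkName, &ustrDevName);
    if (!NT_SUCCESS(status)) {
        dprintf("[x64Drv] IoCreateSymbolicLink = 0x%x\n", status);
        IoDeleteDevice(pDevObj);   /* undo the device so nothing leaks */
        return status;
    }
    dprintf("[x64Drv] SymbolicLink:%S", ustrLinkName.Buffer);

    /* test Begin */
    test();
    /* test End */

    return STATUS_SUCCESS;
}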
/* Tears down what DriverEntry created, in reverse order: the symbolic link
 * first, then the single device object hanging off the driver object. */
VOID DriverUnload(PDRIVER_OBJECT pDriverObj)
{
    UNICODE_STRING symLinkName;

    RtlInitUnicodeString(&symLinkName, LINK_NAME);
    IoDeleteSymbolicLink(&symLinkName);
    IoDeleteDevice(pDriverObj->DeviceObject);

    dprintf("[x64Drv] Unloaded\n");
}
/* IRP_MJ_CREATE handler.  Every open is accepted and no per-handle state is
 * kept; who may reach this point is decided solely by the device DACL. */
NTSTATUS DispatchCreate(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
    dprintf("[x64Drv] IRP_MJ_CREATE\n");

    pIrp->IoStatus.Information = 0;
    pIrp->IoStatus.Status = STATUS_SUCCESS;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);

    return STATUS_SUCCESS;
}
/* IRP_MJ_CLOSE handler.  Nothing to release since DispatchCreate allocates
 * nothing; the request is simply completed with success. */
NTSTATUS DispatchClose(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
    dprintf("[x64Drv] IRP_MJ_CLOSE\n");

    pIrp->IoStatus.Information = 0;
    pIrp->IoStatus.Status = STATUS_SUCCESS;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);

    return STATUS_SUCCESS;
}
NTSTATUS?DispatchIoctl(PDEVICE_object?pDevObj?PIRP?pIrp)
{
NTSTATUS?status?=?STATUS_INVALID_DEVICE_REQUEST;
PIO_STACK_LOCATION?
?屬性????????????大小?????日期????時間???名稱
-----------?---------??----------?-----??----
?????目錄???????????0??2014-05-04?17:19??src\
?????文件?????????231??2010-08-10?19:19??src\dbghelp.h
?????文件?????????247??2002-12-08?22:34??src\makefile
?????目錄???????????0??2014-05-04?17:19??src\objfre_win7_amd64\
?????目錄???????????0??2013-12-22?01:44??src\objfre_win7_amd64\amd64\
?????文件?????????103??2011-02-21?02:00??src\sources
?????文件????????3648??2011-02-21?02:25??src\Win7x64Drv.c
?????文件?????????717??2011-02-21?02:00??src\Win7x64Drv.h