(******************************************************************************
* CopyRight (c) By 姚佩云 2004
* All Rights Reserved
* Email : i_rock_1001@163.com www.jynx.com.cn
* Date :
* New Develop : 2004-x-x
* Modified : 2004-03-24
* Description :
* 这是一个从ring3层不用驱动直接进入ring0层的例子,参考的网上资料
* Export :
* ReadWritePhyMem : ring3下读写物理内存
* ExecRing0Proc : ring3下执行ring0级别的函数
* Thanks :
* alphax(多喝了三五杯) http://expert.csdn.net/Expert/topic/2718/2718748.xml?temp=8.550662E-02
* tt.t http://www.delphibbs.com/delphibbs/dispq.asp?lid=2470866
* 首发大富翁(www.delphibbs.com)blog,转载请保留
******************************************************************************)
unit Ring0;
// Ring0: declarations for user-mode access to the physical-memory section
// object (name in ObjectPhysicalMemoryDeviceName below) plus two descriptor
// layouts. Only the declarations and three private helpers are visible in this
// excerpt; the bodies of the two exported routines are not on this page.
interface
uses
Windows,SysUtils,Aclapi,Accctrl,NtDll{function declarations for ntdll.dll};
type
// 6-byte packed record: a 16-bit limit followed by a 32-bit base split into
// two WORDs. From the name this is presumably the pseudo-descriptor layout
// stored by SGDT; no user of the type is visible here — confirm in the callers.
_GDTENTRYR = packed record
Limit : WORD ;
BaseLow : WORD ;
BaseHigh : WORD ;
end;
TGDTENTRYR = _GDTENTRYR;
PGDTENTRYR = ^TGDTENTRYR;
// 8-byte packed record. The two Byte fields each pack several bit-fields, as
// the trailing comments spell out; Delphi has no bit-field syntax, so users
// must mask and shift by hand. Presumably the x86 call-gate descriptor layout
// (the name says so); no user is visible in this excerpt.
_CALLGATE_DESCRIPTOR = packed record
Offset_0_15 : WORD;
Selector : WORD ;
ParamCount_SomeBits : Byte ; // ParamCount:4 SomeBits:4
Type_AppSystem_Dpl_Present : Byte ; // Type:4 AppSystem:1 Dpl:2 Present:1
Offset_16_31 : WORD ;
end;
TCALLGATE_DESCRIPTOR = _CALLGATE_DESCRIPTOR;
PCALLGATE_DESCRIPTOR = ^TCALLGATE_DESCRIPTOR;
const
// Object-manager name handed to RtlInitUnicodeString in OpenPhysicalMemory;
// reproduced here exactly as posted.
ObjectPhysicalMemoryDeviceName = '/Device/Physicalmemory';
// Exported entry points. Neither body is in this excerpt, so their contracts
// cannot be stated here; ReadOrNot presumably carries the same sense as the
// parameter of OpenPhysicalMemory (True = read only) — confirm in the body.
function ReadWritePhyMem(Address: DWORD; Length: DWORD; Buffer: PChar;ReadOrNot: Boolean = True): Boolean;
function ExecRing0Proc( Entry,seglen : ULONG):Boolean;
implementation
// Rewrites the DACL of the kernel section object behind hSection so that the
// trustee named 'CURRENT_USER' is granted SECTION_MAP_WRITE.
// Called from OpenPhysicalMemory on a handle opened with READ_CONTROL or
// WRITE_DAC after a write open was refused with STATUS_ACCESS_DENIED.
// Parameters: hSection - handle to a kernel section object (SE_KERNEL_OBJECT).
// Returns: see the NOTE at the SetSecurityInfo check below; the only visible
//   caller discards the result.
// Defender's view: the observable event is a DACL change on a kernel section
// object (SetSecurityInfo, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION); a SACL
// on the object or object-access auditing records the WRITE_DAC use.
function SetPhysicalMemorySectionCanBeWrited(hSection: THandle): Boolean;
var
pDacl: PACL; // existing DACL as returned by GetSecurityInfo
pNewDacl: PACL; // merged DACL produced by SetEntriesInAcl
pSD: PPSECURITY_DESCRIPTOR; // stays Nil for the whole routine (see below)
dwRes: Cardinal;
ea: EXPLICIT_ACCESS_A;
label CleanUp; // declared but never placed or jumped to in this body
begin
Result:=False;
pDacl:=Nil;
pNewDacl:=Nil;
pSD:=Nil;
// pSD is passed by value while still Nil, so GetSecurityInfo receives a NULL
// ppSecurityDescriptor and pSD is still Nil afterwards; whether the returned
// pDacl then needs its own release is not established here — confirm.
dwres:=GetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,nil,
nil,@pDacl,nil,pSD);
try
if dwres<>ERROR_SUCCESS then
Exit;
// One explicit ACE: grant SECTION_MAP_WRITE, no inheritance, to a trustee given
// by name. 'CURRENT_USER' is presumably the special trustee name SetEntriesInAcl
// resolves to the calling account — confirm against the TRUSTEE documentation.
FillChar(ea,SizeOf(EXPLICIT_ACCESS),0);
ea.grfAccessPermissions:=SECTION_MAP_WRITE;
ea.grfAccessMode:=GRANT_ACCESS;
ea.grfInheritance:=NO_INHERITANCE;
ea.Trustee.TrusteeForm:=TRUSTEE_IS_NAME;
ea.Trustee.TrusteeType:=TRUSTEE_IS_USER;
ea.Trustee.ptstrName:='CURRENT_USER';
// Return code of SetEntriesInAcl is not checked; if it failed, pNewDacl is
// still Nil and is passed on unchecked to SetSecurityInfo.
SetEntriesInAcl(1,@ea,Nil,pNewDacl);
dwRes:=SetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,
Nil,Nil,pNewDacl,Nil);
// NOTE(review): the sense of this check looks inverted — Result is left False
// when SetSecurityInfo returned ERROR_SUCCESS and set True when it did not.
// Currently without effect only because OpenPhysicalMemory ignores the result.
if dwRes=ERROR_SUCCESS then
Exit;
Result:=True;
finally
// pSD is Nil here, so the first branch never runs. The second branch tests
// pNewDacl but frees pSD^, i.e. dereferences a Nil pointer whenever
// SetEntriesInAcl produced a DACL; pNewDacl itself is never released in
// this block.
if pSD<>Nil then
LocalFree(Cardinal(pSD^));
if pNewDacl<>Nil then
LocalFree(Cardinal(pSD^));
end;
end;
// Pure address arithmetic: returns vAddress with its low bits masked off,
// using one mask for the $80000000..$9FFFFFFF range and another for every
// other address. The caller is not in this excerpt, so what the result is
// used for cannot be stated here.
function GetPhysicalAddress(vAddress:ULONG):LARGE_INTEGER;
var
  InUpperRange: Boolean;
begin
  InUpperRange := (vAddress >= $80000000) and (vAddress < $A0000000);
  if InUpperRange then
    Result.QuadPart := vAddress and $1FFFF000
  else
    Result.QuadPart := vAddress and $FFFF000;
end;
// Opens the section object named by ObjectPhysicalMemoryDeviceName.
// Parameters: ReadOrNot - True: open with SECTION_MAP_READ only.
//   False: SECTION_MAP_READ or SECTION_MAP_WRITE; if that open fails with
//   STATUS_ACCESS_DENIED, re-open for READ_CONTROL or WRITE_DAC, let
//   SetPhysicalMemorySectionCanBeWrited rewrite the DACL, close, and retry.
// Returns: the section handle, or 0 when the last ZwOpenSection status is
//   not NT_SUCCESS.
// Defender's view: the write path is the one that modifies a kernel object's
// DACL; the read path needs nothing beyond SECTION_MAP_READ on the object.
function OpenPhysicalMemory(ReadOrNot: Boolean): THandle;
var
Status: NTSTATUS;
PhysMem: THandle; // not initialised before the first ZwOpenSection
PhysMemString: UNICODE_STRING;
Attributes: TNtObjectAttributes;
SectionAttrib: Integer; // desired access for the section open
begin
Result:=0;
RtlInitUnicodeString(@PhysMemString,ObjectPhysicalMemoryDeviceName);
// OBJ_KERNEL_HANDLE is requested from user mode here; whether the object
// manager honours or ignores it for a Zw* call from ring 3 is not established
// by this code — confirm.
InitializeObjectAttributes(@Attributes,
@PhysMemString,
OBJ_CASE_INSENSITIVE or OBJ_KERNEL_HANDLE,
0,
Nil);
if ReadOrNot then
SectionAttrib:=SECTION_MAP_READ
else
SectionAttrib:=SECTION_MAP_READ or SECTION_MAP_WRITE;
Status:=ZwOpenSection(@PhysMem,SectionAttrib,@Attributes);
if not ReadOrNot then
begin
if Status=STATUS_ACCESS_DENIED then
begin
// NOTE(review): the Status of this READ_CONTROL/WRITE_DAC open is never
// tested before PhysMem is handed to the helper and to ZwClose; if it failed,
// PhysMem holds whatever the first call left behind. The helper's Boolean
// result is discarded as well.
Status:=ZwOpenSection(@PhysMem,READ_CONTROL or WRITE_DAC,@Attributes);
SetPhysicalMemorySectionCanBeWrited(PhysMem);
ZwClose(PhysMem);
Status:=ZwOpenSection(@PhysMem,SectionAttrib,@Attributes);
end;
end;
// Only the status of the final ZwOpenSection decides the result.
if not NT_SUCCESS(Status) then
Exit;
Result:=PhysMem;
end;
调试不通。。找不到ntdll.dcu
* CopyRight (c) By 姚佩云 2004
* All Rights Reserved
* Email : i_rock_1001@163.com www.jynx.com.cn
* Date :
* New Develop : 2004-x-x
* Modified : 2004-03-24
* Description :
* 这是一个从ring3层不用驱动直接进入ring0层的例子,参考的网上资料
* Export :
* ReadWritePhyMem : ring3下读写物理内存
* ExecRing0Proc : ring3下执行ring0级别的函数
* Thanks :
* alphax(多喝了三五杯) http://expert.csdn.net/Expert/topic/2718/2718748.xml?temp=8.550662E-02
* tt.t http://www.delphibbs.com/delphibbs/dispq.asp?lid=2470866
* 首发大富翁(www.delphibbs.com)blog,转载请保留
******************************************************************************)
unit Ring0;
// Ring0: declarations for user-mode access to the physical-memory section
// object (name in ObjectPhysicalMemoryDeviceName below) plus two descriptor
// layouts. Only the declarations and three private helpers are visible in this
// excerpt; the bodies of the two exported routines are not on this page.
interface
uses
Windows,SysUtils,Aclapi,Accctrl,NtDll{function declarations for ntdll.dll};
type
// 6-byte packed record: a 16-bit limit followed by a 32-bit base split into
// two WORDs. From the name this is presumably the pseudo-descriptor layout
// stored by SGDT; no user of the type is visible here — confirm in the callers.
_GDTENTRYR = packed record
Limit : WORD ;
BaseLow : WORD ;
BaseHigh : WORD ;
end;
TGDTENTRYR = _GDTENTRYR;
PGDTENTRYR = ^TGDTENTRYR;
// 8-byte packed record. The two Byte fields each pack several bit-fields, as
// the trailing comments spell out; Delphi has no bit-field syntax, so users
// must mask and shift by hand. Presumably the x86 call-gate descriptor layout
// (the name says so); no user is visible in this excerpt.
_CALLGATE_DESCRIPTOR = packed record
Offset_0_15 : WORD;
Selector : WORD ;
ParamCount_SomeBits : Byte ; // ParamCount:4 SomeBits:4
Type_AppSystem_Dpl_Present : Byte ; // Type:4 AppSystem:1 Dpl:2 Present:1
Offset_16_31 : WORD ;
end;
TCALLGATE_DESCRIPTOR = _CALLGATE_DESCRIPTOR;
PCALLGATE_DESCRIPTOR = ^TCALLGATE_DESCRIPTOR;
const
// Object-manager name handed to RtlInitUnicodeString in OpenPhysicalMemory;
// reproduced here exactly as posted.
ObjectPhysicalMemoryDeviceName = '/Device/Physicalmemory';
// Exported entry points. Neither body is in this excerpt, so their contracts
// cannot be stated here; ReadOrNot presumably carries the same sense as the
// parameter of OpenPhysicalMemory (True = read only) — confirm in the body.
function ReadWritePhyMem(Address: DWORD; Length: DWORD; Buffer: PChar;ReadOrNot: Boolean = True): Boolean;
function ExecRing0Proc( Entry,seglen : ULONG):Boolean;
implementation
// Rewrites the DACL of the kernel section object behind hSection so that the
// trustee named 'CURRENT_USER' is granted SECTION_MAP_WRITE.
// Called from OpenPhysicalMemory on a handle opened with READ_CONTROL or
// WRITE_DAC after a write open was refused with STATUS_ACCESS_DENIED.
// Parameters: hSection - handle to a kernel section object (SE_KERNEL_OBJECT).
// Returns: see the NOTE at the SetSecurityInfo check below; the only visible
//   caller discards the result.
// Defender's view: the observable event is a DACL change on a kernel section
// object (SetSecurityInfo, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION); a SACL
// on the object or object-access auditing records the WRITE_DAC use.
function SetPhysicalMemorySectionCanBeWrited(hSection: THandle): Boolean;
var
pDacl: PACL; // existing DACL as returned by GetSecurityInfo
pNewDacl: PACL; // merged DACL produced by SetEntriesInAcl
pSD: PPSECURITY_DESCRIPTOR; // stays Nil for the whole routine (see below)
dwRes: Cardinal;
ea: EXPLICIT_ACCESS_A;
label CleanUp; // declared but never placed or jumped to in this body
begin
Result:=False;
pDacl:=Nil;
pNewDacl:=Nil;
pSD:=Nil;
// pSD is passed by value while still Nil, so GetSecurityInfo receives a NULL
// ppSecurityDescriptor and pSD is still Nil afterwards; whether the returned
// pDacl then needs its own release is not established here — confirm.
dwres:=GetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,nil,
nil,@pDacl,nil,pSD);
try
if dwres<>ERROR_SUCCESS then
Exit;
// One explicit ACE: grant SECTION_MAP_WRITE, no inheritance, to a trustee given
// by name. 'CURRENT_USER' is presumably the special trustee name SetEntriesInAcl
// resolves to the calling account — confirm against the TRUSTEE documentation.
FillChar(ea,SizeOf(EXPLICIT_ACCESS),0);
ea.grfAccessPermissions:=SECTION_MAP_WRITE;
ea.grfAccessMode:=GRANT_ACCESS;
ea.grfInheritance:=NO_INHERITANCE;
ea.Trustee.TrusteeForm:=TRUSTEE_IS_NAME;
ea.Trustee.TrusteeType:=TRUSTEE_IS_USER;
ea.Trustee.ptstrName:='CURRENT_USER';
// Return code of SetEntriesInAcl is not checked; if it failed, pNewDacl is
// still Nil and is passed on unchecked to SetSecurityInfo.
SetEntriesInAcl(1,@ea,Nil,pNewDacl);
dwRes:=SetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,
Nil,Nil,pNewDacl,Nil);
// NOTE(review): the sense of this check looks inverted — Result is left False
// when SetSecurityInfo returned ERROR_SUCCESS and set True when it did not.
// Currently without effect only because OpenPhysicalMemory ignores the result.
if dwRes=ERROR_SUCCESS then
Exit;
Result:=True;
finally
// pSD is Nil here, so the first branch never runs. The second branch tests
// pNewDacl but frees pSD^, i.e. dereferences a Nil pointer whenever
// SetEntriesInAcl produced a DACL; pNewDacl itself is never released in
// this block.
if pSD<>Nil then
LocalFree(Cardinal(pSD^));
if pNewDacl<>Nil then
LocalFree(Cardinal(pSD^));
end;
end;
// Pure address arithmetic: returns vAddress with its low bits masked off,
// using one mask for the $80000000..$9FFFFFFF range and another for every
// other address. The caller is not in this excerpt, so what the result is
// used for cannot be stated here.
function GetPhysicalAddress(vAddress:ULONG):LARGE_INTEGER;
var
  InUpperRange: Boolean;
begin
  InUpperRange := (vAddress >= $80000000) and (vAddress < $A0000000);
  if InUpperRange then
    Result.QuadPart := vAddress and $1FFFF000
  else
    Result.QuadPart := vAddress and $FFFF000;
end;
// Opens the section object named by ObjectPhysicalMemoryDeviceName.
// Parameters: ReadOrNot - True: open with SECTION_MAP_READ only.
//   False: SECTION_MAP_READ or SECTION_MAP_WRITE; if that open fails with
//   STATUS_ACCESS_DENIED, re-open for READ_CONTROL or WRITE_DAC, let
//   SetPhysicalMemorySectionCanBeWrited rewrite the DACL, close, and retry.
// Returns: the section handle, or 0 when the last ZwOpenSection status is
//   not NT_SUCCESS.
// Defender's view: the write path is the one that modifies a kernel object's
// DACL; the read path needs nothing beyond SECTION_MAP_READ on the object.
function OpenPhysicalMemory(ReadOrNot: Boolean): THandle;
var
Status: NTSTATUS;
PhysMem: THandle; // not initialised before the first ZwOpenSection
PhysMemString: UNICODE_STRING;
Attributes: TNtObjectAttributes;
SectionAttrib: Integer; // desired access for the section open
begin
Result:=0;
RtlInitUnicodeString(@PhysMemString,ObjectPhysicalMemoryDeviceName);
// OBJ_KERNEL_HANDLE is requested from user mode here; whether the object
// manager honours or ignores it for a Zw* call from ring 3 is not established
// by this code — confirm.
InitializeObjectAttributes(@Attributes,
@PhysMemString,
OBJ_CASE_INSENSITIVE or OBJ_KERNEL_HANDLE,
0,
Nil);
if ReadOrNot then
SectionAttrib:=SECTION_MAP_READ
else
SectionAttrib:=SECTION_MAP_READ or SECTION_MAP_WRITE;
Status:=ZwOpenSection(@PhysMem,SectionAttrib,@Attributes);
if not ReadOrNot then
begin
if Status=STATUS_ACCESS_DENIED then
begin
// NOTE(review): the Status of this READ_CONTROL/WRITE_DAC open is never
// tested before PhysMem is handed to the helper and to ZwClose; if it failed,
// PhysMem holds whatever the first call left behind. The helper's Boolean
// result is discarded as well.
Status:=ZwOpenSection(@PhysMem,READ_CONTROL or WRITE_DAC,@Attributes);
SetPhysicalMemorySectionCanBeWrited(PhysMem);
ZwClose(PhysMem);
Status:=ZwOpenSection(@PhysMem,SectionAttrib,@Attributes);
end;
end;
// Only the status of the final ZwOpenSection decides the result.
if not NT_SUCCESS(Status) then
Exit;
Result:=PhysMem;
end;
调试不通。。找不到ntdll.dcu