天龙还原精灵卸载器源代码 (3)
- 天龙还原精灵卸载器1.0 for win9x.386P.MODEL FLAT, STDCALL ; with STDCALL we must reverse the sequence of pushes option casemap :none ; case sensitiveinclude \masm32\include\windows. ...
pop edx
mov ea.Trustee.ptstrName,edx
invoke SetEntriesInAcl,1,addr ea,pDacl,addr pNewDacl
cmp eax,ERROR_SUCCESS
jz @f
jmp OutSet
@@:
invoke SetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,\
NULL,NULL,pNewDacl,NULL
OutSet:
cmp pSD,0
jz @f
invoke LocalFree,pSD
@@:
cmp pNewDacl,0
jz @f
invoke LocalFree,pNewDacl
@@:
ret
SetPhyscialMemorySectionCanBeWrited endp
mov ea.Trustee.ptstrName,edx
invoke SetEntriesInAcl,1,addr ea,pDacl,addr pNewDacl
cmp eax,ERROR_SUCCESS
jz @f
jmp OutSet
@@:
invoke SetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,\
NULL,NULL,pNewDacl,NULL
OutSet:
cmp pSD,0
jz @f
invoke LocalFree,pSD
@@:
cmp pNewDacl,0
jz @f
invoke LocalFree,pNewDacl
@@:
ret
SetPhyscialMemorySectionCanBeWrited endp
MiniMmGetPhysicalAddress proc virtualaddress:dword
mov eax,virtualaddress
cmp eax,80000000h
jb @f
cmp eax,0a0000000h
jae @f
and eax,1FFFF000h
ret
@@:
mov eax,0
ret
MiniMmGetPhysicalAddress endp
ExecRing0Proc proc Entry:ULONG,seglen:ULONG
local tmpSel:dword
local setcg:dword
local BaseAddress:dword
local NtdllMod :dword ;300
local hSection:HANDLE
local status:NTSTATUS
local objectAttributes:OBJECT_ATTRIBUTES
local objName:UNICODE_STRING
mov status,STATUS_SUCCESS;
sgdt GdtLimit
invoke MiniMmGetPhysicalAddress,GdtAddr
mov mapAddr,eax
test eax,eax
jz Exit1
call @f
db "Ntdll.dll",0
@@:
call LoadLibraryA
mov NtdllMod,eax
lea edx,objnamestr
mov objnameptr,edx
lea edi,ObjAttr
and di,0fffch ;align to 4 bytes,or ZwOpenSection will fail
push edi ;edi->ObjAttr
push 24 ;length of <\Device\PhysicalMemory>
pop ecx
push ecx
xor eax,eax
rep stosb ;put ObjAttr with 0
pop ecx
pop edi
mov esi,edi
stosd
mov dword ptr[esi],ecx
stosd
lea eax,[edx-8] ;eax->objname
stosd ;ObjAddr(18h,00,00,00,00,00,00,00,offset objname,40,02,00,00,dd 2 dup(0)
mov dword ptr [edi],240h
call @f
db "ZwOpenSection",0
@@:
push NtdllMod
call GetProcAddress
mov ebx,eax ;ebx=ZwOpenSection
push esi ;esi->ObjAttr
push SECTION_MAP_READ or SECTION_MAP_WRITE
lea edi,hSection
push edi ;edi->hSection
call eax ;ZwOpenSection(&hSection,SECTION_MAP_READ or SECTION_MAP_WRITE,ObjAttr)
mov status,eax
cmp status,STATUS_ACCESS_DENIED
jnz AccessPermit
mov eax,ebx
push esi
push READ_CONTROL or WRITE_DAC
push edi
call eax
mov status,eax
invoke SetPhyscialMemorySectionCanBeWrited,hSection
call @f
db "ZwClose",0
@@:
push NtdllMod
call GetProcAddress
push hSection
call eax ;zwClose hSection
mov eax,ebx
push esi
push SECTION_MAP_READ or SECTION_MAP_WRITE
lea edi,hSection
push edi
call eax
mov status ,eax
;status =ZwOpenSection(&hSection,SECTION_MAP_WRITE|SECTION_MAP_WRITE,&objectAttributes);
AccessPermit:
cmp status ,STATUS_SUCCESS
jz @f
;printf("Error Open PhysicalMemory Section Object,Status:%08X\n",status);
;return 0;
mov eax,0
ret
@@:
movzx eax,word ptr[GdtLimit]
inc eax
invoke MapViewOfFile,hSection, FILE_MAP_READ or FILE_MAP_WRITE, 0, mapAddr, \
eax
mov BaseAddress,eax
cmp BaseAddress,0
jnz @f
;printf("Error MapViewOffile:");
;PrintWin32Error(GetLastError()); return 0;
mov eax,0
ret
@@:
mov esi,eax ;esi->gdt base
movzx eax,word ptr GdtLimit ;eax=gdt limit
mov IsIdtFlag,0
call Search_XDT
mov tmpSel,eax
mov setcg,FALSE;
mov esi,BaseAddress
mov ebx,eax
add ebx,esi
assume ebx:ptr MyGATE
mov edx,Entry
mov [ebx].OFFSETL,dx
mov [ebx].SELECTOR ,8
mov [ebx].DCOUNT ,0
mov [ebx].GTYPE,0ech
shr edx,16
mov [ebx].OFFSETH,dx
mov setcg,TRUE
cmp setcg,0
jnz ChangeOK
call @f
db "ZwClose",0
@@:
push NtdllMod
call GetProcAddress
push hSection
call eax
xor eax,eax
ret
ChangeOK:
and dword ptr Callgt,0
or al,3h
mov word ptr [Callgt+4],ax
;farcall[2]=((short)((ULONG)cg-(ULONG)BaseAddress))|3; //Ring 3 callgate;
invoke VirtualLock,Entry,seglen
test eax,eax
jnz @f
xor eax,eax
ret
@@:
invoke GetCurrentThread
invoke SetThreadPriority,eax,THREAD_PRIORITY_TIME_CRITICAL
invoke Sleep,0
call fword ptr [Callgt] ;use callgate to Ring0!
;_asm call fword ptr [farcall]
invoke GetCurrentThread
invoke SetThreadPriority,eax,THREAD_PRIORITY_NORMAL
invoke VirtualUnlock,Entry,seglen
;//Clear callgate
;*(ULONG *)cg=0;
;*((ULONG *)cg+1)=0;
mov esi,BaseAddress
mov eax,tmpSel
add eax,esi
mov dword ptr[eax],0
mov dword ptr[eax+4],0
;ZwClose(hSection);
call @f
db "ZwClose",0
@@:
push NtdllMod
call GetProcAddress
push hSection
call eax
mov eax,TRUE
ret
ExecRing0Proc endp
Search_XDT proc near ;entry esi==Base of Idt or GDT
;Eax==Limit
pushad
mov ebx,eax ;ebx=limit
mov eax,8 ; skipping null selector
@@1:
cmp IsIdtFlag,1
jz IsIdt
cmp dword ptr [esi+eax+0],0 ;gdt
jnz @@2
cmp dword ptr [esi+eax+4],0
jz @@3
jmp @@2
IsIdt:
cmp dword ptr [esi+eax+0],80000h ;idt
jnz @@2
cmp dword ptr [esi+eax+4],0
jz @@3
@@2:
add eax,8
cmp eax,ebx
jb @@1 ;if we haven’t found any free GDT entry,
;lets use the last two entries
mov eax,ebx
sub eax,7
@@3:
mov [esp+4*7],eax ; return off in eax
popad ; eax=free GDT or IDT entry selector
ret ;500
Search_XDT endp
main:
;建立文件
invoke CreateFileA,offset FileName,GENERIC_READ,FILE_SHARE_READ or FILE_SHARE_WRITE,NULL,OPEN_EXISTING,NULL,NULL
mov [hFile],eax
cmp eax,INVALID_HANDLE_value
jnz read
;显示错误信息
invoke ShowError,offset ErrCreate
read: ;读数据
invoke ReadFile,eax,offset Buffer,512,offset readed1,NULL
cmp eax,0
jnz next
;显示错误信息
invoke ShowError,offset ErrRead
ShowError proc ,MESSAGE:DWORD ;显示出错信息并退出
invoke MessageBoxA,NULL,MESSAGE,offset Caption,MB_OK
cmp [hFile],0
jz endShowErr
invoke CloseHandle ,[hFile] ;关闭句柄
endShowErr:
invoke ExitProcess,0 ;退出
ShowError endp
next:
assume fs:nothing
push offset MySEH
push fs:[0]
mov fs:[0],esp
mov OldEsp,esp
mov ax,ds ;if Win9x?
test ax,4
jnz Exit1
invoke MessageBoxA,NULL,offset ShowText,offset Caption,MB_OK
invoke VirtualLock,offset _Ring0Proc,Ring0CodeLen
;invoke VirtualLock,offset r0Data,sizeof(RING0DATA)
invoke ExecRing0Proc,offset _Ring0Proc,Ring0CodeLen
;invoke VirtualUnlock,offset r0Data,sizeof(RING0DATA)
invoke VirtualUnlock,offset _Ring0Proc,Ring0CodeLen
Exit1:
pop fs:[0]
add esp,4
invoke ExitProcess,0
MySEH :
mov esp,OldEsp
pop fs:[0]
add esp,4
invoke ExitProcess,-1
end main
0
顶一下0
踩一下
相关文章
