NTSTATUS CreateDllSection(IN IN PUNICODE_STRING pDllName, OUT PHANDLE pSection, OUT PPVOID pBaseAddress)
{
HANDLE hFile;
OBJECT_ATTRIBUTES oa = {sizeof oa, 0, pDllName, OBJ_CASE_INSENSITIVE};
IO_STATUS_BLOCK iosb;
SIZE_T size=0;
NTSTATUS status;
PAGED_CODE();
ASSERT(pSection&&pBaseAddress);
*pBaseAddress = NULL;
status = ZwOpenFile(&hFile, FILE_EXECUTE | SYNCHRONIZE, &oa, &iosb, FILE_SHARE_READ, FILE_SYNCHRONOUS_IO_NONALERT);
if (NT_SUCCESS(status)) {
oa.ObjectName = 0;
status = ZwCreateSection(pSection, SECTION_ALL_ACCESS, &oa, 0,PAGE_EXECUTE, SEC_IMAGE, hFile);
if (NT_SUCCESS(status)) {
status = ZwMapViewOfSection(*pSection, ZwCurrentProcess(), pBaseAddress, 0, 1000, 0, &size, (SECTION_INHERIT)1, MEM_TOP_DOWN, PAGE_READWRITE);
if (!NT_SUCCESS(status)) {
ZwClose(*pSection);
}
}
ZwClose(hFile);
}
return status;
}
NTSTATUS
NTAPI
RtlpMapFile(PUNICODE_STRING ImageFileName,
ULONG Attributes,
PHANDLE Section)
{
OBJECT_ATTRIBUTES ObjectAttributes;
NTSTATUS Status;
HANDLE hFile = NULL;
IO_STATUS_BLOCK IoStatusBlock;
/* Open the Image File */
InitializeObjectAttributes(&ObjectAttributes,
ImageFileName,
Attributes & (OBJ_CASE_INSENSITIVE | OBJ_INHERIT),
NULL,
NULL);
Status = ZwOpenFile(&hFile,
SYNCHRONIZE | FILE_EXECUTE | FILE_READ_DATA,
&ObjectAttributes,
&IoStatusBlock,
FILE_SHARE_DELETE | FILE_SHARE_READ,
FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE);
if (!NT_SUCCESS(Status))
{
DPRINT1("Failed to read image file from disk, Status = 0x%08X\n", Status);
return Status;
}
/* Now create a section for this image */
Status = ZwCreateSection(Section,
SECTION_ALL_ACCESS,
NULL,
NULL,
PAGE_EXECUTE,
SEC_IMAGE,
hFile);
if (!NT_SUCCESS(Status))
{
DPRINT1("Failed to create section for image file, Status = 0x%08X\n", Status);
}
ZwClose(hFile);
return Status;
}
BOOL
ShareMemKImp::InitializeShareMem(HANDLE hFile,
LPSECURITY_ATTRIBUTES lpAttributes,
DWORD flProtect,
DWORD dwMaximumSize,
LPCWSTR lpName,
DWORD dwDesiredAccess,
ShareMemClassInit* lpInitialization,
void* lpUserContext) {
UninitializeShareMem();
DWORD size;
size = dwMaximumSize + sizeof(ShareMemHeader);
if (size < dwMaximumSize)
return FALSE;
UNICODE_STRING us;
RtlInitUnicodeString(&us,
lpName);
OBJECT_ATTRIBUTES attr;
InitializeObjectAttributes(&attr,
&us,
OBJ_OPENIF,
NULL,
NULL);
LARGE_INTEGER li;
li.QuadPart = size;
NTSTATUS status;
status = ZwCreateSection(&m_hMapSect,
READ_CONTROL|WRITE_DAC|dwDesiredAccess,
&attr,
&li,
flProtect,
SEC_COMMIT,
hFile);
BOOLEAN init;
init = status != STATUS_SUCCESS ? FALSE : TRUE;
if (m_hMapSect) {
SIZE_T v_size;
v_size = 0;
status = ZwMapViewOfSection(m_hMapSect,
ZwCurrentProcess(),
&m_hMapView,
0,
size,
NULL,
&v_size,
ViewUnmap,
0,
PAGE_READWRITE);
if (m_hMapView) {
m_hMapSize = dwMaximumSize;
ShareMemHeader* smh;
smh = (ShareMemHeader*)m_hMapView;
if (init) {
LARGE_INTEGER tick;
KeQueryTickCount(&tick);
RtlStringCchPrintfW(smh->m_LockName,
sizeof(smh->m_LockName),
L"K-%08x-%08x-%08x",
PsGetCurrentProcessId(),
PsGetCurrentThreadId(),
tick.LowPart);
if (lpInitialization)
smh->m_bResult = lpInitialization(this,
lpUserContext);
else
smh->m_bResult = TRUE;
smh->m_bInitialized = TRUE;
}
else
while(1)
if (smh->m_bInitialized)
break;
return smh->m_bResult;
}
}
return FALSE;
}
void runServer(TCHAR *ServerName)
{
UNICODE_STRING usPortName;
HANDLE hConnectPort = NULL;
OBJECT_ATTRIBUTES oa;
NTSTATUS status;
ALPC_PORT_ATTRIBUTES apa;
SECURITY_QUALITY_OF_SERVICE sqos;
LARGE_INTEGER SectionSize = {0x9000};
HANDLE hThread;
ULONG Flags = 0; //猜的
SIZE_T MaxMessageLength = PORT_MAXIMUM_MESSAGE_LENGTH;
//以下都是乱填的
SIZE_T MemoryBandwidth = 128;
SIZE_T MaxPoolUsage = 128;
SIZE_T MaxSectionSize = 512;
SIZE_T MaxViewSize = sizeof(PORT_VIEW);
SIZE_T MaxTotalSectionSize = 512;
ULONG DupObjectType = 0;
InitializeCriticalSection(&cs);
RtlZeroMemory(&sqos,sizeof(SECURITY_QUALITY_OF_SERVICE));
InitializeAlpcPortAttributes(&apa,Flags,sqos,MaxMessageLength,MemoryBandwidth,MaxPoolUsage,\
MaxSectionSize,MaxViewSize,MaxTotalSectionSize,DupObjectType);
//RtlZeroMemory(&apa,sizeof(ALPC_PORT_ATTRIBUTES));
RtlInitUnicodeString(&usPortName,ServerName);
InitializeObjectAttributes(&oa,&usPortName,0x200,0,NULL);
status = NtAlpcCreatePort(&hConnectPort,&oa,&apa);
if (!NT_SUCCESS(status))
{
printf("NtAlpcCreatePort error:%X\n",status);
return;
}
status = ZwCreateSection(&SectionHandle,
SECTION_MAP_READ | SECTION_MAP_WRITE,
NULL, //backed by the pagefile
&SectionSize,
PAGE_READWRITE,
SEC_COMMIT,
NULL);
if (!NT_SUCCESS(status))
{
printf("ZwCreateSection error:%X\n",status);
return;
}
/*
ALPC_DATA_VIEW_ATTR adva;
adva.Flags = 0; //unknown
adva.SectionHandle = SectionHandle;
adva.ViewBase = 0;
adva.ViewSize = SectionSize.LowPart;
status = NtAlpcCreateSectionView(hConnectPort,0,&adva);
if (!NT_SUCCESS(status))
{
printf("NtAlpcCreateSectionView error:%X\n",status);
return;
}
*/
si.LPCPortHandle = hConnectPort;
si.SectionHandle = SectionHandle;
if (!(hThread = CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)&ServerProc,(LPVOID)&si,0,NULL)))
{
printf("CreateThread error:%d\n",GetLastError());
return;
}
}
//
// Initializes the NRER subsystem by creating a file-backed section that is
// pointed at the NRER user-mode DLL on disk. This section is used for
// randomization purposes.
//
NTSTATUS InitializeNreSubsystem()
{
OBJECT_ATTRIBUTES Attributes;
IO_STATUS_BLOCK IoStatus;
UNICODE_STRING FilePath;
NTSTATUS Status = STATUS_SUCCESS;
HANDLE FileHandle;
HANDLE SectionHandle;
do
{
//
// Get a file handle to the user-mode DLL
//
RtlInitUnicodeString(
&FilePath,
NRER_USER_MODE_DLL_PATH);
InitializeObjectAttributes(
&Attributes,
&FilePath,
OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
NULL,
NULL);
if (!NT_SUCCESS(Status = ZwOpenFile(
&FileHandle,
GENERIC_READ | GENERIC_EXECUTE,
&Attributes,
&IoStatus,
FILE_SHARE_READ | FILE_SHARE_WRITE,
0)))
{
DebugPrint(("InitializeNreSubsystem(): ZwCreateFile(%wZ) failed, %.8x.",
&FilePath,
Status));
break;
}
//
// Create an image file-backed section that is associated with the DLL
//
if (!NT_SUCCESS(Status = ZwCreateSection(
&SectionHandle,
SECTION_ALL_ACCESS,
NULL,
NULL,
PAGE_EXECUTE_WRITECOPY,
SEC_IMAGE,
FileHandle)))
{
DebugPrint(("InitializeNreSubsystem(): ZwCreateSection() failed, %.8x.",
Status));
break;
}
//
// Get the section object that's associated with the section handle
//
if (!NT_SUCCESS(Status = ObReferenceObjectByHandle(
SectionHandle,
0,
NULL,
KernelMode,
(PVOID *)&NrerUserModeDllSectionObject,
NULL)))
{
DebugPrint(("InitializeNreSubsystem(): ObReferenceObjectByHandle() failed, %.8x.",
Status));
break;
}
DebugPrint(("InitializeNreSubsystem(): NRER user-mode DLL section at: %p.",
NrerUserModeDllSectionObject));
NrerInitialized = TRUE;
} while (0);
//
// Close the handles that were opened
//
if (FileHandle)
ZwClose(
FileHandle);
if (SectionHandle)
ZwClose(
SectionHandle);
return Status;
}
BOOLEAN
SepRmCommandServerThreadInit(
VOID
)
/*++
Routine Description:
This function performs initialization of the Reference Monitor Server
thread. The following steps are performed.
o Wait on the LSA signalling the event. When the event is signalled,
the LSA has already created the LSA Command Server LPC Port
o Close the LSA Init Event Handle. The event is not used again.
o Listen for the LSA to connect to the Port
o Accept the connection.
o Connect to the LSA Command Server LPC Port
Arguments:
None.
Return Value:
--*/
{
NTSTATUS Status;
UNICODE_STRING LsaCommandPortName;
PORT_MESSAGE ConnectionRequest;
SECURITY_QUALITY_OF_SERVICE DynamicQos;
OBJECT_ATTRIBUTES ObjectAttributes;
PORT_VIEW ClientView;
REMOTE_PORT_VIEW LsaClientView;
BOOLEAN BooleanStatus = TRUE;
PAGED_CODE();
//
// Save a pointer to our process so we can get back into this process
// to send commands to the LSA (using a handle to an LPC port created
// below).
//
SepRmLsaCallProcess = PsGetCurrentProcess();
ObReferenceObject(SepRmLsaCallProcess);
//
// Wait on the LSA signalling the event. This means that the LSA
// has created its command port, not that LSA initialization is
// complete.
//
Status = ZwWaitForSingleObject(
SepRmState.LsaInitEventHandle,
FALSE,
NULL);
if ( !NT_SUCCESS(Status) ) {
KdPrint(("Security Rm Init: Waiting for LSA Init Event failed 0x%lx\n", Status));
goto RmCommandServerThreadInitError;
}
//
// Close the LSA Init Event Handle. The event is not used again.
//
ZwClose(SepRmState.LsaInitEventHandle);
//
// Listen for a connection to be made by the LSA to the Reference Monitor
// Command Port. This connection will be made by the LSA process.
//
ConnectionRequest.u1.s1.TotalLength = sizeof(ConnectionRequest);
ConnectionRequest.u1.s1.DataLength = (CSHORT)0;
Status = ZwListenPort(
SepRmState.RmCommandPortHandle,
&ConnectionRequest
);
if (!NT_SUCCESS(Status)) {
KdPrint(("Security Rm Init: Listen to Command Port failed 0x%lx\n",
Status));
goto RmCommandServerThreadInitError;
}
//
// Obtain a handle to the LSA process for use when auditing.
//
InitializeObjectAttributes( &ObjectAttributes, NULL, 0, NULL, NULL );
Status = ZwOpenProcess(
&SepLsaHandle,
PROCESS_VM_OPERATION | PROCESS_VM_WRITE,
&ObjectAttributes,
&ConnectionRequest.ClientId
);
if (!NT_SUCCESS(Status)) {
KdPrint(("Security Rm Init: Open Listen to Command Port failed 0x%lx\n",
Status));
goto RmCommandServerThreadInitError;
}
//
// Accept the connection made by the LSA process.
//
LsaClientView.Length = sizeof(LsaClientView);
Status = ZwAcceptConnectPort(
&SepRmState.RmCommandPortHandle,
NULL,
&ConnectionRequest,
TRUE,
NULL,
&LsaClientView
);
if (!NT_SUCCESS(Status)) {
KdPrint(("Security Rm Init: Accept Connect to Command Port failed 0x%lx\n",
Status));
goto RmCommandServerThreadInitError;
}
//
// Complete the connection.
//
Status = ZwCompleteConnectPort(SepRmState.RmCommandPortHandle);
if (!NT_SUCCESS(Status)) {
KdPrint(("Security Rm Init: Complete Connect to Command Port failed 0x%lx\n",
Status));
goto RmCommandServerThreadInitError;
}
//
// Set up the security quality of service parameters to use over the
// Lsa Command LPC port. Use the most efficient (least overhead) - which
// is dynamic rather than static tracking.
//
DynamicQos.ImpersonationLevel = SecurityImpersonation;
DynamicQos.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING;
DynamicQos.EffectiveOnly = TRUE;
//
// Create the section to be used as unnamed shared memory for
// communication between the RM and LSA.
//
SepRmState.LsaCommandPortSectionSize.LowPart = PAGE_SIZE;
SepRmState.LsaCommandPortSectionSize.HighPart = 0;
Status = ZwCreateSection(
&SepRmState.LsaCommandPortSectionHandle,
SECTION_ALL_ACCESS,
NULL, // ObjectAttributes
&SepRmState.LsaCommandPortSectionSize,
PAGE_READWRITE,
SEC_COMMIT,
NULL // FileHandle
);
if (!NT_SUCCESS(Status)) {
KdPrint(("Security Rm Init: Create Memory Section for LSA port failed: %X\n", Status));
goto RmCommandServerThreadInitError;
}
//
// Set up for a call to NtConnectPort and connect to the LSA port.
// This setup includes a description of the port memory section so that
// the LPC connection logic can make the section visible to both the
// client and server processes.
//
ClientView.Length = sizeof(ClientView);
ClientView.SectionHandle = SepRmState.LsaCommandPortSectionHandle;
ClientView.SectionOffset = 0;
ClientView.ViewSize = SepRmState.LsaCommandPortSectionSize.LowPart;
ClientView.ViewBase = 0;
ClientView.ViewRemoteBase = 0;
//
// Set up the security quality of service parameters to use over the
// port. Use dynamic tracking so that XACTSRV will impersonate the
// user that we are impersonating when we call NtRequestWaitReplyPort.
// If we used static tracking, XACTSRV would impersonate the context
// when the connection is made.
//
DynamicQos.ImpersonationLevel = SecurityImpersonation;
DynamicQos.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING;
DynamicQos.EffectiveOnly = TRUE;
//
// Connect to the Lsa Command LPC Port. This port is used to send
// commands from the RM to the LSA.
//
RtlInitUnicodeString( &LsaCommandPortName, L"\\SeLsaCommandPort" );
Status = ZwConnectPort(
&SepRmState.LsaCommandPortHandle,
&LsaCommandPortName,
&DynamicQos,
&ClientView,
NULL, // ServerView
NULL, // MaxMessageLength
NULL, // ConnectionInformation
NULL // ConnectionInformationLength
);
if (!NT_SUCCESS(Status)) {
KdPrint(("Security Rm Init: Connect to LSA Port failed 0x%lx\n", Status));
goto RmCommandServerThreadInitError;
}
//
// Store information about the section so that we can create pointers
// meaningful to LSA.
//
SepRmState.RmViewPortMemory = ClientView.ViewBase;
SepRmState.LsaCommandPortMemoryDelta =
(LONG)((ULONG_PTR)ClientView.ViewRemoteBase - (ULONG_PTR) ClientView.ViewBase );
SepRmState.LsaViewPortMemory = ClientView.ViewRemoteBase;
/* BugWarning - ScottBi - probably don't need the resource
//
// Create the resource serializing access to the port. This
// resource prevents the port and the shared memory from being
// deleted while worker threads are processing requests.
//
if ( !SepRmState.LsaCommandPortResourceInitialized ) {
ExInitializeResource( &SepRmState.LsaCommandPortResource );
SepRmState.LsaCommandPortResourceInitialized = TRUE;
}
SepRmState.LsaCommandPortActive = TRUE;
*/
RmCommandServerThreadInitFinish:
//
// Dont need this section handle any more, even if returning
// success.
//
if ( SepRmState.LsaCommandPortSectionHandle != NULL ) {
NtClose( SepRmState.LsaCommandPortSectionHandle );
SepRmState.LsaCommandPortSectionHandle = NULL;
}
//
// The Reference Monitor Thread has successfully initialized.
//
return BooleanStatus;
RmCommandServerThreadInitError:
if ( SepRmState.LsaCommandPortHandle != NULL ) {
NtClose( SepRmState.LsaCommandPortHandle );
SepRmState.LsaCommandPortHandle = NULL;
}
BooleanStatus = FALSE;
goto RmCommandServerThreadInitFinish;
}
static
VOID
TestPhysicalMemorySection(VOID)
{
NTSTATUS Status;
UNICODE_STRING SectionName = RTL_CONSTANT_STRING(L"\\Device\\PhysicalMemory");
OBJECT_ATTRIBUTES ObjectAttributes;
HANDLE SectionHandle;
PVOID SectionObject;
PUCHAR MyPage;
PHYSICAL_ADDRESS MyPagePhysical;
PUCHAR ZeroPageContents;
PHYSICAL_ADDRESS ZeroPagePhysical;
PVOID Mapping;
PUCHAR MappingBytes;
SIZE_T ViewSize;
SIZE_T EqualBytes;
MyPage = ExAllocatePoolWithTag(NonPagedPool, PAGE_SIZE, 'MPmK');
if (skip(MyPage != NULL, "Out of memory\n"))
return;
MyPagePhysical = MmGetPhysicalAddress(MyPage);
RtlFillMemory(MyPage + 0 * PAGE_SIZE / 4, PAGE_SIZE / 4, 0x23);
RtlFillMemory(MyPage + 1 * PAGE_SIZE / 4, PAGE_SIZE / 4, 0x67);
RtlFillMemory(MyPage + 2 * PAGE_SIZE / 4, PAGE_SIZE / 4, 0xab);
RtlFillMemory(MyPage + 3 * PAGE_SIZE / 4, PAGE_SIZE / 4, 0xef);
ZeroPageContents = ExAllocatePoolWithTag(PagedPool, PAGE_SIZE, 'ZPmK');
if (skip(ZeroPageContents != NULL, "Out of memory\n"))
{
ExFreePoolWithTag(MyPage, 'MPmK');
return;
}
ZeroPagePhysical.QuadPart = 0;
Mapping = MmMapIoSpace(ZeroPagePhysical, PAGE_SIZE, MmCached);
if (skip(Mapping != NULL, "Failed to map zero page\n"))
{
ExFreePoolWithTag(ZeroPageContents, 'ZPmK');
ExFreePoolWithTag(MyPage, 'MPmK');
return;
}
RtlCopyMemory(ZeroPageContents, Mapping, PAGE_SIZE);
MmUnmapIoSpace(Mapping, PAGE_SIZE);
InitializeObjectAttributes(&ObjectAttributes,
&SectionName,
OBJ_KERNEL_HANDLE,
NULL,
NULL);
Status = ZwOpenSection(&SectionHandle, SECTION_ALL_ACCESS, &ObjectAttributes);
ok_eq_hex(Status, STATUS_SUCCESS);
if (!skip(NT_SUCCESS(Status), "No section\n"))
{
/* Map zero page and compare */
Mapping = NULL;
ViewSize = PAGE_SIZE;
Status = ZwMapViewOfSection(SectionHandle,
ZwCurrentProcess(),
&Mapping,
0,
0,
&ZeroPagePhysical,
&ViewSize,
ViewUnmap,
0,
PAGE_READWRITE);
ok_eq_hex(Status, STATUS_SUCCESS);
if (!skip(NT_SUCCESS(Status), "No view\n"))
{
ok((LONG_PTR)Mapping > 0, "Mapping = %p\n", Mapping);
EqualBytes = RtlCompareMemory(Mapping,
ZeroPageContents,
PAGE_SIZE);
ok_eq_size(EqualBytes, PAGE_SIZE);
Status = ZwUnmapViewOfSection(ZwCurrentProcess(), Mapping);
ok_eq_hex(Status, STATUS_SUCCESS);
}
/* Map the zero page non-cached */
Mapping = NULL;
ViewSize = PAGE_SIZE;
Status = ZwMapViewOfSection(SectionHandle,
ZwCurrentProcess(),
&Mapping,
0,
0,
&ZeroPagePhysical,
&ViewSize,
ViewUnmap,
0,
PAGE_READWRITE | PAGE_NOCACHE);
ok_eq_hex(Status, STATUS_SUCCESS);
if (!skip(NT_SUCCESS(Status), "No view\n"))
{
ok((LONG_PTR)Mapping > 0, "Mapping = %p\n", Mapping);
EqualBytes = RtlCompareMemory(Mapping,
ZeroPageContents,
PAGE_SIZE);
ok_eq_size(EqualBytes, PAGE_SIZE);
Status = ZwUnmapViewOfSection(ZwCurrentProcess(), Mapping);
ok_eq_hex(Status, STATUS_SUCCESS);
}
/* Map our NP page, compare, and check that modifications are reflected */
Mapping = NULL;
ViewSize = PAGE_SIZE;
Status = ZwMapViewOfSection(SectionHandle,
ZwCurrentProcess(),
&Mapping,
0,
0,
&MyPagePhysical,
&ViewSize,
ViewUnmap,
0,
PAGE_READWRITE);
ok_eq_hex(Status, STATUS_SUCCESS);
if (!skip(NT_SUCCESS(Status), "No view\n"))
{
ok((LONG_PTR)Mapping > 0, "Mapping = %p\n", Mapping);
EqualBytes = RtlCompareMemory(Mapping,
MyPage,
PAGE_SIZE);
ok_eq_size(EqualBytes, PAGE_SIZE);
MappingBytes = Mapping;
ok(MappingBytes[5] == 0x23, "Mapping[5] = 0x%x\n", MappingBytes[5]);
ok(MyPage[5] == 0x23, "MyPage[5] = 0x%x\n", MyPage[5]);
MyPage[5] = 0x44;
ok(MappingBytes[5] == 0x44, "Mapping[5] = 0x%x\n", MappingBytes[5]);
ok(MyPage[5] == 0x44, "MyPage[5] = 0x%x\n", MyPage[5]);
MappingBytes[5] = 0x88;
ok(MappingBytes[5] == 0x88, "Mapping[5] = 0x%x\n", MappingBytes[5]);
ok(MyPage[5] == 0x88, "MyPage[5] = 0x%x\n", MyPage[5]);
Status = ZwUnmapViewOfSection(ZwCurrentProcess(), Mapping);
ok_eq_hex(Status, STATUS_SUCCESS);
}
Status = ZwClose(SectionHandle);
ok_eq_hex(Status, STATUS_SUCCESS);
}
/* Try flag 0x80000000, which ROS calls SEC_PHYSICALMEMORY */
InitializeObjectAttributes(&ObjectAttributes,
NULL,
OBJ_KERNEL_HANDLE,
NULL,
NULL);
Status = ZwCreateSection(&SectionHandle,
SECTION_ALL_ACCESS,
&ObjectAttributes,
NULL,
PAGE_READWRITE,
0x80000000,
NULL);
ok_eq_hex(Status, STATUS_INVALID_PARAMETER_6);
if (NT_SUCCESS(Status))
ZwClose(SectionHandle);
/* Assertion failure: AllocationAttributes & SEC_IMAGE | SEC_RESERVE | SEC_COMMIT */
if (!KmtIsCheckedBuild)
{
InitializeObjectAttributes(&ObjectAttributes,
NULL,
OBJ_KERNEL_HANDLE,
NULL,
NULL);
Status = MmCreateSection(&SectionObject,
SECTION_ALL_ACCESS,
&ObjectAttributes,
NULL,
PAGE_READWRITE,
0x80000000,
NULL,
NULL);
ok_eq_hex(Status, STATUS_INVALID_PARAMETER_6);
if (NT_SUCCESS(Status))
ObDereferenceObject(SectionObject);
}
InitializeObjectAttributes(&ObjectAttributes,
NULL,
OBJ_KERNEL_HANDLE,
NULL,
NULL);
Status = MmCreateSection(&SectionObject,
SECTION_ALL_ACCESS,
&ObjectAttributes,
NULL,
PAGE_READWRITE,
SEC_RESERVE | 0x80000000,
NULL,
NULL);
ok_eq_hex(Status, STATUS_INVALID_PARAMETER_6);
if (NT_SUCCESS(Status))
ObDereferenceObject(SectionObject);
ExFreePoolWithTag(ZeroPageContents, 'ZPmK');
ExFreePoolWithTag(MyPage, 'MPmK');
}
NTSTATUS
PsLocateSystemDll (
VOID
)
/*++
Routine Description:
This function locates the system dll and creates a section for the
DLL and maps it into the system process.
Arguments:
None.
Return Value:
TRUE - Initialization was successful.
FALSE - Initialization Failed.
--*/
{
HANDLE File;
HANDLE Section;
NTSTATUS st;
UNICODE_STRING DllPathName;
WCHAR PathBuffer[DOS_MAX_PATH_LENGTH];
OBJECT_ATTRIBUTES ObjectAttributes;
IO_STATUS_BLOCK IoStatus;
//
// Initialize the system DLL
//
DllPathName.Length = 0;
DllPathName.Buffer = PathBuffer;
DllPathName.MaximumLength = 256;
RtlInitUnicodeString(&DllPathName,L"\\SystemRoot\\System32\\ntdll.dll");
InitializeObjectAttributes(
&ObjectAttributes,
&DllPathName,
OBJ_CASE_INSENSITIVE,
NULL,
NULL
);
st = ZwOpenFile(
&File,
SYNCHRONIZE | FILE_EXECUTE,
&ObjectAttributes,
&IoStatus,
FILE_SHARE_READ,
0
);
if (!NT_SUCCESS(st)) {
#if DBG
DbgPrint("PS: PsLocateSystemDll - NtOpenFile( NTDLL.DLL ) failed. Status == %lx\n",
st
);
#endif
KeBugCheckEx(PROCESS1_INITIALIZATION_FAILED,st,2,0,0);
return st;
}
st = MmCheckSystemImage(File);
if ( st == STATUS_IMAGE_CHECKSUM_MISMATCH ) {
ULONG ErrorParameters;
ULONG ErrorResponse;
//
// Hard error time. A driver is corrupt.
//
ErrorParameters = (ULONG)&DllPathName;
NtRaiseHardError(
st,
1,
1,
&ErrorParameters,
OptionOk,
&ErrorResponse
);
return st;
}
PsNtDllPathName.MaximumLength = DllPathName.Length + sizeof( WCHAR );
PsNtDllPathName.Length = 0;
PsNtDllPathName.Buffer = RtlAllocateStringRoutine( PsNtDllPathName.MaximumLength );
RtlCopyUnicodeString( &PsNtDllPathName, &DllPathName );
st = ZwCreateSection(
&Section,
SECTION_ALL_ACCESS,
NULL,
0,
PAGE_EXECUTE,
SEC_IMAGE,
File
);
ZwClose( File );
if (!NT_SUCCESS(st)) {
#if DBG
DbgPrint("PS: PsLocateSystemDll: NtCreateSection Status == %lx\n",st);
#endif
KeBugCheckEx(PROCESS1_INITIALIZATION_FAILED,st,3,0,0);
return st;
}
//
// Now that we have the section, reference it, store its address in the
// PspSystemDll and then close handle to the section.
//
st = ObReferenceObjectByHandle(
Section,
SECTION_ALL_ACCESS,
MmSectionObjectType,
KernelMode,
&PspSystemDll.Section,
NULL
);
ZwClose(Section);
if ( !NT_SUCCESS(st) ) {
KeBugCheckEx(PROCESS1_INITIALIZATION_FAILED,st,4,0,0);
return st;
}
//
// Map the system dll into the user part of the address space
//
st = PspMapSystemDll(PsGetCurrentProcess(),&PspSystemDll.DllBase);
PsSystemDllDllBase = PspSystemDll.DllBase;
if ( !NT_SUCCESS(st) ) {
KeBugCheckEx(PROCESS1_INITIALIZATION_FAILED,st,5,0,0);
return st;
}
PsSystemDllBase = PspSystemDll.DllBase;
return STATUS_SUCCESS;
}
NTSTATUS
MuInitializeUserModeHelper (
PMU_GLOBAL_DATA GlobalData
)
{
NTSTATUS status;
HANDLE file, proc, dllsec;
SIZE_T imgsize = 0;
PVOID secobj, dllbase = NULL;
LARGE_INTEGER secofs;
UNICODE_STRING fp;
IO_STATUS_BLOCK iosb;
OBJECT_ATTRIBUTES oa;
WCHAR path[MAX_PATH];
wcscpy(path, MU_ROOTDIR_SYSTEM32);
wcscat(path, MU_FILENAME_HELPER_DLL);
RtlInitUnicodeString(&fp, path);
InitializeObjectAttributes(&oa,
&fp,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
NULL);
status = ZwOpenFile(&file,
GENERIC_READ,
&oa,
&iosb,
FILE_SHARE_READ,
FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT);
if (NT_SUCCESS(status))
{
status = ZwCreateSection(&dllsec,
SECTION_ALL_ACCESS,
NULL,
NULL,
PAGE_EXECUTE_READWRITE,
SEC_IMAGE,
file);
ZwClose(file);
if (!NT_SUCCESS(status))
return status;
status = ObReferenceObjectByHandle(dllsec,
SECTION_ALL_ACCESS,
*MmSectionObjectType,
KernelMode,
&secobj,
NULL);
ZwClose(dllsec);
if (NT_SUCCESS(status))
{
secofs.QuadPart = 0;
status = MmMapViewOfSection(secobj,
PsGetCurrentProcess(),
&dllbase,
0,
0,
&secofs,
&imgsize,
ViewShare,
0,
PAGE_EXECUTE_READWRITE);
if (NT_SUCCESS(status))
{
status = MuLinkDll(GlobalData, dllbase);
MmUnmapViewOfSection(PsGetCurrentProcess(), dllbase);
}
if (!NT_SUCCESS(status))
{
ObDereferenceObject(secobj);
secobj = NULL;
}
GlobalData->DllSection = secobj;
GlobalData->DllImageSize = imgsize;
GlobalData->DllImageBase = dllbase;
}
}
return status;
}
int main(int argc, char *argv[])
{
if (load_ntdll_functions() == FALSE) {
printf("Failed to load NTDLL function\n");
return (-1);
}
if (load_kernel32_functions() == FALSE) {
printf("Failed to load KERNEL32 function\n");
return (-1);
}
HANDLE hSection = NULL;
PVOID ImageBaseAddress = NtCurrentTeb()->Peb->ImageBaseAddress;
PIMAGE_NT_HEADERS NtHeaders = RtlImageNtHeader(ImageBaseAddress);
if (NtHeaders == NULL)
{
printf("[ERROR] RtlImageNtHeader failed, error : %d\n", GetLastError());
system("pause");
return (-1);
}
LARGE_INTEGER MaximumSize;
ULONG ImageSize = NtHeaders->OptionalHeader.SizeOfImage;
MaximumSize.LowPart = ImageSize;
MaximumSize.HighPart = 0;
NTSTATUS Status = NULL;
if ((Status = ZwCreateSection( &hSection, SECTION_ALL_ACCESS, NULL, &MaximumSize, PAGE_EXECUTE_READWRITE, SEC_COMMIT, NULL)) != STATUS_SUCCESS)
{
printf("[ERROR] ZwCreateSection failed, status : %x\n", Status);
system("pause");
return (-1);
}
printf("Section handle: %x\n", hSection);
HANDLE hProcess = NULL;
PVOID pSectionBaseAddress = NULL;
SIZE_T ViewSize = 0;
DWORD dwInheritDisposition = 1; //VIEW_SHARE
// map the section in context of current process:
if ((Status = NtMapViewOfSection(hSection, GetCurrentProcess(), &pSectionBaseAddress, NULL, NULL, NULL, &ViewSize, dwInheritDisposition, NULL, PAGE_EXECUTE_READWRITE))!= STATUS_SUCCESS)
{
printf("[ERROR] NtMapViewOfSection failed, status : %x\n", Status);
system("pause");
return (-1);
}
printf("Created new section, BaseAddress: %p ViewSize: %p\n", pSectionBaseAddress, ViewSize);
printf("Mapping into: %p <- current image: %p %p\n", pSectionBaseAddress, ImageBaseAddress, ImageSize);
RtlCopyMemory(pSectionBaseAddress, ImageBaseAddress, ImageSize);
ZwClose(hSection);
hSection = NULL;
if (applyRelocations(NtHeaders, pSectionBaseAddress) == FALSE) {
printf("Applying relocations failed, cannot continue!");
ZwTerminateProcess(GetCurrentProcess(), STATUS_FAILURE);
}
printf("Applied relocations!\n");
ULONG_PTR offsetFromBase = (ULONG_PTR) &testFunction - (ULONG_PTR)ImageBaseAddress;
printf("testFunction offset: %p\n", offsetFromBase);
ULONG_PTR newMain = ((ULONG_PTR) pSectionBaseAddress + offsetFromBase);
printf("testFunction address in new section: %p\n", newMain);
__asm {
call newMain
};
system("pause");
return (0);
}
NTSTATUS
RtlCreateUserProcess(
IN PUNICODE_STRING NtImagePathName,
IN ULONG Attributes,
IN PRTL_USER_PROCESS_PARAMETERS ProcessParameters,
IN PSECURITY_DESCRIPTOR ProcessSecurityDescriptor OPTIONAL,
IN PSECURITY_DESCRIPTOR ThreadSecurityDescriptor OPTIONAL,
IN HANDLE ParentProcess OPTIONAL,
IN BOOLEAN InheritHandles,
IN HANDLE DebugPort OPTIONAL,
IN HANDLE ExceptionPort OPTIONAL,
OUT PRTL_USER_PROCESS_INFORMATION ProcessInformation
)
/*++
Routine Description:
This function creates a user mode process with a single thread with
a suspend count of one. The address space of the new process is
initialized with the contents of specified image file. The caller
can specify the Access Control List for the new process and thread.
The caller can also specify the parent process to inherit process
priority and processor affinity from. The default is to inherit
these from the current process. Finally the caller can specify
whether the new process is to inherit any of the object handles
from the specified parent process or not.
Information about the new process and thread is returned via
the ProcessInformation parameter.
Arguments:
NtImagePathName - A required pointer that points to the NT Path string
that identifies the image file that is to be loaded into the
child process.
ProcessParameters - A required pointer that points to parameters that
are to passed to the child process.
ProcessSecurityDescriptor - An optional pointer to the Security Descriptor
give to the new process.
ThreadSecurityDescriptor - An optional pointer to the Security Descriptor
give to the new thread.
ParentProcess - An optional process handle that will used to inherit
certain properties from.
InheritHandles - A boolean value. TRUE specifies that object handles
associated with the specified parent process are to be inherited
by the new process, provided they have the OBJ_INHERIT attribute.
FALSE specifies that the new process is to inherit no handles.
DebugPort - An optional handle to the debug port associated with this
process.
ExceptionPort - An optional handle to the exception port associated with this
process.
ProcessInformation - A pointer to a variable that receives information
about the new process and thread.
--*/
{
NTSTATUS Status;
HANDLE Section, File;
OBJECT_ATTRIBUTES ObjectAttributes;
PRTL_USER_PROCESS_PARAMETERS Parameters;
SIZE_T ParameterLength;
PVOID Environment;
PWCHAR s;
SIZE_T EnvironmentLength;
SIZE_T RegionSize;
PROCESS_BASIC_INFORMATION ProcessInfo;
PPEB Peb;
UNICODE_STRING Unicode;
//
// Zero output parameter and probe the addresses at the same time
//
RtlZeroMemory( ProcessInformation, sizeof( *ProcessInformation ) );
ProcessInformation->Length = sizeof( *ProcessInformation );
//
// Open the specified image file.
//
Status = RtlpOpenImageFile( NtImagePathName,
Attributes & (OBJ_INHERIT | OBJ_CASE_INSENSITIVE),
&File,
TRUE
);
if (!NT_SUCCESS( Status )) {
return( Status );
}
//
// Create a memory section backed by the opened image file
//
Status = ZwCreateSection( &Section,
SECTION_ALL_ACCESS,
NULL,
NULL,
PAGE_EXECUTE,
SEC_IMAGE,
File
);
ZwClose( File );
if ( !NT_SUCCESS( Status ) ) {
return( Status );
}
//
// Create the user mode process, defaulting the parent process to the
// current process if one is not specified. The new process will not
// have a name nor will the handle be inherited by other processes.
//
if (!ARGUMENT_PRESENT( ParentProcess )) {
ParentProcess = NtCurrentProcess();
}
InitializeObjectAttributes( &ObjectAttributes, NULL, 0, NULL,
ProcessSecurityDescriptor );
if ( RtlGetNtGlobalFlags() & FLG_ENABLE_CSRDEBUG ) {
if ( wcsstr(NtImagePathName->Buffer,L"csrss") ||
wcsstr(NtImagePathName->Buffer,L"CSRSS")
) {
//
// For Hydra we don't name the CSRSS process to avoid name
// collissions when multiple CSRSS's are started
//
if (ISTERMINALSERVER()) {
InitializeObjectAttributes( &ObjectAttributes, NULL, 0, NULL,
ProcessSecurityDescriptor );
} else {
RtlInitUnicodeString(&Unicode,L"\\WindowsSS");
InitializeObjectAttributes( &ObjectAttributes, &Unicode, 0, NULL,
ProcessSecurityDescriptor );
}
}
}
if ( !InheritHandles ) {
ProcessParameters->CurrentDirectory.Handle = NULL;
}
Status = ZwCreateProcess( &ProcessInformation->Process,
PROCESS_ALL_ACCESS,
&ObjectAttributes,
ParentProcess,
InheritHandles,
Section,
DebugPort,
ExceptionPort
);
if ( !NT_SUCCESS( Status ) ) {
ZwClose( Section );
return( Status );
}
//
// Retrieve the interesting information from the image header
//
Status = ZwQuerySection( Section,
SectionImageInformation,
&ProcessInformation->ImageInformation,
sizeof( ProcessInformation->ImageInformation ),
NULL
);
if ( !NT_SUCCESS( Status ) ) {
ZwClose( ProcessInformation->Process );
ZwClose( Section );
return( Status );
}
Status = ZwQueryInformationProcess( ProcessInformation->Process,
ProcessBasicInformation,
&ProcessInfo,
sizeof( ProcessInfo ),
NULL
);
if ( !NT_SUCCESS( Status ) ) {
ZwClose( ProcessInformation->Process );
ZwClose( Section );
return( Status );
}
Peb = ProcessInfo.PebBaseAddress;
//
// Duplicate Native handles into new process if any specified.
// Note that the duplicated handles will overlay the input values.
//
try {
Status = STATUS_SUCCESS;
if ( ProcessParameters->StandardInput ) {
Status = ZwDuplicateObject(
ParentProcess,
ProcessParameters->StandardInput,
ProcessInformation->Process,
&ProcessParameters->StandardInput,
0L,
0L,
DUPLICATE_SAME_ACCESS | DUPLICATE_SAME_ATTRIBUTES
);
if ( !NT_SUCCESS(Status) ) {
__leave;
}
}
if ( ProcessParameters->StandardOutput ) {
Status = ZwDuplicateObject(
ParentProcess,
ProcessParameters->StandardOutput,
ProcessInformation->Process,
&ProcessParameters->StandardOutput,
0L,
0L,
DUPLICATE_SAME_ACCESS | DUPLICATE_SAME_ATTRIBUTES
);
if ( !NT_SUCCESS(Status) ) {
__leave;
}
}
if ( ProcessParameters->StandardError ) {
Status = ZwDuplicateObject(
ParentProcess,
ProcessParameters->StandardError,
ProcessInformation->Process,
&ProcessParameters->StandardError,
0L,
0L,
DUPLICATE_SAME_ACCESS | DUPLICATE_SAME_ATTRIBUTES
);
if ( !NT_SUCCESS(Status) ) {
__leave;
}
}
} finally {
if ( !NT_SUCCESS(Status) ) {
ZwClose( ProcessInformation->Process );
ZwClose( Section );
}
}
if ( !NT_SUCCESS(Status) ) {
return Status;
}
//
// Possibly reserve some address space in the new process
//
if (ProcessInformation->ImageInformation.SubSystemType == IMAGE_SUBSYSTEM_NATIVE ) {
if ( ProcessParameters->Flags & RTL_USER_PROC_RESERVE_1MB ) {
Environment = (PVOID)(4);
RegionSize = (1024*1024)-(256);
Status = ZwAllocateVirtualMemory( ProcessInformation->Process,
(PVOID *)&Environment,
0,
&RegionSize,
MEM_RESERVE,
PAGE_READWRITE
);
if ( !NT_SUCCESS( Status ) ) {
ZwClose( ProcessInformation->Process );
ZwClose( Section );
return( Status );
}
}
}
//
// Allocate virtual memory in the new process and use NtWriteVirtualMemory
// to write a copy of the process environment block into the address
// space of the new process. Save the address of the allocated block in
// the process parameter block so the new process can access it.
//
if (s = (PWCHAR)ProcessParameters->Environment) {
while (*s++) {
while (*s++) {
}
}
EnvironmentLength = (SIZE_T)(s - (PWCHAR)ProcessParameters->Environment) * sizeof(WCHAR);
Environment = NULL;
RegionSize = EnvironmentLength;
Status = ZwAllocateVirtualMemory( ProcessInformation->Process,
(PVOID *)&Environment,
0,
&RegionSize,
MEM_COMMIT,
PAGE_READWRITE
);
if ( !NT_SUCCESS( Status ) ) {
ZwClose( ProcessInformation->Process );
ZwClose( Section );
return( Status );
}
Status = ZwWriteVirtualMemory( ProcessInformation->Process,
Environment,
ProcessParameters->Environment,
EnvironmentLength,
NULL
);
if ( !NT_SUCCESS( Status ) ) {
ZwClose( ProcessInformation->Process );
ZwClose( Section );
return( Status );
}
ProcessParameters->Environment = Environment;
}
//
// Allocate virtual memory in the new process and use NtWriteVirtualMemory
// to write a copy of the process parameters block into the address
// space of the new process. Set the initial parameter to the new thread
// to be the address of the block in the new process's address space.
//
Parameters = NULL;
ParameterLength = ProcessParameters->MaximumLength;
Status = ZwAllocateVirtualMemory( ProcessInformation->Process,
(PVOID *)&Parameters,
0,
&ParameterLength,
MEM_COMMIT,
PAGE_READWRITE
);
if ( !NT_SUCCESS( Status ) ) {
ZwClose( ProcessInformation->Process );
ZwClose( Section );
return( Status );
}
Status = ZwWriteVirtualMemory( ProcessInformation->Process,
Parameters,
ProcessParameters,
ProcessParameters->Length,
NULL
);
if ( !NT_SUCCESS( Status ) ) {
ZwClose( ProcessInformation->Process );
ZwClose( Section );
return( Status );
}
Status = ZwWriteVirtualMemory( ProcessInformation->Process,
&Peb->ProcessParameters,
&Parameters,
sizeof( Parameters ),
NULL
);
if ( !NT_SUCCESS( Status ) ) {
ZwClose( ProcessInformation->Process );
ZwClose( Section );
return( Status );
}
//
// Create a suspended thread in the new process. Specify the size and
// position of the stack, along with the start address, initial parameter
// and an SECURITY_DESCRIPTOR. The new thread will not have a name and its handle will
// not be inherited by other processes.
//
Status = RtlCreateUserThread(
ProcessInformation->Process,
ThreadSecurityDescriptor,
TRUE,
ProcessInformation->ImageInformation.ZeroBits,
ProcessInformation->ImageInformation.MaximumStackSize,
ProcessInformation->ImageInformation.CommittedStackSize,
(PUSER_THREAD_START_ROUTINE)
ProcessInformation->ImageInformation.TransferAddress,
(PVOID)Peb,
&ProcessInformation->Thread,
&ProcessInformation->ClientId
);
if ( !NT_SUCCESS( Status ) ) {
ZwClose( ProcessInformation->Process );
ZwClose( Section );
return( Status );
}
//
// Now close the section and file handles. The objects they represent
// will not actually go away until the process is destroyed.
//
ZwClose( Section );
//
// Return success status
//
return( STATUS_SUCCESS );
}
