Hello everyone...

While browsing through this [...] a whole pile of questions has built up for me - so that they can be worked through more easily, I'll number them:

1.) What I'm concerned with here is memory scanning in kernel mode. To get into kernel mode I have to write a service - more precisely, a service with the flag SERVICE_KERNEL_DRIVER. Does anyone have links to source code for programming services (even without this flag) - in any language? It's not about installation, I can do that, just about the service itself.

2.) Since Profan already calls user APIs on its own (among others from User32) and these APIs are not available in a kernel-mode driver, programming a service with the flag SERVICE_KERNEL_DRIVER in Profan is not possible - am I seeing that correctly?

3.) [quote]Unfortunately, some of the important APIs needed for memory scanning are not exported by name from NTOSKRNL.EXE for the use of a Kernel mode driver.[/quote] So I may only use APIs from NTOSKRNL.EXE, WIN32K.SYS and HAL.DLL, is that right (native APIs)?

4.) For a service I need the API RegisterServiceCtrlHandler. This API comes from ADVAPI32 and is therefore not available to me when programming a kernel-mode driver, am I seeing that correctly? Which function do I use instead?

5.) [quote]When a User mode application calls the KERNEL32.DLL→VirtualQueryEx() API the call is redirected to the NTDLL.DLL→NtQueryVirtualMemory() function. This API is not available from NTOSKRNL.EXE.[/quote] I think I've understood that. [quote]A driver can solve this problem in two different ways. It can be linked against NTDLL.DLL. is the easiest way.[/quote] Easy is always good - but how do I link against NTDLL? Is NTDLL even available to me? How do I link against NTDLL without having LoadLibrary available?

6.) [quote]NtQueryVirtualMemory() queries the pages of a particular process. It is not documented but is only a translation of the VirtualQueryEx() API. ZwQueryVirtualMemory() is placed in NTOSKRNL.EXE and its name is shown by the Windows NT kernel debugger since the debug information contains the name of the function.[/quote] So the function I need in order to determine the allocated pages is called ZwQueryVirtualMemory(), right?
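The passages quoted in questions 5 and 6 describe VirtualQueryEx as the documented user-mode entry point that ends up in NtQueryVirtualMemory, with ZwQueryVirtualMemory as the kernel-side name. The PowerShell script below is an added example, not code from this thread or from the quoted article: it P/Invokes VirtualQueryEx to walk a process's address space and list the committed regions, which is the user-mode version of the page enumeration the original poster wants to do from a driver. Get-ProcessMemoryMap, the MemQuery wrapper class and the final filter for private read-write-execute regions are names and a heuristic chosen here; the numeric constants are the documented Win32 values.

```powershell
# Added example: enumerate committed memory regions of a process with
# VirtualQueryEx (the user-mode counterpart of ZwQueryVirtualMemory).
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class MemQuery {
    [StructLayout(LayoutKind.Sequential)]
    public struct MEMORY_BASIC_INFORMATION {
        public IntPtr  BaseAddress;
        public IntPtr  AllocationBase;
        public uint    AllocationProtect;
        public UIntPtr RegionSize;   // SIZE_T; on x64 the 2-byte PartitionId field lands in the padding before it
        public uint    State;
        public uint    Protect;
        public uint    Type;
    }
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern UIntPtr VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress,
        out MEMORY_BASIC_INFORMATION lpBuffer, UIntPtr dwLength);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
"@

function Get-ProcessMemoryMap {
    # Helper name chosen for this example; defaults to the current process.
    param([uint32]$ProcessId = $PID)
    $PROCESS_QUERY_INFORMATION = 0x0400   # sufficient access for VirtualQueryEx
    $MEM_COMMIT = 0x1000

    $h = [MemQuery]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        throw "OpenProcess($ProcessId) failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $mbi  = [MemQuery+MEMORY_BASIC_INFORMATION]::new()
        $size = [UIntPtr]::new([uint32][Runtime.InteropServices.Marshal]::SizeOf([MemQuery+MEMORY_BASIC_INFORMATION]))
        $addr = [IntPtr]::Zero
        # VirtualQueryEx fails once $addr passes the top of user space, which ends the walk.
        while ([MemQuery]::VirtualQueryEx($h, $addr, [ref]$mbi, $size) -ne [UIntPtr]::Zero) {
            if ($mbi.State -eq $MEM_COMMIT) {
                [pscustomobject]@{
                    Base    = '0x{0:X}' -f $mbi.BaseAddress.ToInt64()
                    Size    = $mbi.RegionSize.ToUInt64()
                    Protect = $mbi.Protect   # PAGE_* value, e.g. 0x40 = PAGE_EXECUTE_READWRITE
                    Type    = $mbi.Type      # 0x20000 MEM_PRIVATE, 0x40000 MEM_MAPPED, 0x1000000 MEM_IMAGE
                }
            }
            $next = $mbi.BaseAddress.ToInt64() + [int64]$mbi.RegionSize.ToUInt64()
            if ($next -le $addr.ToInt64()) { break }   # defensive: never spin on a zero-size or wrapped region
            $addr = [IntPtr]$next
        }
    } finally {
        [void][MemQuery]::CloseHandle($h)
    }
}

$map = Get-ProcessMemoryMap
'{0} committed regions, {1:N0} bytes' -f $map.Count, ($map | Measure-Object -Property Size -Sum).Sum
# Private memory that is both writable and executable is rare in a healthy process and is
# a common first filter when looking for injected code.
$map | Where-Object { $_.Protect -eq 0x40 -and $_.Type -eq 0x20000 } | Format-Table Base, Size -AutoSize
```

Run it as-is to map the PowerShell process itself, or pass -ProcessId for another process you have PROCESS_QUERY_INFORMATION access to. The struct is declared without the x64-only PartitionId member because sequential layout pads RegionSize to the same offset either way, so the same definition works for 32-bit and 64-bit PowerShell.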

So, question number 1 has already been sorted out. I've just written a (fairly) small service...

Frank Abbing | Here is some assembler code for programming a service:

; --------------------------------------------
; Framework for Windows NT/2000/XP service application
; Written by Franck hitchhikr Charlet 10-2002.
; --------------------------------------------
; This is a skeleton for an auto loading/shutting down NT service.
; That service will un/register itself too.
; --------------------------------------------
; buildblock RELEASE
; CAPT [BINDIR]ml.exe /c /coff "%1.asm"
; CAPT [BINDIR]Link.exe /SUBSYSTEM:WINDOWS "%1.obj"
; buildblockend
; buildblock DEBUG
; CAPT [BINDIR]ml.exe /Zd /Zi /c /coff "%1.asm"
; CAPT [BINDIR]Link.exe /DEBUG /DEBUGTYPE:CV /SUBSYSTEM:WINDOWS "%1.obj"
; buildblockend
.386
.model flat,stdcall
option casemap:none
; --------------- Includes
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\advapi32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\advapi32.lib
; Not defined in Windows.inc (as usual)
SERVICE_CONFIG_DESCRIPTION equ 1
SERVICE_DESCRIPTIONA STRUCT
lpDescription LPSTR 0
SERVICE_DESCRIPTIONA ENDS
SERVICE_DESCRIPTION TEXTEQU <SERVICE_DESCRIPTIONA>
; --------------- Service datas
.data
ServiceHandle dd 0
ServicesDatabase dd 0
ServiceCurrentStatus dd 0
ServiceEvent dd 0
hServiceThread dd 0
OsVer OSVERSIONINFO <>
ServiceDesc dd 0
ServiceStatus dd 0
; must be grouped
ServiceTable SERVICE_TABLE_ENTRY <0,0>
SERVICE_TABLE_ENTRY <0,0>
;
ServiceStatusTable SERVICE_STATUS <>
FileName db MAX_PATH + 1 dup (0)
ErrStartMsg db "Cant initialize control dispatcher.",0
ErrServiceDBMsg db "Cant open services database.",0
ErrCreateServiceMsg db "Cant create service.",0
ErrOpenServiceMsg db "Cant open service.",0
ErrRemoveServiceMsg db "Cant remove service.",0
ServiceInstalledMsg db "Service installed.",0
ServiceRemovedMsg db "Service removed.",0
; --------------- User datas
; Real name of the service
ServiceName db "MyService",0
; Description shown in windows 2000 and above
ServiceDescription db "Service description here",0
; The service should start as soon as it is installed or not
ServiceStartRightNow dd TRUE
; How and when the service should start
; SERVICE_BOOT_START
; SERVICE_SYSTEM_START
; SERVICE_AUTO_START
; SERVICE_DEMAND_START < Start it with the service manager of Windows.
ServiceStartFlag dd SERVICE_DEMAND_START
; Type of service
ServiceTypeFlag dd SERVICE_WIN32_OWN_PROCESS or SERVICE_INTERACTIVE_PROCESS
; --------------------------------------------
; User code
; --------------------------------------------
.code
; --------------- Perform tasks right before service effective creation
; Out: 0 = Stop install process
; 1 = Proceed with install
; ---------------
; ServicesDatabase variable is initialized
; ---------------
; (Tip: This routine can be used to display dialogs or whatever)
ServiceStart proc
xor eax,eax
inc eax
ret
ServiceStart endp
; --------------- Perform tasks right before service effective removal
; Out: 0 = Stop removal process
; 1 = Proceed with removal
; ---------------
; ServicesDatabase variable is initialized
; ServiceHandle variable is initialized
; ---------------
; (Tip: This routine can be used to display dialogs or whatever)
ServiceRemove proc
xor eax,eax
inc eax
ret
ServiceRemove endp
; --------------- Background Thread (infinite) of the service
ServiceThread proc param:dword
; Put your code here
ThreadLoop: invoke Sleep,1
jmp ThreadLoop
ServiceThread endp
; --------------------------------------------
; Background code
; --------------------------------------------
; --------------- Display an error and terminate process
RaiseError proc ErrorMsg:dword
invoke MessageBoxA,0,ErrorMsg,addr ServiceName,MB_OK or MB_ICONERROR
invoke ExitProcess,0
ret
RaiseError endp
; --------------- Display an informative message
RaiseInformation proc InfoMsg:dword
invoke MessageBoxA,0,InfoMsg,addr ServiceName,MB_OK or MB_ICONINFORMATION
ret
RaiseInformation endp
; --------------- Service entry point
; Must run in 3 ways with the same procedure:
; 1. Install
; 2. Start
; 3. Remove
start: invoke OpenSCManager,0,0,SC_MANAGER_CREATE_SERVICE
mov ServicesDatabase,eax
test eax,eax
jnz DatabaseObtained
invoke RaiseError,addr ErrServiceDBMsg
DatabaseObtained: ; Check if the service is in starting state
invoke OpenService,ServicesDatabase,addr ServiceName,SERVICE_ALL_ACCESS
mov ServiceHandle,eax
test eax,eax
jz InvalidService
invoke QueryServiceStatus,ServiceHandle,addr ServiceStatusTable
test eax,eax
jz NoServiceState
mov eax,ServiceStatusTable.dwCurrentState
; Feed service manager with our thread if starting state
cmp eax,SERVICE_START_PENDING
je ServiceStartup
NoServiceState: invoke CloseServiceHandle,ServiceHandle
jmp InstallProceed
InvalidService: ; Call user procedure
call ServiceStart
test eax,eax
jnz InstallProceed
invoke CloseServiceHandle,ServicesDatabase
invoke ExitProcess,0
InstallProceed: invoke GetModuleFileName,0,addr FileName,MAX_PATH
; Try to install
invoke CreateService,ServicesDatabase,addr ServiceName,addr ServiceName,SERVICE_ALL_ACCESS,ServiceTypeFlag,ServiceStartFlag,SERVICE_ERROR_NORMAL,addr FileName,0,0,0,0,0
mov ServiceHandle,eax
test eax,eax
jnz ServiceCreated
invoke GetLastError
cmp eax,ERROR_SERVICE_EXISTS
jne ServiceAlreadyExists
; Perform removal
invoke OpenService,ServicesDatabase,addr ServiceName,SERVICE_ALL_ACCESS or DELETE
mov ServiceHandle,eax
test eax,eax
jnz ServiceOpened
invoke CloseServiceHandle,ServicesDatabase
invoke RaiseError,addr ErrOpenServiceMsg
ServiceOpened: invoke QueryServiceStatus,ServiceHandle,addr ServiceStatusTable
mov eax,ServiceStatusTable.dwCurrentState
cmp eax,SERVICE_STOPPED
je ServiceAlreadyStopped
invoke ControlService,ServiceHandle,SERVICE_CONTROL_STOP,addr ServiceStatusTable
invoke Sleep,500
ServiceAlreadyStopped: ; Call user procedure
call ServiceRemove
test eax,eax
jnz RemoveProceed
invoke CloseServiceHandle,ServiceHandle
invoke CloseServiceHandle,ServicesDatabase
invoke ExitProcess,0
RemoveProceed: invoke DeleteService,ServiceHandle
test eax,eax
jnz ServiceRemoved
invoke CloseServiceHandle,ServiceHandle
invoke CloseServiceHandle,ServicesDatabase
invoke RaiseError,addr ErrRemoveServiceMsg
ServiceRemoved: invoke CloseServiceHandle,ServiceHandle
invoke CloseServiceHandle,ServicesDatabase
invoke RaiseInformation,addr ServiceRemovedMsg
invoke ExitProcess,0
ServiceAlreadyExists: invoke CloseServiceHandle,ServicesDatabase
invoke RaiseError,addr ErrCreateServiceMsg
ServiceCreated: mov [OsVer.dwOSVersionInfoSize],sizeof OsVer;
invoke GetVersionEx,addr OsVer
test eax,eax
jz CantObtainOSVersion
.if [OsVer.dwMajorVersion] >= 5
; Add a description if OS >= Win2k
.if [OsVer.dwPlatformId] == VER_PLATFORM_WIN32_NT
mov eax,offset ServiceDescription
mov [ServiceDesc], eax
invoke ChangeServiceConfig2, ServiceHandle, SERVICE_CONFIG_DESCRIPTION, addr ServiceDesc
.endif
.endif
CantObtainOSVersion: .if ServiceStartRightNow != FALSE
invoke StartService,ServiceHandle,0,0
.endif
invoke CloseServiceHandle,ServiceHandle
invoke CloseServiceHandle,ServicesDatabase
invoke RaiseInformation,addr ServiceInstalledMsg
invoke ExitProcess,0
ServiceStartup: invoke CloseServiceHandle,ServiceHandle
invoke CloseServiceHandle,ServicesDatabase
mov ServiceTable.lpServiceName,offset ServiceName
mov ServiceTable.lpServiceProc,offset ServiceMain
invoke StartServiceCtrlDispatcher,addr ServiceTable
test eax,eax
jnz ServiceDispatch
invoke RaiseError,addr ErrStartMsg
ServiceDispatch: invoke ExitProcess,eax
; --------------- Initialize service thread
InitServiceThread proc
local ThreadID:dword
invoke CreateThread,0,0,addr ServiceThread,0,0,addr ThreadID
mov hServiceThread,eax
test eax,eax
jz Err_InitThread
xor eax,eax
inc eax
or ServiceCurrentStatus,eax
Err_InitThread: ret
InitServiceThread endp
; --------------- Resume service
ResumeService: and ServiceCurrentStatus,0fffffffdh
invoke ResumeThread,hServiceThread
ret
; --------------- Pause service
PauseService: or ServiceCurrentStatus,2
invoke SuspendThread,hServiceThread
ret
; --------------- Stop service
StopService: and ServiceCurrentStatus,0fffffffeh
invoke SetEvent,ServiceEvent
ret
; --------------- Send message to system
SendStatus proc dwCurrentState:dword,dwWin32ExitCode:dword,dwServiceSpecificExitCode:dword,dwCheckPoint:dword,dwWaitHint:dword
mov ServiceStatusTable.dwServiceType,SERVICE_WIN32_OWN_PROCESS
push dwCurrentState
pop ServiceStatusTable.dwCurrentState
cmp dwCurrentState,SERVICE_START_PENDING
jne SStatusStartPending
mov ServiceStatusTable.dwControlsAccepted,0
jmp CheckSStatusPending
SStatusStartPending: mov ServiceStatusTable.dwControlsAccepted,SERVICE_ACCEPT_STOP or SERVICE_ACCEPT_PAUSE_CONTINUE or SERVICE_ACCEPT_SHUTDOWN
CheckSStatusPending: cmp dwServiceSpecificExitCode,0
jne SStatusSetExitCode
push dwWin32ExitCode
pop ServiceStatusTable.dwWin32ExitCode
jmp CheckSStatusExitCode
SStatusSetExitCode: mov ServiceStatusTable.dwWin32ExitCode,ERROR_SERVICE_SPECIFIC_ERROR
CheckSStatusExitCode: push dwServiceSpecificExitCode
pop ServiceStatusTable.dwServiceSpecificExitCode
push dwCheckPoint
pop ServiceStatusTable.dwCheckPoint
push dwWaitHint
pop ServiceStatusTable.dwWaitHint
invoke SetServiceStatus,ServiceStatus,addr ServiceStatusTable
xor eax,eax
inc eax
ret
SendStatus endp
; --------------- Terminate service
TerminateService proc ProvidedErr:dword
mov eax,ServiceEvent
test eax,eax
jz NoEventToTerminate
push eax
call CloseHandle
NoEventToTerminate: mov eax,ServiceStatus
test eax,eax
jz NoWorkingService
invoke SendStatus,SERVICE_STOPPED,ProvidedErr,0,0,0
NoWorkingService: mov eax,hServiceThread
test eax,eax
jz NoThreadToTerminate
push eax
call CloseHandle
NoThreadToTerminate: xor eax,eax
ret
TerminateService endp
; --------------- Answer to system messages
CtrlHandler proc CtrlCode:dword
local StatetoSend:dword
mov StatetoSend,0
cmp CtrlCode,SERVICE_CONTROL_STOP
jne HandleServStop
invoke SendStatus,SERVICE_STOP_PENDING,NO_ERROR,0,1,5000
call StopService
mov StatetoSend,SERVICE_STOPPED
jmp SCHandler
HandleServStop: cmp CtrlCode,SERVICE_CONTROL_PAUSE
jne HandleServPause
cmp ServiceCurrentStatus,1
jne HandleServPause
invoke SendStatus,SERVICE_PAUSE_PENDING,NO_ERROR,0,1,1000
call PauseService
mov StatetoSend,SERVICE_PAUSED
jmp SCHandler
HandleServPause: cmp CtrlCode,SERVICE_CONTROL_CONTINUE
jne HandleServResume
cmp ServiceCurrentStatus,3
jne HandleServResume
invoke SendStatus,SERVICE_CONTINUE_PENDING,NO_ERROR,0,1,1000
call ResumeService
mov StatetoSend,SERVICE_RUNNING
jmp SCHandler
HandleServResume: cmp CtrlCode,SERVICE_CONTROL_INTERROGATE
je SCHandler
cmp CtrlCode,SERVICE_CONTROL_SHUTDOWN
jne SCHandler
ret
SCHandler: invoke SendStatus,StatetoSend,NO_ERROR,0,0,0
ret
CtrlHandler endp
; --------------- Service main handler
ServiceMain proc ArgC:dword,ArgV:dword
invoke RegisterServiceCtrlHandler,addr ServiceName,addr CtrlHandler
mov ServiceStatus,eax
test eax,eax
jnz RegisteredCtrlHandler
invoke GetLastError
invoke TerminateService,eax
ret
RegisteredCtrlHandler: invoke SendStatus,SERVICE_START_PENDING,NO_ERROR,0,1,5000
invoke CreateEvent,0,TRUE,FALSE,0
mov ServiceEvent,eax
test eax,eax
jnz RegisteredEvent
invoke GetLastError
invoke TerminateService,eax
ret
RegisteredEvent: invoke SendStatus,SERVICE_START_PENDING,NO_ERROR,0,2,1000
invoke SendStatus,SERVICE_START_PENDING,NO_ERROR,0,3,5000
invoke InitServiceThread
test eax,eax
jnz RegisteredThread
invoke GetLastError
invoke TerminateService,eax
ret
RegisteredThread: invoke SendStatus,SERVICE_RUNNING,NO_ERROR,0,0,0
invoke WaitForSingleObject,ServiceEvent,INFINITE
invoke TerminateService, 0
ret
ServiceMain endp
end start

Thanks a lot! I'll still be able to use that!
PS: Above all in the proc that reacts to the status messages, I was extremely sparing compared to your ASM code.

Questions 4 and 5 have been sorted out.

[quote][quote]A driver can solve this problem in two different ways. It can be linked against NTDLL.DLL. is the easiest way.[/quote] Easy is always good - but how do I link against NTDLL? Is NTDLL even available to me? How do I link against NTDLL without having LoadLibrary available?[/quote] The author of the article apparently obscures something here deliberately, for security reasons: of course you can't link against NTDLL if NTDLL isn't available - but there is another native API with which you can load a certain module into the kernel (and that isn't mentioned here). Via this API it's also possible to start a driver without registering it as a service. I had actually assumed that you have to enable a particular privilege to execute this special API and was then quite shocked that this isn't the case. But this privilege definitely (and fortunately) has to be available.
Regards
Andreas
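Question 1 asks about services registered with SERVICE_KERNEL_DRIVER, and Andreas notes above that a driver can also be brought into the kernel without that registration. The PowerShell script below is an added example, not code from this thread: it takes the defender's view of the same mechanism and lists the kernel-mode driver services the service control manager knows about (Win32_SystemDriver covers kernel and file-system drivers), with start mode, state and the Authenticode status of each image. Get-KernelDriverInventory is a name chosen here, and the path normalisation is an assumption about the forms an ImagePath commonly takes (\SystemRoot\..., \??\C:\..., or a path relative to the Windows directory).

```powershell
# Added example: inventory of the kernel-mode driver services registered with the SCM.
function Get-KernelDriverInventory {
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $path = $_.PathName
        if ($path) {
            # Assumption: the SCM stores NT-style paths; normalise the common forms.
            $path = $path -replace '^\\\?\?\\', ''                        # \??\C:\...      -> C:\...
            $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"  # \SystemRoot\... -> C:\Windows\...
            if ($path -notmatch '^[A-Za-z]:\\') {                         # system32\drivers\x.sys (relative)
                $path = Join-Path $env:SystemRoot $path
            }
        }
        $sig = if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
            (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
        } else {
            'FileNotFound'
        }
        [pscustomobject]@{
            Name      = $_.Name
            StartMode = $_.StartMode   # Boot / System / Auto / Manual / Disabled
            State     = $_.State       # Running / Stopped
            Path      = $path
            Signature = $sig           # Valid / NotSigned / HashMismatch / ...
        }
    }
}

$inventory = Get-KernelDriverInventory
'{0} driver services registered' -f $inventory.Count
# Start the review with anything that is not cleanly signed or whose image is missing on disk.
$inventory | Where-Object { $_.Signature -ne 'Valid' } | Sort-Object StartMode, Name | Format-Table -AutoSize
```

Two caveats when reading the output. This is an inventory of what is registered with the SCM, so a module loaded by the route Andreas describes will not appear in it; compare against the loaded-module list from a kernel debugger or your endpoint telemetry. And Microsoft's inbox drivers are mostly catalog-signed, which Get-AuthenticodeSignature resolves on current Windows versions, so a NotSigned result is a reason to look closer rather than a verdict.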
Sebastian König | Hello Andreas,
A few days ago I read a very interesting article [...]. Of course I don't know whether it contains anything you don't already know...
Kind regards
Sebastian

I'm only just getting started - bring it on!

Sebastian König | [quote]I'm only just getting started - bring it on![/quote] Just follow the link - I also find the other articles on the site (various topics) well worth reading.

I'd overlooked the link - looks good, thanks!

That's exactly what I still needed. Thanks!