Hello everyone...

While browsing through this [...] a number of questions have piled up for me - so that you can work through them better, I'll number them:

1.) I'm concerned here with memory scanning in kernel mode. To get into kernel mode I have to write a service - more precisely, a service with the flag SERVICE_KERNEL_DRIVER. Does anyone have links to source code for programming services (just without this flag for now) - in any language? I'm not concerned with the installation, I can do that, just with the service itself.

2.) Since Profan already calls user APIs on its own (among others from User32), and these APIs are not available to a kernel-mode driver, programming a service with the flag SERVICE_KERNEL_DRIVER is not possible in Profan - do I see that correctly?

3.) [quote]Unfortunately, some of the important APIs needed for memory scanning are not exported by name from NTOSKRNL.EXE for the use of a Kernel mode driver.[/quote] So I could only use APIs from NTOSKRNL.EXE, WIN32K.SYS and HAL.DLL, is that right (native APIs)?

4.) For a service I need the API RegisterServiceCtrlHandler. This API comes from ADVAPI32 and is therefore not available to me when programming a kernel-mode driver, do I see that correctly? Which function do I use instead?

5.) [quote]When a User mode application calls the KERNEL32.DLL->VirtualQueryEx() API the call is redirected to the NTDLL.DLL->NtQueryVirtualMemory() function. This API is not available from NTOSKRNL.EXE.[/quote] I think I've understood that. [quote]A driver can solve this problem in two different ways. It can be linked against NTDLL.DLL. This is the easiest way.[/quote] Simple is always good - but how do I link against NTDLL? Is NTDLL available to me at all? How do I link against NTDLL without having LoadLibrary available?

6.) [quote]NtQueryVirtualMemory() queries the pages of a particular process. It is not documented but is only a translation of the VirtualQueryEx() API. ZwQueryVirtualMemory() is placed in NTOSKRNL.EXE and its name is shown by the Windows NT kernel debugger since the debug information contains the name of the function.[/quote] So the function I need to determine the allocated pages is ZwQueryVirtualMemory(), right?

So, question number 1 has already been taken care of. I've just written a (very) small service...

Frank Abbing: Here is some assembler code for programming a service:

; --------------------------------------------
; Framework for Windows NT/2000/XP service application
; Written by Franck hitchhikr Charlet 10-2002.
; --------------------------------------------
; This is a skeleton for an auto loading/shutting down NT service.
; That service will un/register itself too.
; --------------------------------------------
; buildblock RELEASE
; CAPT [BINDIR]ml.exe /c /coff "%1.asm"
; CAPT [BINDIR]Link.exe /SUBSYSTEM:WINDOWS "%1.obj"
; buildblockend
; buildblock DEBUG
; CAPT [BINDIR]ml.exe /Zd /Zi /c /coff "%1.asm"
; CAPT [BINDIR]Link.exe /DEBUG /DEBUGTYPE:CV /SUBSYSTEM:WINDOWS "%1.obj"
; buildblockend
.386
.model flat,stdcall
option casemap:none
; --------------- Includes
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\advapi32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\advapi32.lib
; Not defined in Windows.inc (as usual)
SERVICE_CONFIG_DESCRIPTION equ 1
SERVICE_DESCRIPTIONA STRUCT
lpDescription LPSTR 0
SERVICE_DESCRIPTIONA ENDS
SERVICE_DESCRIPTION TEXTEQU <SERVICE_DESCRIPTIONA>
; --------------- Service datas
.data
ServiceHandle dd 0
ServicesDatabase dd 0
ServiceCurrentStatus dd 0
ServiceEvent dd 0
hServiceThread dd 0
OsVer OSVERSIONINFO <>
ServiceDesc dd 0
ServiceStatus dd 0
; must be grouped
ServiceTable SERVICE_TABLE_ENTRY <0,0>
SERVICE_TABLE_ENTRY <0,0>
;
ServiceStatusTable SERVICE_STATUS <>
FileName db MAX_PATH + 1 dup (0)
ErrStartMsg db "Cant initialize control dispatcher.",0
ErrServiceDBMsg db "Cant open services database.",0
ErrCreateServiceMsg db "Cant create service.",0
ErrOpenServiceMsg db "Cant open service.",0
ErrRemoveServiceMsg db "Cant remove service.",0
ServiceInstalledMsg db "Service installed.",0
ServiceRemovedMsg db "Service removed.",0
; --------------- User datas
; Real name of the service
ServiceName db "MyService",0
; Description shown in windows 2000 and above
ServiceDescription db "Service description here",0
; The service should start as soon as it is installed or not
ServiceStartRightNow dd TRUE
; How and when the service should start
; SERVICE_BOOT_START
; SERVICE_SYSTEM_START
; SERVICE_AUTO_START
; SERVICE_DEMAND_START < Start it with the service manager of Windows.
ServiceStartFlag dd SERVICE_DEMAND_START
; Type of service
ServiceTypeFlag dd SERVICE_WIN32_OWN_PROCESS or SERVICE_INTERACTIVE_PROCESS
; --------------------------------------------
; User code
; --------------------------------------------
.code
; --------------- Perform tasks right before service effective creation
; Out: 0 = Stop install process
; 1 = Proceed with install
; ---------------
; ServicesDatabase variable is initialized
; ---------------
; (Tip: This routine can be used to display dialogs or whatever)
ServiceStart proc
xor eax,eax
inc eax
ret
ServiceStart endp
; --------------- Perform tasks right before service effective removal
; Out: 0 = Stop removal process
; 1 = Proceed with removal
; ---------------
; ServicesDatabase variable is initialized
; ServiceHandle variable is initialized
; ---------------
; (Tip: This routine can be used to display dialogs or whatever)
ServiceRemove proc
xor eax,eax
inc eax
ret
ServiceRemove endp
; --------------- Background Thread (infinite) of the service
ServiceThread proc param:dword
; Put your code here
ThreadLoop: invoke Sleep,1
jmp ThreadLoop
ServiceThread endp
; --------------------------------------------
; Background code
; --------------------------------------------
; --------------- Display an error and terminate process
RaiseError proc ErrorMsg:dword
invoke MessageBoxA,0,ErrorMsg,addr ServiceName,MB_OK or MB_ICONERROR
invoke ExitProcess,0
ret
RaiseError endp
; --------------- Display an informative message
RaiseInformation proc InfoMsg:dword
invoke MessageBoxA,0,InfoMsg,addr ServiceName,MB_OK or MB_ICONINFORMATION
ret
RaiseInformation endp
; --------------- Service entry point
; Must run in 3 ways with the same procedure:
; 1. Install
; 2. Start
; 3. Remove
start: invoke OpenSCManager,0,0,SC_MANAGER_CREATE_SERVICE
mov ServicesDatabase,eax
test eax,eax
jnz DatabaseObtained
invoke RaiseError,addr ErrServiceDBMsg
DatabaseObtained: ; Check if the service is in starting state
invoke OpenService,ServicesDatabase,addr ServiceName,SERVICE_ALL_ACCESS
mov ServiceHandle,eax
test eax,eax
jz InvalidService
invoke QueryServiceStatus,ServiceHandle,addr ServiceStatusTable
test eax,eax
jz NoServiceState
mov eax,ServiceStatusTable.dwCurrentState
; Feed service manager with our thread if starting state
cmp eax,SERVICE_START_PENDING
je ServiceStartup
NoServiceState: invoke CloseServiceHandle,ServiceHandle
jmp InstallProceed
InvalidService: ; Call user procedure
call ServiceStart
test eax,eax
jnz InstallProceed
invoke CloseServiceHandle,ServicesDatabase
invoke ExitProcess,0
InstallProceed: invoke GetModuleFileName,0,addr FileName,MAX_PATH
; Try to install
invoke CreateService,ServicesDatabase,addr ServiceName,addr ServiceName,SERVICE_ALL_ACCESS,ServiceTypeFlag,ServiceStartFlag,SERVICE_ERROR_NORMAL,addr FileName,0,0,0,0,0
mov ServiceHandle,eax
test eax,eax
jnz ServiceCreated
invoke GetLastError
cmp eax,ERROR_SERVICE_EXISTS
jne ServiceAlreadyExists
; Perform removal
invoke OpenService,ServicesDatabase,addr ServiceName,SERVICE_ALL_ACCESS or DELETE
mov ServiceHandle,eax
test eax,eax
jnz ServiceOpened
invoke CloseServiceHandle,ServicesDatabase
invoke RaiseError,addr ErrOpenServiceMsg
ServiceOpened: invoke QueryServiceStatus,ServiceHandle,addr ServiceStatusTable
mov eax,ServiceStatusTable.dwCurrentState
cmp eax,SERVICE_STOPPED
je ServiceAlreadyStopped
invoke ControlService,ServiceHandle,SERVICE_CONTROL_STOP,addr ServiceStatusTable
invoke Sleep,500
ServiceAlreadyStopped: ; Call user procedure
call ServiceRemove
test eax,eax
jnz RemoveProceed
invoke CloseServiceHandle,ServiceHandle
invoke CloseServiceHandle,ServicesDatabase
invoke ExitProcess,0
RemoveProceed: invoke DeleteService,ServiceHandle
test eax,eax
jnz ServiceRemoved
invoke CloseServiceHandle,ServiceHandle
invoke CloseServiceHandle,ServicesDatabase
invoke RaiseError,addr ErrRemoveServiceMsg
ServiceRemoved: invoke CloseServiceHandle,ServiceHandle
invoke CloseServiceHandle,ServicesDatabase
invoke RaiseInformation,addr ServiceRemovedMsg
invoke ExitProcess,0
ServiceAlreadyExists: invoke CloseServiceHandle,ServicesDatabase
invoke RaiseError,addr ErrCreateServiceMsg
ServiceCreated: mov [OsVer.dwOSVersionInfoSize],sizeof OsVer;
invoke GetVersionEx,addr OsVer
test eax,eax
jz CantObtainOSVersion
.if [OsVer.dwMajorVersion] >= 5
; Add a description if OS >= Win2k (major version 5); dwOSVersionInfoSize is only the struct size
.if [OsVer.dwPlatformId] == VER_PLATFORM_WIN32_NT
mov eax,offset ServiceDescription
mov [ServiceDesc], eax
invoke ChangeServiceConfig2, ServiceHandle, SERVICE_CONFIG_DESCRIPTION, addr ServiceDesc
.endif
.endif
CantObtainOSVersion: .if ServiceStartRightNow != FALSE
invoke StartService,ServiceHandle,0,0
.endif
invoke CloseServiceHandle,ServiceHandle
invoke CloseServiceHandle,ServicesDatabase
invoke RaiseInformation,addr ServiceInstalledMsg
invoke ExitProcess,0
ServiceStartup: invoke CloseServiceHandle,ServiceHandle
invoke CloseServiceHandle,ServicesDatabase
mov ServiceTable.lpServiceName,offset ServiceName
mov ServiceTable.lpServiceProc,offset ServiceMain
invoke StartServiceCtrlDispatcher,addr ServiceTable
test eax,eax
jnz ServiceDispatch
invoke RaiseError,addr ErrStartMsg
ServiceDispatch: invoke ExitProcess,eax
; --------------- Initialize service thread
InitServiceThread proc
local ThreadID:dword
invoke CreateThread,0,0,addr ServiceThread,0,0,addr ThreadID
mov hServiceThread,eax
test eax,eax
jz Err_InitThread
xor eax,eax
inc eax
or ServiceCurrentStatus,eax
Err_InitThread: ret
InitServiceThread endp
; --------------- Resume service
ResumeService: and ServiceCurrentStatus,0fffffffdh
invoke ResumeThread,hServiceThread
ret
; --------------- Pause service
PauseService: or ServiceCurrentStatus,2
invoke SuspendThread,hServiceThread
ret
; --------------- Stop service
StopService: and ServiceCurrentStatus,0fffffffeh
invoke SetEvent,ServiceEvent
ret
; --------------- Send message to system
SendStatus proc dwCurrentState:dword,dwWin32ExitCode:dword,dwServiceSpecificExitCode:dword,dwCheckPoint:dword,dwWaitHint:dword
mov ServiceStatusTable.dwServiceType,SERVICE_WIN32_OWN_PROCESS
push dwCurrentState
pop ServiceStatusTable.dwCurrentState
cmp dwCurrentState,SERVICE_START_PENDING
jne SStatusStartPending
mov ServiceStatusTable.dwControlsAccepted,0
jmp CheckSStatusPending
SStatusStartPending: mov ServiceStatusTable.dwControlsAccepted,SERVICE_ACCEPT_STOP or SERVICE_ACCEPT_PAUSE_CONTINUE or SERVICE_ACCEPT_SHUTDOWN
CheckSStatusPending: cmp dwServiceSpecificExitCode,0
jne SStatusSetExitCode
push dwWin32ExitCode
pop ServiceStatusTable.dwWin32ExitCode
jmp CheckSStatusExitCode
SStatusSetExitCode: mov ServiceStatusTable.dwWin32ExitCode,ERROR_SERVICE_SPECIFIC_ERROR
CheckSStatusExitCode: push dwServiceSpecificExitCode
pop ServiceStatusTable.dwServiceSpecificExitCode
push dwCheckPoint
pop ServiceStatusTable.dwCheckPoint
push dwWaitHint
pop ServiceStatusTable.dwWaitHint
invoke SetServiceStatus,ServiceStatus,addr ServiceStatusTable
xor eax,eax
inc eax
ret
SendStatus endp
; --------------- Terminate service
TerminateService proc ProvidedErr:dword
mov eax,ServiceEvent
test eax,eax
jz NoEventToTerminate
push eax
call CloseHandle
NoEventToTerminate: mov eax,ServiceStatus
test eax,eax
jz NoWorkingService
invoke SendStatus,SERVICE_STOPPED,ProvidedErr,0,0,0
NoWorkingService: mov eax,hServiceThread
test eax,eax
jz NoThreadToTerminate
push eax
call CloseHandle
NoThreadToTerminate: xor eax,eax
ret
TerminateService endp
; --------------- Answer to system messages
CtrlHandler proc CtrlCode:dword
local StatetoSend:dword
mov StatetoSend,0
cmp CtrlCode,SERVICE_CONTROL_STOP
jne HandleServStop
invoke SendStatus,SERVICE_STOP_PENDING,NO_ERROR,0,1,5000
call StopService
mov StatetoSend,SERVICE_STOPPED
jmp SCHandler
HandleServStop: cmp CtrlCode,SERVICE_CONTROL_PAUSE
jne HandleServPause
cmp ServiceCurrentStatus,1
jne HandleServPause
invoke SendStatus,SERVICE_PAUSE_PENDING,NO_ERROR,0,1,1000
call PauseService
mov StatetoSend,SERVICE_PAUSED
jmp SCHandler
HandleServPause: cmp CtrlCode,SERVICE_CONTROL_CONTINUE
jne HandleServResume
cmp ServiceCurrentStatus,3
jne HandleServResume
invoke SendStatus,SERVICE_CONTINUE_PENDING,NO_ERROR,0,1,1000
call ResumeService
mov StatetoSend,SERVICE_RUNNING
jmp SCHandler
HandleServResume: cmp CtrlCode,SERVICE_CONTROL_INTERROGATE
je SCHandler
cmp CtrlCode,SERVICE_CONTROL_SHUTDOWN
jne SCHandler
ret
SCHandler: invoke SendStatus,StatetoSend,NO_ERROR,0,0,0
ret
CtrlHandler endp
; --------------- Service main handler
ServiceMain proc ArgC:dword,ArgV:dword
invoke RegisterServiceCtrlHandler,addr ServiceName,addr CtrlHandler
mov ServiceStatus,eax
test eax,eax
jnz RegisteredCtrlHandler
invoke GetLastError
invoke TerminateService,eax
ret
RegisteredCtrlHandler: invoke SendStatus,SERVICE_START_PENDING,NO_ERROR,0,1,5000
invoke CreateEvent,0,TRUE,FALSE,0
mov ServiceEvent,eax
test eax,eax
jnz RegisteredEvent
invoke GetLastError
invoke TerminateService,eax
ret
RegisteredEvent: invoke SendStatus,SERVICE_START_PENDING,NO_ERROR,0,2,1000
invoke SendStatus,SERVICE_START_PENDING,NO_ERROR,0,3,5000
invoke InitServiceThread
test eax,eax
jnz RegisteredThread
invoke GetLastError
invoke TerminateService,eax
ret
RegisteredThread: invoke SendStatus,SERVICE_RUNNING,NO_ERROR,0,0,0
invoke WaitForSingleObject,ServiceEvent,INFINITE
invoke TerminateService, 0
ret
ServiceMain endp
end start
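
As an added example that is not code from the thread: a PowerShell audit of the SCM database in the registry that decodes the Type and Start values discussed above (SERVICE_KERNEL_DRIVER from question 1, the SERVICE_*_START flags listed in the skeleton) and checks the Authenticode signature of every registered kernel driver image, which is the view a defender wants of the same registrations. It assumes Windows PowerShell 5.1 or later run with administrative rights.

```powershell
# Added example, not from the thread: enumerate registered drivers from the
# SCM database in the registry and decode the Type/Start values the posts refer to.
$ServiceTypes = @{
    0x001 = 'SERVICE_KERNEL_DRIVER'
    0x002 = 'SERVICE_FILE_SYSTEM_DRIVER'
    0x010 = 'SERVICE_WIN32_OWN_PROCESS'
    0x020 = 'SERVICE_WIN32_SHARE_PROCESS'
}
$StartTypes = @{
    0 = 'SERVICE_BOOT_START'; 1 = 'SERVICE_SYSTEM_START'; 2 = 'SERVICE_AUTO_START'
    3 = 'SERVICE_DEMAND_START'; 4 = 'SERVICE_DISABLED'
}

function Resolve-DriverImagePath {
    param([string]$ImagePath, [string]$ServiceName)
    # A driver key without ImagePath is loaded from System32\drivers\<name>.sys.
    if (-not $ImagePath) { return "$env:SystemRoot\System32\drivers\$ServiceName.sys" }
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                        # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"   # -replace is case-insensitive
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    return $p
}

function Get-KernelDriverServices {
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $v = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        # Bits 0-1 of Type mark kernel and file-system drivers; Win32 services are skipped.
        if ($null -eq $v.Type -or ($v.Type -band 0x3) -eq 0) { return }
        $path  = Resolve-DriverImagePath -ImagePath $v.ImagePath -ServiceName $_.PSChildName
        $start = if ($null -ne $v.Start) { $StartTypes[[int]$v.Start] } else { 'Unknown' }
        $sig   = if (Test-Path -LiteralPath $path) {
                     (Get-AuthenticodeSignature -FilePath $path).Status
                 } else { 'FileMissing' }
        [pscustomobject]@{
            Name      = $_.PSChildName
            Type      = $ServiceTypes[[int]($v.Type -band 0x3F)]
            Start     = $start
            ImagePath = $path
            Signature = $sig
        }
    }
}

# Report drivers whose image is missing or whose signature does not verify.
Get-KernelDriverServices | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```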

Thanks a lot! I'll still be able to use that!
PS: Above all, in the proc that reacts to the status messages, I was extremely economical compared to your ASM code.

Questions 4 and 5 have been taken care of.

[quote][quote]A driver can solve this problem in two different ways. It can be linked against NTDLL.DLL. This is the easiest way.[/quote] Simple is always good - but how do I link against NTDLL? Is NTDLL available to me at all? How do I link against NTDLL without having LoadLibrary available?[/quote] The author of the article apparently obscures something here on purpose, for security reasons: of course you can't link against NTDLL if NTDLL isn't available at all - but there is another native API with which you can load particular modules into the kernel (and which isn't mentioned here). Via this API it is also possible to start a driver without registering it as a service. I had actually assumed that you'd have to enable a particular privilege to call this special API, and was then quite shocked that this isn't the case at all. That privilege must, however, definitely (and fortunately) be present.
Regards
Andreas

Sebastian König: Hello Andreas,
a few days ago I read [...] very interesting article. Of course I don't know whether there's anything in it that you don't already know...
Regards
Sebastian

I'm only just getting started - hand it over!

Sebastian König: [quote]I'm only just getting started - hand it over![/quote] Just follow the link - I also find the other articles on that page (various topics) very worth reading.

I missed the link - looks good, thanks!

It's actually exactly what I still needed. Thanks!