Ring0 calling ring3 via APC

Source: Internet
Author: User
Tags: apc

Recently I have been working on the problem of calling ring3 functions from ring0.

The goal is to start an application (an exe or a dll) from inside a driver, but the kernel has no API such as WinExec or LoadLibrary for us to call. In addition, the driver and the application live in different address spaces: one in the high (kernel) address range, the other in the low (user) address range. User-mode functions cannot simply be executed from the driver's address space, because their addresses cannot be resolved from the high address space and they cannot be linked at compile time.

Therefore, user-mode functions or code must be placed in the application's address space and executed there.

There are three ways for ring0 to call ring3 functions:

http://hi.baidu.com/%CE%F7%B7%E7%B9%AB%C9%E7/blog/item/0febbd355d0904bfd1a2d320.html

I used the APC-insertion method.

There were still many problems along the way. The core of the assembly code to be inserted is:

mov eax, 0x7c86114d   ; address of WinExec (hard-coded here; see below)
push 1                ; uCmdShow = SW_SHOWNORMAL
nop
push 0xabcd           ; lpCmdLine: placeholder address of the command string
call eax              ; WinExec(lpCmdLine, uCmdShow), stdcall: callee cleans the stack
jmp end
nop
nop

0x7c86114d is the address of the WinExec function on that particular system. The address varies from system to system.

When first run, nothing happened. After the address was changed to that of WinExec on the current system it worked, but this raises another problem: the code is not portable. Rather than manually changing the value for every system, it is better to obtain it dynamically.

The next step, then, is to obtain the WinExec function address dynamically.

To obtain the function address, first get the base address of the loaded module through the PEB (process environment block). WinExec lives in kernel32.dll, so first obtain the in-memory base address of kernel32.dll, then walk its export table to find the address of WinExec.

Question 1: How to obtain the PEB address?

PsGetCurrentProcess returns the address of the current EPROCESS. EPROCESS + 0x088 is the ActiveProcessLinks entry of the process list; walking that list you can find the explorer.exe process, and then read the PEB address at offset + 0x1b0 of that process's EPROCESS. These offsets are those of the author's system; they differ between Windows versions and should be confirmed with the EPROCESS layout shown in WinDbg.

Question 2: How does one obtain the in-memory base address of kernel32.dll from the PEB?

Generally, ntdll.dll and kernel32.dll are the first modules loaded into an application. PEB + 0x0c holds the address of PEB_LDR_DATA. PEB_LDR_DATA + 0x1c holds the list head of the module initialization list, InInitializationOrderModuleList. The first node of the list is ntdll.dll, the second is kernel32.dll, and node + 0x08 gives the base address of kernel32. This ordering holds for the Windows versions of the time; later versions load other modules (such as kernelbase.dll) before kernel32.dll, so matching on the module name is safer than counting list positions.

Question 3: How can I obtain the function address from the module base address?

The module base address is the address of the DOS header of the PE image. DOS header + 0x3c holds the offset of the PE header (e_lfanew), and PE header + 0x78 holds the RVA of the export directory, which describes the exported functions. The WinExec address is obtained by walking the export name table.

Question 4: How to pass the address to the user-mode code once it has been obtained dynamically?

mov eax, fun_addr: this does not work at all, because this instruction runs in user space while fun_addr is a kernel variable, and user space cannot access kernel memory. What is needed instead is to locate the offset of the immediate operand of the mov eax instruction within the code copy held by the driver and replace it there with the resolved address before the code is inserted.

Notes:

1. Because everything is done with addresses, ULONG is used to hold them, and values are found as base address + offset rather than through structure definitions. Using the structures would require defining them (and all their nested members) in the driver, which is a lot of work.

2. In kernel space you cannot directly access the address space of a process. To switch into its address space, the function needed is KeStackAttachProcess((PRKPROCESS)pSystemProcess, &ApcState), where pSystemProcess is the EPROCESS address of the target process; without attaching, accessing its memory produces a system error. KeUnstackDetachProcess(&ApcState) detaches again when done.

3. Finally, when obtaining the function address: the data is held in 32-bit variables, but an export ordinal occupies only two bytes, so a 32-bit read contains the wanted value in its low 16 bits and a neighbouring value in its high 16 bits. The low 16 bits must be kept with an AND. At first glance NumberOfNames & 0x00001111 looks right; it is actually wrong. It must be NumberOfNames & 0x0000ffff.
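To check the export walk of Question 3 and the mask of Note 3 offline, here is an added Python example (not the post's driver code) that parses the export directory of a constructed, already-mapped PE32 image and resolves WinExec by name; the sample image, its RVAs and the ordinal_mask parameter are assumptions made for this demonstration.

```python
import struct

def u16(buf, off): return struct.unpack_from("<H", buf, off)[0]
def u32(buf, off): return struct.unpack_from("<I", buf, off)[0]
def cstr(buf, off): return buf[off:buf.index(b"\0", off)].decode("ascii")

def resolve_export(image, func_name, ordinal_mask=0xFFFF):
    """Walk a mapped PE32 image as the post describes: DOS header -> e_lfanew (+0x3c) ->
    export directory (PE header + 0x78) -> name/ordinal/function arrays. RVAs index the
    image directly because it is mapped. Returns the RVA of func_name, or None."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = u32(image, 0x3C)
    if image[pe:pe + 4] != b"PE\0\0" or u16(image, pe + 0x18) != 0x10B:
        raise ValueError("not a PE32 image")
    exp = u32(image, pe + 0x78)                        # export directory RVA
    if exp == 0:
        return None
    num_names = u32(image, exp + 0x18)                 # NumberOfNames
    funcs, names, ords = (u32(image, exp + o) for o in (0x1C, 0x20, 0x24))
    for i in range(num_names):
        if cstr(image, u32(image, names + 4 * i)) == func_name:
            # Name ordinals are 16-bit: keep the low half with & 0xFFFF (Note 3); the
            # post's first mask 0x1111 drops bits and indexes the wrong function.
            idx = u16(image, ords + 2 * i) & ordinal_mask
            return u32(image, funcs + 4 * idx)
    return None

def build_sample_image():
    """Constructed PE32 memory image (not real kernel32.dll): GetProcAddress at RVA
    0x1000, an ordinal-only export at 0x1100, WinExec at 0x1200."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                    # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x14C, 0)                # Machine i386, 0 sections
    struct.pack_into("<H", img, 0x94, 0xE0)                     # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x98, 0x10B)                    # PE32 magic
    struct.pack_into("<II", img, 0x80 + 0x78, 0x200, 0x60)      # export directory RVA, size
    struct.pack_into("<IIHHIIIIIII", img, 0x200, 0, 0, 0, 0,    # IMAGE_EXPORT_DIRECTORY
                     0x300, 1, 3, 2, 0x240, 0x250, 0x260)
    struct.pack_into("<III", img, 0x240, 0x1000, 0x1100, 0x1200)  # AddressOfFunctions
    struct.pack_into("<II", img, 0x250, 0x310, 0x320)           # AddressOfNames (sorted)
    struct.pack_into("<HH", img, 0x260, 0, 2)                   # AddressOfNameOrdinals
    img[0x300:0x30D] = b"kernel32.dll\0"
    img[0x310:0x31F] = b"GetProcAddress\0"
    img[0x320:0x328] = b"WinExec\0"
    return bytes(img)
```

Adding the module base address to the returned RVA gives the virtual address that the post patches into the mov eax operand; passing ordinal_mask=0x1111 reproduces the Note 3 mistake, which silently returns another function's address.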

Links to the related material:

http://bbs.pediy.com/showthread.php?t=46068

http://topic.csdn.net/u/20090630/14/d04aae5d-14f3-42c3-9c4b-9b4ae37fe01c.html

http://www.debugman.com/read.php?tid=3983

http://www.101d1.cn/read.php?87

1. PE structure information (all PE structure definitions are in winnt.h)

https://forum.eviloctal.com/thread-32393-1-7.html

http://blog.csdn.net/strongxu/archive/2009/11/04/4766062.aspx

http://hi.baidu.com/hnxyy/blog/item/c2bfec24400be5014d088d47.html

2. WinDbg debugging commands

http://www.zhizihua.com/blog/post/248.html

http://bbs.pediy.com/showthread.php?t=98183

3. EPROCESS structure information (can be viewed in WinDbg)

http://hi.baidu.com/id404notfound/blog/item/375b8c478c87400e6a63e556.html

http://bbs.driverdevelop.com/read.php?tid=112877

4. Obtaining API addresses

http://blog.csdn.net/syf442/archive/2009/07/27/4383254.aspx

http://www.jb51.net/article/14594.htm

http://forum.eviloctal.com/thread-34974-1-3.html
