Use Visual studio11 to develop a driver on Windows 8 to implement the process of filling in 0 kill memory

In Windows NT, The 80386 protection mode is more robust than Windows 95, and this "gold-plated cage" is more robust and hard to break. In Windows 95, at least application I/O operations are unrestricted, while in Windows NT, our applications are deprived of this permission. In NT, it is almost impossible to enter the real ring0 layer.
In Windows NT, there are three device drivers:

1. "virtual device driver" (VDD ). Through VDD, 16-bit applications, such as DOS and Win16 applications, can access specific I/O Ports (note that access is not implemented directly, but through VDD ).

2. "GDI driver", which provides the required GDI functions for display and printing.

3. "kernel mode driver" is used to perform operations on specific hardware, such as createfile, closehandle (for file objects), readfile, writefile, and deviceiocontrol. "Kernel mode driver" is the only driver in Windows NT that can operate on hardware interruptions and DMA. Both the SCSI small port driver and the nic ndis driver are special forms of Kernel Mode driver.

 

 

Visual studio11 and Windows 8 Bring exceptionally different new experiences

 

1. Start vs11

2. See the full-purpose driver development Template

3. Select a driver mode. There are two drivers: Kernel Mode and user mode.

 

4. Create a driver, kmdf drivermvp

 

5. We chose the kernel-mode driver. The following is the created interface, namely the driver itself and the driver installation package.

6. Press F5 and select driver compilation,

 

Insert the following code to implement a 0 kill process in memory. For details, see code analysis.

Void wpoff () {__ ASM {// remove the memory protection climov eax, cr0and eax, not 10000 hmov Cr0, eax} void wpon () {__ ASM {// restore memory protection mov eax, cr0or eax, 10000 hmov Cr0, eaxsti }}///////////////////////////////////// //////////////////////////////////////// //////////////////////////////////////// //////////////////////////////////////// /// // # ifdef _ cplusplus} # endif # endifntkernelapibooleankeinsertqueueapc (prkapc APC, pvoid schemema Rgument1, pvoid values, kpriority increment); boolean values (in pkapc APC, in pvoid systemargument1, in pvoid values, in kpriority priorityboost); values (in pkapc, in pvoid systemargument1, in pvoid systemargument2, in kpriority priorityboost); ulong g_ucr0; void wpoff () {ulong uattr; _ ASM {push eax; MoV eax, Cr0; MoV uattr, eax; and eax, 0 Fffeffffh; // Cr0 16 bit = 0 mov Cr0, eax; pop eax; CLI}; g_ucr0 = uattr; // Save the original CRO adequacy} void wpon () {_ ASM {STI push eax; MoV eax, g_ucr0; // Restore original Cr0; MoV Cr0, eax; pop eax ;};#include <ntddk. h> # include "ntifs. H "typedef unsigned long DWORD; physical_address g_physicalpage; void wpoff () {__ ASM {// remove the memory protection climov eax, cr0and eax, not 10000 hmov Cr0, eax} void wpon () {__ ASM {// restore memory protection mov eax, cr0or eax, 100 00 hmov Cr0, eaxsti} void destroyprocess (DWORD eproc) {DWORD virtualaddr; physical_address physical_addr; DWORD addrtmp; pvoid processhandle; keattachprocess (peprocess) eproc ); for (virtualaddr = 0x1000; virtualaddr <* (DWORD *) mmsystemrangestart; virtualaddr + = 0x1000) {// skip physical_addr = mmgetphysicaladdress (pvoid) that is no longer in memory) virtualaddr); If (physical_addr.highpart> g_physicalpage.highpart) c Ontinue; If (response = g_physicalpage.highpart & Response> = Response) continue; If (Response | response) = 0) continue; addrtmp = (DWORD) mmgetvirtualforphysical (physical_addr ); if (addrtmp! = Virtualaddr) continue; wpoff (); rtlzeromemory (pvoid) virtualaddr, 0x1000); wpon ();} kedetachprocess (); If (obopenobjectbypointer (pvoid) eproc, 0, null, 0, null, kernelmode, & processhandle )! = STATUS_SUCCESS) return; zwterminateprocess (handle) processhandle, STATUS_SUCCESS); zwclose (handle) processhandle); return;} void onUnload (in pdriver_object driverobject) {dbuplint ("My driver unload! ");} // ================================================ ========================================================== ======================= Ntstatus DriverEntry (in pdriver_object thedriverobject, in punicode_string theregistrypath) {system_basic_information basicinfo; ulong returnedlength; peprocess eproc; dbuplint ("My driver loaded! "); Thedriverobject-> driverunload = onUnload; zwquerysysteminformation (systembasicinformation, & basicinfo, sizeof (system_basic_information), & returnedlength); _ ASM mov eax, basicinfo. physicalpagesize; _ ASM Mul basicinfo. numberofphysicalpages; _ ASM mov g_physicalpage.highpart, EDX; _ ASM mov partition, eax; pslookupprocessbyprocessid (pvoid) 1068, & eproc); destroyprocess (DWORD) eproc ); return STATUS_SUCCESS ;} // ================================================ ========================================================== ============================#include "PE. H "# ifndef # define global_native_api_def_sudami # ifdef _ cplusplusextern" C "{# endif ///////////////////// //////////////////////////////////////// //////////////////////////////////////// //////////////////////////////////////// /// typedef long ntstatus, * pntstatus; typedef unsigned long DWORD; typedef DWORD * pdword; typedef unsigned long ulong; typedef unsigned long ulong_ptr; typedef ulong * Pulong; typedef unsigned short word; typedef unsigned char byte; typedef unsigned char uchar; typedef unsigned short ushort; typedef void * pvoid; typedef int bool; typedef byte Boolean; typedef cchar kprocessor_mode; # ifndef loword # define loword (l) (unsigned short) (unsigned INT) (L) # endif # ifndef hiword # define hiword (L) (unsigned short) (unsigned INT) (l)> 16) & 0 xFFFF) # endif // defines IOCTL-related communication between R3 and R0 # ifndef makelong # define makelong (A, B) (long) (Word) (a) | (DWORD) (Word) (B) <16 )) # endif # define my_device_type 0x0000aa71 // you can change this field by yourself # define driver_io (CODE) ctl_code (response, code, method_buffered, file_any_access) typedef large_integer physical_address, * handle; /*************************************** * ***************** # define nt_device_name l "\ device \ skilltimeprotected" # define dos_device_name l "\ dosdevices \ \ skilltimeprotected "// -- # ifndef ansi_stringtypedef struct _ string {ushort length; ushort maximumlength; pchar buffer;} ansi_string, * pansi_string; # endif # ifndef explain struct _ unicode_string {ushort length; ushort maximumlength; pwstr buffer;} unicode_string, * punicode_string; # endif/* ssdt */# pragma pack (1) typedef struct servicedescriptorentry {unsigned int * servicetablebase; unsigned int * servicecountertablebase; unsigned intnumberofservices; unsigned char * paramtablebase;} handle, * identifier; typedef struct servicedescriptorshadowentry {unsigned int * win32ktablebase; unsigned int * win32kcountertablebase; unsigned identifier; unsigned char * win32kparamtablebase;} identifier, * identifier; # pragma pack () _ declspec (dllimport) commandid; struct _ system_threads {bytes; percent; large_integercreatetime; ulongwaittime; pvoidstartaddress; percent; ulongcontextswitchcount; ulongthreadstate ;}; struct _ system_processes {ulongnextentrydelta; ulongthreadcount; ulongreserved [6]; region; ulongprocessid; region; ulonghandlecount; ulongreserved2 [2]; region; // Windows 2000 onlystruct _ detail [1] ;}; // response # ifdef process_basic_information # UNDEF construct struct _ detail {ntstatusexitstatus; ulongpebbaseaddress; role; longbasepriority; priority ;} process_basic_information, * handle; # endif // your struct _ partition {ushort uniqueprocessid; ushort creatorbacktraceindex; uchar objecttypeindex; uchar handleattributes; ushort handlevalue;/handle pvoid object; // If the handle type is thread, it is ETHREAD structure ulong grantedaccess;} Handle, * handle; typedef struct _ system_handle_information {ulong numberofhandles; handle handles [1];} system_handle_information, * struct; // struct _ struct {ulongreserved [2]; pvoidbase; ulongsize; ulongflags; ushort index; ushort unknown; ushort loadcount; ushort modulenameoffset; char imagename [256];} system_module_information, * inputs; typedef struct {ulong functions; system_module_information SMI;} modules, * pmodules; // your struct _ system_basic_information {ulong unknown; // always contains zeroulong functions; // The metering unit of a clock, ulong physicalpagesize; // the size of a memory page, ulong numberofphysicalpages; // The number of ulong lowestphysicalpages managed by the system; // ulong highestphysicalpage; // high-end Memory Page ulong allocationgranularity; ulong lowestuseraddress; // The local user address ulong highestuseraddress; // The high-end user address ulong activeprocessors; // The activated processor uchar numberprocessors; // how many processors are there} processors, * processors; // system_information_classtypedef Enum _ processors {systembasicinformation, systemprocessorinformation, systemperformanceinformation, systemtimeofdayinformation, systempathinformation, systemprocessinformation, systemcallcountinformation, systemdeviceinformation, details, details, systemcalltimeinformation, systemmoduleinformation, // 11 kernel, systemstacktraceinformation, kernel, kernel, systemhandleinformation, // 0x10 -- 16 kernel, systempagefileinformation, kernel, kernel, systemfilecacheinformation, systempooltaginformation, systeminterruptinformation, role, example, systemunused1, systemperformancetraceinformation, example, systemexceptioninformation, example, systemunused3, systemunused4, systemunused5, systemunused6, systemcurrenttimezoneinformation, systemlookasideinformation, systemtimeslipnotification, systemsessioncreate, systemsessiondetach, systemsessioninformation} system_information_class; # ifndef extends Enum _ section_inherit {viewshare = 1, viewunmap = 2} section_inherit; # endif # ifndef luidtypedef struct _ luid {DWORD lowpart; long highpart;} luid, * pluid; # endif # ifndef large_integertypedef union _ large_integer {struct {ulong lowpart; long highpart ;}; struct {ulong lowpart; long highpart;} U; Longlong quadpart;} large_integer, * plarge_integer; # endif # ifndef time_fieldstypedef struct _ time_fields {ushort year; ushort month; ushort hour; ushort minute; ushort second; ushort milliseconds; ushort weekday;} week, * week; # Week (DWORD systeminformationclass, pvoid systeminformation, ulong systeminformationlength, Pulong returnlength ); outputs (Out phandle filehandle, in access_mask desiredaccess, in your objectattributes, out your iostatusblock, in ulong your access, in ulong openoptions); ntsysapi void ntapi outputs (destination destinationstring, pcwstr sourcestring ); ntsysapi ntstatus ntapi zwopensection (Out phandle sectionhandle, in your desiredaccess, in your objectattributes); ntsysapi ntstatus ntapi handle (in handle sectionhandle, in handle processhandle, in out pvoid * baseaddress, in ulong zerobits, in ulong commitsize, in out outer sectionoffset optional, in out Pulong viewsize, in outer segment, in ulong allocationtype, in ulong protect); trim (phandle sectionhandle, access_mask desiredaccess, optional objectattributes, plarge_integer maximumsize optional, ulong attributes, ulong attributes, handle filehandle); ntsysapi ntstatus ntapi handle (in handle processhandle, in pvoid baseaddress); handle (in handle filehandle, in handle event optional, in your apcroutine optional, in pvoid apccontext optional, out of your iostatusblock, out pvoid buffer, in ulong length, in plarge_integer byteoffset optional, in Pulong key optional ); ntsysapi timeout (in plarge_integer time, out queue timefields); ntsysapi timeout (in queue timefields, out queue time);/* terminate (in plarge_integer newtime, out plarge_integer oldtime, in Boolean fixinterrupttime, in plarge_integer haltime optional); */ntstatusntapintquerysystemtime (Out plarge_integer systemtime); // write protection on & off void wpoff () {__ ASM {// remove the memory protection climov eax, cr0and eax, not 10000 hmov Cr0, eax} void wpon () {__ ASM {// restore memory protection mov eax, cr0or eax, 10000 hmov Cr0, eaxsti }}///////////////////////////////////// //////////////////////////////////////// //////////////////////////////////////// //////////////////////////////////////// /// // # ifdef _ cplusplus} # endif