驅動開發:內核中實現Dump進程轉儲( 二 )


文章插圖
上篇文章中已經出現過的代碼就不再贅述了,這里只給出內存轉存的核心代碼,代碼如下:

  • RtlInitUnicodeString 用于初始化轉存后的名字字符串
  • ZwCreateFile 在內核中創建轉存文件,供應用層讀取
  • ZwWriteFile 將緩沖區中的進程內存寫出到該文件
  • ZwClose 最后關閉文件句柄,隨后用 ExFreePoolWithTag 釋放緩沖區堆空間
很簡單,只是利用 SafeCopyMemory_R3_to_R0 將進程內存讀取到緩沖區內,再將緩沖區寫出到 C 盤根目錄下。
// 進程內存拷貝函數// By: LyShark.comNTSTATUS ProcessDumps(PEPROCESS pEprocess, ULONG_PTR nBase, ULONG nSize){ BOOLEAN bAttach = FALSE; KAPC_STATE ks = { 0 }; PVOID pBuffer = NULL; NTSTATUS status = STATUS_UNSUCCESSFUL; if (nSize == 0 || pEprocess == NULL) {return status; } pBuffer = ExAllocatePoolWithTag(PagedPool, nSize, 'lysh'); if (!pBuffer) {return status; } memset(pBuffer, 0, nSize); if (pEprocess != IoGetCurrentProcess()) {KeStackAttachProcess(pEprocess, &ks);bAttach = TRUE; } status = SafeCopyMemory_R3_to_R0(nBase, (ULONG_PTR)pBuffer, nSize); if (bAttach) {KeUnstackDetachProcess(&ks);bAttach = FALSE; } OBJECT_ATTRIBUTES object; IO_STATUS_BLOCK io; HANDLE hFile; UNICODE_STRING log; // 導出文件名稱 RtlInitUnicodeString(&log, L"\\??\\C:\\lyshark_dumps.exe"); InitializeObjectAttributes(&object, &log, OBJ_CASE_INSENSITIVE, NULL, NULL); status = ZwCreateFile(&hFile,GENERIC_WRITE,&object,&io,NULL,FILE_ATTRIBUTE_NORMAL,FILE_SHARE_WRITE,FILE_OPEN_IF,FILE_SYNCHRONOUS_IO_NONALERT,NULL,0); if (!NT_SUCCESS(status)) {DbgPrint("打開文件錯誤 \n");return STATUS_SUCCESS; } ZwWriteFile(hFile, NULL, NULL, NULL, &io, pBuffer, nSize, NULL, NULL); DbgPrint("寫出字節數: %d \n", io.Information); DbgPrint("[*] LyShark.exe 已轉存"); ZwClose(hFile); if (pBuffer) {ExFreePoolWithTag(pBuffer, 'lysh');pBuffer = NULL; } return status;}VOID UnDriver(PDRIVER_OBJECT driver){ DbgPrint(("Uninstall Driver Is OK \n"));}// lyshark.comNTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath){ DbgPrint("hello lyshark.com \n"); NTSTATUS ntStatus; PEPROCESS pCurProcess = NULL; __try {ntStatus = PsLookupProcessByProcessId((HANDLE)272, &pCurProcess);if (NT_SUCCESS(ntStatus)){// 設置基地址以及長度ntStatus = ProcessDumps(pCurProcess, 0x140000000, 1024);ObDereferenceObject(pCurProcess);} } __except (1) {ntStatus = GetExceptionCode(); } Driver->DriverUnload = UnDriver; return STATUS_SUCCESS;}轉存后效果如下所示:
驅動開發:內核中實現Dump進程轉儲

文章插圖
至于導出的進程無法運行,只是因為尚未修復而已(后期會講),打開看看內容是沒錯的。
驅動開發:內核中實現Dump進程轉儲

文章插圖
【驅動開發:內核中實現Dump進程轉儲】
