内核apc注入

Inject_By_kernelAPC/ring0/KeInjectApc.h

@@ -0,0 +1,184 @@
+
+
+#ifndef CXX_KEINJECTAPC_H
+#define CXX_KEINJECTAPC_H
+
+
+
+#include <ntifs.h>
+#include <devioctl.h>
+#include <ntimage.h>
+
+#endif	
+
+
+#define DEVICE_NAME       L"\\Device\\DriverDevice"
+#define LINK_NAME 	  L"\\DosDevices\\DriverLink"
+
+#define CTL_KEINJECTAPC \
+	CTL_CODE(FILE_DEVICE_UNKNOWN,0x830,METHOD_BUFFERED,FILE_ANY_ACCESS)
+
+typedef struct _SYSTEM_THREAD_INFORMATION
+{
+	LARGE_INTEGER KernelTime;
+	LARGE_INTEGER UserTime;
+	LARGE_INTEGER CreateTime;
+	ULONG WaitTime;
+	PVOID StartAddress;
+	CLIENT_ID ClientId;
+	KPRIORITY Priority;
+	LONG BasePriority;
+	ULONG ContextSwitches;
+	ULONG ThreadState;
+	KWAIT_REASON WaitReason;
+}SYSTEM_THREAD_INFORMATION,*PSYSTEM_THREAD_INFORMATION;
+
+typedef struct _SYSTEM_PROCESS_INFO
+{
+	ULONG NextEntryOffset;
+	ULONG NumberOfThreads;
+	LARGE_INTEGER WorkingSetPrivateSize;
+	ULONG HardFaultCount;
+	ULONG NumberOfThreadsHighWatermark;
+	ULONGLONG CycleTime;
+	LARGE_INTEGER CreateTime;
+	LARGE_INTEGER UserTime;
+	LARGE_INTEGER KernelTime;
+	UNICODE_STRING ImageName;
+	KPRIORITY BasePriority;
+	HANDLE UniqueProcessId;
+	HANDLE InheritedFromUniqueProcessId;
+	ULONG HandleCount;
+	ULONG SessionId;
+	ULONG_PTR UniqueProcessKey;
+	SIZE_T PeakVirtualSize;
+	SIZE_T VirtualSize;
+	ULONG PageFaultCount;
+	SIZE_T PeakWorkingSetSize;
+	SIZE_T WorkingSetSize;
+	SIZE_T QuotaPeakPagedPoolUsage;
+	SIZE_T QuotaPagedPoolUsage;
+	SIZE_T QuotaPeakNonPagedPoolUsage;
+	SIZE_T QuotaNonPagedPoolUsage;
+	SIZE_T PagefileUsage;
+	SIZE_T PeakPagefileUsage;
+	SIZE_T PrivatePageCount;
+	LARGE_INTEGER ReadOperationCount;
+	LARGE_INTEGER WriteOperationCount;
+	LARGE_INTEGER OtherOperationCount;
+	LARGE_INTEGER ReadTransferCount;
+	LARGE_INTEGER WriteTransferCount;
+	LARGE_INTEGER OtherTransferCount;
+	SYSTEM_THREAD_INFORMATION Threads[1];
+}SYSTEM_PROCESS_INFO,*PSYSTEM_PROCESS_INFO;
+
+typedef struct _LDR_DATA_TABLE_ENTRY
+{
+	LIST_ENTRY InLoadOrderLinks;
+	LIST_ENTRY InMemoryOrderLinks;
+	LIST_ENTRY InInitializationOrderLinks;
+	PVOID DllBase;
+	PVOID EntryPoint;
+	ULONG SizeOfImage;
+	UNICODE_STRING FullDllName;
+	UNICODE_STRING BaseDllName;
+	ULONG Flags;
+	USHORT LoadCount;
+	USHORT TlsIndex;
+
+	union
+	{
+		LIST_ENTRY HashLinks;
+
+		struct
+		{
+			PVOID SectionPointer;
+			ULONG CheckSum;
+		};
+	};
+
+	union
+	{
+		ULONG TimeDateStamp;
+		PVOID LoadedImports;
+	};
+
+	struct _ACTIVATION_CONTEXT * EntryPointActivationContext;
+	PVOID PatchInformation;
+	LIST_ENTRY ForwarderLinks;
+	LIST_ENTRY ServiceTagLinks;
+	LIST_ENTRY StaticLinks;
+}LDR_DATA_TABLE_ENTRY,*PLDR_DATA_TABLE_ENTRY;
+
+
+typedef struct _INJECT_INFO
+{
+	ULONG ProcessId;
+	wchar_t DllName[1024];
+}INJECT_INFO,*PINJECT_INFO;
+
+typedef NTSTATUS (*PLDR_LOAD_DLL)(PWSTR,PULONG,PUNICODE_STRING,PVOID*);
+
+typedef struct _KINJECT
+{
+	UNICODE_STRING DllName;
+	wchar_t Buffer[1024];
+	PLDR_LOAD_DLL LdrLoadDll;
+	PVOID DllBase;
+	ULONG Executed;
+}KINJECT,*PKINJECT;
+
+typedef enum _KAPC_ENVIRONMENT
+{
+	OriginalApcEnvironment,
+	AttachedApcEnvironment,
+	CurrentApcEnvironment,
+	InsertApcEnvironment
+}KAPC_ENVIRONMENT,*PKAPC_ENVIRONMENT;
+
+typedef VOID (NTAPI *PKNORMAL_ROUTINE)(
+	PVOID NormalContext,
+	PVOID SystemArgument1,
+	PVOID SystemArgument2
+	);
+
+typedef VOID KKERNEL_ROUTINE(
+	PRKAPC Apc,
+	PKNORMAL_ROUTINE *NormalRoutine,
+	PVOID *NormalContext,
+	PVOID *SystemArgument1,
+	PVOID *SystemArgument2
+	);
+
+typedef KKERNEL_ROUTINE (NTAPI *PKKERNEL_ROUTINE);
+
+typedef VOID (NTAPI *PKRUNDOWN_ROUTINE)(
+	PRKAPC Apc
+	);
+
+void KeInitializeApc(
+	PRKAPC Apc,
+	PRKTHREAD Thread,
+	KAPC_ENVIRONMENT Environment,
+	PKKERNEL_ROUTINE KernelRoutine,
+	PKRUNDOWN_ROUTINE RundownRoutine,
+	PKNORMAL_ROUTINE NormalRoutine,
+	KPROCESSOR_MODE ProcessorMode,
+	PVOID NormalContext
+	);
+
+BOOLEAN KeInsertQueueApc(
+	PRKAPC Apc,
+	PVOID SystemArgument1,
+	PVOID SystemArgument2,
+	KPRIORITY Increment
+	);
+
+
+
+NTSTATUS ZwQuerySystemInformation(ULONG InfoClass,PVOID Buffer,ULONG Length,PULONG ReturnLength);
+LPSTR PsGetProcessImageFileName(PEPROCESS Process);
+
+NTSTATUS DefaultPassThrough(PDEVICE_OBJECT  DeviceObject,PIRP Irp);
+void UnloadDriver(PDRIVER_OBJECT DriverObject);
+NTSTATUS DriverDispatch(PDEVICE_OBJECT DeviceObject,PIRP Irp);

Inject_By_kernelAPC/ring0/KeInjectApc.sln

@@ -0,0 +1,16 @@
+Microsoft Visual Studio Solution File, Format Version 11.00
+# Visual Studio 2010
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "KeInjectApc", "KeInjectApc.vcxproj", "{4EE67C57-BE79-4CD7-B3B0-94AECE62DB41}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		WinDDK|Win32 = WinDDK|Win32
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{4EE67C57-BE79-4CD7-B3B0-94AECE62DB41}.WinDDK|Win32.ActiveCfg = WinDDK|Win32
+		{4EE67C57-BE79-4CD7-B3B0-94AECE62DB41}.WinDDK|Win32.Build.0 = WinDDK|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal

Inject_By_kernelAPC/ring0/KeInjectApc.vcxproj

@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="WinDDK|Win32">
+      <Configuration>WinDDK</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{4EE67C57-BE79-4CD7-B3B0-94AECE62DB41}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>"KeInjectApc"</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='WinDDK|Win32'">
+    <TargetExt>.sys</TargetExt>
+    <GenerateManifest>false</GenerateManifest>
+    <ExecutablePath>$(WLHBASE)\bin\x86\x86;$(WLHBASE)\bin\x86</ExecutablePath>
+    <IncludePath>$(WLHBASE)\inc\api;$(WLHBASE)\inc\crt;$(WLHBASE)\inc\ddk;$(WLHBASE)\inc</IncludePath>
+    <ReferencePath />
+    <LibraryPath>$(WLHBASE)\lib\win7\i386</LibraryPath>
+    <SourcePath />
+    <ExcludePath />
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='WinDDK|Win32'">
+    <ClCompile>
+      <PreprocessorDefinitions>_X86_;DBG=1</PreprocessorDefinitions>
+      <ExceptionHandling>false</ExceptionHandling>
+      <BufferSecurityCheck>false</BufferSecurityCheck>
+      <CallingConvention>StdCall</CallingConvention>
+      <CompileAs>CompileAsC</CompileAs>
+      <AdditionalIncludeDirectories>
+      </AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <AdditionalDependencies>ntoskrnl.lib;hal.lib;wdm.lib;%(AdditionalDependencies)</AdditionalDependencies>
+    </Link>
+    <Link>
+      <IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>
+      <SubSystem>Native</SubSystem>
+      <Driver>Driver</Driver>
+      <EntryPointSymbol>DriverEntry</EntryPointSymbol>
+      <SetChecksum>true</SetChecksum>
+      <BaseAddress>0x10000</BaseAddress>
+      <RandomizedBaseAddress>
+      </RandomizedBaseAddress>
+      <DataExecutionPrevention>
+      </DataExecutionPrevention>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include=".\KeInjectApc.c" />
+    <ClCompile Include=".\KeInjectApc.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>

Inject_By_kernelAPC/ring0/KeInjectApc.vcxproj.user

@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>

Inject_By_kernelAPC/ring0/clean.bat

@@ -0,0 +1,28 @@
+rem /////////////////
+rem / Add by ChiChou
+rem / 
+rem / FileName:Clean.bat
+rem / Description:Clean
+rem /
+rem ////////////////
+rd .\bin /s /q
+rd .\WinDDK /s /q
+rd .\objchk_w2k_x86 /s /q
+rd .\objchk_wxp_x86 /s /q
+rd .\objchk_wnet_x86 /s /q
+rd .\objchk_wlh_x86 /s /q
+rd .\objfre_w2k_x86 /s /q
+rd .\objfre_wxp_x86 /s /q
+rd .\objfre_wnet_x86 /s /q
+rd .\objfre_wlh_x86 /s /q
+del .\*.log
+del .\*.err
+del .\*.xml
+rem ***** del VS2005 file *****
+del .\*.ncb
+del .\*.user
+del .\*.suo /A:H
+rem ***** del VS6.0 file *****
+del .\*.plg
+del .\*.opt
+exit