[Original] Picking a Fight with DriverStudio, Enhanced Edition :)
(Part 2 of the series <<Seizing Control of the Machine Ahead of DriverStudio>>)
a. Using MmMapIoSpace
By the time the kernel is running, the processor is already in protected mode with paging enabled, so reading or writing a physical address requires a mapping of this kind (my article "Windows Core Programming Research Series, Part 2: Reading the Contents of a Specified Physical Memory Address" explains this in more detail).
The prototype of the function is as follows:
PVOID
MmMapIoSpace(
IN PHYSICAL_ADDRESS PhysicalAddress,
IN ULONG NumberOfBytes,
IN MEMORY_CACHING_TYPE CacheType
);
Screen_W equ 50h
Screen_H equ 19h ;1ch
Show_Pos_Line0 equ (Screen_W * (Screen_H - 2) + 5) * 2
Show_Pos_Line1 equ (Screen_W * (Screen_H - 1) + 5) * 2
;*************************************************************************
; Write the NUL-terminated string at _lpstr into the text-mode frame buffer
; at byte offset _pos, mapping the physical address with MmMapIoSpace.
_DisplayString proc _lpstr,_pos
    local pa:qword
    local lpvmem:dword
    ; PHYSICAL_ADDRESS is 64 bits: low dword = Video_Addr, high dword = 0
    mov dword ptr [pa],Video_Addr
    mov dword ptr [pa+4],0
    ; stdcall: arguments are pushed right to left
    push 0                      ;CacheType = MmNonCached
    push 8000h                  ;NumberOfBytes
    push dword ptr [pa+4]       ;PhysicalAddress, high dword
    push dword ptr [pa]         ;PhysicalAddress, low dword
    call MmMapIoSpace
    .if eax == 0                ;mapping failed, nothing to write to
        ret
    .endif
    mov lpvmem,eax
    mov esi,_lpstr
    mov edi,lpvmem
    add edi,_pos
    mov bh,84h                  ;character attribute byte
    ; each screen cell is one word: low byte = character, high byte = attribute
    .while byte ptr [esi] != 0
        mov bl,byte ptr [esi]
        mov word ptr [edi],bx
        inc esi
        add edi,2
    .endw
    invoke MmUnmapIoSpace,lpvmem,8000h   ;release the mapping before returning
    ret
_DisplayString endp
KeDelayExecutionThread, whose prototype is as follows:
NTSTATUS
KeDelayExecutionThread(
IN KPROCESSOR_MODE WaitMode,
IN BOOLEAN Alertable,
IN PLARGE_INTEGER Interval
);
WaitMode is set to KernelMode and Alertable to FALSE. The third parameter, Interval, deserves attention; the documentation describes it as follows:
Interval
Specifies the absolute or relative time, in units of 100 nanoseconds, for which the wait is to occur. A negative value indicates relative time. Absolute expiration times track any changes in system time; relative expiration times are not affected by system time changes.
A relative delay is the better choice, which means writing the value as a negative number, i.e. with all the leading bits set to 1. To capture keyboard input, I/O ports 64h and 60h have to be accessed directly, which is no problem in ring 0. I again wrote a helper routine for convenience; the code follows:
;*************************************************************************
; Poll the keyboard controller up to Turns times, sleeping between polls.
; Returns the last scan code read in eax (0 if no key was ever available).
_WaitForInput proc
    local al_tmp:byte
    local interval:LARGE_INTEGER
    local turnsNow:dword
    ; relative delay of 2000h * 100 ns, stored as a negative 64-bit value
    mov dword ptr [interval],0ffffe000h
    mov dword ptr [interval+4],0ffffffffh
    mov al_tmp,0                ;defined result even if no key arrives
    mov turnsNow,0
    .while turnsNow != Turns
        inc turnsNow
        in al,64h               ;keyboard controller status port
        test al,1               ;bit 0 = output buffer full
        jz Delay
        in al,60h               ;read the scan code
        mov al_tmp,al
        movzx eax,al_tmp
        cmp eax,1               ;Esc
        je ExitWhile
        cmp eax,1eh             ;'A' make code
        je ExitWhile
        cmp eax,0b0h            ;'B' break code
        je ExitWhile
        cmp eax,1ch             ;Enter
        jne Delay
ExitWhile:
        .break
Delay:
        invoke KeDelayExecutionThread,0,0,addr interval   ;KernelMode, not alertable
    .endw
    xor eax,eax
    mov al,al_tmp
    ret
_WaitForInput endp
;*************************************************************************
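The two routines above manipulate data whose layout is easy to get wrong: the word-per-cell text buffer and byte offsets behind Show_Pos_Line0/Line1 in section a, and the negative 100 ns LARGE_INTEGER and scan-code checks in _WaitForInput. The following C program is an added example, not code from the original post or from DriverStudio; it models those layouts in user mode so they can be inspected without a driver. The 0xB8000 buffer is replaced by a constructed array (Video_Addr is never defined on the page), standard 80x25 text mode and set-1 scan codes are assumed, and all function names are my own. It also adds the bounds check against the 8000h-byte mapping that the assembly routine omits.

```c
/* Added example: user-mode model of the text buffer and timing values used
 * by _DisplayString and _WaitForInput. Nothing here touches hardware. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SCREEN_W 80          /* Screen_W equ 50h */
#define SCREEN_H 25          /* Screen_H equ 19h */
#define MAP_BYTES 0x8000     /* NumberOfBytes passed to MmMapIoSpace */

/* Constructed stand-in for the mapped text buffer: one uint16_t per cell,
 * low byte = character, high byte = attribute, the layout produced by
 * "mov word ptr [edi],bx" with bl = character and bh = attribute. */
static uint16_t g_vram[MAP_BYTES / 2];

/* Byte offset of a cell; Show_Pos_Line0/Line1 are this with row 23/24, col 5. */
size_t text_pos(unsigned row, unsigned col)
{
    return ((size_t)SCREEN_W * row + col) * 2;
}

/* Write s at byte offset pos with attribute attr. Returns the number of
 * cells written, or -1 if pos is misaligned or the string would run past
 * the mapped region (the check the assembly routine does not perform). */
int display_string(uint16_t *vram, size_t map_bytes, size_t pos,
                   const char *s, uint8_t attr)
{
    size_t len = strlen(s);
    if (pos % 2 != 0 || pos + len * 2 > map_bytes)
        return -1;
    uint16_t *cell = vram + pos / 2;
    for (size_t i = 0; i < len; i++)
        cell[i] = (uint16_t)((attr << 8) | (uint8_t)s[i]);
    return (int)len;
}

/* Copy one screen row back out as text (attributes dropped, NUL cells -> ' '). */
void read_row(const uint16_t *vram, unsigned row, char *out, size_t outsz)
{
    size_t n = SCREEN_W < outsz - 1 ? SCREEN_W : outsz - 1;
    for (size_t i = 0; i < n; i++) {
        uint8_t ch = (uint8_t)vram[(size_t)SCREEN_W * row + i];
        out[i] = ch ? (char)ch : ' ';
    }
    out[n] = '\0';
}

/* KeDelayExecutionThread takes a LARGE_INTEGER in 100 ns units; a negative
 * value selects a relative wait. Convert microseconds to that unit. */
int64_t relative_interval_from_us(uint32_t us)
{
    return -(int64_t)us * 10;
}

/* Split the 64-bit interval into the two dwords the assembly stores with
 * "mov dword ptr [interval],lo" and "mov dword ptr [interval+4],hi". */
void split_large_integer(int64_t v, uint32_t *lo, uint32_t *hi)
{
    uint64_t u = (uint64_t)v;
    *lo = (uint32_t)(u & 0xFFFFFFFFu);
    *hi = (uint32_t)(u >> 32);
}

/* Set-1 scan codes: bit 7 set marks a key release (break code). */
int is_break_code(uint8_t sc) { return (sc & 0x80) != 0; }

/* The codes _WaitForInput stops on: 01h Esc, 1Eh 'A' make,
 * 0B0h release of 30h ('B'), 1Ch Enter. */
int accepted_scancode(uint8_t sc)
{
    return sc == 0x01 || sc == 0x1E || sc == 0xB0 || sc == 0x1C;
}

int main(void)
{
    char row[SCREEN_W + 1];
    uint32_t lo, hi;

    display_string(g_vram, MAP_BYTES, text_pos(SCREEN_H - 2, 5),
                   "constructed prompt line 0", 0x84);
    display_string(g_vram, MAP_BYTES, text_pos(SCREEN_H - 1, 5),
                   "constructed prompt line 1", 0x84);
    read_row(g_vram, SCREEN_H - 2, row, sizeof row);
    printf("row %d: %s\n", SCREEN_H - 2, row);

    split_large_integer(-0x2000, &lo, &hi);
    printf("interval dwords: %08X %08X\n", lo, hi);   /* FFFFE000 FFFFFFFF */
    return 0;
}
```

Running the example reproduces the two constants written into `interval` in _WaitForInput (0ffffe000h and 0ffffffffh), which shows that the assembly's delay is 2000h units of 100 ns, i.e. about 819 microseconds between polls of port 64h; `relative_interval_from_us` gives the general conversion for any other polling period.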
d. All that remains is for Main to check the key code the user entered:
invoke _DisplayString,addr szhopysay,Show_Pos_Line0
invoke _DisplayString,addr szchoose,Show_Pos_Line1
invoke _WaitForInput
.if al == 01h               ;Esc
    ;do nothing
.elseif al == 0b0h
    invoke _TryBS
.else
    ;do nothing
.endif
The result is shown in Figure 3:
Figure 3
Last updated: 2017-04-02 00:06:21