[Original] Picking a Fight with DriverStudio: the Enhanced Edition :)
(Part 2 of the series "Grabbing Control of the Machine Ahead of DriverStudio")
a. Using MmMapIoSpace
The kernel is already running in protected mode with paging enabled, so reading or writing a physical address requires a mapping of this kind (my earlier article "Windows Kernel Programming Research Series, Part 2: Reading the Contents of a Specified Physical Memory Address" explains this in more detail).
The function prototype is as follows:
PVOID
MmMapIoSpace(
    IN PHYSICAL_ADDRESS PhysicalAddress,
    IN ULONG NumberOfBytes,
    IN MEMORY_CACHING_TYPE CacheType
    );
Screen_W equ 50h            ; 80 text columns
Screen_H equ 19h ;1ch       ; 25 text rows
; byte offset of column 5 on the second-to-last / last row: two bytes per cell
Show_Pos_Line0 equ (Screen_W * (Screen_H - 2) + 5) * 2
Show_Pos_Line1 equ (Screen_W * (Screen_H - 1) + 5) * 2
;*************************************************************************
_DisplayString proc uses esi edi ebx _lpstr,_pos
    local pa:qword
    local lpvmem:dword
    ; PHYSICAL_ADDRESS is 64-bit: low dword = Video_Addr, high dword = 0
    ;mov dword ptr [pa+1],Video_Addr
    ;mov dword ptr [pa+5],0
    mov dword ptr [pa],Video_Addr
    mov dword ptr [pa+4],0
    ; stdcall: arguments pushed right to left, the qword high half first
    push 0                      ; CacheType = MmNonCached
    push 8000h                  ; NumberOfBytes
    ;push dword ptr [pa+5]
    ;push dword ptr [pa+1]
    push dword ptr [pa+4]       ; PhysicalAddress, high dword
    push dword ptr [pa]         ; PhysicalAddress, low dword
    call MmMapIoSpace
    .if eax == 0                ; mapping failed: nothing to write to
        ret
    .endif
    mov lpvmem,eax              ; virtual address of the mapped text buffer
    mov esi,_lpstr
    mov edi,lpvmem
    add edi,_pos
    mov bh,84h                  ; char show_attribute (attribute byte of each cell)
    .while TRUE
        .if byte ptr [esi] != 0
            mov bl,byte ptr [esi]
            mov word ptr [edi],bx   ; one 16-bit cell: character + attribute
            inc esi
            inc edi
            inc edi
        .else
            .break
        .endif
    .endw
    ; release the mapping (the original never unmapped, leaking one 8000h mapping per call)
    push 8000h
    push lpvmem
    call MmUnmapIoSpace
    ret
_DisplayString endp
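To make the mapped memory concrete without a kernel, here is an added C example (not the article's code) that models the VGA colour text buffer the driver maps and performs the same per-cell writes as _DisplayString. The buffer is a constructed, zeroed stand-in for the region MmMapIoSpace returns, the 80x25 geometry and the 84h attribute come from the equates above, and Video_Addr being B8000h is an assumption about a standard VGA adapter. Unlike the assembly loop it also stops at the end of the mapping instead of writing past it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Geometry of the VGA colour text buffer the driver maps with MmMapIoSpace
 * (Video_Addr is B8000h on a standard VGA adapter; assumed here). */
#define SCREEN_W       0x50     /* 80 columns */
#define SCREEN_H       0x19     /* 25 rows */
#define CELL_BYTES     2        /* character byte + attribute byte per cell */
#define TEXT_BUF_BYTES 0x8000   /* the NumberOfBytes the driver maps */

/* Constructed stand-in for the mapped region, instead of the virtual
 * address MmMapIoSpace would return. */
static uint8_t g_text_buf[TEXT_BUF_BYTES];

/* Same arithmetic as Show_Pos_Line0 / Show_Pos_Line1: byte offset of a cell. */
static size_t text_cell_offset(unsigned row, unsigned col)
{
    return (size_t)(SCREEN_W * row + col) * CELL_BYTES;
}

/* Mirror of _DisplayString's loop: one 16-bit cell per character, low byte
 * = character, high byte = attribute (84h: red foreground, bit 7 set, which
 * blinks in the default VGA text mode). Unlike the assembly it stops at the
 * end of the mapping rather than writing past it. Returns cells written. */
static size_t display_string(uint8_t *vmem, size_t vmem_len,
                             const char *s, size_t pos, uint8_t attr)
{
    size_t n = 0;
    while (s[n] != '\0' && pos + CELL_BYTES <= vmem_len) {
        vmem[pos]     = (uint8_t)s[n];
        vmem[pos + 1] = attr;
        pos += CELL_BYTES;
        n++;
    }
    return n;
}

/* Reads back a cell as the 16-bit value `mov word ptr [edi],bx` stores. */
static uint16_t cell_at(const uint8_t *vmem, size_t pos)
{
    return (uint16_t)(vmem[pos] | (vmem[pos + 1] << 8));
}

/* Writes two prompt lines where the driver puts them (rows 23 and 24,
 * column 5) and returns the offset of the first one (Show_Pos_Line0 = 3690).
 * The prompt text is constructed; the article's szhopysay/szchoose are not on the page. */
static size_t demo_show_prompt(void)
{
    size_t line0 = text_cell_offset(SCREEN_H - 2, 5);
    size_t line1 = text_cell_offset(SCREEN_H - 1, 5);
    memset(g_text_buf, 0, sizeof g_text_buf);
    display_string(g_text_buf, sizeof g_text_buf, "Hi there", line0, 0x84);
    display_string(g_text_buf, sizeof g_text_buf, "Esc / A / B / Enter ?", line1, 0x84);
    return line0;
}

int main(void)
{
    size_t off = demo_show_prompt();
    printf("Show_Pos_Line0 = %zu, first cell = %04Xh\n",
           off, (unsigned)cell_at(g_text_buf, off));
    return 0;
}
```

The offsets the program reports are the same 3690 and 3850 that the two Show_Pos equates evaluate to, which is a quick way to check the row/column arithmetic before touching real video memory.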
KeDelayExecutionThread, whose prototype is as follows:
NTSTATUS
KeDelayExecutionThread(
    IN KPROCESSOR_MODE WaitMode,
    IN BOOLEAN Alertable,
    IN PLARGE_INTEGER Interval
    );
Here WaitMode is set to KernelMode and Alertable to FALSE. The third parameter, Interval, deserves attention; its description reads as follows:
Interval
Specifies the absolute or relative time, in units of 100 nanoseconds, for which the wait is to occur. A negative value indicates relative time. Absolute expiration times track any changes in system time; relative expiration times are not affected by system time changes.
A relative delay is the better choice, which means writing the interval as a negative number, i.e. with all of its leading bits set to 1. To capture keyboard input we need to access I/O ports 64h and 60h directly, which is no problem in ring 0. I wrote another helper routine for convenience; the code is as follows:
;*************************************************************************
_WaitForInput proc
    local al_tmp:byte
    local interval:LARGE_INTEGER
    local turnsNow:dword
    ; relative delay: -8192 * 100 ns = 819.2 us, stored as a negative qword
    mov dword ptr [interval],0ffffe000h
    mov dword ptr [interval+4],0ffffffffh
    mov turnsNow,0
    mov al_tmp,0                ; defined result if no key arrives within Turns polls
    .while TRUE
        .if turnsNow == Turns
            .break
        .else
            inc turnsNow
            in al,64h           ; keyboard controller status port
            test al,1           ; bit 0: output buffer full?
            jz Delay
            in al,60h           ; read the scan code
            mov al_tmp,al
            movzx eax,al_tmp
            cmp eax,1           ; Esc
            jz ExitWhile
            cmp eax,1eh         ; 'A'
            jz ExitWhile
            cmp eax,0b0h        ; 'B' break (key-up) code
            jz ExitWhile
            cmp eax,1ch         ; Enter
            jnz Delay
          ExitWhile:
            .break
          Delay:
            invoke KeDelayExecutionThread,0,0,addr interval   ; KernelMode, not alertable
        .endif
    .endw
    xor eax,eax
    mov al,al_tmp               ; return the last scan code read (0 if none)
    ret
_WaitForInput endp
;*************************************************************************
d. All that remains is to test the key code the user entered in Main:
    invoke _DisplayString,addr szhopysay,Show_Pos_Line0   ; prompt text, row 23
    invoke _DisplayString,addr szchoose,Show_Pos_Line1    ; choices, row 24
    invoke _WaitForInput                                  ; al = scan code, 0 if none
    .if al == 01h               ; Esc
        ;do nothing
    .elseif al == 0b0h          ; 'B' released
        invoke _TryBS
    .else
        ;do nothing
    .endif
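Added C example (not from the article) that models _WaitForInput and the key dispatch in Main on a constructed sequence of keyboard-controller samples, and derives the two DWORDs of the negative Interval from the signed 64-bit value so the 0FFFFE000h/0FFFFFFFFh constants can be checked. The accepted scan codes and the Turns polling limit are the article's; the port reads and KeDelayExecutionThread are replaced by stepping through the sample array, and _TryBS is represented only by an action value.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* KeDelayExecutionThread's Interval is a LARGE_INTEGER in 100 ns units; a
 * negative value selects a relative delay. Building it as a signed 64-bit
 * integer and splitting it yields exactly the two DWORDs the MASM routine
 * stores: for 8192 units (819.2 us) low = 0FFFFE000h, high = 0FFFFFFFFh. */
static int64_t relative_interval_100ns(int64_t units)
{
    return -units;              /* two's complement: all leading bits become 1 */
}
static uint32_t low_dword(int64_t v)  { return (uint32_t)((uint64_t)v & 0xFFFFFFFFu); }
static uint32_t high_dword(int64_t v) { return (uint32_t)((uint64_t)v >> 32); }

/* Keyboard controller as seen through ports 64h (status) and 60h (data). */
#define KBC_STATUS_OBF 0x01     /* status bit 0: output buffer full */
#define SC_ESC     0x01
#define SC_A       0x1E
#define SC_ENTER   0x1C
#define SC_B_BREAK 0xB0         /* break (key-up) code of 'B' */

/* One poll: what `in al,64h` and a following `in al,60h` would return. */
struct kbc_sample { uint8_t status; uint8_t data; };

/* Mirror of _WaitForInput: poll at most `turns` times, "sleeping" (moving to
 * the next sample) when the buffer is empty or the code is not one of the
 * four accepted keys. Like the assembly it returns the last byte read from
 * port 60h, which is 0 when nothing was read within `turns` polls. */
static uint8_t wait_for_input(const struct kbc_sample *samples, size_t n, unsigned turns)
{
    uint8_t al_tmp = 0;
    for (unsigned t = 0; t < turns; t++) {
        uint8_t status = t < n ? samples[t].status : 0;   /* past the end: idle */
        if (!(status & KBC_STATUS_OBF))
            continue;                                      /* jz Delay */
        al_tmp = samples[t].data;
        if (al_tmp == SC_ESC || al_tmp == SC_A ||
            al_tmp == SC_B_BREAK || al_tmp == SC_ENTER)
            return al_tmp;                                 /* ExitWhile */
    }
    return al_tmp;
}

/* Mirror of the dispatch in Main: only the 'B' release code triggers _TryBS. */
enum action { ACT_NONE = 0, ACT_TRY_BS = 1 };
static enum action dispatch_key(uint8_t scan_code)
{
    return scan_code == SC_B_BREAK ? ACT_TRY_BS : ACT_NONE;
}

/* Constructed sample sequence: idle, the 'B' make code (not accepted), idle,
 * then the 'B' break code the driver is waiting for. */
static const struct kbc_sample k_samples[] = {
    { 0x00, 0x00 }, { 0x01, 0x30 }, { 0x00, 0x00 }, { 0x01, SC_B_BREAK },
};
static uint8_t demo_poll(unsigned turns)
{
    return wait_for_input(k_samples, sizeof k_samples / sizeof k_samples[0], turns);
}

int main(void)
{
    int64_t iv = relative_interval_100ns(8192);
    printf("interval low=%08Xh high=%08Xh\n",
           (unsigned)low_dword(iv), (unsigned)high_dword(iv));
    printf("Turns=10 -> %02Xh, Turns=2 -> %02Xh\n", demo_poll(10), demo_poll(2));
    return 0;
}
```

With Turns=2 the loop runs out after the unaccepted make code and hands 30h back to the dispatcher, which ignores it; that is why the assembly's `.else ;do nothing` branch matters and why al_tmp must be initialised before the loop.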
The result of running it is shown in Figure 3:
Figure 3
Last updated: 2017-04-02 00:06:21