Add files via upload
This commit is contained in:
parent
05c9629d25
commit
4b1fff00a8
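--- a/ZwQueryVirtualMemory/CommonR0.c
+++ b/ZwQueryVirtualMemory/CommonR0.c
@@ -0,0 +1,356 @@
+#include "CommonR0.h"
+
+
+ULONG_PTR ObjectTableOffsetOf_EPROCESS = 0;
+ULONG_PTR PreviousModeOffsetOf_KTHREAD = 0;
+ULONG_PTR IndexOffsetOfFunction = 0;
+ULONG_PTR SSDTDescriptor = 0;
+
+ULONG_PTR HighUserAddress = 0;
+
+WIN_VERSION WinVersion = WINDOWS_UNKNOW;
+ULONG_PTR LdrInPebOffset = 0;
+ULONG_PTR ModListInLdrOffset = 0;
+ULONG_PTR ObjectHeaderSize = 0;
+ULONG_PTR ObjectTypeOffsetOf_Object_Header =0;
+
+
+
+WIN_VERSION GetWindowsVersion()
+{
+RTL_OSVERSIONINFOEXW osverInfo = {sizeof(osverInfo)};
+pfnRtlGetVersion RtlGetVersion = NULL;
+WIN_VERSION WinVersion;
+WCHAR wzRtlGetVersion[] = L"RtlGetVersion";
+RtlGetVersion = GetFunctionAddressByName(wzRtlGetVersion); //Ntoskrnl.exe 导出表
+if (RtlGetVersion)
+{
+RtlGetVersion((PRTL_OSVERSIONINFOW)&osverInfo);
+}
+else
+{
+PsGetVersion(&osverInfo.dwMajorVersion, &osverInfo.dwMinorVersion, &osverInfo.dwBuildNumber, NULL); //Documet
+}
+DbgPrint("Build Number: %d\r\n", osverInfo.dwBuildNumber);
+if (osverInfo.dwMajorVersion == 5 && osverInfo.dwMinorVersion == 1)
+{
+DbgPrint("WINDOWS_XP\r\n");
+WinVersion = WINDOWS_XP;
+}
+else if (osverInfo.dwMajorVersion == 6 && osverInfo.dwMinorVersion == 1)
+{
+DbgPrint("WINDOWS 7\r\n");
+WinVersion = WINDOWS_7;
+}
+else if (osverInfo.dwMajorVersion == 6 &&
+osverInfo.dwMinorVersion == 2 &&
+osverInfo.dwBuildNumber == 9200)
+{
+DbgPrint("WINDOWS 8\r\n");
+WinVersion = WINDOWS_8;
+}
+else if (osverInfo.dwMajorVersion == 6 &&
+osverInfo.dwMinorVersion == 3 &&
+osverInfo.dwBuildNumber == 9600)
+{
+DbgPrint("WINDOWS 8.1\r\n");
+WinVersion = WINDOWS_8_1;
+}
+else
+{
+DbgPrint("WINDOWS_UNKNOW\r\n");
+WinVersion = WINDOWS_UNKNOW;
+}
+return WinVersion;
+}
+
+
+
+PVOID
+GetFunctionAddressByName(WCHAR *wzFunction)
+{
+UNICODE_STRING uniFunction;
+PVOID AddrBase = NULL;
+if (wzFunction && wcslen(wzFunction) > 0)
+{
+RtlInitUnicodeString(&uniFunction, wzFunction); //常量指针
+AddrBase = MmGetSystemRoutineAddress(&uniFunction); //在System 进程 第一个模块 Ntosknrl.exe ExportTable
+}
+return AddrBase;
+}
+
+
+VOID InitGlobalVariable()
+{
+WinVersion = GetWindowsVersion();
+switch(WinVersion)
+{
+case WINDOWS_XP:
+{
+ObjectHeaderSize = 0x18;
+ObjectTypeOffsetOf_Object_Header = 0x8;
+LdrInPebOffset = 0x00c;
+ModListInLdrOffset = 0x00c;
+ObjectHeaderSize = 0x18;
+ObjectTableOffsetOf_EPROCESS = 0x0c4;
+PreviousModeOffsetOf_KTHREAD = 0x140;
+HighUserAddress = 0x80000000;
+
+break;
+}
+case WINDOWS_7:
+{
+LdrInPebOffset = 0x018;
+ModListInLdrOffset = 0x010;
+ObjectTableOffsetOf_EPROCESS = 0x200;
+PreviousModeOffsetOf_KTHREAD = 0x1f6;
+HighUserAddress = 0x80000000000;
+
+break;
+
+}
+}
+}
+
+
+
+BOOLEAN IsRealProcess(PEPROCESS EProcess)
+{
+ULONG_PTR ObjectType;
+ULONG_PTR ObjectTypeAddress;
+BOOLEAN bRet = FALSE;
+
+ULONG_PTR ProcessType = ((ULONG_PTR)*PsProcessType);
+
+if (ProcessType && EProcess && MmIsAddressValid((PVOID)(EProcess)))
+{
+ObjectType = KeGetObjectType((PVOID)EProcess); //*PsProcessType
+if (ObjectType &&
+ProcessType == ObjectType &&
+!IsProcessDie(EProcess))
+{
+bRet = TRUE;
+}
+}
+
+return bRet;
+}
+
+
+
+ULONG_PTR KeGetObjectType(PVOID Object)
+{
+ULONG_PTR ObjectType = NULL;
+pfnObGetObjectType ObGetObjectType = NULL;
+
+if (!MmIsAddressValid ||!Object||!MmIsAddressValid(Object))
+{
+return NULL;
+}
+
+if (WinVersion==WINDOWS_XP)
+{
+ULONG SizeOfObjectHeader = 0, ObjectTypeOffset = 0, ObjectTypeAddress = 0;
+
+ObjectTypeAddress = (ULONG_PTR)Object - ObjectHeaderSize + ObjectTypeOffsetOf_Object_Header;
+
+if (MmIsAddressValid((PVOID)ObjectTypeAddress))
+{
+ObjectType = *(ULONG_PTR*)ObjectTypeAddress;
+}
+}
+else
+{
+//高版本使用函数
+
+ObGetObjectType = (pfnObGetObjectType)GetFunctionAddressByName(L"ObGetObjectType");
+
+
+if (ObGetObjectType)
+{
+ObjectType = ObGetObjectType(Object);
+}
+}
+
+return ObjectType;
+}
+
+BOOLEAN IsProcessDie(PEPROCESS EProcess)
+{
+BOOLEAN bDie = FALSE;
+
+if (MmIsAddressValid &&
+EProcess &&
+MmIsAddressValid(EProcess) &&
+MmIsAddressValid((PVOID)((ULONG_PTR)EProcess + ObjectTableOffsetOf_EPROCESS)))
+{
+PVOID ObjectTable = *(PVOID*)((ULONG_PTR)EProcess + ObjectTableOffsetOf_EPROCESS );
+
+if (!ObjectTable||!MmIsAddressValid(ObjectTable) )
+{
+DbgPrint("Process is Die\r\n");
+bDie = TRUE;
+}
+}
+else
+{
+DbgPrint("Process is Die2\r\n");
+bDie = TRUE;
+}
+return bDie;
+}
+
+
+
+
+CHAR ChangePreMode(PETHREAD EThread)
+{
+
+CHAR PreMode = *(PCHAR)((ULONG_PTR)EThread + PreviousModeOffsetOf_KTHREAD);
+*(PCHAR)((ULONG_PTR)EThread + PreviousModeOffsetOf_KTHREAD) = KernelMode;
+return PreMode;
+}
+
+VOID RecoverPreMode(PETHREAD EThread, CHAR PreMode)
+{
+*(PCHAR)((ULONG_PTR)EThread + PreviousModeOffsetOf_KTHREAD) = PreMode;
+}
+
+
+
+BOOLEAN NtPathToDosPathW(WCHAR* wzFullNtPath,WCHAR* wzFullDosPath)
+{
+WCHAR wzDosDevice[4] = {0};
+WCHAR wzNtDevice[64] = {0};
+WCHAR *RetStr = NULL;
+size_t NtDeviceLen = 0;
+short i = 0;
+if(!wzFullNtPath||!wzFullDosPath)
+{
+return FALSE;
+}
+for(i=65;i<26+65;i++)
+{
+wzDosDevice[0] = i;
+wzDosDevice[1] = L':';
+if(NtQueryDosDevice(wzDosDevice,wzNtDevice,64))
+{
+if(wzNtDevice)
+{
+NtDeviceLen = wcslen(wzNtDevice);
+if(!_wcsnicmp(wzNtDevice,wzFullNtPath,NtDeviceLen))
+{
+wcscpy(wzFullDosPath,wzDosDevice);
+wcscat(wzFullDosPath,wzFullNtPath+NtDeviceLen);
+return TRUE;
+}
+}
+}
+}
+}
+
+ULONG
+NtQueryDosDevice(WCHAR* wzDosDevice,WCHAR* wzNtDevice,
+ULONG ucchMax)
+{
+NTSTATUS Status;
+POBJECT_DIRECTORY_INFORMATION ObjectDirectoryInfor;
+OBJECT_ATTRIBUTES oa;
+UNICODE_STRING uniString;
+HANDLE hDirectory;
+HANDLE hDevice;
+ULONG ulReturnLength;
+ULONG ulNameLength;
+ULONG ulLength;
+ULONG Context;
+BOOLEAN bRestartScan;
+WCHAR* Ptr = NULL;
+UCHAR szBuffer[512] = {0};
+RtlInitUnicodeString (&uniString,L"\\??");
+InitializeObjectAttributes(&oa,
+&uniString,
+OBJ_CASE_INSENSITIVE,
+NULL,
+NULL);
+Status = ZwOpenDirectoryObject(&hDirectory,DIRECTORY_QUERY,&oa);
+if(!NT_SUCCESS(Status))
+{
+return 0;
+}
+ulLength = 0;
+if (wzDosDevice != NULL)
+{
+RtlInitUnicodeString (&uniString,(PWSTR)wzDosDevice);
+InitializeObjectAttributes(&oa,&uniString,OBJ_CASE_INSENSITIVE,hDirectory,NULL);
+Status = ZwOpenSymbolicLinkObject(&hDevice,GENERIC_READ,&oa);
+if(!NT_SUCCESS (Status))
+{
+ZwClose(hDirectory);
+return 0;
+}
+uniString.Length = 0;
+uniString.MaximumLength = (USHORT)ucchMax * sizeof(WCHAR);
+uniString.Buffer = wzNtDevice;
+ulReturnLength = 0;
+Status = ZwQuerySymbolicLinkObject (hDevice,&uniString,&ulReturnLength);
+ZwClose(hDevice);
+ZwClose(hDirectory);
+if (!NT_SUCCESS (Status))
+{
+return 0;
+}
+ulLength = uniString.Length / sizeof(WCHAR);
+if (ulLength < ucchMax)
+{
+wzNtDevice[ulLength] = UNICODE_NULL;
+ulLength++;
+}
+else
+{
+return 0;
+}
+}
+else
+{
+bRestartScan = TRUE;
+Context = 0;
+Ptr = wzNtDevice;
+ObjectDirectoryInfor = (POBJECT_DIRECTORY_INFORMATION)szBuffer;
+while (TRUE)
+{
+Status = ZwQueryDirectoryObject(hDirectory,szBuffer,sizeof (szBuffer),TRUE,bRestartScan,&Context,&ulReturnLength);
+if(!NT_SUCCESS(Status))
+{
+if (Status == STATUS_NO_MORE_ENTRIES)
+{
+*Ptr = UNICODE_NULL;
+ulLength++;
+Status = STATUS_SUCCESS;
+}
+else
+{
+ulLength = 0;
+}
+break;
+}
+if (!wcscmp (ObjectDirectoryInfor->TypeName.Buffer, L"SymbolicLink"))
+{
+ulNameLength = ObjectDirectoryInfor->Name.Length / sizeof(WCHAR);
+if (ulLength + ulNameLength + 1 >= ucchMax)
+{
+ulLength = 0;
+break;
+}
+memcpy(Ptr,ObjectDirectoryInfor->Name.Buffer,ObjectDirectoryInfor->Name.Length);
+Ptr += ulNameLength;
+ulLength += ulNameLength;
+*Ptr = UNICODE_NULL;
+Ptr++;
+ulLength++;
+}
+bRestartScan = FALSE;
+}
+ZwClose(hDirectory);
+}
+return ulLength;
+}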
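Review bot: `InitGlobalVariable` fills the EPROCESS/KTHREAD offsets only for WINDOWS_XP and WINDOWS_7, yet `GetWindowsVersion` also returns WINDOWS_8 and WINDOWS_8_1, so on those builds every offset stays 0 and `ChangePreMode` writes KernelMode into byte 0 of the KTHREAD while `IsProcessDie` dereferences `EProcess + 0` as the handle table. Add a `default:` arm that logs the unsupported build, and guard both PreviousMode writers on a zero offset, e.g. `if (PreviousModeOffsetOf_KTHREAD == 0) return;` at the top of `RecoverPreMode` and the matching early return in `ChangePreMode`, so a thread's PreviousMode is never touched when the layout is unknown. The WINDOWS_7 constants (`HighUserAddress = 0x80000000000`, ObjectTable 0x200, PreviousMode 0x1f6) look like x64 values, while the solution's only configuration is WinDDK|Win32, where 0x80000000000 does not fit a 32-bit ULONG_PTR; the table should be keyed on bitness as well as build. Separately, `NtPathToDosPathW` falls off the end of a BOOLEAN function when no drive letter matches, and its `wcscpy`/`wcscat` into `wzFullDosPath` are unbounded; add `return FALSE;` after the loop and pass the destination size so the copy can be checked.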
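--- a/ZwQueryVirtualMemory/CommonR0.h
+++ b/ZwQueryVirtualMemory/CommonR0.h
@@ -0,0 +1,53 @@
+#pragma once
+#include "ZwQueryVirtualMemory.h"
+
+
+typedef enum WIN_VERSION {
+WINDOWS_UNKNOW,
+WINDOWS_XP,
+WINDOWS_7,
+WINDOWS_8,
+WINDOWS_8_1
+} WIN_VERSION;
+
+WIN_VERSION GetWindowsVersion();
+PVOID
+GetFunctionAddressByName(WCHAR *wzFunction);
+typedef
+NTSTATUS
+(*pfnRtlGetVersion)(OUT PRTL_OSVERSIONINFOW lpVersionInformation);
+ULONG_PTR KeGetObjectType(PVOID Object);
+typedef ULONG_PTR
+(*pfnObGetObjectType)(PVOID pObject);
+BOOLEAN IsProcessDie(PEPROCESS EProcess);
+ULONG_PTR KeGetObjectType(PVOID Object);
+BOOLEAN IsRealProcess(PEPROCESS EProcess) ;
+CHAR ChangePreMode(PETHREAD EThread);
+VOID RecoverPreMode(PETHREAD EThread, CHAR PreMode);
+VOID InitGlobalVariable();//³õʼ»¯Ò»Ð©Æ«ÒÆ
+BOOLEAN NtPathToDosPathW(WCHAR* wzFullNtPath,WCHAR* wzFullDosPath);
+extern
+NTSTATUS
+NTAPI
+ZwQueryDirectoryObject (
+__in HANDLE DirectoryHandle,
+__out_bcount_opt(Length) PVOID Buffer,
+__in ULONG Length,
+__in BOOLEAN ReturnSingleEntry,
+__in BOOLEAN RestartScan,
+__inout PULONG Context,
+__out_opt PULONG ReturnLength
+);
+
+typedef struct _OBJECT_DIRECTORY_INFORMATION
+{
+UNICODE_STRING Name;
+UNICODE_STRING TypeName;
+} OBJECT_DIRECTORY_INFORMATION, *POBJECT_DIRECTORY_INFORMATION;
+
+
+ULONG
+NtQueryDosDevice(WCHAR* wzDosDevice,WCHAR* wzNtDevice,
+ULONG ucchMax);
+
+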
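Review bot: `ULONG_PTR KeGetObjectType(PVOID Object);` is declared twice in this header, and the comment on `InitGlobalVariable` is mojibake (`//³õʼ»¯Ò»Ð©Æ«ÒÆ`, GBK bytes rendered as Latin-1, which appears to say "initialise some offsets"); drop the duplicate and replace the comment with `// Fill the version-specific EPROCESS/KTHREAD/PEB offsets; must run before ChangePreMode/IsProcessDie are used`. `ChangePreMode`/`RecoverPreMode` patch the calling thread's KTHREAD.PreviousMode through a global offset and carry no documentation of that contract; a comment such as `// Forces the current thread's PreviousMode to KernelMode (disables user-pointer probing in Nt* calls); caller MUST pair with RecoverPreMode on every path` belongs on the declaration, since nothing else warns the caller. The `pfnObGetObjectType` and `pfnRtlGetVersion` typedefs omit `NTAPI`, so they only match the kernel exports' calling convention under the project's StdCall default; spell the convention out in the typedefs.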
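--- a/ZwQueryVirtualMemory/GetSSDTFuncAddress.c
+++ b/ZwQueryVirtualMemory/GetSSDTFuncAddress.c
@@ -0,0 +1,278 @@
+#include "GetSSDTFuncAddress.h"
+#include "CommonR0.h"
+
+
+
+ULONG_PTR IndexOffset = 0;
+
+extern WIN_VERSION WinVersion;
+
+
+ULONG_PTR GetFuncAddress(char* szFuncName)
+{
+
+ULONG_PTR SSDTDescriptor = 0;
+ULONG_PTR ulIndex = 0;
+ULONG_PTR SSDTFuncAddress = 0;
+
+WinVersion = GetWindowsVersion();
+
+switch(WinVersion)
+{
+case WINDOWS_7:
+{
+
+SSDTDescriptor = GetKeServiceDescriptorTable64();
+IndexOffset = 4;
+
+break;
+}
+
+case WINDOWS_XP:
+{
+SSDTDescriptor = (ULONG_PTR)GetFunctionAddressByName(L"KeServiceDescriptorTable");
+IndexOffset = 1;
+
+break;
+}
+}
+
+ulIndex = GetSSDTApiFunIndex(szFuncName);
+
+
+SSDTFuncAddress = GetSSDTApiFunAddress(ulIndex,SSDTDescriptor);
+
+
+return SSDTFuncAddress;
+}
+
+
+
+ULONG_PTR GetSSDTApiFunAddress(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor)
+{
+ULONG_PTR SSDTFuncAddress = 0;
+switch(WinVersion)
+{
+case WINDOWS_7:
+{
+SSDTFuncAddress = GetSSDTFunctionAddress64(ulIndex,SSDTDescriptor);
+break;
+}
+
+case WINDOWS_XP:
+{
+SSDTFuncAddress = GetSSDTFunctionAddress32(ulIndex,SSDTDescriptor);
+break;
+}
+}
+}
+
+
+ULONG_PTR GetSSDTFunctionAddress32(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor)
+{
+ULONG_PTR ServiceTableBase= 0 ;
+PSYSTEM_SERVICE_TABLE32 SSDT = (PSYSTEM_SERVICE_TABLE32)SSDTDescriptor;
+
+ServiceTableBase=(ULONG_PTR)(SSDT ->ServiceTableBase);
+
+return (ULONG_PTR)(((ULONG*)ServiceTableBase)[(ULONG)ulIndex]);
+}
+
+
+
+ULONG_PTR GetSSDTFunctionAddress64(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor)
+{
+LONG dwTemp=0;
+ULONG_PTR qwTemp=0;
+ULONG_PTR ServiceTableBase= 0 ;
+ULONG_PTR FuncAddress =0;
+PSYSTEM_SERVICE_TABLE64 SSDT = (PSYSTEM_SERVICE_TABLE64)SSDTDescriptor;
+ServiceTableBase=(ULONG_PTR)(SSDT ->ServiceTableBase);
+qwTemp = ServiceTableBase + 4 * ulIndex;
+dwTemp = *(PLONG)qwTemp;
+dwTemp = dwTemp>>4;
+FuncAddress = ServiceTableBase + (ULONG_PTR)dwTemp;
+return FuncAddress;
+}
+
+
+LONG GetSSDTApiFunIndex(IN LPSTR lpszFunName)
+{
+LONG Index = -1;
+NTSTATUS Status = STATUS_UNSUCCESSFUL;
+PVOID MapBase = NULL;
+PIMAGE_NT_HEADERS NtHeader;
+PIMAGE_EXPORT_DIRECTORY ExportTable;
+ULONG* FunctionAddresses;
+ULONG* FunctionNames;
+USHORT* FunIndexs;
+ULONG ulFunIndex;
+ULONG i;
+CHAR* FunName;
+SIZE_T ViewSize=0;
+ULONG_PTR FunAddress;
+WCHAR wzNtdll[] = L"\\SystemRoot\\System32\\ntdll.dll";
+
+Status = MapFileInUserSpace(wzNtdll, NtCurrentProcess(), &MapBase, &ViewSize);
+if (!NT_SUCCESS(Status))
+{
+
+return STATUS_UNSUCCESSFUL;
+
+}
+else
+{
+__try{
+NtHeader = RtlImageNtHeader(MapBase);
+if (NtHeader && NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress){
+ExportTable =(IMAGE_EXPORT_DIRECTORY *)((ULONG_PTR)MapBase + NtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
+FunctionAddresses = (ULONG*)((ULONG_PTR)MapBase + ExportTable->AddressOfFunctions);
+FunctionNames = (ULONG*)((ULONG_PTR)MapBase + ExportTable->AddressOfNames);
+FunIndexs = (USHORT*)((ULONG_PTR)MapBase + ExportTable->AddressOfNameOrdinals);
+for(i = 0; i < ExportTable->NumberOfNames; i++)
+{
+FunName = (LPSTR)((ULONG_PTR)MapBase + FunctionNames[i]);
+if (_stricmp(FunName, lpszFunName) == 0)
+{
+ulFunIndex = FunIndexs[i];
+FunAddress = (ULONG_PTR)((ULONG_PTR)MapBase + FunctionAddresses[ulFunIndex]);
+Index=*(ULONG*)(FunAddress+IndexOffset);
+break;
+}
+}
+}
+}__except(EXCEPTION_EXECUTE_HANDLER)
+{
+;
+}
+}
+
+if (Index == -1)
+{
+DbgPrint("%s Get Index Error\n", lpszFunName);
+}
+
+ZwUnmapViewOfSection(NtCurrentProcess(), MapBase);
+return Index;
+}
+
+
+
+
+ULONG_PTR GetKeServiceDescriptorTable64()
+{
+PUCHAR StartSearchAddress = (PUCHAR)__readmsr(0xC0000082);
+PUCHAR EndSearchAddress = StartSearchAddress + 0x500;
+PUCHAR i = NULL;
+UCHAR b1=0,b2=0,b3=0;
+ULONG_PTR Temp = 0;
+ULONG_PTR Address = 0;
+for(i=StartSearchAddress;i<EndSearchAddress;i++)
+{
+if( MmIsAddressValid(i) && MmIsAddressValid(i+1) && MmIsAddressValid(i+2) )
+{
+b1=*i;
+b2=*(i+1);
+b3=*(i+2);
+if( b1==0x4c && b2==0x8d && b3==0x15 ) //4c8d15
+{
+memcpy(&Temp,i+3,4);
+Address = (ULONG_PTR)Temp + (ULONG_PTR)i + 7;
+return Address;
+}
+}
+}
+return 0;
+}
+
+
+
+
+NTSTATUS
+MapFileInUserSpace(IN LPWSTR lpszFileName,IN HANDLE ProcessHandle OPTIONAL,
+OUT PVOID *BaseAddress,
+OUT PSIZE_T ViewSize OPTIONAL)
+{
+NTSTATUS Status = STATUS_INVALID_PARAMETER;
+HANDLE hFile = NULL;
+HANDLE hSection = NULL;
+OBJECT_ATTRIBUTES oa;
+SIZE_T MapViewSize = 0;
+IO_STATUS_BLOCK Iosb;
+UNICODE_STRING uniFileName;
+
+if (!lpszFileName || !BaseAddress){
+return Status;
+}
+
+RtlInitUnicodeString(&uniFileName, lpszFileName);
+InitializeObjectAttributes(&oa,
+&uniFileName,
+OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
+NULL,
+NULL
+);
+
+Status = IoCreateFile(&hFile,
+GENERIC_READ | SYNCHRONIZE,
+&oa,
+&Iosb,
+NULL,
+FILE_ATTRIBUTE_NORMAL,
+FILE_SHARE_READ,
+FILE_OPEN,
+FILE_SYNCHRONOUS_IO_NONALERT,
+NULL,
+0,
+CreateFileTypeNone,
+NULL,
+IO_NO_PARAMETER_CHECKING
+);
+
+if (!NT_SUCCESS(Status))
+{
+DbgPrint("ZwCreateFile Failed! Error=%08x\n",Status);
+return Status;
+}
+
+oa.ObjectName = NULL;
+Status = ZwCreateSection(&hSection,
+SECTION_QUERY | SECTION_MAP_READ,
+&oa,
+NULL,
+PAGE_WRITECOPY,
+SEC_IMAGE,
+hFile
+);
+ZwClose(hFile);
+if (!NT_SUCCESS(Status))
+{
+DbgPrint("ZwCreateSection Failed! Error=%08x\n",Status);
+return Status;
+
+}
+
+if (!ProcessHandle){
+ProcessHandle = NtCurrentProcess();
+}
+
+Status = ZwMapViewOfSection(hSection,
+ProcessHandle,
+BaseAddress,
+0,
+0,
+0,
+ViewSize ? ViewSize : &MapViewSize,
+ViewUnmap,
+0,
+PAGE_WRITECOPY
+);
+ZwClose(hSection);
+if (!NT_SUCCESS(Status))
+{
+DbgPr
int("ZwMapViewOfSection Failed! Error=%08x\n",Status);
+return Status;
+}
+
+return Status;
+}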
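Review bot: `GetSSDTApiFunAddress` computes `SSDTFuncAddress` but never returns it — the function ends after the `switch` with no `return` statement — so `GetFuncAddress` hands an indeterminate value to DriverEntry as the NtQueryVirtualMemory pointer; add `return SSDTFuncAddress;` before the closing brace. In `GetKeServiceDescriptorTable64` the 4-byte RIP-relative displacement is `memcpy`'d into a zero-initialised `ULONG_PTR Temp`, so a negative displacement is zero- rather than sign-extended and the computed address is wrong; read it into a signed 32-bit local first: `LONG Rel = 0; memcpy(&Rel, i + 3, sizeof(Rel)); return (ULONG_PTR)(i + 7 + Rel);`. `GetSSDTApiFunIndex` returns `STATUS_UNSUCCESSFUL` rather than -1 when ntdll cannot be mapped, so that failure is not caught by the `Index == -1` check and the status value flows into `GetSSDTFunctionAddress32/64`, neither of which bounds `ulIndex` against `NumberOfServices`; return -1 on the map failure and reject indexes at or above `NumberOfServices` in both walkers. The `IndexOffset` read of the syscall number and the `>>4` table encoding are build- and bitness-specific and undocumented; a comment on each stating which stub layout it assumes would save the next reader from guessing.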
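--- a/ZwQueryVirtualMemory/GetSSDTFuncAddress.h
+++ b/ZwQueryVirtualMemory/GetSSDTFuncAddress.h
@@ -0,0 +1,43 @@
+#pragma once
+#include "ZwQueryVirtualMemory.h"
+#include <ntimage.h>
+
+#define MEM_IMAGE SEC_IMAGE
+#define SEC_IMAGE 0x01000000
+
+typedef struct _SYSTEM_SERVICE_TABLE64{
+PVOID ServiceTableBase;
+PVOID ServiceCounterTableBase;
+ULONG64 NumberOfServices;
+PVOID ParamTableBase;
+} SYSTEM_SERVICE_TABLE64, *PSYSTEM_SERVICE_TABLE64;
+
+typedef struct _SYSTEM_SERVICE_TABLE32 {
+PVOID ServiceTableBase;
+PVOID ServiceCounterTableBase;
+ULONG32 NumberOfServices;
+PVOID ParamTableBase;
+} SYSTEM_SERVICE_TABLE32, *PSYSTEM_SERVICE_TABLE32;
+
+NTSYSAPI
+PIMAGE_NT_HEADERS
+NTAPI
+RtlImageNtHeader(PVOID Base);
+
+ULONG_PTR GetFuncAddress(char* szFuncName);
+
+LONG GetSSDTApiFunIndex(IN LPSTR lpszFunName);
+
+NTSTATUS
+MapFileInUserSpace(IN LPWSTR lpszFileName,IN HANDLE ProcessHandle OPTIONAL,
+OUT PVOID *BaseAddress,
+OUT PSIZE_T ViewSize OPTIONAL);
+
+ULONG_PTR GetSSDTApiFunAddress(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor);
+
+ULONG_PTR GetSSDTFunctionAddress32(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor);
+ULONG_PTR GetSSDTFunctionAddress64(ULONG_PTR ulIndex,ULONG_PTR SSDTDescriptor);
+ULONG_PTR GetKeServiceDescriptorTable64();
+
+
+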
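Review bot: `#define SEC_IMAGE 0x01000000` re-defines a constant that the WDK headers pulled in through ZwQueryVirtualMemory.h (ntifs.h) already provide, and `#define MEM_IMAGE SEC_IMAGE` on the line above only works because the two names happen to share the value 0x1000000; define the one this project actually needs directly, `#define MEM_IMAGE 0x1000000`, and delete the SEC_IMAGE line so the header never shadows a system macro. `SYSTEM_SERVICE_TABLE64`/`32` and the four SSDT helpers have no comments; the header should record that the 64-bit table holds 4-byte values decoded as `offset >> 4` relative to ServiceTableBase (as GetSSDTFunctionAddress64 does) while the 32-bit table holds absolute addresses, and that `GetKeServiceDescriptorTable64` pattern-scans from the LSTAR MSR and is therefore x64-only, since nothing else in the project states those assumptions.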
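--- a/ZwQueryVirtualMemory/ZwQueryVirtualMemory.c
+++ b/ZwQueryVirtualMemory/ZwQueryVirtualMemory.c
@@ -0,0 +1,147 @@
+/***************************************************************************************
+* AUTHOR : MZ
+* DATE : 2016-3-18
+* MODULE : ZwQueryVirtualMemory.C
+*
+* Command:
+* Source of IOCTRL Sample Driver
+*
+* Description:
+* Demonstrates communications between USER and KERNEL.
+*
+****************************************************************************************
+* Copyright (C) 2010 MZ.
+****************************************************************************************/
+
+//#######################################################################################
+//# I N C L U D E S
+//#######################################################################################
+
+#ifndef CXX_ZWQUERYVIRTUALMEMORY_H
+# include "ZwQueryVirtualMemory.h"
+#include "CommonR0.h"
+#include "GetSSDTFuncAddress.h"
+#endif
+
+
+extern ULONG_PTR ObjectTableOffsetOf_EPROCESS;
+extern ULONG_PTR PreviousModeOffsetOf_KTHREAD;
+extern ULONG_PTR IndexOffsetOfFunction;
+
+extern ULONG_PTR ObjectHeaderSize;
+extern ULONG_PTR ObjectTypeOffsetOf_OBJECT_HEADER;
+extern ULONG_PTR HighUserAddress;
+
+extern WIN_VERSION WinVersion;
+extern ULONG_PTR LdrInPebOffset;
+extern ULONG_PTR ModListInLdrOffset;
+
+extern ULONG_PTR HighUserAddress;
+
+pfnNtQueryVirtualMemory NtQueryVirtualMemoryAddress = NULL;
+
+NTSTATUS
+DriverEntry(IN PDRIVER_OBJECT pDriverObj, IN PUNICODE_STRING pRegistryString)
+{
+NTSTATUS status = STATUS_SUCCESS;
+UNICODE_STRING ustrLinkName;
+UNICODE_STRING ustrDevName;
+PDEVICE_OBJECT pDevObj;
+int i = 0;
+PEPROCESS Eprocess ;
+HANDLE Id ;
+
+WinVersion = GetWindowsVersion();
+InitGlobalVariable();
+NtQueryVirtualMemoryAddress = (pfnNtQueryVirtualMemory)GetFuncAddress("NtQueryVirtualMemory");
+
+
+//Eprocess = PsGetCurrentProcess();
+//Id= PsGetProcessId(Eprocess);
+EnumMoudleByNtQueryVirtualMemory((ULONG)1592);
+pDriverObj->DriverUnload = DriverUnload;
+
+
+return STATUS_SUCCESS;
+}
+
+VOID
+DriverUnload(IN PDRIVER_OBJECT pDriverObj)
+{
+return;
+}
+
+
+NTSTATUS EnumMoudleByNtQueryVirtualMemory(ULONG ProcessId)
+{
+NTSTATUS Status;
+PEPROCESS EProcess = NULL;
+HANDLE hProcess = NULL;
+ULONG ulRet = 0;
+WCHAR DosPath[260] = {0};
+
+if (ProcessId)
+{
+Status = PsLookupProcessByProcessId((HANDLE)ProcessId, &EProcess);
+if (!NT_SUCCESS(Status))
+{
+return Status;
+}
+}
+if (IsRealProcess(EProcess)) //判断是否为僵尸进程,我只是判断了对象类型和句柄表是否存在
+{
+ObfDereferenceObject(EProcess);
+Status = ObOpenObjectByPointer(EProcess,
+OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
+NULL,
+GENERIC_ALL,
+*PsProcessType,
+KernelMode,
+&hProcess
+);
+if (NT_SUCCESS(Status))
+{
+ULONG_PTR ulBase = 0;
+//改变PreviousMode
+PETHREAD EThread = PsGetCurrentThread();
+CHAR PreMode = ChangePreMode(EThread); //KernelMode
+do
+{
+MEMORY_BASIC_INFORMATION mbi = {0};
+Status = NtQueryVirtualMemoryAddress(hProcess,
+(PVOID)ulBase,
+MemoryBasicInformation,
+&mbi,
+sizeof(MEMORY_BASIC_INFORMATION),
+&ulRet);
+if (NT_SUCCESS(Status))
+{
+//如果是Image 再查询SectionName,即FileObject Name
+if (mbi.Type==MEM_IMAGE)
+{
+MEMORY_SECTION_NAME msn = {0};
+Status = NtQueryVirtualMemoryAddress(hProcess,
+(PVOID)ulBase,
+MemorySectionName,
+&msn,
+sizeof(MEMORY_SECTION_NAME),
+&ulRet);
+if (NT_SUCCESS(Status))
+{
+DbgPrint("SectionName:%wZ\r\n",&(msn.Name));
+NtPathToDosPathW(msn.Name.Buffer,DosPath);
+DbgPrint("DosName:%S\r\n",DosPath);
+}
+}
+ulBase += mbi.RegionSize;
+}
+else ulBase += PAGE_SIZE;
+} while (ulBase < (ULONG_PTR)HighUserAddress);
+NtClose(hProcess);
+RecoverPreMode(EThread,PreMode);
+}
+}
+return Status;
+}
+
+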
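Review bot: `EnumMoudleByNtQueryVirtualMemory` calls `ObfDereferenceObject(EProcess)` before `ObOpenObjectByPointer` uses the pointer, dropping the reference that `PsLookupProcessByProcessId` took while the object is still in use; move the dereference to after the open succeeds or fails (the handle keeps the process alive from then on). `NtQueryVirtualMemoryAddress` is never validated before the call — `GetFuncAddress` returns 0 on an unrecognised version — and the call is made with the thread's PreviousMode forced to KernelMode, so a bad pointer faults inside the window where user-pointer probing is disabled; add `if (!NtQueryVirtualMemoryAddress) return STATUS_NOT_SUPPORTED;` at the top of the function. `Status` is also returned uninitialised when `ProcessId` is 0 or `IsRealProcess` is false, so initialise it: `NTSTATUS Status = STATUS_UNSUCCESSFUL;`. DriverEntry runs the scan against the hard-coded PID 1592 and opens the target with `GENERIC_ALL`; if this is meant to outlive a one-off test, the PID should come from an IOCTL and the access mask should be the `PROCESS_QUERY_INFORMATION` that NtQueryVirtualMemory actually needs.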
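--- a/ZwQueryVirtualMemory/ZwQueryVirtualMemory.h
+++ b/ZwQueryVirtualMemory/ZwQueryVirtualMemory.h
@@ -0,0 +1,49 @@
+
+#ifndef CXX_ZWQUERYVIRTUALMEMORY_H
+#define CXX_ZWQUERYVIRTUALMEMORY_H
+
+
+#include <ntifs.h>
+#include <devioctl.h>
+typedef unsigned long DWORD;
+
+NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObj, IN PUNICODE_STRING pRegistryString);
+
+VOID DriverUnload(IN PDRIVER_OBJECT pDriverObj);
+
+
+typedef enum _MEMORY_INFORMATION_CLASS
+{
+MemoryBasicInformation, //内存基本信息
+MemoryWorkingSetList,
+MemorySectionName //内存映射文件名信息
+}MEMORY_INFORMATION_CLASS;
+
+
+typedef NTSTATUS
+(*pfnNtQueryVirtualMemory)(HANDLE ProcessHandle,PVOID BaseAddress,
+MEMORY_INFORMATION_CLASS MemoryInformationClass,
+PVOID MemoryInformation,
+SIZE_T MemoryInformationLength,
+PSIZE_T ReturnLength);
+
+//MemoryBasicInformation
+typedef struct _MEMORY_BASIC_INFORMATION {
+PVOID BaseAddress; //查询内存块所占的第一个页面基地址
+PVOID AllocationBase; //内存块所占的第一块区域基地址,小于等于BaseAddress,
+DWORD AllocationProtect; //区域被初次保留时赋予的保护属性
+SIZE_T RegionSize; //从BaseAddress开始,具有相同属性的页面的大小,
+DWORD State; //页面的状态,有三种可能值MEM_COMMIT、MEM_FREE和MEM_RESERVE
+DWORD Protect; //页面的属性,其可能的取值与AllocationProtect相同
+DWORD Type; //该内存块的类型,有三种可能值:MEM_IMAGE、MEM_MAPPED和MEM_PRIVATE
+} MEMORY_BASIC_INFORMATION, *PMEMORY_BASIC_INFORMATION;
+NTSTATUS EnumMoudleByNtQueryVirtualMemory(ULONG ProcessId);
+//MemorySectionName
+typedef struct _MEMORY_SECTION_NAME {
+UNICODE_STRING Name;
+WCHAR Buffer[260];
+}MEMORY_SECTION_NAME,*PMEMORY_SECTION_NAME;
+
+
+
+#endif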
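Review bot: `pfnNtQueryVirtualMemory` declares no calling convention, so the call through it in `EnumMoudleByNtQueryVirtualMemory` is stdcall only because the vcxproj sets `<CallingConvention>StdCall</CallingConvention>`; the DDK `build` flow driven by mybuild.bat would not read that setting, and a cdecl call into a stdcall SSDT entry unbalances the stack on x86. Write the convention into the type, `typedef NTSTATUS (NTAPI *pfnNtQueryVirtualMemory)(HANDLE ProcessHandle, PVOID BaseAddress, ...)`, so it does not depend on a project-wide default. `MEMORY_INFORMATION_CLASS`, `MEMORY_BASIC_INFORMATION` and `MEMORY_SECTION_NAME` are private copies of kernel definitions; a one-line comment on each saying so (and that `Buffer[260]` caps the section name the caller can receive) would stop a reader from assuming they are the WDK's, and the Chinese field comments should be translated so the contract is readable by everyone who maintains the file.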
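--- a/ZwQueryVirtualMemory/ZwQueryVirtualMemory.sln
+++ b/ZwQueryVirtualMemory/ZwQueryVirtualMemory.sln
@@ -0,0 +1,16 @@
+Microsoft Visual Studio Solution File, Format Version 11.00
+# Visual Studio 2010
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ZwQueryVirtualMemory", "ZwQueryVirtualMemory.vcxproj", "{4EE67C57-BE79-4CD7-B3B0-94AECE62DB41}"
+EndProject
+Global
+GlobalSection(SolutionConfigurationPlatforms) = preSolution
+WinDDK|Win32 = WinDDK|Win32
+EndGlobalSection
+GlobalSection(ProjectConfigurationPlatforms) = postSolution
+{4EE67C57-BE79-4CD7-B3B0-94AECE62DB41}.WinDDK|Win32.ActiveCfg = WinDDK|Win32
+{4EE67C57-BE79-4CD7-B3B0-94AECE62DB41}.WinDDK|Win32.Build.0 = WinDDK|Win32
+EndGlobalSection
+GlobalSection(SolutionProperties) = preSolution
+HideSolutionNode = FALSE
+EndGlobalSection
+EndGlobal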
BIN
ZwQueryVirtualMemory/ZwQueryVirtualMemory.suo
Normal file
BIN
ZwQueryVirtualMemory/ZwQueryVirtualMemory.suo
Normal file
Binary file not shown.
BIN
ZwQueryVirtualMemory/ZwQueryVirtualMemory.sys
Normal file
BIN
ZwQueryVirtualMemory/ZwQueryVirtualMemory.sys
Normal file
Binary file not shown.
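--- a/ZwQueryVirtualMemory/ZwQueryVirtualMemory.vcxproj
+++ b/ZwQueryVirtualMemory/ZwQueryVirtualMemory.vcxproj
@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<ItemGroup Label="ProjectConfigurations">
+<ProjectConfiguration Include="WinDDK|Win32">
+<Configuration>WinDDK</Configuration>
+<Platform>Win32</Platform>
+</ProjectConfiguration>
+</ItemGroup>
+<PropertyGroup Label="Globals">
+<ProjectGuid>{4EE67C57-BE79-4CD7-B3B0-94AECE62DB41}</ProjectGuid>
+<Keyword>Win32Proj</Keyword>
+<RootNamespace>"ZwQueryVirtualMemory"</RootNamespace>
+</PropertyGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+<ImportGroup Label="ExtensionSettings">
+</ImportGroup>
+<PropertyGroup Label="UserMacros" />
+<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='WinDDK|Win32'">
+<TargetExt>.sys</TargetExt>
+<GenerateManifest>false</GenerateManifest>
+<ExecutablePath>$(WLHBASE)\bin\x86\x86;$(WLHBASE)\bin\x86</ExecutablePath>
+<IncludePath>$(WLHBASE)\inc\api;$(WLHBASE)\inc\crt;$(WLHBASE)\inc\ddk;$(WLHBASE)\inc</IncludePath>
+<ReferencePath />
+<LibraryPath>$(WLHBASE)\lib\win7\i386</LibraryPath>
+<SourcePath />
+<ExcludePath />
+</PropertyGroup>
+<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='WinDDK|Win32'">
+<ClCompile>
+<PreprocessorDefinitions>_X86_;DBG=1</PreprocessorDefinitions>
+<ExceptionHandling>false</ExceptionHandling>
+<BufferSecurityCheck>false</BufferSecurityCheck>
+<CallingConvention>StdCall</CallingConvention>
+<CompileAs>CompileAsC</CompileAs>
+<AdditionalIncludeDirectories>
+</AdditionalIncludeDirectories>
+</ClCompile>
+<Link>
+<AdditionalDependencies>ntoskrnl.lib;hal.lib;wdm.lib;%(AdditionalDependencies)</AdditionalDependencies>
+</Link>
+<Link>
+<IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>
+<SubSystem>Native</SubSystem>
+<Driver>Driver</Driver>
+<EntryPointSymbol>DriverEntry</EntryPointSymbol>
+<SetChecksum>true</SetChecksum>
+<BaseAddress>0x10000</BaseAddress>
+<RandomizedBaseAddress>
+</RandomizedBaseAddress>
+<DataExecutionPrevention>
+</DataExecutionPrevention>
+</Link>
+</ItemDefinitionGroup>
+<ItemGroup>
+<ClCompile Include=".\ZwQueryVirtualMemory.c" />
+<ClCompile Include=".\ZwQueryVirtualMemory.h" />
+<ClCompile Include="CommonR0.c" />
+<ClCompile Include="GetSSDTFuncAddress.c" />
+</ItemGroup>
+<ItemGroup>
+<ClInclude Include="CommonR0.h" />
+<ClInclude Include="GetSSDTFuncAddress.h" />
+</ItemGroup>
+<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+<ImportGroup Label="ExtensionTargets">
+</ImportGroup>
+</Project>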
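Review bot: `<BufferSecurityCheck>false</BufferSecurityCheck>` turns /GS off for a kernel driver whose helpers write into fixed stack buffers with `wcscpy`/`wcscat` and `memcpy` (CommonR0.c in this same change), removing the one mitigation that turns a stack overrun into a bugcheck instead of silent kernel stack corruption; set it to `true`, which is what the WDK build normally uses. `<RandomizedBaseAddress>` and `<DataExecutionPrevention>` are left empty and `<BaseAddress>0x10000</BaseAddress>` pins a fixed image base, so the binary opts out of the linker defaults as well; delete all three or set `/DYNAMICBASE` and `/NXCOMPAT` explicitly. `<ClCompile Include=".\ZwQueryVirtualMemory.h" />` lists a header as a compile unit; it belongs under `<ClInclude>` with the other headers.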
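--- a/ZwQueryVirtualMemory/ZwQueryVirtualMemory.vcxproj.user
+++ b/ZwQueryVirtualMemory/ZwQueryVirtualMemory.vcxproj.user
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+</Project>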
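--- a/ZwQueryVirtualMemory/clean.bat
+++ b/ZwQueryVirtualMemory/clean.bat
@@ -0,0 +1,28 @@
+rem /////////////////
+rem / Add by ChiChou
+rem /
+rem / FileName:Clean.bat
+rem / Description:Clean
+rem /
+rem ////////////////
+rd .\bin /s /q
+rd .\WinDDK /s /q
+rd .\objchk_w2k_x86 /s /q
+rd .\objchk_wxp_x86 /s /q
+rd .\objchk_wnet_x86 /s /q
+rd .\objchk_wlh_x86 /s /q
+rd .\objfre_w2k_x86 /s /q
+rd .\objfre_wxp_x86 /s /q
+rd .\objfre_wnet_x86 /s /q
+rd .\objfre_wlh_x86 /s /q
+del .\*.log
+del .\*.err
+del .\*.xml
+rem ***** del VS2005 file *****
+del .\*.ncb
+del .\*.user
+del .\*.suo /A:H
+rem ***** del VS6.0 file *****
+del .\*.plg
+del .\*.opt
+exit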
1122
ZwQueryVirtualMemory/ddkbuild.cmd
Normal file
1122
ZwQueryVirtualMemory/ddkbuild.cmd
Normal file
File diff suppressed because it is too large
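--- a/ZwQueryVirtualMemory/makefile
+++ b/ZwQueryVirtualMemory/makefile
@@ -0,0 +1,6 @@
+#
+# DO NOT EDIT THIS FILE!!! Edit .\sources. if you want to add a new source
+# file to this component. This file merely indirects to the real make file
+# that is shared by all the components of NT OS/2
+#
+!INCLUDE $(NTMAKEENV)\makefile.def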
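--- a/ZwQueryVirtualMemory/mybuild.bat
+++ b/ZwQueryVirtualMemory/mybuild.bat
@@ -0,0 +1,3 @@
+set WLHBASE=C:\WINDDK\6001.18002
+set WDF_ROOT=C:\WINDDK\6001.18002
+ddkbuild.cmd -WLHXP chk . -cZ -WDF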