//---------------------------------------------------------------------------
#include <vcl.h>
#pragma hdrstop
#include "Unit1.h"
//#include "SysUtils.hpp"
//#include "windows.h"
//---------------------------------------------------------------------------
#pragma package(smart_init)
#pragma resource "*.dfm"
// The single form instance; created by the VCL framework at start-up.
TForm1 *Form1;

// NTSTATUS / NT_SUCCESS normally come from ntdef.h or winternl.h, which this
// unit does not include. A native-API status is a signed 32-bit value and the
// macro treats every negative value as a failure.
typedef LONG NTSTATUS;
#define NT_SUCCESS(status) (((NTSTATUS)(status)) >= 0)
// Counted wide string handed to ntdll (filled in by RtlInitUnicodeString and
// referenced from OBJECT_ATTRIBUTES). The field order and widths must match
// the kernel's definition exactly, so do not reorder or pad this struct.
typedef struct _UNICODE_STRING
{
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
// InheritDisposition argument of ZwMapViewOfSection.
// Only ViewShare is used in this unit.
typedef enum _SECTION_INHERIT
{
    ViewShare = 1,
    ViewUnmap = 2
} SECTION_INHERIT, *PSECTION_INHERIT;
// Valid values for OBJECT_ATTRIBUTES.Attributes (a subset of the flags in
// ntdef.h; the numeric values must stay as they are).
#define OBJ_INHERIT          0x00000002L
#define OBJ_CASE_INSENSITIVE 0x00000040L   // the only flag this unit passes
#define OBJ_KERNEL_HANDLE    0x00000200L
// Object-manager attribute block passed to ZwOpenSection. Layout must match
// the kernel's definition; Length is set to sizeof(OBJECT_ATTRIBUTES) by
// InitializeObjectAttributes below and the two trailing pointers may be NULL.
typedef struct _OBJECT_ATTRIBUTES
{
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;         // SECURITY_DESCRIPTOR* or NULL
    PVOID SecurityQualityOfService;   // SECURITY_QUALITY_OF_SERVICE* or NULL
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
// Fills in every field of an OBJECT_ATTRIBUTES block (same parameter order as
// the SDK's InitializeObjectAttributes macro: name, flags, root directory,
// security descriptor). SecurityQualityOfService is always left NULL, so the
// structure is fully initialised before it reaches ntdll.
static VOID InitializeObjectAttributes(POBJECT_ATTRIBUTES InitializedAttributes,
                                       PUNICODE_STRING ObjectName,
                                       ULONG Attributes,
                                       HANDLE RootDirectory,
                                       PSECURITY_DESCRIPTOR SecurityDescriptor)
{
    OBJECT_ATTRIBUTES &oa = *InitializedAttributes;
    oa.Length = sizeof(OBJECT_ATTRIBUTES);
    oa.ObjectName = ObjectName;
    oa.Attributes = Attributes;
    oa.RootDirectory = RootDirectory;
    oa.SecurityDescriptor = SecurityDescriptor;
    oa.SecurityQualityOfService = NULL;
}
// Function-pointer types for the ntdll exports that InitPhysicalMemory
// resolves with GetProcAddress (their prototypes are not in the SDK headers
// this unit includes). All are stdcall (WINAPI), which matches NTAPI.
//
// DesiredAccess bits accepted by ZwOpenSection. They are defined in winnt.h,
// which is why SECTION_MAP_READ can be used below without a definition here;
// the list is kept for reference only:
//   SECTION_QUERY        0x0001
//   SECTION_MAP_WRITE    0x0002
//   SECTION_MAP_READ     0x0004
//   SECTION_MAP_EXECUTE  0x0008
//   SECTION_EXTEND_SIZE  0x0010
//   SECTION_ALL_ACCESS   STANDARD_RIGHTS_REQUIRED | all of the above
typedef NTSTATUS (WINAPI *ZwOpenSectionProc)(PHANDLE SectionHandle,
                                             DWORD DesiredAccess,
                                             POBJECT_ATTRIBUTES ObjectAttributes);

// NOTE(review): ZeroBits, CommitSize and ViewSize are declared ULONG/PULONG,
// which only matches the native prototype for a 32-bit process; a 64-bit
// build would need SIZE_T/PSIZE_T here — confirm the target before porting.
typedef NTSTATUS (WINAPI *ZwMapViewOfSectionProc)(HANDLE SectionHandle,
                                                  HANDLE ProcessHandle,
                                                  PVOID *BaseAddress,
                                                  ULONG ZeroBits,
                                                  ULONG CommitSize,
                                                  PLARGE_INTEGER SectionOffset,
                                                  PULONG ViewSize,
                                                  SECTION_INHERIT InheritDisposition,
                                                  ULONG AllocationType,
                                                  ULONG Protect);

typedef NTSTATUS (WINAPI *ZwUnmapViewOfSectionProc)(HANDLE ProcessHandle,
                                                    PVOID BaseAddress);

// Presumably makes DestinationString point at SourceString rather than copy
// it (which is why the WCHAR array must outlive the UNICODE_STRING) — verify.
typedef VOID (WINAPI *RtlInitUnicodeStringProc)(PUNICODE_STRING DestinationString,
                                                PCWSTR SourceString);
// File-scope state shared by InitPhysicalMemory / ReadPhysicalMemory /
// ExitPhysicalMemory. Static storage is zero-initialised anyway; the explicit
// NULLs only document the "not yet resolved" state.
static HMODULE hModule = NULL;          // ntdll.dll reference from LoadLibrary
static HANDLE hPhysicalMemory = NULL;   // read-only section handle, or NULL
static ZwOpenSectionProc ZwOpenSection = NULL;
static ZwMapViewOfSectionProc ZwMapViewOfSection = NULL;
static ZwUnmapViewOfSectionProc ZwUnmapViewOfSection = NULL;
static RtlInitUnicodeStringProc RtlInitUnicodeString = NULL;
//---------------------------------------------------------------------------
// Form constructor. Nothing is set up here on purpose: the native-API state
// lives in the file-scope statics and is acquired lazily by
// InitPhysicalMemory when the button is pressed.
__fastcall TForm1::TForm1(TComponent* Owner) : TForm(Owner)
{
}
//---------------------------------------------------------------------------
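void __fastcall TForm1::Button1Click(TObject *Sender)
{
    // Reads one 4 KiB page of physical memory at 0x000FE000 and dumps it into
    // ListBox1 through ReadPhysicalMemory. (That address lies in the legacy
    // BIOS ROM window on PC-compatible machines, presumably why it was chosen
    // — not verified here.)
    UCHAR buf[4096] = {0};
    const DWORD kPhysAddress = 0x000fe000;

    // The original ignored InitPhysicalMemory's result and went on to map
    // with a NULL (or stale) section handle. Only read when the section was
    // actually opened; InitPhysicalMemory already reports its own failure.
    if (InitPhysicalMemory())
    {
        ReadPhysicalMemory(buf, kPhysAddress, sizeof(buf));
    }

    // Always release the handle and the ntdll reference, even after a
    // partial initialisation (e.g. ntdll loaded but the open was refused).
    ExitPhysicalMemory();
}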
//---------------------------------------------------------------------------
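BOOL TForm1::InitPhysicalMemory()
{
    // Resolves the ntdll exports this unit needs and opens a read-only handle
    // to the \Device\PhysicalMemory section into hPhysicalMemory.
    //
    // Returns TRUE on success. On failure an "Erreur ..." line is appended to
    // ListBox1, FALSE is returned and hPhysicalMemory is NULL; hModule may
    // still hold the ntdll reference, which ExitPhysicalMemory releases.
    //
    // Security note: opening \Device\PhysicalMemory from user mode is only
    // granted to sufficiently privileged callers (historically administrators
    // on Windows 2000/XP) and, to this reviewer's recollection, is refused
    // outright from Server 2003 SP1 onward regardless of privilege — verify
    // for the target OS. A STATUS_ACCESS_DENIED here is therefore the
    // expected outcome on a hardened or modern system, not a bug in the code.

    // Never let a handle value from a previous run survive into this one:
    // a failure below must not leave ReadPhysicalMemory with a stale handle.
    hPhysicalMemory = NULL;

    hModule = LoadLibrary("ntdll.dll");
    if (hModule == NULL)
    {
        ListBox1->Items->Add("Erreur ntdll.dll");
        return FALSE;
    }

    ZwOpenSection = (ZwOpenSectionProc)GetProcAddress(hModule, "ZwOpenSection");
    if (ZwOpenSection == NULL)
    {
        ListBox1->Items->Add("Erreur ZwOpenSection");
        return FALSE;
    }
    ZwMapViewOfSection = (ZwMapViewOfSectionProc)GetProcAddress(hModule, "ZwMapViewOfSection");
    if (ZwMapViewOfSection == NULL)
    {
        ListBox1->Items->Add("Erreur ZwMapViewOfSection");
        return FALSE;
    }
    ZwUnmapViewOfSection = (ZwUnmapViewOfSectionProc)GetProcAddress(hModule, "ZwUnmapViewOfSection");
    if (ZwUnmapViewOfSection == NULL)
    {
        ListBox1->Items->Add("Erreur ZwUnmapViewOfSection");
        return FALSE;
    }
    RtlInitUnicodeString = (RtlInitUnicodeStringProc)GetProcAddress(hModule, "RtlInitUnicodeString");
    if (RtlInitUnicodeString == NULL)
    {
        ListBox1->Items->Add("Erreur RtlInitUnicodeString");
        return FALSE;
    }

    // Object-manager path of the physical-memory section. The literal in the
    // original listing had been mangled into an HTML anchor by the page it
    // was pasted from; this is the intended NT path. The array must stay in
    // scope for as long as PhysicalMemoryString refers to it (until the
    // ZwOpenSection call returns).
    WCHAR PhysicalMemoryName[] = L"\\Device\\PhysicalMemory";
    UNICODE_STRING PhysicalMemoryString;
    OBJECT_ATTRIBUTES attributes;
    RtlInitUnicodeString(&PhysicalMemoryString, PhysicalMemoryName);
    InitializeObjectAttributes(&attributes, &PhysicalMemoryString, OBJ_CASE_INSENSITIVE, NULL, NULL);

    // Read-only is all ReadPhysicalMemory needs (PAGE_READONLY view); asking
    // for more would only make the open fail sooner.
    // Debugger observation from the original author just before this call:
    // hPhysicalMemory == NULL; attributes = { Length 24, RootDirectory NULL,
    // ObjectName <stack ptr>, Attributes 64 (OBJ_CASE_INSENSITIVE),
    // SecurityDescriptor NULL, SecurityQualityOfService NULL } — i.e. the
    // parameters were well-formed.
    NTSTATUS status = ZwOpenSection(&hPhysicalMemory, SECTION_MAP_READ, &attributes);
    if (!NT_SUCCESS(status))
    {
        // The author recorded status -1073741790 here and labelled it
        // 0xC0000005 / STATUS_ACCESS_VIOLATION. That decimal value is in fact
        // 0xC0000022 = STATUS_ACCESS_DENIED: the caller was not permitted to
        // open the section (see the security note above). Whatever the
        // cause, do not leave a stale handle value behind.
        hPhysicalMemory = NULL;
        ListBox1->Items->Add("Erreur status: " + (String)status);
        return FALSE;
    }
    return TRUE;
}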
// terminate -- free
//---------------------------------------------------------------------------
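void TForm1::ExitPhysicalMemory()
{
    // Releases what InitPhysicalMemory acquired. Safe to call after a partial
    // or failed initialisation, and safe to call twice.
    //
    // Each global is reset to NULL after release. The original left the
    // closed handle value in hPhysicalMemory, so a later InitPhysicalMemory
    // that failed before ZwOpenSection would leave ReadPhysicalMemory mapping
    // through — and a second ExitPhysicalMemory closing — a handle value the
    // OS may meanwhile have recycled for an unrelated object.
    if (hPhysicalMemory != NULL)
    {
        CloseHandle(hPhysicalMemory);
        hPhysicalMemory = NULL;
    }

    // The resolved entry points were obtained against our LoadLibrary
    // reference, so forget them before that reference is dropped.
    ZwOpenSection = NULL;
    ZwMapViewOfSection = NULL;
    ZwUnmapViewOfSection = NULL;
    RtlInitUnicodeString = NULL;

    if (hModule != NULL)
    {
        FreeLibrary(hModule);
        hModule = NULL;
    }
}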
//---------------------------------------------------------------------------
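BOOL TForm1::ReadPhysicalMemory(PVOID buffer, DWORD address, DWORD length)
{
    // Maps `length` bytes of the physical-memory section starting at offset
    // `address` read-only into this process, copies them into `buffer`
    // (which must hold at least `length` bytes), appends one "c: XX" line
    // per byte (hex) plus a "-" terminator to ListBox1, and unmaps the view.
    // Returns TRUE only if the view was mapped, large enough, and unmapped
    // cleanly. Requires a successful InitPhysicalMemory beforehand.
    //
    // Fixes relative to the original:
    //  * it copied `length` bytes into a fixed 4096-byte stack array
    //    (overflow for length > 4096) and then always printed 4096 entries
    //    (reading uninitialised stack for length < 4096);
    //  * `"c: " + byte` was pointer arithmetic on a string literal, not
    //    concatenation, so each Add() received a pointer past the literal;
    //  * it did not guard against a NULL/stale section handle, did not check
    //    the size of the view it was about to read from, and compared the
    //    NTSTATUS with `status != 0` / `status >= 0` instead of NT_SUCCESS.
    if (hPhysicalMemory == NULL || buffer == NULL || length == 0)
    {
        return FALSE;
    }

    PVOID vaddress = NULL;
    DWORD viewSize = length;          // in: requested; out: size actually mapped
    LARGE_INTEGER base;
    base.QuadPart = (ULONGLONG)address;

    NTSTATUS status = ZwMapViewOfSection(
        hPhysicalMemory,
        (HANDLE)-1,                   // pseudo-handle for the current process
        &vaddress,
        0,                            // ZeroBits
        length,                       // CommitSize
        &base,
        &viewSize,
        ViewShare,
        0,                            // AllocationType
        PAGE_READONLY);
    if (!NT_SUCCESS(status))
    {
        return FALSE;
    }

    // NOTE(review): the kernel may adjust SectionOffset and ViewSize to its
    // alignment granularity (both are in/out parameters). This code assumes
    // the view begins exactly at `address`; compare base.QuadPart with the
    // requested offset before trusting the dump on a new platform.
    BOOL ok = FALSE;
    if (viewSize >= length)
    {
        memmove(buffer, vaddress, length);

        // Dump each byte as two hex digits; hand-rolled so no extra VCL/RTL
        // formatting helpers are needed.
        static const char kHexDigits[] = "0123456789ABCDEF";
        const unsigned char *bytes = static_cast<const unsigned char *>(buffer);
        ListBox1->Items->BeginUpdate();   // avoid repainting per line
        for (DWORD j = 0; j < length; j++)
        {
            const unsigned char b = bytes[j];
            char hex[3];
            hex[0] = kHexDigits[b >> 4];
            hex[1] = kHexDigits[b & 0x0F];
            hex[2] = '\0';
            ListBox1->Items->Add(String("c: ") + String(hex));
        }
        ListBox1->Items->Add("-");
        ListBox1->Items->EndUpdate();
        ok = TRUE;
    }

    // Unmap unconditionally so a too-small view does not leak the mapping.
    status = ZwUnmapViewOfSection((HANDLE)-1, vaddress);
    return ok && NT_SUCCESS(status);
}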
//---------------------------------------------------------------------------