当前位置:网站首页>APC(三)

APC(三)

2022-04-22 06:19:00 Misaka10046

内核APC插入

VOID KeInitializeApc (
    __out PRKAPC Apc,   //输出APC
    __in PRKTHREAD Thread,  //要插入的线程
    __in KAPC_ENVIRONMENT Environment,   //APC的线程环境
    __in PKKERNEL_ROUTINE KernelRoutine,   //内核函数
    __in_opt PKRUNDOWN_ROUTINE RundownRoutine,  //特殊函数
    __in_opt PKNORMAL_ROUTINE NormalRoutine,  //一般函数
    __in_opt KPROCESSOR_MODE ApcMode,  //用户APC还是内核APC
    __in_opt PVOID NormalContext  //传的参数
    )  //初始化APC

typedef enum _KAPC_ENVIRONMENT {
    
    OriginalApcEnvironment, //原始进程环境
    AttachedApcEnvironment,  //插入后的进程环境
    CurrentApcEnvironment,
    InsertApcEnvironment
} KAPC_ENVIRONMENT;

#include<ntifs.h>

typedef enum _KAPC_ENVIRONMENT {
    
	OriginalApcEnvironment,
	AttachedApcEnvironment,
	CurrentApcEnvironment,
	InsertApcEnvironment
} KAPC_ENVIRONMENT;

typedef VOID(*PKNORMAL_ROUTINE) (
	IN PVOID NormalContext,
	IN PVOID SystemArgument1,
	IN PVOID SystemArgument2
	);

typedef VOID(*PKKERNEL_ROUTINE) (
	IN struct _KAPC* Apc,
	IN OUT PKNORMAL_ROUTINE* NormalRoutine,
	IN OUT PVOID* NormalContext,
	IN OUT PVOID* SystemArgument1,
	IN OUT PVOID* SystemArgument2
	);

typedef VOID(*PKRUNDOWN_ROUTINE) (
	IN struct _KAPC* Apc
	);

VOID KeInitializeApc(
	__out PRKAPC Apc,
	__in PRKTHREAD Thread,
	__in KAPC_ENVIRONMENT Environment,
	__in PKKERNEL_ROUTINE KernelRoutine,
	__in_opt PKRUNDOWN_ROUTINE RundownRoutine,
	__in_opt PKNORMAL_ROUTINE NormalRoutine,
	__in_opt KPROCESSOR_MODE ApcMode,
	__in_opt PVOID NormalContext
);

BOOLEAN KeInsertQueueApc(
	__inout PRKAPC Apc,
	__in_opt PVOID SystemArgument1,
	__in_opt PVOID SystemArgument2,
	__in KPRIORITY Increment
);   //未文档化手动导入

VOID kernelRoutineFunc(
	IN struct _KAPC* Apc, IN OUT PKNORMAL_ROUTINE* NormalRoutine, IN OUT PVOID* NormalContext, IN OUT PVOID* SystemArgument1, IN OUT PVOID* SystemArgument2
)
{
    
	DbgPrintEx(77, 0, "kernelRoutineFunc\r\n");
	ExFreePool(Apc);//释放APC
}

VOID DriverUnload(PDRIVER_OBJECT pDriver) {
    
	DbgPrintEx(77, 0, "Exit");
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg) {
    
	PKAPC pApc = ExAllocatePool(NonPagedPool, sizeof(KAPC));
	memset(pApc, 0, sizeof(KAPC));

	KeInitializeApc(pApc, //APC的值
					KeGetCurrentThread(), //当前线程
					OriginalApcEnvironment,//环境
					kernelRoutineFunc, //kernel函数 插入就立即调用
					NULL, 
					NULL, //特殊函数和一般函数都不是必须的
					KernelMode, //内核APC
					NULL);
					//初始化APC

	KeInsertQueueApc(pApc, NULL, NULL, 0);//当前线程插入APC
	DbgPrintEx(77, 0, "-----------------------\r\n");
	pDriver->DriverUnload = DriverUnload;
	return STATUS_SUCCESS;
}

在这里插入图片描述

插入其他线程

#include<ntifs.h>

typedef enum _KAPC_ENVIRONMENT {
    
	OriginalApcEnvironment,
	AttachedApcEnvironment,
	CurrentApcEnvironment,
	InsertApcEnvironment
} KAPC_ENVIRONMENT;

typedef VOID(*PKNORMAL_ROUTINE) (
	IN PVOID NormalContext,
	IN PVOID SystemArgument1,
	IN PVOID SystemArgument2
	);

typedef VOID(*PKKERNEL_ROUTINE) (
	IN struct _KAPC* Apc,
	IN OUT PKNORMAL_ROUTINE* NormalRoutine,
	IN OUT PVOID* NormalContext,
	IN OUT PVOID* SystemArgument1,
	IN OUT PVOID* SystemArgument2
	);

typedef VOID(*PKRUNDOWN_ROUTINE) (
	IN struct _KAPC* Apc
	);

VOID KeInitializeApc(
	__out PRKAPC Apc,
	__in PRKTHREAD Thread,
	__in KAPC_ENVIRONMENT Environment,
	__in PKKERNEL_ROUTINE KernelRoutine,
	__in_opt PKRUNDOWN_ROUTINE RundownRoutine,
	__in_opt PKNORMAL_ROUTINE NormalRoutine,
	__in_opt KPROCESSOR_MODE ApcMode,
	__in_opt PVOID NormalContext
);

BOOLEAN KeInsertQueueApc(
	__inout PRKAPC Apc,
	__in_opt PVOID SystemArgument1,
	__in_opt PVOID SystemArgument2,
	__in KPRIORITY Increment
);

VOID kernelRoutineFunc(
	IN struct _KAPC* Apc, IN OUT PKNORMAL_ROUTINE* NormalRoutine, IN OUT PVOID* NormalContext, IN OUT PVOID* SystemArgument1, IN OUT PVOID* SystemArgument2
)
{
    
	DbgPrintEx(77, 0, "kernelRoutineFunc\r\n");
	ExFreePool(Apc);
}

VOID NormalRoutineFunc(
	IN PVOID NormalContext, IN PVOID SystemArgument1, IN PVOID SystemArgument2
)
{
    
	DbgPrintEx(77, 0, "NormalRoutineFunc\r\n");
}


VOID DriverUnload(PDRIVER_OBJECT pDriver) {
    

}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg) {
    
	PKAPC pApc = ExAllocatePool(NonPagedPool, sizeof(KAPC));
	memset(pApc, 0, sizeof(KAPC));

	PETHREAD eThread = NULL;
	PsLookupThreadByThreadId(852, &eThread);//传入线程ID获取其结构体指针

	DbgPrintEx(77, 0, "---------main pid = %d--------------\r\n", PsGetCurrentProcessId());//当前线程的进程ID

	KeInitializeApc(pApc, eThread, OriginalApcEnvironment,/*最后还是要返回当前线程所以还是这个值*/
		kernelRoutineFunc, NULL, NormalRoutineFunc/*一般函数表*/, KernelMode, NULL);
	KeInsertQueueApc(pApc, NULL, NULL, 0);

	DbgPrintEx(77, 0, "-----------------------\r\n");
	pDriver->DriverUnload = DriverUnload;
	return STATUS_SUCCESS;
}

在这里插入图片描述

版权声明
本文为[Misaka10046]所创,转载请带上原文链接,感谢
https://blog.csdn.net/Misaka10046/article/details/121643352

边栏推荐

猜你喜欢

随机推荐