一直想写一个很完善的CNtdll类,只要初始化了CNtdll的实例对象之后,就能使用Ntdll.dll里的API了.
所以花了一整个晚上,翻出以前写过的CNtdll类,重新写了一遍,虽然只实现了Ntdll.dll里的20个常用的NtAPI,但是已经尽量确保自己写的类是非常完善的.
如果这20个常用的NtAPI还是不足以满足需求的话,可以自行按照已经写好的模版添加自己需要的NtAPI.
//编写和测试环境: Microsoft Visual Studio 2015 Enterprise RC / Microsoft Windows 7 Ultimate x86 (注意: 只在 32 位环境下测试过. CLIENT_ID 的两个成员以及 NtRead/Write/ProtectVirtualMemory 的长度参数在内核里是指针大小的 (HANDLE / SIZE_T), 直接编译成 x64 前需要相应调整.)
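/*/////////////////////////////////////////////////////////////////////////////////////////////////////////
FileName:     CNtdll.h
NeedOther:    "CNtdll.cpp"
BasedOn:      <stdio.h> <Windows.h>
Author:       [email protected]
LastCodeDate: 20150707
Description:  Reference the undeclared native API in Ntdll.dll

Before using the undeclared native API, include "CNtdll.h" and "CNtdll.cpp" and construct a CNtdll
instance. To ensure safety, the program must call CNtdll::isInit() and confirm that initialisation
succeeded before calling any of the Nt* / Rtl* function pointers declared below: until then (and
after a failed load) they are NULL.

Notes for users of this header:
  * The function-pointer globals (NtClose, NtOpenProcess, ...) carry the same names that
    <winternl.h> declares as real functions. Do not include <winternl.h> in the same translation
    unit, or the declarations will conflict.
  * The original structures/prototypes were written and tested on 32-bit Windows 7. Pointer-sized
    fields are now spelled with ULONG_PTR / SIZE_T so they stay correct for an x64 build; on x86
    these are the same width as the DWORD / ULONG used before, so existing callers are unaffected.
  * These are undocumented entry points: availability and semantics may change between Windows
    versions. Always check isInit() and test the returned NTSTATUS with NT_SUCCESS().
/////////////////////////////////////////////////////////////////////////////////////////////////////////*/

#pragma once

#ifndef CNTDLL_H
#define CNTDLL_H

#include <cstdio>
#include <windows.h>

// NTSTATUS is a signed 32-bit value: < 0 is an error, >= 0 is success or informational.
typedef LONG NTSTATUS;

#ifndef STATUS_SUCCESS
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#endif // STATUS_SUCCESS

// Standard success test for NTSTATUS values, provided here because <ntstatus.h>/<winternl.h>
// cannot be included alongside this header.
#ifndef NT_SUCCESS
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#endif // NT_SUCCESS

///////////////////////////////////////////////////////////////

typedef struct _CLIENT_ID
{
    // The kernel defines both members as HANDLE (pointer-sized) even though they carry plain
    // process / thread IDs. ULONG_PTR keeps the correct width on x64 while still accepting a
    // DWORD id (e.g. PROCESS_INFORMATION::dwProcessId) without a cast.
    ULONG_PTR UniqueProcess;
    ULONG_PTR UniqueThread;
} CLIENT_ID, *PCLIENT_ID;

typedef struct _OBJECT_ATTRIBUTES
{
    ULONG  Length;                    // must be set to sizeof(OBJECT_ATTRIBUTES) by the caller
    HANDLE RootDirectory;
    PVOID  ObjectName;                // PUNICODE_STRING in the real definition; NULL when opening by CLIENT_ID
    ULONG  Attributes;                // OBJ_* flags
    PVOID  SecurityDescriptor;
    PVOID  SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

///////////////////////////////////////////////////////////////

typedef NTSTATUS (NTAPI *pNtAssignProcessToJobObject)
(
    IN HANDLE JobHandle,
    IN HANDLE ProcessHandle
);

typedef NTSTATUS (NTAPI *pNtClose)
(
    IN HANDLE Handle
);

typedef NTSTATUS (NTAPI *pNtCreateDebugObject)
(
    OUT PHANDLE DebugObject,
    IN ACCESS_MASK AccessRequired,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN ULONG Flags                    // bit 0: kill the debuggee when the object is closed (was BOOLEAN; TRUE/FALSE still work)
);

typedef NTSTATUS (NTAPI *pNtCreateJobObject)
(
    OUT PHANDLE JobHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes
);

typedef NTSTATUS (NTAPI *pNtDebugActiveProcess)
(
    IN HANDLE Process,
    IN HANDLE DebugObject
);

typedef NTSTATUS (NTAPI *pNtDuplicateObject)
(
    IN HANDLE SourceProcessHandle,
    IN HANDLE SourceHandle,
    IN HANDLE TargetProcessHandle,
    OUT PHANDLE TargetHandle OPTIONAL,
    IN ACCESS_MASK DesiredAccess,
    IN ULONG Attributes,
    IN ULONG Options
);

typedef NTSTATUS (NTAPI *pNtOpenProcess)
(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,     // request only the rights you will use (e.g. PROCESS_TERMINATE)
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId OPTIONAL
);

typedef NTSTATUS (NTAPI *pNtOpenThread)
(
    OUT PHANDLE ThreadHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId
);

// Size arguments of the memory APIs are SIZE_T in the kernel (ULONG on x86, 64-bit on x64).
typedef NTSTATUS (NTAPI *pNtProtectVirtualMemory)
(
    IN HANDLE ProcessHandle,
    IN OUT PVOID *BaseAddress,
    IN OUT PSIZE_T ProtectSize,
    IN ULONG NewProtect,
    OUT PULONG OldProtect
);

typedef NTSTATUS (NTAPI *pNtReadVirtualMemory)
(
    IN HANDLE ProcessHandle,
    IN PVOID BaseAddress,
    OUT PVOID Buffer,
    IN SIZE_T BufferLength,
    OUT PSIZE_T ReturnLength OPTIONAL
);

typedef NTSTATUS (NTAPI *pNtResumeProcess)
(
    IN HANDLE ProcessHandle
);

typedef NTSTATUS (NTAPI *pNtResumeThread)
(
    IN HANDLE ThreadHandle,
    OUT PULONG PreviousSuspendCount OPTIONAL
);

typedef NTSTATUS (NTAPI *pNtSuspendProcess)
(
    IN HANDLE ProcessHandle
);

typedef NTSTATUS (NTAPI *pNtSuspendThread)
(
    IN HANDLE ThreadHandle,
    OUT PULONG PreviousSuspendCount OPTIONAL
);

typedef NTSTATUS (NTAPI *pNtTerminateJobObject)
(
    IN HANDLE JobHandle,
    IN NTSTATUS ExitStatus
);

typedef NTSTATUS (NTAPI *pNtTerminateProcess)
(
    IN HANDLE ProcessHandle OPTIONAL, // NULL terminates the calling process
    IN ULONG ExitStatus
);

typedef NTSTATUS (NTAPI *pNtTerminateThread)
(
    IN HANDLE ThreadHandle OPTIONAL,  // NULL terminates the calling thread
    IN NTSTATUS ExitStatus
);

typedef NTSTATUS (NTAPI *pNtUnmapViewOfSection)
(
    IN HANDLE ProcessHandle,
    IN PVOID BaseAddress
);

typedef NTSTATUS (NTAPI *pNtWriteVirtualMemory)
(
    IN HANDLE ProcessHandle,
    IN PVOID BaseAddress,
    IN PVOID Buffer,
    IN SIZE_T BufferLength,
    OUT PSIZE_T ReturnLength OPTIONAL
);

typedef NTSTATUS (NTAPI *pRtlAdjustPrivilege)
(
    IN ULONG Privilege,               // privilege LUID value, not a name
    IN BOOLEAN Enable,
    IN BOOLEAN CurrentThread,
    OUT PBOOLEAN Enabled
);

///////////////////////////////////////////////////////////////

// Process-global function pointers, defined in CNtdll.cpp and filled in by CNtdll::Init().
// They are NULL until a CNtdll instance has been initialised successfully.
extern pNtAssignProcessToJobObject NtAssignProcessToJobObject;
extern pNtClose NtClose;
extern pNtCreateDebugObject NtCreateDebugObject;
extern pNtCreateJobObject NtCreateJobObject;
extern pNtDebugActiveProcess NtDebugActiveProcess;
extern pNtDuplicateObject NtDuplicateObject;
extern pNtOpenProcess NtOpenProcess;
extern pNtOpenThread NtOpenThread;
extern pNtProtectVirtualMemory NtProtectVirtualMemory;
extern pNtReadVirtualMemory NtReadVirtualMemory;
extern pNtResumeProcess NtResumeProcess;
extern pNtResumeThread NtResumeThread;
extern pNtSuspendProcess NtSuspendProcess;
extern pNtSuspendThread NtSuspendThread;
extern pNtTerminateJobObject NtTerminateJobObject;
extern pNtTerminateProcess NtTerminateProcess;
extern pNtTerminateThread NtTerminateThread;
extern pNtUnmapViewOfSection NtUnmapViewOfSection;
extern pNtWriteVirtualMemory NtWriteVirtualMemory;
extern pRtlAdjustPrivilege RtlAdjustPrivilege;

///////////////////////////////////////////////////////////////

// Loads Ntdll.dll (or the module named by the caller) and resolves the function pointers above.
// Construct one instance, check isInit(), and keep it alive for as long as the pointers are used.
class CNtdll
{
private:
    // Default-initialised here so that a constructor that bails out before Init() still leaves
    // the object in a well-defined "not initialised" state instead of holding garbage.
    bool    status  = false;   // true only after every function pointer was resolved
    HMODULE hModule = NULL;    // module reference owned by this instance; released in the destructor

    void Init(LPCSTR lpNtdllFileName);

    // The instance owns a module reference; copying it would release that reference twice.
    CNtdll(const CNtdll&) = delete;
    CNtdll& operator=(const CNtdll&) = delete;

public:
    // Loads "<system directory>\Ntdll.dll" using a full path (no DLL search-order lookup).
    CNtdll();
    // Loads the module at the given path. Pass a full path: a bare file name goes through the
    // normal DLL search order.
    explicit CNtdll(LPCSTR lpNtdllFileName);
    ~CNtdll();

    // true when the module was loaded and all 20 entry points were resolved.
    bool isInit();
};

#endif // CNTDLL_H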
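/*/////////////////////////////////////////////////////////////////////////////////////////////////////////
FileName:     CNtdll.cpp
NeedOther:    "CNtdll.h"
BasedOn:      <stdio.h> <Windows.h>
Author:       [email protected]
LastCodeDate: 20150707
Description:  Reference the undeclared native API in Ntdll.dll

Before using the undeclared native API, include "CNtdll.h" and "CNtdll.cpp" and construct a CNtdll
instance. To ensure safety, the program must call CNtdll::isInit() and confirm that initialisation
succeeded before calling any of the resolved function pointers.
/////////////////////////////////////////////////////////////////////////////////////////////////////////*/

#include "CNtdll.h"

#include <cstring>

// Process-global function pointers declared in CNtdll.h. NULL until Init() succeeds.
pNtAssignProcessToJobObject NtAssignProcessToJobObject;
pNtClose NtClose;
pNtCreateDebugObject NtCreateDebugObject;
pNtCreateJobObject NtCreateJobObject;
pNtDebugActiveProcess NtDebugActiveProcess;
pNtDuplicateObject NtDuplicateObject;
pNtOpenProcess NtOpenProcess;
pNtOpenThread NtOpenThread;
pNtProtectVirtualMemory NtProtectVirtualMemory;
pNtReadVirtualMemory NtReadVirtualMemory;
pNtResumeProcess NtResumeProcess;
pNtResumeThread NtResumeThread;
pNtSuspendProcess NtSuspendProcess;
pNtSuspendThread NtSuspendThread;
pNtTerminateJobObject NtTerminateJobObject;
pNtTerminateProcess NtTerminateProcess;
pNtTerminateThread NtTerminateThread;
pNtUnmapViewOfSection NtUnmapViewOfSection;
pNtWriteVirtualMemory NtWriteVirtualMemory;
pRtlAdjustPrivilege RtlAdjustPrivilege;

namespace
{
    // Reset every exported function pointer. Used when a load attempt fails, so that a caller who
    // ignores isInit() dereferences NULL instead of a partially-resolved, possibly freed address.
    void ClearNativeApiPointers()
    {
        NtAssignProcessToJobObject = NULL;
        NtClose = NULL;
        NtCreateDebugObject = NULL;
        NtCreateJobObject = NULL;
        NtDebugActiveProcess = NULL;
        NtDuplicateObject = NULL;
        NtOpenProcess = NULL;
        NtOpenThread = NULL;
        NtProtectVirtualMemory = NULL;
        NtReadVirtualMemory = NULL;
        NtResumeProcess = NULL;
        NtResumeThread = NULL;
        NtSuspendProcess = NULL;
        NtSuspendThread = NULL;
        NtTerminateJobObject = NULL;
        NtTerminateProcess = NULL;
        NtTerminateThread = NULL;
        NtUnmapViewOfSection = NULL;
        NtWriteVirtualMemory = NULL;
        RtlAdjustPrivilege = NULL;
    }
}

// Default constructor: load "<system directory>\Ntdll.dll".
// The full path is built on purpose so the loader never consults the DLL search order
// (application directory, current directory, PATH, ...) for a name as sensitive as ntdll.dll.
CNtdll::CNtdll()
    : status(false), hModule(NULL)
{
    char cNtdllFileName[MAX_PATH] = "";
    const UINT rSize = GetSystemDirectoryA(cNtdllFileName, MAX_PATH);

    // 0 = failure; >= MAX_PATH = the buffer was too small and rSize is the required size.
    if (rSize == 0 || rSize >= MAX_PATH)
        return;

    // Make sure the suffix (and its terminating NUL) still fits before appending; the original
    // strcat() had no such check and could overflow cNtdllFileName on a long system directory.
    static const char kSuffix[] = "\\Ntdll.dll";
    if (rSize + sizeof(kSuffix) > MAX_PATH)
        return;

    strcat(cNtdllFileName, kSuffix);

    Init(cNtdllFileName);
}

// Explicit-path constructor. Prefer a full path; a bare name is subject to the DLL search order.
CNtdll::CNtdll(LPCSTR lpNtdllFileName)
    : status(false), hModule(NULL)
{
    Init(lpNtdllFileName);
}

CNtdll::~CNtdll()
{
    // hModule is non-NULL only when Init() obtained it from LoadLibraryA, so this FreeLibrary
    // balances exactly one reference. (Windows never actually unloads ntdll.dll itself.)
    if (status && hModule != NULL)
        FreeLibrary(hModule);

    hModule = NULL;
    status = false;

    // The process-global function pointers are intentionally left untouched: another CNtdll
    // instance may still be using them. Do not call them after the last instance is destroyed.
}

// Load the module and resolve all entry points. On any failure the object stays "not
// initialised", the function pointers are NULL, and no module reference is leaked.
void CNtdll::Init(LPCSTR lpNtdllFileName)
{
    status = false;
    hModule = NULL;

    // Reject NULL / empty / over-long names up front (strlen(NULL) would fault).
    if (lpNtdllFileName == NULL || lpNtdllFileName[0] == '\0' || strlen(lpNtdllFileName) >= MAX_PATH)
        return;

    // Always go through LoadLibraryA, even when the module is already mapped: it returns the same
    // HMODULE with the reference count incremented, so the FreeLibrary in the destructor and in
    // the failure path below is always balanced. The original GetModuleHandleA fast path handed
    // out a reference this object did not own and then released it anyway.
    hModule = LoadLibraryA(lpNtdllFileName);
    if (hModule == NULL)
        return;

    // Resolve each export by its own identifier so the name string can never drift from the
    // pointer it is stored in.
    bool allResolved = true;
#define CNTDLL_RESOLVE(Name)                                                       \
    Name = reinterpret_cast<p##Name>(GetProcAddress(hModule, #Name));              \
    if (Name == NULL)                                                              \
        allResolved = false

    CNTDLL_RESOLVE(NtAssignProcessToJobObject);
    CNTDLL_RESOLVE(NtClose);
    CNTDLL_RESOLVE(NtCreateDebugObject);
    CNTDLL_RESOLVE(NtCreateJobObject);
    CNTDLL_RESOLVE(NtDebugActiveProcess);
    CNTDLL_RESOLVE(NtDuplicateObject);
    CNTDLL_RESOLVE(NtOpenProcess);
    CNTDLL_RESOLVE(NtOpenThread);
    CNTDLL_RESOLVE(NtProtectVirtualMemory);
    CNTDLL_RESOLVE(NtReadVirtualMemory);
    CNTDLL_RESOLVE(NtResumeProcess);
    CNTDLL_RESOLVE(NtResumeThread);
    CNTDLL_RESOLVE(NtSuspendProcess);
    CNTDLL_RESOLVE(NtSuspendThread);
    CNTDLL_RESOLVE(NtTerminateJobObject);
    CNTDLL_RESOLVE(NtTerminateProcess);
    CNTDLL_RESOLVE(NtTerminateThread);
    CNTDLL_RESOLVE(NtUnmapViewOfSection);
    CNTDLL_RESOLVE(NtWriteVirtualMemory);
    CNTDLL_RESOLVE(RtlAdjustPrivilege);
#undef CNTDLL_RESOLVE

    if (!allResolved)
    {
        // Leave nothing pointing into a module we are about to release.
        ClearNativeApiPointers();
        FreeLibrary(hModule);
        hModule = NULL;
        return;
    }

    status = true;
}

// true when the module was loaded and every entry point was resolved.
bool CNtdll::isInit()
{
    return status;
}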
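#include <cstdio>
#include <cstdlib>
#include <windows.h>

#include "CNtdll.h"

// NT_SUCCESS normally comes from <ntstatus.h>/<winternl.h>, which cannot be included next to CNtdll.h.
#ifndef NT_SUCCESS
#define NT_SUCCESS(Status) (((NTSTATUS)(Status)) >= 0)
#endif

// One process-wide loader instance; its isInit() must be checked before any Nt* call below.
CNtdll ntdll;

// Demo: start Notepad, then open it by PID through NtOpenProcess and terminate it through
// NtTerminateProcess. Every call's result is checked; a failed step is reported, not ignored.
int main()
{
    printf("Ntdll.dll Load %s...\n", ntdll.isInit() ? "Succeeds" : "Fails");

    if (ntdll.isInit())
    {
        system("echo Press any key to create Notepad.exe... && pause > nul");

        // CreateProcessA's lpCommandLine is a writable LPSTR, so use an array, not a literal.
        char cmdLine[] = "C:\\Windows\\Notepad.exe";
        STARTUPINFOA si = {};
        si.cb = sizeof(si);
        PROCESS_INFORMATION pi = {};

        if (!CreateProcessA(NULL, cmdLine, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
        {
            // The original ignored this failure and went on to open PID 0 with an uninitialised
            // handle, then terminated whatever that handle happened to be.
            printf("CreateProcess fails (error %lu)\n", GetLastError());
        }
        else
        {
            // The thread handle is not needed. The process handle is kept open until after the
            // terminate call: as long as one handle is open the PID cannot be recycled, so the
            // PID-based NtOpenProcess below cannot hit an unrelated process.
            CloseHandle(pi.hThread);

            system("echo Press any key to shutdown Notepad.exe... && pause > nul");

            HANDLE ProcessHandle = NULL;
            OBJECT_ATTRIBUTES oa = {};
            oa.Length = sizeof(oa);
            CLIENT_ID cid = {};
            cid.UniqueProcess = pi.dwProcessId;

            // Ask only for the right actually used (least privilege), not PROCESS_ALL_ACCESS.
            NTSTATUS st = NtOpenProcess(&ProcessHandle, PROCESS_TERMINATE, &oa, &cid);
            if (!NT_SUCCESS(st))
            {
                printf("NtOpenProcess fails (status 0x%08lX)\n", (unsigned long)st);
            }
            else
            {
                st = NtTerminateProcess(ProcessHandle, 0);
                if (!NT_SUCCESS(st))
                    printf("NtTerminateProcess fails (status 0x%08lX)\n", (unsigned long)st);
                NtClose(ProcessHandle);
            }

            CloseHandle(pi.hProcess);
        }
    }

    system("echo Press any key to continue... && pause > nul");
    return 0;
}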