
delphi将任意函数执行权限提高到Ring0源代码

作者:佚名  来源:转载  发布时间:2010-11-10 00:01:02

传说中的 Delphi 将任意函数执行权限提高到 Ring0 的源代码。转载供参考,请自行慎重测试;部分地方代码字符有误。下面的单元依赖内核驱动 WINRING.sys(驱动本身不在下面的代码中),并通过服务控制管理器创建和启动驱动服务,因此需要管理员权限。

// 随意将函数执行权限提高到Ring0源代码
// Windows 2K以上的操作系统,
// 用途: 提供超级简单使用的API:ProcessRing0(),
// 可将delphi中的任意函数由原来的Ring3权限提升到系统的最高级别Ring 0,
// 这样我们就可以随意对系统的I/O进行操作了。
// ===================WinRing.pas===========================
unit WinRing;

interface

uses Windows, WinSvc, Dialogs, Forms;

Type
  // Buffer exchanged with the WINRING driver: _WinRing and ProcessRing0 pass
  // the global Ring variable of this type as both the input and the output
  // buffer of DeviceIoControl. How the driver interprets the fields is not
  // visible in this unit.
  TRingData = Record
    // Set by ProcessRing0 to the address of its ADJRing0 label.
    AdjRing0Entry: ULONG;
    // Register snapshot written by SaveAllReg, in the order
    // eax, ebx, ecx, edx, esi, edi, ebp (byte offsets 0 to 24).
    RegData: array [0 .. 6] of ULONG;
  end;

  // Signature of the routine handed to ProcessRing0: no parameters, stdcall.
  TRing0Proc = Procedure; StdCall;

// Installs/starts the WINRING driver service and opens its device (skipped when
// the reported OS major version is 4); on failure it shows a message, calls
// CloseDriver and requests application termination.
procedure OpenWinRing;
// Closes the device handle, then stops and deletes the driver service.
function CloseDriver: boolean;
// Hands the address of an internal label that calls Ring0Proc to the driver
// through an IOCTL; details are documented on the implementation.
procedure ProcessRing0(Ring0Proc: TRing0Proc); StdCall;

const
  // Used both as the service name and as the device name ('\\.\' + DRIVER).
  DRIVER = 'WINRING';

implementation

var
  // Handle to the '\\.\WINRING' device; assigned in OpenDriver, closed in CloseDriver.
  DriverHandle: THandle;
  // Shared request buffer passed to the driver by _WinRing and ProcessRing0.
  Ring: TRingData;
  // Receives the byte count from DeviceIoControl in _WinRing.
  // NOTE(review): declared Word, while the Windows unit declares that
  // parameter as a DWORD - verify; this may be one of the character errors
  // the page itself mentions.
  RetByte: Word;
  // Low byte of GetVersion (the OS major version), set in OpenWinRing.
  OSVersion: byte;

{ Returns the I/O control code sent to the WINRING device.

  The value is assembled as (device type shl 16) or (function shl 2). With the
  standard Windows IOCTL layout this leaves the access field (bits 14-15) and
  the method field (bits 0-1) at zero, i.e. no read/write access is demanded
  on the handle for this request and the buffered transfer method is used.
  NOTE(review): because the code itself asks for no access check, who may
  issue it depends entirely on who can open the device - confirm against the
  driver, which is not part of this unit. }
Function WINRING_Access: Cardinal;
const
  DeviceTypeField = $22;
  FunctionField = $999;
Begin
  Result := (DeviceTypeField shl 16) or (FunctionField shl 2);
End;

{ Sends the global Ring buffer to the driver with the WINRING_Access control
  code. The same buffer is used for input and output, so whatever the driver
  writes back overwrites Ring. The result of DeviceIoControl is not checked. }
Procedure _WinRing;
var
  IoCode: Cardinal;
  BufLen: Cardinal;
Begin
  IoCode := WINRING_Access;
  BufLen := sizeof(Ring);
  DeviceIoControl(DriverHandle, IoCode, @Ring, BufLen, @Ring, BufLen, RetByte,
    Nil);
End;

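{ Ensures a kernel-driver service named DRIVER exists and asks the Service
  Control Manager to start it.

  Returns True when the service was started or was already running, False
  when the SCM could not be opened, the service could not be opened/created,
  or the start request failed.

  Changes against the original listing:
    - the SCM handle is now released on every path (it leaked whenever the
      service could not be opened or created);
    - the argument passed to StartService is a nil PChar, which is what the
      var parameter expects (the listing assigned '' to a Char);
    - the outcome of StartService is checked instead of reporting success
      unconditionally;
    - only the rights actually used are requested (create on the SCM, start
      on the service) instead of *_ALL_ACCESS.

  NOTE(review): the binary path '.\WINRING.sys' is relative, so which file
  ends up being loaded into the kernel depends on how that path is resolved
  at service start - an absolute path to a verified, signed driver would
  remove the ambiguity. Left unchanged here because the intended install
  location is not visible on this page.

  For defenders: this routine registers a demand-start kernel-driver service
  called WINRING; service installation is recorded by the Service Control
  Manager (System log, event 7045), which makes the install observable. }
function BuildDriverService: boolean;
var
  scHandle, srvHandle: SC_Handle;
  StartArgs: PChar;
begin
  Result := False;
  scHandle := OpenSCManager(Nil, Nil,
    SC_MANAGER_CONNECT or SC_MANAGER_CREATE_SERVICE);
  if (scHandle = 0) then
    Exit;
  try
    // Reuse an existing registration; create one only when it is missing.
    srvHandle := OpenService(scHandle, DRIVER, SERVICE_START);
    if (srvHandle = 0) then
    begin
      srvHandle := CreateService(scHandle, DRIVER, DRIVER, SERVICE_START,
        SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL,
        '.\WINRING.sys', Nil, Nil, Nil, nil, nil);
    end;
    if (srvHandle <> 0) then
    begin
      try
        StartArgs := nil;
        // A driver that is already running counts as success.
        if StartService(srvHandle, 0, StartArgs) or
          (GetLastError = ERROR_SERVICE_ALREADY_RUNNING) then
          Result := true;
      finally
        CloseServiceHandle(srvHandle);
      end;
    end;
  finally
    CloseServiceHandle(scHandle);
  end;
end;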

{ Makes sure the driver service is running (BuildDriverService) and then opens
  the '\\.\WINRING' device for read/write with share mode 0, storing the handle
  in the global DriverHandle.

  Returns True only when CreateFile produced a valid handle. When
  BuildDriverService fails, DriverHandle is left untouched. }
function OpenDriver: boolean;
begin
  Result := False;
  if (not BuildDriverService) then
    Exit;

  DriverHandle := CreateFile('\\.\' + DRIVER, GENERIC_READ or GENERIC_WRITE,
    0, nil, OPEN_EXISTING, 0, 0);
  Result := (DriverHandle <> INVALID_HANDLE_VALUE);
end;

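{ Stops the DRIVER service and removes its registration.

  Returns True when the service was deleted or did not exist in the first
  place; False when the SCM or the service could not be opened for another
  reason, or when DeleteService failed.

  Changes against the original listing:
    - CloseServiceHandle is no longer called with a zero service handle;
    - handles are released through try/finally;
    - the result reflects whether the registration is actually gone, so a
      leftover kernel-driver service is reported instead of hidden;
    - only the stop and delete rights are requested instead of *_ALL_ACCESS. }
function DeleteDriverService: boolean;
var
  srvStatus: TServiceStatus;
  scHandle, srvHandle: SC_Handle;
begin
  Result := False;
  scHandle := OpenSCManager(Nil, Nil, SC_MANAGER_CONNECT);
  if (scHandle = 0) then
    Exit;
  try
    srvHandle := OpenService(scHandle, DRIVER, SERVICE_STOP or _DELETE);
    if (srvHandle = 0) then
    begin
      // Nothing to remove counts as success; any other error does not.
      Result := (GetLastError = ERROR_SERVICE_DOES_NOT_EXIST);
      Exit;
    end;
    try
      // Best effort: the stop request fails harmlessly if the driver is not running.
      ControlService(srvHandle, SERVICE_CONTROL_STOP, srvStatus);
      Result := DeleteService(srvHandle);
    finally
      CloseServiceHandle(srvHandle);
    end;
  finally
    CloseServiceHandle(scHandle);
  end;
end;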

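{ Closes the device handle and removes the driver service.

  Returns the result of DeleteDriverService.

  The original called CloseHandle unconditionally, although OpenWinRing
  reaches this routine precisely when OpenDriver failed, i.e. when
  DriverHandle is still 0 or INVALID_HANDLE_VALUE. The handle is now closed
  only when it is usable, and is reset afterwards so that a later
  DeviceIoControl on it fails cleanly instead of hitting a stale handle
  value. }
function CloseDriver: boolean;
begin
  if (DriverHandle <> 0) and (DriverHandle <> INVALID_HANDLE_VALUE) then
    CloseHandle(DriverHandle);
  DriverHandle := INVALID_HANDLE_VALUE;
  Result := DeleteDriverService;
end;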

{ Public entry point: records the OS major version (low byte of GetVersion) in
  OSVersion and, unless that version is 4, installs and opens the driver.

  When the driver cannot be opened, the user is told so, the service is torn
  down again through CloseDriver, and application termination is requested.
  Execution returns to the caller after Application.Terminate is called. }
procedure OpenWinRing;
begin
  OSVersion := LOBYTE(LOWORD(GetVersion));

  // Major version 4 takes no driver path in this unit.
  if (OSVersion = 4) then
    Exit;

  if OpenDriver then
    Exit;

  ShowMessage('Driver not ready!!!');
  CloseDriver;
  Application.Terminate;
end;

// Copies the current general-purpose registers into Ring.RegData in the order
// eax, ebx, ecx, edx, esi, edi, ebp (byte offsets 0, 4, ... 24).
// The statement order matters: eax is needed as the base pointer, so its
// original value is parked on the stack first and written last.
// NOTE(review): ebx is overwritten with the address of Ring.RegData and is not
// restored before returning - confirm that callers do not rely on ebx.
procedure SaveAllReg; stdcall;
Begin
  Asm
    // Park the caller's eax; eax becomes the base address of RegData.
    push eax
    mov eax, offset Ring.RegData
    // Slots 1..6: ebx, ecx, edx, esi, edi, ebp.
    mov [eax][04], ebx
    mov [eax][08], ecx
    mov [eax][12], edx
    mov [eax][16], esi
    mov [eax][20], edi
    mov [eax][24], ebp
    // Move the base into ebx so the original eax can be popped and stored in slot 0.
    mov ebx, eax
    pop eax
    mov [ebx], eax
  End;
end;

// Publishes the address of the internal label ADJRing0 to the WINRING driver
// and issues the WINRING_Access IOCTL with the global Ring buffer as input and
// output.
//
// Parameters:
//   Ring0Proc - parameterless stdcall routine that the code at ADJRing0 calls.
//
// Control flow visible in this unit:
//   - the normal (calling-thread) path runs SaveAllReg, stores the label
//     address, performs the IOCTL, then jumps over the ADJRing0 section
//     straight to ADJRing and returns;
//   - the ADJRing0 section is only reached by something that jumps or calls
//     to the address stored in Ring.AdjRing0Entry. Presumably that is the
//     driver, running in kernel mode - the driver is not part of this unit,
//     so confirm against its source.
//
// NOTE(review): AdjRing0Entry carries a user-mode code address into a kernel
// driver. If the driver transfers control to it at ring 0, the device turns
// into a kernel-execution primitive for every process able to open
// '\\.\WINRING'; a WINRING service or driver found on a host deserves to be
// treated as a high-risk artifact.
// NOTE(review): neither the validity of DriverHandle nor the result of
// DeviceIoControl is checked here.
// NOTE(review): the local RetByte shadows the unit-level one and is likewise
// declared Word, while the Windows unit declares the bytes-returned parameter
// as a DWORD - verify.
procedure ProcessRing0(Ring0Proc: TRing0Proc); StdCall;
var
  RetByte: Word;
Label ADJRing0, ADJRing;
Begin
  // Snapshot the registers into Ring.RegData before anything else touches them.
  SaveAllReg();
  Asm
    // Tell the driver where the ADJRing0 section below starts.
    Mov Ring.AdjRing0Entry, offset ADJRing0
  End;
  DeviceIoControl(DriverHandle, WINRING_Access, @Ring, sizeof(Ring), @Ring,
  sizeof(Ring), RetByte, Nil);
  Asm
    // Calling-thread path: skip the section reserved for the external entry.
    jmp ADJRing
    ADJRing0:
    // Entered only through the published address; loads the dword at [esp+4].
    mov eax, [esp+4]
  End;
  Ring0Proc;
  Asm
    // Return to whoever entered at ADJRing0.
    Ret
    ADJRing:
  End;
end;

end.
