delphi 随意将函数执行权限提高到Ring0源代码
//随意将函数执行权限提高到Ring0源代码
//Windows 2K以上的操作系统,
//用途: 提供超级简单使用的APIrocessRing0(),
//可将delphi中的任意函数由原來的Ring3权限提升到系统的最高级别Ring 0,
//这样我们就可以随意对系统的I/O进行操作了。
//===================WinRing.pas===========================
unit WinRing;
interface
uses Windows,WinSvc,Dialogs,Forms;
Type
TRingData = Record
AdjRing0Entry:ULONG ;
RegData:array[0..6] of ULONG;
end;
TRing0Proc = Procedure;StdCall;
procedure OpenWinRing;
function CloseDriver:boolean;
procedure ProcessRing0(Ring0Proc: TRing0Proc);StdCall;
const
DRIVER = 'WINRING';
implementation
var
DriverHandle: THandle;
Ring: TRingData;
RetByteWord;
OSVersion: byte;
Function WINRING_Access:Cardinal;
Begin
Result:=(($22) shl 16) or (($999) shl 2);
End;
Procedure _WinRing;
Begin
DeviceIoControl(DriverHandle,WINRING_Access,@Ring,
sizeof(Ring),@Ring,sizeof(Ring),retbyte,Nil);
End;
function BuildDriverService:boolean;
var
scHandle, srvHandle: SC_Handle;
achar;
begin
Result:=False;
scHandle:=OpenSCManager(Nil,Nil,SC_MANAGER_ALL_ACCESS);
if (scHandle<>0) then
Begin
srvHandle:=OpenService(scHandle,DRIVER,SERVICE_ALL_ACCESS);
if (srvHandle=0) then
begin
srvHandle:=CreateService(
scHandle,
DRIVER,
DRIVER,
SERVICE_ALL_ACCESS,
SERVICE_KERNEL_DRIVER,
SERVICE_DEMAND_START,
SERVICE_ERROR_NORMAL,
'.\WINRING.sys',
Nil,Nil,Nil,nil,nil);
end;
if (srvHandle<>0) then
Begin
A:='';
StartService(srvHandle,0,A);
CloseServiceHandle(srvHandle);
CloseServiceHandle(scHandle);
Result:= true;
End;
end;
end;
function OpenDriver:Boolean;
begin
if (BuildDriverService) then
begin
DriverHandle:=CreateFile(
'\\.\'+DRIVER,
GENERIC_READ or GENERIC_WRITE,
0,
nil,
OPEN_EXISTING,
0,
0);
Result:=(DriverHandle<>INVALID_HANDLE_VALUE);
end else
Result:=False;
end;
function DeleteDriverService:boolean;
var
srvStatus: TServiceStatus;
scHandle,srvHandle: SC_HANDLE;
begin
scHandle:=OpenSCManager(Nil,Nil,SC_MANAGER_ALL_ACCESS);
if (scHandle<>0) then
begin
srvHandle:=OpenService(scHandle,DRIVER,SERVICE_ALL_ACCESS);
if (srvHandle<>0) then
begin
ControlService(srvHandle,SERVICE_CONTROL_STOP,srvStatus);
DeleteService(srvHandle);
end;
CloseServiceHandle(srvHandle);
CloseServiceHandle(scHandle);
Result:=true;
end Else
Result:=False;
end;
function CloseDriver:boolean;
begin
CloseHandle(DriverHandle);
Result:=DeleteDriverService;
end;
procedure OpenWinRing;
begin
OSVersion := LOBYTE(LOWORD(GetVersion));
if (OSVersion<>4) then
begin
if (not OpenDriver) then
begin
ShowMessage('Driver not ready!!!');
CloseDriver;
Application.Terminate;
end;
end;
end;
procedure SaveAllReg;stdcall;
Begin
Asm
push eax
mov eax, offset Ring.RegData
mov [eax][04], ebx
mov [eax][08], ecx
mov [eax][12], edx
mov [eax][16], esi
mov [eax][20], edi
mov [eax][24], ebp
mov ebx, eax
pop eax
mov [ebx], eax
End;
end;
procedure ProcessRing0(Ring0Proc: TRing0Proc);StdCall;
var
retbyteWORD;
Label ADJRing0,ADJRing;
Begin
SaveAllReg();
Asm
Mov Ring.AdjRing0Entry, offset ADJRing0
End;
DeviceIoControl(DriverHandle,WINRING_Access,
@Ring, sizeof(Ring), @Ring, sizeof(Ring), retbyte, Nil);
Asm
jmp ADJRing
ADJRing0:
mov eax, [esp+4]
End;
Ring0Proc;
Asm
Ret
ADJRing:
End;
end;
end.
//===================Unit1.pas==========
复制内容到剪贴板代码:
unit Unit1;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs,WinRing, StdCtrls, ExtCtrls;
type
TForm1 = class(TForm)
Button1: TButton;
Timer1: TTimer;
procedure Button1Click(Sender: TObject);
procedure FormClose(Sender: TObject; var Action: TCloseAction);
procedure Timer1Timer(Sender: TObject);
private
{ Private declarations }
public
{ Public declarations }
end;
var
Form1: TForm1;
Timer:Array[0..2] Of Byte;
V:Integer;
implementation
{$R *.dfm}
procedure TForm1.Button1Click(Sender: TObject);
begin
OpenWinRing;
end;
procedure TForm1.FormClose(Sender: TObject; var Action: TCloseAction);
begin
CloseDriver;
end;
Procedure Test;StdCall;
Var
Val1,Index:Byte;
I:Integer;
Begin
Asm
cli
End;
for i:=0 to 2 Do Begin
Index:=i*2;
asm
mov al, Index
out $70, al
in al, $71
mov Val1, al
End;
Timer:=Val1;
End;
Asm
sti
End;
End;
procedure TForm1.Timer1Timer(Sender: TObject);
begin
ProcessRing0(Test);
Form1.Caption:=Format('%2x,%2x,%2x',[Timer[2],Timer[1],Timer[0]]);
end;
end.
//Windows 2K以上的操作系统,
//用途: 提供超级简单使用的APIrocessRing0(),
//可将delphi中的任意函数由原來的Ring3权限提升到系统的最高级别Ring 0,
//这样我们就可以随意对系统的I/O进行操作了。
//===================WinRing.pas===========================
unit WinRing;
interface
uses Windows,WinSvc,Dialogs,Forms;
Type
TRingData = Record
AdjRing0Entry:ULONG ;
RegData:array[0..6] of ULONG;
end;
TRing0Proc = Procedure;StdCall;
procedure OpenWinRing;
function CloseDriver:boolean;
procedure ProcessRing0(Ring0Proc: TRing0Proc);StdCall;
const
DRIVER = 'WINRING';
implementation
var
DriverHandle: THandle;
Ring: TRingData;
RetByteWord;
OSVersion: byte;
Function WINRING_Access:Cardinal;
Begin
Result:=(($22) shl 16) or (($999) shl 2);
End;
Procedure _WinRing;
Begin
DeviceIoControl(DriverHandle,WINRING_Access,@Ring,
sizeof(Ring),@Ring,sizeof(Ring),retbyte,Nil);
End;
function BuildDriverService:boolean;
var
scHandle, srvHandle: SC_Handle;
achar;
begin
Result:=False;
scHandle:=OpenSCManager(Nil,Nil,SC_MANAGER_ALL_ACCESS);
if (scHandle<>0) then
Begin
srvHandle:=OpenService(scHandle,DRIVER,SERVICE_ALL_ACCESS);
if (srvHandle=0) then
begin
srvHandle:=CreateService(
scHandle,
DRIVER,
DRIVER,
SERVICE_ALL_ACCESS,
SERVICE_KERNEL_DRIVER,
SERVICE_DEMAND_START,
SERVICE_ERROR_NORMAL,
'.\WINRING.sys',
Nil,Nil,Nil,nil,nil);
end;
if (srvHandle<>0) then
Begin
A:='';
StartService(srvHandle,0,A);
CloseServiceHandle(srvHandle);
CloseServiceHandle(scHandle);
Result:= true;
End;
end;
end;
function OpenDriver:Boolean;
begin
if (BuildDriverService) then
begin
DriverHandle:=CreateFile(
'\\.\'+DRIVER,
GENERIC_READ or GENERIC_WRITE,
0,
nil,
OPEN_EXISTING,
0,
0);
Result:=(DriverHandle<>INVALID_HANDLE_VALUE);
end else
Result:=False;
end;
function DeleteDriverService:boolean;
var
srvStatus: TServiceStatus;
scHandle,srvHandle: SC_HANDLE;
begin
scHandle:=OpenSCManager(Nil,Nil,SC_MANAGER_ALL_ACCESS);
if (scHandle<>0) then
begin
srvHandle:=OpenService(scHandle,DRIVER,SERVICE_ALL_ACCESS);
if (srvHandle<>0) then
begin
ControlService(srvHandle,SERVICE_CONTROL_STOP,srvStatus);
DeleteService(srvHandle);
end;
CloseServiceHandle(srvHandle);
CloseServiceHandle(scHandle);
Result:=true;
end Else
Result:=False;
end;
function CloseDriver:boolean;
begin
CloseHandle(DriverHandle);
Result:=DeleteDriverService;
end;
procedure OpenWinRing;
begin
OSVersion := LOBYTE(LOWORD(GetVersion));
if (OSVersion<>4) then
begin
if (not OpenDriver) then
begin
ShowMessage('Driver not ready!!!');
CloseDriver;
Application.Terminate;
end;
end;
end;
procedure SaveAllReg;stdcall;
Begin
Asm
push eax
mov eax, offset Ring.RegData
mov [eax][04], ebx
mov [eax][08], ecx
mov [eax][12], edx
mov [eax][16], esi
mov [eax][20], edi
mov [eax][24], ebp
mov ebx, eax
pop eax
mov [ebx], eax
End;
end;
procedure ProcessRing0(Ring0Proc: TRing0Proc);StdCall;
var
retbyteWORD;
Label ADJRing0,ADJRing;
Begin
SaveAllReg();
Asm
Mov Ring.AdjRing0Entry, offset ADJRing0
End;
DeviceIoControl(DriverHandle,WINRING_Access,
@Ring, sizeof(Ring), @Ring, sizeof(Ring), retbyte, Nil);
Asm
jmp ADJRing
ADJRing0:
mov eax, [esp+4]
End;
Ring0Proc;
Asm
Ret
ADJRing:
End;
end;
end.
//===================Unit1.pas==========
复制内容到剪贴板代码:
unit Unit1;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs,WinRing, StdCtrls, ExtCtrls;
type
TForm1 = class(TForm)
Button1: TButton;
Timer1: TTimer;
procedure Button1Click(Sender: TObject);
procedure FormClose(Sender: TObject; var Action: TCloseAction);
procedure Timer1Timer(Sender: TObject);
private
{ Private declarations }
public
{ Public declarations }
end;
var
Form1: TForm1;
Timer:Array[0..2] Of Byte;
V:Integer;
implementation
{$R *.dfm}
procedure TForm1.Button1Click(Sender: TObject);
begin
OpenWinRing;
end;
procedure TForm1.FormClose(Sender: TObject; var Action: TCloseAction);
begin
CloseDriver;
end;
Procedure Test;StdCall;
Var
Val1,Index:Byte;
I:Integer;
Begin
Asm
cli
End;
for i:=0 to 2 Do Begin
Index:=i*2;
asm
mov al, Index
out $70, al
in al, $71
mov Val1, al
End;
Timer:=Val1;
End;
Asm
sti
End;
End;
procedure TForm1.Timer1Timer(Sender: TObject);
begin
ProcessRing0(Test);
Form1.Caption:=Format('%2x,%2x,%2x',[Timer[2],Timer[1],Timer[0]]);
end;
end.
推荐分享
图文皆来源于网络,内容仅做公益性分享,版权归原作者所有,如有侵权请告知删除!
Copyright © 2014 DelphiW.com 开发 源码 文档 技巧 All Rights Reserved
晋ICP备14006235号-8 晋公网安备 14108102000087号
执行时间: 0.055027008056641 seconds