Thread: Need help in making the Native Application

  1. #1 (Join Date: Feb 2012, Posts: 70)

    Need help in making the Native Application

    HI GUYS

    I need help here , I am trying to make antivirus application and as you might be knowing that there Are two types of viruses and that is active or passive. The passive is easy to remove in contrast to the active one which is difficult to remove . although I got the solution that is by removing it in system boot. The fact that at the time when the windows boot any process or the services will not get begin except the kernel mode it's be completed.. with the method we can remove the virus before get started. So I looked everywhere and got this information that state that I can make a native application and put in it in this registry path "HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute, although the issue is How to build a native application. Can any on here help me on this I will be really glad .

  2. #2 (Join Date: May 2009, Posts: 527)

    Re: Need help in making the Native Application

    Well, it is hard to understand what exactly you mean by the native application, and if you need to add your app to the key you want, then check RegOpenKeyEx; that will do what you were looking for.

  3. #3 (Join Date: Feb 2012, Posts: 70)

    Re: Need help in making the Native Application

    Thanks for the reply. All I was asking is that I know the native program, as a console application, worked. However, I tried to create it and put it into the registry, but it did not work.

  4. #4 (Join Date: Apr 2009, Posts: 488)

    Re: Need help in making the Native Application

    Well, as far as I know, native apps make use of an undocumented "native" API. There are around 250 of those functions within the Windows Device Driver Kit. Sadly, most of those functions are undocumented. These apps solely use the native APIs and cannot use operating environments like the Win32 APIs. Thus, they have to be loaded and started before the loading of the Win32 subsystem. That registry key you listed above is where native apps are started by the Session Manager (smss.exe) before the start of the Win32 subsystem. So all you need to do is download the Windows Device Driver Kit (DDK).

  5. #5 (Join Date: May 2009, Posts: 527)

    Re: Need help in making the Native Application

    Well, you need the Windows Driver Kit (WDK) to write kernel code. It has the tools, samples, help files etc. which you would perhaps utilize if you wish to code at that level. The kernel level is where your native APIs are located.

    Let's take a look at the Win32 CreateFile function. We would in general call this function in what is referred to as User Mode, the mode that almost all folks are accustomed to. This function in turn calls NtCreateFile on the kernel level. NtCreateFile in turn calls ZwCreateFile on the kernel level. NtCreateFile and ZwCreateFile are native APIs. The NtXxxx functions check the provided parameters and access modes for validity and explicitly set the previous mode to USER mode. The ZwXxxx variants do not. Thus, NT drivers call ZwCreateFile(...) when they are opening a file on their own behalf. OS environment subsystems that are using the standard Win32 APIs would use NtXxxxx since they are calling from user mode.

    To recap, native apps use the native API rather than the User Mode Win32 API. A fully functional example follows. Refer to the InitializeNativeFunctions call. It initializes the following native functions: RtlInitUnicodeString, ZwCreateFile, ZwCreateEvent, ZwQueryDirectoryFile, ZwWaitForSingleObject, RtlUnicodeStringToAnsiString.

    Code:
        #include <windows.h>
        #include <stdio.h>

        /* ntdll types and constants this sample needs. windows.h does not declare
           them (winternl.h declares a few, but not everything used here), so they
           are spelled out. ULONG_PTR already comes from basetsd.h via windows.h. */
        typedef LONG NTSTATUS;
        typedef NTSTATUS *PNTSTATUS;
        #define STATUS_SUCCESS          ((NTSTATUS)0x00000000L)
        #define STATUS_PENDING          ((NTSTATUS)0x00000103L)
        #define STATUS_UNSUCCESSFUL     ((NTSTATUS)0xC0000001L)
        #define NT_SUCCESS(Status)      (((NTSTATUS)(Status)) >= 0)
        #define FILE_OPEN               0x00000001
        #define OBJ_CASE_INSENSITIVE    0x00000040L
        #define FILE_DIRECTORY_FILE     0x00000001

        typedef struct _UNICODE_STRING {
            USHORT Length;          /* in bytes, not characters */
            USHORT MaximumLength;
            PWSTR  Buffer;
        } UNICODE_STRING, *PUNICODE_STRING;
        typedef const UNICODE_STRING *PCUNICODE_STRING;

        typedef struct _STRING {
            USHORT Length;
            USHORT MaximumLength;
            PCHAR  Buffer;
        } STRING, *PSTRING, ANSI_STRING, *PANSI_STRING;

        typedef struct _OBJECT_ATTRIBUTES {
            ULONG           uLength;
            HANDLE          hRootDirectory;
            PUNICODE_STRING pObjectName;
            ULONG           uAttributes;
            PVOID           pSecurityDescriptor;
            PVOID           pSecurityQualityOfService;
        } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

        #define InitializeObjectAttributes(p, n, a, r, s) { \
            (p)->uLength = sizeof(OBJECT_ATTRIBUTES);      \
            (p)->hRootDirectory = r;                       \
            (p)->uAttributes = a;                          \
            (p)->pObjectName = n;                          \
            (p)->pSecurityDescriptor = s;                  \
            (p)->pSecurityQualityOfService = NULL;         \
        }

        typedef struct _IO_STATUS_BLOCK {
            union {
                NTSTATUS Status;
                PVOID    Pointer;
            };
            ULONG_PTR Information;
        } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

        typedef VOID (NTAPI *PIO_APC_ROUTINE)(PVOID ApcContext, PIO_STATUS_BLOCK IoStatusBlock, ULONG Reserved);

        typedef enum _FILE_INFORMATION_CLASS {
            FileDirectoryInformation = 1,
            FileFullDirectoryInformation,
            FileBothDirectoryInformation,
            FileBasicInformation,
            FileStandardInformation,
            FileInternalInformation,
            FileEaInformation,
            FileAccessInformation,
            FileNameInformation,
            FileRenameInformation,
            FileLinkInformation,
            FileNamesInformation,
            FileDispositionInformation,
            FilePositionInformation,
            FileFullEaInformation,
            FileModeInformation,
            FileAlignmentInformation,
            FileAllInformation,
            FileAllocationInformation,
            FileEndOfFileInformation,
            FileAlternateNameInformation,
            FileStreamInformation,
            FilePipeInformation,
            FilePipeLocalInformation,
            FilePipeRemoteInformation,
            FileMailslotQueryInformation,
            FileMailslotSetInformation,
            FileCompressionInformation,
            FileObjectIdInformation,
            FileCompletionInformation,
            FileMoveClusterInformation,
            FileQuotaInformation,
            FileReparsePointInformation,
            FileNetworkOpenInformation,
            FileAttributeTagInformation,
            FileTrackingInformation,
            FileIdBothDirectoryInformation,
            FileIdFullDirectoryInformation,
            FileValidDataLengthInformation,
            FileShortNameInformation,
            FileMaximumInformation
        } FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS;

        typedef enum _EVENT_TYPE { NotificationEvent, SynchronizationEvent } EVENT_TYPE;

        /* One packed entry returned by ZwQueryDirectoryFile for FileBothDirectoryInformation.
           FileName is not NUL-terminated; FileNameLength (bytes) bounds it. */
        typedef struct _FILE_BOTH_DIR_INFORMATION {
            ULONG         NextEntryOffset;
            ULONG         FileIndex;
            LARGE_INTEGER CreationTime;
            LARGE_INTEGER LastAccessTime;
            LARGE_INTEGER LastWriteTime;
            LARGE_INTEGER ChangeTime;
            LARGE_INTEGER EndOfFile;
            LARGE_INTEGER AllocationSize;
            ULONG         FileAttributes;
            ULONG         FileNameLength;
            ULONG         EaSize;
            CCHAR         ShortNameLength;
            WCHAR         ShortName[12];
            WCHAR         FileName[1];
        } FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION;

        /* Function pointer types for the ntdll exports resolved at run time.
           RtlInitUnicodeString and RtlFreeAnsiString return VOID, not NTSTATUS. */
        typedef VOID     (NTAPI *RtlInitUnicodeString_t)(PUNICODE_STRING, PCWSTR);
        typedef NTSTATUS (NTAPI *ZwCreateFile_t)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PIO_STATUS_BLOCK, PLARGE_INTEGER, ULONG, ULONG, ULONG, ULONG, PVOID, ULONG);
        typedef NTSTATUS (NTAPI *ZwCreateEvent_t)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, EVENT_TYPE, BOOLEAN);
        typedef NTSTATUS (NTAPI *ZwQueryDirectoryFile_t)(HANDLE, HANDLE, PIO_APC_ROUTINE, PVOID, PIO_STATUS_BLOCK, PVOID, ULONG, FILE_INFORMATION_CLASS, BOOLEAN, PUNICODE_STRING, BOOLEAN);
        typedef NTSTATUS (NTAPI *ZwWaitForSingleObject_t)(HANDLE, BOOLEAN, PLARGE_INTEGER);
        typedef NTSTATUS (NTAPI *RtlUnicodeStringToAnsiString_t)(PANSI_STRING, PCUNICODE_STRING, BOOLEAN);
        typedef VOID     (NTAPI *RtlFreeAnsiString_t)(PANSI_STRING);
        typedef NTSTATUS (NTAPI *ZwClose_t)(HANDLE);

        static RtlInitUnicodeString_t         pRtlInitUnicodeString;
        static ZwCreateFile_t                 pZwCreateFile;
        static ZwCreateEvent_t                pZwCreateEvent;
        static ZwQueryDirectoryFile_t         pZwQueryDirectoryFile;
        static ZwWaitForSingleObject_t        pZwWaitForSingleObject;
        static RtlUnicodeStringToAnsiString_t pRtlUnicodeStringToAnsiString;
        static RtlFreeAnsiString_t            pRtlFreeAnsiString;
        static ZwClose_t                      pZwClose;

        /* Resolve the native functions from ntdll.dll, which is already mapped into
           every Win32 process, so GetModuleHandle is enough. Returns FALSE if any
           export is missing so callers never dereference a NULL pointer. */
        BOOL InitializeNativeFunctions(VOID)
        {
            HMODULE hModule = GetModuleHandleA("ntdll.dll");
            if (hModule == NULL) return FALSE;
            pRtlInitUnicodeString         = (RtlInitUnicodeString_t)        GetProcAddress(hModule, "RtlInitUnicodeString");
            pZwCreateFile                 = (ZwCreateFile_t)                GetProcAddress(hModule, "ZwCreateFile");
            pZwCreateEvent                = (ZwCreateEvent_t)               GetProcAddress(hModule, "ZwCreateEvent");
            pZwQueryDirectoryFile         = (ZwQueryDirectoryFile_t)        GetProcAddress(hModule, "ZwQueryDirectoryFile");
            pZwWaitForSingleObject        = (ZwWaitForSingleObject_t)       GetProcAddress(hModule, "ZwWaitForSingleObject");
            pRtlUnicodeStringToAnsiString = (RtlUnicodeStringToAnsiString_t)GetProcAddress(hModule, "RtlUnicodeStringToAnsiString");
            pRtlFreeAnsiString            = (RtlFreeAnsiString_t)           GetProcAddress(hModule, "RtlFreeAnsiString");
            pZwClose                      = (ZwClose_t)                     GetProcAddress(hModule, "ZwClose");
            return pRtlInitUnicodeString && pZwCreateFile && pZwCreateEvent && pZwQueryDirectoryFile
                && pZwWaitForSingleObject && pRtlUnicodeStringToAnsiString && pRtlFreeAnsiString && pZwClose;
        }

        NTSTATUS ListDirectory(const WCHAR *pszDirectoryName)
        {
            UNICODE_STRING RootDirectoryName;
            ANSI_STRING as;
            OBJECT_ATTRIBUTES RootDirectoryAttributes;
            NTSTATUS ntStatus;
            HANDLE RootDirectoryHandle = NULL;
            HANDLE Event = NULL;
            IO_STATUS_BLOCK Iosb;
            static UCHAR Buffer[65536];        /* receives the packed directory entries */
            WCHAR wszBuffer[MAX_PATH + 8];
            PFILE_BOTH_DIR_INFORMATION DirInformation;

            /* Native paths live in the NT object namespace: \??\C:\Temp\ rather than C:\Temp\ */
            if (_snwprintf(wszBuffer, sizeof(wszBuffer) / sizeof(WCHAR), L"\\??\\%s\\", pszDirectoryName) < 0)
                return STATUS_UNSUCCESSFUL;
            wszBuffer[sizeof(wszBuffer) / sizeof(WCHAR) - 1] = L'\0';

            pRtlInitUnicodeString(&RootDirectoryName, wszBuffer);
            InitializeObjectAttributes(&RootDirectoryAttributes, &RootDirectoryName, OBJ_CASE_INSENSITIVE, NULL, NULL);

            ntStatus = pZwCreateFile(&RootDirectoryHandle,
                                     GENERIC_READ,
                                     &RootDirectoryAttributes,
                                     &Iosb,
                                     NULL,                      /* AllocationSize */
                                     FILE_ATTRIBUTE_DIRECTORY,
                                     FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
                                     FILE_OPEN,                 /* the directory must already exist */
                                     FILE_DIRECTORY_FILE,       /* and must be a directory */
                                     NULL, 0);
            if (!NT_SUCCESS(ntStatus))
            {
                printf("Unable to open %ws, error = 0x%x\n", wszBuffer, ntStatus);
                return ntStatus;
            }

            ntStatus = pZwCreateEvent(&Event, GENERIC_ALL, NULL, NotificationEvent, FALSE);
            if (!NT_SUCCESS(ntStatus))
            {
                printf("Event creation failed with error 0x%x\n", ntStatus);
                goto cleanup;
            }

            ntStatus = pZwQueryDirectoryFile(RootDirectoryHandle,
                                             Event, NULL, NULL,
                                             &Iosb,
                                             Buffer,
                                             sizeof(Buffer),
                                             FileBothDirectoryInformation,
                                             FALSE,      /* ReturnSingleEntry: fill the buffer */
                                             NULL,       /* no file name filter */
                                             FALSE);     /* RestartScan */
            if (ntStatus == STATUS_PENDING)
            {
                /* The handle was opened without FILE_SYNCHRONOUS_IO_*, so the request may
                   complete asynchronously: wait on the event, then read the final status
                   from the I/O status block. */
                ntStatus = pZwWaitForSingleObject(Event, TRUE, NULL);
                if (NT_SUCCESS(ntStatus))
                    ntStatus = Iosb.Status;
            }
            if (!NT_SUCCESS(ntStatus))
            {
                printf("Unable to query directory contents, error 0x%x\n", ntStatus);
                goto cleanup;
            }

            /* Walk the variable-length entries; NextEntryOffset == 0 marks the last one.
               A single call returns only as many entries as fit in Buffer; for larger
               directories call again until STATUS_NO_MORE_FILES. */
            DirInformation = (PFILE_BOTH_DIR_INFORMATION)Buffer;
            for (;;)
            {
                UNICODE_STRING EntryName;
                EntryName.Length = EntryName.MaximumLength = (USHORT)DirInformation->FileNameLength;
                EntryName.Buffer = DirInformation->FileName;
                /* TRUE: ntdll allocates as.Buffer, which must be released with RtlFreeAnsiString */
                if (NT_SUCCESS(pRtlUnicodeStringToAnsiString(&as, &EntryName, TRUE)))
                {
                    printf("%.*s\n", as.Length, as.Buffer);
                    pRtlFreeAnsiString(&as);
                }
                if (DirInformation->NextEntryOffset == 0)
                    break;
                DirInformation = (PFILE_BOTH_DIR_INFORMATION)((PUCHAR)DirInformation + DirInformation->NextEntryOffset);
            }

        cleanup:
            if (Event != NULL) pZwClose(Event);
            if (RootDirectoryHandle != NULL) pZwClose(RootDirectoryHandle);
            return ntStatus;
        }

        int main(VOID)
        {
            if (!InitializeNativeFunctions())
            {
                printf("Could not resolve the ntdll exports\n");
                return 1;
            }
            return NT_SUCCESS(ListDirectory(L"C:\\Temp")) ? 0 : 1;
        }

  6. #6 (Join Date: May 2009, Posts: 539)

    Re: Need help in making the Native Application

    That is a Windows API function. It is used to remove files upon the next system startup, which is what you primarily appear to be wanting. So it should probably be of help to you, though this depends on what precisely your anti-virus stuff is.

  7. #7 (Join Date: May 2009, Posts: 543)

    Re: Need help in making the Native Application

    Well, I was just checking the Windows Driver Kit (WDK) and it looks as if it has all the information needed to write device drivers. Very little information was found on native applications. So, since it is very easy to use, I put together the following sample native app.
    Code:
        TARGETNAME=test
        TARGETTYPE=PROGRAM
        _NT_TARGET_VERSION= $(_NT_TARGET_VERSION_WIN7)
        UMTYPE=nt
        UMENTRY=NtProcessStartup
        MINWIN_SDK_LIB_PATH=$(SDK_LIB_PATH)
        TARGETLIBS=$(SDK_LIB_PATH)\setupapi.lib \
        $(SDK_LIB_PATH)\user32.lib \
        $(DDK_LIB_PATH)\nt.lib \
        $(DDK_LIB_PATH)\ntdll.lib
        INCLUDES=$(INCLUDES);$(DDK_INC_PATH)
        SOURCES=test.c
        TARGET_DESTINATION=wdf
    
    Test.c file
    
        #include "ntifs.h"
        #include "ntddk.h"
        #include "test.h"

        /* Prototypes */
        BOOL  STDCALL Beep(DWORD dwFreq, DWORD dwDuration);
        VOID  STDCALL Print(PCWSTR msg);
        VOID  STDCALL Sleep1(DWORD dwMilliseconds);
        DWORD STDCALL SleepEx(DWORD dwMilliseconds, BOOL bAlertable);

        /* Entry point of a native (UMTYPE=nt) image. When started from BootExecute,
           smss.exe runs it before the Win32 subsystem exists, so only ntdll is
           available. There is no CRT to return to: the process must terminate itself. */
        VOID NtProcessStartup(PVOID arg)
        {
            int i;
            UNREFERENCED_PARAMETER(arg);
            Print(L"This is a Native Mode Application\n");
            Beep(2000, 1000);
            Beep(3000, 1000);
            Beep(4000, 1000);
            Beep(5000, 1000);
            Print(L"Sleeping for 10 seconds");
            for (i = 0; i < 10; i++)
            {
                Print(L".");
                Sleep1(1000);
            }
            Print(L"\nLet us now load the Windows Operating System");
            NtTerminateProcess(NtCurrentProcess(), 0);
        }

        /* NtDisplayString writes to the boot-time text console; it needs SeTcbPrivilege,
           which the SYSTEM context BootExecute runs in has. */
        VOID STDCALL Print(PCWSTR msg)
        {
            UNICODE_STRING umsg;
            RtlInitUnicodeString(&umsg, msg);
            NtDisplayString(&umsg);
        }

        VOID STDCALL Sleep1(DWORD dwMilliseconds)
        {
            SleepEx(dwMilliseconds, FALSE);
        }

        DWORD STDCALL SleepEx(DWORD dwMilliseconds, BOOL bAlertable)
        {
            LARGE_INTEGER Interval;
            NTSTATUS errCode;
            /* NtDelayExecution takes 100 ns units; a negative value is a relative delay. */
            if (dwMilliseconds != INFINITE)
                Interval.QuadPart = -((LONGLONG)dwMilliseconds * 10000);
            else
                Interval.QuadPart = -0x7FFFFFFFFFFFFFFFLL;
            errCode = NtDelayExecution(bAlertable ? TRUE : FALSE, &Interval);
            return NT_SUCCESS(errCode) ? 0 : (DWORD)-1;
        }

        /* Re-implementation of the Win32 Beep() on top of the \Device\Beep driver,
           since kernel32 is not available to a native application. */
        BOOL STDCALL Beep(DWORD dwFreq, DWORD dwDuration)
        {
            HANDLE hBeep;
            UNICODE_STRING BeepDevice;
            OBJECT_ATTRIBUTES ObjectAttributes;
            IO_STATUS_BLOCK IoStatusBlock;
            BEEP_SET_PARAMETERS BeepSetParameters;
            NTSTATUS Status;

            /* check the parameters */
            if ((dwFreq >= 0x25 && dwFreq <= 0x7FFF) ||
                (dwFreq == 0x0 && dwDuration == 0x0))
            {
                /* open the device */
                RtlInitUnicodeString(&BeepDevice, L"\\Device\\Beep");
                InitializeObjectAttributes(&ObjectAttributes, &BeepDevice, 0, NULL, NULL);
                Status = NtCreateFile(&hBeep,
                                      FILE_READ_DATA | FILE_WRITE_DATA,
                                      &ObjectAttributes,
                                      &IoStatusBlock,
                                      NULL,
                                      0,
                                      FILE_SHARE_READ | FILE_SHARE_WRITE,
                                      FILE_OPEN_IF,
                                      0,
                                      NULL,
                                      0);
                if (NT_SUCCESS(Status))
                {
                    /* Set beep data */
                    BeepSetParameters.Frequency = dwFreq;
                    BeepSetParameters.Duration = dwDuration;
                    Status = NtDeviceIoControlFile(hBeep,
                                                   NULL,
                                                   NULL,
                                                   NULL,
                                                   &IoStatusBlock,
                                                   IOCTL_BEEP_SET,
                                                   &BeepSetParameters,
                                                   sizeof(BEEP_SET_PARAMETERS),
                                                   NULL,
                                                   0);
                    /* do an alertable wait if necessary */
                    if (NT_SUCCESS(Status) &&
                        (dwFreq != 0x0 || dwDuration != 0x0) && dwDuration != (DWORD)-1)
                    {
                        SleepEx(dwDuration, TRUE);
                    }
                    NtClose(hBeep);
                }
            }
            else
            {
                Status = STATUS_INVALID_PARAMETER;
            }
            return NT_SUCCESS(Status) ? TRUE : FALSE;
        }
    
    Test.h file
    
        typedef int WINBOOL, *PWINBOOL, *LPWINBOOL;
        #define BOOL WINBOOL
        typedef unsigned long DWORD;
        #define STDCALL __stdcall
        #define INFINITE 0xFFFFFFFF   /* Infinite timeout */
        /* ULONGLONG is already a typedef in ntdef.h; do not redefine it as a macro. */

        typedef struct _BEEP_SET_PARAMETERS {
            ULONG Frequency;
            ULONG Duration;
        } BEEP_SET_PARAMETERS, *PBEEP_SET_PARAMETERS;

        #define IOCTL_BEEP_SET \
            CTL_CODE(FILE_DEVICE_BEEP, 0, METHOD_BUFFERED, FILE_ANY_ACCESS)

        /* ntdll exports used by test.c. Some are also declared in ntifs.h; a
           compatible redeclaration is harmless. They link against ntdll.lib
           from TARGETLIBS in the sources file. */
        NTSYSAPI
        NTSTATUS
        NTAPI
        NtClose(
            IN HANDLE Handle
        );

        NTSYSAPI
        NTSTATUS
        NTAPI
        NtCreateFile(
            OUT PHANDLE phFile,
            IN ACCESS_MASK DesiredAccess,
            IN POBJECT_ATTRIBUTES ObjectAttributes,
            OUT PIO_STATUS_BLOCK IoStatusBlock,
            IN PLARGE_INTEGER AllocationSize OPTIONAL,
            IN ULONG FileAttributes,
            IN ULONG ShareAccess,
            IN ULONG CreateDisposition,
            IN ULONG CreateOptions,
            IN PVOID EaBuffer OPTIONAL,
            IN ULONG EaLength
        );

        /* Alertable is a BOOLEAN in ntdll, not a ULONG. */
        NTSYSAPI
        NTSTATUS
        NTAPI
        NtDelayExecution(
            IN BOOLEAN Alertable,
            IN PLARGE_INTEGER DelayInterval
        );

        NTSYSAPI
        NTSTATUS
        NTAPI
        NtDeviceIoControlFile(
            IN HANDLE hFile,
            IN HANDLE hEvent OPTIONAL,
            IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
            IN PVOID IoApcContext OPTIONAL,
            OUT PIO_STATUS_BLOCK pIoStatusBlock,
            IN ULONG DeviceIoControlCode,
            IN PVOID InBuffer OPTIONAL,
            IN ULONG InBufferLength,
            OUT PVOID OutBuffer OPTIONAL,
            IN ULONG OutBufferLength
        );

        NTSYSAPI
        NTSTATUS
        NTAPI
        NtDisplayString(
            IN PUNICODE_STRING pString
        );

        NTSYSAPI
        NTSTATUS
        NTAPI
        NtTerminateProcess(
            IN HANDLE hProcess,
            IN ULONG ExitCode
        );

  8. #8 (Join Date: May 2009, Posts: 511)

    Re: Need help in making the Native Application

    Well, I just copied the makefile from one of the other examples to your folder containing the test example. All the makefiles found within the WDK samples area are equivalent. Thus, the makefile, sources, test.c and test.h ought to all be in the same folder. I used the x64 Checked build environment, from which I ran Build.bat from the folder containing all of the above files to create the native a

  9. #9 (Join Date: Dec 2011, Posts: 61)

    Re: Need help in making the Native Application

    Well, all I can say is you may like to check the to see how it works.

    You might try the following minimal snippet to see how it works:
    Code:
        #include <iostream>
        #include <windows.h>
        using namespace std;

        int main()
        {
            // Queue the file c:\temp\foobar.txt for deletion upon next system start up.
            // With MOVEFILE_DELAY_UNTIL_REBOOT and a NULL target the request is recorded
            // in the registry and carried out by the Session Manager at boot, before any
            // Win32 process runs. Requires administrator rights.
            if (!MoveFileExA("C:\\temp\\foobar.txt", NULL, MOVEFILE_DELAY_UNTIL_REBOOT))
            {
                // GetLastError() is only meaningful after a failed call.
                cout << "MoveFileEx failed, GetLastError(): " << GetLastError() << endl;
                return 1;
            }
            cout << "Deletion queued for the next reboot" << endl;
            return 0;
        }
    You have to write code that accesses a specific part of the system registry, as stated in the MSDN documentation; that will help.
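    Both the BootExecute value from post #1 and the deferred delete from post #9 end up as REG_MULTI_SZ values under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager (the latter in PendingFileRenameOperations, which MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT fills in). The example below is added here and is not code from the thread: it parses that double-NUL-terminated format, appends an entry to BootExecute without disturbing the existing "autocheck autochk *" entry or adding it twice, and decodes the source/target pairs in PendingFileRenameOperations so you can inspect what is queued for boot. The entry name "myavclean" and all sample data are constructed for the example; the registry read/write part is only compiled on Windows and assumes administrator rights.

    ```c
    /* Added example, not from the thread. REG_MULTI_SZ handling for the two
     * Session Manager values this thread relies on. Sample data is constructed. */
    #include <stddef.h>
    #include <stdio.h>
    #include <string.h>
    #include <uchar.h>
    #ifdef _WIN32
    #include <windows.h>
    #endif

    static size_t u16len(const char16_t *s) { size_t n = 0; while (s[n] != 0) n++; return n; }
    static int u16eq(const char16_t *a, const char16_t *b) {
        while (*a != 0 && *a == *b) { a++; b++; }
        return *a == *b;
    }

    /* Split a REG_MULTI_SZ buffer of `units` UTF-16 code units into its strings.
     * Layout: str NUL str NUL ... NUL. Stops at the empty string that terminates the
     * list, or at the end of the buffer if it was written without one. */
    size_t multisz_split(const char16_t *buf, size_t units, const char16_t **out, size_t max) {
        size_t i = 0, n = 0;
        while (i < units && buf[i] != 0) {
            if (n < max) out[n] = &buf[i];
            n++;
            while (i < units && buf[i] != 0) i++;
            i++;                                   /* step over this string's NUL */
        }
        return n;
    }

    /* Rebuild BootExecute in dst (capacity cap units): every existing entry in its
     * original order, then `entry` once. Order matters: "autocheck autochk *" must
     * stay first so chkdsk still runs. Returns the new length in units, or 0 if buf
     * is not NUL-terminated or dst is too small. A repeated call is a no-op. */
    size_t bootexecute_append(char16_t *dst, size_t cap, const char16_t *buf, size_t units, const char16_t *entry) {
        const char16_t *items[64];
        size_t n, pos = 0;
        int present = 0;
        if (units == 0 || buf[units - 1] != 0) return 0;
        n = multisz_split(buf, units, items, 64);
        if (n > 64) return 0;
        for (size_t k = 0; k < n; k++) {
            size_t len = u16len(items[k]) + 1;     /* string plus its own NUL */
            if (pos + len + 1 > cap) return 0;     /* keep room for the list terminator */
            memcpy(dst + pos, items[k], len * sizeof(char16_t));
            pos += len;
            if (u16eq(items[k], entry)) present = 1;
        }
        if (!present) {
            size_t len = u16len(entry) + 1;
            if (pos + len + 1 > cap) return 0;
            memcpy(dst + pos, entry, len * sizeof(char16_t));
            pos += len;
        }
        dst[pos++] = 0;
        return pos;
    }

    /* PendingFileRenameOperations holds pairs: source path, then target path. An empty
     * target means "delete at boot" (what MoveFileEx queues). multisz_split cannot be
     * reused because an empty target would look like the list terminator. */
    typedef struct { const char16_t *src; const char16_t *dst; int is_delete; } pending_op_t;

    size_t pending_ops_decode(const char16_t *buf, size_t units, pending_op_t *out, size_t max) {
        size_t i = 0, n = 0;
        while (i < units && buf[i] != 0) {
            const char16_t *src = &buf[i], *dst;
            while (i < units && buf[i] != 0) i++;
            if (++i >= units) break;               /* truncated pair: no target at all */
            dst = &buf[i];
            while (i < units && buf[i] != 0) i++;
            i++;
            if (n < max) { out[n].src = src; out[n].dst = dst; out[n].is_delete = (dst[0] == 0); }
            n++;
        }
        return n;
    }

    /* Constructed samples: the default BootExecute, and a pending list holding one
     * delete (as MoveFileEx writes it, with the \??\ NT prefix) and one rename. */
    static const char16_t sample_bootexecute[] = u"autocheck autochk *\0";
    static const char16_t sample_pending[] =
        u"\\??\\C:\\Temp\\foobar.txt\0\0\\??\\C:\\old.dll\0\\??\\C:\\new.dll\0";
    #define UNITS(a) (sizeof(a) / sizeof((a)[0]))

    #ifdef _WIN32
    /* Live version: read the value, append, write it back (administrator rights needed). */
    int bootexecute_register(const wchar_t *entry) {
        static char16_t cur[4096], next[4096];
        const wchar_t *key = L"SYSTEM\\CurrentControlSet\\Control\\Session Manager";
        DWORD cb = sizeof(cur), type = 0;
        HKEY hk;
        if (RegGetValueW(HKEY_LOCAL_MACHINE, key, L"BootExecute", RRF_RT_REG_MULTI_SZ, &type, cur, &cb) != ERROR_SUCCESS) return 0;
        size_t n = bootexecute_append(next, UNITS(next), cur, cb / sizeof(char16_t), (const char16_t *)entry);
        if (n == 0 || RegOpenKeyExW(HKEY_LOCAL_MACHINE, key, 0, KEY_SET_VALUE, &hk) != ERROR_SUCCESS) return 0;
        LSTATUS rc = RegSetValueExW(hk, L"BootExecute", 0, REG_MULTI_SZ, (const BYTE *)next, (DWORD)(n * sizeof(char16_t)));
        RegCloseKey(hk);
        return rc == ERROR_SUCCESS;
    }
    #endif

    int main(void) {
        char16_t out[128];
        pending_op_t ops[8];
        size_t n = bootexecute_append(out, UNITS(out), sample_bootexecute, UNITS(sample_bootexecute), u"myavclean");
        size_t k = pending_ops_decode(sample_pending, UNITS(sample_pending), ops, 8);
        printf("BootExecute is now %zu units; %zu pending ops, first is a delete: %d\n", n, k, ops[0].is_delete);
        return 0;
    }
    ```

    The hypothetical "myavclean" entry stands for a native image placed in %SystemRoot%\System32, since smss.exe resolves BootExecute entries relative to that directory; anything you register there runs as SYSTEM before any security product is loaded, so the same value is worth checking from the defensive side as well.
    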
