📄 jiurldriver.cpp
字号:
#include "JiurlDriver.h"
void DriverUnload(IN PDRIVER_OBJECT DriverObject);
NTSTATUS DriverDispatch (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
BOOLEAN JiurlMmIsBlockValid (PVOID StartVa,ULONG nBytes);
BOOLEAN JiurlMmIsAddressValid (PVOID Va);
BOOLEAN JiurlReadMemory(
PVOID StartVa,
ULONG nBytes,
PVOID lpBuffer);
BOOLEAN JiurlReadProcessMemory(
PVOID pEProcess,
PVOID StartVa,
ULONG nBytes,
PVOID lpBuffer);
NTSTATUS
DriverEntry(IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath)
{
DbgPrint("Hello, from DriverEntry\n");
DriverObject->MajorFunction[IRP_MJ_CREATE] =
DriverObject->MajorFunction[IRP_MJ_CLOSE] =
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DriverDispatch;
DriverObject->DriverUnload=DriverUnload;
/////////////////////////////////////////////////////
NTSTATUS ret;
PDEVICE_OBJECT deviceObject= NULL;
WCHAR deviceNameBuffer[]= L"\\Device\\JiurlDriver";
UNICODE_STRING deviceNameUnicodeString;
RtlInitUnicodeString (&deviceNameUnicodeString, deviceNameBuffer);
ret=IoCreateDevice(DriverObject,0,&deviceNameUnicodeString,
FILE_DEVICE_UNKNOWN,0,FALSE,&deviceObject);
WCHAR deviceLinkBuffer[]= L"\\??\\JiurlSymbolicLink";
UNICODE_STRING deviceLinkUnicodeString;
RtlInitUnicodeString (&deviceLinkUnicodeString, deviceLinkBuffer);
ret=IoCreateSymbolicLink(&deviceLinkUnicodeString,
&deviceNameUnicodeString);
return STATUS_SUCCESS;
}
// -----------------------------------------------------------------
void DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
DbgPrint("Bye, from DriverUnload\n");
WCHAR deviceLinkBuffer[]= L"\\??\\JiurlSymbolicLink";
UNICODE_STRING deviceLinkUnicodeString;
RtlInitUnicodeString (&deviceLinkUnicodeString, deviceLinkBuffer);
IoDeleteSymbolicLink (&deviceLinkUnicodeString);
IoDeleteDevice( DriverObject->DeviceObject );
}
// -----------------------------------------------------------------
NTSTATUS
DriverDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
PIO_STACK_LOCATION irpStack;
PVOID ioBuffer;
ULONG inputBufferLength;
ULONG outputBufferLength;
ULONG ioControlCode;
NTSTATUS ntStatus;
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
irpStack = IoGetCurrentIrpStackLocation (Irp);
ioBuffer = Irp->AssociatedIrp.SystemBuffer;
inputBufferLength = irpStack->Parameters.DeviceIoControl.InputBufferLength;
outputBufferLength = irpStack->Parameters.DeviceIoControl.OutputBufferLength;
int ret;
switch (irpStack->MajorFunction)
{
case IRP_MJ_DEVICE_CONTROL:
{
DbgPrint("IRP_MJ_DEVICE_CONTROL\n");
ioControlCode = irpStack->Parameters.DeviceIoControl.IoControlCode;
switch (ioControlCode)
{
case JIURL_PROCESS_MEM_OUTPUT:
{
DbgPrint("JIURL_PROCESS_MEM_OUTPUT\n");
PMEMORY_INFO pMemInfo;
pMemInfo=(PMEMORY_INFO)ioBuffer;
PVOID StartVa=(PVOID)pMemInfo->StartVa;
ULONG nBytes=pMemInfo->nBytes;
ULONG ProcessId=pMemInfo->ProcessId;
PVOID pEProcess;
if(ProcessId==0)
{
pEProcess=(PEPROCESS)*(ULONG*)PsIdleProcess;
}
else
{
ret= PsLookupProcessByProcessId(ProcessId,&pEProcess);
if(!NT_SUCCESS(ret))
{
DbgPrint("Error PsLookupProcessByProcessId 0x%08x\n",ret);
break;
}
}
ret=JiurlReadProcessMemory(
pEProcess,StartVa,nBytes,ioBuffer);
if(ret==1)
{
DbgPrint("nBytes 0x%08x\n",nBytes);
Irp->IoStatus.Information=nBytes;
}
break;
}
case JIURL_PROCESS_NAME_OUTPUT:
{
DbgPrint("JIURL_PROCESS_NAME_OUTPUT\n");
ULONG ProcessId=*(ULONG*)ioBuffer;
PVOID pEProcess;
if(ProcessId==0)
{
pEProcess=(PEPROCESS)*(ULONG*)PsIdleProcess;
}
else
{
ret= PsLookupProcessByProcessId(ProcessId,&pEProcess);
if(!NT_SUCCESS(ret))
{
DbgPrint("Error PsLookupProcessByProcessId 0x%08x\n",ret);
break;
}
}
if(pEProcess!=0)
{
RtlCopyMemory (ioBuffer,
((char *)pEProcess)+PROCESS_NAME_OFFSET, 16);
Irp->IoStatus.Information=16;
}
break;
}
case JIURL_PROCESS_VADROOT_OUTPUT:
{
DbgPrint("JIURL_PROCESS_VADROOT_OUTPUT\n");
ULONG ProcessId=*(ULONG*)ioBuffer;
PVOID pEProcess;
if(ProcessId==0)
{
pEProcess=(PEPROCESS)*(ULONG*)PsIdleProcess;
}
else
{
ret= PsLookupProcessByProcessId(ProcessId,&pEProcess);
if(!NT_SUCCESS(ret))
{
DbgPrint("Error PsLookupProcessByProcessId 0x%08x\n",ret);
break;
}
}
if(pEProcess!=0)
{
RtlCopyMemory (ioBuffer,
((char *)pEProcess)+VADROOT_OFFSET, 4);
Irp->IoStatus.Information=4;
}
break;
}
case JIURL_PROCESS_PEB_OUTPUT:
{
DbgPrint("JIURL_PROCESS_PEB_OUTPUT\n");
ULONG ProcessId=*(ULONG*)ioBuffer;
PVOID pEProcess;
if(ProcessId==0)
{
pEProcess=(PEPROCESS)*(ULONG*)PsIdleProcess;
}
else
{
ret= PsLookupProcessByProcessId(ProcessId,&pEProcess);
if(!NT_SUCCESS(ret))
{
DbgPrint("Error PsLookupProcessByProcessId 0x%08x\n",ret);
break;
}
}
if(pEProcess!=0)
{
RtlCopyMemory (ioBuffer,
((char *)pEProcess)+PEB_OFFSET, 4);
Irp->IoStatus.Information=4;
}
break;
}
case JIURL_ThreadListHead_OUTPUT:
{
DbgPrint("JIURL_ThreadListHead_OUTPUT\n");
ULONG ProcessId=*(ULONG*)ioBuffer;
PVOID pEProcess;
if(ProcessId==0)
{
pEProcess=(PEPROCESS)*(ULONG*)PsIdleProcess;
}
else
{
ret= PsLookupProcessByProcessId(ProcessId,&pEProcess);
if(!NT_SUCCESS(ret))
{
DbgPrint("Error PsLookupProcessByProcessId 0x%08x\n",ret);
break;
}
}
if(pEProcess!=0)
{
*(ULONG*)ioBuffer=
(ULONG)(((char *)pEProcess)+tListHead_OFFSET);
Irp->IoStatus.Information=4;
}
break;
}
default:
{
DbgPrint("unknown IRP_MJ_DEVICE_CONTROL\n");
Irp->IoStatus.Status = STATUS_INVALID_PARAMETER;
break;
}
}
break;
}
case IRP_MJ_CREATE:
{
DbgPrint("DispatchCreate\n");
break;
}
case IRP_MJ_CLOSE:
{
DbgPrint("DispatchClose\n");
break;
}
}
ntStatus = Irp->IoStatus.Status;
IoCompleteRequest (Irp,IO_NO_INCREMENT);
return ntStatus;
}
// -----------------------------------------------------------------
BOOLEAN JiurlMmIsAddressValid (PVOID Va)
{
#define X86_PTE_ARRAY ((ULONG*)0xC0000000)
#define X86_PDE_ARRAY ((ULONG*)0xC0300000)
ULONG pde,pte;
pde=X86_PDE_ARRAY [(ULONG)Va>>22];
int ret=0;
if(pde&0x1)
{
if(pde&0x80)
{
ret=1;
}
else
{
pte=X86_PTE_ARRAY [(ULONG)Va>>12];
if(pte!=0)
{
ret =1;
}
}
}
return ret;
}
// -----------------------------------------------------------------
BOOLEAN JiurlMmIsBlockValid (PVOID StartVa,ULONG nBytes)
{
PCHAR pData;
ULONG nData;
BOOLEAN ret;
ret=TRUE;
if(nBytes!=0)
{
pData=(char*)((unsigned int)StartVa & 0xFFFFF000);
nData=(((nBytes+ (((unsigned int)StartVa)&0x00000FFF) -1)/PAGE_SIZE)+1)*PAGE_SIZE;
do
{
ret=JiurlMmIsAddressValid(pData);
nData -= PAGE_SIZE;
pData += PAGE_SIZE;
}
while(ret && nData);
}
return ret;
}
// -----------------------------------------------------------------
BOOLEAN JiurlReadMemory(
PVOID StartVa,
ULONG nBytes,
PVOID lpBuffer)
{
BOOLEAN ret;
ret=JiurlMmIsBlockValid( StartVa, nBytes );
if(ret==1)
{
DbgPrint("Mem Valid\n");
RtlCopyMemory (lpBuffer, StartVa, nBytes);
}
else
{
DbgPrint("Mem Not Valid\n");
}
return ret;
}
// -----------------------------------------------------------------
BOOLEAN JiurlReadProcessMemory(
PVOID pEProcess,
PVOID StartVa,
ULONG nBytes,
PVOID lpBuffer)
{
BOOLEAN ret;
KeAttachProcess(pEProcess);
ret=JiurlReadMemory(StartVa,nBytes,lpBuffer);
KeDetachProcess();
if(ret==1)
{
DbgPrint("JiurlReadProcessMemory SUCCESS\n");
}
else
{
DbgPrint("JiurlReadProcessMemory ERROR\n");
}
return ret;
}
// -----------------------------------------------------------------
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -