driver.c

一个拷贝系统的SAM 文件的示例,附带驱动源码.

#include <ntddk.h>
#include "driver.h"

UNICODE_STRING DeviceName;
UNICODE_STRING SymbolicLinkName;
PDEVICE_OBJECT deviceObject;

#define BASE_IOCTL (FILE_DEVICE_UNKNOWN << 16) | (FILE_READ_ACCESS << 14) | METHOD_BUFFERED

#define IOCTL1 BASE_IOCTL | (1 << 2)

ULONG ObjectTableOffset = 0;

ExLookupHandleTableEntryPtr ExLookupHandleTableEntry;

void DriverUnload(
            IN PDRIVER_OBJECT DriverObject
            )
{
	IoDeleteSymbolicLink(&SymbolicLinkName);
    IoDeleteDevice(deviceObject);
}

PHANDLE_TABLE_ENTRY 
	XpLookupHandleTableEntry(
	           IN PXP_HANDLE_TABLE HandleTable,
	           IN EXHANDLE         Handle
	           )
{
	ULONG i, j, k;
	PHANDLE_TABLE_ENTRY Entry = NULL;
	ULONG TableCode = HandleTable->TableCode & ~TABLE_LEVEL_MASK;

    i = (Handle.Index >> 17) & 0x1FF;
    j = (Handle.Index >> 9)  & 0x1FF;
    k = (Handle.Index)       & 0x1FF;

	switch (HandleTable->TableCode & TABLE_LEVEL_MASK)
	{
		case 0 :
		  Entry = &((PHANDLE_TABLE_ENTRY)TableCode)[k];
		break;
		
		case 1 :
		  if (((PVOID *)TableCode)[j]) 
		  {
		  	 Entry = &((PHANDLE_TABLE_ENTRY *)TableCode)[j][k];			
		  }
		break;
		case 2 :
		  if (((PVOID *)TableCode)[i])
		  if (((PVOID **)TableCode)[i][j])
		  {
		     Entry = &((PHANDLE_TABLE_ENTRY **)TableCode)[i][j][k];				  		 
		  }
		break;
	}
	return Entry;
}


PHANDLE_TABLE_ENTRY
	Win2kLookupHandleTableEntry(
			IN PWIN2K_HANDLE_TABLE HandleTable,
			IN EXHANDLE            Handle
			)
{
    ULONG i, j, k;

	i = (Handle.Index >> 16) & 255;
    j = (Handle.Index >> 8)  & 255;
    k = (Handle.Index)       & 255;
	
    if (HandleTable->Table[i]) 
	{
		if (HandleTable->Table[i][j])
		{
			return &(HandleTable->Table[i][j][k]);
		}   
    }
	return NULL;    
}

BOOLEAN SetHandleAccess(
				IN HANDLE      Handle,
				IN ACCESS_MASK GrantedAccess
				)
{
	PHANDLE_TABLE       ObjectTable = *(PHANDLE_TABLE *)RVATOVA(PsGetCurrentProcess(), ObjectTableOffset);
	PHANDLE_TABLE_ENTRY Entry;
	EXHANDLE            ExHandle;

	ExHandle.GenericHandleOverlay = Handle;

	Entry = ExLookupHandleTableEntry(ObjectTable, ExHandle);

	if (Entry) Entry->GrantedAccess = GrantedAccess;

	return Entry > 0;
}


NTSTATUS DriverIoControl(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp)
{
    PIO_STACK_LOCATION pisl     = IoGetCurrentIrpStackLocation(Irp);
    NTSTATUS           status   = STATUS_UNSUCCESSFUL;
	ULONG              BuffSize = pisl->Parameters.DeviceIoControl.InputBufferLength;
	PUCHAR             pBuff    = Irp->AssociatedIrp.SystemBuffer;
	HANDLE             Handle;
	ACCESS_MASK        GrantedAccess;

	Irp->IoStatus.Information = 0;

	switch(pisl->Parameters.DeviceIoControl.IoControlCode)
	{
		case IOCTL1: 
			if (pBuff && BuffSize >= sizeof(HANDLE) + sizeof(ACCESS_MASK))
			{
				Handle        = *(HANDLE*)pBuff;
				GrantedAccess = *(ACCESS_MASK*)(pBuff + sizeof(HANDLE));

				if (Handle != (HANDLE)-1 && SetHandleAccess(Handle, GrantedAccess)) status = STATUS_SUCCESS;
				
			}		
		break;
	}   

    Irp->IoStatus.Status = status;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}

NTSTATUS DriverCreateClose(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp)
{
    Irp->IoStatus.Information = 0;
    Irp->IoStatus.Status = STATUS_SUCCESS;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}


NTSTATUS DriverEntry(
			IN PDRIVER_OBJECT DriverObject,
            IN PUNICODE_STRING RegistryPath
			)
{
	PCWSTR   dDeviceName       = L"\\Device\\haccess";
	PCWSTR   dSymbolicLinkName = L"\\DosDevices\\haccess";
	NTSTATUS status;
	PDRIVER_DISPATCH *ppdd;

	RtlInitUnicodeString(&DeviceName,       dDeviceName);
    RtlInitUnicodeString(&SymbolicLinkName, dSymbolicLinkName);

	switch (*NtBuildNumber)
	{
		case 2600:
			ObjectTableOffset = 0x0C4;
			ExLookupHandleTableEntry = XpLookupHandleTableEntry;
		break;

		case 2195:
			ObjectTableOffset = 0x128;
			ExLookupHandleTableEntry = Win2kLookupHandleTableEntry;
		break;

		default: return STATUS_UNSUCCESSFUL;
	}

	status = IoCreateDevice(DriverObject, 
		                    0, 
							&DeviceName, 
							FILE_DEVICE_UNKNOWN, 
							0, 
							TRUE, 
							&deviceObject);
	
	if (NT_SUCCESS(status)) 
	{
		status = IoCreateSymbolicLink(&SymbolicLinkName, &DeviceName);

		if (!NT_SUCCESS(status)) IoDeleteDevice(deviceObject);

		DriverObject->DriverUnload = DriverUnload;
	}

	ppdd = DriverObject->MajorFunction;
   
	ppdd [IRP_MJ_CREATE] =
    ppdd [IRP_MJ_CLOSE ] = DriverCreateClose;
    ppdd [IRP_MJ_DEVICE_CONTROL ] = DriverIoControl;

	return status;
}

#define AC_GENERIC_READ        0x120089
#define AC_GENERIC_WRITE       0x120196
#define AC_DELETE              0x110080
#define AC_READ_CONTROL        0x120080
#define AC_WRITE_DAC           0x140080
#define AC_WRITE_OWNER         0x180080
#define AC_GENERIC_ALL         0x1f01ff
#define AC_STANDARD_RIGHTS_ALL 0x1f0080