📄 dbkdrvr.c.svn-base

📁 这是一段游戏修改工具的源代码。ring3 功能由 Delphi 开发，驱动由 C 开发。希望对大家有帮助。

	DbgPrint("Loading driver\n");
	DbgPrint("Registry path = %S\n", RegistryPath->Buffer);

	InitializeObjectAttributes(&oa,RegistryPath,OBJ_KERNEL_HANDLE ,NULL,NULL);
	ntStatus=ZwOpenKey(&reg,KEY_QUERY_VALUE,&oa);
	if (ntStatus == STATUS_SUCCESS)
	{
		UNICODE_STRING A,B,C,D;
		PVOID buf;
		PKEY_VALUE_PARTIAL_INFORMATION bufA,bufB,bufC,bufD;
		ULONG ActualSize;

		DbgPrint("Opened the key\n");

		BufDriverString=ExAllocatePool(PagedPool,sizeof(KEY_VALUE_PARTIAL_INFORMATION)+100);
		BufDeviceString=ExAllocatePool(PagedPool,sizeof(KEY_VALUE_PARTIAL_INFORMATION)+100);
		BufProcessEventString=ExAllocatePool(PagedPool,sizeof(KEY_VALUE_PARTIAL_INFORMATION)+100);
		BufThreadEventString=ExAllocatePool(PagedPool,sizeof(KEY_VALUE_PARTIAL_INFORMATION)+100);

		bufA=BufDriverString;
		bufB=BufDeviceString;
		bufC=BufProcessEventString;
		bufD=BufThreadEventString;

		RtlInitUnicodeString(&A, L"A");
		RtlInitUnicodeString(&B, L"B");
		RtlInitUnicodeString(&C, L"C");
		RtlInitUnicodeString(&D, L"D");

		if (ntStatus == STATUS_SUCCESS)
			ntStatus=ZwQueryValueKey(reg,&A,KeyValuePartialInformation ,bufA,sizeof(KEY_VALUE_PARTIAL_INFORMATION)+100,&ActualSize);
		if (ntStatus == STATUS_SUCCESS)
			ntStatus=ZwQueryValueKey(reg,&B,KeyValuePartialInformation ,bufB,sizeof(KEY_VALUE_PARTIAL_INFORMATION)+100,&ActualSize);
		if (ntStatus == STATUS_SUCCESS)
			ntStatus=ZwQueryValueKey(reg,&C,KeyValuePartialInformation ,bufC,sizeof(KEY_VALUE_PARTIAL_INFORMATION)+100,&ActualSize);
		if (ntStatus == STATUS_SUCCESS)
			ntStatus=ZwQueryValueKey(reg,&D,KeyValuePartialInformation ,bufD,sizeof(KEY_VALUE_PARTIAL_INFORMATION)+100,&ActualSize);

		if (ntStatus == STATUS_SUCCESS)
		{
			DbgPrint("Read ok\n");
			RtlInitUnicodeString(&uszDriverString,(PCWSTR) bufA->Data);
			RtlInitUnicodeString(&uszDeviceString,(PCWSTR) bufB->Data);
			RtlInitUnicodeString(&uszProcessEventString,(PCWSTR) bufC->Data);
			RtlInitUnicodeString(&uszThreadEventString,(PCWSTR) bufD->Data);
		}
		else
		{
			ExFreePool(bufA);
			ExFreePool(bufB);
			ExFreePool(bufC);
			ExFreePool(bufD);

			DbgPrint("Failed reading the value\n");
			ZwClose(reg);
			return STATUS_UNSUCCESSFUL;;
		}

	}
	else
	{
		DbgPrint("Failed opening the key\n");
		return STATUS_UNSUCCESSFUL;;
	}

	ntStatus = STATUS_SUCCESS;

    // Point uszDriverString at the driver name
#ifndef CETC
	
	
	// Create and initialize device object
    ntStatus = IoCreateDevice(DriverObject,
                              0,
                              &uszDriverString,
                              FILE_DEVICE_UNKNOWN,
                              0,
                              FALSE,
                              &pDeviceObject);

    if(ntStatus != STATUS_SUCCESS)
	{
		ExFreePool(BufDriverString);
		ExFreePool(BufDeviceString);
		ExFreePool(BufProcessEventString);
		ExFreePool(BufThreadEventString);
		
		ZwClose(reg);
        return ntStatus;
	}

    // Point uszDeviceString at the device name
	
    // Create symbolic link to the user-visible name
    ntStatus = IoCreateSymbolicLink(&uszDeviceString, &uszDriverString);

    if(ntStatus != STATUS_SUCCESS)
    {
        // Delete device object if not successful
        IoDeleteDevice(pDeviceObject);

		ExFreePool(BufDriverString);
		ExFreePool(BufDeviceString);
		ExFreePool(BufProcessEventString);
		ExFreePool(BufThreadEventString);
		

		ZwClose(reg);
        return ntStatus;
    }

#endif


    // Load structure to point to IRP handlers...
    DriverObject->DriverUnload                         = MSJUnloadDriver;
    DriverObject->MajorFunction[IRP_MJ_CREATE]         = MSJDispatchCreate;
    DriverObject->MajorFunction[IRP_MJ_CLOSE]          = MSJDispatchClose;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = MSJDispatchIoctl;

	DebuggedProcessID=0;				
	
	ProtectOn=FALSE;
	ImageNotifyRoutineLoaded=FALSE;
	LastForegroundWindow=0;
	ProtectedProcessID=0;
	ModuleList=NULL;
	ModuleListSize=0;
	KernelCopy=0;

	globaldebug=0;

	newthreaddatafiller=IoAllocateWorkItem(pDeviceObject);

	//

	//Processlist init
#ifndef CETC
/*	DbgPrint("Creating ProcessEvent with name : %S",uszProcessEventString.Buffer);
	ProcessEvent=IoCreateNotificationEvent(&uszProcessEventString, &ProcessEventHandle);
	if (ProcessEvent==NULL)
		DbgPrint("Failed creating ProcessEvent");

	KeClearEvent(ProcessEvent);*/

	ProcessEventCount=0;
	KeInitializeSpinLock(&ProcesslistSL);
#endif

	CreateProcessNotifyRoutineEnabled=FALSE;

	//threadlist init
#ifndef CETC
/*	DbgPrint("Creating ThreadEvent with name : %S",uszThreadEventString.Buffer);
	ThreadEvent=IoCreateNotificationEvent(&uszThreadEventString, &ThreadEventHandle);
	if (ThreadEvent==NULL)
		DbgPrint("Failed creating ThreadEvent\n");

	KeClearEvent(ThreadEvent);	*/
#endif

	ThreadEventCount=0;
	for (i=0; i<32;i++)
		IDTAddresses[i]=0; //init. I dont know for sure if it gets set to NULL by default so let's be sure

	RtlZeroMemory(&DebugEvents[0],50*sizeof(DebugEvent));
	
	BufferSize=0;
	processlist=NULL;

	OriginalInt1.wHighOffset=0;
	OriginalInt3.wHighOffset=0;

	ChangeRegistersOnBP=FALSE;
	for (i=0;i<4;i++)
		ChangeRegs[i].Active=FALSE;

    //determine if PAE is used
	cr4reg=getCR4();

	if ((cr4reg & 0x20)==0x20)
	{
		PTESize=8; //pae
		PAGE_SIZE_LARGE=0x200000;
		MAX_PDE_POS=0xC0604000;
		
	}
	else
	{
		PTESize=4;
		PAGE_SIZE_LARGE=0x400000;
		MAX_PDE_POS=0xC0301000;
	}

#ifdef CETC
	DbgPrint("Going to initialice CETC\n");
	InitializeCETC();
#endif


	UsesAlternateMethod=FALSE;

    //hideme(DriverObject); //ok, for those that see this, enabling this WILL fuck up try except routines, even in usermode you'll get a blue sreen
	

	// Return success (don't do the devicestring, I need it for unload)
	ExFreePool(BufDriverString);
	ExFreePool(BufProcessEventString);
	ExFreePool(BufThreadEventString);
		
	ZwClose(reg);    
    return ntStatus;
}


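/*
 * MSJDispatchCreate - IRP_MJ_CREATE handler for the device.
 *
 * Every open of the device is accepted: the IRP is marked successful
 * with zero bytes transferred, completed, and STATUS_SUCCESS is
 * returned. No per-handle state is allocated and no access check is
 * performed in this routine, so any caller that can reach the device
 * object obtains a handle; restricting who may open it has to happen
 * elsewhere (e.g. when the device object is created).
 *
 * DeviceObject: the target device; unused here.
 * Irp:          the create request to complete.
 * Returns STATUS_SUCCESS.
 */
NTSTATUS MSJDispatchCreate(IN PDEVICE_OBJECT DeviceObject,
                       IN PIRP Irp)
{
    /* Parameter is part of the dispatch signature but not needed here;
     * reference it so the build stays clean under -Wunused-parameter. */
    (void)DeviceObject;

    /* Nothing to set up on open: report success, no data returned. */
    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;

    /* Complete without a priority boost (IO_NO_INCREMENT). */
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}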


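/*
 * MSJDispatchClose - IRP_MJ_CLOSE handler for the device.
 *
 * Mirrors MSJDispatchCreate: the close request is marked successful with
 * zero bytes transferred and completed. Nothing is torn down per handle
 * because the create path allocated nothing per handle; any state the
 * driver keeps in file-scope globals is therefore NOT reset when a
 * user-mode client closes its handle.
 *
 * DeviceObject: the target device; unused here.
 * Irp:          the close request to complete.
 * Returns STATUS_SUCCESS.
 */
NTSTATUS MSJDispatchClose(IN PDEVICE_OBJECT DeviceObject,
                       IN PIRP Irp)
{
    /* Parameter is part of the dispatch signature but not needed here;
     * reference it so the build stays clean under -Wunused-parameter. */
    (void)DeviceObject;

    /* No per-handle resources to release: just report success. */
    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;

    /* Complete without a priority boost (IO_NO_INCREMENT). */
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}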


NTSTATUS MSJDispatchIoctl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    NTSTATUS ntStatus;
    PIO_STACK_LOCATION     irpStack = IoGetCurrentIrpStackLocation(Irp);

	
    switch(irpStack->Parameters.DeviceIoControl.IoControlCode)
    {
        case IOCTL_CE_READMEMORY:			
			__try
			{
				struct input
				{
					UINT_PTR processid;
					char *startaddress;
					unsigned short int bytestoread;
				} *pinp,inp;
				PEPROCESS selectedprocess;			

				pinp=Irp->AssociatedIrp.SystemBuffer;

				ntStatus=ReadProcessMemory(pinp->processid,NULL,pinp->startaddress,pinp->bytestoread,pinp) ? STATUS_SUCCESS : STATUS_UNSUCCESSFUL;
			}
			__except(1)
			{
				ntStatus = STATUS_UNSUCCESSFUL;
			};
				
            break;

        case IOCTL_CE_WRITEMEMORY:
			__try
			{
				struct input
				{
					UINT_PTR processid;
					void *startaddress;
					unsigned short int bytestowrite;
				} *pinp,inp;
				PEPROCESS selectedprocess;

				pinp=Irp->AssociatedIrp.SystemBuffer;
				ntStatus=WriteProcessMemory(pinp->processid,NULL,pinp->startaddress,pinp->bytestowrite,(PVOID)((UINT_PTR)pinp+sizeof(inp))) ? STATUS_SUCCESS : STATUS_UNSUCCESSFUL;
			}
			__except(1)
			{
				//something went wrong and I don't know what
				ntStatus = STATUS_UNSUCCESSFUL;
			};


				
            break;


		case IOCTL_CE_OPENPROCESS:
			{					
				PEPROCESS selectedprocess;
				PHANDLE pid=Irp->AssociatedIrp.SystemBuffer;
				HANDLE ProcessHandle=0;

				ntStatus=STATUS_SUCCESS;

				__try
				{
					ProcessHandle=0;

					if (PsLookupProcessByProcessId((PVOID)(*pid),&selectedprocess)==STATUS_SUCCESS)
					{		

							DbgPrint("Calling ObOpenObjectByPointer\n");
							ntStatus=ObOpenObjectByPointer ( 
										selectedprocess,
										0,
										NULL,
										PROCESS_ALL_ACCESS,
										*PsProcessType,
										KernelMode, //UserMode,
										&ProcessHandle);

							DbgPrint("ntStatus=%x",ntStatus);
					}
				}
				__except(1)
				{
					ntStatus=STATUS_UNSUCCESSFUL;
				}			
				*pid=ProcessHandle;
				break;
			}

		case IOCTL_CE_OPENTHREAD:
			{
				HANDLE ThreadHandle;
				CLIENT_ID ClientID;
				OBJECT_ATTRIBUTES ObjectAttributes;
				PHANDLE tid;
	
				RtlZeroMemory(&ObjectAttributes,sizeof(OBJECT_ATTRIBUTES));

				ntStatus=STATUS_SUCCESS;
				tid=Irp->AssociatedIrp.SystemBuffer;

				ClientID.UniqueProcess=0;
				ClientID.UniqueThread=*tid;
				ThreadHandle=0;

				__try
				{
					ThreadHandle=0;
					ntStatus=ZwOpenThread(&ThreadHandle,PROCESS_ALL_ACCESS,&ObjectAttributes,&ClientID);									
				}
				__except(1)
				{
					ntStatus=STATUS_UNSUCCESSFUL;
				}
			
				*tid=ThreadHandle;
				

				break;
			}

		case IOCTL_CE_MAKEWRITABLE:
			{
				struct InputBuf
				{
				    PVOID StartAddress;
					ULONG Size;
					BYTE CopyOnWrite;
				} *PInputBuf;

				PInputBuf=Irp->AssociatedIrp.SystemBuffer;
				
				ntStatus=MakeWritable(PInputBuf->StartAddress,PInputBuf->Size,(PInputBuf->CopyOnWrite==1)) ? STATUS_SUCCESS : STATUS_UNSUCCESSFUL; 
				break;
			}


		case IOCTL_CE_QUERY_VIRTUAL_MEMORY:
			{
				struct InputBuf
				{
				    UINT_PTR ProcessID;
					UINT_PTR StartAddress;
				} *PInputBuf;

				struct OutputBuf
				{				
					UINT_PTR length;
					UINT_PTR protection;
				} *POutputBuf;

				
			     
				UINT_PTR BaseAddress;
				PEPROCESS selectedprocess;
				
                ntStatus=STATUS_SUCCESS;
				PInputBuf=Irp->AssociatedIrp.SystemBuffer;
				POutputBuf=Irp->AssociatedIrp.SystemBuffer;

				ntStatus=GetMemoryRegionData(PInputBuf->ProcessID,NULL,(PVOID)(PInputBuf->StartAddress),&(POutputBuf->protection),&(POutputBuf->length),&BaseAddress) ? STATUS_SUCCESS : STATUS_UNSUCCESSFUL;

				
				break;
			}

		case IOCTL_CE_TEST: //just a test to see it's working
			{
				PEPROCESS selectedprocess=NULL;

				DbgPrint("test\n");

				__try
				{
					PMDL mdl=NULL;
					char *buffer;

					mdl = IoAllocateMdl((PVOID)0x00400000, 0x4096, FALSE, TRUE, NULL);
					if (!mdl)
					{
						DbgPrint("Not enough memory dude!!!!\n");
						ntStatus = STATUS_INSUFFICIENT_RESOURCES;
						break;
					}

			        //PsLookupProcessByProcessId((PVOID)696,&selectedprocess);

					DbgPrint("Before\n");
					DbgPrint("mdl->Process=%x",mdl->Process);
					DbgPrint("mdl->MappedSystemVa=%x",mdl->MappedSystemVa);
					DbgPrint("mdl->StartVa=%x",mdl->StartVa);


					//KeAttachProcess((PEPROCESS)selectedprocess);
					MmProbeAndLockPages(mdl, UserMode, IoReadAccess);
					
					DbgPrint("After\n");
					DbgPrint("mdl->Process=%x",mdl->Process);
					DbgPrint("mdl->MappedSystemVa=%x",mdl->MappedSystemVa);
					DbgPrint("mdl->StartVa=%x",mdl->StartVa);
					

					buffer = MmGetSystemAddressForMdlSafe(mdl, NormalPagePriority );
					//KeDetachProcess();

					
					DbgPrint("buffer=%x\n",(ULONG)buffer);
					//MmUnlockPages(mdl);
					//IoFreeMdl(mdl); 
