/*
SafeRun.C
Author: <your name>
Last Updated: 2006-03-23
This framework is generated by EasySYS 0.3.0
This template file was copied from QuickSYS 0.3.0, written by Chunhua Liu
*/
#include "dbghelp.h"
#include "SafeRun.h"
#include "Ioctlcmd.h"
#include "IrpFile.h"
#include "HookShadowSSDT.h"
//
//
// Process id that the Shadow SSDT hooks protect. Defined in another
// translation unit (presumably the HookShadowSSDT module — confirm); written
// here only by IOCTL_SAFERUN_SETID in SaferunDeviceControl.
//
extern ULONG ProcessIdToProtect;
//
// A structure representing the instance information associated with
// a particular device
//
typedef struct _DEVICE_EXTENSION
{
    // Not read anywhere in this file: DriverEntry passes a DeviceExtensionSize
    // of 0 to IoCreateDevice, so no extension of this type is ever allocated.
    ULONG StateVariable;
} DEVICE_EXTENSION, *PDEVICE_EXTENSION;
//
// Device driver routine declarations.
//
//
// Driver initialization entry point: creates the device and its DOS symbolic
// link, installs the dispatch/unload routines and starts the Shadow SSDT hook.
//
NTSTATUS
DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
);
//
// IOCTL handler invoked by SaferunDispatch for IRP_MJ_DEVICE_CONTROL.
// Result is reported through IoStatus; the BOOLEAN return is always TRUE.
// Only InputBuffer/InputBufferLength/IoControlCode/IoStatus are used.
//
BOOLEAN
SaferunDeviceControl(
IN PFILE_OBJECT FileObject,
IN BOOLEAN Wait,
IN PVOID InputBuffer,
IN ULONG InputBufferLength,
OUT PVOID OutputBuffer,
IN ULONG OutputBufferLength,
IN ULONG IoControlCode,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject
);
//
// Unload routine: removes the Shadow SSDT hook and deletes the link/device.
//
VOID
SaferunUnload(
IN PDRIVER_OBJECT DriverObject
);
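VOID
SaferunUnload(
    IN PDRIVER_OBJECT DriverObject
    )
/*
 * Driver unload routine.
 *
 * DriverObject - the driver being unloaded; DriverObject->DeviceObject is the
 *                single device created in DriverEntry.
 *
 * The Shadow SSDT entries are restored before the device and its symbolic
 * link are deleted, so the driver stops intercepting system calls before any
 * of its own objects disappear. As far as this file shows, UnHookShadowTable()
 * does not wait for threads that are currently executing inside a hook, so
 * unloading a loaded hooker remains unsafe in general (see DriverEntry).
 */
{
    UNICODE_STRING dosDeviceName;

    //
    // Restore the Shadow SSDT first.
    //
    UnHookShadowTable();

    //
    // Delete the symbolic link, then the device object.
    //
    RtlInitUnicodeString(&dosDeviceName, SAFERUN_DOS_DEVICE_NAME_W);
    IoDeleteSymbolicLink(&dosDeviceName);
    IoDeleteDevice(DriverObject->DeviceObject);

    dprintf("[SafeRun] unloaded\n");
}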
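BOOLEAN
SaferunDeviceControl(
    IN PFILE_OBJECT FileObject,
    IN BOOLEAN Wait,
    IN PVOID InputBuffer,
    IN ULONG InputBufferLength,
    OUT PVOID OutputBuffer,
    IN ULONG OutputBufferLength,
    IN ULONG IoControlCode,
    OUT PIO_STATUS_BLOCK IoStatus,
    IN PDEVICE_OBJECT DeviceObject
    )
/*
 * Handles the control codes this driver understands.
 *
 * InputBuffer / InputBufferLength - request data as handed over by
 *     SaferunDispatch (the IRP's SystemBuffer; presumably METHOD_BUFFERED —
 *     confirm against the code definitions in Ioctlcmd.h).
 * IoControlCode - IOCTL_SAFERUN_VERSION or IOCTL_SAFERUN_SETID; anything
 *     else fails with STATUS_INVALID_DEVICE_REQUEST.
 * IoStatus - receives the completion status. Information is always 0 because
 *     no code implemented here writes to OutputBuffer.
 *
 * Returns TRUE in every case; the outcome of the request is IoStatus->Status.
 * FileObject, Wait, OutputBuffer, OutputBufferLength and DeviceObject belong
 * to the historical signature and are not used.
 */
{
    IoStatus->Status = STATUS_SUCCESS;      // assume success
    IoStatus->Information = 0;              // nothing is ever written back

    switch (IoControlCode)
    {
    case IOCTL_SAFERUN_VERSION:
        //
        // Some app is saying hello; nothing to do.
        //
        break;

    case IOCTL_SAFERUN_SETID:
    {
        ULONG dwTemp = 0;

        //
        // Reject a missing or short input buffer. The failure goes into
        // Status, not Information, so the caller actually sees it.
        //
        if (InputBuffer == NULL || InputBufferLength < sizeof(ULONG))
        {
            IoStatus->Status = STATUS_INVALID_PARAMETER;
            break;
        }

        //
        // NOTE(review): nothing here checks who is asking; any caller able to
        // open the device can change the protected process id.
        //
        memcpy(&dwTemp, InputBuffer, sizeof(ULONG));
        ProcessIdToProtect = dwTemp;
        break;
    }

    default:
        KdPrint (("[SafeRun] unknown IRP_MJ_DEVICE_CONTROL\n"));
        IoStatus->Status = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    return TRUE;
}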
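NTSTATUS
SaferunDispatch(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    )
/*
 * Single dispatch routine for IRP_MJ_CREATE, IRP_MJ_CLOSE, IRP_MJ_SHUTDOWN
 * and IRP_MJ_DEVICE_CONTROL (DriverEntry points all four slots here).
 *
 * DeviceObject - the device the IRP was sent to; forwarded to
 *                SaferunDeviceControl.
 * Irp          - the request. It is always completed here with
 *                IO_NO_INCREMENT.
 *
 * Returns STATUS_SUCCESS unconditionally; per-request failures are reported
 * through Irp->IoStatus, which SaferunDeviceControl fills in.
 */
{
    PIO_STACK_LOCATION irpStack;
    PVOID inputBuffer;
    PVOID outputBuffer;
    ULONG inputBufferLength;
    ULONG outputBufferLength;
    ULONG ioControlCode;

    //
    // Go ahead and set the request up as successful.
    //
    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;

    //
    // The current stack location holds the function code and parameters.
    //
    irpStack = IoGetCurrentIrpStackLocation (Irp);

    //
    // Both buffers alias the IRP's SystemBuffer, which is only correct for
    // METHOD_BUFFERED control codes — confirm in Ioctlcmd.h that no direct or
    // METHOD_NEITHER code is defined. The DeviceIoControl parameters are a
    // union member that is meaningful only for IRP_MJ_DEVICE_CONTROL; they
    // are read unconditionally but used only in that case.
    //
    inputBuffer = Irp->AssociatedIrp.SystemBuffer;
    inputBufferLength = irpStack->Parameters.DeviceIoControl.InputBufferLength;
    outputBuffer = Irp->AssociatedIrp.SystemBuffer;
    outputBufferLength = irpStack->Parameters.DeviceIoControl.OutputBufferLength;
    ioControlCode = irpStack->Parameters.DeviceIoControl.IoControlCode;

    switch (irpStack->MajorFunction) {
    case IRP_MJ_CREATE:
        KdPrint(("[SafeRun] IRP_MJ_CREATE\n"));
        break;

    case IRP_MJ_SHUTDOWN:
        KdPrint(("[SafeRun] IRP_MJ_SHUTDOWN\n"));
        break;

    case IRP_MJ_CLOSE:
        KdPrint(("[SafeRun] IRP_MJ_CLOSE\n"));
        break;

    case IRP_MJ_DEVICE_CONTROL:
        KdPrint (("[SafeRun] IRP_MJ_DEVICE_CONTROL\n"));
        SaferunDeviceControl(
            irpStack->FileObject, TRUE, inputBuffer, inputBufferLength,
            outputBuffer, outputBufferLength, ioControlCode, &Irp->IoStatus, DeviceObject );
        break;

    default:
        KdPrint (("[SafeRun] IRP_OTHER\n"));
        break;
    }

    IoCompleteRequest( Irp, IO_NO_INCREMENT );
    return STATUS_SUCCESS;
}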
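NTSTATUS
DriverEntry(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    )
/*
 * Driver initialization.
 *
 * DriverObject - the driver object to populate with dispatch/unload routines.
 * RegistryPath - the driver's service key; only logged here.
 *
 * Creates the device named SAFERUN_DEVICE_NAME_W, the DOS symbolic link
 * SAFERUN_DOS_DEVICE_NAME_W, wires all handled major functions to
 * SaferunDispatch and installs the Shadow SSDT hook.
 *
 * Returns the NTSTATUS of the first failing call, or STATUS_SUCCESS. On
 * failure everything created so far is deleted again, because a device
 * object must not outlive a DriverEntry that reports an error.
 */
{
    NTSTATUS status;
    UNICODE_STRING ntDeviceName;
    UNICODE_STRING deviceLinkUnicodeString;
    PDEVICE_OBJECT deviceObject = NULL;

    dprintf("[SafeRun] DriverEntry: %wZ\n", RegistryPath);

    //
    // Setup our name and symbolic link.
    //
    RtlInitUnicodeString(&ntDeviceName, SAFERUN_DEVICE_NAME_W);
    RtlInitUnicodeString (&deviceLinkUnicodeString, SAFERUN_DOS_DEVICE_NAME_W );

    //
    // Create an EXCLUSIVE device, i.e. only 1 thread at a time can send
    // i/o requests. No device extension is requested, so the
    // DEVICE_EXTENSION type declared above is unused.
    //
    // NOTE(review): no security descriptor is applied here, so the default
    // device ACL decides who may open the device and issue
    // IOCTL_SAFERUN_SETID; IoCreateDeviceSecure with a restrictive SDDL
    // string would narrow that.
    //
    status = IoCreateDevice(
        DriverObject,
        0,                      // DeviceExtensionSize
        &ntDeviceName,          // DeviceName
        FILE_DEVICE_UNKNOWN,    // DeviceType
        0,                      // DeviceCharacteristics
        TRUE,                   // Exclusive
        &deviceObject           // [OUT]
        );
    if (!NT_SUCCESS(status))
    {
        dprintf("[SafeRun] IoCreateDevice Failed!\n");
        if (deviceObject)       // defensive; expected to be NULL on failure
        {
            IoDeleteDevice(deviceObject);
        }
        return status;
    }
    dprintf("[SafeRun] IoCreateDevice Succeed!\n");

    //
    // Create a symbolic link that the GUI can specify to gain access
    // to this driver/device.
    //
    status = IoCreateSymbolicLink ( &deviceLinkUnicodeString, &ntDeviceName );
    if (!NT_SUCCESS(status))
    {
        dprintf("[SafeRun] IoCreateSymbolicLink Failed!\n");
        //
        // The link was never created, so there is nothing to unlink; the
        // device object, however, has to go.
        //
        IoDeleteDevice(deviceObject);
        return status;
    }
    dprintf("[SafeRun] IoCreateSymbolicLink Succeed!\n");

    //
    // Create dispatch points for all routines that must be handled.
    //
    DriverObject->MajorFunction[IRP_MJ_SHUTDOWN] =
    DriverObject->MajorFunction[IRP_MJ_CREATE] =
    DriverObject->MajorFunction[IRP_MJ_CLOSE] =
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = SaferunDispatch;

    //
    // It is extremely unsafe to unload a system-call hooker; the template
    // this file came from intended unload support for debug builds only, but
    // the unload routine is installed unconditionally here.
    //
    DriverObject->DriverUnload = SaferunUnload;

    HookShadowTable();      // start the Shadow SSDT hook

    return status;
}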