.: Writing Your First VC++ Driver :.
By Nicholas A. Hall
VC++
driver.c
[code]
#include
// IOCTL codes the device accepts. METHOD_BUFFERED: the I/O manager copies the
// caller's input into Irp->AssociatedIrp.SystemBuffer and, on completion,
// copies Irp->IoStatus.Information bytes of that buffer back to the caller's
// output buffer. FILE_ANY_ACCESS: no particular access right is needed to send
// these codes, so the device object's security descriptor is the only thing
// that limits which user-mode process can reach IOControll.
#define IO_HOOK_FUNCTIONS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0001, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IO_UNHOOK_FUNCTIONS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0002, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IO_GETSETINFO CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0003, METHOD_BUFFERED, FILE_ANY_ACCESS)
// Function signatures
// NOTE(review): none of these typedefs is referenced by the code on this page;
// they belong to the hooking code that is commented out below. Before reviving
// them: NTOPENPROCESS returns ULONG where the native routine returns NTSTATUS,
// the NTREADVIRTUALMEMORY/NTWRITEVIRTUALMEMORY duplicates mark their
// byte-count output parameter IN, and none of the typedefs carries the NTAPI
// calling convention, so on a 32-bit build they default to __cdecl unless the
// project changes the default.
typedef ULONG (*NTOPENPROCESS)(OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId OPTIONAL);
typedef NTSTATUS (*NTREADVIRTUALMEMORY)(IN HANDLE hProcess, IN PVOID BaseAddress, OUT PVOID Buffer, IN ULONG BytesToRead,IN PULONG BytesRead);
typedef NTSTATUS (*NTWRITEVIRTUALMEMORY)(IN HANDLE hProcess, IN PVOID BaseAddress, OUT PVOID Buffer, IN ULONG BytesToWrite,IN PULONG BytesRead);
typedef NTSTATUS (*NtReadVirtualMemory)(IN HANDLE ProcessHandle, IN PVOID BaseAddress, OUT PVOID Buffer, IN ULONG BufferLength, OUT PULONG ReturnLength OPTIONAL);
typedef NTSTATUS (*NtWriteVirtualMemory)(IN HANDLE ProcessHandle, IN PVOID BaseAddress, IN PVOID Buffer, IN ULONG BufferLength, OUT PULONG ReturnLength OPTIONAL);
typedef NTSTATUS (*NtProtectVirtualMemory)(IN HANDLE ProcessHandle, IN OUT PVOID *BaseAddress, IN OUT PULONG ProtectSize, IN ULONG NewProtect, OUT PULONG OldProtect);
typedef NTSTATUS (*NtDeviceIoControlFile)(IN HANDLE FileHandle, IN HANDLE Event OPTIONAL, IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL, OUT PIO_STATUS_BLOCK IoStatusBlock, IN ULONG IoControlCode, IN PVOID InputBuffer OPTIONAL, IN ULONG InputBufferLength, OUT PVOID OutputBuffer OPTIONAL, IN ULONG OutputBufferLength);
/*
NTSYSAPI NTSTATUS NTAPI ZwReadVirtualMemory( IN HANDLE hProcess,IN PVOID BaseAddress, OUT PVOID Buffer,IN ULONG BytesToRead,OUT PULONG BytesRead);
NTSYSAPI NTSTATUS NTAPI ZwWriteVirtualMemory(IN HANDLE hProcess, IN PVOID BaseAddress,OUT PVOID Buffer, IN ULONG BytesToWrite,OUT PULONG BytesRead);
NTSYSAPI NTSTATUS NTAPI ZwOpenProcess(OUT PHANDLE ProcessHandle, IN ACCESS_MASK AccessMask,IN POBJECT_ATTRIBUTES ObjectAttributes,IN PCLIENT_ID ClientId);
NTSYSAPI NTSTATUS NTAPI ZwDuplicateObject(IN HANDLE SourceProcessHandle, IN HANDLE SourcrHandle, IN HANDLE TaegetProcessHandle, OUT PHANDLE TargetHandle, IN ACCESS_MASK DesiredAccess OPTIONAL,IN BOOLEAN InheritHandle,IN ULONG Options);
NTSYSAPI NTSTATUS NTAPI ZwQueryInformationProcess(IN HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, OUT PVOID ProcessInformation, IN ULONG ProcessInformationLength, OUT PULONG ReturnLength OPTIONAL);
NTSTATUS MyZwReadVirtualMemory(IN HANDLE hProcess,N PVOID BaseAddress,OUT PVOID Buffer,IN ULONG BytesToRead,IN PULONG BytesRead);
NTSTATUS MyZwWriteVirtualMemory(IN HANDLE hProcess,IN PVOID BaseAddress,OUT PVOID Buffer,IN ULONG BytesToWrite,IN PULONG BytesRead);
NTSTATUS MyZwOpenProcess(OUT PHANDLE ProcessHandle, IN ACCESS_MASK AccessMase,IN POBJECT_ATTRIBUTES ObjectAttributes,IN PCLIENT_ID ClientId);
*/
// Function callnumbers
// System-service table index of NtOpenProcess for one particular kernel
// build. Not referenced by the code on this page. Such indices differ between
// Windows versions and service packs, so a hard-coded value is only valid on
// the build it was taken from and must be validated against the running
// kernel before anything relies on it.
ULONG NtOpenProcess_callnumber = 0x007a;
//Global Variables
// DeviceName and DeviceLink are filled in by DriverEntry and consumed by
// DriverUnload; pDeviceObject is set by IoCreateDevice in DriverEntry.
UNICODE_STRING DeviceName, DeviceLink;
// Starts at (HANDLE)-1 and is never written by the code on this page; the
// IO_GETSETINFO path that would set it is commented out.
HANDLE UserLandProcessID = (HANDLE)-1;
PDEVICE_OBJECT pDeviceObject;
//Function Prototypes
NTSTATUS __stdcall IOControll(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
//END Function Prototypes
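NTSTATUS __stdcall IOOpenClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    // Dispatch routine for IRP_MJ_CREATE and IRP_MJ_CLOSE: every open and
    // close of the device succeeds and transfers no data. Any user-mode
    // process that the device object's security descriptor lets open
    // \\.\AgentSmithers reaches this routine; there is no further check here.
    //
    // Parameters: DeviceObject - unused; Irp - the request to complete.
    // Returns STATUS_SUCCESS.
    UNREFERENCED_PARAMETER(DeviceObject);
    DbgPrint("IOOpenClose Called.\n");
    // The IRP's status block belongs to the driver until the IRP is completed,
    // so set both fields explicitly instead of relying on their initial value.
    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    IofCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}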
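NTSTATUS __stdcall IOControll(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    // Dispatch routine for IRP_MJ_DEVICE_CONTROL. All three IOCTLs are
    // METHOD_BUFFERED, so Irp->AssociatedIrp.SystemBuffer is the kernel copy
    // of the caller's input and doubles as the output buffer; on completion
    // the I/O manager copies Irp->IoStatus.Information bytes of it back to
    // the caller, without re-checking OutputBufferLength. Each IOCTL answers
    // with one int (FunctionStatus), so the caller must supply an output
    // buffer of at least sizeof(int) bytes: reporting Information = sizeof(int)
    // against a smaller or absent user buffer lets the copy-back run past what
    // the caller allocated, and reporting it without writing SystemBuffer first
    // returns whatever the pool allocation held.
    //
    // Parameters: DeviceObject - unused; Irp - the request to complete.
    // Returns STATUS_SUCCESS, STATUS_INVALID_DEVICE_REQUEST for an unknown
    // control code, or STATUS_BUFFER_TOO_SMALL when the caller's output buffer
    // cannot hold the int reply. The same status is stored in Irp->IoStatus.
    NTSTATUS status = STATUS_SUCCESS;
    int FunctionStatus = -1;
    // IoGetCurrentIrpStackLocation is the documented way to reach the current
    // stack location; Irp->Tail.Overlay.CurrentStackLocation is an internal.
    PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(Irp);
    ULONG outLen = stack->Parameters.DeviceIoControl.OutputBufferLength;

    UNREFERENCED_PARAMETER(DeviceObject);
    DbgPrint("IOControll Called!\n");
    Irp->IoStatus.Information = 0;

    switch (stack->Parameters.DeviceIoControl.IoControlCode)
    {
    case IO_HOOK_FUNCTIONS:
        FunctionStatus = 0;
        DbgPrint("Hooking...\n");
        //HookFunctions();
        break;
    case IO_UNHOOK_FUNCTIONS:
        FunctionStatus = 1;
        DbgPrint("Unhooking...\n");
        //UnHookFunctions();
        break;
    case IO_GETSETINFO:
        FunctionStatus = 2;
        // If the lines below are ever revived: SystemBuffer is caller-supplied
        // data and is not NUL-terminated; bound every read by
        // stack->Parameters.DeviceIoControl.InputBufferLength.
        //UserLandProcessID = RetrivePID( (char*)Irp->AssociatedIrp.SystemBuffer );
        //DbgPrint("Process ID of %s %i", (char*)Irp->AssociatedIrp.SystemBuffer, UserLandProcessID);
        //DbgPrint("Process ID: %i", UserLandProcessID);
        DbgPrint("Driver Button 3 Pressed");
        break;
    default:
        // Unknown control code: reject it instead of silently succeeding.
        status = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    if (NT_SUCCESS(status))
    {
        // SystemBuffer is NULL when both buffer lengths are zero.
        if (outLen >= sizeof(int) && Irp->AssociatedIrp.SystemBuffer != NULL)
        {
            RtlCopyMemory(Irp->AssociatedIrp.SystemBuffer, &FunctionStatus, sizeof(int));
            Irp->IoStatus.Information = sizeof(int);
        }
        else
        {
            status = STATUS_BUFFER_TOO_SMALL;
        }
    }

    Irp->IoStatus.Status = status;
    IofCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}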
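void DriverUnload(PDRIVER_OBJECT DriverObject)
{
    // Unload callback: removes what DriverEntry created. The user-visible
    // link \DosDevices\AgentSmithers is removed first so that no new opens
    // can reach the device object while it is being deleted; then the device
    // object itself goes. Both are reached through the globals DeviceLink and
    // pDeviceObject, so DriverObject is not needed here.
    UNREFERENCED_PARAMETER(DriverObject);
    DbgPrint("Unloading!\n");
    IoDeleteSymbolicLink(&DeviceLink);
    IoDeleteDevice(pDeviceObject);
    //ExFreePool(gRegistryPath.Buffer);
    //RtlZeroMemory(&gRegistryPath, sizeof(gRegistryPath));
}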
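NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath){
    // Driver entry point: registers the dispatch routines, creates the device
    // object \Device\AgentSmithers and the user-visible link
    // \DosDevices\AgentSmithers that the VB.NET client opens as
    // \\.\AgentSmithers.
    //
    // Returns STATUS_SUCCESS, or the NTSTATUS of the failing call. When
    // DriverEntry fails the driver is not loaded and DriverUnload is never
    // invoked, so anything created before the failure is released here.
    // (The previous version returned STATUS_OBJECT_NAME_EXISTS, which is an
    // informational success code, after a failed IoCreateSymbolicLink: the
    // driver stayed loaded with no link, and DriverUnload later tried to
    // delete a link that was never created.)
    NTSTATUS ntStatus;

    UNREFERENCED_PARAMETER(pRegistryPath);
    DbgPrint("Driver Loading...!\n");
    pDriverObject->DriverUnload = DriverUnload;
    pDriverObject->MajorFunction[IRP_MJ_CREATE] = &IOOpenClose;
    pDriverObject->MajorFunction[IRP_MJ_CLOSE] = &IOOpenClose;
    pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = &IOControll;

    RtlInitUnicodeString(&DeviceName, L"\\Device\\AgentSmithers");
    // FILE_DEVICE_SECURE_OPEN makes the device object's security descriptor
    // apply to every open of the device, including opens that append a
    // trailing path component. The descriptor itself is still the I/O
    // manager's default for this device type; if the IOCTLs are ever made to
    // do anything privileged (the hook paths are stubs on this page), create
    // the device with an explicit SDDL string via IoCreateDeviceSecure so
    // that only administrators and SYSTEM can open \\.\AgentSmithers.
    ntStatus = IoCreateDevice(pDriverObject, 0, &DeviceName, FILE_DEVICE_UNKNOWN,
                              FILE_DEVICE_SECURE_OPEN, FALSE, &pDeviceObject);
    if (!NT_SUCCESS(ntStatus))
    {
        DbgPrint("IoCreateDevice Failed\n");
        return ntStatus;
    }

    RtlInitUnicodeString(&DeviceLink, L"\\DosDevices\\AgentSmithers");
    ntStatus = IoCreateSymbolicLink(&DeviceLink, &DeviceName);
    if (!NT_SUCCESS(ntStatus))
    {
        // Failing here means the device object would otherwise leak, because
        // DriverUnload does not run for a driver whose DriverEntry failed.
        DbgPrint("IoCreateSymbolicLink Failed!");
        IoDeleteDevice(pDeviceObject);
        pDeviceObject = NULL;
        return ntStatus;
    }

    DbgPrint("Driver Loaded!\n");
    return ntStatus;
}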
[/code]
makefile
[code]
# Stock WDK build wrapper: the "build" utility reads every setting from the
# neighbouring "sources" file; nothing project-specific belongs in this file.
!INCLUDE $(NTMAKEENV)\makefile.def
[/code]
sources
[code]
# Settings for the WDK "build" utility: produces helloworld.sys (a kernel
# driver) under obj\ from driver.c.
TARGETNAME=helloworld
TARGETTYPE=DRIVER
TARGETPATH=obj
# Absolute paths into one specific DDK install (3790.1830); adjust these to
# the DDK the driver is actually built against.
LIBS=C:\WINDDK\3790.1830\lib
INCLUDES=C:\WINDDK\3790.1830\inc
SOURCES = driver.c
[/code]
VB.NET
[code]
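Public Class Form1
    ' Test client for the AgentSmithers driver: each button opens the device,
    ' sends one IOCTL through DeviceIoControl and reads back the single int
    ' the driver returns. Win32 failures are reported instead of ignored.
    Structure SECURITY_ATTRIBUTES
        Dim nLength As Integer
        Dim lpSecurityDescriptor As Integer
        Dim bInheritHandle As Integer
    End Structure
    Private Const GENERIC_READ As Integer = &H80000000
    Private Const GENERIC_WRITE As Integer = &H40000000
    Private Const FILE_SHARE_READ = &H1
    Private Const FILE_SHARE_WRITE = &H2
    Private Const OPEN_EXISTING = 3
    Private Const FILE_ATTRIBUTE_NORMAL = &H80
    Private Const FILE_DEVICE_UNKNOWN As Integer = &H22
    Private Const FILE_DEVICE_HAL As Integer = &H101
    Private Const METHOD_BUFFERED = &H0
    Private Const FILE_ANY_ACCESS = &H0
    ' CreateFile signals failure with this value, not with 0.
    Private Const INVALID_HANDLE_VALUE As Integer = -1
    'Public Declare Function CreateFile Lib "kernel32" Alias "CreateFileA" (ByVal lpFileName As String, ByVal dwDesiredAccess As Integer, ByVal dwShareMode As Integer, ByRef lpSecurityAttributes As SECURITY_ATTRIBUTES, ByVal dwCreationDisposition As Integer, ByVal dwFlagsAndAttributes As Integer, ByVal hTemplateFile As Integer) As Integer
    Private Declare Function CreateFile _
        Lib "kernel32" Alias "CreateFileA" _
        (ByVal lpFileName As String, ByVal dwDesiredAccess As Int32, _
        ByVal dwShareMode As Int32, ByVal lpSecurityAttributes As Int32, _
        ByVal dwCreationDisposition As Int32, ByVal dwFlagsAndAttributes As Int32, _
        ByVal hTemplateFile As Int32) As Int32
    ' lpOutBuffer and lpBytesReturned are ByRef so the values the kernel writes
    ' reach the caller. Passing lpBytesReturned ByVal as 0 handed the API a
    ' NULL pointer, which it rejects whenever lpOverlapped is also NULL.
    Public Declare Function DeviceIoControl Lib "kernel32" (ByVal hDevice As Integer, _
        ByVal dwIoControlCode As Integer, _
        ByVal lpInBuffer As Object, _
        ByVal nInBufferSize As Integer, _
        ByRef lpOutBuffer As Integer, _
        ByVal nOutBufferSize As Integer, _
        ByRef lpBytesReturned As Integer, _
        ByVal lpOverlapped As Object) As Integer
    Declare Function CloseHandle Lib "kernel32" Alias "CloseHandle" (ByVal hObject As Integer) As Integer
    Private Sub Form1_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
    End Sub
    Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
        SendDriverCommand(CTL_CODE(FILE_DEVICE_UNKNOWN, 1, METHOD_BUFFERED, FILE_ANY_ACCESS))
    End Sub
    Private Sub Button2_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button2.Click
        SendDriverCommand(CTL_CODE(FILE_DEVICE_UNKNOWN, 2, METHOD_BUFFERED, FILE_ANY_ACCESS))
    End Sub
    Private Sub Button3_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button3.Click
        SendDriverCommand(CTL_CODE(FILE_DEVICE_UNKNOWN, 3, METHOD_BUFFERED, FILE_ANY_ACCESS))
    End Sub
    ' Same bit layout as the driver's CTL_CODE macro: device type in bits
    ' 16-31, required access in bits 14-15, function number in bits 2-13,
    ' transfer method in bits 0-1. Must match the driver's #defines exactly.
    Private Function CTL_CODE(ByVal DeviceType As Integer, ByVal Func As Integer, ByVal Method As Integer, ByVal Access As Integer) As Integer
        Return (DeviceType << 16) Or (Access << 14) Or (Func << 2) Or Method
    End Function
    ' Opens \\.\AgentSmithers, sends one IOCTL and shows either the driver's
    ' int reply or the Win32 error code. Declare statements set SetLastError,
    ' so Marshal.GetLastWin32Error is valid straight after each call.
    Private Sub SendDriverCommand(ByVal IO_Integer As Integer)
        Dim FileHandle As Integer = CreateFile("\\.\AgentSmithers", GENERIC_READ Or GENERIC_WRITE, 0, 0, OPEN_EXISTING, 0, 0)
        If FileHandle = INVALID_HANDLE_VALUE Then
            ' Typically the driver is not loaded (file not found) or the device
            ' object's security descriptor refused the open (access denied).
            System.Windows.Forms.MessageBox.Show("CreateFile failed, Win32 error " & _
                System.Runtime.InteropServices.Marshal.GetLastWin32Error())
            Return
        End If
        Try
            Dim reply As Integer = -1
            Dim bytesReturned As Integer = 0
            ' The driver completes each IOCTL with sizeof(int) bytes of output,
            ' so a 4-byte output buffer has to be supplied; the previous call
            ' passed no output buffer at all.
            Dim ok As Integer = DeviceIoControl(FileHandle, IO_Integer, Nothing, 0, reply, _
                System.Runtime.InteropServices.Marshal.SizeOf(reply), bytesReturned, Nothing)
            If ok = 0 Then
                ' A Win32 failure is a zero return value, not an exception, so
                ' the old Try/Catch never saw it.
                System.Windows.Forms.MessageBox.Show("DeviceIoControl failed, Win32 error " & _
                    System.Runtime.InteropServices.Marshal.GetLastWin32Error())
            ElseIf bytesReturned >= System.Runtime.InteropServices.Marshal.SizeOf(reply) Then
                System.Windows.Forms.MessageBox.Show("Driver replied " & reply)
            End If
        Finally
            ' Release the handle even if marshaling throws.
            CloseHandle(FileHandle)
        End Try
    End Sub
End Class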
[/code]
Helpful Sources
http://somebastardstolemyname.wordpress.com/2008/10/04/c-ntopenprocess-hook/