.: Writing Your First VC++ Driver :.
By Nicholas A. Hall
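/*
 * driver.c -- minimal WDM control device that lets a user-mode client start
 * and stop a native-API (SSDT) hook.  Built with the 3790 DDK; the makefile
 * and sources files are reproduced in the comment at the end of this file.
 *
 * Security notes (review):
 *  - Loading a driver needs administrator rights, but once it is loaded the
 *    control device is the only thing standing between *any* local user and
 *    the hook.  The device is therefore created with a SYSTEM/Administrators
 *    DACL (IoCreateDeviceSecure) instead of the default one.
 *  - Every IOCTL path checks buffer lengths before reporting output; with
 *    METHOD_BUFFERED the I/O manager copies IoStatus.Information bytes of the
 *    system buffer back to the caller, so a wrong byte count either leaks
 *    uninitialized pool or writes past a smaller user buffer.
 *  - The hook itself (HookFunctions/UnHookFunctions/RetrivePID) is not part of
 *    this listing; the commented call sites below mark where it would go.
 */
#include <ntddk.h>
#include <wdmsec.h>   /* IoCreateDeviceSecure, SDDL_DEVOBJ_SYS_ALL_ADM_ALL -- link wdmsec.lib */

/* Control codes; the user-mode client builds the same values with CTL_CODE.
 * FILE_ANY_ACCESS is kept for client compatibility -- access is enforced by
 * the device DACL at open time instead. */
#define IO_HOOK_FUNCTIONS   CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0001, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IO_UNHOOK_FUNCTIONS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0002, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IO_GETSETINFO       CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0003, METHOD_BUFFERED, FILE_ANY_ACCESS)

/* Function signatures of the native routines the hook would wrap.  None of
 * these are used until the hook code exists; they only document the ABI. */
typedef NTSTATUS (*NTOPENPROCESS)(OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess,
                                  IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId OPTIONAL);
typedef NTSTATUS (*NTREADVIRTUALMEMORY)(IN HANDLE hProcess, IN PVOID BaseAddress, OUT PVOID Buffer,
                                        IN ULONG BytesToRead, OUT PULONG BytesRead);
typedef NTSTATUS (*NTWRITEVIRTUALMEMORY)(IN HANDLE hProcess, IN PVOID BaseAddress, IN PVOID Buffer,
                                         IN ULONG BytesToWrite, OUT PULONG BytesWritten);
typedef NTSTATUS (*NtReadVirtualMemory)(IN HANDLE ProcessHandle, IN PVOID BaseAddress, OUT PVOID Buffer,
                                        IN ULONG BufferLength, OUT PULONG ReturnLength OPTIONAL);
typedef NTSTATUS (*NtWriteVirtualMemory)(IN HANDLE ProcessHandle, IN PVOID BaseAddress, IN PVOID Buffer,
                                         IN ULONG BufferLength, OUT PULONG ReturnLength OPTIONAL);
typedef NTSTATUS (*NtProtectVirtualMemory)(IN HANDLE ProcessHandle, IN OUT PVOID *BaseAddress,
                                           IN OUT PULONG ProtectSize, IN ULONG NewProtect, OUT PULONG OldProtect);
typedef NTSTATUS (*NtDeviceIoControlFile)(IN HANDLE FileHandle, IN HANDLE Event OPTIONAL,
                                          IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL,
                                          OUT PIO_STATUS_BLOCK IoStatusBlock, IN ULONG IoControlCode,
                                          IN PVOID InputBuffer OPTIONAL, IN ULONG InputBufferLength,
                                          OUT PVOID OutputBuffer OPTIONAL, IN ULONG OutputBufferLength);

/*
 * Kernel-exported prototypes the (absent) hook code would declare; kept from
 * the original listing for reference:
 *
 * NTSYSAPI NTSTATUS NTAPI ZwReadVirtualMemory(IN HANDLE hProcess, IN PVOID BaseAddress,
 *     OUT PVOID Buffer, IN ULONG BytesToRead, OUT PULONG BytesRead);
 * NTSYSAPI NTSTATUS NTAPI ZwWriteVirtualMemory(IN HANDLE hProcess, IN PVOID BaseAddress,
 *     IN PVOID Buffer, IN ULONG BytesToWrite, OUT PULONG BytesWritten);
 * NTSYSAPI NTSTATUS NTAPI ZwOpenProcess(OUT PHANDLE ProcessHandle, IN ACCESS_MASK AccessMask,
 *     IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId);
 * NTSYSAPI NTSTATUS NTAPI ZwDuplicateObject(IN HANDLE SourceProcessHandle, IN HANDLE SourceHandle,
 *     IN HANDLE TargetProcessHandle, OUT PHANDLE TargetHandle, IN ACCESS_MASK DesiredAccess OPTIONAL,
 *     IN BOOLEAN InheritHandle, IN ULONG Options);
 * NTSYSAPI NTSTATUS NTAPI ZwQueryInformationProcess(IN HANDLE ProcessHandle,
 *     PROCESSINFOCLASS ProcessInformationClass, OUT PVOID ProcessInformation,
 *     IN ULONG ProcessInformationLength, OUT PULONG ReturnLength OPTIONAL);
 *
 * NTSTATUS MyZwReadVirtualMemory(IN HANDLE hProcess, IN PVOID BaseAddress, OUT PVOID Buffer,
 *     IN ULONG BytesToRead, OUT PULONG BytesRead);
 * NTSTATUS MyZwWriteVirtualMemory(IN HANDLE hProcess, IN PVOID BaseAddress, IN PVOID Buffer,
 *     IN ULONG BytesToWrite, OUT PULONG BytesWritten);
 * NTSTATUS MyZwOpenProcess(OUT PHANDLE ProcessHandle, IN ACCESS_MASK AccessMask,
 *     IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId);
 */

/* System-service (SSDT) index of NtOpenProcess.  This number is specific to
 * one Windows build -- it must be taken from the target's ntdll.dll at run
 * time rather than hard-coded, or the hook will patch the wrong service.
 * NOTE(review): SSDT patching is also rejected by PatchGuard on x64 kernels. */
ULONG NtOpenProcess_callnumber = 0x007a;

/* Global driver state. */
UNICODE_STRING DeviceName, DeviceLink;
HANDLE         UserLandProcessID = (HANDLE)-1;  /* PID supplied via IO_GETSETINFO; -1 = none yet */
PDEVICE_OBJECT pDeviceObject = NULL;

/* Function prototypes */
NTSTATUS __stdcall IOOpenClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
NTSTATUS __stdcall IOControll(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
void DriverUnload(PDRIVER_OBJECT DriverObject);

/*
 * CompleteIrp -- set the IRP's status/byte count and complete it.
 * Both fields must be filled in before IoCompleteRequest: the status is what
 * the caller's DeviceIoControl reports, and Information is the number of
 * bytes the I/O manager copies back to the user's output buffer.
 */
static NTSTATUS CompleteIrp(PIRP Irp, NTSTATUS Status, ULONG_PTR Information)
{
    Irp->IoStatus.Status = Status;
    Irp->IoStatus.Information = Information;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return Status;
}

/*
 * IOOpenClose -- IRP_MJ_CREATE / IRP_MJ_CLOSE handler.
 * Opens are already access-checked against the device DACL by the I/O
 * manager, so there is nothing to do here beyond completing the request.
 */
NTSTATUS __stdcall IOOpenClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);
    DbgPrint("IOOpenClose Called.\n");
    return CompleteIrp(Irp, STATUS_SUCCESS, 0);
}

/*
 * IOControll -- IRP_MJ_DEVICE_CONTROL handler.
 *
 * Dispatches on the IOCTL code.  Each known code sets FunctionStatus
 * (0 = hook, 1 = unhook, 2 = get/set info); that value is returned to the
 * caller only if it supplied an output buffer of at least sizeof(int) bytes,
 * so the reported byte count never exceeds the user buffer.  Unknown codes
 * fail with STATUS_INVALID_DEVICE_REQUEST instead of silently succeeding.
 */
NTSTATUS __stdcall IOControll(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    /* Use the documented accessor rather than Irp->Tail.Overlay.CurrentStackLocation. */
    PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(Irp);
    ULONG outLen = stack->Parameters.DeviceIoControl.OutputBufferLength;
    int FunctionStatus = -1;
    ULONG_PTR bytesOut = 0;

    UNREFERENCED_PARAMETER(DeviceObject);
    DbgPrint("IOControll Called!\n");

    switch (stack->Parameters.DeviceIoControl.IoControlCode) {
    case IO_HOOK_FUNCTIONS:
        FunctionStatus = 0;
        DbgPrint("Hooking...\n");
        /* HookFunctions(); -- not part of this listing */
        break;

    case IO_UNHOOK_FUNCTIONS:
        FunctionStatus = 1;
        DbgPrint("Unhooking...\n");
        /* UnHookFunctions(); -- not part of this listing */
        break;

    case IO_GETSETINFO:
        FunctionStatus = 2;
        /* When RetrivePID() is wired in, the process name arrives in
         * Irp->AssociatedIrp.SystemBuffer from user mode and is untrusted:
         * bound every access by InputBufferLength and require a terminating
         * NUL before handing it to any %s format or string routine.
         *   UserLandProcessID = RetrivePID((char*)Irp->AssociatedIrp.SystemBuffer); */
        DbgPrint("Driver Button 3 Pressed");
        break;

    default:
        /* Unrecognised code: report failure and no output. */
        return CompleteIrp(Irp, STATUS_INVALID_DEVICE_REQUEST, 0);
    }

    /* METHOD_BUFFERED: only report bytes that were actually written and that
     * fit in the caller's buffer.  The original set Information = sizeof(int)
     * without writing anything, which hands uninitialized pool back to user
     * mode and overruns any output buffer shorter than four bytes. */
    if (outLen >= sizeof(int)) {
        RtlCopyMemory(Irp->AssociatedIrp.SystemBuffer, &FunctionStatus, sizeof(int));
        bytesOut = sizeof(int);
    }
    return CompleteIrp(Irp, STATUS_SUCCESS, bytesOut);
}

/*
 * DriverUnload -- tear down the symbolic link and the device object.
 * Only runs after a successful DriverEntry, so both objects exist.
 * Any hook that was installed must be removed here as well before the
 * driver image disappears, otherwise the patched table points into freed code.
 */
void DriverUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    DbgPrint("Unloading!\n");
    IoDeleteSymbolicLink(&DeviceLink);
    if (pDeviceObject != NULL) {
        IoDeleteDevice(pDeviceObject);
        pDeviceObject = NULL;
    }
}

/*
 * DriverEntry -- register dispatch routines, create the control device and
 * its \DosDevices link.
 *
 * Returns STATUS_SUCCESS, or the failing NTSTATUS with everything created so
 * far undone (DriverUnload is not invoked when DriverEntry fails).
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
    NTSTATUS ntStatus;

    UNREFERENCED_PARAMETER(pRegistryPath);
    DbgPrint("Driver Loading...!\n");

    pDriverObject->DriverUnload = DriverUnload;
    pDriverObject->MajorFunction[IRP_MJ_CREATE]         = IOOpenClose;
    pDriverObject->MajorFunction[IRP_MJ_CLOSE]          = IOOpenClose;
    pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = IOControll;

    RtlInitUnicodeString(&DeviceName, L"\\Device\\AgentSmithers");
    RtlInitUnicodeString(&DeviceLink, L"\\DosDevices\\AgentSmithers");

    /* A plain IoCreateDevice() leaves the device with a default DACL, and the
     * \DosDevices link makes it reachable from every session, so any local
     * user could send the hook/unhook IOCTLs.  Restrict opens to SYSTEM and
     * Administrators; FILE_DEVICE_SECURE_OPEN makes the descriptor apply to
     * opens of names below the device object as well. */
    ntStatus = IoCreateDeviceSecure(pDriverObject, 0, &DeviceName, FILE_DEVICE_UNKNOWN,
                                    FILE_DEVICE_SECURE_OPEN, FALSE,
                                    &SDDL_DEVOBJ_SYS_ALL_ADM_ALL, NULL, &pDeviceObject);
    if (!NT_SUCCESS(ntStatus)) {
        DbgPrint("IoCreateDevice Failed\n");
        return ntStatus;
    }

    ntStatus = IoCreateSymbolicLink(&DeviceLink, &DeviceName);
    if (!NT_SUCCESS(ntStatus)) {
        /* The original returned STATUS_OBJECT_NAME_EXISTS here -- an
         * informational code for which NT_SUCCESS() is TRUE -- so the driver
         * stayed loaded with a device and no link.  Fail for real and clean up. */
        DbgPrint("IoCreateSymbolicLink Failed!");
        IoDeleteDevice(pDeviceObject);
        pDeviceObject = NULL;
        return ntStatus;
    }

    DbgPrint("Driver Loaded!\n");
    return STATUS_SUCCESS;
}

/*
 * Build files (DDK build environment):
 *
 * makefile:
 *     !INCLUDE $(NTMAKEENV)\makefile.def
 *
 * sources:
 *     TARGETNAME=helloworld
 *     TARGETTYPE=DRIVER
 *     TARGETPATH=obj
 *     LIBS=C:\WINDDK\3790.1830\lib
 *     INCLUDES=C:\WINDDK\3790.1830\inc
 *     TARGETLIBS=$(DDK_LIB_PATH)\wdmsec.lib
 *     SOURCES=driver.c
 *
 * TARGETLIBS is new: it links the static library that provides
 * IoCreateDeviceSecure.
 */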
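''' <summary>
''' Test client for the AgentSmithers control device.  Each button sends one
''' IOCTL (1 = hook, 2 = unhook, 3 = get/set info) with no input and no output
''' buffer.  Opening the device is subject to the driver's device DACL, so run
''' this as an administrator.
''' </summary>
Public Class Form1

    Structure SECURITY_ATTRIBUTES
        Dim nLength As Integer
        Dim lpSecurityDescriptor As Integer
        Dim bInheritHandle As Integer
    End Structure

    Private Const GENERIC_READ As Integer = &H80000000
    Private Const GENERIC_WRITE As Integer = &H40000000
    Private Const FILE_SHARE_READ = &H1
    Private Const FILE_SHARE_WRITE = &H2
    Private Const OPEN_EXISTING = 3
    Private Const FILE_ATTRIBUTE_NORMAL = &H80
    Private Const FILE_DEVICE_UNKNOWN As Integer = &H22
    Private Const FILE_DEVICE_HAL As Integer = &H101
    Private Const METHOD_BUFFERED = &H0
    Private Const FILE_ANY_ACCESS = &H0
    ' CreateFile returns this on failure.  It is also the value of the
    ' current-process pseudo-handle, so it must never be passed on.
    Private Const INVALID_HANDLE_VALUE As Integer = -1

    ' Handles are Int32 to match the original declarations; that is only
    ' correct in a 32-bit process.  Use IntPtr / SafeFileHandle for x64.
    Private Declare Function CreateFile _
        Lib "kernel32" Alias "CreateFileA" _
        (ByVal lpFileName As String, ByVal dwDesiredAccess As Int32, _
         ByVal dwShareMode As Int32, ByVal lpSecurityAttributes As Int32, _
         ByVal dwCreationDisposition As Int32, ByVal dwFlagsAndAttributes As Int32, _
         ByVal hTemplateFile As Int32) As Int32

    ' Buffer and overlapped arguments are raw pointers, so they are declared
    ' as IntPtr rather than Object (an Object is not marshaled as a plain
    ' pointer; Nothing still becomes IntPtr.Zero / NULL).
    ' lpBytesReturned is ByRef: DeviceIoControl requires it to be non-NULL
    ' when lpOverlapped is NULL, and the original passed the literal 0 as the
    ' pointer itself, which is the "Write Access Error" the old Try/Catch hid.
    Public Declare Function DeviceIoControl Lib "kernel32" (ByVal hDevice As Integer, _
        ByVal dwIoControlCode As Integer, _
        ByVal lpInBuffer As IntPtr, _
        ByVal nInBufferSize As Integer, _
        ByVal lpOutBuffer As IntPtr, _
        ByVal nOutBufferSize As Integer, _
        ByRef lpBytesReturned As Integer, _
        ByVal lpOverlapped As IntPtr) As Integer

    Declare Function CloseHandle Lib "kernel32" Alias "CloseHandle" (ByVal hObject As Integer) As Integer

    Private Sub Form1_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
    End Sub

    ' Button 1: IO_HOOK_FUNCTIONS (function code 1).
    Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
        SendDriverCommand(CTL_CODE(FILE_DEVICE_UNKNOWN, 1, METHOD_BUFFERED, FILE_ANY_ACCESS))
    End Sub

    ' Button 2: IO_UNHOOK_FUNCTIONS (function code 2).
    Private Sub Button2_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button2.Click
        SendDriverCommand(CTL_CODE(FILE_DEVICE_UNKNOWN, 2, METHOD_BUFFERED, FILE_ANY_ACCESS))
    End Sub

    ' Button 3: IO_GETSETINFO (function code 3).
    Private Sub Button3_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button3.Click
        SendDriverCommand(CTL_CODE(FILE_DEVICE_UNKNOWN, 3, METHOD_BUFFERED, FILE_ANY_ACCESS))
    End Sub

    ''' <summary>
    ''' Same layout as the CTL_CODE macro in the driver:
    ''' DeviceType in bits 16-31, Access in bits 14-15, Function in bits 2-13,
    ''' Method in bits 0-1.  Must stay in sync with driver.c.
    ''' </summary>
    Private Function CTL_CODE(ByVal DeviceType As Integer, ByVal Func As Integer, ByVal Method As Integer, ByVal Access As Integer) As Integer
        Return (DeviceType << 16) Or (Access << 14) Or (Func << 2) Or Method
    End Function

    ''' <summary>
    ''' Opens \\.\AgentSmithers, sends one IOCTL with empty input and output
    ''' buffers, and always closes the handle.  Failures are written to the
    ''' debug output with the Win32 error code instead of being swallowed.
    ''' </summary>
    Private Sub SendDriverCommand(ByVal IO_Integer As Integer)
        Dim FileHandle As Integer = CreateFile("\\.\AgentSmithers", GENERIC_READ Or GENERIC_WRITE, _
                                               0, 0, OPEN_EXISTING, 0, 0)
        If FileHandle = INVALID_HANDLE_VALUE Then
            ' Not checking this let the original call DeviceIoControl/CloseHandle
            ' on -1, the current-process pseudo-handle.
            System.Diagnostics.Debug.WriteLine("CreateFile failed, error " & _
                System.Runtime.InteropServices.Marshal.GetLastWin32Error())
            Return
        End If

        Try
            Dim bytesReturned As Integer = 0
            If DeviceIoControl(FileHandle, IO_Integer, IntPtr.Zero, 0, IntPtr.Zero, 0, _
                               bytesReturned, IntPtr.Zero) = 0 Then
                System.Diagnostics.Debug.WriteLine("DeviceIoControl failed, error " & _
                    System.Runtime.InteropServices.Marshal.GetLastWin32Error())
            End If
        Finally
            ' Finally (not Catch) so the handle is released on every path.
            CloseHandle(FileHandle)
        End Try
    End Sub

End Class

' Helpful Sources:
' http://somebastardstolemyname.wordpress.com/2008/10/04/c-ntopenprocess-hook/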