/* Set event
 *
 * Signals hEvent via ZwSetEvent and hands back the event's previous state as
 * reported by the kernel. When the call fails the sentinel EVENT_STATE_ERROR
 * is returned instead, so a caller cannot mistake a failed call for a valid
 * previous state. hEvent is passed through unvalidated.
 */
ULONG NTAPI SetEvent(HANDLE hEvent)
{
    ULONG priorState = EVENT_STATE_ERROR;

    if (NT_SUCCESS(ZwSetEvent(hEvent, &priorState)))
    {
        return priorState;
    }

    /* Failure: never expose whatever partial value the kernel may have left. */
    return EVENT_STATE_ERROR;
}
////////////////////////////////////////////////////////////////////////// // HookKiFastCallEntry NTSTATUS HookKiFastCallEntry() { NTSTATUS status = STATUS_UNSUCCESSFUL; do { ANSI_STRING astrZwSetEvent; DWORD dwZwSetEventAddr, dwZwSetEventRVA; dwZwSetEventAddr = dwZwSetEventRVA = 0; RtlInitAnsiString(&astrZwSetEvent, "ZwSetEvent"); dwZwSetEventAddr = GetNtoskrnlExportNameAddress(&astrZwSetEvent, &dwZwSetEventRVA); if(0 == dwZwSetEventAddr) { break; } g_dwZwSetEventIndex = *(DWORD*)(dwZwSetEventAddr + 1); KSPIN_LOCK SpinLock; KIRQL OldIrql; KeInitializeSpinLock(&SpinLock); KeAcquireSpinLock(&SpinLock, &OldIrql); PageProtectOff(); RealZwSetEvent = (ZwSetEventFunc)(((PSERVICE_DESCRIPTOR_TABLE)g_dwSDTAddress)->ServiceTable[g_dwZwSetEventIndex]); ((PSERVICE_DESCRIPTOR_TABLE)g_dwSDTAddress)->ServiceTable[g_dwZwSetEventIndex] = (DWORD)FakeZwSetEvent; PageProtectOn(); KeReleaseSpinLock(&SpinLock, OldIrql); ZwSetEvent((HANDLE)FAKE_EVENT_HANDLE, NULL); if(0 == g_dwServiceRetAddr) // The return address of KiFastCallEntry call ZwSetEvent { if(g_pProxyJmpCode != NULL) { ExFreePool(g_pProxyJmpCode); } break; } if(g_dwProxyRetAddr != 0) // TODO: Search { status = STATUS_SUCCESS; break; } } while (0); return status; }
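/*
 * DriverEntry
 *
 * Driver initialisation in phases (PHASE_* is recorded so the failing phase
 * can be written to the registry):
 *   1. signal MU_EVENTNAME_BOOTSYNC if it exists (absence is not an error),
 *   2. create the control device MU_DEVNAME_HOST_CONTROL,
 *   3. reject unsupported OS versions (Vista / 2008 / 2008 R2 fall through to
 *      the default case and fail, XP / 2003 / 7 are accepted),
 *   4. load the database, install the kernel hook, register the
 *      process-creation notify routine, start the user-mode helper,
 *   5. wire up the dispatch routines.
 *
 * Fix in this revision: the registry-path terminator used to be written at
 * Buffer[Length / sizeof(WCHAR)] unconditionally, i.e. one WCHAR past the
 * counted data whenever MaximumLength == Length. The write now happens only
 * when MaximumLength leaves room, and the PWSTR-based registry cleanup is
 * skipped when the buffer cannot be proven NUL-terminated.
 *
 * NOTE(review): once the kernel hook has been installed (phase past
 * PHASE_INIT_KERNEL_HOOK) the function returns STATUS_SUCCESS even if a later
 * phase failed and the device was deleted — presumably so the driver stays
 * resident rather than unloading with a live hook. Confirm that is intended;
 * in that state no MajorFunction entries are set.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;
    HANDLE event;
    BOOLEAN clean = FALSE;            /* TRUE once the process-notify routine is registered */
    BOOLEAN pathTerminated = FALSE;   /* TRUE when RegistryPath->Buffer is known to end in L'\0' */
    PDEVICE_OBJECT devobj;
    ULONG maver, miver, phase;
    UNICODE_STRING dn;
    OBJECT_ATTRIBUTES oa;

    /* Best-effort boot synchronisation: signal the event if somebody created it. */
    RtlInitUnicodeString(&dn, MU_EVENTNAME_BOOTSYNC);
    InitializeObjectAttributes(&oa, &dn, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
    status = ZwOpenEvent(&event, EVENT_ALL_ACCESS, &oa);
    if (NT_SUCCESS(status))
    {
        ZwSetEvent(event, NULL);
        ZwClose(event);
    }

    RtlInitUnicodeString(&dn, MU_DEVNAME_HOST_CONTROL);
    phase = PHASE_CREATE_DEVICE;
    /* NOTE(review): IoCreateDevice applies the default device DACL. If the IOCTLs
     * handled by MuDispatchDeviceControl are privileged, confirm that the
     * dispatch routine checks the caller or that the device is created with an
     * explicit SDDL (IoCreateDeviceSecure) — not verifiable from this file. */
    status = IoCreateDevice(DriverObject, 0, &dn, FILE_DEVICE_UNKNOWN, 0, FALSE, &devobj);
    if (NT_SUCCESS(status))
    {
        PsGetVersion(&maver, &miver, NULL, NULL);
        OsVersion = (maver << 16) | miver;
        OsVersion |= MmIsThisAnNtAsSystem() ? 0x80000000 : 0;   /* high bit marks a server SKU */

        phase = PHASE_CHECK_OS_VERSION;
        switch (OsVersion)
        {
        case VER_WINXP:
        case VER_WIN2K3:
        case VER_WIN7:
            break;
        case VER_WIN2K8R2:
        case VER_WIN2K8:
        case VER_VISTA:
            /* explicitly unsupported: fall through to failure */
        default:
            goto MuDriverEntry_Failure;
        }

        MuInitializeGlobalData(&g_GlobalData);

        phase = PHASE_LOAD_DATABASE;
        status = MuLoadDatabase(&g_GlobalData);
        if (!NT_SUCCESS(status))
            goto MuDriverEntry_Failure;

        phase = PHASE_INIT_KERNEL_HOOK;
        status = MuInitializeKernelHook(&g_GlobalData);
        if (!NT_SUCCESS(status))
            goto MuDriverEntry_Failure;

        phase = PHASE_SET_NOTIFY;
        status = PsSetCreateProcessNotifyRoutine(MuCreateProcessNotify, FALSE);
        if (!NT_SUCCESS(status))
            goto MuDriverEntry_Failure;
        clean = TRUE;

        phase = PHASE_INIT_HELPER;
        status = MuInitializeUserModeHelper(&g_GlobalData);
        if (!NT_SUCCESS(status))
            goto MuDriverEntry_Failure;

        DriverObject->MajorFunction[IRP_MJ_CREATE] = MuDispatchCreateClose;
        DriverObject->MajorFunction[IRP_MJ_CLOSE] = MuDispatchCreateClose;
        DriverObject->MajorFunction[IRP_MJ_POWER] = MuDispatchPower;
        DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = MuDispatchDeviceControl;
        goto MuDriverEntry_End;

MuDriverEntry_Failure:
        if (clean)
            PsSetCreateProcessNotifyRoutine(MuCreateProcessNotify, TRUE);
        IoDeleteDevice(devobj);
    }

MuDriverEntry_End:
    /* MuDeleteRegistryValue takes a raw PWSTR, so the counted string must be
     * NUL-terminated. Only write the terminator when MaximumLength leaves room
     * for it; otherwise accept the buffer only if it already ends in L'\0'. */
    if (RegistryPath->MaximumLength >= RegistryPath->Length + sizeof(WCHAR))
    {
        RegistryPath->Buffer[RegistryPath->Length / sizeof(WCHAR)] = 0;
        pathTerminated = TRUE;
    }
    else if (RegistryPath->Length >= sizeof(WCHAR) &&
             RegistryPath->Buffer[RegistryPath->Length / sizeof(WCHAR) - 1] == 0)
    {
        pathTerminated = TRUE;
    }

    if (NT_SUCCESS(status))
    {
        if (pathTerminated)
            MuDeleteRegistryValue(RegistryPath->Buffer, MU_REGVAL_LAST_ERROR);   /* best-effort bookkeeping */
    }
    else
    {
        MuSetErrorCode(RegistryPath, phase, status);
    }

    /* Past the kernel-hook phase the driver reports success regardless (see header note). */
    if (phase > PHASE_INIT_KERNEL_HOOK)
        return STATUS_SUCCESS;
    return status;
}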