Ejemplo n.º 1
//////////////////////////////////////////////////////////////////////////
// save the key buffer to the file.
/*
 * Writes `length` bytes from `buffer` to the fixed path \??\C:\kbd.txt.
 * Returns without doing anything when `buffer` is NULL; open and write
 * failures are reported only through DbgPrint.
 *
 * NOTE(review): the file's own header comment calls `buffer` the key buffer.
 * Kernel code that persists captured key data to a hard-coded path on the
 * system volume is behaviour endpoint monitoring should flag, and the
 * literal path below is a usable indicator.
 */
void SaveToFile(IN PCHAR buffer,IN int length)
{
	WCHAR fileName[] = L"\\??\\C:\\kbd.txt";
	UNICODE_STRING unifilename;
	NTSTATUS status;
	OBJECT_ATTRIBUTES oa;
	HANDLE hFile;
	IO_STATUS_BLOCK iostatus;
	LARGE_INTEGER  ByteOffset={0} ;
	if (!buffer)
	{
		return;
	}
	RtlInitUnicodeString(&unifilename,fileName);
	InitializeObjectAttributes(&oa,&unifilename,
		OBJ_CASE_INSENSITIVE|OBJ_KERNEL_HANDLE,
		NULL,NULL);

	// FILE_OVERWRITE_IF replaces an existing file, so each call starts from
	// an empty file even though only FILE_APPEND_DATA access is requested.
	// NOTE(review): neither SYNCHRONIZE nor a FILE_SYNCHRONOUS_IO_* option is
	// passed, so the handle is opened for asynchronous I/O; a pending write
	// would complete into `iostatus` on this stack frame -- confirm.
	status = ZwCreateFile(&hFile,FILE_APPEND_DATA,&oa,&iostatus,NULL,FILE_ATTRIBUTE_NORMAL,
		FILE_SHARE_DELETE|FILE_SHARE_WRITE|FILE_SHARE_READ,FILE_OVERWRITE_IF,
		0,0,0);

	if(NT_SUCCESS(status))
	{
		// `length` is a signed int handed to a ULONG parameter; a negative
		// value is not rejected anywhere in this function.
        status=ZwWriteFile(hFile,NULL,NULL,NULL,&iostatus,buffer,length,&ByteOffset,NULL);
		if (!(NT_SUCCESS(status)))
		{
			DbgPrint("ZwWriteFile Failed %8x",status);
		}
		ZwClose(hFile);
	}
	else
		DbgPrint("ZwCreateFile Failed %8x",status);
}
Ejemplo n.º 2
/*
 * Saves the registry key named by `key` into a newly created file at `path`.
 * Steps visible here: request SE_BACKUP_PRIVILEGE, open and flush the key,
 * create the output file (FILE_CREATE fails if it already exists), pass the
 * handle to save_to(), then close it.
 *
 * NOTE(review): the local is named `sam`; if callers pass the SAM hive this
 * is an export of the local credential store. Defenders commonly watch for
 * backup-privilege use combined with a registry hive being saved to a new
 * file.
 */
void save_key_to(UnicodeString &key,UnicodeString &path)
{
	get_privilege(SE_BACKUP_PRIVILEGE);

	RegKey sam(key);
	sam.flush();

	// NOTE(review): takes the address of whatever unicode_string() returns;
	// if that is a by-value temporary the pointer dangles -- confirm.
	// OBJ_KERNEL_HANDLE is not set, so the handle belongs to the calling
	// process's handle table.
	OBJECT_ATTRIBUTES file;
	InitializeObjectAttributes(
		&file,
		&path.unicode_string(),
		OBJ_CASE_INSENSITIVE,
		NULL,
		NULL);
	HANDLE hFile;
	IO_STATUS_BLOCK ios;
	// NOTE(review): ZwCreateFile returns a signed NTSTATUS; storing it in a
	// ULONG relies on CHECKER interpreting the value correctly -- confirm.
	ULONG status = ZwCreateFile(
		&hFile
		,GENERIC_WRITE
		,&file
		,&ios
		,0
		,0
		,0
		,FILE_CREATE
		,0
		,0
		,0);
	// CHECKER is defined elsewhere; presumably it aborts or throws on a
	// failure status -- confirm.
	CHECKER(status);

	// NOTE(review): if save_to() leaves this function non-locally, hFile is
	// never closed.
	sam.save_to(hFile);
	ZwClose(hFile);
}
Ejemplo n.º 3
/*
* @implemented
*/
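/*
 * Creates \SystemRoot\bootstat.dat and writes an initial 12-byte record to it.
 *
 * FILE_CREATE makes the call fail when the file already exists. The handle is
 * closed only when the create succeeded, because on failure FileHandle was
 * never written and closing it would act on an uninitialized value.
 *
 * Returns the status of ZwCreateFile on failure, otherwise the status of
 * ZwWriteFile.
 */
NTSTATUS
NTAPI
RtlCreateBootStatusDataFile(VOID)
{
    OBJECT_ATTRIBUTES ObjectAttributes;
    IO_STATUS_BLOCK IoStatusBlock;
    LARGE_INTEGER AllocationSize;
    LARGE_INTEGER ByteOffset;
    UNICODE_STRING FileName;
    HANDLE FileHandle;
    NTSTATUS Status;

    /* Initialize the file name */
    RtlInitUnicodeString(&FileName,
                         L"\\SystemRoot\\bootstat.dat");

    /* Initialize the object attributes */
    InitializeObjectAttributes(&ObjectAttributes,
                               &FileName,
                               OBJ_CASE_INSENSITIVE,
                               NULL,
                               NULL);

    /* Computed but not passed to ZwCreateFile below */
    AllocationSize.QuadPart = 0x800;
    DBG_UNREFERENCED_LOCAL_VARIABLE(AllocationSize);

    /* Create the boot status data file */
    Status = ZwCreateFile(&FileHandle,
                          FILE_GENERIC_READ | FILE_GENERIC_WRITE,
                          &ObjectAttributes,
                          &IoStatusBlock,
                          NULL, //&AllocationSize,
                          FILE_ATTRIBUTE_SYSTEM,
                          0,
                          FILE_CREATE,
                          FILE_SYNCHRONOUS_IO_NONALERT,
                          NULL,
                          0);
    if (NT_SUCCESS(Status))
    {
        // FIXME: Initialize the buffer in a better way.
        UCHAR Buffer[12] = {0xC,0,0,0, 1,0,0,0, 1, 0x1e, 1, 0};

        ByteOffset.QuadPart = 0;
        Status = ZwWriteFile(FileHandle,
                             NULL,
                             NULL,
                             NULL,
                             &IoStatusBlock,
                             Buffer,
                             sizeof(Buffer),
                             &ByteOffset,
                             NULL);

        /* Close the file; there is a valid handle only on this path */
        ZwClose(FileHandle);
    }

    return Status;
}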
Ejemplo n.º 4
//--------------------------------------------------------------------------------------
/*
 * Opens the debug named pipe \Device\NamedPipe\<DBG_PIPE_NAME> for writing
 * and stores the handle in the global hDbgPipe. The open is performed while
 * holding DbgMutex; a failure is only logged through DbgMsg.
 */
void DbgOpenPipe(void)
{
    UNICODE_STRING pipePath;
    OBJECT_ATTRIBUTES pipeAttributes;
    IO_STATUS_BLOCK ioResult;
    NTSTATUS openStatus;

    RtlInitUnicodeString(&pipePath, L"\\Device\\NamedPipe\\" DBG_PIPE_NAME);

    // Kernel handle: not visible in any user-mode handle table.
    InitializeObjectAttributes(&pipeAttributes, &pipePath,
        OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

    KeWaitForMutexObject(&DbgMutex, Executive, KernelMode, FALSE, NULL);

    // FILE_OPEN: the pipe must already exist; nothing is created here.
    openStatus = ZwCreateFile(&hDbgPipe,
                              FILE_WRITE_DATA | SYNCHRONIZE,
                              &pipeAttributes,
                              &ioResult,
                              0,
                              FILE_ATTRIBUTE_NORMAL,
                              0,
                              FILE_OPEN,
                              FILE_SYNCHRONOUS_IO_NONALERT,
                              NULL,
                              0);
    if (!NT_SUCCESS(openStatus))
    {
        DbgMsg(__FILE__, __LINE__, "ZwCreateFile() fails; status: 0x%.8x\n", openStatus);
    }

    KeReleaseMutex(&DbgMutex, FALSE);
}
Ejemplo n.º 5
//--------------------------------------------------------------------------------------
/*
 * Opens (creating or truncating) the debug log file DBG_LOGFILE_NAME and
 * stores the handle in the global hDbgLogFile. The open is performed while
 * holding DbgMutex; a failure is only logged through DbgMsg.
 */
void DbgOpenLogFile(void)
{
    UNICODE_STRING logPath;
    OBJECT_ATTRIBUTES logAttributes;
    IO_STATUS_BLOCK ioResult;
    NTSTATUS openStatus;

    RtlInitUnicodeString(&logPath, DBG_LOGFILE_NAME);

    InitializeObjectAttributes(&logAttributes, &logPath,
        OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);

    KeWaitForMutexObject(&DbgMutex, Executive, KernelMode, FALSE, NULL);

    // FILE_OVERWRITE_IF discards any previous log content.
    openStatus = ZwCreateFile(&hDbgLogFile,
                              FILE_ALL_ACCESS | SYNCHRONIZE,
                              &logAttributes,
                              &ioResult,
                              NULL,
                              FILE_ATTRIBUTE_NORMAL,
                              0,
                              FILE_OVERWRITE_IF,
                              FILE_SYNCHRONOUS_IO_NONALERT,
                              NULL,
                              0);
    if (!NT_SUCCESS(openStatus))
    {
        DbgMsg(__FILE__, __LINE__, "ZwCreateFile() fails; status: 0x%.8x\n", openStatus);
    }

    KeReleaseMutex(&DbgMutex, FALSE);
}
Ejemplo n.º 6
/*
 * Resolves a drive name to a referenced storage device object.
 *
 * A one-character name is forwarded to Disk_GetDeviceObjectByLetter.
 * Otherwise the name is opened as an object path, the file object's device
 * (or its Vpb->RealDevice when present) is taken, and it is returned only if
 * it is not still initializing and is a disk, CD-ROM or DVD device.
 *
 * Returns NULL on any failure. On success the device carries the reference
 * taken by ObReferenceObjectByPointer; presumably the caller releases it.
 */
PDEVICE_OBJECT
Disk_GetDeviceByName(PWCHAR DriveName)
{
	PDEVICE_OBJECT pResult = NULL;
	PDEVICE_OBJECT pCandidate;
	PFILE_OBJECT pOpenedFile;
	HANDLE hDevice;
	OBJECT_ATTRIBUTES Attributes;
	IO_STATUS_BLOCK Iosb;
	UNICODE_STRING Name;
	NTSTATUS Status;
	BOOLEAN IsStorage;

	RtlInitUnicodeString(&Name, DriveName);

	/* Exactly one WCHAR: treat it as a drive letter. */
	if (Name.Length == sizeof(WCHAR))
		return Disk_GetDeviceObjectByLetter(*DriveName);

	InitializeObjectAttributes(&Attributes, &Name, OBJ_CASE_INSENSITIVE, NULL, NULL);

	Status = ZwCreateFile(&hDevice, SYNCHRONIZE | FILE_ANY_ACCESS, &Attributes, &Iosb, NULL, 0,
		FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
	if (!NT_SUCCESS(Status))
		return NULL;

	Status = ObReferenceObjectByHandle(hDevice, STANDARD_RIGHTS_REQUIRED, NULL, KernelMode,
		(VOID**)&pOpenedFile, NULL);
	if (NT_SUCCESS(Status))
	{
		pCandidate = pOpenedFile->DeviceObject;
		if (pCandidate != NULL)
		{
			/* Prefer the real device behind a mounted volume. */
			if (pCandidate->Vpb != NULL && pCandidate->Vpb->RealDevice != NULL)
				pCandidate = pCandidate->Vpb->RealDevice;

			if (!(pCandidate->Flags & DO_DEVICE_INITIALIZING))
			{
				IsStorage = (pCandidate->DeviceType == FILE_DEVICE_DISK ||
					pCandidate->DeviceType == FILE_DEVICE_CD_ROM ||
					pCandidate->DeviceType == FILE_DEVICE_DVD);

				/* The reference must be taken before the file object is released. */
				if (IsStorage &&
					NT_SUCCESS(ObReferenceObjectByPointer(pCandidate, STANDARD_RIGHTS_REQUIRED, *IoDeviceObjectType, KernelMode)))
				{
					pResult = pCandidate;
				}
			}
		}

		ObDereferenceObject(pOpenedFile);
	}

	ZwClose(hDevice);

	return pResult;
}
Ejemplo n.º 7
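/*
 * Read dispatch routine of "driver B": opens \Device\MyDDKDeviceA without
 * SYNCHRONIZE (asynchronous handle), issues a zero-length read, waits on the
 * file object's event if the read is pending, then completes pIrp with
 * STATUS_SUCCESS regardless of the result.
 *
 * The handle is closed only when the open succeeded; previously ZwClose was
 * also reached with an uninitialized hDevice after a failed open.
 */
NTSTATUS HelloDDKRead(IN PDEVICE_OBJECT pDevObj,
								 IN PIRP pIrp) 
{
	KdPrint(("DriverB:Enter B HelloDDKRead\n"));
	NTSTATUS ntStatus = STATUS_SUCCESS;

	UNICODE_STRING DeviceName;
	RtlInitUnicodeString( &DeviceName, L"\\Device\\MyDDKDeviceA" );

	// Initialize objectAttributes.
	// OBJ_KERNEL_HANDLE is not set, so the handle is created in the handle
	// table of whichever process issued the read.
	OBJECT_ATTRIBUTES objectAttributes;
	InitializeObjectAttributes(&objectAttributes, 
							&DeviceName,
							OBJ_CASE_INSENSITIVE, 
							NULL, 
							NULL );

	HANDLE hDevice = NULL;
	IO_STATUS_BLOCK status_block;
	
	// Open the device for asynchronous I/O
	ntStatus = ZwCreateFile(&hDevice,
		FILE_READ_ATTRIBUTES, // SYNCHRONIZE deliberately not set
		&objectAttributes,
		&status_block,
		NULL,FILE_ATTRIBUTE_NORMAL,FILE_SHARE_READ,
		FILE_OPEN_IF,0,NULL,0);

	LARGE_INTEGER offset = RtlConvertLongToLargeInteger(0);
	if (NT_SUCCESS(ntStatus))
	{
		ntStatus = ZwReadFile(hDevice,NULL,NULL,NULL,&status_block,NULL,0,&offset,NULL);

		if (ntStatus==STATUS_PENDING)
		{
			KdPrint(("DriverB:ZwReadFile return STATUS_PENDING!\n"));

			// NOTE(review): the handle is a file handle but the expected type
			// passed here is *ExEventObjectType; confirm this reference can
			// succeed, otherwise the wait below is never reached.
			PFILE_OBJECT FileObject;
			ntStatus = ObReferenceObjectByHandle(hDevice, EVENT_MODIFY_STATE, *ExEventObjectType,
							KernelMode, (PVOID*) &FileObject, NULL);
			if (NT_SUCCESS(ntStatus))
			{
				KdPrint(("DriverB:Waiting..."));
				KeWaitForSingleObject(&FileObject->Event,Executive,KernelMode,FALSE,NULL);
				KdPrint(("DriverB:Driver A Read IRP completed now!\n"));
				ObDereferenceObject(FileObject);
			}
		}

		// Only a successfully opened handle is closed.
		ZwClose(hDevice);
	}

	ntStatus = STATUS_SUCCESS;
	// Complete the IRP
	pIrp->IoStatus.Status = ntStatus;
	pIrp->IoStatus.Information = 0;	// bytes xfered
	IoCompleteRequest( pIrp, IO_NO_INCREMENT );
	KdPrint(("DriverB:Leave B HelloDDKRead\n"));
	return ntStatus;
}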
Ejemplo n.º 8
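/*
 * Opens szFilename (an ANSI object path) with the given access, share and
 * disposition, always adding SYNCHRONIZE and synchronous non-alertable I/O.
 *
 * Returns the handle cast to int on STATUS_SUCCESS, or -1 on any failure.
 * The ANSI-to-Unicode conversion result is now checked: on failure the
 * UNICODE_STRING was never allocated and must not be used or freed.
 *
 * NOTE(review): casting HANDLE to int truncates on 64-bit builds; the return
 * type is part of the interface and is left unchanged here.
 */
int OpenFile( char *szFilename, int nDesiredAccess, ULONG ulShareAccess, ULONG ulCreateDisposition )
{
	// Example call: int fhandle = OpenFile(uncFilename, FILE_GENERIC_READ|SYNCHRONIZE, FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE, FILE_OPEN);

	NTSTATUS ntStatus;
	HANDLE FileHandle=(HANDLE)-1;
	OBJECT_ATTRIBUTES ObjectAttributes;
	IO_STATUS_BLOCK IoStatus;
	UNICODE_STRING uniFilename;
	ANSI_STRING ansiFilename;

	// The string coming through here is the fully qualified driver path in ASCII.
	// For now we'll display that driver path in all output text.
	// Convert it back to unicode.
	//
	RtlInitAnsiString( &ansiFilename, szFilename );
	ntStatus = RtlAnsiStringToUnicodeString( &uniFilename, &ansiFilename, TRUE);
	if ( !NT_SUCCESS(ntStatus) )
	{
		// No buffer was allocated, so there is nothing to open or release.
		return -1;
	}

	// OBJ_KERNEL_HANDLE is not set: the handle lives in the current
	// process's handle table.
	InitializeObjectAttributes( &ObjectAttributes, &uniFilename, 
								OBJ_CASE_INSENSITIVE, NULL, NULL );

//    _DebugTrace(TraceInfo,"ZwCreateFile acc=%08X shar=%08X disp=%08X : %s\n", nDesiredAccess, ulShareAccess, ulCreateDisposition, szFilename);


	// InMyOpenClose brackets the driver's own open/close calls; it is a plain
	// increment, so presumably callers are serialized -- confirm.
	++InMyOpenClose;
	ntStatus = ZwCreateFile( &FileHandle, 
							 nDesiredAccess|SYNCHRONIZE,
							 &ObjectAttributes,
							 &IoStatus,
							 NULL,
							 FILE_ATTRIBUTE_NORMAL,
							 ulShareAccess,
							 ulCreateDisposition,
							 FILE_SYNCHRONOUS_IO_NONALERT|FILE_COMPLETE_IF_OPLOCKED,
							 NULL,
							 0 );
	--InMyOpenClose;
	RtlFreeUnicodeString( &uniFilename );

	// With GDATA defined the two tests nest and the else below binds to the
	// inner one; only an exact STATUS_SUCCESS returns the handle.
#ifdef GDATA
	if ( NT_SUCCESS(ntStatus) ) 
#endif //GDATA
	if ( ntStatus == STATUS_SUCCESS ) 
	{
		return ( ( int )FileHandle );
	}
	else if (FileHandle != (HANDLE)-1)
//	(ntStatus == STATUS_OPLOCK_BREAK_IN_PROGRESS|| ntStatus == STATUS_DELETE_PENDING ) 
	{
		// A handle was produced together with a non-SUCCESS status: release it.
		++InMyOpenClose;
		ZwClose( FileHandle );
		--InMyOpenClose;
	}

    _Trace(TraceInfo,"ZwCreateFile FFAILED: NtStatus=%08X  :%s\n", ntStatus, szFilename);

	return -1;
}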
Ejemplo n.º 9
/*
 * Opens an existing file (FILE_OPEN) by NT path for synchronous I/O and
 * returns the ZwCreateFile status; the kernel handle is written to *file.
 *
 * NOTE(review): GENERIC_ALL already covers the individual read/write/append
 * rights listed with it, so the handle carries full access. A narrower mask
 * would follow least privilege if callers only read and write data.
 */
NTSTATUS CETC_OpenFile(PHANDLE file, PCWSTR filename)
{
	const ACCESS_MASK desiredAccess =
		SYNCHRONIZE | FILE_READ_DATA | FILE_WRITE_DATA | FILE_APPEND_DATA | GENERIC_ALL;
	UNICODE_STRING path;
	OBJECT_ATTRIBUTES attributes;
	IO_STATUS_BLOCK ioResult;

	RtlInitUnicodeString(&path, filename);
	InitializeObjectAttributes(&attributes, &path,
		OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

	/* Share access 0: the open is exclusive while the handle is held. */
	return ZwCreateFile(file,
		desiredAccess,
		&attributes,
		&ioResult,
		0,
		FILE_ATTRIBUTE_NORMAL,
		0,
		FILE_OPEN,
		FILE_SYNCHRONOUS_IO_NONALERT,
		NULL,
		0);
}
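/*
 * Opens (or creates, FILE_OPEN_IF) the file named by the ANSI path
 * `filename` for unbuffered, synchronous read/write access.
 *
 * Returns the kernel handle, or NULL when the name conversion or the open
 * does not return STATUS_SUCCESS. The converted Unicode name is released on
 * every path after the conversion; previously it leaked when the open failed.
 */
FILE_HANDLE sysOpenFile(IN const char* filename)
{
	HANDLE handle;
	OBJECT_ATTRIBUTES objAttr;	
	IO_STATUS_BLOCK ioStatus;
	ANSI_STRING afilename;
    UNICODE_STRING ufilename;
	NTSTATUS status;
	
	RtlInitAnsiString(&afilename, filename);
	
    status = RtlAnsiStringToUnicodeString(
        &ufilename,
        &afilename,
        TRUE);	
		
	if(status != STATUS_SUCCESS)
	{
		return NULL;
	}
		
	InitializeObjectAttributes(
        &objAttr,
        &ufilename,
        OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
        NULL,
        NULL);

	// FILE_NO_INTERMEDIATE_BUFFERING: later reads and writes on this handle
	// bypass the cache.
	status = ZwCreateFile(
        &handle,
        GENERIC_READ | GENERIC_WRITE,
        &objAttr,
        &ioStatus,
        NULL,
        FILE_ATTRIBUTE_NORMAL,
        FILE_SHARE_READ,
        FILE_OPEN_IF,
        FILE_NON_DIRECTORY_FILE |
        FILE_RANDOM_ACCESS |
        FILE_NO_INTERMEDIATE_BUFFERING |
        FILE_SYNCHRONOUS_IO_NONALERT,
        NULL,
        0
        );

	// The name is needed only for the open itself; free it before deciding
	// what to return so the failure path does not leak it.
	RtlFreeUnicodeString(&ufilename);

    if (status != STATUS_SUCCESS)
    {
		return NULL;
	}
	
	return handle;
}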
Ejemplo n.º 11
/*
 * Temporarily replaces three dispatch entries of the driver that owns
 * device_object (MajorFunction indexes 0, 0x12 and 0x2) with the Hooked*
 * routines, issues ZwDeleteFile on the g_tmpFile path so that request runs
 * through them, then writes the saved entries back.
 *
 * NOTE(review): in the WDK headers index 0 is IRP_MJ_CREATE, 0x2 is
 * IRP_MJ_CLOSE and 0x12 is IRP_MJ_CLEANUP. The Hooked* names suggest the
 * target is the NTFS driver -- confirm against the caller.
 * NOTE(review): the swap is not synchronized. Every create/cleanup/close
 * sent to that driver from any thread during the window also goes through
 * the hooks, and the originals are written back without checking whether
 * the table changed meanwhile. Modifying another driver's dispatch table is
 * also what kernel integrity tooling is designed to detect.
 */
void hook_it(DEVICE_OBJECT *device_object)
{	
	NTSTATUS result;
	OBJECT_ATTRIBUTES fileObj;
	UNICODE_STRING uTmpFile;
	HANDLE fileHandle;
	IO_STATUS_BLOCK ioStatus;	
	// fileBasicInfo is declared but not used in this function.
	FILE_BASIC_INFORMATION fileBasicInfo;

	//initialize variables related with fake file
	RtlInitUnicodeString(&uTmpFile,g_tmpFile);

	InitializeObjectAttributes(&fileObj,
								&uTmpFile,
								OBJ_CASE_INSENSITIVE,
								NULL,
								NULL);
	
	//save original MJ functions	
	create  = device_object->DriverObject->MajorFunction[0];
	cleanup = device_object->DriverObject->MajorFunction[0x12];
	close   = device_object->DriverObject->MajorFunction[0x2];

	// Literal arguments, by WDK value: 4 = FILE_APPEND_DATA,
	// 0x80 = FILE_ATTRIBUTE_NORMAL, 2 = FILE_SHARE_WRITE, 3 = FILE_OPEN_IF,
	// 0x20 = FILE_SYNCHRONOUS_IO_NONALERT. This makes sure the temporary
	// file exists before the table is touched.
	result = ZwCreateFile(&fileHandle,
						  4,
						  &fileObj,
						  &ioStatus,
						  0,
						  0x80,
						  2,
						  3,
						  0x20,
						  0,
						  0);	
	if(result != STATUS_SUCCESS)
		return;
	
	ZwClose(fileHandle);
	
	//install hooks
	device_object->DriverObject->MajorFunction[0]    = HookedNtfsFsdCreate;  
	device_object->DriverObject->MajorFunction[0x12] = HookedNtfsFsdCleanUp;  
	device_object->DriverObject->MajorFunction[0x2]  = HookedNtfsFsdClose;  

	ZwDeleteFile(&fileObj);// the delete request is what drives the hooked routines; its status is ignored
	
	//restore original MJ functions
	device_object->DriverObject->MajorFunction[0]    = create;
	device_object->DriverObject->MajorFunction[0x12] = cleanup;
	device_object->DriverObject->MajorFunction[0x2]  = close;
	
}
Ejemplo n.º 12
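/*
 * Creates (or truncates, FILE_OVERWRITE_IF) the file named by the ANSI path
 * `filename` for synchronous writing and returns a new I/O context for it.
 * Other openers may read the file while it is open only if `allow_read` is
 * set.
 *
 * Returns NULL when the name conversion, the context allocation or the open
 * fails. The converted Unicode name is now released on the allocation
 * failure path as well; previously it leaked there.
 *
 * NOTE(review): a failed write-cache allocation still returns the context
 * with wr_cache == NULL, as before; presumably the write path copes with
 * that -- confirm.
 */
SshFileIoHandle
ssh_file_create(unsigned char *filename,
                Boolean allow_read)
{
  SshFileIoContext io_ctx;
  OBJECT_ATTRIBUTES obj_attr;
  UNICODE_STRING uc_name;
  ANSI_STRING ansi_name;
  IO_STATUS_BLOCK iosb;
  NTSTATUS status;
  ULONG share_access = 0;

  if (allow_read)
    share_access |= FILE_SHARE_READ;

  RtlInitAnsiString(&ansi_name, filename);
  if (!NT_SUCCESS(RtlAnsiStringToUnicodeString(&uc_name, &ansi_name, TRUE)))
    return NULL;

  io_ctx = ssh_calloc(1, sizeof(*io_ctx));
  if (io_ctx == NULL)
    {
      /* The converted name was allocated above and is owned here. */
      RtlFreeUnicodeString(&uc_name);
      return NULL;
    }

  InitializeObjectAttributes(&obj_attr, &uc_name,
                             OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                             NULL, NULL);

  status = ZwCreateFile(&io_ctx->handle, GENERIC_WRITE, 
                        &obj_attr, &iosb, NULL,
                        FILE_ATTRIBUTE_NORMAL, share_access, 
                        FILE_OVERWRITE_IF, FILE_SYNCHRONOUS_IO_NONALERT, 
                        NULL, 0);

  /* The name is needed only for the open. */
  RtlFreeUnicodeString(&uc_name);

  if (!NT_SUCCESS(status))
    {
      ssh_free(io_ctx);
      return NULL;
    }

  io_ctx->wr_cache = ssh_calloc(1, SSH_FILE_WR_CACHE_SIZE);
  if (io_ctx->wr_cache)
    {
      io_ctx->wr_cache_size = SSH_FILE_WR_CACHE_SIZE;
      io_ctx->wr_cache_left = io_ctx->wr_cache_size;
      io_ctx->wr_cache_ptr = io_ctx->wr_cache;
    }

  return io_ctx;
}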
Ejemplo n.º 13
/*
 * Opens the named device with DesiredAccess and returns a referenced file
 * object together with its related device object.
 *
 * The temporary handle is closed before returning; on success the reference
 * taken on the file object is what keeps it alive. The out parameters are
 * written only on success.
 *
 * NOTE(review): object attributes are 0, so OBJ_KERNEL_HANDLE is not set and
 * the short-lived handle is created in the current process's handle table.
 */
NTSTATUS
NTAPI
CompBattGetDeviceObjectPointer(IN PUNICODE_STRING DeviceName,
                               IN ACCESS_MASK DesiredAccess,
                               OUT PFILE_OBJECT *FileObject,
                               OUT PDEVICE_OBJECT *DeviceObject)
{
    OBJECT_ATTRIBUTES Attributes;
    IO_STATUS_BLOCK Iosb;
    PFILE_OBJECT OpenedFile;
    HANDLE Handle;
    NTSTATUS Result;
    PAGED_CODE();

    /* Open a handle to the device by name */
    InitializeObjectAttributes(&Attributes, DeviceName, 0, NULL, NULL);
    Result = ZwCreateFile(&Handle,
                          DesiredAccess,
                          &Attributes,
                          &Iosb,
                          NULL,
                          0,
                          FILE_SHARE_READ | FILE_SHARE_WRITE,
                          FILE_OPEN,
                          0,
                          NULL,
                          0);
    if (!NT_SUCCESS(Result))
    {
        /* Nothing was opened */
        return Result;
    }

    /* Turn the handle into a referenced file object */
    Result = ObReferenceObjectByHandle(Handle,
                                       0,
                                       IoFileObjectType,
                                       KernelMode,
                                       (PVOID)&OpenedFile,
                                       NULL);
    if (NT_SUCCESS(Result))
    {
        /* Hand back the file object and the device it belongs to */
        *FileObject = OpenedFile;
        *DeviceObject = IoGetRelatedDeviceObject(OpenedFile);
    }

    /* The handle is no longer needed either way */
    ZwClose(Handle);
    return Result;
}
Ejemplo n.º 14
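/*
 * Opens a TDI transport address object on the TCP or UDP device (selected by
 * Type) bound to Address:Port, and returns both a kernel handle and a
 * referenced file object for it.
 *
 * Returns STATUS_INVALID_PARAMETER for any other Type, otherwise the status
 * of the open or of the reference. When the reference fails, the freshly
 * opened handle is now closed and *Handle is set to NULL; previously the
 * handle was left open with no owner.
 *
 * NOTE(review): Port and Address are stored as given; presumably the caller
 * supplies them in network byte order -- confirm.
 */
NTSTATUS
	TdiCreateAddress(
		PHANDLE			Handle, 
		PFILE_OBJECT	*AddressObject,
		ULONG			Type,
		ULONG			Address,
		USHORT			Port
		)
{
	/* One EA entry: header, name with terminator, then the TA_IP_ADDRESS value. */
	CHAR Buffer[sizeof (FILE_FULL_EA_INFORMATION) + TDI_TRANSPORT_ADDRESS_LENGTH + sizeof(TA_IP_ADDRESS)];
	NTSTATUS	ntStatus;
	OBJECT_ATTRIBUTES	Attr; 
	IO_STATUS_BLOCK		IoStatus;
	PTA_IP_ADDRESS		Sin;
	PFILE_FULL_EA_INFORMATION Ea = (PFILE_FULL_EA_INFORMATION)&Buffer;

	switch(Type)
	{
	case SOCK_STREAM:
		InitializeObjectAttributes(&Attr, &g_TcpDeviceName, OBJ_CASE_INSENSITIVE  | OBJ_KERNEL_HANDLE, 0, 0);
		break;
	case SOCK_DGRAM:
		InitializeObjectAttributes(&Attr, &g_UdpDeviceName, OBJ_CASE_INSENSITIVE  | OBJ_KERNEL_HANDLE, 0, 0);
		break;
	default:
		return(STATUS_INVALID_PARAMETER);
	}

	Ea->NextEntryOffset = 0;
	Ea->Flags = 0;
	Ea->EaNameLength = TDI_TRANSPORT_ADDRESS_LENGTH;
	Ea->EaValueLength = sizeof (TA_IP_ADDRESS);
	/* +1 copies the name's terminating NUL as well. */
	RtlCopyMemory(Ea->EaName, TdiTransportAddress, Ea->EaNameLength + 1);

	/* The value starts right after the terminated name. */
	Sin = (PTA_IP_ADDRESS)(Ea->EaName + Ea->EaNameLength + 1);
	Sin->TAAddressCount = 1;
	Sin->Address[0].AddressLength = TDI_ADDRESS_LENGTH_IP;
	Sin->Address[0].AddressType = TDI_ADDRESS_TYPE_IP;
	Sin->Address[0].Address[0].sin_port = Port;
	Sin->Address[0].Address[0].in_addr = Address;
	RtlZeroMemory(Sin->Address[0].Address[0].sin_zero, sizeof Sin->Address[0].Address[0].sin_zero);
	
	ntStatus = ZwCreateFile(Handle, 0, &Attr, &IoStatus, 0, FILE_ATTRIBUTE_NORMAL, 0, FILE_OPEN, 0, Ea, sizeof(Buffer));

	if (NT_SUCCESS(ntStatus))
	{
		ntStatus = ObReferenceObjectByHandle(*Handle, GENERIC_READ | GENERIC_WRITE, 0, KernelMode, (PVOID *)AddressObject, 0);
		if (!NT_SUCCESS(ntStatus))
		{
			/* Do not hand back a handle the caller has no reason to close. */
			ZwClose(*Handle);
			*Handle = NULL;
		}
	}

	return(ntStatus);
}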
Ejemplo n.º 15
/*
 * Opens (or creates, FILE_OPEN_IF) the file at puszFileFullPath with share
 * access 0 and FILE_DELETE_ON_CLOSE, marks it system + hidden, and then
 * deliberately keeps the handle open (the close call is commented out).
 * With no sharing allowed, other opens of the path fail while the handle is
 * held. A copy of the path is finally queued via BDKitAddDeleteFileList.
 *
 * Returns the status of the last ZwSetInformationFile call, or the open
 * status when the open failed.
 *
 * NOTE(review): puszFileFullPath is dereferenced without a NULL check.
 */
NTSTATUS AddDenyFileAccessByCreateFile(__in PUNICODE_STRING puszFileFullPath)
{
	NTSTATUS			nsStatus			= STATUS_UNSUCCESSFUL;
	IO_STATUS_BLOCK		IoStatus			= {0x00};
	HANDLE				hKeFile				= NULL;
	OBJECT_ATTRIBUTES	oa					= {0x00};
	FILE_BASIC_INFORMATION	FileAttributes	= {0x00};

	// Single-pass loop used only so the macro below can break out early.
	do 
	{
		InitializeObjectAttributes(
			&oa, 
			puszFileFullPath, 
			OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, 
			NULL, 
			NULL
			);
		nsStatus = ZwCreateFile(
			&hKeFile,
			GENERIC_READ,
			&oa,
			&IoStatus,
			NULL,
			FILE_ATTRIBUTE_SYSTEM,
			0,
			FILE_OPEN_IF,
			FILE_SYNCHRONOUS_IO_NONALERT | FILE_DELETE_ON_CLOSE,
			NULL,
			0);
		// Project macro; presumably breaks out when the condition is false -- confirm.
		BDKit_If_Not_Break(NT_SUCCESS(nsStatus) && hKeFile != NULL);

		// The query status is overwritten by the set call without being checked.
		nsStatus = ZwQueryInformationFile (hKeFile, &IoStatus, &FileAttributes, sizeof(FileAttributes), FileBasicInformation);
		FileAttributes.FileAttributes = FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN;
		nsStatus = ZwSetInformationFile (hKeFile, &IoStatus, &FileAttributes, sizeof(FileAttributes), FileBasicInformation);

	} while (FALSE);

	// The handle is intentionally not closed here; nothing in this function
	// records it, so it stays open for the lifetime of the system process
	// unless tracked elsewhere.
	//BDKitCloseHandle(hKeFile);

	// Runs even when the open above failed.
	if ( puszFileFullPath->Buffer != NULL )
	{
		PWSTR	pszFilePath = NULL;
		// NOTE(review): the allocation result is not checked before the copy,
		// and only Length bytes are copied into a Length + sizeof(WCHAR)
		// buffer; the terminator depends on the allocator zeroing -- confirm.
		BDKitAllocateNonpagePool(pszFilePath, puszFileFullPath->Length + sizeof(WCHAR));
		RtlCopyMemory(pszFilePath, puszFileFullPath->Buffer, puszFileFullPath->Length);
		BDKitAddDeleteFileList (pszFilePath);
	}

	return nsStatus;
}
Ejemplo n.º 16
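/**
 * Empties the log file named by g_logFileName.
 *
 * The file is reopened with FILE_SUPERSEDE, which replaces any existing
 * content with an empty file, and the handle is closed again at once.
 *
 * @return true when the file was replaced, false when the open failed.
 *         Previously the status was ignored, the function always returned
 *         true, and ZwClose was called even without a valid handle.
 */
bool   deleteLogFileA()
{
	HANDLE logFile = NULL;
	OBJECT_ATTRIBUTES    objectAttributes;
	IO_STATUS_BLOCK		ioStatus;
	NTSTATUS			status;

	// OBJ_KERNEL_HANDLE is not set: the short-lived handle is created in the
	// current process's handle table.
	InitializeObjectAttributes(&objectAttributes,&g_logFileName,OBJ_CASE_INSENSITIVE,NULL, NULL);
	status = ZwCreateFile(&logFile,FILE_READ_ATTRIBUTES | FILE_APPEND_DATA | SYNCHRONIZE,
		&objectAttributes,&ioStatus,NULL,FILE_ATTRIBUTE_NORMAL,
		FILE_SHARE_READ|FILE_SHARE_WRITE,FILE_SUPERSEDE,FILE_SYNCHRONOUS_IO_NONALERT,NULL,0);
	if (!NT_SUCCESS(status))
	{
		// Nothing was opened, so there is nothing to close.
		return false;
	}

	ZwClose(logFile);

	return true;
}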
Ejemplo n.º 17
/*
 * Opens (creating if needed, FILE_OPEN_IF) the log file at pszFileName for
 * synchronous, sequential appends and stores the kernel handle in the global
 * LogFile. Returns the ZwCreateFile status unchanged.
 *
 * Other openers may read or delete the file while logging is active, but may
 * not write to it.
 */
NTSTATUS Log_StartFileLogging(LPCWSTR pszFileName)
{
	UNICODE_STRING LogPath;
	OBJECT_ATTRIBUTES LogAttributes;
	IO_STATUS_BLOCK IoResult = { 0 };

	RtlInitUnicodeString(&LogPath, pszFileName);
	InitializeObjectAttributes(&LogAttributes, &LogPath,
		OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

	return ZwCreateFile(&LogFile,
		FILE_APPEND_DATA | SYNCHRONIZE,
		&LogAttributes,
		&IoResult,
		NULL,
		FILE_ATTRIBUTE_NORMAL,
		FILE_SHARE_READ | FILE_SHARE_DELETE,
		FILE_OPEN_IF,
		FILE_SYNCHRONOUS_IO_NONALERT | FILE_SEQUENTIAL_ONLY,
		NULL,
		0);
}
Ejemplo n.º 18
/*
 * This helper runs a program from the driver service.
 *   The connection is established over a named pipe.
 */
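/*
 * Asks the user-mode helper behind \??\pipe\drvtest to start pwcProg and
 * records the PID it reports in g_proc_table[i].sl_pid. The whole exchange
 * runs under the global mutex.
 *
 * Changes from the earlier version:
 *  - the program name is length-checked before being copied into the fixed
 *    out_data.rprog field (assumed to be a WCHAR array -- confirm); the copy
 *    used to be unbounded;
 *  - when the pipe cannot be opened the write/read/close are skipped instead
 *    of being issued on an uninitialized handle;
 *  - pid starts at 0, so a failed exchange stores 0 rather than stack garbage.
 *
 * NOTE(review): the pipe is opened by name only. Nothing here verifies which
 * process is serving it, so whoever creates that pipe first receives the
 * spawn request and chooses the PID that is recorded.
 */
void run_process(DWORD i, WCHAR *pwcProg)
{
  NTSTATUS status;
  HANDLE pipe = NULL;
  OBJECT_ATTRIBUTES fattrs;
  UNICODE_STRING pipe_name;
  IO_STATUS_BLOCK io_stat_block;
  DWORD pid = 0;
  example_ioctl_data out_data = { code: MCODE_SPAWN };
  LARGE_INTEGER delay = RtlConvertUlongToLargeInteger(300000l);

  DbgPrint("Runing %ls...\r\n", pwcProg);
  while (!NT_SUCCESS(KeWaitForMutexObject(&mutex, Executive,
                                          KernelMode, FALSE, NULL)));

  /* Refuse names that would not fit, terminator included. */
  if (wcslen(pwcProg) >= sizeof(out_data.rprog) / sizeof(out_data.rprog[0]))
    {
      DbgPrint("Alert! 0x%0.8x\r\n", STATUS_NAME_TOO_LONG);
      goto done;
    }

  RtlInitUnicodeString(&pipe_name, L"\\??\\pipe\\drvtest");
  InitializeObjectAttributes(&fattrs, &pipe_name,
                             OBJ_CASE_INSENSITIVE | 0x0200/*OBJ_KERNEL_HANDLE*/,
                             0, NULL);
  status = ZwCreateFile(&pipe, FILE_WRITE_DATA | FILE_READ_DATA | SYNCHRONIZE,
                        &fattrs, &io_stat_block, NULL, 0,
                        FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN,
                        FILE_NON_DIRECTORY_FILE, NULL, 0);
  if (!NT_SUCCESS(status))
    {
      DbgPrint("Alert! 0x%0.8x, 0x%0.8x\r\n", status, io_stat_block.Status);
      goto done;
    }

  wcscpy(out_data.rprog, pwcProg);
  status = ZwWriteFile(pipe, NULL, NULL, NULL, &io_stat_block, &out_data,
                       sizeof(out_data), NULL, NULL);
  if (!NT_SUCCESS(status))
    DbgPrint("Alert! 0x%0.8x\r\n", status);

  /* Read the PID back; the loop repeats only while the read is pending. */
  do {
    status = ZwReadFile(pipe, NULL, NULL, NULL, &io_stat_block, &pid,
                        sizeof(DWORD), NULL, NULL);
    if (!NT_SUCCESS(status))
      KeDelayExecutionThread(KernelMode, FALSE, &delay);
  } while(STATUS_PENDING == status);
  if (!NT_SUCCESS(status))
    DbgPrint("Alert! 0x%0.8x\r\n", status);

  ZwClose(pipe);

done:
  DbgPrint("PID: %d\r\n", pid);
  g_proc_table[i].sl_pid = pid;
  KeReleaseMutex(&mutex, FALSE);
  return;
}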
Ejemplo n.º 19
/*
 * Sends one device I/O control request to the device named by uDeviceName
 * and waits for it to finish.
 *
 * The device is opened by name, its file object referenced, and an IOCTL IRP
 * built for the related device object. If the driver returns STATUS_PENDING
 * the call blocks on a local event and reports the final I/O status.
 * Returns STATUS_UNSUCCESSFUL when no device object or IRP could be
 * obtained, otherwise the status of the failing step or of the request.
 *
 * NOTE(review): OBJ_KERNEL_HANDLE is not set, so the temporary handle is
 * created in the current process's handle table.
 */
NTSTATUS SendDIOC(PUNICODE_STRING uDeviceName, ULONG IoControlCode,PVOID InputBuffer,ULONG InputBufferLength,PVOID OutputBuffer,ULONG OutputBufferLength)
{
	HANDLE              hTarget;
	OBJECT_ATTRIBUTES   Attributes;
	IO_STATUS_BLOCK     Iosb;
	PDEVICE_OBJECT      TargetDevice;
	PFILE_OBJECT        TargetFile;
	NTSTATUS            Result;
	KEVENT              Done;
	PIRP                Request;

	InitializeObjectAttributes(&Attributes, uDeviceName, OBJ_CASE_INSENSITIVE, NULL, NULL);
	Result = ZwCreateFile(&hTarget, SYNCHRONIZE | FILE_ANY_ACCESS, &Attributes, &Iosb, NULL, 0,
		FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
	if (!NT_SUCCESS(Result)) {
		return Result;
	}

	Result = ObReferenceObjectByHandle(hTarget, FILE_READ_DATA, NULL, KernelMode, (PVOID*)&TargetFile, NULL);
	if (!NT_SUCCESS(Result)) {
		ZwClose(hTarget);
		return Result;
	}

	TargetDevice = IoGetRelatedDeviceObject(TargetFile);
	if (TargetDevice == NULL) {
		Result = STATUS_UNSUCCESSFUL;
	} else {
		KeInitializeEvent(&Done, NotificationEvent, FALSE);
		Request = IoBuildDeviceIoControlRequest(IoControlCode, TargetDevice, InputBuffer, InputBufferLength,
			OutputBuffer, OutputBufferLength, FALSE, &Done, &Iosb);
		if (Request == NULL) {
			Result = STATUS_UNSUCCESSFUL;
		} else {
			Result = IoCallDriver(TargetDevice, Request);
			if (Result == STATUS_PENDING) {
				/* Block until the driver completes the request. */
				KeWaitForSingleObject(&Done, Executive, KernelMode, FALSE, (PLARGE_INTEGER)NULL);
				Result = Iosb.Status;
			}
		}
	}

	/* Release in reverse order of acquisition. */
	ObDereferenceObject(TargetFile);
	ZwClose(hTarget);
	return Result;
}
Ejemplo n.º 20
/*
 * Opens an existing device by name for write access and returns the handle
 * through Handle.
 *
 * When the open succeeds, the status from the I/O status block is reported
 * instead of the call's own return value. On any failure *Handle is set to
 * (HANDLE)-1.
 *
 * NOTE(review): object attributes are 0, so neither OBJ_KERNEL_HANDLE nor
 * OBJ_CASE_INSENSITIVE is requested.
 */
NTSTATUS
FsRtlpOpenDev(
    IN OUT PHANDLE Handle,
    IN LPWSTR DevNameStr
)
{
    UNICODE_STRING deviceName;
    OBJECT_ATTRIBUTES attributes;
    IO_STATUS_BLOCK iosb;
    NTSTATUS result;

    PAGED_CODE();

    RtlInitUnicodeString( &deviceName, DevNameStr );
    InitializeObjectAttributes( &attributes, &deviceName, 0, 0, NULL );

    result = ZwCreateFile( Handle,
                           GENERIC_WRITE,
                           &attributes,
                           &iosb,
                           NULL,
                           FILE_ATTRIBUTE_NORMAL,
                           FILE_SHARE_READ | FILE_SHARE_WRITE,
                           FILE_OPEN,
                           0,
                           NULL,
                           0 );

    /* Prefer the final status recorded by the I/O manager. */
    if ( NT_SUCCESS( result ) ) {
        result = iosb.Status;
    }

    /* Give callers a recognizable invalid handle on failure. */
    if ( !NT_SUCCESS( result ) ) {
        *Handle = (HANDLE)-1;
    }

    return result;
}
Ejemplo n.º 21
/*
 * Opens the named device exclusively (share access 0) for synchronous
 * read/write and returns both the kernel handle and a referenced file
 * object. The out parameters are written only on success; on failure no
 * handle is left open.
 *
 * NOTE(review): the failure trace prints DeviceName->Buffer with %S, which
 * assumes the buffer is NUL-terminated -- confirm for all callers.
 */
NTSTATUS
OpenDevice(
    IN PUNICODE_STRING DeviceName,
    IN PHANDLE HandleOut,
    IN PFILE_OBJECT * FileObjectOut)
{
    OBJECT_ATTRIBUTES Attributes;
    IO_STATUS_BLOCK Iosb;
    PFILE_OBJECT OpenedFile;
    HANDLE OpenedHandle;
    NTSTATUS Result;

    InitializeObjectAttributes(&Attributes,
                               DeviceName,
                               OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
                               NULL,
                               NULL);

    Result = ZwCreateFile(&OpenedHandle,
                          GENERIC_READ | GENERIC_WRITE | SYNCHRONIZE,
                          &Attributes,
                          &Iosb,
                          NULL,
                          0,
                          0,
                          FILE_OPEN,
                          FILE_SYNCHRONOUS_IO_NONALERT,
                          NULL,
                          0);
    if (!NT_SUCCESS(Result))
    {
        DPRINT("ZwCreateFile failed with %x %S\n", Result, DeviceName->Buffer);
        return Result;
    }

    Result = ObReferenceObjectByHandle(OpenedHandle,
                                       GENERIC_READ | GENERIC_WRITE,
                                       IoFileObjectType,
                                       KernelMode,
                                       (PVOID*)&OpenedFile,
                                       NULL);
    if (!NT_SUCCESS(Result))
    {
        /* Do not leak the handle when the reference cannot be taken */
        ZwClose(OpenedHandle);
        DPRINT("ObReferenceObjectByHandle failed with %x\n", Result);
        return Result;
    }

    /* Ownership of both the handle and the reference passes to the caller */
    *HandleOut = OpenedHandle;
    *FileObjectOut = OpenedFile;
    return Result;
}
Ejemplo n.º 22
/// <summary>
/// Check if file exists
/// </summary>
/// <param name="path">Fully qualified path to a file</param>
/// <returns>Status code</returns>
// Probes for a file by opening it read-only (FILE_OPEN, never creates) and
// closing it again. The returned status is that of the open, so a sharing
// or access failure is reported as a failure even though the file exists.
// The name is matched case-sensitively: OBJ_CASE_INSENSITIVE is not set.
NTSTATUS BBFileExists( IN PUNICODE_STRING path )
{
    OBJECT_ATTRIBUTES attributes = { 0 };
    IO_STATUS_BLOCK ioResult = { 0 };
    HANDLE probe = NULL;
    NTSTATUS result;

    InitializeObjectAttributes( &attributes, path, OBJ_KERNEL_HANDLE, NULL, NULL );

    result = ZwCreateFile(
        &probe,
        FILE_READ_DATA | SYNCHRONIZE,
        &attributes,
        &ioResult,
        NULL,
        FILE_ATTRIBUTE_NORMAL,
        FILE_SHARE_READ,
        FILE_OPEN,
        FILE_SYNCHRONOUS_IO_NONALERT,
        NULL,
        0
        );
    if (!NT_SUCCESS( result ))
        return result;

    // The handle was only needed to prove the open works.
    ZwClose( probe );
    return result;
}
Ejemplo n.º 23
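/*
 * Locates the shim device, opens it into the global g_shimFileHandle and
 * sends it IOCTL_STORAGE_REGISTER_BALANCER with a request value of 0xC0,
 * returning the driver's answer through pResult.
 *
 * The FileAttributes argument of ZwCreateFile now uses
 * FILE_ATTRIBUTE_NORMAL. The earlier code passed FILE_READ_ATTRIBUTES, an
 * access right that merely shares the same numeric value (0x80), so the
 * behaviour is unchanged but the call reads correctly.
 *
 * NOTE(review): when ObReferenceObjectByHandle fails, g_shimFileHandle stays
 * open; presumably it is closed by the unload path -- confirm.
 */
static NTSTATUS EVhdDriverLoad(ULONG32 *pResult)
{
	UNICODE_STRING szShimName = { 0 }, szRootPath = { 0 };
	NTSTATUS status = STATUS_SUCCESS;
	OBJECT_ATTRIBUTES ObjectAttributes = { 0 };
	IO_STATUS_BLOCK StatusBlock = { 0 };
	PFILE_OBJECT pFileObject = NULL;
	ULONG32 dwRequest = 0xC0;

	RtlInitUnicodeString(&szRootPath, L"");

	status = FindShimDevice(&szShimName, &szRootPath);
	if (!NT_SUCCESS(status))
	{
        LOG_FUNCTION(LL_FATAL, LOG_CTG_GENERAL, "FindShimDevice failed with error 0x%08X", status);
		goto cleanup_failure;
	}
		  
	/* Filled in by hand instead of through InitializeObjectAttributes; the
	   remaining fields keep the zero from the initializer above. */
	ObjectAttributes.Length = sizeof(OBJECT_ATTRIBUTES);
	ObjectAttributes.ObjectName = &szShimName;
	ObjectAttributes.Attributes = OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE;

	status = ZwCreateFile(&g_shimFileHandle, GENERIC_READ | SYNCHRONIZE, &ObjectAttributes, &StatusBlock, 0,
		FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN, FILE_NON_DIRECTORY_FILE, NULL, 0);
	if (!NT_SUCCESS(status))
	{
        LOG_FUNCTION(LL_FATAL, LOG_CTG_GENERAL, "ZwCreateFile %S failed with error 0x%08x\n", szShimName.Buffer, status);
		goto cleanup_failure;
	}

	status = ObReferenceObjectByHandle(g_shimFileHandle, 0, *IoFileObjectType, KernelMode, (PVOID*)&pFileObject, NULL);
	if (!NT_SUCCESS(status))
	{
        LOG_FUNCTION(LL_FATAL, LOG_CTG_GENERAL, "ObReferenceObjectByHandle failed with error 0x%08X\n", status);
		goto cleanup_failure;
	}

	status = SynchronouseCall(pFileObject, IOCTL_STORAGE_REGISTER_BALANCER, &dwRequest, sizeof(ULONG32), pResult, sizeof(ULONG32));
cleanup_failure:
	/* Shared exit for success and failure: drop the temporary reference and
	   the name buffer that FindShimDevice filled in. */
	if (pFileObject) ObDereferenceObject(pFileObject);
	if (szShimName.Buffer) ExFreePool(szShimName.Buffer);

	return status;
}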
Ejemplo n.º 24
// Initializes a log file and starts a log buffer thread.
// Opens the log file named in |info| for appending and starts the thread
// that flushes the log buffer. Does nothing and returns STATUS_SUCCESS when a
// log file handle is already present. If the thread cannot be created the
// file is closed again and the state is reset.
_Use_decl_annotations_ static NTSTATUS LogpInitializeLogFile(
    LogBufferInfo *info) {
  PAGED_CODE();

  // Already initialized.
  if (info->log_file_handle != nullptr) {
    return STATUS_SUCCESS;
  }

  // Open (or create) the log file; other openers may only read it.
  UNICODE_STRING path = {};
  RtlInitUnicodeString(&path, info->log_file_path);

  OBJECT_ATTRIBUTES attributes = {};
  InitializeObjectAttributes(&attributes, &path,
                             OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, nullptr,
                             nullptr);

  IO_STATUS_BLOCK io_result = {};
  NTSTATUS result = ZwCreateFile(
      &info->log_file_handle, FILE_APPEND_DATA | SYNCHRONIZE, &attributes,
      &io_result, nullptr, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ,
      FILE_OPEN_IF, FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE,
      nullptr, 0);
  if (!NT_SUCCESS(result)) {
    return result;
  }

  // The flag must be set before the thread starts running.
  info->buffer_flush_thread_should_be_alive = true;
  result = PsCreateSystemThread(&info->buffer_flush_thread_handle, GENERIC_ALL,
                                nullptr, nullptr, nullptr,
                                LogpBufferFlushThreadRoutine, info);
  if (NT_SUCCESS(result)) {
    // Poll until the thread reports that it has started.
    while (!info->buffer_flush_thread_started) {
      LogpSleep(100);
    }
    return result;
  }

  // Thread creation failed: undo the file open and reset the state.
  ZwClose(info->log_file_handle);
  info->log_file_handle = nullptr;
  info->buffer_flush_thread_should_be_alive = false;
  return result;
}
Ejemplo n.º 25
/*
 * Writes the policy collected in learning mode to
 * \??\<OzoneInstallPath>\policy\<ProcessToMonitor>.policy, replacing any
 * existing file (FILE_SUPERSEDE), then discards the in-memory policy.
 * Uses the globals hFile and offset, which FlushPolicy presumably writes
 * through. Returns FALSE when the file cannot be opened, TRUE otherwise.
 *
 * NOTE(review): ProcessToMonitor is interpolated into the path as is. If it
 * can contain path separators the policy file could land outside the policy
 * directory -- confirm where the value comes from.
 */
BOOLEAN
ShutdownLearningMode()
{
    WCHAR                   PolicyPath[MAX_PATH];
    UNICODE_STRING          PolicyName;
    OBJECT_ATTRIBUTES       Attributes;
    IO_STATUS_BLOCK         Iosb;
    NTSTATUS                OpenStatus;

    /* _snwprintf does not terminate on truncation, so terminate by hand. */
    //XXX should really copy an existing policy to a .bak file
    _snwprintf(PolicyPath, MAX_PATH, L"\\??\\%s\\policy\\%s.policy", OzoneInstallPath, ProcessToMonitor);
    PolicyPath[MAX_PATH - 1] = 0;

    LOG(LOG_SS_LEARN, LOG_PRIORITY_DEBUG, ("ShutdownLearningMode: Writing policy to %S\n", PolicyPath));

    RtlInitUnicodeString(&PolicyName, PolicyPath);
    InitializeObjectAttributes(&Attributes, &PolicyName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

    /* Share access 0: nobody else can open the file while it is written. */
    OpenStatus = ZwCreateFile(&hFile, GENERIC_WRITE, &Attributes, &Iosb,
                              NULL, 0, 0, FILE_SUPERSEDE,
                              FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
    if (!NT_SUCCESS(OpenStatus))
    {
        LOG(LOG_SS_LEARN, LOG_PRIORITY_DEBUG, ("ShutdownLearningMode: Failed to open file %S\n", PolicyName.Buffer));
        return FALSE;
    }

    /* Start writing at the beginning of the new file. */
    offset = 0;

    FlushPolicy();

    PolicyDelete(&NewPolicy);

    ZwClose(hFile);
    hFile = 0;

    return TRUE;
}
Ejemplo n.º 26
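/*
 * Driver entry point of a file-I/O demo: creates \??\c:\asm\demo.asm, writes
 * the path string itself into it, closes the file and registers the unload
 * routine.
 *
 * pDriveObject  driver object; its DriverUnload field is set to DDK_Unload.
 * RegisterPath  not used here.
 *
 * Always returns STATUS_SUCCESS, so the driver loads even when the file could
 * not be created or written.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriveObject,IN PUNICODE_STRING RegisterPath) 
{
	OBJECT_ATTRIBUTES obj_attrib;    // describes the object to open
	NTSTATUS status;
	IO_STATUS_BLOCK Io_Status_Block;
	HANDLE hFile = NULL;
	UNICODE_STRING usStr; 

	// Hard-coded breakpoint for stepping through the demo. With no kernel
	// debugger attached this stops the machine, so it must not ship.
	__asm int 3 ;

	// Every backslash in the path has to be escaped; the original literal had
	// "\d", which is not a valid escape sequence.
	RtlInitUnicodeString(&usStr,L"\\??\\c:\\asm\\demo.asm");

	// Initialize the OBJECT_ATTRIBUTES structure with the file path.
	// OBJ_KERNEL_HANDLE restricts the handle to kernel-mode use.
	InitializeObjectAttributes(&obj_attrib,
								&usStr, // object to operate on, e.g. a file or registry path
								OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
								NULL,
								NULL);

	// Create the file. FILE_CREATE fails if the file already exists, so a
	// second load of the driver takes the failure path.
	// NOTE(review): GENERIC_ALL is broader than the single write below needs.
	status = ZwCreateFile(&hFile,					// receives the file handle on success
						GENERIC_ALL,				// requested access
						&obj_attrib,				// object description
						&Io_Status_Block,			// result of the operation
						NULL,
						FILE_ATTRIBUTE_NORMAL,
						FILE_SHARE_READ,			// share mode
						FILE_CREATE,				// create disposition
						FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
						NULL,
						0 );

	// Only touch the handle when the create succeeded; otherwise hFile is
	// still NULL and must be neither written to nor closed.
	if (NT_SUCCESS(status))
	{
		// Write the path string into the new file.
		status = ZwWriteFile(hFile,					// handle of the opened file
						NULL,
						NULL,
						NULL,
						&Io_Status_Block,			// caller-supplied status block
						usStr.Buffer,				// data to write
						usStr.Length,				// number of bytes to write
						NULL,
						NULL);

		// Close the file.
		ZwClose(hFile);
	}

	pDriveObject->DriverUnload=DDK_Unload;
	return STATUS_SUCCESS;
}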
Ejemplo n.º 27
/*
 * Opens a connection object on the device named by g_TcpDeviceName and
 * returns both a handle and a referenced file object for it.
 *
 * Handle            receives the handle from ZwCreateFile.
 * ConnectionObject  receives the object pointer from ObReferenceObjectByHandle.
 *
 * Returns the status of ZwCreateFile if it fails, otherwise the status of
 * ObReferenceObjectByHandle. When the second call fails, *Handle is still
 * open on return; this function does not close it.
 */
NTSTATUS	
	TdiCreateConnection(
		PHANDLE			Handle, 
		PFILE_OBJECT	*ConnectionObject
		)
{
	NTSTATUS			ntStatus;
	OBJECT_ATTRIBUTES	ObjAttr;
	IO_STATUS_BLOCK		Iosb;
	/* Zero-filled scratch space for one extended-attribute entry. */
	CHAR				EaBuffer[sizeof(FILE_FULL_EA_INFORMATION) + TDI_CONNECTION_CONTEXT_LENGTH + 300] = {0};
	PFILE_FULL_EA_INFORMATION Ea = (PFILE_FULL_EA_INFORMATION)&EaBuffer;

	/* Single EA entry whose name is the TdiConnectionContext string. */
	Ea->NextEntryOffset = 0;
	Ea->Flags = 0;
	Ea->EaNameLength = TDI_CONNECTION_CONTEXT_LENGTH;
	Ea->EaValueLength = TDI_CONNECTION_CONTEXT_LENGTH;
	RtlCopyMemory(Ea->EaName, TdiConnectionContext, TDI_CONNECTION_CONTEXT_LENGTH);

	/* OBJ_KERNEL_HANDLE restricts the handle to kernel-mode use. */
	InitializeObjectAttributes(&ObjAttr, &g_TcpDeviceName, OBJ_CASE_INSENSITIVE  | OBJ_KERNEL_HANDLE, 0, 0);

	ntStatus = ZwCreateFile(Handle,
							FILE_READ_EA | FILE_WRITE_EA,
							&ObjAttr,
							&Iosb,
							0, FILE_ATTRIBUTE_NORMAL,
							0, FILE_OPEN_IF, 0,
							Ea, sizeof(EaBuffer));
	if (!NT_SUCCESS(ntStatus)) {
		return(ntStatus);
	}

	/*
	 * Turn the handle into a referenced object pointer.
	 * NOTE(review): no object type is passed (the third argument is 0), so the
	 * call does not check that the handle refers to a file object.
	 */
	ntStatus = ObReferenceObjectByHandle(*Handle,
										 GENERIC_READ | GENERIC_WRITE,
										 0, KernelMode,
										 (PVOID *)ConnectionObject,
										 0);
	return(ntStatus);
}
Ejemplo n.º 28
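/*
 * Sends an MCODE_TERM message carrying dwProcessId over the named pipe
 * \??\pipe\drvtest, serialized by the mutex declared outside this function.
 *
 * dwProcessId  process id to put in the message; 0 is ignored.
 *
 * The pipe is opened with up to 10 attempts. If none succeeds the failure is
 * logged and the function returns without writing.
 */
void terminate_process(DWORD dwProcessId)
{
  if (!dwProcessId)
    return;

  DbgPrint("Killing %d...\r\n", dwProcessId);
  while (!NT_SUCCESS(KeWaitForMutexObject(&mutex, Executive,
                                          KernelMode, FALSE, NULL)));

  /* KeDelayExecutionThread takes 100 ns units and treats a positive value as
   * an absolute time, which would already have passed; a relative wait must
   * be negative. -300000 is a 30 ms pause between attempts. */
  LARGE_INTEGER delay;
  delay.QuadPart = -300000LL;

  NTSTATUS status;
  HANDLE pipe = NULL;
  OBJECT_ATTRIBUTES fattrs;
  UNICODE_STRING pipe_name;
  /* Zeroed so the failure log below never prints an indeterminate value. */
  IO_STATUS_BLOCK io_stat_block = { 0 };
  RtlInitUnicodeString(&pipe_name, L"\\??\\pipe\\drvtest");
  InitializeObjectAttributes(&fattrs, &pipe_name,
                             OBJ_CASE_INSENSITIVE | 0x0200/*OBJ_KERNEL_HANDLE*/,
                             0, NULL);
  for (int i = 0; i < 10; ++i) {
    status = ZwCreateFile(&pipe, FILE_WRITE_DATA | SYNCHRONIZE,
                          &fattrs, &io_stat_block, NULL, 0,
                          FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN,
                          FILE_NON_DIRECTORY_FILE, NULL, 0);
    if (NT_SUCCESS(status))
      break;
    KeDelayExecutionThread(KernelMode, FALSE, &delay);
  }
  if (!NT_SUCCESS(status)) {
    /* The pipe never opened: there is no handle to write to or close, so
     * release the mutex and stop here. */
    DbgPrint("Alert! 0x%0.8x, 0x%0.8x\r\n", status, io_stat_block.Status);
    KeReleaseMutex(&mutex, FALSE);
    return;
  }

  example_ioctl_data out_data = { code: MCODE_TERM, pid: dwProcessId };
  status = ZwWriteFile(pipe, NULL, NULL, NULL, &io_stat_block, &out_data,
                       sizeof(out_data), NULL, NULL);
  if (!NT_SUCCESS(status))
    DbgPrint("Alert! 0x%0.8x\r\n", status);

  ZwClose(pipe);
  KeReleaseMutex(&mutex, FALSE);
  return;
}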
Ejemplo n.º 29
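/*
 * Read dispatch routine of driver B: synchronously opens \Device\MyDDKDeviceA,
 * issues a zero-length read on it, then completes the IRP.
 *
 * pDevObj  device object the request was sent to (not used here).
 * pIrp     the read IRP; completed with 0 bytes transferred.
 *
 * Returns the status of ZwCreateFile, which is also the IRP's completion
 * status. A failing read is only logged.
 */
NTSTATUS HelloDDKRead(IN PDEVICE_OBJECT pDevObj,
								 IN PIRP pIrp) 
{
	KdPrint(("DriverB:Enter B HelloDDKRead\n"));
	NTSTATUS ntStatus = STATUS_SUCCESS;

	UNICODE_STRING DeviceName;
	RtlInitUnicodeString( &DeviceName, L"\\Device\\MyDDKDeviceA" );

	// Initialize objectAttributes. OBJ_KERNEL_HANDLE keeps the handle usable
	// from kernel mode only; without it a handle opened in a dispatch routine
	// lands in the handle table of whichever process issued the request.
	OBJECT_ATTRIBUTES objectAttributes;
	InitializeObjectAttributes(&objectAttributes, 
							&DeviceName,
							OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, 
							NULL, 
							NULL );

	HANDLE hDevice = NULL;
	IO_STATUS_BLOCK status_block;
	// Open the device synchronously.
	// FILE_SYNCHRONOUS_IO_NONALERT or FILE_SYNCHRONOUS_IO_ALERT selects a synchronous open.
	ntStatus = ZwCreateFile(&hDevice,
		FILE_READ_ATTRIBUTES|SYNCHRONIZE,
		&objectAttributes,
		&status_block,
		NULL,FILE_ATTRIBUTE_NORMAL,FILE_SHARE_READ,
		FILE_OPEN_IF,FILE_SYNCHRONOUS_IO_NONALERT,NULL,0);

	if (NT_SUCCESS(ntStatus))
	{
		NTSTATUS readStatus = ZwReadFile(hDevice,NULL,NULL,NULL,&status_block,NULL,0,NULL,NULL);
		if (!NT_SUCCESS(readStatus))
		{
			KdPrint(("DriverB:ZwReadFile failed 0x%08x\n", readStatus));
		}

		// Close only a handle that was actually opened; on a failed open
		// hDevice holds nothing valid.
		ZwClose(hDevice);
	}

	// Complete the IRP
	pIrp->IoStatus.Status = ntStatus;
	pIrp->IoStatus.Information = 0;	// bytes xfered
	IoCompleteRequest( pIrp, IO_NO_INCREMENT );
	KdPrint(("DriverB:Leave B HelloDDKRead\n"));
	return ntStatus;
}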
Ejemplo n.º 30
// Creates the directory PathW, or opens it when it already exists
// (FILE_OPEN_IF), and closes the handle again straight away. Returns the
// status of ZwCreateFile. No security descriptor is supplied, so a newly
// created directory gets default/inherited security.
EXTERN_C static NTSTATUS ScvnpCreateDirectory(_In_ const wchar_t *PathW) {
  PAGED_CODE();

  UNICODE_STRING directoryPath = {};
  RtlInitUnicodeString(&directoryPath, PathW);

  // OBJ_KERNEL_HANDLE restricts the handle to kernel-mode use.
  OBJECT_ATTRIBUTES attributes = RTL_INIT_OBJECT_ATTRIBUTES(
      &directoryPath, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE);

  HANDLE handle = nullptr;
  IO_STATUS_BLOCK iosb = {};
  const NTSTATUS status = ZwCreateFile(
      &handle, GENERIC_WRITE, &attributes, &iosb, nullptr,
      FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN_IF,
      FILE_SYNCHRONOUS_IO_NONALERT | FILE_DIRECTORY_FILE, nullptr, 0);
  if (!NT_SUCCESS(status)) {
    return status;
  }

  // The handle was only needed to make the directory exist.
  ZwClose(handle);
  return status;
}