BOOL DemDispatch (ULONG iSvc)
{
#if DBG
if(iSvc < SVC_DEMLASTSVC && (fShowSVCMsg & DEMSVCTRACE) &&
apfnSVC[iSvc] != demNotYetImplemented){
sprintf(demDebugBuffer,"DemDispatch: Entering %s\n\tAX=%.4x BX=%.4x CX=%.4x DX=%.4x DI=%.4x SI=%.4x\n",
aSVCNames[iSvc],getAX(),getBX(),getCX(),getDX(),getDI(),getSI());
OutputDebugStringOem(demDebugBuffer);
sprintf(demDebugBuffer,"\tCS=%.4x IP=%.4x DS=%.4x ES=%.4x SS=%.4x SP=%.4x BP=%.4x\n",
getCS(),getIP(), getDS(),getES(),getSS(),getSP(),getBP());
OutputDebugStringOem(demDebugBuffer);
}
#endif
if (iSvc >= SVC_DEMLASTSVC){
#if DBG
sprintf(demDebugBuffer,"Unimplemented SVC index %x\n",iSvc);
OutputDebugStringOem(demDebugBuffer);
#endif
setCF(1);
return FALSE;
}
if (pHardErrPacket) {
pHardErrPacket->vhe_fbInt24 = 0;
}
CurrentISVC = iSvc;
(apfnSVC [iSvc])();
#if DBG
if((fShowSVCMsg & DEMSVCTRACE)){
sprintf(demDebugBuffer,"DemDispatch:On Leaving %s\n\tAX=%.4x BX=%.4x CX=%.4x DX=%.4x DI=%.4x SI=%.4x\n",
aSVCNames[iSvc],getAX(),getBX(),getCX(),getDX(),getDI(),getSI());
OutputDebugStringOem(demDebugBuffer);
sprintf(demDebugBuffer,"\tCS=%.4x IP=%.4x DS=%.4x ES=%.4x SS=%.4x SP=%.4x BP=%.4x CF=%x\n",
getCS(),getIP(), getDS(),getES(),getSS(),getSP(),getBP(),getCF());
OutputDebugStringOem(demDebugBuffer);
}
#endif
return TRUE;
}
void cGenProt(isrVal_t regs)
{
printf("GP\n");
printf("\nGeneral Protection Fault\neip\tcs\tds\teflags\tprocesp\tss\n");
printf("%X\t%X\t%X\t%X\t%X\n", regs.eip, regs.cs, regs.ds, regs.eflags,
regs.procesp, regs.ss);
printf("\nCurrent:\n");
printf("CS\tDS\tSS\tESP\n");
printf("%X\t%X\t%X\t%X\n", getCS(), getDS(), getSS(), getESP());
checkFrame(®s);
// panic("General Protection fault");
}
void cBreakp(isrVal_t regs)
{
printf("BP\n");
checkFrame(®s);
printf("Debug:\n");
printf("eax\tebx\tecx\tedx\n%X\t%X\t%X\t%X\n", regs.eax, regs.ebx, regs.ecx, regs.edx);
printf("\nds\n%X\n", regs.ds);
printf("\nedi\tesi\tebp\tesp\n%X\t%X\t%X\t%X\n", regs.edi, regs.esi, regs.ebp, regs.esp);
printf("\neip\tcs\teflags\tuseresp\tss\n%X\t%X\t%X\t%X\t%X\n", regs.eip, regs.cs, regs.eflags, regs.procesp, regs.ss);
printf("\nerr_code\tfunc_ptr\n%X\t%X\n", regs.errCode, regs.funcPtr);
printf("\n\nCurrent:\n");
printf("CS\tDS\tSS\tESP\n%X\t%X\t%X\t%X\n", getCS(), getDS(), getSS(), getESP());
}
void cDivByZero(isrVal_t regs)
{
printf("D0\n");
checkFrame(®s);
if (regs.cs != 0x8)
{
panic("No process killing code yet");
}
printf("\nDiv by 0\neip\tcs\teflags\tprocesp\tss\n");
printf("%X\t%X\t%X\t%X\t%X\n", regs.eip, regs.cs, regs.eflags, regs.procesp, regs.ss);
printf("\nCurrent:\n");
printf("CS\tDS\tSS\tESP\n");
printf("%X\t%X\t%X\t%X\n", getCS(), getDS(), getSS(), getESP());
panic ("Devide by zero");
}
void MsBopF(){
UCHAR *Instruction;
USHORT i;
// Unimplemented interrupt bop
Instruction = RMSEGOFFTOLIN(getSS(), getSP());
Instruction = RMSEGOFFTOLIN(*((PWORD)Instruction + 1),
*(PWORD)(Instruction));
i = (USHORT)(*(Instruction - 1));
VDprint(
VDP_LEVEL_WARNING,
("SoftPC Bop Support: Unimplemented Interrupt %x\n",
i)
);
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath)
/*++
Routine Description:
This routine is called when the driver is loaded by NT.
Arguments:
DriverObject - Pointer to driver object created by system.
RegistryPath - Pointer to the name of the services node for this driver.
Return Value:
The function value is the final status from the initialization operation.
--*/
{
NTSTATUS ntStatus;
PVOID BufDriverString=NULL,BufProcessEventString=NULL,BufThreadEventString=NULL;
UNICODE_STRING uszDriverString;
UNICODE_STRING uszProcessEventString;
UNICODE_STRING uszThreadEventString;
PDEVICE_OBJECT pDeviceObject;
HANDLE reg=0;
OBJECT_ATTRIBUTES oa;
UNICODE_STRING temp;
char wbuf[100];
WORD this_cs, this_ss, this_ds, this_es, this_fs, this_gs;
ULONG cr4reg;
criticalSection csTest;
HANDLE Ultimap2Handle;
KernelCodeStepping=0;
KernelWritesIgnoreWP = 0;
this_cs=getCS();
this_ss=getSS();
this_ds=getDS();
this_es=getES();
this_fs=getFS();
this_gs=getGS();
//InitializeObjectAttributes(&ao, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
//PsCreateSystemThread(&Ultimap2Handle, 0, NULL, 0, NULL, TestThread, PsGetCurrentProcess());
DbgPrint("DBK loading...");
#ifdef TOBESIGNED
DbgPrint("Signed version");
#endif
//lame antiviruses and more lamer users that keep crying rootkit virus....
temp.Buffer=(PWCH)wbuf;
temp.Length=0;
temp.MaximumLength=100;
RtlAppendUnicodeToString(&temp, L"Ke"); //KeServiceDescriptorTable
RtlAppendUnicodeToString(&temp, L"Service");
RtlAppendUnicodeToString(&temp, L"Descriptor");
RtlAppendUnicodeToString(&temp, L"Table");
KeServiceDescriptorTable=MmGetSystemRoutineAddress(&temp);
DbgPrint("Loading driver\n");
if (RegistryPath)
{
DbgPrint("Registry path = %S\n", RegistryPath->Buffer);
InitializeObjectAttributes(&oa,RegistryPath,OBJ_KERNEL_HANDLE ,NULL,NULL);
ntStatus=ZwOpenKey(®,KEY_QUERY_VALUE,&oa);
if (ntStatus == STATUS_SUCCESS)
{
UNICODE_STRING A,B,C,D;
PKEY_VALUE_PARTIAL_INFORMATION bufA,bufB,bufC,bufD;
ULONG ActualSize;
DbgPrint("Opened the key\n");
BufDriverString=ExAllocatePool(PagedPool,sizeof(KEY_VALUE_PARTIAL_INFORMATION)+100);
BufDeviceString=ExAllocatePool(PagedPool,sizeof(KEY_VALUE_PARTIAL_INFORMATION)+100);
BufProcessEventString=ExAllocatePool(PagedPool,sizeof(KEY_VALUE_PARTIAL_INFORMATION)+100);
BufThreadEventString=ExAllocatePool(PagedPool,sizeof(KEY_VALUE_PARTIAL_INFORMATION)+100);
bufA=BufDriverString;
bufB=BufDeviceString;
bufC=BufProcessEventString;
bufD=BufThreadEventString;
RtlInitUnicodeString(&A, L"A");
RtlInitUnicodeString(&B, L"B");
RtlInitUnicodeString(&C, L"C");
RtlInitUnicodeString(&D, L"D");
if (ntStatus == STATUS_SUCCESS)
ntStatus=ZwQueryValueKey(reg,&A,KeyValuePartialInformation ,bufA,sizeof(KEY_VALUE_PARTIAL_INFORMATION)+100,&ActualSize);
if (ntStatus == STATUS_SUCCESS)
ntStatus=ZwQueryValueKey(reg,&B,KeyValuePartialInformation ,bufB,sizeof(KEY_VALUE_PARTIAL_INFORMATION)+100,&ActualSize);
if (ntStatus == STATUS_SUCCESS)
ntStatus=ZwQueryValueKey(reg,&C,KeyValuePartialInformation ,bufC,sizeof(KEY_VALUE_PARTIAL_INFORMATION)+100,&ActualSize);
if (ntStatus == STATUS_SUCCESS)
ntStatus=ZwQueryValueKey(reg,&D,KeyValuePartialInformation ,bufD,sizeof(KEY_VALUE_PARTIAL_INFORMATION)+100,&ActualSize);
if (ntStatus == STATUS_SUCCESS)
{
DbgPrint("Read ok\n");
RtlInitUnicodeString(&uszDriverString,(PCWSTR) bufA->Data);
RtlInitUnicodeString(&uszDeviceString,(PCWSTR) bufB->Data);
RtlInitUnicodeString(&uszProcessEventString,(PCWSTR) bufC->Data);
RtlInitUnicodeString(&uszThreadEventString,(PCWSTR) bufD->Data);
DbgPrint("DriverString=%S\n",uszDriverString.Buffer);
DbgPrint("DeviceString=%S\n",uszDeviceString.Buffer);
DbgPrint("ProcessEventString=%S\n",uszProcessEventString.Buffer);
DbgPrint("ThreadEventString=%S\n",uszThreadEventString.Buffer);
}
else
{
ExFreePool(bufA);
ExFreePool(bufB);
ExFreePool(bufC);
ExFreePool(bufD);
DbgPrint("Failed reading the value\n");
ZwClose(reg);
return STATUS_UNSUCCESSFUL;;
}
}
else
{
DbgPrint("Failed opening the key\n");
return STATUS_UNSUCCESSFUL;;
}
}
else
loadedbydbvm=TRUE;
ntStatus = STATUS_SUCCESS;
if (!loadedbydbvm)
{
// Point uszDriverString at the driver name
#ifndef CETC
// Create and initialize device object
ntStatus = IoCreateDevice(DriverObject,
0,
&uszDriverString,
FILE_DEVICE_UNKNOWN,
0,
FALSE,
&pDeviceObject);
if(ntStatus != STATUS_SUCCESS)
{
DbgPrint("IoCreateDevice failed\n");
ExFreePool(BufDriverString);
ExFreePool(BufDeviceString);
ExFreePool(BufProcessEventString);
ExFreePool(BufThreadEventString);
if (reg)
ZwClose(reg);
return ntStatus;
}
// Point uszDeviceString at the device name
// Create symbolic link to the user-visible name
ntStatus = IoCreateSymbolicLink(&uszDeviceString, &uszDriverString);
if(ntStatus != STATUS_SUCCESS)
{
DbgPrint("IoCreateSymbolicLink failed: %x\n",ntStatus);
// Delete device object if not successful
IoDeleteDevice(pDeviceObject);
ExFreePool(BufDriverString);
ExFreePool(BufDeviceString);
ExFreePool(BufProcessEventString);
ExFreePool(BufThreadEventString);
if (reg)
ZwClose(reg);
return ntStatus;
}
#endif
}
//when loaded by dbvm driver object is 'valid' so store the function addresses
DbgPrint("DriverObject=%p\n", DriverObject);
// Load structure to point to IRP handlers...
DriverObject->DriverUnload = UnloadDriver;
DriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
if (loadedbydbvm)
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = (PDRIVER_DISPATCH)DispatchIoctlDBVM;
else
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl;
//Processlist init
#ifndef CETC
ProcessEventCount=0;
KeInitializeSpinLock(&ProcesslistSL);
#endif
CreateProcessNotifyRoutineEnabled=FALSE;
//threadlist init
ThreadEventCount=0;
BufferSize=0;
processlist=NULL;
#ifndef AMD64
//determine if PAE is used
cr4reg=(ULONG)getCR4();
if ((cr4reg & 0x20)==0x20)
{
PTESize=8; //pae
PAGE_SIZE_LARGE=0x200000;
MAX_PDE_POS=0xC0604000;
MAX_PTE_POS=0xC07FFFF8;
}
else
{
PTESize=4;
PAGE_SIZE_LARGE=0x400000;
MAX_PDE_POS=0xC0301000;
MAX_PTE_POS=0xC03FFFFC;
}
#else
PTESize=8; //pae
PAGE_SIZE_LARGE=0x200000;
MAX_PTE_POS=0xFFFFF6FFFFFFFFF8ULL;
MAX_PDE_POS=0xFFFFF6FB7FFFFFF8ULL;
#endif
#ifdef CETC
DbgPrint("Going to initialice CETC\n");
InitializeCETC();
#endif
//hideme(DriverObject); //ok, for those that see this, enabling this WILL f**k up try except routines, even in usermode you'll get a blue sreen
DbgPrint("Initializing debugger\n");
debugger_initialize();
// Return success (don't do the devicestring, I need it for unload)
DbgPrint("Cleaning up initialization buffers\n");
if (BufDriverString)
{
ExFreePool(BufDriverString);
BufDriverString=NULL;
}
if (BufProcessEventString)
{
ExFreePool(BufProcessEventString);
BufProcessEventString=NULL;
}
if (BufThreadEventString)
{
ExFreePool(BufThreadEventString);
BufThreadEventString=NULL;
}
if (reg)
{
ZwClose(reg);
reg=0;
}
//fetch cpu info
{
DWORD r[4];
DWORD a;
__cpuid(r,0);
DbgPrint("cpuid.0: r[1]=%x", r[1]);
if (r[1]==0x756e6547) //GenuineIntel
{
__cpuid(r,1);
a=r[0];
cpu_stepping=a & 0xf;
cpu_model=(a >> 4) & 0xf;
cpu_familyID=(a >> 8) & 0xf;
cpu_type=(a >> 12) & 0x3;
cpu_ext_modelID=(a >> 16) & 0xf;
cpu_ext_familyID=(a >> 20) & 0xff;
cpu_model=cpu_model + (cpu_ext_modelID << 4);
cpu_familyID=cpu_familyID + (cpu_ext_familyID << 4);
if ((r[2]<<9) & 1)
{
DbgPrint("Intel cpu. IA32_FEATURE_CONTROL MSR=%x", readMSR(0x3a));
}
else
{
DbgPrint("Intel cpu without IA32_FEATURE_CONTROL MSR");
}
vmx_init_dovmcall(1);
setup_APIC_BASE(); //for ultimap
}
else
{
static VOID WINAPI DosStart(LPWORD Stack)
{
BOOLEAN Success;
DWORD Result;
#ifndef STANDALONE
INT i;
#endif
DPRINT("DosStart\n");
/*
* We succeeded, deregister the DOS Starting BOP
* so that no app will be able to call us back.
*/
RegisterBop(BOP_START_DOS, NULL);
/* Initialize the callback context */
InitializeContext(&DosContext, BIOS_CODE_SEGMENT, 0x0010);
Success = DosBIOSInitialize();
// Success &= DosKRNLInitialize();
if (!Success)
{
BiosDisplayMessage("DOS32 loading failed (Error: %u). The VDM will shut down.\n", GetLastError());
EmulatorTerminate();
return;
}
/* Load the mouse driver */
DosMouseInitialize();
#ifndef STANDALONE
/* Parse the command line arguments */
for (i = 1; i < NtVdmArgc; i++)
{
if (wcsncmp(NtVdmArgv[i], L"-i", 2) == 0)
{
/* This is the session ID (hex format) */
SessionId = wcstoul(NtVdmArgv[i] + 2, NULL, 16);
}
}
/* Initialize Win32-VDM environment */
Env = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, EnvSize);
if (Env == NULL)
{
DosDisplayMessage("Failed to initialize the global environment (Error: %u). The VDM will shut down.\n", GetLastError());
EmulatorTerminate();
return;
}
/* Clear the structure */
RtlZeroMemory(&CommandInfo, sizeof(CommandInfo));
/* Get the initial information */
CommandInfo.TaskId = SessionId;
CommandInfo.VDMState = VDM_GET_FIRST_COMMAND | VDM_FLAG_DOS;
GetNextVDMCommand(&CommandInfo);
#else
/* Retrieve the command to start */
if (NtVdmArgc >= 2)
{
WideCharToMultiByte(CP_ACP, 0, NtVdmArgv[1], -1, AppName, sizeof(AppName), NULL, NULL);
if (NtVdmArgc >= 3)
WideCharToMultiByte(CP_ACP, 0, NtVdmArgv[2], -1, CmdLine, sizeof(CmdLine), NULL, NULL);
else
strcpy(CmdLine, "");
}
else
{
DosDisplayMessage("Invalid DOS command line\n");
EmulatorTerminate();
return;
}
#endif
/*
* At this point, CS:IP points to the DOS BIOS exit code. If the
* root command interpreter fails to start (or if it exits), DOS
* exits and the VDM terminates.
*/
/* Start the root command interpreter */
// TODO: Really interpret the 'SHELL=' line of CONFIG.NT, and use it!
/*
* Prepare the stack for DosStartComSpec:
* push Flags, CS and IP, and an extra WORD.
*/
setSP(getSP() - sizeof(WORD));
*((LPWORD)SEG_OFF_TO_PTR(getSS(), getSP())) = (WORD)getEFLAGS();
setSP(getSP() - sizeof(WORD));
*((LPWORD)SEG_OFF_TO_PTR(getSS(), getSP())) = getCS();
setSP(getSP() - sizeof(WORD));
*((LPWORD)SEG_OFF_TO_PTR(getSS(), getSP())) = getIP();
setSP(getSP() - sizeof(WORD));
Result = DosStartComSpec(TRUE, SEG_OFF_TO_PTR(SYSTEM_ENV_BLOCK, 0),
MAKELONG(getIP(), getCS()),
#ifndef STANDALONE
&RootCmd.ComSpecPsp
#else
NULL
#endif
);
if (Result != ERROR_SUCCESS)
{
/* Unprepare the stack for DosStartComSpec */
setSP(getSP() + 4*sizeof(WORD));
DosDisplayMessage("Failed to start the Command Interpreter (Error: %u). The VDM will shut down.\n", Result);
EmulatorTerminate();
return;
}
#ifndef STANDALONE
RootCmd.Terminated = FALSE;
InsertComSpecInfo(&RootCmd);
#endif
/**/
/* Attach to the console and resume the VM */
DosProcessConsoleAttach();
EmulatorResume();
/**/
return;
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath)
/*++
Routine Description:
This routine is called when the driver is loaded by NT.
Arguments:
DriverObject - Pointer to driver object created by system.
RegistryPath - Pointer to the name of the services node for this driver.
Return Value:
The function value is the final status from the initialization operation.
--*/
{
NTSTATUS ntStatus;
PVOID BufDriverString=NULL,BufProcessEventString=NULL,BufThreadEventString=NULL;
UNICODE_STRING uszDriverString;
UNICODE_STRING uszProcessEventString;
UNICODE_STRING uszThreadEventString;
PDEVICE_OBJECT pDeviceObject;
HANDLE reg=0;
OBJECT_ATTRIBUTES oa;
UNICODE_STRING temp;
char wbuf[100];
WORD this_cs, this_ss, this_ds, this_es, this_fs, this_gs;
ULONG cr4reg;
criticalSection csTest;
DbgPrint("I'm alive!\n");
//DbgPrint("%S",oa.ObjectName.Buffer);
KernelCodeStepping=0;
this_cs=getCS();
this_ss=getSS();
this_ds=getDS();
this_es=getES();
this_fs=getFS();
this_gs=getGS();
#ifdef AMD64
DbgPrint("cs=%x ss=%x ds=%x es=%x fs=%x gs=%x\n",getCS(), getSS(), getDS(), getES(), getFS(), getGS());
DbgPrint("fsbase=%llx gsbase=%llx gskernel=%llx\n", readMSR(0xc0000100), readMSR(0xc0000101), readMSR(0xc0000102));
DbgPrint("rbp=%llx\n", getRBP());
DbgPrint("gs:188=%llx\n", __readgsqword(0x188));
DbgPrint("current csr=%x\n", _mm_getcsr());
#endif
DbgPrint("Test critical section routines\n");
RtlZeroMemory(&csTest,sizeof(criticalSection));
DbgPrint("csTest.locked=%d\n",csTest.locked);
csEnter(&csTest);
DbgPrint("After enter\n");
DbgPrint("csTest.locked=%d\n",csTest.locked);
csLeave(&csTest);
DbgPrint("After leave\n");
DbgPrint("csTest.locked=%d\n",csTest.locked);
//lame antiviruses and more lamer users that keep crying rootkit virus....
temp.Buffer=(PWCH)wbuf;
temp.Length=0;
temp.MaximumLength=100;
RtlAppendUnicodeToString(&temp, L"Ke"); //KeServiceDescriptorTable
RtlAppendUnicodeToString(&temp, L"Service");
RtlAppendUnicodeToString(&temp, L"Descriptor");
RtlAppendUnicodeToString(&temp, L"Table");
KeServiceDescriptorTable=MmGetSystemRoutineAddress(&temp);
DbgPrint("Loading driver\n");
if (RegistryPath)
{
DbgPrint("Registry path = %S\n", RegistryPath->Buffer);
InitializeObjectAttributes(&oa,RegistryPath,OBJ_KERNEL_HANDLE ,NULL,NULL);
ntStatus=ZwOpenKey(®,KEY_QUERY_VALUE,&oa);
if (ntStatus == STATUS_SUCCESS)
{
UNICODE_STRING A,B,C,D;
PKEY_VALUE_PARTIAL_INFORMATION bufA,bufB,bufC,bufD;
ULONG ActualSize;
DbgPrint("Opened the key\n");
BufDriverString=ExAllocatePool(PagedPool,sizeof(KEY_VALUE_PARTIAL_INFORMATION)+100);
BufDeviceString=ExAllocatePool(PagedPool,sizeof(KEY_VALUE_PARTIAL_INFORMATION)+100);
BufProcessEventString=ExAllocatePool(PagedPool,sizeof(KEY_VALUE_PARTIAL_INFORMATION)+100);
BufThreadEventString=ExAllocatePool(PagedPool,sizeof(KEY_VALUE_PARTIAL_INFORMATION)+100);
bufA=BufDriverString;
bufB=BufDeviceString;
bufC=BufProcessEventString;
bufD=BufThreadEventString;
RtlInitUnicodeString(&A, L"A");
RtlInitUnicodeString(&B, L"B");
RtlInitUnicodeString(&C, L"C");
RtlInitUnicodeString(&D, L"D");
if (ntStatus == STATUS_SUCCESS)
ntStatus=ZwQueryValueKey(reg,&A,KeyValuePartialInformation ,bufA,sizeof(KEY_VALUE_PARTIAL_INFORMATION)+100,&ActualSize);
if (ntStatus == STATUS_SUCCESS)
ntStatus=ZwQueryValueKey(reg,&B,KeyValuePartialInformation ,bufB,sizeof(KEY_VALUE_PARTIAL_INFORMATION)+100,&ActualSize);
if (ntStatus == STATUS_SUCCESS)
ntStatus=ZwQueryValueKey(reg,&C,KeyValuePartialInformation ,bufC,sizeof(KEY_VALUE_PARTIAL_INFORMATION)+100,&ActualSize);
if (ntStatus == STATUS_SUCCESS)
ntStatus=ZwQueryValueKey(reg,&D,KeyValuePartialInformation ,bufD,sizeof(KEY_VALUE_PARTIAL_INFORMATION)+100,&ActualSize);
if (ntStatus == STATUS_SUCCESS)
{
DbgPrint("Read ok\n");
RtlInitUnicodeString(&uszDriverString,(PCWSTR) bufA->Data);
RtlInitUnicodeString(&uszDeviceString,(PCWSTR) bufB->Data);
RtlInitUnicodeString(&uszProcessEventString,(PCWSTR) bufC->Data);
RtlInitUnicodeString(&uszThreadEventString,(PCWSTR) bufD->Data);
DbgPrint("DriverString=%S\n",uszDriverString.Buffer);
DbgPrint("DeviceString=%S\n",uszDeviceString.Buffer);
DbgPrint("ProcessEventString=%S\n",uszProcessEventString.Buffer);
DbgPrint("ThreadEventString=%S\n",uszThreadEventString.Buffer);
}
else
{
ExFreePool(bufA);
ExFreePool(bufB);
ExFreePool(bufC);
ExFreePool(bufD);
DbgPrint("Failed reading the value\n");
ZwClose(reg);
return STATUS_UNSUCCESSFUL;;
}
}
else
{
DbgPrint("Failed opening the key\n");
return STATUS_UNSUCCESSFUL;;
}
}
else
loadedbydbvm=TRUE;
ntStatus = STATUS_SUCCESS;
if (!loadedbydbvm)
{
// Point uszDriverString at the driver name
#ifndef CETC
// Create and initialize device object
ntStatus = IoCreateDevice(DriverObject,
0,
&uszDriverString,
FILE_DEVICE_UNKNOWN,
0,
FALSE,
&pDeviceObject);
if(ntStatus != STATUS_SUCCESS)
{
DbgPrint("IoCreateDevice failed\n");
ExFreePool(BufDriverString);
ExFreePool(BufDeviceString);
ExFreePool(BufProcessEventString);
ExFreePool(BufThreadEventString);
if (reg)
ZwClose(reg);
return ntStatus;
}
// Point uszDeviceString at the device name
// Create symbolic link to the user-visible name
ntStatus = IoCreateSymbolicLink(&uszDeviceString, &uszDriverString);
if(ntStatus != STATUS_SUCCESS)
{
DbgPrint("IoCreateSymbolicLink failed: %x\n",ntStatus);
// Delete device object if not successful
IoDeleteDevice(pDeviceObject);
ExFreePool(BufDriverString);
ExFreePool(BufDeviceString);
ExFreePool(BufProcessEventString);
ExFreePool(BufThreadEventString);
if (reg)
ZwClose(reg);
return ntStatus;
}
#endif
}
//when loaded by dbvm driver object is 'valid' so store the function addresses
DbgPrint("DriverObject=%p\n", DriverObject);
// Load structure to point to IRP handlers...
DriverObject->DriverUnload = UnloadDriver;
DriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
if (loadedbydbvm)
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = (PDRIVER_DISPATCH)DispatchIoctlDBVM;
else
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl;
//Processlist init
#ifndef CETC
ProcessEventCount=0;
KeInitializeSpinLock(&ProcesslistSL);
#endif
CreateProcessNotifyRoutineEnabled=FALSE;
//threadlist init
ThreadEventCount=0;
BufferSize=0;
processlist=NULL;
#ifndef AMD64
//determine if PAE is used
cr4reg=(ULONG)getCR4();
if ((cr4reg & 0x20)==0x20)
{
PTESize=8; //pae
PAGE_SIZE_LARGE=0x200000;
MAX_PDE_POS=0xC0604000;
MAX_PTE_POS=0xC07FFFF8;
}
else
{
PTESize=4;
PAGE_SIZE_LARGE=0x400000;
MAX_PDE_POS=0xC0301000;
MAX_PTE_POS=0xC03FFFFC;
}
#else
PTESize=8; //pae
PAGE_SIZE_LARGE=0x200000;
MAX_PTE_POS=0xFFFFF6FFFFFFFFF8ULL;
MAX_PDE_POS=0xFFFFF6FB7FFFFFF8ULL;
#endif
#ifdef CETC
DbgPrint("Going to initialice CETC\n");
InitializeCETC();
#endif
//hideme(DriverObject); //ok, for those that see this, enabling this WILL f**k up try except routines, even in usermode you'll get a blue sreen
DbgPrint("Initializing debugger\n");
debugger_initialize();
// Return success (don't do the devicestring, I need it for unload)
DbgPrint("Cleaning up initialization buffers\n");
if (BufDriverString)
{
ExFreePool(BufDriverString);
BufDriverString=NULL;
}
if (BufProcessEventString)
{
ExFreePool(BufProcessEventString);
BufProcessEventString=NULL;
}
if (BufThreadEventString)
{
ExFreePool(BufThreadEventString);
BufThreadEventString=NULL;
}
if (reg)
{
ZwClose(reg);
reg=0;
}
//fetch cpu info
{
DWORD r[4];
DWORD a;
__cpuid(r,1);
a=r[0];
cpu_stepping=a & 0xf;
cpu_model=(a >> 4) & 0xf;
cpu_familyID=(a >> 8) & 0xf;
cpu_type=(a >> 12) & 0x3;
cpu_ext_modelID=(a >> 16) & 0xf;
cpu_ext_familyID=(a >> 20) & 0xff;
cpu_model=cpu_model + (cpu_ext_modelID << 4);
cpu_familyID=cpu_familyID + (cpu_ext_familyID << 4);
}
{
APIC y;
DebugStackState x;
DbgPrint("offset of LBR_Count=%d\n", (UINT_PTR)&x.LBR_Count-(UINT_PTR)&x);
DbgPrint("Testing forEachCpu(...)\n");
forEachCpu(TestDPC, NULL, NULL, NULL);
forEachCpuPassive(TestPassive, 0);
DbgPrint("LVT_Performance_Monitor=%x\n", (UINT_PTR)&y.LVT_Performance_Monitor-(UINT_PTR)&y);
}
return STATUS_SUCCESS;
}
VOID cmdCreateProcess ( VOID )
{
VDMINFO VDMInfoForCount;
STARTUPINFO StartupInfo;
PROCESS_INFORMATION ProcessInformation;
HANDLE hStd16In,hStd16Out,hStd16Err;
CHAR CurDirVar [] = "=?:";
CHAR Buffer [MAX_DIR];
CHAR *CurDir = Buffer;
DWORD dwRet;
BOOL Status;
NTSTATUS NtStatus;
UNICODE_STRING Unicode;
OEM_STRING OemString;
LPVOID lpNewEnv=NULL;
PSTD_HANDLES pStdHandles;
ANSI_STRING Env_A;
// we have one more 32 executable active
Exe32ActiveCount++;
// Increment the Re-enterancy count for the VDM
VDMInfoForCount.VDMState = INCREMENT_REENTER_COUNT;
GetNextVDMCommand (&VDMInfoForCount);
RtlZeroMemory((PVOID)&StartupInfo,sizeof(STARTUPINFO));
StartupInfo.cb = sizeof(STARTUPINFO);
CurDirVar [1] = chDefaultDrive;
dwRet = GetEnvironmentVariable (CurDirVar,Buffer,MAX_DIR);
if (dwRet == 0 || dwRet == MAX_DIR)
CurDir = NULL;
pStdHandles = (PSTD_HANDLES) GetVDMAddr (getSS(), getBP());
if ((hStd16In = (HANDLE) FETCHDWORD(pStdHandles->hStdIn)) != (HANDLE)-1)
SetStdHandle (STD_INPUT_HANDLE, hStd16In);
if ((hStd16Out = (HANDLE) FETCHDWORD(pStdHandles->hStdOut)) != (HANDLE)-1)
SetStdHandle (STD_OUTPUT_HANDLE, hStd16Out);
if ((hStd16Err = (HANDLE) FETCHDWORD(pStdHandles->hStdErr)) != (HANDLE)-1)
SetStdHandle (STD_ERROR_HANDLE, hStd16Err);
/*
* Warning, pEnv32 currently points to an ansi environment.
* The DOS is using an ANSI env which isn't quite correct.
* If the DOS is changed to use an OEM env then we will
* have to convert the env back to ansi before spawning
* non-dos exes ?!?
* 16-Jan-1993 Jonle
*/
Env_A.Buffer = NULL;
RtlInitString((PSTRING)&OemString, pCommand32);
NtStatus = RtlOemStringToUnicodeString(&Unicode,&OemString,TRUE);
if (NT_SUCCESS(NtStatus)) {
NtStatus = RtlUnicodeStringToAnsiString((PANSI_STRING)&OemString, &Unicode, FALSE);
RtlFreeUnicodeString( &Unicode );
}
if (!NT_SUCCESS(NtStatus)) {
SetLastError(RtlNtStatusToDosError(NtStatus));
Status = FALSE;
}
else {
if (pEnv32 != NULL && !cmdXformEnvironment (pEnv32, &Env_A)) {
SetLastError(ERROR_NOT_ENOUGH_MEMORY);
Status = FALSE;
}
else {
Status = CreateProcess (
NULL,
(LPTSTR)pCommand32,
NULL,
NULL,
TRUE,
CREATE_SUSPENDED | CREATE_DEFAULT_ERROR_MODE,
Env_A.Buffer,
(LPTSTR)CurDir,
&StartupInfo,
&ProcessInformation);
}
}
if (Status == FALSE)
dwExitCode32 = GetLastError ();
if (hStd16In != (HANDLE)-1)
SetStdHandle (STD_INPUT_HANDLE, SCS_hStdIn);
if (hStd16Out != (HANDLE)-1)
SetStdHandle (STD_OUTPUT_HANDLE, SCS_hStdOut);
if (hStd16Err != (HANDLE)-1)
SetStdHandle (STD_ERROR_HANDLE, SCS_hStdErr);
if (Status) {
ResumeThread (ProcessInformation.hThread);
WaitForSingleObject(ProcessInformation.hProcess, (DWORD)-1);
GetExitCodeProcess (ProcessInformation.hProcess, &dwExitCode32);
CloseHandle (ProcessInformation.hProcess);
CloseHandle (ProcessInformation.hThread);
}
if (Env_A.Buffer)
RtlFreeAnsiString(&Env_A);
// Decrement the Re-enterancy count for the VDM
VDMInfoForCount.VDMState = DECREMENT_REENTER_COUNT;
GetNextVDMCommand (&VDMInfoForCount);
// one less 32 executable active
Exe32ActiveCount--;
// Kill this thread
ExitThread (0);
}
