//-----------------------------------------------------------------------------
// Name: StartMonitoring
// Object: start monitoring process, create fifo
// Parameters :
// in :
// out :
// return :
//-----------------------------------------------------------------------------
NTSTATUS StartMonitoring()
{
NTSTATUS ntStatus;
// check if monitoring is already started
if (g_bMonotoringStarted)
return STATUS_SUCCESS;
// initialize FIFO
if (g_pFIFOProcess)
// delete FIFO
KernelFIFODelete(g_pFIFOProcess);
g_pFIFOProcess=KernelFIFONew(sizeof(PROCESS_CALLBACK_INFO));
if (!g_pFIFOProcess)
{
KernelDebugPrint((" ProcMon : PROCESS FIFO ALLOCATION ERROR"));
return STATUS_UNSUCCESSFUL;
}
// initialize unlock event
KeInitializeEvent(&hevt_g_PendingIrpUnlocked,SynchronizationEvent,TRUE);
// call the kernel function to enable process spying
ntStatus=PsSetCreateProcessNotifyRoutine(ProcessCallback, FALSE);
if(ntStatus == STATUS_SUCCESS)
g_bMonotoringStarted=TRUE;
return ntStatus;
}
void DriverUnload(PDRIVER_OBJECT DriverObject)
{
DbgPrint("==> DrvUnload\n");
UNICODE_STRING DeviceName, DosDeviceName;
PDEVICE_OBJECT DeviceObject = NULL;
// Unhook NtMapViewOfSection
UnHookNtMapViewOfSection();
// 等待所有函数退出
while(g_HookCounter)
{
LARGE_INTEGER interval;
interval.QuadPart = -10 * 1000 * 1000;
KeDelayExecutionThread(KernelMode, FALSE, &interval);
}
// 取消进程回调
PsSetCreateProcessNotifyRoutine(OnProcessQuit, TRUE);
RtlInitUnicodeString(&DeviceName, DEVICE_NAME);
RtlInitUnicodeString(&DosDeviceName, DOS_NAME);
// 删除 Symbolic Link
if (STATUS_SUCCESS != IoDeleteSymbolicLink(&DosDeviceName)) {
KdPrint(("[E] Failed: IoDeleteSymbolicLink\n"));
}
// 删除 Device
::IoDeleteDevice(DriverObject->DeviceObject);
DbgPrint("<== DrvUnload\n");
}
void DriverExampleUnload(IN PDRIVER_OBJECT DriverObject)
{
if(init)
PsSetCreateProcessNotifyRoutine(NotifyRoutine, TRUE);
init = FALSE;
DbgPrint("Goodbye from DriverExample!\n");
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
unsigned i;
init = FALSE;
for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
DriverObject->MajorFunction[i] = DriverExampleDefaultHandler;
DriverObject->MajorFunction[IRP_MJ_CREATE] = DriverExampleCreateClose;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = DriverExampleCreateClose;
DriverObject->MajorFunction[IRP_MJ_PNP] = DriverExamplePnP;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DriverExampleDispatchIoctl;
DriverObject->DriverUnload = DriverExampleUnload;
DriverObject->DriverStartIo = NULL;
DriverObject->DriverExtension->AddDevice = DriverExampleAddDevice;
//создаем нотифаер на создание нового процесса в системе
PsSetCreateProcessNotifyRoutine(NotifyRoutine, FALSE);
init = TRUE;
DbgPrint("Driver Start!\n");
return STATUS_SUCCESS;
}
//
// IOCTL handler for setting the callback
//
NTSTATUS ActivateMonitoringHanlder(
IN PIRP Irp
)
{
NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;
PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation(Irp);
PACTIVATE_INFO pActivateInfo;
if (irpStack->Parameters.DeviceIoControl.InputBufferLength >=
sizeof(ACTIVATE_INFO))
{
pActivateInfo = Irp->AssociatedIrp.SystemBuffer;
if (g_ActivateInfo.bActivated != pActivateInfo->bActivated)
{
if (pActivateInfo->bActivated)
{
//
// Set up callback routines
//
ntStatus = PsSetCreateProcessNotifyRoutine(ProcessCallback, FALSE);
if (ntStatus != STATUS_SUCCESS)
{
return ntStatus;
}
//
// Setup the global data structure
//
g_ActivateInfo.bActivated = pActivateInfo->bActivated;
} // if
else
{
//
// restore the call back routine, thus givinig chance to the
// user mode application to unload dynamically the driver
//
ntStatus = PsSetCreateProcessNotifyRoutine(ProcessCallback, TRUE);
if (ntStatus != STATUS_SUCCESS)
return ntStatus;
else
g_ActivateInfo.bActivated = FALSE;
}
ntStatus = STATUS_SUCCESS;
} // if
} // if
return ntStatus;
}
VOID
PushUnload( DRIVER_OBJECT* DriverObject )
{
UNICODE_STRING DeviceLinkU;
NTSTATUS ntStatus;
PMAPINFO pMapInfo;
PSINGLE_LIST_ENTRY pLink;
DbgPrint("[Push] => (PushUnload)");
RdUnload(DriverObject);
//free resources
pLink=PopEntryList(&lstMapInfo);
while(pLink)
{
pMapInfo=CONTAINING_RECORD(pLink, MAPINFO, link);
MmUnmapLockedPages(pMapInfo->pvu, pMapInfo->pMdl);
IoFreeMdl(pMapInfo->pMdl);
MmUnmapIoSpace(pMapInfo->pvk, pMapInfo->memSize);
ExFreePool(pMapInfo);
pLink=PopEntryList(&lstMapInfo);
}
//
// By default the I/O device is configured incorrectly or the
// configuration parameters to the driver are incorrect.
//
ntStatus = STATUS_DEVICE_CONFIGURATION_ERROR;
//
// restore the call back routine, thus givinig chance to the
// user mode application to unload dynamically the driver
//
ntStatus = PsSetCreateProcessNotifyRoutine(ProcessCallback, TRUE);
IoDeleteDevice(DriverObject->DeviceObject);
RtlInitUnicodeString(&DeviceLinkU, PUSH_SYMLINK_NAME);
ntStatus=IoDeleteSymbolicLink(&DeviceLinkU);
if (NT_SUCCESS(ntStatus))
{
IoDeleteDevice(DriverObject->DeviceObject);
}
else
{
DbgPrint("Error: IoDeleteSymbolicLink failed");
}
DbgPrint("[Push] <= (PushUnload)");
}
/**
* Unload the driver. Free all resources.
*/
VOID DrvUnload( IN PDRIVER_OBJECT pstDriverObject )
{
//
// pstDriverObject - Pointer to driver object.
//
UNICODE_STRING usDeviceLink;
dprintf( "VwFirewallDrv.sys: Unloading driver...\n" );
//
// Uninstall Filesystem Api Hooks
//
fsapihook_hook_uninstall();
//
// 结束 RDP 端口读取线程
//
procrdp_thread_readport_terminate();
//
// 卸载防火墙回调函数
//
if ( g_stSysInfo.bFirewallLoaded )
{
if ( NT_SUCCESS( SetFilterFunction( callbackFilterFunction, FALSE ) ) )
{
g_stSysInfo.bFirewallLoaded = FALSE;
}
}
//
// 卸载配置信息
//
procconfig_unload_config();
//
// Remove CreateProcessNotifyRoutine & LoadImageNotifyRoutine
//
PsSetCreateProcessNotifyRoutine( procprocess_CreateProcessNotifyRoutine, TRUE );
PsRemoveLoadImageNotifyRoutine( procprocess_LoadImageNotifyRoutine );
//
// Remove symbolic link
//
RtlInitUnicodeString( &usDeviceLink, DOS_DEVICE_NAME );
IoDeleteSymbolicLink( &usDeviceLink );
//
// Remove the device
//
IoDeleteDevice( pstDriverObject->DeviceObject );
}
void UnloadDriver(IN PDRIVER_OBJECT DriverObject)
{
UNICODE_STRING uszDeviceString;
NTSTATUS ntStatus;
ntStatus = PsSetCreateProcessNotifyRoutine(ProcessCallback, TRUE);
IoDeleteDevice(DriverObject->DeviceObject);
RtlInitUnicodeString(&uszDeviceString, DEVICE_LINK_NAME);
IoDeleteSymbolicLink(&uszDeviceString);
}
NTSTATUS DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
)
{
NTSTATUS ntStatus;
UNICODE_STRING uszDriverString;
UNICODE_STRING uszDeviceString;
UNICODE_STRING uszProcessEventString;
PDEVICE_OBJECT pDeviceObject;
PDEVICE_EXTENSION extension;
RtlInitUnicodeString(&uszDriverString, DEVICE_NAME);
ntStatus = IoCreateDevice(DriverObject,
sizeof(DEVICE_EXTENSION),
&uszDriverString,
FILE_DEVICE_UNKNOWN,
0,
FALSE,
&pDeviceObject);
if(ntStatus != STATUS_SUCCESS)
return ntStatus;
extension = pDeviceObject->DeviceExtension;
RtlInitUnicodeString(&uszDeviceString, DEVICE_LINK_NAME);
ntStatus = IoCreateSymbolicLink(&uszDeviceString, &uszDriverString);
if(ntStatus != STATUS_SUCCESS)
{
IoDeleteDevice(pDeviceObject);
return ntStatus;
}
g_pDeviceObject = pDeviceObject;
DriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchCreateClose;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchCreateClose;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = Dispatch;
DriverObject->DriverUnload = UnloadDriver;
RtlInitUnicodeString(&uszProcessEventString, MONITOR_PROCESS_EVENT);
extension->ProcessEvent = IoCreateNotificationEvent (&uszProcessEventString, &extension->hProcessHandle);
KeClearEvent(extension->ProcessEvent);
ntStatus = PsSetCreateProcessNotifyRoutine(ProcessCallback, FALSE);
return ntStatus;
}
void FasttrapUnload(PDRIVER_OBJECT DrvObj)
{
LARGE_INTEGER tm;
while (fasttrap_unload() != 0) {
tm.QuadPart = UNLOAD_RETRY_DELAY_TIME;
dprintf("fasttrap.sys: Unload failed. Retry in %ds\n", abs(UNLOAD_RETRY_DELAY_TIME)/10000000);
KeDelayExecutionThread(KernelMode, FALSE, &tm);
}
PsSetCreateProcessNotifyRoutine(CreateProcFunc, TRUE);
IoDeleteSymbolicLink(&deviceLink);
IoDeleteDevice(DrvObj->DeviceObject);
}
/*******************************************************************************
*
* 函 数 名 : DriverUnload
* 功能描述 : DriverUnload
* 参数列表 : pDriverObj --
* 说 明 :
* 返回结果 :
*
*******************************************************************************/
VOID DriverUnload(IN PDRIVER_OBJECT pDriverObj)
{
UNICODE_STRING strLink;
PDEVICE_EXTENSION pde = (PDEVICE_EXTENSION)pDriverObj->DeviceObject->DeviceExtension ;
// Unloading - no resources to free so just return.
dprintf("Unloading...\r\n");
//
// TODO: Add uninstall code here.
//
if (pde->bIsSetCreateProcessNotifyRoutine)
{
PsSetCreateProcessNotifyRoutine(CreateProcessNotifyRoutine, TRUE) ;
}
// 如果挂钩了NtOpenProcess
if (pde->bIsHookNtOpenProcess)
{
UnHookNtOpenProcess(pDriverObj->DeviceObject) ;
}
// 如果挂钩了NtQuerySystemInformation
if (pde->bIsHookNtQuerySystemInformation)
{
UnHookNtQuerySystemInformation(pDriverObj->DeviceObject) ;
}
// Delete the symbolic link
if(IoIsWdmVersionAvailable(1,0x10))
{
//如果是支持符号链接用户相关性的系统
RtlInitUnicodeString(&strLink, SYMBOLIC_LINK_GLOBAL_NAME);
}
else
{
//不支持
RtlInitUnicodeString(&strLink, SYMBOLIC_LINK_NAME);
}
IoDeleteSymbolicLink(&strLink);
// Delete the DeviceObject
IoDeleteDevice(pDriverObj->DeviceObject);
ReleaseKernelUserManage() ;
dprintf("Unloaded Success\r\n");
return;
}
VOID DDKUnload (IN PDRIVER_OBJECT pDriverObject)
{
//::KeWaitForSingleObject(&g_DispatchMutex,Executive,KernelMode,FALSE,NULL);
KdPrint(("==> DriverUnload\n"));
// 取消进程回调
PsSetCreateProcessNotifyRoutine(OnProcessQuit, TRUE);
UnHookSSDT();
WriteSysLog(LOG_TYPE_DEBUG,L" FinishH2");
if(pEvent)
ObDereferenceObject(pEvent);
ClearFilterCache();
ClearBlackCache();
WriteSysLog(LOG_TYPE_DEBUG,L" ClearB");
LogUninitialize();
//::KeReleaseMutex(&g_DispatchMutex,FALSE);
while(g_HookCounter>0)
{
LARGE_INTEGER interval;
interval.QuadPart = -10 * 1000 * 1000;
KeDelayExecutionThread(KernelMode, FALSE, &interval);
}
//
PDEVICE_OBJECT pNextObj;
pNextObj = pDriverObject->DeviceObject;
while (pNextObj != NULL)
{
PDEVICE_EXTENSION pDevExt = (PDEVICE_EXTENSION)
pNextObj->DeviceExtension;
//删除符号链接
UNICODE_STRING pLinkName = pDevExt->ustrSymLinkName;
IoDeleteSymbolicLink(&pLinkName);
pNextObj = pNextObj->NextDevice;
IoDeleteDevice( pDevExt->pDevice );
IoUnregisterShutdownNotification(pDevExt->pDevice);
}
KdPrint(("<== DriverUnload\n"));
}
BOOLEAN DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
DbgPrint("==> Driver Entry\n");
NTSTATUS status = STATUS_SUCCESS;
UNICODE_STRING DeviceName, DosDeviceName;
PDEVICE_OBJECT DeviceObject = NULL;
RtlInitUnicodeString(&DeviceName, DEVICE_NAME);
RtlInitUnicodeString(&DosDeviceName, DOS_NAME);
// 创建 Device Object
status = IoCreateDevice(DriverObject, 0, &DeviceName, FILE_DEVICE_UNKNOWN,
FILE_DEVICE_SECURE_OPEN, FALSE, &DeviceObject);
if(!NT_SUCCESS(status))
return STATUS_UNSUCCESSFUL;
// 创建 SymbolicLink
IoCreateSymbolicLink(&DosDeviceName, &DeviceName);
DriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchDeviceControl;
// 初始化硬编码操作,如果失败则拒绝加载驱动
if(InitHardCode() == false)
{
KdPrint(("System Version Unrecognized\n"));
return STATUS_UNSUCCESSFUL;
}
// 注册进程回调函数
PsSetCreateProcessNotifyRoutine(OnProcessQuit, FALSE);
// Hook NtMapViewOfSection
HookNtMapViewOfSection();
//DriverObject->DriverUnload = DriverUnload;
DriverObject->Flags |= DO_BUFFERED_IO;
DriverObject->Flags &= (~DO_DEVICE_INITIALIZING);
DbgPrint("<== Driver Entry\n");
return STATUS_SUCCESS;
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
NTSTATUS status;
DbgPrint("Hello, my little friend, don't be sad");
status = PsSetCreateProcessNotifyRoutine(CreateProcessNotifyRoutine, FALSE);
if (status == STATUS_SUCCESS)
{
DbgPrint("CreateProcessNotifyRoutine have been loaded");
DriverObject->DriverUnload = UnloadRoutine;
}
else
{
DbgPrint("We have problems with loading CreateProcessNotifyRoutine");
}
return STATUS_SUCCESS;
}
NTSTATUS DriverEntry(PDRIVER_OBJECT DrvObj, PUNICODE_STRING RegPath)
{
PDEVICE_OBJECT DevObj = NULL;
NTSTATUS status;
UNREFERENCED_PARAMETER(RegPath);
#if _AMD64_
if (IsDebuggerAttached() == 0) {
DbgPrint("fasttrap.sys : debugger not attached. Load failed\n");
return STATUS_INSUFFICIENT_RESOURCES;
}
#endif
if (IsNtVirtualFunc() == 0) {
dprintf("fasttrap.sys : Nt*VirtualMemory functions not found. Load failed\n");
return STATUS_INSUFFICIENT_RESOURCES;
}
status = IoCreateDevice(DrvObj, 0, &deviceName, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN,
FALSE, &DevObj);
if(!NT_SUCCESS(status)) {
return status;
}
DrvObj->MajorFunction[IRP_MJ_CREATE] = FasttrapOpen;
DrvObj->MajorFunction[IRP_MJ_CLOSE] = FasttrapClose;
DrvObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = FasttrapIoctl;
DrvObj->DriverUnload = FasttrapUnload;
status = IoCreateSymbolicLink (&deviceLink, &deviceName);
if (!NT_SUCCESS(status)) {
IoDeleteDevice( DevObj);
return status;
}
fasttrap_load();
if (PsSetCreateProcessNotifyRoutine(CreateProcFunc, FALSE) != STATUS_SUCCESS) {
dprintf("fasttrap.sys: PsSetCreateProcessNotifyRoutine registrartion failed\n");
return STATUS_INSUFFICIENT_RESOURCES;
}
return status;
}
VOID BBUnload( IN PDRIVER_OBJECT DriverObject )
{
UNICODE_STRING deviceLinkUnicodeString;
// Unregister notification
PsSetCreateProcessNotifyRoutine( BBProcessNotify, TRUE );
// Cleanup physical regions
BBCleanupProcessPhysList();
// Cleanup process mapping info
BBCleanupProcessTable();
RtlUnicodeStringInit( &deviceLinkUnicodeString, DOS_DEVICE_NAME );
IoDeleteSymbolicLink( &deviceLinkUnicodeString );
IoDeleteDevice( DriverObject->DeviceObject );
return;
}
/******************************************************************************
* Driver unload handler *
******************************************************************************/
static VOID DDKAPI
my_unload(PDRIVER_OBJECT DriverObject)
{
ANSI_STRING SymbolicLinkNameA;
UNICODE_STRING SymbolicLinkNameW;
DbgPrint("DriverUnload called\r\n");
PsSetCreateProcessNotifyRoutine(create_process_watcher, TRUE);
PsRemoveLoadImageNotifyRoutine(load_image_watcher);
RtlInitString(&SymbolicLinkNameA, MY_DOSDEVICE_NAME);
RtlAnsiStringToUnicodeString(&SymbolicLinkNameW, &SymbolicLinkNameA, TRUE);
IoDeleteSymbolicLink(&SymbolicLinkNameW);
IoDeleteDevice(DriverObject->DeviceObject);
for (int i = 0; i < ENT_CNT; ++i)
if(g_proc_table[i].pid)
DbgPrint("Registered process stays: %d\r\n", g_proc_table[i].pid);
}
extern "C" NTSTATUS DriverEntry (
IN PDRIVER_OBJECT pDriverObject,
IN PUNICODE_STRING pRegistryPath )
{
NTSTATUS status ;
KdPrint(("==> DriverEntry\n"));
// 注册进程回调函数
PsSetCreateProcessNotifyRoutine(OnProcessQuit, FALSE);
pDriverObject->MajorFunction[IRP_MJ_CREATE] = DDKDispatchRoutine;
pDriverObject->MajorFunction[IRP_MJ_CLOSE] = DDKDispatchRoutine;
pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchDeviceControl;
pDriverObject->MajorFunction[IRP_MJ_POWER] = DDKPower;
pDriverObject->MajorFunction[IRP_MJ_SHUTDOWN] = DDKPower;
status = CreateDevice(pDriverObject);
::KeInitializeMutex(&g_DispatchMutex,0);
getProcessNameOffset();
InitializeFilterGoEvent();
if(false == initializeLog())
return STATUS_UNSUCCESSFUL;
if(false == InitHardCode())
{
KdPrint(("init OS is error!\n"));
return STATUS_UNSUCCESSFUL;
}
HookSSDT();
initialMutex();//whiteTable
initialMutexB();//blackTable
initialMutexAddPID();
KdPrint(("<== DriverEntry\n"));
return status;
}
NTSTATUS kkll_m_notify_remove_process(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer)
{
NTSTATUS status = STATUS_INVALID_HANDLE;
UNICODE_STRING uString;
if(bufferIn && (szBufferIn == sizeof(PCREATE_PROCESS_NOTIFY_ROUTINE)))
{
status = PsSetCreateProcessNotifyRoutine(*(PCREATE_PROCESS_NOTIFY_ROUTINE *) bufferIn, TRUE);
if(!NT_SUCCESS(status) && pPsSetCreateProcessNotifyRoutineEx)
status = pPsSetCreateProcessNotifyRoutineEx(*(PCREATE_PROCESS_NOTIFY_ROUTINE_EX *) bufferIn, TRUE);
if(NT_SUCCESS(status))
{
status = kprintf(outBuffer, L"Removed : ");
if(NT_SUCCESS(status))
status = kkll_m_modules_fromAddr(outBuffer, *(PVOID *) bufferIn);
}
}
return status;
}
//-----------------------------------------------------------------------------
// Name: StopMonitoring
// Object: stop monitoring process, destroy fifo
// Parameters :
// in :
// out :
// return :
//-----------------------------------------------------------------------------
NTSTATUS StopMonitoring()
{
NTSTATUS ntStatus;
// check if monitoring is already stopped
if (!g_bMonotoringStarted)
return STATUS_SUCCESS;
if (g_pFIFOProcess)
{
// delete FIFO
KernelFIFODelete(g_pFIFOProcess);
g_pFIFOProcess=NULL;
}
// call the kernel function to disable process spying
ntStatus=PsSetCreateProcessNotifyRoutine(ProcessCallback, TRUE);
if(ntStatus == STATUS_SUCCESS)
g_bMonotoringStarted=FALSE;
return ntStatus;
}
//=======================================================================================
//===== Функция Выгрузки Драйвера
//=======================================================================================
NTSTATUS MyDriverUnload(IN PDRIVER_OBJECT DriverObject)
{
UNICODE_STRING LinkString;
//PsTerminateSystemThread(STATUS_SUCCESS);
//сносим евент
//eve//ZwClose(ghProcessHandle);
ZwClose(ghProcessHandle);
//снимает нотифаер на создание процесса в системе (если же он конечно создан)
if(gInited)PsSetCreateProcessNotifyRoutine(NotifyRoutine, TRUE);
DbgPrint(" >MegaDriver: UnloadDriver");
//Юникодим имя симлики
RtlInitUnicodeString(&LinkString, L"\\DosDevices\\MegaDriver");
//удаляем симлинк
IoDeleteSymbolicLink(&LinkString);
//удаляем девайс
IoDeleteDevice(DriverObject->DeviceObject);
return STATUS_SUCCESS;
}
//
// Driver unload routine
//
void UnloadDriver(
IN PDRIVER_OBJECT DriverObject
)
{
UNICODE_STRING uszDeviceString;
//
// By default the I/O device is configured incorrectly or the
// configuration parameters to the driver are incorrect.
//
NTSTATUS ntStatus = STATUS_DEVICE_CONFIGURATION_ERROR;
if (g_ActivateInfo.bActivated)
//
// restore the call back routine, thus givinig chance to the
// user mode application to unload dynamically the driver
//
ntStatus = PsSetCreateProcessNotifyRoutine(ProcessCallback, TRUE);
IoDeleteDevice(DriverObject->DeviceObject);
RtlInitUnicodeString(&uszDeviceString, L"\\DosDevices\\ProcObsrv");
IoDeleteSymbolicLink(&uszDeviceString);
}
NTSTATUS
DriverEntry (
PDRIVER_OBJECT DriverObject,
PUNICODE_STRING RegistryPath
)
{
NTSTATUS status;
HANDLE event;
BOOLEAN clean = FALSE;
PDEVICE_OBJECT devobj;
ULONG maver, miver, phase;
UNICODE_STRING dn;
OBJECT_ATTRIBUTES oa;
RtlInitUnicodeString(&dn, MU_EVENTNAME_BOOTSYNC);
InitializeObjectAttributes(&oa,
&dn,
OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
NULL,
NULL);
status = ZwOpenEvent(&event,
EVENT_ALL_ACCESS,
&oa);
if (NT_SUCCESS(status))
{
ZwSetEvent(event, NULL);
ZwClose(event);
}
RtlInitUnicodeString(&dn, MU_DEVNAME_HOST_CONTROL);
phase = PHASE_CREATE_DEVICE;
status = IoCreateDevice(DriverObject,
0,
&dn,
FILE_DEVICE_UNKNOWN,
0,
FALSE,
&devobj);
if (NT_SUCCESS(status))
{
PsGetVersion(&maver, &miver, NULL, NULL);
OsVersion = (maver << 16) | miver;
OsVersion |= MmIsThisAnNtAsSystem() ? 0x80000000 : 0;
phase = PHASE_CHECK_OS_VERSION;
switch (OsVersion)
{
case VER_WINXP:
case VER_WIN2K3:
case VER_WIN7:
break;
case VER_WIN2K8R2:
case VER_WIN2K8:
case VER_VISTA:
//break;
default:
goto MuDriverEntry_Failure;
}
MuInitializeGlobalData(&g_GlobalData);
phase = PHASE_LOAD_DATABASE;
status = MuLoadDatabase(&g_GlobalData);
if (!NT_SUCCESS(status))
goto MuDriverEntry_Failure;
phase = PHASE_INIT_KERNEL_HOOK;
status = MuInitializeKernelHook(&g_GlobalData);
if (!NT_SUCCESS(status))
goto MuDriverEntry_Failure;
phase = PHASE_SET_NOTIFY;
status = PsSetCreateProcessNotifyRoutine(MuCreateProcessNotify, FALSE);
if (!NT_SUCCESS(status))
goto MuDriverEntry_Failure;
clean = TRUE;
phase = PHASE_INIT_HELPER;
status = MuInitializeUserModeHelper(&g_GlobalData);
if (!NT_SUCCESS(status))
goto MuDriverEntry_Failure;
DriverObject->MajorFunction[IRP_MJ_CREATE] = MuDispatchCreateClose;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = MuDispatchCreateClose;
DriverObject->MajorFunction[IRP_MJ_POWER] = MuDispatchPower;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = MuDispatchDeviceControl;
goto MuDriverEntry_End;
MuDriverEntry_Failure:
if (clean)
PsSetCreateProcessNotifyRoutine(MuCreateProcessNotify, TRUE);
IoDeleteDevice(devobj);
}
MuDriverEntry_End:
RegistryPath->Buffer[RegistryPath->Length / sizeof(WCHAR)] = 0;
if (NT_SUCCESS(status))
MuDeleteRegistryValue(RegistryPath->Buffer, MU_REGVAL_LAST_ERROR);
else
MuSetErrorCode(RegistryPath, phase, status);
if (phase > PHASE_INIT_KERNEL_HOOK)
return STATUS_SUCCESS;
return status;
}
NTSTATUS
DriverEntry (
_In_ PDRIVER_OBJECT DriverObject,
_In_ PUNICODE_STRING RegistryPath
)
/*++
Routine Description:
This routine is called when a driver first loads. Its purpose is to
initialize global state and then register with FltMgr to start filtering.
Arguments:
DriverObject - Pointer to driver object created by the system to
represent this driver.
RegistryPath - Unicode string identifying where the parameters for this
driver are located in the registry.
Return Value:
Status of the operation.
--*/
{
PSECURITY_DESCRIPTOR sd;
OBJECT_ATTRIBUTES oa;
UNICODE_STRING uniString;
NTSTATUS status = STATUS_SUCCESS;
try {
//
// Initialize global data structures.
//
MiniSpyData.LogSequenceNumber = 0;
MiniSpyData.MaxRecordsToAllocate = DEFAULT_MAX_RECORDS_TO_ALLOCATE;
MiniSpyData.RecordsAllocated = 0;
MiniSpyData.NameQueryMethod = DEFAULT_NAME_QUERY_METHOD;
MiniSpyData.DriverObject = DriverObject;
InitializeListHead( &MiniSpyData.OutputBufferList );
KeInitializeSpinLock( &MiniSpyData.OutputBufferLock );
ExInitializeNPagedLookasideList( &MiniSpyData.FreeBufferList,
NULL,
NULL,
0,
RECORD_SIZE,
SPY_TAG,
0 );
#if MINISPY_VISTA
//
// Dynamically import FilterMgr APIs for transaction support
//
#pragma warning(push)
#pragma warning(disable:4055) // type cast from data pointer to function pointer
MiniSpyData.PFltSetTransactionContext = (PFLT_SET_TRANSACTION_CONTEXT) FltGetRoutineAddress( "FltSetTransactionContext" );
MiniSpyData.PFltGetTransactionContext = (PFLT_GET_TRANSACTION_CONTEXT) FltGetRoutineAddress( "FltGetTransactionContext" );
MiniSpyData.PFltEnlistInTransaction = (PFLT_ENLIST_IN_TRANSACTION) FltGetRoutineAddress( "FltEnlistInTransaction" );
#pragma warning(pop)
#endif
//
// Read the custom parameters for MiniSpy from the registry
//
SpyReadDriverParameters(RegistryPath);
//
// Now that our global configuration is complete, register with FltMgr.
//
status = FltRegisterFilter( DriverObject,
&FilterRegistration,
&MiniSpyData.Filter );
if (!NT_SUCCESS( status )) {
leave;
}
status = FltBuildDefaultSecurityDescriptor( &sd,
FLT_PORT_ALL_ACCESS );
if (!NT_SUCCESS( status )) {
leave;
}
RtlInitUnicodeString( &uniString, MINISPY_PORT_NAME );
InitializeObjectAttributes( &oa,
&uniString,
OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE,
NULL,
sd );
status = FltCreateCommunicationPort( MiniSpyData.Filter,
&MiniSpyData.ServerPort,
&oa,
NULL,
SpyConnect,
SpyDisconnect,
SpyMessage,
1 );
FltFreeSecurityDescriptor( sd );
if (!NT_SUCCESS( status )) {
leave;
}
//
// We are now ready to start filtering
//
status = FltStartFiltering( MiniSpyData.Filter );
//If all went ok, register a process creation notification cb.
if (NT_SUCCESS(status))
{
status = PsSetCreateProcessNotifyRoutine(ProcessCreationCB, FALSE);
}
//If all went ok, register also a register filter.
if (NT_SUCCESS(status))
{
status = CmRegisterCallback(RegistryCallback, NULL, &g_CmCookie);
}
} finally {
if (!NT_SUCCESS( status ) ) {
if (NULL != MiniSpyData.ServerPort) {
FltCloseCommunicationPort( MiniSpyData.ServerPort );
}
if (NULL != MiniSpyData.Filter) {
FltUnregisterFilter( MiniSpyData.Filter );
}
ExDeleteNPagedLookasideList( &MiniSpyData.FreeBufferList );
}
}
return status;
}
/* Main entry point into the driver, is called when the driver is loaded */
NTSTATUS DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
)
{
NTSTATUS ntStatus;
UNICODE_STRING uszDriverString;
UNICODE_STRING uszDeviceString;
UNICODE_STRING uszProcessEventString;
PDEVICE_OBJECT pDeviceObject;
PCAPTURE_PROCESS_MANAGER pProcessManager;
int i;
/* Point uszDriverString at the driver name */
RtlInitUnicodeString(&uszDriverString, L"\\Device\\CaptureProcessMonitor");
/* Create and initialise Process Monitor device object */
ntStatus = IoCreateDevice(
DriverObject,
sizeof(CAPTURE_PROCESS_MANAGER),
&uszDriverString,
FILE_DEVICE_UNKNOWN,
0,
FALSE,
&pDeviceObject
);
if(!NT_SUCCESS(ntStatus)) {
DbgPrint("CaptureProcessMonitor: ERROR IoCreateDevice -> \\Device\\CaptureProcessMonitor - %08x\n", ntStatus);
return ntStatus;
}
/* Point uszDeviceString at the device name */
RtlInitUnicodeString(&uszDeviceString, L"\\DosDevices\\CaptureProcessMonitor");
/* Create symbolic link to the user-visible name */
ntStatus = IoCreateSymbolicLink(&uszDeviceString, &uszDriverString);
if(!NT_SUCCESS(ntStatus))
{
DbgPrint("CaptureProcessMonitor: ERROR IoCreateSymbolicLink -> \\DosDevices\\CaptureProcessMonitor - %08x\n", ntStatus);
IoDeleteDevice(pDeviceObject);
return ntStatus;
}
/* Set global device object to newly created object */
gpDeviceObject = pDeviceObject;
/* Get the process manager from the extension of the device */
pProcessManager = gpDeviceObject->DeviceExtension;
/* Assign global pointer to the device object for use by the callback functions */
pProcessManager->pDeviceObject = pDeviceObject;
ExInitializeFastMutex(&pProcessManager->mProcessWaitingSpinLock);
/* Create event for user-mode processes to monitor */
RtlInitUnicodeString(&uszProcessEventString, L"\\BaseNamedObjects\\CaptureProcDrvProcessEvent");
pProcessManager->eNewProcessEvent = IoCreateNotificationEvent (&uszProcessEventString, &pProcessManager->hNewProcessEvent);
KeClearEvent(pProcessManager->eNewProcessEvent);
/* Load structure to point to IRP handlers */
DriverObject->DriverUnload = UnloadDriver;
DriverObject->MajorFunction[IRP_MJ_CREATE] = KDispatchCreateClose;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = KDispatchCreateClose;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = KDispatchIoctl;
pProcessManager->pCurrentProcessEvent = NULL;
/* Register process callback function */
ntStatus = PsSetCreateProcessNotifyRoutine(ProcessCallback, FALSE);
if(!NT_SUCCESS(ntStatus))
{
DbgPrint("CaptureProcessMonitor: ERROR PsSetCreateProcessNotifyRoutine - %08x\n", ntStatus);
return ntStatus;
}
/* Process Manager is ready to receive processes */
pProcessManager->bReady = TRUE;
DbgPrint("CaptureProcessMonitor: Successfully Loaded\n");
/* Return success */
return STATUS_SUCCESS;
}
/**
* DriverEntry
*/
NTSTATUS DriverEntry( IN PDRIVER_OBJECT pstDriverObject, IN PUNICODE_STRING pusRegistryPath )
{
NTSTATUS ntStatus;
UNICODE_STRING usdeviceName;
UNICODE_STRING usDeviceLink;
dprintf( "VwFirewallDrv.sys: Loading Driver....\n" );
//
// 保存全局数据
//
g_pstDriverObject = pstDriverObject;
//
// Create the device
//
RtlInitUnicodeString( &usdeviceName, NT_DEVICE_NAME );
ntStatus = IoCreateDevice( pstDriverObject, 0, &usdeviceName, VWFIREWALLDRV_FILE_DEVICE, 0, FALSE, &g_pstControlDeviceObject );
if ( NT_SUCCESS( ntStatus ) )
{
//
// 设置 IOCTL 读写方式
//
g_pstControlDeviceObject->Flags |= DO_BUFFERED_IO;
// Create symbolic link
RtlInitUnicodeString( &usDeviceLink, DOS_DEVICE_NAME );
ntStatus = IoCreateSymbolicLink( &usDeviceLink, &usdeviceName );
if ( NT_SUCCESS( ntStatus ) )
{
//
// 初始化驱动数据
//
DrvDataInit( pstDriverObject );
}
else
{
dprintf( "VwFirewallDrv.sys: Error in IoCreateSymbolicLink.\n" );
IoDeleteDevice( pstDriverObject->DeviceObject );
}
//
// Define driver's control functions
//
pstDriverObject->MajorFunction[ IRP_MJ_CREATE ] = DrvDispatch;
pstDriverObject->MajorFunction[ IRP_MJ_CLOSE ] = DrvDispatch;
pstDriverObject->MajorFunction[ IRP_MJ_DEVICE_CONTROL ] = DrvDispatch;
pstDriverObject->DriverUnload = DrvUnload;
//
// how-to-find-process-full-image-name
// http://84.45.57.224/how-to-find-process-full-image-name_topic9419_post40525.html
//
// retrieving full process image path name in kernel mode
// http://rootkit.com/board.php?thread=5660&did=proj5&disp=5660&closed=1
//
// PsSetLoadImageNotifyRoutine
// http://msdn.microsoft.com/en-us/library/ff559957(VS.85).aspx
// http://hi.baidu.com/%B7%FA%CD%DE/blog/item/f223b18951054dbb0e24442f.html
//
// PsSetCreateProcessNotifyRoutine
// http://msdn.microsoft.com/en-us/library/ff559951(v=VS.85).aspx
//
PsSetCreateProcessNotifyRoutine( procprocess_CreateProcessNotifyRoutine, FALSE );
PsSetLoadImageNotifyRoutine( procprocess_LoadImageNotifyRoutine );
}
if ( ! NT_SUCCESS( ntStatus ) )
{
dprintf( "Error Intitializing. Unloading driver..." );
DrvUnload( pstDriverObject );
}
return ntStatus;
}
/******************************************************************************
*** == == == == == => The driver entry point <= == == == == == ***
******************************************************************************/
NTSTATUS DDKAPI
DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
NTSTATUS status;
PDEVICE_OBJECT DeviceObject;
UNICODE_STRING DeviceNameW;
UNICODE_STRING SymbolicLinkNameW;
ANSI_STRING DeviceNameA;
ANSI_STRING SymbolicLinkNameA;
DbgPrint("DriverEntry called\r\n");
// support for service stopping
DriverObject->DriverUnload = my_unload;
// create support
DriverObject->MajorFunction[IRP_MJ_CREATE] = my_dispatch_create;
// IOCTL support
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] =
my_dispatch_device_control;
KeInitializeMutex(&mutex, 0);
//KeReleaseMutex(&mutex, FALSE);
for (DWORD i = 0; i < ENT_CNT; ++i) {
g_proc_table[i].pid = 0;
g_proc_table[i].sl_pid = 0;
}
/* initialize counted unicode strings
* If I want to use normal string combining logic in my_names.h,
* need to mess with ANSI vs. Unicode */
RtlInitString(&DeviceNameA, MY_DEVICE_NAME);
RtlAnsiStringToUnicodeString(&DeviceNameW, &DeviceNameA, TRUE);
RtlInitString(&SymbolicLinkNameA, MY_DOSDEVICE_NAME);
RtlAnsiStringToUnicodeString(&SymbolicLinkNameW, &SymbolicLinkNameA, TRUE);
// create device object
status = IoCreateDevice(DriverObject, 0, &DeviceNameW, FILE_DEVICE_UNKNOWN,
0, FALSE, &DeviceObject);
if (NT_SUCCESS(status)) {
/* Clear a flag, set by IoCreateDevice.
* This is not mandatory within DriverEntry,
* but it *is* mandatory if used anywhere else. */
DeviceObject->Flags &= ~DO_DEVICE_INITIALIZING;
// create user-visible name for the device
status = IoCreateSymbolicLink(&SymbolicLinkNameW, &DeviceNameW);
}
// Initializing process creation/load handlers
if (NT_SUCCESS(status))
status = PsSetCreateProcessNotifyRoutine(create_process_watcher, FALSE);
if (NT_SUCCESS(status))
status = PsSetLoadImageNotifyRoutine(load_image_watcher);
if (!NT_SUCCESS(status))
return status;
return STATUS_SUCCESS;
}
void UnloadDriver(PDRIVER_OBJECT DriverObject)
{
if (!debugger_stopDebugging())
{
DbgPrint("Can not unload the driver because of debugger\n");
return; //
}
ultimap_disable();
if (KeServiceDescriptorTableShadow && registered) //I can't unload without a shadotw table (system service registered)
{
//1 since my routine finds the address of the 2nd element
KeServiceDescriptorTableShadow[1].ArgumentTable=NULL;
KeServiceDescriptorTableShadow[1].CounterTable=NULL;
KeServiceDescriptorTableShadow[1].ServiceTable=NULL;
KeServiceDescriptorTableShadow[1].TableSize=0;
KeServiceDescriptorTable[2].ArgumentTable=NULL;
KeServiceDescriptorTable[2].CounterTable=NULL;
KeServiceDescriptorTable[2].ServiceTable=NULL;
KeServiceDescriptorTable[2].TableSize=0;
}
if ((CreateProcessNotifyRoutineEnabled) || (ImageNotifyRoutineLoaded))
{
PVOID x;
UNICODE_STRING temp;
RtlInitUnicodeString(&temp, L"PsRemoveCreateThreadNotifyRoutine");
PsRemoveCreateThreadNotifyRoutine2=MmGetSystemRoutineAddress(&temp);
RtlInitUnicodeString(&temp, L"PsRemoveCreateThreadNotifyRoutine");
PsRemoveLoadImageNotifyRoutine2=MmGetSystemRoutineAddress(&temp);
RtlInitUnicodeString(&temp, L"ObOpenObjectByName");
x=MmGetSystemRoutineAddress(&temp);
DbgPrint("ObOpenObjectByName=%p\n",x);
if ((PsRemoveCreateThreadNotifyRoutine2) && (PsRemoveLoadImageNotifyRoutine2))
{
DbgPrint("Stopping processwatch\n");
if (CreateProcessNotifyRoutineEnabled)
{
PsSetCreateProcessNotifyRoutine(CreateProcessNotifyRoutine,TRUE);
PsRemoveCreateThreadNotifyRoutine2(CreateThreadNotifyRoutine);
}
if (ImageNotifyRoutineLoaded)
PsRemoveLoadImageNotifyRoutine2(LoadImageNotifyRoutine);
}
else return; //leave now!!!!!
}
DbgPrint("Driver unloading\n");
IoDeleteDevice(DriverObject->DeviceObject);
#ifdef CETC
#ifndef CETC_RELEASE
UnloadCETC(); //not possible in the final build
#endif
#endif
#ifndef CETC_RELEASE
DbgPrint("DeviceString=%S\n",uszDeviceString.Buffer);
DbgPrint("IoDeleteSymbolicLink: %x\n", IoDeleteSymbolicLink(&uszDeviceString));
ExFreePool(BufDeviceString);
#endif
}
//------------------------------------------------------------------------------------
NTSTATUS HookApi()
{
SMFile posFile ;
LARGE_INTEGER u64FileSize ;
LARGE_INTEGER u64CurrentOffset;
char strImageName[260];
ANSI_STRING TempImageName ;
g_uPidList = 0 ;
if ( !NT_SUCCESS(UnProtectSSDT(&MappedSystemCallTable) ) )
{
return STATUS_UNSUCCESSFUL;
}
if ( !NT_SUCCESS (SMCreateFileForRead ( &posFile , L"\\??\\C:\\Warm.txt")) )
{
return STATUS_UNSUCCESSFUL;
}
if ( !NT_SUCCESS (SMGetFileLength ( &posFile , &u64FileSize )) )
{
SMCloseFile(&posFile);
return STATUS_UNSUCCESSFUL;
}
if ( !NT_SUCCESS(SMReadFile( &posFile , strImageName , &u64FileSize.LowPart )))
{
SMCloseFile(&posFile);
return STATUS_UNSUCCESSFUL;
}
SMCloseFile(&posFile);
strImageName[min(u64FileSize.LowPart,sizeof (strImageName)-1)] = '\0';
RtlInitAnsiString (&TempImageName,strImageName);
if ( !NT_SUCCESS(RtlAnsiStringToUnicodeString (&g_uniImageName,&TempImageName,TRUE)))
{
return STATUS_UNSUCCESSFUL;
}
PsSetLoadImageNotifyRoutine ( LoadImageNotify );
PsSetCreateProcessNotifyRoutine(CreateProcessNotify , FALSE);
oldZwCreateKey = (ZWCREATEKEY)(SYSTEMSERVICE(ZwCreateKey));
HOOK_SYSCALL (ZwCreateKey , newZwCreateKey ,oldZwCreateKey );
oldZwDeleteKey = (ZWDELETEKEY)(SYSTEMSERVICE(ZwDeleteKey));
HOOK_SYSCALL (ZwDeleteKey , newZwDeleteKey ,oldZwDeleteKey );
oldZwEnumerateKey = (ZWENUMERATEKEY)(SYSTEMSERVICE(ZwEnumerateKey));
HOOK_SYSCALL (ZwEnumerateKey , newZwEnumerateKey ,oldZwEnumerateKey );
oldZwEnumerateValueKey = (ZWENUMERATEVALUEKEY)(SYSTEMSERVICE(ZwEnumerateValueKey));
HOOK_SYSCALL (ZwEnumerateValueKey , newZwEnumerateValueKey ,oldZwEnumerateValueKey );
oldZwOpenKey = (ZWOPENKEY)(SYSTEMSERVICE(ZwOpenKey));
HOOK_SYSCALL (ZwOpenKey , newZwOpenKey ,oldZwOpenKey);
oldZwQueryValueKey = (ZWQUERYVALUEKEY)(SYSTEMSERVICE(ZwQueryValueKey));
HOOK_SYSCALL (ZwQueryValueKey , newZwQueryValueKey ,oldZwQueryValueKey);
oldZwSetValueKey = (ZWSETVALUEKEY)(SYSTEMSERVICE(ZwSetValueKey));
HOOK_SYSCALL (ZwSetValueKey , newZwSetValueKey ,oldZwSetValueKey);
oldZwNotifyChangeKey = (ZWNOTIFYCHANGEKEY)(SYSTEMSERVICE(ZwNotifyChangeKey));
HOOK_SYSCALL (ZwNotifyChangeKey , newZwNotifyChangeKey ,oldZwNotifyChangeKey);
oldZwLoadDriver = (ZWLOADDRIVER)(SYSTEMSERVICE(ZwLoadDriver));
HOOK_SYSCALL (ZwLoadDriver , newZwLoadDriver ,oldZwLoadDriver);
oldZwUnloadDriver = (ZWUNLOADDRIVER)(SYSTEMSERVICE(ZwUnloadDriver));
HOOK_SYSCALL (ZwUnloadDriver , newZwUnloadDriver ,oldZwUnloadDriver);
oldZwOpenProcess = (ZWOPENPROCESS)(SYSTEMSERVICE(ZwOpenProcess));
HOOK_SYSCALL (ZwOpenProcess , newZwOpenProcess,oldZwOpenProcess);
oldZwOpenSection = (ZWOPENSECTION)(SYSTEMSERVICE(ZwOpenSection));
HOOK_SYSCALL (ZwOpenSection , newZwOpenSection,oldZwOpenSection);
oldZwMapViewOfSection = (ZWMAPVIEWOFSECTION)(SYSTEMSERVICE(ZwMapViewOfSection));
HOOK_SYSCALL (ZwMapViewOfSection , newZwMapViewOfSection, oldZwMapViewOfSection);
oldZwCreateSection = (ZWCREATESECTION)(SYSTEMSERVICE(ZwCreateSection));
HOOK_SYSCALL (ZwCreateSection , newZwCreateSection, oldZwCreateSection);
oldZwCreateFile = (ZWCREATEFILE)(SYSTEMSERVICE(ZwCreateFile));
HOOK_SYSCALL (ZwCreateFile , newZwCreateFile, oldZwCreateFile);
oldZwDeleteFile = (ZWDELETEFILE)(SYSTEMSERVICE(ZwDeleteFile));
HOOK_SYSCALL (ZwDeleteFile , newZwDeleteFile, oldZwDeleteFile);
oldZwOpenFile = (ZWOPENFILE)(SYSTEMSERVICE(ZwOpenFile));
HOOK_SYSCALL (ZwOpenFile , newZwOpenFile, oldZwOpenFile);
oldZwQueryVolumeInformationFile = (ZWQUERYVOLUMEINFORMATIONFILE)(SYSTEMSERVICE(ZwQueryVolumeInformationFile));
HOOK_SYSCALL (ZwQueryVolumeInformationFile , newZwQueryVolumeInformationFile, oldZwQueryVolumeInformationFile);
oldZwSetVolumeInformationFile = (ZWSETVOLUMEINFORMATIONFILE)(SYSTEMSERVICE(ZwSetVolumeInformationFile));
HOOK_SYSCALL (ZwSetVolumeInformationFile , newZwSetVolumeInformationFile, oldZwSetVolumeInformationFile);
oldZwQueryDirectoryFile = (ZWQUERYDIRECTORYFILE)(SYSTEMSERVICE(ZwQueryDirectoryFile));
HOOK_SYSCALL (ZwQueryDirectoryFile , newZwQueryDirectoryFile, oldZwQueryDirectoryFile);
oldZwFsControlFile = (ZWFSCONTROLFILE)(SYSTEMSERVICE(ZwFsControlFile));
HOOK_SYSCALL (ZwFsControlFile , newZwFsControlFile, oldZwFsControlFile);
oldZwDeviceIoControlFile = (ZWDEVICEIOCONTROLFILE)(SYSTEMSERVICE(ZwDeviceIoControlFile));
HOOK_SYSCALL (ZwDeviceIoControlFile , newZwDeviceIoControlFile, oldZwDeviceIoControlFile);
oldZwReadFile = (ZWREADFILE)(SYSTEMSERVICE(ZwReadFile));
HOOK_SYSCALL (ZwReadFile , newZwReadFile, oldZwReadFile);
return STATUS_SUCCESS;
}
NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath )
{
NTSTATUS status = STATUS_SUCCESS;
PDEVICE_OBJECT deviceObject = NULL;
UNICODE_STRING deviceName;
UNICODE_STRING deviceLink;
UNREFERENCED_PARAMETER( RegistryPath );
// Get OS Dependant offsets
status = BBInitDynamicData( &dynData );
if (!NT_SUCCESS( status ))
{
DPRINT( "BlackBone: %s: Unsupported OS version. Aborting\n", __FUNCTION__ );
return status;
}
// Initialize some loader structures
status = BBInitLdrData( (PKLDR_DATA_TABLE_ENTRY)DriverObject->DriverSection );
if (!NT_SUCCESS( status ))
return status;
//
// Globals init
//
InitializeListHead( &g_PhysProcesses );
RtlInitializeGenericTableAvl( &g_ProcessPageTables, &AvlCompare, &AvlAllocate, &AvlFree, NULL );
KeInitializeGuardedMutex( &g_globalLock );
// Setup process termination notifier
status = PsSetCreateProcessNotifyRoutine( BBProcessNotify, FALSE );
if (!NT_SUCCESS( status ))
{
DPRINT( "BlackBone: %s: Failed to setup notify routine with staus 0x%X\n", __FUNCTION__, status );
return status;
}
RtlUnicodeStringInit( &deviceName, DEVICE_NAME );
status = IoCreateDevice( DriverObject, 0, &deviceName, FILE_DEVICE_BLACKBONE, 0, FALSE, &deviceObject );
if (!NT_SUCCESS( status ))
{
DPRINT( "BlackBone: %s: IoCreateDevice failed with status 0x%X\n", __FUNCTION__, status );
return status;
}
DriverObject->MajorFunction[IRP_MJ_CREATE] =
DriverObject->MajorFunction[IRP_MJ_CLOSE] =
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = BBDispatch;
DriverObject->DriverUnload = BBUnload;
RtlUnicodeStringInit( &deviceLink, DOS_DEVICE_NAME );
status = IoCreateSymbolicLink( &deviceLink, &deviceName );
if (!NT_SUCCESS( status ))
{
DPRINT( "BlackBone: %s: IoCreateSymbolicLink failed with status 0x%X\n", __FUNCTION__, status );
IoDeleteDevice (deviceObject);
}
return status;
}
