/*
 * IOCTL_MIMIDRV_PROCESS_TOKEN handler.
 *
 * bufferIn is interpreted as a MIMIDRV_PROCESS_TOKEN_FROM_TO only when szBufferIn
 * matches its exact size. fromProcessId selects the process whose primary token
 * is used (defaults to PsInitialSystemProcess when 0 or when the request is
 * malformed - note that a wrong-sized request is NOT rejected, it silently falls
 * back to SYSTEM with no target). toProcessId, when non-zero, selects the single
 * target handed to kkll_m_process_token_toProcess; otherwise every process is
 * visited through kkll_m_process_enum with kkll_m_process_systoken_callback.
 *
 * Security notes (review):
 *  - bufferIn comes from the dispatcher's Type3InputBuffer, i.e. a raw user-mode
 *    address; request->fromProcessId / toProcessId are read here without
 *    ProbeForRead or a __try/__except guard and without capturing the structure
 *    to kernel memory first (TOCTOU between this read and the helpers that get
 *    the same bufferIn).
 *  - The source token is opened with DesiredAccess 0 on a kernel handle; the
 *    downstream helpers presumably rely on KernelMode access - confirm.
 *  - PsGetProcessId returns a HANDLE but is printed with %u; fine for the low
 *    32 bits, which is all a PID needs, but it is a format/type mismatch.
 *
 * Returns the first failing NTSTATUS, or the status of the enumeration / token
 * assignment helper. Process references taken by PsLookupProcessByProcessId and
 * both kernel handles are released on every path.
 */
NTSTATUS kkll_m_process_token(SIZE_T szBufferIn, PVOID bufferIn, PKIWI_BUFFER outBuffer)
{
	NTSTATUS status = STATUS_SUCCESS;
	PMIMIDRV_PROCESS_TOKEN_FROM_TO request = (PMIMIDRV_PROCESS_TOKEN_FROM_TO) bufferIn;
	PEPROCESS sourceProcess = PsInitialSystemProcess, targetProcess = NULL;
	HANDLE hSource, hSourceToken;

	/* Resolve the optional source / target processes; a well-formed request is
	 * required to override the SYSTEM default. */
	if(request && (szBufferIn == sizeof(MIMIDRV_PROCESS_TOKEN_FROM_TO)))
	{
		if(request->fromProcessId)
			status = PsLookupProcessByProcessId((HANDLE) request->fromProcessId, &sourceProcess);
		if(NT_SUCCESS(status) && request->toProcessId)
			status = PsLookupProcessByProcessId((HANDLE) request->toProcessId, &targetProcess);
	}
	if(!NT_SUCCESS(status))
		goto release_processes;

	/* Kernel handle on the source process, then on its primary token. */
	status = ObOpenObjectByPointer(sourceProcess, OBJ_KERNEL_HANDLE, NULL, 0, *PsProcessType, KernelMode, &hSource);
	if(!NT_SUCCESS(status))
		goto release_processes;

	status = ZwOpenProcessTokenEx(hSource, 0, OBJ_KERNEL_HANDLE, &hSourceToken);
	if(!NT_SUCCESS(status))
		goto close_process;

	status = kprintf(outBuffer, L"Token from %u/%-14S\n", PsGetProcessId(sourceProcess), PsGetProcessImageFileName(sourceProcess));
	if(NT_SUCCESS(status))
	{
		if(targetProcess)
			status = kkll_m_process_token_toProcess(szBufferIn, bufferIn, outBuffer, hSourceToken, targetProcess);
		else
			status = kkll_m_process_enum(szBufferIn, bufferIn, outBuffer, kkll_m_process_systoken_callback, hSourceToken);
	}
	ZwClose(hSourceToken);
close_process:
	ZwClose(hSource);
release_processes:
	/* Only processes resolved by lookup carry a reference; the SYSTEM default does not. */
	if(targetProcess)
		ObDereferenceObject(targetProcess);
	if(sourceProcess && (sourceProcess != PsInitialSystemProcess))
		ObDereferenceObject(sourceProcess);
	return status;
}
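/*
 * IRP_MJ_DEVICE_CONTROL dispatch routine: routes each IOCTL_MIMIDRV_* code to
 * its kkll_m_* handler, then completes the IRP.
 *
 * Security notes (review):
 *  - The input and output buffers are taken from Type3InputBuffer and
 *    Irp->UserBuffer, i.e. raw caller-supplied addresses (the METHOD_NEITHER
 *    transfer style). They are passed to the handlers and, in the RAW / PING /
 *    DEBUG_BUFFER / VM_ALLOC / CREATEREMOTETHREAD cases, dereferenced directly
 *    without ProbeForRead/ProbeForWrite, without a __try/__except guard and
 *    without being captured to kernel memory first. A hardened driver would
 *    probe, capture and validate every buffer before use; this one relies on
 *    the device being reachable only by trusted callers (the device DACL is set
 *    where the device object is created, which is not visible here - confirm).
 *  - RAW and PING print bufferIn with %s: if the caller's buffer is not
 *    NUL-terminated the formatter reads past InputBufferLength.
 *  - VM_READ / VM_WRITE / VM_ALLOC / VM_FREE and CREATEREMOTETHREAD are, by
 *    design, arbitrary-memory and arbitrary-code primitives. The length checks
 *    added below only prevent reading or writing past an undersized buffer;
 *    they do not make those operations safe.
 *
 * Returns the handler's NTSTATUS, STATUS_NOT_SUPPORTED for an unknown code.
 * IoStatus.Information is OutputBufferLength minus what remains in szBufferOut,
 * i.e. the bytes consumed through kOutputBuffer (presumably kprintf advances
 * bufferOut and shrinks szBufferOut in place); handlers that bypass
 * kOutputBuffer, such as VM_READ, report 0 bytes.
 */
NTSTATUS MimiDispatchDeviceControl(IN OUT DEVICE_OBJECT *DeviceObject, IN OUT IRP *Irp)
{
	NTSTATUS status = STATUS_NOT_SUPPORTED;
	PIO_STACK_LOCATION pIoStackIrp = NULL;
	size_t szBufferIn, szBufferOut, szReallyOut = 0;
	PVOID bufferIn, bufferOut;
	/* Shared cursor for the kprintf-style handlers: points at the output
	 * position and the remaining size so they can be updated in place. */
	KIWI_BUFFER kOutputBuffer = {&szBufferOut, (PWSTR *) &bufferOut};

	pIoStackIrp = IoGetCurrentIrpStackLocation(Irp);
	if(pIoStackIrp)
	{
		szBufferIn = pIoStackIrp->Parameters.DeviceIoControl.InputBufferLength;
		szBufferOut = pIoStackIrp->Parameters.DeviceIoControl.OutputBufferLength;
		bufferIn = pIoStackIrp->Parameters.DeviceIoControl.Type3InputBuffer; /* user-mode address, unprobed */
		bufferOut = Irp->UserBuffer;                                         /* user-mode address, unprobed */

		switch(pIoStackIrp->Parameters.DeviceIoControl.IoControlCode)
		{
		case IOCTL_MIMIDRV_RAW:
			/* %s on a caller buffer: assumes the caller NUL-terminated it. */
			status = kprintf(&kOutputBuffer, L"Raw command (not implemented yet) : %s\n", bufferIn);
			break;
		case IOCTL_MIMIDRV_PING:
			/* %s on a caller buffer: assumes the caller NUL-terminated it. */
			status = kprintf(&kOutputBuffer, L"Input : %s\nOutput : %s\n", bufferIn, L"pong");
			break;
		case IOCTL_MIMIDRV_BSOD:
			/* Deliberate crash; the break after it is never reached. */
			KeBugCheck(MANUALLY_INITIATED_CRASH);
			break;
		case IOCTL_MIMIDRV_DEBUG_BUFFER:
			/* The sizes are size_t; cast so they match the %u conversion on 64-bit builds. */
			status = kprintf(&kOutputBuffer, L"in (0x%p - %u) ; out (0x%p - %u)\n", bufferIn, (ULONG) szBufferIn, bufferOut, (ULONG) szBufferOut);
			break;
		case IOCTL_MIMIDRV_PROCESS_LIST:
			status = kkll_m_process_enum(szBufferIn, bufferIn, &kOutputBuffer, kkll_m_process_list_callback, NULL); // input needed ?
			break;
		case IOCTL_MIMIDRV_PROCESS_TOKEN:
			status = kkll_m_process_token(szBufferIn, bufferIn, &kOutputBuffer);
			break;
		case IOCTL_MIMIDRV_PROCESS_PROTECT:
			status = kkll_m_process_protect(szBufferIn, bufferIn, &kOutputBuffer);
			break;
		case IOCTL_MIMIDRV_PROCESS_FULLPRIV:
			status = kkll_m_process_fullprivileges(szBufferIn, bufferIn, &kOutputBuffer);
			break;
		case IOCTL_MIMIDRV_MODULE_LIST:
			status = kkll_m_modules_enum(szBufferIn, bufferIn, &kOutputBuffer, kkll_m_modules_list_callback, NULL); // input needed ?
			break;
		case IOCTL_MIMIDRV_SSDT_LIST:
			status = kkll_m_ssdt_list(&kOutputBuffer);
			break;
		case IOCTL_MIMIDRV_NOTIFY_PROCESS_LIST:
			status = kkll_m_notify_list_process(&kOutputBuffer);
			break;
		case IOCTL_MIMIDRV_NOTIFY_THREAD_LIST:
			status = kkll_m_notify_list_thread(&kOutputBuffer);
			break;
		case IOCTL_MIMIDRV_NOTIFY_IMAGE_LIST:
			status = kkll_m_notify_list_image(&kOutputBuffer);
			break;
		case IOCTL_MIMIDRV_NOTIFY_REG_LIST:
			status = kkll_m_notify_list_reg(&kOutputBuffer);
			break;
		case IOCTL_MIMIDRV_NOTIFY_OBJECT_LIST:
			status = kkll_m_notify_list_object(&kOutputBuffer);
			break;
		case IOCTL_MIMIDRV_FILTER_LIST:
			status = kkll_m_filters_list(&kOutputBuffer);
			break;
		case IOCTL_MIMIDRV_MINIFILTER_LIST:
			status = kkll_m_minifilters_list(&kOutputBuffer);
			break;
		case IOCTL_MIMIDRV_VM_READ:
			/* Arbitrary read: destination, source descriptor and size all come from the caller. */
			status = kkll_m_memory_vm_read(bufferOut, bufferIn, szBufferOut);
			break;
		case IOCTL_MIMIDRV_VM_WRITE:
			/* Arbitrary write: destination, source and size all come from the caller. */
			status = kkll_m_memory_vm_write(bufferOut, bufferIn, szBufferIn);
			break;
		case IOCTL_MIMIDRV_VM_ALLOC:
			/* bufferOut is the handler's PVOID output slot: require room for one
			 * pointer before letting it write there. */
			if(bufferOut && (szBufferOut >= sizeof(PVOID)))
				status = kkll_m_memory_vm_alloc(szBufferIn, (PVOID *) bufferOut);
			else
				status = STATUS_INVALID_PARAMETER;
			break;
		case IOCTL_MIMIDRV_VM_FREE:
			status = kkll_m_memory_vm_free(bufferIn);
			break;
		case IOCTL_MIMIDRV_CREATEREMOTETHREAD:
			/* pRoutine / pArg are read straight out of the caller's buffer: at
			 * least require the declared length to cover the whole structure
			 * before touching its fields. The call itself stays an
			 * arbitrary-code primitive (caller-chosen address, kernel context). */
			if(bufferIn && (szBufferIn >= sizeof(MIMIDRV_THREAD_INFO)))
				status = ((PMIMIDRV_THREAD_INFO) bufferIn)->pRoutine(((PMIMIDRV_THREAD_INFO) bufferIn)->pArg);
			else
				status = STATUS_INVALID_PARAMETER;
			break;
		default:
			/* Unknown code: status stays STATUS_NOT_SUPPORTED, nothing is written. */
			break;
		}
		if(NT_SUCCESS(status))
			szReallyOut = pIoStackIrp->Parameters.DeviceIoControl.OutputBufferLength - szBufferOut;
	}
	Irp->IoStatus.Status = status;
	Irp->IoStatus.Information = szReallyOut;
	IoCompleteRequest(Irp, IO_NO_INCREMENT);
	return status;
}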