/* Set event
 *
 * Signals hEvent through ZwSetEvent and returns the event's previous
 * signaled state as reported by the kernel. If ZwSetEvent fails, the
 * in-band sentinel EVENT_STATE_ERROR is returned instead; the NTSTATUS
 * itself is not propagated to the caller.
 */
ULONG
NTAPI
SetEvent(
    HANDLE hEvent
    )
{
    ULONG PreviousState = 0;

    /* Only the previous state is surfaced; the status is folded into the
     * sentinel below. */
    if (!NT_SUCCESS(ZwSetEvent(hEvent, &PreviousState)))
    {
        return EVENT_STATE_ERROR;
    }

    return PreviousState;
}
//////////////////////////////////////////////////////////////////////////
// HookKiFastCallEntry
//
// Replaces the ZwSetEvent entry of the service descriptor table at
// g_dwSDTAddress with FakeZwSetEvent (saving the original in RealZwSetEvent),
// then calls ZwSetEvent once with FAKE_EVENT_HANDLE so that the fake handler
// runs. The code then expects g_dwServiceRetAddr to have been filled in by
// that call; g_dwProxyRetAddr and g_pProxyJmpCode are set elsewhere
// (presumably by FakeZwSetEvent -- confirm).
//
// Returns STATUS_SUCCESS only when g_dwProxyRetAddr is non-zero afterwards,
// STATUS_UNSUCCESSFUL otherwise.
//
// NOTE(review): neither failure path restores the ServiceTable entry to
// RealZwSetEvent, so the hook stays installed even when the function reports
// failure. g_dwZwSetEventIndex is also used as a table index without any
// bounds check against the table's limit. Writes to the service table are
// what kernel patch protection on x64 treats as fatal, so this only applies
// to 32-bit kernels in practice.
NTSTATUS HookKiFastCallEntry()
{
	NTSTATUS status = STATUS_UNSUCCESSFUL;
	do 
	{
		ANSI_STRING astrZwSetEvent;
		DWORD dwZwSetEventAddr, dwZwSetEventRVA;
		dwZwSetEventAddr = dwZwSetEventRVA = 0;
		RtlInitAnsiString(&astrZwSetEvent, "ZwSetEvent");
		dwZwSetEventAddr = GetNtoskrnlExportNameAddress(&astrZwSetEvent, &dwZwSetEventRVA);
		if(0 == dwZwSetEventAddr)
		{
			break;
		}
		// Reads the 32-bit value one byte past the export's first byte as the
		// service index. This assumes the export starts with a one-byte opcode
		// followed by an imm32 (the usual "mov eax, index" stub); the layout is
		// build-dependent -- confirm against the target kernel.
		g_dwZwSetEventIndex = *(DWORD*)(dwZwSetEventAddr + 1);

		// The spin lock is a local re-initialized on every call, so it cannot
		// exclude concurrent callers; its only effect here is raising IRQL to
		// DISPATCH_LEVEL while the table entry is swapped.
		KSPIN_LOCK SpinLock;
		KIRQL OldIrql;
		KeInitializeSpinLock(&SpinLock);
		KeAcquireSpinLock(&SpinLock, &OldIrql);
		PageProtectOff();
		RealZwSetEvent = (ZwSetEventFunc)(((PSERVICE_DESCRIPTOR_TABLE)g_dwSDTAddress)->ServiceTable[g_dwZwSetEventIndex]);
		((PSERVICE_DESCRIPTOR_TABLE)g_dwSDTAddress)->ServiceTable[g_dwZwSetEventIndex] = (DWORD)FakeZwSetEvent;
		PageProtectOn();
		KeReleaseSpinLock(&SpinLock, OldIrql);
		// Invoke the now-hooked service once with the sentinel handle so
		// FakeZwSetEvent executes.
		ZwSetEvent((HANDLE)FAKE_EVENT_HANDLE, NULL);

		if(0 == g_dwServiceRetAddr)	// The return address of KiFastCallEntry call ZwSetEvent
		{
			// Bail-out path: the table entry is left pointing at FakeZwSetEvent,
			// and g_pProxyJmpCode is freed but not set to NULL (dangling pointer).
			if(g_pProxyJmpCode != NULL)
			{
				ExFreePool(g_pProxyJmpCode);
			}
			break;
		}

		if(g_dwProxyRetAddr != 0)	// TODO: Search
		{
			status = STATUS_SUCCESS;
			break;
		}
	} while (0);
	return status;
}
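/*
 * DriverEntry - driver initialization entry point.
 *
 * Order of work: signal the MU_EVENTNAME_BOOTSYNC event if it can be opened
 * (failure to open it is not treated as an error), create the
 * MU_DEVNAME_HOST_CONTROL device, verify the OS version, then run the
 * initialization phases in order: global data, database, kernel hook,
 * process-creation notify routine, user-mode helper. The phase in progress
 * is tracked in 'phase' so a failure can be recorded in the registry through
 * MuSetErrorCode. Partial initialization is undone on the failure path.
 *
 * DriverObject - driver object supplied by the I/O manager.
 * RegistryPath - the driver's service key. Its Buffer is NUL-terminated
 *                below so it can be passed to MuDeleteRegistryValue as a
 *                C string.
 *
 * Returns the failing NTSTATUS for a failure in a phase up to and including
 * PHASE_INIT_KERNEL_HOOK. A failure in a later phase is recorded in the
 * registry but STATUS_SUCCESS is still returned (kept from the original;
 * presumably so the driver stays loaded once the kernel hook is installed --
 * confirm that this is intended given that the device is deleted on that path).
 */
NTSTATUS
DriverEntry (
    PDRIVER_OBJECT DriverObject,
    PUNICODE_STRING RegistryPath
)
{
    NTSTATUS status;
    HANDLE event;
    BOOLEAN clean = FALSE;          /* TRUE once the notify routine is registered */
    PDEVICE_OBJECT devobj = NULL;
    ULONG maver, miver, phase;
    UNICODE_STRING dn;
    OBJECT_ATTRIBUTES oa;

    RtlInitUnicodeString(&dn, MU_EVENTNAME_BOOTSYNC);

    InitializeObjectAttributes(&oa,
                               &dn,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL,
                               NULL);

    status = ZwOpenEvent(&event,
                         EVENT_ALL_ACCESS,
                         &oa);

    /* Best effort: a missing boot-sync event is not a failure. */
    if (NT_SUCCESS(status))
    {
        ZwSetEvent(event, NULL);

        ZwClose(event);
    }

    RtlInitUnicodeString(&dn, MU_DEVNAME_HOST_CONTROL);

    phase = PHASE_CREATE_DEVICE;

    status = IoCreateDevice(DriverObject,
                            0,
                            &dn,
                            FILE_DEVICE_UNKNOWN,
                            0,
                            FALSE,
                            &devobj);

    if (NT_SUCCESS(status))
    {
        PsGetVersion(&maver, &miver, NULL, NULL);

        /* Pack major/minor into one value; the top bit marks a server system
         * so the VER_* constants can distinguish client from server builds. */
        OsVersion = (maver << 16) | miver;

        OsVersion |= MmIsThisAnNtAsSystem() ? 0x80000000 : 0;

        phase = PHASE_CHECK_OS_VERSION;

        switch (OsVersion)
        {
            case VER_WINXP:
            case VER_WIN2K3:
            case VER_WIN7:

                break;

            case VER_WIN2K8R2:
            case VER_WIN2K8:
            case VER_VISTA:
                /* fallthrough: these versions are not supported */

            default:
                /* 'status' still holds IoCreateDevice's success code here.
                 * Without an explicit error the driver would report success
                 * to the loader while having deleted its device and set no
                 * dispatch routines. */
                status = STATUS_NOT_SUPPORTED;

                goto MuDriverEntry_Failure;
        }

        MuInitializeGlobalData(&g_GlobalData);

        phase = PHASE_LOAD_DATABASE;

        status = MuLoadDatabase(&g_GlobalData);

        if (!NT_SUCCESS(status))
            goto MuDriverEntry_Failure;

        phase = PHASE_INIT_KERNEL_HOOK;

        status = MuInitializeKernelHook(&g_GlobalData);

        if (!NT_SUCCESS(status))
            goto MuDriverEntry_Failure;

        phase = PHASE_SET_NOTIFY;

        status = PsSetCreateProcessNotifyRoutine(MuCreateProcessNotify, FALSE);

        if (!NT_SUCCESS(status))
            goto MuDriverEntry_Failure;

        /* From here on the notify routine must be removed on failure. */
        clean = TRUE;

        phase = PHASE_INIT_HELPER;

        status = MuInitializeUserModeHelper(&g_GlobalData);

        if (!NT_SUCCESS(status))
            goto MuDriverEntry_Failure;

        DriverObject->MajorFunction[IRP_MJ_CREATE]         = MuDispatchCreateClose;
        DriverObject->MajorFunction[IRP_MJ_CLOSE]          = MuDispatchCreateClose;
        DriverObject->MajorFunction[IRP_MJ_POWER]          = MuDispatchPower;
        DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = MuDispatchDeviceControl;

        goto MuDriverEntry_End;

MuDriverEntry_Failure:

        if (clean)
            PsSetCreateProcessNotifyRoutine(MuCreateProcessNotify, TRUE);

        IoDeleteDevice(devobj);
    }

MuDriverEntry_End:

    /* NUL-terminate the registry path so Buffer can be used as a C string.
     * Lengths are in bytes; only write when the allocation has room for a
     * WCHAR terminator. Otherwise the buffer is assumed to already be
     * terminated by the loader -- TODO confirm for this target. */
    if (RegistryPath->MaximumLength >= RegistryPath->Length + sizeof(WCHAR))
        RegistryPath->Buffer[RegistryPath->Length / sizeof(WCHAR)] = 0;

    if (NT_SUCCESS(status))
        MuDeleteRegistryValue(RegistryPath->Buffer, MU_REGVAL_LAST_ERROR);
    else
        MuSetErrorCode(RegistryPath, phase, status);

    /* Failures after the kernel hook phase are recorded but not reported
     * to the loader (assumes PHASE_* values increase in the order above). */
    if (phase > PHASE_INIT_KERNEL_HOOK)
        return STATUS_SUCCESS;

    return status;
}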