NTSTATUS IoDispatchDeviceControl( IN PDEVICE_OBJECT pDeviceObject, IN PIRP pIrp )
{
PVOID InputBuffer, OutputBuffer;
ULONG InputBufferLength, OutputBufferLength;
ULONG IoControlCode;
TCHAR pMsg[MAX_PATH];
ULONG msgLen, pid, ulBuffer;
PEPROCESS pEProces;
UNICODE_STRING usBuffer;
NTSTATUS status = STATUS_SUCCESS;
PALL_PROCESSES_INFO pAllProcessInfo;
PALL_PROCESS_MODULE_INFO pAllProcessModuleInf;
PALL_PROCESS_THREAD_INFO pAllProcessThreadInf;
PIO_STACK_LOCATION IrpStack = IoGetCurrentIrpStackLocation(pIrp);
InputBuffer = pIrp->AssociatedIrp.SystemBuffer;
InputBufferLength = IrpStack->Parameters.DeviceIoControl.InputBufferLength;
OutputBufferLength = IrpStack->Parameters.DeviceIoControl.OutputBufferLength;
IoControlCode = IrpStack->Parameters.DeviceIoControl.IoControlCode;
pIrp->IoStatus.Information = NULL;
KdPrint(("IoControlCode is 0x%08x\n", IoControlCode));
switch(IrpStack->Parameters.DeviceIoControl.IoControlCode)
{
//强杀进程
case IOCTL_KILL_PROCESS:
{
//_asm int 3
KdPrint(("enum kill process:\n"));
__try
{
pid = *(ULONG*)InputBuffer;
status = PsLookupProcessByProcessId((HANDLE)pid, &pEProces);
if(NT_SUCCESS(status))
{
ObDereferenceObject(pEProces);
}
status = TerminateProcess(pEProces);
if(NT_SUCCESS(status))
{
DbgPrint("TerminateProcess Ok!\n");
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
pIrp->IoStatus.Information = STATUS_INVALID_PARAMETER;
status = STATUS_UNSUCCESSFUL;
}
}
break;
//枚举进程
case IOCTL_ENUM_PROCESS:
{
KdPrint(("enum process :\n"));
//_asm int 3
__try {
OutputBuffer = MmGetSystemAddressForMdlSafe(pIrp->MdlAddress, NormalPagePriority);
RtlZeroMemory(OutputBuffer, pIrp->MdlAddress->ByteCount);
pAllProcessInfo = (PALL_PROCESSES_INFO)ExAllocatePool(PagedPool, sizeof(ALL_PROCESSES_INFO));
RtlZeroMemory(pAllProcessInfo, sizeof(ALL_PROCESSES_INFO));
//EnumProcessByActiveProcess(pDeviceObject, pIrp, pAllProcessInfo);
ScanXpHandleTable(pDeviceObject, pIrp, pAllProcessInfo);
EnumProcessByThreadList(pDeviceObject, pIrp, pAllProcessInfo);
if (RtlCopyMemory(OutputBuffer, pAllProcessInfo, sizeof(PROCESS_INFO) * pAllProcessInfo->uCount + sizeof(ULONG32)))
{
pIrp->IoStatus.Information = sizeof(PROCESS_INFO) * pAllProcessInfo->uCount + sizeof(ULONG32);
}
} __except( EXCEPTION_EXECUTE_HANDLER ) {
pIrp->IoStatus.Information = STATUS_INVALID_PARAMETER;
status = STATUS_UNSUCCESSFUL;
}
if (NULL != pAllProcessInfo)
{
ExFreePool(pAllProcessInfo);
pAllProcessInfo = NULL;
}
}
break;
//枚举进程模块
case IOCTL_ENUM_PROCESS_MODULE:
{
KdPrint(("enum process module:\n"));
//_asm int 3
__try {
OutputBuffer = MmGetSystemAddressForMdlSafe(pIrp->MdlAddress, NormalPagePriority);
RtlZeroMemory(OutputBuffer, pIrp->MdlAddress->ByteCount);
pAllProcessModuleInf = (PALL_PROCESS_MODULE_INFO)ExAllocatePool(PagedPool, sizeof(ALL_PROCESS_MODULE_INFO));
RtlZeroMemory(pAllProcessModuleInf, sizeof(ALL_PROCESS_MODULE_INFO));
pid = *(ULONG*)InputBuffer;
PsLookupProcessByProcessId((HANDLE)pid, &pEProces);
ObDereferenceObject(pEProces);
EnumProcessModuleByPEB(pEProces, pAllProcessModuleInf);
if (RtlCopyMemory(OutputBuffer, pAllProcessModuleInf, sizeof(PROCESS_MODULE_INFO) * pAllProcessModuleInf->uCount + sizeof(ULONG32)))
{
pIrp->IoStatus.Information = sizeof(PROCESS_MODULE_INFO) * pAllProcessModuleInf->uCount + sizeof(ULONG32);
}
} __except( EXCEPTION_EXECUTE_HANDLER ) {
pIrp->IoStatus.Information = STATUS_INVALID_PARAMETER;
status = STATUS_UNSUCCESSFUL;
}
if (NULL != pAllProcessModuleInf)
{
ExFreePool(pAllProcessModuleInf);
pAllProcessModuleInf = NULL;
}
}
break;
//枚举进程线程
case IOCTL_ENUM_PROCESS_THREAD:
{
KdPrint(("enum process thread:\n"));
//_asm int 3
__try {
OutputBuffer = MmGetSystemAddressForMdlSafe(pIrp->MdlAddress, NormalPagePriority);
RtlZeroMemory(OutputBuffer, pIrp->MdlAddress->ByteCount);
pAllProcessThreadInf = (PALL_PROCESS_THREAD_INFO)ExAllocatePool(PagedPool, sizeof(PALL_PROCESS_THREAD_INFO));
RtlZeroMemory(pAllProcessThreadInf, sizeof(PALL_PROCESS_THREAD_INFO));
pid = *(ULONG*)InputBuffer;
PsLookupProcessByProcessId((HANDLE)pid, &pEProces);
ObDereferenceObject(pEProces);
EnumProcessThread(pEProces, pAllProcessThreadInf);
if (RtlCopyMemory(OutputBuffer, pAllProcessThreadInf, sizeof(PROCESS_THREAD_INFO) * pAllProcessThreadInf->uCount + sizeof(ULONG32)))
{
pIrp->IoStatus.Information = sizeof(PROCESS_THREAD_INFO) * pAllProcessThreadInf->uCount + sizeof(ULONG32);
}
} __except( EXCEPTION_EXECUTE_HANDLER ) {
pIrp->IoStatus.Information = STATUS_INVALID_PARAMETER;
status = STATUS_UNSUCCESSFUL;
}
if (NULL != pAllProcessThreadInf)
{
ExFreePool(pAllProcessThreadInf);
pAllProcessThreadInf = NULL;
}
}
break;
//删除文件
case IOCTL_DELETE_FILE:
{
KdPrint(("enum delete file :\n"));
//_asm int 3
__try {
RtlInitUnicodeString(&usBuffer, (PWCHAR)InputBuffer);
DeleteFile(&usBuffer);
} __except( EXCEPTION_EXECUTE_HANDLER ) {
pIrp->IoStatus.Information = STATUS_INVALID_PARAMETER;
status = STATUS_UNSUCCESSFUL;
}
}
break;
//获取驱动模块的数目
case IOCTL_GET_DRIVER_MODULE_INFO_SIZE:
{
//_asm int 3
KdPrint(("get driver modules info size :\n"));
__try
{
OutputBuffer = MmGetSystemAddressForMdlSafe(pIrp->MdlAddress, NormalPagePriority);
RtlZeroMemory(OutputBuffer, pIrp->MdlAddress->ByteCount);
EnumDriverModules(g_pDriverObj);
ulBuffer = GetDriverModulesInfoCount();
if (RtlCopyMemory(OutputBuffer, &ulBuffer, sizeof(ULONG)))
{
pIrp->IoStatus.Information = sizeof(ulBuffer);
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
FreePagedLookasideListForDriverModules();
KdPrint(("IOCTL_GET_DRIVER_MODULE_INFO_SIZE error"));
status = STATUS_UNSUCCESSFUL;
}
}
break;
//获取驱动模块列表信息
case IOCTL_ENUM_DRIVER_MODULE:
{
//_asm int 3
KdPrint(("enum driver module :\n"));
__try
{
OutputBuffer = MmGetSystemAddressForMdlSafe(pIrp->MdlAddress, NormalPagePriority);
RtlZeroMemory(OutputBuffer, pIrp->MdlAddress->ByteCount);
GetDriverModulesInfo(OutputBuffer);
ulBuffer = GetDriverModulesInfoCount();
pIrp->IoStatus.Information = ulBuffer * sizeof(DRIVER_MODULE_INFO);
FreePagedLookasideListForDriverModules();
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
KdPrint(("IOCTL_ENUM_DRIVER_MODULE error!"));
status = STATUS_UNSUCCESSFUL;
}
}
break;
//获取服务列表的数目
case IOCTL_GET_SERVICES_COUNT:
{
//_asm int 3
KdPrint(("get services count :\n"));
__try
{
OutputBuffer = MmGetSystemAddressForMdlSafe(pIrp->MdlAddress, NormalPagePriority);
RtlZeroMemory(OutputBuffer, pIrp->MdlAddress->ByteCount);
EnumServices();
ulBuffer = GetServicesCount();
if (RtlCopyMemory(OutputBuffer, &ulBuffer, sizeof(ULONG)))
{
pIrp->IoStatus.Information = sizeof(ulBuffer);
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
FreePagedLookasideListForServices();
KdPrint(("IOCTL_GET_DRIVER_MODULE_INFO_SIZE error"));
status = STATUS_UNSUCCESSFUL;
}
}
break;
//获取服务列表的信息
case IOCTL_ENUM_SERVICES:
{
//_asm int 3
KdPrint(("enum services :\n"));
__try
{
OutputBuffer = MmGetSystemAddressForMdlSafe(pIrp->MdlAddress, NormalPagePriority);
RtlZeroMemory(OutputBuffer, pIrp->MdlAddress->ByteCount);
GetServicesInfo(OutputBuffer);
ulBuffer = GetServicesCount();
pIrp->IoStatus.Information = ulBuffer * sizeof(DRIVER_MODULE_INFO);
FreePagedLookasideListForServices();
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
KdPrint(("IOCTL_ENUM_DRIVER_MODULE error!"));
status = STATUS_UNSUCCESSFUL;
}
}
break;
//获取自启动列表的数目
case IOCTL_GET_STARTUP_INFO_COUNT:
{
//_asm int 3
KdPrint(("get startup count :\n"));
__try
{
OutputBuffer = MmGetSystemAddressForMdlSafe(pIrp->MdlAddress, NormalPagePriority);
RtlZeroMemory(OutputBuffer, pIrp->MdlAddress->ByteCount);
EnumSystemStartupInfo();
ulBuffer = GetSystemStartupInfoCount();
if (RtlCopyMemory(OutputBuffer, &ulBuffer, sizeof(ULONG)))
{
pIrp->IoStatus.Information = sizeof(ulBuffer);
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
//FreePagedLookasideListForStartup();
KdPrint(("IOCTL_GET_STARTUP_INFO_COUNT error"));
status = STATUS_UNSUCCESSFUL;
}
}
break;
//获取自启动列表的信息
case IOCTL_ENUM_STARTUP:
{
//_asm int 3
KdPrint(("enum startup :\n"));
__try
{
OutputBuffer = MmGetSystemAddressForMdlSafe(pIrp->MdlAddress, NormalPagePriority);
RtlZeroMemory(OutputBuffer, pIrp->MdlAddress->ByteCount);
GetSystemStartupInfo(OutputBuffer);
ulBuffer = GetSystemStartupInfoCount();
pIrp->IoStatus.Information = ulBuffer * sizeof(STARTUP_INFO);
FreePagedLookasideListForStartup();
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
KdPrint(("IOCTL_ENUM_STARTUP error!"));
status = STATUS_UNSUCCESSFUL;
}
}
break;
//获得SSDT计数
case IOCTL_GET_SSDT_COUNT:
{
//_asm int 3
KdPrint(("hook count :\n"));
__try
{
OutputBuffer = MmGetSystemAddressForMdlSafe(pIrp->MdlAddress, NormalPagePriority);
RtlZeroMemory(OutputBuffer, pIrp->MdlAddress->ByteCount);
ulBuffer = GetSSDTCount();
if (RtlCopyMemory(OutputBuffer, &ulBuffer, sizeof(ULONG)))
{
pIrp->IoStatus.Information = sizeof(ulBuffer);
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
KdPrint(("IOCTL_GET_SSDT_COUNT error!"));
status = STATUS_UNSUCCESSFUL;
}
}
break;
case IOCTL_ENUM_SSDT:
{
//_asm int 3
KdPrint(("enum SSDT :\n"));
__try
{
OutputBuffer = MmGetSystemAddressForMdlSafe(pIrp->MdlAddress, NormalPagePriority);
RtlZeroMemory(OutputBuffer, pIrp->MdlAddress->ByteCount);
EnumSSDT(OutputBuffer);
ulBuffer = GetSSDTCount();
pIrp->IoStatus.Information = ulBuffer * sizeof(STARTUP_INFO);
FreePagedLookasideListForSSDT();
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
KdPrint(("IOCTL_ENUM_SSDT error!"));
status = STATUS_UNSUCCESSFUL;
}
}
break;
//设置SSDT
case IOCTL_SET_SSDT:
{
//_asm int 3
KdPrint(("set ssdt :\n"));
__try
{
DisableWriteProtection();
SetSSDT((PVOID)InputBuffer);
EnableWriteProtection();
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
KdPrint(("IOCTL_SETSSDT error!"));
status = STATUS_UNSUCCESSFUL;
}
}
break;
//获得SHADOW SSDT 计数
case IOCTL_GET_SHADOW_HOOK_COUNT:
{
//_asm int 3
KdPrint(("shadow hook count :\n"));
__try
{
OutputBuffer = MmGetSystemAddressForMdlSafe(pIrp->MdlAddress, NormalPagePriority);
RtlZeroMemory(OutputBuffer, pIrp->MdlAddress->ByteCount);
ulBuffer = GetShadowSSDTCount();
if (RtlCopyMemory(OutputBuffer, &ulBuffer, sizeof(ULONG)))
{
pIrp->IoStatus.Information = sizeof(ulBuffer);
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
KdPrint(("IOCTL_GET_SHADOW_HOOK_COUNT error!"));
status = STATUS_UNSUCCESSFUL;
}
}
break;
case IOCTL_ENUM_SHADOW_HOOK:
{
//_asm int 3
KdPrint(("enum shadow ssdt :\n"));
__try
{
OutputBuffer = MmGetSystemAddressForMdlSafe(pIrp->MdlAddress, NormalPagePriority);
RtlZeroMemory(OutputBuffer, pIrp->MdlAddress->ByteCount);
EnumShadowSSDT(OutputBuffer);
ulBuffer = GetShadowSSDTCount();
pIrp->IoStatus.Information = ulBuffer * sizeof(STARTUP_INFO);
FreePagedLookasideListForShadowSSDT();
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
KdPrint(("IOCTL_ENUM_SHADOW_HOOK error!"));
status = STATUS_UNSUCCESSFUL;
}
}
break;
//设置SHADOW SSDT
case IOCTL_SET_SHADOW_HOOK:
{
//_asm int 3
KdPrint(("set shadow ssdt :\n"));
__try
{
DisableWriteProtection();
SetShadowSSDT((PVOID)InputBuffer);
EnableWriteProtection();
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
KdPrint(("IOCTL_SET_SHADOW_HOOK error!"));
status = STATUS_UNSUCCESSFUL;
}
}
break;
//获取目录下文件的计数
case IOCTL_GET_DIRECTORY_INFO_COUNT:
{
//_asm int 3
KdPrint(("get directory info count :\n"));
__try
{
OutputBuffer = MmGetSystemAddressForMdlSafe(pIrp->MdlAddress, NormalPagePriority);
RtlZeroMemory(OutputBuffer, pIrp->MdlAddress->ByteCount);
EnumDirectory((PCHAR)InputBuffer);
ulBuffer = GetDirectoryInfoCount();
if (RtlCopyMemory(OutputBuffer, &ulBuffer, sizeof(ULONG)))
{
pIrp->IoStatus.Information = sizeof(ulBuffer);
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
KdPrint(("IOCTL_GET_DIRECTORY_INFO_COUNT error!"));
status = STATUS_UNSUCCESSFUL;
}
}
break;
//获取目录下所有文件的信息
case IOCTL_ENUM_DIRECTORY_INFO:
{
//_asm int 3
KdPrint(("enum directory info :\n"));
__try
{
OutputBuffer = MmGetSystemAddressForMdlSafe(pIrp->MdlAddress, NormalPagePriority);
RtlZeroMemory(OutputBuffer, pIrp->MdlAddress->ByteCount);
GetDirectoryInfo((PVOID)OutputBuffer);
ulBuffer = GetDirectoryInfoCount();
pIrp->IoStatus.Information = ulBuffer * sizeof(DIRECTORY_INFO);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
KdPrint(("IOCTL_ENUM_DIRECTORY_INFO error!"));
status = STATUS_UNSUCCESSFUL;
}
}
break;
//修改文件权限
case IOCTL_MODIFY_FILE_RIGHT:
{
//_asm int 3
KdPrint(("modify file right :\n"));
__try
{
status = ModifyRight((FILE_RIGHT_MODIFY*)InputBuffer);
status = STATUS_SUCCESS;
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
KdPrint(("IOCTL_MODIFY_FILE_RIGHT error!"));
status = STATUS_UNSUCCESSFUL;
}
}
break;
default:
status = STATUS_INVALID_DEVICE_REQUEST;
pIrp->IoStatus.Information = 0;
break;
}
//ClearLog();
pIrp->IoStatus.Status = status;
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
return status;
}
BOOL
Query(LPCTSTR *ServiceArgs,
DWORD ArgCount,
BOOL bExtended)
{
LPENUM_SERVICE_STATUS_PROCESS pServiceStatus = NULL;
DWORD NumServices = 0;
//DWORD ServiceType;
//DWORD ServiceState;
BOOL bServiceName = TRUE;
DWORD OptSize, i;
LPCTSTR *TmpArgs;
INT TmpCnt;
#ifdef SCDBG
TmpArgs = ServiceArgs;
TmpCnt = ArgCount;
_tprintf(_T("Arguments:\n"));
while (TmpCnt)
{
_tprintf(_T(" %s\n"), *TmpArgs);
TmpArgs++;
TmpCnt--;
}
_tprintf(_T("\n"));
#endif /* SCDBG */
/* display all running services and drivers */
if (ArgCount == 0)
{
NumServices = EnumServices(&pServiceStatus,
SERVICE_WIN32,
SERVICE_ACTIVE);
if (NumServices != 0)
{
for (i=0; i < NumServices; i++)
{
PrintService(pServiceStatus[i].lpServiceName,
&pServiceStatus[i].ServiceStatusProcess,
bExtended);
}
_tprintf(_T("number : %lu\n"), NumServices);
if (pServiceStatus)
HeapFree(GetProcessHeap(), 0, pServiceStatus);
return TRUE;
}
return FALSE;
}
TmpArgs = ServiceArgs;
TmpCnt = ArgCount;
OptSize = sizeof(QueryOpts) / sizeof(QueryOpts[0]);
while (TmpCnt--)
{
for (i=0; i < OptSize; i++)
{
if (!lstrcmpi(*TmpArgs, QueryOpts[i]))
{
bServiceName = FALSE;
}
}
TmpArgs++;
}
/* FIXME: parse options */
/* print only the service requested */
if (bServiceName)
{
LPSERVICE_STATUS_PROCESS pStatus;
LPCTSTR ServiceName = *ServiceArgs;
pStatus = QueryService(ServiceName);
if (pStatus)
{
PrintService(ServiceName,
pStatus,
bExtended);
}
}
return TRUE;
}
