//////////////////////////////////////////////////////////////////////////
// save the key buffer to the file.
//
// Writes `length` bytes from `buffer` to the fixed path \??\C:\kbd.txt and
// closes the handle before returning. A NULL buffer is ignored; failures of
// ZwCreateFile/ZwWriteFile are only reported through DbgPrint.
//
// Detection note: a kernel component writing captured input to a hard-coded,
// user-visible file path is exactly the pattern implemented here; the path
// and the FILE_APPEND_DATA open from kernel mode are the observable artefacts.
//
// NOTE(review): FILE_OVERWRITE_IF truncates an existing file on every call,
// so the FILE_APPEND_DATA access does not accumulate data across calls.
// NOTE(review): neither SYNCHRONIZE nor FILE_SYNCHRONOUS_IO_NONALERT is
// requested, so ZwWriteFile may return STATUS_PENDING while the handle is
// closed below — confirm whether asynchronous completion is acceptable here.
// `length` is trusted as given; it is never validated against `buffer`.
void SaveToFile(IN PCHAR buffer,IN int length)
{
    WCHAR fileName[] = L"\\??\\C:\\kbd.txt";
    UNICODE_STRING unifilename;
    NTSTATUS status;
    OBJECT_ATTRIBUTES oa;
    HANDLE hFile;
    IO_STATUS_BLOCK iostatus;
    LARGE_INTEGER ByteOffset={0} ;   // presumably ignored for an append-only handle — confirm

    if (!buffer) {
        return;
    }

    RtlInitUnicodeString(&unifilename,fileName);
    InitializeObjectAttributes(&oa,&unifilename, OBJ_CASE_INSENSITIVE|OBJ_KERNEL_HANDLE, NULL,NULL);

    // Share everything: other openers are not blocked while this handle is held.
    status = ZwCreateFile(&hFile,FILE_APPEND_DATA,&oa,&iostatus,NULL,FILE_ATTRIBUTE_NORMAL,
                          FILE_SHARE_DELETE|FILE_SHARE_WRITE|FILE_SHARE_READ,FILE_OVERWRITE_IF, 0,0,0);
    if(NT_SUCCESS(status)) {
        status=ZwWriteFile(hFile,NULL,NULL,NULL,&iostatus,buffer,length,&ByteOffset,NULL);
        if (!(NT_SUCCESS(status))) {
            DbgPrint("ZwWriteFile Failed %8x",status);
        }
        ZwClose(hFile);
    } else
        DbgPrint("ZwCreateFile Failed %8x",status);
}
// Flush the registry key `key` and write it out to the file named by `path`.
//
// SE_BACKUP_PRIVILEGE is enabled first via get_privilege(), the key is wrapped
// in a RegKey and flushed, and the destination is created with FILE_CREATE
// (the call fails if the file already exists; share mode 0). CHECKER() is
// applied to the ZwCreateFile status before the save; what it does on failure
// is not visible in this file.
//
// Detection note: enabling backup privilege and then exporting a registry key
// through a kernel-created file handle is the observable sequence; the file
// written to `path` is the artefact.
//
// NOTE(review): ZwClose() is reached only if CHECKER() and sam.save_to()
// return normally — if either throws, hFile leaks. Confirm CHECKER's contract.
// NOTE(review): `&path.unicode_string()` takes the address of the returned
// value; this is only valid if unicode_string() returns a reference to storage
// that outlives the ZwCreateFile call — verify.
// NOTE(review): the NTSTATUS is stored in a ULONG; NT_SUCCESS-style checks on
// it must cast back to a signed value.
void save_key_to(UnicodeString &key, UnicodeString &path)
{
    get_privilege(SE_BACKUP_PRIVILEGE);
    RegKey sam(key);
    sam.flush();

    OBJECT_ATTRIBUTES file;
    InitializeObjectAttributes(&file, &path.unicode_string(), OBJ_CASE_INSENSITIVE, NULL, NULL);

    HANDLE hFile;
    IO_STATUS_BLOCK ios;
    ULONG status = ZwCreateFile(&hFile, GENERIC_WRITE, &file, &ios, 0, 0, 0, FILE_CREATE, 0, 0, 0);
    CHECKER(status);

    sam.save_to(hFile);
    ZwClose(hFile);
}
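/*
 * @implemented
 *
 * Creates \SystemRoot\bootstat.dat (FILE_CREATE: fails if it already exists)
 * and writes a fixed 12-byte header at offset 0.
 *
 * Returns the status of the failing call, or the ZwWriteFile status on
 * success. The handle is closed only when ZwCreateFile succeeded — the
 * original passed an uninitialized FileHandle to ZwClose on the failure path.
 */
NTSTATUS
NTAPI
RtlCreateBootStatusDataFile(VOID)
{
    OBJECT_ATTRIBUTES ObjectAttributes;
    IO_STATUS_BLOCK IoStatusBlock;
    LARGE_INTEGER AllocationSize;
    LARGE_INTEGER ByteOffset;
    UNICODE_STRING FileName;
    HANDLE FileHandle;
    NTSTATUS Status;
    // FIXME: Initialize the buffer in a better way.
    UCHAR Buffer[12] = {0xC,0,0,0, 1,0,0,0, 1, 0x1e, 1, 0};

    /* Initialize the file name */
    RtlInitUnicodeString(&FileName, L"\\SystemRoot\\bootstat.dat");

    /* Initialize the object attributes */
    InitializeObjectAttributes(&ObjectAttributes,
                               &FileName,
                               OBJ_CASE_INSENSITIVE,
                               NULL,
                               NULL);
    AllocationSize.QuadPart = 0x800;
    DBG_UNREFERENCED_LOCAL_VARIABLE(AllocationSize);

    /* Create the boot status data file */
    Status = ZwCreateFile(&FileHandle,
                          FILE_GENERIC_READ | FILE_GENERIC_WRITE,
                          &ObjectAttributes,
                          &IoStatusBlock,
                          NULL, //&AllocationSize,
                          FILE_ATTRIBUTE_SYSTEM,
                          0,
                          FILE_CREATE,
                          FILE_SYNCHRONOUS_IO_NONALERT,
                          NULL,
                          0);
    if (!NT_SUCCESS(Status))
    {
        /* Nothing was opened, so there is nothing to close */
        return Status;
    }

    /* Write the header at the start of the file */
    ByteOffset.QuadPart = 0;
    Status = ZwWriteFile(FileHandle,
                         NULL,
                         NULL,
                         NULL,
                         &IoStatusBlock,
                         Buffer,
                         sizeof(Buffer),
                         &ByteOffset,
                         NULL);

    /* Close the file */
    ZwClose(FileHandle);
    return Status;
}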
//-------------------------------------------------------------------------------------- void DbgOpenPipe(void) { OBJECT_ATTRIBUTES ObjAttr; IO_STATUS_BLOCK IoStatusBlock; UNICODE_STRING usPipeName; RtlInitUnicodeString(&usPipeName, L"\\Device\\NamedPipe\\" DBG_PIPE_NAME); InitializeObjectAttributes(&ObjAttr, &usPipeName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL); KeWaitForMutexObject(&DbgMutex, Executive, KernelMode, FALSE, NULL); // open data pipe by name NTSTATUS status = ZwCreateFile( &hDbgPipe, FILE_WRITE_DATA | SYNCHRONIZE, &ObjAttr, &IoStatusBlock, 0, FILE_ATTRIBUTE_NORMAL, 0, FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0 ); if (!NT_SUCCESS(status)) { DbgMsg(__FILE__, __LINE__, "ZwCreateFile() fails; status: 0x%.8x\n", status); } KeReleaseMutex(&DbgMutex, FALSE); }
//--------------------------------------------------------------------------------------
// Open (or truncate: FILE_OVERWRITE_IF) the debug log file named by
// DBG_LOGFILE_NAME and store the handle in the global hDbgLogFile. The open
// runs under DbgMutex; a failure is reported via DbgMsg() only.
//
// NOTE(review): FILE_ALL_ACCESS (which already contains SYNCHRONIZE) is far
// more than a log writer needs; FILE_APPEND_DATA | SYNCHRONIZE (or
// FILE_GENERIC_WRITE) would be the least-privilege choice. Not changed here
// because the code that uses hDbgLogFile is not visible in this file.
// Share mode 0 means no other opener can access the log while it is held.
void DbgOpenLogFile(void)
{
    OBJECT_ATTRIBUTES ObjAttr;
    IO_STATUS_BLOCK StatusBlock;
    UNICODE_STRING usFileName;

    RtlInitUnicodeString(&usFileName, DBG_LOGFILE_NAME);
    InitializeObjectAttributes(&ObjAttr, &usFileName, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE , NULL, NULL);

    KeWaitForMutexObject(&DbgMutex, Executive, KernelMode, FALSE, NULL);

    NTSTATUS status = ZwCreateFile(
        &hDbgLogFile,
        FILE_ALL_ACCESS | SYNCHRONIZE,
        &ObjAttr,
        &StatusBlock,
        NULL,
        FILE_ATTRIBUTE_NORMAL,
        0,
        FILE_OVERWRITE_IF,
        FILE_SYNCHRONOUS_IO_NONALERT,
        NULL,
        0
    );
    if (!NT_SUCCESS(status))
    {
        DbgMsg(__FILE__, __LINE__, "ZwCreateFile() fails; status: 0x%.8x\n", status);
    }

    KeReleaseMutex(&DbgMutex, FALSE);
}
// Resolve a device object from a drive letter or an NT object path.
//
// A one-character name (ObjectName.Length == sizeof(WCHAR)) is treated as a
// drive letter and delegated to Disk_GetDeviceObjectByLetter(). Otherwise the
// name is opened with ZwCreateFile, its file object is referenced, and the
// device is taken from FileObject->DeviceObject (unwrapped to
// Vpb->RealDevice when a VPB with a real device is present). Only devices of
// type FILE_DEVICE_DISK, FILE_DEVICE_CD_ROM or FILE_DEVICE_DVD that are not
// still initializing are returned.
//
// Returns a device object referenced via ObReferenceObjectByPointer — the
// caller owns that reference and must ObDereferenceObject() it — or NULL.
// The temporary file-object reference and the handle are always released
// before return.
//
// NOTE(review): DriveName is assumed to be a NUL-terminated wide string
// (RtlInitUnicodeString) — confirm with callers.
PDEVICE_OBJECT Disk_GetDeviceByName(PWCHAR DriveName)
{
    PDEVICE_OBJECT pDevice = NULL;
    PFILE_OBJECT pFileObject;
    NTSTATUS ntStatus;
    UNICODE_STRING ObjectName;

    RtlInitUnicodeString(&ObjectName, DriveName);

    // Length is a byte count, so this is exactly one WCHAR: a bare drive letter.
    if (ObjectName.Length == sizeof(WCHAR))
        return Disk_GetDeviceObjectByLetter(*DriveName);
    else
    {
        HANDLE DeviceHandle;
        OBJECT_ATTRIBUTES ObjAttr;
        IO_STATUS_BLOCK ioStatus;

        InitializeObjectAttributes(&ObjAttr, &ObjectName, OBJ_CASE_INSENSITIVE, NULL, NULL);
        // FILE_ANY_ACCESS is 0: only SYNCHRONIZE is actually requested.
        ntStatus = ZwCreateFile(&DeviceHandle, SYNCHRONIZE | FILE_ANY_ACCESS, &ObjAttr, &ioStatus, NULL, 0,
                                FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
        if(NT_SUCCESS(ntStatus))
        {
            // No object type is given, so any object type behind the handle is accepted.
            ntStatus = ObReferenceObjectByHandle(DeviceHandle, STANDARD_RIGHTS_REQUIRED, NULL, KernelMode, (VOID**)&pFileObject, NULL);
            if(NT_SUCCESS(ntStatus))
            {
                if (pFileObject->DeviceObject != NULL)
                {
                    pDevice = pFileObject->DeviceObject;
                    // Prefer the real (storage) device behind a mounted volume.
                    if (pDevice->Vpb != NULL)
                    {
                        if (pDevice->Vpb->RealDevice != NULL)
                            pDevice = pDevice->Vpb->RealDevice;
                    }
                    if (pDevice->Flags & DO_DEVICE_INITIALIZING)
                        pDevice = NULL;
                    else
                    {
                        if(pDevice->DeviceType == FILE_DEVICE_DISK ||
                           pDevice->DeviceType == FILE_DEVICE_CD_ROM ||
                           pDevice->DeviceType == FILE_DEVICE_DVD)
                        {
                            // Take the reference that is handed back to the caller.
                            if (!NT_SUCCESS(ObReferenceObjectByPointer(pDevice, STANDARD_RIGHTS_REQUIRED, *IoDeviceObjectType, KernelMode)))
                                pDevice = NULL;
                        }
                        else
                            pDevice = NULL;
                    }
                }
                ObDereferenceObject(pFileObject);
            }
            ZwClose(DeviceHandle);
        }
    }
    return pDevice;
}
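// IRP_MJ_READ handler for driver B: opens driver A's device
// (\Device\MyDDKDeviceA) without SYNCHRONIZE so the handle is asynchronous,
// issues a zero-length read and, if that read is pending, waits on the file
// object's event until driver A completes it. The IRP is then always completed
// with STATUS_SUCCESS (the demo deliberately ignores the open/read outcome).
//
// Fixes vs. the original: the file object was referenced as
// *ExEventObjectType, which fails with STATUS_OBJECT_TYPE_MISMATCH for a file
// handle so the wait never ran; and ZwClose was called on an uninitialized
// handle when the open failed.
NTSTATUS HelloDDKRead(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp)
{
    KdPrint(("DriverB:Enter B HelloDDKRead\n"));
    NTSTATUS ntStatus = STATUS_SUCCESS;
    UNICODE_STRING DeviceName;
    RtlInitUnicodeString( &DeviceName, L"\\Device\\MyDDKDeviceA" );

    // Initialize objectAttributes
    OBJECT_ATTRIBUTES objectAttributes;
    InitializeObjectAttributes(&objectAttributes, &DeviceName, OBJ_CASE_INSENSITIVE, NULL, NULL );

    HANDLE hDevice = NULL;
    IO_STATUS_BLOCK status_block;
    // Open the device asynchronously: no SYNCHRONIZE, no FILE_SYNCHRONOUS_IO_*.
    ntStatus = ZwCreateFile(&hDevice,
                            FILE_READ_ATTRIBUTES,   // SYNCHRONIZE deliberately not set
                            &objectAttributes,
                            &status_block,
                            NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ,
                            FILE_OPEN_IF, 0, NULL, 0);
    if (NT_SUCCESS(ntStatus))
    {
        LARGE_INTEGER offset = RtlConvertLongToLargeInteger(0);
        ntStatus = ZwReadFile(hDevice, NULL, NULL, NULL, &status_block, NULL, 0, &offset, NULL);
        if (ntStatus == STATUS_PENDING)
        {
            KdPrint(("DriverB:ZwReadFile return STATUS_PENDING!\n"));
            PFILE_OBJECT FileObject;
            // hDevice is a file handle, so it must be referenced as a file
            // object. Access checks are skipped for KernelMode, so no
            // particular right is needed.
            ntStatus = ObReferenceObjectByHandle(hDevice, 0, *IoFileObjectType, KernelMode, (PVOID*) &FileObject, NULL);
            if (NT_SUCCESS(ntStatus))
            {
                KdPrint(("DriverB:Waiting..."));
                // No event was passed to ZwReadFile, so completion is signalled
                // on the file object's own event.
                KeWaitForSingleObject(&FileObject->Event, Executive, KernelMode, FALSE, NULL);
                KdPrint(("DriverB:Driver A Read IRP completed now!\n"));
                ObDereferenceObject(FileObject);
            }
        }
        // Only close a handle we actually obtained.
        ZwClose(hDevice);
    }
    // The demo completes the IRP successfully regardless of the outcome above.
    ntStatus = STATUS_SUCCESS;

    // Complete the IRP
    pIrp->IoStatus.Status = ntStatus;
    pIrp->IoStatus.Information = 0;   // bytes xfered
    IoCompleteRequest( pIrp, IO_NO_INCREMENT );
    KdPrint(("DriverB:Leave B HelloDDKRead\n"));
    return ntStatus;
}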
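// Open the file named by the ANSI path szFilename with the given access,
// share mode and create disposition, always adding SYNCHRONIZE and opening
// for synchronous non-alertable I/O.
//
// Returns the handle as an int, or -1 on failure; a handle that ZwCreateFile
// returned together with a non-success status is closed rather than leaked.
// InMyOpenClose is incremented around the Zw calls, presumably so the rest of
// the driver can recognise its own create/close activity — confirm.
//
// Example call:
//   int fhandle = OpenFile(uncFilename, FILE_GENERIC_READ|SYNCHRONIZE,
//                          FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE, FILE_OPEN);
//
// NOTE(review): returning a HANDLE as int truncates on 64-bit builds; kept
// because existing callers expect the int.
int OpenFile( char *szFilename, int nDesiredAccess, ULONG ulShareAccess, ULONG ulCreateDisposition )
{
    NTSTATUS ntStatus;
    HANDLE FileHandle=(HANDLE)-1;
    OBJECT_ATTRIBUTES ObjectAttributes;
    IO_STATUS_BLOCK IoStatus;
    UNICODE_STRING uniFilename;
    ANSI_STRING ansiFilename;

    // The string coming through here is the fully qualified driver path in ASCII.
    // For now we'll display that driver path in all output text.
    // Convert it back to unicode.
    RtlInitAnsiString( &ansiFilename, szFilename );
    ntStatus = RtlAnsiStringToUnicodeString( &uniFilename, &ansiFilename, TRUE);
    if ( !NT_SUCCESS(ntStatus) )
    {
        // The conversion allocates the Unicode buffer; when it fails there is
        // nothing to open and nothing to free (the original used the
        // uninitialized string regardless).
        _Trace(TraceInfo,"ZwCreateFile FFAILED: NtStatus=%08X :%s\n", ntStatus, szFilename);
        return -1;
    }

    InitializeObjectAttributes( &ObjectAttributes, &uniFilename, OBJ_CASE_INSENSITIVE, NULL, NULL );

    ++InMyOpenClose;
    ntStatus = ZwCreateFile( &FileHandle,
                             nDesiredAccess|SYNCHRONIZE,
                             &ObjectAttributes,
                             &IoStatus,
                             NULL,
                             FILE_ATTRIBUTE_NORMAL,
                             ulShareAccess,
                             ulCreateDisposition,
                             FILE_SYNCHRONOUS_IO_NONALERT|FILE_COMPLETE_IF_OPLOCKED,
                             NULL,
                             0 );
    --InMyOpenClose;
    RtlFreeUnicodeString( &uniFilename );

#ifdef GDATA
    if ( NT_SUCCESS(ntStatus) )
#endif //GDATA
    if ( ntStatus == STATUS_SUCCESS )
    {
        return ( ( int )FileHandle );
    }
    else if (FileHandle != (HANDLE)-1)
    {
        // With FILE_COMPLETE_IF_OPLOCKED a handle can come back together
        // with a non-success status (e.g. an oplock break in progress);
        // release it instead of leaking it.
        ++InMyOpenClose;
        ZwClose( FileHandle );
        --InMyOpenClose;
    }
    _Trace(TraceInfo,"ZwCreateFile FFAILED: NtStatus=%08X :%s\n", ntStatus, szFilename);
    return -1;
}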
// Open `filename` (an NT path) for read/write/append and return the
// ZwCreateFile status; on success *file receives a kernel handle opened for
// synchronous, non-alertable I/O. The file must already exist (FILE_OPEN)
// and is opened with no sharing.
//
// NOTE(review): GENERIC_ALL is requested on top of the specific rights, which
// is broader than a read/write/append user needs; preserved as-is.
NTSTATUS CETC_OpenFile(PHANDLE file, PCWSTR filename)
{
    const ULONG wantedAccess = SYNCHRONIZE | FILE_READ_DATA | FILE_WRITE_DATA | FILE_APPEND_DATA | GENERIC_ALL;
    UNICODE_STRING name;
    OBJECT_ATTRIBUTES attrs;
    IO_STATUS_BLOCK result;

    RtlInitUnicodeString(&name, filename);
    InitializeObjectAttributes(&attrs, &name, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

    return ZwCreateFile(file,
                        wantedAccess,
                        &attrs,
                        &result,
                        0,                      /* no allocation size */
                        FILE_ATTRIBUTE_NORMAL,
                        0,                      /* exclusive: no share access */
                        FILE_OPEN,
                        FILE_SYNCHRONOUS_IO_NONALERT,
                        NULL,
                        0);
}
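/* Open (or create: FILE_OPEN_IF) the file named by the ANSI path `filename`
   for unbuffered, random-access, synchronous read/write and return its
   handle, or NULL if the name conversion or the open failed.

   The converted Unicode name is freed on every path after the conversion
   succeeded; the original leaked it when ZwCreateFile failed. */
FILE_HANDLE sysOpenFile(IN const char* filename)
{
    HANDLE handle = NULL;
    OBJECT_ATTRIBUTES objAttr;
    IO_STATUS_BLOCK ioStatus;
    ANSI_STRING afilename;
    UNICODE_STRING ufilename;
    NTSTATUS status;

    RtlInitAnsiString(&afilename, filename);
    status = RtlAnsiStringToUnicodeString(&ufilename, &afilename, TRUE);
    if (status != STATUS_SUCCESS) {
        /* Nothing was allocated, nothing to free. */
        return NULL;
    }

    InitializeObjectAttributes(&objAttr, &ufilename, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
    status = ZwCreateFile(&handle,
                          GENERIC_READ | GENERIC_WRITE,
                          &objAttr,
                          &ioStatus,
                          NULL,
                          FILE_ATTRIBUTE_NORMAL,
                          FILE_SHARE_READ,
                          FILE_OPEN_IF,
                          FILE_NON_DIRECTORY_FILE | FILE_RANDOM_ACCESS |
                          FILE_NO_INTERMEDIATE_BUFFERING | FILE_SYNCHRONOUS_IO_NONALERT,
                          NULL,
                          0);

    /* The name is no longer needed whether or not the open succeeded. */
    RtlFreeUnicodeString(&ufilename);

    if (status != STATUS_SUCCESS) {
        return NULL;
    }
    return handle;
}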
// Temporarily replace the IRP_MJ_CREATE (0), IRP_MJ_CLOSE (0x2) and
// IRP_MJ_CLEANUP (0x12) dispatch entries of the driver that owns
// device_object, touch a probe file (g_tmpFile) so the replacements run, and
// restore the originals. The numeric ZwCreateFile arguments decode to
// FILE_APPEND_DATA (4), FILE_ATTRIBUTE_NORMAL (0x80), FILE_SHARE_WRITE (2),
// FILE_OPEN_IF (3) and FILE_SYNCHRONOUS_IO_NONALERT (0x20).
//
// Detection note: the writes to DriverObject->MajorFunction[] below are the
// observable event; dispatch-table integrity checks flag exactly this
// pattern. The entries are swapped with no synchronisation against IRPs
// already in flight on other processors.
//
// NOTE(review): `create`, `cleanup` and `close` are file-scope variables
// not declared here; fileBasicInfo is declared but never used.
void hook_it(DEVICE_OBJECT *device_object)
{
    NTSTATUS result;
    OBJECT_ATTRIBUTES fileObj;
    UNICODE_STRING uTmpFile;
    HANDLE fileHandle;
    IO_STATUS_BLOCK ioStatus;
    FILE_BASIC_INFORMATION fileBasicInfo;

    //initialize variables related with fake file
    RtlInitUnicodeString(&uTmpFile,g_tmpFile);
    InitializeObjectAttributes(&fileObj, &uTmpFile, OBJ_CASE_INSENSITIVE, NULL, NULL);

    //save original MJ functions
    create = device_object->DriverObject->MajorFunction[0];
    cleanup = device_object->DriverObject->MajorFunction[0x12];
    close = device_object->DriverObject->MajorFunction[0x2];

    // Make sure the probe file exists before the table is touched; bail out
    // (leaving the table untouched) if it cannot be created.
    result = ZwCreateFile(&fileHandle, 4, &fileObj, &ioStatus, 0, 0x80, 2, 3, 0x20, 0, 0);
    if(result != STATUS_SUCCESS)
        return;
    ZwClose(fileHandle);

    //install hooks
    device_object->DriverObject->MajorFunction[0] = HookedNtfsFsdCreate;
    device_object->DriverObject->MajorFunction[0x12] = HookedNtfsFsdCleanUp;
    device_object->DriverObject->MajorFunction[0x2] = HookedNtfsFsdClose;

    // Deleting the probe file drives create/cleanup/close through the
    // replaced entries.
    ZwDeleteFile(&fileObj);//launch our hooks

    //restore original MJ functions
    device_object->DriverObject->MajorFunction[0] = create;
    device_object->DriverObject->MajorFunction[0x12] = cleanup;
    device_object->DriverObject->MajorFunction[0x2] = close;
}
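/* Create (or truncate: FILE_OVERWRITE_IF) `filename` for writing and return
   a new SshFileIoHandle with a write cache attached, or NULL on failure.
   `allow_read` adds FILE_SHARE_READ so other openers can read the file while
   it is being written.

   The converted Unicode name is released on every path after the
   conversion succeeded; the original leaked it when ssh_calloc() failed. */
SshFileIoHandle ssh_file_create(unsigned char *filename, Boolean allow_read)
{
    SshFileIoContext io_ctx;
    OBJECT_ATTRIBUTES obj_attr;
    UNICODE_STRING uc_name;
    ANSI_STRING ansi_name;
    IO_STATUS_BLOCK iosb;
    NTSTATUS status;
    ULONG share_access = 0;

    if (allow_read)
        share_access |= FILE_SHARE_READ;

    RtlInitAnsiString(&ansi_name, filename);
    if (!NT_SUCCESS(RtlAnsiStringToUnicodeString(&uc_name, &ansi_name, TRUE)))
        return NULL;

    io_ctx = ssh_calloc(1, sizeof(*io_ctx));
    if (io_ctx == NULL)
    {
        RtlFreeUnicodeString(&uc_name);
        return NULL;
    }

    InitializeObjectAttributes(&obj_attr, &uc_name,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL, NULL);
    status = ZwCreateFile(&io_ctx->handle, GENERIC_WRITE, &obj_attr, &iosb,
                          NULL, FILE_ATTRIBUTE_NORMAL, share_access,
                          FILE_OVERWRITE_IF, FILE_SYNCHRONOUS_IO_NONALERT,
                          NULL, 0);
    RtlFreeUnicodeString(&uc_name);

    if (!NT_SUCCESS(status))
    {
        ssh_free(io_ctx);
        return NULL;
    }

    /* Attach the write cache. If this allocation fails the context is still
       returned with wr_cache == NULL and wr_cache_size == 0, as before;
       presumably the write path copes with an absent cache — confirm. */
    io_ctx->wr_cache = ssh_calloc(1, SSH_FILE_WR_CACHE_SIZE);
    if (io_ctx->wr_cache)
    {
        io_ctx->wr_cache_size = SSH_FILE_WR_CACHE_SIZE;
        io_ctx->wr_cache_left = io_ctx->wr_cache_size;
        io_ctx->wr_cache_ptr = io_ctx->wr_cache;
    }

    return io_ctx;
}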
/*
 * Open DeviceName with DesiredAccess and return its file object together
 * with the device object the file object maps to.
 *
 * The handle is closed before returning; the file-object reference is
 * handed to the caller, who must ObDereferenceObject() it. On failure the
 * out parameters are left untouched and the failing status is returned.
 * Must run at PASSIVE_LEVEL (PAGED_CODE).
 */
NTSTATUS
NTAPI
CompBattGetDeviceObjectPointer(IN PUNICODE_STRING DeviceName,
                               IN ACCESS_MASK DesiredAccess,
                               OUT PFILE_OBJECT *FileObject,
                               OUT PDEVICE_OBJECT *DeviceObject)
{
    OBJECT_ATTRIBUTES Attributes;
    IO_STATUS_BLOCK Iosb;
    HANDLE Handle;
    PFILE_OBJECT Fo;
    NTSTATUS Status;

    PAGED_CODE();

    /* Open a file object handle to the device */
    InitializeObjectAttributes(&Attributes, DeviceName, 0, NULL, NULL);
    Status = ZwCreateFile(&Handle,
                          DesiredAccess,
                          &Attributes,
                          &Iosb,
                          NULL,
                          0,
                          FILE_SHARE_READ | FILE_SHARE_WRITE,
                          FILE_OPEN,
                          0,
                          NULL,
                          0);
    if (!NT_SUCCESS(Status))
    {
        /* Nothing to clean up */
        return Status;
    }

    /* Reference the file object */
    Status = ObReferenceObjectByHandle(Handle,
                                       0,
                                       IoFileObjectType,
                                       KernelMode,
                                       (PVOID)&Fo,
                                       NULL);
    if (NT_SUCCESS(Status))
    {
        /* Return the FO and the associated DO */
        *FileObject = Fo;
        *DeviceObject = IoGetRelatedDeviceObject(Fo);
    }

    /* Close the handle; the reference taken above (if any) keeps the FO alive */
    ZwClose(Handle);
    return Status;
}
/* Open a TDI address object on the TCP (SOCK_STREAM) or UDP (SOCK_DGRAM)
   transport device bound to Address:Port, and reference it.

   The transport address is passed to ZwCreateFile as a single
   FILE_FULL_EA_INFORMATION entry named TdiTransportAddress whose value is a
   TA_IP_ADDRESS. On success *Handle holds the open handle and *AddressObject
   the referenced file object (caller dereferences both). Any other Type
   yields STATUS_INVALID_PARAMETER. */
NTSTATUS TdiCreateAddress(PHANDLE Handle, PFILE_OBJECT *AddressObject, ULONG Type, ULONG Address, USHORT Port)
{
    CHAR EaBuffer[sizeof (FILE_FULL_EA_INFORMATION) + TDI_TRANSPORT_ADDRESS_LENGTH + sizeof(TA_IP_ADDRESS)];
    PFILE_FULL_EA_INFORMATION EaInfo = (PFILE_FULL_EA_INFORMATION)EaBuffer;
    PTA_IP_ADDRESS TaAddress;
    OBJECT_ATTRIBUTES Attributes;
    IO_STATUS_BLOCK Iosb;
    PUNICODE_STRING DeviceName;
    NTSTATUS Status;

    if (Type == SOCK_STREAM)
        DeviceName = &g_TcpDeviceName;
    else if (Type == SOCK_DGRAM)
        DeviceName = &g_UdpDeviceName;
    else
        return STATUS_INVALID_PARAMETER;

    InitializeObjectAttributes(&Attributes, DeviceName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, 0, 0);

    /* Single EA: name (including its NUL) followed directly by the value. */
    EaInfo->NextEntryOffset = 0;
    EaInfo->Flags = 0;
    EaInfo->EaNameLength = TDI_TRANSPORT_ADDRESS_LENGTH;
    EaInfo->EaValueLength = sizeof (TA_IP_ADDRESS);
    RtlCopyMemory(EaInfo->EaName, TdiTransportAddress, EaInfo->EaNameLength + 1);

    TaAddress = (PTA_IP_ADDRESS)(EaInfo->EaName + EaInfo->EaNameLength + 1);
    TaAddress->TAAddressCount = 1;
    TaAddress->Address[0].AddressLength = TDI_ADDRESS_LENGTH_IP;
    TaAddress->Address[0].AddressType = TDI_ADDRESS_TYPE_IP;
    TaAddress->Address[0].Address[0].sin_port = Port;
    TaAddress->Address[0].Address[0].in_addr = Address;
    RtlZeroMemory(TaAddress->Address[0].Address[0].sin_zero,
                  sizeof TaAddress->Address[0].Address[0].sin_zero);

    Status = ZwCreateFile(Handle, 0, &Attributes, &Iosb, 0, FILE_ATTRIBUTE_NORMAL, 0,
                          FILE_OPEN, 0, EaInfo, sizeof(EaBuffer));
    if (!NT_SUCCESS(Status))
        return Status;

    return ObReferenceObjectByHandle(*Handle, GENERIC_READ | GENERIC_WRITE, 0,
                                     KernelMode, (PVOID *)AddressObject, 0);
}
// Block access to the file at puszFileFullPath by opening it (FILE_OPEN_IF,
// so a missing file is created) with share mode 0 and FILE_DELETE_ON_CLOSE,
// marking it SYSTEM|HIDDEN through FileBasicInformation, and queuing a copy
// of the path with BDKitAddDeleteFileList().
//
// The handle is deliberately NOT closed here (see the commented-out
// BDKitCloseHandle): while it stays open no other opener can access the file
// (share mode 0), and the delete-on-close flag removes the file once the
// handle is eventually closed. Returns the status of the last Zw call made.
//
// NOTE(review): the ZwQueryInformationFile status is overwritten without
// being checked, so a failed query still leads to ZwSetInformationFile with a
// partially filled FILE_BASIC_INFORMATION.
// NOTE(review): BDKitAllocateNonpagePool's result is not checked before
// RtlCopyMemory, and only Length bytes are copied into a Length+sizeof(WCHAR)
// buffer — the terminator is present only if the allocator zero-fills.
NTSTATUS AddDenyFileAccessByCreateFile(__in PUNICODE_STRING puszFileFullPath)
{
    NTSTATUS nsStatus = STATUS_UNSUCCESSFUL;
    IO_STATUS_BLOCK IoStatus = {0x00};
    HANDLE hKeFile = NULL;
    OBJECT_ATTRIBUTES oa = {0x00};
    FILE_BASIC_INFORMATION FileAttributes = {0x00};

    do
    {
        InitializeObjectAttributes( &oa, puszFileFullPath, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL );
        nsStatus = ZwCreateFile( &hKeFile, GENERIC_READ, &oa, &IoStatus, NULL, FILE_ATTRIBUTE_SYSTEM,
                                 0,                         // no sharing: the open handle itself denies access
                                 FILE_OPEN_IF,
                                 FILE_SYNCHRONOUS_IO_NONALERT | FILE_DELETE_ON_CLOSE,
                                 NULL, 0);
        BDKit_If_Not_Break(NT_SUCCESS(nsStatus) && hKeFile != NULL);

        nsStatus = ZwQueryInformationFile (hKeFile, &IoStatus, &FileAttributes, sizeof(FileAttributes), FileBasicInformation);
        FileAttributes.FileAttributes = FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN;
        nsStatus = ZwSetInformationFile (hKeFile, &IoStatus, &FileAttributes, sizeof(FileAttributes), FileBasicInformation);
    } while (FALSE);
    //BDKitCloseHandle(hKeFile);

    // Remember the path for later deletion handling.
    if ( puszFileFullPath->Buffer != NULL )
    {
        PWSTR pszFilePath = NULL;
        BDKitAllocateNonpagePool(pszFilePath, puszFileFullPath->Length + sizeof(WCHAR));
        RtlCopyMemory(pszFilePath, puszFileFullPath->Buffer, puszFileFullPath->Length);
        BDKitAddDeleteFileList (pszFilePath);
    }

    return nsStatus;
}
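/**
 * Clear the log contents.
 *
 * Supersedes the file named by the global g_logFileName with an empty file
 * (FILE_SUPERSEDE) and closes the handle immediately.
 *
 * Returns true when the file was superseded, false when ZwCreateFile failed.
 * The original ignored the status, passed a NULL handle to ZwClose on failure
 * and reported success regardless.
 */
bool deleteLogFileA()
{
    HANDLE logFile = NULL;
    OBJECT_ATTRIBUTES objectAttributes;
    IO_STATUS_BLOCK ioStatus;

    InitializeObjectAttributes(&objectAttributes, &g_logFileName, OBJ_CASE_INSENSITIVE, NULL, NULL);
    NTSTATUS status = ZwCreateFile(&logFile,
                                   FILE_READ_ATTRIBUTES | FILE_APPEND_DATA | SYNCHRONIZE,
                                   &objectAttributes,
                                   &ioStatus,
                                   NULL,
                                   FILE_ATTRIBUTE_NORMAL,
                                   FILE_SHARE_READ | FILE_SHARE_WRITE,
                                   FILE_SUPERSEDE,
                                   FILE_SYNCHRONOUS_IO_NONALERT,
                                   NULL,
                                   0);
    if (!NT_SUCCESS(status)) {
        // No handle was returned; nothing to close.
        return false;
    }

    ZwClose(logFile);
    return true;
}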
/* Begin logging to the file named by pszFileName: open (or create) it for
   append into the global LogFile and return the ZwCreateFile status. Readers
   and deleters may share the file while it is held; other writers may not. */
NTSTATUS Log_StartFileLogging(LPCWSTR pszFileName)
{
    UNICODE_STRING logName;
    OBJECT_ATTRIBUTES logAttrs;
    IO_STATUS_BLOCK iosb = { 0 };

    RtlInitUnicodeString(&logName, pszFileName);
    InitializeObjectAttributes(&logAttrs, &logName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

    return ZwCreateFile(&LogFile,
                        FILE_APPEND_DATA | SYNCHRONIZE,
                        &logAttrs,
                        &iosb,
                        NULL,
                        FILE_ATTRIBUTE_NORMAL,
                        FILE_SHARE_READ | FILE_SHARE_DELETE,
                        FILE_OPEN_IF,
                        FILE_SYNCHRONOUS_IO_NONALERT | FILE_SEQUENTIAL_ONLY,
                        NULL,
                        0);
}
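/*
 * This helper runs a program from the driver service.
 * Connection is established with named pipe.
 *
 * Opens \??\pipe\drvtest under `mutex`, sends an MCODE_SPAWN request naming
 * pwcProg, reads back the PID of the spawned process and records it in
 * g_proc_table[i].sl_pid. If the pipe cannot be opened the request is
 * abandoned after logging (the original went on to use the uninitialized
 * handle). Write/read failures are only logged.
 */
void run_process(DWORD i, WCHAR *pwcProg)
{
    DbgPrint("Runing %ls...\r\n", pwcProg);
    while (!NT_SUCCESS(KeWaitForMutexObject(&mutex, Executive, KernelMode, FALSE, NULL)));

    /* KeDelayExecutionThread treats a negative interval as relative; the
       original positive value was an absolute time in the past, i.e. no
       delay at all. 300000 * 100 ns = 30 ms. */
    LARGE_INTEGER delay = RtlConvertLongToLargeInteger(-300000l);
    NTSTATUS status;
    HANDLE pipe = NULL;
    OBJECT_ATTRIBUTES fattrs;
    UNICODE_STRING pipe_name;
    IO_STATUS_BLOCK io_stat_block;

    RtlInitUnicodeString(&pipe_name, L"\\??\\pipe\\drvtest");
    InitializeObjectAttributes(&fattrs, &pipe_name, OBJ_CASE_INSENSITIVE | 0x0200/*OBJ_KERNEL_HANDLE*/, 0, NULL);
    status = ZwCreateFile(&pipe, FILE_WRITE_DATA | FILE_READ_DATA | SYNCHRONIZE, &fattrs, &io_stat_block,
                          NULL, 0, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN, FILE_NON_DIRECTORY_FILE, NULL, 0);
    if (!NT_SUCCESS(status)) {
        DbgPrint("Alert! 0x%0.8x, 0x%0.8x\r\n", status, io_stat_block.Status);
        /* No pipe, nothing to talk to. */
        KeReleaseMutex(&mutex, FALSE);
        return;
    }

    example_ioctl_data out_data = { .code = MCODE_SPAWN };
    /* NOTE(review): unbounded copy; the capacity of rprog is not visible in
       this file — bound it once the struct definition is confirmed. */
    wcscpy(out_data.rprog, pwcProg);
    status = ZwWriteFile(pipe, NULL, NULL, NULL, &io_stat_block, &out_data, sizeof(out_data), NULL, NULL);
    if (!NT_SUCCESS(status)) DbgPrint("Alert! 0x%0.8x\r\n", status);

    DWORD pid = 0;
    do {
        status = ZwReadFile(pipe, NULL, NULL, NULL, &io_stat_block, &pid, sizeof(DWORD), NULL, NULL);
        if (!NT_SUCCESS(status)) KeDelayExecutionThread(KernelMode, FALSE, &delay);
    } while (STATUS_PENDING == status);
    /* NOTE(review): STATUS_PENDING is a success code, so a pending read is
       re-issued immediately rather than waited for; the handle was not opened
       with FILE_SYNCHRONOUS_IO_*, so pending completions are possible. */
    if (!NT_SUCCESS(status)) DbgPrint("Alert! 0x%0.8x\r\n", status);
    DbgPrint("PID: %d\r\n", pid);
    g_proc_table[i].sl_pid = pid;

    ZwClose(pipe);
    KeReleaseMutex(&mutex, FALSE);
}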
// Send a device I/O control to the device named by uDeviceName and wait for
// it to complete.
//
// The device is opened with ZwCreateFile, the file object referenced, the
// related device object looked up, and an IRP built with
// IoBuildDeviceIoControlRequest (InternalDeviceIoControl = FALSE) and sent via
// IoCallDriver. STATUS_PENDING is waited out on a local notification event and
// the final status taken from the IOSB.
//
// Returns the status of whichever step failed, STATUS_UNSUCCESSFUL when no
// device object or IRP could be obtained, or the IOCTL result. The file-object
// reference and the handle are released on every path after they were taken.
NTSTATUS SendDIOC(PUNICODE_STRING uDeviceName, ULONG IoControlCode, PVOID InputBuffer, ULONG InputBufferLength, PVOID OutputBuffer, ULONG OutputBufferLength)
{
    HANDLE hPidDrv;
    OBJECT_ATTRIBUTES ObjAttr;
    IO_STATUS_BLOCK ioStatus;
    PDEVICE_OBJECT DevObj;
    PFILE_OBJECT fileObject;
    NTSTATUS ntStatus;
    KEVENT Event;
    PIRP Irp;

    InitializeObjectAttributes(&ObjAttr,uDeviceName,OBJ_CASE_INSENSITIVE,NULL,NULL);
    // FILE_ANY_ACCESS is 0: only SYNCHRONIZE is actually requested.
    ntStatus=ZwCreateFile(&hPidDrv,SYNCHRONIZE|FILE_ANY_ACCESS,&ObjAttr,&ioStatus,NULL,0,FILE_SHARE_READ|FILE_SHARE_WRITE,FILE_OPEN,FILE_SYNCHRONOUS_IO_NONALERT,NULL,0);
    if(NT_SUCCESS(ntStatus))
    {
        ntStatus=ObReferenceObjectByHandle(hPidDrv,FILE_READ_DATA,NULL,KernelMode,(PVOID*)&fileObject,NULL);
        if(NT_SUCCESS(ntStatus))
        {
            if((DevObj=IoGetRelatedDeviceObject(fileObject))!=NULL)
            {
                // Completion is reported through Event; ioStatus is reused for the IRP.
                KeInitializeEvent(&Event,NotificationEvent,FALSE);
                Irp=IoBuildDeviceIoControlRequest(IoControlCode,DevObj,InputBuffer,InputBufferLength,OutputBuffer,OutputBufferLength,FALSE,&Event,&ioStatus);
                if(Irp!=NULL)
                {
                    ntStatus=IoCallDriver(DevObj,Irp);
                    if(ntStatus==STATUS_PENDING)
                    {
                        // Block until the lower driver completes the IRP, then
                        // take the real result from the IOSB.
                        KeWaitForSingleObject(&Event,Executive,KernelMode,FALSE,(PLARGE_INTEGER)NULL);
                        ntStatus = ioStatus.Status;
                    }
                }
                else
                {
                    // IoBuildDeviceIoControlRequest failed
                    ntStatus=STATUS_UNSUCCESSFUL;
                }
            }
            else
            {
                // IoGetRelatedDeviceObject failed
                ntStatus=STATUS_UNSUCCESSFUL;
            }
            ObDereferenceObject(fileObject);
        }
        // else: ObReferenceObjectByHandle failed; ntStatus already holds the reason
        ZwClose(hPidDrv);
    }
    // else: ZwCreateFile failed; ntStatus already holds the reason
    return ntStatus;
}
/* Open the device named by DevNameStr for writing (FILE_OPEN, shared
   read/write) and store the handle in *Handle. The IOSB status is folded
   into the result; on failure *Handle is set to (HANDLE)-1 so the caller
   can also recognise failure in-band. PASSIVE_LEVEL only. */
NTSTATUS FsRtlpOpenDev(IN OUT PHANDLE Handle, IN LPWSTR DevNameStr)
{
    UNICODE_STRING devName;
    OBJECT_ATTRIBUTES attrs;
    IO_STATUS_BLOCK iosb;
    NTSTATUS rc;

    PAGED_CODE();

    RtlInitUnicodeString( &devName, DevNameStr );
    InitializeObjectAttributes( &attrs, &devName, 0, 0, NULL );

    rc = ZwCreateFile( Handle,
                       GENERIC_WRITE,
                       &attrs,
                       &iosb,
                       NULL,
                       FILE_ATTRIBUTE_NORMAL,
                       FILE_SHARE_READ | FILE_SHARE_WRITE,
                       FILE_OPEN,
                       0,
                       NULL,
                       0 );

    /* A successful call still reports the final status through the IOSB. */
    if ( NT_SUCCESS( rc ) )
        rc = iosb.Status;

    if ( !NT_SUCCESS( rc ) )
        *Handle = (HANDLE)-1;

    return rc;
}
/* Open the device named by DeviceName for synchronous read/write (FILE_OPEN,
   no sharing) and return both the handle and a referenced file object.
   On success the caller owns the handle (*HandleOut) and the reference
   (*FileObjectOut); on failure both are released here and the out
   parameters are left untouched. */
NTSTATUS OpenDevice(IN PUNICODE_STRING DeviceName, IN PHANDLE HandleOut, IN PFILE_OBJECT * FileObjectOut)
{
    OBJECT_ATTRIBUTES attrs;
    IO_STATUS_BLOCK iosb;
    HANDLE handle;
    PFILE_OBJECT fileObj;
    NTSTATUS status;

    InitializeObjectAttributes(&attrs, DeviceName, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);
    status = ZwCreateFile(&handle,
                          GENERIC_READ | GENERIC_WRITE | SYNCHRONIZE,
                          &attrs,
                          &iosb,
                          NULL,
                          0,
                          0,
                          FILE_OPEN,
                          FILE_SYNCHRONOUS_IO_NONALERT,
                          NULL,
                          0);
    if (NT_SUCCESS(status))
    {
        status = ObReferenceObjectByHandle(handle,
                                           GENERIC_READ | GENERIC_WRITE,
                                           IoFileObjectType,
                                           KernelMode,
                                           (PVOID*)&fileObj,
                                           NULL);
        if (NT_SUCCESS(status))
        {
            *HandleOut = handle;
            *FileObjectOut = fileObj;
            return status;
        }

        /* The handle is useless without the file object */
        ZwClose(handle);
        DPRINT("ObReferenceObjectByHandle failed with %x\n", status);
        return status;
    }

    DPRINT("ZwCreateFile failed with %x %S\n", status, DeviceName->Buffer);
    return status;
}
/// <summary> /// Check if file exists /// </summary> /// <param name="path">Fully qualifid path to a file</param> /// <returns>Status code</returns> NTSTATUS BBFileExists( IN PUNICODE_STRING path ) { HANDLE hFile = NULL; IO_STATUS_BLOCK statusBlock = { 0 }; OBJECT_ATTRIBUTES obAttr = { 0 }; InitializeObjectAttributes( &obAttr, path, OBJ_KERNEL_HANDLE, NULL, NULL ); NTSTATUS status = ZwCreateFile( &hFile, FILE_READ_DATA | SYNCHRONIZE, &obAttr, &statusBlock, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0 ); if (NT_SUCCESS( status )) ZwClose( hFile ); return status; }
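// Locate the shim device (FindShimDevice), open it into the global
// g_shimFileHandle, reference its file object and register with the
// balancer through IOCTL_STORAGE_REGISTER_BALANCER; *pResult receives the
// IOCTL output. On success the handle stays open for later use.
//
// On failure every resource acquired by this call is released — including
// g_shimFileHandle, which the original left open (and non-NULL) when
// ObReferenceObjectByHandle or the IOCTL failed after the open succeeded.
static NTSTATUS EVhdDriverLoad(ULONG32 *pResult)
{
    UNICODE_STRING szShimName = { 0 }, szRootPath = { 0 };
    NTSTATUS status = STATUS_SUCCESS;
    OBJECT_ATTRIBUTES ObjectAttributes = { 0 };
    IO_STATUS_BLOCK StatusBlock = { 0 };
    PFILE_OBJECT pFileObject = NULL;
    ULONG32 dwRequest = 0xC0;
    BOOLEAN shimOpened = FALSE;   // g_shimFileHandle was set by this call

    RtlInitUnicodeString(&szRootPath, L"");
    status = FindShimDevice(&szShimName, &szRootPath);
    if (!NT_SUCCESS(status))
    {
        LOG_FUNCTION(LL_FATAL, LOG_CTG_GENERAL, "FindShimDevice failed with error 0x%08X", status);
        goto cleanup_failure;
    }

    ObjectAttributes.Length = sizeof(OBJECT_ATTRIBUTES);
    ObjectAttributes.ObjectName = &szShimName;
    ObjectAttributes.Attributes = OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE;
    // NOTE(review): the FileAttributes argument is FILE_READ_ATTRIBUTES, an
    // access right whose value (0x80) happens to equal FILE_ATTRIBUTE_NORMAL.
    // Kept as-is: it has no effect on a FILE_OPEN of an existing device.
    status = ZwCreateFile(&g_shimFileHandle,
                          GENERIC_READ | SYNCHRONIZE,
                          &ObjectAttributes,
                          &StatusBlock,
                          0,
                          FILE_READ_ATTRIBUTES,
                          FILE_SHARE_READ | FILE_SHARE_WRITE,
                          FILE_OPEN,
                          FILE_NON_DIRECTORY_FILE,
                          NULL,
                          0);
    if (!NT_SUCCESS(status))
    {
        LOG_FUNCTION(LL_FATAL, LO<br>G_CTG_GENERAL, "ZwCreateFile %S failed with error 0x%08x\n", szShimName.Buffer, status);
        goto cleanup_failure;
    }
    shimOpened = TRUE;

    status = ObReferenceObjectByHandle(g_shimFileHandle, 0, *IoFileObjectType, KernelMode, (PVOID*)&pFileObject, NULL);
    if (!NT_SUCCESS(status))
    {
        LOG_FUNCTION(LL_FATAL, LOG_CTG_GENERAL, "ObReferenceObjectByHandle failed with error 0x%08X\n", status);
        goto cleanup_failure;
    }

    status = SynchronouseCall(pFileObject, IOCTL_STORAGE_REGISTER_BALANCER, &dwRequest, sizeof(ULONG32), pResult, sizeof(ULONG32));

cleanup_failure:
    if (pFileObject)
        ObDereferenceObject(pFileObject);
    // The handle is a global kept open for later use; release it only when
    // this load attempt failed after opening it.
    if (!NT_SUCCESS(status) && shimOpened)
    {
        ZwClose(g_shimFileHandle);
        g_shimFileHandle = NULL;
    }
    if (szShimName.Buffer)
        ExFreePool(szShimName.Buffer);
    return status;
}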
// Initializes a log file and startes a log buffer thread. _Use_decl_annotations_ static NTSTATUS LogpInitializeLogFile( LogBufferInfo *info) { PAGED_CODE(); if (info->log_file_handle) { return STATUS_SUCCESS; } // Initialize a log file UNICODE_STRING log_file_path_u = {}; RtlInitUnicodeString(&log_file_path_u, info->log_file_path); OBJECT_ATTRIBUTES oa = {}; InitializeObjectAttributes(&oa, &log_file_path_u, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, nullptr, nullptr); IO_STATUS_BLOCK io_status = {}; auto status = ZwCreateFile( &info->log_file_handle, FILE_APPEND_DATA | SYNCHRONIZE, &oa, &io_status, nullptr, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ, FILE_OPEN_IF, FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE, nullptr, 0); if (!NT_SUCCESS(status)) { return status; } // Initialize a log buffer flush thread. info->buffer_flush_thread_should_be_alive = true; status = PsCreateSystemThread(&info->buffer_flush_thread_handle, GENERIC_ALL, nullptr, nullptr, nullptr, LogpBufferFlushThreadRoutine, info); if (!NT_SUCCESS(status)) { ZwClose(info->log_file_handle); info->log_file_handle = nullptr; info->buffer_flush_thread_should_be_alive = false; return status; } // Wait until the thead has started while (!info->buffer_flush_thread_started) { LogpSleep(100); } return status; }
/* Finish learning mode: build the policy path
   \??\<OzoneInstallPath>\policy\<ProcessToMonitor>.policy, supersede any
   existing file there (globals hFile / offset), flush the learned policy
   into it, free NewPolicy and close the file. Returns FALSE only when the
   policy file could not be opened. */
BOOLEAN ShutdownLearningMode()
{
    WCHAR policyPath[MAX_PATH];
    UNICODE_STRING policyName;
    OBJECT_ATTRIBUTES attrs;
    IO_STATUS_BLOCK iosb;
    NTSTATUS status;

    /* now open a file where the new policy will be written, possibly clobbering the old policy */
    //XXX should really copy an existing policy to a .bak file
    _snwprintf(policyPath, MAX_PATH, L"\\??\\%s\\policy\\%s.policy", OzoneInstallPath, ProcessToMonitor);
    policyPath[MAX_PATH - 1] = 0;   /* _snwprintf need not terminate on truncation */
    LOG(LOG_SS_LEARN, LOG_PRIORITY_DEBUG, ("ShutdownLearningMode: Writing policy to %S\n", policyPath));

    RtlInitUnicodeString(&policyName, policyPath);
    InitializeObjectAttributes(&attrs, &policyName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

    status = ZwCreateFile(&hFile, GENERIC_WRITE, &attrs, &iosb, NULL, 0, 0,
                          FILE_SUPERSEDE, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
    if (!NT_SUCCESS(status)) {
        LOG(LOG_SS_LEARN, LOG_PRIORITY_DEBUG, ("ShutdownLearningMode: Failed to open file %S\n", policyName.Buffer));
        return FALSE;
    }

    offset = 0;          /* FlushPolicy() writes from the start of the new file */
    FlushPolicy();
    PolicyDelete(&NewPolicy);

    ZwClose(hFile);
    hFile = 0;
    return TRUE;
}
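// Driver entry point for the demo: creates \??\c:\asm\demo.asm, writes the
// path string itself into it, closes it and registers DDK_Unload.
//
// Always returns STATUS_SUCCESS so the driver stays loaded even when the
// file could not be created or written. Fixes vs. the original: the path
// literal used "\asm\demo.asm" where `\d` is not a valid escape (the file
// landed at c:\asmdemo.asm), the write and close ran on a NULL handle when
// the create failed, and GENERIC_ALL was requested where GENERIC_WRITE
// (which includes SYNCHRONIZE) is all the write needs.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriveObject, IN PUNICODE_STRING RegisterPath)
{
    OBJECT_ATTRIBUTES obj_attrib;      // object descriptor for the path
    NTSTATUS status;
    IO_STATUS_BLOCK Io_Status_Block;
    HANDLE hFile = NULL;
    UNICODE_STRING usStr;

    // Register the unload routine first so a failed file write never leaves
    // the driver without one.
    pDriveObject->DriverUnload = DDK_Unload;

    __asm int 3;   // hard-coded debugger break kept from the demo; remove for any non-debug build

    RtlInitUnicodeString(&usStr, L"\\??\\c:\\asm\\demo.asm");

    // Initialize OBJECT_ATTRIBUTES with the file path to operate on.
    InitializeObjectAttributes(&obj_attrib,
                               &usStr,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL,
                               NULL);

    // Create the file (FILE_CREATE: fails if it already exists).
    status = ZwCreateFile(&hFile,               // receives the handle on success
                          GENERIC_WRITE,        // requested access
                          &obj_attrib,          // object descriptor
                          &Io_Status_Block,     // result of the operation
                          NULL,
                          FILE_ATTRIBUTE_NORMAL,
                          FILE_SHARE_READ,      // share mode
                          FILE_CREATE,          // create disposition
                          FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
                          NULL,
                          0);
    if (NT_SUCCESS(status))
    {
        // Write the path string (usStr.Length bytes of its buffer) into the file.
        status = ZwWriteFile(hFile,
                             NULL, NULL, NULL,
                             &Io_Status_Block,
                             usStr.Buffer,      // data to write
                             usStr.Length,      // byte count
                             NULL, NULL);
        // Close the file
        ZwClose(hFile);
    }

    return STATUS_SUCCESS;
}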
/* Open a TDI connection endpoint on the TCP transport device and reference
   it. The connection context is passed to ZwCreateFile as a single
   FILE_FULL_EA_INFORMATION entry named TdiConnectionContext; the EA buffer is
   zeroed so the name is NUL-terminated and the value bytes are all zero.
   On success *Handle holds the open handle and *ConnectionObject the
   referenced file object (caller releases both). */
NTSTATUS TdiCreateConnection(PHANDLE Handle, PFILE_OBJECT *ConnectionObject)
{
    CHAR EaBuffer[sizeof(FILE_FULL_EA_INFORMATION) + TDI_CONNECTION_CONTEXT_LENGTH + 300] = {0};
    PFILE_FULL_EA_INFORMATION EaInfo = (PFILE_FULL_EA_INFORMATION)EaBuffer;
    OBJECT_ATTRIBUTES Attributes;
    IO_STATUS_BLOCK Iosb;
    NTSTATUS Status;

    InitializeObjectAttributes(&Attributes, &g_TcpDeviceName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, 0, 0);

    EaInfo->NextEntryOffset = 0;
    EaInfo->Flags = 0;
    EaInfo->EaNameLength = TDI_CONNECTION_CONTEXT_LENGTH;
    EaInfo->EaValueLength = TDI_CONNECTION_CONTEXT_LENGTH;
    RtlCopyMemory(EaInfo->EaName, TdiConnectionContext, TDI_CONNECTION_CONTEXT_LENGTH);

    Status = ZwCreateFile(Handle,
                          FILE_READ_EA | FILE_WRITE_EA,
                          &Attributes,
                          &Iosb,
                          0,
                          FILE_ATTRIBUTE_NORMAL,
                          0,
                          FILE_OPEN_IF,
                          0,
                          EaInfo,
                          sizeof(EaBuffer));
    if (!NT_SUCCESS(Status))
        return Status;

    return ObReferenceObjectByHandle(*Handle,
                                     GENERIC_READ | GENERIC_WRITE,
                                     0,
                                     KernelMode,
                                     (PVOID *)ConnectionObject,
                                     0);
}
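/* Ask the user-mode helper behind \??\pipe\drvtest to terminate
   dwProcessId. Serialised on `mutex`. The pipe open is retried up to ten
   times with a 30 ms pause; if it still cannot be opened the request is
   abandoned after logging (the original went on to ZwWriteFile/ZwClose with
   an uninitialized handle). A failed write is only logged. */
void terminate_process(DWORD dwProcessId)
{
    if (!dwProcessId)
        return;

    DbgPrint("Killing %d...\r\n", dwProcessId);
    while (!NT_SUCCESS(KeWaitForMutexObject(&mutex, Executive, KernelMode, FALSE, NULL)));

    /* KeDelayExecutionThread treats a negative interval as relative; the
       original positive value was an absolute time in the past, so the retry
       loop never actually paused. 300000 * 100 ns = 30 ms. */
    LARGE_INTEGER delay = RtlConvertLongToLargeInteger(-300000l);
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    HANDLE pipe = NULL;
    OBJECT_ATTRIBUTES fattrs;
    UNICODE_STRING pipe_name;
    IO_STATUS_BLOCK io_stat_block;

    RtlInitUnicodeString(&pipe_name, L"\\??\\pipe\\drvtest");
    InitializeObjectAttributes(&fattrs, &pipe_name, OBJ_CASE_INSENSITIVE | 0x0200/*OBJ_KERNEL_HANDLE*/, 0, NULL);

    for (int attempt = 0; attempt < 10; ++attempt) {
        status = ZwCreateFile(&pipe, FILE_WRITE_DATA | SYNCHRONIZE, &fattrs, &io_stat_block,
                              NULL, 0, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN, FILE_NON_DIRECTORY_FILE, NULL, 0);
        if (NT_SUCCESS(status))
            break;
        KeDelayExecutionThread(KernelMode, FALSE, &delay);
    }
    if (!NT_SUCCESS(status)) {
        DbgPrint("Alert! 0x%0.8x, 0x%0.8x\r\n", status, io_stat_block.Status);
        /* No pipe, nothing to talk to. */
        KeReleaseMutex(&mutex, FALSE);
        return;
    }

    example_ioctl_data out_data = { .code = MCODE_TERM, .pid = dwProcessId };
    status = ZwWriteFile(pipe, NULL, NULL, NULL, &io_stat_block, &out_data, sizeof(out_data), NULL, NULL);
    if (!NT_SUCCESS(status))
        DbgPrint("Alert! 0x%0.8x\r\n", status);

    ZwClose(pipe);
    KeReleaseMutex(&mutex, FALSE);
}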
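// IRP_MJ_READ handler for driver B: opens driver A's device
// (\Device\MyDDKDeviceA) synchronously — SYNCHRONIZE plus
// FILE_SYNCHRONOUS_IO_NONALERT — issues a zero-length read that blocks until
// driver A completes it, and completes this IRP with the open status.
// ZwReadFile's own status is not propagated (as in the original).
//
// The handle is closed only when the open succeeded; the original passed an
// uninitialized handle to ZwClose on the failure path.
NTSTATUS HelloDDKRead(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp)
{
    KdPrint(("DriverB:Enter B HelloDDKRead\n"));
    NTSTATUS ntStatus = STATUS_SUCCESS;
    UNICODE_STRING DeviceName;
    RtlInitUnicodeString( &DeviceName, L"\\Device\\MyDDKDeviceA" );

    // Initialize objectAttributes
    OBJECT_ATTRIBUTES objectAttributes;
    InitializeObjectAttributes(&objectAttributes, &DeviceName, OBJ_CASE_INSENSITIVE, NULL, NULL );

    HANDLE hDevice = NULL;
    IO_STATUS_BLOCK status_block;
    // Open the device synchronously: FILE_SYNCHRONOUS_IO_NONALERT (or
    // FILE_SYNCHRONOUS_IO_ALERT) together with SYNCHRONIZE makes every I/O
    // on the handle block until it completes.
    ntStatus = ZwCreateFile(&hDevice,
                            FILE_READ_ATTRIBUTES|SYNCHRONIZE,
                            &objectAttributes,
                            &status_block,
                            NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ,
                            FILE_OPEN_IF, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
    if (NT_SUCCESS(ntStatus))
    {
        // Zero-length read: returns once driver A has completed its read IRP.
        ZwReadFile(hDevice, NULL, NULL, NULL, &status_block, NULL, 0, NULL, NULL);
        ZwClose(hDevice);
    }

    // Complete the IRP
    pIrp->IoStatus.Status = ntStatus;
    pIrp->IoStatus.Information = 0;   // bytes xfered
    IoCompleteRequest( pIrp, IO_NO_INCREMENT );
    KdPrint(("DriverB:Leave B HelloDDKRead\n"));
    return ntStatus;
}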
// Creates the directory named by PathW (an NT path) if it does not already
// exist (FILE_OPEN_IF + FILE_DIRECTORY_FILE) and returns the ZwCreateFile
// status. The handle is closed immediately; PASSIVE_LEVEL only.
EXTERN_C static NTSTATUS ScvnpCreateDirectory(_In_ const wchar_t *PathW) {
  PAGED_CODE();

  UNICODE_STRING dirName = {};
  RtlInitUnicodeString(&dirName, PathW);
  OBJECT_ATTRIBUTES attributes = RTL_INIT_OBJECT_ATTRIBUTES(
      &dirName, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE);

  IO_STATUS_BLOCK iosb = {};
  HANDLE dirHandle = nullptr;
  const NTSTATUS status = ZwCreateFile(
      &dirHandle, GENERIC_WRITE, &attributes, &iosb, nullptr,
      FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN_IF,
      FILE_SYNCHRONOUS_IO_NONALERT | FILE_DIRECTORY_FILE, nullptr, 0);
  if (!NT_SUCCESS(status)) {
    return status;
  }

  // Only existence/creation matters; nothing is done with the directory.
  ZwClose(dirHandle);
  return status;
}