//date: 2020.11.18
//author:cary
//联系qq群:825823014
#include <ntifs.h>
#include <ntddk.h>
#include "He_Read.h"
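/*
 * Create the control device object and its user-visible symbolic link.
 *
 * Returns the IoCreateDevice / IoCreateSymbolicLink status. When the link
 * cannot be created the device is deleted again so nothing half-initialised
 * is left behind.
 *
 * NOTE(review): no explicit security descriptor is supplied, so who may open
 * the device is decided by the default device DACL. Given what
 * DispatchDeviceControl exposes, the intended caller set should be confirmed
 * and, if it is privileged only, enforced with IoCreateDeviceSecure and an
 * SDDL rather than left to the default.
 */
NTSTATUS CreateDevice(PDRIVER_OBJECT pDriverObject)
{
	NTSTATUS status;
	PDEVICE_OBJECT device = NULL;
	UNICODE_STRING DeviceName;
	UNICODE_STRING SymbolName;

	RtlInitUnicodeString(&DeviceName, DEVICENAME);

	/* No device extension is ever used, so its size is 0. The original passed
	 * sizeof(pDriverObject->DriverExtension), i.e. the size of a pointer. */
	status = IoCreateDevice(pDriverObject,
	                        0,
	                        &DeviceName,
	                        FILE_DEVICE_UNKNOWN,
	                        FILE_DEVICE_SECURE_OPEN,
	                        FALSE,
	                        &device);
	if (!NT_SUCCESS(status))
	{
		return status;
	}

	RtlInitUnicodeString(&SymbolName, SYMBOLNAME);
	status = IoCreateSymbolicLink(&SymbolName, &DeviceName);
	if (!NT_SUCCESS(status))
	{
		/* DbgPrint takes a narrow format string; the original L"..." literal
		 * only ever printed its first character. */
		DbgPrint("kernel创建符号链接失败\n");
		IoDeleteDevice(device);
		return status;
	}

	/* Only reported once both the device and the link exist. */
	DbgPrint("kernel驱动设备已创建\n");
	return status;
}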
/*
 * Driver unload routine: removes the symbolic link and the device object that
 * CreateDevice set up, if a device exists, then logs the unload.
 */
void DriverUnload(PDRIVER_OBJECT pDriverObject)
{
	PDEVICE_OBJECT pDevice = pDriverObject->DeviceObject;

	if (pDevice != NULL)
	{
		UNICODE_STRING usLink;

		RtlInitUnicodeString(&usLink, SYMBOLNAME);
		IoDeleteSymbolicLink(&usLink);
		IoDeleteDevice(pDevice);
	}

	DbgPrint("kernel驱动已卸载\n");
}
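/*
 * IRP_MJ_CREATE handler: every open of the device is completed with
 * STATUS_SUCCESS and no bytes transferred; no per-caller check is made here.
 *
 * The original definition omitted the return type (implicit int); it is
 * NTSTATUS, matching the DRIVER_DISPATCH signature it is assigned to.
 */
NTSTATUS
DispatchCreate(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp)
{
	UNREFERENCED_PARAMETER(pDevObj);

	pIrp->IoStatus.Status = STATUS_SUCCESS;
	pIrp->IoStatus.Information = 0;
	IoCompleteRequest(pIrp, IO_NO_INCREMENT);
	return STATUS_SUCCESS;
}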
/*
 * IRP_MJ_CLOSE handler: completes the request with STATUS_SUCCESS and no
 * transferred bytes. Nothing is tracked per handle, so there is nothing to
 * release.
 */
NTSTATUS
DispatchClose(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp)
{
	IO_STATUS_BLOCK *pIoStatus = &pIrp->IoStatus;

	(void)pDevObj;

	pIoStatus->Information = 0;
	pIoStatus->Status = STATUS_SUCCESS;

	/* The IRP must not be touched after this call. */
	IoCompleteRequest(pIrp, IO_NO_INCREMENT);
	return STATUS_SUCCESS;
}
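/*
 * Validate the request header of a buffered I/O request and copy it out.
 *
 * The system buffer must exist and hold at least one READ_WRITE_INFO; the
 * original code dereferenced it unconditionally, so a short or empty request
 * read past the buffer. A copy is returned so later code is unaffected by
 * the buffer being overwritten with result data.
 */
static NTSTATUS ReadRequestHeader(PVOID pIoBuffer, ULONG uInSize, READ_WRITE_INFO *pHeader)
{
	if (pIoBuffer == NULL || uInSize < sizeof(READ_WRITE_INFO))
	{
		return STATUS_BUFFER_TOO_SMALL;
	}
	RtlCopyMemory(pHeader, pIoBuffer, sizeof(READ_WRITE_INFO));
	return STATUS_SUCCESS;
}

/*
 * IOCTL_HELLO_Read: attach to the process named by uPid and copy uSize bytes
 * from Dst into the request buffer.
 *
 * As before, an unknown PID or an unmapped Dst yields a zeroed buffer and
 * STATUS_SUCCESS. New: uSize is checked against the output length (the
 * original copied an attacker-chosen uSize into a fixed-size system buffer),
 * a fault mid-copy zeroes the partial result instead of returning it, and the
 * process reference from PsLookupProcessByProcessId is released.
 */
static NTSTATUS HandleRead(PVOID pIoBuffer, ULONG uInSize, ULONG uOutSize, ULONG_PTR *pInformation)
{
	READ_WRITE_INFO hdr;
	PEPROCESS pEprocess = NULL;
	KAPC_STATE apcState = { 0 };
	NTSTATUS status;

	status = ReadRequestHeader(pIoBuffer, uInSize, &hdr);
	if (!NT_SUCCESS(status))
	{
		return status;
	}
	/* Refuse rather than overrun: only uOutSize bytes travel back to the caller. */
	if ((SIZE_T)hdr.uSize > (SIZE_T)uOutSize)
	{
		return STATUS_BUFFER_TOO_SMALL;
	}

	DbgPrint("kernel IOCTL_HELLO_Read start \n");
	if (!NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)hdr.uPid, &pEprocess)))
	{
		DbgPrint("kernel IOCTL_HELLO_Read pid is not ok \n");
		/* The system buffer is at least max(in, out) bytes, so this is in bounds. */
		RtlZeroMemory(pIoBuffer, uOutSize);
		*pInformation = uOutSize;
		return STATUS_SUCCESS;
	}
	DbgPrint("kernel IOCTL_HELLO_Read pid is ok \n");

	KeStackAttachProcess((PRKPROCESS)pEprocess, &apcState);
	__try
	{
		__try
		{
			/* MmIsAddressValid only tests the first page and the mapping can
			 * change underneath us; the __except below is the real guard. */
			if (MmIsAddressValid((PVOID)hdr.Dst))
			{
				DbgPrint("kernel IOCTL_HELLO_Read address is ok \n");
				RtlCopyMemory(pIoBuffer, (PVOID)hdr.Dst, hdr.uSize);
				*pInformation = (ULONG_PTR)hdr.uSize;
			}
			else
			{
				DbgPrint("kernel IOCTL_HELLO_Read address is not ok \n");
				RtlZeroMemory(pIoBuffer, uOutSize);
				*pInformation = uOutSize;
			}
		}
		__finally
		{
			/* Single detach on every path (normal and exceptional). */
			KeUnstackDetachProcess(&apcState);
		}
	}
	__except (EXCEPTION_EXECUTE_HANDLER)
	{
		DbgPrint("kernel IOCTL_HELLO_Read get memory error \n");
		/* Do not hand back a partially filled buffer. */
		RtlZeroMemory(pIoBuffer, uOutSize);
		*pInformation = uOutSize;
	}
	ObDereferenceObject(pEprocess);

	return STATUS_SUCCESS;
}

/*
 * IOCTL_HELLO_Write: copy the uSize bytes that follow the header in the
 * request buffer to Dst inside the process named by uPid.
 *
 * New: the payload must fit inside the input buffer (the original read past
 * it, copying kernel pool into the target), the attach is undone exactly once
 * (the original detached twice when the copy faulted), CR0 and the interrupt
 * flag are restored on the fault path as well, and the process reference is
 * released. An unknown PID or unmapped Dst still completes silently with
 * STATUS_SUCCESS, as before.
 */
static NTSTATUS HandleWrite(PVOID pIoBuffer, ULONG uInSize)
{
	READ_WRITE_INFO hdr;
	PEPROCESS pEprocess = NULL;
	KAPC_STATE apcState = { 0 };
	ULONG64 uCr0 = 0;
	BOOLEAN bCr0Changed = FALSE;
	NTSTATUS status;

	status = ReadRequestHeader(pIoBuffer, uInSize, &hdr);
	if (!NT_SUCCESS(status))
	{
		return status;
	}
	/* uInSize >= sizeof(READ_WRITE_INFO) was established above, so no underflow. */
	if ((SIZE_T)hdr.uSize > (SIZE_T)(uInSize - sizeof(READ_WRITE_INFO)))
	{
		return STATUS_BUFFER_TOO_SMALL;
	}

	DbgPrint("kernel IOCTL_HELLO_Write start \n");
	if (!NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)hdr.uPid, &pEprocess)))
	{
		return STATUS_SUCCESS;
	}
	DbgPrint("kernel IOCTL_HELLO_Write pid is ok \n");

	KeStackAttachProcess((PRKPROCESS)pEprocess, &apcState);
	__try
	{
		__try
		{
			if (MmIsAddressValid((PVOID)hdr.Dst))
			{
				DbgPrint("kernel IOCTL_HELLO_Write address is ok \n");
				/* NOTE(review): kept from the original. Toggling CR0.WP with
				 * interrupts off affects the whole CPU, and a page fault in the
				 * copy while IF=0 can hang it. The __finally below at least
				 * guarantees CR0 and IF are restored on every path. */
				_disable();
				uCr0 = __readcr0();
				__writecr0(uCr0 ^ 0x10000);
				bCr0Changed = TRUE;
				RtlCopyMemory((PVOID)hdr.Dst,
				              (PVOID)((ULONG64)pIoBuffer + sizeof(READ_WRITE_INFO)),
				              hdr.uSize);
			}
		}
		__finally
		{
			if (bCr0Changed)
			{
				__writecr0(uCr0);
				_enable();
			}
			KeUnstackDetachProcess(&apcState);
		}
	}
	__except (EXCEPTION_EXECUTE_HANDLER)
	{
		DbgPrint("kernel IOCTL_HELLO_Write write memory error \n");
	}
	ObDereferenceObject(pEprocess);

	return STATUS_SUCCESS;
}

/*
 * IOCTL_HELLO_AllocMen: commit uSize bytes of new memory in the process named
 * by uPid, zero it and return the base address in the first pointer-sized
 * slot of the request buffer.
 *
 * New: the allocation status is checked before the region is touched (the
 * original zeroed through a NULL base on failure), the caller receives NULL
 * when nothing was allocated, the output length is checked, and the process
 * reference is released.
 */
static NTSTATUS HandleAllocMem(PVOID pIoBuffer, ULONG uInSize, ULONG uOutSize, ULONG_PTR *pInformation)
{
	READ_WRITE_INFO hdr;
	PEPROCESS pEprocess = NULL;
	KAPC_STATE apcState = { 0 };
	PVOID BaseAddress = NULL;
	NTSTATUS status;

	status = ReadRequestHeader(pIoBuffer, uInSize, &hdr);
	if (!NT_SUCCESS(status))
	{
		return status;
	}
	if (uOutSize < sizeof(PVOID))
	{
		return STATUS_BUFFER_TOO_SMALL;
	}
	if (!NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)hdr.uPid, &pEprocess)))
	{
		/* As before: an unknown PID is not reported to the caller. */
		return STATUS_SUCCESS;
	}

	KeStackAttachProcess((PRKPROCESS)pEprocess, &apcState);
	__try
	{
		__try
		{
			/* hdr.uSize is updated in place with the rounded region size. */
			status = ZwAllocateVirtualMemory(NtCurrentProcess(), &BaseAddress, 0,
			                                 &hdr.uSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
			if (NT_SUCCESS(status))
			{
				RtlZeroMemory(BaseAddress, hdr.uSize);
				/* %p for a pointer; the original printed pIoBuffer with %X. */
				DbgPrint("kernel[Orange64] AllocateAddr:%p\n", BaseAddress);
			}
			else
			{
				BaseAddress = NULL;
			}
		}
		__finally
		{
			KeUnstackDetachProcess(&apcState);
		}
	}
	__except (EXCEPTION_EXECUTE_HANDLER)
	{
		DbgPrint("kernel Hello:IOCTL_HELLO_AllocMen __except\r\n");
		BaseAddress = NULL;
	}
	ObDereferenceObject(pEprocess);

	/* NULL tells the caller that nothing was allocated. */
	*(PVOID *)pIoBuffer = BaseAddress;
	*pInformation = sizeof(PVOID);
	return STATUS_SUCCESS;
}

/*
 * IRP_MJ_DEVICE_CONTROL handler.
 *
 * The code reads AssociatedIrp.SystemBuffer, which presumes the control codes
 * in He_Read.h are METHOD_BUFFERED (confirm there); that buffer is shared for
 * input and output. Each code is handled by a helper above that validates the
 * request before interpreting it.
 *
 * Changes versus the original: unknown codes are rejected with
 * STATUS_INVALID_DEVICE_REQUEST instead of succeeding, and IoStatus.Information
 * reports the bytes actually written rather than OutputBufferLength
 * unconditionally (which returned uninitialised pool whenever less was
 * filled). IOCTL_HELLO_GetModule has no implementation in this file and now
 * returns zero bytes.
 *
 * NOTE(review): there is no caller authorisation anywhere in this path; anyone
 * who can open the device reaches these routines. Access control belongs on
 * the device object (see CreateDevice).
 */
NTSTATUS
DispatchDeviceControl(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp)
{
	PIO_STACK_LOCATION pIrpStack = IoGetCurrentIrpStackLocation(pIrp);
	ULONG uIoControlCode = pIrpStack->Parameters.DeviceIoControl.IoControlCode;
	PVOID pIoBuffer = pIrp->AssociatedIrp.SystemBuffer;
	ULONG uInSize = pIrpStack->Parameters.DeviceIoControl.InputBufferLength;
	ULONG uOutSize = pIrpStack->Parameters.DeviceIoControl.OutputBufferLength;
	NTSTATUS status = STATUS_SUCCESS;
	ULONG_PTR information = 0;

	UNREFERENCED_PARAMETER(pDevObj);

	switch (uIoControlCode)
	{
	case IOCTL_HELLO_Read:
		status = HandleRead(pIoBuffer, uInSize, uOutSize, &information);
		break;

	case IOCTL_HELLO_Write:
		status = HandleWrite(pIoBuffer, uInSize);
		break;

	case IOCTL_HELLO_GetModule:
		/* Not implemented in this build; completes successfully with no data. */
		break;

	case IOCTL_HELLO_AllocMen:
		status = HandleAllocMem(pIoBuffer, uInSize, uOutSize, &information);
		break;

	default:
		status = STATUS_INVALID_DEVICE_REQUEST;
		break;
	}

	pIrp->IoStatus.Status = status;
	pIrp->IoStatus.Information = NT_SUCCESS(status) ? information : 0;
	IoCompleteRequest(pIrp, IO_NO_INCREMENT);
	return status;
}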
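/*
 * Driver entry point: installs the dispatch routines, registers the unload
 * routine and creates the control device.
 *
 * Returns the CreateDevice status. The original returned STATUS_SUCCESS
 * unconditionally, which kept a driver with no device object loaded when
 * device creation failed. Unused locals (ustrLinkName, ustrDevName, pDevObj)
 * were removed.
 */
NTSTATUS
DriverEntry(IN PDRIVER_OBJECT pDriverObj, IN PUNICODE_STRING pRegistryString)
{
	NTSTATUS status;

	UNREFERENCED_PARAMETER(pRegistryString);
	DbgPrint("kernel Hello:DriverEntry \n");

	pDriverObj->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
	pDriverObj->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
	pDriverObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchDeviceControl;
	pDriverObj->DriverUnload = DriverUnload;

	DbgPrint("kernel 开始驱动\n");
	status = CreateDevice(pDriverObj); // create the device and its symbolic link
	if (!NT_SUCCESS(status))
	{
		/* Nothing to tear down: CreateDevice deletes the device itself when
		 * the symbolic link fails, and DriverUnload is not called on a failed
		 * DriverEntry. */
		return status;
	}

	DbgPrint("kernel Hello:DriverEntry Success\n");
	return status;
}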