#include "Driver.h"
#include "ntdll.h"
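#pragma INITCODE
NTSTATUS DriverEntry (
IN PDRIVER_OBJECT pDriverObject,
IN PUNICODE_STRING pRegistryPath )
{
    /*
     * Driver entry point.
     *
     * Finds the base of the running kernel image (ntoskrnl.exe, falling back
     * to ntkrnlpa.exe), has KeLoadLibrary map a second copy of that image,
     * lets FixNewKiServiceTable work on the fresh copy, and only then installs
     * the sysenter hook and the DebugPort/DRx hook. No device object is
     * created here (CreateDevice in this file is never called).
     *
     * pDriverObject: driver object handed in by the I/O manager; only
     *                DriverUnload is filled in.
     * pRegistryPath: unused.
     *
     * Returns STATUS_SUCCESS once both image bases are known and the hooks are
     * installed. Returns STATUS_UNSUCCESSFUL when either the running kernel or
     * the loaded copy could not be located; in that case no hook is installed,
     * so the I/O manager not calling DriverUnload after a failed DriverEntry
     * leaves nothing behind.
     */
    PVOID OldImageBase = NULL;
    PVOID NewImageBase = NULL;

    (void)pRegistryPath;

    /* Register unload before anything else so the driver can always be
     * unwound once this routine has returned success. */
    pDriverObject->DriverUnload = HelloDDKUnload;
    KdPrint(("加载驱动成功!\n"));

    /* NOTE(review): the literal paths assume the system root is C:\windows;
     * \SystemRoot\system32\... is the portable spelling — confirm
     * KeLoadLibrary accepts it before changing. */
    OldImageBase = GetModuleBase("ntoskrnl.exe");
    if (NULL != OldImageBase)
    {
        NewImageBase = KeLoadLibrary(L"\\??\\C:\\windows\\system32\\ntoskrnl.exe", OldImageBase);
    }
    else
    {
        /* PAE kernels ship as ntkrnlpa.exe. The original code never checked
         * this second lookup, so a miss reached KeLoadLibrary with a NULL base. */
        OldImageBase = GetModuleBase("ntkrnlpa.exe");
        if (NULL != OldImageBase)
        {
            NewImageBase = KeLoadLibrary(L"\\??\\C:\\windows\\system32\\ntkrnlpa.exe", OldImageBase);
        }
    }

    /* FixNewKiServiceTable reads through both images; a NULL here is a
     * kernel-mode NULL dereference and bug-checks the machine. Bail out before
     * any global hook state is touched. Assumes KeLoadLibrary reports failure
     * by returning NULL — TODO confirm against its definition. A copy that was
     * mapped but not used is not released here because no matching release
     * helper is visible in this file. */
    if (NULL == OldImageBase || NULL == NewImageBase)
    {
        KdPrint(("DriverEntry: kernel image base not found, no hook installed\n"));
        return STATUS_UNSUCCESSFUL;
    }

    FixNewKiServiceTable(NewImageBase, OldImageBase);
    SetSysenterHook();
    SetDebugPortDrxHook();
    return STATUS_SUCCESS;
}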
/************************************************************************
* 函数名称:CreateDevice
* 功能描述:初始化设备对象
* 参数列表:
pDriverObject:从I/O管理器中传进来的驱动对象
* 返回 值:返回初始化状态
*************************************************************************/
#pragma INITCODE
NTSTATUS CreateDevice (
IN PDRIVER_OBJECT pDriverObject)
{
    /*
     * Creates the control device \Device\MyDDKDevice plus its user-visible
     * symbolic link \??\HelloDDK, and records the device pointer and both
     * names in the device extension.
     *
     * pDriverObject: driver object the device is attached to.
     *
     * Returns IoCreateDevice's status if the device cannot be created, the
     * IoCreateSymbolicLink status (after deleting the device again) if the
     * link cannot be created, otherwise STATUS_SUCCESS.
     *
     * Not invoked from DriverEntry in this file.
     */
    UNICODE_STRING deviceName;
    UNICODE_STRING linkName;
    PDEVICE_OBJECT device = NULL;
    PDEVICE_EXTENSION ext = NULL;
    NTSTATUS rc;

    RtlInitUnicodeString(&deviceName, L"\\Device\\MyDDKDevice");
    RtlInitUnicodeString(&linkName, L"\\??\\HelloDDK");

    rc = IoCreateDevice(pDriverObject,
                        sizeof(DEVICE_EXTENSION),
                        &deviceName,
                        FILE_DEVICE_UNKNOWN,
                        0,
                        TRUE,
                        &device);
    if (!NT_SUCCESS(rc))
    {
        return rc;
    }

    /* Buffered I/O: the I/O manager copies user buffers for this device. */
    device->Flags |= DO_BUFFERED_IO;

    ext = (PDEVICE_EXTENSION)device->DeviceExtension;
    ext->pDevice = device;
    ext->ustrDeviceName = deviceName;
    ext->ustrSymLinkName = linkName;

    rc = IoCreateSymbolicLink(&linkName, &deviceName);
    if (NT_SUCCESS(rc))
    {
        return STATUS_SUCCESS;
    }

    /* The link failed: tear the device down again so nothing dangles. */
    IoDeleteDevice(device);
    return rc;
}
/************************************************************************
* 函数名称:HelloDDKUnload
* 功能描述:负责驱动程序的卸载操作
* 参数列表:
pDriverObject:驱动对象
* 返回 值:返回状态
*************************************************************************/
#pragma PAGEDCODE
VOID HelloDDKUnload (IN PDRIVER_OBJECT pDriverObject)
{
    /*
     * Driver unload routine: removes the two hooks, in the same order in
     * which DriverEntry installed them (sysenter first, then DebugPort/DRx).
     * No device or symbolic link is cleaned up because DriverEntry in this
     * file never calls CreateDevice.
     *
     * pDriverObject: unused.
     *
     * NOTE(review): nothing here waits for threads still executing inside the
     * hook stubs before the image is unmapped — confirm the Un* helpers
     * handle that, otherwise unload can fault.
     */
    (void)pDriverObject;

    UnSysenterHook();
    UnDebugPortDrxHook();

    KdPrint(("Çý¶¯Ð¶Ôسɹ¦!\n"));
}
/************************************************************************
* 函数名称:HelloDDKDispatchRoutine
* 功能描述:对读IRP进行处理
* 参数列表:
pDevObj:功能设备对象
pIrp:从IO请求包
* 返回 值:返回状态
*************************************************************************/
#pragma PAGEDCODE
NTSTATUS HelloDDKDispatchRoutine(IN PDEVICE_OBJECT pDevObj,
IN PIRP pIrp)
{
    /*
     * Generic dispatch routine: completes whatever IRP it is handed with
     * STATUS_SUCCESS and zero bytes transferred, without inspecting the
     * request. Nothing in this file stores it in a MajorFunction slot.
     *
     * pDevObj: unused.
     * pIrp:    the request to complete.
     *
     * Returns STATUS_SUCCESS.
     */
    const NTSTATUS rc = STATUS_SUCCESS;

    (void)pDevObj;
    KdPrint(("Enter HelloDDKDispatchRoutine\n"));

    /* Complete the IRP with no payload. */
    pIrp->IoStatus.Status = rc;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);

    KdPrint(("Leave HelloDDKDispatchRoutine\n"));
    return rc;
}