WIN7 X86
驱动
#include<ntifs.h>
#include <WinDef.h>
#define DEVICE_NAME L"\\Device\\wangliang"
#define SYM_NAME L"\\??\\wangliang"
/* Request identifier the client stores in CommPackage.id; the driver code on
 * this page never reads it. (Names starting with '_' + uppercase are reserved
 * for the implementation.) */
#define _COMM_ID 0x12345678
/* Signature of ZwQueryInformationProcess; the routine is looked up at run time
 * via MmGetSystemRoutineAddress instead of being linked statically. */
typedef NTSTATUS(*QUERY_INFO_PROCESS)(
__in HANDLE ProcessHandle,
__in PROCESSINFOCLASS ProcessInformationClass,
__out_bcount(ProcessInformationLength) PVOID ProcessInformation,
__in ULONG ProcessInformationLength,
__out_opt PULONG ReturnLength
);
/* Filled in on first use by process_enum; NULL until then. */
QUERY_INFO_PROCESS ZwQueryInformationProcess;
/* Wire format shared with the user-mode client; both sides must keep the
 * same layout.
 *   id   - request identifier (_COMM_ID), not checked by the driver.
 *   pid  - NOT a Windows PID: process_enum walks (pid - 1) entries along the
 *          active-process list starting at the calling process.
 *   name - image path of the selected process, written back by the driver. */
typedef struct _CommPackage {
ULONG64 id;
ULONG64 pid;
CHAR name[64];
}CommPackage, * PCommPackage;
/* Declared but never assigned or invoked anywhere in this listing. */
typedef NTSTATUS(NTAPI* CommCallback)(PCommPackage package);
CommCallback gCommCallback = NULL;
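/*
 * Default handler for IRP_MJ_CREATE / IRP_MJ_CLOSE: accepts every open and
 * close request without doing any work.
 *
 * DeviceObject: device the request was sent to (unused).
 * Irp:          request to complete.
 * Returns STATUS_SUCCESS, which is also stored in the IRP so the I/O manager
 * and the caller see the same result.
 */
NTSTATUS DefDispatch(DEVICE_OBJECT* DeviceObject, IRP* Irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);

    Irp->IoStatus.Status = STATUS_SUCCESS;
    /* Create/close transfer no data; say so explicitly instead of leaving
     * whatever the I/O manager put in Information. */
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}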
/*
 * Unload routine: undoes DriverEntry in reverse order — the symbolic link
 * goes first, then the device object it pointed at.
 *
 * pDriver: this driver's object; its DeviceObject is the control device.
 */
VOID DriverUnload(PDRIVER_OBJECT pDriver) {
    UNICODE_STRING linkName;

    RtlInitUnicodeString(&linkName, SYM_NAME);
    IoDeleteSymbolicLink(&linkName);

    IoDeleteDevice(pDriver->DeviceObject);
    DbgPrint("Driver UnLoad!");
}
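/* EPROCESS field offset for the Windows 7 x86 kernel this driver targets
 * (value taken from the original code). It is NOT stable across OS versions
 * or architectures; on any other build the list walk below reads garbage.
 * The UniqueProcessId offset (0xB4 in the original) is no longer needed
 * because PsGetProcessId() exposes that field through a documented API. */
enum {
    EPROCESS_ACTIVE_LINKS_OFFSET = 0xB8,   /* ActiveProcessLinks (LIST_ENTRY) */
    IMAGE_NAME_QUERY_SIZE = 1000,          /* UNICODE_STRING header + path */
    IMAGE_NAME_POOL_TAG = 'mNcP'
};

/*
 * Completes Irp with the given status and byte count and returns that same
 * status, so the dispatch return value and IoStatus.Status always agree
 * (the original returned STATUS_SUCCESS while storing STATUS_UNSUCCESSFUL).
 */
static NTSTATUS complete_request(PIRP Irp, NTSTATUS status, ULONG_PTR information)
{
    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = information;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}

/*
 * Follows ActiveProcessLinks.Flink `steps` times from `start` and returns the
 * EPROCESS reached. No lock is held, so a process exiting during the walk can
 * leave us on a freed entry — that hazard is inherited from the original
 * design and not addressed here.
 */
static PEPROCESS walk_active_process_list(PEPROCESS start, ULONG64 steps)
{
    PEPROCESS current = start;
    ULONG64 i;

    for (i = 0; i < steps; i++) {
        PLIST_ENTRY links = (PLIST_ENTRY)((PUCHAR)current + EPROCESS_ACTIVE_LINKS_OFFSET);
        current = (PEPROCESS)((PUCHAR)links->Flink - EPROCESS_ACTIVE_LINKS_OFFSET);
    }
    return current;
}

/*
 * Copies the NT image path of `process` into dst as a NUL-terminated ANSI
 * string, truncated to dstSize - 1 bytes. Resolves ZwQueryInformationProcess
 * on first use.
 *
 * Returns an NTSTATUS; on failure dst is left unchanged. All resources
 * (kernel handle, pool buffer, ANSI string) are released on every path —
 * the original leaked the 1000-byte pool block on every call.
 */
static NTSTATUS copy_image_file_name(PEPROCESS process, CHAR *dst, SIZE_T dstSize)
{
    NTSTATUS status;
    HANDLE hProc = NULL;
    PVOID pBuf = NULL;
    ANSI_STRING ansiName = { 0 };
    SIZE_T copyLen;

    if (dstSize == 0) {
        return STATUS_BUFFER_TOO_SMALL;
    }

    if (ZwQueryInformationProcess == NULL) {
        UNICODE_STRING routineName;
        RtlInitUnicodeString(&routineName, L"ZwQueryInformationProcess");
        ZwQueryInformationProcess = (QUERY_INFO_PROCESS)MmGetSystemRoutineAddress(&routineName);
        if (ZwQueryInformationProcess == NULL) {
            /* The original logged this and then called the NULL pointer. */
            DbgPrint("Cannot resolve ZwQueryInformationProcess\n");
            return STATUS_PROCEDURE_NOT_FOUND;
        }
    }

    /* OBJ_KERNEL_HANDLE keeps the handle out of the calling process' table. */
    status = ObOpenObjectByPointer(process, OBJ_KERNEL_HANDLE, NULL, 0, NULL, KernelMode, &hProc);
    if (!NT_SUCCESS(status)) {
        return status;   /* hProc was never valid; nothing to close */
    }

    pBuf = ExAllocatePoolWithTag(PagedPool, IMAGE_NAME_QUERY_SIZE, IMAGE_NAME_POOL_TAG);
    if (pBuf == NULL) {
        status = STATUS_INSUFFICIENT_RESOURCES;
        goto out_close;
    }
    RtlZeroMemory(pBuf, IMAGE_NAME_QUERY_SIZE);

    status = ZwQueryInformationProcess(hProc, ProcessImageFileName, pBuf, IMAGE_NAME_QUERY_SIZE, NULL);
    if (!NT_SUCCESS(status)) {
        goto out_free;
    }

    status = RtlUnicodeStringToAnsiString(&ansiName, (PUNICODE_STRING)pBuf, TRUE);
    if (!NT_SUCCESS(status)) {
        goto out_free;   /* ansiName.Buffer is not valid on failure */
    }

    /* Bounded copy: a full device path is routinely longer than the 64-byte
     * name field, so the original strcpy() wrote past the end of it. */
    copyLen = ansiName.Length;
    if (copyLen >= dstSize) {
        copyLen = dstSize - 1;
    }
    RtlCopyMemory(dst, ansiName.Buffer, copyLen);
    dst[copyLen] = '\0';
    RtlFreeAnsiString(&ansiName);

out_free:
    ExFreePoolWithTag(pBuf, IMAGE_NAME_POOL_TAG);
out_close:
    ZwClose(hProc);
    return status;
}

/*
 * IRP_MJ_READ handler. The caller passes a CommPackage as its read buffer;
 * `pid` is a 1-based position in the active-process list counted from the
 * calling process (position 1 is the caller itself), not a Windows PID. The
 * image path of the process at that position is written into `name`.
 *
 * The device is created with DO_BUFFERED_IO, yet the package is read and
 * written through Irp->UserBuffer, as in the original: for a buffered READ
 * the I/O manager does not copy the caller's data into the system buffer, so
 * the input can only be found in the user buffer. Information stays 0 so the
 * (unfilled) system buffer is not copied back over the result on completion.
 * User-mode addresses are probed and touched only under SEH; a bogus pointer
 * now fails the request instead of faulting in the kernel.
 *
 * Returns the status that was also stored in the IRP.
 */
NTSTATUS process_enum(DEVICE_OBJECT* DeviceObject, IRP* Irp) {
    PIO_STACK_LOCATION ioStack = IoGetCurrentIrpStackLocation(Irp);
    PCommPackage package = (PCommPackage)Irp->UserBuffer;
    CHAR name[sizeof(package->name)];
    ULONG64 position = 0;
    PEPROCESS target;
    NTSTATUS status;

    UNREFERENCED_PARAMETER(DeviceObject);

    if (package == NULL || ioStack->Parameters.Read.Length < sizeof(CommPackage)) {
        return complete_request(Irp, STATUS_BUFFER_TOO_SMALL, 0);
    }

    __try {
        if (Irp->RequestorMode != KernelMode) {
            /* 4-byte alignment is what an x86 user stack guarantees. */
            ProbeForWrite(package, sizeof(CommPackage), sizeof(ULONG));
        }
        position = package->pid;
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        return complete_request(Irp, GetExceptionCode(), 0);
    }

    target = walk_active_process_list(PsGetCurrentProcess(),
                                      position > 1 ? position - 1 : 0);
    /* Original stop condition: an entry whose PID field is zero ends the
     * enumeration (presumably the list head reached after wrapping — confirm). */
    if (PsGetProcessId(target) == NULL) {
        return complete_request(Irp, STATUS_UNSUCCESSFUL, 0);
    }

    RtlZeroMemory(name, sizeof(name));
    status = copy_image_file_name(target, name, sizeof(name));
    if (!NT_SUCCESS(status)) {
        return complete_request(Irp, status, 0);
    }

    __try {
        RtlCopyMemory(package->name, name, sizeof(name));
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        return complete_request(Irp, GetExceptionCode(), 0);
    }

    /* Success is now reported as such; the original stored STATUS_UNSUCCESSFUL
     * even after writing the name. */
    return complete_request(Irp, STATUS_SUCCESS, 0);
}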
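/*
 * Driver entry point: creates the control device and its symbolic link and
 * installs the dispatch routines.
 *
 * pDriver:      this driver's object.
 * registeryPat: registry path of the service (unused).
 * Returns STATUS_SUCCESS, or the failing IoCreateDevice/IoCreateSymbolicLink
 * status; on failure nothing is left behind for DriverUnload to release.
 *
 * NOTE(review): no security descriptor is supplied and the link lives under
 * \??, so presumably any local user can open the device and drive
 * process_enum — restrict it (e.g. IoCreateDeviceSecure with an SDDL string)
 * if that is not intended.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING registeryPat) {
    UNICODE_STRING devName;
    UNICODE_STRING linkName;
    PDEVICE_OBJECT pDevice = NULL;
    NTSTATUS status;

    UNREFERENCED_PARAMETER(registeryPat);

    RtlInitUnicodeString(&devName, DEVICE_NAME);
    RtlInitUnicodeString(&linkName, SYM_NAME);

    /* No device extension is used, so its size is 0 (the original passed
     * NULL for this ULONG parameter). */
    status = IoCreateDevice(pDriver, 0, &devName, FILE_DEVICE_UNKNOWN,
                            FILE_DEVICE_SECURE_OPEN, FALSE, &pDevice);
    if (!NT_SUCCESS(status)) {
        DbgPrint("[db]:%x\r\n", status);
        return status;
    }

    status = IoCreateSymbolicLink(&linkName, &devName);
    if (!NT_SUCCESS(status)) {
        IoDeleteDevice(pDevice);
        DbgPrint("[db]:%x\r\n", status);
        return status;
    }

    /* Buffered I/O: reads get a system buffer from the I/O manager. Note
     * that process_enum nevertheless dereferences Irp->UserBuffer directly. */
    pDevice->Flags |= DO_BUFFERED_IO;

    pDriver->MajorFunction[IRP_MJ_CREATE] = DefDispatch;
    pDriver->MajorFunction[IRP_MJ_CLOSE] = DefDispatch;
    pDriver->MajorFunction[IRP_MJ_READ] = process_enum;
    pDriver->DriverUnload = DriverUnload;

    /* Cleared last, once the device is fully wired up to take requests. */
    pDevice->Flags &= ~DO_DEVICE_INITIALIZING;
    return STATUS_SUCCESS;
}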
R3 (user-mode test client)
#include <stdio.h>
#include <Windows.h>
#define SYM_NAME "\\\\.\\wangliang"
/* Wire format exchanged with the kernel driver; must match the driver's
 * CommPackage layout exactly.
 *   id   - request identifier (_COMM_ID).
 *   pid  - 1-based position in the driver's process list (not a Windows PID);
 *          this client walks 1, 2, 3, ...
 *   name - image path filled in by the driver. */
typedef struct _CommPackage {
ULONG64 id;
ULONG64 pid;
CHAR name[64];
}CommPackage, * PCommPackage;
/* Same value as in the driver. (Leading '_' + uppercase is a reserved name.) */
#define _COMM_ID 0x12345678
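/*
 * User-mode test client: opens the driver's symbolic link and reads the
 * image path at positions 1, 2, 3, ... until the name read at position 1
 * comes round again (the driver's list is circular). A failed ReadFile now
 * ends the loop and reports GetLastError(); the original ignored the return
 * value and, with an empty name, would have spun forever.
 *
 * Returns 0 in all cases; errors are printed.
 */
int main(void)
{
    CommPackage packag = { 0 };
    DWORD bytes = 0;
    char first[sizeof packag.name] = { 0 };

    packag.id = _COMM_ID;
    packag.pid = 1;

    HANDLE hDevice = CreateFileA(SYM_NAME, GENERIC_READ | GENERIC_WRITE,
                                 FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                                 OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hDevice == INVALID_HANDLE_VALUE) {
        /* CreateFile signals failure with INVALID_HANDLE_VALUE, never NULL;
         * the error code is what is worth printing, not the handle. */
        printf("CreateFileA(%s) failed: %lu\r\n", SYM_NAME, GetLastError());
        system("pause");
        return 0;
    }

    if (!ReadFile(hDevice, &packag, sizeof packag, &bytes, NULL)) {
        printf("ReadFile failed: %lu\r\n", GetLastError());
        CloseHandle(hDevice);
        system("pause");
        return 0;
    }
    /* Never trust the driver to terminate the string. */
    packag.name[sizeof packag.name - 1] = '\0';
    strcpy_s(first, sizeof first, packag.name);
    printf("%s\r\n", packag.name);

    do {
        packag.pid += 1;
        memset(packag.name, 0, sizeof packag.name);
        if (!ReadFile(hDevice, &packag, sizeof packag, &bytes, NULL)) {
            printf("ReadFile failed at position %llu: %lu\r\n",
                   (unsigned long long)packag.pid, GetLastError());
            break;
        }
        packag.name[sizeof packag.name - 1] = '\0';
        printf("%s\r\n", packag.name);
        Sleep(1000);
    } while (strcmp(first, packag.name) != 0);   /* strcmp yields int, not a pointer */

    CloseHandle(hDevice);
    system("pause");
    return 0;
}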