3月13日 可以和内核通信了

哎,回头一看其实也没啥...   接着昨天的

#include <stdio.h>
#include <windows.h>
/* Control code shared with the driver. This is the bare number 2048, not a value
 * built with CTL_CODE(): through the CTL_CODE field layout it decodes to
 * DeviceType 0, Access 0 (FILE_ANY_ACCESS), Function 512, Method 0
 * (METHOD_BUFFERED). Both sides must define exactly the same number, so keep it
 * in one shared header, ideally as
 * CTL_CODE(FILE_DEVICE_UNKNOWN, 2048, METHOD_BUFFERED, FILE_ANY_ACCESS). */
#define UTY_HOOK 2048
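/* User-mode side of the experiment: opens the driver's Win32 device name and
 * sends UTY_HOOK, then prints GetLastError(), the returned byte count and the
 * returned text.
 *
 * Fixes over the original: buf was declared as an array of 1024 char pointers
 * instead of 1024 bytes; the device path and the "\n" escapes were broken;
 * CreateFile/DeviceIoControl results were never checked; the reply was printed
 * with %s without guaranteeing NUL termination; the handle was never closed.
 *
 * Returns 0 on success, 1 if the device could not be opened or the IOCTL failed. */
int main(void)
{
 HANDLE hDevice;
 char buf[1024];
 DWORD returnsize = 0;
 BOOL ok;

 /* \\.\utyDriver is the Win32 alias the driver publishes as \DosDevices\utyDriver.
  * GENERIC_READ is enough: the raw control code 2048 decodes to FILE_ANY_ACCESS. */
 hDevice = CreateFile("\\\\.\\utyDriver",
      GENERIC_READ,
      FILE_SHARE_READ | FILE_SHARE_WRITE,
      NULL, OPEN_EXISTING,
      FILE_ATTRIBUTE_NORMAL, NULL);
 if (hDevice == INVALID_HANDLE_VALUE) {
  printf("CreateFile failed, error %lu\n", (unsigned long)GetLastError());
  return 1;
 }

 /* Hand the driver one byte less than the buffer so the reply can always be
  * NUL-terminated below, whatever byte count the driver reports. */
 ok = DeviceIoControl(hDevice, UTY_HOOK, NULL, 0,
      buf, sizeof buf - 1, &returnsize, NULL);
 printf("%lu\n", (unsigned long)GetLastError());
 printf("%lu\n", (unsigned long)returnsize);

 if (ok) {
  /* Do not trust the byte count or the termination of data coming back from
   * the kernel: clamp to the buffer and terminate before printing with %s. */
  if (returnsize > sizeof buf - 1)
   returnsize = (DWORD)(sizeof buf - 1);
  buf[returnsize] = '\0';
  printf("%s\n", buf);
 } else {
  printf("DeviceIoControl failed\n");
 }

 CloseHandle(hDevice);
 return ok ? 0 : 1;
}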
//--------------------------------------------------------------------
这是 user-mode APP:把驱动 LOAD 进去后,用 CreateFile 打开设备句柄(路径是 `\\.\utyDriver`,C 字符串写成 `"\\\\.\\utyDriver"`,对应驱动创建的 `\DosDevices\utyDriver` 符号链接),再用 DeviceIoControl 发控制码。控制码 `#define UTY_HOOK 2048` 在驱动和 user-mode APP 里各定义了一份,两边必须完全一致(最好放进共用头文件)。之所以选 2048,是因为 SDK 的头文件 WINIOCTL.H 里有:

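//
// Macro definition for defining IOCTL and FSCTL function control codes.  Note
// that function codes 0-2047 are reserved for Microsoft Corporation, and
// 2048-4095 are reserved for customers.
//
// Layout of the resulting 32-bit code, as produced by the shifts below:
// bits 31..16 DeviceType, bits 15..14 Access, bits 13..2 Function,
// bits 1..0 Method.  A bare 2048 (0x800) therefore decodes to DeviceType 0,
// Access 0, Function 512, Method 0 -- it is NOT the same value as
// CTL_CODE(FILE_DEVICE_UNKNOWN, 2048, METHOD_BUFFERED, FILE_ANY_ACCESS).
// (Line continuations restored: the listing had lost its backslashes.)
//

#define CTL_CODE( DeviceType, Function, Method, Access ) (                 \
    ((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method) \
)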

所以 UTY_HOOK 用了 2048。不过要注意:这里是把 2048 本身直接当成了完整的控制码,而不是用 CTL_CODE() 拼出来的值。按上面的宏拆开,2048 (0x800) 的 DeviceType=0、Access=0 (FILE_ANY_ACCESS)、Function=512、Method=0 (METHOD_BUFFERED)——所以它能走 SystemBuffer 传数据、用 GENERIC_READ 打开的句柄也能发,纯属低两位恰好是 0。规范写法是 `CTL_CODE(FILE_DEVICE_UNKNOWN, 2048, METHOD_BUFFERED, FILE_ANY_ACCESS)`(=0x222000),两边要同时改。

驱动部分再贴一次,也不HOOK了,

#include <ntddk.h>
//#pragma comment (lib,"ntdll.lib")
typedef NTSTATUS (NTAPI *NTPROC) ();   // generic, unprototyped native-API entry point
typedef NTPROC *PNTPROC;               // pointer into an array of such entries
#define NTPROC_ sizeof (NTPROC)
/* Control code shared with the user-mode app. Bare 2048, not a CTL_CODE()
 * value: it decodes to DeviceType 0, Access 0 (FILE_ANY_ACCESS), Function 512,
 * Method 0 (METHOD_BUFFERED). Both sides must define the identical number;
 * keep it in one shared header. */
#define UTY_HOOK 2048

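// One system service table. The /*000*/.. offsets assume 4-byte pointers
// (32-bit x86); only ServiceTable is ever referenced by this driver, in the
// commented-out hook lines in DriverEntry/Unload.
// Fix: ArgumentTable was declared UCHAR (a single byte), yet the comment and
// the /*010*/ end offset describe a pointer to an array of byte counts; the
// old end offset only held because of struct padding.
typedef struct _SYSTEM_SERVICE_TABLE
        {
/*000*/ PNTPROC ServiceTable;           // array of entry points
/*004*/ LONG*  CounterTable;           // array of usage counters
/*008*/ LONG   ServiceLimit;           // number of table entries
/*00C*/ PUCHAR  ArgumentTable;          // array of byte counts (was UCHAR)
/*010*/ }
        SYSTEM_SERVICE_TABLE,
     * PSYSTEM_SERVICE_TABLE,
    **PPSYSTEM_SERVICE_TABLE;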

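/* Byte size of SYSTEM_SERVICE_TABLE. Line continuation restored: the listing
 * had a '/' where the backslash belongs, which made the macro expand to '/'. */
#define SYSTEM_SERVICE_TABLE_ \
        sizeof (SYSTEM_SERVICE_TABLE)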
//--------------------------------------------------------------------
// The service descriptor table: four SYSTEM_SERVICE_TABLE entries, of which
// the driver only ever names .ntoskrnl (in the commented-out hook lines).
// Offsets assume a 16-byte SYSTEM_SERVICE_TABLE, i.e. 32-bit x86.
typedef struct _SERVICE_DESCRIPTOR_TABLE
        {
/*000*/ SYSTEM_SERVICE_TABLE ntoskrnl;  // ntoskrnl.exe (native api)
/*010*/ SYSTEM_SERVICE_TABLE win32k;    // win32k.sys   (gdi/user)
/*020*/ SYSTEM_SERVICE_TABLE Table3;    // not used
/*030*/ SYSTEM_SERVICE_TABLE Table4;    // not used
/*040*/ }
        SERVICE_DESCRIPTOR_TABLE,
     * PSERVICE_DESCRIPTOR_TABLE,
    **PPSERVICE_DESCRIPTOR_TABLE;

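/* Byte size of SERVICE_DESCRIPTOR_TABLE. Line continuation restored: the
 * listing had a '/' where the backslash belongs. */
#define SERVICE_DESCRIPTOR_TABLE_ \
        sizeof (SERVICE_DESCRIPTOR_TABLE)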
//--------------------------------------------------------------------
/* The kernel's exported service descriptor table, used only by the
 * commented-out hook lines. NOTE(review): it is declared as a pointer
 * although the export is the table itself; this works only if the linker
 * binds the name to the import-address-table slot (which holds the table's
 * address) rather than to the data -- confirm with the DDK in use. */
extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;

/* Dispatch routines installed by DriverEntry. */
VOID utyDriverUnloAd(IN PDRIVER_OBJECT DriverObject);            /* DriverUnload */
NTSTATUS utyDriverIO(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp);  /* CREATE/CLOSE/READ/WRITE */
NTSTATUS utyDriverIOControl(IN PDEVICE_OBJECT,IN PIRP Irp);        /* DEVICE_CONTROL */

/* Replacement NtReadFile meant for the (disabled) SSDT hook; same signature
 * as the native service so it can sit in the table in its place. */
//NTSYSAPI
NTSTATUS
//NTAPI
utyNtReadFile(

  IN HANDLE               FileHandle,
  IN HANDLE               Event OPTIONAL,
  IN PIO_APC_ROUTINE      ApcRoutine OPTIONAL,
  IN PVOID                ApcContext OPTIONAL,
  OUT PIO_STATUS_BLOCK    IoStatusBlock,
  OUT PVOID               Buffer,
  IN ULONG                Length,
  IN PLARGE_INTEGER       ByteOffset OPTIONAL,
  IN PULONG               Key OPTIONAL );

PDEVICE_OBJECT utyDriverDeviceObject = NULL;   /* created in DriverEntry, deleted in Unload */
/* File-scope scratch, never read anywhere in this listing. Anything shared
 * across concurrent IOCTL dispatches like this is unsynchronized; keep such
 * state local to the dispatch routine. */
ULONG out_size;
PFILE_OBJECT hAndle_object;   /* only referenced from commented-out code in utyNtReadFile */
/* Saved original NtReadFile entry for the (disabled) hook. Storing a function
 * pointer in a LONG is only valid on 32-bit builds. */
LONG temp;
CHAR tempbuf[1024];           /* only referenced from commented-out code in utyNtReadFile */


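/* Driver entry point: creates \Device\utyDriver, publishes it to Win32 as
 * \DosDevices\utyDriver (\\.\utyDriver) and installs the dispatch routines.
 * The SSDT hook of NtReadFile (service index 151) stays commented out.
 *
 * Fixes over the original: device path literals restored; on symbolic-link
 * failure the device object is now deleted instead of leaked; the real NTSTATUS
 * is returned instead of STATUS_NO_SUCH_DEVICE; the device is created with
 * FILE_DEVICE_SECURE_OPEN; the unused local ServiceTAble is gone.
 *
 * Returns STATUS_SUCCESS, or the failing IoCreateDevice/IoCreateSymbolicLink status. */
NTSTATUS DriverEntry (PDRIVER_OBJECT DriverObject,
       PUNICODE_STRING RegistryPAth)
{
 UNICODE_STRING ntDeviceNAme;
 UNICODE_STRING win32DeviceNAme;
 NTSTATUS stAtus;

 UNREFERENCED_PARAMETER(RegistryPAth);

 RtlInitUnicodeString(&ntDeviceNAme, L"\\Device\\utyDriver");

 /* FILE_DEVICE_SECURE_OPEN makes the I/O manager apply the device's security
  * descriptor to every open, including names with a trailing path component.
  * NOTE(review): the descriptor itself is still the I/O manager's default,
  * which for FILE_DEVICE_UNKNOWN lets unprivileged local users open the
  * device and send IOCTLs. To restrict it, create the device with
  * IoCreateDeviceSecure() (wdmsec.h) and an SDDL such as
  * SDDL_DEVOBJ_SYS_ALL_ADM_ALL. */
 stAtus = IoCreateDevice(DriverObject, 0, &ntDeviceNAme,
           FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE,
           &utyDriverDeviceObject);
 if (!NT_SUCCESS(stAtus))
  return stAtus;

 /* Buffered I/O for IRP_MJ_READ/WRITE. IOCTLs take their transfer method from
  * the control code's low two bits instead (UTY_HOOK = 2048 -> METHOD_BUFFERED). */
 utyDriverDeviceObject->Flags |= DO_BUFFERED_IO;

 RtlInitUnicodeString(&win32DeviceNAme, L"\\DosDevices\\utyDriver");
 stAtus = IoCreateSymbolicLink(&win32DeviceNAme, &ntDeviceNAme);
 if (!NT_SUCCESS(stAtus)) {
  /* DriverUnload is not called when DriverEntry fails, so clean up here. */
  IoDeleteDevice(utyDriverDeviceObject);
  utyDriverDeviceObject = NULL;
  return stAtus;
 }

 DriverObject->MajorFunction[IRP_MJ_CREATE  ] = utyDriverIO;
 DriverObject->MajorFunction[IRP_MJ_CLOSE  ] = utyDriverIO;
 DriverObject->MajorFunction[IRP_MJ_READ   ] = utyDriverIO;
 DriverObject->MajorFunction[IRP_MJ_WRITE  ] = utyDriverIO;
 DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL]= utyDriverIOControl;
 DriverObject->DriverUnload        = utyDriverUnloAd;

 /* SSDT hook, left disabled. NOTE(review): index 151 is hard-coded and
  * differs between OS builds; the cast stores a function pointer in a LONG
  * (32-bit only); and the service table page is normally write-protected
  * (and covered by PatchGuard on x64) -- confirm all three before enabling. */
 //InterlockedExchange((PLONG)&temp,*((LONG*)KeServiceDescriptorTable->ntoskrnl.ServiceTable+ 151));
 //InterlockedExchange((PLONG)KeServiceDescriptorTable->ntoskrnl.ServiceTable+ 151,(LONG)utyNtReadFile);

 return STATUS_SUCCESS;
}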
//-------------------------------------------------------------------------------------
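/* Driver unload: removes the Win32 symbolic link first (so no new opens can
 * reach the device) and then the device object created in DriverEntry.
 * Fix over the original: the \DosDevices path literal had lost its backslashes,
 * so the link being deleted was not the one DriverEntry created. */
VOID utyDriverUnloAd(IN PDRIVER_OBJECT DriverObject)
{
 UNICODE_STRING dosLink;

 UNREFERENCED_PARAMETER(DriverObject);

 /* Would restore the original NtReadFile entry if the hook were enabled. */
 //InterlockedExchange((PLONG)KeServiceDescriptorTable->ntoskrnl.ServiceTable+ 151,(LONG)temp);

 RtlInitUnicodeString(&dosLink, L"\\DosDevices\\utyDriver");
 (VOID) IoDeleteSymbolicLink(&dosLink);

 IoDeleteDevice(utyDriverDeviceObject);
}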
//-------------------------------------------------------------------------------------
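/* Dispatch for IRP_MJ_CREATE/CLOSE/READ/WRITE: completes every request with
 * STATUS_SUCCESS and zero bytes transferred.
 *
 * Fix over the original: it returned Irp->IoStatus.Status *after*
 * IoCompleteRequest, but the IRP may be freed as soon as it is completed, so
 * that read was a use-after-free. Information is also set explicitly. */
NTSTATUS utyDriverIO(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp)
{
 UNREFERENCED_PARAMETER(DeviceObject);

 Irp->IoStatus.Status = STATUS_SUCCESS;
 Irp->IoStatus.Information = 0;   /* no data is ever transferred here */
 IoCompleteRequest(Irp, IO_NO_INCREMENT);
 /* Do not touch Irp after completion. */
 return STATUS_SUCCESS;
}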
//-------------------------------------------------------------------------------------
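/* Dispatch for IRP_MJ_DEVICE_CONTROL. UTY_HOOK returns a fixed greeting in the
 * caller's output buffer; every other code fails with STATUS_INVALID_DEVICE_REQUEST.
 *
 * Fixes over the original, which trusted user-supplied lengths:
 *  - OutputBufferLength (chosen by the user-mode caller) was never checked
 *    before writing 30 bytes into SystemBuffer -> kernel pool overflow for a
 *    short nOutBufferSize, NULL dereference for a zero one;
 *  - 30 bytes were copied from a 28-byte literal (2-byte over-read);
 *  - IoStatus.Information was set to 30 and Status to SUCCESS for *every*
 *    code, so an unknown IOCTL copied 30 bytes of uninitialised pool memory
 *    back to user mode;
 *  - out_size was a file-scope global written without synchronization. */
NTSTATUS utyDriverIOControl(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp)
{
 static const CHAR kernelReply[] = "hi ,this is from the kernel";   /* 28 bytes incl. NUL */
 PIO_STACK_LOCATION stAck;
 UCHAR *out_buffer;
 ULONG out_len;
 ULONG code;
 NTSTATUS ret;
 ULONG_PTR info = 0;

 UNREFERENCED_PARAMETER(DeviceObject);

 stAck = IoGetCurrentIrpStackLocation(Irp);
 out_len = stAck->Parameters.DeviceIoControl.OutputBufferLength;
 code = stAck->Parameters.DeviceIoControl.IoControlCode;
 /* UTY_HOOK (bare 2048) decodes to METHOD_BUFFERED, so SystemBuffer is the
  * kernel copy of the caller's buffer, sized max(in, out) and NULL if both are 0. */
 out_buffer = (UCHAR *)Irp->AssociatedIrp.SystemBuffer;

 switch (code)
 {
 case UTY_HOOK:
  if (out_buffer == NULL || out_len < sizeof kernelReply) {
   ret = STATUS_BUFFER_TOO_SMALL;
   break;
  }
  RtlCopyBytes(out_buffer, kernelReply, sizeof kernelReply);
  info = sizeof kernelReply;
  ret = STATUS_SUCCESS;
  break;

 default:
  ret = STATUS_INVALID_DEVICE_REQUEST;
  break;
 }

 /* Information is the byte count the I/O manager copies back to the user
  * buffer: it must never exceed what was actually written (0 on failure). */
 Irp->IoStatus.Status      = ret;
 Irp->IoStatus.Information = info;

 IoCompleteRequest (Irp, IO_NO_INCREMENT);
 return ret;
}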
//-------------------------------------------------------------------------------------
/* Replacement NtReadFile for the SSDT hook. Never reached as posted: the
 * InterlockedExchange lines in DriverEntry that would install it are
 * commented out.
 *
 * NOTE(review): as written it returns STATUS_SUCCESS without reading anything,
 * never writes IoStatusBlock and never forwards to the original service (the
 * entry saved in `temp`). If it were installed, every NtReadFile on the system
 * would report success with no data. */
//NTSYSAPI
NTSTATUS
//NTAPI
utyNtReadFile(

  IN HANDLE               FileHandle,
  IN HANDLE               Event OPTIONAL,
  IN PIO_APC_ROUTINE      ApcRoutine OPTIONAL,
  IN PVOID                ApcContext OPTIONAL,
  OUT PIO_STATUS_BLOCK    IoStatusBlock,
  OUT PVOID               Buffer,
  IN ULONG                Length,
  IN PLARGE_INTEGER       ByteOffset OPTIONAL,
  IN PULONG               Key OPTIONAL )
{
 /* Disabled attempt to log the file name behind FileHandle.
  * NOTE(review) on the commented code: ObReferenceObjectByHandle expects a
  * PVOID* for the object (here hAndle_object is passed by value, cast to
  * void*); AccessMode 0 is KernelMode, which skips the caller's handle
  * access check; the reference is never released; and tempbuf is a CHAR
  * array, not an ANSI_STRING, so the cast to PANSI_STRING would make
  * RtlUnicodeStringToAnsiString treat its first bytes as a string header. */
 /*if(NT_SUCCESS(ObReferenceObjectByHandle(FileHandle,0x80000000,0,0,
           (void *)hAndle_object,0))){
  RtlUnicodeStringToAnsiString((PANSI_STRING)tempbuf,(PUNICODE_STRING)&hAndle_object->FileName,FALSE);
  //RtlCopyString(tempbuf,(char*)hAndle_object->FileName);

 }*/

 return STATUS_SUCCESS;
}
//-------------------------------------------------------------------------------------

最主要的就是

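/* Dispatch for IRP_MJ_DEVICE_CONTROL (annotated walk-through of the routine
 * above). UTY_HOOK returns a fixed greeting; any other code is rejected.
 *
 * Fixes over the original: OutputBufferLength -- a value chosen by the
 * user-mode caller -- is now validated before SystemBuffer is written (a short
 * nOutBufferSize used to overflow the pool allocation, a zero one dereferenced
 * NULL); the copy uses the literal's real size (28) instead of 30; unknown
 * codes no longer report SUCCESS with Information = 30, which returned 30 bytes
 * of uninitialised pool memory to user mode; the out_size global is gone. */
NTSTATUS utyDriverIOControl(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp)
{
 static const CHAR kernelReply[] = "hi ,this is from the kernel";   /* 28 bytes incl. NUL */
 PIO_STACK_LOCATION stAck;
 UCHAR *out_buffer;
 ULONG out_len;
 ULONG code;
 NTSTATUS ret;
 ULONG_PTR info = 0;

 UNREFERENCED_PARAMETER(DeviceObject);

 /* In a layered stack (PDO / FDO / filter DO) this fetches the stack location
  * that belongs to this driver. */
 stAck = IoGetCurrentIrpStackLocation(Irp);

 /* Matches the nOutBufferSize argument of DeviceIoControl; the other
  * Parameters.DeviceIoControl fields map one-to-one onto the remaining
  * DeviceIoControl arguments. It is caller-controlled and must be checked. */
 out_len = stAck->Parameters.DeviceIoControl.OutputBufferLength;

 code = stAck->Parameters.DeviceIoControl.IoControlCode;

 /* For METHOD_BUFFERED (which bare 2048 decodes to) the data from user mode
  * arrives in SystemBuffer and the reply goes back through the same buffer
  * (verified experimentally: bytes written by the user-mode app show up here).
  * It is sized max(in, out) and is NULL when both lengths are 0. */
 out_buffer = (UCHAR *)Irp->AssociatedIrp.SystemBuffer;

 switch (code)
 {
 case UTY_HOOK:
  if (out_buffer == NULL || out_len < sizeof kernelReply) {
   ret = STATUS_BUFFER_TOO_SMALL;
   break;
  }
  RtlCopyBytes(out_buffer, kernelReply, sizeof kernelReply);
  /* IoStatus.Information is the number of bytes to hand back; with 0 the
   * user-mode returnsize is 0 and nothing is copied to the caller's buffer.
   * It must never exceed what was actually written. */
  info = sizeof kernelReply;
  ret = STATUS_SUCCESS;
  break;

 default:
  ret = STATUS_INVALID_DEVICE_REQUEST;
  break;
 }

 Irp->IoStatus.Status      = ret;
 Irp->IoStatus.Information = info;

 /* This completion call matters: without it the user-mode call never returns
  * and the driver cannot be unloaded. IoCompleteRequest returns the IRP to the
  * I/O manager, which finishes the request. On IRP vs. IO_STACK_LOCATION (from
  * "Windows Operating System Principles"): whenever a kernel-mode component
  * creates an IRP it also creates an associated I/O stack; each stack location
  * (IO_STACK_LOCATION) belongs to one driver that will handle the IRP, and a
  * driver obtains its own location with IoGetCurrentIrpStackLocation(). */
 IoCompleteRequest (Irp, IO_NO_INCREMENT);
 return ret;
}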
//-------------------------------------------------------------------------------------
都是好歹弄上去的,

下一步该利用这些来弄些有用的东西出来了。不过在往上叠功能之前有两点要先补上:一是现在这个设备没有设安全描述符,任何本地用户都能打开它并发 IOCTL;二是 IOCTL 处理函数要先检查 OutputBufferLength 再往 SystemBuffer 写,并且只有真正写了数据时才把 IoStatus.Information 设成写入的字节数,否则就是内核堆溢出和内核内存泄露给用户态。
