哎,回頭一看其實也沒啥... 接着昨天的
#include <stdio.h>
#include <windows.h>
#define UTY_HOOK 2048
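/*
 * User-mode test client: opens the driver's control device, issues the
 * UTY_HOOK control code and prints what the kernel sent back.
 *
 * Fixes over the first version: buf is 1024 chars, not 1024 char pointers;
 * the handle is checked and closed; the DeviceIoControl result and
 * GetLastError are captured before anything else can overwrite them;
 * DWORDs are printed with %lu; the returned data is clamped and
 * NUL-terminated before it is passed to "%s", because nothing forces the
 * driver to return a terminated string.
 *
 * Returns 0 when the IOCTL succeeded, 1 otherwise.
 */
int main(void)
{
    HANDLE hAndle;
    char buf[1024];             /* bytes, not pointers */
    DWORD returnsize = 0;
    DWORD err;
    BOOL ok;

    /* "\\\\.\\utyDriver" is the C spelling of \\.\utyDriver, the Win32
     * alias the driver creates as \DosDevices\utyDriver. */
    hAndle = CreateFile("\\\\.\\utyDriver",
                        GENERIC_READ,
                        FILE_SHARE_READ | FILE_SHARE_WRITE,
                        NULL, OPEN_EXISTING,
                        FILE_ATTRIBUTE_NORMAL, NULL);
    if (hAndle == INVALID_HANDLE_VALUE) {
        printf("CreateFile failed: %lu\n", GetLastError());
        return 1;
    }

    /* No input; one byte of the output buffer is reserved for the NUL that
     * is appended below, so the driver can never fill it completely. */
    ok = DeviceIoControl(hAndle, UTY_HOOK, NULL, 0,
                         buf, (DWORD)(sizeof buf - 1), &returnsize, NULL);
    err = GetLastError();       /* save immediately; printf may clobber it */

    printf("%lu\n", err);
    printf("%lu\n", returnsize);
    if (ok) {
        /* Treat the kernel-reported byte count as untrusted: clamp it to the
         * buffer before using it as an index. */
        if (returnsize > sizeof buf - 1) {
            returnsize = (DWORD)(sizeof buf - 1);
        }
        buf[returnsize] = '\0';
        printf("%s\n", buf);
    }

    CloseHandle(hAndle);
    return ok ? 0 : 1;
}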
//--------------------------------------------------------------------
這是user-mode APP,把驅動LOAD進去後,用creAteFile打開一個句柄,再用DeviceIoControl控制,控制碼是在驅動和user-modeAPP裏都定義的#define UTY_HOOK 2048,因爲在sdk的頭文件WINIOCTL.H裏有
//
// Macro definition for defining IOCTL and FSCTL function control codes. Note
// that function codes 0-2047 are reserved for Microsoft Corporation, and
// 2048-4095 are reserved for customers.
//
#define CTL_CODE( DeviceType, Function, Method, Access ) ( \
((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method) \
)
所以UTY_HOOK用了2048
驅動部分再貼一次,也不HOOK了,
#include <ntddk.h>
//#pragma comment (lib,"ntdll.lib")
// Entry point of one system service routine (the element type of a service
// table). The empty "()" leaves the argument list unspecified.
typedef NTSTATUS (NTAPI *NTPROC) ();
// Pointer into an array of service entry points.
typedef NTPROC *PNTPROC;
// Size of one service-table slot.
#define NTPROC_ sizeof (NTPROC)
// Raw control code shared with the user-mode program. Read through CTL_CODE's
// bit layout, 2048 (0x800) means DeviceType 0, Access 0 (FILE_ANY_ACCESS --
// no particular access right is needed on the handle), Function 512 and
// Method 0 (METHOD_BUFFERED), which is why utyDriverIOControl reads and
// writes Irp->AssociatedIrp.SystemBuffer.
#define UTY_HOOK 2048
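// Layout of one system service table, as referenced through
// KeServiceDescriptorTable below. The /*0xx*/ offsets assume 4-byte pointers
// (32-bit kernel); on a 64-bit kernel the pointer fields grow and the
// offsets no longer match -- do not rely on them in code.
//
// Fix: ArgumentTable is a pointer to an array of byte counts (one per
// service), as its comment and the 0x10 end offset say; it was declared as
// a single UCHAR, which happened to keep sizeof unchanged on 32-bit only
// because of padding.
typedef struct _SYSTEM_SERVICE_TABLE
{
/*000*/ PNTPROC ServiceTable;  // array of entry points, indexed by service number
/*004*/ LONG*   CounterTable;  // array of usage counters
/*008*/ LONG    ServiceLimit;  // number of table entries; any index into
                               // ServiceTable must be checked against this
/*00C*/ PUCHAR  ArgumentTable; // array of byte counts (argument bytes per service)
/*010*/ }
SYSTEM_SERVICE_TABLE,
* PSYSTEM_SERVICE_TABLE,
**PPSYSTEM_SERVICE_TABLE;
// Backslash restored: the line continuation had been rendered as "/".
#define SYSTEM_SERVICE_TABLE_ \
sizeof (SYSTEM_SERVICE_TABLE)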
//--------------------------------------------------------------------
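// The descriptor table that groups the service tables. Offsets are for a
// 32-bit kernel (each SYSTEM_SERVICE_TABLE is 0x10 bytes there).
typedef struct _SERVICE_DESCRIPTOR_TABLE
{
/*000*/ SYSTEM_SERVICE_TABLE ntoskrnl; // ntoskrnl.exe (native api) -- the
                                       // table the disabled hook in
                                       // DriverEntry indexes
/*010*/ SYSTEM_SERVICE_TABLE win32k;   // win32k.sys (gdi/user)
/*020*/ SYSTEM_SERVICE_TABLE Table3;   // not used
/*030*/ SYSTEM_SERVICE_TABLE Table4;   // not used
/*040*/ }
SERVICE_DESCRIPTOR_TABLE,
* PSERVICE_DESCRIPTOR_TABLE,
**PPSERVICE_DESCRIPTOR_TABLE;
// Backslash restored: the line continuation had been rendered as "/".
#define SERVICE_DESCRIPTOR_TABLE_ \
sizeof (SERVICE_DESCRIPTOR_TABLE)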
//--------------------------------------------------------------------
// The kernel's service descriptor table. Whether the symbol can be reached by
// a plain extern depends on the kernel build the offsets above were written
// for -- NOTE(review): confirm for the target platform before re-enabling
// the hook in DriverEntry.
extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;
// Dispatch and unload routines installed by DriverEntry.
VOID utyDriverUnloAd(IN PDRIVER_OBJECT DriverObject);
NTSTATUS utyDriverIO(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp);
NTSTATUS utyDriverIOControl(IN PDEVICE_OBJECT,IN PIRP Irp);
// Replacement for NtReadFile with the same signature. Only the disabled
// InterlockedExchange lines in DriverEntry would ever install it.
//NTSYSAPI
NTSTATUS
//NTAPI
utyNtReadFile(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID Buffer,
IN ULONG Length,
IN PLARGE_INTEGER ByteOffset OPTIONAL,
IN PULONG Key OPTIONAL );
// File-scope state. Nothing below is protected by a lock and all of it is
// shared by every request the driver handles -- NOTE(review): dispatch
// routines may run concurrently, so treat these as racy if they ever carry
// real data.
PDEVICE_OBJECT utyDriverDeviceObject = NULL; // the single device created in DriverEntry
ULONG out_size;             // last OutputBufferLength seen by utyDriverIOControl
PFILE_OBJECT hAndle_object; // only referenced by the disabled code in utyNtReadFile
LONG temp;                  // saved original service-table entry (disabled hook)
CHAR tempbuf[1024];         // scratch buffer for the disabled filename lookup
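// Driver entry point: creates \Device\utyDriver, exposes it to user mode as
// \DosDevices\utyDriver and installs the dispatch table.
//
// DriverObject  - driver object supplied by the I/O manager.
// RegistryPAth  - the driver's service key; not used here.
//
// Returns STATUS_SUCCESS, or the NTSTATUS of the IoCreateDevice /
// IoCreateSymbolicLink call that failed. The first version returned
// STATUS_NO_SUCH_DEVICE for either failure (hiding the real cause) and left
// the device object allocated when only the symbolic link failed.
NTSTATUS DriverEntry (PDRIVER_OBJECT DriverObject,
PUNICODE_STRING RegistryPAth)
{
    UNICODE_STRING ntDeviceNAme;
    UNICODE_STRING win32DeviceNAme;
    NTSTATUS stAtus;

    UNREFERENCED_PARAMETER(RegistryPAth);

    // NT object-manager name of the device ("\\" is a single backslash).
    RtlInitUnicodeString(&ntDeviceNAme, L"\\Device\\utyDriver");
    stAtus = IoCreateDevice(DriverObject, 0, &ntDeviceNAme,
                            FILE_DEVICE_UNKNOWN, 0, FALSE,
                            &utyDriverDeviceObject);
    if (!NT_SUCCESS(stAtus)) {
        return stAtus;
    }

    // Buffered I/O for read/write; IOCTL buffering is decided by the control
    // code's method bits (UTY_HOOK decodes to METHOD_BUFFERED).
    utyDriverDeviceObject->Flags |= DO_BUFFERED_IO;

    // Win32-visible alias so CreateFile("\\\\.\\utyDriver") can open it.
    // No security descriptor is applied here, so any local user can open the
    // device and send it control codes; a production driver would restrict
    // that (for example with IoCreateDeviceSecure and an SDDL string).
    RtlInitUnicodeString(&win32DeviceNAme, L"\\DosDevices\\utyDriver");
    stAtus = IoCreateSymbolicLink(&win32DeviceNAme, &ntDeviceNAme);
    if (!NT_SUCCESS(stAtus)) {
        // Undo the device creation so a failed load leaves nothing behind.
        IoDeleteDevice(utyDriverDeviceObject);
        utyDriverDeviceObject = NULL;
        return stAtus;
    }

    DriverObject->MajorFunction[IRP_MJ_CREATE]         = utyDriverIO;
    DriverObject->MajorFunction[IRP_MJ_CLOSE]          = utyDriverIO;
    DriverObject->MajorFunction[IRP_MJ_READ]           = utyDriverIO;
    DriverObject->MajorFunction[IRP_MJ_WRITE]          = utyDriverIO;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = utyDriverIOControl;
    DriverObject->DriverUnload = utyDriverUnloAd;

    // Service-table hook, left disabled. It would save entry 151 of the
    // ntoskrnl table and overwrite it with utyNtReadFile. The index is
    // hard-coded, is never checked against ServiceLimit, and utyNtReadFile
    // does not forward to the routine it replaces, so enabling this would
    // break every read in the system.
    //InterlockedExchange((PLONG)&temp,*((LONG*)KeServiceDescriptorTable->ntoskrnl.ServiceTable+ 151));
    //InterlockedExchange((PLONG)KeServiceDescriptorTable->ntoskrnl.ServiceTable+ 151,(LONG)utyNtReadFile);

    return STATUS_SUCCESS;
}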
//-------------------------------------------------------------------------------------
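// Unload routine: removes the Win32 alias and the device object that
// DriverEntry created. DriverObject itself is not needed because the device
// pointer is kept in the file-scope utyDriverDeviceObject.
//
// Fix: the symbolic-link name had its backslashes rendered as "/", so the
// link would never have been found and deleted.
VOID utyDriverUnloAd(IN PDRIVER_OBJECT DriverObject)
{
    UNICODE_STRING win32DeviceNAme;

    UNREFERENCED_PARAMETER(DriverObject);

    // Would restore the saved service-table entry; disabled together with the
    // hook in DriverEntry.
    //InterlockedExchange((PLONG)KeServiceDescriptorTable->ntoskrnl.ServiceTable+ 151,(LONG)temp);

    RtlInitUnicodeString(&win32DeviceNAme, L"\\DosDevices\\utyDriver");
    // Nothing useful can be done if this fails during unload, so the status
    // is deliberately not checked.
    IoDeleteSymbolicLink(&win32DeviceNAme);

    if (utyDriverDeviceObject != NULL) {
        IoDeleteDevice(utyDriverDeviceObject);
        utyDriverDeviceObject = NULL;
    }
}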
//-------------------------------------------------------------------------------------
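// Shared handler for IRP_MJ_CREATE/CLOSE/READ/WRITE: completes the request
// at once with STATUS_SUCCESS and zero bytes transferred.
//
// Fix: the first version read Irp->IoStatus.Status back after
// IoCompleteRequest; once an IRP is completed it may already be freed, so the
// status is returned from a local instead.
NTSTATUS utyDriverIO(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp)
{
    const NTSTATUS result = STATUS_SUCCESS;

    UNREFERENCED_PARAMETER(DeviceObject);

    Irp->IoStatus.Status = result;
    Irp->IoStatus.Information = 0;   // no data moved for any of these majors
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return result;                   // must match what was stored in the IRP
}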
//-------------------------------------------------------------------------------------
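// IRP_MJ_DEVICE_CONTROL handler. The only supported code is UTY_HOOK, which
// copies a fixed greeting into the caller's output buffer. UTY_HOOK decodes to
// METHOD_BUFFERED, so input and output share Irp->AssociatedIrp.SystemBuffer.
//
// Returns the completion status; Irp->IoStatus.Information is the byte count
// the I/O manager copies back to user mode.
//
// Fixes over the first version:
//  - The output length is checked before writing. SystemBuffer is only as
//    large as the caller's buffers, so copying 30 bytes unconditionally was a
//    kernel pool overflow reachable from any user-mode caller.
//  - The copy length is sizeof the literal (28 bytes incl. NUL); 30 read two
//    bytes past the end of the string.
//  - Unknown control codes now fail with STATUS_INVALID_DEVICE_REQUEST and
//    Information = 0 instead of reporting success with 30 bytes, which may
//    have copied unrelated SystemBuffer contents back to the caller.
NTSTATUS utyDriverIOControl(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp)
{
    static const CHAR greeting[] = "hi ,this is from the kernel";
    PIO_STACK_LOCATION stAck;
    UCHAR *out_buffer;
    ULONG code;
    ULONG out_len;
    NTSTATUS ret;
    ULONG_PTR written = 0;

    UNREFERENCED_PARAMETER(DeviceObject);

    // This driver's own stack location in the IRP.
    stAck = IoGetCurrentIrpStackLocation(Irp);
    code = stAck->Parameters.DeviceIoControl.IoControlCode;
    out_len = stAck->Parameters.DeviceIoControl.OutputBufferLength;
    out_buffer = Irp->AssociatedIrp.SystemBuffer;
    out_size = out_len;   // file-scope copy kept for the rest of the file

    switch (code) {
    case UTY_HOOK:
        if (out_buffer == NULL || out_len < sizeof greeting) {
            // Caller's buffer cannot hold the message; write nothing.
            ret = STATUS_BUFFER_TOO_SMALL;
        } else {
            RtlCopyBytes(out_buffer, greeting, sizeof greeting);
            written = sizeof greeting;   // 28 bytes, NUL included
            ret = STATUS_SUCCESS;
        }
        break;
    default:
        ret = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    Irp->IoStatus.Status = ret;
    Irp->IoStatus.Information = written;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return ret;   // must equal Irp->IoStatus.Status; IRP is not touched after completion
}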
//-------------------------------------------------------------------------------------
//NTSYSAPI
// Stand-in for NtReadFile with the same signature. It does not call the
// routine it would replace, so if the disabled hook in DriverEntry were ever
// enabled every NtReadFile in the system would report success without
// reading anything. Currently nothing installs it.
//NTSYSAPI
NTSTATUS
//NTAPI
utyNtReadFile(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID Buffer,
IN ULONG Length,
IN PLARGE_INTEGER ByteOffset OPTIONAL,
IN PULONG Key OPTIONAL )
{
    UNREFERENCED_PARAMETER(FileHandle);
    UNREFERENCED_PARAMETER(Event);
    UNREFERENCED_PARAMETER(ApcRoutine);
    UNREFERENCED_PARAMETER(ApcContext);
    UNREFERENCED_PARAMETER(IoStatusBlock);
    UNREFERENCED_PARAMETER(Buffer);
    UNREFERENCED_PARAMETER(Length);
    UNREFERENCED_PARAMETER(ByteOffset);
    UNREFERENCED_PARAMETER(Key);

    // Earlier, disabled attempt to record the name of the file being read:
    //   ObReferenceObjectByHandle(FileHandle, 0x80000000, 0, 0, (void *)hAndle_object, 0)
    //   RtlUnicodeStringToAnsiString((PANSI_STRING)tempbuf, &hAndle_object->FileName, FALSE)
    // It passes hAndle_object by value where the API expects the address of
    // the pointer to fill in, casts a plain CHAR array to PANSI_STRING, and
    // never releases the object reference -- it stays off.

    return STATUS_SUCCESS;
}
//-------------------------------------------------------------------------------------
最主要的就是
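// IRP_MJ_DEVICE_CONTROL handler (annotated copy). The only supported code is
// UTY_HOOK, which copies a fixed greeting into the caller's output buffer.
// UTY_HOOK decodes to METHOD_BUFFERED, so the buffer that came from user mode
// and the buffer going back to user mode are the same
// Irp->AssociatedIrp.SystemBuffer -- tried it: user-mode data reaches the
// kernel through it.
//
// Returns the completion status; Irp->IoStatus.Information says how many
// bytes go back -- when it is 0, user mode sees returnsize == 0 and nothing
// in its buffer.
//
// Fixes over the first version: the output length is checked before writing
// (SystemBuffer is only as large as the caller's buffers, so an unconditional
// 30-byte copy was a kernel pool overflow reachable from user mode); the copy
// length is sizeof the literal (28 bytes, NUL included) rather than 30, which
// read past the end of the string; unknown control codes fail instead of
// reporting success with 30 bytes.
NTSTATUS utyDriverIOControl(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp)
{
    static const CHAR greeting[] = "hi ,this is from the kernel";
    PIO_STACK_LOCATION stAck;
    UCHAR *out_buffer;
    ULONG code;
    ULONG out_len;
    NTSTATUS ret;
    ULONG_PTR written = 0;

    UNREFERENCED_PARAMETER(DeviceObject);

    // In a layered stack (PDO, FDO, filter DOs ...) this yields the stack
    // location that belongs to this driver.
    stAck = IoGetCurrentIrpStackLocation(Irp);
    code = stAck->Parameters.DeviceIoControl.IoControlCode;
    // Corresponds one-to-one to DeviceIoControl's nOutBufferSize; the other
    // Parameters.DeviceIoControl fields map to DeviceIoControl's arguments
    // the same way.
    out_len = stAck->Parameters.DeviceIoControl.OutputBufferLength;
    out_buffer = Irp->AssociatedIrp.SystemBuffer;
    out_size = out_len;   // file-scope copy kept for the rest of the file

    switch (code) {
    case UTY_HOOK:
        if (out_buffer == NULL || out_len < sizeof greeting) {
            // Caller's buffer cannot hold the message; write nothing.
            ret = STATUS_BUFFER_TOO_SMALL;
        } else {
            RtlCopyBytes(out_buffer, greeting, sizeof greeting);
            written = sizeof greeting;   // 28 bytes, NUL included
            ret = STATUS_SUCCESS;
        }
        break;
    default:
        ret = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    Irp->IoStatus.Status = ret;
    Irp->IoStatus.Information = written;
    // Completing the IRP matters: without it the user-mode call never returns
    // and the driver cannot be unloaded. It hands the IRP back to the I/O
    // manager, finishing the request. On IRPs vs. IO_STACK_LOCATION (from
    // "Windows Operating System Principles"): whenever a kernel-mode
    // component creates an IRP it also creates an associated I/O stack; each
    // stack location, described by IO_STACK_LOCATION, corresponds to one
    // driver that will process the IRP, and a driver finds its own location
    // with IoGetCurrentIrpStackLocation, which returns a pointer to it.
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return ret;   // must equal Irp->IoStatus.Status; IRP is not touched after completion
}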
//-------------------------------------------------------------------------------------
都是好歹弄上去的,
下一步該利用這些來弄些有用的東西出來了