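#include "type.h"
#include "TSinjoy.h"
#include "Ioctl.h"
#include "DataType.h"
#include /* header name lost: the angle-bracket text was stripped when the page was extracted; restore it from the project */

/*
 * Control request currently being handled by TSinjoyDeviceIoControlDispatch.
 * It points into the IRP's system buffer, so it is only valid while that
 * request is being processed and is NULL otherwise.
 */
DataControl *CData;

/* TRUE while the process monitor (type 1) has been switched on. */
BOOLEAN bProcMon = FALSE;

/*
 * Driver entry point.
 *
 * Creates the control device and its Win32 symbolic link, registers the
 * create/close/device-control dispatch routines and the unload routine, then
 * looks up ZwCreateProcessEx in ntdll.dll to obtain its service index and
 * records the current service-table entry in RealZwCreateProcess.
 *
 * Returns the failing NTSTATUS if the device or link cannot be created, and
 * STATUS_UNSUCCESSFUL if the ntdll lookup yields no address. On every failure
 * path the objects created so far are deleted again.
 */
NTSTATUS
DriverEntry(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    )
{
    NTSTATUS status;
    PDEVICE_OBJECT deviceObject;
    UNICODE_STRING ntName;
    UNICODE_STRING win32Name;

    RtlInitUnicodeString(&ntName, DeviceName);

    /*
     * FILE_DEVICE_SECURE_OPEN makes the I/O manager apply the device's ACL to
     * every open in the device namespace.
     * NOTE(review): the device still gets the default security descriptor. If
     * IOCTL_HOOK is defined with FILE_ANY_ACCESS (Ioctl.h is not shown here),
     * any local user who can open the link can toggle the monitor. Consider
     * IoCreateDeviceSecure with an administrators-only SDDL string.
     */
    status = IoCreateDevice(DriverObject,
                            sizeof(TSINJOY_DEVICE_EXTENSION),
                            &ntName,
                            FILE_DEVICE_UNKNOWN,
                            FILE_DEVICE_SECURE_OPEN,
                            FALSE,
                            &deviceObject);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    DriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = TSinjoyDeviceIoControlDispatch;
    DriverObject->DriverUnload = TSinjoyUnload;

    RtlInitUnicodeString(&win32Name, LinkName);
    status = IoCreateSymbolicLink(&win32Name, &ntName);
    if (!NT_SUCCESS(status)) {
        IoDeleteDevice(deviceObject);
        return status;
    }

    /*
     * NOTE(review): the path hard-codes the first hard-disk volume, and the
     * file on disk is trusted as-is. On a machine laid out differently the
     * lookup below is expected to fail.
     */
    RtlInitUnicodeString(&dllName, L"\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll");

    BaseAddress = GetDllFunctionAddress("ZwCreateProcessEx", &dllName);
    if (!BaseAddress) {
        /*
         * Presumably GetDllFunctionAddress returns 0/NULL on failure; confirm
         * against its definition. Without this check the read below would
         * dereference address 1 in kernel mode and bugcheck the machine.
         */
        IoDeleteSymbolicLink(&win32Name);
        IoDeleteDevice(deviceObject);
        return STATUS_UNSUCCESSFUL;
    }

    /*
     * The 16-bit value one byte into the export is taken as the service index.
     * NOTE(review): this relies on a specific 32-bit x86 stub layout and is not
     * validated. The index should be range-checked against the service table's
     * entry count before it is used to index ServiceTableBase.
     */
    CreateProcessposition = *((WORD *)(BaseAddress + 1));

    RealZwCreateProcess =
        (ZWCREATEPROCESS)(*(((PServiceDescriptorTableEntry)KeServiceDescriptorTable)->ServiceTableBase
                            + CreateProcessposition));

    return status;
}

/*
 * Unload routine: switches off any active monitor first, so no hook is left
 * pointing into this image, then removes the symbolic link and the device.
 */
VOID
TSinjoyUnload(
    IN PDRIVER_OBJECT DriverObject
    )
{
    UNICODE_STRING win32Name;

    UnHookAll();

    RtlInitUnicodeString(&win32Name, LinkName);
    IoDeleteSymbolicLink(&win32Name);

    IoDeleteDevice(DriverObject->DeviceObject);
    ASSERT(DriverObject->DeviceObject == NULL);
}

/*
 * IRP_MJ_DEVICE_CONTROL handler.
 *
 * IOCTL_HOOK expects exactly one DataControl structure in the system buffer:
 * Hookon == 1 switches monitor type Sty on, Hookon == 0 switches it off.
 * A missing buffer, a wrong length or any other Hookon value is rejected with
 * STATUS_INVALID_PARAMETER instead of being reported as success.
 * IOCTL_DataOut and IOCTL_DataIn are empty stubs and now complete with
 * STATUS_NOT_IMPLEMENTED; previously they returned an uninitialized status.
 * Any other control code completes with STATUS_INVALID_DEVICE_REQUEST.
 *
 * NOTE(review): reading Irp->AssociatedIrp.SystemBuffer assumes IOCTL_HOOK is
 * a METHOD_BUFFERED code; confirm in Ioctl.h.
 * NOTE(review): CData and bProcMon are unsynchronized globals, so concurrent
 * requests can race on them.
 */
NTSTATUS
TSinjoyDeviceIoControlDispatch(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    )
{
    PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation(Irp);
    ULONG inputLength = irpStack->Parameters.DeviceIoControl.InputBufferLength;
    DataControl *request;
    NTSTATUS status;

    switch (irpStack->Parameters.DeviceIoControl.IoControlCode) {
    case IOCTL_HOOK:
        request = (DataControl *)Irp->AssociatedIrp.SystemBuffer;
        if (request == NULL || inputLength != sizeof(DataControl)) {
            status = STATUS_INVALID_PARAMETER;
            break;
        }

        /* Published only for the duration of this request. */
        CData = request;

        if (request->Hookon == 1) {
            SetHook(request->Sty);
            status = STATUS_SUCCESS;
        } else if (request->Hookon == 0) {
            SetUnHook(request->Sty);
            status = STATUS_SUCCESS;
        } else {
            status = STATUS_INVALID_PARAMETER;
        }

        /*
         * The system buffer is released when the IRP completes; do not leave
         * a dangling pointer to it in the global.
         */
        CData = NULL;
        break;

    case IOCTL_DataOut:
    case IOCTL_DataIn:
        /* Reserved codes with no implementation yet. */
        status = STATUS_NOT_IMPLEMENTED;
        break;

    default:
        status = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = 0;  /* no output data is ever returned */
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}

/* IRP_MJ_CREATE handler: every open is completed successfully. */
NTSTATUS
DispatchCreate(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp)
{
    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

/* IRP_MJ_CLOSE handler: every close is completed successfully. */
NTSTATUS
DispatchClose(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp)
{
    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

/*
 * Switches monitor type Num on. Only type 1 (process monitor) is handled;
 * other values are ignored. Calling it while the monitor is already on does
 * not call ProcMoniterOn a second time.
 */
VOID
SetHook(unsigned int Num)
{
    if (Num == 1) {
        if (!bProcMon) {
            ProcMoniterOn();
        }
        bProcMon = TRUE;
    }
}

/*
 * Switches monitor type Num off. Only type 1 (process monitor) is handled;
 * other values are ignored. ProcMoniterOff is called only if the monitor is
 * currently on.
 */
VOID
SetUnHook(unsigned int Num)
{
    if (Num == 1) {
        if (bProcMon) {
            ProcMoniterOff();
        }
        bProcMon = FALSE;
    }
}

/* Switches off every monitor that is currently on (used at unload). */
VOID
UnHookAll()
{
    if (bProcMon) {
        SetUnHook(1);
    }
}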