// dvKrnlData.c
//
// Generated by C DriverWizard 3.2.0 (Build 2485)
// Requires DDK Only
// File created on 9/12/2006
//
#include "pch.h"
#include "..\intrface.h"
// Exported by ntoskrnl; dvKrnlDataGetSST below reads its ntoskrnl member to
// copy the service table and argument table out to the caller.
extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;
// global data
// g_Data.RegistryPath holds the paged-pool copy of the RegistryPath string
// made in DriverEntry; it is released in dvKrnlDataUnload and on every
// DriverEntry failure path.
DVKRNLDATA_DATA g_Data;
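///////////////////////////////////////////////////////////////////////////////////////////////////
// DriverEntry
// Installable driver initialization entry point.
// This entry point is called directly by the I/O system.
//
// Copies RegistryPath into g_Data, installs the dispatch table, creates the
// \Device\dvKrnlDataDevice object with its \??\ symbolic link, and registers
// the device for shutdown notification.
//
// Arguments:
// IN DriverObject
// pointer to the driver object
//
// IN RegistryPath
// pointer to a unicode string representing the path,
// to driver-specific key in the registry.
//
// Return Value:
// STATUS_SUCCESS; STATUS_INSUFFICIENT_RESOURCES if the registry path copy
// cannot be allocated; otherwise the status of the failed IoCreateDevice or
// IoCreateSymbolicLink call. Everything acquired before a failure is
// released again before returning.
//
// NOTE(review): the device object is created with the default security
// descriptor and is reachable from user mode through the \??\ link. Since the
// IOCTLs it dispatches copy kernel memory (IDT, service table, caller-chosen
// addresses) back to the caller, it should be created with an explicit SDDL
// descriptor (IoCreateDeviceSecure) restricting opens to SYSTEM/administrators.
// This revision only adds FILE_DEVICE_SECURE_OPEN so that such a DACL, once
// present, also applies to opens that carry a trailing path component.
//
NTSTATUS DriverEntry(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    )
{
    NTSTATUS status;
    PDEVICE_OBJECT deviceObject;
    PDVKRNLDATA_DEVICE_EXTENSION deviceExtension;
    UNICODE_STRING ntName;
    UNICODE_STRING win32Name;

    dvKrnlDataDebugPrint(DBG_INIT, DBG_TRACE, __FUNCTION__"++");
    dvKrnlDataDebugPrint(DBG_INIT, DBG_INFO, "Compiled at %s on %s", __TIME__, __DATE__);
#ifdef DBG
    // DbgBreakPoint();
#endif
    RtlZeroMemory(&g_Data, sizeof(DVKRNLDATA_DATA));

    // Save the registry path. MaximumLength reserves room for one extra
    // UNICODE_NULL beyond the source length.
    g_Data.RegistryPath.Length = RegistryPath->Length;
    g_Data.RegistryPath.MaximumLength = RegistryPath->Length + sizeof(UNICODE_NULL);
    g_Data.RegistryPath.Buffer = (PWCHAR)ExAllocatePoolWithTag(
        PagedPool,
        g_Data.RegistryPath.MaximumLength,
        DVKRNLDATA_POOL_TAG
        );
    if (g_Data.RegistryPath.Buffer == NULL)
    {
        status = STATUS_INSUFFICIENT_RESOURCES;
        dvKrnlDataDebugPrint(DBG_INIT, DBG_ERR, __FUNCTION__": Failed to allocate memory for RegistryPath");
        return status;
    }
    RtlCopyUnicodeString(&g_Data.RegistryPath, RegistryPath);

    // Dispatch table for the driver object.
    DriverObject->MajorFunction[IRP_MJ_CREATE] = dvKrnlDataCreateDispatch;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = dvKrnlDataCloseDispatch;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = dvKrnlDataDeviceIoControlDispatch;
    DriverObject->MajorFunction[IRP_MJ_READ] = dvKrnlDataReadDispatch;
    DriverObject->MajorFunction[IRP_MJ_WRITE] = dvKrnlDataWriteDispatch;
    DriverObject->MajorFunction[IRP_MJ_SHUTDOWN] = dvKrnlDataShutdownDispatch;
    DriverObject->DriverUnload = dvKrnlDataUnload;

    // Create our function device object.
    RtlInitUnicodeString(&ntName, L"\\Device\\dvKrnlDataDevice");
    status = IoCreateDevice(
        DriverObject,
        sizeof(DVKRNLDATA_DEVICE_EXTENSION),
        &ntName,
        FILE_DEVICE_UNKNOWN,
        FILE_DEVICE_SECURE_OPEN,    // apply the device DACL to opens with a trailing name, too
        FALSE,
        &deviceObject
        );
    if (!NT_SUCCESS(status))
    {
        ExFreePool(g_Data.RegistryPath.Buffer);
        g_Data.RegistryPath.Buffer = NULL;
        dvKrnlDataDebugPrint(DBG_INIT, DBG_ERR, __FUNCTION__"--. STATUS %x", status);
        return status;
    }

    // Initialize the device extension: zero it and remember our device object.
    deviceExtension = (PDVKRNLDATA_DEVICE_EXTENSION)deviceObject->DeviceExtension;
    RtlZeroMemory(deviceExtension, sizeof(DVKRNLDATA_DEVICE_EXTENSION));
    deviceExtension->DeviceObject = deviceObject;

    // This flag sets the buffering method for reads and writes
    // to METHOD_BUFFERED. IOCTLs are handled by IO control codes
    // independent of the value of this flag.
    deviceObject->Flags |= DO_BUFFERED_IO;

    // User-mode visible name for the device.
    RtlInitUnicodeString(&win32Name, L"\\??\\dvKrnlDataDevice");
    status = IoCreateSymbolicLink(&win32Name, &ntName);
    if (!NT_SUCCESS(status))
    {
        IoDeleteDevice(deviceObject);
        ExFreePool(g_Data.RegistryPath.Buffer);
        g_Data.RegistryPath.Buffer = NULL;
        // Log this failure the same way the IoCreateDevice failure is logged.
        dvKrnlDataDebugPrint(DBG_INIT, DBG_ERR, __FUNCTION__"--. STATUS %x", status);
        return status;
    }

    IoRegisterShutdownNotification(deviceObject);
    dvKrnlDataDebugPrint(DBG_INIT, DBG_TRACE, __FUNCTION__"--. STATUS %x", status);
    return status;
}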
///////////////////////////////////////////////////////////////////////////////////////////////////
// dvKrnlDataCreateDispatch
// Dispatch routine for IRP_MJ_CREATE requests: bumps the device extension's
// open-handle count and completes the IRP with STATUS_SUCCESS.
//
// No caller check is made here; whoever can open the device object gets a
// handle and thereby access to every IOCTL below.
//
// Arguments:
// IN DeviceObject
// pointer to the device object for our device
//
// IN Irp
// the create IRP
//
// Return Value:
// Always STATUS_SUCCESS.
//
NTSTATUS dvKrnlDataCreateDispatch(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    )
{
    PDVKRNLDATA_DEVICE_EXTENSION devExt;
    NTSTATUS rc = STATUS_SUCCESS;

    dvKrnlDataDebugPrint(DBG_CREATECLOSE, DBG_TRACE, __FUNCTION__"++. IRP %p", Irp);

    // Account for the new handle before the IRP is completed.
    devExt = (PDVKRNLDATA_DEVICE_EXTENSION)DeviceObject->DeviceExtension;
    InterlockedIncrement(&devExt->OpenHandleCount);

    // Nothing is returned to the caller; complete immediately.
    Irp->IoStatus.Information = 0;
    Irp->IoStatus.Status = rc;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    dvKrnlDataDebugPrint(DBG_CREATECLOSE, DBG_TRACE, __FUNCTION__"--. IRP %p, STATUS %x", Irp, rc);
    return rc;
}
///////////////////////////////////////////////////////////////////////////////////////////////////
// dvKrnlDataCloseDispatch
// Dispatch routine for IRP_MJ_CLOSE requests: completes the IRP with
// STATUS_SUCCESS and then drops the device extension's open-handle count.
//
// Arguments:
// IN DeviceObject
// pointer to the device object for our device
//
// IN Irp
// the close IRP
//
// Return Value:
// Always STATUS_SUCCESS.
//
NTSTATUS dvKrnlDataCloseDispatch(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    )
{
    PDVKRNLDATA_DEVICE_EXTENSION devExt;
    NTSTATUS rc = STATUS_SUCCESS;

    dvKrnlDataDebugPrint(DBG_CREATECLOSE, DBG_TRACE, __FUNCTION__"++. IRP %p", Irp);
    devExt = (PDVKRNLDATA_DEVICE_EXTENSION)DeviceObject->DeviceExtension;

    Irp->IoStatus.Information = 0;
    Irp->IoStatus.Status = rc;
    IoCompleteRequest (Irp, IO_NO_INCREMENT);

    // The count is dropped after completion (the create path increments
    // before completing). devExt belongs to the device object, not to the
    // IRP, so it is still valid at this point.
    InterlockedDecrement(&devExt->OpenHandleCount);

    dvKrnlDataDebugPrint(DBG_CREATECLOSE, DBG_TRACE, __FUNCTION__"--. IRP %p, STATUS %x", Irp, rc);
    return rc;
}
///////////////////////////////////////////////////////////////////////////////////////////////////
// dvKrnlDataUnload
// Driver unload callback. Undoes DriverEntry in reverse order: removes the
// \??\ symbolic link, the shutdown registration and the device object, then
// releases the registry path copy held in g_Data.
//
// Arguments:
// IN DriverObject
// pointer to the driver object
//
// Return Value:
// none
//
VOID dvKrnlDataUnload(
    IN PDRIVER_OBJECT DriverObject
    )
{
    UNICODE_STRING symLink;

    dvKrnlDataDebugPrint(DBG_UNLOAD, DBG_TRACE, __FUNCTION__"++");

    RtlInitUnicodeString(&symLink, L"\\??\\dvKrnlDataDevice");
    IoDeleteSymbolicLink(&symLink);
    IoUnregisterShutdownNotification(DriverObject->DeviceObject);
    IoDeleteDevice(DriverObject->DeviceObject);

    // DriverEntry creates exactly one device object, so after deleting it
    // the driver's device list must be empty.
    ASSERT(DriverObject->DeviceObject == NULL);

    // Registry path copied in DriverEntry; guard in case it was already freed.
    if (g_Data.RegistryPath.Buffer != NULL)
    {
        ExFreePool(g_Data.RegistryPath.Buffer);
        g_Data.RegistryPath.Buffer = NULL;
    }

    dvKrnlDataDebugPrint(DBG_UNLOAD, DBG_TRACE, __FUNCTION__"--");
}
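///////////////////////////////////////////////////////////////////////////////////////////////////
// dvKrnlDataReadDispatch
// Dispatch routine for IRP_MJ_READ requests.
//
// Zero-length reads complete with STATUS_SUCCESS; every other read completes
// with STATUS_NOT_IMPLEMENTED. No data is ever transferred, so the unused
// device-extension and system-buffer locals of the original were dropped.
//
// Arguments:
// IN DeviceObject
// pointer to the device object for our device (unused)
//
// IN Irp
// the read IRP
//
// Return Value:
// STATUS_SUCCESS for a zero-length read, STATUS_NOT_IMPLEMENTED otherwise.
// IoStatus.Information is always 0.
//
NTSTATUS dvKrnlDataReadDispatch(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    )
{
    NTSTATUS status;
    PIO_STACK_LOCATION irpStack;
    ULONG readLength;

    (void)DeviceObject;

    dvKrnlDataDebugPrint(DBG_IO, DBG_TRACE, __FUNCTION__"++. IRP %p", Irp);

    // The requested length lives in our IRP stack location.
    irpStack = IoGetCurrentIrpStackLocation(Irp);
    readLength = irpStack->Parameters.Read.Length;

    if (readLength == 0)
    {
        // Nothing to do for a zero-length request; report success.
        status = STATUS_SUCCESS;
        Irp->IoStatus.Information = 0;
        Irp->IoStatus.Status = status;
        IoCompleteRequest(Irp, IO_NO_INCREMENT);
        dvKrnlDataDebugPrint(DBG_IO, DBG_WARN, __FUNCTION__"--. IRP %p, STATUS %x", Irp, status);
        return status;
    }

    // Reads are not supported by this driver; the system buffer is left untouched.
    status = STATUS_NOT_IMPLEMENTED;
    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest (Irp, IO_NO_INCREMENT);
    dvKrnlDataDebugPrint(DBG_IO, DBG_TRACE, __FUNCTION__"--. IRP %p STATUS %x", Irp, status);
    return status;
}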
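///////////////////////////////////////////////////////////////////////////////////////////////////
// dvKrnlDataWriteDispatch
// Dispatch routine for IRP_MJ_WRITE requests.
//
// Zero-length writes complete with STATUS_SUCCESS; every other write
// completes with STATUS_NOT_IMPLEMENTED. The caller's data is never read,
// so the unused device-extension and system-buffer locals were dropped.
//
// Arguments:
// IN DeviceObject
// pointer to the device object for our device (unused)
//
// IN Irp
// the write IRP
//
// Return Value:
// STATUS_SUCCESS for a zero-length write, STATUS_NOT_IMPLEMENTED otherwise.
// IoStatus.Information is always 0.
//
NTSTATUS dvKrnlDataWriteDispatch(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    )
{
    NTSTATUS status;
    PIO_STACK_LOCATION irpStack;
    ULONG writeLength;

    (void)DeviceObject;

    dvKrnlDataDebugPrint(DBG_IO, DBG_TRACE, __FUNCTION__"++. IRP %p", Irp);

    // The requested length lives in our IRP stack location.
    irpStack = IoGetCurrentIrpStackLocation(Irp);
    writeLength = irpStack->Parameters.Write.Length;

    if (writeLength == 0)
    {
        // Nothing to do for a zero-length request; report success.
        status = STATUS_SUCCESS;
        Irp->IoStatus.Information = 0;
        Irp->IoStatus.Status = status;
        IoCompleteRequest(Irp, IO_NO_INCREMENT);
        dvKrnlDataDebugPrint(DBG_IO, DBG_WARN, __FUNCTION__"--. IRP %p, STATUS %x", Irp, status);
        return status;
    }

    // Writes are not supported by this driver; the system buffer is never consumed.
    status = STATUS_NOT_IMPLEMENTED;
    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest (Irp, IO_NO_INCREMENT);
    dvKrnlDataDebugPrint(DBG_IO, DBG_TRACE, __FUNCTION__"--. IRP %p STATUS %x", Irp, status);
    return status;
}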
///////////////////////////////////////////////////////////////////////////////////////////////////
// dvKrnlDataDeviceIoControlDispatch
// Dispatch routine for IRP_MJ_DEVICE_CONTROL requests. Routes each control
// code to its handler and completes the IRP with the handler's status and
// the number of bytes the handler reported.
//
// Both buffers are taken from Irp->AssociatedIrp.SystemBuffer, i.e. the
// codes are assumed to be METHOD_BUFFERED (defined in intrface.h, not visible
// here) and every handler overwrites its own input.
//
// NOTE(review): no RequestorMode or privilege check is applied before the
// handlers run; any caller holding a handle to the device reaches the
// kernel-memory readers (READ_MEM, IDT, SST, PHYSICAL) and the process-hiding
// hook. Access control therefore rests entirely on the device object's DACL.
//
// Arguments:
// IN DeviceObject
// pointer to the device object for our device
//
// IN Irp
// the device i/o control IRP
//
// Return Value:
// The handler's NT status; STATUS_INVALID_DEVICE_REQUEST for unknown codes
// and for KRNLDATA_IO_WRITE_MEM, which is deliberately not implemented.
//
NTSTATUS dvKrnlDataDeviceIoControlDispatch(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    )
{
    PIO_STACK_LOCATION stack;
    PDVKRNLDATA_DEVICE_EXTENSION devExt;
    PVOID inBuf;
    PVOID outBuf;
    ULONG inLen;
    ULONG outLen;
    ULONG ioctl;
    DWORD bytesReturned = 0;
    NTSTATUS rc;

    dvKrnlDataDebugPrint(DBG_IO, DBG_TRACE, __FUNCTION__"++. IRP %p", Irp);

    devExt = (PDVKRNLDATA_DEVICE_EXTENSION)DeviceObject->DeviceExtension;
    stack = IoGetCurrentIrpStackLocation(Irp);

    inLen = stack->Parameters.DeviceIoControl.InputBufferLength;
    outLen = stack->Parameters.DeviceIoControl.OutputBufferLength;
    inBuf = Irp->AssociatedIrp.SystemBuffer;
    outBuf = Irp->AssociatedIrp.SystemBuffer;
    ioctl = stack->Parameters.DeviceIoControl.IoControlCode;

    switch (ioctl)
    {
    case KRNLDATA_IO_READ_MEM:
        rc = dvKrnlDataReadMem(devExt, inBuf, inLen, outBuf, outLen, &bytesReturned);
        break;

    case KRNLDATA_IO_IDT:
        rc = dvKrnlDataGetIDT(devExt, outBuf, outLen, &bytesReturned);
        break;

    case KRNLDATA_IO_SST:
        rc = dvKrnlDataGetSST(devExt, outBuf, outLen, &bytesReturned);
        break;

    case KRNLDATA_IO_PHYSICAL:
        rc = dvKrnlDataGetPhysical(devExt, inBuf, inLen, outBuf, outLen, &bytesReturned);
        break;

    case KRNLDATA_IO_HIDE_PROC:
        rc = dvKrnlDataHideProc(devExt, inBuf, inLen);
        break;

    case KRNLDATA_IO_STOP_HIDE:
        // Removes the hook installed by dvKrnlDataHideProc.
        EndHook();
        rc = STATUS_SUCCESS;
        break;

    case KRNLDATA_IO_WRITE_MEM:     // intentionally unimplemented
    default:
        rc = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    // bytesReturned stays 0 unless a handler reported a successful copy.
    Irp->IoStatus.Status = rc;
    Irp->IoStatus.Information = bytesReturned;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    dvKrnlDataDebugPrint(DBG_IO, DBG_TRACE, __FUNCTION__"--. IRP %p STATUS %x", Irp, rc);
    return rc;
}
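///////////////////////////////////////////////////////////////////////////////////////////////////
// dvKrnlDataShutdownDispatch
// Dispatch routine for IRP_MJ_SHUTDOWN requests.
//
// DriverEntry registers the device for shutdown notification, yet this
// handler does no work and completes the IRP with STATUS_NOT_IMPLEMENTED
// (presumably a wizard-generated stub — confirm whether any shutdown-time
// cleanup, e.g. removing the hook, was intended). The unused
// device-extension local of the original was dropped.
//
// Arguments:
// IN DeviceObject
// pointer to the device object for our device (unused)
//
// IN Irp
// the shutdown IRP
//
// Return Value:
// Always STATUS_NOT_IMPLEMENTED; IoStatus.Information is 0.
//
NTSTATUS dvKrnlDataShutdownDispatch(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    )
{
    NTSTATUS status;

    (void)DeviceObject;

    dvKrnlDataDebugPrint(DBG_GENERAL, DBG_TRACE, __FUNCTION__"++. IRP %p", Irp);

    status = STATUS_NOT_IMPLEMENTED;
    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest (Irp, IO_NO_INCREMENT);

    dvKrnlDataDebugPrint(DBG_GENERAL, DBG_TRACE, __FUNCTION__"--. IRP %p STATUS %x", Irp, status);
    return status;
}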
///////////////////////////////////////////////////////////////////////////////////////////////////
// dvKrnlDataReadMem
// Copy memory from a caller-supplied address into the caller's output buffer.
//
// The input is a DVKRNLDATA_MEM_REQUEST naming the source address and the
// byte count. The only checks made are that the request header is complete
// and that the count fits the output buffer; the source address itself is
// taken as-is. This is an unrestricted kernel-memory disclosure path for any
// caller that can issue the IOCTL.
//
// argument
// IN pDeviceCtx our device extension structure (unused)
// IN pInput input buffer holding the DVKRNLDATA_MEM_REQUEST
// IN dwInput length of the input data
// OUT pOutput output buffer; with METHOD_BUFFERED this is the same address as pInput
// IN dwOutput size of the output buffer
// OUT pdwOutLen number of bytes copied; only assigned once the copy is attempted
//
// return
// STATUS_INVALID_PARAMETER if the request header is short or the copy
// raised an exception, STATUS_BUFFER_TOO_SMALL if the count exceeds
// dwOutput, STATUS_SUCCESS otherwise.
//
NTSTATUS dvKrnlDataReadMem(
    IN PDVKRNLDATA_DEVICE_EXTENSION pDeviceCtx,
    IN PVOID pInput,
    IN DWORD dwInput,
    OUT PVOID pOutput,
    IN DWORD dwOutput,
    OUT PDWORD pdwOutLen
    )
{
    NTSTATUS rc;
    PDVKRNLDATA_MEM_REQUEST req = (PDVKRNLDATA_MEM_REQUEST)pInput;
    PVOID src = NULL;
    DWORD cb = 0;

    dvKrnlDataDebugPrint(
        DBG_IO,
        DBG_TRACE,
        __FUNCTION__"++. pInput %p dwInput %d pOutput %p dwOutput %d", pInput, dwInput, pOutput, dwOutput);

    // The whole request header must be present before its fields are read.
    if (dwInput < sizeof(DVKRNLDATA_MEM_REQUEST))
    {
        rc = STATUS_INVALID_PARAMETER;
        goto out;
    }
    src = req->pAddress;
    cb = req->dwRequestLen;

    // Bound the copy by the caller's output buffer only.
    if (cb > dwOutput)
    {
        rc = STATUS_BUFFER_TOO_SMALL;
        goto out;
    }
    dvKrnlDataDebugPrint(DBG_IO, DBG_INFO, "Address: %08X, Len: %X", src, cb);

    // NOTE(review): src is never validated. The SEH handler only catches
    // faults that the kernel raises as exceptions; presumably an unmapped
    // kernel-mode address bugchecks instead of landing here — confirm.
    __try
    {
        RtlCopyMemory(pOutput, src, cb);
        *pdwOutLen = cb;
        rc = STATUS_SUCCESS;
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        *pdwOutLen = 0;
        rc = STATUS_INVALID_PARAMETER;
    }
out:
    // On the early exits *pdwOutLen still holds whatever the caller passed in.
    dvKrnlDataDebugPrint(DBG_IO, DBG_TRACE, __FUNCTION__"--. WrittenLen %d STATUS %x", *pdwOutLen, rc);
    return rc;
}
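///////////////////////////////////////////////////////////////////////////////////////////////////
// dvKrnlDataGetIDT
// Copy the interrupt descriptor table register (IDTR) and the IDT it points
// at into the caller's buffer. The table entries hold kernel handler
// addresses, so this discloses kernel layout to the caller.
//
// Output layout: IDTR, then the raw IDT bytes (as many as fit).
//
// Fix: the IDTR limit is the table size in bytes minus one, not an entry
// count. The previous code multiplied it by sizeof(IDT_ENTRY) and therefore
// copied up to sizeof(IDT_ENTRY) times the real table length (bounded only
// by dwOutput), returning memory beyond the end of the IDT.
//
// argument
// IN pDeviceCtx our device extension structure (unused)
// OUT pOutput output buffer
// IN dwOutput size of the output buffer
// OUT pdwOutLen number of bytes written (0 on any failure)
//
// return
// STATUS_BUFFER_TOO_SMALL if dwOutput cannot even hold the IDTR,
// STATUS_INVALID_PARAMETER if copying the table raised an exception,
// STATUS_SUCCESS otherwise.
//
NTSTATUS dvKrnlDataGetIDT(
    IN PDVKRNLDATA_DEVICE_EXTENSION pDeviceCtx,
    OUT PVOID pOutput,
    IN DWORD dwOutput,
    OUT PDWORD pdwOutLen
    )
{
    NTSTATUS status;
    IDTR idtr;
    const DWORD cbIdtr = sizeof(IDTR);
    DWORD cbTable;
    DWORD cbCopy;

    (void)pDeviceCtx;
    *pdwOutLen = 0;

    dvKrnlDataDebugPrint(
        DBG_IO,
        DBG_TRACE,
        __FUNCTION__"++. pOutput %p dwOutput %d", pOutput, dwOutput);

    // Read the IDTR (32-bit MSVC inline assembly).
    __asm
    {
        sidt idtr
    }
    dvKrnlDataDebugPrint(DBG_IO, DBG_INFO, "IDTLimit: %X, IDTBase: %08X", idtr.IDTLimit, idtr.IDTBase);

    if (dwOutput < cbIdtr)
    {
        status = STATUS_BUFFER_TOO_SMALL;
        goto out;
    }

    // IDTR first, then whatever part of the table fits in the remainder.
    RtlCopyMemory(pOutput, &idtr, cbIdtr);
    cbTable = (DWORD)idtr.IDTLimit + 1;     // limit = size in bytes - 1
    cbCopy = (cbTable < dwOutput - cbIdtr) ? cbTable : (dwOutput - cbIdtr);

    __try
    {
        RtlCopyMemory((unsigned char *)pOutput + cbIdtr, idtr.IDTBase, cbCopy);
        *pdwOutLen = cbIdtr + cbCopy;
        status = STATUS_SUCCESS;
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        *pdwOutLen = 0;
        status = STATUS_INVALID_PARAMETER;
    }
out:
    dvKrnlDataDebugPrint(DBG_IO, DBG_TRACE, __FUNCTION__"--. WrittenLen %d STATUS %x", *pdwOutLen, status);
    return status;
}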
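///////////////////////////////////////////////////////////////////////////////////////////////////
// dvKrnlDataGetSST
// Copy ntoskrnl's system service table (SST), reached through the exported
// service descriptor table KeServiceDescriptorTable, into the caller's
// buffer. ServiceTable holds kernel function pointers, so this discloses
// kernel addresses to the caller.
//
// Output layout: SYSTEM_SERVICE_TABLE header, ServiceTable[ServiceLimit]
// (one PVOID each), ArgumentTable[ServiceLimit] (one BYTE each).
//
// Fix: the output position is now advanced through a byte cursor instead of
// the `(DWORD)pOutput += n` lvalue casts, which are a 32-bit-only compiler
// extension; *pdwOutLen is also reported as 0 on the too-small path.
//
// argument
// IN pDeviceCtx our device extension structure (unused)
// OUT pOutput output buffer
// IN dwOutput size of the output buffer
// OUT pdwOutLen number of bytes written (0 on any failure)
//
// return
// STATUS_BUFFER_TOO_SMALL if the three parts do not fit in dwOutput,
// STATUS_INVALID_PARAMETER if a copy raised an exception, STATUS_SUCCESS
// otherwise.
//
NTSTATUS dvKrnlDataGetSST(
    IN PDVKRNLDATA_DEVICE_EXTENSION pDeviceCtx,
    OUT PVOID pOutput,
    IN DWORD dwOutput,
    OUT PDWORD pdwOutLen
    )
{
    NTSTATUS status;
    PSYSTEM_SERVICE_TABLE pNtosSST;
    const DWORD cbHeader = sizeof(SYSTEM_SERVICE_TABLE);
    DWORD cbServices;
    DWORD cbArguments;
    unsigned char *cursor;

    (void)pDeviceCtx;
    *pdwOutLen = 0;

    dvKrnlDataDebugPrint(
        DBG_IO,
        DBG_TRACE,
        __FUNCTION__"++. pOutput %p dwOutput %d", pOutput, dwOutput);

    pNtosSST = &(KeServiceDescriptorTable->ntoskrnl);
    dvKrnlDataDebugPrint(
        DBG_IO, DBG_INFO,
        "ServiceTable: %08X, ArgumentTable: %08X, ServiceLimit: %X",
        pNtosSST->ServiceTable,
        pNtosSST->ArgumentTable,
        pNtosSST->ServiceLimit);

    // One pointer per service in ServiceTable, one byte per service in ArgumentTable.
    cbServices = (DWORD)(pNtosSST->ServiceLimit * sizeof(PVOID));
    cbArguments = (DWORD)(pNtosSST->ServiceLimit * sizeof(BYTE));
    if (cbHeader + cbServices + cbArguments > dwOutput)
    {
        status = STATUS_BUFFER_TOO_SMALL;
        goto out;
    }

    __try
    {
        cursor = (unsigned char *)pOutput;
        RtlCopyMemory(cursor, pNtosSST, cbHeader);
        cursor += cbHeader;
        RtlCopyMemory(cursor, pNtosSST->ServiceTable, cbServices);
        cursor += cbServices;
        RtlCopyMemory(cursor, pNtosSST->ArgumentTable, cbArguments);
        *pdwOutLen = cbHeader + cbServices + cbArguments;
        status = STATUS_SUCCESS;
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        *pdwOutLen = 0;
        status = STATUS_INVALID_PARAMETER;
    }
out:
    dvKrnlDataDebugPrint(DBG_IO, DBG_TRACE, __FUNCTION__"--. WrittenLen %d STATUS %x", *pdwOutLen, status);
    return status;
}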
///////////////////////////////////////////////////////////////////////////////////////////////////
// dvKrnlDataGetPhysical
// Translate a caller-supplied virtual address to its physical address with
// MmGetPhysicalAddress and return the PHYSICAL_ADDRESS to the caller.
//
// argument
// IN pDeviceCtx our device extension structure (unused)
// IN pInput input buffer holding one PVOID (the virtual address)
// IN dwInput length of the input data
// OUT pOutput output buffer; with METHOD_BUFFERED this is the same address as pInput
// IN dwOutput size of the output buffer
// OUT pdwOutLen number of bytes written; left untouched on the too-small path
//
// return
// STATUS_BUFFER_TOO_SMALL if either buffer is too short,
// STATUS_INVALID_PARAMETER if MmIsAddressValid rejects the address,
// STATUS_SUCCESS otherwise.
//
NTSTATUS dvKrnlDataGetPhysical(
    IN PDVKRNLDATA_DEVICE_EXTENSION pDeviceCtx,
    IN PVOID pInput,
    IN DWORD dwInput,
    OUT PVOID pOutput,
    IN DWORD dwOutput,
    OUT PDWORD pdwOutLen
    )
{
    NTSTATUS rc;
    PVOID virt = NULL;
    PHYSICAL_ADDRESS phys;

    dvKrnlDataDebugPrint(
        DBG_IO,
        DBG_TRACE,
        __FUNCTION__"++. pInput %p dwInput %d pOutput %p dwOutput %d", pInput, dwInput, pOutput, dwOutput);

    if (dwInput < sizeof(PVOID) || dwOutput < sizeof(PHYSICAL_ADDRESS))
    {
        rc = STATUS_BUFFER_TOO_SMALL;
    }
    else
    {
        virt = *(PPVOID)pInput;
        dvKrnlDataDebugPrint(DBG_IO, DBG_INFO, "Line Address: %p", virt);

        // Only addresses the memory manager reports as valid are translated;
        // the result is the 64-bit PHYSICAL_ADDRESS union.
        if (MmIsAddressValid(virt))
        {
            phys = MmGetPhysicalAddress(virt);
            RtlCopyMemory(pOutput, &phys, sizeof(PHYSICAL_ADDRESS));
            *pdwOutLen = sizeof(PHYSICAL_ADDRESS);
            rc = STATUS_SUCCESS;
        }
        else
        {
            dvKrnlDataDebugPrint(DBG_IO, DBG_INFO, "invlaid address");
            *pdwOutLen = 0;
            rc = STATUS_INVALID_PARAMETER;
        }
    }

    dvKrnlDataDebugPrint(DBG_IO, DBG_TRACE, __FUNCTION__"--. WrittenLen %d STATUS %x", *pdwOutLen, rc);
    return rc;
}
///////////////////////////////////////////////////////////////////////////////////////////////////
// dvKrnlDataHideProc
// Hide the process with the given PID by hooking ZwQuerySystemInformation.
// The hook itself is installed by StartHook (defined outside this file) and
// removed by EndHook from the IOCTL dispatcher. This is process-hiding
// (rootkit) behaviour: enumeration results seen by user mode no longer
// reflect the kernel's process list.
//
// argument
// IN pDeviceCtx our device extension structure (unused)
// IN pInput input buffer holding one DWORD (the PID to hide)
// IN dwInput length of the input data
//
// return
// STATUS_INVALID_PARAMETER if fewer than sizeof(DWORD) bytes were supplied,
// STATUS_SUCCESS otherwise.
//
NTSTATUS dvKrnlDataHideProc(
    IN PDVKRNLDATA_DEVICE_EXTENSION pDeviceCtx,
    IN PVOID pInput,
    IN DWORD dwInput
    )
{
    NTSTATUS rc;
    DWORD pid;

    dvKrnlDataDebugPrint(
        DBG_IO,
        DBG_TRACE,
        __FUNCTION__"++. pInput %p dwInput %d", pInput, dwInput);

    if (dwInput < sizeof(DWORD))
    {
        rc = STATUS_INVALID_PARAMETER;
    }
    else
    {
        // The PID is not checked against any live process; StartHook gets it as-is.
        pid = *(DWORD *)pInput;
        dvKrnlDataDebugPrint(DBG_IO, DBG_INFO, "Hide PID: %08X", pid);
        StartHook(pid);
        rc = STATUS_SUCCESS;
    }

    dvKrnlDataDebugPrint(DBG_IO, DBG_TRACE, __FUNCTION__"--. STATUS %x", rc);
    return rc;
}