#include "common.h"
#include "Ioctl.h"
// Prototypes for the routines the I/O manager calls (entry point, unload and
// IRP dispatch handlers) plus the CompleteIrp helper, declared with C linkage
// so their names are not C++-mangled.
extern "C"
{
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath);
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject);
NTSTATUS CompleteIrp(PIRP Irp, NTSTATUS status, ULONG info);
NTSTATUS DeviceControlRoutine( IN PDEVICE_OBJECT fdo, IN PIRP Irp );
NTSTATUS Close_HandleIRPprocessing(IN PDEVICE_OBJECT fdo,IN PIRP Irp);
NTSTATUS Create_File_IRPprocessing(IN PDEVICE_OBJECT fdo,IN PIRP Irp);
}// extern "C"
#include "HookFile.h"
#include "HookProcess.h"
#include "QueryMng.h"
#include "HookMng.h"
////////////////////////////////////////////////////////////////////////////////////
/* InitializeHooks: queues the process and file hooks and applies them in one
 * step; defined below and called once from DriverEntry. */
void InitializeHooks();
/* DeviceName: kernel object name of the control device; initialised in
 * DriverEntry to \Device\HideDriver. */
UNICODE_STRING DeviceName;
/* SymbolicLinkName: \DosDevices\HideDriver, the symbolic link that points at
 * DeviceName; created in DriverEntry and deleted in DriverUnload. */
UNICODE_STRING SymbolicLinkName;
/* deviceObject: the control device created in DriverEntry; stays NULL until
 * IoCreateDevice succeeds. */
PDEVICE_OBJECT deviceObject = NULL;
/* gQueryMng: receives every IRP_MJ_DEVICE_CONTROL request (see
 * DeviceControlRoutine) and dispatches the IOCTL queries. */
static QueryMng gQueryMng;
/* gHookMng: hook manager; hooks are queued on it and then applied in
 * InitializeHooks, and removed again in DriverUnload. */
static HookMng gHookMng;
////////////////////////////////////////////////////////////////////////////////////
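/*
 * DriverEntry: driver initialisation routine.
 *
 * Creates the control device \Device\HideDriver and the symbolic link
 * \DosDevices\HideDriver that points at it, registers the unload and dispatch
 * routines, and then installs the process and file hooks.
 *
 * DriverObject - driver object supplied by the I/O manager.
 * RegistryPath - registry path of the driver's service key (not used here).
 *
 * Returns STATUS_SUCCESS once the device and the link exist and the hooks
 * have been initialised; otherwise the failing status of IoCreateDevice or
 * IoCreateSymbolicLink, after releasing whatever had been set up. Without
 * that check a failed device creation would leave deviceObject NULL while
 * the driver stayed loaded with hooks installed.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,
                     IN PUNICODE_STRING RegistryPath)
{
    PDRIVER_DISPATCH *mj_func;
    NTSTATUS st;
    PCWSTR dDeviceName = L"\\Device\\HideDriver";
    PCWSTR dSymbolicLinkName = L"\\DosDevices\\HideDriver";

    DbgPrint("\t------START------\n");
    libcpp_init();

    RtlInitUnicodeString(&DeviceName, dDeviceName);
    RtlInitUnicodeString(&SymbolicLinkName, dSymbolicLinkName);

    // NOTE(review): no explicit security descriptor is supplied and the
    // device characteristics are 0 (FILE_DEVICE_SECURE_OPEN is not set), so
    // who may open this named device is left to the system default. If the
    // IOCTL interface is meant for administrators only, create the device
    // with IoCreateDeviceSecure and a restrictive SDDL string instead --
    // confirm the intended callers.
    st = IoCreateDevice(DriverObject,      // driver that owns the device
                        0,                 // no device extension
                        &DeviceName,       // \Device\HideDriver
                        FILE_DEVICE_NULL,  // device type
                        0,                 // device characteristics
                        FALSE,             // not exclusive
                        &deviceObject);    // receives the device object
    if (!NT_SUCCESS(st)) {
        // DriverUnload is not called when DriverEntry fails, so undo the
        // C++ runtime initialisation here.
        deviceObject = NULL;
        libcpp_exit();
        return st;
    }

    st = IoCreateSymbolicLink(&SymbolicLinkName, &DeviceName);
    if (!NT_SUCCESS(st)) {
        IoDeleteDevice(deviceObject);
        deviceObject = NULL;
        libcpp_exit();
        return st;
    }

    mj_func = DriverObject->MajorFunction;
    DriverObject->DriverUnload = DriverUnload;
    mj_func[IRP_MJ_DEVICE_CONTROL] = DeviceControlRoutine;
    mj_func[IRP_MJ_CREATE] = Create_File_IRPprocessing;
    mj_func[IRP_MJ_CLOSE] = Close_HandleIRPprocessing;

    // Hooks go in last, only once the control device is known to exist.
    // InitializeHooks returns nothing, so a failure to apply the hooks is
    // reported through DbgPrint only.
    InitializeHooks();

    return STATUS_SUCCESS;
}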
/*
 * InitializeHooks: drops any hooks still queued on gHookMng, lets the process
 * and file modules set themselves up against the hook and query managers, and
 * then applies the queued hooks in one step. A failure to apply them is only
 * written to the debug output; the caller is not told.
 */
void InitializeHooks()
{
    gHookMng.CleanQueuedHooks();

    HookProcessInit(gHookMng, gQueryMng);   // HookProcess.h
    HookFileInit(gHookMng, gQueryMng);      // HookFile.h

    if (gHookMng.ApplyQueuedHooks())
    {
        return;
    }

    DbgPrint("InitializeHooks - ERROR ApplyQueuedHooks\n");
}
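/*
 * DriverUnload: undoes DriverEntry. Removes the installed hooks, deletes the
 * symbolic link and the control device, shuts down the file and process hook
 * modules and finally the C++ runtime support.
 *
 * DriverObject - driver object being unloaded (not used here).
 */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    // NOTE(review): nothing visible here waits for threads that may still be
    // running inside a hook routine when the hooks are removed -- confirm
    // that HookMng::ClearHooks covers that before the image is unmapped.
    gHookMng.ClearHooks();

    IoDeleteSymbolicLink(&SymbolicLinkName);

    // deviceObject is still NULL if IoCreateDevice failed in DriverEntry;
    // IoDeleteDevice must not be handed a NULL device object.
    if (deviceObject != NULL) {
        IoDeleteDevice(deviceObject);
        deviceObject = NULL;
    }

    HookFileExit();     // HookFile.h
    HookProcessExit();  // HookProcess.h

    // C++ runtime support goes last, after every C++ object user is done.
    libcpp_exit();

    DbgPrint("\t------EXIT------\n");
}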
/*
 * CompleteIrp: stores the final status and information value in the IRP's
 * I/O status block and completes the request without a priority boost.
 *
 * Irp    - request to complete.
 * status - completion status; also the return value.
 * info   - value for IoStatus.Information.
 *
 * The status is returned from the parameter, not read back from the IRP,
 * because the IRP must not be touched once IoCompleteRequest has been called.
 */
NTSTATUS CompleteIrp(PIRP Irp, NTSTATUS status, ULONG info)
{
    Irp->IoStatus.Information = info;
    Irp->IoStatus.Status      = status;

    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    return status;
}
/*
 * DeviceControlRoutine: IRP_MJ_DEVICE_CONTROL handler.
 *
 * Forwards the request unchanged to the query manager, which dispatches the
 * IOCTL and completes the IRP; nothing is validated at this level.
 *
 * fdo  - target device object (unused).
 * pIrp - the device-control request.
 *
 * Returns whatever QueryMng::ProcessIrp returns.
 */
NTSTATUS DeviceControlRoutine(IN PDEVICE_OBJECT fdo, IN PIRP pIrp)
{
    // NOTE(review): the IOCTL code and buffer lengths come from the caller
    // that opened the device; presumably QueryMng checks them -- confirm.
    const NTSTATUS dispatchStatus = gQueryMng.ProcessIrp(pIrp);
    return dispatchStatus;
}
/*
 * Create_File_IRPprocessing: IRP_MJ_CREATE handler.
 *
 * Logs the request and completes it with STATUS_SUCCESS and zero bytes of
 * information. No per-caller check is made here, so every open that reaches
 * this routine succeeds.
 *
 * fdo - target device object (unused).
 * Irp - the create request.
 */
NTSTATUS Create_File_IRPprocessing(IN PDEVICE_OBJECT fdo, IN PIRP Irp)
{
    DbgPrint("-HideDriver- IRP_MJ_CREATE\n");

    const NTSTATUS result = CompleteIrp(Irp, STATUS_SUCCESS, 0);
    return result;
}
/*
 * Close_HandleIRPprocessing: IRP_MJ_CLOSE handler.
 *
 * Logs the request and completes it with STATUS_SUCCESS and zero bytes of
 * information.
 *
 * fdo - target device object (unused).
 * Irp - the close request.
 */
NTSTATUS Close_HandleIRPprocessing(IN PDEVICE_OBJECT fdo, IN PIRP Irp)
{
    DbgPrint("-HideDriver- IRP_MJ_CLOSE\n");

    const NTSTATUS result = CompleteIrp(Irp, STATUS_SUCCESS, 0);
    return result;
}