- detectdriverbin.zip
- DetectDriverBin
- DetectDriverBin
- DetectDriver.sys
- DetectDriverGUI.exe
- HideDriver.sys
- HideDriverGUI.exe
- detectdriversrc.zip
- DetectDriverSrc
- DetectDriver
- src
- Common
- ddk_build.bat
- DetectDriver
- DetectDriver_vs9.sln
- DetectDriverGUI
- drvCppLib
- build.bat
- cxx.h
- drvCppLib_vs8.vcproj
- drvCppLib_vs9.vcproj
- except.c
- lib_copy
- _memicmp.obj
- _stricmp.obj
- _strnicm.obj
- atlssup.obj
- chkesp.obj
- chkstk.obj
- conv.lib
- eh.lib
- eh3valid.obj
- enable.obj
- exsup.obj
- exsup2.obj
- exsup3.obj
- info.txt
- inp.obj
- lldiv.obj
- lldvrm.obj
- llmul.obj
- llrem.obj
- llshl.obj
- llshr.obj
- longjmp.obj
- matherr.obj
- memccpy.obj
- memchr.obj
- memcmp.obj
- memcpy.obj
- memmove.obj
- memset.obj
- outp.obj
- rtc.lib
- sehprolg.obj
- sehsupp.obj
- setjmp.obj
- setjmp3.obj
- setjmpex.obj
- strcat.obj
- strchr.obj
- strcmp.obj
- strcspn.obj
- strdup.obj
- strlen.obj
- strncat.obj
- strncmp.obj
- strncpy.obj
- strnset.obj
- strpbrk.obj
- strrchr.obj
- strrev.obj
- strset.obj
- strspn.obj
- strstr.obj
- tlssup.obj
- tran.lib
- ulldiv.obj
- ulldvrm.obj
- ullrem.obj
- ullshr.obj
- libcpp.cpp
- libcpp.h
- MAKEFILE
- new.h
- rtti.cpp
- Sources
- drvCppLibTest
- drvSingleModeTest
- drvUtils
- HideDriver
- HideDriverGUI
- info.txt
- STLPort
- Utils
- UtilsPortable
- UtilsPortableUnitTest
#include "drvCommon.h"
#include "IRPUtils.h"
#include "Ioctl.h"
#include "QueryMng.h"
#include "ProcessDetector.h"
#include "FileDetector.h"
////////////////////////////////////////////////////////////////////////////////////
/* Name and symbolic link that expose the device to user mode.
 * gDeviceNameStr is the object-manager name of the device; gSymbolicLinkNameStr is the
 * \DosDevices alias (the form a user-mode client typically opens as \\.\DetectDriver).
 * Both UNICODE_STRINGs are filled in by RtlInitUnicodeString() in DriverEntry and only
 * point at these literals, which is fine because the literals have static storage. */
//The name of current driver
UNICODE_STRING gDeviceName;
PCWSTR gDeviceNameStr = L"\\Device\\DetectDriver";
//The symbolic link of driver location
UNICODE_STRING gSymbolicLinkName;
PCWSTR gSymbolicLinkNameStr = L"\\DosDevices\\DetectDriver";
//The object associated with the driver; created in DriverEntry, deleted in DriverUnload
PDEVICE_OBJECT gDeviceObject = NULL;
/* Global C++ objects below have constructors. NOTE(review): presumably they are run by
 * libcpp_init() in DriverEntry (that is what drvCppLib appears to provide) - confirm,
 * because nothing else in a kernel image runs static initializers for you. */
/*QueryMng used for dispatching IOCTL queries (see DeviceControlRoutine)*/
utils::QueryMng gQueryMng;
/*ProcessDetector used for detecting hidden process*/
DetectDriver::ProcessDetector gProcessDetector;
/*FileDetector - presumably the file-system counterpart of gProcessDetector
 *(the original comment here was a copy-paste of the line above)*/
DetectDriver::FileDetector gFileDetector;
////////////////////////////////////////////////////////////////////////////////////
// DriverEntry has C linkage so the loader finds it by its unmangled name;
// everything else in this file is ordinary C++.
extern "C"
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath);
// Unload callback, installed into DriverObject->DriverUnload by DriverEntry.
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject);
// Dispatch routines for IRP_MJ_DEVICE_CONTROL, IRP_MJ_CLOSE and IRP_MJ_CREATE.
NTSTATUS DeviceControlRoutine( IN PDEVICE_OBJECT fdo, IN PIRP Irp );
NTSTATUS DeviceCloseHandleRoutine(IN PDEVICE_OBJECT fdo,IN PIRP Irp);
NTSTATUS DeviceOpenHandleRoutine(IN PDEVICE_OBJECT fdo,IN PIRP Irp);
// Detector start/stop; called from DriverEntry and DriverUnload respectively.
NTSTATUS Initialize();
VOID Uninitialize();
////////////////////////////////////////////////////////////////////////////////////
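NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath)
{
    // Driver entry point: creates the device object, the user-mode-visible
    // symbolic link, installs the IRP handlers and starts the detectors.
    //
    // Every failure path tears down what was already created. The I/O manager
    // does NOT call DriverUnload when DriverEntry fails, so the original code
    // leaked the device object when IoCreateSymbolicLink failed (and never
    // called libcpp_exit()). A device object left behind with dispatch routines
    // pointing into an unloaded image is a crash waiting for the next open.
    //
    // Returns STATUS_SUCCESS, or the NTSTATUS of the step that failed (more
    // useful in the loader's error output than a blanket STATUS_FAILED_DRIVER_ENTRY).
    //
    // NOTE(review): the device is created with the default device-object DACL
    // and is reachable from any session through the \DosDevices link. If the
    // IOCTL surface is meant for administrators only, either create the device
    // with IoCreateDeviceSecure and an SDDL string (needs wdmsec.h/wdmsec.lib,
    // not added here) or enforce the check in the IOCTL dispatcher.
    (void)RegistryPath;

    DbgPrint("\t------DETECT DRIVER START------\n");
    libcpp_init();

    RtlInitUnicodeString(&gDeviceName, gDeviceNameStr);
    RtlInitUnicodeString(&gSymbolicLinkName, gSymbolicLinkNameStr);

    NTSTATUS status = IoCreateDevice(DriverObject,      // owning driver
                                     0,                 // no device extension
                                     &gDeviceName,      // \Device\DetectDriver
                                     FILE_DEVICE_NULL,  // device type
                                     0,                 // device characteristics
                                     FALSE,             // not exclusive
                                     &gDeviceObject);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("-DetectDriver- IoCreateDevice failed: 0x%08X\n", status);
        gDeviceObject = NULL;
        libcpp_exit();
        return status;
    }

    status = IoCreateSymbolicLink(&gSymbolicLinkName, &gDeviceName);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("-DetectDriver- IoCreateSymbolicLink failed: 0x%08X\n", status);
        // Undo the device creation; nobody else will.
        IoDeleteDevice(gDeviceObject);
        gDeviceObject = NULL;
        libcpp_exit();
        return status;
    }

    // Register IRP handlers. Unhandled major functions keep the I/O manager's
    // default (STATUS_INVALID_DEVICE_REQUEST).
    DriverObject->DriverUnload = DriverUnload;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DeviceControlRoutine;
    DriverObject->MajorFunction[IRP_MJ_CREATE] = DeviceOpenHandleRoutine;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = DeviceCloseHandleRoutine;

    // Detector start-up is the last step, so a failure here must unwind all of
    // the above explicitly (DriverUnload will not run on a failed load).
    status = Initialize();
    if (!NT_SUCCESS(status))
    {
        DbgPrint("-DetectDriver- Initialize() failed: 0x%08X\n", status);
        IoDeleteSymbolicLink(&gSymbolicLinkName);
        IoDeleteDevice(gDeviceObject);
        gDeviceObject = NULL;
        libcpp_exit();
        return status;
    }

    return STATUS_SUCCESS;
}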
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    // Mirror of DriverEntry, in reverse: stop the detectors, drop the
    // user-mode-visible link, delete the device object, then shut down the
    // C++ runtime support that libcpp_init() brought up.
    (void)DriverObject;

    Uninitialize();

    IoDeleteSymbolicLink(&gSymbolicLinkName);
    IoDeleteDevice(gDeviceObject);

    libcpp_exit();
    DbgPrint("\t------DETECT DRIVER EXIT------\n");
}
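NTSTATUS Initialize()
{
    // Start the detectors that gQueryMng dispatches IOCTLs to.
    //
    // Returns STATUS_SUCCESS, or STATUS_UNSUCCESSFUL if a detector threw.
    // The original code logged the exception and still returned STATUS_SUCCESS,
    // so the driver loaded with its IOCTL handlers live while one or both
    // detectors were never initialized. For a hidden-object detector a silent
    // partial start is worse than refusing to load: it reports "nothing found"
    // for things it never looked at. Fail closed instead.
    try
    {
        gProcessDetector.Initialize(gQueryMng);
    }
    catch(const std::exception& ex)
    {
        DbgPrint("-DetectDriver- Initialize() std::exception: %s\n",ex.what());
        return STATUS_UNSUCCESSFUL;
    }

    try
    {
        gFileDetector.Initialize(gQueryMng);
    }
    catch(const std::exception& ex)
    {
        DbgPrint("-DetectDriver- Initialize() std::exception: %s\n",ex.what());
        // Roll back the detector that did start so nothing stays registered
        // with gQueryMng after the caller gives up on the load.
        try
        {
            gProcessDetector.Cleanup(gQueryMng);
        }
        catch(const std::exception& cleanupEx)
        {
            DbgPrint("-DetectDriver- Initialize() rollback std::exception: %s\n",cleanupEx.what());
        }
        return STATUS_UNSUCCESSFUL;
    }

    return STATUS_SUCCESS;
}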
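VOID Uninitialize()
{
    // Stop both detectors. Each Cleanup() runs in its own try block: with the
    // original single block, an exception from gProcessDetector.Cleanup()
    // skipped gFileDetector.Cleanup() entirely, presumably leaving that detector
    // still registered with gQueryMng while the driver image went away.
    // This runs from DriverUnload, which cannot report failure, so exceptions
    // are logged and swallowed deliberately.
    try
    {
        gProcessDetector.Cleanup(gQueryMng);
    }
    catch(const std::exception& ex)
    {
        DbgPrint("-DetectDriver- Uninitialize() std::exception: %s\n",ex.what());
    }

    try
    {
        gFileDetector.Cleanup(gQueryMng);
    }
    catch(const std::exception& ex)
    {
        DbgPrint("-DetectDriver- Uninitialize() std::exception: %s\n",ex.what());
    }
}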
NTSTATUS DeviceControlRoutine( IN PDEVICE_OBJECT fdo, IN PIRP pIrp )
{
    // IRP_MJ_DEVICE_CONTROL: hand the IRP to the query manager, which selects
    // the handler by IOCTL code and completes the IRP itself. Nothing in this
    // routine touches pIrp after the call.
    //
    // NOTE(review): no caller-privilege or buffer validation is visible here;
    // it must live in utils::QueryMng::ProcessIrp (or in the device DACL).
    // Verify that before exposing new IOCTLs.
    (void)fdo;
    utils::QueryMng& dispatcher = gQueryMng;
    return dispatcher.ProcessIrp(pIrp);
}
// DeviceOpenHandleRoutine: IRP_MJ_CREATE handler. Every open succeeds; no
// per-caller check is done here, so any access control has to come from the
// device-object DACL or from the IOCTL dispatcher.
NTSTATUS DeviceOpenHandleRoutine(IN PDEVICE_OBJECT fdo,IN PIRP Irp)
{
    (void)fdo;
    DbgPrint("-DetectDriver- IRP_MJ_CREATE\n");
    const NTSTATUS openStatus = STATUS_SUCCESS;
    const ULONG_PTR bytesTransferred = 0;
    return utils::CompleteIrp(Irp, openStatus, bytesTransferred);
}
// DeviceCloseHandleRoutine: IRP_MJ_CLOSE handler. There is no per-handle state
// to release, so the IRP is simply completed with success and zero bytes.
NTSTATUS DeviceCloseHandleRoutine(IN PDEVICE_OBJECT fdo,IN PIRP Irp)
{
    (void)fdo;
    DbgPrint("-DetectDriver- IRP_MJ_CLOSE\n");
    const NTSTATUS closeStatus = STATUS_SUCCESS;
    const ULONG_PTR bytesTransferred = 0;
    return utils::CompleteIrp(Irp, closeStatus, bytesTransferred);
}