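; ASM SYS TEMPLATE
;
; Target:  x86 (32-bit) Windows kernel-mode driver, MASM syntax.
; ABI:     stdcall for DriverEntry and the dispatch routines (callee cleans
;          the stack: retn 8 for the two-argument routines), fastcall for
;          IofCompleteRequest (ecx = Irp, dl = PriorityBoost).
; Imports: resolved through the iMOV / iWin32 macros from APIMACRO.MAC.
;
; The structure offsets named below are those of the 32-bit kernel
; structures used by this code; they are only valid for x86 builds.
        .586P
        .MODEL  FLAT, STDCALL
        OPTION  CASEMAP:NONE

UNICODE     = 0
ARGUMENTS   = 1

        INCLUDE APIMACRO.MAC
        include w32main.inc
        INCLUDELIB iNTOSKRNL.LIB
        INCLUDELIB iKERNEL32.LIB

        ASSUME  FS:NOTHING              ; assume nothing :p

; --------------------------------------------------------------------------
; Named values and offsets (x86 kernel structures)
; --------------------------------------------------------------------------
o                           equ offset

FILE_DEVICE_UNKNOWN         = 22h

STATUS_SUCCESS              = 0
STATUS_UNSUCCESSFUL         = 0C0000001h
STATUS_BUFFER_TOO_SMALL     = 0C0000023h

; DRIVER_OBJECT
DRVOBJ_DeviceObject         = 04h
DRVOBJ_DriverUnload         = 34h
DRVOBJ_MajorFunction        = 38h       ; PDRIVER_DISPATCH MajorFunction[]
IRP_MJ_CREATE               = 00h
IRP_MJ_CLOSE                = 02h
IRP_MJ_DEVICE_CONTROL       = 0Eh

; _IRP
IRP_SystemBuffer            = 0Ch       ; AssociatedIrp.SystemBuffer
IRP_IoStatus_Status         = 18h       ; IoStatus.Status
IRP_IoStatus_Information    = 1Ch       ; IoStatus.Information
IRP_CurrentStackLocation    = 60h       ; Tail.Overlay.CurrentStackLocation

; IO_STACK_LOCATION.Parameters.DeviceIoControl
IOSL_OutputBufferLength     = 04h
IOSL_InputBufferLength      = 08h
IOSL_IoControlCode          = 0Ch

; Size in bytes of the reply ServiceHandler writes into SystemBuffer
REPLY_SIZE                  = 4

        .CODE

; NUL-terminated UTF-16 names; both live in .CODE as in the original layout.
Device_name     dw '\','D','e','v','i','c','e','\','r','i','n','g','0',0,0,0
Device_type     dw '\','D','o','s','D','e','v','i','c','e','s','\','r','i','n','g','0',0,0,0,0
                dd 0
                align 4

;-----------------------.Driver.Entry.----------------------------------------
; NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pusRegistryPath)
; Creates \Device\ring0, links \DosDevices\ring0 to it, installs the
; dispatch and unload routines, then runs initmysys.
; In:    [ebp+8]  = pDriverObject; [ebp+0Ch] = pusRegistryPath (never read)
; Out:   eax = NTSTATUS.  On any failure the device and the symbolic link
;        created here are deleted again, so a failed load leaves nothing behind.
; Clobbers: eax, ecx, edx, flags (ebx, esi saved and restored)
; Stack: 14h bytes of locals: two UNICODE_STRINGs and the PDEVICE_OBJECT
;-----------------------------------------------------------------------------
DriverEntry:
SymbolicLinkName = dword ptr -14h
DeviceName       = dword ptr -0Ch
DeviceObject     = dword ptr -4
DriverObject     = dword ptr 8
        push    ebp
        mov     ebp, esp
        sub     esp, 14h
        push    ebx
        push    esi

        iMOV    esi, RtlInitUnicodeString
        lea     eax, [ebp+DeviceName]
        push    offset Device_name
        push    eax
        call    esi                     ; RtlInitUnicodeString(&DeviceName, Device_name)

        mov     ebx, [ebp+DriverObject] ; ebx = DRIVER_OBJECT for the rest of the routine
        lea     eax, [ebp+DeviceObject]
        push    eax                     ; DeviceObject (out)
        push    0                       ; Exclusive
        push    0                       ; DeviceCharacteristics
        lea     eax, [ebp+DeviceName]
        push    FILE_DEVICE_UNKNOWN     ; DeviceType
        push    eax                     ; DeviceName
        push    0                       ; DeviceExtensionSize
        push    ebx                     ; DriverObject
        iWin32  IoCreateDevice
        test    eax, eax
        jnz     Exit_on_failed_creation ; nothing created yet, return the status as is

        lea     eax, [ebp+SymbolicLinkName]
        push    offset Device_type
        push    eax
        call    esi                     ; RtlInitUnicodeString(&SymbolicLinkName, Device_type)

        lea     eax, [ebp+DeviceName]
        push    eax                     ; DeviceName
        lea     eax, [ebp+SymbolicLinkName]
        push    eax                     ; SymbolicLinkName
        iWin32  IoCreateSymbolicLink
        test    eax, eax
        jnz     Undo_device             ; link failed: delete the device, keep eax

        ; Install the dispatch routines before anything can open the device
        mov     dword ptr [ebx+DRVOBJ_DriverUnload], offset UnloadDriver
        mov     dword ptr [ebx+DRVOBJ_MajorFunction + IRP_MJ_CREATE*4], offset RequestHandler
        mov     dword ptr [ebx+DRVOBJ_MajorFunction + IRP_MJ_CLOSE*4], offset RequestHandler
        mov     dword ptr [ebx+DRVOBJ_MajorFunction + IRP_MJ_DEVICE_CONTROL*4], offset ServiceHandler
        nop                             ; kept from the original ("important!"); nothing visible here depends on it
        call    initmysys               ; eax = NTSTATUS of the driver-specific init
        test    eax, eax
        jz      Exit_on_failed_creation ; STATUS_SUCCESS: loaded

        ; initmysys refused the load: undo the link, then the device, and
        ; hand its status back to the loader.
        mov     esi, eax                ; preserve the status across the call
        lea     eax, [ebp+SymbolicLinkName]
        push    eax
        iWin32  IoDeleteSymbolicLink
        mov     eax, esi
Undo_device:                            ; eax = NTSTATUS to return
        mov     esi, eax
        push    [ebp+DeviceObject]
        iWin32  IoDeleteDevice
        mov     eax, esi
Exit_on_failed_creation:                ; also the success exit: eax = status
        pop     esi
        pop     ebx
        leave
        retn    8

;------------------------.IRP.PROCESS.------------------------------------
; NTSTATUS RequestHandler(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
; IRP_MJ_CREATE / IRP_MJ_CLOSE: completes the request with STATUS_SUCCESS
; and no information.  Leaf routine, no stack frame.
; In:    [esp+4] = pDeviceObject (never read); [esp+8] = pIrp
; Out:   eax = STATUS_SUCCESS, matching pIrp->IoStatus.Status
; Clobbers: ecx, edx, flags
;-------------------------------------------------------------------------
RequestHandler:
        mov     ecx, [esp+8]            ; ecx = pIrp (fastcall arg 1)
        xor     dl, dl                  ; PriorityBoost = 0
        mov     dword ptr [ecx+IRP_IoStatus_Status], STATUS_SUCCESS
        and     dword ptr [ecx+IRP_IoStatus_Information], 0
        iWin32  IofCompleteRequest
        xor     eax, eax                ; STATUS_SUCCESS
        retn    8

;--------------------------------------------------------------------------
; NTSTATUS initmysys(void)
; Driver-specific initialisation hook, called at the end of DriverEntry.
; This template does nothing and reports success.
;--------------------------------------------------------------------------
initmysys:
        xor     eax, eax                ; STATUS_SUCCESS
        ret

;--------------------------------------------------------------------------
; NTSTATUS failload(void)
; Drop-in body for initmysys that refuses the load.  Returns a real
; NTSTATUS error (a bare 1 is not one) so DriverEntry unwinds and the
; loader reports the failure.
;--------------------------------------------------------------------------
failload:
        mov     eax, STATUS_UNSUCCESSFUL
        ret

;--------------------------------------------------------------------------
; NTSTATUS ServiceHandler(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
; IRP_MJ_DEVICE_CONTROL.  As shipped every control code is completed with
; STATUS_SUCCESS (the unconditional jmp SH_OK); enabling the commented
; cmp/jne routes one chosen code through the service path, which answers
; with the 4-byte reply "None" in the METHOD_BUFFERED SystemBuffer.
; The request comes from user mode: the buffer lengths in the stack
; location are caller-controlled and are checked before the buffer is
; touched, and only the bytes actually written are reported back.
; In:    [ebp+8] = pDeviceObject (never read); [ebp+0Ch] = pIrp
; Out:   eax = NTSTATUS, also stored in pIrp->IoStatus.Status
; Clobbers: eax, ecx, edx, flags (ebx, esi, edi saved and restored)
;--------------------------------------------------------------------------
ServiceHandler:
        push    ebp
        mov     ebp, esp
        push    ebx
        push    esi
        push    edi                     ; edi is non-volatile and used below
        mov     ebx, [ebp+0Ch]          ; ebx = pIrp
        mov     edx, [ebx+IRP_CurrentStackLocation]   ; edx = PIO_STACK_LOCATION
        mov     eax, [edx+IOSL_IoControlCode]         ; eax = IoControlCode
        jmp     SH_OK                   ; template default: accept everything
        ;cmp    eax, service_id
        ;jne    SH_OK

        ; ---- service path (reached only once the cmp/jne above is enabled) ----
        ; For METHOD_BUFFERED the I/O manager sizes SystemBuffer to
        ; max(InputBufferLength, OutputBufferLength), so the output length
        ; bounds the write below; nothing is written if the reply cannot fit.
        mov     ecx, [edx+IOSL_OutputBufferLength]
        cmp     ecx, REPLY_SIZE
        jb      SH_FAIL                 ; unsigned compare on a length
        mov     edi, [ebx+IRP_SystemBuffer]
        test    edi, edi
        jz      SH_FAIL
        ; mov   ecx, [edx+IOSL_InputBufferLength]  ; check this before reading input
        ; ... inspect [edi] for request parameters here, if any ...
        mov     dword ptr [edi], 'eonN' ; bytes "None": no service existed :-o
        mov     dword ptr [ebx+IRP_IoStatus_Information], REPLY_SIZE  ; copy back only what was written
        jmp     SH_OK

SH_FAIL:
        mov     dword ptr [ebx+IRP_IoStatus_Status], STATUS_BUFFER_TOO_SMALL
        and     dword ptr [ebx+IRP_IoStatus_Information], 0
        xor     dl, dl                  ; PriorityBoost = 0
        mov     ecx, ebx
        iWin32  IofCompleteRequest
        mov     eax, STATUS_BUFFER_TOO_SMALL
        jmp     Exit_SH

SH_OK:
        mov     dword ptr [ebx+IRP_IoStatus_Status], STATUS_SUCCESS
        xor     dl, dl                  ; PriorityBoost = 0
        mov     ecx, ebx
        iWin32  IofCompleteRequest
        xor     eax, eax                ; STATUS_SUCCESS
Exit_SH:
        pop     edi
        pop     esi
        pop     ebx
        pop     ebp
        retn    8

;--------------------------------------------------------------------------
; VOID UnloadDriver(PDRIVER_OBJECT pDriverObject)
; Deletes the device object created by DriverEntry and the \DosDevices link.
; In:    [ebp+8] = pDriverObject
; Out:   nothing (eax undefined)
; Stack: 8 bytes of locals, one UNICODE_STRING (two pushes of ecx)
;--------------------------------------------------------------------------
UnloadDriver:
        push    ebp
        mov     ebp, esp
        push    ecx                     ; reserve 8 bytes for the UNICODE_STRING
        push    ecx
        mov     eax, [ebp+8]
        push    dword ptr [eax+DRVOBJ_DeviceObject]
        iWin32  IoDeleteDevice
        lea     eax, [ebp-8]
        push    offset Device_type
        push    eax
        iWin32  RtlInitUnicodeString    ; RtlInitUnicodeString(&local, Device_type)
        lea     eax, [ebp-8]
        push    eax
        iWin32  IoDeleteSymbolicLink
        leave
        retn    4

        db      'dont panic'
        END     DriverEntry
; --------------------------------------------------------------------------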