1
0
mirror of https://github.com/mastercodeon314/KsDumper-11.git synced 2024-12-18 01:15:53 +01:00
KsDumper-11/KsDumperDriver/Driver.c
2023-01-22 22:05:57 -06:00

169 lines
4.5 KiB
C

#include "NTUndocumented.h"
#include "ProcessLister.h"
#include "UserModeBridge.h"
#include <wdf.h>
DRIVER_INITIALIZE DriverEntry;
#pragma alloc_text(INIT, DriverEntry)
UNICODE_STRING deviceName, symLink;
PDEVICE_OBJECT deviceObject;
NTSTATUS CopyVirtualMemory(PEPROCESS targetProcess, PVOID sourceAddress, PVOID targetAddress, SIZE_T size)
{
PSIZE_T readBytes;
return MmCopyVirtualMemory(targetProcess, sourceAddress, PsGetCurrentProcess(), targetAddress, size, UserMode, &readBytes);
}
NTSTATUS UnsupportedDispatch(_In_ PDEVICE_OBJECT DeviceObject, _Inout_ PIRP Irp)
{
UNREFERENCED_PARAMETER(DeviceObject);
Irp->IoStatus.Status = STATUS_NOT_SUPPORTED;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return Irp->IoStatus.Status;
}
NTSTATUS CreateDispatch(_In_ PDEVICE_OBJECT DeviceObject, _Inout_ PIRP Irp)
{
UNREFERENCED_PARAMETER(DeviceObject);
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return Irp->IoStatus.Status;
}
NTSTATUS CloseDispatch(_In_ PDEVICE_OBJECT DeviceObject, _Inout_ PIRP Irp)
{
UNREFERENCED_PARAMETER(DeviceObject);
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return Irp->IoStatus.Status;
}
//NTSTATUS Unload(IN PDRIVER_OBJECT DriverObject)
//{
// IoDeleteSymbolicLink(&symLink);
// IoDeleteDevice(DriverObject->DeviceObject);
//}
NTSTATUS Unload(IN PDRIVER_OBJECT DriverObject)
{
IoDeleteSymbolicLink(&symLink);
IoDeleteSymbolicLink(&deviceName);
IoDeleteDevice(deviceObject);
return ZwUnloadDriver(&deviceName);
}
NTSTATUS IoControl(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
NTSTATUS status;
ULONG bytesIO = 0;
PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(Irp);
ULONG controlCode = stack->Parameters.DeviceIoControl.IoControlCode;
if (controlCode == IO_COPY_MEMORY)
{
if (stack->Parameters.DeviceIoControl.InputBufferLength == sizeof(KERNEL_COPY_MEMORY_OPERATION))
{
PKERNEL_COPY_MEMORY_OPERATION request = (PKERNEL_COPY_MEMORY_OPERATION)Irp->AssociatedIrp.SystemBuffer;
PEPROCESS targetProcess;
if (NT_SUCCESS(PsLookupProcessByProcessId(request->targetProcessId, &targetProcess)))
{
CopyVirtualMemory(targetProcess, request->targetAddress, request->bufferAddress, request->bufferSize);
ObDereferenceObject(targetProcess);
}
status = STATUS_SUCCESS;
bytesIO = sizeof(KERNEL_COPY_MEMORY_OPERATION);
}
else
{
status = STATUS_INFO_LENGTH_MISMATCH;
bytesIO = 0;
}
}
else if (controlCode == IO_GET_PROCESS_LIST)
{
if (stack->Parameters.DeviceIoControl.InputBufferLength == sizeof(KERNEL_PROCESS_LIST_OPERATION) &&
stack->Parameters.DeviceIoControl.OutputBufferLength == sizeof(KERNEL_PROCESS_LIST_OPERATION))
{
PKERNEL_PROCESS_LIST_OPERATION request = (PKERNEL_PROCESS_LIST_OPERATION)Irp->AssociatedIrp.SystemBuffer;
GetProcessList(request->bufferAddress, request->bufferSize, &request->bufferSize, &request->processCount);
status = STATUS_SUCCESS;
bytesIO = sizeof(KERNEL_PROCESS_LIST_OPERATION);
}
else
{
status = STATUS_INFO_LENGTH_MISMATCH;
bytesIO = 0;
}
}
else if (controlCode == IO_UNLOAD_DRIVER)
{
Unload(NULL);
bytesIO = 0;
status = STATUS_SUCCESS;
}
else
{
status = STATUS_INVALID_PARAMETER;
bytesIO = 0;
}
Irp->IoStatus.Status = status;
Irp->IoStatus.Information = bytesIO;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return status;
}
NTSTATUS DriverInitialize(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
NTSTATUS status;
UNREFERENCED_PARAMETER(RegistryPath);
RtlInitUnicodeString(&deviceName, L"\\Device\\KsDumper");
RtlInitUnicodeString(&symLink, L"\\DosDevices\\KsDumper");
status = IoCreateDevice(DriverObject, 0, &deviceName, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &deviceObject);
if (!NT_SUCCESS(status))
{
return status;
}
status = IoCreateSymbolicLink(&symLink, &deviceName);
if (!NT_SUCCESS(status))
{
IoDeleteDevice(deviceObject);
return status;
}
deviceObject->Flags |= DO_BUFFERED_IO;
for (ULONG t = 0; t <= IRP_MJ_MAXIMUM_FUNCTION; t++)
DriverObject->MajorFunction[t] = &UnsupportedDispatch;
DriverObject->MajorFunction[IRP_MJ_CREATE] = &CreateDispatch;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = &CloseDispatch;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = &IoControl;
DriverObject->DriverUnload = &Unload;
deviceObject->Flags &= ~DO_DEVICE_INITIALIZING;
return status;
}
NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
UNREFERENCED_PARAMETER(DriverObject);
UNREFERENCED_PARAMETER(RegistryPath);
return IoCreateDriver(NULL, &DriverInitialize);
}