Basic Driver IOControl Question

AgentSmithers · #1 October 23rd, 2009, 02:54 PM

Code:

#include <ntddk.h>

#define IO_HOOK_FUNCTIONS      CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0001, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IO_UNHOOK_FUNCTIONS      CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0002, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IO_GETSETINFO         CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0003, METHOD_BUFFERED, FILE_ANY_ACCESS)

//Global Variables
UNICODE_STRING DeviceName, DeviceLink;
HANDLE UserLandProcessID = (HANDLE)-1;

//Function Prototypes
NTSTATUS __stdcall IOControll(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
//END Function Prototypes

NTSTATUS __stdcall IOOpenClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
   IofCompleteRequest(Irp, IO_NO_INCREMENT);
   return STATUS_SUCCESS;
}

NTSTATUS __stdcall IOControll(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{   
   NTSTATUS status = STATUS_SUCCESS;
   int FunctionStatus = -1;

	DbgPrint("IOControll Called!\n");

   switch (Irp->Tail.Overlay.CurrentStackLocation->Parameters.DeviceIoControl.IoControlCode)
   {
      case IO_HOOK_FUNCTIONS: 
         FunctionStatus = 0;
         Irp->IoStatus.Information = sizeof(int);
         memcpy(Irp->AssociatedIrp.SystemBuffer, &FunctionStatus, sizeof(int));
         DbgPrint("Hooking...\n");
         //HookFunctions();
         break;
      case IO_UNHOOK_FUNCTIONS:
         FunctionStatus = 1;
         Irp->IoStatus.Information = sizeof(int);
         memcpy(Irp->AssociatedIrp.SystemBuffer, &FunctionStatus, sizeof(int));
         DbgPrint("Unhooking...\n");
         //UnHookFunctions();
         break;
      case IO_GETSETINFO:
         FunctionStatus = 2;
         //UserLandProcessID = RetrivePID( (char*)Irp->AssociatedIrp.SystemBuffer );
         //DbgPrint("Process ID of %s %i", (char*)Irp->AssociatedIrp.SystemBuffer,  UserLandProcessID);
         DbgPrint("Process ID: %i", UserLandProcessID);
         Irp->IoStatus.Information = sizeof(int);
         memcpy(Irp->AssociatedIrp.SystemBuffer, &FunctionStatus, sizeof(int));
         break;
   }
   IofCompleteRequest(Irp, IO_NO_INCREMENT);
   return status;
}

void DriverUnload(PDRIVER_OBJECT DriverObject)
{
	DbgPrint("Unloading!\n");
    	//ExFreePool(gRegistryPath.Buffer);
    	//RtlZeroMemory(&gRegistryPath, sizeof(gRegistryPath));
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath){
	NTSTATUS ntStatus;
	PDEVICE_OBJECT pDeviceObject;
	RtlInitUnicodeString(&DeviceName, L"\\Device\\Test");
	ntStatus = IoCreateDevice(pDriverObject, 0, &DeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, &pDeviceObject);

	if (ntStatus == STATUS_SUCCESS)
   	{
		RtlInitUnicodeString(&DeviceLink, L"\\DosDevices\\Test");
		if (IoCreateSymbolicLink(&DeviceLink, &DeviceName) != STATUS_SUCCESS)
      		{
         		IoDeleteDevice(pDriverObject->DeviceObject);
         		return STATUS_OBJECT_NAME_EXISTS;
      		}
		pDriverObject->DriverUnload = DriverUnload;
      		pDriverObject->MajorFunction[IRP_MJ_CREATE] = &IOOpenClose;
      		pDriverObject->MajorFunction[IRP_MJ_CLOSE] = &IOOpenClose;
      		pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = &IOControll;
		DbgPrint("Hello World!\n");
	}
	return ntStatus;
}

Vb.net

Code:

Public Class Form1
    Structure SECURITY_ATTRIBUTES
        Dim nLength As Integer
        Dim lpSecurityDescriptor As Integer
        Dim bInheritHandle As Integer
    End Structure
    Private Const GENERIC_READ As Integer = &H80000000
    Private Const GENERIC_WRITE As Integer = &H40000000

    Private Const FILE_SHARE_READ = &H1
    Private Const FILE_SHARE_WRITE = &H2
    Private Const OPEN_EXISTING = 3
    Private Const FILE_ATTRIBUTE_NORMAL = &H80

    Private Const FILE_DEVICE_UNKNOWN As Integer = &H22
    Private Const FILE_DEVICE_HAL As Integer = &H101

    Private Const METHOD_BUFFERED = &H0
    Private Const FILE_ANY_ACCESS = &H0

    'Public Declare Function CreateFile Lib "kernel32" Alias "CreateFileA" (ByVal lpFileName As String, ByVal dwDesiredAccess As Integer, ByVal dwShareMode As Integer, <System.Runtime.InteropServices.MarshalAs(System.Runtime.InteropServices.UnmanagedType.Struct)> ByRef lpSecurityAttributes As SECURITY_ATTRIBUTES, ByVal dwCreationDisposition As Integer, ByVal dwFlagsAndAttributes As Integer, ByVal hTemplateFile As Integer) As Integer
    Private Declare Function CreateFile _
    Lib "kernel32" Alias "CreateFileA" _
    (ByVal lpFileName As String, ByVal dwDesiredAccess As Int32, _
    ByVal dwShareMode As Int32, ByVal lpSecurityAttributes As Int32, _
    ByVal dwCreationDisposition As Int32, ByVal dwFlagsAndAttributes As Int32, _
    ByVal hTemplateFile As Int32) As Int32

    Public Declare Function DeviceIoControl Lib "kernel32" (ByVal hDevice As Integer, _
    ByVal dwIoControlCode As Integer, _
    ByVal lpInBuffer As Object, _
    ByVal nInBufferSize As Integer, _
    ByVal lpOutBuffer As Object, _
    ByVal nOutBufferSize As Integer, _
    ByVal lpBytesReturned As Integer, _
    ByVal lpOverlapped As Object) As Integer

    Private Sub Form1_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load

    End Sub

    Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
        Dim sa As SECURITY_ATTRIBUTES
        Dim FileHandle = CreateFile("\\.\Test", GENERIC_READ Or GENERIC_WRITE, 0, Nothing, OPEN_EXISTING, 0, 0)
        Dim IO_HOOK_FUNCTIONS = CTL_CODE(FILE_DEVICE_UNKNOWN, 1, METHOD_BUFFERED, FILE_ANY_ACCESS)
        Dim ret As Short = -1
        Dim bytesIO As Integer
        DeviceIoControl(FileHandle, IO_HOOK_FUNCTIONS, Nothing, 0, ret, System.Runtime.InteropServices.Marshal.SizeOf(ret), bytesIO, Nothing)
    End Sub

    Private Function CTL_CODE(ByVal DeviceType As Integer, ByVal Func As Integer, ByVal Method As Integer, ByVal Access As Integer) As Integer
        Return (DeviceType << 16) Or (Access << 14) Or (Func << 2) Or Method
    End Function

    'Public Function CTL_CODE(ByVal DeviceType As UInt32, ByVal TheFunction As UInt32, ByVal Method As UInt32, ByVal Access As UInt32) As Integer
    '    Return ((DeviceType << 16) Or (Access << 14) Or (TheFunction << 2) Or Method)
    'End Function
End Class

When I run this code everything goes fine until the DeviceIoControl call, the FileHandle is a valid ID 1345 and I get
"Attempted to read or write protected memory. This is often an indication that other memory is corrupt."

Any idea?

Part of this code was taken from a rootkit but I just want to use it as a simple POC for Driver communication!

Thanks!

-AgentSmithers

AgentSmithers · #2 October 23rd, 2009, 05:20 PM

Okie Ive changed the following line of code to

Code:

DeviceIoControl(FileHandle, IO_HOOK_FUNCTIONS, Nothing, 0, Nothing, 0, 0, Nothing)

And it gives me the same error but when I hit play it passes it up like it was successful?
Any Idea?

Thanks!

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes	Rate This Thread
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode	Rate This Thread: