
r0ke

a guest
Aug 2nd, 2012
  1. .386
  2. .model flat, stdcall
  3. option casemap:none
  4.  
  5. include \masm32\include\windows.inc
  6. include \masm32\include\kernel32.inc
  7. include \masm32\include\user32.inc
  8. include \masm32\include\advapi32.inc
  9. includelib \masm32\lib\kernel32.lib
  10. includelib \masm32\lib\user32.lib
  11. includelib \masm32\lib\advapi32.lib
  12. include \masm32\include\winioctl.inc
  13. include \masm32\Macros\Strings.mac
  14. include common.inc
  15.  
  16. .const
  17.  
  18. .data
  19.  
  20. .data?
  21.  
  22. .code
  23.  
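  ;---------------------------------------------------------------------------
  ; start - user-mode loader/controller for the r0kedrv kernel driver.
  ;
  ; Flow: connect to the Service Control Manager (SCM), register r0kedrv.sys
  ; as a demand-start kernel-driver service, start it, open \\.\r0kedrv, send
  ; one IOCTL_KB_PS2_WRITE request carrying abyScanCodes, then close the
  ; device, stop the service and delete it again. Every failure is reported
  ; with a message box; the process always ends through ExitProcess(0).
  ;
  ; ABI:   Win32 stdcall (via invoke); esi/edi are preserved by "uses".
  ; In:    nothing (program entry point).
  ; Out:   does not return.
  ;
  ; Security notes:
  ;  - Creating a SERVICE_KERNEL_DRIVER service needs administrator rights and
  ;    places the named .sys in kernel mode. The SCM records the install
  ;    (System log, event ID 7045), which is the natural detection point.
  ;  - The driver path is resolved against the current directory, so whichever
  ;    r0kedrv.sys sits there is the file that gets loaded.
  ;    NOTE(review): resolve it from the executable's own directory instead.
  ;  - If the process dies between CreateService and DeleteService the service
  ;    entry stays registered and the next run fails at "Can't register driver."
  ;---------------------------------------------------------------------------
  start proc uses esi edi

    local hSCManager:HANDLE
    local hService:HANDLE
    local acModulePath[MAX_PATH]:CHAR     ; full path of r0kedrv.sys
    local _ss:SERVICE_STATUS              ; filled in by ControlService
    local hDevice:HANDLE

    local abyScanCodes[7]:BYTE            ; input buffer for the IOCTL
    local dwBytesReturned:DWORD

    ; Build the IOCTL input buffer.
    ; NOTE(review): byte 0 (6) looks like a count of the scan-code bytes that
    ; follow; the buffer layout is defined by the driver - confirm there.
    ; 01Eh / 09Eh are the scan-code-set-1 make / break codes of the 'A' key
    ; (break = make OR 80h), i.e. three press/release pairs.
    lea esi, abyScanCodes
    assume esi:ptr BYTE
    mov [esi][0*(sizeof BYTE)], 6
    mov [esi][1*(sizeof BYTE)], 01eh
    mov [esi][2*(sizeof BYTE)], 09eh
    mov [esi][3*(sizeof BYTE)], 01eh
    mov [esi][4*(sizeof BYTE)], 09eh
    mov [esi][5*(sizeof BYTE)], 01eh
    mov [esi][6*(sizeof BYTE)], 09eh
    assume esi:nothing

    ; Open a handle to the SC Manager database.
    ; Only the right CreateService needs is requested (least privilege);
    ; SC_MANAGER_ALL_ACCESS is not required for anything done below.
    invoke OpenSCManager, NULL, NULL, SC_MANAGER_CREATE_SERVICE
    .if eax != NULL
      mov hSCManager, eax

      ; Turn the driver file name into a full path. The file-part pointer is
      ; not used, so lpFilePart is NULL. A return of 0 means failure and a
      ; return >= the buffer size means the path did not fit; in both cases
      ; acModulePath holds no usable path and must not reach CreateService.
      invoke GetFullPathName, $CTA0("r0kedrv.sys"), sizeof acModulePath, addr acModulePath, NULL
      .if (eax != 0) && (eax < sizeof acModulePath)

        ; Install service (handle limited to start, stop and delete)
        invoke CreateService, hSCManager, $CTA0("r0kedrv"), $CTA0("ring0 keyboard emulator"), \
          SERVICE_START + SERVICE_STOP + DELETE, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, \
          SERVICE_ERROR_IGNORE, addr acModulePath, NULL, NULL, NULL, NULL, NULL

        .if eax != NULL
          mov hService, eax

          ; Driver's DriverEntry procedure will be called
          invoke StartService, hService, 0, NULL
          .if eax != 0

            ; Driver will receive I/O request packet (IRP) of type IRP_MJ_CREATE
            invoke CreateFile, $CTA0("\\\\.\\r0kedrv"), GENERIC_READ + GENERIC_WRITE, \
              0, NULL, OPEN_EXISTING, 0, NULL

            .if eax != INVALID_HANDLE_VALUE
              mov hDevice, eax

  ;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

              ; Driver will receive IRP of type IRP_MJ_DEVICE_CONTROL.
              ; Input only: no output buffer is supplied (NULL, 0).
              invoke DeviceIoControl, hDevice, IOCTL_KB_PS2_WRITE, \
                addr abyScanCodes, sizeof abyScanCodes, \
                NULL, 0, addr dwBytesReturned, NULL

              .if ( eax == 0 )
                invoke MessageBox, NULL, $CTA0("Can't send scancodes to device."), NULL, MB_OK + MB_ICONSTOP
              ;.else
                ;invoke MessageBox, NULL, $CTA0("Success."), NULL, MB_OK
                ;invoke Sleep, 5000
              .endif

  ;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

              ; Driver will receive IRP of type IRP_MJ_CLOSE
              invoke CloseHandle, hDevice
            .else
              invoke MessageBox, NULL, $CTA0("Device is not present."), NULL, MB_OK + MB_ICONSTOP
            .endif
            ; DriverUnload proc in our driver will be called.
            ; Best-effort cleanup: the result is deliberately not checked.
            invoke ControlService, hService, SERVICE_CONTROL_STOP, addr _ss
          .else
            invoke MessageBox, NULL, $CTA0("Can't start driver."), NULL, MB_OK + MB_ICONSTOP
          .endif
          ; Always unregister the service so no driver entry is left behind.
          invoke DeleteService, hService
          invoke CloseServiceHandle, hService
        .else
          invoke MessageBox, NULL, $CTA0("Can't register driver."), NULL, MB_OK + MB_ICONSTOP
        .endif
      .else
        invoke MessageBox, NULL, $CTA0("Can't resolve driver path."), NULL, MB_OK + MB_ICONSTOP
      .endif
      invoke CloseServiceHandle, hSCManager
    .else
      invoke MessageBox, NULL, $CTA0("Can't connect to Service Control Manager."), NULL, MB_OK + MB_ICONSTOP
    .endif

    invoke ExitProcess, 0

  start endp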
  113.  
  114. end start