; r0kedrv -- 32-bit x86 NT kernel-mode driver in MASM32 syntax (Intel
; operand order), flat model, stdcall. Built against the MASM32 w2k
; (ntddk) headers; ntoskrnl exports are resolved via ntoskrnl.lib.
.386
.model flat, stdcall
option casemap:none

include \masm32\include\w2k\ntstatus.inc
include \masm32\include\w2k\ntddk.inc
include \masm32\include\w2k\ntoskrnl.inc
includelib \masm32\lib\w2k\ntoskrnl.lib
include \masm32\Macros\Strings.mac
include common.inc              ; presumably defines IOCTL_KB_PS2_WRITE (used below, not defined in this file)

.const
; Device name and the symbolic link through which user mode opens it.
; NOTE(review): the link is created under \?? and IoCreateDevice is
; called without a security descriptor, so whatever can open the link
; can reach the IOCTL handler; if access should be restricted, apply a
; descriptor at device creation -- confirm against the intended threat model.
CCOUNTED_UNICODE_STRING "\\Device\\r0kedrv", g_usDeviceName, 4
CCOUNTED_UNICODE_STRING "\\??\\r0kedrv", g_usSymbolicLinkName, 4
;CCOUNTED_UNICODE_STRING "\\DosDevices\\r0kedrv", g_usSymbolicLinkName, 4

.code
  18.  
  19. DispatchCreateClose proc pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP
  20.  
  21.   ; CreateFile was called, to get driver handle
  22.   ; CloseHandle was called, to close driver handle
  23.   ; In both cases we are in user process context here
  24.  
  25.   mov eax, pIrp
  26.   assume eax:ptr _IRP
  27.   mov [eax].IoStatus.Status, STATUS_SUCCESS
  28.   and [eax].IoStatus.Information, 0
  29.   assume eax:nothing
  30.  
  31.   fastcall IofCompleteRequest, pIrp, IO_NO_INCREMENT
  32.  
  33.   mov eax, STATUS_SUCCESS
  34.   ret
  35.  
  36. DispatchCreateClose endp
  37.  
  38. KbPs2Wait proc
  39.  
  40.   ; Wait until it's okay to send a command byte to the keyboard controller port.
  41. TestCmdPort:
  42.   in al, 64h
  43.   test al, 2 ; Check cntrlr input buffer full flag.
  44.   jnz TestCmdPort
  45.   ret
  46.  
  47. KbPs2Wait endp
  48.  
  49. KbPs2Write proc
  50.  
  51.   ; Save scancode
  52.   mov dl, al
  53.  
  54.   ; Wait until the keyboard controller does not contain data before
  55.   ; proceeding with shoving stuff down its throat.
  56. WaitWhileFull:
  57.   in al, 64h
  58.   test al, 1
  59.   jnz WaitWhileFull
  60.  
  61.   ; Tell the keyboard controller to take the next byte
  62.   ; sent to it and return it as a scan code.
  63.   call KbPs2Wait
  64.   mov al, 0d2h ; Return scan code command.
  65.   out 64h, al
  66.  
  67.   ; Send the scan code.
  68.   call KbPs2Wait
  69.   mov al, dl
  70.   out 60h, al
  71.   ret
  72.  
  73. KbPs2Write endp
  74.  
  75. DispatchControl proc uses esi edi pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP
  76.  
  77.   ; DeviceIoControl was called
  78.   ; We are in user process context here
  79.  
  80.   local status:NTSTATUS
  81.   local dwBytesReturned:DWORD
  82.  
  83.   and dwBytesReturned, 0
  84.  
  85.   mov esi, pIrp
  86.   assume esi:ptr _IRP
  87.  
  88.   IoGetCurrentIrpStackLocation esi
  89.   mov edi, eax
  90.   assume edi:ptr IO_STACK_LOCATION
  91.  
  92.   .if [edi].Parameters.DeviceIoControl.IoControlCode == IOCTL_KB_PS2_WRITE
  93.  
  94.       mov edi, [esi].AssociatedIrp.SystemBuffer
  95.       assume edi:ptr BYTE
  96.  
  97.       xor ebx, ebx
  98.       xor ecx, ecx
  99.       mov cl, [edi]
  100.      
  101.       .while( ebx < ecx )
  102.         inc ebx
  103.         mov al, [edi][ebx*(sizeof BYTE)]
  104.         call KbPs2Write
  105.       .endw
  106.      
  107.       mov status, STATUS_SUCCESS
  108.   .else
  109.     mov status, STATUS_INVALID_DEVICE_REQUEST
  110.   .endif
  111.  
  112.   assume edi:nothing
  113.  
  114.   push status
  115.   pop [esi].IoStatus.Status
  116.  
  117.   push dwBytesReturned
  118.   pop [esi].IoStatus.Information
  119.  
  120.   assume esi:nothing
  121.  
  122.   fastcall IofCompleteRequest, esi, IO_NO_INCREMENT
  123.  
  124.   mov eax, status
  125.   ret
  126.  
  127. DispatchControl endp
  128.  
  129. DriverUnload proc pDriverObject:PDRIVER_OBJECT
  130.  
  131.   ; ControlService,,SERVICE_CONTROL_STOP was called
  132.   ; We are in System process (pid = 8) context here
  133.  
  134.   invoke IoDeleteSymbolicLink, addr g_usSymbolicLinkName
  135.  
  136.   mov eax, pDriverObject
  137.   invoke IoDeleteDevice, (DRIVER_OBJECT PTR [eax]).DeviceObject
  138.  
  139.   ret
  140.  
  141. DriverUnload endp
  142.  
; DriverEntry lives in the INIT section; conventionally the loader
; discards it once initialization has completed.
.code INIT
  144.  
  145. DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
  146.  
  147.   ; StartService was called
  148.   ; We are in System process (pid = 8) context here
  149.  
  150.   local status:NTSTATUS
  151.   local pDeviceObject:PDEVICE_OBJECT
  152.  
  153.   mov status, STATUS_DEVICE_CONFIGURATION_ERROR
  154.  
  155.   invoke IoCreateDevice, pDriverObject, 0, addr g_usDeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, addr pDeviceObject
  156.   .if eax == STATUS_SUCCESS
  157.     invoke IoCreateSymbolicLink, addr g_usSymbolicLinkName, addr g_usDeviceName
  158.     .if eax == STATUS_SUCCESS
  159.       mov eax, pDriverObject
  160.       assume eax:ptr DRIVER_OBJECT
  161.       mov [eax].MajorFunction[IRP_MJ_CREATE*(sizeof PVOID)],      offset DispatchCreateClose
  162.       mov [eax].MajorFunction[IRP_MJ_CLOSE*(sizeof PVOID)],      offset DispatchCreateClose
  163.       mov [eax].MajorFunction[IRP_MJ_DEVICE_CONTROL*(sizeof PVOID)],  offset DispatchControl
  164.       mov [eax].DriverUnload,                      offset DriverUnload
  165.       assume eax:nothing
  166.       mov status, STATUS_SUCCESS
  167.     .else
  168.       invoke IoDeleteDevice, pDeviceObject
  169.     .endif
  170.   .endif
  171.  
  172.   mov eax, status
  173.   ret
  174.  
  175. DriverEntry endp
  176.  
end DriverEntry                 ; DriverEntry is the image entry point