vovan333

hujnja

Jun 4th, 2017
127
0
Never
  1. #include <ntddk.h>
  2.  
// IOCTL codes served by IoControl. METHOD_BUFFERED means the request struct
// arrives verbatim in pIrp->AssociatedIrp.SystemBuffer; FILE_SPECIAL_ACCESS is
// FILE_ANY_ACCESS, so no particular access right on the handle is needed to
// issue these codes.
#define IoRequestCode(code)     CTL_CODE(FILE_DEVICE_UNKNOWN, code, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define ReadRequestCode         IoRequestCode(0x0701)
#define WriteRequestCode        IoRequestCode(0x0702)
// NOTE: unsigned long is 32 bits on Windows (LLP64), so a ulong cannot hold a
// full 64-bit address; the request structs below inherit that limit.
using ulong = unsigned long;

// Device and DOS-link names; filled in by DriverEntry, read back by OnUnload.
UNICODE_STRING devicePath, DOSDevicePath;
  9.  
  10. // Undocumented kernel functions
  11.  
// MmCopyVirtualMemory is not declared in the public WDK headers; this local
// prototype is the only contract the driver has for it. Its parameter
// semantics (in particular how PreviousMode governs address validation) are
// not documented and may differ between OS releases — treat with care.
extern "C" NTSTATUS NTAPI MmCopyVirtualMemory
(
    PEPROCESS SourceProcess,
    PVOID SourceAddress,
    PEPROCESS TargetProcess,
    PVOID TargetAddress,
    SIZE_T BufferSize,
    KPROCESSOR_MODE PreviousMode,
    PSIZE_T ReturnSize
);

// PsLookupProcessByProcessId is a documented export: on success *Process holds
// a referenced EPROCESS that the caller must release with ObDereferenceObject.
extern "C" NTSTATUS NTKERNELAPI PsLookupProcessByProcessId
(
    _In_ HANDLE ProcessId,
    _Outptr_ PEPROCESS* Process
);
  28.  
// Driver-specific status reported in IoStatus.Status when the requested
// process id cannot be resolved. It is not a standard NTSTATUS value, so a
// user-mode client has to compare against it explicitly.
enum ResponseStatus
{
    BadProcessId = 0xDEADBEEF
};
  33.  
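// Payload of a ReadRequestCode IOCTL. The layout is shared with the user-mode
// client (it arrives as-is in SystemBuffer), so member order and types must
// stay in sync with the client.
class ReadRequest
{
    public:
    // Response was left indeterminate by the original constructor; it is now
    // nulled so a partially built request cannot carry a stale pointer.
    ReadRequest(ulong pid, ulong addr, ulong sz) : Pid(pid), Addr(addr), Sz(sz), Response(nullptr) {}
    ulong Pid;       // id of the process to read from
    ulong Addr;      // address inside that process (32-bit, see ulong)
    ulong Sz;        // number of bytes to copy
    void* Response;  // caller-owned buffer in the requesting process that receives the bytes
};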
  41.  
// Payload of a WriteRequestCode IOCTL; layout is shared with the user-mode
// client and must not be reordered without updating it.
class WriteRequest
{
    public:
    // Initialisers listed in declaration order (Sz before Data) to match the
    // member layout; the resulting object is identical.
    WriteRequest(ulong pid, ulong addr, void* data, ulong sz) : Pid(pid), Addr(addr), Sz(sz), Data(data) {}
    ulong Pid;   // id of the process to write into
    ulong Addr;  // destination address inside that process (32-bit, see ulong)
    ulong Sz;    // number of bytes to copy
    void* Data;  // caller-owned source buffer in the requesting process
};
  49.  
// DriverUnload callback: tears down the DOS link and the single device object
// created in DriverEntry.
void OnUnload(PDRIVER_OBJECT pDriver)
{
    PDEVICE_OBJECT device = pDriver->DeviceObject;
    IoDeleteSymbolicLink(&DOSDevicePath);
    IoDeleteDevice(device);
}
  55.  
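// Validates the request-supplied local buffer, resolves the target process and
// copies `sz` bytes between the requesting process and the target.
//   pid        - id of the target process
//   remoteAddr - address inside the target process
//   localBuf   - pointer embedded in the request; lives in the requester's
//                address space and is probed before use
//   sz         - byte count
//   toRemote   - true: localBuf -> remoteAddr (write); false: remoteAddr -> localBuf (read)
// Returns the copy routine's NTSTATUS; an unresolvable pid yields BadProcessId
// to keep the original client-visible contract. The probe failure code is
// returned when localBuf is not a valid user-mode range.
static NTSTATUS CopyForRequest(ulong pid, PVOID remoteAddr, PVOID localBuf, ulong sz, bool toRemote)
{
    // The embedded pointer comes from user mode inside a METHOD_BUFFERED
    // request and is never probed by the I/O manager, so probe it here.
    __try
    {
        if (toRemote)
        {
            ProbeForRead(localBuf, sz, 1);
        }
        else
        {
            ProbeForWrite(localBuf, sz, 1);
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        return GetExceptionCode();
    }

    PEPROCESS process = nullptr;
    if (!NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)pid, &process)))
    {
        return (NTSTATUS)BadProcessId;
    }

    // NOTE(review): IoGetCurrentProcess() is taken to be the requester because
    // a top-level DEVICE_CONTROL dispatch runs in the caller's context; confirm
    // this holds for every path that can reach IoControl.
    PEPROCESS requester = IoGetCurrentProcess();
    SIZE_T copied = 0;
    NTSTATUS status;
    // NOTE(review): PreviousMode is passed as UserMode rather than KernelMode
    // so the request-supplied addresses are treated as user-mode buffers by the
    // copy routine; MmCopyVirtualMemory is undocumented, so confirm this on the
    // target build.
    if (toRemote)
    {
        status = MmCopyVirtualMemory(requester, localBuf, process, remoteAddr, sz, UserMode, &copied);
    }
    else
    {
        status = MmCopyVirtualMemory(process, remoteAddr, requester, localBuf, sz, UserMode, &copied);
    }

    // PsLookupProcessByProcessId hands back a referenced object; the original
    // never released it and leaked one reference per request.
    ObDereferenceObject(process);
    return status;
}

// IRP_MJ_DEVICE_CONTROL dispatch. Accepts ReadRequestCode and WriteRequestCode
// with a METHOD_BUFFERED ReadRequest/WriteRequest payload.
//   pDevice - unused
//   pIrp    - the request; completed here with IO_NO_INCREMENT
// Returns the same status that is stored in pIrp->IoStatus.Status:
//   STATUS_INVALID_DEVICE_REQUEST for an unknown control code,
//   STATUS_BUFFER_TOO_SMALL when the input buffer cannot hold the request,
//   otherwise the result of CopyForRequest.
// Fixes over the original: `if (code = ...)` assigned instead of compared (so
// both branches ran on every call), `status` was never initialised for an
// unknown code or a successful write, and the input length was never checked.
NTSTATUS IoControl(PDEVICE_OBJECT pDevice, PIRP pIrp)
{
    UNREFERENCED_PARAMETER(pDevice);

    PIO_STACK_LOCATION ioStack = IoGetCurrentIrpStackLocation(pIrp);
    ULONG code = ioStack->Parameters.DeviceIoControl.IoControlCode;
    ULONG inputLength = ioStack->Parameters.DeviceIoControl.InputBufferLength;
    PVOID buffer = pIrp->AssociatedIrp.SystemBuffer;
    NTSTATUS status = STATUS_INVALID_DEVICE_REQUEST;

    switch (code)
    {
    case ReadRequestCode:
        if (buffer == nullptr || inputLength < sizeof(ReadRequest))
        {
            status = STATUS_BUFFER_TOO_SMALL;
            break;
        }
        {
            ReadRequest* request = (ReadRequest*)buffer;
            status = CopyForRequest(request->Pid, (PVOID)request->Addr, request->Response, request->Sz, false);
        }
        break;

    case WriteRequestCode:
        if (buffer == nullptr || inputLength < sizeof(WriteRequest))
        {
            status = STATUS_BUFFER_TOO_SMALL;
            break;
        }
        {
            WriteRequest* request = (WriteRequest*)buffer;
            status = CopyForRequest(request->Pid, (PVOID)request->Addr, request->Data, request->Sz, true);
        }
        break;

    default:
        // status already holds STATUS_INVALID_DEVICE_REQUEST
        break;
    }

    pIrp->IoStatus.Status = status;
    // Nothing is written back into SystemBuffer; results travel through the
    // embedded pointer, so no bytes are reported to the I/O manager.
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return status;
}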
  95.  
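// Driver entry point: creates \Device\MmDrv, links \DosDevices\MmDrv to it and
// installs the DEVICE_CONTROL and unload handlers.
//   pDriverObject - this driver
//   pRegistryPath - unused
// Returns STATUS_SUCCESS, or the NTSTATUS of the failed IoCreateDevice /
// IoCreateSymbolicLink call. The original ignored both results and then wrote
// through an indeterminate pDevice on failure; the device object is now
// deleted again if the symbolic link cannot be created.
extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
    UNREFERENCED_PARAMETER(pRegistryPath);
    DbgPrint("Driver loaded\n");

    RtlInitUnicodeString(&devicePath, L"\\Device\\MmDrv");
    RtlInitUnicodeString(&DOSDevicePath, L"\\DosDevices\\MmDrv");

    // NOTE(review): no security descriptor is supplied here, so the default
    // DACL decides who may open the device; IoCreateDeviceSecure with a
    // restrictive SDDL string would confine it to privileged callers.
    PDEVICE_OBJECT pDevice = nullptr;
    NTSTATUS status = IoCreateDevice(pDriverObject, 0, &devicePath, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &pDevice);
    if (!NT_SUCCESS(status))
    {
        return status;
    }

    status = IoCreateSymbolicLink(&DOSDevicePath, &devicePath);
    if (!NT_SUCCESS(status))
    {
        IoDeleteDevice(pDevice);
        return status;
    }

    pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = IoControl;
    pDriverObject->DriverUnload = OnUnload;

    // DO_DIRECT_IO only affects IRP_MJ_READ/WRITE buffering; the IOCTLs here
    // are METHOD_BUFFERED regardless. Kept as in the original.
    pDevice->Flags |= DO_DIRECT_IO;
    pDevice->Flags &= ~DO_DEVICE_INITIALIZING;

    return STATUS_SUCCESS;
}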