| View previous topic :: View next topic |
| Author |
Message |
Stylo
Grandmaster Cheater Supreme
![]() Reputation: 3
Joined: 16 May 2007
Posts: 1073
Location: Israel
|
 Posted: Tue Dec 14, 2010 3:25 am Post subject: Driver Developing Studing |
 |
|
I'm trying to hook IRPs with my kmd
i looked at my book for example and saw that code
| Code: |
#include <ntddk.h>
NTSTATUS MyOpen( IN PDEVICE_OBJECT pDeviceObject, IN PIRP pIrp ) {
DbgPrint( "A File Openned\n" );
return STATUS_SUCCESS;
}
VOID OnUnload( IN PDRIVER_OBJECT pDriverObject ) {
DbgPrint( "OnUnload Called\n" );
}
NTSTATUS DriverEntry( IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING pRegistryPath ) {
pDriverObject->DriverUnload = OnUnload;
pDriverObject->MajorFunction[IRP_MJ_CREATE] = MyOpen;
return STATUS_SUCCESS;
}
|
which means that every time a file is opened by an application, the MyOpen function suppose to be called and output to my DbgView what it suppose to.
but nothing is happening, i test it with a demo app that i created in C that use CreateFile to open / create a new file
Am I missing something here?
_________________
Stylo |
|
| Back to top |
|
 |
Noz3001
I'm a spammer
 Reputation: 26
Joined: 29 May 2006
Posts: 6220
Location: /dev/null
|
| Posted: Tue Dec 14, 2010 7:10 am Post subject: |
|
|
| You sure dbgview is set up to catch kernelmode messages? Does it call the onunload method?
|
|
| Back to top |
|
|
Stylo
Grandmaster Cheater Supreme
![]() Reputation: 3
Joined: 16 May 2007
Posts: 1073
Location: Israel
|
| Posted: Tue Dec 14, 2010 7:13 am Post subject: |
|
|
Yeah, i can see the unload called message
i set up dbgview to catch everything
but the idea is right?
I mean, i should see a message every time a file handle is opened by CreateFile?
_________________
Stylo |
|
| Back to top |
|
|
HomerSexual
Grandmaster Cheater Supreme
 Reputation: 5
Joined: 03 Feb 2007
Posts: 1657
|
| Posted: Tue Dec 14, 2010 7:07 pm Post subject: |
|
|
| Stylo wrote: | Yeah, i can see the unload called message
i set up dbgview to catch everything
but the idea is right?
I mean, i should see a message every time a file handle is opened by CreateFile? |
Correct me if I'm mistaken (it's been awhile), but this doesn't hook the System's CreateFile does it? I coded a CreateFile hook awhile ago and it was much more intricate than this.
I *think* this just hooks the whenever a pipe to the driver is opened?
_________________
|
|
| Back to top |
|
|
Stylo
Grandmaster Cheater Supreme
![]() Reputation: 3
Joined: 16 May 2007
Posts: 1073
Location: Israel
|
| Posted: Tue Dec 14, 2010 9:50 pm Post subject: |
|
|
I guess you're right but the point is that i should see the dbgprint message
every time a handle is opened?!
_________________
Stylo |
|
| Back to top |
|
|
NoMercy
Master Cheater
![]() Reputation: 1
Joined: 09 Feb 2009
Posts: 289
|
| Posted: Wed Dec 15, 2010 1:18 am Post subject: |
|
|
Try to use the program: dbgview.exe , it's easier and works fine for me.
Further should your function look like this:
| Code: | NTSTATUS MyCreate (IN PDEVICE_OBJECT pDriverObject, IN PIRP pIrp)
{
DbgPrint("MyCreate is calelled (API = CreateFile)\n"); // It's nice to do this further in the research, at least for me:)
pIrp->IoStatus.Status = STATUS_SUCCESS;
pIrp->IoStatus.Information = 0; // no bytes xfered
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
DriverObject->MajorFunction[IRP_MJ_CREATE] = MyCreate; |
I once made a tut, also with some usermode code. Loading + calling function from a driver. If you are intrested, ill post all source here, not that much.
|
|
| Back to top |
|
|
Stylo
Grandmaster Cheater Supreme
![]() Reputation: 3
Joined: 16 May 2007
Posts: 1073
Location: Israel
|
| Posted: Wed Dec 15, 2010 2:42 am Post subject: |
|
|
umm... I am using dbgview :\ i said it at top
and nothing is pretty much different from what i'v written except it's status and info
The point is, i should see the dbgprint message but i don't and i have no idea why
_________________
Stylo |
|
| Back to top |
|
|
tombana
Master Cheater
![]() Reputation: 2
Joined: 14 Jun 2007
Posts: 456
Location: The Netherlands
|
| Posted: Wed Dec 15, 2010 4:26 am Post subject: |
|
|
| Are you sure you are actually loading your driver? You have to use certain API's like OpenSCManager and CreateService to actually start the 'service'/driver. Then you can use CreateFile with the symbolic filename as path and then the driver should be called.
|
|
| Back to top |
|
|
Stylo
Grandmaster Cheater Supreme
![]() Reputation: 3
Joined: 16 May 2007
Posts: 1073
Location: Israel
|
| Posted: Wed Dec 15, 2010 4:53 am Post subject: |
|
|
The driver loaded perfectly
I can even see the unload called message when i unload it
_________________
Stylo |
|
| Back to top |
|
|
NoMercy
Master Cheater
![]() Reputation: 1
Joined: 09 Feb 2009
Posts: 289
|
| Posted: Wed Dec 15, 2010 5:57 am Post subject: |
|
|
| Stylo wrote: | umm... I am using dbgview :\ i said it at top
and nothing is pretty much different from what i'v written except it's status and info
The point is, i should see the dbgprint message but i don't and i have no idea why |
... Did you try to add the status like my code? That would work, since I use it and it works fine.
IN kernel those status and info things can change everything.
|
|
| Back to top |
|
|
Stylo
Grandmaster Cheater Supreme
![]() Reputation: 3
Joined: 16 May 2007
Posts: 1073
Location: Israel
|
| Posted: Wed Dec 15, 2010 7:48 am Post subject: |
|
|
Still nothing . .
_________________
Stylo |
|
| Back to top |
|
|
NoMercy
Master Cheater
![]() Reputation: 1
Joined: 09 Feb 2009
Posts: 289
|
| Posted: Wed Dec 15, 2010 11:01 am Post subject: |
|
|
| Maybe it is you usermode code. Show us it.
|
|
| Back to top |
|
|
Stylo
Grandmaster Cheater Supreme
![]() Reputation: 3
Joined: 16 May 2007
Posts: 1073
Location: Israel
|
| Posted: Wed Dec 15, 2010 2:34 pm Post subject: |
|
|
| Code: |
#include <stdio.h>
#include <Windows.h>
#include <conio.h>
int main( void ) {
HANDLE hFile;
hFile = CreateFileA( "NewFile.txt", GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0 );
getch();
return 0;
}
|
_________________
Stylo |
|
| Back to top |
|
|
NoMercy
Master Cheater
![]() Reputation: 1
Joined: 09 Feb 2009
Posts: 289
|
| Posted: Wed Dec 15, 2010 3:33 pm Post subject: |
|
|
hehe stupid of me:)
in Driver.C (add this somehwere in the entry shit.=)
| Code: |
NTSTATUS status;
PDEVICE_OBJECT deviceObject = NULL;
UNICODE_STRING NtNameString;
UNICODE_STRING Win32NameString;
RtlInitUnicodeString (&Win32NameString, L"\\DosDevices\\NazDriver");
RtlInitUnicodeString (&NtNameString, L"\\Device\\DriverMe");
status = IoCreateDevice(DriverObject,0,&NtNameString,FILE_DEVICE_UNKNOWN,0,(BOOLEAN) FALSE,&deviceObject);
if (!NT_SUCCESS(status))
return status;
status = IoCreateSymbolicLink (&Win32NameString, &NtNameString); |
in usermode.c(pp)
It seems u miss understood the first para. As example above, use this.
| Code: |
hFile = CreateFile("\\\\.\\NazDriver", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL); |
Have fun.
EDIT: to unlaod the driver You''ve to delete thesymboliclink.
| Code: | UNICODE_STRING Win32NameString;
RtlInitUnicodeString(&Win32NameString, L"\\DosDevices\\NazDriver");
IoDeleteSymbolicLink(&Win32NameString); |
|
|
| Back to top |
|
|
Stylo
Grandmaster Cheater Supreme
![]() Reputation: 3
Joined: 16 May 2007
Posts: 1073
Location: Israel
|
|
| Back to top |
|
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
