Created
October 15, 2020 16:31
#include <ntddk.h> | |
#include <windef.h> | |
#define DEVNAME L"\\Device\\Zero" | |
#define LINKNAME L"\\??\\Zero" | |
/*
 * PrUnload - driver unload routine (installed as DriverObject->DriverUnload
 * by DriverEntry).
 *
 * Removes the \??\Zero symbolic link, then walks the driver's device list
 * and deletes every device object on it. A failure to delete the link is
 * only logged; teardown continues regardless.
 */
void PrUnload(PDRIVER_OBJECT DriverObject) {
    UNICODE_STRING link;
    PDEVICE_OBJECT cur;
    PDEVICE_OBJECT next;

    DbgPrint("PrUnload called \n");

    /* Drop the user-visible name first so no new opens can resolve it. */
    RtlInitUnicodeString(&link, LINKNAME);
    if (IoDeleteSymbolicLink(&link) != STATUS_SUCCESS) {
        DbgPrint("IoDeleteSymbolicLink() failed ??!?\n");
    }

    /* NextDevice must be read before IoDeleteDevice() is called on the
     * current object, hence the saved 'next' pointer. */
    for (cur = DriverObject->DeviceObject; cur != NULL; cur = next) {
        next = cur->NextDevice;
        IoDeleteDevice(cur);
    }

    DbgPrint("PrUnload is done, module unloaded \n");
}
/*
 * CreateCloseDispatch - handler for IRP_MJ_CREATE and IRP_MJ_CLOSE.
 *
 * Completes every request with STATUS_SUCCESS and zero bytes of information.
 * No per-handle state is kept and no access check is made here, so who may
 * open the device is decided entirely by the device object's security
 * settings, not by this routine.
 */
NTSTATUS CreateCloseDispatch(
    PDEVICE_OBJECT DeviceObject,
    PIRP Irp
) {
    const NTSTATUS result = STATUS_SUCCESS;

    UNREFERENCED_PARAMETER(DeviceObject);

    Irp->IoStatus.Status = result;
    Irp->IoStatus.Information = 0;

    /* The IRP must not be touched after completion; return the local copy. */
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return result;
}
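/*
 * ReadWriteDispatch - handler for IRP_MJ_READ and IRP_MJ_WRITE.
 *
 * Write: the data is discarded and the full requested length is reported
 *        as written.
 * Read:  the caller's buffer is filled with zero bytes and the full
 *        requested length is reported as read.
 *
 * The device uses DO_DIRECT_IO (set in DriverEntry), so the I/O manager has
 * already probed and locked the caller's buffer and described it with
 * Irp->MdlAddress before this routine runs.
 *
 * Returns the same NTSTATUS that is stored in Irp->IoStatus.Status. A
 * dispatch routine that completes an IRP with a failure status but returns
 * STATUS_SUCCESS gives the I/O manager two conflicting answers.
 */
NTSTATUS ReadWriteDispatch(
    PDEVICE_OBJECT DeviceObject,
    PIRP Irp
) {
    PIO_STACK_LOCATION IrpSp = IoGetCurrentIrpStackLocation(Irp);
    NTSTATUS status = STATUS_SUCCESS;
    ULONG_PTR info = 0; /* same type as Irp->IoStatus.Information */
    ULONG length;
    PVOID p;

    UNREFERENCED_PARAMETER(DeviceObject);

    if (IrpSp->MajorFunction == IRP_MJ_WRITE) {
        /* Nothing is read from the caller's buffer; just claim success. */
        info = IrpSp->Parameters.Write.Length;
        goto END;
    }

    // at this point we know we're IRP_MJ_READ
    length = IrpSp->Parameters.Read.Length;

    /* For a zero-length direct-I/O transfer the I/O manager builds no MDL,
     * so MdlAddress is NULL. That is a valid request for zero bytes, not an
     * invalid parameter. */
    if (length == 0) {
        goto END;
    }

    if (!Irp->MdlAddress) {
        status = STATUS_INVALID_PARAMETER;
        goto END;
    }

    /* Never write more than the MDL describes. For IRPs built by the I/O
     * manager the two values match; this guards against an IRP whose Length
     * and MDL disagree (e.g. one built by another kernel component). */
    if (length > MmGetMdlByteCount(Irp->MdlAddress)) {
        status = STATUS_INVALID_PARAMETER;
        goto END;
    }

    /* No MmProbeAndLockPages() call is needed here: with DO_DIRECT_IO the
     * I/O manager has already locked the pages.
     * NOTE(review): on Windows 8 and later, OR-ing MdlMappingNoExecute into
     * the priority argument keeps the system mapping non-executable. */
    p = MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority);
    if (!p) {
        status = STATUS_INSUFFICIENT_RESOURCES;
        goto END;
    }

    RtlZeroMemory(p, length);
    info = length;
    /* No explicit unmap of p: the mapping is released when the I/O manager
     * unlocks and frees the MDL during IRP completion. */

END:
    Irp->IoStatus.Information = info;
    Irp->IoStatus.Status = status;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    /* Irp must not be dereferenced past this point; 'status' is a local. */
    return status;
}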
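/*
 * DriverEntry - driver initialization.
 *
 * Creates the \Device\Zero device object, exposes it to user mode through
 * the \??\Zero symbolic link, and installs the create/close and read/write
 * dispatch routines. The device is configured for direct I/O.
 *
 * Returns STATUS_SUCCESS on success; otherwise the NTSTATUS reported by the
 * failing IoCreateDevice() / IoCreateSymbolicLink() call, so the real cause
 * is visible to whoever loads the driver.
 *
 * Access control: the device is created with IoCreateDevice(), so it gets
 * the system's default security descriptor for its device type.
 * NOTE(review): if access should be limited to specific principals, create
 * the device with IoCreateDeviceSecure() and an explicit SDDL string.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) {
    PDEVICE_OBJECT DevObject = NULL;
    UNICODE_STRING sDevName;
    UNICODE_STRING sLinkName;
    NTSTATUS status;

    DbgPrint("Simple DriverEntry called: %wZ\n", RegistryPath);

    /* Install every entry point before any name for the device exists. */
    DriverObject->DriverUnload = PrUnload;
    DriverObject->MajorFunction[IRP_MJ_CREATE] = CreateCloseDispatch;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = CreateCloseDispatch;
    DriverObject->MajorFunction[IRP_MJ_READ] = ReadWriteDispatch;
    DriverObject->MajorFunction[IRP_MJ_WRITE] = ReadWriteDispatch;

    RtlInitUnicodeString(&sDevName, DEVNAME);
    RtlInitUnicodeString(&sLinkName, LINKNAME);

    /* FILE_DEVICE_SECURE_OPEN makes the I/O manager apply the device
     * object's security descriptor to every open, including opens that
     * append a path after the device name. This driver implements no
     * namespace of its own, so there is no reason to leave it off. */
    status = IoCreateDevice(DriverObject, 0, &sDevName, FILE_DEVICE_UNKNOWN,
                            FILE_DEVICE_SECURE_OPEN, FALSE, &DevObject);
    if (!NT_SUCCESS(status)) {
        DbgPrint("IoCreateDevice() failed\n");
        return status;
    }

    /* The transfer method has to be chosen before the device becomes usable,
     * i.e. before DO_DEVICE_INITIALIZING is cleared below. */
    DevObject->Flags |= DO_DIRECT_IO;

    status = IoCreateSymbolicLink(&sLinkName, &sDevName);
    if (!NT_SUCCESS(status)) {
        DbgPrint("IoCreateSymbolicLink() failed\n");
        IoDeleteDevice(DevObject); /* undo the partial setup */
        return status;
    }

    DevObject->Flags &= ~DO_DEVICE_INITIALIZING;

    DbgPrint("Driver is successfully loaded!\n");
    return STATUS_SUCCESS;
}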