 |
Cheat Engine
The Official Site of Cheat Engine
|
| View previous topic :: View next topic |
| Author |
Message |
dnsi0
I post too much
![]() Reputation: 0
Joined: 04 Jan 2007
Posts: 2674
|
 Posted: Thu Aug 21, 2008 2:39 pm Post subject: Can someone explain how this works??? |
 |
|
Here:
| Code: | #include "ntddk.h"
WCHAR deviceName[] = L"\\Device\\Xanos";
PDEVICE_OBJECT Rootkit;
NTSTATUS OnStubDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
VOID OnUnload( IN PDRIVER_OBJECT DriverObject );
NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath )
{
int i;
NTSTATUS ntStatus;
UNICODE_STRING deviceNameUnicodeString;
RtlInitUnicodeString (&deviceNameUnicodeString, deviceName );
DbgPrint("Loaded driver correctly\n");
DbgPrint("Starting the create device call\n");
ntStatus = IoCreateDevice ( theDriverObject, 0, &deviceNameUnicodeString, 0x00001234,0,TRUE, &Rootkit );
DbgPrint("Completed\n");
theDriverObject->DriverUnload = OnUnload;
DbgPrint("entering loop\n");
for(i=0;i<IRP_MJ_MAXIMUM_FUNCTION;i++)
{
theDriverObject->MajorFunction[i] = OnStubDispatch;
}
DbgPrint("Returning status success");
return STATUS_SUCCESS;
}
NTSTATUS OnStubDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
Irp->IoStatus.Status = STATUS_SUCCESS;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
VOID OnUnload( IN PDRIVER_OBJECT DriverObject )
{
DbgPrint("OnUnload called\n");
DbgPrint("Deleting device\n");
IoDeleteDevice(Rootkit);
} |
|
|
| Back to top |
|
 |
Flyte
Peanuts!!!!
 Reputation: 6
Joined: 19 Apr 2006
Posts: 1887
Location: Canada
|
| Posted: Thu Aug 21, 2008 3:12 pm Post subject: |
|
|
It's just starting the driver, linking functions, and getting it ready for an IOCTL.
This is like the "Hello World" of drivers.
|
|
| Back to top |
|
|
DeviantGeek
Newbie cheater
![]() Reputation: 0
Joined: 30 Apr 2006
Posts: 20
Location: 127.0.0.1
|
| Posted: Thu Aug 21, 2008 7:34 pm Post subject: |
|
|
Flyte pretty much summed it up. This driver does pretty much nothing but set itself up to do nothing =D
these drivers are written in c code only i think, so if your used to c++ or anything, like i was, gotta break away from it here lol.
heres a breakdown on what goes on with this driver:
| Code: | | NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath ) |
this guy is like main() in any app you write. its the entry point of the driver and is called soon as it is loaded. basically you gotta do 2 things here. create the driver with IoCreateDevice so that the system knows its there, what kind of driver it is, and what level its runnin at etc. then tell the system what functions you have and where they are in your driver by setting them in theDriverObject (there are quite a few, but i guess your doing a rootkit so you dont need to use them all):
| Code: | DriverObject->DriverUnload = DispatchUnload;
DriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
DriverObject->MajorFunction[IRP_MJ_READ] = DispatchRead;
DriverObject->MajorFunction[IRP_MJ_WRITE] = DispatchWrite;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchDeviceControl;
DriverObject->MajorFunction[IRP_MJ_POWER] = DispatchPower;
DriverObject->MajorFunction[IRP_MJ_PNP] = DispatchPnP; |
in your driver code it doesnt even care, it sets everything to one function. in my opinion not smart because you dont know what your handling. plus it causes unneeded code execution. if your just doing a rootkit. all you will really need is IRP_MJ_DEVICE_CONTROL (to control the driver), IRP_MJ_CLOSE (so applications can remove the handle from the driver), IRP_MJ_CREATE (so applications can create a handle to the driver), and you need to set DriverObject->DriverUnload. all the functions use the same prototype:
| Code: | | NTSTATUS function_name(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp) |
the next function in this driver is:
| Code: | | NTSTATUS OnStubDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp) |
this is pretty much how you interact with the driver from user mode to kernel mode. this guy basically receives codes from your wrapper and they tell the driver to do something. since your driver doesnt have any code ill post some of mine for an example on how to handle something:
| Code: | NTSTATUS DispatchIoctl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
PIO_STACK_LOCATION irpSp;
NTSTATUS ntStatus = STATUS_SUCCESS;
PCHAR inBuff, outBuff;
DWORD inBufLength, outBufLength;
irpSp = IoGetCurrentIrpStackLocation(Irp); //stack pointer
inBufLength = irpSp->Parameters.DeviceIoControl.InputBufferLength; //size of the input buffer
outBufLength = irpSp->Parameters.DeviceIoControl.OutputBufferLength; //size of the output buffer;
/*
these are the same buffer, but i like to seperate them so i dont get confused.
*/
outBuff = Irp->AssociatedIrp.SystemBuffer; //data we send back to the application
inBuff = Irp->AssociatedIrp.SystemBuffer; //data the application sent to us
Irp->IoStatus.Information = 0; //set the return buffer byte size to 0 incase we dont send anything back to the app
switch (irpSp->Parameters.DeviceIoControl.IoControlCode) //what does the app want us to do?
{
case IOCTL_ADD: //simple addition code
/*
when initiating variables, ALWAYS use a try statement. you have to remember your working
in kernel mode. something messes up, say hello to the blue screen of death!
*/
__try
{
unsigned int a;
unsigned int b;
//fetch the data our app sent us
a = *(unsigned int*)inBuff;
b = *(unsigned int*)inBuff + sizeof(unsigned int);
//stick our answer in the output buffer
*(unsigned int*)outBuff = a + b;
//tell the kernel how many bytes we put in the output buffer
Irp->IoStatus.Information = sizeof(unsigned int);
} __except(1) {
//something bad happened! but least our exception caught it so windows wont panic!
ntStatus = STATUS_UNSUCCESSFUL;
}
break;
default:
ntStatus = STATUS_INVALID_DEVICE_REQUEST;
break;
}
/*
set the status of how our request went:
STATUS_SUCCESS i did it!
STATUS_UNSUCCESSFUL i failed =(
STATUS_INVALID_DEVICE_REQUEST i have no idea what you wanted me to do =D
*/
Irp->IoStatus.Status = ntStatus;
//tell the I/O manager we're done and give them the Irp back!
IoCompleteRequest( Irp, IO_NO_INCREMENT );
return ntStatus;
} |
just remember when putting something in the output buffer, dont exceed the size of the buffer or you will make the kernel unhappy!
and lastly OnUnload(). pretty much just deletes the driver from the system. hopefully this helps! took me a little while to figure out how the drivers work. and after quite a few blue screens of death i finally got it working lol
|
|
| Back to top |
|
|
dnsi0
I post too much
![]() Reputation: 0
Joined: 04 Jan 2007
Posts: 2674
|
| Posted: Fri Aug 22, 2008 9:04 am Post subject: |
|
|
| Im not trying to do a rootkit. I found this on the net saying how to make a driver. And One more question. Should I install VM ware so I don't accientally fck up my system with a BSoD?
|
|
| Back to top |
|
|
sponge
I'm a spammer
 Reputation: 1
Joined: 07 Nov 2006
Posts: 6009
|
| Posted: Fri Aug 22, 2008 2:55 pm Post subject: |
|
|
A BSOD is suppose to prevent fuck ups.
_________________
|
|
| Back to top |
|
|
rapion124
Grandmaster Cheater Supreme
![]() Reputation: 0
Joined: 25 Mar 2007
Posts: 1095
|
| Posted: Fri Aug 22, 2008 4:00 pm Post subject: |
|
|
| You don't need to test drivers in a VM. Add exception handling to your code and when testing your driver, run a kernel debugger.
|
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
