Hello all, I have been trying to create a simple driver and advance little by little by adding different features to it.
First of all this is my driver, its simple - i commented it thouroly for my own better understanding and memorization .
When ever i try to run the driver using OSRLoader, it is just donle only once, i have to reboot the system to test it again, and i dont get the message located inside unload function when i click on stop button on the osrloader.!
What is wrong?
//In the name of GOD
//Test Driver
//Displaying a Message on Debug Pane in windbg
/***********************************************
things to know in driver development !
There are couple of prefixes that are used
and referenced a lot in api names, these
prefixes are abridged form of a bigger expression
Here is what i could find so far.
"Ex" prefix stands for Ex(Executive support)
Ke denotes to kernel,
Po (for Power)
Ps (for Process Structure)
Ob(for Object),
Io (for I/O manager),
Mm (for memory manager),
Se(for Security manager),
Rtl (for run-time library),
and FsRtl (stands for file system run-time library).
************************************************/
//This is a must have for driver development
#include "ntddk.h"
//skip this!
void UnLoadDriver(IN PDRIVER_OBJECT DriverObject);
//skip this as well , and read later on
NTSTATUS OnClientDispatch(IN PDEVICE_OBJECT deviceObject, IN PIRP irp);
NTSTATUS OnClientCreateDispatch(IN PDEVICE_OBJECT deviceObject, IN PIRP irp);
NTSTATUS OnClientCloseDispatch(IN PDEVICE_OBJECT deviceObject, IN PIRP irp);
NTSTATUS OnClientReadDispatch(IN PDEVICE_OBJECT deviceObject, IN PIRP irp);
NTSTATUS OnClientWriteDispatch(IN PDEVICE_OBJECT deviceObject, IN PIRP irp);
NTSTATUS OnClientIOCTLDispatch(IN PDEVICE_OBJECT deviceObject, IN PIRP irp);
//global variables
const WCHAR ourDeviceNameString[] = L"\\Device\\HosseinDevice";
const WCHAR ourDeviceLinkString[] = L"\\DosDevices\\HosseinDevice";
PDEVICE_OBJECT ourDeviceObject;
#define FILE_DEVICE_HOSSEINDEVICE 0xFF12
//The entry point of a driver execution
NTSTATUS DriverEntry(IN PDRIVER_OBJECT theDriverObject,
IN PUNICODE_STRING theRegisteryPath)
{
UNICODE_STRING ourUnicdeDeviceName;
UNICODE_STRING ourUnicdeDeviceLink;
NTSTATUS ntStatus ;
//dbgPrint prints our debug messages to a debug queue, the windbg app can
//let us see these messages
DbgPrint("In the name of GOD The Most Compassionate The most Merciful");
DbgPrint("\n Our Sample Driver Is Loaded.");
//Setting up our driver name and its symbolic link.
//in order to be able to communicate with outer world! we need to give
//a name to our device driver, after all we are creating a device driver!
//symbolic links are not mandatory, they are only made so that the client
//-side app can connect and communicate to the driver more easily
RtlInitUnicodeString(&ourUnicdeDeviceName, ourDeviceNameString);
//more info at: http://msdn.microsoft.com/en-us/library/windows/hardware/ff548397%28v=vs.85%29.aspx
ntStatus = IoCreateDevice( theDriverObject,
0,//means, we have no driver extension for now!
&ourUnicdeDeviceName,
//Now this is the type of our device driver,
//there are lots of pre-defined types,
//we can choose either FILE_DEVICE_UNKNOWN or a number between 32768 and 65535
//since the others are ms reserved.
//more info on : http://msdn.microsoft.com/en-us/library/windows/hardware/ff563821%28v=vs.85%29.aspx
FILE_DEVICE_HOSSEINDEVICE,
//This is the device characteristic
//most driver developers use what we used here
//more info at : http://msdn.microsoft.com/en-us/library/windows/hardware/ff543147%28v=vs.85%29.aspx
FILE_DEVICE_SECURE_OPEN,//in rootkits book sample it was set to 0!!! have no idea what this causes!
//This option, specifies whether our device is exclusive
//that is only one handle at a time can be opened!
//most driver developers again set this to false!
//info at :http://msdn.microsoft.com/en-us/library/windows/hardware/ff548397%28v=vs.85%29.aspx
//and http://msdn.microsoft.com/en-us/library/windows/hardware/ff563827%28v=vs.85%29.aspx
FALSE,//in rootkitsbook its set to true! why?
&ourDeviceObject);
DbgPrint("\n DriverDevice is created Successfully");
RtlInitUnicodeString(&ourUnicdeDeviceLink, ourDeviceLinkString); //creating a symbolic link out of our unicode array
if( NT_SUCCESS(ntStatus) )
{
ntStatus = IoCreateSymbolicLink(&ourUnicdeDeviceLink,
ourDeviceLinkString);
}
DbgPrint("\n Driver Symlink is now Created.");
//we are now setting the unload function, so that our driver can be
//unloaded after being stopped.
theDriverObject->DriverUnload = UnLoadDriver;
DbgPrint("\n Driver UnloadFunction is set");
//Now In order to be able to communicate with a client side
//application we are going to set something called Major Functions array!
//This MJF array contains functions , user mode app can reference and use
//to communicate with the driver and send commands accordingly.
//Dont let the names fool you!!
theDriverObject->MajorFunction[IRP_MJ_CREATE] = OnClientCreateDispatch;
theDriverObject->MajorFunction[IRP_MJ_CLOSE] = OnClientCloseDispatch;
theDriverObject->MajorFunction[IRP_MJ_READ] = OnClientReadDispatch;
theDriverObject->MajorFunction[IRP_MJ_WRITE] = OnClientWriteDispatch;
theDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = OnClientIOCTLDispatch;
DbgPrint("\n Driver Major Functions are set successfully");
return ntStatus;
}
//Ok, when we load our driver, that is , when it is created an thus loaded,
//we need to unloaded it ourselves, or it will stick there in the memory
//till we reboot the system.!
void UnLoadDriver(IN PDRIVER_OBJECT driverObject)
{
//UNICODE_STRING ourdevicelink;
DbgPrint("The driver is now being unloaded");
//RtlInitUnicodeString(&ourdevicelink, ourDeviceLinkString);
//IoDeleteSymbolicLink(&ourdevicelink);
//IoDeleteDevice(driverObject->DeviceObject);
//DbgPrint("The driver is now unloaded");
}
//Ok these are 5 major functions which allow to communicate with
//outer world!! I mean the client side application
//This is one of the means we can use to send commands to our driver
//OnClientDispatch is a generalized sample for such functions
//The rest are major functions
NTSTATUS OnClientDispatch(IN PDEVICE_OBJECT deviceObject, IN PIRP Irp)
{
Irp->IoStatus.Status = STATUS_SUCCESS;
IoCompleteRequest(Irp,IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
NTSTATUS OnClientCreateDispatch(IN PDEVICE_OBJECT deviceObject, IN PIRP irp)
{
//Do sth
DbgPrint(" Create Method is called");
return STATUS_SUCCESS;
}
NTSTATUS OnClientCloseDispatch(IN PDEVICE_OBJECT deviceObject, IN PIRP irp)
{
//Do sth
DbgPrint(" Close Method is called");
return STATUS_SUCCESS;
}
NTSTATUS OnClientReadDispatch(IN PDEVICE_OBJECT deviceObject, IN PIRP irp)
{
//Do sth
DbgPrint(" Read Method is called");
return STATUS_SUCCESS;
}
NTSTATUS OnClientWriteDispatch(IN PDEVICE_OBJECT deviceObject, IN PIRP irp)
{
//Do sth
DbgPrint(" Write Method is called");
return STATUS_SUCCESS;
}
NTSTATUS OnClientIOCTLDispatch(IN PDEVICE_OBJECT deviceObject, IN PIRP Irp)
{
PIO_STACK_LOCATION IrpSp;
ULONG FunctionCode;
IrpSp = IoGetCurrentIrpStackLocation(Irp);
FunctionCode = IrpSp->Parameters.DeviceIoControl.IoControlCode;
switch(FunctionCode)
{
//do sth
default:
DbgPrint("Default is called .");
}
return STATUS_SUCCESS;
}
