/*
* A simple C++ driver base with KD data block by WhiteByte
*/
#include <ntifs.h>
#include <intrin.h>
#include <Structs.h>
#include <Nt.h>
#include <Routines.h>
#include <Define.h>
void UnloadDriver(IN PDRIVER_OBJECT DriverObject);
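EXTERN_C
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING registryPath)
{
    // Driver entry point: resolves the kernel debugger data block, prints a
    // few of its fields to the debug output and installs the unload routine.
    //
    // Returns STATUS_SUCCESS once DriverUnload is set, or STATUS_UNSUCCESSFUL
    // if the debugger data block could not be located (the I/O manager then
    // discards the driver object without calling UnloadDriver).
    UNREFERENCED_PARAMETER(registryPath);

    // Fills in the global KdDebuggerDataBlock declared in the project headers.
    // NOTE(review): assumes a failed lookup leaves the pointer NULL rather than
    // dangling — confirm against Routines.h. Without this check a failed
    // lookup would dereference NULL below and bug-check the machine.
    InitializeDebuggerBlock();
    if (KdDebuggerDataBlock == NULL) {
        DbgPrintEx(0, 0, "KdDebuggerDataBlock not found \n");
        return STATUS_UNSUCCESSFUL;
    }

    // Component 0 / level 0 is DPFLTR_SYSTEM_ID at DPFLTR_ERROR_LEVEL, which the
    // default debug-print filter mask lets through. The printed values reveal
    // the KASLR-randomized kernel base to anything consuming debug output
    // (attached kernel debugger, DbgView), so this trace belongs in debug
    // builds only.
    DbgPrintEx(0, 0, "Kernel base address: 0x%I64X PsLoadedModuleList: 0x%I64X MmUnloadedDrivers: 0x%I64X \n",
               KdDebuggerDataBlock->KernBase, KdDebuggerDataBlock->PsLoadedModuleList, KdDebuggerDataBlock->MmUnloadedDrivers);

    // An earlier variant that copied the block out with MmCopyMemory inside a
    // __try/__except block used to sit here as commented-out code; it referred
    // to locals that no longer exist and has been dropped.

    pDriverObject->DriverUnload = UnloadDriver;
    return STATUS_SUCCESS;
}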
void UnloadDriver(PDRIVER_OBJECT pDriverObject)
{
    // DriverUnload callback registered by DriverEntry. This driver owns no
    // device objects, symbolic links or allocations, so teardown is just a
    // debug-print trace; the driver object itself is not touched.
    UNREFERENCED_PARAMETER(pDriverObject);

    DbgPrintEx(0, 0, "[+] The unloading routine was called \n");
}