DriverTester.h File Reference

#include <windows.h>
#include <stdio.h>
#include <winternl.h>

Include dependency graph for DriverTester.h:

This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Classes
struct	_SYSTEM_GDI_DRIVER_INFORMATION
struct	_OBJECT_NAME_INFORMATION

Macros
#define	_WIN32_WINNT   0x0500
#define	DRIVER_NAME   L"TestDriver"
#define	STATUS_SUCCESS   ((NTSTATUS)0x00000000L)
#define	STATUS_PRIVILEGE_NOT_HELD   ((NTSTATUS)0xC0000061L)
#define	SystemLoadGdiDriverInformation   26
#define	SystemExtendServiceTableInformation   38

Typedefs
typedef LONG	NTSTATUS
typedef struct _SYSTEM_GDI_DRIVER_INFORMATION	SYSTEM_GDI_DRIVER_INFORMATION
typedef struct _SYSTEM_GDI_DRIVER_INFORMATION *	PSYSTEM_GDI_DRIVER_INFORMATION
typedef enum _OBJECT_INFORMATION_CLASS	OBJECT_INFO_CLASS
typedef struct _OBJECT_NAME_INFORMATION	OBJECT_NAME_INFORMATION
typedef struct _OBJECT_NAME_INFORMATION *	POBJECT_NAME_INFORMATION

Enumerations
enum	_OBJECT_INFORMATION_CLASS {   ObjectBasicInformation, ObjectNameInformation, ObjectTypeInformation, ObjectAllTypesInformation,   ObjectHandleInformation, ObjectBasicInformation = 0, ObjectTypeInformation = 2, ObjectBasicInformation,   ObjectNameInformation, ObjectTypeInformation, ObjectTypesInformation, ObjectDataInformation }

Functions
BOOL	RegisterDriver (LPCWSTR lpDriverName, LPCWSTR lpPathName)
BOOL	StartDriver (LPCWSTR lpDriverName)
BOOL	StopDriver (LPCWSTR lpDriverName)
BOOL	UnregisterDriver (LPCWSTR lpDriverName)
BOOL	ConvertPath (LPCWSTR lpPath, LPWSTR lpDevice)
BOOL	LoadVia_SystemLoadGdiDriverInformation (LPWSTR lpDriverPath)
BOOL	LoadVia_SystemExtendServiceTableInformation (LPWSTR lpDriverPath)
BOOL	NtStartDriver (LPCWSTR lpService)
BOOL	NtStopDriver (LPCWSTR lpService)
NTSYSAPI NTSTATUS NTAPI	NtSetSystemInformation (IN INT SystemInformationClass, IN PVOID SystemInformation, IN ULONG SystemInformationLength)
NTSTATUS	NtUnloadDriver (IN PUNICODE_STRING DriverServiceName)
NTSTATUS	NtQueryObject (IN HANDLE Handle, IN OBJECT_INFO_CLASS ObjectInformationClass, OUT PVOID ObjectInformation, IN ULONG ObjectInformationLength, OUT PULONG ReturnLength)

Macro Definition Documentation

_WIN32_WINNT

#define _WIN32_WINNT   0x0500

Definition at line 1 of file DriverTester.h.

DRIVER_NAME

#define DRIVER_NAME   L"TestDriver"

Definition at line 6 of file DriverTester.h.

STATUS_PRIVILEGE_NOT_HELD

#define STATUS_PRIVILEGE_NOT_HELD   ((NTSTATUS)0xC0000061L)

Definition at line 9 of file DriverTester.h.

STATUS_SUCCESS

#define STATUS_SUCCESS   ((NTSTATUS)0x00000000L)

Definition at line 8 of file DriverTester.h.

SystemExtendServiceTableInformation

#define SystemExtendServiceTableInformation   38

Definition at line 35 of file DriverTester.h.

SystemLoadGdiDriverInformation

#define SystemLoadGdiDriverInformation   26

Definition at line 34 of file DriverTester.h.

Typedef Documentation

NTSTATUS

typedef LONG NTSTATUS

Definition at line 11 of file DriverTester.h.

OBJECT_INFO_CLASS

typedef enum _OBJECT_INFORMATION_CLASS OBJECT_INFO_CLASS

OBJECT_NAME_INFORMATION

typedef struct _OBJECT_NAME_INFORMATION OBJECT_NAME_INFORMATION

POBJECT_NAME_INFORMATION

typedef struct _OBJECT_NAME_INFORMATION * POBJECT_NAME_INFORMATION

PSYSTEM_GDI_DRIVER_INFORMATION

typedef struct _SYSTEM_GDI_DRIVER_INFORMATION * PSYSTEM_GDI_DRIVER_INFORMATION

SYSTEM_GDI_DRIVER_INFORMATION

typedef struct _SYSTEM_GDI_DRIVER_INFORMATION SYSTEM_GDI_DRIVER_INFORMATION

Enumeration Type Documentation

_OBJECT_INFORMATION_CLASS

enum _OBJECT_INFORMATION_CLASS

Enumerator
ObjectBasicInformation
ObjectNameInformation
ObjectTypeInformation
ObjectAllTypesInformation
ObjectHandleInformation
ObjectBasicInformation
ObjectTypeInformation
ObjectBasicInformation
ObjectNameInformation
ObjectTypeInformation
ObjectTypesInformation
ObjectDataInformation

Definition at line 53 of file DriverTester.h.

                                       {
    ObjectBasicInformation,
    ObjectNameInformation,
    ObjectTypeInformation,
    ObjectAllTypesInformation,
    ObjectHandleInformation
} OBJECT_INFO_CLASS;

Function Documentation

ConvertPath()

BOOL ConvertPath	(	LPCWSTR	lpPath,
		LPWSTR	lpDevice
	)

Definition at line 56 of file undoc.c.

{
    LPWSTR lpFullPath = NULL;
    DWORD size;

    if (lpPath)
    {
        size = GetLongPathNameW(lpPath,
                                0,
                                0);
        if (!size)
            return FALSE;

        size = (size + 1) * sizeof(WCHAR);

        lpFullPath = HeapAlloc(GetProcessHeap(),
                               0,
                               size);
        if (!lpFullPath)
            return FALSE;

        if (GetLongPathNameW(lpPath,
                             lpFullPath,
                             size))
        {
            HANDLE hDevice;
            POBJECT_NAME_INFORMATION pObjName;
            NTSTATUS Status;
            DWORD len;

            hDevice = CreateFileW(lpFullPath,
                                  GENERIC_READ | GENERIC_WRITE,
                                  0,
                                  NULL,
                                  OPEN_EXISTING,
                                  FILE_ATTRIBUTE_NORMAL,
                                  NULL);

            HeapFree(GetProcessHeap(), 0, lpFullPath);

            if(hDevice == INVALID_HANDLE_VALUE)
            {
                wprintf(L"[%x] Failed to open %s\n", GetLastError(), DRIVER_NAME);
                return FALSE;
            }

            size = MAX_PATH * sizeof(WCHAR);
            pObjName = HeapAlloc(GetProcessHeap(), 0, size);
            if (!pObjName)
                return FALSE;

            Status = NtQueryObject(hDevice,
                                   ObjectNameInformation,
                                   pObjName,
                                   size,
                                   &size);
            if (Status == STATUS_SUCCESS)
            {
                len = pObjName->Name.Length / sizeof(WCHAR);
                wcsncpy(lpDevice, pObjName->Name.Buffer, len);
                lpDevice[len] = UNICODE_NULL;

                HeapFree(GetProcessHeap(), 0, pObjName);

                return TRUE;
            }

            HeapFree(GetProcessHeap(), 0, pObjName);
        }
    }

    return FALSE;
}

Referenced by SneakyUndocumentedMethods().

LoadVia_SystemExtendServiceTableInformation()

BOOL LoadVia_SystemExtendServiceTableInformation

(

LPWSTR

lpDriverPath

)

Definition at line 240 of file undoc.c.

{
    NTSTATUS Status;
    UNICODE_STRING Buffer;
    DWORD bufSize;

    RtlInitUnicodeString(&Buffer, lpDriverPath);
    bufSize = sizeof(UNICODE_STRING);

    if (SetPrivilege(TRUE))
    {
        Status = NtSetSystemInformation(SystemExtendServiceTableInformation,
                                        &Buffer,
                                        bufSize);
        if (Status == STATUS_PRIVILEGE_NOT_HELD)
        {
            wprintf(L"SystemExtendServiceTableInformation can only be used in kmode.\n");
        }
        else if (Status == STATUS_SUCCESS)
        {
            wprintf(L"SystemExtendServiceTableInformation incorrectly loaded the driver\n");
            NtUnloadDriver(&Buffer);

            return TRUE;
        }
        else
        {
            DWORD err = RtlNtStatusToDosError(Status);
            wprintf(L"LoadVia_SystemExtendServiceTableInformation failed [%lu] - 0x%x\n", err, Status);
        }

        SetPrivilege(FALSE);
    }

    return FALSE;
}

Referenced by SneakyUndocumentedMethods().

LoadVia_SystemLoadGdiDriverInformation()

BOOL LoadVia_SystemLoadGdiDriverInformation

(

LPWSTR

lpDriverPath

)

Definition at line 199 of file undoc.c.

{
    NTSTATUS Status;
    SYSTEM_GDI_DRIVER_INFORMATION Buffer;
    DWORD bufSize;

    bufSize = sizeof(SYSTEM_GDI_DRIVER_INFORMATION);

    ZeroMemory(&Buffer, bufSize);
    RtlInitUnicodeString(&Buffer.DriverName, lpDriverPath);

    if (SetPrivilege(TRUE))
    {
        Status = NtSetSystemInformation(SystemLoadGdiDriverInformation,
                                        &Buffer,
                                        bufSize);
        if (Status == STATUS_PRIVILEGE_NOT_HELD)
        {
            wprintf(L"SystemLoadGdiDriverInformation can only be used in kmode.\n");
        }
        else if (Status == STATUS_SUCCESS)
        {
            wprintf(L"SystemLoadGdiDriverInformation incorrectly loaded the driver\n");
            NtUnloadDriver(&Buffer.DriverName);

            return TRUE;
        }
        else
        {
            DWORD err = RtlNtStatusToDosError(Status);
            wprintf(L"LoadVia_SystemLoadGdiDriverInformation failed [%lu]\n", err);
        }

        SetPrivilege(FALSE);
    }

    return FALSE;
}

Referenced by SneakyUndocumentedMethods().

NtQueryObject()

NTSTATUS NtQueryObject	(	IN HANDLE	Handle,
		IN OBJECT_INFO_CLASS	ObjectInformationClass,
		OUT PVOID	ObjectInformation,
		IN ULONG	ObjectInformationLength,
		OUT PULONG	ReturnLength
	)

Referenced by ConvertPath(), GetHandleInformation(), GetKeySam(), IsGlobalDeviceMap(), IsGlobalSymbolicLink(), ProtectHandle(), SetHandleInformation(), TraceHandleCount_(), UnProtectHandle(), and VerifyAccess_().

NtSetSystemInformation()

NTSYSAPI NTSTATUS NTAPI NtSetSystemInformation	(	IN INT	SystemInformationClass,
		IN PVOID	SystemInformation,
		IN ULONG	SystemInformationLength
	)

Referenced by _main(), LoadVia_SystemExtendServiceTableInformation(), LoadVia_SystemLoadGdiDriverInformation(), SetSystemTimeAdjustment(), SetTimeZoneInformation(), SmpLoadSubSystem(), SmpLoadSubSystemsForMuSession(), Test_Flags(), Test_KernelDebugger(), and Test_TimeAdjustment().

NtStartDriver()

BOOL NtStartDriver

(

LPCWSTR

lpService

)

Definition at line 133 of file undoc.c.

{
    WCHAR szDriverPath[MAX_PATH];
    UNICODE_STRING DriverPath;
    NTSTATUS Status = -1;

    wcscpy(szDriverPath,
           L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\");
    wcscat(szDriverPath,
           lpService);

    RtlInitUnicodeString(&DriverPath,
                         szDriverPath);

    if (SetPrivilege(TRUE))
    {
        Status = NtLoadDriver(&DriverPath);
        if (Status != STATUS_SUCCESS)
        {
            DWORD err = RtlNtStatusToDosError(Status);
            wprintf(L"NtUnloadDriver failed [%lu]\n", err);
        }

        SetPrivilege(FALSE);
    }

    return (Status == STATUS_SUCCESS);
}

Referenced by UndocumentedMethod().

NtStopDriver()

BOOL NtStopDriver

(

LPCWSTR

lpService

)

Definition at line 164 of file undoc.c.

{
    WCHAR szDriverPath[MAX_PATH];
    UNICODE_STRING DriverPath;
    NTSTATUS Status = -1;

    wcscpy(szDriverPath,
           L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\");
    wcscat(szDriverPath,
           lpService);

    RtlInitUnicodeString(&DriverPath,
                         szDriverPath);

    if (SetPrivilege(TRUE))
    {
        Status = NtUnloadDriver(&DriverPath);
        if (Status != STATUS_SUCCESS)
        {
            DWORD err = RtlNtStatusToDosError(Status);
            wprintf(L"NtUnloadDriver failed [%lu]\n", err);
        }

        SetPrivilege(FALSE);
    }

    return (Status == STATUS_SUCCESS);
}

Referenced by SneakyUndocumentedMethods(), and UndocumentedMethod().

NtUnloadDriver()

NTSTATUS NtUnloadDriver

(

IN PUNICODE_STRING

DriverServiceName

)

Definition at line 2142 of file driver.c.

{
    return IopUnloadDriver(DriverServiceName, FALSE);
}

Referenced by LoadVia_SystemExtendServiceTableInformation(), LoadVia_SystemLoadGdiDriverInformation(), NtStopDriver(), ScmUnloadDriver(), START_TEST(), and wmain().

RegisterDriver()

BOOL RegisterDriver	(	LPCWSTR	lpDriverName,
		LPCWSTR	lpPathName
	)

Definition at line 5 of file umode.c.

{
    SC_HANDLE hSCManager;
    SC_HANDLE hService;

    hSCManager = OpenSCManagerW(NULL,
                                NULL,
                                SC_MANAGER_ALL_ACCESS);
    if (!hSCManager)
        return FALSE;

retry:
    hService = CreateServiceW(hSCManager,
                              lpDriverName,
                              lpDriverName,
                              SERVICE_ALL_ACCESS,
                              SERVICE_KERNEL_DRIVER,
                              SERVICE_DEMAND_START,
                              SERVICE_ERROR_NORMAL,
                              lpPathName,
                              NULL,
                              NULL,
                              NULL,
                              NULL,
                              NULL);

    if (hService)
    {
        CloseServiceHandle(hService);
        CloseServiceHandle(hSCManager);
        return TRUE;
    }
    else
    {
        DWORD err = GetLastError();

        if (err == ERROR_SERVICE_MARKED_FOR_DELETE)
        {
            StopDriver(DRIVER_NAME);
            goto retry;
        }

        CloseServiceHandle(hSCManager);

        // return TRUE if the driver is already registered
        return (err == ERROR_SERVICE_EXISTS);
    }
}

Referenced by Initialize().

StartDriver()

BOOL StartDriver

(

LPCWSTR

lpDriverName

)

Definition at line 56 of file umode.c.

{
    SC_HANDLE hSCManager;
    SC_HANDLE hService;
    BOOL bRet;

    hSCManager = OpenSCManagerW(NULL,
                                NULL,
                                SC_MANAGER_ALL_ACCESS);
    if (!hSCManager)
        return FALSE;

    hService = OpenServiceW(hSCManager,
                            lpDriverName,
                            SERVICE_ALL_ACCESS);
    if (!hService)
    {
        CloseServiceHandle(hSCManager);
        return FALSE;
    }

    bRet = StartServiceW(hService, 0, NULL);
    if (!bRet)
    {
        if (GetLastError() == ERROR_SERVICE_ALREADY_RUNNING)
        {
            wprintf(L"%s.sys already running\n", DRIVER_NAME);
            bRet = TRUE;
        }
    }

    CloseServiceHandle(hService);
    CloseServiceHandle(hSCManager);

    return bRet;
}

StopDriver()

BOOL StopDriver

(

LPCWSTR

lpDriverName

)

Definition at line 94 of file umode.c.

{
    SC_HANDLE hSCManager;
    SC_HANDLE hService;
    SERVICE_STATUS serviceStatus;
    BOOL bRet;

    hSCManager = OpenSCManagerW(NULL,
                                NULL,
                                SC_MANAGER_ALL_ACCESS);
    if (!hSCManager)
        return FALSE;

    hService = OpenServiceW(hSCManager,
                            lpDriverName,
                            SERVICE_ALL_ACCESS);
    if (!hService)
    {
        CloseServiceHandle(hSCManager);
        return FALSE;
    }

    bRet = ControlService(hService,
                          SERVICE_CONTROL_STOP,
                          &serviceStatus);
    if (!bRet)
    {
        if (GetLastError() == ERROR_SERVICE_NOT_ACTIVE)
        {
            wprintf(L"%s.sys wasn't running\n", DRIVER_NAME);
            bRet = TRUE;
        }
    }

    CloseServiceHandle(hService);
    CloseServiceHandle(hSCManager);

    return bRet;
}

Referenced by RegisterDriver().

UnregisterDriver()

BOOL UnregisterDriver

(

LPCWSTR

lpDriverName

)

Definition at line 135 of file umode.c.

{
    SC_HANDLE hService;
    SC_HANDLE hSCManager;
    BOOL bRet;

    hSCManager = OpenSCManagerW(NULL,
                                NULL,
                                SC_MANAGER_ALL_ACCESS);
    if (!hSCManager)
        return FALSE;

    hService = OpenServiceW(hSCManager,
                            lpDriverName,
                            SERVICE_ALL_ACCESS);
    if (!hService)
    {
        CloseServiceHandle(hSCManager);
        return FALSE;
    }

    bRet = DeleteService(hService);

    CloseServiceHandle(hService);
    CloseServiceHandle(hSCManager);

    return bRet;
}

Referenced by UndocumentedMethod(), Uninitialize(), and UsermodeMethod().