#include <windows.h>
#include <stdio.h>
#include <winternl.h>

Include dependency graph for DriverTester.h:

This graph shows which files directly or indirectly include this file:

Classes
struct	_SYSTEM_GDI_DRIVER_INFORMATION

struct	_OBJECT_NAME_INFORMATION

Macros
#define	_WIN32_WINNT 0x0500

#define	DRIVER_NAME L"TestDriver"

#define	STATUS_SUCCESS ((NTSTATUS)0x00000000L)

#define	STATUS_PRIVILEGE_NOT_HELD ((NTSTATUS)0xC0000061L)

#define	SystemLoadGdiDriverInformation 26

#define	SystemExtendServiceTableInformation 38

Typedefs
typedef LONG	NTSTATUS

typedef struct _SYSTEM_GDI_DRIVER_INFORMATION	SYSTEM_GDI_DRIVER_INFORMATION

typedef struct _SYSTEM_GDI_DRIVER_INFORMATION *	PSYSTEM_GDI_DRIVER_INFORMATION

typedef enum _OBJECT_INFORMATION_CLASS	OBJECT_INFO_CLASS

typedef struct _OBJECT_NAME_INFORMATION	OBJECT_NAME_INFORMATION

typedef struct _OBJECT_NAME_INFORMATION *	POBJECT_NAME_INFORMATION

Enumerations
enum	_OBJECT_INFORMATION_CLASS { ObjectBasicInformation, ObjectNameInformation, ObjectTypeInformation, ObjectAllTypesInformation, ObjectHandleInformation, ObjectBasicInformation = 0, ObjectTypeInformation = 2, ObjectBasicInformation, ObjectNameInformation, ObjectTypeInformation, ObjectTypesInformation, ObjectDataInformation }

Functions
BOOL	RegisterDriver (LPCWSTR lpDriverName, LPCWSTR lpPathName)

BOOL	StartDriver (LPCWSTR lpDriverName)

BOOL	StopDriver (LPCWSTR lpDriverName)

BOOL	UnregisterDriver (LPCWSTR lpDriverName)

BOOL	ConvertPath (LPCWSTR lpPath, LPWSTR lpDevice)

BOOL	LoadVia_SystemLoadGdiDriverInformation (LPWSTR lpDriverPath)

BOOL	LoadVia_SystemExtendServiceTableInformation (LPWSTR lpDriverPath)

BOOL	NtStartDriver (LPCWSTR lpService)

BOOL	NtStopDriver (LPCWSTR lpService)

NTSYSAPI NTSTATUS NTAPI	NtSetSystemInformation (IN INT SystemInformationClass, IN PVOID SystemInformation, IN ULONG SystemInformationLength)

NTSTATUS	NtUnloadDriver (IN PUNICODE_STRING DriverServiceName)

NTSTATUS	NtQueryObject (IN HANDLE Handle, IN OBJECT_INFO_CLASS ObjectInformationClass, OUT PVOID ObjectInformation, IN ULONG ObjectInformationLength, OUT PULONG ReturnLength)

Macro Definition Documentation

#define _WIN32_WINNT 0x0500

Definition at line 1 of file DriverTester.h.

#define DRIVER_NAME L"TestDriver"

Definition at line 6 of file DriverTester.h.

#define STATUS_PRIVILEGE_NOT_HELD ((NTSTATUS)0xC0000061L)

Definition at line 9 of file DriverTester.h.

Referenced by add_device(), CdInvalidateVolumes(), EmptyWorkingSet(), ExpRaiseHardError(), Ext2InvalidateVolumes(), FFSInvalidateVolumes(), find_subvol(), FormatEx2(), fsctl_set_xattr(), invalidate_volumes(), KbdHid_ReadCompletion(), KsRemoveBusEnumInterface(), LoadVia_SystemExtendServiceTableInformation(), LoadVia_SystemLoadGdiDriverInformation(), mknod(), MmAdjustWorkingSetSize(), MouHid_ReadCompletion(), NtAllocateVirtualMemory(), NtCloseObjectAuditAlarm(), NtCreateProfile(), NtGetPlugPlayEvent(), NtLoadDriver(), NtLoadKeyEx(), NtLockVirtualMemory(), NtMakePermanentObject(), NtOpenObjectAuditAlarm(), NtPlugPlayControl(), NtPrivilegedServiceAuditAlarm(), NtQuerySystemEnvironmentValue(), NtSaveKeyEx(), NtSaveMergedKeys(), NtSetDefaultHardErrorPort(), NtSetInformationObject(), NtSetInformationProcess(), NtSetInformationThread(), NtSetInformationToken(), NtSetSystemEnvironmentValue(), NtSetSystemPowerState(), NtSetSystemTime(), NtUnloadKey2(), NtUnlockVirtualMemory(), ObCreateObject(), pause_balance(), pause_scrub(), probe_volume(), PspSetPrimaryToken(), PspSetQuotaLimits(), query_scrub(), read_send_buffer(), recvd_subvol(), remove_device(), reserve_subvol(), reset_stats(), resize_device(), resume_balance(), resume_scrub(), RfsdInvalidateVolumes(), RtlAcquirePrivilege(), RtlAdjustPrivilege(), run_error_tests(), send_subvol(), SepAccessCheckAndAuditAlarm(), SePrivilegePolicyCheck(), SmpAcquirePrivilege(), SSI_DEF(), start_balance(), start_scrub(), START_TEST(), stop_balance(), stop_scrub(), test_CallNtPowerInformation(), Test_TimeAdjustment(), TestHardError(), UDFInvalidateVolumes(), and UserInitiateShutdown().

#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)

Definition at line 8 of file DriverTester.h.

#define SystemExtendServiceTableInformation 38

Definition at line 35 of file DriverTester.h.

Referenced by LoadVia_SystemExtendServiceTableInformation(), SmpLoadSubSystemsForMuSession(), and SSI_DEF().

#define SystemLoadGdiDriverInformation 26

Definition at line 34 of file DriverTester.h.

Referenced by LDEVOBJ_bLoadImage(), and LoadVia_SystemLoadGdiDriverInformation().

Typedef Documentation

typedef NTSTATUS

Definition at line 11 of file DriverTester.h.

typedef enum _OBJECT_INFORMATION_CLASS OBJECT_INFO_CLASS

typedef struct _OBJECT_NAME_INFORMATION OBJECT_NAME_INFORMATION

typedef struct _OBJECT_NAME_INFORMATION * POBJECT_NAME_INFORMATION

typedef struct _SYSTEM_GDI_DRIVER_INFORMATION * PSYSTEM_GDI_DRIVER_INFORMATION

typedef struct _SYSTEM_GDI_DRIVER_INFORMATION SYSTEM_GDI_DRIVER_INFORMATION

Enumeration Type Documentation

enum _OBJECT_INFORMATION_CLASS

Enumerator
ObjectBasicInformation
ObjectNameInformation
ObjectTypeInformation
ObjectAllTypesInformation
ObjectHandleInformation
ObjectBasicInformation
ObjectTypeInformation
ObjectBasicInformation
ObjectNameInformation
ObjectTypeInformation
ObjectTypesInformation
ObjectDataInformation

Definition at line 53 of file DriverTester.h.

                                        {
     ObjectBasicInformation,
     ObjectNameInformation,
     ObjectTypeInformation,
     ObjectAllTypesInformation,
     ObjectHandleInformation
 } OBJECT_INFO_CLASS;

Function Documentation

BOOL ConvertPath	(	LPCWSTR	lpPath,
		LPWSTR	lpDevice
	)

Definition at line 56 of file undoc.c.

Referenced by SneakyUndocumentedMethods().

 {
     LPWSTR lpFullPath = NULL;
     DWORD size;
 
     if (lpPath)
     {
         size = GetLongPathNameW(lpPath,
                                 0,
                                 0);
         if (!size)
             return FALSE;
 
         size = (size + 1) * sizeof(WCHAR);
 
         lpFullPath = HeapAlloc(GetProcessHeap(),
                                0,
                                size);
         if (!lpFullPath)
             return FALSE;
 
         if (GetLongPathNameW(lpPath,
                              lpFullPath,
                              size))
         {
             HANDLE hDevice;
             POBJECT_NAME_INFORMATION pObjName;
             NTSTATUS Status;
             DWORD len;
 
             hDevice = CreateFileW(lpFullPath,
                                   GENERIC_READ | GENERIC_WRITE,
                                   0,
                                   NULL,
                                   OPEN_EXISTING,
                                   FILE_ATTRIBUTE_NORMAL,
                                   NULL);
 
             HeapFree(GetProcessHeap(), 0, lpFullPath);
 
             if(hDevice == INVALID_HANDLE_VALUE)
             {
                 wprintf(L"[%x] Failed to open %s\n", GetLastError(), DRIVER_NAME);
                 return FALSE;
             }
 
             size = MAX_PATH * sizeof(WCHAR);
             pObjName = HeapAlloc(GetProcessHeap(), 0, size);
             if (!pObjName)
                 return FALSE;
 
             Status = NtQueryObject(hDevice,
                                    ObjectNameInformation,
                                    pObjName,
                                    size,
                                    &size);
             if (Status == STATUS_SUCCESS)
             {
                 len = pObjName->Name.Length / sizeof(WCHAR);
                 wcsncpy(lpDevice, pObjName->Name.Buffer, len);
                 lpDevice[len] = UNICODE_NULL;
 
                 HeapFree(GetProcessHeap(), 0, pObjName);
 
                 return TRUE;
             }
 
             HeapFree(GetProcessHeap(), 0, pObjName);
         }
     }
 
     return FALSE;
 }

BOOL LoadVia_SystemExtendServiceTableInformation ( LPWSTR lpDriverPath )

Definition at line 240 of file undoc.c.

Referenced by SneakyUndocumentedMethods().

 {
     NTSTATUS Status;
     UNICODE_STRING Buffer;
     DWORD bufSize;
 
     RtlInitUnicodeString(&Buffer, lpDriverPath);
     bufSize = sizeof(UNICODE_STRING);
 
     if (SetPrivilege(TRUE))
     {
         Status = NtSetSystemInformation(SystemExtendServiceTableInformation,
                                         &Buffer,
                                         bufSize);
         if (Status == STATUS_PRIVILEGE_NOT_HELD)
         {
             wprintf(L"SystemExtendServiceTableInformation can only be used in kmode.\n");
         }
         else if (Status == STATUS_SUCCESS)
         {
             wprintf(L"SystemExtendServiceTableInformation incorrectly loaded the driver\n");
             NtUnloadDriver(&Buffer);
 
             return TRUE;
         }
         else
         {
             DWORD err = RtlNtStatusToDosError(Status);
             wprintf(L"LoadVia_SystemExtendServiceTableInformation failed [%lu] - 0x%x\n", err, Status);
         }
 
         SetPrivilege(FALSE);
     }
 
     return FALSE;
 }

BOOL LoadVia_SystemLoadGdiDriverInformation ( LPWSTR lpDriverPath )

Definition at line 199 of file undoc.c.

Referenced by SneakyUndocumentedMethods().

 {
     NTSTATUS Status;
     SYSTEM_GDI_DRIVER_INFORMATION Buffer;
     DWORD bufSize;
 
     bufSize = sizeof(SYSTEM_GDI_DRIVER_INFORMATION);
 
     ZeroMemory(&Buffer, bufSize);
     RtlInitUnicodeString(&Buffer.DriverName, lpDriverPath);
 
     if (SetPrivilege(TRUE))
     {
         Status = NtSetSystemInformation(SystemLoadGdiDriverInformation,
                                         &Buffer,
                                         bufSize);
         if (Status == STATUS_PRIVILEGE_NOT_HELD)
         {
             wprintf(L"SystemLoadGdiDriverInformation can only be used in kmode.\n");
         }
         else if (Status == STATUS_SUCCESS)
         {
             wprintf(L"SystemLoadGdiDriverInformation incorrectly loaded the driver\n");
             NtUnloadDriver(&Buffer.DriverName);
 
             return TRUE;
         }
         else
         {
             DWORD err = RtlNtStatusToDosError(Status);
             wprintf(L"LoadVia_SystemLoadGdiDriverInformation failed [%lu]\n", err);
         }
 
         SetPrivilege(FALSE);
     }
 
     return FALSE;
 }

NTSTATUS NtQueryObject	(	IN HANDLE	Handle,
		IN OBJECT_INFO_CLASS	ObjectInformationClass,
		OUT PVOID	ObjectInformation,
		IN ULONG	ObjectInformationLength,
		OUT PULONG	ReturnLength
	)

Referenced by ConvertPath(), GetHandleInformation(), GetKeySam(), ProtectHandle(), SetHandleInformation(), TraceHandleCount_(), UnProtectHandle(), and VerifyAccess_().

NTSYSAPI NTSTATUS NTAPI NtSetSystemInformation	(	IN INT	SystemInformationClass,
		IN PVOID	SystemInformation,
		IN ULONG	SystemInformationLength
	)

Referenced by _main(), LoadVia_SystemExtendServiceTableInformation(), LoadVia_SystemLoadGdiDriverInformation(), SetSystemTimeAdjustment(), SetTimeZoneInformation(), SmpLoadSubSystem(), SmpLoadSubSystemsForMuSession(), Test_Flags(), Test_KernelDebugger(), and Test_TimeAdjustment().

BOOL NtStartDriver ( LPCWSTR lpService )

Definition at line 133 of file undoc.c.

Referenced by UndocumentedMethod().

 {
     WCHAR szDriverPath[MAX_PATH];
     UNICODE_STRING DriverPath;
     NTSTATUS Status = -1;
 
     wcscpy(szDriverPath,
            L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\");
     wcscat(szDriverPath,
            lpService);
 
     RtlInitUnicodeString(&DriverPath,
                          szDriverPath);
 
     if (SetPrivilege(TRUE))
     {
         Status = NtLoadDriver(&DriverPath);
         if (Status != STATUS_SUCCESS)
         {
             DWORD err = RtlNtStatusToDosError(Status);
             wprintf(L"NtUnloadDriver failed [%lu]\n", err);
         }
 
         SetPrivilege(FALSE);
     }
 
     return (Status == STATUS_SUCCESS);
 }

BOOL NtStopDriver ( LPCWSTR lpService )

Definition at line 164 of file undoc.c.

Referenced by SneakyUndocumentedMethods(), and UndocumentedMethod().

 {
     WCHAR szDriverPath[MAX_PATH];
     UNICODE_STRING DriverPath;
     NTSTATUS Status = -1;
 
     wcscpy(szDriverPath,
            L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\");
     wcscat(szDriverPath,
            lpService);
 
     RtlInitUnicodeString(&DriverPath,
                          szDriverPath);
 
     if (SetPrivilege(TRUE))
     {
         Status = NtUnloadDriver(&DriverPath);
         if (Status != STATUS_SUCCESS)
         {
             DWORD err = RtlNtStatusToDosError(Status);
             wprintf(L"NtUnloadDriver failed [%lu]\n", err);
         }
 
         SetPrivilege(FALSE);
     }
 
     return (Status == STATUS_SUCCESS);
 }

NTSTATUS NtUnloadDriver ( IN PUNICODE_STRING DriverServiceName )

Definition at line 2092 of file driver.c.

Referenced by LoadVia_SystemExtendServiceTableInformation(), LoadVia_SystemLoadGdiDriverInformation(), NtStopDriver(), ScmUnloadDriver(), and wmain().

 {
     return IopUnloadDriver(DriverServiceName, FALSE);
 }

BOOL RegisterDriver	(	LPCWSTR	lpDriverName,
		LPCWSTR	lpPathName
	)

Definition at line 5 of file umode.c.

Referenced by Initialize().

 {
     SC_HANDLE hSCManager;
     SC_HANDLE hService;
 
     hSCManager = OpenSCManagerW(NULL,
                                 NULL,
                                 SC_MANAGER_ALL_ACCESS);
     if (!hSCManager)
         return FALSE;
 
 retry:
     hService = CreateServiceW(hSCManager,
                               lpDriverName,
                               lpDriverName,
                               SERVICE_ALL_ACCESS,
                               SERVICE_KERNEL_DRIVER,
                               SERVICE_DEMAND_START,
                               SERVICE_ERROR_NORMAL,
                               lpPathName,
                               NULL,
                               NULL,
                               NULL,
                               NULL,
                               NULL);
 
     if (hService)
     {
         CloseServiceHandle(hService);
         CloseServiceHandle(hSCManager);
         return TRUE;
     }
     else
     {
         DWORD err = GetLastError();
 
         if (err == ERROR_SERVICE_MARKED_FOR_DELETE)
         {
             StopDriver(DRIVER_NAME);
             goto retry;
         }
 
         CloseServiceHandle(hSCManager);
 
         // return TRUE if the driver is already registered
         return (err == ERROR_SERVICE_EXISTS);
     }
 }

BOOL StartDriver ( LPCWSTR lpDriverName )

Definition at line 56 of file umode.c.

Referenced by UsermodeMethod().

 {
     SC_HANDLE hSCManager;
     SC_HANDLE hService;
     BOOL bRet;
 
     hSCManager = OpenSCManagerW(NULL,
                                 NULL,
                                 SC_MANAGER_ALL_ACCESS);
     if (!hSCManager)
         return FALSE;
 
     hService = OpenServiceW(hSCManager,
                             lpDriverName,
                             SERVICE_ALL_ACCESS);
     if (!hService)
     {
         CloseServiceHandle(hSCManager);
         return FALSE;
     }
 
     bRet = StartServiceW(hService, 0, NULL);
     if (!bRet)
     {
         if (GetLastError() == ERROR_SERVICE_ALREADY_RUNNING)
         {
             wprintf(L"%s.sys already running\n", DRIVER_NAME);
             bRet = TRUE;
         }
     }
 
     CloseServiceHandle(hService);
     CloseServiceHandle(hSCManager);
 
     return bRet;
 }

BOOL StopDriver ( LPCWSTR lpDriverName )

Definition at line 94 of file umode.c.

Referenced by RegisterDriver(), and UsermodeMethod().

 {
     SC_HANDLE hSCManager;
     SC_HANDLE hService;
     SERVICE_STATUS serviceStatus;
     BOOL bRet;
 
     hSCManager = OpenSCManagerW(NULL,
                                 NULL,
                                 SC_MANAGER_ALL_ACCESS);
     if (!hSCManager)
         return FALSE;
 
     hService = OpenServiceW(hSCManager,
                             lpDriverName,
                             SERVICE_ALL_ACCESS);
     if (!hService)
     {
         CloseServiceHandle(hSCManager);
         return FALSE;
     }
 
     bRet = ControlService(hService,
                           SERVICE_CONTROL_STOP,
                           &serviceStatus);
     if (!bRet)
     {
         if (GetLastError() == ERROR_SERVICE_NOT_ACTIVE)
         {
             wprintf(L"%s.sys wasn't running\n", DRIVER_NAME);
             bRet = TRUE;
         }
     }
 
     CloseServiceHandle(hService);
     CloseServiceHandle(hSCManager);
 
     return bRet;
 }

BOOL UnregisterDriver ( LPCWSTR lpDriverName )

Definition at line 135 of file umode.c.

Referenced by UndocumentedMethod(), Uninitialize(), and UsermodeMethod().

 {
     SC_HANDLE hService;
     SC_HANDLE hSCManager;
     BOOL bRet;
 
     hSCManager = OpenSCManagerW(NULL,
                                 NULL,
                                 SC_MANAGER_ALL_ACCESS);
     if (!hSCManager)
         return FALSE;
 
     hService = OpenServiceW(hSCManager,
                             lpDriverName,
                             SERVICE_ALL_ACCESS);
     if (!hService)
     {
         CloseServiceHandle(hSCManager);
         return FALSE;
     }
 
     bRet = DeleteService(hService);
 
     CloseServiceHandle(hService);
     CloseServiceHandle(hSCManager);
 
     return bRet;
 }

Classes

Macros

Typedefs

Enumerations

Functions

Macro Definition Documentation

Typedef Documentation

Enumeration Type Documentation

Function Documentation