diff --git a/CMakeLists.txt b/CMakeLists.txt index c27350e..2cab41a 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -7,7 +7,7 @@ project(secret LANGUAGES C CXX) ########################################## -set(CMAKE_CXX_STANDARD 20) +set(CMAKE_CXX_STANDARD 23) set(CMAKE_CXX_STANDARD_REQUIRED ON) set_property(GLOBAL PROPERTY USE_FOLDERS ON) diff --git a/src/driver/main.cpp b/src/driver/main.cpp index 80a5108..563c596 100644 --- a/src/driver/main.cpp +++ b/src/driver/main.cpp @@ -1,8 +1,158 @@ #include "std_include.hpp" #include "logging.hpp" - #include "thread.hpp" +#define DOS_DEV_NAME L"\\DosDevices\\HelloDev" +#define DEV_NAME L"\\Device\\HelloDev" + +#define HELLO_DRV_IOCTL CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_NEITHER, FILE_ANY_ACCESS) + +NTSTATUS IrpNotImplementedHandler(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp) +{ + Irp->IoStatus.Information = 0; + Irp->IoStatus.Status = STATUS_NOT_SUPPORTED; + + UNREFERENCED_PARAMETER(DeviceObject); + PAGED_CODE(); + + // Complete the request + IoCompleteRequest(Irp, IO_NO_INCREMENT); + + return STATUS_NOT_SUPPORTED; +} + +NTSTATUS IrpCreateCloseHandler(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp) +{ + Irp->IoStatus.Information = 0; + Irp->IoStatus.Status = STATUS_SUCCESS; + + UNREFERENCED_PARAMETER(DeviceObject); + PAGED_CODE(); + + // Complete the request + IoCompleteRequest(Irp, IO_NO_INCREMENT); + + return STATUS_SUCCESS; +} + +VOID IrpUnloadHandler(IN PDRIVER_OBJECT DriverObject) +{ + UNICODE_STRING DosDeviceName = {0}; + + PAGED_CODE(); + + RtlInitUnicodeString(&DosDeviceName, DOS_DEV_NAME); + + // Delete the symbolic link + IoDeleteSymbolicLink(&DosDeviceName); + + // Delete the device + IoDeleteDevice(DriverObject->DeviceObject); + + debug_log("[!] Hello Driver Unloaded\n"); +} + +NTSTATUS IrpDeviceIoCtlHandler(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp) +{ + ULONG IoControlCode = 0; + PIO_STACK_LOCATION IrpSp = NULL; + NTSTATUS Status = STATUS_NOT_SUPPORTED; + + UNREFERENCED_PARAMETER(DeviceObject); + PAGED_CODE(); + + IrpSp = IoGetCurrentIrpStackLocation(Irp); + IoControlCode = IrpSp->Parameters.DeviceIoControl.IoControlCode; + + if (IrpSp) + { + switch (IoControlCode) + { + case HELLO_DRV_IOCTL: + debug_log("[< HelloDriver >] Hello from the Driver!\n"); + break; + default: + debug_log("[-] Invalid IOCTL Code: 0x%X\n", IoControlCode); + Status = STATUS_INVALID_DEVICE_REQUEST; + break; + } + } + + Irp->IoStatus.Status = Status; + Irp->IoStatus.Information = 0; + + // Complete the request + IoCompleteRequest(Irp, IO_NO_INCREMENT); + + return Status; +} + +NTSTATUS create_io_device(const PDRIVER_OBJECT DriverObject) +{ + UINT32 i = 0; + PDEVICE_OBJECT DeviceObject = NULL; + NTSTATUS Status = STATUS_UNSUCCESSFUL; + UNICODE_STRING DeviceName, DosDeviceName = {0}; + + PAGED_CODE(); + + RtlInitUnicodeString(&DeviceName, DEV_NAME); + RtlInitUnicodeString(&DosDeviceName, DOS_DEV_NAME); + + debug_log("[*] In DriverEntry\n"); + + // Create the device + Status = IoCreateDevice(DriverObject, + 0, + &DeviceName, + FILE_DEVICE_UNKNOWN, + FILE_DEVICE_SECURE_OPEN, + FALSE, + &DeviceObject); + + if (!NT_SUCCESS(Status)) + { + if (DeviceObject) + { + // Delete the device + IoDeleteDevice(DeviceObject); + } + + debug_log("[-] Error Initializing HelloDriver\n"); + return Status; + } + + // Assign the IRP handlers + for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) + { + // Disable the Compiler Warning: 28169 +#pragma warning(push) +#pragma warning(disable : 28169) + DriverObject->MajorFunction[i] = IrpNotImplementedHandler; +#pragma warning(pop) + } + + // Assign the IRP handlers for Create, Close and Device Control + DriverObject->MajorFunction[IRP_MJ_CREATE] = IrpCreateCloseHandler; + DriverObject->MajorFunction[IRP_MJ_CLOSE] = IrpCreateCloseHandler; + DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = IrpDeviceIoCtlHandler; + + // Assign the driver Unload routine + DriverObject->DriverUnload = IrpUnloadHandler; + + // Set the flags + DeviceObject->Flags |= DO_DIRECT_IO; + DeviceObject->Flags &= ~DO_DEVICE_INITIALIZING; + + // Create the symbolic link + Status = IoCreateSymbolicLink(&DosDeviceName, &DeviceName); + + // Show the banner + debug_log("[!] HelloDriver Loaded\n"); + + return Status; +} + _Function_class_(DRIVER_UNLOAD) void unload(PDRIVER_OBJECT /*DriverObject*/) @@ -25,10 +175,12 @@ extern "C" NTSTATUS DriverEntry(const PDRIVER_OBJECT DriverObject, PUNICODE_STRI } debug_log("Hello from CPU %u/%u\n", thread::get_processor_index() + 1, thread::get_processor_count()); - ++i; + InterlockedIncrement(&i); }); debug_log("Final i = %i\n", i); + create_io_device(DriverObject); + return STATUS_SUCCESS; } diff --git a/src/runner/main.cpp b/src/runner/main.cpp index a272a11..2431fca 100644 --- a/src/runner/main.cpp +++ b/src/runner/main.cpp @@ -7,6 +7,51 @@ #define SERVICE_NAME "MomoLul" +#define HELLO_DRV_IOCTL CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_NEITHER, FILE_ANY_ACCESS) +const char kDevName[] = "\\\\.\\HelloDev"; + +HANDLE open_device(const char* device_name) +{ + HANDLE device = CreateFileA(device_name, + GENERIC_READ | GENERIC_WRITE, + NULL, + NULL, + OPEN_EXISTING, + NULL, + NULL + ); + return device; +} + +void close_device(HANDLE device) +{ + CloseHandle(device); +} + +BOOL send_ioctl(HANDLE device, DWORD ioctl_code) +{ + //prepare input buffer: + DWORD bufSize = 0x4; + BYTE* inBuffer = (BYTE*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, bufSize); + + //fill the buffer with some content: + RtlFillMemory(inBuffer, bufSize, 'A'); + + DWORD size_returned = 0; + BOOL is_ok = DeviceIoControl(device, + ioctl_code, + inBuffer, + bufSize, + NULL, //outBuffer -> None + 0, //outBuffer size -> 0 + &size_returned, + NULL + ); + //release the input bufffer: + HeapFree(GetProcessHeap(), 0, (LPVOID)inBuffer); + return is_ok; +} + std::filesystem::path get_current_path() { const auto module = GetModuleHandleA(nullptr); @@ -64,6 +109,18 @@ int main(const int /*argc*/, char* /*argv*/[]) if (service) { StartServiceA(service, 0, nullptr); + + HANDLE dev = open_device(kDevName); + if (dev == INVALID_HANDLE_VALUE) + { + printf("Failed!\n"); + return -1; + } + + send_ioctl(dev, HELLO_DRV_IOCTL); + + close_device(dev); + MessageBoxA(0, "Service started!", 0, 0); } return 0;