iPromise Grandmaster Cheater Reputation: -1
Joined: 27 Jun 2009 Posts: 529 Location: Canada
Posted: Fri Sep 07, 2012 10:29 am Post subject: Questions about drivers
Apparently, no matter what I do I can't get my dummy address 0x10000 to be edited.
This is my driver:
Code:
    #include <fltKernel.h>
    #include <wdm.h>
    #include <ntddk.h>
    #include <ntifs.h>

    NTSTATUS DriverEntry ( PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath )
    {
        KAPC_STATE apcState;

        UNREFERENCED_PARAMETER ( pDriverObject );
        UNREFERENCED_PARAMETER ( pRegistryPath );

        DbgPrint ( "Driver has been loaded.\n" );

        // Check the IRQL level
        if ( KeGetCurrentIrql () == PASSIVE_LEVEL )
            DbgPrint ( "PASSIVE_LEVEL\n" );
        else if ( KeGetCurrentIrql () == APC_LEVEL )
            DbgPrint ( "APC_LEVEL\n" );
        else if ( KeGetCurrentIrql () == DISPATCH_LEVEL )
            DbgPrint ( "DISPATCH_LEVEL\n" );
        else
            DbgPrint ( "DIRQL\n" );

        // Attach to the process
        KeStackAttachProcess ( IoGetCurrentProcess (), &apcState );

        // Write our memory
        RtlCopyMemory ( (PVOID) 0x10000, (PVOID) "\x64", 1 );

        // Detach from the process
        KeUnstackDetachProcess ( &apcState );

        return STATUS_SUCCESS;
    }
Seems to be right, no errors in the code, and my IRQL level is PASSIVE_LEVEL, so I should be good.
I run my loader just fine:
Code:
    #include <Windows.h>
    #include <iostream>
    using namespace std;

    int main ( void )
    {
        cout << "Current pID: " << GetCurrentProcessId () << endl;

        // Setup console
        system ( "TITLE Loader" );
        system ( "COLOR 3" );
        system ( "PAUSE" );

        // Declare
        SERVICE_STATUS ss;

        // Open the manager
        SC_HANDLE hscManager = OpenSCManager ( NULL, NULL, SC_MANAGER_ALL_ACCESS );
        if ( hscManager )
        {
            // Obtain a handle to the service (explicit ANSI variants so this builds with or without UNICODE)
            SC_HANDLE hscService = OpenServiceA ( hscManager, "Driver", SERVICE_START | DELETE | SERVICE_STOP );
            if ( !hscService )
            {
                // Create the service
                hscService = CreateServiceA ( hscManager, "Driver", "Driver Test", SERVICE_START | DELETE | SERVICE_STOP,
                                              SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_IGNORE, "C:\\driver.sys",
                                              NULL, NULL, NULL, NULL, NULL );
            }

            // Start the driver
            if ( hscService )
            {
                if ( StartService ( hscService, 0, NULL ) )
                    cout << "Driver started.. " << endl;
                else
                    cout << "StartService failed, error " << GetLastError () << endl;
                cin.get ();

                // Stop the driver
                ControlService ( hscService, SERVICE_CONTROL_STOP, &ss );
                DeleteService ( hscService );
                CloseServiceHandle ( hscService );
            }
            else
            {
                cout << "The driver was not loaded. Something went wrong.. " << endl;
            }

            // Close the manager
            CloseServiceHandle ( hscManager );
        }

        system ( "PAUSE" );
        return 0;
    }
How come it's like that? I'm really stumped, I tried everything.
I don't know what else I can do..
Please help..
atom0s Moderator Reputation: 198
Joined: 25 Jan 2006 Posts: 8517 Location: 127.0.0.1
Posted: Fri Sep 07, 2012 10:44 am
I doubt anyone is going to care to help you since you are just selling all of the code you are copy pasting from here anyway.
_________________
- Retired.
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25287 Location: The netherlands
Posted: Fri Sep 07, 2012 12:01 pm
Print out IoGetCurrentProcess() and confirm it is the correct process
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
Unbr0ken Advanced Cheater Reputation: 2
Joined: 10 Aug 2011 Posts: 67
Posted: Fri Sep 07, 2012 12:06 pm
[Offtopic]
Wiccaan wrote:
    I doubt anyone is going to care to help you since you are just selling all of the code you are copy pasting from here anyway.
Hohohoho, which means that he's just a script kiddie/lamer? l000000l
[/Offtopic]
iPromise Grandmaster Cheater Reputation: -1
Joined: 27 Jun 2009 Posts: 529 Location: Canada
Posted: Fri Sep 07, 2012 3:03 pm
Dark Byte wrote:
    Print out IoGetCurrentProcess() and confirm it is the correct process
There is just one problem: IoGetCurrentProcess() returns an EPROCESS and DbgPrint expects a PCSTR, so how am I supposed to convert that into a readable string and then display it?
@Wiccan
What convinced you that I copy and paste? This is primarily for learning purposes.
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25287 Location: The netherlands
Posted: Fri Sep 07, 2012 4:21 pm
Then print IoGetCurrentProcessId. (Or PsGetCurrentProcessId)
Also, DbgPrint is like printf
iPromise Grandmaster Cheater Reputation: -1
Joined: 27 Jun 2009 Posts: 529 Location: Canada
Posted: Fri Sep 07, 2012 7:07 pm
Alright, so I put that to the test.
driver.cpp
Code:
    NTSTATUS DriverEntry ( PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath )
    {
        KAPC_STATE apcState;

        UNREFERENCED_PARAMETER ( pDriverObject );
        UNREFERENCED_PARAMETER ( pRegistryPath );

        DbgPrint ( "Driver has been loaded.\n" );

        // Check the IRQL level
        if ( KeGetCurrentIrql () == PASSIVE_LEVEL )
            DbgPrint ( "PASSIVE_LEVEL\n" );
        else if ( KeGetCurrentIrql () == APC_LEVEL )
            DbgPrint ( "APC_LEVEL\n" );
        else if ( KeGetCurrentIrql () == DISPATCH_LEVEL )
            DbgPrint ( "DISPATCH_LEVEL\n" );
        else
            DbgPrint ( "DIRQL\n" );

        // Attach to the process
        KeStackAttachProcess ( IoGetCurrentProcess (), &apcState );

        // Print the process id (PsGetCurrentProcessId returns a HANDLE, passed here as the format string)
        DbgPrint ( PsGetCurrentProcessId () );
        DbgPrint ( "Still here..\n" );

        // Detach from the process
        KeUnstackDetachProcess ( &apcState );

        return STATUS_SUCCESS;
    }
Output from DebugView (capturing everything possible):
Quote:
    Driver has been loaded.
    PASSIVE_LEVEL
    Still here..
The Process ID wasn't displayed, so I checked the IRQL level of PsGetCurrentProcessId and it says any level, so IRQL shouldn't be the problem.
So I changed it to:
Code:
    if ( DbgPrint ( PsGetCurrentProcessId () ) != STATUS_SUCCESS )
        DbgPrint ( "Failed to write PsGetCurrentProcessId ()\n" );
and it returned:
Quote:
    Driver has been loaded.
    PASSIVE_LEVEL
    Failed to write PsGetCurrentProcessId ()
    Still here..
and when I tried to obtain the error code like this:
Code:
    ULONG err = DbgPrint ( PsGetCurrentProcessId () );
    if ( err != STATUS_SUCCESS )
        DbgPrint ( err );
I get the following error from the Win 7 x86 Checked Build Environment:
Quote:
    1>c:\winddk\7600.16385.1\src\drivers\driver\main.c(26) : error C2275: 'ULONG' : illegal use of this type as an expression
    1>errors in directory c:\winddk\7600.16385.1\src\drivers\driver
    1>c:\winddk\7600.16385.1\src\drivers\driver\main.c(26) : error C2275: 'ULONG' : illegal use of this type as an expression
    1> c:\winddk\7600.16385.1\inc\api\ntdef.h(561) : see declaration of 'ULONG'
    1>c:\winddk\7600.16385.1\src\drivers\driver\main.c(26) : error C2146: syntax error : missing ';' before identifier 'err'
    1>c:\winddk\7600.16385.1\src\drivers\driver\main.c(26) : error C2146: syntax error : missing ';' before identifier 'err'
    1>c:\winddk\7600.16385.1\src\drivers\driver\main.c(26) : error C2065: 'err' : undeclared identifier
    1>c:\winddk\7600.16385.1\src\drivers\driver\main.c(26) : error C2065: 'err' : undeclared identifier
    1>c:\winddk\7600.16385.1\src\drivers\driver\main.c(27) : error C2065: 'err' : undeclared identifier
    1>c:\winddk\7600.16385.1\src\drivers\driver\main.c(27) : error C2065: 'err' : undeclared identifier
    1>c:\winddk\7600.16385.1\src\drivers\driver\main.c(2 : error C2065: 'err' : undeclared identifier
    1>c:\winddk\7600.16385.1\src\drivers\driver\main.c(2 : error C2065: 'err' : undeclared identifier
which means the ULONG wasn't defined, which is weird since I am using DbgPrint, which just so happens to return a ULONG. I'm including the header it comes from, so I shouldn't be receiving that error?
Also, I traced DbgPrint's ULONG return value down to ntifs.h, which I included in my code, but I still receive the same error.
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25287 Location: The netherlands
Posted: Fri Sep 07, 2012 8:14 pm
Quote:
    DbgPrint is like printf
Find out how to use printf to display a number and you'll figure it out for dbgprint as well
iPromise Grandmaster Cheater Reputation: -1
Joined: 27 Jun 2009 Posts: 529 Location: Canada
Posted: Fri Sep 07, 2012 11:33 pm
@Dark Byte
my bad,
anyhow, I learned how to use printf and applied it to the application. I changed the code to:
Code:
    NTSTATUS DriverEntry ( PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath )
    {
        KAPC_STATE apcState;

        UNREFERENCED_PARAMETER ( pDriverObject );
        UNREFERENCED_PARAMETER ( pRegistryPath );

        DbgPrint ( "Driver has been loaded.\n" );

        // Check the IRQL level
        if ( KeGetCurrentIrql () == PASSIVE_LEVEL )
            DbgPrint ( "PASSIVE_LEVEL\n" );
        else if ( KeGetCurrentIrql () == APC_LEVEL )
            DbgPrint ( "APC_LEVEL\n" );
        else if ( KeGetCurrentIrql () == DISPATCH_LEVEL )
            DbgPrint ( "DISPATCH_LEVEL\n" );
        else
            DbgPrint ( "DIRQL\n" );

        // Attach to the process
        KeStackAttachProcess ( IoGetCurrentProcess (), &apcState );

        // Print the current process id (PsGetCurrentProcessId returns a HANDLE, so cast it to an integer for the format)
        DbgPrint ( "%lu\n", (ULONG)(ULONG_PTR) PsGetCurrentProcessId () );

        // Detach from the process
        KeUnstackDetachProcess ( &apcState );

        return STATUS_SUCCESS;
    }
and it returned:
Quote:
    Driver has been loaded.
    PASSIVE_LEVEL
    4
The current process ID of the process however was:
I displayed the current process id before KeStackAttachProcess and it also returned 4.
So that has to mean that KeStackAttachProcess failed..
I changed IoGetCurrentProcess to PsGetCurrentProcess and I still get the same errors so the problem shouldn't be with the PRKPROCESS parameter of KeStackAttachProcess.
Also, don't we already have access to the address space of the loader? Why must we attach? Maybe it's just attaching to itself rather than the loader.
I think I might have to use PsLookupProcessByProcessId.
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25287 Location: The netherlands
Posted: Fri Sep 07, 2012 11:57 pm
When your driver starts, it is in the System process (process id 4).
IoGetCurrentProcess() returns the EPROCESS of the current process (pid 4: System).
So, when you do KeStackAttachProcess, you're changing from process id 4 to process id 4. In short, pretty useless...
And yes, you need the EPROCESS structure of the process you wish to change, and you can use PsLookupProcessByProcessId to do that.
Also, if you issue commands using read/write, the context will be that of the calling thread.