[Source] Maybot Driver

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> General programming
View previous topic :: View next topic  
Author Message
Zand
PostPosted: Sat Feb 21, 2009 8:29 am    Post subject: [Source] Maybot Driver Reply with quote

I used GiveIO as the base for this. It talks to the 8042 keyboard controller (KBC) directly from kernel mode to simulate key presses and releases; it was originally written for Maybot for MS to get around the attack limit.


Code:
/*********************************************************************

Author:     Zander
Date:       30/07/2008
Program:    GIVEIO.SYS
Compile:    Use DDK BUILD facility
Purpose:    Uses WRITE_PORT_UCHAR and READ_PORT_UCHAR on the 8042 keyboard controller ports (0x60/0x64) to generate keypresses.

*********************************************************************/
#include <ntifs.h>
#include <ntddk.h>

/*
 *  The name of our device object (\Device\GiveIO) and of the
 *  \DosDevices link that user mode opens as \\.\GiveIO.
 */
#define DEVICE_NAME_STRING   L"GiveIO"

/*
 *  _IO_PORT_ STRUCTURE
 *
 *  One request written by user mode via WriteFile() on \\.\GiveIO.
 *  WriteDispatch() rejects any write whose length is not exactly
 *  sizeof(_IO_PORT_DATA_), so this layout is part of the user/kernel
 *  contract: two 4-byte integers, 8 bytes total.
 *
 *  NOTE(review): both tags begin with an underscore followed by an
 *  upper-case letter, which C reserves for the implementation (C99
 *  7.1.3).  They are left unchanged because user-mode callers share
 *  the name.
 */

typedef struct _IO_PORT_
{
   INT bPress;          /* TRUE  -> KeyPress() sends the byte as-is,
                           FALSE -> KeyRelease() sends it with 0x80 added;
                           any other value is accepted and ignored */
   unsigned int vKey;   /* Despite the name this is not translated as a
                           Win32 virtual-key code: only the low byte is
                           used and it is written to port 0x60 unchanged,
                           so it is presumably a set-1 scan code —
                           confirm against the user-mode caller */
}_IO_PORT_DATA_;


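// 8042 keyboard controller I/O ports.
//   Port 0x64: reading it returns the STATUS byte (bit masks below);
//              writing it sends a controller COMMAND byte.
//   Port 0x60: the DATA byte — read to fetch what the controller or
//              keyboard produced, write to send a byte to it.
// These are fixed legacy ISA addresses.  The pointers are const so that no
// code path can redirect the driver's port writes at run time; the original
// left them as plain writable globals.
PUCHAR const KBC_KEY_DATA = (PUCHAR)0x60;
PUCHAR const KBC_KEY_CMD = (PUCHAR)0x64;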

// status register bits
#define IBUFFER_FULL      0x02
#define OBUFFER_FULL      0x01

// commands
#define READ_CONTROLLER      0x20
#define WRITE_CONTROLLER   0x60

// command bytes
#define SET_LEDS         0xED
#define KEY_RESET         0xFF

// responses from keyboard
#define KEY_ACK            0xFA   // ack
#define KEY_AGAIN         0xFE   // send again


/*********************************************************************
  Driver unload: undo what DriverEntry() created.

  Removes the \DosDevices\GiveIO link first, so that no new handle can
  be opened, then deletes the single device object hanging off the
  driver object.
*********************************************************************/
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
   UNICODE_STRING dosLink;
   WCHAR dosLinkName[] = L"\\DosDevices\\" DEVICE_NAME_STRING;
   PDEVICE_OBJECT device = DriverObject->DeviceObject;

   RtlInitUnicodeString(&dosLink, dosLinkName);
   IoDeleteSymbolicLink(&dosLink);
   IoDeleteDevice(device);
}

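/*********************************************************************
  Keyboard Controller polling

  Every wait below is bounded.  The original loops spun until the
  status bit cleared; if the controller never clears it — a wedged
  controller, or a machine with no i8042 at all, where an unpopulated
  port typically reads 0xFF so IBF and OBF both look permanently set —
  the calling thread hangs inside the kernel.  Any process that can
  WriteFile() to the device reaches these loops, so an unbounded spin
  is a trivial denial of service.  A port read costs on the order of a
  microsecond, so the limit below gives roughly a tenth of a second
  before giving up.
*********************************************************************/
enum { KBC_POLL_LIMIT = 100000 };

/* 8042 controller command byte "write keyboard output buffer": the
 * next byte written to port 0x60 is placed in the output buffer as
 * though the keyboard had sent it.  This is what makes the injected
 * byte look like a real keystroke to the rest of the system. */
#define KBC_CMD_WRITE_OUTPUT_BUFFER   0xD2

/*********************************************************************
  Keyboard Controller - Input Buffer Empty

  Polls the status register until the IBF bit clears, i.e. until the
  controller can accept a command or data byte.

  Returns 1 when the input buffer is empty, 0 if KBC_POLL_LIMIT reads
  went by with IBF still set.  Callers written against the old void
  signature may ignore the result; new code must not write to the
  controller after a 0.
*********************************************************************/
int KBCWait4IBE( void )
{
   unsigned long polls;

   for (polls = 0; polls < KBC_POLL_LIMIT; polls++)
   {
      if ((READ_PORT_UCHAR(KBC_KEY_CMD) & IBUFFER_FULL) == 0)
         return 1;
   }
   return 0;
}

/*********************************************************************
  Keyboard Controller - Output ("Data") Buffer Empty

  Polls the status register until the OBF bit clears, i.e. until the
  byte previously placed in the output buffer has been consumed.  Used
  before injecting so that a new byte does not overwrite an unread one.

  Returns 1 when the output buffer is empty, 0 on poll-limit timeout.
*********************************************************************/
int KBCWait4DBE( void )
{
   unsigned long polls;

   for (polls = 0; polls < KBC_POLL_LIMIT; polls++)
   {
      if ((READ_PORT_UCHAR(KBC_KEY_CMD) & OBUFFER_FULL) == 0)
         return 1;
   }
   return 0;
}

/*********************************************************************
  Press Key

  Injects the low byte of vKeyCode into the controller's output buffer
  (the make code).  Silently does nothing if the controller does not
  become ready within the poll limit — a partially issued command
  would otherwise leave the controller expecting a data byte.
*********************************************************************/
void KeyPress(unsigned int vKeyCode)
{
   /* Wait for any previously injected byte to be read, then for the
    * controller to be able to take the command. */
   if (!KBCWait4DBE())
      return;
   if (!KBCWait4IBE())
      return;
   WRITE_PORT_UCHAR(KBC_KEY_CMD, KBC_CMD_WRITE_OUTPUT_BUFFER);

   if (!KBCWait4IBE())
      return;
   WRITE_PORT_UCHAR(KBC_KEY_DATA, (UCHAR)vKeyCode);
}

/*********************************************************************
  Release Key

  Injects the low byte of vKeyCode with 0x80 added (bit 7 set, the
  set-1 break-code convention).  This is only meaningful for
  single-byte codes below 0x80: larger values wrap, and E0-prefixed
  extended keys are not handled by this helper.

  Unlike the original, this also waits for the output buffer to drain
  first, exactly as KeyPress() does; without that wait a release sent
  immediately after a press could overwrite the unread make code.
*********************************************************************/
void KeyRelease(unsigned int vKeyCode)
{
   if (!KBCWait4DBE())
      return;
   if (!KBCWait4IBE())
      return;
   WRITE_PORT_UCHAR(KBC_KEY_CMD, KBC_CMD_WRITE_OUTPUT_BUFFER);

   if (!KBCWait4IBE())
      return;
   WRITE_PORT_UCHAR(KBC_KEY_DATA, (UCHAR)((UCHAR)vKeyCode + 0x80));
}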

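/*********************************************************************
  Service handler for a CreateFile() user mode call.

  This routine is entered in the driver object function call table by
  the DriverEntry() routine.

  A dispatch routine owns the IRP it is handed and must complete it;
  the original returned STATUS_SUCCESS without doing so, which leaves
  the user-mode CreateFile() blocked forever on the pending IRP.

  No authorization is performed here: whoever can open the device name
  (see the security note in DriverEntry) can inject keystrokes.
*********************************************************************/

NTSTATUS Create(PDEVICE_OBJECT pDevice,PIRP Irp)
{
   UNREFERENCED_PARAMETER(pDevice);

   Irp->IoStatus.Status = STATUS_SUCCESS;
   Irp->IoStatus.Information = 0;
   IoCompleteRequest(Irp, IO_NO_INCREMENT);
   return STATUS_SUCCESS;
}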

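/*********************************************************************
  Service handler for a CloseHandle() user mode call.

  This routine is entered in the driver object function call table by
  the DriverEntry() routine.

  As with Create(), the IRP has to be completed here; returning a
  status without IoCompleteRequest() leaves the close pending and the
  file object alive.
*********************************************************************/

NTSTATUS Close(PDEVICE_OBJECT pDevice,PIRP Irp)
{
   UNREFERENCED_PARAMETER(pDevice);

   Irp->IoStatus.Status = STATUS_SUCCESS;
   Irp->IoStatus.Information = 0;
   IoCompleteRequest(Irp, IO_NO_INCREMENT);
   return STATUS_SUCCESS;
}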

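/*********************************************************************
  Service handler for a WriteFile() user mode call.

  The device uses direct I/O, so the user buffer arrives as an MDL.
  Exactly one _IO_PORT_DATA_ record is accepted per write: bPress
  selects KeyPress() or KeyRelease(), vKey is the byte to inject.

  Status codes:
    STATUS_INVALID_PARAMETER      no stack location or no MDL (e.g. a
                                  zero-length write)
    STATUS_INSUFFICIENT_RESOURCES the MDL could not be mapped (the
                                  original reported this as
                                  INVALID_PARAMETER)
    STATUS_BUFFER_TOO_SMALL       length != sizeof(_IO_PORT_DATA_)
    STATUS_SUCCESS                request processed

  IoStatus.Information is the number of bytes consumed: sizeof the
  record on success, 0 otherwise (the original reported the full size
  even for a rejected length).

  Anything that can open the device reaches this path, so the request
  is copied out of the user-visible mapping before it is interpreted.
*********************************************************************/
NTSTATUS WriteDispatch(
    IN  PDEVICE_OBJECT  DeviceObject,
    IN  PIRP            Irp
    )
{
   NTSTATUS ntStatus = STATUS_INVALID_PARAMETER;
   ULONG_PTR bytesDone = 0;
   PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(Irp);

   UNREFERENCED_PARAMETER(DeviceObject);

   if (stack && Irp->MdlAddress)
   {
      _IO_PORT_DATA_ *userReq =
         (_IO_PORT_DATA_ *)MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority);

      if (!userReq)
      {
         ntStatus = STATUS_INSUFFICIENT_RESOURCES;
      }
      else if (stack->Parameters.Write.Length != sizeof(_IO_PORT_DATA_))
      {
         ntStatus = STATUS_BUFFER_TOO_SMALL;
      }
      else
      {
         /* The system mapping aliases user memory that another thread
          * of the caller can modify while we run.  Snapshot it once so
          * the press/release decision and the byte sent agree; the
          * original read bPress twice from the live mapping. */
         _IO_PORT_DATA_ req;
         RtlCopyMemory(&req, userReq, sizeof(req));

         if (req.bPress == TRUE)
            KeyPress((unsigned char)req.vKey);
         else if (req.bPress == FALSE)
            KeyRelease((unsigned char)req.vKey);
         /* any other bPress value is accepted and does nothing, as before */

         ntStatus = STATUS_SUCCESS;
         bytesDone = sizeof(_IO_PORT_DATA_);
      }
   }

   Irp->IoStatus.Status = ntStatus;
   Irp->IoStatus.Information = bytesDone;
   IoCompleteRequest(Irp, IO_NO_INCREMENT);
   return ntStatus;
}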


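/*********************************************************************
  Driver Entry routine.

  This routine is called only once after the driver is initially
  loaded into memory.  It creates the \Device\GiveIO device object,
  installs the Create/Write/Close dispatch routines and adds the
  \DosDevices\GiveIO symbolic link so that a user mode application can
  open the driver as \\.\GiveIO.

  Error handling: if the symbolic link cannot be created the device
  object is deleted before failing.  The I/O manager does not call
  DriverUnload when DriverEntry fails, so the original leaked the
  device object on that path.

  SECURITY NOTE(review): IoCreateDevice() gives a named device the I/O
  manager's default security descriptor, and for FILE_DEVICE_UNKNOWN
  that may let any local user open \\.\GiveIO and inject keystrokes
  into the console session — including into windows running at a
  higher integrity level than the caller.  On anything but a
  single-user test box this should be created with
  IoCreateDeviceSecure() and an SDDL string such as
  SDDL_DEVOBJ_SYS_ALL_ADM_ALL (wdmsec.h / wdmsec.lib).  Not done here
  to avoid adding that header and library dependency to the listing.
*********************************************************************/
NTSTATUS DriverEntry(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    )
{
   PDEVICE_OBJECT deviceObject = NULL;
   NTSTATUS status;
   WCHAR NameBuffer[] = L"\\Device\\" DEVICE_NAME_STRING;
   WCHAR DOSNameBuffer[] = L"\\DosDevices\\" DEVICE_NAME_STRING;
   UNICODE_STRING uniNameString, uniDOSString;

   UNREFERENCED_PARAMETER(RegistryPath);

   //
   //  Set up device driver name and device object.
   //
   RtlInitUnicodeString(&uniNameString, NameBuffer);
   RtlInitUnicodeString(&uniDOSString, DOSNameBuffer);
   DriverObject->DriverUnload = OnUnload;

   status = IoCreateDevice(DriverObject, 0,
               &uniNameString,
               FILE_DEVICE_UNKNOWN,
               FILE_DEVICE_SECURE_OPEN, FALSE, &deviceObject);

   if(!NT_SUCCESS(status))
      return status;

   //
   // Initialize the Driver Object with driver's entry points.
   //
   DriverObject->MajorFunction[IRP_MJ_CREATE] = Create;
   DriverObject->MajorFunction[IRP_MJ_WRITE] = WriteDispatch;
   DriverObject->MajorFunction[IRP_MJ_CLOSE] = Close;
   deviceObject->Flags |= DO_DIRECT_IO;

   status = IoCreateSymbolicLink (&uniDOSString, &uniNameString);
   if(!NT_SUCCESS(status))
   {
      // No DriverUnload call follows a failed DriverEntry; clean up here.
      IoDeleteDevice(deviceObject);
      return status;
   }

   // Only expose the device once the link exists and dispatch is wired up.
   deviceObject->Flags &= (~DO_DEVICE_INITIALIZING);

   return status;
}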

AlbanainRetard
PostPosted: Sat Feb 21, 2009 12:29 pm    Post subject: Reply with quote

Nice release. I am going to look into making my own keyboard/input driver, just need to download DDK.