/*

  jhxxs.C

  Author: <your name>
  Last Updated: 2006-03-23

  This framework is generated by EasySYS 0.3.0
  This template file is copying from QuickSYS 0.3.0 written by Chunhua Liu

*/

#include "dbghelp.h"
#include "jhxxs.h"
#include <stdio.h>

#include <ntdef.h>
#include <ntstatus.h>
#include <ntddk.h>
//
// A structure representing the instance information associated with
// a particular device
//

typedef struct _DEVICE_EXTENSION
{
    ULONG  StateVariable;

} DEVICE_EXTENSION, *PDEVICE_EXTENSION;

typedef struct _KAPC_STATE{
        LIST_ENTRY        ApcListHead[2];
        PEPROCESS        Process;
        UCHAR                KernelApcInProgress;
        UCHAR                KernelApcPending;
        UCHAR                UserApcPending;
}KAPC_STATE,*PKAPC_STATE;

NTKERNELAPI void KeStackAttachProcess(IN PEPROCESS Process, OUT PKAPC_STATE ApcState);


NTKERNELAPI void KeUnstackDetachProcess(IN PKAPC_STATE ApcState);


NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(IN ULONG ulProcId,OUT PEPROCESS * pEProcess);

NTKERNELAPI NTSTATUS ObOpenObjectByPointer(
    IN PVOID Object,                                            
    IN ULONG HandleAttributes,                                  
    IN PACCESS_STATE PassedAccessState OPTIONAL,                
    IN ACCESS_MASK DesiredAccess OPTIONAL,                      
    IN POBJECT_TYPE ObjectType OPTIONAL,                        
    IN KPROCESSOR_MODE AccessMode,                              
    OUT PHANDLE Handle                                          
        );
//
// Device driver routine declarations.
//

NTSTATUS
DriverEntry(
        IN PDRIVER_OBJECT                DriverObject,
        IN PUNICODE_STRING                RegistryPath
        );

NTSTATUS
JhxxsDispatchCreate(
        IN PDEVICE_OBJECT                DeviceObject,
        IN PIRP                                        Irp
        );

NTSTATUS
JhxxsDispatchClose(
        IN PDEVICE_OBJECT                DeviceObject,
        IN PIRP                                        Irp
        );

NTSTATUS
JhxxsDispatchDeviceControl(
        IN PDEVICE_OBJECT                DeviceObject,
        IN PIRP                                        Irp
        );

VOID
JhxxsUnload(
        IN PDRIVER_OBJECT                DriverObject
        );


#ifdef ALLOC_PRAGMA
#pragma alloc_text(INIT, DriverEntry)
#pragma alloc_text(PAGE, JhxxsDispatchCreate)
#pragma alloc_text(PAGE, JhxxsDispatchClose)
#pragma alloc_text(PAGE, JhxxsDispatchDeviceControl)
#pragma alloc_text(PAGE, JhxxsUnload)
#endif // ALLOC_PRAGMA

NTSTATUS
MyWriteMemory(IN HANDLE hProcess,OUT PVOID BaseAddress,IN PVOID Pbuff,IN ULONG BufferSize)
{
PEPROCESS EProcess; 
KAPC_STATE ApcState;
PVOID writebuffer=NULL;
NTSTATUS status;

status = ObReferenceObjectByHandle(
                  hProcess,
                  PROCESS_VM_WRITE|PROCESS_VM_READ,
                  NULL,
                  KernelMode,
                  &EProcess,
                  NULL
                  );
                  
if(!NT_SUCCESS(status))
{
ObDereferenceObject(EProcess);
return STATUS_UNSUCCESSFUL;
}
writebuffer = ExAllocatePoolWithTag (NonPagedPool, BufferSize, 'Sys');

if(writebuffer==NULL)
{
ObDereferenceObject(EProcess);
ExFreePool (writebuffer);
return STATUS_UNSUCCESSFUL;
}
*(ULONG*)writebuffer=(ULONG)0x1;

if (MmIsAddressValid(Pbuff))
{
   __try
   {
   ProbeForRead ((CONST PVOID)Pbuff, BufferSize, sizeof(CHAR));
   RtlCopyMemory (writebuffer, Pbuff, BufferSize);
   }
   __except(EXCEPTION_EXECUTE_HANDLER)
   {
   status = STATUS_UNSUCCESSFUL;
   }
}
else
{
   status = STATUS_UNSUCCESSFUL;
}

if (NT_SUCCESS(status))
{
  KeStackAttachProcess (EProcess, &ApcState);
  if (MmIsAddressValid(BaseAddress))
  {
   __try
   {
   ProbeForWrite ((CONST PVOID)BaseAddress, BufferSize, sizeof(CHAR));
   RtlCopyMemory (BaseAddress,writebuffer, BufferSize);
   }
   __except(EXCEPTION_EXECUTE_HANDLER)
   {
   status = STATUS_UNSUCCESSFUL;
   }
  }
  else
  {
   status = STATUS_UNSUCCESSFUL;
  }
  KeUnstackDetachProcess (&ApcState);
}

ObDereferenceObject(EProcess);
ExFreePool (writebuffer);
return status;
}


NTSTATUS
MyReadMemory(IN HANDLE hProcess,IN PVOID BaseAddress,OUT PVOID Pbuff,IN ULONG BufferSize)
{
PEPROCESS EProcess;
KAPC_STATE ApcState;
PVOID readbuffer=NULL;
NTSTATUS status;


status = ObReferenceObjectByHandle(
                  hProcess,
                  PROCESS_VM_WRITE|PROCESS_VM_READ,
                  NULL,
                  KernelMode,
                  &EProcess,
                  NULL
                  );


if(!NT_SUCCESS(status))
{
ObDereferenceObject(EProcess);
return STATUS_UNSUCCESSFUL;
}

readbuffer = ExAllocatePoolWithTag (NonPagedPool, BufferSize, 'Sys');

if(readbuffer==NULL)
{
ObDereferenceObject(EProcess);
ExFreePool (readbuffer);
return STATUS_UNSUCCESSFUL;
}
*(ULONG*)readbuffer=(ULONG)0x1;


KeStackAttachProcess (EProcess, &ApcState);
if (MmIsAddressValid(BaseAddress))
{
   __try
   {
   ProbeForRead ((CONST PVOID)BaseAddress, BufferSize, sizeof(CHAR));
   RtlCopyMemory (readbuffer, BaseAddress, BufferSize);
   }
   __except(EXCEPTION_EXECUTE_HANDLER)
   {
   status = STATUS_UNSUCCESSFUL;
   }
}
else
{
  status = STATUS_UNSUCCESSFUL;
}
KeUnstackDetachProcess (&ApcState);


   if(NT_SUCCESS(status))
   {
        if (MmIsAddressValid(Pbuff))
        {
         __try
         {
         ProbeForWrite(Pbuff, BufferSize, sizeof(CHAR));
         RtlCopyMemory (Pbuff, readbuffer, BufferSize);
         }
         __except(EXCEPTION_EXECUTE_HANDLER)
         {
         status = STATUS_UNSUCCESSFUL;
         }
        }
        else
        {
        status = STATUS_UNSUCCESSFUL;
        }
   }



ObDereferenceObject(EProcess);
ExFreePool (readbuffer);
return status;
}



NTSTATUS MyOpenProcess(ULONG PID, PHANDLE pHandle)
{
  NTSTATUS  status;
  PEPROCESS  EProcess = NULL;
  HANDLE    handle = NULL;
  UNICODE_STRING y;
  PULONG    PsProcessType;

  status = PsLookupProcessByProcessId(PID, &EProcess);
  if (NT_SUCCESS(status))
  {
    handle = 0;
    RtlInitUnicodeString(&y, L"PsProcessType");
    PsProcessType = MmGetSystemRoutineAddress(&y);
    if (PsProcessType)
    {
      status = ObOpenObjectByPointer(EProcess, 0, 0, PROCESS_ALL_ACCESS, (PVOID)*PsProcessType, UserMode, &handle);
      if (NT_SUCCESS(status))
      {
                *pHandle = handle;
      }
    }
    ObfDereferenceObject(EProcess);
  } 
  return status;
}


NTSTATUS
DriverEntry(
        IN PDRIVER_OBJECT                DriverObject,
        IN PUNICODE_STRING                RegistryPath
        )
{
        NTSTATUS                        status = STATUS_SUCCESS;    
    UNICODE_STRING                ntDeviceName;
        UNICODE_STRING                dosDeviceName;
    PDEVICE_EXTENSION        deviceExtension;
        PDEVICE_OBJECT                deviceObject = NULL;
        BOOLEAN                                fSymbolicLink = FALSE;

        KdBreakPoint();
        RtlInitUnicodeString(&ntDeviceName, JHXXS_DEVICE_NAME_W);
    status = IoCreateDevice(
                DriverObject,
                sizeof(DEVICE_EXTENSION),
                &ntDeviceName,
                FILE_DEVICE_JHXXS,
                0,
                TRUE,
                &deviceObject
                );

    if (!NT_SUCCESS(status))
        {
                goto __failed;
        }

        deviceExtension = (PDEVICE_EXTENSION)deviceObject->DeviceExtension;
        RtlInitUnicodeString(&dosDeviceName, JHXXS_DOS_DEVICE_NAME_W);
        status = IoCreateSymbolicLink(&dosDeviceName, &ntDeviceName);
    if (!NT_SUCCESS(status))
        {
                goto __failed;
    }

        fSymbolicLink = TRUE;

    DriverObject->MajorFunction[IRP_MJ_CREATE]         = JhxxsDispatchCreate;
    DriverObject->MajorFunction[IRP_MJ_CLOSE]          = JhxxsDispatchClose;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = JhxxsDispatchDeviceControl;
    DriverObject->DriverUnload                         = JhxxsUnload;

    if (NT_SUCCESS(status))
            return status;

__failed:
        if (fSymbolicLink)
                IoDeleteSymbolicLink(&dosDeviceName);
        if (deviceObject)
                IoDeleteDevice(deviceObject);
        return status;
}

NTSTATUS
JhxxsDispatchCreate(
        IN PDEVICE_OBJECT                DeviceObject,
        IN PIRP                                        Irp
        )
{
        NTSTATUS status = STATUS_SUCCESS;

        Irp->IoStatus.Information = 0;
    Irp->IoStatus.Status = status;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    return status;
}

NTSTATUS
JhxxsDispatchClose(
        IN PDEVICE_OBJECT                DeviceObject,
        IN PIRP                                        Irp
        )
{
        NTSTATUS status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
        Irp->IoStatus.Status = status;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    return status;
}

NTSTATUS
JhxxsDispatchDeviceControl(
        IN PDEVICE_OBJECT                DeviceObject,
        IN PIRP                                        Irp
        )
{
        NTSTATUS                        status = STATUS_SUCCESS;
    PIO_STACK_LOCATION        irpStack;
    PDEVICE_EXTENSION        deviceExtension;
        PVOID                                ioBuf;
    ULONG                                inBufLength, outBufLength;
        ULONG                                ioControlCode;

        UCHAR               *buff =0;
        ULONG               OutByteCount =0;

        HANDLE              Writehandel;
        PVOID               WriteDstAddr;
        PVOID               WriteSrcAddr;
        ULONG               WriteSize;
        NTSTATUS            WriteReturn;

        HANDLE              Readhandel;
        PVOID               ReadBaseAddr;
        PVOID               ReadBuffer;
        ULONG               ReadSize;
        NTSTATUS            ReadReturn;

        ULONG               OpenPid;
        PHANDLE             PProcessHandle;
        NTSTATUS            OpenReturn;

    irpStack = IoGetCurrentIrpStackLocation(Irp);
    deviceExtension = (PDEVICE_EXTENSION)DeviceObject->DeviceExtension;
        Irp->IoStatus.Information = 0;
        ioBuf = Irp->AssociatedIrp.SystemBuffer;
        inBufLength = irpStack->Parameters.DeviceIoControl.InputBufferLength;
    outBufLength = irpStack->Parameters.DeviceIoControl.OutputBufferLength;
    ioControlCode = irpStack->Parameters.DeviceIoControl.IoControlCode;

    switch (ioControlCode)
        {
        case  0X0022E004:
                {
                 buff=(UCHAR *)Irp->AssociatedIrp.SystemBuffer ;
                 memmove(&Writehandel,&buff[0],4);
                 memmove(&WriteDstAddr,&buff[4],4);
                 memmove(&WriteSrcAddr,&buff[8],4);
                 memmove(&WriteSize,&buff[12],4);

                 WriteReturn=MyWriteMemory(Writehandel,WriteDstAddr,WriteSrcAddr,WriteSize);
                 memmove(Irp->AssociatedIrp.SystemBuffer,&WriteReturn,4);
                 OutByteCount=4;
                 break;
                }

        case  0X0022E008:
                {
                 buff=(UCHAR *)Irp->AssociatedIrp.SystemBuffer ;
                 memmove(&Readhandel,&buff[0],4);
                 memmove(&ReadBaseAddr,&buff[4],4);
                 memmove(&ReadBuffer,&buff[8],4);
                 memmove(&ReadSize,&buff[12],4);

                 ReadReturn=MyReadMemory(Readhandel,ReadBaseAddr,ReadBuffer,ReadSize);
                 memmove(&buff[0],&ReadReturn,4);
                 OutByteCount=4;
                 break;
                }

        case  0X0022E000:
                {
                 OpenReturn = MyOpenProcess(*(PULONG)ioBuf,ioBuf);
                 buff=(UCHAR *)Irp->AssociatedIrp.SystemBuffer ;
                 memmove(&buff[4],&OpenReturn,4);
                 OutByteCount=8;
                 break;
                }
                
        case IOCTL_JHXXS_HELLO:
                {
            break;
                }

    default:
        status = STATUS_INVALID_PARAMETER;
                break;
        }
        Irp->IoStatus.Status = status;
        Irp->IoStatus.Information = OutByteCount;
        IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}

VOID
JhxxsUnload(
        IN PDRIVER_OBJECT                DriverObject
        )
{
    UNICODE_STRING dosDeviceName;
        RtlInitUnicodeString(&dosDeviceName, JHXXS_DOS_DEVICE_NAME_W);
    IoDeleteSymbolicLink(&dosDeviceName);
        IoDeleteDevice(DriverObject->DeviceObject);
}


完整可编译代码如下[驱动由 BC++编写 WINDDK编译]

上传的附件 jhxxs.rar