While reading the book "Windows Kernel Security Programming" (Cold River Lone Fishing), I found that for the technique of modifying a class driver's dispatch functions the book only gives the general idea and part of the code; there is no complete example.
Following the author's idea and code, I completed the example and found that, once the driver was installed on 32-bit Windows 7, the keyboard stopped working.
After debugging: replacing all of the dispatch functions of the `\Driver\Kbdclass` driver is what causes the failure; replacing only the IRP_MJ_READ dispatch function works without problems. The code follows.
```c
// Replace the dispatch function to implement filtering
#include <wdm.h>
#include <Ntddkbd.h>

// Name of the Kbdclass driver object
#define KBD_DRIVER_NAME L"\\Driver\\Kbdclass"

// The old dispatch function addresses
PDRIVER_DISPATCH OldDispatchFun[IRP_MJ_MAXIMUM_FUNCTION + 1];
extern POBJECT_TYPE *IoDriverObjectType;
PDRIVER_DISPATCH OldDispatchRead;

// This function exists but is not documented, so declare it here;
// after that it can be called directly.
NTSTATUS
ObReferenceObjectByName(
    PUNICODE_STRING ObjectName,
    ULONG Attributes,
    PACCESS_STATE AccessState,
    ACCESS_MASK DesiredAccess,
    POBJECT_TYPE ObjectType,
    KPROCESSOR_MODE AccessMode,
    PVOID ParseContext,
    PVOID *Object
);

// The new dispatch function
NTSTATUS c2pDispatchGeneral(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
)
{
    PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation(Irp);
    DbgPrint("irpStack->MinorFunction=%x\n", irpStack->MinorFunction);
    // Only IRP_MJ_READ is replaced, so hand every request to the saved read dispatch
    return OldDispatchRead(DeviceObject, Irp);
    // return OldDispatchFun[irpStack->MajorFunction](DeviceObject, Irp);
}

#define DELAY_ONE_MICROSECOND (-10)
#define DELAY_ONE_MILLISECOND (DELAY_ONE_MICROSECOND * 1000)
#define DELAY_ONE_SECOND      (DELAY_ONE_MILLISECOND * 1000)

// Restore the original dispatch function when the driver is unloaded
VOID c2pUnload(IN PDRIVER_OBJECT DriverObject)
{
    NTSTATUS       status = STATUS_UNSUCCESSFUL;
    int            nIndex = 0;
    PDRIVER_OBJECT KeyboardDriverObject = NULL;
    UNICODE_STRING KeyboardName;
    LARGE_INTEGER  Delay;

    RtlInitUnicodeString(&KeyboardName, L"\\Driver\\Kbdclass");

    status = ObReferenceObjectByName(&KeyboardName, OBJ_CASE_INSENSITIVE, NULL, 0,
                                     *IoDriverObjectType, KernelMode, NULL,
                                     (PVOID *)&KeyboardDriverObject);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("UnloadDriver: get keyboard driver object error\n");
        return;
    }

    // Swap the original dispatch function back in
    // (restoring the whole table is what broke the keyboard on Win7 x86, so it stays commented out)
    // for (nIndex = 0; nIndex < IRP_MJ_MAXIMUM_FUNCTION; nIndex++)
    // {
    //     InterlockedExchangePointer((PVOID *)&KeyboardDriverObject->MajorFunction[nIndex], OldDispatchFun[nIndex]);
    // }
    InterlockedExchangePointer((PVOID *)&KeyboardDriverObject->MajorFunction[IRP_MJ_READ], OldDispatchRead);
    DbgPrint("Change MajorFunction successful!\n");

    // Delay so that requests already inside the replaced routine can finish
    Delay = RtlConvertLongToLargeInteger(5 * DELAY_ONE_MILLISECOND);
    KeDelayExecutionThread(KernelMode, FALSE, &Delay);
    // Release the reference taken by ObReferenceObjectByName (the original called ObReferenceObject here, which leaked it)
    ObDereferenceObject(KeyboardDriverObject);
}

// Driver entry
NTSTATUS DriverEntry(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
)
{
    NTSTATUS       status;
    UNICODE_STRING uniNtNameString;
    // The Kbdclass driver object
    PDRIVER_OBJECT KbdDriverObject = NULL;

    KdPrint(("MyAttach\n"));

#if DBG
    _asm int 3;
#endif
    // Initialize a string holding the name of the Kbdclass driver
    RtlInitUnicodeString(&uniNtNameString, KBD_DRIVER_NAME);

    // Compare the earlier example of opening a device object; here only the driver object is opened
    status = ObReferenceObjectByName(
        &uniNtNameString,
        OBJ_CASE_INSENSITIVE,
        NULL,
        0,
        *IoDriverObjectType,
        KernelMode,
        NULL,
        (PVOID *)&KbdDriverObject
    );
    // If it fails, return directly
    if (!NT_SUCCESS(status))
    {
        DbgPrint("MyAttach: couldn't get the MyTest device object %x\n", status);
        return status;
    }
    // This open takes a reference (the driver object's reference count goes up by 1);
    // release it as soon as it is no longer needed so it is not forgotten later.

    OldDispatchRead = KbdDriverObject->MajorFunction[IRP_MJ_READ];
    InterlockedExchangePointer((PVOID *)&KbdDriverObject->MajorFunction[IRP_MJ_READ], c2pDispatchGeneral);
    ObDereferenceObject(KbdDriverObject);

    // Unload routine
    DriverObject->DriverUnload = c2pUnload;

    return status;
}
```
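As an added, defender-side example that is not part of the original post or the book: a check that flags `MajorFunction[]` slots pointing neither into the owning driver's own image (what `DriverStart`/`DriverSize` describe) nor into the kernel image, which is exactly how a replacement like the IRP_MJ_READ swap above looks from the outside. The `ModuleRange`/`DriverView` structs and every address are constructed stand-ins, not the real `DRIVER_OBJECT` layout.

```c
#include <stdint.h>
#include <stdio.h>

#define IRP_MJ_READ             0x03
#define IRP_MJ_MAXIMUM_FUNCTION 0x1b

/* Address range of a loaded kernel module (constructed stand-in for DriverStart/DriverSize). */
typedef struct { const char *name; uintptr_t base; size_t size; } ModuleRange;

/* Only the DRIVER_OBJECT fields this check reads; constructed, not the real layout. */
typedef struct {
    ModuleRange image;                                   /* the driver's own image */
    uintptr_t   major_function[IRP_MJ_MAXIMUM_FUNCTION + 1];
} DriverView;

static int in_range(const ModuleRange *m, uintptr_t p) {
    return p >= m->base && p < m->base + m->size;
}

/* Flag every MajorFunction[] slot that points neither into the driver's own image nor
 * into the kernel (unused slots legitimately hold nt!IopInvalidDeviceRequest, so the
 * kernel range is allow-listed). Returns the count; slot indices go to out_idx. */
int find_foreign_dispatch(const DriverView *d, const ModuleRange *kernel,
                          int *out_idx, int max_out) {
    int n = 0;
    for (int i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) {
        uintptr_t p = d->major_function[i];
        if (in_range(&d->image, p) || in_range(kernel, p)) continue;
        if (n < max_out) out_idx[n] = i;
        n++;
    }
    return n;
}

/* Constructed scenario: a Kbdclass whose IRP_MJ_READ slot was redirected into another
 * module. Returns the flagged slot index, or -1 if the result is not exactly one slot. */
int demo_hooked_read_slot(void) {
    ModuleRange kernel = { "ntoskrnl.exe", 0x80400000u, 0x400000u };
    DriverView kbd = { { "kbdclass.sys", 0x90a00000u, 0x8000u }, { 0 } };
    for (int i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
        kbd.major_function[i] = kernel.base + 0x1000;          /* IopInvalidDeviceRequest */
    kbd.major_function[0x00] = kbd.image.base + 0x1a00;        /* IRP_MJ_CREATE: own handler */
    kbd.major_function[0x02] = kbd.image.base + 0x1a00;        /* IRP_MJ_CLOSE: own handler */
    kbd.major_function[IRP_MJ_READ] = 0x9c000000u + 0x300;     /* points into a third module */
    int idx[IRP_MJ_MAXIMUM_FUNCTION + 1];
    int n = find_foreign_dispatch(&kbd, &kernel, idx, IRP_MJ_MAXIMUM_FUNCTION + 1);
    for (int k = 0; k < n; k++) printf("MajorFunction[0x%02x] points outside the driver\n", idx[k]);
    return (n == 1) ? idx[0] : -1;
}
```

On a live system the same walk is done over the driver objects in `\Driver` with their `DriverStart`/`DriverSize` and the loaded-module list; a slot that resolves to a third module, as above, is the finding to investigate.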
Modifying a class driver's dispatch functions, from "Windows Kernel Security Programming" (Cold River Lone Fishing)