HyperDbg Debugger
Driver.h File Reference

Header for the WDK driver functions of the Reversing Machine (RM).

Go to the source code of this file.

Functions

NTSTATUS DriverEntry (PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
 Main driver entry, run when the driver is loaded.
VOID DrvUnload (PDRIVER_OBJECT DriverObject)
 Run in the case of driver unload to unregister the devices.
NTSTATUS DrvCreate (PDEVICE_OBJECT DeviceObject, PIRP Irp)
 IRP_MJ_CREATE Function handler.
NTSTATUS DrvRead (PDEVICE_OBJECT DeviceObject, PIRP Irp)
 IRP_MJ_READ Function handler.
NTSTATUS DrvWrite (PDEVICE_OBJECT DeviceObject, PIRP Irp)
 IRP_MJ_WRITE Function handler.
NTSTATUS DrvClose (PDEVICE_OBJECT DeviceObject, PIRP Irp)
 IRP_MJ_CLOSE Function handler.
NTSTATUS DrvUnsupported (PDEVICE_OBJECT DeviceObject, PIRP Irp)
 Unsupported message for all other IRP_MJ_* handlers.
NTSTATUS DrvDispatchIoControl (PDEVICE_OBJECT DeviceObject, PIRP Irp)
 Driver IOCTL Dispatcher.

Detailed Description

Header for the WDK driver functions of the Reversing Machine (RM).

Author
Sina Karvandi (sina@.nosp@m.hype.nosp@m.rdbg..nosp@m.org)
Version
0.2
Date
2023-01-29

Function Documentation

◆ DriverEntry()

NTSTATUS DriverEntry ( PDRIVER_OBJECT DriverObject,
PUNICODE_STRING RegistryPath )

Load & Unload.

Main driver entry point, called when the driver is loaded.

Parameters
DriverObject
RegistryPath
Returns
NTSTATUS
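/**
 * @brief Main driver entry, run when the driver is loaded
 * @details Creates the control device, fills the IRP dispatch table, selects
 * buffered I/O and publishes the DOS-device symbolic link that user mode opens.
 *
 * The rendered listing on this page drops source line 48 (the DeviceType
 * argument of IoCreateDevice); it is restored here as FILE_DEVICE_UNKNOWN from
 * the cross-reference printed under the listing - confirm against Driver.c.
 *
 * Changed from the listing: the result of IoCreateSymbolicLink is checked and
 * the device is deleted again when the link cannot be created, and
 * DriverObject is no longer marked as unreferenced because it is used.
 *
 * @param DriverObject Driver object whose dispatch table and unload routine are set
 * @param RegistryPath Not used
 * @return NTSTATUS Status of IoCreateDevice, or of IoCreateSymbolicLink if that call fails
 */
NTSTATUS
DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    NTSTATUS       Ntstatus      = STATUS_SUCCESS;
    UINT64         Index         = 0;
    PDEVICE_OBJECT DeviceObject  = NULL;
    UNICODE_STRING DriverName    = RTL_CONSTANT_STRING(L"\\Device\\HyperDbgReversingMachineDevice");
    UNICODE_STRING DosDeviceName = RTL_CONSTANT_STRING(L"\\DosDevices\\HyperDbgReversingMachineDevice");

    UNREFERENCED_PARAMETER(RegistryPath);

    //
    // Opt-in to using non-executable pool memory on Windows 8 and later.
    // https://msdn.microsoft.com/en-us/library/windows/hardware/hh920402(v=vs.85).aspx
    //
    ExInitializeDriverRuntime(DrvRtPoolNxOptIn);

    //
    // Creating the device for interaction with user-mode
    //
    // No security descriptor is passed here, so the device object gets the
    // default one and the only caller check visible in this file is the
    // SeDebugPrivilege test in DrvCreate. Exclusive is FALSE; the driver
    // relies on g_HandleInUse instead for its single-handle policy.
    // NOTE(review): consider IoCreateDeviceSecure with an SDDL string that
    // limits opens to SYSTEM and Administrators as a second layer.
    //
    Ntstatus = IoCreateDevice(DriverObject,
                              0,
                              &DriverName,
                              FILE_DEVICE_UNKNOWN,
                              FILE_DEVICE_SECURE_OPEN,
                              FALSE,
                              &DeviceObject);

    if (NT_SUCCESS(Ntstatus))
    {
        //
        // Default every major function to the catch-all handler first.
        // NOTE(review): the bound is '<', so the slot at index
        // IRP_MJ_MAXIMUM_FUNCTION keeps whatever the I/O manager installed.
        //
        for (Index = 0; Index < IRP_MJ_MAXIMUM_FUNCTION; Index++)
            DriverObject->MajorFunction[Index] = DrvUnsupported;

        //
        // We cannot use logging mechanism of HyperDbg as it's not initialized yet
        //
        DbgPrint("Setting device major functions");

        DriverObject->MajorFunction[IRP_MJ_CLOSE]          = DrvClose;
        DriverObject->MajorFunction[IRP_MJ_CREATE]         = DrvCreate;
        DriverObject->MajorFunction[IRP_MJ_READ]           = DrvRead;
        DriverObject->MajorFunction[IRP_MJ_WRITE]          = DrvWrite;
        DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DrvDispatchIoControl;

        DriverObject->DriverUnload = DrvUnload;

        //
        // Establish user-buffer access method.
        //
        DeviceObject->Flags |= DO_BUFFERED_IO;

        //
        // Without the link user mode has no name to open, so treat a failure
        // as a failed load. DriverUnload is not called when DriverEntry
        // fails, so the device has to be deleted here.
        //
        Ntstatus = IoCreateSymbolicLink(&DosDeviceName, &DriverName);

        if (NT_SUCCESS(Ntstatus))
        {
            //
            // We cannot use logging mechanism of HyperDbg as it's not initialized yet
            //
            DbgPrint("HyperDbg's device and major functions are loaded");
        }
        else
        {
            IoDeleteDevice(DeviceObject);
            DeviceObject = NULL;
        }
    }

    ASSERT(NT_SUCCESS(Ntstatus));
    return Ntstatus;
}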
#define FALSE
Definition BasicTypes.h:113
#define FILE_DEVICE_UNKNOWN
Definition Ioctls.h:52
struct _UNICODE_STRING UNICODE_STRING
NTSTATUS DrvWrite(PDEVICE_OBJECT DeviceObject, PIRP Irp)
IRP_MJ_WRITE Function handler.
Definition Driver.c:216
NTSTATUS DrvUnsupported(PDEVICE_OBJECT DeviceObject, PIRP Irp)
Unsupported message for all other IRP_MJ_* handlers.
Definition Driver.c:266
NTSTATUS DrvRead(PDEVICE_OBJECT DeviceObject, PIRP Irp)
IRP_MJ_READ Function handler.
Definition Driver.c:192
NTSTATUS DrvClose(PDEVICE_OBJECT DeviceObject, PIRP Irp)
IRP_MJ_CLOSE Function handler.
Definition Driver.c:240
VOID DrvUnload(PDRIVER_OBJECT DriverObject)
Run in the case of driver unload to unregister the devices.
Definition Driver.c:98
NTSTATUS DrvCreate(PDEVICE_OBJECT DeviceObject, PIRP Irp)
IRP_MJ_CREATE Function handler.
Definition Driver.c:120
NTSTATUS DrvDispatchIoControl(PDEVICE_OBJECT DeviceObject, PIRP Irp)
Driver IOCTL Dispatcher.
Definition Ioctl.c:23
NULL()
Definition test-case-generator.py:530

◆ DrvClose()

NTSTATUS DrvClose ( PDEVICE_OBJECT DeviceObject,
PIRP Irp )

IRP_MJ_CLOSE Function handler.

Parameters
DeviceObject
Irp
Returns
NTSTATUS
/**
 * @brief IRP_MJ_CLOSE Function handler
 * @details Releases the single-handle flag and completes the request.
 *
 * The rendered listing on this page drops source line 249; it is restored
 * here as the reset of g_HandleInUse, based on the cross-reference printed
 * under the listing and the comment above it - confirm against Driver.c.
 *
 * @param DeviceObject Not used
 * @param Irp Close request; always completed with STATUS_SUCCESS
 * @return NTSTATUS STATUS_SUCCESS
 */
NTSTATUS
DrvClose(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    const NTSTATUS CloseStatus = STATUS_SUCCESS;

    UNREFERENCED_PARAMETER(DeviceObject);

    //
    // Once close is called, no IOCTL is left in a pending state,
    // so a later IRP_MJ_CREATE may be given a handle again
    //
    // NOTE(review): plain store to a shared flag; no lock or interlocked
    // operation is visible around g_HandleInUse in this file.
    //
    g_HandleInUse = FALSE;

    Irp->IoStatus.Information = 0;
    Irp->IoStatus.Status      = CloseStatus;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    return CloseStatus;
}
BOOLEAN g_HandleInUse
Determines whether the one application gets the handle or not this is used to ensure that only one ap...
Definition Global.h:18

◆ DrvCreate()

NTSTATUS DrvCreate ( PDEVICE_OBJECT DeviceObject,
PIRP Irp )

IRP Major Functions.

IRP_MJ_CREATE Function handler.

Parameters
DeviceObject
Irp
Returns
NTSTATUS
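/**
 * @brief IRP_MJ_CREATE Function handler
 * @details Gate for every handle to the device: checks SeDebugPrivilege,
 * enforces the single-handle policy, then initializes the VMM and the
 * reversing machine.
 *
 * The rendered listing on this page drops source line 163; it is restored
 * here as the call to LoaderInitVmmAndReversingMachine(), based on the
 * cross-reference printed under the listing - confirm against Driver.c.
 *
 * Changed from the listing: a create that arrives while g_HandleInUse is set
 * is failed with STATUS_DEVICE_BUSY. The listing completed it with
 * STATUS_SUCCESS, which gives the second caller a valid handle and
 * contradicts the single-handle rule stated in the comment.
 *
 * @param DeviceObject Not used
 * @param Irp Create request; always completed here
 * @return NTSTATUS STATUS_SUCCESS, STATUS_ACCESS_DENIED, STATUS_DEVICE_BUSY
 * or STATUS_UNSUCCESSFUL
 */
NTSTATUS
DrvCreate(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    NTSTATUS Status;
    LUID     DebugPrivilege = {SE_DEBUG_PRIVILEGE, 0};

    UNREFERENCED_PARAMETER(DeviceObject);

    //
    // Check for privilege
    //
    // Check for the correct security access.
    // The caller must have the SeDebugPrivilege.
    //
    // The check uses Irp->RequestorMode, so a kernel-mode requestor passes
    // unconditionally. It runs only here; DrvDispatchIoControl in this file
    // shows no further caller check, so whoever ends up holding the handle
    // can issue IOCTLs.
    //
    if (!SeSinglePrivilegeCheck(DebugPrivilege, Irp->RequestorMode))
    {
        Status = STATUS_ACCESS_DENIED;
    }
    //
    // Check to allow just one handle to the driver
    // means that only one application can get the handle
    // and a new application is not allowed to create a new
    // handle until IRP_MJ_CLOSE is called.
    //
    // NOTE(review): nothing visible in this function sets g_HandleInUse,
    // and the test is not atomic with respect to a concurrent create -
    // confirm where the flag is raised and whether it needs an interlocked
    // test-and-set.
    //
    else if (g_HandleInUse)
    {
        //
        // Another caller got the handle before
        //
        Status = STATUS_DEVICE_BUSY;
    }
    //
    // Initialize the vmm and the reversing machine
    //
    else if (LoaderInitVmmAndReversingMachine())
    {
        Status = STATUS_SUCCESS;
    }
    else
    {
        //
        // There was a problem, so not loaded
        //
        Status = STATUS_UNSUCCESSFUL;
    }

    Irp->IoStatus.Status      = Status;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    return Status;
}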
#define STATUS_UNSUCCESSFUL
Definition Windows.h:172
BOOLEAN LoaderInitVmmAndReversingMachine()
Initialize the VMM and Reversing Machine.
Definition Loader.c:19

◆ DrvDispatchIoControl()

NTSTATUS DrvDispatchIoControl ( PDEVICE_OBJECT DeviceObject,
PIRP Irp )

Driver IOCTL Dispatcher.

Parameters
DeviceObject
Irp
Returns
NTSTATUS
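/**
 * @brief Driver IOCTL Dispatcher
 * @details Handles IOCTL_REGISTER_EVENT while the VMM is initialized and
 * rejects every other control code.
 *
 * The rendered listing on this page drops source lines 39, 45, 68 and 73.
 * They are restored here from the cross-references printed under the listing
 * (g_VmmInitialized, IOCTL_REGISTER_EVENT, LogRegisterIrpBasedNotification,
 * LogRegisterEventBasedNotification and their signatures); the exact argument
 * expressions are inferred - confirm against Ioctl.c.
 *
 * Changed from the listing: Status starts as STATUS_UNSUCCESSFUL instead of
 * being left uninitialized, so a path that never assigns it cannot return or
 * complete the IRP with a stack garbage value.
 *
 * @param DeviceObject Not used
 * @param Irp Device-control request; completed here unless Status is STATUS_PENDING
 * @return NTSTATUS Status of the request
 */
NTSTATUS
DrvDispatchIoControl(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    PIO_STACK_LOCATION      IrpStack;
    PREGISTER_NOTIFY_BUFFER RegisterEventRequest;
    NTSTATUS                Status = STATUS_UNSUCCESSFUL;

    UNREFERENCED_PARAMETER(DeviceObject);

    //
    // Here's the best place to see if there is any allocation pending
    // to be allocated as we're in PASSIVE_LEVEL
    //
    // DO NOT CHANGE CALLING OF THE FOLLOWING FUNCTION
    //
    // PoolManagerCheckAndPerformAllocationAndDeallocation();

    if (g_VmmInitialized)
    {
        IrpStack = IoGetCurrentIrpStackLocation(Irp);

        switch (IrpStack->Parameters.DeviceIoControl.IoControlCode)
        {
        case IOCTL_REGISTER_EVENT:

            //
            // First validate the parameters.
            // The length test must stay ahead of the cast below so that
            // Type is never read from a buffer shorter than the structure.
            // NOTE(review): only the input length is checked here; any
            // bound on the output length has to be enforced by the callees.
            //
            if (IrpStack->Parameters.DeviceIoControl.InputBufferLength < SIZEOF_REGISTER_EVENT || Irp->AssociatedIrp.SystemBuffer == NULL)
            {
                Status = STATUS_INVALID_PARAMETER;
                LogError("Err, invalid parameter to IOCTL dispatcher");
                break;
            }

            //
            // IRPs supply a pointer to a buffer at Irp->AssociatedIrp.SystemBuffer.
            // This buffer represents both the input buffer and the output buffer that
            // are specified in calls to DeviceIoControl
            //
            RegisterEventRequest = (PREGISTER_NOTIFY_BUFFER)Irp->AssociatedIrp.SystemBuffer;

            switch (RegisterEventRequest->Type)
            {
            case IRP_BASED:

                //
                // The callee reports its result through Status; presumably
                // STATUS_PENDING when it keeps the IRP - verify in Logging.c
                //
                LogRegisterIrpBasedNotification((PVOID)Irp, &Status);

                break;
            case EVENT_BASED:

                if (LogRegisterEventBasedNotification((PVOID)Irp))
                {
                    Status = STATUS_SUCCESS;
                }
                else
                {
                    Status = STATUS_UNSUCCESSFUL;
                }

                break;
            default:
                LogError("Err, unknown notification type from user-mode");
                Status = STATUS_INVALID_PARAMETER;
                break;
            }
            break;

        default:
            LogError("Err, unknown IOCTL");
            Status = STATUS_NOT_IMPLEMENTED;
            break;
        }
    }
    else
    {
        //
        // We no longer serve IOCTLs
        // NOTE(review): the request is reported as successful although
        // nothing was done, so a caller cannot tell it was ignored.
        //
        Status = STATUS_SUCCESS;
    }

    //
    // A pending IRP is owned by whoever queued it and must not be touched
    // or completed here.
    // NOTE(review): IoStatus.Information is not assigned on this path.
    //
    if (Status != STATUS_PENDING)
    {
        Irp->IoStatus.Status = Status;

        IoCompleteRequest(Irp, IO_NO_INCREMENT);
    }

    return Status;
}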
void * PVOID
Definition BasicTypes.h:56
struct _REGISTER_NOTIFY_BUFFER * PREGISTER_NOTIFY_BUFFER
@ EVENT_BASED
Definition DataTypes.h:288
@ IRP_BASED
Definition DataTypes.h:287
#define SIZEOF_REGISTER_EVENT
Definition Events.h:438
#define IOCTL_REGISTER_EVENT
ioctl, register a new event
Definition Ioctls.h:114
IMPORT_EXPORT_HYPERLOG BOOLEAN LogRegisterEventBasedNotification(PVOID TargetIrp)
Create an event-based usermode notifying mechanism.
Definition Logging.c:1594
IMPORT_EXPORT_HYPERLOG BOOLEAN LogRegisterIrpBasedNotification(PVOID TargetIrp, LONG *Status)
Register a new IRP Pending thread which listens for new buffers.
Definition Logging.c:1475
#define LogError(format,...)
Log in the case of error.
Definition HyperDbgHyperLogIntrinsics.h:113
BOOLEAN g_VmmInitialized
Shows whether the VMM is initialized or not.
Definition Global.h:24
NOTIFY_TYPE Type
Definition DataTypes.h:312

◆ DrvRead()

NTSTATUS DrvRead ( PDEVICE_OBJECT DeviceObject,
PIRP Irp )

IRP_MJ_READ Function handler.

Parameters
DeviceObject
Irp
Returns
NTSTATUS
/**
 * @brief IRP_MJ_READ Function handler
 * @details Read is not used by this driver; the request is completed with
 * STATUS_SUCCESS and zero bytes transferred.
 *
 * @param DeviceObject Not used
 * @param Irp Read request; always completed here
 * @return NTSTATUS STATUS_SUCCESS
 */
NTSTATUS
DrvRead(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    const NTSTATUS ReadStatus = STATUS_SUCCESS;

    UNREFERENCED_PARAMETER(DeviceObject);

    //
    // Not used
    //
    DbgPrint("This function is not used");

    Irp->IoStatus.Information = 0;
    Irp->IoStatus.Status      = ReadStatus;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    return ReadStatus;
}

◆ DrvUnload()

VOID DrvUnload ( PDRIVER_OBJECT DriverObject)

Run in the case of driver unload to unregister the devices.

Parameters
DriverObject
Returns
VOID
/**
 * @brief Run in the case of driver unload to unregister the devices
 * @details Removes the DOS-device symbolic link, deletes the device object
 * and uninitializes the log tracer.
 *
 * The rendered listing on this page drops source line 109; it is restored
 * here as the call to LoaderUninitLogTracer(), based on the cross-reference
 * printed under the listing - confirm against Driver.c.
 *
 * @param DriverObject Driver object whose device is deleted
 * @return VOID
 */
VOID
DrvUnload(PDRIVER_OBJECT DriverObject)
{
    UNICODE_STRING DosDeviceName = RTL_CONSTANT_STRING(L"\\DosDevices\\HyperDbgReversingMachineDevice");

    //
    // Remove the user-visible name first, then the device itself
    //
    IoDeleteSymbolicLink(&DosDeviceName);
    IoDeleteDevice(DriverObject->DeviceObject);

    //
    // Unloading VMM and Debugger
    // NOTE(review): the only call referenced for this step is the log
    // tracer teardown - confirm where the VMM itself is unloaded.
    //
    LoaderUninitLogTracer();
}
VOID LoaderUninitLogTracer()
Uninitialize the log tracer.
Definition Loader.c:104

◆ DrvUnsupported()

NTSTATUS DrvUnsupported ( PDEVICE_OBJECT DeviceObject,
PIRP Irp )

Unsupported message for all other IRP_MJ_* handlers.

Parameters
DeviceObject
Irp
Returns
NTSTATUS
/**
 * @brief Unsupported message for all other IRP_MJ_* handlers
 * @details Catch-all installed by DriverEntry for the major functions that
 * have no dedicated handler. The request is completed with STATUS_SUCCESS
 * and zero bytes transferred.
 *
 * NOTE(review): a caller cannot tell an unsupported request from a successful
 * one. Before switching to a failure status, check which major functions
 * reach this routine; some of them (cleanup on handle close, for example)
 * are expected to succeed.
 *
 * @param DeviceObject Not used
 * @param Irp Request of an unsupported major function; always completed here
 * @return NTSTATUS STATUS_SUCCESS
 */
NTSTATUS
DrvUnsupported(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    const NTSTATUS FallbackStatus = STATUS_SUCCESS;

    UNREFERENCED_PARAMETER(DeviceObject);

    //
    // Not supported
    //
    DbgPrint("This function is not supported");

    Irp->IoStatus.Information = 0;
    Irp->IoStatus.Status      = FallbackStatus;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    return FallbackStatus;
}

◆ DrvWrite()

NTSTATUS DrvWrite ( PDEVICE_OBJECT DeviceObject,
PIRP Irp )

IRP_MJ_WRITE Function handler.

Parameters
DeviceObject
Irp
Returns
NTSTATUS
/**
 * @brief IRP_MJ_WRITE Function handler
 * @details Write is not used by this driver; the request is completed with
 * STATUS_SUCCESS and zero bytes transferred.
 *
 * @param DeviceObject Not used
 * @param Irp Write request; always completed here
 * @return NTSTATUS STATUS_SUCCESS
 */
NTSTATUS
DrvWrite(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    const NTSTATUS WriteStatus = STATUS_SUCCESS;

    UNREFERENCED_PARAMETER(DeviceObject);

    //
    // Not used
    //
    DbgPrint("This function is not used");

    Irp->IoStatus.Information = 0;
    Irp->IoStatus.Status      = WriteStatus;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    return WriteStatus;
}