├── init.bat ├── src ├── pe2array │ ├── pe2array.vcproj │ └── main.cpp ├── driver-loader │ ├── driver-loader.vcproj │ └── main.cpp └── SimpleInjector-x64 │ └── main.cpp ├── clean.bat ├── .gitignore ├── publish ├── CDLL_Loader │ ├── String_Convertion.h │ ├── String_Convertion.cpp │ ├── README.md │ ├── DLL_Loader.h │ └── DLL_Loader.cpp └── CDriver_Loader │ ├── README.md │ ├── driver.h │ └── driver.cpp ├── LICENSE ├── bin └── study_lua_bridge.lua └── README.md /init.bat: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wyrover/win-sys/HEAD/init.bat -------------------------------------------------------------------------------- /src/pe2array/pe2array.vcproj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wyrover/win-sys/HEAD/src/pe2array/pe2array.vcproj -------------------------------------------------------------------------------- /src/driver-loader/driver-loader.vcproj: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wyrover/win-sys/HEAD/src/driver-loader/driver-loader.vcproj -------------------------------------------------------------------------------- /clean.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | cd /d %~dp0 3 | del /F /S /Q *.aps *.idb *.ncp *.obj *.pch *.sbr *.tmp *.pdb *.bsc *.ilk *.res *.ncb *.opt *.suo *.manifest *.dep *.user 4 | del *.suo /s /Q /ah 5 | pause -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Compiled Object files 2 | *.slo 3 | *.lo 4 | *.o 5 | *.obj 6 | 7 | # Precompiled Headers 8 | *.gch 9 | *.pch 10 | 11 | # Compiled Dynamic libraries 12 | *.so 13 | *.dylib 14 | *.dll 15 | 16 | # Fortran module files 17 | *.mod 18 | 19 | # Compiled Static libraries 20 | *.lai 21 | *.la 22 | *.a 23 | *.lib 24 | 25 | # Executables 26 | *.exe 27 | *.out 28 | *.app 29 | -------------------------------------------------------------------------------- /publish/CDLL_Loader/String_Convertion.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #pragma warning(push) 3 | #pragma warning(disable: 4244) // possible loss of data 4 | #include 5 | #pragma warning(pop) 6 | 7 | #include 8 | 9 | class String_Convertion { 10 | public: 11 | static std::wstring StringToWString(const std::string& s); 12 | static std::string WStringToString(const std::wstring& s); 13 | }; 14 | -------------------------------------------------------------------------------- /publish/CDLL_Loader/String_Convertion.cpp: -------------------------------------------------------------------------------- 1 | #include "String_Convertion.h" 2 | 3 | std::wstring String_Convertion::StringToWString(const std::string& s) 4 | { 5 | std::wstring temp(s.length(),L' '); 6 | std::copy(s.begin(), s.end(), temp.begin()); 7 | return temp; 8 | } 9 | 10 | std::string String_Convertion::WStringToString(const std::wstring& s) 11 | { 12 | std::string temp(s.length(), ' '); 13 | std::copy(s.begin(), s.end(), temp.begin()); 14 | return temp; 15 | } 16 | -------------------------------------------------------------------------------- /publish/CDLL_Loader/README.md: -------------------------------------------------------------------------------- 1 | DLL Loader / DLL Injections in C++ for Windows 2 | ============== 3 | 4 | Intro 5 | -------------- 6 | I wrote this project back in 2011 when I was playing a bit with DLL Injections. 7 | The class is used to Inject DLL's into running process in Windows. 8 | 9 | There are 4 files in this project 10 | - CDLL_Loader.cpp 11 | - CDLL_Loader.h 12 | - String_Conversion.cpp 13 | - String_Conversion.h 14 | 15 | CDLL_Loader has methods to Load and Eject DLL from running process. 16 | String Conversion is used to convert byte to string. 17 | 18 | 19 | Usage Example 20 | -------------- 21 | CDLL_Loader loader; 22 | DWORD Pid = loader.GetProcessIdByName("cmd.exe"); 23 | 24 | std::cout << "Cmd.exe PID: " << Pid << std::endl; 25 | 26 | if (loader.InitDLL(Pid, "c://someDllFile.dll") == INIT_OK) { 27 | std::cout << "DLL Injected Succesfully!" << std::endl; 28 | } 29 | -------------------------------------------------------------------------------- /publish/CDriver_Loader/README.md: -------------------------------------------------------------------------------- 1 | Driver Loader / Injection / Rootkit in C++ for Windows 2 | ============== 3 | 4 | Intro 5 | -------------- 6 | I wrote this project back in 2011 when I was playing a bit with Injections. 7 | The class is used to Inject Drivers's / Rootkits into Windows Kernel. 8 | 9 | CDriver_Loader has methods to Load and Eject from the Windows Kernel. 10 | 11 | 12 | Usage 13 | --------------- 14 | CDriver_Loader* driver; 15 | try 16 | { 17 | driver = new CDriver_Loader(); 18 | driver->InitSvc(L"c://rootkit.sys", L"driver", L"driver", SERVICE_DEMAND_START); 19 | cout << "Driver Loaded!" << endl; 20 | 21 | driver->CreateSvc(); 22 | cout << "Driver Created!" << endl; 23 | driver->StartSvc(); 24 | cout << "Driver Started!" << endl; 25 | 26 | cout << "Press any key to unload driver..."; 27 | cin.get(); 28 | driver->UnloadSvc(); 29 | cout << "Driver unloaded!" << endl; 30 | } 31 | catch (std::exception &e) 32 | { 33 | cout << "Error:" << e.what() << endl; 34 | } 35 | 36 | delete driver; 37 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2016 wyrover 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /publish/CDriver_Loader/driver.h: -------------------------------------------------------------------------------- 1 | /* ========================================================= 2 | * Driver.cpp 3 | * ********************************************************* 4 | * 5 | * Class: CDriver_Loader 6 | * 7 | * Author: Dan Revah 8 | * 9 | * Date: 03/12/2011 (DD/MM/YYYY) 10 | * Version: 1.00 11 | * 12 | * (-!-) Kernel-mode driver loader 13 | * - Injecting into windows kernel 14 | * ======================================================== */ 15 | #ifndef _DRIVER_H_ 16 | #define _DRIVER_H_ 17 | 18 | #include 19 | #include 20 | 21 | #define SVC_OK 0x01 22 | 23 | /* ================================================ 24 | * Begin CDriver_Loader Class Definition 25 | * ================================================= */ 26 | class CDriver_Loader { 27 | public: 28 | // Constructors 29 | CDriver_Loader(); // Default constructor 30 | CDriver_Loader(LPTSTR, LPTSTR, LPTSTR, DWORD); // Initalzing 31 | 32 | // Destructor 33 | ~CDriver_Loader(); 34 | 35 | // Status functions 36 | inline bool isInit() const { return init; } 37 | inline bool isLoaded() const { return loaded; } 38 | inline bool isStarted() const { return started; } 39 | 40 | // Driver service functions 41 | DWORD InitSvc(LPTSTR filePath, LPTSTR serviceName, LPTSTR displayName, DWORD startType); // initalizing the driver service 42 | DWORD CreateSvc(); // Creating the driver service 43 | DWORD StartSvc(); // Starting the driver service 44 | DWORD StopSvc(); // Starting the driver service 45 | DWORD UnloadSvc(); // Unload the driver service 46 | 47 | private: 48 | 49 | LPTSTR mFilePath; //driver file path 50 | LPTSTR mServiceName; //service name 51 | LPTSTR mDisplayName; //dos service name 52 | 53 | DWORD mStartType; //start type 54 | 55 | SC_HANDLE mService; //service's handle 56 | 57 | // Status variables 58 | bool init; 59 | bool loaded; 60 | bool started; 61 | }; 62 | 63 | #endif 64 | -------------------------------------------------------------------------------- /src/pe2array/main.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | FILE *Encrypt(char *input, char *output, char *array, char *key) 5 | { 6 | FILE *result; 7 | FILE *result2; 8 | signed int v5 = 0; 9 | int v7; 10 | fopen_s(&result, input, "rb"); 11 | fopen_s(&result2, (const char *)output, "w"); 12 | fprintf(result2, "//const\nunsigned char %s[] = {", array); 13 | srand(atoi(key)); 14 | 15 | while (1) { 16 | v7 = getc(result); 17 | 18 | if (v7 == -1) 19 | break; 20 | 21 | if (v5) 22 | fprintf(result2, ", "); 23 | 24 | if (!(v5 % 16)) 25 | fprintf(result2, "\n\t"); 26 | 27 | v7 = v7 ^ atoi(key); 28 | srand(atoi(key)); 29 | fprintf(result2, "0x%.2X", (unsigned __int8)(BYTE)v7); 30 | ++v5; 31 | } 32 | 33 | fprintf(result2, "\n};\n"); 34 | fclose(result); 35 | fclose(result2); 36 | return result2; 37 | } 38 | ////////////////////////////////////////////////////////////////////////// 39 | int main(int argc, char** argv) 40 | { 41 | //system("cls"); 42 | printf("[+] EncryptFile V2.0.0 by Eric21 \n", argv[0]); 43 | printf("[+] www.eric21.com \n", argv[0]); 44 | 45 | if (argc < 2) { 46 | printf("[Usage]:\n"); 47 | printf("%s [input_file] [output_file] [array_name] [key]\n\n", argv[0]); 48 | printf("[Example]:\n"); 49 | printf("%s test.exe test.h 0x12\n", argv[0]); 50 | printf("%s test.exe test.h test 0x12\n", argv[0]); 51 | exit(-1); 52 | } else { 53 | //argv[3] = (int)"filedata"; 54 | printf("[*] [input_file]: %s\n", argv[1]); 55 | printf("[*] [output_file]: %s\n", argv[2]); 56 | printf("[*] [array_name]: %s\n", argv[3]); 57 | printf("[*] [key]: %s\n", argv[4]); 58 | printf("\n"); 59 | 60 | if (Encrypt(argv[1], argv[2], argv[3], argv[4])) 61 | printf("[+] EncryptFile(); Successfully! ^_^\n"); 62 | else 63 | printf("[-] EncryptFile(); Failed.\n"); 64 | } 65 | 66 | return 0; 67 | } 68 | -------------------------------------------------------------------------------- /publish/CDLL_Loader/DLL_Loader.h: -------------------------------------------------------------------------------- 1 | /* ========================================================= 2 | * DLL_Loader.h 3 | * ********************************************************* 4 | * 5 | * Class: CDLL_Loader 6 | * 7 | * Author: Dan Revah 8 | * 9 | * Date: 25/11/2011 (DD/MM/YYYY) 10 | * 11 | * (-!-) User-mode root (DLL Hooking) 12 | * ======================================================= */ 13 | #ifndef _DLL_LOADER_H_ 14 | #define _DLL_LOADER_H_ 15 | 16 | #include 17 | #include 18 | #include "String_Convertion.h" 19 | 20 | enum DLL_Results { NOT_INIT, INIT_OK, PROCESS_ERROR_OPEN, PROCESS_ERRORR_VALLOC, PROCESS_ERROR_WRITE, PROCESS_ERROR_CREATE_RTHREAD, DLLINJECT_OK, 21 | PROCESS_SET_OK, PROCESS_ERROR_SNAPSHOT, PROCESS_ERROR_NOTFOUND, DLL_ALREADY_INJECTED, DLLEJECT_OK, DLLEJECT_FAIL }; 22 | 23 | /* ================================================ 24 | * Begin CDLL_Loader Class Definition 25 | * ================================================= */ 26 | class CDLL_Loader { 27 | public: 28 | // Constructors 29 | CDLL_Loader(); // default consturctor 30 | CDLL_Loader(DWORD Pid, char* DllPath); // initializing constructor 31 | 32 | // Destructor 33 | ~CDLL_Loader(); 34 | 35 | // Status functions 36 | inline bool isInit() const { return init; } 37 | inline bool isInjected() const { return injected; } 38 | 39 | inline void SetProcessId(DWORD Pid) { ProcessID = Pid; }; // Set process id 40 | 41 | DWORD GetProcessIdByName(char* process_name); // Get process id by name 42 | 43 | DLL_Results InitDLL(DWORD Pid, char* DllPath); // Initilazing the DLL 44 | DLL_Results InjectDll(); // Injecting the dll into the process 45 | DLL_Results EjectDll(); // Ejecting the dll from the process 46 | 47 | private: 48 | DWORD ThreadTeminationStatus; // the handle to the of the newly loaded dll 49 | DWORD ProcessID; // the process id 50 | char* DllFilePath; // the dll path 51 | 52 | // Status variables 53 | bool injected; 54 | bool init; 55 | }; 56 | 57 | #endif 58 | -------------------------------------------------------------------------------- /bin/study_lua_bridge.lua: -------------------------------------------------------------------------------- 1 | -- 2 | --test Namespaces 3 | -- 4 | --print(test,test.detail,test.utility) 5 | 6 | 7 | -- 8 | --test Data, Properties, Functions, and CFunctions 9 | -- 10 | --[[ 11 | test.var1 = 5 -- okay 12 | --test.var2 = 6 -- error: var2 is not writable 13 | --test.prop1 = "Hello" -- okay 14 | --test.prop1 = 68 -- okay, Lua converts the number to a string. 15 | --test.prop2 = "bar" -- error: prop2 is not writable 16 | test.foo() -- calls foo and discards the return value 17 | test.var1 = test.foo () -- calls foo and stores the result in var1 18 | test.bar ("Employee") -- calls bar with a string 19 | --test.bar (test) -- error: bar expects a string not a table 20 | --]] 21 | 22 | 23 | -- 24 | --test Class Objects 25 | -- 26 | local AClassObj = test.A () --create class A instance 27 | 28 | print("before:",test.A.staticData) -- access class A static member 29 | test.A.staticData = 8 -- modify class A static member 30 | print("after:",test.A.staticData) 31 | 32 | print("before:", test.A.getStaticProperty()) 33 | --test.A.staticProperty = 1.2 --error:can not modify 34 | 35 | print("staticCFunc") 36 | test.A.staticCFunc() --Call the static method 37 | 38 | AClassObj.data = "sting" 39 | print("dataMember:",AClassObj.data) 40 | 41 | AClassObj.prop = 'a' 42 | print("property:",AClassObj.prop) 43 | 44 | AClassObj:func1() --Notice: NO AClassObj.func1() 45 | --test.A.func1(AClassObj) -- Equivalent to AClassObj:func1() 46 | 47 | AClassObj:virtualFunc() 48 | 49 | AClassObj:cfunc("lua_State*",42) 50 | 51 | BClassObj = test.B("constructor register",42) --First Call base class A constructor function 52 | 53 | BClassObj:func1() 54 | 55 | BClassObj:func2() 56 | 57 | BClassObj:virtualFunc() --virtualFunc In Class B 58 | 59 | print("dataMember1",a.data1) 60 | a.data1 = 32 61 | print("a dataMember1",a.data1) 62 | 63 | print("pointer ac dataMember1",ac.data1) 64 | --ac.data1 = 32 --error: because ac is registed as const 65 | 66 | print("pointer ac2 dataMember1",ac.data1) 67 | --ac2.data1 = 32 --error: because ac2 is registed as const 68 | 69 | --ap.data1 = 42 70 | --print("ap dataMember1",ap.data1) 71 | 72 | a = nil; collectgarbage () -- 'a' still exists in C++. 73 | b = nil; collectgarbage () -- Lua calls ~B() on the copy of b. -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # win-sys 2 | 3 | 驱动开发工程模板及工具包 4 | 5 | 6 | 1. src\driver-loader 驱动加载命令行 7 | 2. src\pe2array PE 文件转字节数组并加密，保存为头文件方便其他工程引用 8 | 3. https://github.com/eric21/MemPE 9 | 3. https://github.com/fancycode/MemoryModule 10 | 4. https://github.com/wyrover/unHooker 11 | 5. https://github.com/eric21/ssdt.Recover.21yu3 12 | 6. https://github.com/wessamza/R3R-BASE Ring3 rootkits - Base 13 | 7. https://github.com/wessamza/DpcCap 14 | 8. https://github.com/aaaddress1/HellKitty-In-VC Ring3 Rootkit Backdoor. 15 | 9. https://github.com/aaaddress1/ReflectiveDLLInjection 64 位注入 16 | 10. https://github.com/aaaddress1/APCInjector-BYPASS-AV 17 | 11. https://github.com/aaaddress1/Virus-Patten-API-Call 18 | 12. https://github.com/aaaddress1/Dad-sRoot hook 指定进程 API 19 | 13. https://github.com/aaaddress1/WinHTTP-Request-Hijacking-In-CSharp 20 | 14. https://github.com/aaaddress1/Dev-C-Homework/tree/master/Attack-KMPlayer_1440 21 | 15. https://github.com/aaaddress1/QACInjector-In-CBuilder 22 | 16. https://github.com/aaaddress1/HTTPs-WebClient-In-CBuilder 23 | 17. https://github.com/s18leoare/Hackshield-Driver-Bypass 24 | 18. https://github.com/redcodes/GameHack 25 | 19. https://github.com/redcodes/DevToolkit 26 | 20. https://github.com/redcodes/gh0st 27 | 21. https://github.com/sincoder/A-Protect 28 | 22. https://github.com/sincoder/hidedir 使用SSDT HOOK 在windows上隐藏指定文件或者文件夹 29 | 23. https://github.com/awendemo/SSDT-Hook 30 | 24. https://github.com/martinb3/windows_driver_model_tutorial 教程 31 | 25. https://github.com/Joshf2k/RegistryMonitor 32 | 26. https://github.com/wyrover/HKkernelDbg 33 | 27. https://github.com/hfiref0x/DSEFix Windows x64 Driver Signature Enforcement Overrider 34 | 28. https://github.com/hfiref0x/WinObjEx64 35 | 29. https://github.com/hfiref0x/TDL Driver loader for bypassing Windows x64 Driver Signature Enforcement 36 | 30. https://github.com/hfiref0x/ZeroAccess 37 | 31. https://github.com/hfiref0x/VBoxHardenedLoader 38 | 32. https://github.com/hfiref0x/LightFTP 39 | 33. https://github.com/hfiref0x/CVE-2015-1701 40 | 34. https://github.com/nikkov/Win-Widget 41 | 35. https://github.com/daynix/UsbDk 42 | 36. https://github.com/daynix/kvm-guest-drivers-windows 驱动编程批处理 43 | 37. https://github.com/Nextzero/WindowsDriver 教程 44 | 38. https://github.com/guidoreina/classes 45 | 39. https://github.com/guidoreina/password_generator 46 | 40. https://github.com/guidoreina/bplus-tree B+ 树 47 | 41. https://github.com/uri247/wdk81 48 | 42. https://github.com/gpoulios/ROPInjector shellcode 49 | 43. https://github.com/wyrover/rootkit.com 50 | 44. https://github.com/b3mb4m/shellsploit-framework shellcode 51 | 45. https://github.com/ambray/Ntfs 52 | 46. https://github.com/strozfriedberg/ntfs-linker 53 | 47. https://github.com/tfairane/ReverseEngineering 54 | 48. https://github.com/tfairane/DKOM 55 | 49. https://github.com/tfairane/DetourAPIMonitor 56 | 50. https://github.com/ThomasThelen/AntiDebugging 57 | 51. https://github.com/scalys7/Vulnerable-Driver 58 | 52. https://github.com/ThomasThelen/DumpHeapMemory 59 | 53. https://github.com/scalys7/Privilege-Escalation-Framework/tree/master/Privilege%20Escalation%20Framework 60 | 54. https://github.com/scalys7/Windows-Kernel-Research 61 | 55. https://github.com/scalys7/Postion-Indipendent-Code-Framework 62 | 56. https://github.com/hfiref0x/ZeroAccess rootkit 63 | 57. https://github.com/XiphosResearch/exploits 64 | 58. https://github.com/MalwareTech/CreateDesktop 65 | 59. https://github.com/MalwareTech/AppContainerSandbox 66 | 60. https://github.com/MalwareTech/FstHook 67 | 61. https://github.com/MalwareTech/BasicHook 68 | 62. https://github.com/MalwareTech/ZombifyProcess 69 | 63. https://github.com/MalwareTech/UACElevator 70 | 64. https://github.com/mieleke/Win64-Rovnix-VBR-Bootkit 71 | 65. https://github.com/edix/LoadDll 72 | 66. https://github.com/edix/MalwareResourceScanner 73 | 67. https://github.com/edix/HiddenProcessDetection 74 | 68. https://github.com/benlinxy/CodeInjection 75 | 69. https://github.com/JonDoNym/peinjector 76 | 70. https://github.com/benlinxy/DllInjection_CreateRemoteThread 77 | 71. https://github.com/benlinxy/DllInjection_SetWindowsHookEx 78 | 72. https://github.com/tandasat/RemoteWriteMonitor 79 | 73. https://github.com/SekoiaLab/pe-tools 80 | 81 | 82 | 83 | ## 驱动安装 84 | 85 | wdk 提供了驱动安装工具，有三种 86 | 87 | - devcon.exe 88 | - difxcmd.exe 89 | - dpinst.exe 90 | 91 | 92 | - https://github.com/unicornx/osrusbfx2/blob/master/windows/drvinst/device-and-driver-installation.md 93 | - https://github.com/Quirkbot/QuirkbotWindowsDriverInstaller 94 | - https://github.com/Plasmenoid/snappy-driver-installer -------------------------------------------------------------------------------- /src/SimpleInjector-x64/main.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include 3 | #include 4 | 5 | HMODULE GetRemoteModuleHandleA(DWORD dwProcessId, const char* szModule) 6 | { 7 | HANDLE tlh = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId); 8 | MODULEENTRY32 modEntry; 9 | modEntry.dwSize = sizeof(MODULEENTRY32); 10 | Module32First(tlh, &modEntry); 11 | 12 | do { 13 | if (_stricmp(szModule, modEntry.szModule) == 0) { 14 | CloseHandle(tlh); 15 | return modEntry.hModule; 16 | } 17 | } while (Module32Next(tlh, &modEntry)); 18 | 19 | CloseHandle(tlh); 20 | return NULL; 21 | } 22 | 23 | DWORD GetProcessIdFromProcessName(const char* szProcessName) 24 | { 25 | HANDLE tlh = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL); 26 | PROCESSENTRY32 procEntry; 27 | procEntry.dwSize = sizeof(PROCESSENTRY32); 28 | Process32First(tlh, &procEntry); 29 | 30 | do { 31 | printf("proc: %s\n", procEntry.szExeFile); 32 | 33 | if (_stricmp(szProcessName, procEntry.szExeFile) == 0) { 34 | CloseHandle(tlh); 35 | return procEntry.th32ProcessID; 36 | } 37 | } while (Process32Next(tlh, &procEntry)); 38 | 39 | CloseHandle(tlh); 40 | return GetCurrentProcessId(); 41 | } 42 | 43 | int main(int argc, char* argv[]) 44 | { 45 | DWORD dwProcessId = GetCurrentProcessId(); 46 | char szProcessName[256] = {0}; 47 | char szModuleName[MAX_PATH] = {0}; 48 | 49 | for (int i = 1; i < argc; i++) { 50 | if (_stricmp(argv[i], "-pid") == 0 && i < (argc - 1)) { 51 | dwProcessId = atoi(argv[i + 1]); 52 | } 53 | 54 | if (_stricmp(argv[i], "-name") == 0 && i < (argc - 1)) { 55 | strcpy_s(szProcessName, argv[i + 1]); 56 | } 57 | 58 | if (_stricmp(argv[i], "-dll") == 0 && i < (argc - 1)) { 59 | strcpy_s(szModuleName, argv[i + 1]); 60 | } 61 | } 62 | 63 | if (strlen(szModuleName) == 0) { 64 | printf("Module name is required...\n"); 65 | return 0; 66 | } 67 | 68 | if (strlen(szProcessName) == 0 && dwProcessId == GetCurrentProcessId()) { 69 | printf("Invalid parameters!\n"); 70 | return 0; 71 | } 72 | 73 | if (strlen(szProcessName) > 0) { 74 | if (dwProcessId == GetCurrentProcessId()) { // Only change the processid if it's not already set 75 | dwProcessId = GetProcessIdFromProcessName(szProcessName); 76 | 77 | if (dwProcessId == GetCurrentProcessId()) { 78 | printf("Failed to obtain process \"%s\"...\n", szProcessName); 79 | return 0; 80 | } 81 | } 82 | } 83 | 84 | HMODULE hKernel = LoadLibraryA("kernel32.dll"); 85 | DWORD64 dwLoadLibraryA = (DWORD64) GetProcAddress(hKernel, "LoadLibraryA") - (DWORD64) hKernel; 86 | printf("kernel32.dll: %016llX\n", hKernel); 87 | printf("LoadLibraryA: %016llX\n", dwLoadLibraryA); 88 | printf("Module Name: %s\n", szModuleName); 89 | char szCurrentModulePath[MAX_PATH] = {0}; 90 | GetModuleFileNameA(GetModuleHandle(NULL), szCurrentModulePath, MAX_PATH); 91 | 92 | for (size_t i = strlen(szCurrentModulePath); i > 0; i--) { 93 | if (szCurrentModulePath[ i ] == '\\') { 94 | szCurrentModulePath[ i + 1 ] = 0; 95 | break; 96 | } 97 | } 98 | 99 | strcat_s(szCurrentModulePath, szModuleName); 100 | printf("Full Path: %s\n", szCurrentModulePath); 101 | DWORD dwFileAttributes = GetFileAttributesA(szCurrentModulePath); 102 | 103 | if (dwFileAttributes == INVALID_FILE_ATTRIBUTES && GetLastError() == ERROR_FILE_NOT_FOUND) { 104 | printf("File not found...\n"); 105 | return 0; 106 | } 107 | 108 | printf("Injecting: %s\n", szCurrentModulePath); 109 | HMODULE hRemoteKernel = GetRemoteModuleHandleA(dwProcessId, "kernel32.dll"); 110 | 111 | if (hRemoteKernel == NULL) { 112 | printf("Failed to locate kernel32 in remote process...\n"); 113 | return 0; 114 | } 115 | 116 | printf("kernel32 (remote): 0x%016llX\n", hRemoteKernel); 117 | HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId); 118 | 119 | if (hProcess == INVALID_HANDLE_VALUE) { 120 | printf("Failed to locate remote process...\n"); 121 | return 0; 122 | } 123 | 124 | LPVOID lpModuleName = VirtualAllocEx(hProcess, NULL, strlen(szCurrentModulePath) + 1, MEM_COMMIT, PAGE_EXECUTE_READWRITE); 125 | 126 | if (lpModuleName == NULL) { 127 | printf("Failed to allocate module name in remote process...\n"); 128 | return 0; 129 | } 130 | 131 | if (WriteProcessMemory(hProcess, lpModuleName, szCurrentModulePath, strlen(szCurrentModulePath), NULL) == FALSE) { 132 | printf("Failed to write module name in remote process...\n"); 133 | return 0; 134 | } 135 | 136 | DWORD64 dwRemoteLoadLibraryAddress = ((DWORD64)hRemoteKernel + dwLoadLibraryA); 137 | printf("LoadLibraryA (remote): %016llX\n", dwRemoteLoadLibraryAddress); 138 | HANDLE hThread = CreateRemoteThread(hProcess, 0, 0, (LPTHREAD_START_ROUTINE) dwRemoteLoadLibraryAddress, lpModuleName, 0, 0); 139 | printf("Injecting... "); 140 | WaitForSingleObject(hThread, INFINITE); 141 | printf("Injected!\n"); 142 | return 0; 143 | } -------------------------------------------------------------------------------- /publish/CDLL_Loader/DLL_Loader.cpp: -------------------------------------------------------------------------------- 1 | /* ========================================================= 2 | * DLL_Loader.h 3 | * ********************************************************* 4 | * 5 | * Class: CDLL_Loader 6 | * 7 | * Author: Dan Revah 8 | * 9 | * Date: 25/11/2011 (DD/MM/YYYY) 10 | * 11 | * (-!-) User-mode root (DLL Hooking) 12 | * ======================================================= */ 13 | #include "DLL_Loader.h" 14 | #include 15 | 16 | /* =========================================================== 17 | * CDLL_Loader::CDLL_Loader() 18 | * 19 | * (*) Default constructor 20 | */ 21 | CDLL_Loader::CDLL_Loader(): 22 | ProcessID(0), DllFilePath(0), init(false), injected(false) 23 | { 24 | } 25 | 26 | /* =========================================================== 27 | * CDLL_Loader::CDLL_Loader(DWORD Pid, char* DllPath) 28 | * 29 | * (*) Initializing constructor 30 | * Parameters: 31 | * Pid - Process ID to inject 32 | * DllPath - The Dll path that you use to inject 33 | */ 34 | CDLL_Loader::CDLL_Loader(DWORD Pid, char* DllPath): 35 | ProcessID(Pid), DllFilePath(DllPath), init(true), injected(false) 36 | { 37 | } 38 | 39 | /* ==================================== 40 | * CDLL_Loader::~CDLL_Loader() 41 | * 42 | * (*) Destructor 43 | */ 44 | CDLL_Loader::~CDLL_Loader() 45 | { 46 | //EjectDll(); 47 | 48 | ProcessID = 0; 49 | DllFilePath = 0; 50 | 51 | init = false; 52 | injected = false; 53 | } 54 | 55 | /* =========================================================== 56 | * DLL_Results CDLL_Loader::InitDLL(DWORD Pid, char* DllPath) 57 | * 58 | * Parameters: 59 | * Pid - Process ID to inject 60 | * DllPath - The Dll path that you use to inject 61 | */ 62 | DLL_Results CDLL_Loader::InitDLL(DWORD Pid, char* DllPath) 63 | { 64 | if (isInit()) 65 | return INIT_OK; 66 | 67 | ProcessID = Pid; 68 | DllFilePath = DllPath; 69 | 70 | init = true; 71 | injected = false; 72 | 73 | return INIT_OK; 74 | } 75 | 76 | /* =========================================================== 77 | * DWORD CDLL_Loader::GetProcessIdByName(char* process_name) 78 | * 79 | * Return Value 80 | * If the function succeeds, it returns the Process ID 81 | * If the function fails, it will return NULL 82 | */ 83 | DWORD CDLL_Loader::GetProcessIdByName(char* process_name) 84 | { 85 | HANDLE hProcess; 86 | PROCESSENTRY32 ProcessEntry = {0}; 87 | ProcessEntry.dwSize = sizeof(PROCESSENTRY32); 88 | 89 | hProcess = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 90 | if (hProcess == INVALID_HANDLE_VALUE) 91 | return NULL; 92 | 93 | if (Process32First(hProcess, &ProcessEntry) != FALSE) 94 | { 95 | do { 96 | if (strcmp(process_name, String_Convertion::WStringToString(ProcessEntry.szExeFile).c_str() ) == 0) 97 | { 98 | return ProcessEntry.th32ProcessID; 99 | } 100 | } while (Process32Next(hProcess, &ProcessEntry) != FALSE); 101 | 102 | } 103 | 104 | CloseHandle(hProcess); 105 | return NULL; 106 | } 107 | 108 | /* =========================================================== 109 | * DLL_Results CDLL_Loader::InjectDll() 110 | * 111 | * Injecting the dll into the process 112 | * Return Values: 113 | * If the function succeeds, it returns the value DLLINJECT_OK 114 | * If the function fails: 115 | * NOT_INIT - Not initliazed 116 | * DLL_ALREADY_INJECTED - The dll was already injected 117 | * PROCESS_ERROR_OPEN - Unable to open process ID 118 | * PROCESS_ERRORR_VALLOC - Unable to virtual alloc 119 | * PROCESS_ERROR_WRITE - Unable to write process memory 120 | * PROCESS_ERROR_CREATE_RTHREAD - Unable to create remote thread 121 | */ 122 | 123 | DLL_Results CDLL_Loader::InjectDll() 124 | { 125 | LPVOID VirtualMem; 126 | HANDLE hProcess, hRemoteThread; 127 | HMODULE hModule; 128 | 129 | if (!isInit()) 130 | return NOT_INIT; 131 | 132 | if (isInjected()) 133 | return DLL_ALREADY_INJECTED; 134 | 135 | hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID); 136 | std::cout << "Last Error: " << GetLastError() << std::endl; 137 | if (hProcess == NULL) 138 | return PROCESS_ERROR_OPEN; 139 | 140 | VirtualMem = VirtualAllocEx (hProcess, NULL, strlen(DllFilePath), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); 141 | if (VirtualMem == NULL) 142 | return PROCESS_ERRORR_VALLOC; 143 | 144 | if (WriteProcessMemory(hProcess, (LPVOID)VirtualMem, DllFilePath, strlen(DllFilePath), NULL) == 0) 145 | { 146 | VirtualFreeEx(hProcess, NULL, (size_t)strlen(DllFilePath), MEM_RESERVE|MEM_COMMIT); 147 | CloseHandle(hProcess); 148 | return PROCESS_ERROR_WRITE; 149 | } 150 | 151 | hModule = GetModuleHandle(L"kernel32.dll"); 152 | hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, 153 | (LPTHREAD_START_ROUTINE)GetProcAddress(hModule, "LoadLibraryA"), 154 | (LPVOID)VirtualMem, 0, NULL); 155 | 156 | if (hRemoteThread == NULL) 157 | { 158 | FreeLibrary(hModule); 159 | VirtualFreeEx(hProcess, NULL, (size_t)strlen(DllFilePath), MEM_RESERVE | MEM_COMMIT); 160 | CloseHandle(hProcess); 161 | return PROCESS_ERROR_CREATE_RTHREAD; 162 | } 163 | 164 | WaitForSingleObject(hRemoteThread, INFINITE); 165 | GetExitCodeThread(hRemoteThread, &ThreadTeminationStatus); 166 | FreeLibrary(hModule); 167 | 168 | VirtualFreeEx(hProcess, NULL, (size_t)strlen(DllFilePath), MEM_RESERVE | MEM_COMMIT); 169 | CloseHandle(hRemoteThread); 170 | CloseHandle(hProcess); 171 | injected = true; 172 | return DLLINJECT_OK; 173 | } 174 | 175 | /* =========================================================== 176 | * DLL_Results CDLL_Loader::EjectDll() 177 | * 178 | * Ejecting the dll from the process 179 | * Return Values: 180 | * If the function succeeds, it returns the value DLLEJECT_OK 181 | * If the function fails: 182 | * PROCESS_ERROR_OPEN - Unable to open process ID 183 | */ 184 | DLL_Results CDLL_Loader::EjectDll() 185 | { 186 | HANDLE hProcess, hRemoteThread; 187 | HMODULE hModule; 188 | 189 | if (isInjected()) 190 | return DLLEJECT_OK; 191 | 192 | hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID); 193 | if (hProcess == NULL) 194 | return PROCESS_ERROR_OPEN; 195 | 196 | hModule = GetModuleHandle(L"kernel32.dll"); 197 | hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, 198 | (LPTHREAD_START_ROUTINE)GetProcAddress(hModule, "FreeLibrary"), 199 | (LPVOID)ThreadTeminationStatus, 0, NULL); 200 | 201 | if (hRemoteThread != NULL) 202 | { 203 | WaitForSingleObject(hRemoteThread, INFINITE); 204 | GetExitCodeThread(hRemoteThread, &ThreadTeminationStatus); 205 | } 206 | 207 | CloseHandle(hRemoteThread); 208 | CloseHandle(hProcess); 209 | injected = false; 210 | return DLLEJECT_OK; 211 | } 212 | -------------------------------------------------------------------------------- /publish/CDriver_Loader/driver.cpp: -------------------------------------------------------------------------------- 1 | /* ========================================================= 2 | * Driver.cpp 3 | * ********************************************************* 4 | * 5 | * Class: CDriver_Loader 6 | * 7 | * Author: Dan Revah 8 | * 9 | * Date: 03/12/2011 (DD/MM/YYYY) 10 | * Version: 1.00 11 | * 12 | * (-!-) Kernel-mode driver loader 13 | * - Injecting into windows kernel 14 | * ======================================================== */ 15 | 16 | #include "driver.h" 17 | 18 | /* =========================================================== 19 | * CDriver_Loader::CDriver_Loader() 20 | * 21 | * (*) Default Constructor 22 | */ 23 | CDriver_Loader::CDriver_Loader(): 24 | init(false), loaded(false), started(false), mFilePath(NULL), mServiceName(NULL), 25 | mDisplayName(NULL), mStartType(0), mService(NULL) 26 | { 27 | } 28 | 29 | /* ========================================================================================================== 30 | * CDriver_Loader::CDriver_Loader(LPTSTR filePath, LPTSTR serviceName, LPTSTR displayName, DWORD startType) 31 | * 32 | * (*) Initializing constructor 33 | */ 34 | CDriver_Loader::CDriver_Loader(LPTSTR filePath, LPTSTR serviceName, LPTSTR displayName, DWORD startType): 35 | init(true), loaded(false), started(false), mFilePath(filePath), mServiceName(serviceName), 36 | mDisplayName(displayName), mStartType(startType), mService(NULL) 37 | { 38 | } 39 | 40 | /* ==================================== 41 | * CDriver_Loader::~CDriver_Loader() 42 | * 43 | * (*) Destructor 44 | */ 45 | CDriver_Loader::~CDriver_Loader() 46 | { 47 | UnloadSvc(); 48 | 49 | mFilePath = NULL; 50 | mServiceName = NULL; 51 | mDisplayName = NULL; 52 | 53 | mStartType = 0; 54 | 55 | mService = NULL; 56 | 57 | init = false; 58 | loaded = false; 59 | started = false; 60 | 61 | } 62 | 63 | /* =========================================================== 64 | * DWORD CDriver_Loader::CreateSvc() 65 | * 66 | * - Creating the driver service 67 | * Return Value 68 | * If the function succeeds, the return value is SVC_OK 69 | * If the function failed it will throw a exception 70 | */ 71 | DWORD CDriver_Loader::CreateSvc() 72 | { 73 | SC_HANDLE hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE); 74 | 75 | if (hSCManager == NULL) 76 | throw std::exception("OpenSCManager Failed with error code: "+GetLastError()); 77 | 78 | mService = CreateService(hSCManager, mServiceName, mDisplayName, SC_MANAGER_ALL_ACCESS, 79 | SERVICE_KERNEL_DRIVER, mStartType, SERVICE_ERROR_NORMAL, mFilePath, NULL, NULL, NULL, NULL, NULL ); 80 | 81 | if (mService == NULL) 82 | { 83 | mService = OpenService(hSCManager, mServiceName, SERVICE_ALL_ACCESS); 84 | 85 | if (mService == NULL) 86 | { 87 | CloseServiceHandle(hSCManager); 88 | throw std::exception("CreateService Failed with error code: "+GetLastError()); 89 | } 90 | } 91 | 92 | loaded = true; 93 | CloseServiceHandle(hSCManager); 94 | 95 | return SVC_OK; 96 | } 97 | 98 | 99 | /* ============================================================================================================ 100 | * DWORD CDriver_Loader::InitSvc(LPTSTR filePath, LPTSTR serviceName, LPTSTR displayName, DWORD startType) 101 | * 102 | * - Initilazing the service parameters 103 | * 104 | * Parameters: 105 | * filePath - The fully-qualified path to the service binary file 106 | * serviceName - The service name 107 | * displayName - The dos-service name 108 | * startType - The service start options 109 | * 110 | * Return Value 111 | * If the function succeeds or already initialzed, the return value is SV_OK 112 | */ 113 | DWORD CDriver_Loader::InitSvc(LPTSTR filePath, LPTSTR serviceName, LPTSTR displayName, DWORD startType) 114 | { 115 | if (isInit()) 116 | return SVC_OK; 117 | 118 | mFilePath = filePath; 119 | mServiceName = serviceName; 120 | mDisplayName = displayName; 121 | mStartType = startType; 122 | 123 | mService = NULL; 124 | 125 | init = true; 126 | loaded = false; 127 | started = false; 128 | 129 | return SVC_OK; 130 | } 131 | 132 | /* ============================================================== 133 | * SVC_Result CDriver_Loader::StartSvc() 134 | * 135 | * - Initilazing the service parameters 136 | * 137 | * Return Value 138 | * If the function succeeds, the return value is SVC_OK 139 | * If the function failed it will throw a exception 140 | */ 141 | DWORD CDriver_Loader::StartSvc() 142 | { 143 | if (!isLoaded()) 144 | throw std::exception("Service is not loaded"); 145 | 146 | if (isStarted()) 147 | return SVC_OK; 148 | 149 | SC_HANDLE hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE); 150 | 151 | if (hSCManager == NULL) 152 | throw std::exception("OpenSCManager Failed with error code: "+GetLastError()); 153 | 154 | mService = OpenService(hSCManager, mServiceName, SERVICE_ALL_ACCESS); 155 | 156 | if (mService == NULL) 157 | { 158 | CloseServiceHandle(hSCManager); 159 | throw std::exception("OpenService Failed with error code: "+GetLastError()); 160 | } 161 | 162 | if (StartService(mService,0,NULL)== NULL) 163 | { 164 | CloseServiceHandle(hSCManager); 165 | CloseServiceHandle(mService); 166 | throw std::exception("StartService Failed with error code: "+GetLastError()); 167 | } 168 | 169 | CloseServiceHandle(hSCManager); 170 | started = true; 171 | 172 | return SVC_OK; 173 | } 174 | 175 | /* ============================================================== 176 | * DWORD CDriver_Loader::StopSvc() 177 | * 178 | * - Initilazing the service parameters 179 | * 180 | * Return Value 181 | * If the function succeeds, the return value is SVC_OK 182 | * If the function failed it will throw a exception 183 | */ 184 | DWORD CDriver_Loader::StopSvc() 185 | { 186 | SERVICE_STATUS ss; 187 | 188 | if (!isStarted()) 189 | return SVC_OK; 190 | 191 | SC_HANDLE hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE); 192 | 193 | if (hSCManager == NULL) 194 | throw std::exception("OpenSCManager Failed with error code: "+GetLastError()); 195 | 196 | mService = OpenService(hSCManager, mServiceName, SERVICE_ALL_ACCESS); 197 | 198 | if (mService == NULL) 199 | { 200 | CloseServiceHandle(hSCManager); 201 | throw std::exception("OpenService Failed with error code: "+GetLastError()); 202 | } 203 | 204 | if (ControlService(mService,SERVICE_CONTROL_STOP,&ss)== NULL) 205 | { 206 | CloseServiceHandle(hSCManager); 207 | CloseServiceHandle(mService); 208 | throw std::exception("ControlService Failed with error code: "+GetLastError()); 209 | } 210 | 211 | CloseServiceHandle(hSCManager); 212 | CloseServiceHandle(mService); 213 | started = false; 214 | 215 | return SVC_OK; 216 | } 217 | 218 | /* ============================================================== 219 | * DWORD CDriver_Loader::UnloadSvc() 220 | * 221 | * - Unloading the service 222 | * 223 | * Return Value 224 | * If the function succeeds, the return value is SVC_OK 225 | * If the function failed it will throw a exception 226 | */ 227 | DWORD CDriver_Loader::UnloadSvc() 228 | { 229 | if (!isLoaded()) 230 | return SVC_OK; 231 | 232 | if (isStarted()) 233 | { 234 | if (StopSvc() != SVC_OK) 235 | throw std::exception("Unloading driver Failed with error code: "+GetLastError()); 236 | } 237 | 238 | SC_HANDLE hSCManager = OpenSCManager(NULL,NULL,SC_MANAGER_CREATE_SERVICE); 239 | 240 | if (hSCManager == NULL) 241 | throw std::exception("OpenSCManager Failed with error code: "+GetLastError()); 242 | 243 | mService = OpenService(hSCManager, mServiceName, SERVICE_ALL_ACCESS); 244 | 245 | if (mService == NULL) 246 | { 247 | CloseServiceHandle(hSCManager); 248 | throw std::exception("OpenService Failed with error code: "+GetLastError()); 249 | } 250 | 251 | DeleteService(mService); 252 | CloseServiceHandle(hSCManager); 253 | 254 | loaded = false; 255 | 256 | return SVC_OK; 257 | } 258 | -------------------------------------------------------------------------------- /src/driver-loader/main.cpp: -------------------------------------------------------------------------------- 1 | 2 | #ifndef _WIN32_WINNT // Specifies that the minimum required platform is Windows Vista. 3 | #define _WIN32_WINNT 0x0600 // Change this to the appropriate value to target other versions of Windows. 4 | #endif 5 | 6 | #define _CRT_SECURE_NO_WARNINGS 7 | 8 | #include 9 | #include 10 | #include 11 | 12 | #define Cleanup(x, y, z) {x = y; goto z;} 13 | #define FLUSH fflush(stdin); 14 | #define DRIVER_LOADED 0x00000001 15 | #define DRIVER_STARTED 0x00000002 16 | #define DRIVER_STOPPED 0x00000003 17 | #define DRIVER_UNLOADED 0x00000004 18 | #define DRIVER_CANT_LOAD 0x00000010 19 | #define DRIVER_CANT_START 0x00000020 20 | #define DRIVER_CANT_STOP 0x00000030 21 | #define DRIVER_CANT_UNLOAD 0x00000040 22 | 23 | typedef struct { 24 | DWORD driverstatus; 25 | } DRIVER_LOADER, *PDRIVER_LOADER; 26 | 27 | int FileExists(const TCHAR *driverpath) 28 | { 29 | 30 | FILE *fExists = _wfopen(driverpath, L"r"); 31 | 32 | if (!fExists) 33 | return 0; 34 | 35 | fclose(fExists); 36 | return 1; 37 | } 38 | 39 | int myLoadDriver(const TCHAR *drivername, const TCHAR *driverpath) 40 | { 41 | SC_HANDLE hSCManager; 42 | SC_HANDLE hService; 43 | int ret = 1; 44 | 45 | if (!FileExists(driverpath)) { 46 | printf("FileExists failed\n"); 47 | Cleanup(ret, -1, c); 48 | } 49 | 50 | hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); 51 | 52 | if (!hSCManager) { 53 | printf("OpenSCManager failed\n"); 54 | Cleanup(ret, -2, c); 55 | } 56 | 57 | hService = CreateService( 58 | hSCManager, 59 | drivername, 60 | drivername, 61 | SERVICE_ALL_ACCESS, 62 | SERVICE_KERNEL_DRIVER, 63 | SERVICE_DEMAND_START,//SERVICE_DEMAND_START, 64 | SERVICE_ERROR_NORMAL, 65 | driverpath, 66 | NULL, 67 | NULL, 68 | NULL, 69 | NULL, 70 | NULL); 71 | 72 | if (!hService) { 73 | printf("CreateService failed\n"); 74 | Cleanup(ret, -3, c); 75 | } 76 | 77 | c: 78 | 79 | if (hService) CloseServiceHandle(hService); 80 | 81 | if (hSCManager) CloseServiceHandle(hSCManager); 82 | 83 | return ret; 84 | } 85 | 86 | int myStartDriver(wchar_t *drivername) 87 | { 88 | SC_HANDLE hSCManager; 89 | SC_HANDLE hService; 90 | int ret = 1; 91 | hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); 92 | 93 | if (!hSCManager) 94 | Cleanup(ret, -1, c); 95 | 96 | hService = OpenService(hSCManager, drivername, SERVICE_ALL_ACCESS); 97 | 98 | if (!hService) 99 | Cleanup(ret, -2, c); 100 | 101 | if (!StartService(hService, 0, NULL)) 102 | Cleanup(ret, -3, c); 103 | 104 | c: 105 | 106 | if (hService) CloseServiceHandle(hService); 107 | 108 | if (hSCManager) CloseServiceHandle(hSCManager); 109 | 110 | return ret; 111 | } 112 | 113 | int myStopDriver(wchar_t* drivername) 114 | { 115 | SC_HANDLE hSCManager; 116 | SC_HANDLE hService; 117 | SERVICE_STATUS ss; 118 | int ret = 1; 119 | hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); 120 | 121 | if (!hSCManager) { 122 | Cleanup(ret, -1, c); 123 | } 124 | 125 | hService = OpenService(hSCManager, drivername, SERVICE_ALL_ACCESS); 126 | 127 | if (!hService) { 128 | Cleanup(ret, -2, c); 129 | } 130 | 131 | if (!ControlService(hService, SERVICE_CONTROL_STOP, &ss)) { 132 | Cleanup(ret, -3, c); 133 | } 134 | 135 | c: 136 | 137 | if (hService) CloseServiceHandle(hService); 138 | 139 | if (hSCManager) CloseServiceHandle(hSCManager); 140 | 141 | return ret; 142 | } 143 | 144 | int myUnloadDriver(const wchar_t* drivername) 145 | { 146 | SC_HANDLE hSCManager; 147 | SC_HANDLE hService; 148 | SERVICE_STATUS ss; 149 | int ret = 1; 150 | hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); 151 | 152 | if (!hSCManager) 153 | Cleanup(ret, -1, c); 154 | 155 | hService = OpenService(hSCManager, drivername, SERVICE_ALL_ACCESS); 156 | 157 | if (!hService) 158 | Cleanup(ret, -2, c); 159 | 160 | // try to stop service first 161 | ControlService(hService, SERVICE_CONTROL_STOP, &ss); 162 | 163 | if (!DeleteService(hService)) 164 | Cleanup(ret, -4, c); 165 | 166 | c: 167 | 168 | if (hService) CloseServiceHandle(hService); 169 | 170 | if (hSCManager) CloseServiceHandle(hSCManager); 171 | 172 | return ret; 173 | } 174 | 175 | void funcLoadDriver(DRIVER_LOADER *dl) 176 | { 177 | wchar_t drivername[256 + 1]; 178 | wchar_t driverpath[256 + 1]; 179 | wchar_t selection; 180 | int err; 181 | 182 | for (; ;) { 183 | printf(" Enter driver's name\n - "); 184 | FLUSH; 185 | scanf("%256[^\n]", drivername); 186 | printf(" Enter driver's full path\n - "); 187 | FLUSH; 188 | scanf("%256[^\n]", driverpath); 189 | printf(" Confirm (Y - yes | N - no | B - back): "); 190 | FLUSH; 191 | scanf("%c", &selection); 192 | 193 | switch (selection) { 194 | case 'y': 195 | case 'Y': 196 | printf(" Performing : myLoadDriver\n"); 197 | err = myLoadDriver(drivername, driverpath); 198 | dl->driverstatus = DRIVER_LOADED; 199 | 200 | if (err != 1) { 201 | dl->driverstatus = DRIVER_CANT_LOAD; 202 | printf(" Error : myLoadDriver (%d)\n", err); 203 | printf(" GetLastError: (%d)\n", GetLastError()); 204 | return; 205 | } 206 | 207 | printf(" Success : myLoadDriver\n"); 208 | return; 209 | 210 | case 'n': 211 | case 'N': 212 | break; 213 | 214 | case 'b': 215 | case 'B': 216 | return; 217 | 218 | default: 219 | printf(" Wrong option selected, default to N\n"); 220 | break; 221 | } 222 | 223 | printf("\n"); 224 | } 225 | } 226 | 227 | void funcStartDriver(DRIVER_LOADER *dl) 228 | { 229 | wchar_t drivername[256 + 1]; 230 | wchar_t selection; 231 | int err; 232 | 233 | for (; ;) { 234 | printf(" Enter driver's name\n - "); 235 | FLUSH; 236 | scanf("%256[^\n]", drivername); 237 | printf(" Confirm (Y - yes | N - no | B - back): "); 238 | FLUSH; 239 | scanf("%c", &selection); 240 | 241 | switch (selection) { 242 | case 'y': 243 | case 'Y': 244 | printf(" Performing : myStartDriver\n"); 245 | err = myStartDriver(drivername); 246 | dl->driverstatus = DRIVER_STARTED; 247 | 248 | if (err != 1) { 249 | dl->driverstatus = DRIVER_CANT_START; 250 | printf(" Error : myStartDriver (%d)\n", err); 251 | printf(" GetLastError: (%d)\n", GetLastError()); 252 | return; 253 | } 254 | 255 | printf(" Success : myStartDriver\n"); 256 | return; 257 | 258 | case 'n': 259 | case 'N': 260 | break; 261 | 262 | case 'b': 263 | case 'B': 264 | return; 265 | 266 | default: 267 | printf(" Wrong option selected, default to N\n"); 268 | break; 269 | } 270 | 271 | printf("\n"); 272 | } 273 | } 274 | 275 | void funcStopDriver(DRIVER_LOADER *dl) 276 | { 277 | wchar_t drivername[256 + 1]; 278 | wchar_t selection; 279 | int err; 280 | 281 | for (; ;) { 282 | printf(" Enter driver's name\n - "); 283 | FLUSH; 284 | scanf("%256[^\n]", drivername); 285 | printf(" Confirm (Y - yes | N - no | B - back): "); 286 | FLUSH; 287 | scanf("%c", &selection); 288 | 289 | switch (selection) { 290 | case 'y': 291 | case 'Y': 292 | printf(" Performing : myStopDriver\n"); 293 | err = myStopDriver(drivername); 294 | dl->driverstatus = DRIVER_STOPPED; 295 | 296 | if (err != 1) { 297 | dl->driverstatus = DRIVER_CANT_STOP; 298 | printf(" Error : myStopDriver (%d)\n", err); 299 | printf(" GetLastError: (%d)\n", GetLastError()); 300 | return; 301 | } 302 | 303 | printf(" Success : myStopDriver\n"); 304 | return; 305 | 306 | case 'n': 307 | case 'N': 308 | break; 309 | 310 | case 'b': 311 | case 'B': 312 | return; 313 | 314 | default: 315 | printf(" Wrong option selected, default to N\n"); 316 | break; 317 | } 318 | 319 | printf("\n"); 320 | } 321 | } 322 | 323 | void funcUnloadDriver(DRIVER_LOADER *dl) 324 | { 325 | wchar_t drivername[256 + 1]; 326 | wchar_t selection; 327 | int err; 328 | 329 | for (; ;) { 330 | printf(" Enter driver's name\n - "); 331 | FLUSH; 332 | scanf("%256[^\n]", drivername); 333 | printf(" Confirm (Y - yes | N - no | B - back): "); 334 | FLUSH; 335 | scanf("%c", &selection); 336 | 337 | switch (selection) { 338 | case 'y': 339 | case 'Y': 340 | printf(" Performing : myUnloadDriver\n"); 341 | err = myUnloadDriver(drivername); 342 | dl->driverstatus = DRIVER_UNLOADED; 343 | 344 | if (err != 1) { 345 | dl->driverstatus = DRIVER_CANT_UNLOAD; 346 | printf(" Error : myUnloadDriver (%d)\n", err); 347 | printf(" GetLastError: (%d)\n", GetLastError()); 348 | return; 349 | } 350 | 351 | printf(" Success : myUnloadDriver\n"); 352 | return; 353 | 354 | case 'n': 355 | case 'N': 356 | break; 357 | 358 | case 'b': 359 | case 'B': 360 | return; 361 | 362 | default: 363 | printf(" Wrong option selected, default to N\n"); 364 | break; 365 | } 366 | 367 | printf("\n"); 368 | } 369 | } 370 | 371 | int main(int argc, wchar_t **argv) 372 | { 373 | DRIVER_LOADER dl; 374 | int selection; 375 | 376 | for (; ;) { 377 | printf(" 1 - Load a driver\n" 378 | " 2 - Start service\n" 379 | " 3 - Stop service\n" 380 | " 4 - Unload a driver\n" 381 | " 0 - Exit\n" 382 | "\n" 383 | " Select an option: "); 384 | FLUSH; 385 | scanf("%d", &selection); 386 | 387 | switch (selection) { 388 | case 1: 389 | funcLoadDriver(&dl); 390 | break; 391 | 392 | case 2: 393 | funcStartDriver(&dl); 394 | break; 395 | 396 | case 3: 397 | funcStopDriver(&dl); 398 | break; 399 | 400 | case 4: 401 | funcUnloadDriver(&dl); 402 | break; 403 | 404 | case 0: 405 | printf(" Thanks for using...XXX \n"); 406 | FLUSH; 407 | getchar(); 408 | return 0; 409 | 410 | default: 411 | break; 412 | } 413 | 414 | printf("\n"); 415 | } 416 | 417 | FLUSH; 418 | getchar(); 419 | return 0; 420 | } --------------------------------------------------------------------------------