Hello all, in ntddk.inc there is FILE_NAME_INFORMATION STRUCT FileNameLength DWORD ? FileName WCHAR 1 dup(?);2 bytes FILE_NAME_INFORMATION ENDS — what is the meaning of FileName?
Specifies the first character of the file name string. This is followed in memory by the remainder of the string.
Thanks Great. the following code has happened BOSD. where is the wrong? Код (Text):
; MASM (Intel syntax), 32-bit Windows kernel driver built against the masm32
; w2k headers. It replaces the SSDT entry of ZwSetInformationFile with a
; routine of its own and restores it on unload.
.386
.model flat, stdcall
option casemap:none
include \masm32\include\w2k\ntstatus.inc
include \masm32\include\w2k\ntddk.inc
include \masm32\include\w2k\ntoskrnl.inc
includelib \masm32\lib\w2k\ntoskrnl.lib
include \masm32\Macros\Strings.mac

.data?
dwOldSetInformationFile dd ?            ; SSDT value saved by _SetSSDT, written back by DriverUnload
dwAddr                  dd ?            ; address of the patched SSDT slot
pFileName               PVOID ?         ; declared but not referenced anywhere in this listing

.const
BUFFER_LENGTH equ 512                   ; bytes of paged pool allocated per hook call
CCOUNTED_UNICODE_STRING "\\Device\\Asm", g_usDeviceName, 4
CCOUNTED_UNICODE_STRING "\\??\\AsmFile", g_usSymbolicLinkName, 4
CCOUNTED_UNICODE_STRING "ZwSetInformationFile", g_ApiAddr, 4    ; routine name resolved in _SetSSDT

.code
;-----------------------------------------------------------------------
; void _memcpy(void *pDest, const void *pSource, DWORD SizeByte)
; Copies SizeByte bytes: SizeByte/4 dwords with rep movsd, then the
; remaining SizeByte mod 4 bytes with rep movsb.
; Clobbers: eax, flags. edi/esi/ecx are saved and restored by "uses".
; No overlap handling and no bounds check — the caller must size pDest.
;-----------------------------------------------------------------------
_memcpy proc uses edi esi ecx pDest:dword, pSource:dword, SizeByte:dword
    mov     ecx, SizeByte
    mov     esi, pSource
    mov     edi, pDest
    mov     eax, ecx                    ; keep the byte count for the tail copy
    shr     ecx, 2                      ; ecx = number of whole dwords
    rep     movsd
    mov     ecx, eax
    and     ecx, 3                      ; ecx = leftover bytes (0..3)
    rep     movsb
    ret
_memcpy endp

;-----------------------------------------------------------------------
; MySetInformationFile — the routine _SetSSDT writes into the SSDT slot of
; ZwSetInformationFile, so every call dispatched through that slot arrives
; here with the original argument list on the stack.
; Allocates BUFFER_LENGTH bytes of PagedPool, copies psi.FileNameLength
; bytes of psi.FileName into it, DbgPrints the buffer with %ws, frees it.
; NOTE(review): psi and iosb are declared with struct types rather than
; pointer types — confirm against the prototype in ntddk.inc.
; NOTE(review): psi.FileNameLength is never compared with BUFFER_LENGTH, so
; a length above 512 overruns the pool block (kernel memory corruption).
; pushad/popad restore every register, including eax, so the value the
; caller sees in eax is whatever it held on entry.
;-----------------------------------------------------------------------
MySetInformationFile proc hfile:HANDLE,iosb:IO_STATUS_BLOCK,psi:FILE_NAME_INFORMATION,FileInformationLength,FileInformationClass
    pushad
    invoke  ExAllocatePool, PagedPool, BUFFER_LENGTH
    .if eax != NULL
        mov     edi, eax                ; edi = scratch buffer
        invoke  _memcpy, edi,addr psi.FileName,psi.FileNameLength   ; unbounded copy — see header
        invoke  DbgPrint, $CTW0("\nFileName: %ws"),edi
        invoke  ExFreePool, edi
    .endif
    popad
    ret
MySetInformationFile endp

;-----------------------------------------------------------------------
; _SetSSDT — overwrite the SSDT entry for ZwSetInformationFile with
; MySetInformationFile, saving the original pointer in
; dwOldSetInformationFile and the slot address in dwAddr.
; Returns STATUS_SUCCESS unconditionally; the MmGetSystemRoutineAddress
; result is dereferenced without a NULL check.
; This is the procedure the BSOD was traced to (see the reply further
; down): the store into the table hits a page the kernel maps read-only
; and nothing here clears CR0.WP first. cli/sti only mask interrupts on
; the current CPU; they do not serialise against other processors.
;-----------------------------------------------------------------------
_SetSSDT proc
    pushad
    mov     eax, KeServiceDescriptorTable
    mov     esi, [eax]
    mov     esi, [esi]                  ; esi = service table base (dereference depth depends on how ntoskrnl.inc declares the symbol — verify)
    invoke  MmGetSystemRoutineAddress,addr g_ApiAddr
    inc     eax
    movzx   ecx,byte ptr[eax]           ; byte at routine+1, presumably the imm32 of its leading "mov eax, index" — only 8 bits are read
    sal     ecx,2                       ; index * sizeof(PVOID)
    add     esi,ecx                     ; esi = &table[index]
    mov     dwAddr,esi
    mov     edi,dword ptr[esi]
    mov     dwOldSetInformationFile,edi ; keep the original for DriverUnload
    mov     edi,offset MySetInformationFile
    cli
    mov     dword ptr[esi],edi          ; write to a write-protected page — see header
    sti
    popad
    mov     eax, STATUS_SUCCESS
    ret
_SetSSDT endp

;-----------------------------------------------------------------------
; DispatchCreateClose — IRP_MJ_CREATE / IRP_MJ_CLOSE handler: completes
; the IRP with STATUS_SUCCESS and Information = 0, returns STATUS_SUCCESS.
;-----------------------------------------------------------------------
DispatchCreateClose proc pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP
    mov     eax, pIrp
    assume  eax:ptr _IRP
    mov     [eax].IoStatus.Status, STATUS_SUCCESS
    and     [eax].IoStatus.Information, 0
    assume  eax:nothing
    invoke  IoCompleteRequest, pIrp, IO_NO_INCREMENT
    mov     eax, STATUS_SUCCESS
    ret
DispatchCreateClose endp

;-----------------------------------------------------------------------
; DriverUnload — put the saved pointer back into the SSDT slot (the same
; unprotected store as in _SetSSDT), then remove the symbolic link and
; the device object.
;-----------------------------------------------------------------------
DriverUnload proc pDriverObject:PDRIVER_OBJECT
    pushad
    mov     esi,dwAddr
    mov     eax,dwOldSetInformationFile
    cli
    mov     dword ptr[esi],eax          ; restore the original entry
    sti
    invoke  IoDeleteSymbolicLink, addr g_usSymbolicLinkName
    mov     eax,pDriverObject
    invoke  IoDeleteDevice, (DRIVER_OBJECT PTR [eax]).DeviceObject
    popad
    ret
DriverUnload endp

;-----------------------------------------------------------------------
; NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pusRegistryPath)
; Creates the device and its symbolic link, installs the create/close and
; unload handlers, then patches the SSDT via _SetSSDT.
; Returns STATUS_SUCCESS only when both IoCreateDevice and
; IoCreateSymbolicLink succeed, otherwise STATUS_DEVICE_CONFIGURATION_ERROR
; (the device is deleted again when only the symbolic link failed).
; _SetSSDT's return value is not checked.
;-----------------------------------------------------------------------
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
    local   status:NTSTATUS
    local   pDeviceObject:PDEVICE_OBJECT
    mov     status, STATUS_DEVICE_CONFIGURATION_ERROR
    invoke  IoCreateDevice, pDriverObject, 0, addr g_usDeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, addr pDeviceObject
    .if eax == STATUS_SUCCESS
        invoke  IoCreateSymbolicLink, addr g_usSymbolicLinkName, addr g_usDeviceName
        .if eax == STATUS_SUCCESS
            mov     eax, pDriverObject
            assume  eax:ptr DRIVER_OBJECT
            mov     [eax].MajorFunction[IRP_MJ_CREATE*(sizeof PVOID)],offset DispatchCreateClose
            mov     [eax].MajorFunction[IRP_MJ_CLOSE*(sizeof PVOID)],offset DispatchCreateClose
            mov     [eax].DriverUnload,offset DriverUnload
            assume  eax:nothing
            invoke  _SetSSDT
            mov     status, STATUS_SUCCESS
        .else
            invoke  IoDeleteDevice, pDeviceObject   ; symbolic link failed: undo the device
        .endif
    .endif
    mov     eax, status
    ret
DriverEntry endp
end DriverEntry
dcskm4200, in which procedure do you get the BSOD? ADDED: I've found it: Код (Text): _SetSSDT proc pushad mov eax, KeServiceDescriptorTable mov esi, [eax] mov esi, [esi] invoke MmGetSystemRoutineAddress,addr g_ApiAddr inc eax movzx ecx,byte ptr[eax] sal ecx,2 add esi,ecx mov dwAddr,esi mov edi,dword ptr[esi] mov dwOldSetInformationFile,edi mov edi,offset MySetInformationFile cli mov dword ptr[esi],edi sti popad mov eax, STATUS_SUCCESS ret _SetSSDT endp You don't clear the WP bit in CR0 before writing. Код (Text): __asm { cli mov eax, cr0 mov CR0Reg,eax and eax,0xFFFEFFFF // unset WP bit mov cr0, eax } __asm { mov eax, CR0Reg mov cr0, eax // restore CR0 sti }
Hello Twister, you are right, thank you very much. The BSOD has disappeared, but the file names still cannot be displayed correctly.