flat assembler
Message board for the users of flat assembler.
IoCreateDevice
asmcoder 04 Aug 2008, 16:13
[content deleted]
Last edited by asmcoder on 14 Aug 2009, 14:56; edited 1 time in total
illuz1oN 04 Aug 2008, 16:47
http://msdn.microsoft.com/en-us/library/ms804358.aspx <-- asmcoder
...
okasvi 05 Aug 2008, 09:03
Instead of
Code:
buff db '\',0,'D',0,'e',0,'v',0,'i',0,'c',0,'e',0,'\',0,'q',0,0,0
you could use
Code:
buff du '\Device\q', 0
ManOfSteel 05 Aug 2008, 10:14
Yes, as okasvi said, it's much more readable.
Also, is there any reason for using ecx with IoCreateDevice?
asmcoder 05 Aug 2008, 10:24
[content deleted]
Last edited by asmcoder on 14 Aug 2009, 14:56; edited 1 time in total
ManOfSteel 05 Aug 2008, 10:40
But why trash ecx when you can directly push zero?
Unless of course you're optimizing for size, in which case using ecx will give you (1-byte) smaller code. Ok.
asmcoder 05 Aug 2008, 10:51
[content deleted]
Last edited by asmcoder on 14 Aug 2009, 14:56; edited 1 time in total
bcdsys 09 Aug 2008, 14:53
Good, I have now fixed the driver with asmcoder's code; the driver no longer BSODs. I have a service control program for the driver, which loads/unloads the driver correctly, but CreateFile fails. Why does CreateFile fail?
Driver source:
Code:
format PE native

;Driver object table (x86 offsets)
;0x00 = Type             rw 1
;0x02 = Size             rw 1
;0x04 = DeviceObject     rd 1
;0x08 = Flags            rd 1
;0x0C = DriverStart      rd 1
;0x10 = DriverSize       rd 1
;0x14 = DriverSection    rd 1
;0x18 = DriverExtension  rd 1
;0x1C = DriverName       rb 8
;0x24 = HardwareDatabase rd 1
;0x28 = FastIoDispatch   rd 1
;0x2C = DriverInit       rd 1
;0x30 = DriverStartIo    rd 1
;0x34 = DriverUnload     rd 1
;0x38 = MajorFunction    rd 01Ch

;IRP_MJ_CREATE                   = 0x00
;IRP_MJ_CREATE_NAMED_PIPE        = 0x01
;IRP_MJ_CLOSE                    = 0x02
;IRP_MJ_READ                     = 0x03
;IRP_MJ_WRITE                    = 0x04
;IRP_MJ_QUERY_INFORMATION        = 0x05
;IRP_MJ_SET_INFORMATION          = 0x06
;IRP_MJ_QUERY_EA                 = 0x07
;IRP_MJ_SET_EA                   = 0x08
;IRP_MJ_FLUSH_BUFFERS            = 0x09
;IRP_MJ_QUERY_VOLUME_INFORMATION = 0x0a
;IRP_MJ_SET_VOLUME_INFORMATION   = 0x0b
;IRP_MJ_DIRECTORY_CONTROL        = 0x0c
;IRP_MJ_FILE_SYSTEM_CONTROL      = 0x0d
;IRP_MJ_DEVICE_CONTROL           = 0x0e
;IRP_MJ_INTERNAL_DEVICE_CONTROL  = 0x0f
;IRP_MJ_SHUTDOWN                 = 0x10
;IRP_MJ_LOCK_CONTROL             = 0x11
;IRP_MJ_CLEANUP                  = 0x12
;IRP_MJ_CREATE_MAILSLOT          = 0x13
;IRP_MJ_QUERY_SECURITY           = 0x14
;IRP_MJ_SET_SECURITY             = 0x15
;IRP_MJ_POWER                    = 0x16
;IRP_MJ_SYSTEM_CONTROL           = 0x17
;IRP_MJ_DEVICE_CHANGE            = 0x18
;IRP_MJ_QUERY_QUOTA              = 0x19
;IRP_MJ_SET_QUOTA                = 0x1a

section '' code readable writeable executable notpageable

entry $
        mov     eax, [esp+4]                    ;DRIVER_OBJECT
        mov     dword [eax+0x34], DriverUnload
        mov     dword [eax+0x38], create        ;MajorFunction[IRP_MJ_CREATE]
        mov     dword [eax+0x40], close         ;MajorFunction[IRP_MJ_CLOSE]
        mov     dword [eax+0x70], io            ;MajorFunction[IRP_MJ_DEVICE_CONTROL]
        push    hello
        call    [DbgPrint]
        add     esp, 4
        lea     eax, [esp+4]                    ;address of the DriverObject argument
        lea     edx, [eax+4]                    ;RegistryPath argument slot, reused to receive the DEVICE_OBJECT pointer
        ;create the device
        push    edx                             ;address of pointer to device object
        push    0                               ;Exclusive = FALSE
        push    0                               ;DeviceCharacteristics
        push    0x22                            ;DeviceType = FILE_DEVICE_UNKNOWN
        push    device                          ;name of device
        push    0                               ;DeviceExtensionSize
        push    dword [eax]                     ;driver object
        call    [IoCreateDevice]
        push    eax
        push    msg_putint
        call    [DbgPrint]
        add     esp, 8
        ;create a symbolic link to the device
        push    device                          ;DeviceName
        push    symlink                         ;SymbolicLinkName
        call    [IoCreateSymbolicLink]
        push    eax
        push    msg_putint
        call    [DbgPrint]
        add     esp, 8
        ;exit the entry routine
        xor     eax, eax                        ;STATUS_SUCCESS
        ret     8

DriverUnload:
        push    symlink
        call    [IoDeleteSymbolicLink]
        mov     eax, [esp+4]                    ;pointer to driver object
        push    dword [eax+4]                   ;pointer to device object
        call    [IoDeleteDevice]
        push    goodbye
        call    [DbgPrint]
        add     esp, 4
        ret     4

;dispatch routines receive (DeviceObject, Irp); every IRP they get must be completed
create:
        push    msg_create
        call    [DbgPrint]
        add     esp, 4                          ;restore stack
        mov     eax, [esp+8]                    ;IRP
        and     dword [eax+0x18], 0             ;IoStatus.Status = STATUS_SUCCESS
        and     dword [eax+0x1C], 0             ;IoStatus.Information = 0
        push    0                               ;IO_NO_INCREMENT
        push    eax                             ;IRP
        call    [IoCompleteRequest]
        xor     eax, eax
        ret     8

close:
        push    msg_close
        call    [DbgPrint]
        add     esp, 4
        mov     eax, [esp+8]                    ;IRP
        and     dword [eax+0x18], 0             ;IoStatus.Status = STATUS_SUCCESS
        and     dword [eax+0x1C], 0             ;IoStatus.Information = 0
        push    0                               ;IO_NO_INCREMENT
        push    eax                             ;IRP
        call    [IoCompleteRequest]
        xor     eax, eax
        ret     8

io:
        mov     eax, [esp+8]                    ;IRP
        mov     eax, [eax+0x60]                 ;Irp->Tail.Overlay.CurrentStackLocation
        push    dword [eax+0xC]                 ;Parameters.DeviceIoControl.IoControlCode
        push    msg_control
        call    [DbgPrint]
        add     esp, 8
        mov     eax, [esp+8]                    ;IRP
        and     dword [eax+0x18], 0             ;IoStatus.Status = STATUS_SUCCESS
        and     dword [eax+0x1C], 0             ;IoStatus.Information = 0 (no output bytes)
        push    0                               ;IO_NO_INCREMENT
        push    eax                             ;IRP (not the driver object)
        call    [IoCompleteRequest]
        xor     eax, eax
        ret     8

hello       db 'Hello world!', 0
goodbye     db 'Goodbye world!', 0
msg_create  db 'create', 0
msg_close   db 'close', 0
msg_control db 'I/O request %u', 0
msg_putint  db '%x', 0

;UNICODE_STRING: Length and MaximumLength are byte counts and Length excludes
;the terminator, so derive them from the string instead of hard-coding them
align 4
device:     dw device_name_end-device_name-2, device_name_end-device_name
            dd device_name
device_name du '\Device\Device1', 0
device_name_end:

align 4
symlink:    dw symlink_name_end-symlink_name-2, symlink_name_end-symlink_name
            dd symlink_name
symlink_name du '\DosDevices\Device1', 0
symlink_name_end:

section '' import readable

        dd rva ntoskrnl_table, 0, 0, rva ntoskrnl_name, rva ntoskrnl_table
        dd 0, 0, 0, 0, 0

ntoskrnl_table:
IoCreateDevice        dd rva _IoCreateDevice
IoDeleteDevice        dd rva _IoDeleteDevice
IoCreateSymbolicLink  dd rva _IoCreateSymbolicLink
IoDeleteSymbolicLink  dd rva _IoDeleteSymbolicLink
IoCompleteRequest     dd rva _IoCompleteRequest
DbgPrint              dd rva _DbgPrint
                      dd 0

ntoskrnl_name         db 'ntoskrnl.exe', 0
_IoCreateDevice       db 0, 0, 'IoCreateDevice', 0
_IoDeleteDevice       db 0, 0, 'IoDeleteDevice', 0
_IoCreateSymbolicLink db 0, 0, 'IoCreateSymbolicLink', 0
_IoDeleteSymbolicLink db 0, 0, 'IoDeleteSymbolicLink', 0
_IoCompleteRequest    db 0, 0, 'IoCompleteRequest', 0
_DbgPrint             db 0, 0, 'DbgPrint', 0

section '' fixups discardable
Control program code:
Code:
;service control manager for DeviceIoControl3.sys
format PE console

section '' code readable writeable executable

entry $
        push    0xF003F                         ;SC_MANAGER_ALL_ACCESS
        push    0
        push    0
        call    [OpenSCManager]
        test    eax, eax
        jnz     @f
        push    msg_error_OpenSCManager
        call    [puts]
        add     esp, 4
        jmp     exit
@@:
        mov     ebx, eax                        ;save SCM handle
        push    0
        push    DriverPath
        push    255
        push    driver
        call    [GetFullPathName]               ;get full path of driver
        push    0                               ;lpPassword
        push    0                               ;lpServiceStartName
        push    0                               ;lpDependencies
        push    0                               ;lpdwTagId
        push    0                               ;lpLoadOrderGroup
        push    DriverPath                      ;lpBinaryPathName
        push    0                               ;SERVICE_ERROR_IGNORE
        push    3                               ;SERVICE_DEMAND_START
        push    1                               ;SERVICE_KERNEL_DRIVER
        push    0xF01FF                         ;SERVICE_ALL_ACCESS
        push    s2                              ;display name
        push    s1                              ;service name
        push    ebx
        call    [CreateService]                 ;register the driver service
        test    eax, eax
        jnz     @f
        push    msg_error_CreateService
        call    [puts]
        add     esp, 4
        jmp     closeSCM
@@:
        mov     esi, eax                        ;save handle to service
        push    0
        push    0
        push    esi
        call    [StartService]                  ;load driver
        test    eax, eax
        jnz     @f
        push    msg_error_StartService
        call    [puts]
        add     esp, 4
        jmp     exit_service
@@:
        ;open the device
        push    0                               ;no template file
        push    0                               ;flags and attributes
        push    3                               ;OPEN_EXISTING
        push    0                               ;no security attributes
        push    0                               ;no sharing
        push    0                               ;GENERIC_READ
        push    device
        call    [CreateFile]
        cmp     eax, -1                         ;INVALID_HANDLE_VALUE
        jne     @f
        call    [GetLastError]
        push    msg_error_CreateFile
        call    [puts]
        add     esp, 4
        jmp     exit_service
@@:
        mov     edi, eax                        ;save file handle
        push    edi
        call    [CloseHandle]
exit_service:
        sub     esp, 28                         ;SERVICE_STATUS
        mov     eax, esp
        push    eax
        push    1                               ;SERVICE_CONTROL_STOP
        push    esi
        call    [ControlService]
        add     esp, 28
        test    eax, eax
        jnz     @f
        push    msg_error_ControlService
        call    [puts]
        add     esp, 4
@@:
        push    esi
        call    [DeleteService]
        test    eax, eax
        jnz     @f
        push    msg_error_DeleteService
        call    [puts]
        add     esp, 4
@@:
closeSCM:
        push    ebx
        call    [CloseServiceHandle]
exit:
        push    0
        call    [ExitProcess]

driver          db 'DeviceIoControl3.sys', 0
DriverPath      rb 256
device          db '\\.\Device1', 0             ;Win32 name of the device, resolved through the \DosDevices link
s1              db 'DeviceIoControl3', 0
s2              db 'DeviceIoControl Samples', 0
msg_error_OpenSCManager  db 'OpenSCManager Error', 0
msg_error_CreateService  db 'CreateService Error', 0
msg_error_StartService   db 'StartService Error', 0
msg_error_ControlService db 'ControlService Error', 0
msg_error_DeleteService  db 'DeleteService Error', 0
msg_error_CreateFile     db 'CreateFile Error', 0

section '' import readable

        dd rva kernel32_table, 0, 0, rva kernel32_name, rva kernel32_table
        dd rva advapi32_table, 0, 0, rva advapi32_name, rva advapi32_table
        dd rva msvcrt_table, 0, 0, rva msvcrt_name, rva msvcrt_table
        dd 0, 0, 0, 0, 0

kernel32_table:
ExitProcess         dd rva _ExitProcess
GetFullPathName     dd rva _GetFullPathName
GetLastError        dd rva _GetLastError
CreateFile          dd rva _CreateFile
DeviceIoControl     dd rva _DeviceIoControl
CloseHandle         dd rva _CloseHandle
                    dd 0
advapi32_table:
OpenSCManager       dd rva _OpenSCManager
CreateService       dd rva _CreateService
StartService        dd rva _StartService
DeleteService       dd rva _DeleteService
ControlService      dd rva _ControlService
CloseServiceHandle  dd rva _CloseServiceHandle
                    dd 0
msvcrt_table:
puts                dd rva _puts
                    dd 0

kernel32_name       db 'KERNEL32.DLL', 0
advapi32_name       db 'ADVAPI32.DLL', 0
msvcrt_name         db 'MSVCRT.DLL', 0
_GetFullPathName    db 0, 0, 'GetFullPathNameA', 0
_ExitProcess        db 0, 0, 'ExitProcess', 0
_GetLastError       db 0, 0, 'GetLastError', 0
_CreateFile         db 0, 0, 'CreateFileA', 0
_DeviceIoControl    db 0, 0, 'DeviceIoControl', 0
_CloseHandle        db 0, 0, 'CloseHandle', 0
_OpenSCManager      db 0, 0, 'OpenSCManagerA', 0
_CreateService      db 0, 0, 'CreateServiceA', 0
_StartService       db 0, 0, 'StartServiceA', 0
_DeleteService      db 0, 0, 'DeleteService', 0
_ControlService     db 0, 0, 'ControlService', 0
_CloseServiceHandle db 0, 0, 'CloseServiceHandle', 0
_puts               db 0, 0, 'puts', 0

section '' fixups discardable
Why is CreateFile failing? Is it a bug in the SCP, the driver, or both?
ManOfSteel 10 Aug 2008, 05:56
Code:
        ;send the I/O request to the driver
        push    0               ;no template file
        push    0
        push    3
        push    0
        push    0
        push    0               ;GENERIC_READ
        push    device
        call    [CreateFile]
Is it GENERIC_READ that you want? In that case, it should be 80000000h instead of 0.
asmcoder 10 Aug 2008, 11:28
[content deleted]
Last edited by asmcoder on 14 Aug 2009, 14:56; edited 1 time in total
bcdsys 11 Aug 2008, 01:23
I got the driver/SCP fully working. Here is the driver code:
Code:
;driver that logs DeviceIoControl requests to \Device\DeviceX to debug output
format PE native

section '' code readable writeable executable notpageable

entry $
        mov     eax, [esp+4]                    ;DRIVER_OBJECT
        mov     dword [eax+0x34], DriverUnload
        mov     dword [eax+0x38], create        ;MajorFunction[IRP_MJ_CREATE]
        mov     dword [eax+0x40], close         ;MajorFunction[IRP_MJ_CLOSE]
        mov     dword [eax+0x70], io            ;MajorFunction[IRP_MJ_DEVICE_CONTROL]
        push    hello
        call    [DbgPrint]
        add     esp, 4
        lea     eax, [esp+4]                    ;address of the DriverObject argument
        lea     edx, [eax+4]                    ;RegistryPath argument slot, reused to receive the DEVICE_OBJECT pointer
        ;create the device
        push    edx                             ;address of pointer to device object
        push    0                               ;Exclusive = FALSE
        push    0                               ;DeviceCharacteristics
        push    0x22                            ;DeviceType = FILE_DEVICE_UNKNOWN
        push    device                          ;name of device
        push    0                               ;DeviceExtensionSize
        push    dword [eax]                     ;driver object
        call    [IoCreateDevice]
        ;exit the entry routine
        xor     eax, eax                        ;STATUS_SUCCESS
        ret     8

DriverUnload:
        mov     eax, [esp+4]                    ;pointer to driver object
        push    dword [eax+4]                   ;pointer to device object
        call    [IoDeleteDevice]
        push    bye
        call    [DbgPrint]
        add     esp, 4
        ret     4

;dispatch routines receive (DeviceObject, Irp); every IRP they get must be completed
create:
        push    msg_create
        call    [DbgPrint]
        add     esp, 4                          ;restore stack
        mov     eax, [esp+8]                    ;IRP
        and     dword [eax+0x18], 0             ;IoStatus.Status = STATUS_SUCCESS
        and     dword [eax+0x1C], 0             ;IoStatus.Information = 0
        push    0                               ;IO_NO_INCREMENT
        push    eax                             ;IRP
        call    [IoCompleteRequest]
        xor     eax, eax
        ret     8

close:
        push    msg_close
        call    [DbgPrint]
        add     esp, 4
        mov     eax, [esp+8]                    ;IRP
        and     dword [eax+0x18], 0             ;IoStatus.Status = STATUS_SUCCESS
        and     dword [eax+0x1C], 0             ;IoStatus.Information = 0
        push    0                               ;IO_NO_INCREMENT
        push    eax                             ;IRP
        call    [IoCompleteRequest]
        xor     eax, eax
        ret     8

io:
        mov     eax, [esp+8]                    ;IRP
        mov     eax, [eax+0x60]                 ;Irp->Tail.Overlay.CurrentStackLocation
        push    dword [eax+0xC]                 ;Parameters.DeviceIoControl.IoControlCode
        push    msg_control
        call    [DbgPrint]
        add     esp, 8
        mov     eax, [esp+8]                    ;IRP
        and     dword [eax+0x18], 0             ;IoStatus.Status = STATUS_SUCCESS
        and     dword [eax+0x1C], 0             ;IoStatus.Information = 0 (no output bytes)
        push    0                               ;IO_NO_INCREMENT
        push    eax                             ;IRP (not the driver object)
        call    [IoCompleteRequest]
        xor     eax, eax
        ret     8

hello       db 'Hello world!', 0
bye         db 'Goodbye world!', 0
msg_create  db 'create', 0
msg_close   db 'close', 0
msg_control db 'I/O request %p', 0

;UNICODE_STRING: Length and MaximumLength are byte counts and Length excludes
;the terminator, so derive them from the string instead of hard-coding them
align 4
device:     dw device_name_end-device_name-2, device_name_end-device_name
            dd device_name
device_name du '\Device\DeviceX', 0
device_name_end:

section '' import readable

        dd rva ntoskrnl_table, 0, 0, rva ntoskrnl_name, rva ntoskrnl_table
        dd 0, 0, 0, 0, 0

ntoskrnl_table:
IoCreateDevice     dd rva _IoCreateDevice
IoDeleteDevice     dd rva _IoDeleteDevice
IoCompleteRequest  dd rva _IoCompleteRequest
DbgPrint           dd rva _DbgPrint
                   dd 0

ntoskrnl_name      db 'ntoskrnl.exe', 0
_IoCreateDevice    db 0, 0, 'IoCreateDevice', 0
_IoDeleteDevice    db 0, 0, 'IoDeleteDevice', 0
_IoCompleteRequest db 0, 0, 'IoCompleteRequest', 0
_DbgPrint          db 0, 0, 'DbgPrint', 0

section '' fixups discardable
SCP code:
Code:
;service control manager for DeviceIoControl3.sys
format PE console

section '' code readable writeable executable

entry $
        push    0xF003F                         ;SC_MANAGER_ALL_ACCESS
        push    0
        push    0
        call    [OpenSCManager]
        test    eax, eax
        jnz     @f
        call    [GetLastError]                  ;report the real error code, not the zero return value
        push    eax
        push    msg_error_OpenSCManager
        call    [printf]
        add     esp, 8
        jmp     exit
@@:
        mov     ebx, eax                        ;save SCM handle
        push    0
        push    DriverPath
        push    255
        push    driver
        call    [GetFullPathName]               ;get full path of driver
        push    0                               ;lpPassword
        push    0                               ;lpServiceStartName
        push    0                               ;lpDependencies
        push    0                               ;lpdwTagId
        push    0                               ;lpLoadOrderGroup
        push    DriverPath                      ;lpBinaryPathName
        push    0                               ;SERVICE_ERROR_IGNORE
        push    3                               ;SERVICE_DEMAND_START
        push    1                               ;SERVICE_KERNEL_DRIVER
        push    0xF01FF                         ;SERVICE_ALL_ACCESS
        push    s2                              ;display name
        push    s1                              ;service name
        push    ebx
        call    [CreateService]                 ;register the driver service
        test    eax, eax
        jnz     @f
        call    [GetLastError]
        push    eax
        push    msg_error_CreateService
        call    [printf]
        add     esp, 8
        jmp     closeSCM
@@:
        mov     esi, eax                        ;save handle to service
        push    0
        push    0
        push    esi
        call    [StartService]                  ;load driver
        test    eax, eax
        jnz     @f
        call    [GetLastError]
        push    eax
        push    msg_error_StartService
        call    [printf]
        add     esp, 8
        jmp     exit_service
@@:
        ;open the device directly by its NT name
        push    0                               ;SecurityQualityOfService
        push    0                               ;SecurityDescriptor
        push    0                               ;Attributes (no OBJ_CASE_INSENSITIVE: the name must match the driver's exactly)
        push    device                          ;ObjectName
        push    0                               ;RootDirectory
        push    24                              ;Length = sizeof(OBJECT_ATTRIBUTES)
        mov     ecx, esp                        ;save pointer to OBJECT_ATTRIBUTES
        sub     esp, 12                         ;IO_STATUS_BLOCK (8 bytes) followed by the returned HANDLE
        mov     eax, esp
        push    0                               ;EaLength
        push    0                               ;EaBuffer
        push    0                               ;CreateOptions
        push    1                               ;CreateDisposition = FILE_OPEN
        push    0                               ;ShareAccess
        push    0                               ;FileAttributes
        push    0                               ;AllocationSize
        push    eax                             ;IoStatusBlock
        push    ecx                             ;ObjectAttributes
        push    3                               ;DesiredAccess = FILE_READ_DATA or FILE_WRITE_DATA
        lea     eax, [eax+8]
        push    eax                             ;FileHandle (output)
        call    [NtCreateFile]
        mov     edi, [esp+8]                    ;save file handle
        add     esp, 36                         ;restore stack (12 + 24)
        test    eax, eax
        jz      @f
        push    eax                             ;NTSTATUS
        push    msg_error_NtCreateFile
        call    [printf]
        add     esp, 8
        jmp     exit_service
@@:
        push    msg_request_io_code
        call    [printf]
        mov     eax, esp
        push    eax                             ;store result in the argument slot left from the printf call
        push    get_io_code
        call    [scanf]
        add     esp, 8
        pop     ecx                             ;get I/O code
        sub     esp, 4                          ;bytes returned
        mov     eax, esp
        push    0                               ;lpOverlapped
        push    eax                             ;lpBytesReturned
        push    0                               ;nOutBufferSize
        push    0                               ;lpOutBuffer
        push    0                               ;nInBufferSize
        push    0                               ;lpInBuffer
        push    ecx                             ;device I/O request code
        push    edi                             ;device handle
        call    [DeviceIoControl]
        test    eax, eax
        jnz     @f
        call    [GetLastError]
        push    eax
        push    msg_error_DeviceIoControl
        call    [printf]
        add     esp, 8
@@:
        add     esp, 4                          ;clean up stack
        push    edi
        call    [CloseHandle]                   ;close the device
        test    eax, eax
        jnz     @f
        call    [GetLastError]
        push    eax
        push    msg_error_CloseHandle
        call    [printf]
        add     esp, 8
        jmp     exit_service
@@:
exit_service:
        sub     esp, 28                         ;SERVICE_STATUS
        mov     eax, esp
        push    eax
        push    1                               ;SERVICE_CONTROL_STOP
        push    esi
        call    [ControlService]                ;stop the service
        add     esp, 28
        test    eax, eax
        jnz     @f
        call    [GetLastError]
        push    eax
        push    msg_error_ControlService
        call    [printf]
        add     esp, 8
@@:
        push    esi
        call    [DeleteService]
        test    eax, eax
        jnz     @f
        call    [GetLastError]
        push    eax
        push    msg_error_DeleteService
        call    [printf]
        add     esp, 8
@@:
closeSCM:
        push    ebx
        call    [CloseServiceHandle]
        test    eax, eax
        jnz     @f
        call    [GetLastError]
        push    eax
        push    msg_error_CloseServiceHandle
        call    [printf]
        add     esp, 8
@@:
exit:
        push    0
        call    [ExitProcess]

driver          db 'DeviceIoControl3.sys', 0
DriverPath      rb 256

;UNICODE_STRING with derived byte lengths; must match the driver's name byte for byte
align 4
device:     dw device_name_end-device_name-2, device_name_end-device_name
            dd device_name
device_name du '\Device\DeviceX', 0             ;name of device
device_name_end:

s1              db 'DeviceIoControl3', 0
s2              db 'DeviceIoControl Samples', 0
msg_error_OpenSCManager      db 'OpenSCManager Error: %p', 13, 10, 0
msg_error_CreateService      db 'CreateService Error: %p', 13, 10, 0
msg_error_StartService       db 'StartService Error: %p', 13, 10, 0
msg_error_ControlService     db 'ControlService Error: %p', 13, 10, 0
msg_error_DeleteService      db 'DeleteService Error: %p', 13, 10, 0
msg_error_CloseServiceHandle db 'CloseServiceHandle Error: %p', 13, 10, 0
msg_error_NtCreateFile       db 'NtCreateFile Error: %p', 13, 10, 0
msg_error_CloseHandle        db 'CloseHandle Error: %p', 13, 10, 0
msg_error_DeviceIoControl    db 'DeviceIoControl Error: %p', 13, 10, 0
msg_request_io_code          db 'Specify the I/O request to send: ', 0
get_io_code                  db '%p', 0

section '' import readable

        dd rva ntdll_table, 0, 0, rva ntdll_name, rva ntdll_table
        dd rva kernel32_table, 0, 0, rva kernel32_name, rva kernel32_table
        dd rva advapi32_table, 0, 0, rva advapi32_name, rva advapi32_table
        dd rva msvcrt_table, 0, 0, rva msvcrt_name, rva msvcrt_table
        dd 0, 0, 0, 0, 0

ntdll_table:
NtCreateFile        dd rva _NtCreateFile
                    dd 0
kernel32_table:
ExitProcess         dd rva _ExitProcess
GetFullPathName     dd rva _GetFullPathName
GetLastError        dd rva _GetLastError
DeviceIoControl     dd rva _DeviceIoControl
CloseHandle         dd rva _CloseHandle
                    dd 0
advapi32_table:
OpenSCManager       dd rva _OpenSCManager
CreateService       dd rva _CreateService
StartService        dd rva _StartService
DeleteService       dd rva _DeleteService
ControlService      dd rva _ControlService
CloseServiceHandle  dd rva _CloseServiceHandle
                    dd 0
msvcrt_table:
printf              dd rva _printf
scanf               dd rva _scanf
                    dd 0

ntdll_name          db 'NTDLL.DLL', 0
kernel32_name       db 'KERNEL32.DLL', 0
advapi32_name       db 'ADVAPI32.DLL', 0
msvcrt_name         db 'MSVCRT.DLL', 0
_NtCreateFile       db 0, 0, 'NtCreateFile', 0
_GetFullPathName    db 0, 0, 'GetFullPathNameA', 0
_ExitProcess        db 0, 0, 'ExitProcess', 0
_GetLastError       db 0, 0, 'GetLastError', 0
_DeviceIoControl    db 0, 0, 'DeviceIoControl', 0
_CloseHandle        db 0, 0, 'CloseHandle', 0
_OpenSCManager      db 0, 0, 'OpenSCManagerA', 0
_CreateService      db 0, 0, 'CreateServiceA', 0
_StartService       db 0, 0, 'StartServiceA', 0
_DeleteService      db 0, 0, 'DeleteService', 0
_ControlService     db 0, 0, 'ControlService', 0
_CloseServiceHandle db 0, 0, 'CloseServiceHandle', 0
_printf             db 0, 0, 'printf', 0
_scanf              db 0, 0, 'scanf', 0

section '' fixups discardable
The driver works; in DebugView I see the messages and the I/O request codes sent. Thanks asmcoder for your help. I did not copy your code exactly, I based mine on it since I wanted to learn and code, not copy. I like the native API. It works better than Win32 and is cleaner. No problems with symlinks (but I tested it before and it works with symlinks) and DosDevices; I just access \Device\DeviceX. The only limitation was that the device open failed with 0xC0000034 in the SCP if I changed the device name to < 4 chars in both driver and program. Is this a Win2k3 limit, or is it a bug in the program? If there is a bug in the code, please post it; it took me lots of work to code this.
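The device name in both posted programs is a hand-built UNICODE_STRING, and its Length and MaximumLength fields are byte counts with Length excluding the terminator, which is easy to get wrong when the numbers are typed in rather than derived from the string. The C program below is an added example, not code from the thread: it builds the 32-bit structure from a UTF-16 name the way the FASM `name_end-name-2` idiom does, then shows what the object manager compares when Length is typed in as 26 for the 15-character name `\Device\DeviceX` (it sees only `\Device\Devic`), and what happens to a name shorter than 13 characters under the same typed-in Length (the comparison runs past the terminator into whatever the assembler placed next, so driver and client agree only if those bytes happen to match). The short name and the trailing bytes are constructed for the demonstration; the second case is consistent with an open failing with 0xC0000034 (STATUS_OBJECT_NAME_NOT_FOUND) only for short names.

```c
/*
 * Added example, not code from the thread: the x86 UNICODE_STRING that
 * IoCreateDevice and NtCreateFile receive, built from a UTF-16 name, and
 * what the object manager sees when Length is hard-coded instead of computed.
 * The byte "images" and the tails that follow the names are constructed here;
 * they stand in for whatever the assembler places after the string data.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* 32-bit layout: USHORT Length; USHORT MaximumLength; PWSTR Buffer; */
struct unicode_string32 {
    uint16_t Length;        /* bytes in use, NOT counting the terminating NUL */
    uint16_t MaximumLength; /* bytes available, normally Length + 2 */
    uint32_t Buffer;        /* here: offset of the string inside a byte image */
};

/* UTF-16 name from the thread's second driver: 15 characters. */
static const uint16_t DEVICE_NAME[] =
    { '\\','D','e','v','i','c','e','\\','D','e','v','i','c','e','X', 0 };
/* Constructed 10-character name, shorter than the 13 characters that 26 bytes cover. */
static const uint16_t SHORT_NAME[] =
    { '\\','D','e','v','i','c','e','\\','a','b', 0 };
/* Constructed bytes that follow the name in two different binaries. */
static const uint8_t TAIL_DRIVER[] = "section '' import";
static const uint8_t TAIL_CLIENT[] = "s1 db 'DeviceIoControl3'";

static size_t u16len(const uint16_t *s)
{
    size_t n = 0;
    while (s[n]) n++;
    return n;
}

/* The computed form, equivalent to FASM's
 *   dw name_end-name-2, name_end-name / dd name / name du '...',0 / name_end: */
static void unicode_string_init(struct unicode_string32 *us,
                                const uint16_t *name, uint32_t buffer_off)
{
    size_t chars = u16len(name);
    us->Length        = (uint16_t)(chars * 2);
    us->MaximumLength = (uint16_t)(chars * 2 + 2);
    us->Buffer        = buffer_off;
}

/* Serialise name (UTF-16LE, with its NUL) at image[0], then tail right after it. */
static size_t layout_name(uint8_t *image, size_t imgsz, const uint16_t *name,
                          const uint8_t *tail, size_t taillen)
{
    size_t units = u16len(name) + 1, i, off = 0;
    if (units * 2 + taillen > imgsz) return 0;
    for (i = 0; i < units; i++) {
        image[off++] = (uint8_t)(name[i] & 0xFF);
        image[off++] = (uint8_t)(name[i] >> 8);
    }
    memcpy(image + off, tail, taillen);
    return off + taillen;
}

/* Render exactly Length bytes of Buffer as ASCII: the kernel never looks at
 * the terminator, only at Length. */
static void unicode_string_view(const struct unicode_string32 *us,
                                const uint8_t *image, char *out, size_t outsz)
{
    size_t i, units = us->Length / 2;
    const uint8_t *p = image + us->Buffer;
    for (i = 0; i < units && i + 1 < outsz; i++) {
        uint16_t cu = (uint16_t)(p[2 * i] | (p[2 * i + 1] << 8));
        out[i] = (cu >= 0x20 && cu < 0x7F) ? (char)cu : '?';
    }
    out[i] = '\0';
}

/* Name comparison as the object manager does it: Length bytes, byte for byte.
 * Driver and client each hard-code the same Length but are followed by
 * different data. Returns 1 if the two names still match, 0 if not. */
static int hardcoded_names_match(const uint16_t *name, uint16_t hardcoded_len)
{
    uint8_t drv[64] = {0}, cli[64] = {0};
    if (!layout_name(drv, sizeof drv, name, TAIL_DRIVER, sizeof TAIL_DRIVER - 1)) return -1;
    if (!layout_name(cli, sizeof cli, name, TAIL_CLIENT, sizeof TAIL_CLIENT - 1)) return -1;
    return memcmp(drv, cli, hardcoded_len) == 0;
}

int device_name_length(void)
{
    struct unicode_string32 us;
    unicode_string_init(&us, DEVICE_NAME, 0);
    return us.Length;                      /* 30 */
}
int device_name_max_length(void)
{
    struct unicode_string32 us;
    unicode_string_init(&us, DEVICE_NAME, 0);
    return us.MaximumLength;               /* 32 */
}
/* With Length forced to 26 the 15-character name is cut to 13 characters. */
const char *device_name_seen_with_length_26(void)
{
    static char view[64];
    uint8_t img[64] = {0};
    struct unicode_string32 bad = { 26, 28, 0 };
    layout_name(img, sizeof img, DEVICE_NAME, TAIL_DRIVER, sizeof TAIL_DRIVER - 1);
    unicode_string_view(&bad, img, view, sizeof view);
    return view;                           /* "\Device\Devic" */
}
int long_name_match_with_length_26(void)  { return hardcoded_names_match(DEVICE_NAME, 26); } /* 1 */
int short_name_match_with_length_26(void) { return hardcoded_names_match(SHORT_NAME, 26); }  /* 0 */

int main(void)
{
    printf("Length=%d MaximumLength=%d\n", device_name_length(), device_name_max_length());
    printf("seen with Length=26: %s\n", device_name_seen_with_length_26());
    printf("15-char name, both sides Length=26: %s\n",
           long_name_match_with_length_26() ? "match" : "mismatch");
    printf("10-char name, both sides Length=26: %s\n",
           short_name_match_with_length_26() ? "match" : "mismatch");
    return 0;
}
```

The practical rule the program illustrates: derive Length from the string (in FASM, from the difference of two labels around the `du` data) and keep driver and client names identical, because a symbolic link created from a truncated name will never be found under the Win32 path the client expects.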
asmcoder 11 Aug 2008, 07:02
[content deleted]
Last edited by asmcoder on 14 Aug 2009, 14:56; edited 1 time in total
bcdsys 17 Aug 2008, 00:42
One more thing
Where are the input/output buffers for the I/O request handler stored? Where can I find a pointer to the buffers? I looked everywhere and could not find the answer.
asmcoder 17 Aug 2008, 12:30
[content deleted]
Last edited by asmcoder on 14 Aug 2009, 14:56; edited 1 time in total
bcdsys 20 Aug 2008, 22:06
I found a link to http://unitedcrew.org/viewtopic.php?p=70875 (same forum, different page) which has the structure offsets I needed (IRP + IO_STACK_LOCATION). I built a working speaker driver based on it.
Feryno 21 Aug 2008, 12:59
The header is usually created by the ring 3 application.
The app may create it in its stack or in its data section or in any writeable section (or even a read-only section if it is never written, e.g. created at the time of compiling the app). A pointer to the header is passed to the driver as a param from the ring 3 app; the question is just how the driver gets it. The answer is simple: IRP.Tail.Overlay.CurrentStackLocation - it is just a value at an offset in the IRP containing the pointer to the header.
Good to know that you made it work.
There was somewhere a kmd.inc file for win32 drivers but I don't know where; it is not necessary to count the offsets when you have KMD.INC.
Doing drivers is really big fun (and also a really big pain sometimes).
Copyright © 1999-2025, Tomasz Grysztar.