March 13: it is now possible to communicate with the kernel.


Hey, look back, look at it, no ... followed yesterday

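#include <windows.h>
#include <stdio.h>

/* Control code shared with the driver: a function code from the range the
 * SDK reserves for customers (see the CTL_CODE excerpt below). */
#define UTY_HOOK 2048

/*
 * User-mode client: open \\.\utyDriver, send UTY_HOOK with an empty input
 * buffer, and print what the driver copied into the output buffer.
 *
 * Returns 0 on success, 1 if the device cannot be opened or the request
 * fails (the Win32 error code is printed in both failure cases).
 */
int main(void)
{
    HANDLE handle;
    char buf[1024] = {0};   /* a byte buffer: the original's char *buf[1024] was an array of pointers */
    DWORD returnsize = 0;

    /* CreateFileA so the narrow path literal is correct whether or not UNICODE is defined. */
    handle = CreateFileA("\\\\.\\utyDriver", GENERIC_READ,
                         FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                         OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (handle == INVALID_HANDLE_VALUE) {
        /* GetLastError() is only meaningful after a failed call. */
        printf("CreateFile failed: %lu\n", GetLastError());
        return 1;
    }

    /* Offer one byte less than the buffer so the reply can always be NUL-terminated below. */
    if (!DeviceIoControl(handle, UTY_HOOK, NULL, 0, buf, sizeof buf - 1,
                         &returnsize, NULL)) {
        printf("DeviceIoControl failed: %lu\n", GetLastError());
        CloseHandle(handle);
        return 1;
    }

    /* Do not rely on the driver having terminated the bytes it returned. */
    if (returnsize > sizeof buf - 1) {
        returnsize = sizeof buf - 1;
    }
    buf[returnsize] = '\0';

    printf("%lu\n", returnsize);   /* %lu: returnsize is a DWORD, not an int */
    printf("%s\n", buf);

    CloseHandle(handle);
    return 0;
}
// --------------------------------------------------------------------------
// This is the user-mode app. After the driver is loaded, open a handle with
// CreateFile, then send the request with DeviceIoControl. The control code is
// the `#define UTY_HOOK 2048` defined in both the driver and the user-mode
// app, because the SDK header winioctl.h says: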

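//
// Macro definition for defining IOCTL and FSCTL function control codes.  Note
// that function codes 0-2047 are reserved for Microsoft Corporation, and
// 2048-4095 are reserved for customers.
//
// Layout: DeviceType in bits 16+, Access in bits 14-15, Function in bits 2-13,
// transfer Method in bits 0-1.  A bare value such as 2048 therefore decodes as
// DeviceType 0, Access 0, Function 512 and Method 0 (METHOD_BUFFERED), which is
// why the driver below can rely on Irp->AssociatedIrp.SystemBuffer.
//
#define CTL_CODE(DeviceType, Function, Method, Access) ( \
    ((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method) \
)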

So UTY_HOOK uses 2048, the first function code in the range reserved for customers.

Here is the driver, posted once more; the hook itself is not enabled yet.

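#include <ntddk.h>
//#pragma comment(lib, "ntdll.lib")

/* Generic native-API entry point type used for service-table entries. */
typedef NTSTATUS NTPROC();
typedef NTPROC *PNTPROC;
#define NTPROC_ sizeof(NTPROC)

/* Control code shared with the user-mode app (see the CTL_CODE discussion). */
#define UTY_HOOK 2048

/* One system service table.  The /*nnn*/ offsets are the 32-bit layout the
 * original listing documents; ArgumentTable is a pointer (0x0C -> 0x10). */
typedef struct _SYSTEM_SERVICE_TABLE {
/*000*/ PNTPROC  ServiceTable;    // array of entry points
/*004*/ LONG    *CounterTable;    // array of usage counters
/*008*/ LONG     ServiceLimit;    // number of table entries
/*00C*/ UCHAR   *ArgumentTable;   // array of byte counts
/*010*/ } SYSTEM_SERVICE_TABLE, *PSYSTEM_SERVICE_TABLE, **PPSYSTEM_SERVICE_TABLE;

#define SYSTEM_SERVICE_TABLE_ sizeof(SYSTEM_SERVICE_TABLE)

// --------------------------------------------------------------------------
typedef struct _SERVICE_DESCRIPTOR_TABLE {
/*000*/ SYSTEM_SERVICE_TABLE ntoskrnl;   // ntoskrnl.exe (native API)
/*010*/ SYSTEM_SERVICE_TABLE win32k;     // win32k.sys (GDI/USER)
/*020*/ SYSTEM_SERVICE_TABLE Table3;     // not used
/*030*/ SYSTEM_SERVICE_TABLE Table4;     // not used
/*040*/ } SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE, **PPSERVICE_DESCRIPTOR_TABLE;

#define SERVICE_DESCRIPTOR_TABLE_ sizeof(SERVICE_DESCRIPTOR_TABLE)

// --------------------------------------------------------------------------
/* Exported by ntoskrnl; only referenced from the commented-out hook lines. */
extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;

/* Dispatch routines installed by DriverEntry. */
VOID     utyDriverUnload(IN PDRIVER_OBJECT DriverObject);
NTSTATUS utyDriverIO(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
NTSTATUS utyDriverIOControl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);

/* Prototype of the replacement NtReadFile; NTSYSAPI/NTAPI are commented out
 * in the original listing, presumably because the DDK used did not define them. */
//NTSYSAPI
NTSTATUS
//NTAPI
utyNtReadFile(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID Buffer,
    IN ULONG Length,
    IN PLARGE_INTEGER ByteOffset OPTIONAL,
    IN PULONG Key OPTIONAL);

/* File-scope state.  utyDriverDeviceObject is the one device this driver
 * creates; the remaining globals are only used by the commented-out code. */
PDEVICE_OBJECT utyDriverDeviceObject = NULL;
ULONG out_size;              /* NOTE(review): written per request by the original
                              * dispatch routine; concurrent IOCTLs would race on it */
PFILE_OBJECT handle_object;
LONG temp;
char tempbuf[1024];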

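/*
 * DriverEntry: create \Device\utyDriver, expose it to user mode as
 * \DosDevices\utyDriver, and install the dispatch routines.  The SSDT patch
 * lines are commented out by the author, so loading this driver installs no
 * hook.
 *
 * Returns STATUS_SUCCESS, or STATUS_NO_SUCH_DEVICE if the device or the
 * symbolic link cannot be created.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    UNICODE_STRING ntDeviceName;
    UNICODE_STRING win32DeviceName;
    NTSTATUS status;

    RtlInitUnicodeString(&ntDeviceName, L"\\Device\\utyDriver");
    status = IoCreateDevice(DriverObject, 0, &ntDeviceName, FILE_DEVICE_UNKNOWN,
                            0, FALSE, &utyDriverDeviceObject);
    if (!NT_SUCCESS(status)) {
        return STATUS_NO_SUCH_DEVICE;
    }
    /* NOTE(review): no security descriptor or exclusive flag is supplied, so
     * any local user can open this device and issue IOCTLs; if that is not
     * intended, IoCreateDeviceSecure with an SDDL string is the usual fix. */
    utyDriverDeviceObject->Flags |= DO_BUFFERED_IO;   /* IOCTLs use SystemBuffer */

    RtlInitUnicodeString(&win32DeviceName, L"\\DosDevices\\utyDriver");
    status = IoCreateSymbolicLink(&win32DeviceName, &ntDeviceName);
    if (!NT_SUCCESS(status)) {
        /* The original returned here and leaked the device object. */
        IoDeleteDevice(utyDriverDeviceObject);
        utyDriverDeviceObject = NULL;
        return STATUS_NO_SUCH_DEVICE;
    }

    DriverObject->MajorFunction[IRP_MJ_CREATE]         = utyDriverIO;
    DriverObject->MajorFunction[IRP_MJ_CLOSE]          = utyDriverIO;
    DriverObject->MajorFunction[IRP_MJ_READ]           = utyDriverIO;
    DriverObject->MajorFunction[IRP_MJ_WRITE]          = utyDriverIO;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = utyDriverIOControl;
    DriverObject->DriverUnload                         = utyDriverUnload;

    // (disabled by the author) Two InterlockedExchange calls on
    // KeServiceDescriptorTable->ntoskrnl.ServiceTable entry 151: the first saves
    // the existing entry in `temp`, the second stores utyNtReadFile there.

    return STATUS_SUCCESS;
}
// --------------------------------------------------------------------------
/*
 * utyDriverUnload: undo DriverEntry.  The SSDT restore line is commented out
 * by the author, matching the disabled hook in DriverEntry.
 */
VOID utyDriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNICODE_STRING win32DeviceName;

    // (disabled by the author) InterlockedExchange restoring ServiceTable entry 151 from `temp`.

    RtlInitUnicodeString(&win32DeviceName, L"\\DosDevices\\utyDriver");
    IoDeleteSymbolicLink(&win32DeviceName);
    IoDeleteDevice(utyDriverDeviceObject);
}
// --------------------------------------------------------------------------
/*
 * Create / close / read / write: complete the IRP successfully with no data.
 *
 * The original returned Irp->IoStatus.Status after IoCompleteRequest; the IRP
 * must not be touched once completed, so the status is returned directly.
 */
NTSTATUS utyDriverIO(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}
// --------------------------------------------------------------------------
/*
 * IRP_MJ_DEVICE_CONTROL dispatch.  With DO_BUFFERED_IO (set in DriverEntry)
 * and a METHOD_BUFFERED control code, Irp->AssociatedIrp.SystemBuffer is both
 * the input and the output buffer and OutputBufferLength bounds what may be
 * written into it.
 *
 * Returns STATUS_SUCCESS with the reply copied out, STATUS_BUFFER_TOO_SMALL
 * if the caller's output buffer cannot hold it, or
 * STATUS_INVALID_DEVICE_REQUEST for any other control code.
 */
NTSTATUS utyDriverIOControl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    static const char reply[] = "Hi, this is from the kernel";
    PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(Irp);
    ULONG out_len = stack->Parameters.DeviceIoControl.OutputBufferLength;
    ULONG code = stack->Parameters.DeviceIoControl.IoControlCode;
    UCHAR *out_buffer = Irp->AssociatedIrp.SystemBuffer;
    NTSTATUS ret = STATUS_SUCCESS;
    ULONG_PTR info = 0;

    switch (code) {
    case UTY_HOOK:
        /* The original copied 30 bytes out of a 28-byte literal (over-read)
         * without checking OutputBufferLength, so a short user buffer would
         * overflow the system buffer.  Bound the copy by the caller's length
         * and by the literal's real size. */
        if (out_len < sizeof reply) {
            ret = STATUS_BUFFER_TOO_SMALL;
            break;
        }
        RtlCopyBytes(out_buffer, reply, sizeof reply);
        info = sizeof reply;
        break;
    default:
        ret = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    Irp->IoStatus.Status = ret;
    Irp->IoStatus.Information = info;   /* bytes the I/O manager copies back to user mode */
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return ret;
}
// --------------------------------------------------------------------------
/*
 * Replacement NtReadFile that the (disabled) hook would install.  As written
 * it is a stub: the body that resolved FileHandle to its FILE_OBJECT is
 * commented out, and it returns STATUS_SUCCESS without performing any I/O.
 */
//NTSYSAPI
NTSTATUS
//NTAPI
utyNtReadFile(
    IN HANDLE FileHandle,
    IN HANDLE Event OPTIONAL,
    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
    IN PVOID ApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    OUT PVOID Buffer,
    IN ULONG Length,
    IN PLARGE_INTEGER ByteOffset OPTIONAL,
    IN PULONG Key OPTIONAL)
{
    /*
    if (NT_SUCCESS(ObReferenceObjectByHandle(FileHandle, 0x80000000, 0, 0, (void *)handle_object, 0))) {
        RtlUnicodeStringToAnsiString((PANSI_STRING)tempbuf, (PUNICODE_STRING)&handle_object->FileName, FALSE);
        //RtlCopyString(tempbuf, (char *)handle_object->FileName);
    }
    */
    return STATUS_SUCCESS;
}
// --------------------------------------------------------------------------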

The most important part is the IOCTL dispatch routine:

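/*
 * The IRP_MJ_DEVICE_CONTROL dispatch routine, annotated.
 *
 * DriverEntry sets DO_BUFFERED_IO and the user-mode app sends a code whose low
 * two bits are 0 (METHOD_BUFFERED), so Irp->AssociatedIrp.SystemBuffer holds
 * the caller's data on the way in and receives the reply on the way out.
 *
 * Returns STATUS_SUCCESS, STATUS_BUFFER_TOO_SMALL when the caller's output
 * buffer is shorter than the reply, or STATUS_INVALID_DEVICE_REQUEST for an
 * unknown control code.
 */
NTSTATUS utyDriverIOControl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    static const char reply[] = "Hi, this is from the kernel";
    PIO_STACK_LOCATION stack;
    UCHAR *out_buffer;
    ULONG code, out_len;
    NTSTATUS ret = STATUS_SUCCESS;
    ULONG_PTR info = 0;

    stack = IoGetCurrentIrpStackLocation(Irp);
    // Every driver in a device stack (PDO, FDO, filter DO) has its own
    // IO_STACK_LOCATION for a given IRP; this returns ours.

    out_len = stack->Parameters.DeviceIoControl.OutputBufferLength;
    // Corresponds to nOutBufferSize in the user-mode DeviceIoControl call.
    // Kept in a local rather than the file-scope out_size: two concurrent
    // requests would otherwise race on the global.

    code = stack->Parameters.DeviceIoControl.IoControlCode;
    // Corresponds to dwIoControlCode in DeviceIoControl.

    out_buffer = Irp->AssociatedIrp.SystemBuffer;
    // This is the kernel copy of the user-mode buffer, and the same buffer is
    // copied back to user mode on completion.  Input from user mode arrives in
    // it as well, so passing data into the kernel works the same way.

    switch (code) {
    case UTY_HOOK:
        // Check the caller's length first: with a buffer shorter than the
        // reply, an unchecked copy would overrun the system buffer.  Copy the
        // literal's real size (28 bytes incl. NUL), not a hard-coded 30.
        if (out_len < sizeof reply) {
            ret = STATUS_BUFFER_TOO_SMALL;
            break;
        }
        RtlCopyBytes(out_buffer, reply, sizeof reply);
        info = sizeof reply;
        // Irp->IoStatus.Information is the number of bytes returned; when it
        // is 0, user-mode lpBytesReturned is 0 and nothing lands in the buffer.
        break;
    default:
        ret = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    Irp->IoStatus.Status = ret;
    Irp->IoStatus.Information = info;

    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    // This completion is essential: without it the user-mode call never
    // returns and the driver cannot be unloaded.  IoCompleteRequest hands the
    // IRP back to the I/O manager, ending the association between the IRP and
    // its IO_STACK_LOCATIONs.  From "Windows Operating System Principles":
    // whenever a kernel-mode component creates an IRP it also creates an
    // associated I/O stack; each unit of that stack is an IO_STACK_LOCATION
    // and corresponds to one driver that will process the IRP.  A driver
    // finds its own unit for a given IRP by calling
    // IoGetCurrentIrpStackLocation, which returns a pointer to the current
    // I/O stack location.
    return ret;
}
// --------------------------------------------------------------------------
// That is all there is to it.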

Next, this mechanism should be put to some useful purpose.

转载请注明原文地址:https://www.9cbs.com/read-47520.html
