參考資訊:
https://wasm.in/
http://four-f.narod.ru/
https://github.com/steward-fu/ddk
main.pas
unit main;
interface
uses
DDDK;
const
DEV_NAME = '\Device\MyDriver';
function __DriverEntry(pMyDriver : PDRIVER_OBJECT; pMyRegistry : PUNICODE_STRING) : NTSTATUS; stdcall;
implementation
function AddDevice(pMyDriver : WDFDRIVER; pDeviceInit : PWDFDEVICE_INIT) : NTSTATUS; stdcall;
var
device : WDFDEVICE;
szDevName : UNICODE_STRING;
begin
DbgPrint('Hello, world!', []);
RtlInitUnicodeString(@szDevName, DEV_NAME);
WdfDeviceInitAssignName(pDeviceInit, @szDevName);
WdfDeviceCreate(@pDeviceInit, WDF_NO_OBJECT_ATTRIBUTES, @device);
Result := STATUS_SUCCESS;
end;
function __DriverEntry(pMyDriver : PDRIVER_OBJECT; pMyRegistry : PUNICODE_STRING) : NTSTATUS; stdcall;
var
config : WDF_DRIVER_CONFIG;
begin
WDF_DRIVER_CONFIG_INIT(@config, AddDevice);
WdfDriverCreate(pMyDriver, pMyRegistry, WDF_NO_OBJECT_ATTRIBUTES, @config, WDF_NO_HANDLE);
Result := STATUS_SUCCESS;
end;
end.
loader.asm
.386p
.model flat, stdcall
option casemap : none
include c:\masm32\Macros\Strings.mac
include c:\masm32\include\w2k\ntdef.inc
include c:\masm32\include\w2k\ntstatus.inc
include c:\masm32\include\w2k\ntddk.inc
include c:\masm32\include\w2k\ntoskrnl.inc
include c:\masm32\include\w2k\ntddkbd.inc
include c:\masm32\include\wdf\umdf\1.9\wudfddi_types.inc
include c:\masm32\include\wdf\kmdf\1.9\wdf.inc
include c:\masm32\include\wdf\kmdf\1.9\wdftypes.inc
include c:\masm32\include\wdf\kmdf\1.9\wdfglobals.inc
include c:\masm32\include\wdf\kmdf\1.9\wdffuncenum.inc
include c:\masm32\include\wdf\kmdf\1.9\wdfobject.inc
include c:\masm32\include\wdf\kmdf\1.9\wdfdevice.inc
include c:\masm32\include\wdf\kmdf\1.9\wdfdriver.inc
includelib c:\masm32\lib\wxp\i386\BufferOverflowK.lib
includelib c:\masm32\lib\wdf\kmdf\i386\1.9\wdfldr.lib
includelib c:\masm32\lib\wdf\kmdf\i386\1.9\wdfdriverentry.lib
public DriverEntry
extern _DriverEntry : proc
DriverEntry proc pMyDriver : PDRIVER_OBJECT, pMyRegistry : PUNICODE_STRING
push pMyRegistry
push pMyDriver
call _DriverEntry
ret
DriverEntry endp
end DriverEntry
.end
由於dcc32.exe缺少Buffer Security Check編譯選項,因此,司徒使用MASM32寫了一個Loader,當作中間媒介,用來呼叫Pascal的DriverEntry()
main.inf
[Version] Signature=$CHICAGO$ Class=Unknown Provider=%MFGNAME% DriverVer=11/11/2024,1.0.0.0 [Manufacturer] %MFGNAME%=DeviceList [DeviceList] %DESCRIPTION%=DriverInstall, *MyDriver [DestinationDirs] DefaultDestDir=10,System32\Drivers [SourceDisksFiles] main.sys=1,,, [SourceDisksNames] 1=%INSTDISK%,,, [DriverInstall.NT] CopyFiles=DriverCopyFiles [DriverCopyFiles] main.sys,,,2 [DriverInstall.NT.Services] AddService=FILEIO,2,DriverService [DriverService] ServiceType=1 StartType=3 ErrorControl=1 ServiceBinary=%10%\system32\drivers\main.sys [DriverInstall.NT.HW] AddReg=DriverHwAddReg [DriverHwAddReg] HKR,,SampleInfo,,"" [DriverInstall] AddReg=DriverAddReg CopyFiles=DriverCopyFiles [DriverAddReg] HKR,,DevLoader,,*ntkern HKR,,NTMPDriver,,main.sys [DriverInstall.HW] AddReg=DriverHwAddReg [Strings] MFGNAME="MyDriver" INSTDISK="MyDriver Disc" DESCRIPTION="MyDriver"
編譯
del /s /q main.sys c:\masm32\bin\ml /c /coff /Cp "loader.asm" c:\dddk\bin\dcc32.exe -Uc:\dddk\inc -B -CG -JP -$A-,C-,D-,G-,H-,I-,L-,P-,V-,W+,Y- main.pas c:\dddk\bin\omf2d.exe main.obj c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEWdfFunctions=_WdfFunctions 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEWdfDriverGlobals=_WdfDriverGlobals 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEZwClose=_ZwClose@4 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEDbgPrint=_DbgPrint 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEExFreePool=_ExFreePool@4 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEKeSetTimer=_KeSetTimer@16 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEIoStopTimer=_IoStopTimer@4 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEIoCallDriver=_IoCallDriver@8 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEIoStartTimer=_IoStartTimer@4 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEKeSetTimerEx=_KeSetTimerEx@20 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEProbeForRead=_ProbeForRead@12 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CERtlZeroMemory=_RtlZeroMemory@8 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEKeCancelTimer=_KeCancelTimer@4 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEIoStartPacket=_IoStartPacket@16 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEZwOpenProcess=_ZwOpenProcess@16 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEIoDetachDevice=_IoDetachDevice@4 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEIoDeleteDevice=_IoDeleteDevice@4 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEExAllocatePool=_ExAllocatePool@8 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEKeReleaseMutex=_KeReleaseMutex@8 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEIoCsqInsertIrp=_IoCsqInsertIrp@12 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEIoCreateDevice=_IoCreateDevice@28 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEKeInitializeDpc=_KeInitializeDpc@12 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEIoCsqInitialize=_IoCsqInitialize@28 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEIoStartNextPacket=_IoStartNextPacket@8 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEIoCompleteRequest=_IoCompleteRequest@8 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEKeInitializeMutex=_KeInitializeMutex@8 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEKeInitializeTimer=_KeInitializeTimer@4 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEKeReleaseSpinLock=_KeReleaseSpinLock@8 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEIoInitializeTimer=_IoInitializeTimer@12 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEObDereferenceObject=_ObDereferenceObject@4 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEIoGetCurrentProcess=_IoGetCurrentProcess@0 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEInterlockedExchange=@InterlockedExchange@8 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEKeInitializeSpinLock=_KeInitializeSpinLock@4 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEIoCreateSymbolicLink=_IoCreateSymbolicLink@8 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEIoDeleteSymbolicLink=_IoDeleteSymbolicLink@4 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CERtlInitUnicodeString=_RtlInitUnicodeString@8 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEPsCreateSystemThread=_PsCreateSystemThread@28 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEKeWaitForSingleObject=_KeWaitForSingleObject@20 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEExAllocatePoolWithTag=_ExAllocatePoolWithTag@12 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEKeDelayExecutionThread=_KeDelayExecutionThread@12 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEKeServiceDescriptorTable=_KeServiceDescriptorTable 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEExAllocatePoolWithQuota=_ExAllocatePoolWithQuota@8 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEPsTerminateSystemThread=_PsTerminateSystemThread@4 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEObReferenceObjectByHandle=_ObReferenceObjectByHandle@24 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEIoAttachDeviceToDeviceStack=_IoAttachDeviceToDeviceStack@8 2>nul c:\dddk\bin\omf2d.exe c:\dddk\inc\dddk.obj /U- /CEMmMapLockedPagesSpecifyCache=_MmMapLockedPagesSpecifyCache@24 2>nul c:\dddk\bin\link.exe /entry:FxDriverEntry@8 /NOLOGO /ALIGN:64 /BASE:0x10000 /SUBSYSTEM:NATIVE /DRIVER /FORCE:UNRESOLVED /FORCE:MULTIPLE c:\dddk\inc\DDDK.obj c:\dddk\lib\ntoskrnl.lib c:\dddk\lib\wdf\kmdf\i386\1.9\wdfdriverentry.lib c:\dddk\lib\wdf\kmdf\i386\1.9\wdfldr.lib main.obj loader.obj /out:main.sys del /s /q main.dcu del /s /q main.obj del /s /q loader.obj
在開始安裝驅動程式之前,需要先下載除錯工具,讓驅動程式的Debug訊息可以顯示在除錯工具上面,目前最佳的Debug輸出訊息工具是DbgView,該公司目前已經被Microsoft併購,所以可以從Microsoft網站下載,下載完後執行DbgView並將Capture => Capture Kernel選項打勾,接著重啟DbgView
對於驅動程式的安裝工具,司徒目前使用NuMega公司製作的EzDriverInstaller,將main.sys和main.inf放在同一個目錄並執行EzDriverInstaller,選擇File => Open...(開啟main.inf檔案),接著按Add New Device就可以在DbgView上面看到輸出訊息
Device Manager
Device Object
司徒接著說明一下為何需要這個Loader?因為在Link階段,FxDriverEntryWorker()無法找到對應的DriverEntry(),即使司徒已經確定Export成_DriverEntry@8,而另一個問題則是Security Cookie Check,這部份尚不知如何從dcc32.exe設定,因此,司徒只好寫一個Loader,讓這個Loader可以跟FxDriverEntryWork()連結,順便解掉Cookie問題
wdfdriverentry.lib(stub.obj) : error LNK2019: unresolved external symbol _DriverEntry@8 referenced in function _FxDriverEntryWorker@8 wdfdriverentry.lib(stub.obj) : error LNK2019: unresolved external symbol ___security_init_cookie referenced in function _FxDriverEntry@8
如果強制安裝驅動測試來使用,必定發生BSOD,原因如下:
原本要指到security_init_cookie()的地方,變成指到PE Header,雖然司徒嘗試手動Patch修復,但是,安裝後還是有點問題,於是,司徒最後只好使用一個簡單的Loader替代