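/// <summary>
/// Unloads a kernel driver service and removes its on-disk image and its service key.
/// </summary>
/// <param name="ServiceName">Name of the service key under SYSTEM\CurrentControlSet\Services.</param>
/// <returns>
/// <c>true</c> when the driver was unloaded (or the MsIo driver was not loaded to begin with) and the
/// driver file and service key were removed or the service key was already absent; <c>false</c> when
/// NtUnloadDriver, the file deletion or the registry deletion fails.
/// </returns>
/// <remarks>
/// NtUnloadDriver is only attempted when <see cref="Wrapper.IsMsIoLoaded"/> reports the driver as loaded.
/// The ImagePath value is read from the service key; relative ImagePath values (e.g. system32\drivers\x.sys)
/// are not resolved against the system directory here, so deletion of such images fails and returns false.
/// </remarks>
public static Boolean UnLoadDriver(String ServiceName)
{
    String serviceKeyPath = @"SYSTEM\CurrentControlSet\Services\" + ServiceName;

    if (!Wrapper.IsMsIoLoaded())
    {
        Console.WriteLine("[+] MsIo driver is not currently loaded..");
    }
    else
    {
        // NtUnloadDriver takes the registry path of the service key, not the bare service name.
        APIDef.UNICODE_STRING uDriverServiceName = new APIDef.UNICODE_STRING();
        APIDef.RtlInitUnicodeString(ref uDriverServiceName, @"\Registry\Machine\System\CurrentControlSet\Services\" + ServiceName);
        UInt32 CallRes = APIDef.NtUnloadDriver(ref uDriverServiceName);
        if (CallRes != APIDef.NTSTATUS_STATUS_SUCCESS)
        {
            Console.WriteLine("[!] Failed to unload driver..");
            return false;
        }
        Console.WriteLine("[+] NtUnloadDriver -> Success");
    }

    // Read ImagePath from the service key. RegistryKey is IDisposable, so it is closed by the using block.
    String driverFilePath;
    try
    {
        using (RegistryKey hServiceKey = Registry.LocalMachine.OpenSubKey(serviceKeyPath))
        {
            if (hServiceKey == null)
            {
                Console.WriteLine("[+] Driver service registry entry not found..");
                return true;
            }
            driverFilePath = hServiceKey.GetValue("ImagePath") as String;
        }
    }
    catch
    {
        Console.WriteLine("[+] Driver service registry entry not found..");
        return true;
    }

    // Delete the driver image from disk.
    try
    {
        if (driverFilePath == null)
        {
            // No ImagePath value: nothing to delete, treated as a failure like a missing file would be.
            Console.WriteLine("[!] Failed to delete driver from disk..");
            return false;
        }

        // ImagePath is normally an NT path (\??\C:\...\driver.sys); strip the prefix so File.* gets a Win32 path.
        // Only the leading prefix is removed; trailing '\' or '?' characters are left untouched.
        const String ntPrefix = @"\??\";
        if (driverFilePath.StartsWith(ntPrefix, StringComparison.Ordinal))
        {
            driverFilePath = driverFilePath.Substring(ntPrefix.Length);
        }

        // Clear read-only and similar attributes first so Delete does not fail on them.
        File.SetAttributes(driverFilePath, FileAttributes.Normal);
        File.Delete(driverFilePath);
        Console.WriteLine("[+] Driver deleted from disk");
    }
    catch
    {
        Console.WriteLine("[!] Failed to delete driver from disk..");
        return false;
    }

    // Remove the service key and everything under it.
    try
    {
        Registry.LocalMachine.DeleteSubKeyTree(serviceKeyPath);
        Console.WriteLine("[+] Driver service artifacts deleted");
    }
    catch
    {
        Console.WriteLine("[!] Failed to delete registry key..");
        return false;
    }

    return true;
}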
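/// <summary>
/// Checks whether the object manager directory \Driver contains an entry named
/// <paramref name="DriverServiceName"/> (i.e. whether a driver object of that name exists).
/// </summary>
/// <param name="DriverServiceName">Driver object name to look for; compared ordinally and case-sensitively.</param>
/// <returns>
/// <c>true</c> if an entry with that exact name is found; <c>false</c> if the directory cannot be opened,
/// an enumeration call fails, or the entries are exhausted without a match.
/// </returns>
/// <remarks>
/// Requires DIRECTORY_QUERY access to \Driver. The directory handle and the unmanaged buffers allocated
/// here are released on every return path.
/// </remarks>
public static Boolean DirectoryObjectContainsDevice(String DriverServiceName)
{
    APIDef.UNICODE_STRING ObjectName = new APIDef.UNICODE_STRING();
    APIDef.RtlInitUnicodeString(ref ObjectName, "\\Driver");
    IntPtr pObjectName = Marshal.AllocHGlobal(Marshal.SizeOf(ObjectName));
    IntPtr hDirectory = IntPtr.Zero;
    try
    {
        // fDeleteOld = false: the target memory is freshly allocated and holds nothing to release.
        Marshal.StructureToPtr(ObjectName, pObjectName, false);

        APIDef.OBJECT_ATTRIBUTES oa = new APIDef.OBJECT_ATTRIBUTES();
        oa.Length = Marshal.SizeOf(oa);
        oa.RootDirectory = IntPtr.Zero;
        oa.Attributes = 0x40; // OBJ_CASE_INSENSITIVE
        oa.ObjectName = pObjectName;
        oa.SecurityDescriptor = IntPtr.Zero;
        oa.SecurityQualityOfService = IntPtr.Zero;

        UInt32 CallRes = APIDef.NtOpenDirectoryObject(ref hDirectory, 0x1, ref oa); // 0x1 = DIRECTORY_QUERY
        if (CallRes != APIDef.NTSTATUS_STATUS_SUCCESS)
        {
            Console.WriteLine("[!] Failed to open DirectoryObject..");
            return false;
        }

        // Walk the directory one entry at a time. Each iteration first issues a zero-length query to
        // learn the required size (expected STATUS_BUFFER_TOO_SMALL) and then fetches the entry.
        // Any other status on the sizing call -- including the end-of-directory status -- ends the scan.
        UInt32 ctx = 0;
        while (true)
        {
            UInt32 RetLen = 0;
            CallRes = APIDef.NtQueryDirectoryObject(hDirectory, IntPtr.Zero, 0, true, false, ref ctx, ref RetLen);
            if (CallRes != APIDef.NTSTATUS_STATUS_BUFFER_TOO_SMALL)
            {
                return false;
            }

            IntPtr AllocPtr = Marshal.AllocHGlobal((Int32)RetLen);
            try
            {
                CallRes = APIDef.NtQueryDirectoryObject(hDirectory, AllocPtr, RetLen, true, false, ref ctx, ref RetLen);
                if (CallRes != APIDef.NTSTATUS_STATUS_SUCCESS)
                {
                    return false;
                }

                APIDef.OBJECT_DIRECTORY_INFORMATION odi =
                    (APIDef.OBJECT_DIRECTORY_INFORMATION)Marshal.PtrToStructure(AllocPtr, typeof(APIDef.OBJECT_DIRECTORY_INFORMATION));

                // UNICODE_STRING buffers are not guaranteed to be NUL-terminated; read exactly Length bytes
                // (Length is in bytes, PtrToStringUni takes a character count).
                String entryName = Marshal.PtrToStringUni(odi.Name.Buffer, odi.Name.Length / 2);
                if (String.Equals(entryName, DriverServiceName, StringComparison.Ordinal))
                {
                    return true;
                }
            }
            finally
            {
                Marshal.FreeHGlobal(AllocPtr);
            }
        }
    }
    finally
    {
        if (hDirectory != IntPtr.Zero)
        {
            // Wrapping the raw NT handle in an owning SafeHandle closes it (CloseHandle) on Dispose.
            new Microsoft.Win32.SafeHandles.SafeFileHandle(hDirectory, true).Dispose();
        }
        Marshal.FreeHGlobal(pObjectName);
    }
}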
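/// <summary>
/// Registers a kernel-mode driver service under SYSTEM\CurrentControlSet\Services and loads it with NtLoadDriver.
/// </summary>
/// <param name="DriverPath">DOS path of the driver image; converted to an NT path for the ImagePath value.</param>
/// <param name="ServiceName">Name of the service key to create.</param>
/// <returns><c>true</c> when the service key was written and NtLoadDriver succeeded; <c>false</c> otherwise.</returns>
/// <remarks>
/// Writing the service key and calling NtLoadDriver require administrative rights (NtLoadDriver additionally
/// needs SeLoadDriverPrivilege). If NtLoadDriver fails, the service key created here is left in place, as in
/// the original implementation; callers wanting a clean state should remove it.
/// </remarks>
public static Boolean LoadDriver(String DriverPath, String ServiceName)
{
    APIDef.UNICODE_STRING dus = new APIDef.UNICODE_STRING();
    Boolean bCallRes = APIDef.RtlDosPathNameToRelativeNtPathName_U(DriverPath, ref dus, IntPtr.Zero, IntPtr.Zero);
    if (!bCallRes)
    {
        Console.WriteLine("[!] Failed to get Nt path from DOS path..");
        return false;
    }

    // NOTE(review): the NT path buffer in dus is allocated by the runtime library and is not released here
    // (no RtlFreeUnicodeString/RtlReleaseRelativeName binding is visible in APIDef); it leaks once per call.
    // dus.Length is in bytes; PtrToStringUni takes a character count.
    String driverNtPath = Marshal.PtrToStringUni(dus.Buffer, dus.Length / 2);
    Console.WriteLine("[>] Driver Nt path: " + driverNtPath);

    String serviceKeyPath = @"SYSTEM\CurrentControlSet\Services\" + ServiceName;
    try
    {
        // RegistryKey is IDisposable; the using block closes it once the values are written.
        using (RegistryKey hServiceKey = Registry.LocalMachine.CreateSubKey(serviceKeyPath))
        {
            try
            {
                Console.WriteLine("[>] Driver registration: " + hServiceKey.Name);
                hServiceKey.SetValue("ErrorControl", APIDef.SERVICE_ERROR_NORMAL, RegistryValueKind.DWord);
                hServiceKey.SetValue("Type", APIDef.SERVICE_KERNEL_DRIVER, RegistryValueKind.DWord);
                hServiceKey.SetValue("Start", APIDef.SERVICE_DEMAND_START, RegistryValueKind.DWord);
                hServiceKey.SetValue("ImagePath", driverNtPath, RegistryValueKind.ExpandString);
            }
            catch
            {
                Console.WriteLine("[!] Failed to create registry value entry..");
                return false;
            }
        }
    }
    catch
    {
        Console.WriteLine("[!] Failed to create registry key..");
        return false;
    }

    // NtLoadDriver takes the registry path of the service key just written.
    APIDef.UNICODE_STRING uDriverServiceName = new APIDef.UNICODE_STRING();
    APIDef.RtlInitUnicodeString(ref uDriverServiceName, @"\Registry\Machine\System\CurrentControlSet\Services\" + ServiceName);
    UInt32 CallRes = APIDef.NtLoadDriver(ref uDriverServiceName);
    if (CallRes != APIDef.NTSTATUS_STATUS_SUCCESS)
    {
        Console.WriteLine("[!] Failed to load driver..");
        return false;
    }

    Console.WriteLine("[?] NtLoadDriver -> Success");
    return true;
}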
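/// <summary>
/// Opens a handle to the MsIo device object (\DosDevices\MsIo) via NtCreateFile.
/// </summary>
/// <returns>
/// The device handle on success; <see cref="IntPtr.Zero"/> when the driver is not loaded, access is denied,
/// or NtCreateFile fails for any other reason (the NTSTATUS is printed in hex).
/// </returns>
/// <remarks>
/// The caller owns the returned handle and is responsible for closing it. The unmanaged copy of the
/// object name is freed before returning; the kernel has already captured it by then.
/// </remarks>
public static IntPtr GetDriverHandle()
{
    if (!Wrapper.IsMsIoLoaded())
    {
        Console.WriteLine("[!] MsIo driver is not currently loaded..");
        return IntPtr.Zero;
    }

    APIDef.UNICODE_STRING ObjectName = new APIDef.UNICODE_STRING();
    APIDef.RtlInitUnicodeString(ref ObjectName, "\\DosDevices\\MsIo");
    IntPtr pObjectName = Marshal.AllocHGlobal(Marshal.SizeOf(ObjectName));
    try
    {
        // fDeleteOld = false: the target memory is freshly allocated and holds nothing to release.
        Marshal.StructureToPtr(ObjectName, pObjectName, false);

        APIDef.OBJECT_ATTRIBUTES objectAttributes = new APIDef.OBJECT_ATTRIBUTES();
        objectAttributes.Length = Marshal.SizeOf(objectAttributes);
        objectAttributes.ObjectName = pObjectName;
        objectAttributes.Attributes = 0x40; // OBJ_CASE_INSENSITIVE

        APIDef.IO_STATUS_BLOCK ioStatusBlock = new APIDef.IO_STATUS_BLOCK();
        IntPtr hDriver = IntPtr.Zero;

        // NOTE(review): WRITE_DAC is requested on top of generic read/write. It only grants the right to
        // rewrite the device's DACL, which an IOCTL channel does not need -- confirm whether it can be dropped
        // to keep the handle at least privilege.
        UInt32 desiredAccess = (UInt32)(APIDef.FileAccessFlags.WRITE_DAC
                                        | APIDef.FileAccessFlags.FILE_GENERIC_READ
                                        | APIDef.FileAccessFlags.FILE_GENERIC_WRITE);

        // Positional NtCreateFile arguments after IoStatusBlock: AllocationSize = null, FileAttributes = 0,
        // ShareAccess = 0, CreateDisposition = 0x1 (FILE_OPEN), CreateOptions = 0, EaBuffer = null, EaLength = 0.
        UInt32 CallRes = APIDef.NtCreateFile(ref hDriver, desiredAccess, ref objectAttributes, ref ioStatusBlock,
                                             IntPtr.Zero, 0, 0, 0x1, 0, IntPtr.Zero, 0);

        if (CallRes == APIDef.NTSTATUS_STATUS_SUCCESS)
        {
            return hDriver;
        }

        if (CallRes == APIDef.NTSTATUS_STATUS_ACCESS_DENIED)
        {
            Console.WriteLine("[!] STATUS_ACCESS_DENIED : You must run VirtToPhys as Administrator..");
        }
        else
        {
            Console.WriteLine("[!] Failed to get device handle : " + string.Format("{0:X}", CallRes));
        }
        return IntPtr.Zero;
    }
    finally
    {
        // Released on every path; the original never freed this allocation.
        Marshal.FreeHGlobal(pObjectName);
    }
}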