Last active
February 4, 2025 02:14
-
-
Save MurylloEx/9b7552d1c587a6792c1128b53fe58108 to your computer and use it in GitHub Desktop.
amifldrv64.sys driver reversal functions
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject) | |
| { | |
| UNICODE_STRING DestinationString = { 0 }; | |
| UNICODE_STRING SymbolicLinkName = { 0 }; | |
| PDEVICE_OBJECT DeviceObject = NULL; | |
| RtlInitUnicodeString(&DestinationString, L"\\Device\\genericdrv"); | |
| BOOLEAN Exclusive = FALSE; | |
| NTSTATUS Status = IoCreateDevice( | |
| DriverObject, | |
| 56LL, | |
| &DestinationString, | |
| 64000LL, | |
| NULL, | |
| Exclusive, | |
| &DeviceObject); | |
| if (NT_SUCCESS(Status)) | |
| { | |
| RtlInitUnicodeString(&SymbolicLinkName, L"\\??\\genericdrv"); | |
| Status = IoCreateSymbolicLink(&SymbolicLinkName, &DestinationString); | |
| if (NT_SUCCESS(Status)) | |
| { | |
| DriverObject->MajorFunction[IRP_MJ_CREATE] = sub_11B70; | |
| DriverObject->MajorFunction[IRP_MJ_CLOSE] = sub_11B70; | |
| DriverObject->MajorFunction[IRP_MJ_READ] = sub_11B70; | |
| DriverObject->MajorFunction[IRP_MJ_WRITE] = sub_11B70; | |
| DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = sub_11B70; | |
| DriverObject->DriverUnload = sub_11BF0; | |
| RtlZeroMemory(DeviceObject->DeviceExtension, 56LL); | |
| } | |
| else | |
| { | |
| IoDeleteDevice(DeviceObject); | |
| } | |
| } | |
| return Status; | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| NTSTATUS HandleRequest(PDEVICE_OBJECT DeviceObject, PIRP Irp) | |
| { | |
| PIO_STACK_LOCATION irpSp = IoGetCurrentIrpStackLocation(Irp); | |
| PVOID requestBuffer = irpSp->Parameters.Others.Argument1; | |
| PUCHAR requestType = (PUCHAR)requestBuffer; | |
| ULONG outputSize = 0; | |
| *(PULONG)&irpSp->Parameters.Others.Argument2 = 0; | |
| *(PVOID *)&irpSp->Parameters.Others.Argument3 = NULL; | |
| if (*requestType == 14) | |
| { | |
| ULONG length = *((PULONG)(requestType + 8)); | |
| PVOID context = irpSp->Parameters.Others.Argument4; | |
| PULONG outputBuffer = (PULONG)&irpSp->Parameters.Others.Argument3; | |
| *outputBuffer = 0; | |
| outputSize = sub_11C2C( | |
| *((PULONG)(requestType + 24)), | |
| context, | |
| *((PULONG)(requestType + 16)), | |
| context, | |
| length, | |
| outputBuffer, | |
| DeviceObject->DeviceExtension); | |
| *(PULONG)&irpSp->Parameters.Others.Argument2 = outputSize; | |
| } | |
| IoCompleteRequest(Irp, IO_NO_INCREMENT); | |
| return outputSize; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment