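#ifndef DRVCOMM_H
#define DRVCOMM_H
/*
 * Shared driver/application communication contract for the "hookA" device:
 * device names, the response-type tags, and the IOCTL codes both sides use.
 *
 * The include guard was renamed: identifiers beginning with a double
 * underscore are reserved for the implementation in C, so the previous
 * __DRVCOMM_H__ spelling was non-conforming. No other macro changed.
 */

// Device names (NT object path and the user-mode visible DOS alias).
#define DEVICE_NAME     L"\\Device\\hookA"
#define DOS_DEVICE_NAME L"\\DosDevices\\hookA"

// Types of response buffer: the value the driver places in
// DRVCOMM_RESPONSE_BUFFER.type to say which union member is valid.
#define RESPONSE_NOTIFY_LOAD_DRIVER_CHECK     0x00000001
#define RESPONSE_NOTIFY_PHYSICAL_MEMORY_CHECK 0x00000002
#define RESPONSE_NOTIFY_PROCESS_CHECK         0x00000101
#define RESPONSE_NOTIFY_FILE_CHECK            0x00000102

// IO control codes.
// All codes use METHOD_BUFFERED and require FILE_READ_DATA | FILE_WRITE_DATA
// on the handle. NOTE(review): the CTL_CODE access bits only constrain the
// handle; who may open the device at all is decided by the device object's
// security descriptor on the driver side, which this header does not show —
// confirm it there, since these codes change protection state and answer
// access decisions.

// HOOK_START initiates hooks
#define IOCTL_HOOK_START       CTL_CODE(FILE_DEVICE_UNKNOWN,0x800,METHOD_BUFFERED,FILE_READ_DATA | FILE_WRITE_DATA)
// HOOK_STOP unhooks hooked functions
#define IOCTL_HOOK_STOP        CTL_CODE(FILE_DEVICE_UNKNOWN,0x801,METHOD_BUFFERED,FILE_READ_DATA | FILE_WRITE_DATA)

// PROTECT_PROCESS adds/removes process protection
// (request: parameters.protect_process)
#define IOCTL_PROTECT_PROCESS  CTL_CODE(FILE_DEVICE_UNKNOWN,0x880,METHOD_BUFFERED,FILE_READ_DATA | FILE_WRITE_DATA)
// PROTECT_FILE adds/removes file protection
// (request: parameters.protect_file) — comment previously said "Process".
#define IOCTL_PROTECT_FILE     CTL_CODE(FILE_DEVICE_UNKNOWN,0x881,METHOD_BUFFERED,FILE_READ_DATA | FILE_WRITE_DATA)

// NOTIFY waits for a driver notification; the driver completes it with a
// DRVCOMM_RESPONSE_BUFFER whose .type is one of RESPONSE_NOTIFY_*.
#define IOCTL_NOTIFY           CTL_CODE(FILE_DEVICE_UNKNOWN,0x900,METHOD_BUFFERED,FILE_READ_DATA | FILE_WRITE_DATA)

// Each IOCTL_NOTIFY_*_CHECK answers one IOCTL_NOTIFY of the matching
// RESPONSE_NOTIFY_* type (request: the corresponding parameters.*_check.permit).
// IOCTL_NOTIFY_LOAD_DRIVER_CHECK answers IOCTL_NOTIFY type RESPONSE_NOTIFY_LOAD_DRIVER_CHECK
#define IOCTL_NOTIFY_LOAD_DRIVER_CHECK     CTL_CODE(FILE_DEVICE_UNKNOWN,0x981,METHOD_BUFFERED,FILE_READ_DATA | FILE_WRITE_DATA)
// IOCTL_NOTIFY_PHYSICAL_MEMORY_CHECK answers IOCTL_NOTIFY type RESPONSE_NOTIFY_PHYSICAL_MEMORY_CHECK
#define IOCTL_NOTIFY_PHYSICAL_MEMORY_CHECK CTL_CODE(FILE_DEVICE_UNKNOWN,0x982,METHOD_BUFFERED,FILE_READ_DATA | FILE_WRITE_DATA)
// IOCTL_NOTIFY_PROCESS_CHECK answers IOCTL_NOTIFY type RESPONSE_NOTIFY_PROCESS_CHECK
#define IOCTL_NOTIFY_PROCESS_CHECK         CTL_CODE(FILE_DEVICE_UNKNOWN,0xA00,METHOD_BUFFERED,FILE_READ_DATA | FILE_WRITE_DATA)
// IOCTL_NOTIFY_FILE_CHECK answers IOCTL_NOTIFY type RESPONSE_NOTIFY_FILE_CHECK
#define IOCTL_NOTIFY_FILE_CHECK            CTL_CODE(FILE_DEVICE_UNKNOWN,0xA01,METHOD_BUFFERED,FILE_READ_DATA | FILE_WRITE_DATA)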
// Driver/app communication buffers.
//
// Both structs are passed verbatim through METHOD_BUFFERED IOCTLs, so member
// order and sizes are the wire ABI between the user-mode application and the
// driver; do not reorder or resize fields without updating both sides.
//
// NOTE(review): neither struct carries a size or version field, so the driver
// has to compare the IOCTL input/output buffer lengths against sizeof() of
// these structs before reading any member — confirm that check exists.

// Request sent from the application to the driver. Which union member is
// meaningful is implied by the IOCTL code, not by a tag in the buffer.
typedef struct DRVCOMM_REQUEST_BUFFER {
    union {
        struct {
            // SDT index of ZwQueryInformationThread, supplied by user mode.
            // NOTE(review): this comes from the caller, so the driver must
            // range-check it against the table it indexes before use — verify.
            ULONG SDT_index_ZwQueryInformationThread;
        } init;
        struct {
            ULONG pid;      // pid of process to protect/disable protection for
            int   enable;   // protect on true, disable protection otherwise
        } protect_process;
        struct {
            // Null-terminated file name to protect/disable protection for.
            // NOTE(review): the terminator is a caller promise; the receiving
            // side should bound the length to the array (512 wchar_t) rather
            // than rely on it being present — confirm on the driver side.
            wchar_t name[512];
            int     enable;  // protect on true, disable protection otherwise
        } protect_file;
        struct {
            // true to permit the operation, false not to permit the operation;
            // the member used is the one matching the IOCTL_NOTIFY_*_CHECK code.
            int permit;
        } process_check, load_driver_check, physical_memory_check, file_check;
    } parameters;
} DRVCOMM_REQUEST_BUFFER, *PDRVCOMM_REQUEST_BUFFER;

// Response returned by the driver (completion of IOCTL_NOTIFY). `type` selects
// the valid union member and takes one of the RESPONSE_NOTIFY_* values.
typedef struct DRVCOMM_RESPONSE_BUFFER {
    ULONG status;   // status of requested operation, should be 1 on success
    ULONG type;     // type of response buffer (RESPONSE_NOTIFY_*)
    union {
        struct {
            ULONG caller_pid;   // pid of process that requests access
            ULONG pid;          // pid of protected process
            ULONG access;       // required access
        } process_check;
        struct {
            ULONG caller_pid;       // pid of process that requests access
            // Registry path in system format. Same fixed 512 wchar_t bound as
            // the other string fields; the filler is expected to terminate it.
            wchar_t regpath[512];
        } load_driver_check;
        struct {
            ULONG caller_pid;   // pid of process that requests access
            ULONG access;       // required access
        } physical_memory_check;
        struct {
            ULONG caller_pid;       // pid of process that requests access
            wchar_t name[512];      // null terminated file name
            ULONG access;           // required access
        } file_check;
    } parameters;
} DRVCOMM_RESPONSE_BUFFER, *PDRVCOMM_RESPONSE_BUFFER;

#endif