| /********************************************************************* |
| |
| Author: Dale Roberts |
| Date: 8/30/95 |
| Program: GIVEIO.SYS |
| Compile: Use DDK BUILD facility |
| |
| Purpose: Give direct port I/O access to a user mode process. |
| |
| *********************************************************************/ |
| #include <ntddk.h> |
| |
| /* |
| * The name of our device driver. |
| */ |
| #define DEVICE_NAME_STRING L"giveio" |
| |
| /* |
| * This is the "structure" of the IOPM. It is just a simple |
| * character array of length 0x2000. |
| * |
| * This holds 8K * 8 bits -> 64K bits of the IOPM, which maps the |
| * entire 64K I/O space of the x86 processor. Any 0 bits will give |
| * access to the corresponding port for user mode processes. Any 1 |
| * bits will disallow I/O access to the corresponding port. |
| */ |
| #define IOPM_SIZE 0x2000 |
| typedef UCHAR IOPM[IOPM_SIZE]; |
| |
| /* |
| * This will hold simply an array of 0's which will be copied |
| * into our actual IOPM in the TSS by Ke386SetIoAccessMap(). |
| * The memory is allocated at driver load time. |
| */ |
| IOPM *IOPM_local = 0; |
| |
| /* |
| * These are the two undocumented calls that we will use to give |
| * the calling process I/O access. |
| * |
| * Ke386IoSetAccessMap() copies the passed map to the TSS. |
| * |
| * Ke386IoSetAccessProcess() adjusts the IOPM offset pointer so that |
| * the newly copied map is actually used. Otherwise, the IOPM offset |
| * points beyond the end of the TSS segment limit, causing any I/O |
| * access by the user mode process to generate an exception. |
| */ |
| void Ke386SetIoAccessMap(int, IOPM *); |
| void Ke386QueryIoAccessMap(int, IOPM *); |
| void Ke386IoSetAccessProcess(PEPROCESS, int); |
| |
| /********************************************************************* |
| Release any allocated objects. |
| *********************************************************************/ |
| VOID GiveioUnload(IN PDRIVER_OBJECT DriverObject) |
| { |
| WCHAR DOSNameBuffer[] = L"\\DosDevices\\" DEVICE_NAME_STRING; |
| UNICODE_STRING uniDOSString; |
| |
| if(IOPM_local) |
| MmFreeNonCachedMemory(IOPM_local, sizeof(IOPM)); |
| |
| RtlInitUnicodeString(&uniDOSString, DOSNameBuffer); |
| IoDeleteSymbolicLink (&uniDOSString); |
| IoDeleteDevice(DriverObject->DeviceObject); |
| } |
| |
| /********************************************************************* |
| Set the IOPM (I/O permission map) of the calling process so that it |
| is given full I/O access. Our IOPM_local[] array is all zeros, so |
| the IOPM will be all zeros. If OnFlag is 1, the process is given I/O |
| access. If it is 0, access is removed. |
| *********************************************************************/ |
| VOID SetIOPermissionMap(int OnFlag) |
| { |
| Ke386IoSetAccessProcess(PsGetCurrentProcess(), OnFlag); |
| Ke386SetIoAccessMap(1, IOPM_local); |
| } |
| |
| void GiveIO(void) |
| { |
| SetIOPermissionMap(1); |
| } |
| |
| /********************************************************************* |
| Service handler for a CreateFile() user mode call. |
| |
| This routine is entered in the driver object function call table by |
| the DriverEntry() routine. When the user mode application calls |
| CreateFile(), this routine gets called while still in the context of |
| the user mode application, but with the CPL (the processor's Current |
| Privelege Level) set to 0. This allows us to do kernel mode |
| operations. GiveIO() is called to give the calling process I/O |
| access. All the user mode application needs do to obtain I/O access |
| is open this device with CreateFile(). No other operations are |
| required. |
| *********************************************************************/ |
| NTSTATUS GiveioCreateDispatch( |
| IN PDEVICE_OBJECT DeviceObject, |
| IN PIRP Irp |
| ) |
| { |
| GiveIO(); // give the calling process I/O access |
| |
| Irp->IoStatus.Information = 0; |
| Irp->IoStatus.Status = STATUS_SUCCESS; |
| IoCompleteRequest(Irp, IO_NO_INCREMENT); |
| return STATUS_SUCCESS; |
| } |
| |
| /********************************************************************* |
| Driver Entry routine. |
| |
| This routine is called only once after the driver is initially |
| loaded into memory. It allocates everything necessary for the |
| driver's operation. In our case, it allocates memory for our IOPM |
| array, and creates a device which user mode applications can open. |
| It also creates a symbolic link to the device driver. This allows |
| a user mode application to access our driver using the \\.\giveio |
| notation. |
| *********************************************************************/ |
| NTSTATUS DriverEntry( |
| IN PDRIVER_OBJECT DriverObject, |
| IN PUNICODE_STRING RegistryPath |
| ) |
| { |
| PDEVICE_OBJECT deviceObject; |
| NTSTATUS status; |
| WCHAR NameBuffer[] = L"\\Device\\" DEVICE_NAME_STRING; |
| WCHAR DOSNameBuffer[] = L"\\DosDevices\\" DEVICE_NAME_STRING; |
| UNICODE_STRING uniNameString, uniDOSString; |
| |
| // |
| // Allocate a buffer for the local IOPM and zero it. |
| // |
| IOPM_local = MmAllocateNonCachedMemory(sizeof(IOPM)); |
| if(IOPM_local == 0) |
| return STATUS_INSUFFICIENT_RESOURCES; |
| RtlZeroMemory(IOPM_local, sizeof(IOPM)); |
| |
| // |
| // Set up device driver name and device object. |
| // |
| RtlInitUnicodeString(&uniNameString, NameBuffer); |
| RtlInitUnicodeString(&uniDOSString, DOSNameBuffer); |
| |
| status = IoCreateDevice(DriverObject, 0, |
| &uniNameString, |
| FILE_DEVICE_UNKNOWN, |
| 0, FALSE, &deviceObject); |
| |
| if(!NT_SUCCESS(status)) |
| return status; |
| |
| status = IoCreateSymbolicLink (&uniDOSString, &uniNameString); |
| |
| if (!NT_SUCCESS(status)) |
| return status; |
| |
| // |
| // Initialize the Driver Object with driver's entry points. |
| // All we require are the Create and Unload operations. |
| // |
| DriverObject->MajorFunction[IRP_MJ_CREATE] = GiveioCreateDispatch; |
| DriverObject->DriverUnload = GiveioUnload; |
| return STATUS_SUCCESS; |
| } |
| |
