|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
tp中创建了一个IO TIMER,所以我们来看一下如何遍历系统中的所有IO TIMER 至于基本概念,大家有不明白的就去参考一下WDK文档吧 PT中提供了这个功能:  最终我山寨的效果:  多了一个,应该是PT没有显示无效的IO TIMER 我们最终的目的是遍历IO TIMER链然后取消指定模块中的IO TIMER, 所以理想中我会最终封装出来一个这样的函数: BOOLEAN DeleteIoTimerInSpecialModule(PWCHAR pModuleName); 关于遍历IO TIMER,网上我搜了下貌似没什么具体的介绍,那么我们就看一下WRK中有没有相关线索, 还是从已导出的函数入手,相关函数: IoInitializeTimer初始化IO TIMER IoStartTimer启动IO TIMER IoStopTimer停止IO TIMER 先看一下IoInitializeTimer:  代码很简单,如果传入的设备对象没有关联IO TIMER就分配一个IO TIMER,并与设备对象相关联, 也就是保存到设备对象的Timer域, 最后将IO TIMER的TimerList域追加到了IopTimerQueueHead的尾部,来看一下 IO TIMER 结构:  这个结构在xp,2k3,win7中是相同的 TimerList是一个ListEntry,这样我们只要找到了IopTimerQueueHead就能遍历系统中的所有IO TIMER了 搜索IopTimerQueueHead过程就不列出了,无非就是定位 接下来将IO TIMER中对我们有用的信息保存出来,这里我自定义了一个结构用来保存信息:
typedef struct _MyIoTimer{
ULONG TimerObjectAddress;
ULONG TimerState;
ULONG TimerRoutine;
ULONG DeviceObject;
}MyIoTimer,*PMyIoTimer;
#define MAX_IOTIMER_COUNT 150
//遍历IopTimerQueueHead取得IO TIMER信息
//执行成功返回MyIoTimer结构的数量,否则为0
ULONG GetIoTimerInformationByIopTimerQueueHead(PVOID* pvBuf)
{
ULONG IopTimerQueueHeadAddress;
ULONG ulBufSize;
ULONG ulTemp;
ULONG ulCount = 0;
PLIST_ENTRY pIopTimerQueueHead = NULL;
PLIST_ENTRY pNextTimer = NULL;
PIoTimer pTimer = NULL;
MyIoTimer myTimer;
IopTimerQueueHeadAddress = GetIopTimerQueueHeadAddress();
if ( MmIsAddressValidEx((PVOID)IopTimerQueueHeadAddress) == VCS_INVALID ) return 0;
pIopTimerQueueHead = (PLIST_ENTRY)IopTimerQueueHeadAddress;
pNextTimer = pIopTimerQueueHead->Blink;
//分配足够大的空间
ulBufSize = MAX_IOTIMER_COUNT * sizeof(MyIoTimer);
*pvBuf = ExAllocatePoolWithTag(PagedPool,ulBufSize,123);
if (*pvBuf == NULL) return 0;
while ( TRUE )
{
if ( MmIsAddressValidEx(pNextTimer) == VCS_INVALID )
{
KdPrint(("检测到IopTimerQueueHead中存在非法地址"));
ExFreePool(*pvBuf);
*pvBuf = NULL;
return 0;
}
if ( pNextTimer == pIopTimerQueueHead ) break;
pTimer = CONTAINING_RECORD(pNextTimer,IoTimer,TimerList);
RtlZeroMemory(&myTimer,sizeof(MyIoTimer));
myTimer.TimerObjectAddress = (ULONG)pTimer; //IO TIMER对象地址
myTimer.TimerState = (ULONG)pTimer->TimerFlag;
myTimer.TimerRoutine = (ULONG)pTimer->TimerRoutine; //TIMER例程地址
myTimer.DeviceObject = (ULONG)pTimer->DeviceObject; //设备对象
RtlMoveMemory( (PVOID)((ULONG)*pvBuf+ulCount*sizeof(MyIoTimer)),&myTimer,sizeof(MyIoTimer) );
pNextTimer = pNextTimer->Blink;
ulCount++;
if ( ulCount > MAX_IOTIMER_COUNT )
{
KdPrint(("Io Timer 数量超过了150")); //这里简单退出了,可以更改为分配更大的缓冲
ExFreePool(*pvBuf);
*pvBuf = NULL;
return 0;
}
}
return (ulCount*sizeof(MyIoTimer));
}
通过封装的这个函数就能得到系统中的所有IO TIMER了 最后判断一下 TimerRoutine 是否在指定的模块地址范围之内,如果检测到了的话, 调用IoStopTimer取消定时器
BOOLEAN DeleteIoTimerInSpecialModule(PWCHAR pModuleName)
{
PVOID pvTimerBuf = NULL;
ULONG ulTimerReturn;
ULONG ulModuleBase;
ULONG ulModuleSize;
ULONG i;
ULONG ulCount = 0;
PMyIoTimer pMyTimer = NULL;
BOOLEAN Result = FALSE;
if (pModuleName == NULL) goto __exit1;
ulTimerReturn = GetDriverObjectByIopTimerQueueHead(&pvTimerBuf);
if (ulTimerReturn == 0) goto __exit1;
ulModuleBase = GetSpecialModuleBase(pModuleName,&ulModuleSize);
if ( (ulModuleBase < (ULONG)MmSystemRangeStart)||(ulModuleSize == 0) ) goto __exit1;
pMyTimer = (PMyIoTimer)pvTimerBuf;
//遍历所有IO TIMER
while (TRUE)
{
if ( (pMyTimer->TimerObjectAddress == 0)||(ulCount == MAX_IOTIMER_COUNT - 1) ) break;
if ( (pMyTimer->TimerRoutine > ulModuleBase)&&(pMyTimer->TimerRoutine < ulModuleBase + ulModuleSize) )
IoStopTimer((PDEVICE_OBJECT)pMyTimer->DeviceObject);
pMyTimer++;
ulCount++;
}
Result = TRUE;
__exit1:
if ( pvTimerBuf != NULL ) ExFreePool(pvTimerBuf);
pvTimerBuf = NULL;
return Result;
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
 小菜路过,好久没玩了。。看下。
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
图文并茂,灰常谢谢楼主
|
|
|
|
|
|
|
|
|
|
