-
-
[求助]又蓝了?
-
发表于:
2012-10-7 13:44
3414
-
为什么这一段代码老是蓝屏呢?用dbg调试,发现是DispatchUnload例程里面的IoDeleteDevice蓝的
#include <Ntifs.h>
#include <Ntstrsafe.h>
#include <Ntimage.h>
typedef struct _DEVICE_EXTENSION
{
UNICODE_STRING ustrDeviceName;//设备名称
UNICODE_STRING ustrSymLinkName;//符号链接名
}DEVICE_EXTENSION, *PDEVICE_EXTENSION;
NTSTATUS MyCreateDevice(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pustrDeviceName, PUNICODE_STRING pustrSymLinkName);
VOID DispatchUnload (IN PDRIVER_OBJECT pDriverObject);
NTSTATUS DispatchCreate(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp);
NTSTATUS DispatchDeviceIOControl(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp);
NTSTATUS DispatchClose(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp);
#pragma code_seg("INIT")
NTSTATUS DriverEntry( IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING pRegistryPath )
{
NTSTATUS status = STATUS_UNSUCCESSFUL;
UNICODE_STRING ustrDeviceName;
UNICODE_STRING ustrSymLinkName;
//注册其他驱动调用函数入口
pDriverObject->DriverUnload = DispatchUnload;
pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchDeviceIOControl;
pDriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
pDriverObject->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
//创建设备名称
RtlInitUnicodeString(&ustrDeviceName, L"\\Device\\DevAAD");
//创建符号链接
RtlInitUnicodeString(&ustrSymLinkName, L"\\??\\DevAAD");
//创建设备
status = MyCreateDevice(pDriverObject, &ustrDeviceName, &ustrSymLinkName);
if (!NT_SUCCESS(status))
return status;
return status;
}
#pragma code_seg("PAGE")
NTSTATUS MyCreateDevice(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pustrDeviceName, PUNICODE_STRING pustrSymLinkName)
{
NTSTATUS status = STATUS_UNSUCCESSFUL;
PDEVICE_OBJECT pDevObj;
PDEVICE_EXTENSION pDevExt;
if(!pustrDeviceName || !pustrSymLinkName)
return status;
//创建设备
status = IoCreateDevice( pDriverObject,
sizeof(DEVICE_EXTENSION),
pustrDeviceName,
FILE_DEVICE_UNKNOWN,
0,
TRUE,
&pDevObj );
if (!NT_SUCCESS(status))
return status;
//创建符号链接
status = IoCreateSymbolicLink(pustrSymLinkName, pustrDeviceName );
if (!NT_SUCCESS(status))
{
IoDeleteDevice( pDevObj );
return status;
}
//取消设备正在初始化标志
pDevObj->Flags &= ~DO_DEVICE_INITIALIZING;
//直接读写设备
pDevObj->Flags |= DO_DIRECT_IO;
//获取设备扩展
pDevExt = (PDEVICE_EXTENSION)(pDevObj->DeviceObjectExtension);
//填充设备扩展
pDevExt->ustrDeviceName = *pustrDeviceName;
pDevExt->ustrSymLinkName = *pustrSymLinkName;
return status;
}
#pragma code_seg("PAGE")
VOID DispatchUnload (IN PDRIVER_OBJECT pDriverObject)
{
PDEVICE_OBJECT pDevObj;
PDEVICE_OBJECT pNextDevObj;
PDEVICE_EXTENSION pDevExt;
pNextDevObj = pDriverObject->DeviceObject;
while(pDevObj = pNextDevObj)
{
//下一个设备
pNextDevObj = pDevObj->NextDevice;
//获取设备扩展
pDevExt = (PDEVICE_EXTENSION)(pDevObj->DeviceObjectExtension);
//删除符号链接
IoDeleteSymbolicLink(&pDevExt->ustrSymLinkName);
//删除设备
IoDeleteDevice( pDevObj );
}
}
#pragma code_seg("PAGE")
NTSTATUS DispatchCreate(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp)
{
NTSTATUS status = STATUS_UNSUCCESSFUL;
return status;
}
#pragma code_seg("PAGE")
NTSTATUS DispatchDeviceIOControl(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp)
{
NTSTATUS status = STATUS_UNSUCCESSFUL;
return status;
}
#pragma code_seg("PAGE")
NTSTATUS DispatchClose(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp)
{
NTSTATUS status = STATUS_UNSUCCESSFUL;
return status;
}
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
