寒江独钓的键盘过滤驱动的一个子函数
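PDEVICE_OBJECT ccpOpenCom(ULONG id,NTSTATUS *status)
{
    /*
     * Look up the device object behind "\Device\Serial<id>".
     *
     * id     - serial port index that is formatted into the device name.
     * status - receives the NTSTATUS returned by IoGetDeviceObjectPointer;
     *          must not be NULL (a NULL status makes the function return NULL
     *          without doing anything).
     *
     * Returns the device object pointer on success, NULL otherwise.
     *
     * Fixes against the original:
     * - the name buffer was `static`, so two concurrent callers shared (and
     *   could overwrite) the same string; it is now a per-call local;
     * - `id` is a ULONG but was printed with %d, which renders large ids as
     *   negative numbers; %u is the matching specifier.
     *
     * NOTE(review): IoGetDeviceObjectPointer hands back a referenced file
     * object, and the device object is only kept alive by that reference.
     * The file object is dereferenced here before returning (as in the
     * original), so the returned device pointer carries no reference of its
     * own -- the caller has to make sure the device cannot disappear while
     * it uses the pointer. Confirm this is acceptable for the caller.
     */
    UNICODE_STRING name_str;
    WCHAR name[32] = {0};
    PFILE_OBJECT fileobj = NULL;
    PDEVICE_OBJECT devobj = NULL;

    if (status == NULL) {
        return NULL;
    }

    /* "\Device\Serial" + at most 10 digits + NUL fits comfortably in 32. */
    RtlStringCchPrintfW(name, sizeof name / sizeof name[0],
                        L"\\Device\\Serial%u", id);
    RtlInitUnicodeString(&name_str, name);

    /* Open the device object by name. */
    *status = IoGetDeviceObjectPointer(
        &name_str,
        FILE_ALL_ACCESS,
        &fileobj, &devobj);

    /* On success the file object reference must be released (see NOTE above). */
    if (*status == STATUS_SUCCESS) {
        KdPrint(("IoGetDeviceObjectPointer成功"));
        ObDereferenceObject(fileobj);
    }
    return devobj;
}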
例如,我想打开Kbdclass这个驱动,要怎么才能知道它的ID呢
///////////////////////////////////////分割线////////////////////////////////////////////////////
如果通过ObReferenceObjectByName打开,程序返回是成功的,但是要获取PDEVICE_OBJECT的时候,会导致系统蓝屏
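NTSTATUS SearchServiceCallback(void)
{
    /*
     * Look up the keyboard class driver object named by KBD_DRIVER_NAME and
     * publish its first device object in gClassDeviceObject (presumably a
     * file-scope global defined elsewhere in this file).
     *
     * Returns STATUS_SUCCESS, or STATUS_UNSUCCESSFUL when the driver object
     * cannot be referenced.
     *
     * Bugs fixed (these explain the reported crash):
     * - ObReferenceObjectByName stores the referenced object into *Object.
     *   The original passed the address of an intermediate PVOID that held
     *   &KbdDriverObject, so the API overwrote that intermediate pointer and
     *   KbdDriverObject itself was never written; it was then dereferenced
     *   while still uninitialised.
     * - ObDereferenceObject was called on &KbdDriverObject (the address of
     *   the local variable) instead of on the referenced object.
     * - The original also cast kbdclass's DeviceExtension to this driver's
     *   own PDEVICE_EXTENSION; that extension belongs to kbdclass and has a
     *   different layout, so the cast is not meaningful and was dropped
     *   (its result was never used).
     *
     * NOTE(review): the driver object reference is released before return,
     * so gClassDeviceObject is held without a reference of its own; the
     * caller must not assume the pointer stays valid indefinitely.
     */
    NTSTATUS ntStatus;
    UNICODE_STRING uniNtNameString;
    PDRIVER_OBJECT KbdDriverObject = NULL;

    RtlInitUnicodeString(&uniNtNameString, KBD_DRIVER_NAME);

    /* The output parameter is the address of the PDRIVER_OBJECT itself. */
    ntStatus = ObReferenceObjectByName(
        &uniNtNameString,
        OBJ_CASE_INSENSITIVE,
        NULL,
        0,
        *IoDriverObjectType,
        KernelMode,
        NULL,
        (PVOID *)&KbdDriverObject);
    if (!NT_SUCCESS(ntStatus)) {
        KdPrint(("ObReferenceObjectByName failed!"));
        return STATUS_UNSUCCESSFUL;
    }

    gClassDeviceObject = KbdDriverObject->DeviceObject;

    /* Release the reference taken by ObReferenceObjectByName. */
    ObDereferenceObject(KbdDriverObject);
    return STATUS_SUCCESS;
}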
///////////////////////////////////////分割线////////////////////////////////////////////////////
我的主要目的是想获取KeyboardClassServiceCallback函数的地址,贴上代码
//下面是查找KeyboardClassServiceCallback的关键函数,鼠标设备查找方法类似,我合成了一个函数
NTSTATUS GetKmclassInfo(PDEVICE_OBJECT DeviceObject, USHORT Index)
{
    /*
     * Locate the keyboard (Index == 1) or mouse (Index == 2) class driver's
     * service callback by scanning the port driver's device extensions for a
     * pointer to a class device object that is immediately followed by a
     * pointer into the class driver's image, and record both in this
     * driver's own device extension.
     *
     * DeviceObject - this driver's device; its DeviceExtension is cast to
     *                PDEVICE_EXTENSION and receives the results.
     * Index        - 1 for keyboard (kbdhid / kbdclass), 2 for mouse
     *                (mouhid / mouclass); anything else is rejected.
     *
     * Returns STATUS_SUCCESS once a match has been stored,
     * STATUS_INVALID_PARAMETER for an unknown Index, the failing
     * ObReferenceObjectByName status when a driver object cannot be found,
     * or STATUS_UNSUCCESSFUL when the scan finds nothing.
     *
     * Review notes (code left as found):
     * - kmDriverObject and kmclassDriverObject are referenced through
     *   ObReferenceObjectByName but never released with ObDereferenceObject
     *   on any return path, so every call leaks one reference per driver
     *   object and those drivers can no longer unload cleanly.
     * - The innermost loop reads kmDeviceExtension[i + 1] for i up to
     *   DeviceExtensionSize - 1, i.e. one ULONG past the computed extension
     *   size; the loop bound should be i + 1 < DeviceExtensionSize.
     * - Pointers are truncated to ULONG throughout, so this only works in a
     *   32-bit kernel.
     * - DeviceExtensionSize is derived from DeviceObjectExtension being laid
     *   out directly after DeviceExtension, which is not a documented
     *   contract -- TODO confirm it holds for the targeted kernel builds.
     * - Declarations after statements (from DeviceExtensionSize onwards)
     *   require C99 or C++ compilation.
     */
    NTSTATUS status;
    UNICODE_STRING ObjectName;
    PCWSTR kmhidName, kmclassName, kmName;
    PVOID kmDriverStart;
    ULONG kmDriverSize;
    PVOID* TargetDeviceObject;
    PVOID* TargetclassCallback;
    PDEVICE_EXTENSION deviceExtension;
    PDRIVER_OBJECT kmDriverObject = NULL;
    PDRIVER_OBJECT kmclassDriverObject = NULL;
    deviceExtension = (PDEVICE_EXTENSION)DeviceObject->DeviceExtension;
    /* Select the driver names and the two output slots for the requested device class. */
    switch(Index)
    {
    case 1:
        kmName = L"kbd";
        kmhidName = L"\\Driver\\kbdhid";
        kmclassName = L"\\Driver\\kbdclass";
        TargetDeviceObject = (PVOID*)&(deviceExtension->kbdDeviceObject);
        TargetclassCallback = (PVOID*)&(deviceExtension->My_KbdCallback);
        break;
    case 2:
        kmName = L"mou";
        kmhidName = L"\\Driver\\mouhid";
        kmclassName = L"\\Driver\\mouclass";
        TargetDeviceObject = (PVOID*)&(deviceExtension->mouDeviceObject);
        TargetclassCallback = (PVOID*)&(deviceExtension->My_MouCallback);
        break;
    default:
        return STATUS_INVALID_PARAMETER;
    }
    /* Get the port driver object via the USB HID class driver first. */
    RtlInitUnicodeString(&ObjectName, kmhidName);
    status = ObReferenceObjectByName(&ObjectName,
        OBJ_CASE_INSENSITIVE,
        NULL,
        FILE_READ_ACCESS,
        *IoDriverObjectType,
        KernelMode,
        NULL,
        (PVOID*)&kmDriverObject);
    if(!NT_SUCCESS(status))
    {
        /* Fall back to the PS/2 port driver (i8042prt). */
        RtlInitUnicodeString(&ObjectName, L"\\Driver\\i8042prt");
        status = ObReferenceObjectByName(&ObjectName,
            OBJ_CASE_INSENSITIVE,
            NULL,
            FILE_READ_ACCESS,
            *IoDriverObjectType,
            KernelMode,
            NULL,
            (PVOID*)&kmDriverObject);
        if(!NT_SUCCESS(status))
        {
            KdPrint(("Couldn't Get the i8042prt Driver Object\n"));
            return status;
        }
    }
    /* Get the keyboard/mouse class driver object (kbdclass / mouclass). */
    /* NOTE(review): kmDriverObject is still referenced on this error path and is never released. */
    RtlInitUnicodeString(&ObjectName, kmclassName);
    status = ObReferenceObjectByName(&ObjectName,
        OBJ_CASE_INSENSITIVE,
        NULL,
        FILE_READ_ACCESS,
        *IoDriverObjectType,
        KernelMode,
        NULL,
        (PVOID*)&kmclassDriverObject);
    if(!NT_SUCCESS(status))
    {
        KdPrint(("Couldn't Get the kmclass Driver Object\n"));
        return status;
    }
    else
    {
        /* Image range of the class driver; a callback pointer must fall inside it. */
        kmDriverStart = kmclassDriverObject->DriverStart;
        kmDriverSize = kmclassDriverObject->DriverSize;
    }
    ULONG DeviceExtensionSize;
    PULONG kmDeviceExtension;
    PDEVICE_OBJECT kmTempDeviceObject;
    PDEVICE_OBJECT kmclassDeviceObject;
    PDEVICE_OBJECT kmDeviceObject = kmDriverObject->DeviceObject;
    /* Walk every device of the port driver, and every device attached on top of it. */
    while (kmDeviceObject)
    {
        kmTempDeviceObject = kmDeviceObject;
        while (kmTempDeviceObject)
        {
            kmDeviceExtension = (PULONG)kmTempDeviceObject->DeviceExtension;
            kmclassDeviceObject = kmclassDriverObject->DeviceObject;
            /* Extension size in ULONGs, assuming DeviceObjectExtension directly follows DeviceExtension (undocumented). */
            DeviceExtensionSize = ((ULONG)kmTempDeviceObject->DeviceObjectExtension - (ULONG)kmTempDeviceObject->DeviceExtension) / 4;
            /* For each class device, look for its pointer followed by a pointer into the class driver image. */
            while (kmclassDeviceObject)
            {
                /* NOTE(review): i + 1 is read when i == DeviceExtensionSize - 1, one ULONG past the computed size. */
                for (ULONG i = 0; i < DeviceExtensionSize; i++)
                {
                    if (kmDeviceExtension[i] == (ULONG)kmclassDeviceObject &&
                        kmDeviceExtension[i + 1] > (ULONG)kmDriverStart &&
                        kmDeviceExtension[i + 1] < (ULONG)kmDriverStart + kmDriverSize)
                    {
                        /* Save the match into this driver's own device extension. */
                        /* NOTE(review): despite the slot's name, this stores the port device's extension
                         * pointer, not a DEVICE_OBJECT; the KdPrint below labels it the same way.
                         * Confirm that the consumer of *TargetDeviceObject expects the extension. */
                        *TargetDeviceObject = (PVOID)kmDeviceExtension;
                        *TargetclassCallback = (PVOID)kmDeviceExtension[i + 1];
                        KdPrint(("%SDeviceObject == 0x%x\n", kmName, kmDeviceExtension));
                        KdPrint(("%SClassServiceCallback == 0x%x\n", kmName, kmDeviceExtension[i + 1]));
                        /* NOTE(review): both driver object references are leaked on this path too. */
                        return STATUS_SUCCESS;
                    }
                }
                kmclassDeviceObject = kmclassDeviceObject->NextDevice;
            }
            kmTempDeviceObject = kmTempDeviceObject->AttachedDevice;
        }
        kmDeviceObject = kmDeviceObject->NextDevice;
    }
    return STATUS_UNSUCCESSFUL;
}