-
-
[求助]驱动开发ERROR(317)系统无法在消息文件中为%2找到消息号为0x%1的消息文本
-
发表于: 2014-5-16 13:41
-
xp用monitordriver加载驱动后,运行,然后就提示这个错误了
ERROR(317)系统无法在消息文件中为%2找到消息号为0x%1的消息文本
我用win7的编译后在win7下正常运行,请问是什么情况,好纠结
第一次发帖=_=
ERROR(317)系统无法在消息文件中为%2找到消息号为0x%1的消息文本
我用win7的编译后在win7下正常运行,请问是什么情况,好纠结
#include<ntddk.h>
#define DWORD ULONG
//xp
#if 1
#define UniqueProcessID 0x84
#define ActiveProcessLinks 0x88
#define ImageFileName 0x174
#endif
//win7x86
#if 0
#define UniqueProcessID 0xb4
#define ActiveProcessLinks 0xb8
#define ImageFileName 0x16c
#endif
#define IOCTL_HIDE_PROCESS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_WRITE_ACCESS)
PDEVICE_OBJECT g_Device = NULL;
const WCHAR LinkName[] = L"\\DosDevices\\MyHideProcess";
const WCHAR DriverName[] = L"\\Device\\MyHideProcess";
NTSTATUS HelloDDKDispatchRoutine(IN PDEVICE_OBJECT DeviceObject, IN PIRP pIrp) ;
NTSTATUS HelloDriverUnload(IN PDRIVER_OBJECT Driver_Object);
//判断系统版本
NTSTATUS InitVersion();
//根据PID找到进程
DWORD FindProcessEPROCESS( IN DWORD dwPID, OUT int* ***);
//入口函数
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver_Object,
IN PUNICODE_STRING RegisterPath)
{
NTSTATUS status;
UNICODE_STRING DriverNameUnicodeString;
UNICODE_STRING DriverLinkUnicodeString;
RtlInitUnicodeString (&DriverNameUnicodeString, DriverName );
RtlInitUnicodeString (&DriverLinkUnicodeString, LinkName );
status = InitVersion();
if(!NT_SUCCESS(status))
{
DbgPrint("非6.x系统\n");
return STATUS_FAILED_DRIVER_ENTRY;
}
else
{
DbgPrint("是6.x系统\n");
}
DbgPrint("hideprocess \r\n");
//创建设备
status = IoCreateDevice ( Driver_Object,
0,
&DriverNameUnicodeString,
FILE_DEVICE_UNKNOWN,
0,
TRUE,
&g_Device );
if( !NT_SUCCESS(status))
{
KdPrint(("Failed to CreateDevice!\n"));
return status;
}
//创建符号链接
status = IoCreateSymbolicLink (&DriverLinkUnicodeString, &DriverNameUnicodeString );
if( !NT_SUCCESS(status))
{
KdPrint(("Failed to CreateSymbolicLink!\n"));
return status;
}
//MajorFunction[IRP_MJ_CREATE] 例程返回了ERROR_MR_MID_NOT_FOUND
//ERROR(317)系统无法在消息文件中为%2找到消息号为0x%1的消息文本
Driver_Object->MajorFunction[IRP_MJ_CREATE] = HelloDDKDispatchRoutine;
Driver_Object->MajorFunction[IRP_MJ_CLOSE] = HelloDDKDispatchRoutine;
Driver_Object->MajorFunction[IRP_MJ_DEVICE_CONTROL] = HelloDDKDispatchRoutine;
Driver_Object->DriverUnload = HelloDriverUnload;
return STATUS_SUCCESS;
}
//判断系统版本,5.x指win 2000、xp、2003
// 6.x指win vista、7
NTSTATUS InitVersion()
{
RTL_OSVERSIONINFOW osVer;
RtlGetVersion(&osVer);
KdPrint(("MajorOversion:%d MinorVersion:%d\n",osVer.dwMajorVersion,osVer.dwMinorVersion));
if(osVer.dwMajorVersion!=6)
{
KdPrint(("不支持的系统版本\n"));
return STATUS_UNSUCCESSFUL;
}
return STATUS_SUCCESS;
}
//默认的例程
NTSTATUS HelloDDKDispatchRoutine(IN PDEVICE_OBJECT DeviceObject, IN PIRP pIrp)
{
DWORD preprocess = 0x00000000;
PLIST_ENTRY pre_ActiveProcessLink;
int ***= 0;
NTSTATUS nStatus = STATUS_SUCCESS;
ULONG IoControlCode = 0;
PIO_STACK_LOCATION IrpStack = NULL;
long* inBuf = NULL;
char* outBuf = NULL;
ULONG inSize = 0;
ULONG outSize = 0;
PCHAR buffer = NULL;
NTSTATUS ntstatus = STATUS_SUCCESS;
int find_PID = 0;
pIrp->IoStatus.Status = STATUS_SUCCESS;
pIrp->IoStatus.Information = 0;
IrpStack = IoGetCurrentIrpStackLocation (pIrp);
switch (IrpStack->MajorFunction)
{
case IRP_MJ_CREATE:
break;
case IRP_MJ_SHUTDOWN:
break;
case IRP_MJ_CLOSE:
break;
case IRP_MJ_DEVICE_CONTROL:
IoControlCode = IrpStack->Parameters.DeviceIoControl.IoControlCode;
switch ( IoControlCode )
{
case IOCTL_HIDE_PROCESS:
inSize = IrpStack->Parameters.DeviceIoControl.InputBufferLength;
outSize = IrpStack->Parameters.DeviceIoControl.OutputBufferLength;
inBuf = (long*)pIrp->AssociatedIrp.SystemBuffer;
if ((inSize < sizeof(DWORD)) || (inBuf == NULL))
{
DbgPrint("inBuf Error\n");
ntstatus = STATUS_INVALID_BUFFER_SIZE;
break;
}
find_PID = *((DWORD *)inBuf); //获得应用程序输入的PID
DbgPrint("The Input PID is :%d\r\n",find_PID);
preprocess = FindProcessEPROCESS(find_PID,&***);
if(***)
{
pre_ActiveProcessLink = (PLIST_ENTRY)(preprocess);
pre_ActiveProcessLink->Flink = pre_ActiveProcessLink->Flink->Flink;
pre_ActiveProcessLink->Flink->Blink = pre_ActiveProcessLink;
DbgPrint("deleted!\n");
DbgPrint("found!\n");
}
else
{
DbgPrint(" don't exist!\n");
}
break;
default:
break;
}
}
ntstatus = pIrp->IoStatus.Status;
IoCompleteRequest( pIrp, IO_NO_INCREMENT );
return ntstatus;
}
//设置卸载例程
NTSTATUS HelloDriverUnload(IN PDRIVER_OBJECT Driver_Object)
{
UNICODE_STRING deviceLinkUnicodeString;
PDEVICE_OBJECT p_NextObj;
DbgPrint ("Start MyUnload\n");
p_NextObj = Driver_Object->DeviceObject;
if (p_NextObj == NULL)
{
DbgPrint ("MyUnload Error\n");
return STATUS_SUCCESS;
}
else
{
RtlInitUnicodeString( &deviceLinkUnicodeString, LinkName );
IoDeleteSymbolicLink( &deviceLinkUnicodeString );
IoDeleteDevice( Driver_Object->DeviceObject );
}
DbgPrint ("End MyUnload\n");
return STATUS_SUCCESS;
}
DWORD FindProcessEPROCESS( IN DWORD dwPID, OUT int* *** )
{
DWORD HideID = dwPID;
ANSI_STRING CurName;
PLIST_ENTRY cut_ActiveProcessLink = 0x00000000;
DWORD CUR_EPROCESS = 0x00000000;
DWORD curent_id = 0;//记录当前id
DWORD start_id =0;
int count = 0;//记录id总数
//首先利用PsGetCurrentProcess或IoGetCurrentProcess函数得到当前进程的句柄,这个句柄是指向_EPROCESS结构的指针,
CUR_EPROCESS = (DWORD)PsGetCurrentProcess();
curent_id = *((DWORD*)(CUR_EPROCESS + UniqueProcessID));
start_id = curent_id;
RtlInitAnsiString(&CurName,(char*)CUR_EPROCESS + ImageFileName);
cut_ActiveProcessLink = (PLIST_ENTRY)(CUR_EPROCESS + ActiveProcessLinks);
//通过进程ID
if(curent_id == HideID)
{
DbgPrint("curent_id : %d\n",curent_id);
**** = 1;
return ((DWORD)(cut_ActiveProcessLink->Blink));
}
while(1)
{
count++;
cut_ActiveProcessLink = cut_ActiveProcessLink->Flink;
//RtlInitAnsiString(&CurName,(char*)cut_ActiveProcessLink - 0xb8 + 0x16c);
curent_id = *((DWORD*)((DWORD)cut_ActiveProcessLink - ActiveProcessLinks + UniqueProcessID));
if(curent_id == HideID)
{
DbgPrint("curent_id : %d\n",curent_id);
**** = 1;
return ((DWORD)(cut_ActiveProcessLink->Blink));
}
else if (count>=1&&(start_id == curent_id))
{
DbgPrint("no such process!\n");
return 0x00000000;
}
}
}
第一次发帖=_=
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
