[求助]驱动开发ERROR(317)系统无法在消息文件中为%2找到消息号为0x%1的消息文本-编程技术-看雪-安全社区|安全招聘|kanxue.com

[求助]驱动开发ERROR(317)系统无法在消息文件中为%2找到消息号为0x%1的消息文本

发表于: 2014-5-16 13:41 12519

[求助]驱动开发ERROR(317)系统无法在消息文件中为%2找到消息号为0x%1的消息文本

姜世离

2014-5-16 13:41

12519

xp用monitordriver加载驱动后，运行，然后就提示这个错误了

ERROR(317)系统无法在消息文件中为%2找到消息号为0x%1的消息文本
我用win7的编译后在win7下正常运行，请问是什么情况，好纠结

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

#include<ntddk.h>
 
#define DWORD ULONG
//xp
#if 1
#define UniqueProcessID     0x84
#define ActiveProcessLinks  0x88
#define ImageFileName       0x174
#endif
//win7x86
#if 0
#define UniqueProcessID     0xb4
#define ActiveProcessLinks  0xb8
#define ImageFileName       0x16c
#endif
 
#define IOCTL_HIDE_PROCESS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_WRITE_ACCESS)
 
PDEVICE_OBJECT g_Device = NULL; 
const WCHAR LinkName[]  = L"\\DosDevices\\MyHideProcess";
const WCHAR DriverName[]  = L"\\Device\\MyHideProcess";
 
NTSTATUS HelloDDKDispatchRoutine(IN PDEVICE_OBJECT DeviceObject,  IN PIRP pIrp) ;
NTSTATUS HelloDriverUnload(IN PDRIVER_OBJECT Driver_Object);
 
//判断系统版本
NTSTATUS InitVersion();
 
//根据PID找到进程
DWORD FindProcessEPROCESS( IN DWORD dwPID, OUT int* ***);
 
 
//入口函数
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver_Object,  
                     IN PUNICODE_STRING RegisterPath) 
{
    NTSTATUS status;
 
    UNICODE_STRING          DriverNameUnicodeString;
    UNICODE_STRING          DriverLinkUnicodeString; 
    RtlInitUnicodeString (&DriverNameUnicodeString, DriverName );
    RtlInitUnicodeString (&DriverLinkUnicodeString, LinkName );
 
    status = InitVersion();
    if(!NT_SUCCESS(status))
    {
        DbgPrint("非6.x系统\n");
        return STATUS_FAILED_DRIVER_ENTRY;
    }
    else
    {
        DbgPrint("是6.x系统\n");
    }
 
    DbgPrint("hideprocess \r\n");
 
    //创建设备
    status = IoCreateDevice ( Driver_Object, 
                              0,
                              &DriverNameUnicodeString, 
                              FILE_DEVICE_UNKNOWN,
                              0,
                              TRUE, 
                              &g_Device );
 
    if( !NT_SUCCESS(status))
    {
        KdPrint(("Failed to CreateDevice!\n"));
        return status;
    }
    //创建符号链接
    status = IoCreateSymbolicLink (&DriverLinkUnicodeString, &DriverNameUnicodeString );
    if( !NT_SUCCESS(status))
    {
        KdPrint(("Failed to CreateSymbolicLink!\n"));
        return status;
    }
 
  //MajorFunction[IRP_MJ_CREATE] 例程返回了ERROR_MR_MID_NOT_FOUND 
  //ERROR(317)系统无法在消息文件中为%2找到消息号为0x%1的消息文本
    Driver_Object->MajorFunction[IRP_MJ_CREATE] = HelloDDKDispatchRoutine;  
    Driver_Object->MajorFunction[IRP_MJ_CLOSE]  = HelloDDKDispatchRoutine;  
    Driver_Object->MajorFunction[IRP_MJ_DEVICE_CONTROL] = HelloDDKDispatchRoutine;
    Driver_Object->DriverUnload = HelloDriverUnload;  
 
 
    return STATUS_SUCCESS;
}
 
//判断系统版本，5.x指win 2000、xp、2003
//              6.x指win vista、7
NTSTATUS InitVersion()
{
    RTL_OSVERSIONINFOW osVer;
    RtlGetVersion(&osVer);
    KdPrint(("MajorOversion:%d MinorVersion:%d\n",osVer.dwMajorVersion,osVer.dwMinorVersion));
 
    if(osVer.dwMajorVersion!=6)
    {
        KdPrint(("不支持的系统版本\n"));
        return STATUS_UNSUCCESSFUL;
    }
 
    return STATUS_SUCCESS;
 
}
 
//默认的例程  
 
NTSTATUS HelloDDKDispatchRoutine(IN PDEVICE_OBJECT DeviceObject,  IN PIRP pIrp)  
{  
    DWORD preprocess = 0x00000000;
    PLIST_ENTRY  pre_ActiveProcessLink; 
    int ***= 0;  
    NTSTATUS nStatus = STATUS_SUCCESS;
    ULONG IoControlCode = 0;
    PIO_STACK_LOCATION IrpStack = NULL;
    long* inBuf = NULL;
    char* outBuf = NULL;
    ULONG inSize = 0;
    ULONG outSize = 0;
    PCHAR buffer = NULL;
    NTSTATUS    ntstatus = STATUS_SUCCESS;
    int find_PID = 0;
 
     
 
     
    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;
 
    IrpStack = IoGetCurrentIrpStackLocation (pIrp);
    switch (IrpStack->MajorFunction) 
    {
    case IRP_MJ_CREATE:
        break;
 
    case IRP_MJ_SHUTDOWN:
        break;
 
    case IRP_MJ_CLOSE:
        break;
 
    case IRP_MJ_DEVICE_CONTROL:
        IoControlCode = IrpStack->Parameters.DeviceIoControl.IoControlCode;
        switch (  IoControlCode ) 
        {
        case IOCTL_HIDE_PROCESS:
            inSize = IrpStack->Parameters.DeviceIoControl.InputBufferLength;
            outSize = IrpStack->Parameters.DeviceIoControl.OutputBufferLength;           
            inBuf = (long*)pIrp->AssociatedIrp.SystemBuffer;
 
            if ((inSize < sizeof(DWORD)) || (inBuf == NULL))
            {
                DbgPrint("inBuf Error\n");
                ntstatus = STATUS_INVALID_BUFFER_SIZE;
                break;
            }
 
            find_PID = *((DWORD *)inBuf); //获得应用程序输入的PID
            DbgPrint("The Input PID is :%d\r\n",find_PID);
            preprocess = FindProcessEPROCESS(find_PID,&***);
            if(***)  
            {  
                pre_ActiveProcessLink = (PLIST_ENTRY)(preprocess);  
                pre_ActiveProcessLink->Flink = pre_ActiveProcessLink->Flink->Flink;  
                pre_ActiveProcessLink->Flink->Blink = pre_ActiveProcessLink;  
 
                DbgPrint("deleted!\n"); 
                DbgPrint("found!\n"); 
            }  
            else 
            {  
                DbgPrint(" don't exist!\n");  
            } 
 
            break;
        default:
            break;
        }
    }
    ntstatus =  pIrp->IoStatus.Status;
    IoCompleteRequest( pIrp, IO_NO_INCREMENT );
     
    return ntstatus;   
}  
 
//设置卸载例程  
NTSTATUS HelloDriverUnload(IN PDRIVER_OBJECT Driver_Object)  
{    
    UNICODE_STRING          deviceLinkUnicodeString;
    PDEVICE_OBJECT          p_NextObj;
    DbgPrint ("Start MyUnload\n");
    p_NextObj = Driver_Object->DeviceObject;
    if (p_NextObj == NULL)
    {
 
        DbgPrint ("MyUnload Error\n");
        return STATUS_SUCCESS;
    }
 
    else
    {
        RtlInitUnicodeString( &deviceLinkUnicodeString, LinkName );
        IoDeleteSymbolicLink( &deviceLinkUnicodeString );
        IoDeleteDevice( Driver_Object->DeviceObject );
    }
    DbgPrint ("End MyUnload\n");
    return STATUS_SUCCESS;
     
}  
 
 
DWORD FindProcessEPROCESS( IN DWORD dwPID, OUT int* *** )
{  
    DWORD HideID = dwPID;
    ANSI_STRING CurName;  
    PLIST_ENTRY   cut_ActiveProcessLink = 0x00000000;  
    DWORD CUR_EPROCESS = 0x00000000;  
    DWORD curent_id = 0;//记录当前id 
    DWORD start_id =0;  
    int count = 0;//记录id总数  
    //首先利用PsGetCurrentProcess或IoGetCurrentProcess函数得到当前进程的句柄，这个句柄是指向_EPROCESS结构的指针，
    CUR_EPROCESS = (DWORD)PsGetCurrentProcess();  
    curent_id = *((DWORD*)(CUR_EPROCESS + UniqueProcessID));  
    start_id = curent_id;  
     
 
    RtlInitAnsiString(&CurName,(char*)CUR_EPROCESS + ImageFileName);  
    cut_ActiveProcessLink = (PLIST_ENTRY)(CUR_EPROCESS + ActiveProcessLinks);  
 
    //通过进程ID
    if(curent_id == HideID)
    {
        DbgPrint("curent_id : %d\n",curent_id);
        **** = 1;  
        return ((DWORD)(cut_ActiveProcessLink->Blink));  
    }
    while(1)  
    {  
        count++;  
        cut_ActiveProcessLink = cut_ActiveProcessLink->Flink;  
        //RtlInitAnsiString(&CurName,(char*)cut_ActiveProcessLink - 0xb8 + 0x16c);  
         
        curent_id = *((DWORD*)((DWORD)cut_ActiveProcessLink - ActiveProcessLinks + UniqueProcessID));  
        if(curent_id == HideID)
        {
            DbgPrint("curent_id : %d\n",curent_id);
            **** = 1;  
            return ((DWORD)(cut_ActiveProcessLink->Blink));  
        } 
        else if (count>=1&&(start_id == curent_id))  
        {   
            DbgPrint("no such process!\n");
            return 0x00000000;  
        }  
    }
 
}  

第一次发帖=_=

[注意]看雪招聘，专注安全领域的专业人才平台！

上传的附件：

hideprocess.zip （3.67kb，2次下载）

收藏・0

免费

支持

最新回复 (2)
姜世离雪币： 220 活跃值： (37) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 25 粉丝 0 关注私信	姜世离 2 楼 DWORD FindProcessEPROCESS( IN DWORD dwPID, OUT int* * )后面3个星号是* 2014-5-16 13:49 0
姜世离雪币： 220 活跃值： (37) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 25 粉丝 0 关注私信	姜世离 3 楼好吧，发帖后才发现我是逗B。。。忘记把版本判断去掉了 status = InitVersion(); if(!NT_SUCCESS(status)) { DbgPrint("非6.x系统\n"); return STATUS_FAILED_DRIVER_ENTRY; } else { DbgPrint("是6.x系统\n"); } 2014-5-16 14:01 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

姜世离

发帖

回帖

RANK

关注

私信

他的文章

[求助]驱动开发ERROR(317)系统无法在消息文件中为%2找到消息号为0x%1的消息文本 12520

关于我们

联系我们

企业服务

看雪公众号

最新回复 (2)
姜世离雪币： 220 活跃值： (37) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 25 粉丝 0 关注私信	姜世离 2 楼 DWORD FindProcessEPROCESS( IN DWORD dwPID, OUT int* * )后面3个星号是* 2014-5-16 13:49 0
姜世离雪币： 220 活跃值： (37) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 25 粉丝 0 关注私信	姜世离 3 楼好吧，发帖后才发现我是逗B。。。忘记把版本判断去掉了 status = InitVersion(); if(!NT_SUCCESS(status)) { DbgPrint("非6.x系统\n"); return STATUS_FAILED_DRIVER_ENTRY; } else { DbgPrint("是6.x系统\n"); } 2014-5-16 14:01 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

[求助]驱动开发ERROR(317)系统无法在消息文件中为%2找到消息号为0x%1的消息文本

账号登录 验证码登录

账号登录

验证码登录