首页
社区
课程
招聘
[求助]驱动开发ERROR(317)系统无法在消息文件中为%2找到消息号为0x%1的消息文本
发表于: 2014-5-16 13:41 12396

[求助]驱动开发ERROR(317)系统无法在消息文件中为%2找到消息号为0x%1的消息文本

2014-5-16 13:41
12396
xp用monitordriver加载驱动后,运行,然后就提示这个错误了
ERROR(317)系统无法在消息文件中为%2找到消息号为0x%1的消息文本
我用win7的编译后在win7下正常运行,请问是什么情况,好纠结

#include<ntddk.h>

#define DWORD ULONG
//xp
#if 1
#define UniqueProcessID     0x84
#define ActiveProcessLinks  0x88
#define ImageFileName       0x174
#endif
//win7x86
#if 0
#define UniqueProcessID     0xb4
#define ActiveProcessLinks  0xb8
#define ImageFileName       0x16c
#endif

#define IOCTL_HIDE_PROCESS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_WRITE_ACCESS)

PDEVICE_OBJECT g_Device = NULL; 
const WCHAR LinkName[]  = L"\\DosDevices\\MyHideProcess";
const WCHAR DriverName[]  = L"\\Device\\MyHideProcess";

NTSTATUS HelloDDKDispatchRoutine(IN PDEVICE_OBJECT DeviceObject,  IN PIRP pIrp) ;
NTSTATUS HelloDriverUnload(IN PDRIVER_OBJECT Driver_Object);

//判断系统版本
NTSTATUS InitVersion();

//根据PID找到进程
DWORD FindProcessEPROCESS( IN DWORD dwPID, OUT int* ***);


//入口函数
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver_Object,  
	                 IN PUNICODE_STRING RegisterPath) 
{
	NTSTATUS status;

	UNICODE_STRING          DriverNameUnicodeString;
	UNICODE_STRING          DriverLinkUnicodeString; 
	RtlInitUnicodeString (&DriverNameUnicodeString, DriverName );
	RtlInitUnicodeString (&DriverLinkUnicodeString, LinkName );

	status = InitVersion();
	if(!NT_SUCCESS(status))
	{
		DbgPrint("非6.x系统\n");
		return STATUS_FAILED_DRIVER_ENTRY;
	}
	else
	{
		DbgPrint("是6.x系统\n");
	}

	DbgPrint("hideprocess \r\n");

	//创建设备
	status = IoCreateDevice ( Driver_Object, 
		                      0,
		                      &DriverNameUnicodeString, 
							  FILE_DEVICE_UNKNOWN,
		                      0,
							  TRUE, 
							  &g_Device );

	if( !NT_SUCCESS(status))
	{
		KdPrint(("Failed to CreateDevice!\n"));
		return status;
	}
	//创建符号链接
	status = IoCreateSymbolicLink (&DriverLinkUnicodeString, &DriverNameUnicodeString );
	if( !NT_SUCCESS(status))
	{
		KdPrint(("Failed to CreateSymbolicLink!\n"));
		return status;
	}

  //MajorFunction[IRP_MJ_CREATE] 例程返回了ERROR_MR_MID_NOT_FOUND 
  //ERROR(317)系统无法在消息文件中为%2找到消息号为0x%1的消息文本
	Driver_Object->MajorFunction[IRP_MJ_CREATE] = HelloDDKDispatchRoutine;  
	Driver_Object->MajorFunction[IRP_MJ_CLOSE]  = HelloDDKDispatchRoutine;  
	Driver_Object->MajorFunction[IRP_MJ_DEVICE_CONTROL] = HelloDDKDispatchRoutine;
	Driver_Object->DriverUnload = HelloDriverUnload;  


	return STATUS_SUCCESS;
}

//判断系统版本,5.x指win 2000、xp、2003
//              6.x指win vista、7
NTSTATUS InitVersion()
{
	RTL_OSVERSIONINFOW osVer;
	RtlGetVersion(&osVer);
	KdPrint(("MajorOversion:%d MinorVersion:%d\n",osVer.dwMajorVersion,osVer.dwMinorVersion));

	if(osVer.dwMajorVersion!=6)
	{
		KdPrint(("不支持的系统版本\n"));
		return STATUS_UNSUCCESSFUL;
	}

	return STATUS_SUCCESS;

}

//默认的例程  

NTSTATUS HelloDDKDispatchRoutine(IN PDEVICE_OBJECT DeviceObject,  IN PIRP pIrp)  
{  
	DWORD preprocess = 0x00000000;
	PLIST_ENTRY  pre_ActiveProcessLink; 
	int ***= 0;  
	NTSTATUS nStatus = STATUS_SUCCESS;
	ULONG IoControlCode = 0;
	PIO_STACK_LOCATION IrpStack = NULL;
	long* inBuf = NULL;
	char* outBuf = NULL;
	ULONG inSize = 0;
	ULONG outSize = 0;
	PCHAR buffer = NULL;
	NTSTATUS	ntstatus = STATUS_SUCCESS;
	int	find_PID = 0;

	

	
	pIrp->IoStatus.Status = STATUS_SUCCESS;
	pIrp->IoStatus.Information = 0;

	IrpStack = IoGetCurrentIrpStackLocation (pIrp);
	switch (IrpStack->MajorFunction) 
	{
	case IRP_MJ_CREATE:
		break;

	case IRP_MJ_SHUTDOWN:
		break;

	case IRP_MJ_CLOSE:
		break;

	case IRP_MJ_DEVICE_CONTROL:
		IoControlCode = IrpStack->Parameters.DeviceIoControl.IoControlCode;
		switch (  IoControlCode ) 
		{
		case IOCTL_HIDE_PROCESS:
			inSize = IrpStack->Parameters.DeviceIoControl.InputBufferLength;
			outSize = IrpStack->Parameters.DeviceIoControl.OutputBufferLength;			
			inBuf = (long*)pIrp->AssociatedIrp.SystemBuffer;

			if ((inSize < sizeof(DWORD)) || (inBuf == NULL))
			{
				DbgPrint("inBuf Error\n");
				ntstatus = STATUS_INVALID_BUFFER_SIZE;
				break;
			}

			find_PID = *((DWORD *)inBuf); //获得应用程序输入的PID
			DbgPrint("The Input PID is :%d\r\n",find_PID);
			preprocess = FindProcessEPROCESS(find_PID,&***);
			if(***)  
			{  
				pre_ActiveProcessLink = (PLIST_ENTRY)(preprocess);  
				pre_ActiveProcessLink->Flink = pre_ActiveProcessLink->Flink->Flink;  
				pre_ActiveProcessLink->Flink->Blink = pre_ActiveProcessLink;  

				DbgPrint("deleted!\n"); 
				DbgPrint("found!\n"); 
			}  
			else  
			{  
				DbgPrint(" don't exist!\n");  
			} 

			break;
		default:
			break;
		}
	}
	ntstatus =  pIrp->IoStatus.Status;
	IoCompleteRequest( pIrp, IO_NO_INCREMENT );
	
	return ntstatus;   
}  

//设置卸载例程  
NTSTATUS HelloDriverUnload(IN PDRIVER_OBJECT Driver_Object)  
{    
	UNICODE_STRING          deviceLinkUnicodeString;
	PDEVICE_OBJECT			p_NextObj;
	DbgPrint ("Start MyUnload\n");
	p_NextObj = Driver_Object->DeviceObject;
	if (p_NextObj == NULL)
	{

		DbgPrint ("MyUnload Error\n");
		return STATUS_SUCCESS;
	}

	else
	{
		RtlInitUnicodeString( &deviceLinkUnicodeString, LinkName );
		IoDeleteSymbolicLink( &deviceLinkUnicodeString );
		IoDeleteDevice( Driver_Object->DeviceObject );
	}
	DbgPrint ("End MyUnload\n");
	return STATUS_SUCCESS;
	
}  


DWORD FindProcessEPROCESS( IN DWORD dwPID, OUT int* *** )
{  
	DWORD HideID = dwPID;
	ANSI_STRING CurName;  
	PLIST_ENTRY   cut_ActiveProcessLink = 0x00000000;  
	DWORD CUR_EPROCESS = 0x00000000;  
	DWORD curent_id = 0;//记录当前id  
	DWORD start_id =0;  
	int count = 0;//记录id总数  
	//首先利用PsGetCurrentProcess或IoGetCurrentProcess函数得到当前进程的句柄,这个句柄是指向_EPROCESS结构的指针,
	CUR_EPROCESS = (DWORD)PsGetCurrentProcess();  
	curent_id = *((DWORD*)(CUR_EPROCESS + UniqueProcessID));  
	start_id = curent_id;  
	

	RtlInitAnsiString(&CurName,(char*)CUR_EPROCESS + ImageFileName);  
	cut_ActiveProcessLink = (PLIST_ENTRY)(CUR_EPROCESS + ActiveProcessLinks);  

	//通过进程ID
	if(curent_id == HideID)
	{
		DbgPrint("curent_id : %d\n",curent_id);
		**** = 1;  
		return ((DWORD)(cut_ActiveProcessLink->Blink));  
	}
	while(1)  
	{  
		count++;  
		cut_ActiveProcessLink = cut_ActiveProcessLink->Flink;  
		//RtlInitAnsiString(&CurName,(char*)cut_ActiveProcessLink - 0xb8 + 0x16c);  
		
		curent_id = *((DWORD*)((DWORD)cut_ActiveProcessLink - ActiveProcessLinks + UniqueProcessID));  
		if(curent_id == HideID)
		{
			DbgPrint("curent_id : %d\n",curent_id);
			**** = 1;  
			return ((DWORD)(cut_ActiveProcessLink->Blink));  
		} 
		else if (count>=1&&(start_id == curent_id))  
		{   
			DbgPrint("no such process!\n");
			return 0x00000000;  
		}  
	}

}  


第一次发帖=_=

[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

上传的附件:
收藏
免费 0
支持
分享
最新回复 (2)
雪    币: 220
活跃值: (37)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
2
DWORD FindProcessEPROCESS( IN DWORD dwPID, OUT int* *** )后面3个星号是***
2014-5-16 13:49
0
雪    币: 220
活跃值: (37)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
3
好吧,发帖后才发现我是逗B。。。
忘记把版本判断去掉了
  status = InitVersion();
  if(!NT_SUCCESS(status))
  {
    DbgPrint("非6.x系统\n");
    return STATUS_FAILED_DRIVER_ENTRY;
  }
  else
  {
    DbgPrint("是6.x系统\n");
  }
2014-5-16 14:01
0
游客
登录 | 注册 方可回帖
返回
//