[求助]驱动加载出现 系统找不到指定文件的错误
发表于:
2017-7-18 16:27
我用drivermonitor加载也会出现这个错误,如图
一开始我还以为是我自己写的驱动加载工具有问题,后面用其它的工具加载也出现了这个问题:第一次可以正常加载驱动,然后卸载之后再次加载就会出错。不知道是什么原因,望各位帮我参考参考(我感觉问题出在设备对象和符号链接这一块,因为我之前没有创建设备对象和符号链接时是没有这个问题的,后面加上才出现。我的测试系统是Win 7 32位)
以下是源代码:
#include "Driver.h"
// Function pointer of type pNtOpenProcess; handed to SSDT_UnInlineHook() in DriverUnload.
// Presumably holds the original NtOpenProcess address saved when the hook was installed
// (the install path is not shown here) -- confirm.
pNtOpenProcess OriginalAddr;
// Not referenced by the code shown on this page.
HANDLE ObtainPID;
// PID written by the ADD_CODE_OPEN IOCTL from a user-mode supplied buffer.
int ProtectPID;
// TRUE after ADD_CODE_OPEN, FALSE after ADD_CODE_CLOSE.
// NOTE(review): ProtectPID and isProtectProcess are written from the IOCTL path without any
// synchronization; if the hook routine (not shown) reads them concurrently, confirm that a
// torn or stale read is acceptable.
BOOLEAN isProtectProcess = FALSE;
// Declared with extern: the array itself is defined in another translation unit.
extern UCHAR first_five_byte[5];
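// Dispatch routine for IRP_MJ_CREATE: entered when user mode calls CreateFile on the device.
// It performs no per-handle setup; it only completes the IRP with success so the open succeeds.
//
// DeviceObject - target device (unused).
// Irp          - the create request; completed here.
// Returns STATUS_SUCCESS.
NTSTATUS Dispatch_CreateFile(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);

    Irp->IoStatus.Status = STATUS_SUCCESS;
    // The completing driver must fill in Information; an open transfers no data.
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}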
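// Dispatch routine for IRP_MJ_DEVICE_CONTROL: entered when user mode calls DeviceIoControl.
//
// ADD_CODE_OPEN  - reads an int PID from the buffered input and enables protection.
// ADD_CODE_CLOSE - disables protection.
// Any other control code is rejected instead of being reported as successful.
//
// DeviceObject - target device (unused).
// Irp          - the request; always completed here with the returned status.
// Returns STATUS_SUCCESS, STATUS_INVALID_PARAMETER (input missing or shorter than an int),
// or STATUS_INVALID_DEVICE_REQUEST (unknown control code).
//
// NOTE(review): every caller that is able to open the device can change which PID is
// protected or switch protection off. Restrict who can open the device (for example with
// IoCreateDeviceSecure and an administrators/SYSTEM-only SDDL string; wdmsec.h is already
// included by Driver.h) if that is not intended.
NTSTATUS Dispatch_DeviceControl(DEVICE_OBJECT *DeviceObject, IRP *Irp)
{
    NTSTATUS status = STATUS_SUCCESS;
    PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(Irp);
    ULONG ControlCode = stack->Parameters.DeviceIoControl.IoControlCode;

    UNREFERENCED_PARAMETER(DeviceObject);

    switch (ControlCode)
    {
    case ADD_CODE_OPEN:
        // The buffer and its length come from user mode. With METHOD_BUFFERED the system
        // buffer is NULL when no data was passed, so dereferencing it unchecked would fault
        // in kernel mode; a buffer shorter than an int would be read past its end.
        if (Irp->AssociatedIrp.SystemBuffer == NULL ||
            stack->Parameters.DeviceIoControl.InputBufferLength < sizeof(int))
        {
            status = STATUS_INVALID_PARAMETER;
            break;
        }
        ProtectPID = *((int*)Irp->AssociatedIrp.SystemBuffer);
        isProtectProcess = TRUE;
        break;
    case ADD_CODE_CLOSE:
        isProtectProcess = FALSE;
        break;
    default:
        // Unknown requests must not look like they succeeded.
        status = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    Irp->IoStatus.Status = status;
    // No output is produced by any control code, so zero bytes are copied back to the caller.
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT); // signals that this IRP is finished
    return status;
}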
// Unload routine: removes the inline hook first, then walks the driver's device list and
// deletes each device's symbolic link followed by the device object itself.
void DriverUnload(PDRIVER_OBJECT DriverObject){
    PDEVICE_OBJECT current;
    PDEVICE_OBJECT next;
    PDEVICE_EXTENSION ext;

    // Disabled alternative that restores the SSDT table entry instead:
    //SSDT_UnHook((char*)KeServiceDescriptorTable->ServiceTableBase + 190 * 4, OriginalAddr);
    SSDT_UnInlineHook((DWORD32)OriginalAddr);

    for (current = DriverObject->DeviceObject; current != NULL; current = next)
    {
        ext = (PDEVICE_EXTENSION)current->DeviceExtension;
        // Fetch the successor before the device is deleted.
        next = current->NextDevice;
        IoDeleteSymbolicLink(&(ext->ustrSymLinkName));
        IoDeleteDevice(ext->pDevice);
    }

    KdPrint(("驱动卸载成功"));
}
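// Driver entry point: registers the unload and dispatch routines, creates the named device
// \Device\DriverDevice and the symbolic link \??\inlinehook that user mode opens.
//
// DriverObject - this driver's object, filled in with the routine pointers.
// RegistryPath - service key path (unused).
// Returns STATUS_SUCCESS when both the device and the link exist; otherwise the failing
// status from IoCreateDevice or IoCreateSymbolicLink, so the load is reported as failed
// instead of leaving a driver resident without a usable device.
//
// NOTE(review): DriverUnload is not called when DriverEntry fails. If hook installation is
// added to this routine, it has to be undone on the failure paths below.
// NOTE(review): the device is created with the default security descriptor. Its IOCTLs change
// global protection state, so consider IoCreateDeviceSecure with a restrictive SDDL string
// (wdmsec.h is already included by Driver.h).
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    PDEVICE_OBJECT pDeviceObject = NULL;
    PDEVICE_EXTENSION pDeivceExt;

    UNREFERENCED_PARAMETER(RegistryPath);

    KdPrint(("驱动加载成功"));
    DriverObject->DriverUnload = DriverUnload;
    // Register the dispatch routines.
    DriverObject->MajorFunction[IRP_MJ_CREATE] = Dispatch_CreateFile;
    // The create handler only completes the IRP with success, which is also what a close
    // needs; without an entry the close request is completed as an invalid device request.
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = Dispatch_CreateFile;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = Dispatch_DeviceControl;

    RtlInitUnicodeString(&DeviceName, L"\\Device\\DriverDevice");
    RtlInitUnicodeString(&SymLinkName, L"\\??\\inlinehook");

    CreateDeviceStatus = IoCreateDevice(DriverObject, sizeof(DEVICE_EXTENSION), &DeviceName, FILE_DEVICE_UNKNOWN, 0, TRUE, &pDeviceObject);
    if (!NT_SUCCESS(CreateDeviceStatus))
    {
        KdPrint(("设备创建失败"));
        // pDeviceObject is not valid here: do not create the link and do not delete anything.
        return CreateDeviceStatus;
    }
    KdPrint(("设备创建成功"));

    // OR the flag in. A plain assignment wipes the flags IoCreateDevice already set for this
    // device (such as DO_EXCLUSIVE and DO_DEVICE_HAS_NAME). Losing the has-name flag can keep
    // the named device object alive after IoDeleteDevice, which fits the reported symptom of
    // the second load failing after an unload.
    pDeviceObject->Flags |= DO_BUFFERED_IO;

    pDeivceExt = (PDEVICE_EXTENSION)pDeviceObject->DeviceExtension;
    pDeivceExt->pDevice = pDeviceObject;
    pDeivceExt->ustrDeviceName = DeviceName;
    pDeivceExt->ustrSymLinkName = SymLinkName;

    CreateSymLinkStatus = IoCreateSymbolicLink(&SymLinkName, &DeviceName);
    if (!NT_SUCCESS(CreateSymLinkStatus))
    {
        KdPrint(("符号链接创建失败"));
        IoDeleteDevice(pDeviceObject);
        return CreateSymLinkStatus;
    }
    KdPrint(("符号链接创建成功"));

    return STATUS_SUCCESS;
}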
这是头文件 Driver.h
#include <ntddk.h>
#include <wdmsec.h>
#pragma comment(lib,"wdmsec.lib")
// Device control codes shared with the user-mode client. Both use METHOD_BUFFERED, so the
// driver receives the input through Irp->AssociatedIrp.SystemBuffer, and both require the
// handle to have been opened with read and write access.
#define ADD_CODE_OPEN CTL_CODE(FILE_DEVICE_UNKNOWN,0x801,METHOD_BUFFERED,FILE_READ_DATA|FILE_WRITE_DATA)//enable protection
#define ADD_CODE_CLOSE CTL_CODE(FILE_DEVICE_UNKNOWN,0x802,METHOD_BUFFERED,FILE_READ_DATA|FILE_WRITE_DATA)//disable protection
// The driver's own view of the system service descriptor table layout.
// NOTE(review): this layout is not declared by the WDK headers; it presumably matches the
// 32-bit kernel the author tests on -- confirm before using it on any other build.
typedef struct ServiceDescriptorTable {
PVOID ServiceTableBase;        // base of the service routine table (used by the disabled SSDT_UnHook call)
PVOID ServiceCounterTable;
unsigned int NumberOfServices;
PVOID ParamTableBase;
}*pServiceDescriptorTable;
// Defined outside this driver; presumably resolved against the kernel's export at link time.
extern pServiceDescriptorTable KeServiceDescriptorTable;
// Function-pointer type with the NtOpenProcess signature; the type of OriginalAddr.
typedef NTSTATUS (NTAPI *pNtOpenProcess)(
_Out_ PHANDLE ProcessHandle,
_In_ ACCESS_MASK DesiredAccess,
_In_ POBJECT_ATTRIBUTES ObjectAttributes,
_In_opt_ PCLIENT_ID ClientId
);
// Per-device data stored in the device extension. DriverEntry fills it in and DriverUnload
// reads it to delete the symbolic link and the device.
typedef struct _DEVICE_EXTENSION {
PDEVICE_OBJECT pDevice;         // back-pointer to the owning device object
UNICODE_STRING ustrDeviceName; // device name (struct copy; Buffer still points at the original string)
UNICODE_STRING ustrSymLinkName; // symbolic link name (struct copy; Buffer still points at the original string)
} DEVICE_EXTENSION, *PDEVICE_EXTENSION;
// Device and symbolic-link names, initialised in DriverEntry.
// NOTE(review): these are variable definitions inside a header. Every .c file that includes
// Driver.h gets its own definition; declaring them extern here and defining them in one
// source file avoids duplicate-symbol problems.
UNICODE_STRING DeviceName, SymLinkName;
// Results of IoCreateDevice and IoCreateSymbolicLink, set in DriverEntry.
NTSTATUS CreateDeviceStatus, CreateSymLinkStatus;