顺便问下大叔:
加载驱动的方法很多, 偶用ZwLoadDriver , 出现问题
-----------------------------------------------------------------------------------
程序运行后释放sudami.sys 到 C:\WINDOWS\system32\drivers 目录下
然后加载驱动,
加载驱动的代码如下: /******************************************************************************
* FileName : LoadDriver.h
* Author : sudami
* Time : 2007/10/15
*
* Comment : 加载驱动
******************************************************************************/
//HANDLE OpenDriver() 打开驱动建立的符号链接的句柄
//void UninstallDriver() 卸载驱动,要把OpenDriver打开的句柄关闭才可以成功卸载
#include "stdafx.h"
#include <windows.h>
////////////////////////////////////////////////////////////////////////////////
#define DRV_NAME "sudami" // service name: forms the Services\<name> registry key and the \\.\<name> device path used below
#define DRV_FILENAME "sudami.sys" // driver image file name, expected under system32\drivers
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L) // NT success code the NtLoadDriver/NtUnloadDriver results are compared against (NTSTATUS is typedef'd just below; the macro only expands at its use sites)
////////////////////////////////////////////////////////////////////////////////
// Local copies of the NT types needed to call ntdll directly from user mode.
// They are passed to RtlInitAnsiString / RtlAnsiStringToUnicodeString /
// RtlFreeUnicodeString / NtLoadDriver below, so their layout must match the
// native definitions (counted strings: Length, MaximumLength, Buffer).
typedef LONG NTSTATUS;
typedef struct _STRING {
USHORT Length;
USHORT MaximumLength;
PCHAR Buffer;
} ANSI_STRING, *PANSI_STRING;
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
/***************************************************************************
* *
* Wrapper class CLoadDriver *
* *
* Installs, loads, unloads and removes the kernel driver named by DRV_NAME. *
* Per the file header: the handle returned by OpenDriver() must be closed *
* by the caller before UninstallDriver() can unload the driver. *
***************************************************************************/
class CLoadDriver
{
public:
// Enables SeLoadDriverPrivilege in the current process token.
BOOL GetLoadDriverPriv();
// Writes the Services\<DRV_NAME> key (Type, ErrorControl, Start, ImagePath).
BOOL SetupRegistry();
// Privilege + registry + LoadDriver(), then CreateFile on \\.\<DRV_NAME>.
HANDLE OpenDriver();
// ntdll!NtUnloadDriver on the service key.
BOOL UnloadDriver();
// ntdll!NtLoadDriver on the service key.
BOOL LoadDriver();
// Deletes the driver file from system32\drivers and the service key.
void CleanupDriver();
// UnloadDriver() followed by CleanupDriver(), with message boxes on the way.
void UninstallDriver();
};
//////////////////////////////////////////////////////////////////////////////////
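//--------------------------------------------------------------------------------
// Name:    GetLoadDriverPriv
//
// Params:  none
//
// Returns: TRUE | FALSE
//
// Purpose: Enable SeLoadDriverPrivilege in the current process token so the
//          NtLoadDriver / NtUnloadDriver calls below are allowed.
//
// Fixes relative to the original: AdjustTokenPrivileges returns TRUE even
// when the privilege is not in the token (it then sets ERROR_NOT_ALL_ASSIGNED),
// so the original reported success for a process that cannot load drivers --
// a common reason the later NtLoadDriver call fails.  The token handle is now
// also closed on every path; it leaked before.
//--------------------------------------------------------------------------------
BOOL CLoadDriver::GetLoadDriverPriv()
{
    HANDLE hToken = NULL;
    if(!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken))
        return FALSE;

    BOOL enabled = FALSE;
    LUID huid;
    if(LookupPrivilegeValue(NULL, "SeLoadDriverPrivilege", &huid))
    {
        TOKEN_PRIVILEGES tp;
        tp.PrivilegeCount = 1;
        tp.Privileges[0].Luid = huid;
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        // The real outcome is in GetLastError(): ERROR_SUCCESS only when the
        // privilege was actually enabled.
        if(AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, NULL) &&
           GetLastError() == ERROR_SUCCESS)
        {
            enabled = TRUE;
        }
    }
    CloseHandle(hToken);
    return enabled;
}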
//////////////////////////////////////////////////////////////////////////////////
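//--------------------------------------------------------------------------------
// Name:    SetupRegistry
//
// Params:  none
//
// Returns: TRUE | FALSE
//
// Purpose: Create HKLM\System\CurrentControlSet\Services\<DRV_NAME> and write
//          the values NtLoadDriver reads: Type=1 (kernel driver),
//          ErrorControl=1, Start=3 (demand start) and
//          ImagePath=system32\DRIVERS\<DRV_FILENAME>, as in the original.
//
// Fixes relative to the original: the key handle is closed on every path
// (it leaked on all of them), and the ImagePath length now includes the
// terminating NUL that REG_EXPAND_SZ data must carry.  A space separates the
// string literal from the DRV_NAME macro: "..."DRV_NAME is parsed as a
// user-defined-literal suffix by C++11 and later compilers.
//--------------------------------------------------------------------------------
BOOL CLoadDriver::SetupRegistry()
{
    HKEY hkey = NULL;
    if(RegCreateKey(HKEY_LOCAL_MACHINE,
                    "System\\CurrentControlSet\\Services\\" DRV_NAME,
                    &hkey) != ERROR_SUCCESS)
        return FALSE;

    BOOL ok = FALSE;
    DWORD val = 1;   // Type = SERVICE_KERNEL_DRIVER, ErrorControl = SERVICE_ERROR_NORMAL
    if(RegSetValueEx(hkey, "Type", 0, REG_DWORD, reinterpret_cast<const BYTE *>(&val), sizeof(val)) == ERROR_SUCCESS &&
       RegSetValueEx(hkey, "ErrorControl", 0, REG_DWORD, reinterpret_cast<const BYTE *>(&val), sizeof(val)) == ERROR_SUCCESS)
    {
        val = 3;     // Start = SERVICE_DEMAND_START
        if(RegSetValueEx(hkey, "Start", 0, REG_DWORD, reinterpret_cast<const BYTE *>(&val), sizeof(val)) == ERROR_SUCCESS)
        {
            const char *imgName = "system32\\DRIVERS\\" DRV_FILENAME;
            // cbData for string values counts the terminating NUL.
            const DWORD cbImg = static_cast<DWORD>(strlen(imgName) + 1);
            if(RegSetValueEx(hkey, "ImagePath", 0, REG_EXPAND_SZ, reinterpret_cast<const BYTE *>(imgName), cbImg) == ERROR_SUCCESS)
                ok = TRUE;
        }
    }
    RegCloseKey(hkey);
    return ok;
}
//////////////////////////////////////////////////////////////////////////////////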
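//--------------------------------------------------------------------------------
// Name:    LoadDriver
//
// Params:  none
//
// Returns: TRUE | FALSE
//
// Purpose: Load the driver described by the service key written in
//          SetupRegistry() through ntdll!NtLoadDriver.  Needs the
//          SeLoadDriverPrivilege enabled by GetLoadDriverPriv().
//
// Fixes relative to the original: the "_RtlAnsiStringToUnicodeString failed"
// message sat after a `return` and was unreachable; a NULL ntdll handle is
// rejected before GetProcAddress; the unused NtUnloadDriver pointer is gone.
// The NTSTATUS from NtLoadDriver is still discarded -- showing it in the
// message box is the quickest way to tell apart the usual causes (privilege
// not actually held, ImagePath not resolving to the file, driver already
// loaded).
//--------------------------------------------------------------------------------
BOOL CLoadDriver::LoadDriver()
{
    typedef NTSTATUS (WINAPI *RtlAnsiStringToUnicodeStringFn)(PUNICODE_STRING DestinationString,
                                                              PANSI_STRING SourceString,
                                                              BOOLEAN AllocateDestinationString);
    typedef VOID (WINAPI *RtlInitAnsiStringFn)(PANSI_STRING DestinationString, const char *SourceString);
    typedef NTSTATUS (WINAPI *NtLoadDriverFn)(PUNICODE_STRING DriverServiceName);
    typedef VOID (WINAPI *RtlFreeUnicodeStringFn)(PUNICODE_STRING UnicodeString);

    HMODULE hntdll = GetModuleHandle("ntdll.dll");
    if(hntdll == NULL)
        return FALSE;

    // Resolve the ntdll entry points at run time; none of them is exported
    // through an import library this project links.
    NtLoadDriverFn _ZwLoadDriver =
        reinterpret_cast<NtLoadDriverFn>(GetProcAddress(hntdll, "NtLoadDriver"));
    RtlAnsiStringToUnicodeStringFn _RtlAnsiStringToUnicodeString =
        reinterpret_cast<RtlAnsiStringToUnicodeStringFn>(GetProcAddress(hntdll, "RtlAnsiStringToUnicodeString"));
    RtlInitAnsiStringFn _RtlInitAnsiString =
        reinterpret_cast<RtlInitAnsiStringFn>(GetProcAddress(hntdll, "RtlInitAnsiString"));
    RtlFreeUnicodeStringFn _RtlFreeUnicodeString =
        reinterpret_cast<RtlFreeUnicodeStringFn>(GetProcAddress(hntdll, "RtlFreeUnicodeString"));
    if(!_ZwLoadDriver || !_RtlAnsiStringToUnicodeString || !_RtlInitAnsiString || !_RtlFreeUnicodeString)
        return FALSE;

    ANSI_STRING aStr;
    _RtlInitAnsiString(&aStr, "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\" DRV_NAME);
    UNICODE_STRING uStr;
    // TRUE asks RtlAnsiStringToUnicodeString to allocate uStr.Buffer, so every
    // path after a successful conversion must call RtlFreeUnicodeString.
    if(_RtlAnsiStringToUnicodeString(&uStr, &aStr, TRUE) != STATUS_SUCCESS)
    {
        AfxMessageBox("_RtlAnsiStringToUnicodeString failed");
        return FALSE;
    }

    const NTSTATUS status = _ZwLoadDriver(&uStr);
    _RtlFreeUnicodeString(&uStr);
    if(status == STATUS_SUCCESS)
        return TRUE;
    AfxMessageBox("_ZwLoadDriver(&uStr) failed");
    return FALSE;
}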
//////////////////////////////////////////////////////////////////////////////////
//--------------------------------------------------------------------------------
// Name:    UnloadDriver
//
// Params:  none
//
// Returns: TRUE | FALSE
//
// Purpose: Ask ntdll!NtUnloadDriver to remove the driver registered under
//          \Registry\Machine\System\CurrentControlSet\Services\<DRV_NAME>.
//          Returns FALSE when any ntdll entry point cannot be resolved, when
//          the key name cannot be converted to a UNICODE_STRING, or when
//          NtUnloadDriver returns anything but STATUS_SUCCESS.
//--------------------------------------------------------------------------------
BOOL CLoadDriver::UnloadDriver()
{
    typedef NTSTATUS (WINAPI *AnsiToUnicodeFn)(PUNICODE_STRING, PANSI_STRING, BOOLEAN);
    typedef VOID (WINAPI *InitAnsiFn)(PANSI_STRING, const char *);
    typedef NTSTATUS (WINAPI *DriverServiceFn)(PUNICODE_STRING);
    typedef VOID (WINAPI *FreeUnicodeFn)(PUNICODE_STRING);

    HMODULE ntdll = GetModuleHandle("ntdll.dll");
    // NtLoadDriver is resolved as well, purely to keep the same
    // "all five exports present" precondition as the original.
    DriverServiceFn pNtLoad     = reinterpret_cast<DriverServiceFn>(GetProcAddress(ntdll, "NtLoadDriver"));
    DriverServiceFn pNtUnload   = reinterpret_cast<DriverServiceFn>(GetProcAddress(ntdll, "NtUnloadDriver"));
    AnsiToUnicodeFn pToUnicode  = reinterpret_cast<AnsiToUnicodeFn>(GetProcAddress(ntdll, "RtlAnsiStringToUnicodeString"));
    InitAnsiFn      pInitAnsi   = reinterpret_cast<InitAnsiFn>(GetProcAddress(ntdll, "RtlInitAnsiString"));
    FreeUnicodeFn   pFreeUnicode = reinterpret_cast<FreeUnicodeFn>(GetProcAddress(ntdll, "RtlFreeUnicodeString"));
    if(!pNtLoad || !pNtUnload || !pToUnicode || !pInitAnsi || !pFreeUnicode)
        return FALSE;

    ANSI_STRING serviceKeyA;
    pInitAnsi(&serviceKeyA, "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\" DRV_NAME);
    UNICODE_STRING serviceKeyW;
    if(pToUnicode(&serviceKeyW, &serviceKeyA, TRUE) != STATUS_SUCCESS)
        return FALSE;

    // Buffer was allocated by the conversion above; release it on both outcomes.
    const BOOL unloaded = (pNtUnload(&serviceKeyW) == STATUS_SUCCESS);
    pFreeUnicode(&serviceKeyW);
    return unloaded;
}
//////////////////////////////////////////////////////////////////////////////////
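//--------------------------------------------------------------------------------
// Name:    CleanupDriver
//
// Params:  none
//
// Returns: none
//
// Purpose: Delete system32\drivers\<DRV_FILENAME> and the
//          Services\<DRV_NAME> key (its Enum subkey first, since the parent
//          cannot be removed while it has subkeys).
//
// Fixes relative to the original: GetSystemDirectory's result was never
// checked, so on failure strncat ran on an uninitialised buffer; and the
// strncat count was MAX_PATH -- the whole buffer size rather than the space
// left after the directory -- which permits a write past the end of sysDir.
//--------------------------------------------------------------------------------
void CLoadDriver::CleanupDriver()
{
    char sysDir[MAX_PATH + 1];
    // Returns 0 on failure, or the required size if the buffer is too small.
    const UINT len = GetSystemDirectory(sysDir, MAX_PATH);
    if(len != 0 && len < MAX_PATH)
    {
        // Append at most the bytes that still fit, leaving room for the NUL.
        strncat(sysDir, "\\drivers\\" DRV_FILENAME, sizeof(sysDir) - strlen(sysDir) - 1);
        DeleteFile(sysDir);
    }
    RegDeleteKey(HKEY_LOCAL_MACHINE, "System\\CurrentControlSet\\Services\\" DRV_NAME "\\Enum");
    RegDeleteKey(HKEY_LOCAL_MACHINE, "System\\CurrentControlSet\\Services\\" DRV_NAME);
}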
//////////////////////////////////////////////////////////////////////////////////
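//--------------------------------------------------------------------------------
// Name:    OpenDriver
//
// Params:  none
//
// Returns: HANDLE to the \\.\<DRV_NAME> device, or INVALID_HANDLE_VALUE.
//
// Purpose: Enable the load-driver privilege, write the service key, load the
//          driver and open its device.  Each failing step reports through
//          AfxMessageBox and stops the sequence.
//
// Fix relative to the original: hDevice was only assigned when LoadDriver()
// succeeded, so every earlier failure returned an uninitialised HANDLE that
// callers could not distinguish from a valid one.  Every path now yields
// INVALID_HANDLE_VALUE on failure.  The caller owns the returned handle and
// must CloseHandle it (before UninstallDriver, per the file header).
//--------------------------------------------------------------------------------
HANDLE CLoadDriver::OpenDriver()
{
    HANDLE hDevice = INVALID_HANDLE_VALUE;

    if(!GetLoadDriverPriv())
    {
        AfxMessageBox("Error getting load driver privilege! ");
        return hDevice;
    }
    if(!SetupRegistry())
    {
        AfxMessageBox("Error setting driver registry keys! Make sure you are running this as Administrator. ");
        return hDevice;
    }
    if(!LoadDriver())
    {
        AfxMessageBox("LoadDriver() failed");
        return hDevice;
    }

    hDevice = CreateFile(
        "\\\\.\\" DRV_NAME,
        GENERIC_WRITE | GENERIC_READ,
        FILE_SHARE_READ | FILE_SHARE_WRITE,
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL);
    if(hDevice == INVALID_HANDLE_VALUE)
    {
        // Literal kept byte-for-byte, including the line splice.
        AfxMessageBox("Error loading kernel support driver! Make sure you are\
running this as Administrator. ");
    }
    else
    {
        AfxMessageBox("loading kernel support driver success");
    }
    return hDevice;
}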
//////////////////////////////////////////////////////////////////////////////////
//--------------------------------------------------------------------------------
// Name:    UninstallDriver
//
// Params:  none
//
// Returns: none
//
// Purpose: Unload the kernel driver and then remove its file and registry
//          key.  CleanupDriver() runs regardless of whether the unload
//          succeeded; the result of each step is reported via AfxMessageBox.
//          SetupRegistry() is invoked before the unload, presumably so the
//          service key NtUnloadDriver is given always exists -- confirm
//          against the callers if that was not the intent.
//
// Note: an earlier revision copied DRV_FILENAME from the working directory
// into system32\drivers at the top of this function; that code was already
// commented out and is not part of the current behaviour.
//--------------------------------------------------------------------------------
void CLoadDriver::UninstallDriver()
{
    if(!GetLoadDriverPriv())
    {
        AfxMessageBox("Error getting load driver privilege! ");
    }
    else if(!SetupRegistry())
    {
        AfxMessageBox("Error setting driver registry keys! Make sure you are running this as Administrator. ");
    }
    else
    {
        const char *verdict = UnloadDriver()
            ? "Support driver successfully unloaded. "
            : "Unload support driver failed. It is probably not loaded. ";
        AfxMessageBox(verdict);
    }
    CleanupDriver();
}
--------------------------------------------------------------------------------
蓝色部分(即下面引用的那一行)就是出错的地方.
sudami.sys已经释放出来了, 可是到
if(_ZwLoadDriver(&uStr) == STATUS_SUCCESS)
显示加载不成功.
这是什么原因造成的啊?