第一次写驱动,水平很低
模仿的Intercessor
目的是用PsSetLoadImageNotifyRoutine监视DLL的加载
可是在Stop Service这个.sys文件后 再对系统进行其他操作 会蓝屏
#include <ntddk.h>
#define IOCTL_DLL_LOAD \
(ULONG) CTL_CODE(FILE_DEVICE_DISK_FILE_SYSTEM, 0x901, METHOD_BUFFERED, FILE_ANY_ACCESS)
typedef struct _DLL_INFO
{
PUNICODE_STRING FullImageName;
PVOID ImageBase;
LARGE_INTEGER current_time;
} DLL_INFO, * PDLL_INFO;
typedef struct _DEVICE_EXTENSION
{
KSPIN_LOCK protect_lock;
SIZE_T data_num;
DLL_INFO dll_info[200];
} DEVICE_EXTENSION,*PDEVICE_EXTENSION;
static DEVICE_EXTENSION devExtension;
static NTSTATUS MydrvDispatch(IN PDEVICE_OBJECT pDevObj,IN PIRP pIrp);
static NTSTATUS DrvIOCtrlDispatch( IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp);
static VOID DriverUnload(IN PDRIVER_OBJECT pDriverObj);
VOID LoadDllMon(IN PUNICODE_STRING FullImageName,IN HANDLE ProcessId,IN PIMAGE_INFO ImageInfo);
#define DEVICE_NAME L"\\Device\\LoadDll"
#define LINK_NAME L"\\DosDevices\\LoadDll"
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObj, IN PUNICODE_STRING pRegistryString)
{
NTSTATUS status = STATUS_SUCCESS;
UNICODE_STRING ustrDevName,ustrLinkName;
PDEVICE_OBJECT pDevObj;
int i;
for (i=0;i<IRP_MJ_MAXIMUM_FUNCTION;i++)
{
pDriverObj->MajorFunction[i]=MydrvDispatch;
}
pDriverObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DrvIOCtrlDispatch;
pDriverObj->DriverUnload = DriverUnload;
RtlInitUnicodeString(&ustrDevName, DEVICE_NAME);
RtlInitUnicodeString(&ustrLinkName, LINK_NAME);
status = IoCreateDevice(pDriverObj,
0,
&ustrDevName,
FILE_DEVICE_UNKNOWN,
0,
FALSE,
&pDevObj);
if(!NT_SUCCESS(status))
{
return status;
}
status = IoCreateSymbolicLink(&ustrLinkName, &ustrDevName);
if(!NT_SUCCESS(status))
{
IoDeleteDevice(pDevObj);
return status;
}
devExtension.data_num=0;
status=PsSetLoadImageNotifyRoutine(LoadDllMon);
if (!NT_SUCCESS(status))
{
DbgPrint("PsSetLoadImageNotifyRoutine()\n");
return status;
}
return STATUS_SUCCESS;
}
VOID DriverUnload(IN PDRIVER_OBJECT pDriverObj)
{
UNICODE_STRING strLink;
RtlInitUnicodeString(&strLink, LINK_NAME);
IoDeleteSymbolicLink(&strLink);
IoDeleteDevice(pDriverObj->DeviceObject);
DbgPrint("LoadDll Stop\n");
return;
}
NTSTATUS MydrvDispatch(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp)
{
pIrp->IoStatus.Status = STATUS_SUCCESS;
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
VOID LoadDllMon(IN PUNICODE_STRING FullImageName,IN HANDLE ProcessId,IN PIMAGE_INFO ImageInfo)
{
KIRQL old_spin_lock_val;
KeAcquireSpinLock(&devExtension.protect_lock,&old_spin_lock_val);
devExtension.dll_info[devExtension.data_num].FullImageName=FullImageName;
devExtension.dll_info[devExtension.data_num].ImageBase=ImageInfo->ImageBase;
KeQuerySystemTime(&devExtension.dll_info[devExtension.data_num].current_time);
++devExtension.data_num;
if (devExtension.data_num>=200)
{
devExtension.data_num=199;
}
KeReleaseSpinLock(&devExtension.protect_lock,old_spin_lock_val);
}
static NTSTATUS DrvIOCtrlDispatch( IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp)
{
NTSTATUS status = STATUS_SUCCESS;
PIO_STACK_LOCATION irpStack;
PVOID ioBuffer;
ULONG inputBufferLength;
ULONG outputBufferLength;
ULONG ioControlCode;
KIRQL old_spin_lock_val;
SIZE_T desiredBufferLength;
irpStack = IoGetCurrentIrpStackLocation(Irp);
ioControlCode= irpStack->Parameters.DeviceIoControl.IoControlCode;
ioBuffer = Irp->AssociatedIrp.SystemBuffer;
inputBufferLength = irpStack->Parameters.DeviceIoControl.InputBufferLength;
outputBufferLength = irpStack->Parameters.DeviceIoControl.OutputBufferLength;
status = STATUS_SUCCESS;
switch(ioControlCode)
{
case IOCTL_DLL_LOAD:
desiredBufferLength=sizeof(DLL_INFO)*200+sizeof(SIZE_T);
if (outputBufferLength<desiredBufferLength||NULL==ioBuffer)
{
status=STATUS_BUFFER_TOO_SMALL;
break;
}
KeAcquireSpinLock(&devExtension.protect_lock,&old_spin_lock_val);
RtlCopyMemory(ioBuffer, &devExtension.data_num, desiredBufferLength);
devExtension.data_num=0;
KeReleaseSpinLock(&devExtension.protect_lock,old_spin_lock_val);
break;
default:
break;
}
Irp->IoStatus.Status = status;
Irp->IoStatus.Information = outputBufferLength;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return status;
}
另外的问题是
得到的 IN PUNICODE_STRING FullImageName 和 IN PIMAGE_INFO ImageInfo 里面的信息
如何在应用程序经转换后打印出来
我写的DrvIOCtrlDispatch对不对?
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课