为什么同样在这个函数里面,IRP_MJ_CREATE里不是在系统进程内而 IRP_MJ_SHUTDOWN是呢?到底什么时候要用IoQueueWorkItem将函数放入列队中呢?
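/*
 * RegmonDispatch - dispatch routine for IRP_MJ_CREATE, IRP_MJ_SHUTDOWN,
 * IRP_MJ_CLOSE and IRP_MJ_DEVICE_CONTROL on the Regmon control device.
 *
 * DeviceObject: the Regmon device object the IRP is addressed to.
 * Irp:          the request. It is always completed here with
 *               IoCompleteRequest and must not be touched afterwards.
 *
 * Returns the status recorded in Irp->IoStatus.Status at completion, so the
 * value handed back to the I/O manager matches what the IRP itself reports
 * (the earlier version returned STATUS_SUCCESS unconditionally, even when
 * RegmonDeviceControl had stored a failure in Irp->IoStatus).
 *
 * Process context: IRP_MJ_SHUTDOWN is delivered in the context of the system
 * process, so the boot log can be written directly there. IRP_MJ_CREATE runs
 * in the context of whichever process opened the device (the GUI), so closing
 * the boot log is handed to a system worker thread with IoQueueWorkItem and
 * this routine waits on LoggingEvent until that work has been done.
 * NOTE(review): that is the usual reason for the work item in this driver;
 * confirm against RegmonCloseBootLog and the owner of the boot-log handle.
 */
NTSTATUS RegmonDispatch( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp )
{
    PIO_STACK_LOCATION irpStack;
    PVOID inputBuffer;
    PVOID outputBuffer;
    ULONG inputBufferLength;
    ULONG outputBufferLength;
    ULONG ioControlCode;
    PSTORE_BUF old;
    PIO_WORKITEM workItem;
    NTSTATUS status;

    /* Published for the work-item routine, which replaced the deprecated
     * ExQueueWorkItem-based close and needs the device object. Cleared again
     * before the IRP is completed. */
    workitem_DeviceObject = DeviceObject;

    /* Default to success; individual cases may overwrite the status. */
    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;

    /* The current stack location holds the major function and parameters. */
    irpStack = IoGetCurrentIrpStackLocation( Irp );

    /* Buffered requests use one shared system buffer for both directions;
     * the DEVICE_CONTROL case adjusts the output side for METHOD_NEITHER. */
    inputBuffer        = Irp->AssociatedIrp.SystemBuffer;
    inputBufferLength  = irpStack->Parameters.DeviceIoControl.InputBufferLength;
    outputBuffer       = Irp->AssociatedIrp.SystemBuffer;
    outputBufferLength = irpStack->Parameters.DeviceIoControl.OutputBufferLength;
    ioControlCode      = irpStack->Parameters.DeviceIoControl.IoControlCode;

    switch ( irpStack->MajorFunction ) {

    case IRP_MJ_CREATE:
        /* Double parentheses presumably match a DbgPrint(arg) macro defined
         * elsewhere in the file - confirm before "fixing" them. */
        DbgPrint(("Regmon: IRP_MJ_CREATE\n"));

        /* The GUI is attaching: turn off boot logging (BootLogging starts
         * out FALSE, so this only runs while a boot log is open). */
        if ( BootLogging ) {
            /* Allocate before changing any state, so an allocation failure
             * leaves boot logging untouched and simply fails this open. */
            workItem = IoAllocateWorkItem( DeviceObject );
            if ( workItem == NULL ) {
                Irp->IoStatus.Status = STATUS_INSUFFICIENT_RESOURCES;
                break;
            }
            BootLogging = FALSE;
            IoUnregisterShutdownNotification( DeviceObject );
            MUTEX_WAIT( StoreMutex );
            /* The cast hides any difference between RegmonCloseBootLog's
             * signature and IO_WORKITEM_ROUTINE (PDEVICE_OBJECT, PVOID);
             * TODO confirm they agree. */
            IoQueueWorkItem( workItem, (PIO_WORKITEM_ROUTINE)RegmonCloseBootLog,
                             DelayedWorkQueue, NULL );
            /* Wait until the worker has written/closed the log (it signals
             * LoggingEvent) so the store is only touched afterwards. */
            KeWaitForSingleObject( &LoggingEvent, Executive, KernelMode, FALSE, NULL );
            /* A queued work item must not be freed before its routine has
             * run; the earlier version freed it right after queueing. Freeing
             * after the wait is only as safe as LoggingEvent being signalled
             * at the very end of RegmonCloseBootLog. NOTE(review): the fully
             * safe owner of this free is the worker routine itself - consider
             * passing workItem as the Context and freeing it there. */
            IoFreeWorkItem( workItem );
            MUTEX_RELEASE( StoreMutex );
        }
        Sequence = 0;
        GUIActive = TRUE;
        DbgPrint((" GUI Active: %d\n", GUIActive ));
        break;

    case IRP_MJ_SHUTDOWN:
        /* Delivered in the system process context, so the boot log can be
         * written directly; no worker thread item is needed. Dump every
         * accumulated buffer up to and including the current one. */
        while ( (old = RegmonOldestStore()) != NULL ) {
            RegmonWriteBootLog( old );
            if ( old == Store ) {
                break;
            }
        }
        break;

    case IRP_MJ_CLOSE:
        DbgPrint(("Regmon: IRP_MJ_CLOSE\n"));
        GUIActive = FALSE;
        DbgPrint((" GUI closing: %d\n", GUIActive ));
        RegmonResetStore();
        break;

    case IRP_MJ_DEVICE_CONTROL:
        DbgPrint(("Regmon: IRP_MJ_DEVICE_CONTROL\n"));
        /* METHOD_NEITHER (transfer type 3) hands the caller's buffer straight
         * to the driver: Irp->UserBuffer is an unvalidated user-mode pointer.
         * NOTE(review): it must be probed (ProbeForWrite under __try/__except)
         * before anything writes through it; this routine relies on
         * RegmonDeviceControl to do so. Whether a METHOD_NEITHER IOCTL here
         * also carries input (Type3InputBuffer) cannot be told from this
         * routine - confirm. */
        if ( IOCTL_TRANSFER_TYPE( ioControlCode ) == METHOD_NEITHER ) {
            outputBuffer = Irp->UserBuffer;
        }
        /* Request from the GUI; RegmonDeviceControl records its result in
         * Irp->IoStatus. */
        RegmonDeviceControl( irpStack->FileObject, TRUE,
                             inputBuffer, inputBufferLength,
                             outputBuffer, outputBufferLength,
                             ioControlCode, &Irp->IoStatus, DeviceObject );
        break;

    default:
        /* Any other major function is completed with the STATUS_SUCCESS and
         * zero Information set above, as before. NOTE(review): consider
         * STATUS_INVALID_DEVICE_REQUEST once the majors registered in
         * DriverEntry are confirmed. */
        break;
    }

    workitem_DeviceObject = NULL;

    /* Capture the status first: the IRP may be freed by IoCompleteRequest. */
    status = Irp->IoStatus.Status;
    IoCompleteRequest( Irp, IO_NO_INCREMENT );
    return status;
}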