X86 win7 平台
驱动
#include <ntifs.h>
#define DEVICE_NAME L"\\Device\\wangliang"
#define SYM_NAME L"\\??\\wangliang"
#define _COMM_ID 0x12345678
// Local mirror of the kernel's loader data table entry -- the record that
// PDRIVER_OBJECT->DriverSection points at (see DriverEntry). Only two members
// are read in this listing: InLoadOrderLinks (ReadDispatch walks the list
// through it) and FullDllName (the path handed back to user mode).
// NOTE(review): the layout is hand-written for the x86 Win7 target named at
// the top of the file; `exp`, `un` and the `__Undefined*` members are
// placeholders that keep the offsets of the members that are used in place.
// Confirm the offsets against the target's symbols before reusing this on
// any other build. Names starting with "__" are reserved for the
// implementation and are best renamed.
typedef struct _KLDR_DATA_TABLE_ENTRY {
LIST_ENTRY InLoadOrderLinks; // links into the kernel's circular loaded-module list
LIST_ENTRY exp;              // placeholder; not read here
ULONG un;                    // placeholder; not read here
ULONG NonPagedDebugInfo;     // not read here
ULONG DllBase;               // image base; pointer-sized on the 32-bit target
ULONG EntryPoint;            // not read here
ULONG SizeOfImage;           // not read here
UNICODE_STRING FullDllName;  // full image path; converted to ANSI by ReadDispatch
UNICODE_STRING BaseDllName;  // not read here
ULONG Flags;                 // not read here
USHORT LoadCount;            // not read here
USHORT __Undefined5;         // placeholder; not read here
ULONG __Undefined6;          // placeholder; not read here
ULONG CheckSum;              // not read here
ULONG TimeDateStamp;         // not read here
} KLDR_DATA_TABLE_ENTRY, * PKLDR_DATA_TABLE_ENTRY;
// Prototype for the kernel's undocumented name-based object lookup (it is
// exported but not declared in the public headers, hence the local
// declaration). NOTE(review): like the documented ObReferenceObject*
// routines, a successful call leaves a reference on *Object that the caller
// has to drop with ObDereferenceObject; ReadDispatch in this listing never
// does, and never uses the object it obtains either.
NTKERNELAPI NTSTATUS ObReferenceObjectByName(
__in PUNICODE_STRING ObjectName,      // full object-manager path to look up
__in ULONG Attributes,                // OBJ_* attributes
__in_opt PACCESS_STATE AccessState,
__in_opt ACCESS_MASK DesiredAccess,
__in POBJECT_TYPE ObjectType,         // e.g. *IoDriverObjectType below
__in KPROCESSOR_MODE AccessMode,
__inout_opt PVOID ParseContext,
__out PVOID* Object                   // receives the referenced object
);
// Object type used to restrict the lookup above to driver objects.
extern POBJECT_TYPE* IoDriverObjectType;
// Request/reply record exchanged with user mode through ReadFile on the
// control device (handled by ReadDispatch). The caller fills `id` and `pid`;
// the driver fills `name`. The R3 program at the bottom of this listing
// carries its own copy of this struct, and the two must stay identical
// byte for byte, since the size is checked against the read length.
typedef struct _CommPackage {
ULONG64 id;     // must equal _COMM_ID for the request to be honoured
ULONG64 pid;    // 1-based position of the wanted entry in the loader list
CHAR name[64];  // receives the entry's full image path as an ANSI string
}CommPackage, * PCommPackage;
// Callback signature and global slot for a per-request hook. Neither is
// referenced anywhere else in this listing; the slot stays NULL.
typedef NTSTATUS(NTAPI* CommCallback)(PCommPackage package);
CommCallback gCommCallback = NULL;
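// IRP_MJ_CREATE / IRP_MJ_CLOSE handler: accepts every open and close without
// doing anything. Completes the IRP with STATUS_SUCCESS and zero bytes
// transferred and returns the same status.
NTSTATUS DefDispatch(DEVICE_OBJECT* DeviceObject, IRP* Irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);

    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    // IO_NO_INCREMENT is the named form of the priority boost 0 used before.
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}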
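// Walks the circular InLoadOrderLinks list that `anchor` is linked into and
// returns the entry at position `pid` (1-based; 0 is treated as 1), counting
// from the entry just after `anchor`. `anchor` itself is never returned and
// the walk wraps around it, so the work is bounded by the list length no
// matter how large the caller-controlled `pid` is. Returns NULL if the list
// is empty or a NULL link is met.
// NOTE(review): no loader lock is held, so the list can change while it is
// walked; and the list head is just another link here, not a real entry, so
// the name read from that position is not meaningful.
static PKLDR_DATA_TABLE_ENTRY SelectEntry(PLIST_ENTRY anchor, ULONG64 pid)
{
    ULONG64 count = 0;
    PLIST_ENTRY link = anchor->Flink;

    // First pass: size the cycle so `pid` can be reduced modulo its length.
    while (link != NULL && link != anchor) {
        count++;
        link = link->Flink;
    }
    if (link == NULL || count == 0) {
        return NULL;
    }

    // Second pass: step to the selected entry (at most count - 1 steps).
    ULONG64 index = (pid == 0 ? 0 : pid - 1) % count;
    link = anchor->Flink;
    while (index-- > 0) {
        link = link->Flink;
    }
    return CONTAINING_RECORD(link, KLDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
}

// Converts `name` to ANSI and copies it into dst[0..dstSize), truncating to
// fit and always NUL-terminating (dstSize must be at least 1). Returns the
// conversion status; dst is left untouched when the conversion fails.
static NTSTATUS CopyModuleName(PUNICODE_STRING name, CHAR *dst, SIZE_T dstSize)
{
    ANSI_STRING ansi = { 0 };
    NTSTATUS status = RtlUnicodeStringToAnsiString(&ansi, name, TRUE);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    SIZE_T n = ansi.Length;
    if (n >= dstSize) {
        n = dstSize - 1;   // the old strcpy() could run past a 64-byte name
    }
    if (n > 0 && ansi.Buffer != NULL) {
        RtlCopyMemory(dst, ansi.Buffer, n);
    }
    dst[n] = '\0';

    RtlFreeAnsiString(&ansi);
    return STATUS_SUCCESS;
}

// IRP_MJ_READ handler: answers a CommPackage request with the full image
// path of the selected entry of the kernel loader list (see CommPackage for
// the protocol).
//
// The request is read from the caller's own buffer: for a buffered read the
// I/O manager does not copy the caller's data into SystemBuffer, so
// Irp->UserBuffer is the only place the request lives. That pointer is
// untrusted -- it is probed and copied under SEH before any field is looked
// at, and never touched again. The reply goes into the I/O manager's
// SystemBuffer and reaches the caller through the Information count on
// completion, so the driver never writes to user memory directly.
//
// Completes the IRP and returns: STATUS_SUCCESS with Information =
// sizeof(CommPackage); STATUS_INVALID_PARAMETER for a wrong read length,
// missing buffers or a wrong comm id; the exception code if the caller's
// buffer cannot be read; STATUS_NOT_FOUND if the list cannot be walked; or
// the string-conversion status. On anything but success nothing is copied
// back to the caller.
//
// The driver-object reference that used to be taken here with
// ObReferenceObjectByName is gone: its result was never used and never
// released.
NTSTATUS ReadDispatch(DEVICE_OBJECT* DeviceObject, IRP* Irp)
{
    PIO_STACK_LOCATION ioStack = IoGetCurrentIrpStackLocation(Irp);
    ULONG Length = ioStack->Parameters.Read.Length;
    PCommPackage reply = (PCommPackage)Irp->AssociatedIrp.SystemBuffer;
    PCommPackage userRequest = (PCommPackage)Irp->UserBuffer;
    CommPackage request;
    PKLDR_DATA_TABLE_ENTRY entry;
    NTSTATUS status = STATUS_SUCCESS;
    ULONG_PTR written = 0;

    if (Length != sizeof(CommPackage) || reply == NULL || userRequest == NULL) {
        status = STATUS_INVALID_PARAMETER;
        goto complete;
    }

    // Capture the request. Alignment 1 is used because the caller's struct
    // is not guaranteed to be 8-byte aligned on the 32-bit stack.
    __try {
        if (Irp->RequestorMode != KernelMode) {
            ProbeForRead(userRequest, sizeof(CommPackage), 1);
        }
        RtlCopyMemory(&request, userRequest, sizeof(CommPackage));
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        status = GetExceptionCode();
    }
    if (!NT_SUCCESS(status)) {
        goto complete;
    }

    if (request.id != _COMM_ID) {
        status = STATUS_INVALID_PARAMETER;
        goto complete;
    }

    // The device extension is a snapshot of this driver's own loader entry;
    // only its InLoadOrderLinks.Flink is valid (see DriverEntry), so that is
    // the only member read through this cast.
    entry = SelectEntry(((PKLDR_DATA_TABLE_ENTRY)DeviceObject->DeviceExtension)->InLoadOrderLinks.Flink,
                        request.pid);
    if (entry == NULL) {
        status = STATUS_NOT_FOUND;
        goto complete;
    }

    // SystemBuffer is pool memory and not zeroed; clear it so that the bytes
    // after the name do not carry stale kernel data back to user mode.
    RtlZeroMemory(reply, sizeof(CommPackage));
    status = CopyModuleName(&entry->FullDllName, reply->name, sizeof(reply->name));
    if (NT_SUCCESS(status)) {
        reply->id = request.id;
        reply->pid = request.pid;
        written = sizeof(CommPackage);
    }

complete:
    Irp->IoStatus.Information = written;
    Irp->IoStatus.Status = status;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}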
// Unload routine: removes the \??\wangliang symbolic link, deletes the one
// device object this driver owns, and logs "END". The link is removed before
// the device so that no new open can reach a device that is going away.
VOID DriverUnload(PDRIVER_OBJECT pDriver)
{
    UNICODE_STRING link;

    RtlInitUnicodeString(&link, SYM_NAME);
    (VOID)IoDeleteSymbolicLink(&link);

    IoDeleteDevice(pDriver->DeviceObject);

    DbgPrint("END\r\n");
}
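// Driver entry point: installs the dispatch routines, creates the control
// device \Device\wangliang with its \??\wangliang symbolic link, and stores a
// snapshot of this driver's own loader-list links in the device extension
// (ReadDispatch starts its walk from that snapshot's Flink).
//
// pDriver: driver object supplied by the I/O manager.
// pReg:    registry path; unused.
// Returns STATUS_SUCCESS; STATUS_UNSUCCESSFUL if DriverSection is NULL; or
// the failing IoCreateDevice / IoCreateSymbolicLink status, with anything
// already created torn down.
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg)
{
    UNREFERENCED_PARAMETER(pReg);

    PKLDR_DATA_TABLE_ENTRY ldr = (PKLDR_DATA_TABLE_ENTRY)pDriver->DriverSection;
    if (ldr == NULL) {
        DbgPrint("[db]:no DriverSection\r\n");
        return STATUS_UNSUCCESSFUL;
    }

    // Dispatch table first, so the device never becomes reachable while the
    // I/O manager's default handlers are still in place.
    pDriver->MajorFunction[IRP_MJ_CREATE] = DefDispatch;
    pDriver->MajorFunction[IRP_MJ_CLOSE] = DefDispatch;
    pDriver->MajorFunction[IRP_MJ_READ] = ReadDispatch;
    pDriver->DriverUnload = DriverUnload;

    UNICODE_STRING unName;
    UNICODE_STRING symName;
    RtlInitUnicodeString(&unName, DEVICE_NAME);
    RtlInitUnicodeString(&symName, SYM_NAME);

    // The extension holds a copy of the entry's list links only. Whoever
    // casts it to PKLDR_DATA_TABLE_ENTRY must read nothing beyond
    // InLoadOrderLinks, the first member. The earlier size of
    // sizeof(PKLDR_DATA_TABLE_ENTRY)+1 with a pointer-sized memcpy captured
    // just Flink by accident; sizeof(LIST_ENTRY) says what is meant.
    PDEVICE_OBJECT pDevice = NULL;
    NTSTATUS status = IoCreateDevice(pDriver, sizeof(LIST_ENTRY), &unName,
                                     FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN,
                                     FALSE, &pDevice);
    if (!NT_SUCCESS(status)) {
        DbgPrint("[db]:%x\r\n", status);
        return status;
    }
    RtlCopyMemory(pDevice->DeviceExtension, &ldr->InLoadOrderLinks, sizeof(LIST_ENTRY));

    status = IoCreateSymbolicLink(&symName, &unName);
    if (!NT_SUCCESS(status)) {
        IoDeleteDevice(pDevice);
        DbgPrint("[db]:%x\r\n", status);
        return status;
    }

    // Buffered I/O: the I/O manager supplies Irp->AssociatedIrp.SystemBuffer
    // for reads and copies IoStatus.Information bytes back on completion.
    // DO_DEVICE_INITIALIZING is cleared last, once everything is in place.
    pDevice->Flags |= DO_BUFFERED_IO;
    pDevice->Flags &= ~DO_DEVICE_INITIALIZING;
    return STATUS_SUCCESS;
}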
R3
#include <stdio.h>
#include <Windows.h>
#define SYM_NAME "\\\\.\\wangliang"
// User-mode copy of the driver's CommPackage: the record passed to ReadFile
// on the device. Must stay byte-for-byte identical to the driver-side struct
// above, since the driver compares the read length with sizeof(CommPackage).
typedef struct _CommPackage {
ULONG64 id;     // set to _COMM_ID
ULONG64 pid;    // 1-based position of the wanted entry in the loader list
CHAR name[64];  // filled by the driver with the entry's image path
}CommPackage, * PCommPackage;
#define _COMM_ID 0x12345678
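// Upper bound on entries requested, so the walk ends even if the driver
// never hands the first name back again.
enum { MAX_ENTRIES = 4096 };

// Asks the driver for entry `pid` and leaves the reply in *out with the name
// forced to be NUL-terminated. Reports a ReadFile failure on stderr but
// still returns nonzero when the driver filled in a name -- the driver in
// this listing writes the name even when it completes the read with a
// failure status. Returns zero when no name came back.
static int ReadEntry(HANDLE hDevice, ULONG64 pid, CommPackage *out)
{
    DWORD got = 0;

    memset(out, 0, sizeof *out);
    out->id = _COMM_ID;
    out->pid = pid;

    BOOL ok = ReadFile(hDevice, out, sizeof *out, &got, NULL);
    out->name[sizeof out->name - 1] = '\0';   // never trust the terminator
    if (!ok) {
        fprintf(stderr, "ReadFile(pid=%llu) failed: %lu\n",
                (unsigned long long)pid, GetLastError());
    }
    return out->name[0] != '\0';
}

// Prints the image path of each entry the driver exposes, one per second,
// and stops when the walk comes back to the first name, when the driver
// stops answering, or after MAX_ENTRIES entries. Returns 1 if the device
// could not be opened, 0 otherwise.
int main(void)
{
    HANDLE hDevice = CreateFileA(SYM_NAME, GENERIC_READ | GENERIC_WRITE,
                                 FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                                 OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hDevice == NULL || hDevice == INVALID_HANDLE_VALUE) {
        // The old code printed the HANDLE with %d; the error code is what
        // tells you why the open failed.
        printf("CreateFile failed: %lu\r\n", GetLastError());
        system("pause");
        return 1;
    }

    CommPackage packag;
    char First[64] = {0};

    if (ReadEntry(hDevice, 1, &packag)) {
        strcpy_s(First, sizeof First, packag.name);
        printf("%s\r\n", packag.name);

        for (ULONG64 pid = 2; pid <= MAX_ENTRIES; pid++) {
            if (!ReadEntry(hDevice, pid, &packag)) {
                break;
            }
            // Back at the first entry: the list has wrapped around.
            if (strcmp(First, packag.name) == 0) {
                break;
            }
            printf("%s\r\n", packag.name);
            Sleep(1000);
        }
    }

    CloseHandle(hDevice);
    system("pause");
    return 0;
}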