#include <ntddk.h>
#define DEVICE_NAME L"\\device\\NTModelDrv"
#define LINK_NAME L"\\dosDevices\\NTModelDrv"
#define IOCTL_BASE 0x8000
#define MY_CTL_CODE(i) \
CTL_CODE(FILE_DEVICE_UNKNOWN, IOCTL_BASE+i, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_HELLO MY_CTL_CODE(0)
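/*
 * DriverUnload - unload callback.
 *
 * Currently dead code: DriverEntry never stores this routine in
 * pDriverObject->DriverUnload, so the driver cannot be unloaded and this
 * body never runs.
 *
 * NOTE(review): do not register it as-is. WorkThread loops forever and
 * nothing in this file can ask it to stop; unloading while that thread is
 * still executing inside this image would fault once the image is unmapped.
 * Registering an unload routine requires a stop signal that this routine
 * sets and then waits on before returning.
 */
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
    UNREFERENCED_PARAMETER(pDriverObject);
    DbgPrint("DriverUnload: DriverUnload is Run!\n");
}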
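/*
 * LM87RequestComplete - IoCompletion routine for the IRP WorkThread builds.
 *
 * Context is the KEVENT the sender is waiting on (WorkThread passes
 * &SyncEvent via IoSetCompletionRoutine). Signalling it wakes the sender.
 *
 * Returns STATUS_MORE_PROCESSING_REQUIRED so the I/O manager stops processing
 * the IRP here: the IRP was obtained with IoAllocateIrp and is released by the
 * sender with IoFreeIrp, so it must never flow back into the I/O manager's
 * completion path (which expects a thread-owned IRP with UserIosb/UserEvent).
 *
 * Irp->IoStatus is not propagated to the sender; the caller only learns that
 * the request finished, not whether it succeeded.
 *
 * The unconditional `__asm int 3` that used to sit here was removed: an
 * unhandled breakpoint exception in kernel mode bug-checks any machine
 * without a kernel debugger attached, and MSVC inline assembly does not
 * build for x64. Set a breakpoint on this symbol from the debugger instead.
 */
NTSTATUS
LM87RequestComplete (
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp,
    IN PVOID Context
    )
{
    PKEVENT Event = (PKEVENT) Context;

    UNREFERENCED_PARAMETER(DeviceObject);
    UNREFERENCED_PARAMETER(Irp);

    ASSERT(Event != NULL);
    KeSetEvent(Event, IO_NO_INCREMENT, FALSE);
    return STATUS_MORE_PROCESSING_REQUIRED;
}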
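/*
 * WorkThread - body of the system thread started by DriverEntry.
 *
 * Every ~3 seconds: look up the device named DEVICE_NAME, build an
 * IRP_MJ_DEVICE_CONTROL IRP carrying IOCTL_HELLO with no input or output
 * buffer, send it with IoCallDriver, wait until LM87RequestComplete signals
 * SyncEvent, then free the IRP and drop the device reference.
 *
 * pContext is unused (DriverEntry passes NULL).
 *
 * Fixes relative to the previous revision:
 *  - usDeviceToFilter was never given a name, so IoGetDeviceObjectPointer
 *    failed every time and the `continue` spun this thread without a delay.
 *  - SyncEvent was a NotificationEvent that was never reset: from the second
 *    iteration on, the wait returned immediately while the IRP could still be
 *    in flight, and IoFreeIrp then freed an IRP the target still owned.
 *  - The FileObject reference returned by IoGetDeviceObjectPointer was never
 *    released (one leaked reference per iteration, also on the IRP allocation
 *    failure path).
 *  - The hard `__asm int 3` is gone; it bug-checks a machine with no kernel
 *    debugger attached and does not build for x64.
 *
 * NOTE(review): the loop has no exit condition and nothing in this file can
 * request one, so the thread lives until shutdown. The driver must not be
 * made unloadable until a stop signal exists.
 */
VOID WorkThread(PVOID pContext)
{
    NTSTATUS ntStatus;
    PIRP SMBIrp;
    PIO_STACK_LOCATION irpStack;
    UNICODE_STRING usDeviceToFilter;
    KEVENT SyncEvent;
    PFILE_OBJECT FileObject;
    PDEVICE_OBJECT DeviceObject;
    ULONG i = 0;
    LARGE_INTEGER waitTime;

    UNREFERENCED_PARAMETER(pContext);

    /* Relative timeout (negative), 100 ns units: 3 seconds. */
    waitTime.QuadPart = -3 * 10000000i64;

    DbgPrint("In WorkThread!\n");

    /* IoGetDeviceObjectPointer takes the device object name, not the
     * \DosDevices symbolic link. */
    RtlInitUnicodeString(&usDeviceToFilter, DEVICE_NAME);

    /* SynchronizationEvent auto-resets when a wait is satisfied, so each
     * iteration waits for its own IRP's completion instead of seeing the
     * event still signalled from the previous round. */
    KeInitializeEvent(&SyncEvent, SynchronizationEvent, FALSE);

    while (1)
    {
        DbgPrint("WorkThread: %x\n", i);

        FileObject = NULL;
        DeviceObject = NULL;

        /* On success this takes a reference on FileObject that we must drop
         * with ObDereferenceObject; DeviceObject is kept alive by that
         * reference and must not be dereferenced separately.
         * NOTE(review): GENERIC_ALL is more access than IOCTL_HELLO
         * (FILE_ANY_ACCESS) needs; a narrower right would follow least
         * privilege. Left unchanged here. */
        ntStatus = IoGetDeviceObjectPointer(&usDeviceToFilter,
                                            GENERIC_ALL,
                                            &FileObject,
                                            &DeviceObject);
        if (!NT_SUCCESS(ntStatus))
        {
            DbgPrint("IoGetDeviceObjectPointer is Failed!\n");
            /* Back off before retrying; a missing target must not turn this
             * thread into a busy loop. */
            KeDelayExecutionThread(KernelMode, FALSE, &waitTime);
            continue;
        }

        /* One stack location per driver in the target's stack. */
        SMBIrp = IoAllocateIrp(DeviceObject->StackSize, FALSE);
        if (SMBIrp == NULL)
        {
            KdPrint(("IoAllocateIrp: Allocate irp failed!\n "));
            ObDereferenceObject(FileObject);
            KeDelayExecutionThread(KernelMode, FALSE, &waitTime);
            continue;
        }

        /* Fill in the stack location the target driver will see. No buffer
         * is attached: AssociatedIrp.SystemBuffer stays NULL and both lengths
         * are zero, so the target must accept an empty IOCTL_HELLO. */
        irpStack = IoGetNextIrpStackLocation(SMBIrp);
        irpStack->MajorFunction = IRP_MJ_DEVICE_CONTROL;
        irpStack->Parameters.DeviceIoControl.IoControlCode = IOCTL_HELLO;
        irpStack->Parameters.DeviceIoControl.InputBufferLength = 0;
        irpStack->Parameters.DeviceIoControl.OutputBufferLength = 0;
        /* Many device-control dispatch routines dereference the file object;
         * hand them the one IoGetDeviceObjectPointer opened for us. */
        irpStack->FileObject = FileObject;
        /* Identify the issuing thread for targets that look at it
         * (e.g. via IoGetRequestorProcess). */
        SMBIrp->Tail.Overlay.Thread = PsGetCurrentThread();

        /* Do not set SMBIrp->UserEvent: completion is signalled exclusively
         * from LM87RequestComplete, which runs on success, error and cancel
         * and returns STATUS_MORE_PROCESSING_REQUIRED so the IRP stays ours
         * to free (the I/O manager never reaches UserEvent in that case). */
        IoSetCompletionRoutine(SMBIrp, LM87RequestComplete, &SyncEvent,
                               TRUE, TRUE, TRUE);

        /* The return code is irrelevant for ownership: whether the target
         * completed synchronously or returned STATUS_PENDING, the completion
         * routine fires, and the IRP must not be touched before it has. */
        (VOID) IoCallDriver(DeviceObject, SMBIrp);
        KeWaitForSingleObject(&SyncEvent, Executive, KernelMode, FALSE, NULL);

        IoFreeIrp(SMBIrp);
        ObDereferenceObject(FileObject);

        i++;
        KeDelayExecutionThread(KernelMode, FALSE, &waitTime);
    }
}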
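/*
 * DriverEntry - driver initialization.
 *
 * Starts WorkThread as a system thread (ProcessHandle NULL places it in the
 * System process) and closes our handle to it; the thread keeps running on
 * its own.
 *
 * Returns STATUS_SUCCESS once the thread has been created, otherwise the
 * failure status from PsCreateSystemThread so the driver is not left loaded
 * with nothing running. The previous revision reported success regardless
 * and called ZwClose on a handle that was never written on the failure path.
 *
 * NOTE(review): pDriverObject->DriverUnload is intentionally left unset.
 * WorkThread never exits, so making the driver unloadable would allow the
 * image to be unmapped underneath a running thread. Wire DriverUnload up
 * only together with a stop signal that it sets and waits on.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
    NTSTATUS ntStatus;
    HANDLE hThread = NULL;

    UNREFERENCED_PARAMETER(pDriverObject);
    UNREFERENCED_PARAMETER(pRegPath);

    ntStatus = PsCreateSystemThread(&hThread,
                                    0,          /* DesiredAccess */
                                    NULL,       /* ObjectAttributes */
                                    NULL,       /* ProcessHandle: System process */
                                    NULL,       /* ClientId */
                                    WorkThread,
                                    NULL);      /* StartContext */
    if (!NT_SUCCESS(ntStatus))
    {
        /* hThread holds no valid handle here; nothing to close. */
        DbgPrint("PsCreateSystemThread is Failed!\n");
        return ntStatus;
    }

    /* The handle is not needed after this point; the thread object outlives
     * it until WorkThread returns. */
    ZwClose(hThread);
    return STATUS_SUCCESS;
}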
#define DEVICE_NAME L"\\device\\NTModelDrv"
#define LINK_NAME L"\\dosDevices\\NTModelDrv"
#define IOCTL_BASE 0x8000
#define MY_CTL_CODE(i) \
CTL_CODE(FILE_DEVICE_UNKNOWN, IOCTL_BASE+i, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_HELLO MY_CTL_CODE(0)
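/*
 * DriverUnload - unload callback.
 *
 * Currently dead code: DriverEntry never stores this routine in
 * pDriverObject->DriverUnload, so the driver cannot be unloaded and this
 * body never runs.
 *
 * NOTE(review): do not register it as-is. WorkThread loops forever and
 * nothing in this file can ask it to stop; unloading while that thread is
 * still executing inside this image would fault once the image is unmapped.
 * Registering an unload routine requires a stop signal that this routine
 * sets and then waits on before returning.
 */
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
    UNREFERENCED_PARAMETER(pDriverObject);
    DbgPrint("DriverUnload: DriverUnload is Run!\n");
}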
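/*
 * LM87RequestComplete - IoCompletion routine for the IRP WorkThread builds.
 *
 * Context is the KEVENT the sender is waiting on (WorkThread passes
 * &SyncEvent via IoSetCompletionRoutine). Signalling it wakes the sender.
 *
 * Returns STATUS_MORE_PROCESSING_REQUIRED so the I/O manager stops processing
 * the IRP here: the IRP was obtained with IoAllocateIrp and is released by the
 * sender with IoFreeIrp, so it must never flow back into the I/O manager's
 * completion path (which expects a thread-owned IRP with UserIosb/UserEvent).
 *
 * Irp->IoStatus is not propagated to the sender; the caller only learns that
 * the request finished, not whether it succeeded.
 *
 * The unconditional `__asm int 3` that used to sit here was removed: an
 * unhandled breakpoint exception in kernel mode bug-checks any machine
 * without a kernel debugger attached, and MSVC inline assembly does not
 * build for x64. Set a breakpoint on this symbol from the debugger instead.
 */
NTSTATUS
LM87RequestComplete (
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp,
    IN PVOID Context
    )
{
    PKEVENT Event = (PKEVENT) Context;

    UNREFERENCED_PARAMETER(DeviceObject);
    UNREFERENCED_PARAMETER(Irp);

    ASSERT(Event != NULL);
    KeSetEvent(Event, IO_NO_INCREMENT, FALSE);
    return STATUS_MORE_PROCESSING_REQUIRED;
}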
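/*
 * WorkThread - body of the system thread started by DriverEntry.
 *
 * Every ~3 seconds: look up the device named DEVICE_NAME, build an
 * IRP_MJ_DEVICE_CONTROL IRP carrying IOCTL_HELLO with no input or output
 * buffer, send it with IoCallDriver, wait until LM87RequestComplete signals
 * SyncEvent, then free the IRP and drop the device reference.
 *
 * pContext is unused (DriverEntry passes NULL).
 *
 * Fixes relative to the previous revision:
 *  - SyncEvent was a NotificationEvent that was never reset: from the second
 *    iteration on, the wait returned immediately while the IRP could still be
 *    in flight, and IoFreeIrp then freed an IRP the target still owned.
 *  - The FileObject reference returned by IoGetDeviceObjectPointer was never
 *    released (one leaked reference per iteration, also on the IRP allocation
 *    failure path).
 *  - Both `continue` paths retried without a delay, spinning this thread
 *    whenever the target device was absent or the IRP allocation failed.
 *  - The hard `__asm int 3` is gone; it bug-checks a machine with no kernel
 *    debugger attached and does not build for x64.
 *
 * NOTE(review): the loop has no exit condition and nothing in this file can
 * request one, so the thread lives until shutdown. The driver must not be
 * made unloadable until a stop signal exists.
 */
VOID WorkThread(PVOID pContext)
{
    NTSTATUS ntStatus;
    PIRP SMBIrp;
    PIO_STACK_LOCATION irpStack;
    UNICODE_STRING usDeviceToFilter;
    KEVENT SyncEvent;
    PFILE_OBJECT FileObject;
    PDEVICE_OBJECT DeviceObject;
    ULONG i = 0;
    LARGE_INTEGER waitTime;

    UNREFERENCED_PARAMETER(pContext);

    /* Relative timeout (negative), 100 ns units: 3 seconds. */
    waitTime.QuadPart = -3 * 10000000i64;

    DbgPrint("In WorkThread!\n");

    /* IoGetDeviceObjectPointer takes the device object name, not the
     * \DosDevices symbolic link. */
    RtlInitUnicodeString(&usDeviceToFilter, DEVICE_NAME);

    /* SynchronizationEvent auto-resets when a wait is satisfied, so each
     * iteration waits for its own IRP's completion instead of seeing the
     * event still signalled from the previous round. */
    KeInitializeEvent(&SyncEvent, SynchronizationEvent, FALSE);

    while (1)
    {
        DbgPrint("WorkThread: %x\n", i);

        FileObject = NULL;
        DeviceObject = NULL;

        /* On success this takes a reference on FileObject that we must drop
         * with ObDereferenceObject; DeviceObject is kept alive by that
         * reference and must not be dereferenced separately.
         * NOTE(review): GENERIC_ALL is more access than IOCTL_HELLO
         * (FILE_ANY_ACCESS) needs; a narrower right would follow least
         * privilege. Left unchanged here. */
        ntStatus = IoGetDeviceObjectPointer(&usDeviceToFilter,
                                            GENERIC_ALL,
                                            &FileObject,
                                            &DeviceObject);
        if (!NT_SUCCESS(ntStatus))
        {
            DbgPrint("IoGetDeviceObjectPointer is Failed!\n");
            /* Back off before retrying; a missing target must not turn this
             * thread into a busy loop. */
            KeDelayExecutionThread(KernelMode, FALSE, &waitTime);
            continue;
        }

        /* One stack location per driver in the target's stack. */
        SMBIrp = IoAllocateIrp(DeviceObject->StackSize, FALSE);
        if (SMBIrp == NULL)
        {
            KdPrint(("IoAllocateIrp: Allocate irp failed!\n "));
            ObDereferenceObject(FileObject);
            KeDelayExecutionThread(KernelMode, FALSE, &waitTime);
            continue;
        }

        /* Fill in the stack location the target driver will see. No buffer
         * is attached: AssociatedIrp.SystemBuffer stays NULL and both lengths
         * are zero, so the target must accept an empty IOCTL_HELLO. */
        irpStack = IoGetNextIrpStackLocation(SMBIrp);
        irpStack->MajorFunction = IRP_MJ_DEVICE_CONTROL;
        irpStack->Parameters.DeviceIoControl.IoControlCode = IOCTL_HELLO;
        irpStack->Parameters.DeviceIoControl.InputBufferLength = 0;
        irpStack->Parameters.DeviceIoControl.OutputBufferLength = 0;
        /* Many device-control dispatch routines dereference the file object;
         * hand them the one IoGetDeviceObjectPointer opened for us. */
        irpStack->FileObject = FileObject;
        /* Identify the issuing thread for targets that look at it
         * (e.g. via IoGetRequestorProcess). */
        SMBIrp->Tail.Overlay.Thread = PsGetCurrentThread();

        /* Do not set SMBIrp->UserEvent: completion is signalled exclusively
         * from LM87RequestComplete, which runs on success, error and cancel
         * and returns STATUS_MORE_PROCESSING_REQUIRED so the IRP stays ours
         * to free (the I/O manager never reaches UserEvent in that case). */
        IoSetCompletionRoutine(SMBIrp, LM87RequestComplete, &SyncEvent,
                               TRUE, TRUE, TRUE);

        /* The return code is irrelevant for ownership: whether the target
         * completed synchronously or returned STATUS_PENDING, the completion
         * routine fires, and the IRP must not be touched before it has. */
        (VOID) IoCallDriver(DeviceObject, SMBIrp);
        KeWaitForSingleObject(&SyncEvent, Executive, KernelMode, FALSE, NULL);

        IoFreeIrp(SMBIrp);
        ObDereferenceObject(FileObject);

        i++;
        KeDelayExecutionThread(KernelMode, FALSE, &waitTime);
    }
}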
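/*
 * DriverEntry - driver initialization.
 *
 * Starts WorkThread as a system thread (ProcessHandle NULL places it in the
 * System process) and closes our handle to it; the thread keeps running on
 * its own.
 *
 * Returns STATUS_SUCCESS once the thread has been created, otherwise the
 * failure status from PsCreateSystemThread so the driver is not left loaded
 * with nothing running. The previous revision reported success regardless
 * and called ZwClose on a handle that was never written on the failure path.
 *
 * NOTE(review): pDriverObject->DriverUnload is intentionally left unset.
 * WorkThread never exits, so making the driver unloadable would allow the
 * image to be unmapped underneath a running thread. Wire DriverUnload up
 * only together with a stop signal that it sets and waits on.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
    NTSTATUS ntStatus;
    HANDLE hThread = NULL;

    UNREFERENCED_PARAMETER(pDriverObject);
    UNREFERENCED_PARAMETER(pRegPath);

    ntStatus = PsCreateSystemThread(&hThread,
                                    0,          /* DesiredAccess */
                                    NULL,       /* ObjectAttributes */
                                    NULL,       /* ProcessHandle: System process */
                                    NULL,       /* ClientId */
                                    WorkThread,
                                    NULL);      /* StartContext */
    if (!NT_SUCCESS(ntStatus))
    {
        /* hThread holds no valid handle here; nothing to close. */
        DbgPrint("PsCreateSystemThread is Failed!\n");
        return ntStatus;
    }

    /* The handle is not needed after this point; the thread object outlives
     * it until WorkThread returns. */
    ZwClose(hThread);
    return STATUS_SUCCESS;
}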