前面通过读写驱动程序来实现ring3与ring0的交互,即通过发送IRP_MJ_READ或者IRP_MJ_WRITE来实现。
接下来是通过Control_CODE实现ring3与ring0的通信,ring3通过API DeviceIoControl发送Control_CODE,并由相应的IRP处理例程处理这些Control_CODE。
ring0层几个主要处理代码如下:
#include "stdafx.h"
/* Forward declarations of the driver's dispatch routines; their bodies are not
 * part of this excerpt. Each takes the device object and the IRP being
 * dispatched and returns an NTSTATUS, per the standard dispatch signature. */
void DriverCtrUnload(IN PDRIVER_OBJECT DriverObject);
NTSTATUS DriverCtrCreateClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
NTSTATUS DriverCtrDefaultHandler(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);
#ifdef __cplusplus
/* When the file is compiled as C++, DriverEntry is given C linkage so its name
 * is not mangled and the loader can resolve the expected entry point. */
extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);
#endif
//定义IO_CONTROL_CODE
/* CTL_CODE(DeviceType, Function, Method, Access). All three codes use
 * FILE_DEVICE_UNKNOWN and function numbers in the 0x800+ range reserved for
 * non-Microsoft drivers. FILE_ANY_ACCESS means no particular access right is
 * required on the handle: any caller that can open the device object may send
 * these codes, so the device object's ACL is the only access control. */

/* METHOD_BUFFERED: the I/O manager copies the input into a system buffer and
 * copies the output back; the handler only touches Irp->AssociatedIrp.SystemBuffer. */
#define IOCTL_BUFFERED_IO\
CTL_CODE(FILE_DEVICE_UNKNOWN,0x890,METHOD_BUFFERED,FILE_ANY_ACCESS)
/* METHOD_IN_DIRECT: input still arrives in SystemBuffer; the caller's output
 * buffer is described by an MDL (Irp->MdlAddress) that the handler must map. */
#define IOCTL_INDIRECT_IO\
CTL_CODE(FILE_DEVICE_UNKNOWN,0x891,METHOD_IN_DIRECT,FILE_ANY_ACCESS)
/* METHOD_NEITHER: the I/O manager does no buffering or probing. The handler
 * receives raw user-mode addresses (Parameters.DeviceIoControl.Type3InputBuffer,
 * Irp->UserBuffer) and must validate them itself (ProbeForRead/ProbeForWrite
 * inside __try/__except) before reading or writing through them. */
#define IOCTL_NEITHER_IO\
CTL_CODE(FILE_DEVICE_UNKNOWN,0x892,METHOD_NEITHER,FILE_ANY_ACCESS)
//处理Control_CODE的函数
NTSTATUS DriverCtr(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp)
{
NTSTATUS status=STATUS_SUCCESS;
PIO_STACK_LOCATION pSP=IoGetCurrentIrpStackLocation(Irp);
ULONG uControlCode=pSP->Parameters.DeviceIoControl.IoControlCode;
PVOID pInBuf=NULL;
PVOID pOutBuf=NULL;
ULONG uInLen=0,uOutLen=0;
KdPrint(("In DriverCtr"));
uInLen=pSP->Parameters.DeviceIoControl.InputBufferLength;
uInLen=uInLen>10?10:uInLen;
uOutLen=pSP->Parameters.DeviceIoControl.OutputBufferLength;
uOutLen=uOutLen>10?10:uOutLen;
KdPrint(("uInLen: %d uOutLen: %d \n",uInLen,uOutLen));
switch(uControlCode)
{
case IOCTL_BUFFERED_IO:
pInBuf=pOutBuf=Irp->AssociatedIrp.SystemBuffer;
if(uInLen)
{
RtlCopyMemory(DeviceObject->DeviceExtension,pInBuf,uInLen);
}
if(uOutLen)
{
RtlCopyMemory(pOutBuf,DeviceObject->DeviceExtension,uOutLen);
}
break;
c