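#include <ntddk.h>

/*
 * Minimal kernel driver that creates (or opens) a named executive callback
 * object and registers a notification routine on it.
 *
 * Lifetime rule that matters for system stability: the routine registered
 * with ExRegisterCallback lives in this driver's image, so the registration
 * MUST be removed before the image is unloaded. Otherwise the callback
 * object keeps a pointer into freed driver memory.
 */

/* Name of the callback object whose notifications this driver receives.
 * NT object paths are backslash-separated and rooted at "\". */
#define CONST_CALLBACK_NAME L"\\Callback\\TcpConnectionCallBack"

/* Handle returned by a successful ExRegisterCallback; needed at unload. */
PVOID CallbackRegisterationHandle = NULL;

/* Driver entry routine. */
NTSTATUS
DriverEntry(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    );

/* Driver unload routine. */
VOID
DriverUnload(
    IN PDRIVER_OBJECT DriverObject
    );

/* Creates/opens the callback object and registers CallbackFunc on it. */
NTSTATUS
RegisterCallbackNotify(
    IN PUNICODE_STRING CallbackName
    );

/* Removes the registration made by RegisterCallbackNotify. */
VOID
UnRegisterCallbackNotify(
    VOID
    );

/* Notification routine invoked through the callback object. */
VOID
CallbackFunc(
    IN PVOID CallbackContext,
    IN PVOID Argument1,
    IN PVOID Argument2
    );

/* The guard was misspelled (ALLOC_PARGMA), which silently disabled every
 * alloc_text directive below. CallbackFunc is deliberately not placed in a
 * pageable section. */
#ifdef ALLOC_PRAGMA
#pragma alloc_text(INIT, DriverEntry)
#pragma alloc_text(PAGE, DriverUnload)
#pragma alloc_text(PAGE, RegisterCallbackNotify)
#pragma alloc_text(PAGE, UnRegisterCallbackNotify)
#endif // ALLOC_PRAGMA

/*
 * Driver entry routine.
 *
 * Installs the unload handler and attempts to register the callback.
 * A registration failure is only logged; the driver still reports
 * STATUS_SUCCESS and loads without a callback (behaviour kept as-is).
 */
NTSTATUS
DriverEntry(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    )
{
    NTSTATUS status = STATUS_SUCCESS;
    UNICODE_STRING callbackName;

    UNREFERENCED_PARAMETER(RegistryPath);

    /* Name of the callback object to register on. */
    RtlInitUnicodeString(&callbackName, CONST_CALLBACK_NAME);

    KdPrint(("DriverEntry invoke."));

    /* Allow the driver to be unloaded dynamically. */
    DriverObject->DriverUnload = DriverUnload;

    if (!NT_SUCCESS(RegisterCallbackNotify(&callbackName))) {
        /* Registration failed. */
        KdPrint(("RegisterCallbackNotify failed. CallbackName=%wZ\n", &callbackName));
    } else {
        /* Registration succeeded. */
        KdPrint(("RegisterCallbackNotify ok. CallbackName=%wZ\n", &callbackName));
    }

    return status;
}

/*
 * Driver unload routine: removes the callback registration so nothing
 * can call into this image after it is gone.
 */
VOID
DriverUnload(
    IN PDRIVER_OBJECT DriverObject
    )
{
    UNREFERENCED_PARAMETER(DriverObject);

    PAGED_CODE();

    KdPrint(("DriverUnload invoke.\n"));
    UnRegisterCallbackNotify();
}

/*
 * Creates (or opens, if it already exists) the named callback object and
 * registers CallbackFunc on it.
 *
 * Returns the ExCreateCallback failure status, STATUS_UNSUCCESSFUL when
 * ExRegisterCallback returns NULL, or STATUS_SUCCESS. On success the
 * registration handle is stored in CallbackRegisterationHandle.
 */
NTSTATUS
RegisterCallbackNotify(
    IN PUNICODE_STRING CallbackName
    )
{
    PCALLBACK_OBJECT callbackObject;
    OBJECT_ATTRIBUTES objectAttributes;
    NTSTATUS status;

    PAGED_CODE();

    KdPrint(("RegisterCallbackNotify invoke.\n"));

    /*
     * Initialise the object attributes.
     * NOTE(review): OBJ_PERMANENT keeps the named object in the namespace
     * after this driver drops its reference, and the NULL security
     * descriptor means default security is applied - confirm both are
     * intended for this object.
     */
    InitializeObjectAttributes(
        &objectAttributes,
        CallbackName,
        OBJ_CASE_INSENSITIVE | OBJ_PERMANENT,
        NULL,
        NULL
        );

    /* Create = TRUE: create the object, or open it if it already exists.
     * AllowMultipleCallbacks = TRUE: other registrants may coexist. */
    status = ExCreateCallback(
        &callbackObject,
        &objectAttributes,
        TRUE,
        TRUE
        );
    if (!NT_SUCCESS(status)) {
        KdPrint(("ExCreateCallback failed.\n"));
        return status;
    }

    /* Attach our notification routine to the callback object. */
    CallbackRegisterationHandle = ExRegisterCallback(
        callbackObject,
        CallbackFunc,
        (PVOID)NULL
        );

    /*
     * Drop the reference obtained from ExCreateCallback on BOTH paths.
     * Previously it was released only on success, leaking an object
     * reference whenever ExRegisterCallback failed. Only the registration
     * handle is needed from here on.
     */
    ObDereferenceObject(callbackObject);

    if (!CallbackRegisterationHandle) {
        return STATUS_UNSUCCESSFUL;
    }

    return STATUS_SUCCESS;
}

/*
 * Removes the callback registration, if one exists.
 *
 * The original test was inverted (`!CallbackRegisterationHandle`): a live
 * registration was never removed at unload, and ExUnregisterCallback was
 * only ever reached with a NULL handle. Leaving the registration in place
 * lets a later notification jump into the unloaded image.
 */
VOID
UnRegisterCallbackNotify(
    VOID
    )
{
    PAGED_CODE();

    KdPrint(("UnRegisterCallbackNotify invoke.\n"));

    if (CallbackRegisterationHandle) {
        KdPrint(("ExUnregisterCallback invoke.CallbackRegisterationHandle != NULL\n"));
        ExUnregisterCallback(CallbackRegisterationHandle);
        /* Clear the stale handle so a second call cannot unregister twice. */
        CallbackRegisterationHandle = NULL;
    }
}

/*
 * Notification routine: logs the id of the process in whose context the
 * notification arrived.
 *
 * CallbackContext, Argument1 and Argument2 are supplied by whoever
 * notifies the callback object; they are intentionally not dereferenced
 * here. Any future use should validate them first.
 */
VOID
CallbackFunc(
    IN PVOID CallbackContext,
    IN PVOID Argument1,
    IN PVOID Argument2
    )
{
    UNREFERENCED_PARAMETER(CallbackContext);
    UNREFERENCED_PARAMETER(Argument1);
    UNREFERENCED_PARAMETER(Argument2);

    KdPrint(("CallbackFunc invoke.\n"));

    /* PsGetProcessId returns a HANDLE; narrow it explicitly so the
     * argument width matches the %ld conversion on 64-bit builds. */
    KdPrint(("ProcessId=%ld.\n",
             (LONG)(LONG_PTR)PsGetProcessId(PsGetCurrentProcess())));
}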