驅動 IRP Hook 程式碼（掛鉤 \Driver\Xuetr 驅動物件的 IRP_MJ_DEVICE_CONTROL 分派函數）
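#include <ntddk.h>

#ifdef __cplusplus
extern "C" {
#endif

/*
 * IRP dispatch-table hook.
 *
 * Looks up the driver object "\Driver\Xuetr", swaps its
 * MajorFunction[IRP_MJ_DEVICE_CONTROL] entry for irpHookProc, and forwards
 * every IOCTL it intercepts to the saved original routine. DriverUnload
 * restores the entry.
 *
 * Security note: after the swap the target's dispatch entry points into this
 * driver's image instead of the target's own, which is what dispatch-table
 * integrity scans typically look for (the hooked driver is an anti-rootkit
 * tool that performs such scans). Loading this requires a signed driver or a
 * test-signing machine; use only on systems you are authorised to modify.
 */

/*
 * ObReferenceObjectByName is exported by the kernel but not declared in
 * every WDK header set, hence the local prototype.
 */
NTKERNELAPI NTSTATUS ObReferenceObjectByName(
    PUNICODE_STRING ObjectName,
    ULONG Attributes,
    PACCESS_STATE AccessState,
    ACCESS_MASK DesiredAccess,
    POBJECT_TYPE ObjectType,
    KPROCESSOR_MODE AccessMode,
    PVOID ParseContext,
    PVOID *Object);

/*
 * Kernel-exported object type for driver objects. This must be 'extern':
 * the original listing *defined* a variable of this name, which either fails
 * to build against a WDK that already declares it or, if it links, yields a
 * zero-initialised local so '*IoDriverObjectType' dereferences NULL.
 */
extern POBJECT_TYPE *IoDriverObjectType;

/* Target driver object. The reference is held from hook until unhook. */
static PDRIVER_OBJECT pHookDriver = NULL;

/* Original IRP_MJ_DEVICE_CONTROL dispatch of the target; NULL while unhooked. */
static PDRIVER_DISPATCH g_pfOldIrpFun = NULL;

/* Threads currently executing inside irpHookProc; see DriverUnload. */
static volatile LONG g_InFlight = 0;

/*
 * Replacement dispatch routine for IRP_MJ_DEVICE_CONTROL on the target.
 *
 * Logs and forwards the IRP unchanged to the saved original. The IRP must
 * not be touched after the forward call: the original routine may complete
 * it. The in-flight counter lets DriverUnload wait for callers to leave this
 * image before it is unmapped.
 */
static NTSTATUS irpHookProc(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
    NTSTATUS status;

    InterlockedIncrement(&g_InFlight);
    KdPrint(("ssssss"));
    status = g_pfOldIrpFun(pDeviceObject, pIrp);
    InterlockedDecrement(&g_InFlight);
    return status;
}

/*
 * Unhook and drop the reference on the target driver object.
 *
 * The NULL checks replace the original MmIsAddressValid() test, which only
 * reports whether a page is resident and says nothing about whether the hook
 * was installed.
 *
 * Unload race: a thread that read the dispatch entry just before it is
 * restored still runs in this image. We wait for the in-flight counter to
 * drain and then pause briefly; this narrows the window (a thread between
 * reading the entry and incrementing the counter is not covered) but does
 * not close it, which is an inherent limitation of this hook style.
 */
static void DriverUnload(PDRIVER_OBJECT pDriver)
{
    LARGE_INTEGER interval;

    UNREFERENCED_PARAMETER(pDriver);

    if (pHookDriver != NULL && g_pfOldIrpFun != NULL) {
        InterlockedExchangePointer(
            (PVOID volatile *)&pHookDriver->MajorFunction[IRP_MJ_DEVICE_CONTROL],
            (PVOID)g_pfOldIrpFun);

        /* DriverUnload runs at PASSIVE_LEVEL, so a wait is permitted here. */
        interval.QuadPart = -1000000LL;   /* 100 ms, relative, 100 ns units */
        while (InterlockedCompareExchange(&g_InFlight, 0, 0) != 0) {
            KeDelayExecutionThread(KernelMode, FALSE, &interval);
        }
        KeDelayExecutionThread(KernelMode, FALSE, &interval);

        /* Cleared only after the drain so a late caller still has a target. */
        g_pfOldIrpFun = NULL;
    }

    if (pHookDriver != NULL) {
        ObDereferenceObject(pHookDriver);
        pHookDriver = NULL;
    }

    KdPrint(("UnLoad..."));
}

/*
 * Locate "\Driver\Xuetr" and install the hook.
 *
 * Returns the ObReferenceObjectByName status on lookup failure (no hook
 * installed, pHookDriver left NULL), otherwise STATUS_SUCCESS with
 * g_pfOldIrpFun holding the displaced dispatch routine.
 *
 * The reference obtained here is deliberately kept until DriverUnload. The
 * original dropped it immediately and later wrote through the raw pointer
 * from DriverUnload, a use-after-free if the target had gone away.
 */
static NTSTATUS FilterDriverQuery(void)
{
    NTSTATUS Status;
    UNICODE_STRING usObjectName;

    RtlInitUnicodeString(&usObjectName, L"\\Driver\\Xuetr");
    Status = ObReferenceObjectByName(&usObjectName,
                                     OBJ_CASE_INSENSITIVE,
                                     NULL,
                                     0,
                                     *IoDriverObjectType,
                                     KernelMode,
                                     NULL,
                                     (PVOID *)&pHookDriver);
    if (!NT_SUCCESS(Status)) {
        KdPrint(("failed!"));
        /* Do not rely on what the callee stores on failure. */
        pHookDriver = NULL;
        return Status;
    }

    /* %p rather than 0x%X: the latter truncates the pointer on x64. */
    KdPrint(("%p", pHookDriver));

    /*
     * Atomic swap returns the previous entry, so "save old" and "install
     * new" cannot be interleaved with another writer of the same slot.
     */
    g_pfOldIrpFun = (PDRIVER_DISPATCH)InterlockedExchangePointer(
        (PVOID volatile *)&pHookDriver->MajorFunction[IRP_MJ_DEVICE_CONTROL],
        (PVOID)irpHookProc);

    return STATUS_SUCCESS;
}

/*
 * Placeholder: creates no device object and always succeeds. Kept so the
 * DriverEntry flow matches the original listing.
 */
static NTSTATUS CreateDevice(PDRIVER_OBJECT pDriver)
{
    UNREFERENCED_PARAMETER(pDriver);
    KdPrint(("createDevice success"));
    return STATUS_SUCCESS;
}

/*
 * Driver entry point.
 *
 * Registers DriverUnload before installing the hook so that no successful
 * hook can be left without an unhook path. CreateDevice's result is now
 * checked; the original overwrote it unconditionally. If this routine
 * returns failure the I/O manager does not call DriverUnload, which is
 * fine because no hook has been installed on any failure path.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg)
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER(pReg);
    KdPrint(("load...."));

    pDriver->DriverUnload = DriverUnload;

    status = CreateDevice(pDriver);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    return FilterDriverQuery();
}

#ifdef __cplusplus
}
#endif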
本文連結地址：https://www.dbgpro.com/archives/4748.html