• [Windows 驱动开发] 获取驱动详细信息


    驱动对象

    在内核中，每一个驱动模块都对应一个驱动对象，由一个 DRIVER_OBJECT 结构体表示。
    驱动对象结构如下:

    // Kernel driver object as declared in ntddk.h: one instance represents one
    // loaded driver module. Layout must match the header exactly; only the
    // comments below are editorial.
    typedef struct _DRIVER_OBJECT {
        CSHORT Type;
        CSHORT Size;

        //
        // The following links all of the devices created by a single driver
        // together on a list, and the Flags word provides an extensible flag
        // location for driver objects.
        //

        PDEVICE_OBJECT DeviceObject;
        ULONG Flags;

        //
        // The following section describes where the driver is loaded.  The count
        // field is used to count the number of times the driver has had its
        // registered reinitialization routine invoked.
        //

        PVOID DriverStart;                                                        // Start address of the driver image
        ULONG DriverSize;                                                         // Size of the driver image in bytes
        PVOID DriverSection;                                                      // Loader data; the article describes it as an _LDR_DATA_TABLE_ENTRY whose list entry links to the next loaded driver (confirm against the target OS build)
        PDRIVER_EXTENSION DriverExtension;                                        // Driver extension; the article uses it to hold driver-private data

        //
        // The driver name field is used by the error log thread
        // determine the name of the driver that an I/O request is/was bound.
        //

        UNICODE_STRING DriverName;                                    // Name of the driver object (pass &DriverName to %wZ)

        //
        // The following section is for registry support.  This is a pointer
        // to the path to the hardware information in the registry
        //

        PUNICODE_STRING HardwareDatabase;

        //
        // The following section contains the optional pointer to an array of
        // alternate entry points to a driver for "fast I/O" support.  Fast I/O
        // is performed by invoking the driver routine directly with separate
        // parameters, rather than using the standard IRP call mechanism.  Note
        // that these functions may only be used for synchronous I/O, and when
        // the file is cached.
        //

        PFAST_IO_DISPATCH FastIoDispatch;


        PDRIVER_INITIALIZE DriverInit;
        PDRIVER_STARTIO DriverStartIo;
        PDRIVER_UNLOAD DriverUnload;                              // Unload routine; set by the driver in DriverEntry
        // Dispatch table indexed by IRP major function code. Note the array has
        // IRP_MJ_MAXIMUM_FUNCTION + 1 entries, so a full walk must use <=, not <.
        PDRIVER_DISPATCH MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];

    } DRIVER_OBJECT;
    typedef struct _DRIVER_OBJECT *PDRIVER_OBJECT;
    

    以下代码输出驱动对象的基本信息:

    #include <ntddk.h>
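    /*
     * Unload callback registered from DriverEntry; invoked when the driver is
     * being unloaded. It only logs a message and has no resources to release.
     */
    VOID MyDriverUnLoad(
    	_In_ struct _DRIVER_OBJECT* DriverObject
    )
    {
    	(void)DriverObject;  // not used here; keeps -W4 / /W4 builds free of unused-parameter warnings
    	DbgPrint("驱动卸载了\r\n");
    }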
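    /*
     * Driver entry point. Registers the unload routine and prints the
     * DRIVER_OBJECT fields discussed in the article (name, image range,
     * unload address, dispatch routine addresses) to the debugger output.
     *
     * Always returns STATUS_SUCCESS.
     */
    extern "C" NTSTATUS DriverEntry(
    	_In_ PDRIVER_OBJECT  DriverObject,
    	_In_ PUNICODE_STRING RegistryPath
    ){
    	(void)RegistryPath;  // not consulted; silences the unused-parameter warning

    	// End of the image = start + size. Computed up front instead of as a
    	// side-effecting assignment inside the DbgPrint argument list.
    	ULONG64 uImage = (ULONG64)DriverObject->DriverStart + DriverObject->DriverSize;

    	DriverObject->DriverUnload = MyDriverUnLoad;
    	DbgPrint("驱动加载了开始打印输出\r\n");
    	// %wZ expects a PUNICODE_STRING; passing the struct by value is a
    	// format/argument mismatch.
    	DbgPrint("驱动名字 = %wZ \r\n", &DriverObject->DriverName);
    	// %p for pointer-sized values: %x prints only the low 32 bits on x64,
    	// so start/end addresses would be truncated. DriverSize is a ULONG.
    	DbgPrint("驱动起始地址 %p 大小 %x  结束地址 %p\r\n",
    		DriverObject->DriverStart,
    		DriverObject->DriverSize,
    		(PVOID)uImage);
    	DbgPrint("驱动对象的卸载地址 = %p\r\n", DriverObject->DriverUnload);
    	// Print the commonly used dispatch entries individually.
    	DbgPrint("驱动对象的IoControl回调地址 = %p\r\n", DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL]);
    	DbgPrint("驱动对象的读回调地址 = %p\r\n",DriverObject->MajorFunction[IRP_MJ_READ]);
    	DbgPrint("驱动对象的写回调地址 = %p\r\n",DriverObject->MajorFunction[IRP_MJ_WRITE]);
    	DbgPrint("驱动对象的创建回调地址 = %p\r\n",DriverObject->MajorFunction[IRP_MJ_CREATE]);
    	DbgPrint("驱动对象的关闭回调地址 = %p\r\n",DriverObject->MajorFunction[IRP_MJ_CLOSE]);

    	DbgPrint("-------遍历回调输出------------\r\n");

    	// Walk the whole dispatch table. MajorFunction is declared with
    	// IRP_MJ_MAXIMUM_FUNCTION + 1 entries, so the last index is
    	// IRP_MJ_MAXIMUM_FUNCTION itself; a '<' bound would skip it.
    	// NOTE(review): entries this driver never set are expected to hold the
    	// I/O manager's default handler rather than NULL -- confirm on the target
    	// build. Comparing each entry against the owning image range is how ARK
    	// tools flag dispatch entries that have been redirected elsewhere.
    	for (int i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
    	{
    		DbgPrint("回调的IRP_MJ 调用号 = %d 回调函数地址 = %p \r\n", i, DriverObject->MajorFunction[i]);
    	}

    	DbgPrint("执行所有功能完毕");


    	return STATUS_SUCCESS;
    }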
    

    结果:
    利用驱动对象可以遍历驱动的信息，得出内核中的所有模块。
    代码在另一个帖子：
    https://www.cnblogs.com/iBinary/p/11693606.html
    可以集成到 Ark 工具中，如 Pchunter。

  • 原文地址:https://www.cnblogs.com/csnd/p/15613334.html