驱动IrpHook代码

#include <ntddk.h>
#ifdef __cplusplus  
extern "C"  
{  
#endif  

PDRIVER_OBJECT pHookDriver;

NTKERNELAPI NTSTATUS ObReferenceObjectByName(
    PUNICODE_STRING,
    ULONG,
    PACCESS_STATE,
    ACCESS_MASK,
    POBJECT_TYPE,
    KPROCESSOR_MODE,
    PVOID,
    PVOID*);
POBJECT_TYPE* IoDriverObjectType;
PDRIVER_DISPATCH g_pfOldIrpFun;
void DriverUnload(PDRIVER_OBJECT pDiriver)
{
    if (MmIsAddressValid(g_pfOldIrpFun))
    {
        pHookDriver->MajorFunction[IRP_MJ_DEVICE_CONTROL] = g_pfOldIrpFun;
    }
    KdPrint(("UnLoad..."));
}
NTSTATUS irpHookProc(PDEVICE_OBJECT pDriver,PIRP pIrp)
{
    KdPrint(("ssssss"));
    return g_pfOldIrpFun(pDriver,pIrp);
}

NTSTATUS FilterDriverQuery()
{
    NTSTATUS		Status;
    UNICODE_STRING	usObjectName;

    RtlInitUnicodeString(&usObjectName,L"\\Driver\\Xuetr");

    Status = ObReferenceObjectByName(
        &usObjectName,
        OBJ_CASE_INSENSITIVE,
        NULL,
        0,
        *IoDriverObjectType,
        KernelMode,
        NULL,
        (PVOID*)&pHookDriver
        );
    if (!NT_SUCCESS(Status))
    {
        KdPrint(("failed!"));
        return Status;
    }
    KdPrint(("0x%X",pHookDriver));


    g_pfOldIrpFun = pHookDriver->MajorFunction[IRP_MJ_DEVICE_CONTROL];
    pHookDriver->MajorFunction[IRP_MJ_DEVICE_CONTROL] = irpHookProc;

    ObDereferenceObject(pHookDriver);

    return STATUS_SUCCESS;
}

NTSTATUS CreateDevice(PDRIVER_OBJECT pDriver)
{
    NTSTATUS status = STATUS_SUCCESS;

    KdPrint(("createDevice success"));
    return status;
}



NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver,PUNICODE_STRING pReg)
{
    NTSTATUS staus = STATUS_SUCCESS;
    KdPrint(("load...."));
    staus = CreateDevice(pDriver);
    staus = FilterDriverQuery();
    pDriver->DriverUnload = DriverUnload;
    return staus;
}

#ifdef __cplusplus  
}  
#endif

本文链接地址: https://www.dbgpro.com/archives/4748.html

——版权声明——

猜你喜欢

夜影

Just for fun .

Author archive Author website

2018年11月30日

C++, 内核, 驱动

发表评论取消回复

© 2018 夜影工作室-专注二进制安全 — 朕就想用用 WordPress

朕的版权声明了解一下？ — Up ↑