
从C开始

 
 
 

日志

 
 

IRP HOOK  

2011-03-22 18:52:54|  分类: 驱动编程 |  标签: |举报 |字号 订阅

#include "ntddk.h"

/* Function-pointer type used for the saved IofCallDriver target:
 * FASTCALL, taking a device object and an IRP, returning NTSTATUS. */
typedef NTSTATUS (FASTCALL
 *pIofCallDriver)(
 IN PDEVICE_OBJECT DeviceObject,
 IN OUT PIRP Irp);
 
 /* Value read out of the patched pointer slot by HookpIofCallDriver; the
  * detour forwards to it and UnHookpIofCallDriver writes it back. */
 pIofCallDriver old_piofcalldriver;
 /* "\DosDevices\irphook" - initialised in DriverEntry, deleted in DriverUnload. */
 UNICODE_STRING SymbolicLinkName;
 /* Set to the driver object in DriverEntry; not read anywhere in this listing. */
 PDRIVER_OBJECT g_drvobj;
 /* "\Device\irphook" - initialised in DriverEntry. */
 UNICODE_STRING DeviceName;
/* Control device created in DriverEntry and deleted in DriverUnload. */
PDEVICE_OBJECT deviceObject;
/* Scratch copy of CR0 taken inside the hook/unhook routines and written back
 * unchanged afterwards. */
ULONG oData;

/* Control codes handled by DriverIoControl. Both are declared FILE_ANY_ACCESS,
 * so the I/O manager does not require read or write access on the handle
 * before delivering them; any access control has to come from the device
 * object's security or from the handler itself. */
#define IOCTL_DISABLE  CTL_CODE(FILE_DEVICE_UNKNOWN ,0x8101,METHOD_BUFFERED,FILE_ANY_ACCESS)   
#define IOCTL_ENABLE   CTL_CODE(FILE_DEVICE_UNKNOWN ,0x8100,METHOD_BUFFERED,FILE_ANY_ACCESS)   


 /*
  * Detour that HookpIofCallDriver writes into the IofCallDriver pointer slot.
  * It prints the IRP pointer with DbgPrint and then forwards the call,
  * unchanged, to the saved original target (old_piofcalldriver).
  *
  * DeviceObject - target device of the forwarded request.
  * Irp          - request being sent; only its address is logged.
  * Returns the NTSTATUS produced by the original target.
  *
  * NOTE(review): this presumably runs for every caller that reaches the
  * patched slot, at whatever IRQL that caller is running - confirm before
  * adding any work here beyond the DbgPrint.
  */
 NTSTATUS FASTCALL
 NewpIofCallDriver(
 IN PDEVICE_OBJECT DeviceObject,
 IN OUT PIRP Irp
 )
 {
   NTSTATUS stat;
   /* Logs the IRP address; "%08x" matches pointer width on 32-bit x86 only. */
   DbgPrint("%08x\n", Irp);
  
   /* Hand-rolled FASTCALL call: first argument in ecx, second in edx,
    * result comes back in eax. */
   __asm
   {
   mov ecx,DeviceObject
   mov edx,Irp
   Call old_piofcalldriver
   mov stat,eax
   }
   return stat;
 }

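 /*
  * IRP_MJ_DEVICE_CONTROL handler for the control device.
  *
  * Recognises IOCTL_DISABLE and IOCTL_ENABLE; both currently only emit a
  * debug message and succeed. Any other control code is failed with
  * STATUS_INVALID_DEVICE_REQUEST. The IRP is always completed here with zero
  * bytes of output.
  *
  * DeviceObject - device the request was sent to (unused).
  * Irp          - the device-control request.
  * Returns the status the IRP was completed with.
  *
  * NOTE(review): both codes are declared FILE_ANY_ACCESS and no caller check
  * is made here, so anyone able to open the device can issue them. If these
  * cases ever start toggling the hook, restrict the device's security
  * descriptor and/or verify the requester first.
  */
 NTSTATUS DriverIoControl(
 IN PDEVICE_OBJECT DeviceObject,
 IN PIRP Irp)
 {
   PIO_STACK_LOCATION pisl = IoGetCurrentIrpStackLocation(Irp);
   NTSTATUS ns;

   /* Neither request returns data, so the output length is always zero. */
   Irp->IoStatus.Information = 0;

   switch (pisl->Parameters.DeviceIoControl.IoControlCode)
   {
     case IOCTL_DISABLE:
       DbgPrint("IOCTL_DISABLE");
       ns = STATUS_SUCCESS;
       break;

     case IOCTL_ENABLE:
       DbgPrint("IOCTL_ENABLE");
       ns = STATUS_SUCCESS;
       break;

     default:
       /* Unknown control codes are rejected explicitly rather than falling
        * through with a generic failure. */
       ns = STATUS_INVALID_DEVICE_REQUEST;
       break;
   }

   /* The returned status must match the status the IRP is completed with. */
   Irp->IoStatus.Status = ns;
   IoCompleteRequest(Irp, IO_NO_INCREMENT);
   return ns;
 }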
  
 /*
  * Dispatch routine that unconditionally succeeds the request.
  * Registered for IRP_MJ_CREATE in DriverEntry and reused by DriverClose.
  *
  * DeviceObject - device the request was sent to (unused).
  * Irp          - request to complete; finished with STATUS_SUCCESS and
  *                zero bytes transferred.
  * Returns STATUS_SUCCESS.
  */
 NTSTATUS DrivercreateClose(
 IN PDEVICE_OBJECT DeviceObject,
 IN PIRP Irp)
 {
   const NTSTATUS result = STATUS_SUCCESS;

   Irp->IoStatus.Status = result;
   Irp->IoStatus.Information = 0;

   /* No priority boost: nothing was waited on to satisfy the request. */
   IoCompleteRequest(Irp, IO_NO_INCREMENT);
   return result;
 }
 
  /*
   * Writes the saved original target (old_piofcalldriver) back into the
   * pointer slot that HookpIofCallDriver overwrote.
   *
   * The slot address is taken from the 32-bit value stored at offset 2 of
   * IofCallDriver.
   * NOTE(review): that presumably assumes IofCallDriver starts with a
   * two-byte opcode followed by an absolute address; nothing here checks the
   * bytes, so on a build where the prologue differs this writes through an
   * unvalidated pointer - confirm.
   * NOTE(review): `and eax,0xffffffff` leaves the value unchanged, so CR0 is
   * read, written back as-is and restored; the sequence does not alter any
   * CR0 bit as written.
   * NOTE(review): raising IRQL affects only the current processor; other
   * processors can still call through the slot while it is being rewritten.
   */
  void UnHookpIofCallDriver()
 {
   KIRQL oldIrql;
   ULONG addr = (ULONG)IofCallDriver;   /* pointer held in 32 bits: x86 only */

   oldIrql = KeRaiseIrqlToDpcLevel();
   __asm
   {
     mov eax,cr0
     mov oData,eax                      /* keep a copy of CR0 for the restore below */
     and eax,0xffffffff                 /* no-op mask: eax is unchanged */
     mov cr0,eax
     mov eax,addr
     mov esi,[eax+2]                    /* esi = address of the pointer slot */
     mov eax,old_piofcalldriver
     mov dword ptr [esi],eax            /* put the original target back */
     mov eax,oData
     mov cr0,eax                        /* restore the saved CR0 value */
   }
   KeLowerIrql(oldIrql);
   return ;
 }
  
 /*
  * Unload routine: restores the original IofCallDriver target, then removes
  * the symbolic link and the control device created in DriverEntry.
  *
  * DriverObject - the driver being unloaded (unused; the globals are used).
  *
  * NOTE(review): nothing here waits for calls that are already executing
  * inside NewpIofCallDriver; if one is in flight when the image is unloaded
  * the system would presumably bugcheck - confirm and add draining if so.
  */
 VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
 {
    /* Must come first: the detour lives in this image. */
    UnHookpIofCallDriver();
   IoDeleteSymbolicLink(&SymbolicLinkName);
   IoDeleteDevice(deviceObject);
 }

 /*
  * Close handler that delegates to DrivercreateClose, which completes the
  * IRP with STATUS_SUCCESS.
  *
  * DeviceObject - device the request was sent to.
  * Irp          - the close request.
  * Returns whatever DrivercreateClose returns.
  *
  * Note: DriverEntry in this listing does not install this routine in the
  * dispatch table.
  */
 NTSTATUS DriverClose(
 IN PDEVICE_OBJECT DeviceObject,
 IN PIRP Irp)
 {
   NTSTATUS closeStatus;

   closeStatus = DrivercreateClose(DeviceObject, Irp);
   return closeStatus;
 }

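 /*
  * Default dispatch routine installed by DriverEntry for every major
  * function: completes the request successfully with no data transferred.
  *
  * DeviceObject - device the request was sent to (unused).
  * Irp          - request to complete.
  * Returns STATUS_SUCCESS.
  */
 NTSTATUS IoComplete(
 IN PDEVICE_OBJECT DeviceObject,
 IN PIRP Irp)
 {
   /* Fill in the I/O status block before completing: the requester sees
    * IoStatus, not the dispatch return value, so the two must agree. */
   Irp->IoStatus.Status = STATUS_SUCCESS;
   Irp->IoStatus.Information = 0;
   IoCompleteRequest(Irp,IO_NO_INCREMENT);
   return STATUS_SUCCESS;
 }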
  

 /*
  * Redirects the IofCallDriver pointer slot to NewpIofCallDriver.
  *
  * Step 1 reads the slot address from offset 2 of IofCallDriver and saves the
  * slot's current value in old_piofcalldriver. Step 2, at DISPATCH_LEVEL,
  * overwrites the slot with the address of NewpIofCallDriver.
  *
  * NOTE(review): `[eax+2]` presumably assumes a two-byte opcode followed by
  * an absolute address at the start of IofCallDriver; the bytes are never
  * checked - confirm for the targeted build.
  * NOTE(review): `and eax,0xffffffff` does not change eax, so CR0 is written
  * back unmodified and then restored.
  * NOTE(review): raising IRQL only affects the current processor.
  * NOTE(review): the listing builds for 32-bit x86 only (MSVC __asm, pointer
  * stored in ULONG). Once applied, the slot holds an address inside this
  * driver's image rather than the original one, which is the kind of change
  * kernel-integrity checks look for; 64-bit Windows Kernel Patch Protection
  * presumably treats this class of modification as fatal - confirm.
  */
 void HookpIofCallDriver()
 {
   KIRQL oldIrql;
   ULONG addr = (ULONG)IofCallDriver;   /* pointer held in 32 bits: x86 only */
   __asm
   {
  mov eax,addr
  mov esi,[eax+2]                       /* esi = address of the pointer slot */
  mov eax,[esi]
  mov old_piofcalldriver,eax            /* remember the original target */
   }
   oldIrql = KeRaiseIrqlToDpcLevel();
   __asm
   {
  mov eax,cr0
  mov oData,eax                         /* keep a copy of CR0 for the restore below */
  and eax,0xffffffff                    /* no-op mask: eax is unchanged */
  mov cr0,eax
  mov eax,addr
  mov esi,[eax+2]
  mov dword ptr [esi],offset NewpIofCallDriver   /* install the detour */
  mov eax,oData
  mov cr0,eax                           /* restore the saved CR0 value */
   }
   KeLowerIrql(oldIrql);
   return ;
 }
 
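 /*
  * Driver entry point: creates the "\Device\irphook" control device and its
  * "\DosDevices\irphook" symbolic link, fills the dispatch table, and only
  * then installs the IofCallDriver redirect.
  *
  * DriverObject - this driver's object; receives the unload and dispatch
  *                routines.
  * RegistryPath - service key path (unused).
  * Returns STATUS_SUCCESS, or the failure status from IoCreateDevice or
  * IoCreateSymbolicLink. On failure nothing is left behind: the device is
  * deleted and the redirect is never installed. (DriverUnload is not invoked
  * when DriverEntry fails, so installing the redirect before a failing return
  * would leave the slot pointing into an image that is about to be unloaded.)
  *
  * NOTE(review): the device is created with no characteristics and default
  * security while its IOCTLs are FILE_ANY_ACCESS; consider
  * FILE_DEVICE_SECURE_OPEN and an explicit security descriptor (for example
  * via IoCreateDeviceSecure) so only intended callers can open it.
  */
 NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,
 IN PUNICODE_STRING RegistryPath)
 {
   NTSTATUS status;
   PDRIVER_DISPATCH *ppdd;
   ULONG i;
   PCWSTR dDeviceName = L"\\Device\\irphook";
   PCWSTR dSymbolicLinkName = L"\\DosDevices\\irphook";

   RtlInitUnicodeString(&DeviceName, dDeviceName);
   RtlInitUnicodeString(&SymbolicLinkName, dSymbolicLinkName);

   status = IoCreateDevice(DriverObject, 0, &DeviceName, FILE_DEVICE_UNKNOWN, 0, TRUE, &deviceObject);
   if (!NT_SUCCESS(status))
   {
     return status;
   }

   status = IoCreateSymbolicLink(&SymbolicLinkName, &DeviceName);
   if (!NT_SUCCESS(status))
   {
     /* Undo the device creation; the load is about to fail. */
     IoDeleteDevice(deviceObject);
     return status;
   }

   DriverObject->DriverUnload = DriverUnload;

   /* Default every major function to the generic completer, then override
    * the ones this driver actually handles. */
   ppdd = DriverObject->MajorFunction;
   for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
   {
     ppdd[i] = IoComplete;
   }
   ppdd[IRP_MJ_CREATE] = DrivercreateClose;
   ppdd[IRP_MJ_DEVICE_CONTROL] = DriverIoControl;
   g_drvobj = DriverObject;

   /* Last step, reached only when every earlier step succeeded. */
   HookpIofCallDriver();
   return status;
 }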
 
