正规的签名需要几千块钱一年，但可以多次签名。反外挂小组一般会检测驱动签名：没有签名的会被拉入黑名单，有签名的会被视为正规程序（安全性高、没有破坏性）而放行。
一、驱动练习-helloworld
- 内核层
//#include <ntddk.h>
#include <ntifs.h>
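/*
 * Unload routine registered in DriverEntry; it only logs which driver object is
 * being torn down. KdPrint compiles to nothing in free (release) builds, so the
 * parameter is marked as referenced explicitly to keep /W4 /WX builds clean.
 */
VOID Unload(IN PDRIVER_OBJECT pDriverObject)
{
    UNREFERENCED_PARAMETER(pDriverObject);
    KdPrint(("Goodbye driver 卸载例程序DriverObject=%p 行号=%d \n", pDriverObject, __LINE__));
}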
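/*
 * Driver entry point, called once by the I/O manager when the image is loaded.
 *   DriverObject - the driver object to populate; only the unload routine is set here.
 *   RegistryPath - the driver's service registry key; unused in this exercise.
 * Returns STATUS_SUCCESS. (A failure status would make the loader discard the driver.)
 */
NTSTATUS DriverEntry(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    )
{
    UNREFERENCED_PARAMETER(RegistryPath);

    /* Without an unload routine the driver cannot be stopped without a reboot. */
    DriverObject->DriverUnload = Unload;
    KdPrint(("hello driver 进入例程序DriverObject=%p 行号=%d \n", DriverObject, __LINE__));
    return STATUS_SUCCESS;
}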
- 效果演示
二、驱动练习-IRP
用户层调用 CreateFile 与 CloseHandle 时，内核层如何收到并处理对应的请求
- 内核层
#include <ntifs.h>
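/*
 * Unload routine registered in DriverEntry. Nothing was allocated or created by
 * this driver, so there is nothing to release; it only logs.
 *   pDriverObject - the driver object being unloaded (not needed here).
 */
VOID Unload(IN PDRIVER_OBJECT pDriverObject)
{
    UNREFERENCED_PARAMETER(pDriverObject);
    KdPrint(("Goodbye driver\n"));
}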
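/*
 * Dispatch routine registered for IRP_MJ_CREATE (CreateFile) and IRP_MJ_CLOSE
 * (CloseHandle). Both requests carry no data, so the request is completed with
 * zero bytes transferred.
 *   device - the device object the request was sent to (unused here).
 *   pirp   - the request; it is completed here and must not be touched afterwards.
 * Returns the status stored in the IRP: STATUS_SUCCESS for create/close,
 * STATUS_INVALID_DEVICE_REQUEST for any other major function routed here.
 */
NTSTATUS IRP_CALL(PDEVICE_OBJECT device, PIRP pirp)
{
    PIO_STACK_LOCATION irpStackL;
    NTSTATUS status = STATUS_SUCCESS;

    UNREFERENCED_PARAMETER(device);
    KdPrint(("进入派遣函数"));
    irpStackL = IoGetCurrentIrpStackLocation(pirp); /* per-request parameters filled in by the I/O manager */
    switch (irpStackL->MajorFunction)
    {
    case IRP_MJ_CREATE: /* CreateFile */
        KdPrint(("用户层调用了 CreateFile"));
        break;
    case IRP_MJ_CLOSE: /* CloseHandle */
        KdPrint(("用户层调用了 CloseHandle"));
        break;
    default:
        /* Only CREATE/CLOSE are registered for this routine in DriverEntry; refuse
         * anything else instead of reporting success for a request we did not handle. */
        status = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }
    pirp->IoStatus.Status = status;
    /* Create/close transfer no bytes; Information must only ever count bytes actually
     * written for the caller, never a fixed number. */
    pirp->IoStatus.Information = 0;
    IoCompleteRequest(pirp, IO_NO_INCREMENT); /* hand the IRP back, no priority boost */
    KdPrint(("离开派遣函数"));
    /* Return the local copy: the IRP may already be freed after IoCompleteRequest. */
    return status;
}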
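/*
 * Driver entry point, called once by the I/O manager when the image is loaded.
 *   DriverObject - the driver object to populate with the unload routine and the
 *                  dispatch routines for create/close.
 *   RegistryPath - the driver's service registry key; unused in this exercise.
 * Returns STATUS_SUCCESS.
 */
NTSTATUS DriverEntry(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    )
{
    UNREFERENCED_PARAMETER(RegistryPath);

    DriverObject->DriverUnload = Unload; /* unload callback */
    /* User-mode CreateFile / CloseHandle on a device owned by this driver arrive
     * as IRP_MJ_CREATE / IRP_MJ_CLOSE and are both routed to IRP_CALL. */
    DriverObject->MajorFunction[IRP_MJ_CREATE] = IRP_CALL;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = IRP_CALL;
    KdPrint(("进入 DriverEntry入口点\n"));
    return STATUS_SUCCESS;
}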
- 用户层
- 效果演示
三、驱动练习-IRP(CreateFile)
- 内核层
#include <ntifs.h>
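/*
 * Dispatch routine registered for IRP_MJ_CREATE, IRP_MJ_CLOSE and
 * IRP_MJ_DEVICE_CONTROL.
 *   device - the device object the request was sent to (unused here).
 *   pirp   - the request; it is completed here and must not be touched afterwards.
 * Returns the status stored in the IRP.
 *
 * IoStatus.Information is reported to the caller as lpBytesReturned and, for
 * METHOD_BUFFERED, tells the I/O manager how many bytes of the system buffer to
 * copy back to user mode. It is therefore set only to the number of bytes this
 * routine actually wrote; claiming bytes that were never written would copy stale
 * buffer contents (the request's input or pool memory) to the caller.
 */
NTSTATUS DeviceIrpCtl(PDEVICE_OBJECT device, PIRP pirp)
{
    PIO_STACK_LOCATION irpStackL;
    NTSTATUS status = STATUS_SUCCESS;
    ULONG_PTR bytesReturned = 0; /* bytes written for the caller */

    UNREFERENCED_PARAMETER(device);
    KdPrint(("进入派遣函数"));
    irpStackL = IoGetCurrentIrpStackLocation(pirp); /* per-request parameters filled in by the I/O manager */
    switch (irpStackL->MajorFunction)
    {
    case IRP_MJ_DEVICE_CONTROL: /* DeviceIoControl */
    {
        ULONG ctlCode = irpStackL->Parameters.DeviceIoControl.IoControlCode;
        ULONG outLen = irpStackL->Parameters.DeviceIoControl.OutputBufferLength;

        KdPrint(("用户层调用了 DeviceIoControl"));
        /* Demo reply: 4 bytes (a zero ULONG, constructed sample value) through the
         * METHOD_BUFFERED system buffer. Other transfer methods are not supported. */
        if (METHOD_FROM_CTL_CODE(ctlCode) != METHOD_BUFFERED ||
            pirp->AssociatedIrp.SystemBuffer == NULL)
        {
            status = STATUS_INVALID_DEVICE_REQUEST;
        }
        else if (outLen < sizeof(ULONG))
        {
            /* Never write past what the caller provided. */
            status = STATUS_BUFFER_TOO_SMALL;
        }
        else
        {
            *(ULONG *)pirp->AssociatedIrp.SystemBuffer = 0;
            bytesReturned = sizeof(ULONG);
        }
        break;
    }
    case IRP_MJ_CREATE: /* CreateFile */
        KdPrint(("用户层调用了 CreateFile"));
        break;
    case IRP_MJ_CLOSE: /* CloseHandle */
        KdPrint(("用户层调用了 CloseHandle"));
        break;
    default:
        /* Not registered for this routine in DriverEntry; refuse rather than report success. */
        status = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }
    pirp->IoStatus.Status = status;
    pirp->IoStatus.Information = bytesReturned;
    IoCompleteRequest(pirp, IO_NO_INCREMENT); /* hand the IRP back, no priority boost */
    KdPrint(("离开派遣函数"));
    /* Return the local copy: the IRP may already be freed after IoCompleteRequest. */
    return status;
}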
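/*
 * Dispatch routine registered for IRP_MJ_CLOSE (CloseHandle). A close request
 * carries no data, so it is completed successfully with zero bytes transferred.
 *   device - the device object the request was sent to (unused here).
 *   pirp   - the request; it is completed here and must not be touched afterwards.
 * Returns STATUS_SUCCESS.
 */
NTSTATUS DeviceIrpCtl_Close(PDEVICE_OBJECT device, PIRP pirp)
{
    UNREFERENCED_PARAMETER(device);
    KdPrint(("进入派遣函数 DeviceIrpCtl_Close"));
    KdPrint(("用户层调用了 CloseHandle DeviceIrpCtl_Close"));
    pirp->IoStatus.Status = STATUS_SUCCESS;
    /* Nothing is written for the caller, so no bytes are reported back. */
    pirp->IoStatus.Information = 0;
    IoCompleteRequest(pirp, IO_NO_INCREMENT); /* hand the IRP back, no priority boost */
    KdPrint(("离开派遣函数 DeviceIrpCtl_Close"));
    return STATUS_SUCCESS;
}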
//创建驱动设备对象
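/*
 * Creates the control device \Device\MyDriver and the symbolic link \??\MyDriver
 * through which user mode opens it with CreateFile.
 *   driver - the driver object that will own the device.
 * Returns STATUS_SUCCESS with both objects in place, or the failing NTSTATUS with
 * nothing left behind: a device created before the link failed is deleted again,
 * and nothing is deleted when the device itself could not be created.
 *
 * NOTE(review): the device gets the default device DACL. If only administrators
 * should be able to open it, create it with IoCreateDeviceSecure and an SDDL
 * string instead — confirm the intended audience before shipping.
 */
NTSTATUS CreateDevice(PDRIVER_OBJECT driver)
{
    NTSTATUS status;
    UNICODE_STRING MyDriver;     /* device name */
    UNICODE_STRING uzSymbolName; /* symbolic link name seen by CreateFile */
    PDEVICE_OBJECT device = NULL; /* valid only after IoCreateDevice succeeds */

    RtlInitUnicodeString(&MyDriver, L"\\DEVICE\\MyDriver");
    RtlInitUnicodeString(&uzSymbolName, L"\\??\\MyDriver");

    /* No device extension is used, so its size is 0; the size of a pointer field
     * is not a meaningful extension size. */
    status = IoCreateDevice(driver, 0, &MyDriver, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &device);
    if (!NT_SUCCESS(status))
    {
        /* Nothing was created, so there is nothing to delete here. */
        KdPrint(("驱动设备对象创建失败 status=%X\n", status));
        return status;
    }
    KdPrint(("驱动设备对象创建成功,OK \n"));

    status = IoCreateSymbolicLink(&uzSymbolName, &MyDriver);
    if (!NT_SUCCESS(status))
    {
        KdPrint(("创建符号链接 %wZ 失败 status=%X", &uzSymbolName, status));
        /* Without the link the device is unreachable from user mode; remove it so the
         * caller can fail cleanly instead of leaking the device object. */
        IoDeleteDevice(device);
        return status;
    }
    KdPrint(("创建符号链接 %wZ 成功 ", &uzSymbolName));
    return status;
}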
/*
 * Unload routine: removes the \??\MyDriver symbolic link and the device object
 * created by CreateDevice. If no device exists (CreateDevice failed), only logs.
 *   pDriver - the driver object being unloaded.
 */
void DriverUnLoad(PDRIVER_OBJECT pDriver)
{
    PDEVICE_OBJECT dev = pDriver->DeviceObject;

    KdPrint(("进入了 DriverUnLoad例程"));
    if (dev != NULL)
    {
        UNICODE_STRING linkName; /* link name as created in CreateDevice */

        RtlInitUnicodeString(&linkName, L"\\??\\MyDriver");
        KdPrint(("删除符号链接=%wZ", &linkName));
        IoDeleteSymbolicLink(&linkName);

        KdPrint(("删除驱动设备"));
        IoDeleteDevice(dev); /* the device object itself */
    }
    KdPrint(("退出 DriverUnLoad例程"));
}
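/*
 * Driver entry point, called once by the I/O manager when the image is loaded.
 *   driver - the driver object to populate with the unload routine, the device and
 *            the dispatch table.
 *   szReg  - the driver's service registry key (only logged).
 * Returns STATUS_SUCCESS, or the status from CreateDevice when the device or its
 * symbolic link could not be created; in that case the driver is not loaded.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING szReg)
{
    NTSTATUS status;

    KdPrint(("我的第一个驱动,注册路径=%wZ", szReg));
    driver->DriverUnload = DriverUnLoad;

    /* Create the device and the \??\MyDriver link for user mode. */
    status = CreateDevice(driver);
    if (!NT_SUCCESS(status))
    {
        /* NOTE(review): DriverUnload is not expected to run when DriverEntry fails, so
         * any device that did get created is removed here before bailing out. */
        if (driver->DeviceObject != NULL)
        {
            IoDeleteDevice(driver->DeviceObject);
        }
        KdPrint(("创建设备失败 status=%X", status));
        return status;
    }

    /* Dispatch table: CreateFile -> IRP_MJ_CREATE, CloseHandle -> IRP_MJ_CLOSE
     * (closing a handle does not unload the driver), DeviceIoControl -> IRP_MJ_DEVICE_CONTROL. */
    driver->MajorFunction[IRP_MJ_CREATE] = DeviceIrpCtl;
    driver->MajorFunction[IRP_MJ_CLOSE] = DeviceIrpCtl_Close;
    driver->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DeviceIrpCtl;
    return STATUS_SUCCESS;
}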
- 用户层
- 效果演示
三、驱动练习-IRP(CreateFile)
- 内核层
- 用户层
- 效果演示