写了一个读写驱动(源码)

其他 2020-04-25 09:11:52 阅读次数: 0

完整工程:

链接:https://pan.baidu.com/s/1IGrYu60Mr9gjCLtq-tSqLA
提取码:rrsr

在这里插入图片描述

头文件

#pragma once
#include<ntifs.h>
#include<windef.h>

#define READCODE CTL_CODE(FILE_DEVICE_UNKNOWN,0x800,METHOD_BUFFERED,FILE_ALL_ACCESS)
#define WRITECODE CTL_CODE(FILE_DEVICE_UNKNOWN,0x801,METHOD_BUFFERED,FILE_ALL_ACCESS)

#define DEVICENAME L"\\Device\\ReadWriteDevice"
#define SYMBOLNAME L"\\??\\ReadWriteSymbolName"

typedef struct DATA
{
	DWORD pid;//要读写的进程ID
	unsigned __int64 address;//要读写的地址
	DWORD size;//读写长度
	BYTE* data;//要读写的数据,
}Data;

void DriverUnload(PDRIVER_OBJECT driver);
NTSTATUS CreateDevice(PDRIVER_OBJECT driver);
NTSTATUS DriverIrpCtl(PDEVICE_OBJECT device, PIRP pirp);
BOOL ReadMemory(Data* data);
BOOL WriteMemory(Data* data);

.C文件

#include"Driver.h"

NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING path)
{
	DbgPrint("驱动已加载,路径:%wZ", path);

	driver->DriverUnload = DriverUnload;

	CreateDevice(driver);

	driver->MajorFunction[IRP_MJ_CREATE] = DriverIrpCtl;
	driver->MajorFunction[IRP_MJ_CLOSE] = DriverIrpCtl;
	driver->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DriverIrpCtl;

	return STATUS_SUCCESS;
}

void DriverUnload(PDRIVER_OBJECT driver)
{

	if (driver->DeviceObject)
	{
		UNICODE_STRING SymbolName;
		RtlInitUnicodeString(&SymbolName, SYMBOLNAME);

		IoDeleteSymbolicLink(&SymbolName);
		IoDeleteDevice(driver->DeviceObject);
	}

	DbgPrint("驱动已卸载");
}

NTSTATUS CreateDevice(PDRIVER_OBJECT driver)
{
	NTSTATUS status = STATUS_SUCCESS;
	PDEVICE_OBJECT device=NULL;
	UNICODE_STRING DeviceName;

	RtlInitUnicodeString(&DeviceName, DEVICENAME);

	status = IoCreateDevice(
		driver,
		sizeof(driver->DriverExtension),
		&DeviceName,
		FILE_DEVICE_UNKNOWN,
		FILE_DEVICE_SECURE_OPEN,
		FALSE,
		&device
		);

	if (status == STATUS_SUCCESS)
	{
		UNICODE_STRING SymbolName;
		RtlInitUnicodeString(&SymbolName, SYMBOLNAME);

		status = IoCreateSymbolicLink(&SymbolName, &DeviceName);

		if (status != STATUS_SUCCESS)
		{
			DbgPrint("创建符号链接失败");
			IoDeleteDevice(device);
		}
	}

	DbgPrint("驱动设备已创建");

	return status;

}

NTSTATUS DriverIrpCtl(PDEVICE_OBJECT device, PIRP pirp)
{
	PIO_STACK_LOCATION stack;

	stack = IoGetCurrentIrpStackLocation(pirp);

	Data* data;

	switch (stack->MajorFunction)
	{

	case IRP_MJ_CREATE:
	{
		DbgPrint("设备已打开");
		break;
	}

	case IRP_MJ_CLOSE:
	{
		DbgPrint("设备已关闭");
		break;
	}

	case IRP_MJ_DEVICE_CONTROL:
	{
		data=pirp->AssociatedIrp.SystemBuffer;
		DbgPrint("PID:%d  地址:%x  大小:%d",data->pid,data->address,data->size);
		switch (stack->Parameters.DeviceIoControl.IoControlCode)
		{

		case READCODE:
		{
			ReadMemory(data);
			break;
		}

		case WRITECODE:
		{
			WriteMemory(data);
			break;
		}

		}

		pirp->IoStatus.Information = sizeof(data);
		
		break;
	}

	}

	pirp->IoStatus.Status = STATUS_SUCCESS;
	IoCompleteRequest(pirp, IO_NO_INCREMENT);

	return STATUS_SUCCESS;
}

BOOL ReadMemory(Data* data)
{
	BOOL bRet=TRUE;
	PEPROCESS process = NULL;

	PsLookupProcessByProcessId(data->pid, &process);

	if (process == NULL)
	{
		DbgPrint("获取进程对象失败");
		return FALSE;
	}

	BYTE* GetData;
	__try
	{
		GetData = ExAllocatePool(PagedPool, data->size);
	}
	__except (1)
	{
		DbgPrint("内存分配失败");
		return FALSE;
	}

	KAPC_STATE stack = {0};
	KeStackAttachProcess(process, &stack);

	__try
	{
		ProbeForRead(data->address, data->size, 1);
		RtlCopyMemory(GetData, data->address, data->size);
	}
	__except (1)
	{
		DbgPrint("读取内存出错");
		bRet = FALSE;
	}

	ObDereferenceObject(process);
	KeUnstackDetachProcess(&stack);

	RtlCopyMemory(data->data, GetData, data->size);

	/*DbgPrint("进程ID:%d",data->pid);
	for (int i = 0; i < data->size; i++)
	{
		//data->data[i] = GetData[i];
		DbgPrint("地址:%x 数据:%x data:%x", data->address+i,GetData[i],data->data[i]);
	}
	DbgPrint("输出完毕");*/

	ExFreePool(GetData);
	return bRet;
}

BOOL WriteMemory(Data* data)
{
	BOOL bRet = TRUE;
	PEPROCESS process=NULL;

	PsLookupProcessByProcessId(data->pid, &process);
	if (process == NULL)
	{
		DbgPrint("获取进程对象失败");
		return FALSE;
	}

	//在进入进程地址空间之前先赋值
	BYTE* GetData;
	__try
	{
		GetData = ExAllocatePool(PagedPool, data->size);
	}
	__except (1)
	{
		DbgPrint("内存分配失败");
		return FALSE;
	}

	for (int i = 0; i < data->size; i++)
	{
		GetData[i] = data->data[i];
	}

	KAPC_STATE stack = {0};
	KeStackAttachProcess(process, &stack);

	PMDL mdl = IoAllocateMdl(data->address, data->size, 0, 0, NULL);
	if (mdl == NULL)
	{
		DbgPrint("创建MDL失败");
		return FALSE;
	}

	MmBuildMdlForNonPagedPool(mdl);

	BYTE* ChangeData = NULL;

	__try
	{
		ChangeData = MmMapLockedPages(mdl, KernelMode);
		RtlCopyMemory(ChangeData, GetData, data->size);
	}
	__except (1)
	{
		DbgPrint("内存映射失败,%d",sizeof(ChangeData));
		bRet = FALSE;
		goto END;
	}
	
END:
	IoFreeMdl(mdl);
	ExFreePool(GetData);
	KeUnstackDetachProcess(&stack);
	ObDereferenceObject(process);

	return bRet;
}
吾无法无天
发布了23 篇原创文章 · 获赞 51 · 访问量 1万+
私信 关注

猜你喜欢

转载自blog.csdn.net/weixin_44286745/article/details/100098125
今日推荐
openKylin 社区生态委员会第六次会议圆满召开
阿里云正式发布通义千问 2.5
Python 3.13 发布首个 Beta:实验性自由线程模式和 JIT、改进交互式解释器
Stack Overflow 拿我的代码去训练 AI 大模型,还封了我的账号
Pop!_OS 的 COSMIC 桌面完成 App Store 上架工作
报告:Django 仍然是 74% 开发者的首选
《2024 年一季度互联网投融资运行情况》研究报告
15 年前上了“FFmpeg 耻辱柱”,今天他还得谢谢咱——腾讯QQPlayer一雪前耻?
TIOBE 5 月榜单:Fortran “复活”进入 Top 10
GCC 14.1 发布
面壁智能发布 Eurux-8x22B 开源大模型 —— 堪称「理科状元」
开源日报 | 谷歌扶持鸿蒙上位;开源Rabbit R1;Docker加持的安卓手机;微软的焦虑和野心;海尔电器把开放平台关了
周排行
计算机组成与设计(七)—— 除法器
Integer Approximation(分治+枚举)
大话数据库索引
windows10系统JDK的配置及下载地址
mysql实现秒值转换中原六仔平台搭建
Codeforces Round #556 (Div. 1)
百练1064 网线主管
Codeforces 995F Cowmpany Cowmpensation
子集生成之增量构造法,位向量法,二进制法
ERROR: cmd.exe failed with args /c "/APK\gradle\rungradle.bat...
每日归档
更多
2024-05-10(38)
2024-05-09(35)
2024-05-08(42)
2024-05-07(14)
2024-05-06(40)
2024-05-05(0)
2024-05-04(7)
2024-05-03(19)
2024-05-02(0)
2024-05-01(4)

代码天地 © 2018 codetd.com

境外服务器   最新电视剧2022