内核驱动驱动对象 Driver_OBJECT

IBinary

发布于 2020-06-04 23:30:33

1.4K0

发布于 2020-06-04 23:30:33

文章被收录于专栏：逆向技术逆向技术

驱动对象讲解
- 一丶驱动对象
  - 1.1 结构
  - 1.2 输出代码输出基本的驱动对象信息
  - 1.3 结果
  - 1.4 其它简介

驱动对象讲解

一丶驱动对象

1.1 结构

在内核中. 每一个驱动模块都是一个驱动对象. 都有一个 DRIVER_OBJECT结构体代表. 可以想象成驱动对象是一个进程容器. 容纳百川.

下面针对驱动对象做一下简单的成员输出.以熟悉驱动对象.

驱动对象结构如下:

typedef struct _DRIVER_OBJECT {
    CSHORT Type;
    CSHORT Size;

    //
    // The following links all of the devices created by a single driver
    // together on a list, and the Flags word provides an extensible flag
    // location for driver objects.
    //

    PDEVICE_OBJECT DeviceObject;
    ULONG Flags;

    //
    // The following section describes where the driver is loaded.  The count
    // field is used to count the number of times the driver has had its
    // registered reinitialization routine invoked.
    //

    PVOID DriverStart;                                                        //驱动对象的起始地址
    ULONG DriverSize;                                                         //驱动对象的大小
    PVOID DriverSection;                                                      //驱动对象结构.可以解析为_LDR_DATA_TABLE_ENTRY  是一个链表存储着下一个驱动对象                                                   
    PDRIVER_EXTENSION DriverExtension;                                        //驱动的扩展信息.可以自定义存放我们的数据                           

    //
    // The driver name field is used by the error log thread
    // determine the name of the driver that an I/O request is/was bound.
    //

    UNICODE_STRING DriverName;                                    //驱动对象的名字

    //
    // The following section is for registry support.  This is a pointer
    // to the path to the hardware information in the registry
    //

    PUNICODE_STRING HardwareDatabase;

    //
    // The following section contains the optional pointer to an array of
    // alternate entry points to a driver for "fast I/O" support.  Fast I/O
    // is performed by invoking the driver routine directly with separate
    // parameters, rather than using the standard IRP call mechanism.  Note
    // that these functions may only be used for synchronous I/O, and when
    // the file is cached.
    //

    PFAST_IO_DISPATCH FastIoDispatch;


    PDRIVER_INITIALIZE DriverInit;
    PDRIVER_STARTIO DriverStartIo;
    PDRIVER_UNLOAD DriverUnload;                              //驱动对象的卸载地址
    PDRIVER_DISPATCH MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];

} DRIVER_OBJECT;
typedef struct _DRIVER_OBJECT *PDRIVER_OBJECT;

1.2 输出代码输出基本的驱动对象信息

#include <ntddk.h>
VOID MyDriverUnLoad(
	_In_ struct _DRIVER_OBJECT* DriverObject
)
{
	DbgPrint("驱动卸载了\r\n");
}
extern "C" NTSTATUS DriverEntry(
	_In_ PDRIVER_OBJECT  DriverObject,
	_In_ PUNICODE_STRING RegistryPath
){
	ULONG64 uImage = 0;
	DriverObject->DriverUnload = MyDriverUnLoad;
	DbgPrint("驱动加载了开始打印输出\r\n");
	DbgPrint("驱动名字 = %wZ \r\n", DriverObject->DriverName);
	DbgPrint("驱动起始地址 %x 大小 %x  结束地址 %x\r\n",
		DriverObject->DriverStart,
		DriverObject->DriverSize,
		uImage = ((ULONG64)DriverObject->DriverStart + DriverObject->DriverSize));
	DbgPrint("驱动对象的卸载地址 = %p\r\n", DriverObject->DriverUnload);
	//输出驱动对象的所有回调地址.
	DbgPrint("驱动对象的IoControl回调地址 = %p\r\n", DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL]);
	DbgPrint("驱动对象的读回调地址 = %p\r\n",DriverObject->MajorFunction[IRP_MJ_READ]);
	DbgPrint("驱动对象的写回调地址 = %p\r\n",DriverObject->MajorFunction[IRP_MJ_WRITE]);
	DbgPrint("驱动对象的创建回调地址 = %p\r\n",DriverObject->MajorFunction[IRP_MJ_CREATE]);
	DbgPrint("驱动对象的关闭回调地址 = %p\r\n",DriverObject->MajorFunction[IRP_MJ_CLOSE]);

	DbgPrint("-------遍历回调输出------------\r\n");

	//宏从DrverObject对象中查找
	for (auto i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++)
	{
		DbgPrint("回调的IRP_MJ 调用号 = %d 回调函数地址 = %p \r\n", i, DriverObject->MajorFunction[i]);
	}

	DbgPrint("执行所有功能完毕");


	return STATUS_SUCCESS;
}