Driver Object Explained

1. Driver Object

1.1 Structure

In the kernel, every driver module is a driver object, represented by a DRIVER_OBJECT structure. You can picture the driver object as a container, much like a process, that holds everything belonging to the driver. Below we print a few basic members of the driver object to become familiar with it.

The driver object structure is as follows:
```c
typedef struct _DRIVER_OBJECT {
    CSHORT Type;
    CSHORT Size;

    //
    // The following links all of the devices created by a single driver
    // together on a list, and the Flags word provides an extensible flag
    // location for driver objects.
    //
    PDEVICE_OBJECT DeviceObject;
    ULONG Flags;

    //
    // The following section describes where the driver is loaded. The count
    // field is used to count the number of times the driver has had its
    // registered reinitialization routine invoked.
    //
    PVOID DriverStart;                  // start address of the driver image
    ULONG DriverSize;                   // size of the driver image
    PVOID DriverSection;                // can be interpreted as a _LDR_DATA_TABLE_ENTRY; a linked list entry that leads to the next driver module
    PDRIVER_EXTENSION DriverExtension;  // driver extension; can hold our own custom data

    //
    // The driver name field is used by the error log thread
    // determine the name of the driver that an I/O request is/was bound.
    //
    UNICODE_STRING DriverName;          // name of the driver object

    //
    // The following section is for registry support. This is a pointer
    // to the path to the hardware information in the registry
    //
    PUNICODE_STRING HardwareDatabase;

    //
    // The following section contains the optional pointer to an array of
    // alternate entry points to a driver for "fast I/O" support. Fast I/O
    // is performed by invoking the driver routine directly with separate
    // parameters, rather than using the standard IRP call mechanism. Note
    // that these functions may only be used for synchronous I/O, and when
    // the file is cached.
    //
    PFAST_IO_DISPATCH FastIoDispatch;

    PDRIVER_INITIALIZE DriverInit;
    PDRIVER_STARTIO DriverStartIo;
    PDRIVER_UNLOAD DriverUnload;        // address of the driver's unload routine
    PDRIVER_DISPATCH MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];
} DRIVER_OBJECT;
typedef struct _DRIVER_OBJECT *PDRIVER_OBJECT;
```

1.2 Output code: printing basic driver object information

```cpp
#include <ntddk.h>

VOID MyDriverUnLoad(_In_ struct _DRIVER_OBJECT* DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    DbgPrint("驱动卸载了\r\n");
}

extern "C" NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    // End address of the driver image = start + size.
    ULONG64 uImageEnd = (ULONG64)DriverObject->DriverStart + DriverObject->DriverSize;

    DriverObject->DriverUnload = MyDriverUnLoad;
    DbgPrint("驱动加载了开始打印输出\r\n");
    // %wZ takes a pointer to a UNICODE_STRING, not the structure by value.
    DbgPrint("驱动名字 = %wZ \r\n", &DriverObject->DriverName);
    // Addresses are pointers: print them with %p so they are not truncated on x64.
    DbgPrint("驱动起始地址 %p 大小 %x 结束地址 %p\r\n",
             DriverObject->DriverStart, DriverObject->DriverSize, (PVOID)uImageEnd);
    DbgPrint("驱动对象的卸载地址 = %p\r\n", DriverObject->DriverUnload);

    // Print the driver object's individual dispatch (callback) addresses.
    DbgPrint("驱动对象的IoControl回调地址 = %p\r\n", DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL]);
    DbgPrint("驱动对象的读回调地址 = %p\r\n", DriverObject->MajorFunction[IRP_MJ_READ]);
    DbgPrint("驱动对象的写回调地址 = %p\r\n", DriverObject->MajorFunction[IRP_MJ_WRITE]);
    DbgPrint("驱动对象的创建回调地址 = %p\r\n", DriverObject->MajorFunction[IRP_MJ_CREATE]);
    DbgPrint("驱动对象的关闭回调地址 = %p\r\n", DriverObject->MajorFunction[IRP_MJ_CLOSE]);

    DbgPrint("-------遍历回调输出------------\r\n");
    // Walk the whole table: MajorFunction has IRP_MJ_MAXIMUM_FUNCTION + 1 entries, so use <=.
    for (auto i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
    {
        DbgPrint("回调的IRP_MJ 调用号 = %d 回调函数地址 = %p \r\n", i, DriverObject->MajorFunction[i]);
    }
    DbgPrint("执行所有功能完毕\r\n");
    return STATUS_SUCCESS;
}
```

1.3 Result

1.4 Other notes

Using the driver object you can enumerate driver information and obtain every module loaded in the kernel. The code for that is in another post, https://www.cnblogs.com/iBinary/p/11693606.html, and it can be integrated into an ARK tool such as PCHunter.
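As an added example, not code from the original post, here is a user-mode C model of the kind of check an ARK tool like PCHunter performs on this structure: walk MajorFunction and report every entry that points neither into [DriverStart, DriverStart + DriverSize) nor into the kernel image. The DriverModel struct, the address ranges and the sample driver are constructed for illustration; on a real system the kernel range would come from the loaded-module list reachable through DriverSection.

```c
#include <stdint.h>
#include <stdio.h>
#define IRP_MJ_MAXIMUM_FUNCTION 0x1b /* same value as the WDK headers */

/* Constructed model of only the DRIVER_OBJECT fields this check reads. */
typedef struct {
    uint64_t DriverStart;                                /* image base   */
    uint32_t DriverSize;                                 /* image size   */
    uint64_t MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1]; /* IRP dispatch */
} DriverModel;
typedef struct { uint64_t base; uint32_t size; } ImageRange;
static int in_range(uint64_t a, ImageRange r) { return a >= r.base && a < r.base + r.size; }

/* Flag each dispatch entry pointing neither into the driver's own image nor
 * into the kernel. The kernel must be accepted: the I/O manager fills every
 * slot the driver did not set with its default handler (IopInvalidDeviceRequest
 * in ntoskrnl). Returns the count; stores up to max_out offending indices. */
size_t find_hooked_entries(const DriverModel *d, ImageRange kernel,
                           int *out_idx, size_t max_out) {
    ImageRange self = { d->DriverStart, d->DriverSize };
    size_t n = 0;
    for (int i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) {
        uint64_t fn = d->MajorFunction[i];
        if (in_range(fn, self) || in_range(fn, kernel)) continue;
        if (n < max_out) out_idx[n] = i;
        n++;
    }
    return n;
}

/* Constructed sample: driver set two handlers; IRP_MJ_DEVICE_CONTROL (0x0e)
 * was later redirected into an unknown third module. */
static const ImageRange kKernel = { 0xFFFFF80000400000ULL, 0x600000 };
DriverModel sample_driver(void) {
    DriverModel d = { 0xFFFFF80001000000ULL, 0x8000, {0} };
    for (int i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
        d.MajorFunction[i] = kKernel.base + 0x1234;  /* kernel default */
    d.MajorFunction[0x00] = d.DriverStart + 0x1100;  /* IRP_MJ_CREATE */
    d.MajorFunction[0x03] = d.DriverStart + 0x1200;  /* IRP_MJ_READ   */
    d.MajorFunction[0x0e] = 0xFFFFF88003000000ULL;   /* hooked        */
    return d;
}

int main(void) {
    DriverModel d = sample_driver();
    int idx[IRP_MJ_MAXIMUM_FUNCTION + 1];
    size_t n = find_hooked_entries(&d, kKernel, idx, IRP_MJ_MAXIMUM_FUNCTION + 1);
    for (size_t k = 0; k < n; k++)
        printf("IRP_MJ 0x%02x dispatches outside the driver and kernel\n", idx[k]);
    return 0;
}
```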
---From the Tencent Cloud community---IBinary