DriverEntry.c- #include "ntifs.h"
- #define PAGEDCODE code_seg("PAGE")
- #define LOCKEDCODE code_seg()
- #define INITCODE code_seg("INIT")
- #define PAGEDDATA data_seg("PAGE")
- #define LOCKEDDATA data_seg()
- #define INITDATA data_seg("INIT")
- #define MAX_TABLE 37
- #define MAX_OBJECT_COUNT 0x10000
- typedef ULONG DEVICE_MAP;
- typedef ULONG EX_PUSH_LOCK;
/*
 * One entry in an OBJECT_DIRECTORY hash-bucket chain.
 * ChainLink links the next entry of the same bucket (EnumObjectDirectory stops
 * at NULL); Object is treated as the object *body*, i.e. the address the
 * object manager hands out (OBJECT_TO_OBJECT_HEADER is applied to it).
 * NOTE(review): private kernel layout, not declared by ntifs.h; it is only
 * correct for the kernel build this file targets — confirm before reuse.
 */
typedef struct _OBJECT_DIRECTORY_ENTRY{
    struct _OBJECT_DIRECTORY_ENTRY *ChainLink;   // next entry in this bucket, NULL at the end
    PVOID Object;                                // object body, not the header
    ULONG HashValue;                             // not read by this file
}OBJECT_DIRECTORY_ENTRY,*POBJECT_DIRECTORY_ENTRY;
/*
 * Object-manager directory: MAX_TABLE (37) bucket heads of entry chains.
 * Only HashBuckets is read by this file (EnumObjectDirectory); the remaining
 * fields exist to keep the kernel's layout and are never used here.
 * NOTE(review): the directory's Lock is never acquired by the walker in this
 * file, so the chains may change while they are being read.
 */
typedef struct _OBJECT_DIRECTORY{
    POBJECT_DIRECTORY_ENTRY HashBuckets[MAX_TABLE];  // bucket heads; checked with MmIsAddressValid before use
    EX_PUSH_LOCK Lock;        // typedef'd to ULONG above: only its size matters to this file
    DEVICE_MAP DeviceMap;     // typedef'd to ULONG above, likewise
    ULONG SessionId;
    PVOID NamespaceEntry;
    ULONG Flags;
}OBJECT_DIRECTORY,*POBJECT_DIRECTORY;
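/*
 * Optional name block stored in front of an OBJECT_HEADER; located through
 * OBJECT_HEADER_TO_NAME_INFO() using OBJECT_HEADER.NameInfoOffset.
 * (The closing line of this typedef was garbled in the original listing and
 * is restored here; the fields are unchanged.)
 */
typedef struct _OBJECT_HEADER_NAME_INFO{
    POBJECT_DIRECTORY Directory;   // directory the object is inserted in (not read here)
    UNICODE_STRING Name;           // returned by ObGetObjectName when Length != 0
    ULONG ReferenceCount;
}OBJECT_HEADER_NAME_INFO,*POBJECT_HEADER_NAME_INFO;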
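/*
 * Creation-time information referenced from OBJECT_HEADER.ObjectCreateInfo.
 * Nothing in this file reads it; it is declared only so OBJECT_HEADER's union
 * member has a proper pointer type.
 * The stray second ';' after the pointer typedef (an empty file-scope
 * declaration, rejected by ISO C) is removed.
 */
typedef struct _OBJECT_CREATE_INFORMATION {
    ULONG Attributes;
    HANDLE RootDirectory;
    PVOID ParseContext;
    KPROCESSOR_MODE ProbeMode;
    ULONG PagedPoolCharge;
    ULONG NonPagedPoolCharge;
    ULONG SecurityDescriptorCharge;
    PSECURITY_DESCRIPTOR SecurityDescriptor;
    PSECURITY_QUALITY_OF_SERVICE SecurityQos;
    SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
} OBJECT_CREATE_INFORMATION;
typedef struct _OBJECT_CREATE_INFORMATION *POBJECT_CREATE_INFORMATION;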
/*
 * Object header that immediately precedes every object body. Body is the first
 * byte of the object the manager hands out, so OBJECT_TO_OBJECT_HEADER
 * recovers the header with CONTAINING_RECORD on Body.
 * This file reads NameInfoOffset (through OBJECT_HEADER_TO_NAME_INFO); note
 * that EnumObjectDirectory reaches Type through a hard-coded "Object - 0x10"
 * rather than through this field.
 * NOTE(review): private, build-specific layout; the anonymous unions are an MS
 * extension. With 32-bit pointers Body is at offset 0x18 and Type at 0x08,
 * which is what the -0x10 offset relies on — confirm on the target build.
 */
typedef struct _OBJECT_HEADER {
    LONG_PTR PointerCount;
    union {
        LONG_PTR HandleCount;
        PVOID NextToFree;
    };
    POBJECT_TYPE Type;              // object type; Index is compared with 2 (Directory) by the walker
    UCHAR NameInfoOffset;           // 0 = no name block; else distance back to OBJECT_HEADER_NAME_INFO
    UCHAR HandleInfoOffset;
    UCHAR QuotaInfoOffset;
    UCHAR Flags;
    union {
        POBJECT_CREATE_INFORMATION ObjectCreateInfo;
        PVOID QuotaBlockCharged;
    };
    PSECURITY_DESCRIPTOR SecurityDescriptor;
    QUAD Body;                      // start of the object body
} OBJECT_HEADER, *POBJECT_HEADER;
- #define OBJECT_TO_OBJECT_HEADER( o ) \
- CONTAINING_RECORD( (o), OBJECT_HEADER, Body )
- #define OBJECT_HEADER_TO_NAME_INFO( oh ) ((POBJECT_HEADER_NAME_INFO) \
- ((oh)->NameInfoOffset == 0 ? NULL : ((PCHAR)(oh) - (oh)->NameInfoOffset)))
/*
 * Per-type initializer embedded in OBJECT_TYPE (TypeInfo). None of its fields
 * are read by this file; it is declared so OBJECT_TYPE below keeps the
 * kernel's layout (and therefore the offset of OBJECT_TYPE.Index).
 * NOTE(review): build-specific private layout — confirm on the target build.
 */
typedef struct _OBJECT_TYPE_INITIALIZER {
    USHORT Length;
    BOOLEAN UseDefaultObject;
    BOOLEAN CaseInsensitive;
    ULONG InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    ULONG ValidAccessMask;
    BOOLEAN SecurityRequired;
    BOOLEAN MaintainHandleCount;
    BOOLEAN MaintainTypeList;
    POOL_TYPE PoolType;
    ULONG DefaultPagedPoolCharge;
    ULONG DefaultNonPagedPoolCharge;
    // Type-specific callbacks; kept as PVOID since none are invoked here.
    PVOID DumpProcedure;
    PVOID OpenProcedure;
    PVOID CloseProcedure;
    PVOID DeleteProcedure;
    PVOID ParseProcedure;
    PVOID SecurityProcedure;
    PVOID QueryNameProcedure;
    PVOID OkayToCloseProcedure;
} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;
/*
 * Object type object. The only field this file reads is Index, which
 * EnumObjectDirectory compares with 2 to recognise a Directory object and
 * recurse into its buckets.
 * NOTE(review): build-specific private layout; the POOL_TAGGING conditional
 * changes the offset of ObjectLocks but not of Index — confirm on the target build.
 */
typedef struct _OBJECT_TYPE {
    ERESOURCE Mutex;
    LIST_ENTRY TypeList;
    UNICODE_STRING Name; // Copy from object header for convenience
    PVOID DefaultObject;
    ULONG Index;                         // type index; 2 is treated as Directory by this file
    ULONG TotalNumberOfObjects;
    ULONG TotalNumberOfHandles;
    ULONG HighWaterNumberOfObjects;
    ULONG HighWaterNumberOfHandles;
    OBJECT_TYPE_INITIALIZER TypeInfo;
#ifdef POOL_TAGGING
    ULONG Key;
#endif //POOL_TAGGING
    ERESOURCE ObjectLocks[4];
} OBJECT_TYPE, *POBJECT_TYPE;
//global
// Address of the kernel variable ObpRootDirectoryObject (NOT the directory
// object itself — EnumObjectDirectory dereferences it once more). Set by
// DriverEntry from GetObpRootDirectoryObjectAddr(); 0 when the signature scan failed.
ULONG g_uObpRootDirectoryObjectAddr;
/*
 * Returns a pointer to the name stored in the object's header name block, or
 * NULL when the object has no name block or its name is empty.
 * Object is the object body (the address the object manager hands out); the
 * header and name block are found through the macros above, so the memory in
 * front of Object must be readable.
 */
PUNICODE_STRING ObGetObjectName (
    IN PVOID Object
    )
{
    POBJECT_HEADER_NAME_INFO pNameInfo =
        OBJECT_HEADER_TO_NAME_INFO( OBJECT_TO_OBJECT_HEADER( Object ) );

    // No name block (NameInfoOffset == 0) or an empty name: nothing to return.
    if (pNameInfo == NULL || pNameInfo->Name.Length == 0) {
        return NULL;
    }
    return &pNameInfo->Name;
}
- #pragma PAGEDCODE
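/*
 * Finds the address of the kernel variable ObpRootDirectoryObject.
 *
 * ObQueryNameString is scanned byte by byte for a fixed instruction pattern
 * (0xA1 "mov eax,[imm32]" with 0x39 at +5, 0x0F at +8 and 0xC7 at -7); the
 * 32-bit absolute operand that follows the 0xA1 byte is the variable's address.
 *
 * Returns that address (the caller still dereferences it to reach the
 * directory object), or 0 when no match is found inside the scan window.
 *
 * The pattern and the 4-byte operand are specific to one 32-bit kernel build.
 * On any other build the scan can fail, or can match an unrelated 0xA1 byte
 * and return a wrong address that the caller then dereferences — treat the
 * result as untrusted and validate it before use.
 *
 * The scan starts at BACK_OFFSET so the p[-7] comparison never reads the bytes
 * in front of ObQueryNameString (the original started at 0). Up to
 * SCAN_LENGTH + FWD_OFFSET bytes past the function start may still be read on
 * the last iterations, as before.
 */
ULONG GetObpRootDirectoryObjectAddr()
{
    enum { SCAN_LENGTH = 0x200, BACK_OFFSET = 7, FWD_OFFSET = 8 };
    PUCHAR pStart = (PUCHAR)ObQueryNameString;
    ULONG uOffset;

    for (uOffset = BACK_OFFSET; uOffset < SCAN_LENGTH; uOffset++)
    {
        PUCHAR p = pStart + uOffset;

        if (p[0] == 0xa1
            && p[5] == 0x39
            && p[FWD_OFFSET] == 0x0f
            && *(p - BACK_OFFSET) == 0xc7)
        {
            ULONG uAddr;
            // The operand is not aligned; copy it instead of casting the pointer.
            RtlCopyMemory(&uAddr, p + 1, sizeof uAddr);
            return uAddr;
        }
    }

    KdPrint(("Find faile!\n"));
    return 0;
}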
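/* OBJECT_TYPE.Index value this walker treats as a Directory object. */
enum { OBJECT_TYPE_INDEX_DIRECTORY = 2 };

/*
 * Ring buffer of directory entries still to visit. Front is the index of the
 * last slot dequeued and Rear the index of the last slot enqueued, so the
 * queue is empty when Front == Rear and can hold MAX_OBJECT_COUNT - 1 entries.
 */
typedef struct _ENTRY_QUEUE {
    POBJECT_DIRECTORY_ENTRY *Slots;
    ULONG Front;
    ULONG Rear;
} ENTRY_QUEUE;

/* Appends Entry to the ring; when the ring is full the entry is dropped and logged. */
static VOID EnqueueEntry(ENTRY_QUEUE *Queue, POBJECT_DIRECTORY_ENTRY Entry)
{
    ULONG uNext = (Queue->Rear + 1) % MAX_OBJECT_COUNT;

    // Without this check a full ring would wrap Rear onto Front and the walk
    // would silently stop early.
    if (uNext == Queue->Front)
    {
        KdPrint(("object queue full, entry dropped\n"));
        return;
    }
    Queue->Slots[uNext] = Entry;
    Queue->Rear = uNext;
}

/* Enqueues every bucket head of Directory that points at valid memory. */
static VOID EnqueueDirectoryBuckets(ENTRY_QUEUE *Queue, POBJECT_DIRECTORY Directory)
{
    ULONG uBucket;

    for (uBucket = 0; uBucket < MAX_TABLE; uBucket++)
    {
        POBJECT_DIRECTORY_ENTRY pHead = Directory->HashBuckets[uBucket];

        if (MmIsAddressValid(pHead))
        {
            EnqueueEntry(Queue, pHead);
        }
    }
}

/*
 * Breadth-first walk of the object-manager namespace starting at the root
 * directory whose variable address is in g_uObpRootDirectoryObjectAddr.
 * Each visited object with a name is reported with KdPrint; Directory objects
 * are descended into. Nothing is returned and no state is kept.
 *
 * Reading is unsynchronised: the directory push locks are never acquired, so
 * chains can change under the walk. MmIsAddressValid only guards against
 * unmapped pages, not against stale or hostile pointers — this is debugging
 * output, not a trustworthy inventory.
 *
 * Changes relative to the original: the root-variable and root-object
 * pointers are validated before use; the queue is sized with sizeof *Slots
 * rather than sizeof(ULONG); a full ring is detected instead of wrapping;
 * Object and ChainLink are validated before being dereferenced; the type is
 * read through OBJECT_TO_OBJECT_HEADER(...)->Type, which on a 32-bit build is
 * the same location as the original hard-coded "Object - 0x10".
 */
VOID EnumObjectDirectory(VOID)
{
    ENTRY_QUEUE queue;
    POBJECT_DIRECTORY pRootDirectory;

    // g_uObpRootDirectoryObjectAddr is the address of the kernel *variable*;
    // the variable holds the root directory pointer.
    if (!MmIsAddressValid((PVOID)g_uObpRootDirectoryObjectAddr))
    {
        KdPrint(("root directory variable address is not valid\n"));
        return;
    }
    pRootDirectory = *(POBJECT_DIRECTORY *)g_uObpRootDirectoryObjectAddr;
    if (!MmIsAddressValid(pRootDirectory))
    {
        KdPrint(("root directory object is not valid\n"));
        return;
    }

    queue.Slots = (POBJECT_DIRECTORY_ENTRY *)ExAllocatePool(NonPagedPool,
                                                            MAX_OBJECT_COUNT * sizeof *queue.Slots);
    if (queue.Slots == NULL)
    {
        KdPrint(("queue is null\n"));
        return;
    }
    queue.Front = queue.Rear = 0;

    EnqueueDirectoryBuckets(&queue, pRootDirectory);

    while (queue.Front != queue.Rear)
    {
        POBJECT_DIRECTORY_ENTRY pEntry;
        PVOID pObject;

        queue.Front = (queue.Front + 1) % MAX_OBJECT_COUNT;
        pEntry = queue.Slots[queue.Front];     // validated when it was enqueued
        pObject = pEntry->Object;

        // The entry was validated; its Object pointer was not.
        if (MmIsAddressValid(pObject))
        {
            PUNICODE_STRING pusObjectName = ObGetObjectName(pObject);
            POBJECT_TYPE pObjectType;

            if (MmIsAddressValid(pusObjectName))
            {
                KdPrint(("%X:%wZ\n", pObject, pusObjectName));
            }

            pObjectType = OBJECT_TO_OBJECT_HEADER(pObject)->Type;
            if (MmIsAddressValid(pObjectType)
                && pObjectType->Index == OBJECT_TYPE_INDEX_DIRECTORY)
            {
                EnqueueDirectoryBuckets(&queue, (POBJECT_DIRECTORY)pObject);
            }
        }

        // Continue along the bucket chain regardless of the object above.
        if (MmIsAddressValid(pEntry->ChainLink))
        {
            EnqueueEntry(&queue, pEntry->ChainLink);
        }
    }

    ExFreePool(queue.Slots);
}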
- #pragma PAGEDCODE
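/*
 * Unload callback registered by DriverEntry. DriverEntry creates no device
 * objects and EnumObjectDirectory frees its own queue, so there is nothing to
 * release here; the routine only logs.
 */
VOID MyDriverUnload(IN PDRIVER_OBJECT pDriverObject)
{
    UNREFERENCED_PARAMETER(pDriverObject);   // not used: silences the unused-parameter warning
    KdPrint(("DriverEntry unLoading...\n"));
}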
- #pragma INITCODE
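/*
 * Driver entry point: registers the unload routine, locates the kernel's
 * ObpRootDirectoryObject variable by signature and, when found, walks the
 * object namespace once (debug output only).
 *
 * Always returns STATUS_SUCCESS: a failed signature scan only skips the walk
 * (GetObpRootDirectoryObjectAddr logs it), so the driver stays loaded and
 * can be unloaded normally.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);    // not used: silences the unused-parameter warning

    // Register unload before doing any work so the driver is always unloadable.
    pDriverObject->DriverUnload = MyDriverUnload;

    g_uObpRootDirectoryObjectAddr = GetObpRootDirectoryObjectAddr();
    if (g_uObpRootDirectoryObjectAddr != 0)
    {
        EnumObjectDirectory();
    }

    return STATUS_SUCCESS;
}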