过滤/ObReferenceObjectByName/XT
2017-02-24 21:30
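#include "ntddk.h"

/*
 * ObReferenceObjectByName is an undocumented ntoskrnl export, so its prototype
 * is declared by hand here. Its signature is not covered by the WDK contract
 * and has to be re-checked for every target OS build.
 */
NTKERNELAPI
NTSTATUS
ObReferenceObjectByName(
    IN PUNICODE_STRING ObjectName,
    IN ULONG Attributes,
    IN PACCESS_STATE PassedAccessState OPTIONAL,
    IN ACCESS_MASK DesiredAccess OPTIONAL,
    IN POBJECT_TYPE ObjectType,
    IN KPROCESSOR_MODE AccessMode,
    IN OUT PVOID ParseContext OPTIONAL,
    OUT PVOID *Object
    );

extern POBJECT_TYPE *IoDriverObjectType;

/*
 * Global state.
 *
 * g_FilterDriverObject      - driver object whose IRP_MJ_DEVICE_CONTROL entry
 *                             is replaced; a reference is held on it from a
 *                             successful FilterDriverQuery() until
 *                             UnFilterDriverRoutine().
 * gfn_OrigReadCompleteRoutine - the dispatch routine that was in that entry
 *                             before it was replaced.
 */
PDRIVER_OBJECT g_FilterDriverObject;
PDRIVER_DISPATCH gfn_OrigReadCompleteRoutine;

/* Complete an IRP with STATUS_SUCCESS and no data transferred. */
static NTSTATUS CompleteIrpSuccess(PIRP pIrp)
{
    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

/*
 * Replacement IRP_MJ_DEVICE_CONTROL dispatch routine installed on the other
 * driver: logs the request and forwards it, unmodified, to the saved original.
 *
 * NOTE(review): swapping another driver's MajorFunction entry is a
 * dispatch-table hook, not a supported filtering mechanism; the documented way
 * to filter a device is to attach a filter device object
 * (IoAttachDeviceToDeviceStack). An integrity check can spot this hook because
 * the entry no longer points inside the owning driver's image
 * (DriverStart .. DriverStart + DriverSize).
 */
NTSTATUS FilterReadCompleteRoutine(
    __in struct _DEVICE_OBJECT *DeviceObject,
    __inout struct _IRP *Irp
    )
{
    KdPrint(("IRP_MJ_DEVICE_CONTROL."));
    return gfn_OrigReadCompleteRoutine(DeviceObject, Irp);
}

/*
 * Put the saved dispatch routine back and drop the reference taken in
 * FilterDriverQuery(). Does nothing when no hook was installed.
 *
 * NOTE(review): a request that is already executing inside
 * FilterReadCompleteRoutine when this driver's image is unloaded will still
 * fault; nothing here waits for in-flight calls to drain.
 */
VOID UnFilterDriverRoutine(VOID)
{
    PVOID previous;

    if (g_FilterDriverObject == NULL || gfn_OrigReadCompleteRoutine == NULL) {
        return;
    }

    /* Restore only if the entry is still ours, so that a routine written there
       by someone else after us is not silently overwritten. */
    previous = InterlockedCompareExchangePointer(
        (PVOID volatile *)&g_FilterDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL],
        (PVOID)gfn_OrigReadCompleteRoutine,
        (PVOID)FilterReadCompleteRoutine);
    if (previous != (PVOID)FilterReadCompleteRoutine) {
        KdPrint(("dispatch entry changed by another component; not restored"));
    }

    ObDereferenceObject(g_FilterDriverObject);
    g_FilterDriverObject = NULL;
    gfn_OrigReadCompleteRoutine = NULL;
}

/*
 * Look up \Driver\Xuetr by name, save its IRP_MJ_DEVICE_CONTROL dispatch
 * routine and replace it with FilterReadCompleteRoutine.
 *
 * Returns STATUS_SUCCESS when the entry was replaced, otherwise the failure
 * status from ObReferenceObjectByName.
 */
NTSTATUS FilterDriverQuery()
{
    NTSTATUS Status;
    UNICODE_STRING usObjectName;

    RtlInitUnicodeString(&usObjectName, L"\\Driver\\Xuetr");
    Status = ObReferenceObjectByName(
        &usObjectName,
        OBJ_CASE_INSENSITIVE,
        NULL,
        0,
        *IoDriverObjectType,
        KernelMode,
        NULL,
        (PVOID *)&g_FilterDriverObject);
    if (!NT_SUCCESS(Status)) {
        KdPrint(("ObReferenceObjectByName failed"));
        g_FilterDriverObject = NULL;
        return Status;
    }

    /* %p, not %X: the argument is a pointer and is 64 bits wide on x64. */
    KdPrint(("0x%p", g_FilterDriverObject));

    /* Save the original before publishing the replacement, so the replacement
       never runs with a NULL forward target. */
    gfn_OrigReadCompleteRoutine =
        g_FilterDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL];
    InterlockedExchangePointer(
        (PVOID volatile *)&g_FilterDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL],
        (PVOID)FilterReadCompleteRoutine);

    /* The reference is deliberately kept: the pointer is used again at unload,
       and releasing it here (as the code originally did) leaves that later use
       operating on an object that may already have been freed. */
    return STATUS_SUCCESS;
}

/*
 * DriverUnload callback: removes the dispatch hook, then deletes the symbolic
 * link and the device object created by CreateDevice().
 */
VOID MyDriverUnLoad(PDRIVER_OBJECT pDriverObject)
{
    UNICODE_STRING usSymName;

    /* Unhook first so no new request is routed into this image while the rest
       of the teardown runs. */
    UnFilterDriverRoutine();

    RtlInitUnicodeString(&usSymName, L"\\??\\FirstDevice");
    if (pDriverObject->DeviceObject != NULL) {
        IoDeleteSymbolicLink(&usSymName);
        IoDeleteDevice(pDriverObject->DeviceObject);
        KdPrint(("delete device success"));
    }
}

/*
 * Create \Device\FirstDevice (exclusive, buffered I/O) and its
 * \??\FirstDevice symbolic link.
 *
 * Returns STATUS_SUCCESS, or the failure status of IoCreateDevice /
 * IoCreateSymbolicLink; on a symbolic-link failure the device is deleted again.
 */
NTSTATUS CreateDevice(PDRIVER_OBJECT pDriverObject)
{
    NTSTATUS Status;
    PDEVICE_OBJECT pDevObj;
    UNICODE_STRING usDevName; /* author's note: a wrong type here caused a bugcheck */
    UNICODE_STRING usSymName;

    RtlInitUnicodeString(&usDevName, L"\\Device\\FirstDevice");
    /* FILE_DEVICE_SECURE_OPEN makes the I/O manager apply the device object's
       security descriptor to every open inside the device's namespace. */
    Status = IoCreateDevice(pDriverObject, 0, &usDevName, FILE_DEVICE_UNKNOWN,
                            FILE_DEVICE_SECURE_OPEN, TRUE, &pDevObj);
    if (!NT_SUCCESS(Status)) {
        return Status;
    }
    pDevObj->Flags |= DO_BUFFERED_IO;

    RtlInitUnicodeString(&usSymName, L"\\??\\FirstDevice");
    Status = IoCreateSymbolicLink(&usSymName, &usDevName);
    if (!NT_SUCCESS(Status)) {
        IoDeleteDevice(pDevObj);
        return Status;
    }
    return STATUS_SUCCESS;
}

/* IRP_MJ_CREATE dispatch: log and complete successfully. */
NTSTATUS CreateCompleteRoutine(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
    UNREFERENCED_PARAMETER(pDeviceObject);
    KdPrint(("create routine"));
    return CompleteIrpSuccess(pIrp);
}

/* IRP_MJ_CLOSE dispatch: log and complete successfully. */
NTSTATUS CloseCompleteRoutine(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
    UNREFERENCED_PARAMETER(pDeviceObject);
    KdPrint(("close routine"));
    return CompleteIrpSuccess(pIrp);
}

/* Registered for IRP_MJ_DEVICE_CONTROL in DriverEntry despite its name:
   log and complete successfully. */
NTSTATUS ReadCompleteRoutine(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
    UNREFERENCED_PARAMETER(pDeviceObject);
    KdPrint(("read routine"));
    return CompleteIrpSuccess(pIrp);
}

/* IRP_MJ_WRITE dispatch: log and complete successfully. */
NTSTATUS WriteCompleteRoutine(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
    UNREFERENCED_PARAMETER(pDeviceObject);
    KdPrint(("write routine"));
    return CompleteIrpSuccess(pIrp);
}

/*
 * Driver entry point: creates the control device, registers the dispatch
 * routines and the unload callback, then attempts the dispatch hook.
 *
 * Returns the CreateDevice() failure status if the device cannot be created
 * (previously the failure was logged and STATUS_SUCCESS returned, leaving a
 * loaded driver with no device). A failed hook attempt is logged only; the
 * driver still loads, as before.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
    NTSTATUS Status;

    Status = CreateDevice(pDriverObject);
    if (!NT_SUCCESS(Status)) {
        KdPrint(("create device failed"));
        return Status;
    }
    KdPrint(("create device successed"));
    KdPrint(("%wZ", pRegistryPath));

    pDriverObject->MajorFunction[IRP_MJ_CREATE] = CreateCompleteRoutine;
    pDriverObject->MajorFunction[IRP_MJ_CLOSE] = CloseCompleteRoutine;
    /* NOTE(review): IRP_MJ_READ is never registered; the routine named "Read"
       serves IRP_MJ_DEVICE_CONTROL. Confirm that this is intended. */
    pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = ReadCompleteRoutine;
    pDriverObject->MajorFunction[IRP_MJ_WRITE] = WriteCompleteRoutine;

    /* Set before the hook attempt so the driver can always be unloaded. */
    pDriverObject->DriverUnload = MyDriverUnLoad;

    Status = FilterDriverQuery();
    if (!NT_SUCCESS(Status)) {
        KdPrint(("FilterDriverQuery failed: 0x%08X", Status));
    }
    return STATUS_SUCCESS;
}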