22.DriverBase-ObReferenceObjectByHandle通过Ring3句柄获得Ring0对象
2017-08-17 17:06
ObReferenceObjectByHandle
示例：把 ring3 创建的 event 句柄传入 ring0，由 ring0 将该事件设置为有信号状态。注意：当句柄来自用户态时，ObReferenceObjectByHandle 的 AccessMode 参数应传 UserMode（或 Irp->RequestorMode）而不是 KernelMode，否则对象管理器会跳过访问权限检查并接受内核句柄表中的句柄值；同时必须先检查返回值，失败时不能再使用输出的对象指针。
ring0:
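#include "Driver.h"

/*
 * Handle2Object sample driver (DriverBase, lesson 22).
 *
 * Shows how a ring-3 handle becomes a ring-0 object: user mode sends an event
 * HANDLE through IOCTL_TEST1, the driver resolves it with
 * ObReferenceObjectByHandle() to the underlying KEVENT and signals it.
 *
 * NOTE(review): the device is created with IoCreateDevice() and no explicit
 * security descriptor, and it is published under \??\, so any local user can
 * open it and reach HelloDDKDeviceIOControl(). Everything in the IOCTL input
 * buffer - its length, the buffer pointer and the handle value - is untrusted.
 */

/*
 * Driver entry point.
 *
 * Installs the unload routine and the dispatch routines for create, close and
 * device-control requests, then creates the device object and its symbolic
 * link. Returns the status of CreateDevice().
 */
#pragma INITCODE
extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject,
                                IN PUNICODE_STRING pRegistryPath)
{
    UNREFERENCED_PARAMETER(pRegistryPath);

    pDriverObject->DriverUnload = HelloDDKUnload;
    pDriverObject->MajorFunction[IRP_MJ_CREATE] = HelloDDKDispatchRoutine;
    /* Not hooked in the original. Without an IRP_MJ_CLOSE handler the I/O
     * manager's default dispatch fails the close IRP with
     * STATUS_INVALID_DEVICE_REQUEST; completing it here keeps create/close
     * handling symmetric. */
    pDriverObject->MajorFunction[IRP_MJ_CLOSE] = HelloDDKDispatchRoutine;
    pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = HelloDDKDeviceIOControl;

    return CreateDevice(pDriverObject);
}

/*
 * Creates the \Device\Handle2Object device object and the
 * \??\Handle2ObjectLink symbolic link that user mode opens.
 *
 * Both names are stored in the device extension so HelloDDKUnload() can tear
 * them down. On symbolic-link failure the device object is deleted again.
 *
 * Returns STATUS_SUCCESS or the failing I/O manager status.
 */
#pragma PAGEDCODE
NTSTATUS CreateDevice(IN PDRIVER_OBJECT pDriverObject)
{
    NTSTATUS status;
    PDEVICE_OBJECT pDevObj = NULL;
    PDEVICE_EXTENSION pDevExt;
    UNICODE_STRING devName;
    UNICODE_STRING symLinkName;

    PAGED_CODE();

    RtlInitUnicodeString(&devName, L"\\Device\\Handle2Object");

    /* The original passed &(UNICODE_STRING)devName, i.e. the address of a
     * cast temporary; the plain address is what IoCreateDevice() expects.
     * Exclusive = TRUE: only one handle to the device at a time. */
    status = IoCreateDevice(pDriverObject,
                            sizeof(DEVICE_EXTENSION),
                            &devName,
                            FILE_DEVICE_UNKNOWN,
                            0,
                            TRUE,
                            &pDevObj);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    /* DO_DIRECT_IO only affects IRP_MJ_READ/WRITE; IOCTL buffering is chosen
     * by the METHOD_* bits of each control code. */
    pDevObj->Flags |= DO_DIRECT_IO;

    pDevExt = (PDEVICE_EXTENSION)pDevObj->DeviceExtension;
    pDevExt->pDevice = pDevObj;
    pDevExt->ustrDeviceName = devName;

    RtlInitUnicodeString(&symLinkName, L"\\??\\Handle2ObjectLink");
    pDevExt->ustrSymLinkName = symLinkName;

    status = IoCreateSymbolicLink(&symLinkName, &devName);
    if (!NT_SUCCESS(status)) {
        IoDeleteDevice(pDevObj);
        return status;
    }

    return STATUS_SUCCESS;
}

/*
 * Unload routine: walks every device object owned by this driver, removes
 * its symbolic link and deletes the device.
 */
#pragma PAGEDCODE
VOID HelloDDKUnload(IN PDRIVER_OBJECT pDriverObject)
{
    PDEVICE_OBJECT pNextObj;

    PAGED_CODE();
    KdPrint(("Enter DriverUnload\n"));

    pNextObj = pDriverObject->DeviceObject;
    while (pNextObj != NULL) {
        PDEVICE_EXTENSION pDevExt = (PDEVICE_EXTENSION)pNextObj->DeviceExtension;
        UNICODE_STRING linkName = pDevExt->ustrSymLinkName;

        IoDeleteSymbolicLink(&linkName);

        /* Fetch the next device before IoDeleteDevice() frees the object
         * (and the extension) we are currently standing on. */
        pNextObj = pNextObj->NextDevice;
        IoDeleteDevice(pDevExt->pDevice);
    }
}

/*
 * IRP_MJ_DEVICE_CONTROL dispatch.
 *
 * IOCTL_TEST1 (METHOD_BUFFERED): the input buffer carries one HANDLE to an
 * event owned by the calling process. The driver references the KEVENT behind
 * it, signals it and drops the reference. Any other control code completes
 * with STATUS_INVALID_DEVICE_REQUEST (the original returned
 * STATUS_INVALID_VARIANT for this case).
 *
 * The handle lookup relies on this dispatch running in the context of the
 * calling thread, which is the case for a top-level device receiving a
 * DeviceIoControl() request.
 *
 * Returns the completion status; the IRP is always completed here.
 */
#pragma PAGEDCODE
NTSTATUS HelloDDKDeviceIOControl(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp)
{
    NTSTATUS status = STATUS_SUCCESS;
    ULONG_PTR info = 0;
    PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(pIrp);
    ULONG cbin = stack->Parameters.DeviceIoControl.InputBufferLength;
    ULONG code = stack->Parameters.DeviceIoControl.IoControlCode;

    UNREFERENCED_PARAMETER(pDevObj);
    PAGED_CODE();
    KdPrint(("Enter HelloDDKDeviceIOControl\n"));

    switch (code) {
    case IOCTL_TEST1: {
        HANDLE hUserEvent;
        PKEVENT pEvent = NULL;

        KdPrint(("IOCTL_TEST1\n"));

        /* The caller chooses the input length. With METHOD_BUFFERED the I/O
         * manager leaves SystemBuffer NULL when both buffer lengths are 0,
         * so the original unconditional *(HANDLE*)SystemBuffer read was a
         * user-triggerable NULL/short-buffer dereference in ring 0. */
        if (cbin < sizeof(HANDLE) || pIrp->AssociatedIrp.SystemBuffer == NULL) {
            status = STATUS_BUFFER_TOO_SMALL;
            break;
        }
        hUserEvent = *(HANDLE *)pIrp->AssociatedIrp.SystemBuffer;

        /* AccessMode must be the requestor's mode, not KernelMode. With
         * KernelMode the object manager skips the EVENT_MODIFY_STATE access
         * check and also accepts kernel-handle-table values, so an
         * unprivileged caller could have the driver signal events it never
         * held a handle to. Irp->RequestorMode is UserMode for requests that
         * came in through DeviceIoControl(). */
        status = ObReferenceObjectByHandle(hUserEvent,
                                           EVENT_MODIFY_STATE,
                                           *ExEventObjectType,
                                           pIrp->RequestorMode,
                                           (PVOID *)&pEvent,
                                           NULL);
        if (!NT_SUCCESS(status)) {
            /* Invalid handle or not an event (STATUS_OBJECT_TYPE_MISMATCH):
             * pEvent holds nothing usable. The original called KeSetEvent()
             * on it regardless. */
            break;
        }

        KeSetEvent(pEvent, IO_NO_INCREMENT, FALSE);
        /* Balance the reference taken by ObReferenceObjectByHandle(). */
        ObDereferenceObject(pEvent);
        break;
    }
    default:
        status = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    pIrp->IoStatus.Status = status;
    pIrp->IoStatus.Information = info; /* bytes transferred (none here) */
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);

    KdPrint(("Leave HelloDDKDeviceIOControl\n"));
    return status;
}

/*
 * Dispatch for IRP_MJ_CREATE (and IRP_MJ_CLOSE when hooked): completes the
 * request successfully with no data transferred.
 */
#pragma PAGEDCODE
NTSTATUS HelloDDKDispatchRoutine(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp)
{
    NTSTATUS status = STATUS_SUCCESS;

    UNREFERENCED_PARAMETER(pDevObj);
    PAGED_CODE();
    KdPrint(("Enter HelloDDKDispatchRoutine\n"));

    pIrp->IoStatus.Status = status;
    pIrp->IoStatus.Information = 0; /* bytes transferred */
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);

    KdPrint(("Leave HelloDDKDispatchRoutine\n"));
    return status;
}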
ring3:
// Handle2ObjectRing3.cpp : Defines the entry point for the console application. // #include "stdafx.h" #include <windows.h> #include <process.h> #define IOCTL_TEST1 CTL_CODE(FILE_DEVICE_UNKNOWN,0x800,METHOD_BUFFERED,FILE_ANY_ACCESS) unsigned __stdcall ThreadProc(PVOID lp) { HANDLE hEvent = *(HANDLE*)lp; WaitForSingleObject(hEvent,INFINITE); return 0; } int _tmain(int argc, _TCHAR* argv[]) { HANDLE hDevice = CreateFileA("\\\\.\\Handle2ObjectLink", GENERIC_READ | GENERIC_WRITE, 0, // share mode none NULL, // no security OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL ); // no template if (INVALID_HANDLE_VALUE == hDevice) { printf("fail:%d",GetLastError()); system("pause"); return 1; } // 创建用户模式同步事件 HANDLE hEvent = CreateEvent(NULL,FALSE,FALSE,NULL); HANDLE hThread = (HANDLE)_beginthreadex(NULL,0,ThreadProc,&hEvent,0,NULL); DWORD dwOutPut; DeviceIoControl(hDevice,IOCTL_TEST1,&hEvent,sizeof(hEvent),NULL,0,&dwOutPut,NULL); WaitForSingleObject(hThread,INFINITE); CloseHandle(hDevice); CloseHandle(hThread); CloseHandle(hEvent); system("pause"); return 0; }