大理寺少卿 发表于 2025-5-7 22:23:14

驱动开发与系统原理-驱动遍历

熟悉_DRIVER_OBJECT结构
----------------------

![](https://raw.githubusercontent.com/Whitebird0/tuchuang/main/QQ%E6%88%AA%E5%9B%BE20220114223024.png)

DriverSection 是驱动的地址,一个指向驱动的指针

DriverInit 存储驱动的名称,一个指向驱动名称的指针

遍历驱动,就是通过DriverSection的双向链表,循环遍历

**代码**

#include<ntifs.h>
#include<intrin.h>

VOID DriverUnload(PDRIVER_OBJECT pDriverObject) {

DbgPrint("Unload Driver Success! ");

}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath) {
DbgPrint("Load Driver Success!");
pDriverObject->DriverUnload = DriverUnload;
PLIST_ENTRY DriverList = NULL;
PLIST_ENTRY NextList = NULL;
UNICODE_STRING usDriverName;
RtlInitUnicodeString(&usDriverName, L"ntoskrnl.exe");
PUNICODE_STRING pUSDriverName = NULL;
DriverList = (PLIST_ENTRY)pDriverObject->DriverSection;
NextList = DriverList->Flink;
while (NextList!= DriverList)
{
    pUSDriverName = (PUNICODE_STRING)((ULONG)NextList + 0x2c);
    DbgPrint("%wZ", pUSDriverName);
    if (RtlCompareUnicodeString(pUSDriverName, &usDriverName,TRUE)==0);//对某个驱动进行查找
    {
      DbgPrint("0x%X", (ULONG)NextList);//打印出我们找到的驱动的相关信息
      return STATUS_SUCCESS;
    }
    NextList = NextList->Flink;
}
return STATUS_SUCCESS;
}
![](https://raw.githubusercontent.com/Whitebird0/tuchuang/main/QQ%E6%88%AA%E5%9B%BE20220114224103.png)

YINXN 发表于 2025-5-11 10:54:44

谢谢分享支持楼主
页: [1]
查看完整版本: 驱动开发与系统原理-驱动遍历