驱动开发与系统原理-驱动遍历

大理寺少卿

熟悉_DRIVER_OBJECT结构

DriverSection 是驱动的地址，一个指向驱动的指针

DriverInit 存储驱动的名称，一个指向驱动名称的指针

遍历驱动，就是通过DriverSection的双向链表，循环遍历

代码

include<ntifs.h>

include<intrin.h>

VOID DriverUnload(PDRIVER_OBJECT pDriverObject) {

DbgPrint("Unload Driver Success! ");

}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath) { DbgPrint("Load Driver Success!"); pDriverObject->DriverUnload = DriverUnload; PLIST_ENTRY DriverList = NULL; PLIST_ENTRY NextList = NULL; UNICODE_STRING usDriverName; RtlInitUnicodeString(&usDriverName, L"ntoskrnl.exe"); PUNICODE_STRING pUSDriverName = NULL; DriverList = (PLIST_ENTRY)pDriverObject->DriverSection; NextList = DriverList->Flink; while (NextList!= DriverList) { pUSDriverName = (PUNICODE_STRING)((ULONG)NextList + 0x2c); DbgPrint("%wZ", pUSDriverName); if (RtlCompareUnicodeString(pUSDriverName, &usDriverName,TRUE)==0);//对某个驱动进行查找 { DbgPrint("0x%X", (ULONG)NextList);//打印出我们找到的驱动的相关信息 return STATUS_SUCCESS; } NextList = NextList->Flink; } return STATUS_SUCCESS; }

YINXN

谢谢分享支持楼主