驱动开发与系统原理-应用与驱动通信框架-控制派遣

大理寺少卿

0环代码

        #include<ntifs.h>
        //设备对象名称
        #define DEVICE_NAME L"\\device\\Helloworld"
        //符号链接名称
        #define LINK_NAME L"\\dosdevices\\whitebird"
        //控制码起始地址
        #define IRP_IOCTRLL_BASE 0x8000
        //控制码的宏定义
        #define IRP_IOCTRL_CODE(i) CTL_CODE(FILE_DEVICE_UNKNOWN,IRP_IOCTRLL_BASE+i,METHOD_BUFFERED,FILE_ANY_ACCESS)

        //控制码定义
        #define CTL_PRINT IRP_IOCTRL_CODE(0)


        VOID DriverUnload(PDRIVER_OBJECT pDriver) {

          //符号链接名称
          UNICODE_STRING uLinkName = { 0 };
          //初始化符号链接名称
          RtlInitUnicodeString(&uLinkName, LINK_NAME);
          //删除符号链接
          IoDeleteSymbolicLink(&uLinkName);
          //删除设备对象
          IoDeleteDevice(pDriver->DeviceObject);
          DbgPrint("Unload success!\n"); 

        }

        //IRP派遣函数-默认处理
        NTSTATUS DispatchCommon (PDEVICE_OBJECT pDeviceObject,PIRP pIrp){
          DbgPrint("Patched Success");
          //设置IRP处理成功,告诉3环
          pIrp->IoStatus.Status = STATUS_SUCCESS;
          //设置返回的字节数
          pIrp->IoStatus.Information = 0;
          //结束IRP处理流程
          IoCompleteRequest(pIrp, IO_NO_INCREMENT);
          return STATUS_SUCCESS;
        }


        //IRP派遣函数-控制派遣
        NTSTATUS DispatchIoCtrl(PDEVICE_OBJECT pDeviceObject, PIRP pIrp) {
          //控制码
          ULONG uIoCode = 0;
          //输入缓冲区
          PVOID pInputBuffer = NULL;
          //输出缓冲区
          PVOID pOutputBuffer = NULL;
          //输入缓冲区的长度
          ULONG uInputLength = 0;
          //栈结构指针
          PIO_STACK_LOCATION pStack = NULL;
          //获取缓冲区
          pInputBuffer = pOutputBuffer = pIrp->AssociatedIrp.SystemBuffer;
          //获取IRP栈
          pStack = IoGetCurrentIrpStackLocation(pIrp);
          uInputLength = pStack->Parameters.DeviceIoControl.InputBufferLength;
          //获取控制码
          uIoCode = pStack->Parameters.DeviceIoControl.IoControlCode;
          switch (uIoCode)
          {
          case CTL_PRINT:
          {
            DbgPrint("%s", pInputBuffer);
            //初始化缓冲区内存
            RtlZeroMemory(pOutputBuffer, 1024);
            //获取字符串长度
            ULONG uStringLength = strlen("IO Success whitebird");
            //内存拷贝
            RtlCopyMemory(pOutputBuffer, "IO Success whitebird", uStringLength);
            //设置IRP处理成功,告诉3环
            pIrp->IoStatus.Status = STATUS_SUCCESS;
            //设置返回的字节数
            pIrp->IoStatus.Information = uStringLength;
            //结束IRP处理流程
            IoCompleteRequest(pIrp, IO_NO_INCREMENT);
            return STATUS_SUCCESS;
          default:
            break;
          }
          //设置IRP处理成功,告诉3环
          pIrp->IoStatus.Status = STATUS_SUCCESS;
          //设置返回的字节数
          pIrp->IoStatus.Information = 0;
          //结束IRP处理流程
          IoCompleteRequest(pIrp, IO_NO_INCREMENT);
          return STATUS_SUCCESS;
          }
        }


        NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath) {//驱动对象指针，注册表路径 DriverEntry不能改

          //注册卸载函数，作用是指定用哪个函数来完成卸载
          pDriverObject->DriverUnload = DriverUnload;
          //返回状态
          NTSTATUS ntStatus = 0;
          //设备对象
          UNICODE_STRING uDevicename = { 0 };
          //符号链接名称
          UNICODE_STRING uLinkName = { 0 };
          //初始化设备对象
          RtlInitUnicodeString(&uDevicename, DEVICE_NAME);
          //初始化符号链接名称
          RtlInitUnicodeString(&uLinkName, LINK_NAME);
          //设备对象
          PDEVICE_OBJECT pDeviceObject = NULL;
          //创建设备对象
          ntStatus=IoCreateDevice(pDriverObject, 0, &uDevicename, FILE_DEVICE_UNKNOWN, 0, TRUE, &pDeviceObject);
          //判断设备对象是否创建成功
          if (!NT_SUCCESS(ntStatus))
          {
            DbgPrint("IoCreateDevice failed:%x", ntStatus);
            return ntStatus;
          }
          //通讯方式
          // 1.DO_BUFFERED_IO基于缓存
          // 2.DO_DIRECT_IO  直接读写
          // 3.DO_FORCE_NEITHER_IO 两者介不的通信方式 R0直接读R3
          pDeviceObject->Flags |= DO_BUFFERED_IO;

          //创建符号链接
          ntStatus = IoCreateSymbolicLink(&uLinkName, &uDevicename);
          //判断符号链接是否创建成功
          if (!NT_SUCCESS(ntStatus))
          { //删除设备对象
            IoDeleteDevice(&pDeviceObject);
            DbgPrint("IoCreateSymbolicLink failed:%x", ntStatus);
            return ntStatus;
          }

          //将所有IRP派遣处理函数，设置为默认处理函数
          for (size_t i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++)
          {
            pDriverObject->MajorFunction[i] = DispatchCommon;
          }
          pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoCtrl;
          DbgPrint("Driver Load Success!");
          return STATUS_SUCCESS;//状态成功0，一定要有返回值
        }

3环代码

        #define _CRT_SECURE_NO_WARNINGS
        #include<stdio.h>
        #include<Windows.h>

        #define LINK_NAME L"\\\\.\\whitebird"
        //控制码起始地址
        #define IRP_IOCTRLL_BASE 0x8000
        //控制码的宏定义
        #define IRP_IOCTRL_CODE(i) CTL_CODE(FILE_DEVICE_UNKNOWN,IRP_IOCTRLL_BASE+i,METHOD_BUFFERED,FILE_ANY_ACCESS)

        //控制码定义
        #define CTL_PRINT IRP_IOCTRL_CODE(0)

        int main() {
          //打开符号链接
          HANDLE hDeviceHandle=CreateFile(LINK_NAME, GENERIC_ALL, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
          //判断符号链接是否打开成功
          if (hDeviceHandle==INVALID_HANDLE_VALUE)
          {
            printf("Error：%d\n",GetLastError);
            system("pause");
            return 0;
          }

          //IRP_MJ_DEVICE_CONTROL
          while (1) {
            char InputBuffer[1024] = { 0 };
            char OutputBuffer[1024] = { 0 };
            ULONG dwRet = 0;
            printf("请输入字符串:\n");
            scanf("%s", &InputBuffer);
            DeviceIoControl(hDeviceHandle, CTL_PRINT, InputBuffer, sizeof(InputBuffer), OutputBuffer, sizeof(OutputBuffer), &dwRet, NULL);
            printf("Return %d bytes\n", dwRet);
            printf("%s\n", OutputBuffer);
          }
          return 0;
        }