|
阅读:2099回复:5
HOOK IoCreateDevice的问题。。
U盘插入,加载驱动,然后停驱动(停驱动会恢复HOOK的),当U盘拔出再插入就会蓝屏了UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS
NTSTATUS HookIoCreateDevice( IN PDRIVER_OBJECT DriverObject, IN ULONG DeviceExtensionSize, IN PUNICODE_STRING DeviceName OPTIONAL, IN DEVICE_TYPE DeviceType, IN ULONG DeviceCharacteristics, IN BOOLEAN Exclusive, OUT PDEVICE_OBJECT *DeviceObject ) { NTSTATUS NtStatus; ULONG Temp_Addr = 0; char buff[1024]; HANDLE handle = 0; PUNICODE_STRING unistr = (PUNICODE_STRING)&buff[0]; ULONG ReturnLength = 0; PDEVICE_OBJECT DeviceObjectTemp; DbgPrint("==>Hook IoCreateDevice()"); NtStatus = m_IoCreateDevice( DriverObject, DeviceExtensionSize, DeviceName OPTIONAL, DeviceType, DeviceCharacteristics, Exclusive, DeviceObject ); if(!NT_SUCCESS(NtStatus)) { DbgPrint("m_IoCreateDevice() fail"); return NtStatus; } //ObOpenObjectByPointer来打开进程(创建并返回进程句柄) if(ObOpenObjectByPointer(DriverObject, 0, NULL, 0, 0, KernelMode, &handle)) { DbgPrint("ObOpenObjectByPointer() Success and return"); return STATUS_SUCCESS; } /* NTSTATUS ZwQueryObject( IN HANDLE ObjectHandle, IN OBJECT_INFORMATION_CLASS ObjectInformationClass, OUT PVOID ObjectInformation, IN ULONG ObjectInformationLength, OUT PULONG ReturnLength OPTIONAL ); ObjectHandle是我们想要获取有关信息的句柄,ObjectInformationClass是信息类型, 保存在以字节计算长度为ObjectInformationLength的缓冲区ObjectInformation中。 我们对OBJECT_INFORMATION_CLASS使用的类是ObjectNameInformation和ObjectAllTypesInformation。 ObjectNameInfromation类在缓冲区中返回OBJECT_NAME_INFORMATION结构, 而ObjectAllTypesInformation类返回OBJECT_ALL_TYPES_INFORMATION结构。 */ ZwQueryObject(handle, 1, buff, 256, &ReturnLength); if(!unistr->Buffer) { ZwClose(handle); return STATUS_SUCCESS; } if(_wcsicmp(unistr->Buffer, L"\\Driver\\USBSTOR")) { ZwClose(handle); return STATUS_SUCCESS; } DeviceObjectTemp = *DeviceObject; DbgPrint("DriverObject:%X, *DeviceObject->DriverObject:%x\nDriverObject->MajorFunction[IRP_MJ_CREATE]:%x,HookCreateDispatch:%x\n", DriverObject, DeviceObjectTemp->DriverObject, (ULONG)DriverObject->MajorFunction[IRP_MJ_CREATE], HookCreateDispatch); //hook IRP_MJ_CREATE Temp_Addr = (ULONG)DriverObject->MajorFunction[IRP_MJ_CREATE]; if(Temp_Addr == (ULONG)HookCreateDispatch) return STATUS_SUCCESS; RealCreateDispatch = (ProxyDispatch)Temp_Addr; DriverObject->MajorFunction[IRP_MJ_CREATE] = HookCreateDispatch; // (*DeviceObject)->DriverObject->MajorFunction[IRP_MJ_CREATE] = HookCreateDispatch; UsbDriverObject = DriverObject; DbgPrint("UsbDriverObject: %x", UsbDriverObject); DbgPrint("<==Hook IoCreateDevice() success"); return NtStatus; } //================================================= 下面是恢复HOOK的代码 if((RealCreateDispatch != NULL) && (UsbDriverObject != NULL)) { DbgPrint("UsbDriverObject->MajorFunction[IRP_MJ_CREATE]: %x\nRealCreateDispatch: %x\nUsbDriverObject: %x\n", UsbDriverObject->MajorFunction[IRP_MJ_CREATE], RealCreateDispatch, UsbDriverObject); UsbDriverObject->MajorFunction[IRP_MJ_CREATE] = RealCreateDispatch; RealCreateDispatch = NULL; dprintf(("UnHook MajorFunction[IRP_MJ_CREATE] Success\n")); } |
|
|
沙发#
发布于:2007-04-15 17:52
一个好的忠告:
永远不要unload |
|
|
|
板凳#
发布于:2007-04-14 22:51
这个问题非常复杂,要使用汇编,调用一些非文档调用
|
|
|
地板#
发布于:2007-04-13 10:02
引用计数吧..
可能你unhook时,有一部分代码正在用,你的驱动却没了,肯定挂掉... |
|
|
|
地下室#
发布于:2007-04-12 21:56
问不如调试
|
|
|
|
5楼#
发布于:2007-04-04 12:35
有知道原因的吗??
|
|