|
阅读:2781回复:3
TDI查询本地地址的问题
我在做tdihook,在IRP_MJ_CREATE分发函数中想得到本机地址,我是参照tdifw做的,在TdiCreateComplete中用IoCallDriver下发查询irp时蓝屏了,大神快来相救!
typedef struct _QueryContext { PDEVICE_OBJECT device; PIRP irp; } QueryContext; //自己的分发函数,已经hook了的 NTSTATUS Dispatch(PDeviceObject device, PIRP irp) { switch(stack->MajorFunction) { case IRP_MJ_CREATE: status = TDICreate(device, irp); break; ....... } status = HookedDispatch[stack->MajorFunction](device, irp);//调用hook住的函数。 return status; } //IRP_MJ_CREATE调用 NTSTATUS TDICreate(PDEVICE_OBJECT device, PIRP irp) { NTSTATUS status = STATUS_SUCCESS; FILE_FULL_EA_INFORMATION *ea = (FILE_FULL_EA_INFORMATION *)irp->AssociatedIrp.SystemBuffer; if(ea) { PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(irp); if(ea->EaNameLength == TDI_TRANSPORT_ADDRESS_LENGTH && memcmp(ea->EaName, TdiTransportAddress, TDI_TRANSPORT_ADDRESS_LENGTH) == 0) { PIRP query_irp = NULL; QueryContext *qc = NULL; query_irp = TdiBuildInternalDeviceControlIrp(TDI_QUERY_INFORMATION, device, stack->FileObject, NULL, NULL); qc = MyMalloc(sizeof(QueryContext)); if(!qc) { DbgPrint("TDI Create: Allocate qc failed\n"); return status; } if(!query_irp) { DbgPrint("TDI Create: build query irp failed\n"); return status; } //设置完成函数信息,使用 IoSetCompletionRoutine不奏效,跟本不运行完成函数,所以这样设置了 qc->device = device; qc->irp = query_irp; stack->Context = qc; stack->CompletionRoutine = (PIO_COMPLETION_ROUTINE)TdiCreateComplete; stack->Control = SL_INVOKE_ON_ERROR|SL_INVOKE_ON_SUCCESS|SL_INVOKE_ON_CANCEL; } } return status; } //完成函数,执行到IoCallDriver蓝屏 NTSTATUS TdiCreateComplete(PDEVICE_OBJECT device, PIRP irp, PVOID context) { //这里的device为空,所以我从context里传过来,得到的device是udp设备,我调过的,因为我是打开的浏览器,浏览器先查找域名,用DNS协议,所以是UDP的 NTSTATUS status = STATUS_SUCCESS; TDI_ADDRESS_INFO *tai = NULL; PMDL mdl = NULL; UINT length = TDI_ADDRESS_LENGTH_OSI_TSAP + sizeof(TDI_ADDRESS_INFO) - 1; PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(irp); QueryContext *qc = (QueryContext *)context; PDEVICE_OBJECT devobj = qc->device; PIRP query_irp = (PIRP)qc->irp; if(device); if(!qc) return status; if(!devobj) return status; if(!query_irp) return status; if(stack); do { tai = ExAllocatePoolWithTag(NonPagedPool, length, 'TATG'); if(!tai) { DbgPrint("TDI Create: Allocate TDI_ADDRESS_INFO failed.\n"); break; } mdl = IoAllocateMdl(tai, length, FALSE, FALSE, NULL); if(!mdl) { DbgPrint("TDI Create: Allocate Mdl failed.\n"); break; } MmBuildMdlForNonPagedPool(mdl); TdiBuildQueryInformation(query_irp, devobj, stack->FileObject, TdiQueryAddrComplete, tai, TDI_QUERY_ADDRESS_INFO, mdl); if(devobj && query_irp->CurrentLocation > 1) { if(IoGetCurrentIrpStackLocation(query_irp) && IoGetNextIrpStackLocation(query_irp)) { status = IoCallDriver(devobj, query_irp);//蓝了 irp->IoStatus.Status = status; return status; } } }while(FALSE); if(tai) ExFreePoolWithTag(tai, 'TATG'); if(mdl) IoFreeMdl(mdl); if(query_irp) IoCompleteRequest(query_irp, IO_NO_INCREMENT); return status; } |
|
|
沙发#
发布于:2010-03-25 11:29
回 楼主(NEU-Punk) 的帖子
遇到相同的问题,请问楼主是怎么解决的?问题出在哪里?? |
|
|
板凳#
发布于:2010-03-29 18:24
transport driver create 时,尚未绑定address object,此fileobject根本不是address fileobject,TDI_QUERY_ADDRESS_INFO 是不会成功的。不过应该是失败,而不是蓝屏,一大堆代码,看着头痛呢,原因就是如此。似乎您传递的fileobject 不是每层都已经call IoCompleteRequest。 自己找找吧。
|
|
|
地板#
发布于:2011-03-02 10:30
TdiQueryAddrComplete 这个呢?
这个不发怎么知道为什么蓝? |
|