|
阅读:660回复:0
一个奇怪的问题。
我的驱动入口函数是这样写的:
NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath) { ULONG i; NTSTATUS ntStatus; WCHAR deviceNameBuffer[] = L\"\\\\Device\\\\Processhide\"; UNICODE_STRING deviceNameUnicodeString; WCHAR deviceLinkBuffer[] = L\"\\\\DosDevices\\\\Processhide\"; UNICODE_STRING deviceLinkUnicodeString; RtlInitUnicodeString (&deviceNameUnicodeString,deviceNameBuffer ); RtlInitUnicodeString (&deviceLinkUnicodeString,deviceLinkBuffer ); DriverObject->DriverUnload = DirUnLoad; ntStatus = IoCreateDevice (DriverObject,0,&deviceNameUnicodeString,FILE_DEVICE_PROCESSHIDE,0,TRUE,&ControlDeviceObject ); if (NT_SUCCESS(ntStatus)) { ntStatus = IoCreateSymbolicLink (&deviceLinkUnicodeString,&deviceNameUnicodeString ); DbgPrint((\"进入循环分发\\n\")); for(i=0;i<=IRP_MJ_MAXIMUM_FUNCTION;i++) { DriverObject->MajorFunction = DispatchFun;//分发函数 } DbgPrint((\"退出循环分发\\n\")); } if (!NT_SUCCESS(ntStatus)) { DbgPrint((\"创建驱动时失败!\\n\")); if( ControlDeviceObject ) IoDeleteDevice( ControlDeviceObject ); IoDeleteSymbolicLink( &deviceLinkUnicodeString ); return ntStatus; } return STATUS_SUCCESS; } 我的分发例程是这样写的 NTSTATUS DispatchFun(IN IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp) { NTSTATUS rc; PIO_STACK_LOCATION IrpStack; PIO_STACK_LOCATION NextIrpStack; //定义ANSI的文件名 ANSI_STRING ansiFileName; //定义UNI的文件名 UNICODE_STRING uniFileName; //得到当前的I/O栈单元 IrpStack=IoGetCurrentIrpStackLocation(Irp); DbgPrint(\"分发例程\\n\"); //分发IRP switch (IrpStack->MajorFunction) { case IRP_MJ_CREATE: DbgPrint(\"创建\\n\"); Irp->IoStatus.Status = STATUS_SUCCESS; Irp->IoStatus.Information = 0L; break; case IRP_MJ_CLOSE: DbgPrint(\"关闭\\n\"); Irp->IoStatus.Status = STATUS_SUCCESS; Irp->IoStatus.Information = 0L; break; case IRP_MJ_WRITE: DbgPrint(\"写操作\\n\"); Irp->IoStatus.Status = STATUS_SUCCESS; Irp->IoStatus.Information = 0L; break; case IRP_MJ_DIRECTORY_CONTROL: if(IrpStack->MinorFunction == IRP_MN_QUERY_DIRECTORY) { DbgPrint(\"查询目录\\n\"); } } } 可是为什么当我打开文件夹的时候在DEBUGVIEW上没有显示“查询目录”的消息字样呢??? 是不是我那里写错了呢??我是一个菜鸟请高手们帮助!!!!谢谢!!! |
|
