|
阅读:1867回复:0
驱动加载失败,求助。
刚涉及驱动
 。加载其他的驱动都没问题,不知道这个为什么不行,麻烦给看看问题出在哪里,调试的时候似乎进入不到DriverEntry提示信息如下: 由于下列错误,EnumProcess 服务启动失败: 找不到指定的程序。 源码: .386 .model flat, stdcall option casemap:none include EnumProcess.inc include EnumProcess.mac .data? pSystem DWORD ? pebAddress ULONG ? .data ;Vsersion_x buildTable dd 2195, 2600, 3790 ;EPROCESS offset pebOffsetTable dd 0, 0, 0, 0, 0, 0 dd 25ch, 1b0h, 174h, 88h, 84h, 78h dd 270h, 1a0h, 164h, 98h, 94h, 88h .const BUILD_COUNT equ 3 ;OffsetType_y EPROCESS_SIZE equ 0 PEB_OFFSET equ 1 FILE_NAME_OFFSET equ 2 PROCESS_LINK_OFFSET equ 3 PROCESS_ID_OFFSET equ 4 EXIT_TIME_OFFSET equ 5 .code DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING local ProcessNameOffset ;枚举进程 invoke EnumProcess mov eax, STATUS_SUCCESS ret DriverEntry endp EnumProcess proc local dwPIdOffset local dwPNameOffset local dwPLinkOffset invoke GetEprocessOffset, PROCESS_ID_OFFSET mov dwPIdOffset, eax invoke GetEprocessOffset, FILE_NAME_OFFSET mov dwPNameOffset, eax invoke GetEprocessOffset, PROCESS_LINK_OFFSET mov dwPLinkOffset, eax invoke DbgPrint, $CTA0("PidOff=0x%X NameOff=0x%X LinkOff=0x%X"), dwPIdOffset, dwPNameOffset, dwPLinkOffset ret EnumProcess endp ;根据传递的类别,返回偏移量 GetEprocessOffset proc offsetType:DWORD local currentBuild local build invoke GetModuleHandle, $CTA0("ntdll.dll") invoke GetProcAddress, eax, $CTA0("PsGetVersion") push NULL lea ecx, currentBuild push ecx push NULL push NULL call eax ; invoke PsGetVersion, NULL, NULL, addr currentBuild, NULL ;确定版本 xor esi, esi mov ebx, offset buildTable @@: cmp eax, [ebx + esi * 4] je RetValue cmp esi, BUILD_COUNT je NoBuild inc esi jmp @B NoBuild: ;异常情况处理 or eax, -1 ret RetValue: ;计算偏移量 lea ebx, pebOffsetTable mov edi, offsetType mov ecx, 24 xor eax, eax mov eax, esi mul ecx mov esi, eax mov eax, offsetType mov ecx, 4 mul ecx add esi, eax mov eax, [ebx + esi] ret GetEprocessOffset endp end DriverEntry 注册表信息在附件中 |
|
|
