初学驱动的疑问

刚开始学驱动，一个很简单的驱动，什么也不做，就是mov  eax, STATUS_SUCCESS, 调用StartService总是不成功，当调用GetLastError时返回的错误代码是87，是UNKNOWN的意思吧,应该是DriverEntry执行之后就结束了，并未取得驱动的状态。
但我想让客户端程序和驱动程序进行一些交互，比如在驱动程序里IoCreateDevice,在客户端里再CreateFile，然后交流一点数据。如果要这样的话StartService返回错误就办不到了。比如，IoCreateDevice, IoCreateSymbolicLink 之后 在\Device,
\??下都没有发现创建的新对象，甚至在\Driver下也没有新的东东。
不知如何StartService才能成功调用？是程序获得驱动状态呢？

我平时习惯用asm了，所以学驱动是也就用它了，和C是一样的，大家帮忙看一下吧

先谢过。


源程序如下：


源程序里include的头文件就省略了

驱动源程序
;myDriver1.asm
.386
.model .....
....
....
include ....
...

.code
DriverEntry proc   pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING

mov eax, STATUS_SUCCESS
ret
DriverEntry

end DriverEntry

;***********编译过程*********
ml /c /coff myDriver1.asm
link /driver /out:myDriver1.sys /subsystem:native myDriver1.obj



驱动安装的源程序
;scp1.asm
.386
.model .....
......
....
include ....
...

.const
szServceName db 'SvName', 0
szDisplayName db 'DpName', 0
szImagePath db 'c:\myDriver1.sys', 0

ErrorCode   dd   ERROR_ACCESS_DENIED
            dd  ERROR_INVALID_HANDLE
            dd  ERROR_PATH_NOT_FOUND
            dd  ERROR_SERVICE_ALREADY_RUNNING
            dd  ERROR_SERVICE_DATABASE_LOCKED
            dd  ERROR_SERVICE_DEPENDENCY_DELETED
            dd  ERROR_SERVICE_DEPENDENCY_FAIL
            dd  ERROR_SERVICE_DISABLED
            dd  ERROR_SERVICE_LOGON_FAILED
            dd  ERROR_SERVICE_MARKED_FOR_DELETE
            dd  ERROR_SERVICE_NO_THREAD
            dd  ERROR_REQUEST_TIMEOUT

ErrorMsg  db  'ERROR_ACCESS_DENIED', 0
          db  'ERROR_INVALID_HANDLE', 0
          db  'ERROR_PATH_NOT_FOUND', 0
          db  'ERROR_SERVICE_ALREADY_RUNNING', 0
          db  'ERROR_SERVICE_DATABASE_LOCKED', 0
          db  'ERROR_SERVICE_DEPENDENCY_DELETED', 0
          db  'ERROR_SERVICE_DEPENDENCY_FAIL', 0
          db  'ERROR_SERVICE_DISABLED', 0
          db  'ERROR_SERVICE_LOGON_FAILED', 0
          db  'ERROR_SERVICE_MARKED_FOR_DELETE', 0
          db  'ERROR_SERVICE_NO_THREAD', 0
          db  'ERROR_REQUEST_TIMEOUT', 0, 0
          db  'Fail to Define Error Code', 0


.code

;************ Procedure Used to Define Error
ParseError     proc
               push  ebp
               mov   ebp, esp

               ;[ebp + 8]     ErrorCode
          
               mov   ebx, offset ErrorCode
               mov   esi, offset ErrorMsg
               mov   ecx, [ebp + 8]
         _@_@@3:
               cmp   [ebx], ecx
               jz    _@_@@1
         _@_@@2:
               lodsb
               or   al, al
               jnz  _@_@@2
               lodsb
               or   al, al
               jz   _@_@@1
               dec   esi
               add   ebx, 4
               jmp   _@_@@3
         _@_@@1:
               invoke MessgeBox, 0, 0, esi, 0
          
               mov  esp, ebp
               pop  ebp
               ret   4
ParseError     endp

start:
invoke OpenSCManager, 0, 0, SC_MANAGER_CREATE_SERVICE
；
；为简单其间，都设调用成功，下同
；
push eax
invoke CreateService, eax, offset szServiceName, offset zDisplayName,\
SERVICE_START+DELETE, SERVICE_KERNEL_DRIVER, SREVICE_DEMAND_START,\
SERVICE_ERROR_IGNORE, offset szImagePath, 0, 0, 0, 0, 0
push eax
invoke StartService, eax, 0, 0
                or   eax, eax
                jnz  _@@@@1
                call  GetLastError
                push   eax
                call ParseError
                
;
;
;这里总是返回0,调用不成功，前面OpenSCManager, CreateService的调用都是成功的
;
_@@@@1:
call CloseServiceHandle
call CloseServiceHandle
mov eax, STATUS_SUCCESS
invoke ExitProcess, 0
end start

;***********编译过程*********
ml /c /coff scp1.asm
link /subsystem:windows scp1.obj

为什么要用汇编写呢？使用C不是更简单吗？

刚开始学驱动，一个很简单的驱动，什么也不做，就是mov  eax, STATUS_SUCCESS, 调用StartService总是不成功，当调用GetLastError时返回的错误代码是87，是UNKNOWN的意思吧,应该是DriverEntry执行之后就结束了，并未取得驱动的状态。
但我想让客户端程序和驱动程序进行一些交互，比如在驱动程序里IoCreateDevice,在客户端里再CreateFile，然后交流一点数据。如果要这样的话StartService返回错误就办不到了。比如，IoCreateDevice, IoCreateSymbolicLink 之后 在Device,
??下都没有发现创建的新对象，甚至在Driver下也没有新的东东。
不知如何StartService才能成功调用？是程序获得驱动状态呢？

我平时习惯用asm了，所以学驱动是也就用它了，和C是一样的，大家帮忙看一下吧

先谢过。


源程序如下：


源程序里include的头文件就省略了

驱动源程序
;myDriver1.asm
.386
.model .....
....
....
include ....
...

.code
DriverEntry proc   pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING

mov eax, STATUS_SUCCESS
ret
DriverEntry

end DriverEntry

;***********编译过程*********
ml /c /coff myDriver1.asm
link /driver /out:myDriver1.sys /subsystem:native myDriver1.obj



驱动安装的源程序
;scp1.asm
.386
.model .....
......
....
include ....
...

.const
szServceName db 'SvName', 0
szDisplayName db 'DpName', 0
szImagePath db 'c:myDriver1.sys', 0

ErrorCode   dd   ERROR_ACCESS_DENIED
            dd  ERROR_INVALID_HANDLE
            dd  ERROR_PATH_NOT_FOUND
            dd  ERROR_SERVICE_ALREADY_RUNNING
            dd  ERROR_SERVICE_DATABASE_LOCKED
            dd  ERROR_SERVICE_DEPENDENCY_DELETED
            dd  ERROR_SERVICE_DEPENDENCY_FAIL
            dd  ERROR_SERVICE_DISABLED
            dd  ERROR_SERVICE_LOGON_FAILED
            dd  ERROR_SERVICE_MARKED_FOR_DELETE
            dd  ERROR_SERVICE_NO_THREAD
            dd  ERROR_REQUEST_TIMEOUT

ErrorMsg  db  'ERROR_ACCESS_DENIED', 0
          db  'ERROR_INVALID_HANDLE', 0
          db  'ERROR_PATH_NOT_FOUND', 0
          db  'ERROR_SERVICE_ALREADY_RUNNING', 0
          db  'ERROR_SERVICE_DATABASE_LOCKED', 0
          db  'ERROR_SERVICE_DEPENDENCY_DELETED', 0
          db  'ERROR_SERVICE_DEPENDENCY_FAIL', 0
          db  'ERROR_SERVICE_DISABLED', 0
          db  'ERROR_SERVICE_LOGON_FAILED', 0
          db  'ERROR_SERVICE_MARKED_FOR_DELETE', 0
          db  'ERROR_SERVICE_NO_THREAD', 0
          db  'ERROR_REQUEST_TIMEOUT', 0, 0
          db  'Fail to Define Error Code', 0


.code

;************ Procedure Used to Define Error
ParseError     proc
               push  ebp
               mov   ebp, esp

               ;[ebp + 8]     ErrorCode
          
               mov   ebx, offset ErrorCode
               mov   esi, offset ErrorMsg
               mov   ecx, [ebp + 8]
         _@_@@3:
               cmp   [ebx], ecx
               jz    _@_@@1
         _@_@@2:
               lodsb
               or   al, al
               jnz  _@_@@2
               lodsb
               or   al, al
               jz   _@_@@1
               dec   esi
               add   ebx, 4
               jmp   _@_@@3
         _@_@@1:
               invoke MessgeBox, 0, 0, esi, 0
          
               mov  esp, ebp
               pop  ebp
               ret   4
ParseError     endp

start:
invoke OpenSCManager, 0, 0, SC_MANAGER_CREATE_SERVICE
；
；为简单其间，都设调用成功，下同
；
push eax
invoke CreateService, eax, offset szServiceName, offset zDisplayName,
SERVICE_START+DELETE, SERVICE_KERNEL_DRIVER, SREVICE_DEMAND_START,
SERVICE_ERROR_IGNORE, offset szImagePath, 0, 0, 0, 0, 0
push eax
invoke StartService, eax, 0, 0
                or   eax, eax
                jnz  _@@@@1
                call  GetLastError
                push   eax
                call ParseError
                
;
;
;这里总是返回0,调用不成功，前面OpenSCManager, CreateService的调用都是成功的
;
_@@@@1:
call CloseServiceHandle
call CloseServiceHandle
mov eax, STATUS_SUCCESS
invoke ExitProcess, 0
end start

;***********编译过程*********
ml /c /coff scp1.asm
link /subsystem:windows scp1.obj

 

哈哈，这个应用程序比驱动麻烦。我给你试试看

参考KMDKIT里SKELETON的例子.
;@echo off
;goto make

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;
; skeleton - Kernel Mode Driver
;
; Written by Four-F (four-f@mail.ru)
;
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

.386
.model flat, stdcall
option casemap:none

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                  I N C L U D E   F I L E S                                        
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

include \masm32\include\w2k\ntstatus.inc
include \masm32\include\w2k\ntddk.inc

include \masm32\include\w2k\ntoskrnl.inc

includelib \masm32\lib\w2k\ntoskrnl.lib

include \masm32\Macros\Strings.mac

include ..\common.inc

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                     C O N S T A N T S                                            
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

.const
CCOUNTED_UNICODE_STRING "\\Device\\skeletonsys", g_usDeviceName, 4
;CCOUNTED_UNICODE_STRING "\\??\\skeleton", g_usSymbolicLinkName, 4
CCOUNTED_UNICODE_STRING "\\DosDevices\\skeletonsys", g_usSymbolicLinkName, 4

DriverVersion DRIVER_VERSION {1,0}

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                            N O N D I S C A R D A B L E   C O D E                                  
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

.code

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                   DispatchCreateClose                                            
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

DispatchCreateClose proc pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP

; CreateFile was called, to get driver handle
; CloseHandle was called, to close driver handle
; In both cases we are in user process context here

mov eax, pIrp
assume eax:ptr _IRP
mov [eax].IoStatus.Status, STATUS_SUCCESS
and [eax].IoStatus.Information, 0
assume eax:nothing

fastcall IofCompleteRequest, pIrp, IO_NO_INCREMENT

mov eax, STATUS_SUCCESS
ret

DispatchCreateClose endp

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                     DispatchControl                                              
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

DispatchControl proc uses esi edi pDeviceObject:PDEVICE_OBJECT, pIrp:PIRP

; DeviceIoControl was called
; We are in user process context here

local status:NTSTATUS
local dwBytesReturned:DWORD

and dwBytesReturned, 0

mov esi, pIrp
assume esi:ptr _IRP

IoGetCurrentIrpStackLocation esi
mov edi, eax
assume edi:ptr IO_STACK_LOCATION

.if [edi].Parameters.DeviceIoControl.IoControlCode == IOCTL_GET_VERSION
.if [edi].Parameters.DeviceIoControl.OutputBufferLength >= sizeof DRIVER_VERSION

mov eax, [esi].AssociatedIrp.SystemBuffer
push DriverVersion
pop dword ptr [eax]

mov dwBytesReturned, sizeof DRIVER_VERSION
mov status, STATUS_SUCCESS
.else
mov status, STATUS_BUFFER_TOO_SMALL
.endif
.else
mov status, STATUS_INVALID_DEVICE_REQUEST
.endif

assume edi:nothing

push status
pop [esi].IoStatus.Status

push dwBytesReturned
pop [esi].IoStatus.Information

assume esi:nothing

fastcall IofCompleteRequest, esi, IO_NO_INCREMENT

mov eax, status
ret

DispatchControl endp

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                       DriverUnload                                                
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

DriverUnload proc pDriverObject:PDRIVER_OBJECT

; ControlService,,SERVICE_CONTROL_STOP was called
; We are in System process (pid = 8) context here

invoke IoDeleteSymbolicLink, addr g_usSymbolicLinkName

mov eax, pDriverObject
invoke IoDeleteDevice, (DRIVER_OBJECT PTR [eax]).DeviceObject

ret

DriverUnload endp

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                              D I S C A R D A B L E   C O D E                                      
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

.code INIT

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                       DriverEntry                                                
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING

; StartService was called
; We are in System process (pid = 8) context here

local status:NTSTATUS
local pDeviceObject:PDEVICE_OBJECT

mov status, STATUS_DEVICE_CONFIGURATION_ERROR

invoke IoCreateDevice, pDriverObject, 0, addr g_usDeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, addr pDeviceObject
.if eax == STATUS_SUCCESS
invoke IoCreateSymbolicLink, addr g_usSymbolicLinkName, addr g_usDeviceName
.if eax == STATUS_SUCCESS
mov eax, pDriverObject
assume eax:ptr DRIVER_OBJECT
mov [eax].MajorFunction[IRP_MJ_CREATE*(sizeof PVOID)], offset DispatchCreateClose
mov [eax].MajorFunction[IRP_MJ_CLOSE*(sizeof PVOID)], offset DispatchCreateClose
mov [eax].MajorFunction[IRP_MJ_DEVICE_CONTROL*(sizeof PVOID)], offset DispatchControl
mov [eax].DriverUnload, offset DriverUnload
assume eax:nothing
mov status, STATUS_SUCCESS
.else
invoke IoDeleteDevice, pDeviceObject
.endif
.endif

mov eax, status
ret

DriverEntry endp

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                                                                                  
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

end DriverEntry

:make

set drv=skeleton

\masm32\bin\ml /nologo /c /coff %drv%.bat
\masm32\bin\link /nologo /driver /base:0x10000 /align:32 /out:%drv%.sys /subsystem:native /ignore:4078 %drv%.obj rsrc.obj

del %drv%.obj
move %drv%.sys ..

echo.
pause



;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;
;  skeleton.asm
;
;  Service Control Program for skeleton.sys driver
;
;  Written by Four-F (four-f@mail.ru)
;
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

.386
.model flat, stdcall
option casemap:none

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                  I N C L U D E   F I L E S                                        
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

include \masm32\include\windows.inc

include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\advapi32.inc

includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\advapi32.lib

include \masm32\include\winioctl.inc

include \masm32\Macros\Strings.mac

include common.inc

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                     C O N S T A N T S                                            
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

.const

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                              I N I T I A L I Z E D  D A T A                                      
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

.data

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                              U N I N I T I A L I Z E D  D A T A                                  
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

.data?

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                       C O D E                                                    
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

.code

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                       start                                                      
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

start proc uses esi edi

local hSCManager:HANDLE
local hService:HANDLE
local acModulePath[MAX_PATH]:CHAR
local _ss:SERVICE_STATUS
local hDevice:HANDLE

local abyOutBuffer[4]:BYTE
local dwBytesReturned:DWORD

local acVersion[16]:CHAR

; Open a handle to the SC Manager database
invoke OpenSCManager, NULL, NULL, SC_MANAGER_ALL_ACCESS
.if eax != NULL
mov hSCManager, eax

;invoke GetCurrentDirectory, sizeof g_acBuffer, addr g_acBuffer
push eax
invoke GetFullPathName, $CTA0("skeleton.sys"), sizeof acModulePath, addr acModulePath, esp
     pop eax

; Install service
invoke CreateService, hSCManager, $CTA0("skeleton"), $CTA0("Skeleton Driver"), \
SERVICE_START + SERVICE_STOP + DELETE, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, \
SERVICE_ERROR_IGNORE, addr acModulePath, NULL, NULL, NULL, NULL, NULL

.if eax != NULL
mov hService, eax

; Driver's DriverEntry procedure will be called
invoke StartService, hService, 0, NULL
.if eax != 0

; Driver will receive I/O request packet (IRP) of type IRP_MJ_CREATE
invoke CreateFile, $CTA0("\\\\.\\skeleton"), GENERIC_READ + GENERIC_WRITE, \
0, NULL, OPEN_EXISTING, 0, NULL

.if eax != INVALID_HANDLE_VALUE
mov hDevice, eax

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

; Driver will receive IRP of type IRP_MJ_DEVICE_CONTROL
invoke DeviceIoControl, hDevice, IOCTL_GET_VERSION, NULL, 0, \
addr abyOutBuffer, sizeof abyOutBuffer, addr dwBytesReturned, NULL

.if ( eax != 0 ) && ( dwBytesReturned != 0 )

lea eax, abyOutBuffer
assume eax:ptr DRIVER_VERSION
movzx ecx, [eax].MajorVersion
movzx eax, [eax].MinorVersion
assume eax:nothing
invoke wsprintf, addr acVersion, $CTA0("%u.%02u"), ecx, eax

invoke MessageBox, NULL, addr acVersion, $CTA0("Driver Version"), MB_OK + MB_ICONINFORMATION
.else
invoke MessageBox, NULL, $CTA0("Can't send control code to device."), NULL, MB_OK + MB_ICONSTOP
.endif

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

; Driver will receive IRP of type IRP_MJ_CLOSE
invoke CloseHandle, hDevice
.else
invoke MessageBox, NULL, $CTA0("Device is not present."), NULL, MB_ICONSTOP
.endif
; DriverUnload proc in our driver will be called
invoke ControlService, hService, SERVICE_CONTROL_STOP, addr _ss
.else
invoke MessageBox, NULL, $CTA0("Can't start driver."), NULL, MB_OK + MB_ICONSTOP
.endif
invoke DeleteService, hService
invoke CloseServiceHandle, hService
.else
invoke MessageBox, NULL, $CTA0("Can't register driver."), NULL, MB_OK + MB_ICONSTOP
.endif
invoke CloseServiceHandle, hSCManager
.else
invoke MessageBox, NULL, $CTA0("Can't connect to Service Control Manager."), NULL, MB_OK + MB_ICONSTOP
.endif

invoke ExitProcess, 0

start endp

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;                                                                                                  
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

end start

看了kmdkit，对比之后发现一个极低级的错误，谢过楼上