一段简单代码，调用函数ZwCreateFile，总返回错误0xc000000d，不知什么原因？

楼主^#

更多发布于：2008-09-22 16:03

下面的代码，其中调用函数ZwCreateFile，总返回错误0xc000000d，不知什么原因？
我的调试环境WINDBG+VM，VM虚拟机系统为XPSP2，不知这个错误是否是因为驱动工作在VM虚拟机下？

－－－－－－－－－－－Hookfilesystem.c－－－－－－－－－－－－－－－－－－－－－
#include "Hookfilesystem.h"

HANDLE hFileHandle;
OBJECT_ATTRIBUTES ObjectAttrib;
PDEVICE_OBJECT pFileDeviceObject;

struct _DRIVER_OBJECT *pDeviceObject;

PDRIVER_DISPATCH RealCreateDispatch;

KEVENT eventFile;

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject ,IN PUNICODE_STRING RegistryPath)
{
   UNICODE_STRING uninameString,unilinkString;
   NTSTATUS ntStatus;
   PDEVICE_OBJECT pDeviceObject;
   HANDLE hThread;

   RtlInitUnicodeString(&uninameString,L"\\Device\\Shadow3");

   ntStatus = IoCreateDevice(DriverObject,
   0,
   &uninameString,
   FILE_DEVICE_UNKNOWN,
   0,
   TRUE,
   &pDeviceObject
   );

   if(!NT_SUCCESS(ntStatus)) //如果创建设备失败，则直接退出
   return ntStatus;

   //创建Win32可见的符号连接
   RtlInitUnicodeString( &unilinkString, L"\\DosDevices\\shadow3" );

   ntStatus = IoCreateSymbolicLink(&unilinkString ,&uninameString);
   if(!NT_SUCCESS(ntStatus))
   {
   return ntStatus;
   }

   //设置Dispatch
   DriverObject->MajorFunction[IRP_MJ_CREATE] = DriverDispatch;
   DriverObject->MajorFunction[IRP_MJ_CLOSE] = DriverDispatch;
   //设置Unload
   DriverObject->DriverUnload = DriverUnload;
   //Hook File System
   //HookFileSystem();

   KeInitializeEvent(&eventFile, NotificationEvent, FALSE);

   ntStatus = PsCreateSystemThread(&hThread, (ACCESS_MASK)0L, NULL, NULL, NULL, HookFileSystem, NULL);
   if(!NT_SUCCESS(ntStatus))
   {
   IoDeleteDevice(pDeviceObject);
   return ntStatus;
   }

   //ZwClose(hThread);
   KeSetEvent(&eventFile, (KPRIORITY)0, FALSE);
   return 0;
}

NTSTATUS
DriverDispatch(
   IN PDEVICE_OBJECT DeviceObject,
   IN PIRP Irp
   )
{

   Irp->IoStatus.Status = STATUS_SUCCESS;
   IoCompleteRequest (Irp,IO_NO_INCREMENT);
   return Irp->IoStatus.Status;
}

void DriverUnload(IN PDRIVER_OBJECT pDriverObject)
{
   UNICODE_STRING uniNameString;

   RtlInitUnicodeString(&uniNameString, L"\\DosDevices\\shadow3");
   IoDeleteSymbolicLink(&uniNameString); //删除win32可见
   IoDeleteDevice(pDriverObject->DeviceObject); //删除设备

   return ;
}

//void HookFileSystem(void)
void HookFileSystem(IN PVOID Context)
{
   UNICODE_STRING uniDeviceName;
   NTSTATUS Ntstatus;
   IO_STATUS_BLOCK IoStatusBlock;
   PVOID pFileObject;

   KeWaitForSingleObject(&eventFile, Executive, KernelMode, FALSE, NULL);

   RtlInitUnicodeString(&uniDeviceName ,L"\\DosDevices\\C:\\");

   InitializeObjectAttributes(&ObjectAttrib ,&uniDeviceName ,OBJ_CASE_INSENSITIVE|OBJ_KERNEL_HANDLE, NULL, NULL);
   //打开一个设备，但函数总是返回错误0xc000000d，不知什么原因？
   Ntstatus = ZwCreateFile(
   &hFileHandle,
   SYNCHRONIZE|FILE_ANY_ACCESS,
   &ObjectAttrib,
   &IoStatusBlock,
   0,
   0,
   FILE_SHARE_READ|FILE_SHARE_WRITE,
   FILE_OPEN,
   FILE_SYNCHRONOUS_IO_NONALERT|FILE_DIRECTORY_FILE,
   0,
   0
   );

   if(!NT_SUCCESS(Ntstatus))
   {
   DbgPrint("ZwCreateFile Failed,ntstatus:%ld\n",Ntstatus);
   return;
   }

   //通过文件句柄得到与之向对应的文件对象
   Ntstatus = ObReferenceObjectByHandle(hFileHandle,FILE_READ_DATA,0,0,&pFileObject,NULL);
   if(!NT_SUCCESS(Ntstatus))
   {
   ZwClose(hFileHandle);
   DbgPrint("ObReferenceObjectByHandle Failed,ntstatus:%ld\n",Ntstatus);
   return;
   }

   //在通过该文件对象查找相对应的文件设备
   pFileDeviceObject = IoGetRelatedDeviceObject(pFileObject);
   //文件对象引用计数器减一
   ObDereferenceObject(pFileObject);
   ZwClose(hFileHandle);

   if(pFileDeviceObject==NULL)
   {
   DbgPrint("Get File Object Failed\n");
   return ;
   }

   pDeviceObject = pFileDeviceObject->DriverObject;

   if(pDeviceObject->MajorFunction[IRP_MJ_CREATE] == HookCreateDispatch)
   {
   DbgPrint("already hook IRP_MJ_CREATE\n");
   return ;
   }

   //保存IRP_MJ_CREATE处理的地址
   RealCreateDispatch = pDeviceObject->MajorFunction[IRP_MJ_CREATE];

   //Hook Create DisPatch
   pDeviceObject->MajorFunction[IRP_MJ_CREATE] = HookCreateDispatch;

   return;
}

NTSTATUS
HookCreateDispatch(
   IN PDEVICE_OBJECT DeviceObject,
   IN PIRP Irp
   )
{
   // DbgPrint("hook success\r\n");
   PIO_STACK_LOCATION pIocurrentstack;
   PFILE_OBJECT pFileObject;

   DbgPrint("DeviceName:%S\r\n",DeviceObject->DriverObject->DriverName.Buffer);


   pIocurrentstack = IoGetCurrentIrpStackLocation(Irp);

   pFileObject = pIocurrentstack->FileObject;

   DbgPrint("FileName:%S\r\n",pFileObject->FileName.Buffer);

   _asm
   {
   push Irp
   push DeviceObject
   call RealCreateDispatch
   }

   return 0;
}

－－－－－－－－－－－Hookfilesystem.h－－－－－－－－－－－－－－－－－－－－－

#ifndef _INCLUDE_
#define _INCLUDE_

#include "ntifs.h"

NTSTATUS
DriverDispatch(
   IN PDEVICE_OBJECT DeviceObject,
   IN PIRP Irp
   );

void DriverUnload(IN PDRIVER_OBJECT DriverObject);

//void HookFileSystem(void);
void HookFileSystem(IN PVOID Context);

NTSTATUS
HookCreateDispatch(
   IN PDEVICE_OBJECT DeviceObject,
   IN PIRP Irp
   );

#endif

－－－－安装使用INF文件，是根据DDK中Sfilter稍加修改来的－－－－－－－－－－－
;;;
;;; Sfilter
;;;
;;;
;;; Copyright (c) 2000, Microsoft Corporation
;;;

[Version]
signature = "$Windows NT$"
Class = "ActivityMonitor" ;This is determined by the work this filter driver does
ClassGuid = {b86dff51-a31e-4bac-b3cf-e8cfe75c9fc2} ;This value is determined by the Class
Provider = %Msft%
DriverVer = 08/28/2000,1.0.0.1
CatalogFile = sfilter.cat ; A CatalogFile entry is required for a WHQL signature.
   ; The actual catalog file will be provided by WHQL. The
   ; catalog file for this sample is not provided for use.
[DestinationDirs]
DefaultDestDir = 12
Sfilter.DriverFiles = 12 ;%windir%\system32\drivers

[SourceDisksNames]
1 = %Disk1%

[SourceDisksFiles]
Hookfilesystem.sys = 1

;;
;; Default install sections
;;

[DefaultInstall]
OptionDesc = %SfilterServiceDesc%
CopyFiles = Sfilter.DriverFiles

[DefaultInstall.Services]
AddService = %SfilterServiceName%,,Sfilter.Service
AddReg = Sfilter.AddRegistry

;;
;; Default uninstall sections
;;

[DefaultUninstall]
DelFiles = Sfilter.DriverFiles
DelReg = Sfilter.DelRegistry

[DefaultUninstall.Services]
DelService = Sfilter,0x200 ; Flags note to stop service first

;
; Services Section
;

[Sfilter.Service]
DisplayName = %SfilterServiceName%
Description = %SfilterServiceDesc%
ServiceBinary = %12%\Hookfilesystem.sys ;%windir%\system32\drivers\Hookfilesystem.sys
ServiceType = 2 ;SERVICE_FILE_SYSTEM_DRIVER
StartType = 0 ;SERVICE_BOOT_START
ErrorControl = 1 ;SERVICE_ERROR_NORMAL
LoadOrderGroup = "filter"
AddReg = Sfilter.AddRegistry

;
; Registry Modifications
;

[Sfilter.AddRegistry]
HKLM,%SfilterRegistry%,%SfilterDebugFlags%,0x00010001 ,0

[Sfilter.DelRegistry]
HKLM,%SfilterRegistry%,%SfilterDebugFlags%

;
; Copy Files
;

[Sfilter.DriverFiles]
Hookfilesystem.sys

;;
;; String Section
;;

[Strings]
Msft = "Microsoft Corporation"
SfilterServiceDesc = "Hookfilesystem Filter Driver"
SfilterServiceName = "Hookfilesystem"
SfilterRegistry = "system\currentcontrolset\services\Hookfilesystem"
SfilterDebugFlags = "DebugFlags"
Disk1 = "Hookfilesystem Source Media"

喜欢0

destinyqq 驱动牛犊注册日期2006-09-18 最后登录2013-01-29 粉丝0 关注0 积分7分威望35点贡献值0点好评度0点原创分0分专家分0分加关注写私信	沙发^# 发布于：2008-09-22 17:15 无效参数兄弟，想啥呢？驱动刚起来了，但是设备还没准备好啊
	回复(0) 喜欢(0)

chudd 驱动牛犊注册日期2003-07-02 最后登录2010-09-21 粉丝0 关注0 积分5分威望20点贡献值0点好评度4点原创分0分专家分0分加关注写私信	板凳^# 发布于：2008-09-22 23:43 引用第1楼destinyqq于2008-09-22 17:15发表的 : 无效参数兄弟，想啥呢？驱动刚起来了，但是设备还没准备好啊谢谢，初学驱动，没太明白你的意思？能具体说说该怎么改吗？
	回复(0) 喜欢(0)

wowocock

VIP专家组

注册日期2002-04-08
最后登录2016-01-09
粉丝16
关注2
积分601分
威望1651点
贡献值1点
好评度1227点
原创分1分
专家分0分

加关注写私信

地板^#

发布于：2008-09-23 09:18

StartType = 0 ;SERVICE_BOOT_START
改成2或动态加载看看,0型TYPE的话,可能卷管理驱动还没有加载.建议你注册一个DRIVERREINITIALIZATION,在里面不断检测判断.

花开了，然后又会凋零，星星是璀璨的，可那光芒也会消失。在这样一瞬间，人降生了，笑者，哭着，战斗，伤害，喜悦，悲伤憎恶，爱。一切都只是刹那间的邂逅，而最后都要归入死亡的永眠

回复喜欢

chudd 驱动牛犊注册日期2003-07-02 最后登录2010-09-21 粉丝0 关注0 积分5分威望20点贡献值0点好评度4点原创分0分专家分0分加关注写私信	地下室^# 发布于：2008-09-23 10:49 谢谢各位，确实是StartType的问题！
	回复(0) 喜欢(0)

您需要登录后才可以回帖，登录或者注册

一段简单代码，调用函数ZwCreateFile，总返回错误0xc000000d，不知什么原因？

最新喜欢：