內核驅動驅動對象 Driver_OBJECT

驅動對象講解

一丶驅動對象

1.1 結構

在內核中. 每一個驅動模塊都是一個驅動對象. 都有一個 DRIVER_OBJECT結構體代表. 可以想象成驅動對象是一個進程容器. 容納百川.
下面針對驅動對象做一下簡單的成員輸出.以熟悉驅動對象.

驅動對象結構如下:

typedef struct _DRIVER_OBJECT {
    CSHORT Type;
    CSHORT Size;

    //
    // The following links all of the devices created by a single driver
    // together on a list, and the Flags word provides an extensible flag
    // location for driver objects.
    //

    PDEVICE_OBJECT DeviceObject;
    ULONG Flags;

    //
    // The following section describes where the driver is loaded.  The count
    // field is used to count the number of times the driver has had its
    // registered reinitialization routine invoked.
    //

    PVOID DriverStart;                                                        //驅動對象的起始地址
    ULONG DriverSize;                                                         //驅動對象的大小
    PVOID DriverSection;                                                      //驅動對象結構.可以解析爲_LDR_DATA_TABLE_ENTRY  是一個鏈表存儲着下一個驅動對象                                                   
    PDRIVER_EXTENSION DriverExtension;                                        //驅動的擴展信息.可以自定義存放我們的數據                           

    //
    // The driver name field is used by the error log thread
    // determine the name of the driver that an I/O request is/was bound.
    //

    UNICODE_STRING DriverName;                                    //驅動對象的名字

    //
    // The following section is for registry support.  This is a pointer
    // to the path to the hardware information in the registry
    //

    PUNICODE_STRING HardwareDatabase;

    //
    // The following section contains the optional pointer to an array of
    // alternate entry points to a driver for "fast I/O" support.  Fast I/O
    // is performed by invoking the driver routine directly with separate
    // parameters, rather than using the standard IRP call mechanism.  Note
    // that these functions may only be used for synchronous I/O, and when
    // the file is cached.
    //

    PFAST_IO_DISPATCH FastIoDispatch;


    PDRIVER_INITIALIZE DriverInit;
    PDRIVER_STARTIO DriverStartIo;
    PDRIVER_UNLOAD DriverUnload;                              //驅動對象的卸載地址
    PDRIVER_DISPATCH MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];

} DRIVER_OBJECT;
typedef struct _DRIVER_OBJECT *PDRIVER_OBJECT; 

1.2 輸出代碼輸出基本的驅動對象信息

#include <ntddk.h>
VOID MyDriverUnLoad(
	_In_ struct _DRIVER_OBJECT* DriverObject
)
{
	DbgPrint("驅動卸載了\r\n");
}
extern "C" NTSTATUS DriverEntry(
	_In_ PDRIVER_OBJECT  DriverObject,
	_In_ PUNICODE_STRING RegistryPath
){
	ULONG64 uImage = 0;
	DriverObject->DriverUnload = MyDriverUnLoad;
	DbgPrint("驅動加載了開始打印輸出\r\n");
	DbgPrint("驅動名字 = %wZ \r\n", DriverObject->DriverName);
	DbgPrint("驅動起始地址 %x 大小 %x  結束地址 %x\r\n",
		DriverObject->DriverStart,
		DriverObject->DriverSize,
		uImage = ((ULONG64)DriverObject->DriverStart + DriverObject->DriverSize));
	DbgPrint("驅動對象的卸載地址 = %p\r\n", DriverObject->DriverUnload);
	//輸出驅動對象的所有回調地址.
	DbgPrint("驅動對象的IoControl回調地址 = %p\r\n", DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL]);
	DbgPrint("驅動對象的讀回調地址 = %p\r\n",DriverObject->MajorFunction[IRP_MJ_READ]);
	DbgPrint("驅動對象的寫回調地址 = %p\r\n",DriverObject->MajorFunction[IRP_MJ_WRITE]);
	DbgPrint("驅動對象的創建回調地址 = %p\r\n",DriverObject->MajorFunction[IRP_MJ_CREATE]);
	DbgPrint("驅動對象的關閉回調地址 = %p\r\n",DriverObject->MajorFunction[IRP_MJ_CLOSE]);

	DbgPrint("-------遍歷回調輸出------------\r\n");

	//宏從DrverObject對象中查找
	for (auto i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++)
	{
		DbgPrint("回調的IRP_MJ 調用號 = %d 回調函數地址 = %p \r\n", i, DriverObject->MajorFunction[i]);
	}

	DbgPrint("執行所有功能完畢");


	return STATUS_SUCCESS;
}

1.3 結果

1.4 其它簡介

利用驅動對象可以 遍歷驅動的信息.得出內核中所有模塊
代碼在另一個帖子
https://www.cnblogs.com/iBinary/p/11693606.html
可以集成到Ark工具中.
如 Pchunter

當然,涉及到驅動模塊對抗.隱藏模塊等另當別論. 喜歡內核的深入研究即可.

此帖作爲記錄貼 後續進行復習學習查看.