把TA教程的SCM驱动加载代码改成了“面向过程”版

gfw · 发表于 2015-9-16 16:37:58

本帖最后由 gfw 于 2015-9-16 16:43 编辑

原版的代码比较啰嗦于是抽空改写了份现在看来舒爽多了方便大家不隐藏不卖B了哈哈

#pragma comment(lib,"advapi32.lib") //Finishing by GFW@vbasm.com
SC_HANDLE InstallDriver(PCHAR m_pSysPath, PCHAR m_pServiceName)
{
PCHAR m_pDisplayName = m_pServiceName;
SC_HANDLE m_hSCManager = OpenSCManagerA(NULL,NULL,SC_MANAGER_ALL_ACCESS);
if (NULL == m_hSCManager)
{
return 0;
}
SC_HANDLE m_hService = CreateServiceA(m_hSCManager,
m_pServiceName,
m_pDisplayName,
SERVICE_ALL_ACCESS,
SERVICE_KERNEL_DRIVER,
SERVICE_DEMAND_START,
SERVICE_ERROR_NORMAL,
m_pSysPath,
NULL,NULL,NULL,NULL,NULL);
if (NULL == m_hService)
{
if (ERROR_SERVICE_EXISTS == GetLastError())
{
m_hService = OpenServiceA(m_hSCManager,m_pServiceName,SERVICE_ALL_ACCESS);
}
}
CloseServiceHandle(m_hSCManager);
return m_hService;
}
BOOL StartDriver(SC_HANDLE m_hService)
{
return StartServiceA(m_hService,NULL,NULL);
}
BOOL StopDriver(SC_HANDLE m_hService)
{
SERVICE_STATUS ss = {0};
return ControlService(m_hService,SERVICE_CONTROL_STOP,&ss);
}
BOOL RemoveDriver(SC_HANDLE m_hService)
{
return DeleteService(m_hService);
}
HANDLE OpenDriver(PCHAR pLinkName)/* \\\\.\\test */
{
HANDLE m_hDriver = CreateFileA(pLinkName, GENERIC_READ | GENERIC_WRITE, 0, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
if(m_hDriver != INVALID_HANDLE_VALUE)
return m_hDriver;
else
return 0;
}
BOOL CloseDriver(HANDLE m_hDriver)
{
__try
{
return CloseHandle(m_hDriver);
}
__except(1)
{
return 0;
}
}
_inline DWORD CTL_CODE_GEN(DWORD lngFunction)
{
return (FILE_DEVICE_UNKNOWN * 65536) | (FILE_ANY_ACCESS * 16384) | (lngFunction * 4) | METHOD_BUFFERED;
}
BOOL ControlDriver(HANDLE m_hDriver, DWORD dwIoCode, PVOID InBuff, DWORD InBuffLen, PVOID OutBuff, DWORD OutBuffLen, DWORD *RealRetBytes)
{
DWORD dw=0;
BOOL b=DeviceIoControl(m_hDriver,CTL_CODE_GEN(dwIoCode),InBuff,InBuffLen,OutBuff,OutBuffLen,&dw,NULL);
if(RealRetBytes)
{
*RealRetBytes=dw;
}
return b;
}
void GetAppPath(char *szPathString)
{
GetModuleFileNameA(0,szPathString,MAX_PATH);
for(SIZE_T i=strlen(szPathString)-1;i>=0;i--)
{
if(szPathString[i]=='\\')
{
szPathString[i+1]='\0';
break;
}
}
}
SC_HANDLE GetServiceHandle(PCHAR m_pServiceName)
{
SC_HANDLE m_hSCManager = OpenSCManagerA(NULL,NULL,SC_MANAGER_ALL_ACCESS);
if (NULL == m_hSCManager)
{
return 0;
}
SC_HANDLE m_hService = OpenServiceA(m_hSCManager,m_pServiceName,SERVICE_ALL_ACCESS);
if (NULL == m_hService)
{
CloseServiceHandle(m_hSCManager);
return 0;
}
CloseServiceHandle(m_hSCManager);
return m_hService;
}

复制代码

如何使用？

void test()
{
CHAR szDrvFile[MAX_PATH]={0};
GetAppPath(szDrvFile);
strcat(szDrvFile,"KrnlHW64.sys");
SC_HANDLE hSc=InstallDriver(szDrvFile,"KrnlHW64");
if(hSc)
{
StartDriver(hSc);
HANDLE hDrv=OpenDriver("\\\\.\\KrnlHW64");
ControlDriver(hDrv,0x800,0,0,0,0,0);
CloseDriver(hDrv);
StopDriver(hSc);
RemoveDriver(hSc);
}
}

复制代码

Tesla.Angela · 发表于 2015-9-16 22:55:39

嗯，不错。已将链接加入教程帖目录。此外最后应该加上：CloseServiceHandle(hSC)，防止句柄泄漏。

又把你的例子加上了点内容，『驱动本体』和『加载器』完全模板化了。WIN32+WIN64都可以用。

SC_HANDLE g_hSc;
HANDLE g_hDrv;
BOOLEAN DriverInit(BOOLEAN IsInit)
{
if(IsInit)
{
char szFileName[]="XXXX.sys";//TODO: CHANGE THIS VALUE
char szLinkName[]="\\\\.\\XXXX";//TODO: CHANGE THIS VALUE
CHAR szDrvFile[MAX_PATH]={0};
GetAppPath(szDrvFile);
strcat(szDrvFile,szFileName);
g_hSc=InstallDriver(szDrvFile,szFileName);
if(g_hSc)
{
StartDriver(g_hSc);
g_hDrv=OpenDriver(szLinkName);
if(g_hDrv)
return 1;
else
return 0;
}
return 0;
}
else
{
BOOLEAN b;
b=CloseDriver(g_hDrv);if(!b) return 0;
b=StopDriver(g_hSc);if(!b) return 0;
b=RemoveDriver(g_hSc);if(!b) return 0;
b=CloseServiceHandle(g_hSc);if(!b) return 0;
return 1;
}
}
void main()
{
BOOLEAN b;
b=DriverInit(1);if(b){puts("load driver OK!");}else{puts("load driver failed!");return;}
system("pause");
//ControlDriver(g_hDrv,0x800,0,0,0,0,0);
b=DriverInit(0);if(b){puts("unload driver OK!");}else{puts("unload driver failed!");}
system("pause");
}

复制代码

帐号		自动登录	找回密码
密码			加入我们

把TA教程的SCM驱动加载代码改成了“面向过程”版

评分