用驱动实现自己的 ZwOpenProcess ZwReadVirtualMemory ZwWriteVirtualMemory
前几天在网路上看到的驱动程式码，用WDK 7600.16385.1编译不出sys。我完全不会用，照着教学做也编译失败。
请问有办法编译成sys
我只有学过VB6能力不够 呜呜
希望能编译成sys，让VB能使用这个驱动，请求大大帮忙了
// jhxxs.C
#include "dbghelp.h"
#include "jhxxs.h"
#include <stdio.h>
#include <ntdef.h>
#include <ntstatus.h>
#include <ntddk.h>
//
// A structure representing the instance information associated with
// a particular device
//
typedef struct _DEVICE_EXTENSION
{
/* Per-device state block; its size is what DriverEntry passes to IoCreateDevice.
 * StateVariable is never read or written anywhere in this file. */
ULONG StateVariable;
} DEVICE_EXTENSION, *PDEVICE_EXTENSION;
/*
 * Local definition of the APC state block handed to KeStackAttachProcess /
 * KeUnstackDetachProcess below.
 * NOTE(review): the kernel writes into this structure, so its size and layout
 * must match the running kernel's own definition — confirm against the target
 * kernel's headers rather than relying on this copy.
 */
typedef struct _KAPC_STATE{
LIST_ENTRY ApcListHead;
PEPROCESS Process;
UCHAR KernelApcInProgress;
UCHAR KernelApcPending;
UCHAR UserApcPending;
}KAPC_STATE,*PKAPC_STATE;
/*
 * Hand-written prototypes for kernel exports used below instead of the WDK
 * declarations.
 * NOTE(review): these must match the kernel's real signatures exactly.
 * PsLookupProcessByProcessId is declared here with a ULONG process id, whereas
 * the WDK declares the id as a HANDLE — confirm this is acceptable on the
 * targeted (32-bit) build before reusing it elsewhere.
 */
NTKERNELAPI void KeStackAttachProcess(IN PEPROCESS Process, OUT PKAPC_STATE ApcState);
NTKERNELAPI void KeUnstackDetachProcess(IN PKAPC_STATE ApcState);
NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(IN ULONG ulProcId,OUT PEPROCESS * pEProcess);
NTKERNELAPI NTSTATUS ObOpenObjectByPointer(
IN PVOID Object,
IN ULONG HandleAttributes,
IN PACCESS_STATE PassedAccessState OPTIONAL,
IN ACCESS_MASK DesiredAccess OPTIONAL,
IN POBJECT_TYPE ObjectType OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
OUT PHANDLE Handle
);
//
// Device driver routine declarations.
//
/* Forward declarations for the routines defined later in this file. */
NTSTATUS
DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
);
NTSTATUS
JhxxsDispatchCreate(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
);
NTSTATUS
JhxxsDispatchClose(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
);
NTSTATUS
JhxxsDispatchDeviceControl(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
);
VOID
JhxxsUnload(
IN PDRIVER_OBJECT DriverObject
);
/*
 * Section placement: DriverEntry goes to the discardable INIT section, the
 * dispatch and unload routines to pageable code.
 * NOTE(review): none of the PAGE-placed routines below contains a PAGED_CODE()
 * assertion, so a call at elevated IRQL would not be caught in checked builds.
 */
#ifdef ALLOC_PRAGMA
#pragma alloc_text(INIT, DriverEntry)
#pragma alloc_text(PAGE, JhxxsDispatchCreate)
#pragma alloc_text(PAGE, JhxxsDispatchClose)
#pragma alloc_text(PAGE, JhxxsDispatchDeviceControl)
#pragma alloc_text(PAGE, JhxxsUnload)
#endif // ALLOC_PRAGMA
NTSTATUS
MyWriteMemory(IN HANDLE hProcess,OUT PVOID BaseAddress,IN PVOID Pbuff,IN ULONG BufferSize)
{
/*
 * Copies BufferSize bytes from the caller's buffer Pbuff to BaseAddress inside
 * the process referenced by hProcess. The data is staged through a NonPagedPool
 * buffer so the second copy can run while attached to the target's address
 * space.
 *
 * Returns STATUS_UNSUCCESSFUL on any failure, otherwise STATUS_SUCCESS.
 *
 * NOTE(review): no authorization of the caller is performed here or anywhere in
 * this file; the only gate is the handle lookup below.
 */
PEPROCESS EProcess;
KAPC_STATE ApcState;
PVOID writebuffer=NULL;
NTSTATUS status;
/*
 * ObjectType is NULL, so the handle is not verified to refer to a process, and
 * AccessMode is KernelMode, so the PROCESS_VM_WRITE|PROCESS_VM_READ mask is not
 * enforced against the rights the handle was actually granted — confirm against
 * the ObReferenceObjectByHandle contract.
 */
status = ObReferenceObjectByHandle(
hProcess,
PROCESS_VM_WRITE|PROCESS_VM_READ,
NULL,
KernelMode,
&EProcess,
NULL
);
if(!NT_SUCCESS(status))
{
/* NOTE(review): EProcess was never initialized and no reference was taken on
 * this path, so this dereferences an indeterminate pointer. */
ObDereferenceObject(EProcess);
return STATUS_UNSUCCESSFUL;
}
writebuffer = ExAllocatePoolWithTag (NonPagedPool, BufferSize, 'Sys');
if(writebuffer==NULL)
{
ObDereferenceObject(EProcess);
/* NOTE(review): writebuffer is NULL here (just tested); this frees nothing valid. */
ExFreePool (writebuffer);
return STATUS_UNSUCCESSFUL;
}
/* NOTE(review): stores 4 bytes regardless of BufferSize, so BufferSize < 4 runs
 * past the allocation. The value is overwritten by the copy below anyway. */
*(ULONG*)writebuffer=(ULONG)0x1;
/*
 * Step 1: copy the source bytes out of the caller's buffer while still in the
 * caller's context. MmIsAddressValid tests a single address, not the whole
 * range; ProbeForRead raises if the range is not user-mode, hence the __try.
 */
if (MmIsAddressValid(Pbuff))
{
__try
{
ProbeForRead ((CONST PVOID)Pbuff, BufferSize, sizeof(CHAR));
RtlCopyMemory (writebuffer, Pbuff, BufferSize);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
status = STATUS_UNSUCCESSFUL;
}
}
else
{
status = STATUS_UNSUCCESSFUL;
}
/*
 * Step 2: attach to the target and write the staged bytes there. The attach
 * and detach must stay paired around the copy.
 */
if (NT_SUCCESS(status))
{
KeStackAttachProcess (EProcess, &ApcState);
if (MmIsAddressValid(BaseAddress))
{
__try
{
ProbeForWrite ((CONST PVOID)BaseAddress, BufferSize, sizeof(CHAR));
RtlCopyMemory (BaseAddress,writebuffer, BufferSize);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
status = STATUS_UNSUCCESSFUL;
}
}
else
{
status = STATUS_UNSUCCESSFUL;
}
KeUnstackDetachProcess (&ApcState);
}
/* Release the reference taken by ObReferenceObjectByHandle and the staging buffer. */
ObDereferenceObject(EProcess);
ExFreePool (writebuffer);
return status;
}
NTSTATUS
MyReadMemory(IN HANDLE hProcess,IN PVOID BaseAddress,OUT PVOID Pbuff,IN ULONG BufferSize)
{
/*
 * Copies BufferSize bytes from BaseAddress inside the process referenced by
 * hProcess into the caller's buffer Pbuff, staging through a NonPagedPool
 * buffer: the first copy runs attached to the target, the second in the
 * caller's own context.
 *
 * Returns STATUS_UNSUCCESSFUL on any failure, otherwise STATUS_SUCCESS.
 *
 * NOTE(review): no authorization of the caller is performed here or anywhere in
 * this file; the only gate is the handle lookup below.
 */
PEPROCESS EProcess;
KAPC_STATE ApcState;
PVOID readbuffer=NULL;
NTSTATUS status;
/*
 * ObjectType is NULL, so the handle is not verified to refer to a process, and
 * AccessMode is KernelMode, so the PROCESS_VM_WRITE|PROCESS_VM_READ mask is not
 * enforced against the rights the handle was actually granted — confirm against
 * the ObReferenceObjectByHandle contract.
 */
status = ObReferenceObjectByHandle(
hProcess,
PROCESS_VM_WRITE|PROCESS_VM_READ,
NULL,
KernelMode,
&EProcess,
NULL
);
if(!NT_SUCCESS(status))
{
/* NOTE(review): EProcess was never initialized and no reference was taken on
 * this path, so this dereferences an indeterminate pointer. */
ObDereferenceObject(EProcess);
return STATUS_UNSUCCESSFUL;
}
readbuffer = ExAllocatePoolWithTag (NonPagedPool, BufferSize, 'Sys');
if(readbuffer==NULL)
{
ObDereferenceObject(EProcess);
/* NOTE(review): readbuffer is NULL here (just tested); this frees nothing valid. */
ExFreePool (readbuffer);
return STATUS_UNSUCCESSFUL;
}
/* NOTE(review): stores 4 bytes regardless of BufferSize, so BufferSize < 4 runs
 * past the allocation. The value is overwritten by the copy below anyway. */
*(ULONG*)readbuffer=(ULONG)0x1;
/*
 * Step 1: attach to the target and read from BaseAddress into the staging
 * buffer. MmIsAddressValid tests a single address, not the whole range;
 * ProbeForRead raises if the range is not user-mode, hence the __try.
 */
KeStackAttachProcess (EProcess, &ApcState);
if (MmIsAddressValid(BaseAddress))
{
__try
{
ProbeForRead ((CONST PVOID)BaseAddress, BufferSize, sizeof(CHAR));
RtlCopyMemory (readbuffer, BaseAddress, BufferSize);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
status = STATUS_UNSUCCESSFUL;
}
}
else
{
status = STATUS_UNSUCCESSFUL;
}
KeUnstackDetachProcess (&ApcState);
/* Step 2: back in the caller's context, hand the bytes to the caller's buffer. */
if(NT_SUCCESS(status))
{
if (MmIsAddressValid(Pbuff))
{
__try
{
ProbeForWrite(Pbuff, BufferSize, sizeof(CHAR));
RtlCopyMemory (Pbuff, readbuffer, BufferSize);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
status = STATUS_UNSUCCESSFUL;
}
}
else
{
status = STATUS_UNSUCCESSFUL;
}
}
/* Release the reference taken by ObReferenceObjectByHandle and the staging buffer. */
ObDereferenceObject(EProcess);
ExFreePool (readbuffer);
return status;
}
NTSTATUS MyOpenProcess(ULONG PID, PHANDLE pHandle)
{
/*
 * Opens a handle to the process with id PID and stores it in *pHandle.
 *
 * Returns the status of PsLookupProcessByProcessId, or of ObOpenObjectByPointer
 * when the lookup succeeded.
 * NOTE(review): if MmGetSystemRoutineAddress returns NULL the success status
 * from the lookup is returned while *pHandle is left untouched. pHandle itself
 * is never checked for NULL.
 */
NTSTATUS status;
PEPROCESS EProcess = NULL;
HANDLE handle = NULL;
UNICODE_STRING y;
PULONG PsProcessType;
status = PsLookupProcessByProcessId(PID, &EProcess);
if (NT_SUCCESS(status))
{
handle = 0;
/*
 * Resolve the exported PsProcessType variable at run time instead of linking
 * against it.
 * NOTE(review): it is read through a PULONG, i.e. 4 bytes; the export holds a
 * pointer, which is 8 bytes on 64-bit builds — confirm this is 32-bit only.
 */
RtlInitUnicodeString(&y, L"PsProcessType");
PsProcessType = MmGetSystemRoutineAddress(&y);
if (PsProcessType)
{
/* The handle is opened with PROCESS_ALL_ACCESS; no check of the requesting
 * caller's rights is made in this routine. */
status = ObOpenObjectByPointer(EProcess, 0, 0, PROCESS_ALL_ACCESS, (PVOID)*PsProcessType, UserMode, &handle);
if (NT_SUCCESS(status))
{
*pHandle = handle;
}
}
/* Drop the reference taken by PsLookupProcessByProcessId. */
ObfDereferenceObject(EProcess);
}
return status;
}
NTSTATUS
DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
)
{
/*
 * Driver load entry: creates the control device JHXXS_DEVICE_NAME_W, its DOS
 * symbolic link JHXXS_DOS_DEVICE_NAME_W, and installs the dispatch and unload
 * routines. On failure whatever was created so far is torn down again.
 *
 * Returns the first failing status, otherwise STATUS_SUCCESS.
 * RegistryPath is not used.
 */
NTSTATUS status = STATUS_SUCCESS;
UNICODE_STRING ntDeviceName;
UNICODE_STRING dosDeviceName;
PDEVICE_EXTENSION deviceExtension;
PDEVICE_OBJECT deviceObject = NULL;
BOOLEAN fSymbolicLink = FALSE;
/* Breaks into the kernel debugger on every load; debug aid — confirm it is
 * compiled out of non-debug builds. */
KdBreakPoint();
RtlInitUnicodeString(&ntDeviceName, JHXXS_DEVICE_NAME_W);
/*
 * Exclusive = TRUE: a single open handle at a time. No security descriptor is
 * supplied with this creation path.
 * NOTE(review): nothing in this file restricts which callers may open the
 * device, and the IOCTLs it serves perform no authorization of their own.
 */
status = IoCreateDevice(
DriverObject,
sizeof(DEVICE_EXTENSION),
&ntDeviceName,
FILE_DEVICE_JHXXS,
0,
TRUE,
&deviceObject
);
if (!NT_SUCCESS(status))
{
goto __failed;
}
/* NOTE(review): assigned but never used in this routine. */
deviceExtension = (PDEVICE_EXTENSION)deviceObject->DeviceExtension;
RtlInitUnicodeString(&dosDeviceName, JHXXS_DOS_DEVICE_NAME_W);
status = IoCreateSymbolicLink(&dosDeviceName, &ntDeviceName);
if (!NT_SUCCESS(status))
{
goto __failed;
}
fSymbolicLink = TRUE;
/*
 * NOTE(review): as shown, these three assignments target the same lvalue — the
 * MajorFunction[] subscripts appear to have been stripped in transcription.
 */
DriverObject->MajorFunction = JhxxsDispatchCreate;
DriverObject->MajorFunction = JhxxsDispatchClose;
DriverObject->MajorFunction = JhxxsDispatchDeviceControl;
DriverObject->DriverUnload = JhxxsUnload;
/* status is still STATUS_SUCCESS at this point, so this always returns. */
if (NT_SUCCESS(status))
return status;
/* Unwind in reverse order of creation. (Identifiers beginning with two
 * underscores are reserved for the implementation.) */
__failed:
if (fSymbolicLink)
IoDeleteSymbolicLink(&dosDeviceName);
if (deviceObject)
IoDeleteDevice(deviceObject);
return status;
}
NTSTATUS
JhxxsDispatchCreate(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    )
{
    /*
     * IRP_MJ_CREATE handler: every open is accepted. No per-handle state is
     * kept, so the request is completed at once with zero bytes transferred.
     */
    (void)DeviceObject;

    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}
NTSTATUS
JhxxsDispatchClose(
    IN PDEVICE_OBJECT DeviceObject,
    IN PIRP Irp
    )
{
    /*
     * IRP_MJ_CLOSE handler: nothing to release, so the request is completed
     * successfully with zero bytes transferred.
     */
    (void)DeviceObject;

    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}
NTSTATUS
JhxxsDispatchDeviceControl(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
)
{
/*
 * IRP_MJ_DEVICE_CONTROL handler. The three custom control codes have the low
 * two bits clear (METHOD_BUFFERED), so input and output share
 * Irp->AssociatedIrp.SystemBuffer. As read below, the requests are:
 *   0x0022E004  write: handle, destination, source, size -> status (4 bytes out)
 *   0x0022E008  read:  handle, base, buffer, size        -> status (4 bytes out)
 *   0x0022E000  open:  pid                               -> 8 bytes out
 * For these three cases the IRP status stays STATUS_SUCCESS; the worker's own
 * status is returned inside the buffer instead.
 *
 * NOTE(review): inBufLength and outBufLength are read but never compared with
 * the 16 bytes consumed or the 4/8 bytes produced, so a caller supplying a
 * shorter buffer causes a pool over-read/over-write through SystemBuffer.
 * Checking both lengths against the fixed sizes before touching the buffer and
 * failing with STATUS_BUFFER_TOO_SMALL is the standard guard; ioBuf can also
 * be NULL when no buffers were supplied and is dereferenced unchecked in the
 * 0x0022E000 case.
 * NOTE(review): the listing has lost characters in transcription: "->;" in the
 * irpStack accesses, and apparently the subscripts on the memmove operands (as
 * written, several take the address of the local pointer `buff` rather than of
 * the request data).
 */
NTSTATUS status = STATUS_SUCCESS;
PIO_STACK_LOCATION irpStack;
PDEVICE_EXTENSION deviceExtension;
PVOID ioBuf;
ULONG inBufLength, outBufLength;
ULONG ioControlCode;
UCHAR *buff =0;
ULONG OutByteCount =0;
HANDLE Writehandel;
PVOID WriteDstAddr;
PVOID WriteSrcAddr;
ULONG WriteSize;
NTSTATUS WriteReturn;
HANDLE Readhandel;
PVOID ReadBaseAddr;
PVOID ReadBuffer;
ULONG ReadSize;
NTSTATUS ReadReturn;
ULONG OpenPid;
PHANDLE PProcessHandle;
NTSTATUS OpenReturn;
irpStack = IoGetCurrentIrpStackLocation(Irp);
/* NOTE(review): deviceExtension, OpenPid and PProcessHandle are never used. */
deviceExtension = (PDEVICE_EXTENSION)DeviceObject->DeviceExtension;
Irp->IoStatus.Information = 0;
ioBuf = Irp->AssociatedIrp.SystemBuffer;
inBufLength = irpStack->;Parameters.DeviceIoControl.InputBufferLength;
outBufLength = irpStack->;Parameters.DeviceIoControl.OutputBufferLength;
ioControlCode = irpStack->;Parameters.DeviceIoControl.IoControlCode;
switch (ioControlCode)
{
case 0X0022E004:
{
/* Unpack four 4-byte fields, run the write, return its status in place. */
buff=(UCHAR *)Irp->AssociatedIrp.SystemBuffer ;
memmove(&Writehandel,&buff,4);
memmove(&WriteDstAddr,&buff,4);
memmove(&WriteSrcAddr,&buff,4);
memmove(&WriteSize,&buff,4);
WriteReturn=MyWriteMemory(Writehandel,WriteDstAddr,WriteSrcAddr,WriteSize);
memmove(Irp->AssociatedIrp.SystemBuffer,&WriteReturn,4);
OutByteCount=4;
break;
}
case 0X0022E008:
{
/* Unpack four 4-byte fields, run the read, return its status in place. */
buff=(UCHAR *)Irp->AssociatedIrp.SystemBuffer ;
memmove(&Readhandel,&buff,4);
memmove(&ReadBaseAddr,&buff,4);
memmove(&ReadBuffer,&buff,4);
memmove(&ReadSize,&buff,4);
ReadReturn=MyReadMemory(Readhandel,ReadBaseAddr,ReadBuffer,ReadSize);
memmove(&buff,&ReadReturn,4);
OutByteCount=4;
break;
}
case 0X0022E000:
{
/* The PID is read from ioBuf and the resulting handle is written back over it
 * (ioBuf doubles as the PHANDLE out-parameter). */
OpenReturn = MyOpenProcess(*(PULONG)ioBuf,ioBuf);
buff=(UCHAR *)Irp->AssociatedIrp.SystemBuffer ;
memmove(&buff,&OpenReturn,4);
OutByteCount=8;
break;
}
case IOCTL_JHXXS_HELLO:
{
/* No-op: completes successfully with zero bytes. */
break;
}
default:
status = STATUS_INVALID_PARAMETER;
break;
}
Irp->IoStatus.Status = status;
Irp->IoStatus.Information = OutByteCount;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return status;
}
VOID
JhxxsUnload(
    IN PDRIVER_OBJECT DriverObject
    )
{
    /*
     * Driver unload: removes the DOS symbolic link created in DriverEntry, then
     * the device object hanging off the driver object. The return value of
     * IoDeleteSymbolicLink is not examined.
     */
    UNICODE_STRING linkName;

    RtlInitUnicodeString(&linkName, JHXXS_DOS_DEVICE_NAME_W);
    IoDeleteSymbolicLink(&linkName);
    IoDeleteDevice(DriverObject->DeviceObject);
}
楼主可以参考一下这个帖子:http://www.m5home.com/bbs/forum.php?mod=viewthread&tid=3614
另外我的电脑已经卸载了WDK,无法帮你了。 回复 Tesla.Angela 的帖子
请问我用Microsoft Visual C++ 6.0 按 Build > Start Debug > Go，然后出现一个错误，和用WDK编译时的错误一样（应该是有错误无法编译）。能请你用 C++检查吗？造成你的困扰真的很抱歉，非常想让这个驱动成功使用。 回复 ipaddress8086 的帖子
看来你不怎么明白我的话。。。
这个驱动编译成功了你也没用,因为游戏保护肯定会Hook Ke(Stack)AttachProcess,不可能仅仅Hook Nt***。。。
而且这么写内存肯定是不稳定的(不信你看看WRK中Nt***是怎么读写进程内存的),所以你没必要这样做。。。
驱动不稳定,就是蓝......... 回复 马大哈 的帖子
请问我看了 VB小子玩转驱动程序 文章，加入了 sources 和 makefile 这2个档案，sources里名字有改成jhxxs.c，可是编译时还是出现1个错误
会蓝。HS Inline Hook很奇特，Intel的CPU不会蓝屏，而AMD的CPU会蓝屏，会不会也是像这种情况？VirtualBox这软体体积满小的，可以虚拟作业系统，我是AMD的会蓝屏，在VirtualBox就不会
以下档案可以请看一下吗 我是哪里做错了
回复 ipaddress8086 的帖子
驱动的事情别找老马,老马看到驱动就蛋疼。 回复 Tesla.Angela 的帖子
看的出来 马大哈 回覆每次有驱动都感觉放弃的样子
那 我该看 VB小子玩转驱动程序文章 看到底吗
还是先学 VC++语言 再看 VB小子玩转驱动程序文章
我VC++语言的书本看一半就没再看了看的头好痛VB的模式忘不掉 不知道要不要硬的头皮看到完
回复 ipaddress8086 的帖子
我的建议是:C语言和驱动一起学。 :Q的确看着驱动就蛋疼........ 只有这两段有用:
NTSTATUS
MyWriteMemory(IN HANDLE hProcess,OUT PVOID BaseAddress,IN PVOID Pbuff,IN ULONG BufferSize)
{
/*
 * Copies BufferSize bytes from the caller's buffer Pbuff to BaseAddress inside
 * the process referenced by hProcess. The data is staged through a NonPagedPool
 * buffer so the second copy can run while attached to the target's address
 * space.
 *
 * Returns STATUS_UNSUCCESSFUL on any failure, otherwise STATUS_SUCCESS.
 *
 * NOTE(review): no authorization of the caller is performed here; the only gate
 * is the handle lookup below.
 */
PEPROCESS EProcess;
KAPC_STATE ApcState;
PVOID writebuffer=NULL;
NTSTATUS status;
/*
 * ObjectType is NULL, so the handle is not verified to refer to a process, and
 * AccessMode is KernelMode, so the PROCESS_VM_WRITE|PROCESS_VM_READ mask is not
 * enforced against the rights the handle was actually granted — confirm against
 * the ObReferenceObjectByHandle contract.
 */
status = ObReferenceObjectByHandle(
hProcess,
PROCESS_VM_WRITE|PROCESS_VM_READ,
NULL,
KernelMode,
&EProcess,
NULL
);
if(!NT_SUCCESS(status))
{
/* NOTE(review): EProcess was never initialized and no reference was taken on
 * this path, so this dereferences an indeterminate pointer. */
ObDereferenceObject(EProcess);
return STATUS_UNSUCCESSFUL;
}
writebuffer = ExAllocatePoolWithTag (NonPagedPool, BufferSize, 'Sys');
if(writebuffer==NULL)
{
ObDereferenceObject(EProcess);
/* NOTE(review): writebuffer is NULL here (just tested); this frees nothing valid. */
ExFreePool (writebuffer);
return STATUS_UNSUCCESSFUL;
}
/* NOTE(review): stores 4 bytes regardless of BufferSize, so BufferSize < 4 runs
 * past the allocation. The value is overwritten by the copy below anyway. */
*(ULONG*)writebuffer=(ULONG)0x1;
/*
 * Step 1: copy the source bytes out of the caller's buffer while still in the
 * caller's context. MmIsAddressValid tests a single address, not the whole
 * range; ProbeForRead raises if the range is not user-mode, hence the __try.
 */
if (MmIsAddressValid(Pbuff))
{
__try
{
ProbeForRead ((CONST PVOID)Pbuff, BufferSize, sizeof(CHAR));
RtlCopyMemory (writebuffer, Pbuff, BufferSize);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
status = STATUS_UNSUCCESSFUL;
}
}
else
{
status = STATUS_UNSUCCESSFUL;
}
/*
 * Step 2: attach to the target and write the staged bytes there. The attach
 * and detach must stay paired around the copy.
 */
if (NT_SUCCESS(status))
{
KeStackAttachProcess (EProcess, &ApcState);
if (MmIsAddressValid(BaseAddress))
{
__try
{
ProbeForWrite ((CONST PVOID)BaseAddress, BufferSize, sizeof(CHAR));
RtlCopyMemory (BaseAddress,writebuffer, BufferSize);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
status = STATUS_UNSUCCESSFUL;
}
}
else
{
status = STATUS_UNSUCCESSFUL;
}
KeUnstackDetachProcess (&ApcState);
}
/* Release the reference taken by ObReferenceObjectByHandle and the staging buffer. */
ObDereferenceObject(EProcess);
ExFreePool (writebuffer);
return status;
}
NTSTATUS
MyReadMemory(IN HANDLE hProcess,IN PVOID BaseAddress,OUT PVOID Pbuff,IN ULONG BufferSize)
{
/*
 * Copies BufferSize bytes from BaseAddress inside the process referenced by
 * hProcess into the caller's buffer Pbuff, staging through a NonPagedPool
 * buffer: the first copy runs attached to the target, the second in the
 * caller's own context.
 *
 * Returns STATUS_UNSUCCESSFUL on any failure, otherwise STATUS_SUCCESS.
 *
 * NOTE(review): no authorization of the caller is performed here; the only gate
 * is the handle lookup below.
 */
PEPROCESS EProcess;
KAPC_STATE ApcState;
PVOID readbuffer=NULL;
NTSTATUS status;
/*
 * ObjectType is NULL, so the handle is not verified to refer to a process, and
 * AccessMode is KernelMode, so the PROCESS_VM_WRITE|PROCESS_VM_READ mask is not
 * enforced against the rights the handle was actually granted — confirm against
 * the ObReferenceObjectByHandle contract.
 */
status = ObReferenceObjectByHandle(
hProcess,
PROCESS_VM_WRITE|PROCESS_VM_READ,
NULL,
KernelMode,
&EProcess,
NULL
);
if(!NT_SUCCESS(status))
{
/* NOTE(review): EProcess was never initialized and no reference was taken on
 * this path, so this dereferences an indeterminate pointer. */
ObDereferenceObject(EProcess);
return STATUS_UNSUCCESSFUL;
}
readbuffer = ExAllocatePoolWithTag (NonPagedPool, BufferSize, 'Sys');
if(readbuffer==NULL)
{
ObDereferenceObject(EProcess);
/* NOTE(review): readbuffer is NULL here (just tested); this frees nothing valid. */
ExFreePool (readbuffer);
return STATUS_UNSUCCESSFUL;
}
/* NOTE(review): stores 4 bytes regardless of BufferSize, so BufferSize < 4 runs
 * past the allocation. The value is overwritten by the copy below anyway. */
*(ULONG*)readbuffer=(ULONG)0x1;
/*
 * Step 1: attach to the target and read from BaseAddress into the staging
 * buffer. MmIsAddressValid tests a single address, not the whole range;
 * ProbeForRead raises if the range is not user-mode, hence the __try.
 */
KeStackAttachProcess (EProcess, &ApcState);
if (MmIsAddressValid(BaseAddress))
{
__try
{
ProbeForRead ((CONST PVOID)BaseAddress, BufferSize, sizeof(CHAR));
RtlCopyMemory (readbuffer, BaseAddress, BufferSize);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
status = STATUS_UNSUCCESSFUL;
}
}
else
{
status = STATUS_UNSUCCESSFUL;
}
KeUnstackDetachProcess (&ApcState);
/* Step 2: back in the caller's context, hand the bytes to the caller's buffer. */
if(NT_SUCCESS(status))
{
if (MmIsAddressValid(Pbuff))
{
__try
{
ProbeForWrite(Pbuff, BufferSize, sizeof(CHAR));
RtlCopyMemory (Pbuff, readbuffer, BufferSize);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
status = STATUS_UNSUCCESSFUL;
}
}
else
{
status = STATUS_UNSUCCESSFUL;
}
}
/* Release the reference taken by ObReferenceObjectByHandle and the staging buffer. */
ObDereferenceObject(EProcess);
ExFreePool (readbuffer);
return status;
}
NTSTATUS MyOpenProcess(ULONG PID, PHANDLE pHandle)
{
/*
 * Opens a handle to the process with id PID and stores it in *pHandle.
 *
 * Returns the status of PsLookupProcessByProcessId, or of ObOpenObjectByPointer
 * when the lookup succeeded.
 * NOTE(review): if MmGetSystemRoutineAddress returns NULL the success status
 * from the lookup is returned while *pHandle is left untouched. pHandle itself
 * is never checked for NULL.
 */
NTSTATUS status;
PEPROCESS EProcess = NULL;
HANDLE handle = NULL;
UNICODE_STRING y;
PULONG PsProcessType;
status = PsLookupProcessByProcessId(PID, &EProcess);
if (NT_SUCCESS(status))
{
handle = 0;
/*
 * Resolve the exported PsProcessType variable at run time instead of linking
 * against it.
 * NOTE(review): it is read through a PULONG, i.e. 4 bytes; the export holds a
 * pointer, which is 8 bytes on 64-bit builds — confirm this is 32-bit only.
 */
RtlInitUnicodeString(&y, L"PsProcessType");
PsProcessType = MmGetSystemRoutineAddress(&y);
if (PsProcessType)
{
/* The handle is opened with PROCESS_ALL_ACCESS; no check of the requesting
 * caller's rights is made in this routine. */
status = ObOpenObjectByPointer(EProcess, 0, 0, PROCESS_ALL_ACCESS, (PVOID)*PsProcessType, UserMode, &handle);
if (NT_SUCCESS(status))
{
*pHandle = handle;
}
}
/* Drop the reference taken by PsLookupProcessByProcessId. */
ObfDereferenceObject(EProcess);
}
return status;
}
其它地方可以参考我的驱动模板。 學習學習 ObReferenceObjectByHandle。。。。。。。。。。。。。。。。。。 a627414850 发表于 2011-11-14 22:52
ObReferenceObjectByHandle。。。。。。。。。。。。。。。。。。
不错学习了~~~