NdisRegisterProtocol---code

ywledoc · 发表于 2011-7-5 16:46:37

本帖最后由 ywledoc 于 2011-7-5 16:49 编辑

突然发现自己潜水+灌水好久了～土木男真是悲剧～配筋算啊算，桥梁受力算啊算～考了一个星期，算了三个星期～
NdisRegisterProtocol的内部代码。以前放过一份别人逆的，后来自己动手发现不准确，略加修改。
代码如下：

#include <ndis.h>
#include <windef.h>
#include <wdm.h>
#include "global.h"
#include "regprotocol.h"
LONG KeInsertQueue(
PVOID Queue,
PLIST_ENTRY Entry
);
typedef struct{
PVOID OpenQueue; //: Ptr32 _NDIS_OPEN_BLOCK 0X00
REFERENCE Ref; //: _REFERENCE 0X04
PKEVENT DeregEvent; //: Ptr32 _KEVENT 0X0C
PNDIS_PROTOCOL_BLOCK NextProtocol; //: Ptr32 _NDIS_PROTOCOL_BLOCK 0X10
NDIS50_PROTOCOL_CHARACTERISTICS ProtocolCharacteristics; //: _NDIS50_PROTOCOL_CHARACTERISTICS 0X14
WORK_QUEUE_ITEM WorkItem; //: _WORK_QUEUE_ITEM 0X80
KMUTANT Mutex; //: _KMUTANT 0X90
ULONG MutexOwner; //: Uint4B 0XB0
PUNICODE_STRING BindDeviceName; //: Ptr32 _UNICODE_STRING 0XB4
PUNICODE_STRING RootDeviceName; //: Ptr32 _UNICODE_STRING 0XB8
PUNICODE_STRING AssociatedMiniDriver; //: Ptr32 _NDIS_M_DRIVER_BLOCK 0XBC
PVOID BindingAdapter; //: Ptr32 _NDIS_MINIPORT_BLOCK 0XC0
// USHORT NameBuff[Characteristics->Name.Length+2]; //0XC4
} MY_NDIS_PROTOCOL_BLOCK, *PMY_NDIS_PROTOCOL_BLOCK;
VOID
fake_NdisRegisterProtocol(
OUT PNDIS_HANDLE NdisProtocolHandle,
IN PNDIS_PROTOCOL_CHARACTERISTICS ProtocolCharacteris,
IN UINT CharacteristicsLength
)
{
KIRQL OldIrql;
PMY_NDIS_PROTOCOL_BLOCK p_protocol;
ULONG size;
//加一引用计数
MmLockPagableSectionByHandle((PVOID)(g_pkg+0x2c));
MmLockPagableSectionByHandle((PVOID)(g_pkg+0xc));
//主体功能代码
size = 0x6c;
p_protocol = (PMY_NDIS_PROTOCOL_BLOCK)ExAllocatePoolWithTag(NonPagedPool,
ProtocolCharacteris->Name.Length + 0xC6,
'bpDN');
RtlZeroMemory(&p_protocol->ProtocolCharacteristics,
ProtocolCharacteris->Name.Length + size);
RtlCopyMemory(&(p_protocol->ProtocolCharacteristics),
ProtocolCharacteris,
size);
//Upcase协议名
p_protocol->ProtocolCharacteristics.Name.Buffer = (PVOID)((ULONG)p_protocol+0xc4);
RtlUpcaseUnicodeString(&p_protocol->ProtocolCharacteristics.Name,
&ProtocolCharacteris->Name,
FALSE);
/*
*开始设置p_protocol结构中的内容
*/
p_protocol->OpenQueue = NULL;
//ndisInitializeRef的实现
p_protocol->Ref.Closing = 0;
p_protocol->Ref.ReferenceCount = 1;
KeInitializeSpinLock(&p_protocol->Ref.SpinLock);
//
KeInitializeMutex(&p_protocol->Mutex, 0xFFFF);
//继续设置，接入WorkQueue链表中
p_protocol->WorkItem.WorkerRoutine = g_ndisCheckProtocolBindings;
p_protocol->WorkItem.Parameter = p_protocol;
p_protocol->WorkItem.List.Flink = NULL;
KeInsertQueue(g_ndisWorkerQueue, &(p_protocol->WorkItem));
//插入protocol链表中
KeAcquireSpinLock(g_ndisProtocolListLock, &OldIrql);
p_protocol->NextProtocol = *(ULONG*)g_ndisProtocolList;
*(ULONG*)g_ndisProtocolList = p_protocol;
KeReleaseSpinLock(g_ndisProtocolListLock, OldIrql);
ObReferenceObject(g_ndisDriverObject);
//ndisReferenceRef的实现
KeAcquireSpinLock(p_protocol->Ref.SpinLock, &OldIrql);
if (p_protocol->Ref.Closing != 0) {
//NOTHING
} else {
p_protocol->Ref.ReferenceCount++;
if ( p_protocol->Ref.ReferenceCount == 0 ) {
p_protocol->Ref.ReferenceCount = p_protocol->Ref.ReferenceCount || 0xffff;
}
}
KeReleaseSpinLock(p_protocol->Ref.SpinLock, OldIrql);
//实现完毕
//返回句柄
NdisProtocolHandle = p_protocol;
//对引用计数减一
MmUnlockPagableImageSection((PVOID)(g_pkg+0x2c));
return;
}