遍历系统中加载的驱动程序以及通过设备对象指针获取设备对象名称
遍历系统中加载的驱动可以在R3层完成,需要用到几个由 ntdll.dll 导出但未公开文档的函数:ZwOpenDirectoryObject、ZwQueryDirectoryObject(代码中通过 GetProcAddress 动态获取),下面是具体的代码。
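// Basic NT data structures. These are normally kernel-mode (R0) definitions;
// they are redeclared here so the user-mode (R3) code can call the native API
// without the WDK. NOTE: they collide with <winternl.h> if that header is included.
typedef struct _UNICODE_STRING {
    USHORT Length;          // byte count of Buffer, NOT including any terminating NUL
    USHORT MaximumLength;   // byte capacity of Buffer
    PWSTR  Buffer;          // not guaranteed to be NUL-terminated
} UNICODE_STRING, *PUNICODE_STRING;

// The SDK defines NTSTATUS as LONG; ULONG is kept here because this file only
// ever compares status codes for equality.
typedef ULONG NTSTATUS;

// Object attributes (input to ZwOpenDirectoryObject).
typedef struct _OBJECT_ATTRIBUTES {
    ULONG Length;
    HANDLE RootDirectory;
    UNICODE_STRING *ObjectName;
    ULONG Attributes;
    PSECURITY_DESCRIPTOR SecurityDescriptor;
    PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

// One directory entry as returned by ZwQueryDirectoryObject. The entries form
// an array at the start of the output buffer; their Buffer pointers point to
// string data later in the same buffer.
typedef struct _DIRECTORY_BASIC_INFORMATION {
    UNICODE_STRING ObjectName;
    UNICODE_STRING ObjectTypeName;
} DIRECTORY_BASIC_INFORMATION, *PDIRECTORY_BASIC_INFORMATION;

// Flags and status codes used below.
#define OBJ_CASE_INSENSITIVE    0x00000040L
#define DIRECTORY_QUERY         (0x0001)
#define STATUS_SUCCESS          ((NTSTATUS)0x00000000L)   // ntsubauth
#define STATUS_MORE_ENTRIES     ((NTSTATUS)0x00000105L)
#define STATUS_BUFFER_TOO_SMALL ((NTSTATUS)0xC0000023L)

// Fills an OBJECT_ATTRIBUTES. do/while(0) so the macro behaves as a single
// statement when followed by ';' inside if/else.
#define InitializeObjectAttributes( p, n, a, r, s ) do {  \
    (p)->Length = sizeof(OBJECT_ATTRIBUTES);              \
    (p)->RootDirectory = r;                               \
    (p)->Attributes = a;                                  \
    (p)->ObjectName = n;                                  \
    (p)->SecurityDescriptor = s;                          \
    (p)->SecurityQualityOfService = NULL;                 \
} while (0)

// Names of the driver objects found under \Driver, appended by EnumDriver().
// The original declared this twice with conflicting element types
// (vector<CString> vs vector<DRIVER_INFO>); push_back() below stores a
// CString, so vector<CString> is the definition that compiles.
// EnumDriver() does not clear the list, so repeated calls accumulate entries.
vector<CString> g_DriverNameList;

// Native API entry points, resolved from ntdll.dll at run time by EnumDriver().
typedef VOID (WINAPI *RTLINITUNICODESTRING)(PUNICODE_STRING, PCWSTR);
RTLINITUNICODESTRING RtlInitUnicodeString;

// Open a directory object.
typedef NTSTATUS (WINAPI *ZWOPENDIRECTORYOBJECT)(
    OUT PHANDLE DirectoryHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes
    );
ZWOPENDIRECTORYOBJECT ZwOpenDirectoryObject;

// Query a directory object's entries.
typedef NTSTATUS (WINAPI *ZWQUERYDIRECTORYOBJECT)(
    IN HANDLE DirectoryHandle,
    OUT PVOID Buffer,
    IN ULONG BufferLength,
    IN BOOLEAN ReturnSingleEntry,
    IN BOOLEAN RestartScan,
    IN OUT PULONG Context,
    OUT PULONG ReturnLength OPTIONAL
    );
ZWQUERYDIRECTORYOBJECT ZwQueryDirectoryObject;

// Close a handle opened through the native API.
typedef NTSTATUS (WINAPI *ZWCLOSE)(IN HANDLE Handle);
ZWCLOSE ZwClose;

// Enumerates the object-manager directory "\Driver" and appends the name of
// every entry to g_DriverNameList.
//
// Returns TRUE only if the directory was opened and listed successfully;
// FALSE if ntdll.dll or one of its entry points cannot be resolved, if the
// directory cannot be opened or queried, or if allocation fails. (The original
// returned TRUE even when ZwQueryDirectoryObject failed.)
BOOL EnumDriver()
{
    HMODULE hNtdll = LoadLibrary(_T("ntdll.dll"));
    if (NULL == hNtdll) {
        return FALSE;
    }

    RtlInitUnicodeString   = (RTLINITUNICODESTRING)GetProcAddress(hNtdll, "RtlInitUnicodeString");
    ZwOpenDirectoryObject  = (ZWOPENDIRECTORYOBJECT)GetProcAddress(hNtdll, "ZwOpenDirectoryObject");
    ZwQueryDirectoryObject = (ZWQUERYDIRECTORYOBJECT)GetProcAddress(hNtdll, "ZwQueryDirectoryObject");
    ZwClose                = (ZWCLOSE)GetProcAddress(hNtdll, "ZwClose");
    // These exports are undocumented; never call through an unresolved pointer.
    if (NULL == RtlInitUnicodeString || NULL == ZwOpenDirectoryObject ||
        NULL == ZwQueryDirectoryObject || NULL == ZwClose) {
        FreeLibrary(hNtdll);
        return FALSE;
    }

    UNICODE_STRING strDirName;
    OBJECT_ATTRIBUTES oba;
    // RtlInitUnicodeString takes PCWSTR: use an explicit wide literal. _T("...")
    // is a narrow string in non-UNICODE builds and would be misread as UTF-16.
    RtlInitUnicodeString(&strDirName, L"\\Driver");
    InitializeObjectAttributes(&oba, &strDirName, OBJ_CASE_INSENSITIVE, NULL, NULL);

    HANDLE hDirectory = NULL;
    NTSTATUS ntStatus = ZwOpenDirectoryObject(&hDirectory, DIRECTORY_QUERY, &oba);
    if (ntStatus != STATUS_SUCCESS) {
        FreeLibrary(hNtdll);
        return FALSE;
    }

    BOOL bResult = FALSE;
    PDIRECTORY_BASIC_INFORMATION pBuffer = NULL;
    ULONG ulLength = 0x800;   // doubled before first use, so the first query uses 4 KiB
    ULONG ulContext = 0;
    ULONG ulRet = 0;

    // Re-query from the start (RestartScan=TRUE) with a doubling buffer until
    // the whole listing fits in one call.
    do {
        free(pBuffer);   // free(NULL) is a no-op on the first iteration
        ulLength *= 2;
        pBuffer = (PDIRECTORY_BASIC_INFORMATION)malloc(ulLength);
        if (NULL == pBuffer) {
            break;       // ntStatus still holds the last status; bResult stays FALSE
        }
        ulContext = 0;
        ntStatus = ZwQueryDirectoryObject(hDirectory, pBuffer, ulLength, FALSE, TRUE, &ulContext, &ulRet);
    } while (ntStatus == STATUS_MORE_ENTRIES || ntStatus == STATUS_BUFFER_TOO_SMALL);

    if (pBuffer != NULL && STATUS_SUCCESS == ntStatus) {
        // The loop condition relies on the listing ending in an all-zero entry;
        // the buffer bound below keeps the walk inside the allocation even if
        // that terminator were ever missing.
        const char *pEnd = (const char *)pBuffer + ulLength;
        for (PDIRECTORY_BASIC_INFORMATION pEntry = pBuffer;
             (const char *)(pEntry + 1) <= pEnd &&
                 pEntry->ObjectName.Length != 0 &&
                 pEntry->ObjectTypeName.Length != 0;
             ++pEntry) {
            // UNICODE_STRING is not guaranteed NUL-terminated: copy exactly
            // Length bytes instead of scanning Buffer for a terminator.
            CString strDriverName(pEntry->ObjectName.Buffer,
                                  (int)(pEntry->ObjectName.Length / sizeof(WCHAR)));
            g_DriverNameList.push_back(strDriverName);
        }
        bResult = TRUE;
    }

    free(pBuffer);
    ZwClose(hDirectory);
    FreeLibrary(hNtdll);   // balances LoadLibrary; ntdll itself stays mapped in every process
    return bResult;
}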
通过设备对象的地址来获取设备对象的名称一般是在R0层完成,下面是具体的代码
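// Undocumented Object Manager structures used to reach a device object's name.
// NOTE(review): this is the Windows 2000/XP-era OBJECT_HEADER layout
// (NameInfoOffset / HandleInfoOffset / QuotaInfoOffset). Later releases lay the
// header out differently, so reading it blindly yields garbage or a bugcheck;
// gate this on the OS version it was written for, or use the documented
// ObQueryNameString() instead where that is acceptable.
typedef struct _OBJECT_CREATE_INFORMATION {
    ULONG Attributes;
    HANDLE RootDirectory;
    PVOID ParseContext;
    KPROCESSOR_MODE ProbeMode;
    ULONG PagedPoolCharge;
    ULONG NonPagedPoolCharge;
    ULONG SecurityDescriptorCharge;
    PSECURITY_DESCRIPTOR SecurityDescriptor;
    PSECURITY_QUALITY_OF_SERVICE SecurityQos;
    SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
} OBJECT_CREATE_INFORMATION, *POBJECT_CREATE_INFORMATION;

typedef struct _OBJECT_HEADER {
    LONG PointerCount;
    union {
        LONG HandleCount;
        PSINGLE_LIST_ENTRY SEntry;
    };
    POBJECT_TYPE Type;
    UCHAR NameInfoOffset;     // 0 means the object has no OBJECT_HEADER_NAME_INFO
    UCHAR HandleInfoOffset;
    UCHAR QuotaInfoOffset;
    UCHAR Flags;
    union {
        POBJECT_CREATE_INFORMATION ObjectCreateInfo;
        PVOID QuotaBlockCharged;
    };
    PSECURITY_DESCRIPTOR SecurityDescriptor;
    QUAD Body;                // the object itself (e.g. DEVICE_OBJECT) starts here
} OBJECT_HEADER, *POBJECT_HEADER;

#define NUMBER_HASH_BUCKETS 37

typedef struct _OBJECT_DIRECTORY {
    struct _OBJECT_DIRECTORY_ENTRY *HashBuckets[NUMBER_HASH_BUCKETS];
    struct _OBJECT_DIRECTORY_ENTRY **LookupBucket;
    BOOLEAN LookupFound;
    USHORT SymbolicLinkUsageCount;
    struct _DEVICE_MAP *DeviceMap;
} OBJECT_DIRECTORY, *POBJECT_DIRECTORY;

typedef struct _OBJECT_HEADER_NAME_INFO {
    POBJECT_DIRECTORY Directory;
    UNICODE_STRING Name;
    ULONG Reserved;
#if DBG
    ULONG Reserved2;
    LONG DbgDereferenceCount;
#endif
} OBJECT_HEADER_NAME_INFO, *POBJECT_HEADER_NAME_INFO;

// Object body -> enclosing OBJECT_HEADER.
#define OBJECT_TO_OBJECT_HEADER( o ) \
    CONTAINING_RECORD( (o), OBJECT_HEADER, Body )

// OBJECT_HEADER -> optional name info, which precedes the header by
// NameInfoOffset bytes; NULL when the object is unnamed.
#define OBJECT_HEADER_TO_NAME_INFO( oh ) ((POBJECT_HEADER_NAME_INFO) \
    ((oh)->NameInfoOffset == 0 ? NULL : ((PCHAR)(oh) - (oh)->NameInfoOffset)))

// Prints, via DbgPrint(), the owning driver's name, the device name (or "NULL"
// for an unnamed device) and both object addresses for pDeviceObj.
//
// pDeviceObj: device object to describe; NULL is reported and ignored.
// Reads the undocumented OBJECT_HEADER declared above, so it is only valid on
// kernels that use that layout.
void GetDeviceName(PDEVICE_OBJECT pDeviceObj)
{
    POBJECT_HEADER ObjectHeader;
    POBJECT_HEADER_NAME_INFO ObjectNameInfo;
    PDRIVER_OBJECT pDriverObj;

    if (pDeviceObj == NULL) {
        DbgPrint("pDeviceObj is NULL!\n");
        return;
    }

    // Both output paths dereference DriverObject; the original only checked it
    // in the unnamed-device branch and would fault on a named device with a
    // NULL DriverObject.
    pDriverObj = pDeviceObj->DriverObject;
    if (pDriverObj == NULL) {
        DbgPrint("Device Address:0x%p has no DriverObject!\n", pDeviceObj);
        return;
    }

    // Object header and (optional) name info behind the device object.
    ObjectHeader = OBJECT_TO_OBJECT_HEADER(pDeviceObj);
    ObjectNameInfo = OBJECT_HEADER_TO_NAME_INFO(ObjectHeader);

    // %p for pointer arguments: %x is undefined for pointers and truncates
    // addresses on 64-bit kernels.
    if (ObjectNameInfo != NULL && ObjectNameInfo->Name.Buffer != NULL) {
        DbgPrint("Driver Name:%wZ - Device Name:%wZ - Driver Address:0x%p - Device Address:0x%p\n",
                 &pDriverObj->DriverName,
                 &ObjectNameInfo->Name,
                 pDriverObj,
                 pDeviceObj);
    } else {
        // Unnamed device: print NULL in place of the name.
        DbgPrint("Driver Name:%wZ - Device Name:%S - Driver Address:0x%p - Device Address:0x%p\n",
                 &pDriverObj->DriverName,
                 L"NULL",
                 pDriverObj,
                 pDeviceObj);
    }
}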