  • 内核驱动驱动对象 Driver_OBJECT

    驱动对象讲解

    一丶驱动对象

    1.1 结构

    在内核中. 每一个驱动模块都是一个驱动对象. 都有一个 DRIVER_OBJECT结构体代表. 可以想象成驱动对象是一个进程容器. 容纳百川.
    下面针对驱动对象做一下简单的成员输出.以熟悉驱动对象.

    驱动对象结构如下:

    // DRIVER_OBJECT as declared in ntddk.h: the I/O manager allocates one of
    // these for every loaded driver. The annotated members are the ones the
    // sample below prints.
    typedef struct _DRIVER_OBJECT {
        CSHORT Type;
        CSHORT Size;
    
        //
        // The following links all of the devices created by a single driver
        // together on a list, and the Flags word provides an extensible flag
        // location for driver objects.
        //
    
        PDEVICE_OBJECT DeviceObject;
        ULONG Flags;
    
        //
        // The following section describes where the driver is loaded.  The count
        // field is used to count the number of times the driver has had its
        // registered reinitialization routine invoked.
        //
    
        PVOID DriverStart;                                                        // Base address of the loaded driver image
        ULONG DriverSize;                                                         // Size of the driver image
        PVOID DriverSection;                                                      // Loader entry for this driver; can be interpreted as a _LDR_DATA_TABLE_ENTRY, whose list links lead to the other loaded drivers
        PDRIVER_EXTENSION DriverExtension;                                        // Driver extension; a driver may keep its own data here
    
        //
        // The driver name field is used by the error log thread
        // determine the name of the driver that an I/O request is/was bound.
        //
    
        UNICODE_STRING DriverName;                                    // Name of the driver object
    
        //
        // The following section is for registry support.  This is a pointer
        // to the path to the hardware information in the registry
        //
    
        PUNICODE_STRING HardwareDatabase;
    
        //
        // The following section contains the optional pointer to an array of
        // alternate entry points to a driver for "fast I/O" support.  Fast I/O
        // is performed by invoking the driver routine directly with separate
        // parameters, rather than using the standard IRP call mechanism.  Note
        // that these functions may only be used for synchronous I/O, and when
        // the file is cached.
        //
    
        PFAST_IO_DISPATCH FastIoDispatch;
    
    
        PDRIVER_INITIALIZE DriverInit;
        PDRIVER_STARTIO DriverStartIo;
        PDRIVER_UNLOAD DriverUnload;                              // Address of the driver's unload routine
        PDRIVER_DISPATCH MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];   // IRP dispatch table; valid indices run 0..IRP_MJ_MAXIMUM_FUNCTION inclusive
    
    } DRIVER_OBJECT;
    typedef struct _DRIVER_OBJECT *PDRIVER_OBJECT; 
    

    1.2 输出基本驱动对象信息的代码

    #include <ntddk.h>
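    // Unload routine registered in DriverEntry. It only logs that the driver is
    // being unloaded; DriverObject is this driver's own DRIVER_OBJECT and is not
    // otherwise used.
    VOID MyDriverUnLoad(
    	_In_ struct _DRIVER_OBJECT* DriverObject
    )
    {
    	(void)DriverObject;   // unused here; avoids the unreferenced-parameter warning
    	DbgPrint("驱动卸载了\n");
    }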
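    // Driver entry point: registers the unload routine, then dumps the fields
    // of this driver's DRIVER_OBJECT (image range, unload routine, IRP dispatch
    // table) through DbgPrint.
    //
    // DriverObject - the DRIVER_OBJECT the I/O manager created for this driver
    // RegistryPath - the driver's service key path; not used here
    // Returns STATUS_SUCCESS, so the driver stays loaded until MyDriverUnLoad runs.
    //
    // NOTE: the output below consists of kernel addresses. Debug output of this
    // kind discloses kernel layout, so keep it to debug/checked builds.
    extern "C" NTSTATUS DriverEntry(
    	_In_ PDRIVER_OBJECT  DriverObject,
    	_In_ PUNICODE_STRING RegistryPath
    ){
    	(void)RegistryPath;   // unused here; avoids the unreferenced-parameter warning
    	DriverObject->DriverUnload = MyDriverUnLoad;
    
    	// End of the image (start + size), computed up front instead of as a
    	// side effect inside the DbgPrint argument list.
    	ULONG64 uImage = (ULONG64)DriverObject->DriverStart + DriverObject->DriverSize;
    
    	DbgPrint("驱动加载了开始打印输出\n");
    	// %wZ expects a PUNICODE_STRING, so the address of DriverName is passed,
    	// not the structure by value.
    	DbgPrint("驱动名字 = %wZ \n", &DriverObject->DriverName);
    	// %p for the PVOID start, %lx for the ULONG size, %llx for the 64-bit end
    	// address: %x on these arguments is a format/type mismatch (undefined
    	// behavior) and truncates 64-bit values.
    	DbgPrint("驱动起始地址 %p 大小 %lx  结束地址 %llx\n",
    		DriverObject->DriverStart,
    		DriverObject->DriverSize,
    		uImage);
    	DbgPrint("驱动对象的卸载地址 = %p\n", DriverObject->DriverUnload);
    
    	// Print the commonly used dispatch entries by name.
    	DbgPrint("驱动对象的IoControl回调地址 = %p\n", DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL]);
    	DbgPrint("驱动对象的读回调地址 = %p\n",DriverObject->MajorFunction[IRP_MJ_READ]);
    	DbgPrint("驱动对象的写回调地址 = %p\n",DriverObject->MajorFunction[IRP_MJ_WRITE]);
    	DbgPrint("驱动对象的创建回调地址 = %p\n",DriverObject->MajorFunction[IRP_MJ_CREATE]);
    	DbgPrint("驱动对象的关闭回调地址 = %p\n",DriverObject->MajorFunction[IRP_MJ_CLOSE]);
    
    	DbgPrint("-------遍历回调输出------------\n");
    
    	// Walk the whole dispatch table. MajorFunction has
    	// IRP_MJ_MAXIMUM_FUNCTION + 1 entries, so the last valid index is
    	// IRP_MJ_MAXIMUM_FUNCTION itself and the loop bound must be inclusive;
    	// a strict '<' skips the final entry.
    	for (int i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
    	{
    		DbgPrint("回调的IRP_MJ 调用号 = %d 回调函数地址 = %p \n", i, DriverObject->MajorFunction[i]);
    	}
    
    	DbgPrint("执行所有功能完毕");
    
    	return STATUS_SUCCESS;
    }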
    
    

    1.3 结果

    1.4 其它简介

    利用驱动对象可以 遍历驱动的信息.得出内核中所有模块
    代码在另一个帖子
    https://www.cnblogs.com/iBinary/p/11693606.html
    可以集成到Ark工具中.
    如 Pchunter

    当然,涉及到驱动模块对抗.隐藏模块等另当别论. 喜欢内核的深入研究即可.

    此帖作为记录贴 后续进行复习学习查看.

  • 原文地址:https://www.cnblogs.com/iBinary/p/13040041.html