//////////////////////////////////////////////////
// MyDDK.cpp file
// Kernel-mode driver exposing a single IOCTL that terminates a process
// through the unexported PspTerminateProcess routine. The routine's
// address is resolved at runtime from an OS version triple supplied by
// the user-mode caller (see DispatchIoctl).
extern "C"
{
#include <ntddk.h>
// Included as a source file rather than a header; presumably this is what
// supplies FindPspTerminateProcessAddr used in DispatchIoctl -- its
// prototype is not visible in this file.
#include "FindPspTerminateProcess.cpp"
//#include "KillProcess.cpp"
// FILE_ANY_ACCESS: no particular access right on the device handle is
// required to send this code, so whoever can open the device can request
// a kill. The device itself is created without an explicit security
// descriptor (see DriverEntry).
#define IOCTL_KPDRV_KILLPROCESS \
CTL_CODE(FILE_DEVICE_UNKNOWN, 0x830, METHOD_BUFFERED, FILE_ANY_ACCESS)
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString);
NTSTATUS DispatchCreateClose(PDEVICE_OBJECT pDevObj, PIRP pIrp);
NTSTATUS DispatchIoctl(PDEVICE_OBJECT pDevObj, PIRP pIrp);
void DriverUnload(PDRIVER_OBJECT pDriverObj);
// Request layout copied out of the IOCTL input buffer. Every field is
// written by the user-mode caller and used as-is by DispatchIoctl; nothing
// in this file validates any of them.
typedef struct
{
PEPROCESS EPAddrToKill; // raw kernel EPROCESS pointer, used directly when BYKILLBYPEP != 0
NTSTATUS ExitStatus;    // exit status handed to PspTerminateProcess
ULONG PID;              // process id, looked up with PsLookupProcessByProcessId when BYKILLBYPEP == 0
ULONG BYKILLBYPEP;      // selector: nonzero = use EPAddrToKill, zero = use PID
ULONG sysmajorVer;      // OS version triple forwarded to FindPspTerminateProcessAddr;
ULONG sysminorVer;      //   the driver does not cross-check it against the running kernel
ULONG sysSPVer;
}KPDRV_IN,*PKPDRV_IN;
// Calling convention assumed for the unexported routine. It is only valid
// if the address resolved at runtime really is a function of this shape;
// a wrong version triple yields a wrong address that is then called.
typedef NTSTATUS (*PSPTERMINATEPROCESS)(
PEPROCESS Process,
NTSTATUS ExitStatus );
// File-scope, so it starts out NULL; filled lazily in DispatchIoctl with no
// locking around the one-time assignment.
PSPTERMINATEPROCESS PspTerminateProcess;
// Hand-written prototype taking a ULONG where the documented declaration
// takes a HANDLE (a width mismatch on 64-bit builds). NOTE(review):
// presumably this DDK's ntddk.h does not declare the routine itself,
// otherwise the extern "C" redeclaration would clash -- confirm.
NTSTATUS PsLookupProcessByProcessId(IN ULONG ulProcId, OUT PEPROCESS * pEProcess);
//extern FindPspTerminateProcessAddr(ULONG,ULONG,ULONG);
//=================================================
#define DEVICE_NAME L"\\Device\\KPDrvDN"
#define LINK_NAME L"\\DosDevices\\KPDrvLN"
//=================================================
}
// DriverEntry: wires up the dispatch table, creates the control device
// DEVICE_NAME and its DOS-visible link LINK_NAME.
// Returns STATUS_SUCCESS, or the IoCreateDevice / IoCreateSymbolicLink
// failure status; the device is torn down again if the link cannot be made.
// pRegistryString is not used.
// The device is created with plain IoCreateDevice and no explicit security
// descriptor, and the driver's only IOCTL is defined with FILE_ANY_ACCESS,
// so access control rests entirely on the default device DACL --
// NOTE(review): confirm which users can open this device.
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString)
{
    UNICODE_STRING devName;
    UNICODE_STRING linkName;
    PDEVICE_OBJECT devObj = NULL;
    NTSTATUS rc;

    pDriverObj->DriverUnload = DriverUnload;
    pDriverObj->MajorFunction[IRP_MJ_CREATE] = DispatchCreateClose;
    pDriverObj->MajorFunction[IRP_MJ_CLOSE] = DispatchCreateClose;
    pDriverObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl;

    // Unnamed device extension (size 0), non-exclusive, FILE_DEVICE_UNKNOWN.
    RtlInitUnicodeString(&devName, DEVICE_NAME);
    rc = IoCreateDevice(pDriverObj, 0, &devName, FILE_DEVICE_UNKNOWN, 0, FALSE, &devObj);
    if (!NT_SUCCESS(rc))
    {
        return rc;
    }

    RtlInitUnicodeString(&linkName, LINK_NAME);
    rc = IoCreateSymbolicLink(&linkName, &devName);
    if (!NT_SUCCESS(rc))
    {
        // Link failed: do not leave a device object behind.
        IoDeleteDevice(devObj);
        return rc;
    }

    return STATUS_SUCCESS;
}
// DriverUnload: removes the DOS link LINK_NAME, then deletes the device at
// the head of the driver's device list. Only that one device is deleted;
// DriverEntry creates exactly one, so nothing else is left behind.
void DriverUnload(PDRIVER_OBJECT pDriverObj)
{
    UNICODE_STRING linkName;

    RtlInitUnicodeString(&linkName, LINK_NAME);
    IoDeleteSymbolicLink(&linkName);
    IoDeleteDevice(pDriverObj->DeviceObject);
}
// IRP_MJ_CREATE / IRP_MJ_CLOSE handler: completes every request with
// STATUS_SUCCESS. No caller or context check is made here, so any
// principal the device DACL lets open the device gets a usable handle.
// IoStatus.Information is left untouched (as in the original).
NTSTATUS DispatchCreateClose(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
    const NTSTATUS rc = STATUS_SUCCESS;

    pIrp->IoStatus.Status = rc;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return rc;
}
// IRP_MJ_DEVICE_CONTROL handler. The only code handled is
// IOCTL_KPDRV_KILLPROCESS: a KPDRV_IN is copied out of the METHOD_BUFFERED
// system buffer, the target EPROCESS is taken either verbatim from the
// caller (BYKILLBYPEP != 0) or looked up by PID, PspTerminateProcess is
// resolved once from the caller-reported OS version, called, and its
// NTSTATUS is copied to pIrp->UserBuffer.
// Returns `status`, which is never reassigned from
// STATUS_INVALID_DEVICE_REQUEST, so every request -- including one whose
// kill call ran -- completes as failed with Information = 0.
//
// Review findings (none of these are handled by the code below):
//  - inBufLength / outBufLength are caller-controlled and never compared
//    with sizeof(KPDRV_IN) / sizeof(NTSTATUS) before the copies.
//  - EPAddrToKill is a raw kernel pointer from user mode, used unchecked.
//  - PsLookupProcessByProcessId's return value is ignored and its
//    reference is dropped before the object is used.
//  - Output is written to pIrp->UserBuffer (the raw user address) rather
//    than SystemBuffer, without probing or SEH.
//  - The switch has no default: case.
NTSTATUS DispatchIoctl(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
// Stays STATUS_INVALID_DEVICE_REQUEST for the whole function: no branch
// below assigns it.
NTSTATUS status = STATUS_INVALID_DEVICE_REQUEST;
PIO_STACK_LOCATION pIrpStack = IoGetCurrentIrpStackLocation(pIrp);
ULONG uIoControlCode = pIrpStack->Parameters.DeviceIoControl.IoControlCode;
// METHOD_BUFFERED: SystemBuffer is the kernel copy of the caller's input,
// and is also where the output is meant to be written back.
PVOID ioBuf = pIrp->AssociatedIrp.SystemBuffer;
// Both lengths come straight from the DeviceIoControl caller; nothing
// below checks them against the objects they are used with.
ULONG inBufLength = pIrpStack->Parameters.DeviceIoControl.InputBufferLength;
ULONG outBufLength = pIrpStack->Parameters.DeviceIoControl.OutputBufferLength;
switch(uIoControlCode)
{
case IOCTL_KPDRV_KILLPROCESS:
{
KPDRV_IN datain;
PEPROCESS epb;
// DEFECT: copies inBufLength bytes into a sizeof(KPDRV_IN) stack object.
// A longer input overruns the kernel stack; a shorter one leaves datain
// partly uninitialised although every field is read below. Needs an
// `inBufLength < sizeof(KPDRV_IN)` -> STATUS_BUFFER_TOO_SMALL check first,
// and ioBuf is presumably NULL when the caller passes no buffers at all.
RtlCopyMemory(&datain,ioBuf,inBufLength);
if (datain.BYKILLBYPEP)
{
// The EPROCESS pointer is taken verbatim from the user-mode request and
// handed to a kernel routine without any validation.
epb=datain.EPAddrToKill;
}
else
{
// DEFECT: return status ignored -- on failure epb is never written and an
// indeterminate value is used below.
PsLookupProcessByProcessId(datain.PID,&epb);
// DEFECT: the reference taken by the lookup is released here, before epb
// is used in the PspTerminateProcess call, so the object may be freed in
// between.
ObDereferenceObject(epb);
}
NTSTATUS st;
//DbgPrint("%d,%d,%d",datain.sysmajorVer,datain.sysminorVer,datain.sysSPVer);
// Lazily resolves the unexported routine from the version numbers the
// caller reported (not from the kernel itself) and caches it in a
// file-scope global with no synchronisation; concurrent requests may both
// resolve it. FindPspTerminateProcessAddr's prototype lives in the
// included .cpp, not in this file.
if (!PspTerminateProcess)
PspTerminateProcess=(PSPTERMINATEPROCESS)FindPspTerminateProcessAddr(
datain.sysmajorVer,datain.sysminorVer,datain.sysSPVer);
if (PspTerminateProcess)
{
/*DbgPrint("PspTerminateProcess:0x%X,PEPROCESS:0x%X,ExitStatus:%x",PspTerminateProcess,
datain.EPAddrToKill,datain.ExitStatus );*/
st=PspTerminateProcess(epb,datain.ExitStatus);
// DEFECT: for METHOD_BUFFERED the result belongs in SystemBuffer;
// pIrp->UserBuffer is the raw user-mode address, written here with no
// ProbeForWrite/__try, and outBufLength is unchecked: anything beyond
// sizeof(st) copies adjacent kernel stack contents to the caller.
RtlCopyMemory(pIrp->UserBuffer,&st,outBufLength);
}
else
{
// -1 (0xFFFFFFFF) is not a defined NTSTATUS value; STATUS_UNSUCCESSFUL
// would be the conventional failure code.
st=-1;
// Same unprobed UserBuffer write with an unchecked length as above.
RtlCopyMemory(pIrp->UserBuffer,&st,outBufLength);
//DbgPrint("Wrong PspTerminateProcessAddr!");
}
break;
}
// No default: -- unrecognised codes simply keep the initial status.
}
// Never true, since status is never set to STATUS_SUCCESS: Information is
// always 0 and the caller always sees DeviceIoControl fail.
if(status == STATUS_SUCCESS)
pIrp->IoStatus.Information = outBufLength;
else
pIrp->IoStatus.Information = 0;
pIrp->IoStatus.Status = status;
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
return status;
}