
📄 ntddk.pas

📁 Delphi开发驱动的一个例子 1.映射ntoskrnl.exe到内存 2.重定位信息... 3.搜索SSDT基址 4.补丁回去
  DpcListEntry:TListEntry;
  DeferredRoutine:Pointer;                      //PKDEFERRED_ROUTINE
  DeferredContext:Pointer;
  SystemArgument1:Pointer;
  SystemArgument2:Pointer;
  Lock:Pointer;                                 //PULONG_PTR
 end;
 KDPC=TKDpc;
 PRKDPC=PKDPC;

 // Header placed at the start of the waitable kernel objects declared in this
 // unit: TKEvent and TKMutant both begin with a Header field of this type.
 // Four one-byte fields, a 32-bit signal state and a list head.
 PDispatcherHeader=^TDispatcherHeader;
 TDispatcherHeader=packed record
  bType:Byte;
  bAbsolute:Byte;
  Size:Byte;
  Inserted:Byte;
  SignalState:Cardinal;
  WaitListHead:TListEntry
 end;
 DISPATCHER_HEADER=TDispatcherHeader;

 // Kernel event object: nothing but the dispatcher header.
 // PRKEVENT aliases PKEVENT, which is not declared in the visible part of the
 // file (Pascal identifiers are case-insensitive, so it resolves to PKEvent).
 PKEvent=^TKEvent;
 TKEvent=packed record
  Header:TDispatcherHeader;
 end;
 KEVENT=TKEvent;
 PRKEVENT=PKEVENT;

 // Delphi view of the kernel device object. The record is packed, so the
 // compiler inserts no alignment padding between fields.
 // NOTE(review): StackSize is a single Byte followed directly by Queue. The C
 // DDK declaration aligns the member after StackSize to a pointer boundary;
 // unless TDeviceObjectUnionQueue (declared outside this view) compensates,
 // every field from Queue onward would sit 3 bytes too early on 32-bit targets.
 // Confirm with SizeOf/offset checks before dereferencing fields past StackSize:
 // a wrong offset here means reading or writing the wrong kernel memory.
 TDeviceObject=packed record
  wType:Word;
  Size:Word;
  ReferenceCount:Integer;
  DriverObject:PDriverObject;
  NextDevice:PDeviceObject;
  AttachedDevice:PDeviceObject;
  CurrentIrp:PIrp;
  Timer:Pointer;                                //PIO_TIMER
  Flags:Cardinal;
  Characteristics:Cardinal;
  DoNotUse1:Pointer;
  DeviceExtension:Pointer;
  DeviceType:TDeviceType;
  StackSize:Byte;
  Queue:TDeviceObjectUnionQueue;
  AlignmentRequirement:Cardinal;
  // NOTE(review): TKDeviceQueue is declared elsewhere; if it is packed without
  // trailing padding the offsets of Dpc and later fields shift as well - confirm.
  DeviceQueue:TKDeviceQueue;
  Dpc:TKDpc;

  ActiveThreadCount:Cardinal;
  SecurityDescriptor:Pointer;                   //PSECURITY_DESCRIPTOR
  DeviceLock:TKEvent;

  SectorSize:Word;
  Spare1:Word;

  DeviceObjectExtension:PDevObjExtension;
  Reserved:Pointer;
 end;
 DEVICE_OBJECT=TDeviceObject;
 PDEVICE_OBJECT=^DEVICE_OBJECT;

 // Variant record used for TIrp.AssociatedIrp: the same storage is read as a
 // master-IRP pointer, an IRP count, or a system buffer pointer. The record has
 // no tag field, so nothing in the type says which interpretation is valid.
 TIrpUnionAssociatedIrp=packed record
  case Byte of
   0:(MasterIrp:PIrp);
   1:(IrpCount:Cardinal);
   2:(SystemBuffer:Pointer);
 end;

 // I/O completion status: an NTSTATUS code plus an Information value.
 // NOTE(review): Information is Cardinal although the original comment marks it
 // as ULONG_PTR; the two have the same width only on 32-bit targets.
 PIoStatusBlock=^TIoStatusBlock;
 TIoStatusBlock=packed record
  Status:NTSTATUS;
  Information:Cardinal;                         //ULONG_PTR
 end;
 IO_STATUS_BLOCK=TIoStatusBlock;
 PIO_STATUS_BLOCK=^IO_STATUS_BLOCK;


 // Branch 0 of TIrpUnionOverlay: an APC routine pointer and its context pointer.
 TIrpUnionOverlayStructAsynchronousParameters=packed record
  UserApcRoutine:Pointer;                       //PIO_APC_ROUTINE
  UserApcContext:Pointer;
 end;

 // Variant record used for TIrp.Overlay: either the asynchronous APC
 // parameters or an allocation size share the same storage.
 TIrpUnionOverlay=packed record
  case Byte of 
   0:(AsynchronousParameters:TIrpUnionOverlayStructAsynchronousParameters);
   1:(AllocationSize:TLargeInteger);
 end;

 // First member of TIrpUnionTailStructOverlay: a device queue entry overlaid
 // with four driver-context pointers.
 TIrpUnionTailStructOverlayUnion1=packed record
  case Byte of 
   0:(DeviceQueueEntry:TKDeviceQueueEntry);
   1:(DriverContext:array[0..3] of Pointer);
 end;

 // Overlay of the current stack location pointer with a packet type value.
 // CurrentStackLocation is an untyped Pointer here; the original comment names
 // PIO_STACK_LOCATION as the intended type.
 TIrpUnionTailStructOverlayStruct1Union1=packed record
  case Byte of 
   0:(CurrentStackLocation:Pointer);            //PIO_STACK_LOCATION
   1:(PacketType:Cardinal);
 end;

 // List entry followed by the stack-location / packet-type overlay; used as
 // field s1 of TIrpUnionTailStructOverlay.
 TIrpUnionTailStructOverlayStruct1=packed record
  ListEntry:TListEntry;
  u1:TIrpUnionTailStructOverlayStruct1Union1;
 end;

 // Branch 0 of TIrpUnionTail. The anonymous C members are given the names u1
 // and s1 in this translation.
 TIrpUnionTailStructOverlay=packed record
  u1:TIrpUnionTailStructOverlayUnion1;
  Thread:PEThread;
  AuxiliaryBuffer:PChar;
  s1:TIrpUnionTailStructOverlayStruct1;
  OriginalFileObject:Pointer;                   //PFILE_OBJECT
 end;

 // Variant record used for TIrp.Tail: the overlay structure, an APC object, or
 // a completion key occupy the same storage.
 TIrpUnionTail=packed record
  case Byte of 
   0:(Overlay:TIrpUnionTailStructOverlay);
   1:(Apc:TKApc);
   2:(CompletionKey:Pointer);
 end;

 // Delphi view of an I/O request packet.
 // NOTE(review): the record is packed, so the run RequestorMode..AllocationFlags
 // keeps UserIosb pointer-aligned only if TKProcessorMode and TKIrql (declared
 // elsewhere) are one byte each - confirm, otherwise every later offset is off.
 TIrp=packed record
  wType:Word;
  Size:Word;
  MdlAddress:Pointer;                           //PMDL
  Flags:Cardinal;
  AssociatedIrp:TIrpUnionAssociatedIrp;
  ThreadListEntry:TListEntry;
  IoStatus:TIoStatusBlock;
  RequestorMode:TKProcessorMode;
  PendingReturned:Boolean;
  StackCount:Byte;
  CurrentLocation:Byte;
  Cancel:Boolean;
  CancelIrql:TKIrql;
  ApcEnvironment:Byte;
  AllocationFlags:Byte;
  UserIosb:PIoStatusBlock;
  UserEvent:PKEvent;
  Overlay:TIrpUnionOverlay;
  CancelRoutine:Pointer;                        //PDRIVER_CANCEL
  // NOTE(review): presumably the requester's own buffer address, as in the C
  // DDK; code using it should check RequestorMode and validate the pointer
  // before dereferencing - confirm against the handlers in this project.
  UserBuffer:Pointer;
  Tail:TIrpUnionTail;
 end;
 IRP=TIrp;


 // Delphi view of the kernel driver object. All routine pointers are declared
 // as untyped Pointer; the trailing comments give the intended C callback type,
 // so the compiler does not check the signature of anything assigned to them.
 TDriverObject=packed record
  wType:Word;
  Size:Word;
  DeviceObject:PDeviceObject;
  Flags:Cardinal;
  DriverStart:Pointer;
  DriverSize:Cardinal;
  DriverSection:Pointer;
  DriverExtension:Pointer;                      //PDRIVER_EXTENSION
  DriverName:TUnicodeString;
  HardwareDatabase:PUnicodeString;
  FastIoDispatch:Pointer;                       //PFAST_IO_DISPATCH
  DriverInit:Pointer;                           //PDRIVER_INITIALIZE
  DriverStartIo:Pointer;                        //PDRIVER_STARTIO
  DriverUnload:Pointer;                         //PDRIVER_UNLOAD
  // One dispatch pointer per major function code; the array bound comes from
  // the IRP_MJ_MAXIMUM_FUNCTION constant declared outside this view.
  MajorFunction:array[0..IRP_MJ_MAXIMUM_FUNCTION] of Pointer;   //PDRIVER_DISPATCH
 end;
 PDRIVER_OBJECT=PDriverObject;
 DRIVER_OBJECT=TDriverObject;

 // Delphi view of the kernel file object.
 // The eight consecutive Boolean fields keep Flags 4-byte aligned in this
 // packed record as long as Boolean is one byte.
 PFileObject=^TFileObject;
 TFileObject=packed record 
  wType:Word;
  Size:Word;
  DeviceObject:PDeviceObject;
  DoNotUser1:Pointer;                           // name as published (TDeviceObject spells it DoNotUse1)
  FsContext:Pointer;
  FsContext2:Pointer;
  SectionObjectPointer:Pointer;                 //PSECTION_OBJECT_POINTERS
  PrivateCacheMap:Pointer;
  FinalStatus:NTSTATUS;
  RelatedFileObject:PFileObject;
  LockOperation:Boolean;
  DeletePending:Boolean;
  ReadAccess:Boolean;
  WriteAccess:Boolean;
  DeleteAccess:Boolean;
  SharedRead:Boolean;
  SharedWrite:Boolean;
  SharedDelete:Boolean;
  Flags:Cardinal;
  FileName:TUnicodeString;
  CurrentByteOffset:TLargeInteger;
  Waiters:Cardinal;
  Busy:Cardinal;
  LastLock:Pointer;
  Lock:TKEvent;
  Event:TKEvent;
  CompletionContext:Pointer;                    //PIO_COMPLETION_CONTEXT
 end;
 FILE_OBJECT=TFileObject;
 PFILE_OBJECT=^FILE_OBJECT;

 // Class, type and state selectors, all declared as plain Cardinal aliases.
 // Presumably enumerations in the C headers; as aliases of one integer type
 // they are interchangeable to the compiler, so no value or type checking is
 // performed on them.
 TFileInformationClass=Cardinal;
 TFsInformationClass=Cardinal;
 TDeviceRelationType=Cardinal;
 TBusQueryIdType=Cardinal;
 TDeviceTextType=Cardinal;
 TDeviceUsageNotificationType=Cardinal;
 TSystemPowerState=Cardinal;
 TPowerAction=Cardinal;
 TDevicePowerState=Cardinal;
 TPowerStateType=Cardinal;
 TKWaitReason=Cardinal;
 TPoolType=Cardinal;

 // Power state overlay: the same Cardinal-sized storage read as either a
 // system power state or a device power state.
 PPowerState=^TPowerState;
 TPowerState=packed record 
  case Byte of 
   0:(SystemState:TSystemPowerState);
   1:(DeviceState:TDevicePowerState);
 end;
 POWER_STATE=TPowerState;
 PPOWER_STATE=^POWER_STATE;

 // Create branch of TIoStackLocationUnionParameters.
 TIoStackLocationUnionParametersStructCreate=packed record
  SecurityContext:Pointer;                      //PIO_SECURITY_CONTEXT
  Options:Cardinal;
  FileAttributes:Word;
  ShareAccess:Word;
  EaLength:Cardinal;
 end;

 // Read branch of TIoStackLocationUnionParameters: length, key and byte offset.
 // Same field layout as the Write branch.
 TIoStackLocationUnionParametersStructRead=packed record
  Length:Cardinal;
  Key:Cardinal;
  ByteOffset:TLargeInteger;
 end;

 // Write branch of TIoStackLocationUnionParameters: length, key and byte offset.
 // Same field layout as the Read branch.
 TIoStackLocationUnionParametersStructWrite=packed record
  Length:Cardinal;
  Key:Cardinal;
  ByteOffset:TLargeInteger;
 end;

 // QueryFile branch of TIoStackLocationUnionParameters: buffer length and the
 // information class being queried.
 TIoStackLocationUnionParametersStructQueryFile=packed record
  Length:Cardinal;
  FileInformationClass:TFileInformationClass;
 end;

 // SetFile branch of TIoStackLocationUnionParameters. The fixed fields are
 // followed by a variant part whose three interpretations share storage.
 TIoStackLocationUnionParametersStructSetFile=packed record
  Length:Cardinal;
  FileInformationClass:TFileInformationClass;
  FileObject:PFileObject;
  case Byte of
   0:(ReplaceIfExists:Boolean;
      AdvanceOnly:Boolean);
   // NOTE(review): "CluserCount" looks like a misspelling of ClusterCount; the
   // name is part of the published interface, so it is left unchanged.
   1:(CluserCount:Cardinal);
   2:(DeleteHandle:THandle);
 end;

 // QueryVolume branch of TIoStackLocationUnionParameters: buffer length and
 // the file-system information class.
 TIoStackLocationUnionParametersStructQueryVolume=packed record
  Length:Cardinal;
  FsInformationClass:TFsInformationClass;
 end;

 // DeviceIoControl branch of TIoStackLocationUnionParameters: output and input
 // buffer lengths, the control code, and an input buffer pointer.
 // NOTE(review): in the C DDK, Type3InputBuffer is the requester's raw pointer
 // (used with METHOD_NEITHER) and both lengths are requester-supplied; a
 // dispatch routine reading this record should bound every access by
 // InputBufferLength/OutputBufferLength and validate the pointer first -
 // confirm the handlers in this project do so.
 TIoStackLocationUnionParametersStructDeviceIoControl=packed record
  OutputBufferLength:Cardinal;
  InputBufferLength:Cardinal;
  IoControlCode:Cardinal;
  Type3InputBuffer:Pointer;
 end;

 // MountVolume branch of TIoStackLocationUnionParameters: a reserved pointer
 // followed by the device object. Same layout as the VerifyVolume branch.
 TIoStackLocationUnionParametersStructMountVolume=packed record
  DoNotUse1:Pointer;
  DeviceObject:PDeviceObject;
 end;

 // VerifyVolume branch of TIoStackLocationUnionParameters: a reserved pointer
 // followed by the device object. Same layout as the MountVolume branch.
 TIoStackLocationUnionParametersStructVerifyVolume=packed record
  DoNotUse1:Pointer;
  DeviceObject:PDeviceObject;
 end;

 // Scsi branch of TIoStackLocationUnionParameters: one pointer to a SCSI
 // request block.
 // NOTE(review): "Srn" is presumably a misspelling of Srb; the name is part of
 // the published interface, so it is left unchanged.
 TIoStackLocationUnionParametersStructScsi=packed record
  Srn:Pointer;                                  //_SCSI_REQUEST_BLOCK *
 end;

 // QueryDeviceRelations branch of TIoStackLocationUnionParameters: the
 // relation type being requested.
 TIoStackLocationUnionParametersStructQueryDeviceRelations=packed record
  drType:TDeviceRelationType;
 end;

 // QueryInterface branch of TIoStackLocationUnionParameters: a GUID pointer,
 // size and version words, the interface pointer and interface-specific data.
 TIoStackLocationUnionParametersStructQueryInterface=packed record
  InterfaceType:Pointer;                        //CONST GUID *
  Size:Word;
  Version:Word;
  pInterface:Pointer;                           //PINTERFACE
  InterfaceSpecificData:Pointer;
 end;

 // DeviceCapabilities branch of TIoStackLocationUnionParameters: one pointer
 // to the capabilities structure.
 TIoStackLocationUnionParametersStructDeviceCapabilities=packed record
  Capabilities:Pointer;                         //PDEVICE_CAPABILITIES
 end;

 // FilterResourceRequirements branch of TIoStackLocationUnionParameters: one
 // pointer to the resource requirements list.
 TIoStackLocationUnionParametersStructFilterResourceRequirements=packed record
  IoResourceRequirementList:Pointer;            //PIO_RESOURCE_REQUIREMENTS_LIST
 end;

 // ReadWriteConfig branch of TIoStackLocationUnionParameters: the space
 // selector, a buffer pointer, and the offset and length of the access.
 TIoStackLocationUnionParametersStructReadWriteConfig=packed record
  WhichSpace:Cardinal;
  Buffer:Pointer;
  Offset:Cardinal;
  Length:Cardinal;
 end;

 // SetLock branch of TIoStackLocationUnionParameters: a single LongBool
 // (four bytes, unlike the one-byte Boolean used elsewhere in this unit).
 TIoStackLocationUnionParametersStructSetLock=packed record
  Lock:LongBool;
 end;

 // QueryId branch of TIoStackLocationUnionParameters: the identifier type
 // being queried.
 TIoStackLocationUnionParametersStructQueryId=packed record
  IdType:TBusQueryIdType;
 end;

 // QueryDeviceText branch of TIoStackLocationUnionParameters: the text type
 // and a locale identifier.
 TIoStackLocationUnionParametersStructQueryDeviceText=packed record
  DeviceTextType:TDeviceTextType;
  LocaleId:LCID;
 end;

 // UsageNotification branch of TIoStackLocationUnionParameters. InPath plus
 // the three Reserved bytes fill four bytes ahead of dunType.
 TIoStackLocationUnionParametersStructUsageNotification=packed record
  InPath:Boolean;
  Reserved:array[0..2] of Boolean;
  dunType:TDeviceUsageNotificationType;
 end;

 // WaitWake branch of TIoStackLocationUnionParameters: a system power state.
 TIoStackLocationUnionParametersStructWaitWake=packed record
  PowerState:TSystemPowerState;
 end;

 // PowerSequence branch of TIoStackLocationUnionParameters: one pointer to a
 // power sequence structure.
 TIoStackLocationUnionParametersStructPowerSequence=packed record
  PowerSequence:Pointer;                        //PPOWER_SEQUENCE
 end;

 // Power branch of TIoStackLocationUnionParameters: system context, the kind
 // of power state (psType), the state itself and the shutdown action.
 TIoStackLocationUnionParametersStructPower=packed record
  SystemContext:Cardinal;
  psType:TPowerStateType;
  State:TPowerState;
  ShutdownType:TPowerAction;
 end;

 // StartDevice branch of TIoStackLocationUnionParameters: pointers to the raw
 // and the translated resource lists.
 TIoStackLocationUnionParametersStructStartDevice=packed record
  AllocatedResources:Pointer;                   //PCM_RESOURCE_LIST
  AllocatedResourcesTranslated:Pointer;         //PCM_RESOURCE_LIST
 end;

 // WMI branch of TIoStackLocationUnionParameters.
 // NOTE(review): Buffer is declared Cardinal while ProviderId (ULONG_PTR) is
 // declared Pointer. The C DDK declares Buffer as a pointer; Cardinal matches
 // it in width only on 32-bit targets - confirm before building for 64-bit.
 TIoStackLocationUnionParametersStructWMI=packed record
  ProviderId:Pointer;                           //ULONG_PTR
  DataPath:Pointer;
  BufferSize:Cardinal;
  Buffer:Cardinal;
 end;

 // Others branch of TIoStackLocationUnionParameters: four untyped argument
 // pointers.
 TIoStackLocationUnionParametersStructOthers=packed record
  Argument1:Pointer;
  Argument2:Pointer;
  Argument3:Pointer;
  Argument4:Pointer;
 end;

 // Variant record used for TIoStackLocation.Parameters: every branch overlays
 // the same storage, and the record is as large as its largest branch.
 // The labels 00..24 are only Pascal variant tags; the record stores no tag
 // field and nothing here ties a label to an IRP_MJ_* value. Presumably the
 // valid branch is chosen from MajorFunction/MinorFunction of the enclosing
 // TIoStackLocation, as in the C DDK - reading any other branch reinterprets
 // unrelated data.
 TIoStackLocationUnionParameters=packed record
  case Byte of
   00:(Create:TIoStackLocationUnionParametersStructCreate);
   01:(Read:TIoStackLocationUnionParametersStructRead);
   02:(Write:TIoStackLocationUnionParametersStructWrite);
   03:(QueryFile:TIoStackLocationUnionParametersStructQueryFile);
   04:(SetFile:TIoStackLocationUnionParametersStructSetFile);
   05:(QueryVolume:TIoStackLocationUnionParametersStructQueryVolume);
   06:(DeviceIoControl:TIoStackLocationUnionParametersStructDeviceIoControl);
   07:(MountVolume:TIoStackLocationUnionParametersStructMountVolume);
   08:(VerifyVolume:TIoStackLocationUnionParametersStructVerifyVolume);
   09:(Scsi:TIoStackLocationUnionParametersStructScsi);
   10:(QueryDeviceRelations:TIoStackLocationUnionParametersStructQueryDeviceRelations);
   11:(QueryInterface:TIoStackLocationUnionParametersStructQueryInterface);
   12:(DeviceCapabilities:TIoStackLocationUnionParametersStructDeviceCapabilities);
   13:(FilterResourceRequirements:TIoStackLocationUnionParametersStructFilterResourceRequirements);
   14:(ReadWriteConfig:TIoStackLocationUnionParametersStructReadWriteConfig);
   15:(SetLock:TIoStackLocationUnionParametersStructSetLock);
   16:(QueryId:TIoStackLocationUnionParametersStructQueryId);
   17:(QueryDeviceText:TIoStackLocationUnionParametersStructQueryDeviceText);
   18:(UsageNotification:TIoStackLocationUnionParametersStructUsageNotification);
   19:(WaitWake:TIoStackLocationUnionParametersStructWaitWake);
   20:(PowerSequence:TIoStackLocationUnionParametersStructPowerSequence);
   21:(Power:TIoStackLocationUnionParametersStructPower);
   22:(StartDevice:TIoStackLocationUnionParametersStructStartDevice);
   23:(WMI:TIoStackLocationUnionParametersStructWMI);
   24:(Others:TIoStackLocationUnionParametersStructOthers);
 end;

 // One I/O stack location: four one-byte header fields, the per-request
 // parameter overlay, the target device and file objects, and a completion
 // routine pointer with its context.
 PIoStackLocation=^TIoStackLocation;
 TIoStackLocation=packed record
  MajorFunction:Byte;
  MinorFunction:Byte;
  Flags:Byte;
  Control:Byte;
  Parameters:TIoStackLocationUnionParameters;
  DeviceObject:PDeviceObject;
  FileObject:PFileObject;
  CompletionRoutine:Pointer;                    //PIO_COMPLETION_ROUTINE
  Context:Pointer;
 end;
 IO_STACK_LOCATION=TIoStackLocation;
 PIO_STACK_LOCATION=^IO_STACK_LOCATION;

  // One service descriptor table entry: two PULONG table bases, the number of
  // services, and a byte-table pointer. The sample description on this page
  // mentions locating the SSDT base; presumably this record describes it.
  // NOTE(review): the record is packed and places a ULONG between pointers, so
  // the layout holds only for 32-bit pointers. Writes through ServiceTableBase
  // change system-call dispatch machine-wide; table-integrity checks and
  // 64-bit Kernel Patch Protection treat such writes as tampering.
  PServiceDescriptorEntry=^TServiceDescriptorEntry;
  TServiceDescriptorEntry=packed record
    ServiceTableBase: PULONG;
    ServiceCounterTableBase: PULONG;
    NumberOfServices: ULONG;
    ParamTableBase: PByte;
  end;
  SERVICE_DESCRIPTOR_ENTRY=TServiceDescriptorEntry;
  PSERVICE_DESCRIPTOR_ENTRY=^SERVICE_DESCRIPTOR_ENTRY;

  // Kernel mutant (mutex) object: dispatcher header, list entry, owning thread
  // and two one-byte fields. Alignment0 is an explicit Word of padding, which
  // this packed record needs because the compiler adds none.
  PKMutant=^TKMutant;
  TKMutant=packed record
    Header:TDispatcherHeader;
    MutantListEntry:TListEntry;
    OwnerThread:PKThread;
    Abandoned:Boolean;
    ApcDisable:Byte;
    Alignment0:Word;
  end;
  TKMutex=TKMutant;
  PKMutex=^TKMutex;

type
  // Memory descriptor list header: link to the next MDL, size and flag words,
  // an untyped process pointer, two virtual-address pointers, and the byte
  // count and byte offset of the described range.
  // NOTE(review): only the fixed header is declared here; in the C DDK a
  // page-frame array follows it in memory - confirm before using SizeOf(MDL)
  // as the size of a real descriptor.
  PMDL = ^_MDL;
  _MDL = packed record
    Next: PMDL;
    Size: USHORT;
    MdlFlags: USHORT;
    Process: Pointer;
    MappedSystemVa: PVOID;
    StartVa: PVOID;
    ByteCount: ULONG;
    ByteOffset: ULONG;
  end;
  MDL = _MDL;
