📄 driverentry.c
#include <ntddk.h>
#include "ntifs.h"
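/*
 * DriverEntry - initialization routine of the FileDisk driver.
 *
 * Reads the NumberOfDevices value from the "<service key>" + PARAMETER_KEY
 * registry path, creates the device directory object, creates that many
 * disk devices through FileDiskCreateDevice(), and then installs the
 * dispatch and unload routines.
 *
 * DriverObject  - driver object handed in by the I/O manager.
 * RegistryPath  - path of this driver's service key in the registry.
 *
 * Returns STATUS_SUCCESS when at least one device was created. Returns
 * STATUS_INSUFFICIENT_RESOURCES when the path buffer cannot be allocated,
 * the ZwCreateDirectoryObject() status when the directory cannot be
 * created, and a failure status when no device could be created.
 *
 * PARAMETER_KEY, NUMBEROFDEVICES_VALUE, DEFAULT_NUMBEROFDEVICES,
 * DEVICE_DIR_NAME, dir_handle and the FileDisk* routines are declared
 * outside this function (not visible here).
 */
NTSTATUS
DriverEntry (
    IN PDRIVER_OBJECT   DriverObject,
    IN PUNICODE_STRING  RegistryPath
    )
{
    UNICODE_STRING              parameter_path;     /* service key path + PARAMETER_KEY */
    RTL_QUERY_REGISTRY_TABLE    query_table[2];     /* one query entry + zeroed terminator */
    ULONG                       n_devices;          /* number of devices to create */
    NTSTATUS                    status;             /* see ntstatus.h */
    UNICODE_STRING              device_dir_name;    /* name of the device directory object */
    OBJECT_ATTRIBUTES           object_attributes;
    ULONG                       n;
    USHORT                      n_created_devices;

    /*
     * Build "<RegistryPath><PARAMETER_KEY>". sizeof(PARAMETER_KEY) includes
     * the terminating NUL, which RtlQueryRegistryValues() needs because it
     * takes the path as a plain NUL-terminated wide string.
     * NOTE(review): ExAllocatePool is deprecated in current WDKs in favour of
     * the tagged allocators; left as is to keep the original build target.
     */
    parameter_path.Length = 0;
    parameter_path.MaximumLength = RegistryPath->Length + sizeof(PARAMETER_KEY);
    parameter_path.Buffer = (PWSTR) ExAllocatePool(PagedPool, parameter_path.MaximumLength);

    if (parameter_path.Buffer == NULL)
    {
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    RtlCopyUnicodeString(&parameter_path, RegistryPath);
    RtlAppendUnicodeToString(&parameter_path, PARAMETER_KEY);

    /* The second (all-zero) entry terminates the query table. */
    RtlZeroMemory(&query_table[0], sizeof(query_table));

    /* Do not leave the direct-query target holding stack garbage. */
    n_devices = 0;

    /*
     * RTL_QUERY_REGISTRY_DIRECT (0x00000020) | RTL_QUERY_REGISTRY_REQUIRED
     * (0x00000004) = 0x00000024, both from ntddk.h.
     *
     * With DIRECT, the routine stores the value straight into EntryContext
     * and interprets that buffer according to the type found in the
     * registry. EntryContext is a 4-byte ULONG here, so a value stored with
     * another type (a string or a large binary blob) would be written
     * through as if the ULONG were a UNICODE_STRING or a sized buffer.
     * Where the WDK provides it, request a type check so that anything
     * other than REG_DWORD is rejected and the default is used instead.
     */
    query_table[0].Flags = RTL_QUERY_REGISTRY_DIRECT | RTL_QUERY_REGISTRY_REQUIRED;
#ifdef RTL_QUERY_REGISTRY_TYPECHECK
    query_table[0].Flags |= RTL_QUERY_REGISTRY_TYPECHECK;
    query_table[0].DefaultType =
        (REG_DWORD << RTL_QUERY_REGISTRY_TYPECHECK_SHIFT) | REG_NONE;
#endif
    /* NUMBEROFDEVICES_VALUE is L"NumberOfDevices" per the original author. */
    query_table[0].Name = NUMBEROFDEVICES_VALUE;
    query_table[0].EntryContext = &n_devices;

    /* RTL_REGISTRY_ABSOLUTE (0 in ntddk.h): the path is a full registry path. */
    status = RtlQueryRegistryValues(
        RTL_REGISTRY_ABSOLUTE,
        parameter_path.Buffer,
        &query_table[0],
        NULL,
        NULL
        );

    ExFreePool(parameter_path.Buffer);

    if (!NT_SUCCESS(status))
    {
        KdPrint(("FileDisk: Query registry failed, using default values.\n"));
        n_devices = DEFAULT_NUMBEROFDEVICES;
    }

    /*
     * NOTE(review): n_devices is taken from the registry without an upper
     * bound and drives the creation loop below; consider clamping it to a
     * sane maximum.
     */

    RtlInitUnicodeString(&device_dir_name, DEVICE_DIR_NAME);

    /* OBJ_PERMANENT is 0x00000010L in ntdef.h. */
    InitializeObjectAttributes(
        &object_attributes,
        &device_dir_name,
        OBJ_PERMANENT,
        NULL,
        NULL
        );

    /*
     * DIRECTORY_ALL_ACCESS is (STANDARD_RIGHTS_REQUIRED | 0xF) in ntddk.h,
     * with STANDARD_RIGHTS_REQUIRED being 0x000F0000L.
     */
    status = ZwCreateDirectoryObject(
        &dir_handle,
        DIRECTORY_ALL_ACCESS,
        &object_attributes
        );

    if (!NT_SUCCESS(status))
    {
        return status;
    }

    /* Drop the permanent flag so the directory goes away once its handle is closed. */
    ZwMakeTemporaryObject(dir_handle);

    n_created_devices = 0;

    for (n = 0; n < n_devices; n++)
    {
        status = FileDiskCreateDevice(DriverObject, n, FILE_DEVICE_DISK);

        if (NT_SUCCESS(status))
        {
            n_created_devices++;
        }
    }

    /*
     * Disabled in the original listing: a second pass creating CD-ROM devices.
     *
     * for (n = 0; n < n_devices; n++)
     * {
     *     status = FileDiskCreateDevice(DriverObject, n, FILE_DEVICE_CD_ROM);
     *     if (NT_SUCCESS(status))
     *     {
     *         n_created_devices++;
     *     }
     * }
     */

    if (n_created_devices == 0)
    {
        ZwClose(dir_handle);

        /*
         * If the loop never ran (n_devices == 0), status still holds the
         * success code from ZwCreateDirectoryObject(). Returning it would
         * leave the driver loaded with no devices, no dispatch routines and
         * no unload routine, so report a failure instead.
         */
        return NT_SUCCESS(status) ? STATUS_UNSUCCESSFUL : status;
    }

    /*
     * Common IRP major function codes (values from ntddk.h):
     *   IRP_MJ_CREATE                  0x00  create or open the device file
     *   IRP_MJ_CLOSE                   0x02  close a handle
     *   IRP_MJ_READ                    0x03  read
     *   IRP_MJ_WRITE                   0x04  write
     *   IRP_MJ_CLEANUP                 0x12  cancel pending IRPs on a file handle
     *   IRP_MJ_DEVICE_CONTROL          0x0e  device I/O control
     *   IRP_MJ_INTERNAL_DEVICE_CONTROL 0x0f  (IRP_MJ_SCSI) I/O control from a higher-level driver
     *   IRP_MJ_SYSTEM_CONTROL          0x17  WMI
     *   IRP_MJ_POWER                   0x16  power management request
     *   IRP_MJ_PNP                     0x1b  plug and play message
     *   IRP_MJ_SHUTDOWN                0x10  shutdown notification
     */
    DriverObject->MajorFunction[IRP_MJ_CREATE]         = FileDiskCreateClose;
    DriverObject->MajorFunction[IRP_MJ_CLOSE]          = FileDiskCreateClose;
    DriverObject->MajorFunction[IRP_MJ_READ]           = FileDiskReadWrite;
    DriverObject->MajorFunction[IRP_MJ_WRITE]          = FileDiskReadWrite;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = FileDiskDeviceControl;

    DriverObject->DriverUnload = FileDiskUnload;

    return STATUS_SUCCESS;
}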