📄 wdm.h
字号:
#define IN
#define OUT
#define VOID void
#define CONST const
typedef NTSTATUS(__stdcall *PDRIVER_DISPATCH) ( DWORD, DWORD );
typedef void (__stdcall *PDRIVER_UNLOAD) (IN struct _DRIVER_OBJECT *DriverObject);
typedef NTSTATUS(__stdcall *PDRIVER_ADD_DEVICE) (struct _DRIVER_OBJECT *DriverObject,struct _DEVICE_OBJECT *PhysicalDeviceObject);
typedef struct _DRIVER_EXTENSION {
struct _DRIVER_OBJECT *DriverObject;
PDRIVER_ADD_DEVICE AddDevice;
ULONG Count;
UNICODE_STRING ServiceKeyName;
} DRIVER_EXTENSION, *PDRIVER_EXTENSION;
typedef void (__stdcall *PDRIVER_STARTIO) ( struct _DEVICE_OBJECT *DeviceObject, struct _IRP *Irp);
typedef struct _DRIVER_OBJECT {
CSHORT Type; // 0,2
CSHORT Size; // 2,2
DWORD DeviceObject;//4,4 PDEVICE_OBJECT DeviceObject;
ULONG Flags; // 8,4
PVOID DriverStart; // c,4
ULONG DriverSize; // 10,4
PVOID DriverSection; // 14,4
PDRIVER_EXTENSION DriverExtension; // 18,4
UNICODE_STRING DriverName; // 1c,8
PUNICODE_STRING HardwareDatabase; //24,4
DWORD FastIoDispatch;//28,4 PFAST_IO_DISPATCH FastIoDispatch;
DWORD DriverInit;//2c,4 PDRIVER_INITIALIZE DriverInit;
PDRIVER_STARTIO DriverStartIo; // 30,4
PDRIVER_UNLOAD DriverUnload; // 34,4
//PDRIVER_DISPATCH MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];
PDRIVER_DISPATCH MajorFunction[0x1c]; //38,?
//DWORD MajorFunction[0x1c];
} DRIVER_OBJECT, *PDRIVER_OBJECT;
typedef struct _DISPATCHER_HEADER {
UCHAR Type;
UCHAR Absolute;
UCHAR Size;
UCHAR Inserted;
LONG SignalState;
LIST_ENTRY WaitListHead;
} DISPATCHER_HEADER;
typedef struct _KEVENT {
DISPATCHER_HEADER Header;
} KEVENT, *PKEVENT, *PRKEVENT;
typedef unsigned char BOOLEAN;
typedef struct _IO_REMOVE_LOCK_COMMON_BLOCK {
BOOLEAN Removed;
BOOLEAN Reserved [3];
LONG IoCount;
KEVENT RemoveEvent;
} IO_REMOVE_LOCK_COMMON_BLOCK;
typedef struct _IO_REMOVE_LOCK {
IO_REMOVE_LOCK_COMMON_BLOCK Common;
} IO_REMOVE_LOCK, *PIO_REMOVE_LOCK;
NTSTATUS __stdcall IoAcquireRemoveLockEx (PIO_REMOVE_LOCK RemoveLock, PVOID Tag, PCSTR File, ULONG Line, ULONG RemlockSize);
typedef DWORD ULONG_PTR; //yes, its really DWORD
typedef ULONG_PTR SIZE_T, *PSIZE_T, *PULONG_PTR;
typedef struct _IO_STATUS_BLOCK { //sizeof = 8
//union {
NTSTATUS Status;
// PVOID Pointer;
//};
ULONG_PTR Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
typedef CCHAR KPROCESSOR_MODE;
typedef void (__stdcall *PDRIVER_CANCEL) ( struct _DEVICE_OBJECT *DeviceObject, struct _IRP *Irp);
typedef struct _MDL {
struct _MDL *Next; //+00
CSHORT Size; //+04
CSHORT MdlFlags; //+06
struct _EPROCESS *Process; //+08
PVOID MappedSystemVa; //+0c
PVOID StartVa;
ULONG ByteCount;
ULONG ByteOffset;
} MDL, *PMDL;
typedef struct _LARGE_INTEGER {
ULONG LowPart;
LONG HighPart;
} LARGE_INTEGER;
typedef
VOID
(__stdcall *PKNORMAL_ROUTINE) (
IN PVOID NormalContext,
IN PVOID SystemArgument1,
IN PVOID SystemArgument2
);
typedef
VOID
(__stdcall *PKKERNEL_ROUTINE) (
IN struct _KAPC *Apc,
IN OUT PKNORMAL_ROUTINE *NormalRoutine,
IN OUT PVOID *NormalContext,
IN OUT PVOID *SystemArgument1,
IN OUT PVOID *SystemArgument2
);
typedef
VOID
(__stdcall *PKRUNDOWN_ROUTINE) (
IN struct _KAPC *Apc
);
typedef struct _KAPC {
CSHORT Type; //+00
CSHORT Size; //+02
ULONG Spare0; //+04
struct _KTHREAD *Thread; //+08
LIST_ENTRY ApcListEntry; //+0c
PKKERNEL_ROUTINE KernelRoutine; //+14
PKRUNDOWN_ROUTINE RundownRoutine; //+18
PKNORMAL_ROUTINE NormalRoutine; //+1c
PVOID NormalContext; //+20
//
// N.B. The following two members MUST be together.
//
PVOID SystemArgument1; //+24
PVOID SystemArgument2; //+28
CCHAR ApcStateIndex; //+2c
KPROCESSOR_MODE ApcMode; //+2d
BOOLEAN Inserted; //+2e
char reserve; //+2f i add
} KAPC, *PKAPC;
typedef struct _FILE_OBJECT {
CSHORT Type;
CSHORT Size;
/*
PDEVICE_OBJECT DeviceObject;
PVOID DoNotUse1;
PVOID FsContext;
PVOID FsContext2;
PSECTION_OBJECT_POINTERS SectionObjectPointer;
PVOID PrivateCacheMap;
NTSTATUS FinalStatus;
struct _FILE_OBJECT *RelatedFileObject;
BOOLEAN LockOperation;
BOOLEAN DeletePending;
BOOLEAN ReadAccess;
BOOLEAN WriteAccess;
BOOLEAN DeleteAccess;
BOOLEAN SharedRead;
BOOLEAN SharedWrite;
BOOLEAN SharedDelete;
ULONG Flags;
UNICODE_STRING FileName;
LARGE_INTEGER CurrentByteOffset;
ULONG Waiters;
ULONG Busy;
PVOID LastLock;
KEVENT Lock;
KEVENT Event;
PIO_COMPLETION_CONTEXT CompletionContext;
*/
} FILE_OBJECT;
typedef struct _FILE_OBJECT *PFILE_OBJECT;
/*
typedef struct _IRP { //sizeof = 70h
CSHORT Type; //+00
USHORT Size; //+02
PMDL MdlAddress; //+04
ULONG Flags; //+08
union {
struct _IRP *MasterIrp;
LONG IrpCount; //+0c
PVOID SystemBuffer;
} AssociatedIrp;
LIST_ENTRY ThreadListEntry; //+10
IO_STATUS_BLOCK IoStatus; //+18h
KPROCESSOR_MODE RequestorMode; //+20
BOOLEAN PendingReturned; //+21
CHAR StackCount; //+22
CHAR CurrentLocation; //+23
BOOLEAN Cancel; //+24
KIRQL CancelIrql; //+25
CCHAR ApcEnvironment; //+26
UCHAR AllocationFlags; //+27
PIO_STATUS_BLOCK UserIosb; //+28
PKEVENT UserEvent; //+2c
//union {
// struct {
// PIO_APC_ROUTINE UserApcRoutine;
// PVOID UserApcContext;
// } AsynchronousParameters;
LARGE_INTEGER AllocationSize; //+30
//} Overlay;
PDRIVER_CANCEL CancelRoutine; //+38
PVOID UserBuffer; //+3c
//PVOID CompletionKey; //+40
//PVOID DriverContext[4]; //+40
//PETHREAD Thread; //+50
//PCHAR AuxiliaryBuffer; //+54
//LIST_ENTRY ListEntry; //+58
//ULONG PacketType; //+60
//60 Tail.Overlay.CurrentStackLocation
//PFILE_OBJECT OriginalFileObject;//+64
KAPC Apc; //+40, sizeof = 30
} IRP, *PIRP;
*/
typedef
VOID
(__stdcall *PIO_APC_ROUTINE) (
IN PVOID ApcContext,
IN PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG Reserved
);
typedef struct _KDEVICE_QUEUE_ENTRY {
LIST_ENTRY DeviceListEntry;
ULONG SortKey;
BOOLEAN Inserted;
char reserve1;
char reserve2;
char reserve3;
} KDEVICE_QUEUE_ENTRY, *PKDEVICE_QUEUE_ENTRY;
typedef struct _ETHREAD{} *PETHREAD;
typedef struct _IRP {
CSHORT Type;
USHORT Size;
//
// Define the common fields used to control the IRP.
//
//
// Define a pointer to the Memory Descriptor List (MDL) for this I/O
// request. This field is only used if the I/O is "direct I/O".
//
PMDL MdlAddress;
//
// Flags word - used to remember various flags.
//
ULONG Flags;
//
// The following union is used for one of three purposes:
//
// 1. This IRP is an associated IRP. The field is a pointer to a master
// IRP.
//
// 2. This is the master IRP. The field is the count of the number of
// IRPs which must complete (associated IRPs) before the master can
// complete.
//
// 3. This operation is being buffered and the field is the address of
// the system space buffer.
//
union {
struct _IRP *MasterIrp;
LONG IrpCount;
PVOID SystemBuffer;
} AssociatedIrp;
//
// Thread list entry - allows queueing the IRP to the thread pending I/O
// request packet list.
//
LIST_ENTRY ThreadListEntry;
//
// I/O status - final status of operation.
//
IO_STATUS_BLOCK IoStatus;
//
// Requestor mode - mode of the original requestor of this operation.
//
KPROCESSOR_MODE RequestorMode;
//
// Pending returned - TRUE if pending was initially returned as the
// status for this packet.
//
BOOLEAN PendingReturned;
//
// Stack state information.
//
CHAR StackCount;
CHAR CurrentLocation;
//
// Cancel - packet has been canceled.
//
BOOLEAN Cancel;
//
// Cancel Irql - Irql at which the cancel spinlock was acquired.
//
KIRQL CancelIrql;
//
// ApcEnvironment - Used to save the APC environment at the time that the
// packet was initialized.
//
CCHAR ApcEnvironment;
//
// Allocation control flags.
//
UCHAR AllocationFlags;
//
// User parameters.
//
PIO_STATUS_BLOCK UserIosb;
PKEVENT UserEvent;
union {
struct {
PIO_APC_ROUTINE UserApcRoutine;
PVOID UserApcContext;
} AsynchronousParameters;
LARGE_INTEGER AllocationSize;
} Overlay;
//
// CancelRoutine - Used to contain the address of a cancel routine supplied
// by a device driver when the IRP is in a cancelable state.
//
PDRIVER_CANCEL CancelRoutine;
//
// Note that the UserBuffer parameter is outside of the stack so that I/O
// completion can copy data back into the user's address space without
// having to know exactly which service was being invoked. The length
// of the copy is stored in the second half of the I/O status block. If
// the UserBuffer field is NULL, then no copy is performed.
//
PVOID UserBuffer;
//
// Kernel structures
//
// The following section contains kernel structures which the IRP needs
// in order to place various work information in kernel controller system
// queues. Because the size and alignment cannot be controlled, they are
// placed here at the end so they just hang off and do not affect the
// alignment of other fields in the IRP.
//
union {
struct {
union {
//
// DeviceQueueEntry - The device queue entry field is used to
// queue the IRP to the device driver device queue.
//
KDEVICE_QUEUE_ENTRY DeviceQueueEntry;
struct {
//
// The following are available to the driver to use in
// whatever manner is desired, while the driver owns the
// packet.
//
PVOID DriverContext[4];
} ;
} ;
//
// Thread - pointer to caller's Thread Control Block.
//
PETHREAD Thread;
//
// Auxiliary buffer - pointer to any auxiliary buffer that is
// required to pass information to a driver that is not contained
// in a normal buffer.
//
PCHAR AuxiliaryBuffer;
//
// The following unnamed structure must be exactly identical
// to the unnamed structure used in the minipacket header used
// for completion queue entries.
//
struct {
//
// List entry - used to queue the packet to completion queue, among
// others.
//
LIST_ENTRY ListEntry;
union {
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -