#include "Interface.h"
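/*
 * Kernel-debugger trace macro. Usage: OSINFO_KDPRINT(("fmt", args...)); — the
 * double parentheses hand the whole printf-style argument list to DbgPrint.
 *
 * The expansion is wrapped in do { ... } while (0) so it is a single statement.
 * The previous expansion was two bare statements, so `if (c) OSINFO_KDPRINT(...);`
 * printed the "OSINFO.SYS: " prefix conditionally but the message itself
 * unconditionally. Callers must terminate the macro with a semicolon (as the
 * DDK KdPrint-style macros expect). In non-DBG builds it expands to a no-op
 * statement rather than to nothing, so it stays valid in if/else bodies.
 */
#if DBG
#define OSINFO_KDPRINT(_x_) \
	do { \
		DbgPrint("OSINFO.SYS: "); \
		DbgPrint _x_; \
	} while (0)
#else
#define OSINFO_KDPRINT(_x_) ((void)0)
#endif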
/*
 * Service descriptor table entry (the kernel's KeServiceDescriptorTable, as
 * referenced by SYSTEMSERVICE below). This is an undocumented, build-specific
 * layout: when it does not match the running kernel, every access through it
 * is a wild read or write in kernel mode.
 */
typedef struct _SERVICE_DESCRIPTOR_TABLE
{
PVOID ServiceTableBase; // base of the service address table (indexed by SYSTEMSERVICE)
PULONG ServiceCounterTableBase; // per-service counter table, by name — confirm
ULONG NumberOfService; // number of services in the table
ULONG ParamTableBase; // parameter-table base, by name; held as ULONG, not as a pointer
}SERVICE_DESCRIPTOR_TABLE,*PSERVICE_DESCRIPTOR_TABLE;
/*
 * Resolves a system-service stub to its slot in the service table by reading
 * the 32-bit immediate that follows the stub's first byte — the "mov eax, imm32"
 * shape that MOVEAX / SSDTENTRY below describe. Nothing here checks that the
 * first byte really is MOVEAX, so a stub that is hooked, relocated or built
 * differently yields an unchecked index into the table; callers should verify
 * the opcode byte and range-check the index against NumberOfService first.
 * NOTE(review): with ServiceTableBase declared PVOID above, the `[ ]` subscript
 * needs KeServiceDescriptorTable's actual declaration to expose a pointer-sized
 * element type — confirm against Interface.h.
 */
#define SYSTEMSERVICE(_function) KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)_function+1)]
/*
 * One loaded-module record; an array of these follows the count in MODULE_LIST
 * below (presumably the buffer format for SystemModuleInformation — confirm).
 * Undocumented, build-specific layout.
 */
typedef struct _MODULE_INFO
{
DWORD d_Reserved1;
DWORD d_Reserved2;
PVOID p_Base; // module image base
DWORD d_Size; // module size, by name (units not stated here)
DWORD d_Flags;
WORD w_Index;
WORD w_Rank;
WORD w_LoadCount;
WORD w_NameOffset; // presumably the offset of the file-name part inside a_bPath — bounds-check it against MAXIMUM_FILENAME_LENGTH before use
BYTE a_bPath [MAXIMUM_FILENAME_LENGTH]; // module path; this declaration alone does not guarantee NUL termination
} MODULE_INFO, *PMODULE_INFO, **PPMODULE_INFO;
/*
 * Variable-length module list: a count followed by a flexible array of
 * MODULE_INFO. Before walking a_Modules, check that the buffer actually
 * received holds sizeof(DWORD) + d_Modules * sizeof(MODULE_INFO) bytes;
 * d_Modules is taken from the buffer itself and is not validated by this type.
 */
typedef struct _MODULE_LIST
{
DWORD d_Modules; // number of entries in a_Modules (by name)
MODULE_INFO a_Modules[]; // flexible array member (C99 / MSVC extension)
} MODULE_LIST, *PMODULE_LIST, **PPMODULE_LIST;
// System-information classes given as plain integers because the partial
// SYSTEM_INFORMATION_CLASS enum below does not carry 11. Note that 5 is the
// same value the enum names SystemProcessInformation.
#define SystemProcessesAndThreadsInformation 5
#define SystemModuleInformation 11
/*
 * Partial SYSTEM_INFORMATION_CLASS: only the classes this driver uses are
 * listed, so the numeric gaps are intentional. NOTE(review): if a DDK header
 * already included via Interface.h declares the same enum, this is a
 * redefinition error — confirm what Interface.h pulls in.
 */
typedef enum _SYSTEM_INFORMATION_CLASS
{
SystemBasicInformation = 0,
SystemPerformanceInformation = 2,
SystemTimeOfDayInformation = 3,
SystemProcessInformation = 5, // same value as the SystemProcessesAndThreadsInformation define above
SystemProcessorPerformanceInformation = 8,
SystemInterruptInformation = 23,
SystemExceptionInformation = 33,
SystemRegistryQuotaInformation = 37,
SystemLookasideInformation = 45
} SYSTEM_INFORMATION_CLASS;
// Expected first opcode byte of a system-service stub: "mov eax, imm32" loading
// the service index (the same byte SYSTEMSERVICE skips over).
#define MOVEAX 0xb8
// Packed (push/pop, so the caller's packing is restored) so that the struct
// overlays the 5-byte stub exactly: 1 opcode byte + 4 index bytes.
#pragma pack( push, 1 )
typedef struct _SSDTENTRY
{
BYTE bMovEax; // 0xb8, MOV EAX, xxx — compare against MOVEAX before trusting dwIndex
DWORD dwIndex; // service index; range-check against NumberOfService before indexing the table
} SSDTENTRY;
#pragma pack( pop )
////////////////////////////////////////////////////////////////////
// Registry (configuration manager) cell signatures; the two-character tag each
// value spells is given in the trailing comment.
#define CM_KEY_INDEX_ROOT 0x6972 // ir
#define CM_KEY_INDEX_LEAF 0x696c // il
#define CM_KEY_FAST_LEAF 0x666c // fl
#define CM_KEY_HASH_LEAF 0x686c // hl
// Some CM data structures; only the leading part that is actually used is listed.
// Byte packing applies from here to the "#pragma pack()" at the end of this
// header. It is set without push, so the closing pragma restores the compiler
// default rather than the packing in effect when this header was included; the
// push/pop form used around SSDTENTRY above is the safer idiom, but both ends
// would have to change together.
#pragma pack(1)
/*
 * Leading fields of a registry key node cell. The structure is deliberately
 * truncated (see the "// ..." marker), so sizeof(CM_KEY_NODE) is NOT the real
 * cell size: never allocate or copy one by this type, only read the listed
 * fields through a pointer obtained from the hive.
 */
typedef struct _CM_KEY_NODE
{
USHORT Signature; // cell signature; compare against the CM_KEY_* values above
USHORT Flags;
LARGE_INTEGER LastWriteTime;
ULONG Spare; // used to be TitleIndex
HANDLE Parent; // parent cell, held as HANDLE
ULONG SubKeyCounts[2]; // Stable and Volatile
HANDLE SubKeyLists[2]; // Stable and Volatile
// ...
} CM_KEY_NODE, *PCM_KEY_NODE;
/*
 * Registry subkey index cell: a signature, an entry count, and a trailing
 * variable-length list declared with the old [1] idiom. Bound every walk of
 * List by Count (and by the size of the containing cell); indexing past the
 * declared element is intentional here, not a bug in the consumer.
 */
typedef struct _CM_KEY_INDEX
{
USHORT Signature; // one of the CM_KEY_* signatures above
USHORT Count; // number of valid entries in List
HANDLE List[1]; // Count entries follow; [1] is a placeholder for a variable-length array
} CM_KEY_INDEX, *PCM_KEY_INDEX;
/*
 * Key object body (the object behind an open registry key handle). Layout is
 * undocumented and build-specific; the Type tag is the only self-check
 * available before trusting the remaining fields.
 */
typedef struct _CM_KEY_BODY
{
ULONG Type; // "ky02"
PVOID KeyControlBlock; // points at a CM_KEY_CONTROL_BLOCK (declared below)
PVOID NotifyBlock;
PVOID Process; // the owner process
LIST_ENTRY KeyBodyList; // key_nodes using the same kcb
} CM_KEY_BODY, *PCM_KEY_BODY;
// Hive cell-resolution callback stored in HHIVE below: presumably
// (hive, cell) -> mapped cell pointer, by name — confirm; the cell argument is
// typed HANDLE here while KEYHASH.KeyCell is a ULONG.
typedef PVOID (__stdcall *PGET_CELL_ROUTINE)(PVOID, HANDLE);
/*
 * Leading fields of a registry hive descriptor. Truncated (see "// ..."):
 * only the signature and the cell-resolution routine are usable through this
 * declaration; do not take sizeof or allocate by it.
 */
typedef struct _HHIVE
{
ULONG Signature;
PGET_CELL_ROUTINE GetCellRoutine; // resolves a cell index to a pointer
// ...
} HHIVE, *PHHIVE;
/*
 * Hash-chain entry embedded in CM_KEY_CONTROL_BLOCK: a hash key, the chain
 * link, and the (hive, cell) pair that locates the key's CM_KEY_NODE.
 */
typedef struct
{
ULONG ConvKey; // hash of the key name, by name — confirm
PVOID * NextHash; // next entry in the hash chain
PHHIVE KeyHive; // Hive containing CM_KEY_NODE
ULONG KeyCell; // Cell containing CM_KEY_NODE
} KEYHASH;
// Presumably a configuration switch mirrored from the CM sources; it is not
// referenced anywhere in this header.
#define KCB_TO_KEYBODY_LINK
/*
 * Leading fields of a key control block (referenced from CM_KEY_BODY above).
 * Truncated (see "// ......"). Signature exists only when CM_DEBUG_KCB is
 * defined, which shifts every later field: that define must agree with the
 * kernel build being inspected or KeyHash is read from the wrong offset.
 */
typedef struct _CM_KEY_CONTROL_BLOCK {
#ifdef CM_DEBUG_KCB
ULONG Signature;
#endif
BOOLEAN Delete;
USHORT RefCount;
KEYHASH KeyHash; // locates the key's CM_KEY_NODE via KeyHive / KeyCell
// ......
} CM_KEY_CONTROL_BLOCK, *PCM_KEY_CONTROL_BLOCK;
////////////////////////////////////////////////////////////////////
//
// Object Directory Structure
//
/*
 * Executive push lock, one pointer-sized word. The anonymous union overlays
 * the bit-field view (1+1+1+1+28 = 32 bits), the whole-word view (Value) and
 * the pointer view (Ptr) on the same storage; the bit-field layout only
 * matches a 32-bit build. Read-only from this driver's point of view — the
 * lock is owned by the kernel.
 */
typedef struct _EX_PUSH_LOCK
{
union
{
ULONG Locked: 1;
ULONG Waiting: 1;
ULONG Waking: 1;
ULONG MultipleShared: 1;
ULONG Shared: 28;
ULONG Value; // the same word as an integer
PVOID Ptr; // the same word as a pointer
};
} EX_PUSH_LOCK, *PEX_PUSH_LOCK;
// Bucket count of the object-directory hash table below.
#define NUMBER_HASH_BUCKETS 37
// Sentinel for OBJECT_DIRECTORY.SessionId, by name.
#define OBJ_INVALID_SESSION_ID 0xFFFFFFFF
/*
 * Object manager directory object: a fixed-size array of hash chains of
 * OBJECT_DIRECTORY_ENTRY, a push lock the kernel holds while mutating it,
 * the device map and the owning session. Undocumented, build-specific layout.
 */
typedef struct _OBJECT_DIRECTORY
{
struct _OBJECT_DIRECTORY_ENTRY *HashBuckets[ NUMBER_HASH_BUCKETS ]; // chain heads, indexed by name hash
EX_PUSH_LOCK Lock;
struct _DEVICE_MAP * DeviceMap; // _DEVICE_MAP is not declared in this header
ULONG SessionId; // OBJ_INVALID_SESSION_ID when none
} OBJECT_DIRECTORY, *POBJECT_DIRECTORY;
//
// Object Directory Entry Structure
//
/*
 * One link of an OBJECT_DIRECTORY hash chain. The HashValue field that some
 * builds carry is deliberately left out; being last, its absence only
 * shortens sizeof and does not shift ChainLink or Object.
 */
typedef struct _OBJECT_DIRECTORY_ENTRY
{
struct _OBJECT_DIRECTORY_ENTRY *ChainLink; // next entry in the same bucket, NULL at the end
PVOID Object; // object body (not the OBJECT_HEADER) — confirm against the consumer
//ULONG HashValue;
} OBJECT_DIRECTORY_ENTRY, *POBJECT_DIRECTORY_ENTRY;
/*
 * Optional name information attached to an object header (located via
 * OBJECT_HEADER.NameOffset). Same 0x10-byte shape as OBJECT_NAME further
 * down, which names the last field Reserved instead.
 */
typedef struct _OBJECT_HEADER_NAME_INFO
{
POBJECT_DIRECTORY Directory; // directory the object is inserted in
UNICODE_STRING Name; // object name; Length/MaximumLength bound the buffer, not a terminator
ULONG QueryReferences;
} OBJECT_HEADER_NAME_INFO, *POBJECT_HEADER_NAME_INFO;
/*
 * Process pool-quota block referenced from OBJECT_HEADER. The /*nnn*/ tags are
 * byte offsets; the trailing /*020*/ gives the total size (0x20).
 */
typedef struct _QUOTA_BLOCK
{
/*000*/ DWORD Flags;
/*004*/ DWORD ChargeCount;
/*008*/ DWORD PeakPoolUsage [2]; // NonPagedPool, PagedPool
/*010*/ DWORD PoolUsage [2]; // NonPagedPool, PagedPool
/*018*/ DWORD PoolQuota [2]; // NonPagedPool, PagedPool
/*020*/
} QUOTA_BLOCK, *PQUOTA_BLOCK, **PPQUOTA_BLOCK;
/*
 * Creator information that can precede an object header (selected by the
 * union in OBJECT_HEADER): a list link and the creating process id.
 */
typedef struct _OBJECT_CREATOR_INFO
{
LIST_ENTRY ObjectList; // OBJECT_CREATOR_INFO
HANDLE UniqueProcessId; // process id of the creator
WORD Reserved1;
WORD Reserved2;
}OBJECT_CREATOR_INFO, *POBJECT_CREATOR_INFO, **PPOBJECT_CREATOR_INFO;
/*
 * Object manager header that precedes every object body. The three BYTE
 * offsets locate optional sub-headers; the base and direction they are
 * measured from is not stated here — confirm against the kernel build before
 * applying them. Undocumented, build-specific layout: a mismatch means the
 * counts and pointers read here are garbage.
 */
typedef struct _OBJECT_HEADER
{
DWORD PointerCount; // number of pointer references
DWORD HandleCount; // number of open handles
POBJECT_TYPE ObjectType; // pointer to the type object
BYTE NameOffset; // offset of the object name info (OBJECT_HEADER_NAME_INFO)
BYTE HandleDBOffset; // offset of the handle DB
BYTE QuotaChargesOffset; // offset of the quota charges
BYTE ObjectFlags; // object flags
union
{ // OB_FLAG_CREATE_INFO set in ObjectFlags ? ObjectCreateInfo : QuotaBlock
PQUOTA_BLOCK QuotaBlock;
POBJECT_CREATOR_INFO ObjectCreateInfo;
};
PSECURITY_DESCRIPTOR SecurityDescriptor; // security descriptor of the object
}OBJECT_HEADER, *POBJECT_HEADER;
/*
 * Alternative view of the object name info: identical to
 * OBJECT_HEADER_NAME_INFO above except that the last DWORD is unnamed here.
 * The /*nnn*/ tags are byte offsets; total size 0x10.
 */
typedef struct _OBJECT_NAME
{
/*000*/ POBJECT_DIRECTORY Directory;
/*004*/ UNICODE_STRING Name;
/*00C*/ DWORD Reserved;
/*010*/
}OBJECT_NAME, *POBJECT_NAME;
/////////////////////////////////////////////////////////
/*
 * One slot of a process handle table. Object is declared as a ULONG, so this
 * layout only fits a 32-bit kernel; the ObAttributes alias shows that the same
 * word also carries attribute bits (which bits is not stated here — mask per
 * the target build before treating it as a pointer). The second union is
 * either the granted-access word (or its two 16-bit halves) or, presumably for
 * a free slot, the free-list link.
 */
typedef struct _HANDLE_TABLE_ENTRY
{
union
{
ULONG Object; // object pointer with attribute bits folded in
ULONG ObAttributes; // same word, viewed as attributes
};
union
{
union
{
ACCESS_MASK GrantedAccess;
struct
{
USHORT GrantedAccessIndex;
USHORT CreatorBackTraceIndex;
};
};
LONG NextFreeTableEntry; // free-list link, by name
};
} HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;
/*
 * Per-process handle table. Table is a triple-indirect pointer to
 * HANDLE_TABLE_ENTRY, i.e. a multi-level table whose level structure is not
 * described here. Note this declaration is still inside the "#pragma pack(1)"
 * region opened before CM_KEY_NODE, so ERESOURCE / KEVENT / LIST_ENTRY are
 * laid out byte-packed as well. Undocumented, build-specific layout.
 */
typedef struct _HANDLE_TABLE
{
ULONG Flags;
LONG HandleCount; // number of handles currently in the table
PHANDLE_TABLE_ENTRY **Table; // multi-level entry table
PEPROCESS QuotaProcess; // process charged for the table's pool
HANDLE UniqueProcessId; // owning process id
LONG FirstFreeTableEntry; // head of the free list (see HANDLE_TABLE_ENTRY.NextFreeTableEntry)
LONG NextIndexNeedingPool;
ERESOURCE HandleTableLock; // kernel-owned; never acquired from this header's consumers
LIST_ENTRY HandleTableList; // link in the system-wide list of handle tables, by name
KEVENT HandleContentionEvent;
} HANDLE_TABLE , *PHANDLE_TABLE ;
/*
 * Per-handle callback passed to a PFNEXENUMHANDLETABLE routine: receives the
 * table entry, the handle value and the caller's context. What the BOOLEAN
 * return means (stop vs. continue) is not stated here — confirm.
 */
typedef BOOLEAN (*PFNEX_ENUMERATE_HANDLE_ROUTINE)(
IN PHANDLE_TABLE_ENTRY HandleTableEntry,
IN HANDLE Handle,
IN PVOID EnumParameter
);
/*
 * Signature of a handle-table enumeration routine (presumably the kernel's
 * ExEnumHandleTable, resolved at run time — the typedef alone does not show
 * how it is obtained). Invokes EnumHandleProcedure for each entry; the
 * optional Handle out-parameter presumably receives the handle at which
 * enumeration stopped — confirm.
 */
typedef BOOLEAN (*PFNEXENUMHANDLETABLE) (
IN PVOID HandleTable,
IN PFNEX_ENUMERATE_HANDLE_ROUTINE EnumHandleProcedure,
IN PVOID EnumParameter,
OUT PHANDLE Handle OPTIONAL
);
/*
 * Signature of a process-id lookup routine (shape of PsLookupProcessByProcessId):
 * maps a client id to an EPROCESS pointer. On success the caller owns a
 * reference on *PpEProcess and must release it; check the NTSTATUS before
 * using the pointer.
 */
typedef NTSTATUS (*PFNPSLOOKUPPROCESSBYPROCESSID) (
IN HANDLE hCid,
OUT PEPROCESS * PpEProcess
);
// Ends the "#pragma pack(1)" region opened before CM_KEY_NODE. Because that
// pragma was not a push, this resets to the compiler default rather than
// restoring the packing that was in effect when this header was included.
#pragma pack()
/////////////////////////////////////////////////////////////////////////