本文整理汇总了C++中KdPrint函数的典型用法代码示例。如果您正苦于以下问题:C++ KdPrint函数的具体用法?C++ KdPrint怎么用?C++ KdPrint使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了KdPrint函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的C++代码示例。
示例1: ddk_DispatchRoutine_CONTROL
NTSTATUS ddk_DispatchRoutine_CONTROL(IN PDEVICE_OBJECT pDevobj,IN PIRP pIrp )
{ //
ULONG info;
int *pi=(int*)ExAllocatePool(PagedPool,sizeof(int));
//得到当前栈指针
PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(pIrp);
ULONG mf=stack->MajorFunction;//区分IRP
switch (mf)
{
case IRP_MJ_DEVICE_CONTROL:
{ KdPrint(("Enter myDriver_DeviceIOControl\n"));
NTSTATUS status = STATUS_SUCCESS;
//得到输入缓冲区大小
ULONG cbin = stack->Parameters.DeviceIoControl.InputBufferLength;
//得到输出缓冲区大小
ULONG cbout = stack->Parameters.DeviceIoControl.OutputBufferLength;
//得到IOCTL码
ULONG code = stack->Parameters.DeviceIoControl.IoControlCode;
switch (code)
{
case add_code:
{
int a,b;
KdPrint(("add_code 1111111111111111111\n"));
//缓冲区方式IOCTL
//获取缓冲区数据 a,b
int * InputBuffer = (int*)pIrp->AssociatedIrp.SystemBuffer;
_asm
{
mov eax,InputBuffer
mov ebx,[eax]
mov a,ebx
mov ebx,[eax+4]
mov b,ebx
}
KdPrint(("a=%d,b=%d \n", a,b));
a=a+b;
//C、驱动层返回数据至用户层
//操作输出缓冲区
int* OutputBuffer = (int*)pIrp->AssociatedIrp.SystemBuffer;
_asm
{
mov eax,a
mov ebx,OutputBuffer
mov [ebx],eax //bufferet=a+b
}
KdPrint(("a+b=%d \n",a));
//设置实际操作输出缓冲区长度
info = 4;
break;
}
case hook_code:
{ //从buffer获取MyPid
//获取缓冲区数据 a,b
int * InputBuffer = (int*)pIrp->AssociatedIrp.SystemBuffer;
_asm
{
mov eax,InputBuffer
mov ebx,[eax]
mov MyPID,ebx
}
int* OutputBuffer = (int*)pIrp->AssociatedIrp.SystemBuffer;
_asm
{
mov eax,1
mov ebx,OutputBuffer
mov [ebx],eax //
}
info = 4;
Hook();
break;
}
case unhook_code:
{ UnHook();
break;
}
case sub_code:
{
break;
}
}//end code switch
break;
}
case IRP_MJ_CREATE:
{
break;
}
case IRP_MJ_CLOSE:
{
break;
}
case IRP_MJ_READ:
{
break;
//.........这里部分代码省略.........
示例2: DriverUnload
// Çý¶¯Ð¶ÔØÀý³Ì
void DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
KdPrint(("hello DriverUnload \r\n"));
}
示例3: mt_malloc
void *
mt_malloc(ULONG size, const char *file, ULONG line)
{
KIRQL irql;
struct prefix *data;
struct postfix *pd;
#if 1
// check pool integrity
KeAcquireSpinLock(&guard, &irql);
for (data = first; data; data = data->next)
check(data);
for (data = last; data; data = data->prev)
check(data);
KeReleaseSpinLock(&guard, irql);
#endif
if (size == 0) {
KdPrint(("memtrack: mt_malloc: size == 0!\n"));
INT_3;
return NULL;
}
data = (struct prefix *)ExAllocatePool(NonPagedPool,
sizeof(struct prefix) + size + sizeof(struct postfix));
if (data == NULL)
return NULL;
data->magic = MAGIC;
data->next = NULL;
data->prev = NULL;
data->size = size;
data->file = file;
data->line = line;
memset(data->data, 0xcc, size); // fill by 0xcc: new
pd = (struct postfix *)(data->data + data->size);
pd->size = size;
pd->magic = MAGIC;
KeAcquireSpinLock(&guard, &irql);
if (last) {
last->next = data;
data->prev = last;
last = data;
}
else {
data->prev = NULL;
first = last = data;
}
count++;
KeReleaseSpinLock(&guard, irql);
return data->data;
}
示例4: tdi_set_event_handler
int
tdi_set_event_handler(PIRP irp, PIO_STACK_LOCATION irps, struct completion *completion)
{
PTDI_REQUEST_KERNEL_SET_EVENT r = (PTDI_REQUEST_KERNEL_SET_EVENT)&irps->Parameters;
NTSTATUS status;
struct ot_entry *ote_addr = NULL;
KIRQL irql;
int result = FILTER_DENY;
TDI_EVENT_CONTEXT *ctx;
KdPrint(("[tdi_fw] tdi_set_event_handler: [%s] devobj 0x%x; addrobj 0x%x; EventType: %d\n",
r->EventHandler ? "(+)ADD" : "(-)REMOVE",
irps->DeviceObject,
irps->FileObject,
r->EventType));
ote_addr = ot_find_fileobj(irps->FileObject, &irql);
if (ote_addr == NULL) {
KdPrint(("[tdi_fw] tdi_set_event_handler: ot_find_fileobj(0x%x)\n", irps->FileObject));
if (r->EventHandler == NULL) {
// for fileobjects loaded earlier than our driver allow removing
result = FILTER_ALLOW;
}
goto done;
}
if (r->EventType < 0 || r->EventType >= MAX_EVENT) {
KdPrint(("[tdi_fw] tdi_set_event_handler: unknown EventType %d!\n", r->EventType));
result = FILTER_ALLOW;
goto done;
}
ctx = &ote_addr->ctx[r->EventType];
if (r->EventHandler != NULL) {
/* add EventHandler */
int i;
for (i = 0; g_tdi_event_handlers[i].event != (ULONG)-1; i++)
if (g_tdi_event_handlers[i].event == r->EventType)
break;
if (g_tdi_event_handlers[i].event == (ULONG)-1) {
KdPrint(("[tdi_fw] tdi_set_event_handler: unknown EventType %d!\n", r->EventType));
result = FILTER_ALLOW;
goto done;
}
ctx->old_handler = r->EventHandler;
ctx->old_context = r->EventContext;
if (g_tdi_event_handlers[i].handler != NULL) {
r->EventHandler = g_tdi_event_handlers[i].handler;
r->EventContext = ctx;
} else {
r->EventHandler = NULL;
r->EventContext = NULL;
}
KdPrint(("[tdi_fw] tdi_set_event_handler: old_handler 0x%x; old_context 0x%x\n",
r->EventHandler, r->EventContext));
} else {
/* remove EventHandler */
ctx->old_handler = NULL;
ctx->old_context = NULL;
}
// change LISTEN state
if (r->EventType == TDI_EVENT_CONNECT) {
TA_ADDRESS *local_addr;
if (r->EventHandler != NULL) {
// add "LISTEN" info
status = add_listen(ote_addr);
if (status != STATUS_SUCCESS) {
KdPrint(("[tdi_fw] tdi_set_event_handler: add_listen: 0x%x!\n", status));
goto done;
}
} else if (ote_addr->listen_entry != NULL) {
// remove "LISTEN" info
del_listen_obj(ote_addr->listen_entry, FALSE);
ote_addr->listen_entry = NULL;
}
// log it if address is not 127.0.0.1
local_addr = (TA_ADDRESS *)(ote_addr->local_addr);
if (ntohl(((TDI_ADDRESS_IP *)(local_addr->Address))->in_addr) != 0x7f000001) {
struct flt_request request;
memset(&request, 0, sizeof(request));
request.struct_size = sizeof(request);
request.type = (r->EventHandler != NULL) ? TYPE_LISTEN : TYPE_NOT_LISTEN;
request.proto = IPPROTO_TCP; // correct?
if (r->EventHandler != NULL) {
// for removing event handler ProcessNotifyProc can be already called
//.........这里部分代码省略.........
示例5: ot_free
void
ot_free(void)
{
KIRQL irql;
int i;
struct ot_entry *ote;
if (g_ot_hash == NULL)
return; // have nothing to do
// do cleanup for address & connection objects
for (i = 0; i < HASH_SIZE; i++) {
for (;;) { // do it again and again
PFILE_OBJECT connobj = NULL, event_addrobj;
PVOID event_handler = NULL, event_context;
int event_type;
PDEVICE_OBJECT devobj;
KeAcquireSpinLock(&g_ot_hash_guard, &irql);
for (ote = g_ot_hash[i]; ote != NULL; ote = ote->next) {
if (ote->fileobj == NULL)
continue; // skip processed items
#ifdef _USE_TDI_HOOKING
devobj = ote->devobj;
#else
devobj = get_original_devobj(ote->devobj, NULL);
#endif
if (ote->type == FILEOBJ_ADDROBJ) {
// find at least one event handler & remove it @ PASSIVE level
int j;
event_addrobj = ote->fileobj;
for (j = 0; j < MAX_EVENT; j++)
if (ote->ctx[j].old_handler != NULL) {
event_type = j;
event_handler = ote->ctx[j].old_handler;
event_context = ote->ctx[j].old_context;
KdPrint(("[tdi_fw] ot_free: got event handler to restore (addrobj: 0x%x; type: %d; handler: 0x%x; context: 0x%x\n",
event_addrobj,
event_type,
event_handler,
event_context));
ote->ctx[j].old_handler = NULL;
break;
}
if (event_handler != NULL)
break;
KdPrint(("[tdi_fw] ot_free: no event handlers for addrobj: 0x%x\n",
ote->fileobj));
// remove this addrobj from "LISTEN" state
if (ote->listen_entry != NULL) {
del_listen_obj(ote->listen_entry, FALSE);
ote->listen_entry = NULL;
}
// no event handlers
ote->fileobj = NULL;
} else if (ote->type == FILEOBJ_CONNOBJ) {
// check connobj is connected (remote addr is not 0)
TA_ADDRESS *remote_addr = (TA_ADDRESS *)(ote->remote_addr);
if (((TDI_ADDRESS_IP *)(remote_addr->Address))->in_addr == 0) {
KdPrint(("[tdi_fw] ot_free: connobj 0x%x is not connected\n", connobj));
} else {
// disconnect this connection using TDI_DISCONNECT @ PASSIVE level
connobj = ote->fileobj;
KdPrint(("[tdi_fw] ot_free: got connobj 0x%x (%x:%x) to disconnect\n",
connobj,
((TDI_ADDRESS_IP *)(remote_addr->Address))->in_addr,
((TDI_ADDRESS_IP *)(remote_addr->Address))->sin_port));
}
// remove this connobj from "CONNECTED" state
if (ote->conn_entry != NULL) {
del_tcp_conn_obj(ote->conn_entry, FALSE);
ote->conn_entry = NULL;
// TODO: check if state TCP_STATE_TIME_WAIT don't delete it
}
// skip this object next time
ote->fileobj = NULL;
}
}
//.........这里部分代码省略.........
示例6: hpt_attach
static int hpt_attach(device_t dev)
{
PHBA hba = (PHBA)device_get_softc(dev);
HIM *him = hba->ldm_adapter.him;
PCI_ID pci_id;
HPT_UINT size;
PVBUS vbus;
PVBUS_EXT vbus_ext;
KdPrint(("hpt_attach(%d/%d/%d)", pci_get_bus(dev), pci_get_slot(dev), pci_get_function(dev)));
#if __FreeBSD_version >=440000
pci_enable_busmaster(dev);
#endif
pci_id.vid = pci_get_vendor(dev);
pci_id.did = pci_get_device(dev);
pci_id.rev = pci_get_revid(dev);
pci_id.subsys = (HPT_U32)(pci_get_subdevice(dev)) << 16 | pci_get_subvendor(dev);
size = him->get_adapter_size(&pci_id);
hba->ldm_adapter.him_handle = malloc(size, M_DEVBUF, M_WAITOK);
if (!hba->ldm_adapter.him_handle)
return ENXIO;
hba->pcidev = dev;
hba->pciaddr.tree = 0;
hba->pciaddr.bus = pci_get_bus(dev);
hba->pciaddr.device = pci_get_slot(dev);
hba->pciaddr.function = pci_get_function(dev);
if (!him->create_adapter(&pci_id, hba->pciaddr, hba->ldm_adapter.him_handle, hba)) {
free(hba->ldm_adapter.him_handle, M_DEVBUF);
return -1;
}
os_printk("adapter at PCI %d:%d:%d, IRQ %d",
hba->pciaddr.bus, hba->pciaddr.device, hba->pciaddr.function, pci_get_irq(dev));
if (!ldm_register_adapter(&hba->ldm_adapter)) {
size = ldm_get_vbus_size();
vbus_ext = malloc(sizeof(VBUS_EXT) + size, M_DEVBUF, M_WAITOK);
if (!vbus_ext) {
free(hba->ldm_adapter.him_handle, M_DEVBUF);
return -1;
}
memset(vbus_ext, 0, sizeof(VBUS_EXT));
vbus_ext->ext_type = EXT_TYPE_VBUS;
ldm_create_vbus((PVBUS)vbus_ext->vbus, vbus_ext);
ldm_register_adapter(&hba->ldm_adapter);
}
ldm_for_each_vbus(vbus, vbus_ext) {
if (hba->ldm_adapter.vbus==vbus) {
hba->vbus_ext = vbus_ext;
hba->next = vbus_ext->hba_list;
vbus_ext->hba_list = hba;
break;
}
}
return 0;
}
示例7: hpt_async
static void hpt_async(void * callback_arg, u_int32_t code, struct cam_path * path, void * arg)
{
KdPrint(("hpt_async"));
}
示例8: sizeof
//KeServiceDescriptorTable -- 包含了 SSDT,(其 Shadow SSDT 处都是NULL)
//KeServiceDescriptorTableShadow -- 包含了 SSDT + Shadow SSDT,因此GUI线程不用转换也能调用 SSDT 中的函数
SYSTEM_SERVICE_TABLE *GetKeServiceDescriptorTableShadowAddress ()
{
//32位系统中导出了KeServiceDescriptorTable变量,
//其后紧接着有未导出的 KeServiceDescriptorTableShadow, 其前部分的内容和 KeServiceDescriptorTable 内容一样
//通过从 KeAddSystemServiceTable 导出函数开始搜索,并比较内存中的内容,从而找到 KeServiceDescriptorTableShadow,
//通过搜索 操作SSDT的函数实现中的有效内存地址的办法 来查找 Shadow SSDT
//TODO: 能取到 KeServiceDescriptorTable 导出变量的地址,返回 KeServiceDescriptorTable[1] 不就是 KeServiceDescriptorTableShadow 的地址了?
// First, obtain a pointer to KeAddSystemServiceTable
unsigned char *check = (unsigned char*)KeAddSystemServiceTable;
int i;
//Initialize an instance of System Service Table, will be used to
//obtain an address from KeAddSystemServiceTable
SYSTEM_SERVICE_TABLE *rc=0;
if (g_pSystemServiceTable)
{
return g_pSystemServiceTable;
}
// Make 100 attempts to match a valid address with that of KeServiceDescriptorTable
for (i=0; i<4096; i++) { //PAGE_SIZE
__try {
// try to obtain an address from KeAddSystemServiceTable
rc = *(SYSTEM_SERVICE_TABLE **)check;
// if this address is NOT valid OR it itself is the address of
//KeServiceDescriptorTable OR its first entry is NOT equal
//to the first entry of KeServiceDescriptorTable
if (!MmIsAddressValid (rc)
|| (rc == (SYSTEM_SERVICE_TABLE *)KeServiceDescriptorTable)
|| (memcmp (rc, KeServiceDescriptorTable, sizeof (*rc)) != 0)) {
// Proceed with the next address
check++;
// don't forget to reset the old address
rc = 0;
}
} __except (EXCEPTION_EXECUTE_HANDLER)
{
rc = 0;
}
// when the loop is completed, check if it produced a valid address
if (rc)
{
// because if it didn't, we failed to find the address of KeServiceDescriptorTableShadow
break;
}
}
// otherwise, there is a valid address! So return it!
g_pSystemServiceTable = rc;
if (g_pSystemServiceTable)
{
KdPrint(("g_pSystemServiceTable : %#x, SSDT EntryCount=%d, Shadow EntryCount=%d\n",
g_pSystemServiceTable, g_pSystemServiceTable[0].NumberOfServices,
g_pSystemServiceTable[1].NumberOfServices));
}
else
{
KdPrint(("!!! Find Shadow SSDT Failed from KeAddSystemServiceTable=%p\n", KeAddSystemServiceTable));
}
return g_pSystemServiceTable;
}
示例9: OsrUsbIoctlGetInterruptMessage
VOID
OsrUsbIoctlGetInterruptMessage(
_In_ WDFDEVICE Device,
_In_ NTSTATUS ReaderStatus
)
/*++
Routine Description
This method handles the completion of the pended request for the IOCTL
IOCTL_OSRUSBFX2_GET_INTERRUPT_MESSAGE.
Arguments:
Device - Handle to a framework device.
Return Value:
None.
--*/
{
NTSTATUS status;
WDFREQUEST request;
PDEVICE_CONTEXT pDevContext;
size_t bytesReturned = 0;
PSWITCH_STATE switchState = NULL;
pDevContext = GetDeviceContext(Device);
do {
//
// Check if there are any pending requests in the Interrupt Message Queue.
// If a request is found then complete the pending request.
//
status = WdfIoQueueRetrieveNextRequest(pDevContext->InterruptMsgQueue, &request);
if (NT_SUCCESS(status)) {
status = WdfRequestRetrieveOutputBuffer(request,
sizeof(SWITCH_STATE),
&switchState,
NULL);// BufferLength
if (!NT_SUCCESS(status)) {
TraceEvents(TRACE_LEVEL_ERROR, DBG_IOCTL,
"User's output buffer is too small for this IOCTL, expecting a SWITCH_STATE\n");
bytesReturned = sizeof(SWITCH_STATE);
} else {
//
// Copy the state information saved by the continuous reader.
//
if (NT_SUCCESS(ReaderStatus)) {
switchState->SwitchesAsUChar = pDevContext->CurrentSwitchState;
bytesReturned = sizeof(SWITCH_STATE);
} else {
bytesReturned = 0;
}
}
//
// Complete the request. If we failed to get the output buffer then
// complete with that status. Otherwise complete with the status from the reader.
//
WdfRequestCompleteWithInformation(request,
NT_SUCCESS(status) ? ReaderStatus : status,
bytesReturned);
status = STATUS_SUCCESS;
} else if (status != STATUS_NO_MORE_ENTRIES) {
KdPrint(("WdfIoQueueRetrieveNextRequest status %08x\n", status));
}
request = NULL;
} while (status == STATUS_SUCCESS);
return;
}
示例10: SepRmCommandServerThreadInit
BOOLEAN
SepRmCommandServerThreadInit(
VOID
)
/*++
Routine Description:
This function performs initialization of the Reference Monitor Server
thread. The following steps are performed.
o Wait on the LSA signaling the event. When the event is signaled,
the LSA has already created the LSA Command Server LPC Port
o Close the LSA Init Event Handle. The event is not used again.
o Listen for the LSA to connect to the Port
o Accept the connection.
o Connect to the LSA Command Server LPC Port
Arguments:
None.
Return Value:
--*/
{
NTSTATUS Status;
UNICODE_STRING LsaCommandPortName;
PORT_MESSAGE ConnectionRequest;
SECURITY_QUALITY_OF_SERVICE DynamicQos;
OBJECT_ATTRIBUTES ObjectAttributes;
PORT_VIEW ClientView;
REMOTE_PORT_VIEW LsaClientView;
BOOLEAN BooleanStatus = TRUE;
PAGED_CODE();
//
// Save a pointer to our process so we can get back into this process
// to send commands to the LSA (using a handle to an LPC port created
// below).
//
SepRmLsaCallProcess = PsGetCurrentProcess();
ObReferenceObject(SepRmLsaCallProcess);
//
// Wait on the LSA signaling the event. This means that the LSA
// has created its command port, not that LSA initialization is
// complete.
//
Status = ZwWaitForSingleObject(
SepRmState.LsaInitEventHandle,
FALSE,
NULL);
if ( !NT_SUCCESS(Status) ) {
KdPrint(("Security Rm Init: Waiting for LSA Init Event failed 0x%lx\n", Status));
goto RmCommandServerThreadInitError;
}
//
// Close the LSA Init Event Handle. The event is not used again.
//
ZwClose(SepRmState.LsaInitEventHandle);
//
// Listen for a connection to be made by the LSA to the Reference Monitor
// Command Port. This connection will be made by the LSA process.
//
ConnectionRequest.u1.s1.TotalLength = sizeof(ConnectionRequest);
ConnectionRequest.u1.s1.DataLength = (CSHORT)0;
Status = ZwListenPort(
SepRmState.RmCommandServerPortHandle,
&ConnectionRequest
);
if (!NT_SUCCESS(Status)) {
KdPrint(("Security Rm Init: Listen to Command Port failed 0x%lx\n",
Status));
goto RmCommandServerThreadInitError;
}
//
// Obtain a handle to the LSA process for use when auditing.
//
InitializeObjectAttributes( &ObjectAttributes, NULL, 0, NULL, NULL );
Status = ZwOpenProcess(
&SepLsaHandle,
PROCESS_VM_OPERATION | PROCESS_VM_WRITE,
//.........这里部分代码省略.........
示例11: SepRmCallLsa
//.........这里部分代码省略.........
);
ReplyMessage.ReturnedStatus = STATUS_SUCCESS;
} else {
Status = ZwRequestWaitReplyPort(
SepRmState.LsaCommandPortHandle,
(PPORT_MESSAGE) &CommandMessage,
(PPORT_MESSAGE) &ReplyMessage
);
}
//
// If the command was successful, copy the data back to the output
// buffer.
//
if (NT_SUCCESS(Status)) {
//
// Move output from command (if any) to buffer. Note that this
// is done even if the command returns status, because some status
// values are not errors.
//
if (ARGUMENT_PRESENT(WorkQueueItem->ReplyBuffer)) {
RtlCopyMemory(
WorkQueueItem->ReplyBuffer,
ReplyMessage.ReplyBuffer,
WorkQueueItem->ReplyBufferLength
);
}
//
// Return status from command.
//
Status = ReplyMessage.ReturnedStatus;
if (!NT_SUCCESS(Status)) {
KdPrint(("Security: Command sent from RM to LSA returned 0x%lx\n",
Status));
}
} else {
KdPrint(("Security: Sending Command RM to LSA failed 0x%lx\n", Status));
}
//
// On return from the LPC call to the LSA, we expect the called
// LSA worker routine to have copied the Command Parameters
// buffer (if any). If a custom shared memory buffer was allocated,
// free it now.
//
if (CommandMessage.CommandParamsMemoryType == SepRmLsaCustomSharedMemory) {
RegionSize = 0;
Status = ZwFreeVirtualMemory(
SepLsaHandle,
(PVOID *) &CommandMessage.CommandParams,
&RegionSize,
MEM_RELEASE
);
ASSERT(NT_SUCCESS(Status));
}
}
//
// Clean up. We must call the cleanup functions on its parameter
// and then free the used WorkQueueItem itself.
//
if ( ARGUMENT_PRESENT( WorkQueueItem->CleanupFunction)) {
(WorkQueueItem->CleanupFunction)(WorkQueueItem->CleanupParameter);
}
//
// Determine if there is more work to do on this list
//
WorkQueueItem = SepDequeueWorkItem();
}
KeDetachProcess();
if ( LocalListLength > SepLsaQueueLength ) {
SepLsaQueueLength = LocalListLength;
}
return Status;
}
示例12: SeRmInitPhase1
BOOLEAN
SeRmInitPhase1(
)
/*++
Routine Description:
This function is called by Phase 1 System Initialization to initialize
the Security Reference Monitor. Note that initialization of the
Reference Monitor Global State has already been performed in Phase 0
initialization to allow access validation routines to operate without
having to check that Reference Monitor Initialization is complete.
The steps listed below are performed in this routine. The remainder
of Reference Monitor initialization requires the LSA subsystem to have run,
so that initialization is performed in a separate thread (the RM Command
Server Thread, see below), so that the present thread can create the
Session Manager which execs the LSA.
o Create the Reference Monitor Command LPC port. The LSA subsystem sends
commands (e.g. turn on auditing) which change the Reference Monitor
Global State.
o Create an Event for use in synchronizing with the LSA subsystem. The
LSA will signal the event when the portion of LSA initialization upon
with the Reference Monitor depends is complete. The Reference Monitor
uses another LPC port, called the LSA Command Port to send commands
to the LSA, so the RM must know that this port has been created before
trying to connect to it.
o Create the Reference Monitor Command Server Thread. This thread is
a permanent thread of the System Init process that fields the Reference
Monitor State Change commands described above.
Arguments:
None.
Return Value:
BOOLEAN - TRUE if Rm Initialization (Phase 1) succeeded, else FALSE
--*/
{
NTSTATUS Status;
UNICODE_STRING RmCommandPortName;
OBJECT_ATTRIBUTES ObjectAttributes;
UNICODE_STRING LsaInitEventName;
OBJECT_ATTRIBUTES LsaInitEventObjectAttributes;
SECURITY_DESCRIPTOR LsaInitEventSecurityDescriptor;
ULONG AclSize;
PAGED_CODE();
//
// Create an LPC port called the Reference Monitor Command Port.
// This will be used by the LSA to send commands to the Reference
// Monitor to update its state data.
//
RtlInitUnicodeString( &RmCommandPortName, L"\\SeRmCommandPort" );
InitializeObjectAttributes(
&ObjectAttributes,
&RmCommandPortName,
0,
NULL,
NULL
);
Status = ZwCreatePort(
&SepRmState.RmCommandServerPortHandle,
&ObjectAttributes,
sizeof(SEP_RM_CONNECT_INFO),
sizeof(RM_COMMAND_MESSAGE),
sizeof(RM_COMMAND_MESSAGE) * 32
);
if( !NT_SUCCESS(Status) ) {
KdPrint(("Security: Rm Create Command Port failed 0x%lx\n", Status));
return FALSE;
}
//
// Prepare to create an event for synchronizing with the LSA.
// First, build the Security Descriptor for the Init Event Object
//
Status = RtlCreateSecurityDescriptor(
&LsaInitEventSecurityDescriptor,
SECURITY_DESCRIPTOR_REVISION
);
if (!NT_SUCCESS(Status)) {
KdPrint(("Security: Creating Lsa Init Event Desc failed 0x%lx\n",
Status));
return FALSE;
//.........这里部分代码省略.........
示例13: SepRmCommandServerThread
VOID
SepRmCommandServerThread(
IN PVOID StartContext
)
/*++
Routine Description:
This function is executed indefinitely by a dedicated permanent thread
of the Sysinit Process, called the Reference Monitor Server Thread.
This thread updates Reference Monitor Global State Data by dispatching
commands sent from the LSA through the the Reference Monitor LPC Command
Port. The following steps are repeated indefinitely:
o Initialize RM Command receive and reply buffer headers
o Perform remaining Reference Monitor initialization involving LSA
o Wait for RM command sent from LSA, send reply to previous command
(if any)
o Validate command
o Dispatch to command worker routine to execute command.
Arguments:
None.
Return Value:
None.
--*/
{
NTSTATUS Status;
PRM_REPLY_MESSAGE Reply;
RM_COMMAND_MESSAGE CommandMessage;
RM_REPLY_MESSAGE ReplyMessage;
PAGED_CODE();
//
// Perform the rest of the Reference Monitor initialization, involving
// synchronization with the LSA or dependency on the LSA having run.
//
if (!SepRmCommandServerThreadInit()) {
KdPrint(("Security: Terminating Rm Command Server Thread\n"));
return;
}
Status = PoRequestShutdownEvent (NULL);
if (!NT_SUCCESS (Status)) {
ZwClose (SepRmState.RmCommandPortHandle);
ZwClose (SepRmState.RmCommandServerPortHandle);
ZwClose (SepRmState.LsaCommandPortHandle);
ZwClose (SepLsaHandle);
SepRmState.RmCommandPortHandle = NULL;
SepRmState.RmCommandServerPortHandle = NULL;
SepRmState.LsaCommandPortHandle = NULL;
SepLsaHandle = NULL;
return;
}
//
// Initialize LPC port message header type and length fields for the
// received command message.
//
CommandMessage.MessageHeader.u2.ZeroInit = 0;
CommandMessage.MessageHeader.u1.s1.TotalLength =
(CSHORT) sizeof(RM_COMMAND_MESSAGE);
CommandMessage.MessageHeader.u1.s1.DataLength =
CommandMessage.MessageHeader.u1.s1.TotalLength -
(CSHORT) sizeof(PORT_MESSAGE);
//
// Initialize the LPC port message header type and data sizes for
// for the reply message.
//
ReplyMessage.MessageHeader.u2.ZeroInit = 0;
ReplyMessage.MessageHeader.u1.s1.TotalLength =
(CSHORT) sizeof(RM_COMMAND_MESSAGE);
ReplyMessage.MessageHeader.u1.s1.DataLength =
ReplyMessage.MessageHeader.u1.s1.TotalLength -
(CSHORT) sizeof(PORT_MESSAGE);
//
// First time through, there is no reply.
//
Reply = NULL;
//
// Now loop indefinitely, processing incoming Rm commands from the LSA.
//
for(;;) {
//.........这里部分代码省略.........
示例14: DriverEntry
extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING B) //TYPEDEF LONG NTSTATUS
{
ULONG cur,old;
JMPCODE JmpCode;
cur=GetNt_CurAddr();//A
old=GetNt_OldAddr();//C
if (cur!=old)
{ //hook
ishook=true;
//保存前5字节
pcur=(PJMPCODE)(cur);//初始化指针
oldCode.E9=pcur->E9;//1字节
oldCode.JMPADDR=pcur->JMPADDR;//4字节
//
JmpCode.E9=0xE9;
JmpCode.JMPADDR=old-cur-5; //jmp是偏移
KdPrint(("要写入的地址%X",JmpCode.JMPADDR));
//写入JMP C-A-5=B //实际要写入地址
__asm //去掉页面保护
{
cli
mov eax,cr0
and eax,not 10000h //and eax,0FFFEFFFFh
mov cr0,eax
}
pcur->E9=0xE9;//jmp
pcur->JMPADDR=JmpCode.JMPADDR;//要跳转到的地址
__asm //恢复页保护
{
mov eax,cr0
or eax,10000h //or eax,not 0FFFEFFFFh
mov cr0,eax
sti
}
KdPrint(("NtOpenProcess被HOOK了"));
}
/* ULONG SSDT_NtOpenProcess_Cur_Addr;
KdPrint(("驱动成功被加载...OK++++++++\n\n"));
//读取SSDT表中 NtOpenProcess当前地址 KeServiceDescriptorTable
// [[KeServiceDescriptorTable]+0x7A*4]
__asm
{ int 3
push ebx
push eax
mov ebx,KeServiceDescriptorTable
mov ebx,[ebx] //表的基地址
mov eax,0x7a
shl eax,2//0x7A*4 //imul eax,eax,4//shl eax,2
add ebx,eax//[KeServiceDescriptorTable]+0x7A*4
mov ebx,[ebx]
mov SSDT_NtOpenProcess_Cur_Addr,ebx
pop eax
pop ebx
}
KdPrint(("SSDT_NtOpenProcess_Cur_Addr=%x\n\n",SSDT_NtOpenProcess_Cur_Addr));*/
//注册派遣函数
pDriverObject->MajorFunction[IRP_MJ_CREATE]=ddk_DispatchRoutine_CONTROL; //IRP_MJ_CREATE相关IRP处理函数
pDriverObject->MajorFunction[IRP_MJ_CLOSE]=ddk_DispatchRoutine_CONTROL; //IRP_MJ_CREATE相关IRP处理函数
pDriverObject->MajorFunction[IRP_MJ_READ]=ddk_DispatchRoutine_CONTROL; //IRP_MJ_CREATE相关IRP处理函数
pDriverObject->MajorFunction[IRP_MJ_CLOSE]=ddk_DispatchRoutine_CONTROL; //IRP_MJ_CREATE相关IRP处理函数
pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL]=ddk_DispatchRoutine_CONTROL; //IRP_MJ_CREATE相关IRP处理函数
CreateMyDevice(pDriverObject);//创建相应的设备
pDriverObject->DriverUnload=DDK_Unload;
return (1);
}
示例15: RfsdCheckDismount
__drv_mustHoldCriticalRegion
BOOLEAN
RfsdCheckDismount (
IN PRFSD_IRP_CONTEXT IrpContext,
IN PRFSD_VCB Vcb,
IN BOOLEAN bForce )
{
KIRQL Irql;
PVPB Vpb = Vcb->Vpb;
BOOLEAN bDeleted = FALSE;
ULONG UnCleanCount = 0;
PAGED_CODE();
ExAcquireResourceExclusiveLite(
&RfsdGlobal->Resource, TRUE );
ExAcquireResourceExclusiveLite(
&Vcb->MainResource, TRUE );
if ((IrpContext->MajorFunction == IRP_MJ_CREATE) &&
(IrpContext->RealDevice == Vcb->RealDevice)) {
UnCleanCount = 3;
} else {
UnCleanCount = 2;
}
IoAcquireVpbSpinLock (&Irql);
if ((Vpb->ReferenceCount == UnCleanCount) || bForce) {
if ((Vpb->ReferenceCount != UnCleanCount) && bForce) {
KdPrint(("RfsdCheckDismount: force dismount ...\n"));
}
ClearFlag( Vpb->Flags, VPB_MOUNTED );
ClearFlag( Vpb->Flags, VPB_LOCKED );
#ifdef _MSC_VER
#pragma prefast( suppress: 28175, "allowed in file system drivers" )
#endif
if ((Vcb->RealDevice != Vpb->RealDevice) &&
(Vcb->RealDevice->Vpb == Vpb)) {
SetFlag( Vcb->RealDevice->Flags, DO_DEVICE_INITIALIZING );
SetFlag( Vpb->Flags, VPB_PERSISTENT );
}
RfsdRemoveVcb(Vcb);
ClearFlag(Vpb->Flags, VPB_MOUNTED);
SetFlag(Vcb->Flags, VCB_DISMOUNT_PENDING);
Vpb->DeviceObject = NULL;
bDeleted = TRUE;
}
IoReleaseVpbSpinLock(Irql);
ExReleaseResourceForThreadLite(
&Vcb->MainResource,
ExGetCurrentResourceThread() );
ExReleaseResourceForThreadLite(
&RfsdGlobal->Resource,
ExGetCurrentResourceThread() );
if (bDeleted) {
KdPrint(("RfsdCheckDismount: now free the vcb ...\n"));
RfsdFreeVcb(Vcb);
}
return bDeleted;
}