windows驱动开发详解遍历设备栈
查找设备名
内核对象地址减去0x18即为OBJECT_HEADER的地址(该偏移取自下面32位内核的dt输出,其他内核版本或64位下的偏移可能不同).
kd> dt _OBJECT_HEADER
   +0x000 PointerCount : Int4B
   +0x004 HandleCount : Int4B
   +0x004 NextToFree : Ptr32 Void
   +0x008 Type : Ptr32 _OBJECT_TYPE
   +0x00c NameInfoOffset : UChar        // _OBJECT_HEADER地址减去NameInfoOffset的值就是_OBJECT_HEADER_NAME_INFO结构的地址,该结构里面保存有对象的名字.
   +0x00d HandleInfoOffset : UChar
   +0x00e QuotaInfoOffset : UChar
   +0x00f Flags : UChar
   +0x010 ObjectCreateInfo : Ptr32 _OBJECT_CREATE_INFORMATION
   +0x010 QuotaBlockCharged : Ptr32 Void
   +0x014 SecurityDescriptor : Ptr32 Void
   +0x018 Body : _QUAD
/*
 * Name block that the object manager keeps in front of an OBJECT_HEADER for
 * named objects; it is located by subtracting OBJECT_HEADER.NameInfoOffset
 * from the header address. Field order and types must match the kernel's
 * own layout exactly, because this struct is only ever overlaid on kernel
 * memory, never allocated by the driver.
 */
typedef struct _OBJECT_HEADER_NAME_INFO {
    POBJECT_DIRECTORY Directory;   /* presumably the containing object directory — verify against kernel symbols */
    UNICODE_STRING    Name;        /* the kernel object's name is stored here */
    ULONG             Reserved;
#if DBG
    ULONG             Reserved2;
    LONG              DbgDereferenceCount;
#endif
} OBJECT_HEADER_NAME_INFO, *POBJECT_HEADER_NAME_INFO;
根据设备对象指针,获取设备名
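/*
 * Print the name of a device object, read directly from its object header.
 *
 * Layout assumptions come from the kd "dt _OBJECT_HEADER" dump in this
 * article (32-bit kernel): the OBJECT_HEADER sits 0x18 bytes before the
 * object body, and OBJECT_HEADER_NAME_INFO sits NameInfoOffset bytes before
 * the header. Both offsets are undocumented and change between kernel
 * versions and between x86 and x64, so treat this as a debugging aid; the
 * documented way to obtain an object's name is ObQueryNameString.
 *
 * pDevObj: device object to inspect; NULL is logged and ignored.
 */
VOID GetDeviceName(PDEVICE_OBJECT pDevObj)
{
    if (!pDevObj) {
        DbgPrint("设备对象指针为空,无法获取设备名\n");
        return;
    }

    /*
     * "+0x018 Body" in the dump: the header immediately precedes the body.
     * ULONG_PTR instead of ULONG so the pointer is not truncated on x64
     * (the 0x18 itself is still only valid for the 32-bit layout shown).
     */
    POBJECT_HEADER pDeviceObjectHeader =
        (POBJECT_HEADER)((ULONG_PTR)pDevObj - 0x18);

    /*
     * A NameInfoOffset of 0 means the object carries no name-info block
     * (the kernel's own OBJECT_HEADER_TO_NAME_INFO treats 0 as NULL).
     * Without this check the subtraction aliases the header itself and
     * %wZ formats garbage or faults.
     */
    if (pDeviceObjectHeader->NameInfoOffset == 0) {
        DbgPrint("device has no name\n");
        return;
    }

    POBJECT_HEADER_NAME_INFO pObjectNameInfo =
        (POBJECT_HEADER_NAME_INFO)((ULONG_PTR)pDeviceObjectHeader -
                                   pDeviceObjectHeader->NameInfoOffset);

    DbgPrint("device name is %wZ\n", &pObjectNameInfo->Name);
}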
根据设备对象,遍历设备栈: 以传入的设备对象为栈底,向上遍历每一个设备对象. 因为附加(Attach)时,下一层设备的AttachedDevice字段记录的是上一层设备对象的指针.
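/*
 * Walk the device stack upward from DevObj and print every device attached
 * above it, together with its driver's name and the driver/device addresses.
 *
 * DevObj is treated as the bottom of the stack: each device's AttachedDevice
 * field points at the device attached on top of it, so following that chain
 * until NULL visits everything above DevObj.
 *
 * No lock is held during the walk; if a filter attaches or detaches
 * concurrently the chain can change underneath this loop. That is
 * acceptable for a debug dump but not for code that acts on the result.
 *
 * DevObj: bottom-of-stack device object; NULL is logged and ignored.
 */
VOID GetAttachedDeviceInfo(PDEVICE_OBJECT DevObj)
{
    if (DevObj == NULL) {
        DbgPrint("DevObj is NULL!\n");
        return;
    }

    for (PDEVICE_OBJECT DeviceObject = DevObj->AttachedDevice;
         DeviceObject != NULL;
         DeviceObject = DeviceObject->AttachedDevice) {
        /*
         * %p rather than 0x%x: the original passed pointers for a 32-bit
         * integer conversion, which is undefined and truncates on x64.
         */
        DbgPrint("Attached Driver Name:%wZ,Attached Driver Address:%p,Attached DeviceAddress:%p\n",
                 &DeviceObject->DriverObject->DriverName,
                 DeviceObject->DriverObject,
                 DeviceObject);
    }
}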
根据驱动名,枚举驱动所有的设备栈
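/*
 * Enumerate every device object created by the named driver and, for each,
 * dump its device stack: the filters attached on top of it and, when the
 * device owns a VPB with a mounted file system, the file system's volume
 * device (Vpb->DeviceObject) and that device's own stack.
 *
 * pwszDeviceName: despite its name this is an object-manager *driver* path
 *                 (it is resolved via ObReferenceObjectByName against
 *                 IoDriverObjectType), e.g. L"\\Driver\\<name>". NULL
 *                 returns NULL.
 *
 * Returns the referenced DRIVER_OBJECT, or NULL if the lookup fails.
 * Ownership: a non-NULL return carries the reference taken by
 * ObReferenceObjectByName, so the caller must ObDereferenceObject() it;
 * otherwise the driver object leaks a reference and can never unload.
 *
 * The device list (NextDevice) is walked without any lock, so a concurrent
 * IoDeleteDevice can invalidate the traversal; fine for a debug dump only.
 * GetDeviceObjectInfo is defined elsewhere in the driver.
 */
PDRIVER_OBJECT EnumDeviceStack(PWSTR pwszDeviceName)
{
    UNICODE_STRING DriverName;
    PDRIVER_OBJECT DriverObject = NULL;
    NTSTATUS status;

    if (pwszDeviceName == NULL) {
        return NULL;
    }

    RtlInitUnicodeString(&DriverName, pwszDeviceName);

    /*
     * ObReferenceObjectByName is exported but undocumented. The cast on
     * IoDriverObjectType is kept from the original; whether it is right
     * depends on how the extern was declared (POBJECT_TYPE vs POBJECT_TYPE *)
     * — confirm against the driver's own declaration.
     */
    status = ObReferenceObjectByName(&DriverName,
                                     OBJ_CASE_INSENSITIVE,
                                     NULL,
                                     0,
                                     (POBJECT_TYPE)IoDriverObjectType,
                                     KernelMode,
                                     NULL,
                                     (PVOID *)&DriverObject);
    /* Check the status as well as the out-pointer: on failure no reference was taken. */
    if (!NT_SUCCESS(status) || DriverObject == NULL) {
        return NULL;
    }

    for (PDEVICE_OBJECT DeviceObject = DriverObject->DeviceObject;
         DeviceObject != NULL;
         DeviceObject = DeviceObject->NextDevice) {
        GetDeviceObjectInfo(DeviceObject);

        /* A non-NULL AttachedDevice means a filter driver sits on top of this device. */
        if (DeviceObject->AttachedDevice) {
            GetAttachedDeviceInfo(DeviceObject);
        }

        /*
         * Only certain device types carry a VPB; when one is present and a
         * file system is mounted, Vpb->DeviceObject is the volume device the
         * file system created, which has a device stack of its own.
         */
        if (DeviceObject->Vpb && DeviceObject->Vpb->DeviceObject) {
            PDEVICE_OBJECT VolumeDevice = DeviceObject->Vpb->DeviceObject;

            GetDeviceObjectInfo(VolumeDevice);
            if (VolumeDevice->AttachedDevice) {
                GetAttachedDeviceInfo(VolumeDevice);
            }
        }
    }

    return DriverObject;
}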
本文地址:https://blog.csdn.net/qq_41490873/article/details/107686329