遍历windows驱动
驱动都存在于
\\Driver 或者 \\FileSystem 目录对象里，我们只需要遍历这两个目录就可以遍历 windows 所有驱动
知识点
\\Driver \\FileSystem (dt _OBJECT_DIRECTORY) 都属于 ObpDirectoryObjectType (windows 内核全局变量) 对象
其他对象全局变量 可以参考 作者:潘爱民 书名:windows内核原理与实现 的 2.4图
一个目录对象含有 37 个 DirectoryEntry 对象 (dt _OBJECT_DIRECTORY_ENTRY)
_OBJECT_DIRECTORY_ENTRY 里的Object 指向的就是 驱动的 DriverObject( dt _DRIVER_OBJECT)
具体内容看代码
/*
 * init - walk the "\Driver" and "\FileSystem" object directories and print
 * the DriverName of every object found in their hash-bucket chains.
 *
 * No parameters, no return value. A failed ObReferenceObjectByName is only
 * reported via KdPrint; the function then moves on to the next directory.
 *
 * NOTE(review): the object type handed to ObReferenceObjectByName is the
 * hard-coded address 0x869d0040 (presumably the value of
 * ObpDirectoryObjectType on the author's machine at the time). That address
 * differs per OS build and per boot, so on any other system the call either
 * fails or references an object of the wrong type.
 *
 * NOTE(review): the directories are walked without the object manager's
 * directory lock; MmIsAddressValid() only reports that a page is currently
 * resident and does not protect against an entry being unlinked or freed
 * while it is being read.
 */
VOID init()
{
    UNICODE_STRING vDriverName = { 0 };
    RtlInitUnicodeString(&vDriverName, L"\\Driver");
    POBJECT_DIRECTORY vPObjectDirectory;
    NTSTATUS vStatus;

    /* First pass: the "\Driver" directory. */
    vStatus = ObReferenceObjectByName(
        &vDriverName,
        OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
        NULL,
        0,
        (POBJECT_TYPE)0x869d0040, /* boot-specific pointer, see header comment */
        KernelMode,
        NULL,
        (PVOID *)&vPObjectDirectory
    );
    if (NT_SUCCESS(vStatus))
    {
        KdPrint(("成功"));
        /* Each directory holds NUMBER_HASH_BUCKETS chains of entries. */
        for (ULONG vI = 0; vI < NUMBER_HASH_BUCKETS; vI++)
        {
            PDRIVER_OBJECT vDriverObject = NULL;
            POBJECT_DIRECTORY_ENTRY vObjectDirectoryEntry = NULL;
            vObjectDirectoryEntry = vPObjectDirectory->HashBuckets[vI];
            while (vObjectDirectoryEntry && MmIsAddressValid((PVOID)vObjectDirectoryEntry))
            {
                /* Every entry of "\Driver" is assumed to be a DRIVER_OBJECT;
                 * the object type is not checked here. */
                vDriverObject = (PDRIVER_OBJECT)vObjectDirectoryEntry->Object;
                if (MmIsAddressValid((PVOID)vDriverObject))
                {
                    /* This validates the page holding the UNICODE_STRING
                     * header, not the page DriverName.Buffer points to. */
                    if (MmIsAddressValid(&vDriverObject->DriverName))
                    {
                        /* NOTE(review): a UNICODE_STRING is length-counted and
                         * its Buffer is not guaranteed to be NUL-terminated,
                         * so wcsstr() may read past the end of the buffer. */
                        if (wcsstr(vDriverObject->DriverName.Buffer, L"PCHunter32") != NULL)
                        {
                            KdPrint(("\r\n\r\n找到了\r\n\r\n"));
                            /* BUG: "\D" is not a valid escape and "\t" is a tab,
                             * so this literal does not spell the path the name
                             * suggests. Beyond that, this replaces the Buffer of
                             * a foreign driver object (originally owned by the
                             * I/O manager, which is leaked) with a pointer into
                             * this driver's image; it dangles as soon as this
                             * driver unloads, and any later reader of that
                             * DriverName will touch freed memory. */
                            RtlInitUnicodeString(&vDriverObject->DriverName, L"\Driver\text32");
                        }
                        KdPrint(("名:%wZ\r\n", &vDriverObject->DriverName));
                    }
                }
                vObjectDirectoryEntry = vObjectDirectoryEntry->ChainLink;
            }
        }
        /* Drop the reference taken by ObReferenceObjectByName. */
        ObDereferenceObject(vPObjectDirectory);
    }
    else
        KdPrint(("vStatus = 0x%08X\r\n", vStatus));

    /* Second pass: the "\FileSystem" directory, same walk but print only.
     * vPObjectDirectory is reused; if the lookup fails it keeps whatever
     * value the first pass left in it. */
    RtlInitUnicodeString(&vDriverName, L"\\FileSystem");
    vStatus = ObReferenceObjectByName(
        &vDriverName,
        OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
        NULL,
        0,
        (POBJECT_TYPE)0x869d0040, /* boot-specific pointer, see header comment */
        KernelMode,
        NULL,
        (PVOID *)&vPObjectDirectory
    );
    if (NT_SUCCESS(vStatus))
    {
        KdPrint(("成功"));
        for (ULONG vI = 0; vI < NUMBER_HASH_BUCKETS; vI++)
        {
            PDRIVER_OBJECT vDriverObject = NULL;
            POBJECT_DIRECTORY_ENTRY vObjectDirectoryEntry = NULL;
            vObjectDirectoryEntry = vPObjectDirectory->HashBuckets[vI];
            while (vObjectDirectoryEntry && MmIsAddressValid((PVOID)vObjectDirectoryEntry))
            {
                /* Same unchecked cast as in the first pass. */
                vDriverObject = (PDRIVER_OBJECT)vObjectDirectoryEntry->Object;
                if (MmIsAddressValid((PVOID)vDriverObject))
                {
                    if (MmIsAddressValid(&vDriverObject->DriverName))
                    {
                        KdPrint(("名:%wZ\r\n", &vDriverObject->DriverName));
                    }
                }
                vObjectDirectoryEntry = vObjectDirectoryEntry->ChainLink;
            }
        }
        ObDereferenceObject(vPObjectDirectory);
    }
    else
        KdPrint(("vStatus = 0x%08X\r\n", vStatus));
}
jpg 改 rar