驱动通讯
DeviceIoControl通讯
驱动代码:
#include <ntifs.h>
#define DEVICE_NAME L"\\Device\\catsay"
#define SYM_NAME L"\\??\\catsay"
#define CODE_CTR_INDEX 0x800
#define TEST CTL_CODE(FILE_DEVICE_UNKNOWN,CODE_CTR_INDEX,METHOD_BUFFERED,FILE_ANY_ACCESS)
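/*
 * Default handler for IRP_MJ_CREATE / IRP_MJ_CLOSE: completes the request
 * successfully without touching any buffer.
 * Information is set explicitly so the caller never sees a stale byte count.
 */
NTSTATUS DefDispatch(DEVICE_OBJECT *DeviceObject, IRP *Irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);

    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}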
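/*
 * IRP_MJ_DEVICE_CONTROL handler (METHOD_BUFFERED).
 * TEST: reads one int from the caller's input, logs it, and answers with the
 * constant 500. Input and output share Irp->AssociatedIrp.SystemBuffer, which
 * is max(InputBufferLength, OutputBufferLength) bytes long and NULL when both
 * lengths are 0; the I/O manager copies Information bytes back to the caller.
 * Returns STATUS_BUFFER_TOO_SMALL when either buffer is shorter than sizeof(int)
 * and STATUS_INVALID_DEVICE_REQUEST for an unknown control code.
 * The DbgBreakPoint() debugging aid was removed: without a kernel debugger
 * attached it raises a bugcheck instead of a breakpoint.
 */
NTSTATUS Dispatch(DEVICE_OBJECT *DeviceObject, IRP *Irp)
{
    PIO_STACK_LOCATION ioStack = IoGetCurrentIrpStackLocation(Irp);
    NTSTATUS status = STATUS_SUCCESS;
    ULONG_PTR info = 0;

    UNREFERENCED_PARAMETER(DeviceObject);

    if (ioStack->MajorFunction == IRP_MJ_DEVICE_CONTROL)
    {
        ULONG inLen = ioStack->Parameters.DeviceIoControl.InputBufferLength;
        ULONG outLen = ioStack->Parameters.DeviceIoControl.OutputBufferLength;
        ULONG code = ioStack->Parameters.DeviceIoControl.IoControlCode;

        switch (code)
        {
        case TEST:
        {
            int *x = (int *)Irp->AssociatedIrp.SystemBuffer;
            int y = 500;

            /* Validate both lengths before dereferencing the shared buffer. */
            if (x == NULL || inLen < sizeof(int) || outLen < sizeof(int))
            {
                status = STATUS_BUFFER_TOO_SMALL;
                break;
            }
            KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[db]:-------%x----------\r\n", *x));
            /* Copy exactly sizeof y: copying outLen bytes from &y would read
             * past the local and return kernel stack contents to user mode. */
            memcpy(Irp->AssociatedIrp.SystemBuffer, &y, sizeof y);
            info = sizeof y;
            break;
        }
        default:
            status = STATUS_INVALID_DEVICE_REQUEST;
            break;
        }
    }

    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = info;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}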
/* Driver unload: remove the \?? symbolic link first, then the device object
 * it pointed at, so no new opens can reach a half-torn-down device. */
VOID DriverUnload(PDRIVER_OBJECT pDriver)
{
    UNICODE_STRING linkName = { 0 };

    RtlInitUnicodeString(&linkName, SYM_NAME);
    IoDeleteSymbolicLink(&linkName);
    IoDeleteDevice(pDriver->DeviceObject);
}
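/*
 * Driver entry: creates \Device\catsay (buffered I/O), exposes it as \??\catsay
 * and installs the dispatch table.
 * Dispatch routines and the unload callback are installed before the device is
 * created so that any open reaching the device by name finds real handlers;
 * DO_DEVICE_INITIALIZING is cleared last, once the device is fully set up.
 * Returns the failing NTSTATUS from IoCreateDevice / IoCreateSymbolicLink,
 * undoing the device creation on symbolic-link failure.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg)
{
    UNICODE_STRING devName = { 0 };
    UNICODE_STRING symName = { 0 };
    PDEVICE_OBJECT pDevice = NULL;
    NTSTATUS status;

    UNREFERENCED_PARAMETER(pReg);

    RtlInitUnicodeString(&devName, DEVICE_NAME);
    RtlInitUnicodeString(&symName, SYM_NAME);

    pDriver->MajorFunction[IRP_MJ_CREATE] = DefDispatch;
    pDriver->MajorFunction[IRP_MJ_CLOSE] = DefDispatch;
    pDriver->MajorFunction[IRP_MJ_DEVICE_CONTROL] = Dispatch;
    pDriver->DriverUnload = DriverUnload;

    /* NOTE(review): FILE_DEVICE_SECURE_OPEN only makes the device's security
     * descriptor apply to opens with a trailing path; the descriptor itself is
     * the default one IoCreateDevice assigns. If the TEST control code should
     * not be reachable from every user account, create the device with an
     * explicit SDDL string (IoCreateDeviceSecure) instead. */
    status = IoCreateDevice(pDriver, 0, &devName, FILE_DEVICE_UNKNOWN,
                            FILE_DEVICE_SECURE_OPEN, FALSE, &pDevice);
    if (!NT_SUCCESS(status))
    {
        KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[db]:%x\r\n", status));
        return status;
    }
    /* Buffered I/O: the I/O manager copies user buffers into SystemBuffer. */
    pDevice->Flags |= DO_BUFFERED_IO;

    status = IoCreateSymbolicLink(&symName, &devName);
    if (!NT_SUCCESS(status))
    {
        KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[db]:%x\r\n", status));
        IoDeleteDevice(pDevice);
        return status;
    }

    pDevice->Flags &= ~DO_DEVICE_INITIALIZING;
    return STATUS_SUCCESS;
}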
下面是应用层代码
应用层代码:
// R3R0通信.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include <Windows.h>
#include <winioctl.h>
#define SYM_NAME "\\\\.\\catsay"
#define CODE_CTR_INDEX 0x800
#define TEST CTL_CODE(FILE_DEVICE_UNKNOWN,CODE_CTR_INDEX,METHOD_BUFFERED,FILE_ANY_ACCESS)
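/*
 * Console entry point: opens \\.\catsay, sends the TEST control code with a
 * 4-byte input (100) and a 4-byte output buffer, and prints what the driver
 * returned. The output value is only printed when DeviceIoControl succeeded
 * and reported a full int; otherwise the Win32 error code is shown.
 * Returns 0 on success, 1 when the device could not be opened or the call failed.
 */
int _tmain(int argc, _TCHAR* argv[])
{
    (void)argc;
    (void)argv;

    HANDLE hDevice = CreateFileA(SYM_NAME, GENERIC_READ | GENERIC_WRITE,
                                 FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                                 OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hDevice == INVALID_HANDLE_VALUE)
    {
        /* CreateFile reports failure with INVALID_HANDLE_VALUE, not NULL. */
        printf("CreateFileA failed: %lu\r\n", GetLastError());
        system("pause");
        return 1;
    }

    int x = 100;
    int y = 0;
    DWORD bytesReturned = 0;
    BOOL ok = DeviceIoControl(hDevice, TEST, &x, sizeof x, &y, sizeof y, &bytesReturned, NULL);
    DWORD err = ok ? ERROR_SUCCESS : GetLastError();   /* capture before CloseHandle can overwrite it */
    CloseHandle(hDevice);

    printf("%d\r\n", ok);
    if (ok && bytesReturned == sizeof y)
    {
        printf("从驱动获取:%d\r\n", y);
    }
    else
    {
        printf("DeviceIoControl failed: %lu (bytes returned %lu)\r\n", err, bytesReturned);
    }
    system("pause");
    return ok ? 0 : 1;
}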
ReadFile通讯
驱动层:
#include <ntifs.h>
#define DEVICE_NAME L"\\Device\\catsay"
#define SYM_NAME L"\\??\\catsay"
#define CODE_CTR_INDEX 0x800
#define TEST CTL_CODE(FILE_DEVICE_UNKNOWN,CODE_CTR_INDEX,METHOD_BUFFERED,FILE_ANY_ACCESS)
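/*
 * Default handler for IRP_MJ_CREATE / IRP_MJ_CLOSE: completes the request
 * successfully without touching any buffer.
 * Information is set explicitly so the caller never sees a stale byte count.
 */
NTSTATUS DefDispatch(DEVICE_OBJECT *DeviceObject, IRP *Irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);

    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}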
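/*
 * IRP_MJ_DEVICE_CONTROL handler (METHOD_BUFFERED).
 * TEST: reads one int from the caller's input, logs it, and answers with the
 * constant 500. Input and output share Irp->AssociatedIrp.SystemBuffer, which
 * is max(InputBufferLength, OutputBufferLength) bytes long and NULL when both
 * lengths are 0; the I/O manager copies Information bytes back to the caller.
 * Returns STATUS_BUFFER_TOO_SMALL when either buffer is shorter than sizeof(int)
 * and STATUS_INVALID_DEVICE_REQUEST for an unknown control code.
 * The DbgBreakPoint() debugging aid was removed: without a kernel debugger
 * attached it raises a bugcheck instead of a breakpoint.
 */
NTSTATUS Dispatch(DEVICE_OBJECT *DeviceObject, IRP *Irp)
{
    PIO_STACK_LOCATION ioStack = IoGetCurrentIrpStackLocation(Irp);
    NTSTATUS status = STATUS_SUCCESS;
    ULONG_PTR info = 0;

    UNREFERENCED_PARAMETER(DeviceObject);

    if (ioStack->MajorFunction == IRP_MJ_DEVICE_CONTROL)
    {
        ULONG inLen = ioStack->Parameters.DeviceIoControl.InputBufferLength;
        ULONG outLen = ioStack->Parameters.DeviceIoControl.OutputBufferLength;
        ULONG code = ioStack->Parameters.DeviceIoControl.IoControlCode;

        switch (code)
        {
        case TEST:
        {
            int *x = (int *)Irp->AssociatedIrp.SystemBuffer;
            int y = 500;

            /* Validate both lengths before dereferencing the shared buffer. */
            if (x == NULL || inLen < sizeof(int) || outLen < sizeof(int))
            {
                status = STATUS_BUFFER_TOO_SMALL;
                break;
            }
            KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[db]:-------%x----------\r\n", *x));
            /* Copy exactly sizeof y: copying outLen bytes from &y would read
             * past the local and return kernel stack contents to user mode. */
            memcpy(Irp->AssociatedIrp.SystemBuffer, &y, sizeof y);
            info = sizeof y;
            break;
        }
        default:
            status = STATUS_INVALID_DEVICE_REQUEST;
            break;
        }
    }

    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = info;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}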
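/*
 * IRP_MJ_READ handler (buffered I/O): stores the constant 100 into the first
 * int of Irp->AssociatedIrp.SystemBuffer, which the I/O manager copies back to
 * the caller's buffer on completion.
 * SystemBuffer is Parameters.Read.Length bytes long (NULL for a zero-length
 * read), so the write is refused with STATUS_BUFFER_TOO_SMALL when fewer than
 * sizeof(int) bytes were requested. Information reports only the bytes that
 * were actually written; reporting the full request length would copy
 * uninitialized pool memory out to user mode.
 * The DbgBreakPoint() debugging aid was removed: without a kernel debugger
 * attached it raises a bugcheck instead of a breakpoint.
 */
NTSTATUS ReadDispatch(DEVICE_OBJECT *DeviceObject, IRP *Irp)
{
    PIO_STACK_LOCATION ioStack = IoGetCurrentIrpStackLocation(Irp);
    NTSTATUS status = STATUS_SUCCESS;
    ULONG_PTR info = 0;

    UNREFERENCED_PARAMETER(DeviceObject);

    if (ioStack->MajorFunction == IRP_MJ_READ)
    {
        ULONG length = ioStack->Parameters.Read.Length;
        int *out = (int *)Irp->AssociatedIrp.SystemBuffer;

        if (out == NULL || length < sizeof(int))
        {
            status = STATUS_BUFFER_TOO_SMALL;
        }
        else
        {
            *out = 100;
            info = sizeof(int);
        }
    }

    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = info;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}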
/* Driver unload: remove the \?? symbolic link first, then the device object
 * it pointed at, so no new opens can reach a half-torn-down device. */
VOID DriverUnload(PDRIVER_OBJECT pDriver)
{
    UNICODE_STRING linkName = { 0 };

    RtlInitUnicodeString(&linkName, SYM_NAME);
    IoDeleteSymbolicLink(&linkName);
    IoDeleteDevice(pDriver->DeviceObject);
}
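/*
 * Driver entry: creates \Device\catsay (buffered I/O), exposes it as \??\catsay
 * and installs the dispatch table (create/close, device control, read).
 * Dispatch routines and the unload callback are installed before the device is
 * created so that any open reaching the device by name finds real handlers;
 * DO_DEVICE_INITIALIZING is cleared last, once the device is fully set up.
 * Returns the failing NTSTATUS from IoCreateDevice / IoCreateSymbolicLink,
 * undoing the device creation on symbolic-link failure.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg)
{
    UNICODE_STRING devName = { 0 };
    UNICODE_STRING symName = { 0 };
    PDEVICE_OBJECT pDevice = NULL;
    NTSTATUS status;

    UNREFERENCED_PARAMETER(pReg);

    RtlInitUnicodeString(&devName, DEVICE_NAME);
    RtlInitUnicodeString(&symName, SYM_NAME);

    pDriver->MajorFunction[IRP_MJ_CREATE] = DefDispatch;
    pDriver->MajorFunction[IRP_MJ_CLOSE] = DefDispatch;
    pDriver->MajorFunction[IRP_MJ_DEVICE_CONTROL] = Dispatch;
    pDriver->MajorFunction[IRP_MJ_READ] = ReadDispatch;
    pDriver->DriverUnload = DriverUnload;

    /* NOTE(review): FILE_DEVICE_SECURE_OPEN only makes the device's security
     * descriptor apply to opens with a trailing path; the descriptor itself is
     * the default one IoCreateDevice assigns. If the device should not be
     * reachable from every user account, create it with an explicit SDDL
     * string (IoCreateDeviceSecure) instead. */
    status = IoCreateDevice(pDriver, 0, &devName, FILE_DEVICE_UNKNOWN,
                            FILE_DEVICE_SECURE_OPEN, FALSE, &pDevice);
    if (!NT_SUCCESS(status))
    {
        KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[db]:%x\r\n", status));
        return status;
    }
    /* Buffered I/O: the I/O manager copies user buffers into SystemBuffer. */
    pDevice->Flags |= DO_BUFFERED_IO;

    status = IoCreateSymbolicLink(&symName, &devName);
    if (!NT_SUCCESS(status))
    {
        KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[db]:%x\r\n", status));
        IoDeleteDevice(pDevice);
        return status;
    }

    pDevice->Flags &= ~DO_DEVICE_INITIALIZING;
    return STATUS_SUCCESS;
}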
应用层代码:
// R3R0通信.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include <Windows.h>
#include <winioctl.h>
#define SYM_NAME "\\\\.\\catsay"
#define CODE_CTR_INDEX 0x800
#define TEST CTL_CODE(FILE_DEVICE_UNKNOWN,CODE_CTR_INDEX,METHOD_BUFFERED,FILE_ANY_ACCESS)
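/*
 * Console entry point: opens \\.\catsay, issues a 4-byte ReadFile and prints
 * the int the driver stored in the buffer.
 * The value is only printed when ReadFile succeeded and returned a full int;
 * otherwise the Win32 error code is shown so a failed read is not mistaken
 * for the initial value of x.
 * Returns 0 on success, 1 when the device could not be opened or the read failed.
 */
int _tmain(int argc, _TCHAR* argv[])
{
    (void)argc;
    (void)argv;

    HANDLE hDevice = CreateFileA(SYM_NAME, GENERIC_READ | GENERIC_WRITE,
                                 FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                                 OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hDevice == INVALID_HANDLE_VALUE)
    {
        /* CreateFile reports failure with INVALID_HANDLE_VALUE, not NULL. */
        printf("CreateFileA failed: %lu\r\n", GetLastError());
        system("pause");
        return 1;
    }

    int x = 500;
    DWORD bytesRead = 0;
    BOOL ok = ReadFile(hDevice, &x, sizeof x, &bytesRead, NULL);
    DWORD err = ok ? ERROR_SUCCESS : GetLastError();   /* capture before CloseHandle can overwrite it */
    CloseHandle(hDevice);

    if (ok && bytesRead == sizeof x)
    {
        printf("从驱动获取:%d\r\n", x);
    }
    else
    {
        printf("ReadFile failed: %lu (bytes read %lu)\r\n", err, bytesRead);
    }
    system("pause");
    return ok ? 0 : 1;
}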
WriteFile通信
这里我们需要通过指针来操作：定义一个结构体，第一个成员是传入指针，第二个成员是传出指针。
驱动代码:
#include <ntifs.h>
#define DEVICE_NAME L"\\Device\\catsay"
#define SYM_NAME L"\\??\\catsay"
#define CODE_CTR_INDEX 0x800
#define TEST CTL_CODE(FILE_DEVICE_UNKNOWN,CODE_CTR_INDEX,METHOD_BUFFERED,FILE_ANY_ACCESS)
/* Request layout for IRP_MJ_WRITE. Buffered I/O copies only the two pointer
 * values into SystemBuffer, not the ints they point to, so both members are
 * addresses in the caller's address space and must be treated as untrusted
 * user-mode pointers by the driver. Size is 2 * sizeof(int *), i.e. it
 * differs between 32-bit and 64-bit builds. */
typedef struct WriteInfo
{
int* a;   /* input pointer (user-mode address); not read by WriteDispatch */
int* b;   /* output pointer (user-mode address); WriteDispatch stores 3 through it */
}WriteInfo;
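/*
 * Default handler for IRP_MJ_CREATE / IRP_MJ_CLOSE: completes the request
 * successfully without touching any buffer.
 * Information is set explicitly so the caller never sees a stale byte count.
 */
NTSTATUS DefDispatch(DEVICE_OBJECT *DeviceObject, IRP *Irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);

    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}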
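/*
 * IRP_MJ_DEVICE_CONTROL handler (METHOD_BUFFERED).
 * TEST: reads one int from the caller's input, logs it, and answers with the
 * constant 500. Input and output share Irp->AssociatedIrp.SystemBuffer, which
 * is max(InputBufferLength, OutputBufferLength) bytes long and NULL when both
 * lengths are 0; the I/O manager copies Information bytes back to the caller.
 * Returns STATUS_BUFFER_TOO_SMALL when either buffer is shorter than sizeof(int)
 * and STATUS_INVALID_DEVICE_REQUEST for an unknown control code.
 * The DbgBreakPoint() debugging aid was removed: without a kernel debugger
 * attached it raises a bugcheck instead of a breakpoint.
 */
NTSTATUS Dispatch(DEVICE_OBJECT *DeviceObject, IRP *Irp)
{
    PIO_STACK_LOCATION ioStack = IoGetCurrentIrpStackLocation(Irp);
    NTSTATUS status = STATUS_SUCCESS;
    ULONG_PTR info = 0;

    UNREFERENCED_PARAMETER(DeviceObject);

    if (ioStack->MajorFunction == IRP_MJ_DEVICE_CONTROL)
    {
        ULONG inLen = ioStack->Parameters.DeviceIoControl.InputBufferLength;
        ULONG outLen = ioStack->Parameters.DeviceIoControl.OutputBufferLength;
        ULONG code = ioStack->Parameters.DeviceIoControl.IoControlCode;

        switch (code)
        {
        case TEST:
        {
            int *x = (int *)Irp->AssociatedIrp.SystemBuffer;
            int y = 500;

            /* Validate both lengths before dereferencing the shared buffer. */
            if (x == NULL || inLen < sizeof(int) || outLen < sizeof(int))
            {
                status = STATUS_BUFFER_TOO_SMALL;
                break;
            }
            KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[db]:-------%x----------\r\n", *x));
            /* Copy exactly sizeof y: copying outLen bytes from &y would read
             * past the local and return kernel stack contents to user mode. */
            memcpy(Irp->AssociatedIrp.SystemBuffer, &y, sizeof y);
            info = sizeof y;
            break;
        }
        default:
            status = STATUS_INVALID_DEVICE_REQUEST;
            break;
        }
    }

    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = info;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}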
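/*
 * IRP_MJ_READ handler (buffered I/O): stores the constant 100 into the first
 * int of Irp->AssociatedIrp.SystemBuffer, which the I/O manager copies back to
 * the caller's buffer on completion.
 * SystemBuffer is Parameters.Read.Length bytes long (NULL for a zero-length
 * read), so the write is refused with STATUS_BUFFER_TOO_SMALL when fewer than
 * sizeof(int) bytes were requested. Information reports only the bytes that
 * were actually written; reporting the full request length would copy
 * uninitialized pool memory out to user mode.
 * The DbgBreakPoint() debugging aid was removed: without a kernel debugger
 * attached it raises a bugcheck instead of a breakpoint.
 */
NTSTATUS ReadDispatch(DEVICE_OBJECT *DeviceObject, IRP *Irp)
{
    PIO_STACK_LOCATION ioStack = IoGetCurrentIrpStackLocation(Irp);
    NTSTATUS status = STATUS_SUCCESS;
    ULONG_PTR info = 0;

    UNREFERENCED_PARAMETER(DeviceObject);

    if (ioStack->MajorFunction == IRP_MJ_READ)
    {
        ULONG length = ioStack->Parameters.Read.Length;
        int *out = (int *)Irp->AssociatedIrp.SystemBuffer;

        if (out == NULL || length < sizeof(int))
        {
            status = STATUS_BUFFER_TOO_SMALL;
        }
        else
        {
            *out = 100;
            info = sizeof(int);
        }
    }

    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = info;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}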
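/*
 * IRP_MJ_WRITE handler (buffered I/O): the caller sends a WriteInfo whose
 * members are pointers into the caller's own address space; the driver
 * stores the constant 3 through the second one (b).
 * Buffered I/O copies only the WriteInfo itself into SystemBuffer, so b is a
 * raw user-mode address chosen by the caller. It is therefore validated with
 * ProbeForWrite and written inside __try/__except: a user-mode request must
 * never be able to make the driver write to an arbitrary kernel address, and
 * an unmapped user address must fail the request instead of crashing the
 * system. Dispatch routines run in the requesting thread's context, which is
 * what makes probing and accessing the user address here valid.
 * Returns STATUS_BUFFER_TOO_SMALL when fewer than sizeof(WriteInfo) bytes were
 * written, or the exception code when the target address is not writable.
 * The DbgBreakPoint() debugging aid was removed: without a kernel debugger
 * attached it raises a bugcheck instead of a breakpoint.
 */
NTSTATUS WriteDispatch(DEVICE_OBJECT *DeviceObject, IRP *Irp)
{
    PIO_STACK_LOCATION ioStack = IoGetCurrentIrpStackLocation(Irp);
    NTSTATUS status = STATUS_SUCCESS;
    ULONG_PTR info = 0;

    UNREFERENCED_PARAMETER(DeviceObject);

    if (ioStack->MajorFunction == IRP_MJ_WRITE)
    {
        ULONG length = ioStack->Parameters.Write.Length;
        WriteInfo *req = (WriteInfo *)Irp->AssociatedIrp.SystemBuffer;

        if (req == NULL || length < sizeof(WriteInfo))
        {
            /* A 64-bit WriteInfo is 16 bytes; a shorter write leaves b unset. */
            status = STATUS_BUFFER_TOO_SMALL;
        }
        else
        {
            int *target = req->b;

            __try
            {
                if (Irp->RequestorMode != KernelMode)
                {
                    ProbeForWrite(target, sizeof(int), sizeof(int));
                }
                *target = 3;
                info = length;
            }
            __except (EXCEPTION_EXECUTE_HANDLER)
            {
                status = GetExceptionCode();
            }
        }
    }

    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = info;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}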
/* Driver unload: remove the \?? symbolic link first, then the device object
 * it pointed at, so no new opens can reach a half-torn-down device. */
VOID DriverUnload(PDRIVER_OBJECT pDriver)
{
    UNICODE_STRING linkName = { 0 };

    RtlInitUnicodeString(&linkName, SYM_NAME);
    IoDeleteSymbolicLink(&linkName);
    IoDeleteDevice(pDriver->DeviceObject);
}
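/*
 * Driver entry: creates \Device\catsay (buffered I/O), exposes it as \??\catsay
 * and installs the dispatch table (create/close, device control, read, write).
 * Dispatch routines and the unload callback are installed before the device is
 * created so that any open reaching the device by name finds real handlers;
 * DO_DEVICE_INITIALIZING is cleared last, once the device is fully set up.
 * Returns the failing NTSTATUS from IoCreateDevice / IoCreateSymbolicLink,
 * undoing the device creation on symbolic-link failure.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg)
{
    UNICODE_STRING devName = { 0 };
    UNICODE_STRING symName = { 0 };
    PDEVICE_OBJECT pDevice = NULL;
    NTSTATUS status;

    UNREFERENCED_PARAMETER(pReg);

    RtlInitUnicodeString(&devName, DEVICE_NAME);
    RtlInitUnicodeString(&symName, SYM_NAME);

    pDriver->MajorFunction[IRP_MJ_CREATE] = DefDispatch;
    pDriver->MajorFunction[IRP_MJ_CLOSE] = DefDispatch;
    pDriver->MajorFunction[IRP_MJ_DEVICE_CONTROL] = Dispatch;
    pDriver->MajorFunction[IRP_MJ_READ] = ReadDispatch;
    pDriver->MajorFunction[IRP_MJ_WRITE] = WriteDispatch;
    pDriver->DriverUnload = DriverUnload;

    /* NOTE(review): FILE_DEVICE_SECURE_OPEN only makes the device's security
     * descriptor apply to opens with a trailing path; the descriptor itself is
     * the default one IoCreateDevice assigns. Since the write path dereferences
     * caller-supplied addresses, restricting who may open the device with an
     * explicit SDDL string (IoCreateDeviceSecure) is worth considering. */
    status = IoCreateDevice(pDriver, 0, &devName, FILE_DEVICE_UNKNOWN,
                            FILE_DEVICE_SECURE_OPEN, FALSE, &pDevice);
    if (!NT_SUCCESS(status))
    {
        KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[db]:%x\r\n", status));
        return status;
    }
    /* Buffered I/O: the I/O manager copies user buffers into SystemBuffer. */
    pDevice->Flags |= DO_BUFFERED_IO;

    status = IoCreateSymbolicLink(&symName, &devName);
    if (!NT_SUCCESS(status))
    {
        KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[db]:%x\r\n", status));
        IoDeleteDevice(pDevice);
        return status;
    }

    pDevice->Flags &= ~DO_DEVICE_INITIALIZING;
    return STATUS_SUCCESS;
}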
应用层代码:
// R3R0通信.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include <Windows.h>
#include <winioctl.h>
#define SYM_NAME "\\\\.\\catsay"
#define CODE_CTR_INDEX 0x800
#define TEST CTL_CODE(FILE_DEVICE_UNKNOWN,CODE_CTR_INDEX,METHOD_BUFFERED,FILE_ANY_ACCESS)
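/* Must match the driver's WriteInfo byte-for-byte: two pointer-sized members,
 * so sizeof(WriteInfo) is 8 on 32-bit and 16 on 64-bit builds. The original
 * declaration had a typedef with no name, which only compiled because C++
 * lets the struct tag be used as a type; the typedef name is now declared. */
typedef struct WriteInfo
{
    int* a;   /* input pointer; unused by the driver's WriteDispatch */
    int* b;   /* output pointer; the driver stores its result through it */
} WriteInfo;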
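/*
 * Console entry point: opens \\.\catsay and sends a WriteInfo holding two
 * heap pointers; the driver stores its result through info.b, which is then
 * printed.
 * The write length is sizeof info rather than a literal 8: on a 64-bit build
 * WriteInfo is 16 bytes and an 8-byte write would hand the driver an
 * incomplete struct. The result is only printed when WriteFile succeeded and
 * reported the full struct; otherwise the Win32 error code is shown.
 * Returns 0 on success, 1 when the device could not be opened, allocation
 * failed, or the write failed.
 */
int _tmain(int argc, _TCHAR* argv[])
{
    (void)argc;
    (void)argv;

    HANDLE hDevice = CreateFileA(SYM_NAME, GENERIC_READ | GENERIC_WRITE,
                                 FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                                 OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hDevice == INVALID_HANDLE_VALUE)
    {
        /* CreateFile reports failure with INVALID_HANDLE_VALUE, not NULL. */
        printf("CreateFileA failed: %lu\r\n", GetLastError());
        system("pause");
        return 1;
    }

    WriteInfo info;
    info.a = (int*)malloc(sizeof(int));
    info.b = (int*)malloc(sizeof(int));
    if (info.a == NULL || info.b == NULL)
    {
        free(info.a);
        free(info.b);
        CloseHandle(hDevice);
        printf("malloc failed\r\n");
        system("pause");
        return 1;
    }
    *info.a = 1;
    *info.b = 2;

    DWORD bytesWritten = 0;
    BOOL ok = WriteFile(hDevice, &info, sizeof info, &bytesWritten, NULL);
    DWORD err = ok ? ERROR_SUCCESS : GetLastError();   /* capture before CloseHandle can overwrite it */
    CloseHandle(hDevice);

    if (ok && bytesWritten == sizeof info)
    {
        printf("从驱动获取:%d\r\n", *info.b);
    }
    else
    {
        printf("WriteFile failed: %lu (bytes written %lu)\r\n", err, bytesWritten);
    }
    free(info.a);
    free(info.b);
    system("pause");
    return ok ? 0 : 1;
}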