windows内核学习一

变量类型

内核类型 对应的标准 C 类型
ULONG unsigned long
PULONG unsigned long*
UCHAR unsigned char
PUCHAR unsigned char*
UINT unsigned int
PUINT unsigned int*
VOID void
PVOID void*

P代表指针

程序入口

DriverEntry 相当于用户态程序的 main 函数,由 I/O 管理器在驱动加载时调用;两个参数都由内核传入(RegistryPath 指向该驱动在注册表中的服务键)。它返回 NTSTATUS,返回失败状态时驱动加载会被中止。
函数原型
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)

/*
 * DRIVER_OBJECT: one per loaded driver, created by the I/O manager and passed
 * to DriverEntry as its first parameter. The driver fills in its routine
 * pointers (DriverUnload, MajorFunction[...]) during DriverEntry.
 * NOTE(review): the WDK header also declares the pointer typedef
 * (*PDRIVER_OBJECT) that DriverEntry's prototype uses; it is omitted here.
 */
typedef struct _DRIVER_OBJECT {
    CSHORT Type;                        /* object type tag */
    CSHORT Size;                        /* size of this structure */

    PDEVICE_OBJECT DeviceObject;        /* head of the driver's device-object list */
    ULONG Flags;

    PVOID DriverStart;                  /* presumably the image base of the driver in memory */
    ULONG DriverSize;                   /* presumably the image size in bytes */
    PVOID DriverSection;
    PDRIVER_EXTENSION DriverExtension;

    UNICODE_STRING DriverName;          /* counted string: use Length, never strlen()/wcslen() on Buffer */
    PUNICODE_STRING HardwareDatabase;
    PFAST_IO_DISPATCH FastIoDispatch;

    PDRIVER_INITIALIZE DriverInit;      /* the DriverEntry routine */
    PDRIVER_STARTIO DriverStartIo;
    PDRIVER_UNLOAD DriverUnload;        /* routine the I/O manager calls when the driver is unloaded */
    /* Dispatch table indexed by IRP major function code (IRP_MJ_*).
     * NOTE(review): this table is a classic hook target - overwriting an entry
     * intercepts every IRP of that type before the driver sees it. Integrity
     * checks typically verify each entry points inside the driver's own image
     * range [DriverStart, DriverStart + DriverSize). */
    PDRIVER_DISPATCH MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];

} DRIVER_OBJECT;

字符串

内核中用 ANSI_STRING / UNICODE_STRING 这两种带长度的结构体分别表示窄字符(ANSI)和宽字符(UTF-16)字符串。它们以 Length(字节数)而不是 NUL 结尾来界定内容,Buffer 不保证以 NUL 结尾,因此不能把 Buffer 当作普通 C 字符串传给 strlen/wcslen 之类的函数;MaximumLength 同样以字节计。

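/*
 * Exercises the kernel counted-string API (ANSI_STRING / UNICODE_STRING):
 * initialisation, bounded copy, comparison and ANSI<->Unicode conversion.
 *
 * Must be called at PASSIVE_LEVEL: the RtlAnsiStringToUnicodeString /
 * RtlUnicodeStringToAnsiString conversions allocate from paged pool.
 *
 * Returns STATUS_SUCCESS, or the failure status of a conversion call
 * (in which case no allocated string is leaked).
 */
NTSTATUS testString(void)
{
    NTSTATUS status;

    /* Init: the structs only point at the string literals; nothing is copied. */
    ANSI_STRING as0;
    UNICODE_STRING us0;
    RtlInitAnsiString(&as0, "ansi string");
    RtlInitUnicodeString(&us0, L"unicode string");
    KdPrint(("%Z\n  %wZ\n", &as0, &us0));

    /* Copy: the destination needs its own buffer. RtlCopy*String truncate to
     * MaximumLength, which is in BYTES, so sizeof() of the array is the right
     * value for both the CHAR and the WCHAR buffer. */
    ANSI_STRING as1;
    UNICODE_STRING us1;
    CHAR as[128] = { 0 };
    WCHAR ws[128] = { 0 };
    RtlInitEmptyAnsiString(&as1, as, sizeof(as));
    RtlInitEmptyUnicodeString(&us1, ws, sizeof(ws));
    RtlCopyString(&as1, &as0);
    RtlCopyUnicodeString(&us1, &us0);
    KdPrint(("%Z\n  %wZ\n", &as1, &us1));

    /* Compare: RtlCompareString / RtlCompareUnicodeString return a LONG with
     * strcmp semantics (<0, 0, >0) - NOT a BOOLEAN. 0 means "equal", so
     * storing the result in a BOOLEAN and reading it as "equal?" inverts the
     * meaning. Third argument TRUE = case-insensitive comparison. */
    ANSI_STRING as2;
    UNICODE_STRING us2;
    RtlInitAnsiString(&as2, "second ansi string");
    RtlInitUnicodeString(&us2, L"second unicode string");
    LONG cmpCase = RtlCompareString(&as0, &as2, FALSE);
    LONG cmpNoCase = RtlCompareString(&as0, &as2, TRUE);
    LONG cmpUnicode = RtlCompareUnicodeString(&us0, &us2, FALSE);
    LONG cmpCopy = RtlCompareString(&as0, &as1, FALSE);   /* expected 0: as1 is a copy of as0 */
    KdPrint(("%ld %ld %ld %ld\n", cmpCase, cmpNoCase, cmpUnicode, cmpCopy));

    /* Convert: with AllocateDestinationString == TRUE the Rtl call allocates
     * the destination buffer, so every successful call must be paired with the
     * matching RtlFree*String. The status must be checked: on failure the
     * destination is left unallocated and freeing it would be a bogus
     * ExFreePool on an uninitialised pointer. */
    ANSI_STRING as3;
    UNICODE_STRING us3;
    status = RtlAnsiStringToUnicodeString(&us3, &as0, TRUE);
    if (!NT_SUCCESS(status)) {
        return status;
    }
    status = RtlUnicodeStringToAnsiString(&as3, &us0, TRUE);
    if (!NT_SUCCESS(status)) {
        RtlFreeUnicodeString(&us3);
        return status;
    }
    KdPrint(("%Z\n  %wZ\n", &as3, &us3));

    /* Release the two buffers the conversions allocated. */
    RtlFreeAnsiString(&as3);
    RtlFreeUnicodeString(&us3);
    return STATUS_SUCCESS;
}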

句柄表

进程打开或创建一个内核对象时得到的是句柄而不是对象指针,用户态只能通过句柄间接访问对象:这既避免了直接操作内核内存导致蓝屏,也让内核可以在句柄项中记录打开时授予的访问权限并在每次使用时进行检查。每个进程有自己的句柄表,由 _EPROCESS 中的 ObjectTable 字段指向;文中 _EPROCESS+0xc4 这个偏移只对特定版本的 32 位 Windows 成立,不同版本/架构下偏移不同,应在 WinDbg 中用 `dt nt!_EPROCESS` 确认,硬编码偏移是内核代码蓝屏的常见原因。"句柄项 = 句柄表基址 + 句柄值/4*8"同样只适用于 32 位的单级表(句柄值总是 4 的倍数,每个句柄项 8 字节;64 位下句柄项更大)。通过遍历其他进程的句柄表、查找指向本进程对象的句柄,可以判断自身是否被其他程序打开(例如被调试器或注入工具 OpenProcess)。
此外,内核自身还维护一个全局句柄表(一般指内核用来按进程/线程 ID 查找对应对象的那张表)。句柄表本身是多级结构:句柄数量超过一级表的容量后会扩展为两级、三级表,所以上面"句柄值/4*8"的单级索引方式在句柄较多的进程中并不成立。
