這節課來學習常規的通信方式，非常規方式在這里：

0環與3環通信非常規方式 —— 0環InlineHook

一、設備對象和3環窗口對象的類比

3環窗口程序中的MSG結構體和窗口對象，與0環的設備對象和IRP結構體的關系有點像：

我們在開發窗口程序的時候，消息被封裝成一個結構體：MSG，在內核開發時，消息被封裝成另外一個結構體：IRP(I/O Request Package)。

在窗口程序中，能夠接收消息的只能是窗口對象。在內核中，能夠接收IRP消息的只能是設備對象。

驅動程序原本的目的是用來控制硬件，但我們也可以用驅動做一些安全相關的事情，因為驅動運行在0環。為了控制驅動運行，我們需要在3環向驅動發數據，所以我們需要有一種方法來建立0環到3環的通信。本文介紹常規方式，也就是創建設備對象的方式。

二、數據交互方式

主要有兩種方式，數據量小，一般用拷貝緩沖區的方式(DO_BUFFERED_IO)；數據量大，一般用直接方式讀寫(DO_DIRECT_IO)。

緩沖區方式讀寫(DO_BUFFERED_IO) ：操作系統將應用程序提供緩沖區的數據復制到內核模式下的地址中。

直接方式讀寫(DO_DIRECT_IO) ：操作系統會將用戶模式下的緩沖區鎖住。然后操作系統將這段緩沖區在內核模式地址再次映射一遍。這樣，用戶模式的緩沖區和內核模式的緩沖區指向的是同一區域的物理內存。缺點就是要單獨占用物理頁面。

三、0環與3環通信實驗

更多細節，我打算放在代碼里，因為這部分內容都是按照Windows的規則調用API，沒什么特別的，有什么不懂查文檔即可。

驅動代碼

#include <ntddk.h>#define DEVICE_NAME L"\\Device\\HbgDev" #define SYMBOLICLINK_NAME L"\\??\\HbgDevLnk"#define OPER1 CTL_CODE(FILE_DEVICE_UNKNOWN,0x800,METHOD_BUFFERED,FILE_ANY_ACCESS) #define OPER2 CTL_CODE(FILE_DEVICE_UNKNOWN,0x900,METHOD_BUFFERED,FILE_ANY_ACCESS)// 函數聲明 NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING RegPath); VOID DriverUnload(PDRIVER_OBJECT pDriver); NTSTATUS IrpCreateProc(PDEVICE_OBJECT pDevObj, PIRP pIrp); NTSTATUS IrpCloseProc(PDEVICE_OBJECT pDevObj, PIRP pIrp); NTSTATUS IrpDeviceControlProc(PDEVICE_OBJECT pDevObj, PIRP pIrp);// 入口函數 NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING RegPath) {NTSTATUS status;ULONG uIndex = 0;PDEVICE_OBJECT pDeviceObj = NULL; // 設備對象指針UNICODE_STRING DeviceName; // 設備名，0環用UNICODE_STRING SymbolicLinkName; // 符號鏈接名，3環用// 創建設備名稱RtlInitUnicodeString(&DeviceName,DEVICE_NAME);// 創建設備status = IoCreateDevice(pDriver,0,&DeviceName,FILE_DEVICE_UNKNOWN,FILE_DEVICE_SECURE_OPEN,FALSE,&pDeviceObj);if (status != STATUS_SUCCESS){IoDeleteDevice(pDeviceObj);DbgPrint("創建設備失敗.\n");return status;}DbgPrint("創建設備成功.\n");// 設置交互數據的方式pDeviceObj->Flags |= DO_BUFFERED_IO;// 創建符號鏈接RtlInitUnicodeString(&SymbolicLinkName, SYMBOLICLINK_NAME);IoCreateSymbolicLink(&SymbolicLinkName, &DeviceName);// 設置分發函數pDriver->MajorFunction[IRP_MJ_CREATE] = IrpCreateProc;pDriver->MajorFunction[IRP_MJ_CLOSE] = IrpCloseProc;pDriver->MajorFunction[IRP_MJ_DEVICE_CONTROL] = IrpDeviceControlProc;// 設置卸載函數pDriver->DriverUnload = DriverUnload;return STATUS_SUCCESS; }// 卸載驅動 VOID DriverUnload(PDRIVER_OBJECT pDriver) {UNICODE_STRING SymbolicLinkName;// 刪除符號鏈接，刪除設備RtlInitUnicodeString(&SymbolicLinkName, SYMBOLICLINK_NAME);IoDeleteSymbolicLink(&SymbolicLinkName);IoDeleteDevice(pDriver->DeviceObject);DbgPrint("驅動卸載成功\n"); }// 不設置這個函數，則Ring3調用CreateFile會返回1 // IRP_MJ_CREATE 處理函數 NTSTATUS IrpCreateProc(PDEVICE_OBJECT pDevObj, PIRP pIrp) {DbgPrint("應用層連接設備.\n");// 返回狀態如果不設置，Ring3返回值是失敗pIrp->IoStatus.Status = STATUS_SUCCESS;pIrp->IoStatus.Information = 0;IoCompleteRequest(pIrp, IO_NO_INCREMENT);return STATUS_SUCCESS; }// IRP_MJ_CLOSE 處理函數 NTSTATUS IrpCloseProc(PDEVICE_OBJECT pDevObj, PIRP pIrp) {DbgPrint("應用層斷開連接設備.\n");// 返回狀態如果不設置，Ring3返回值是失敗pIrp->IoStatus.Status = STATUS_SUCCESS;pIrp->IoStatus.Information = 0;IoCompleteRequest(pIrp, IO_NO_INCREMENT);return STATUS_SUCCESS; }// IRP_MJ_DEVICE_CONTROL 處理函數 NTSTATUS IrpDeviceControlProc(PDEVICE_OBJECT pDevObj, PIRP pIrp) {// DbgPrint("IrpDeviceControlProc.\n");NTSTATUS status = STATUS_INVALID_DEVICE_REQUEST;PIO_STACK_LOCATION pIrpStack;ULONG uIoControlCode;PVOID pIoBuffer;ULONG uInLength;ULONG uOutLength;ULONG uRead;ULONG uWrite;// 設置臨時變量的值uRead = 0;uWrite = 0x12345678;// 獲取IRP數據pIrpStack = IoGetCurrentIrpStackLocation(pIrp);// 獲取控制碼uIoControlCode = pIrpStack->Parameters.DeviceIoControl.IoControlCode;// 獲取緩沖區地址（輸入輸出是同一個）pIoBuffer = pIrp->AssociatedIrp.SystemBuffer;// Ring3 發送數據的長度uInLength = pIrpStack->Parameters.DeviceIoControl.InputBufferLength;// Ring0 發送數據的長度uOutLength = pIrpStack->Parameters.DeviceIoControl.OutputBufferLength;switch (uIoControlCode){case OPER1:{DbgPrint("IrpDeviceControlProc -> OPER1...\n");pIrp->IoStatus.Information = 0;status = STATUS_SUCCESS;break;}case OPER2:{DbgPrint("IrpDeviceControlProc -> OPER2 輸入字節數: %d\n", uInLength);DbgPrint("IrpDeviceControlProc -> OPER2 輸出字節數: %d\n", uOutLength);// 讀取緩沖區memcpy(&uRead,pIoBuffer,4);DbgPrint("IrpDeviceControlProc -> OPER2 uRead: %x\n", uRead);// 寫入緩沖區memcpy(pIoBuffer, &uWrite, 4);// 設置狀態pIrp->IoStatus.Information = 2; // 返回兩字節status = STATUS_SUCCESS;break;}}// 返回狀態如果不設置，Ring3返回值是失敗pIrp->IoStatus.Status = status;IoCompleteRequest(pIrp, IO_NO_INCREMENT);return STATUS_SUCCESS; }

應用程序代碼

// IRPTest_R3.cpp : 定義控制臺應用程序的入口點。 //#include "stdafx.h" #include <Windows.h>//#define DEVICE_NAME L"\\Device\\HbgDev" #define SYMBOLICLINK_NAME L"\\\\.\\HbgDevLnk" #define OPER1 CTL_CODE(FILE_DEVICE_UNKNOWN,0x800,METHOD_BUFFERED,FILE_ANY_ACCESS) #define OPER2 CTL_CODE(FILE_DEVICE_UNKNOWN,0x900,METHOD_BUFFERED,FILE_ANY_ACCESS) #define IN_BUFFER_MAXLENGTH 4 #define OUT_BUFFER_MAXLENGTH 4int _tmain(int argc, _TCHAR* argv[]) {// 獲取設備句柄HANDLE hDevice = CreateFileW(SYMBOLICLINK_NAME,GENERIC_READ|GENERIC_WRITE,0,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);DWORD dwError = GetLastError();if (hDevice == INVALID_HANDLE_VALUE){ printf("獲取設備句柄失敗 %d.\n", dwError); // 如果返回1，請在驅動中指定 IRP_MJ_CREATE 處理函數getchar();return 1;}else{printf("獲取設備句柄成功.\n");}// 測試通信DWORD dwInBuffer = 0x11111111;DWORD dwOutBuffer = 0xFFFFFFFF;DWORD dwOut; DeviceIoControl(hDevice,OPER2,&dwInBuffer,IN_BUFFER_MAXLENGTH,&dwOutBuffer,OUT_BUFFER_MAXLENGTH,&dwOut,NULL);printf("dwOutBuffer: %08X dwOut: %08X\n", dwOutBuffer, dwOut);// 關閉設備CloseHandle(hDevice);getchar();return 0; }

運行結果

四、驅動加載程序

現在，希望自己編程實現驅動的注冊，運行，停止，卸載。

給出一個demo，包含一個能完成加法程序的驅動，以及對它進行操作的3環程序。
代碼較多，都是API的用法。

應用程序代碼

// 驅動加載.cpp : 定義控制臺應用程序的入口點。 //#include "stdafx.h" #include <Windows.h>// 編寫一個簡單的驅動，在驅動入口和卸載函數打印一些提示信息 // 這個驅動可以做加法，3環程序可以給他傳兩個4字節整數，驅動會返回相加的結果 #define DRIVER_NAME L"MathsDriver" #define DRIVER_PATH L"MathsDriver.sys" #define DRIVER_LINK L"\\\\.\\MathsDriverLnk" #define OPERADD CTL_CODE(FILE_DEVICE_UNKNOWN,0x900,METHOD_BUFFERED,FILE_ANY_ACCESS)BOOL LoadDriver(PCWSTR lpszDriverName, PCWSTR lpszDriverPath) {// 獲取驅動完整路徑WCHAR szDriverFullPath[MAX_PATH] = { 0 };GetFullPathNameW(lpszDriverPath,MAX_PATH,szDriverFullPath,NULL);//printf("%s\n", szDriverFullPath);// 打開服務控制管理器SC_HANDLE hServiceMgr = NULL; // SCM管理器句柄 hServiceMgr = OpenSCManagerW(NULL,NULL,SC_MANAGER_ALL_ACCESS);if (NULL == hServiceMgr){printf("OpenSCManagerW 失敗, %d\n", GetLastError());return FALSE;}printf("打開服務控制管理器成功.\n");// 創建驅動服務SC_HANDLE hServiceDDK = NULL; // NT驅動程序服務句柄hServiceDDK = CreateServiceW(hServiceMgr,lpszDriverName,lpszDriverName,SERVICE_ALL_ACCESS,SERVICE_KERNEL_DRIVER,SERVICE_DEMAND_START,SERVICE_ERROR_IGNORE,szDriverFullPath,NULL,NULL,NULL,NULL,NULL);if (NULL == hServiceDDK){DWORD dwErr = GetLastError();if (dwErr != ERROR_IO_PENDING && dwErr != ERROR_SERVICE_EXISTS){printf("創建驅動服務失敗, %d\n", dwErr);return FALSE;}}printf("創建驅動服務成功.\n");// 驅動服務已經創建，打開服務hServiceDDK = OpenServiceW(hServiceMgr,lpszDriverName,SERVICE_ALL_ACCESS);if (!StartService(hServiceDDK, NULL, NULL)){DWORD dwErr = GetLastError();if (dwErr != ERROR_SERVICE_ALREADY_RUNNING){printf("運行驅動服務失敗, %d\n", dwErr);return FALSE;}}printf("運行驅動服務成功.\n");if (hServiceDDK){CloseServiceHandle(hServiceDDK);}if (hServiceMgr){CloseServiceHandle(hServiceMgr);}return TRUE; }void RunMathDriver() {HANDLE hDevice = CreateFileW(DRIVER_LINK, GENERIC_READ|GENERIC_WRITE,0,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);if (hDevice == INVALID_HANDLE_VALUE){printf("創建設備失敗. %d\n", GetLastError());return;}// 加法DWORD n1 = 100, n2 = 50;BYTE InBuffer[8];DWORD OutBuffer;memcpy(InBuffer,&n1,4);memcpy(InBuffer+4,&n2,4);DWORD dwOut; DeviceIoControl(hDevice,OPERADD,InBuffer,8,&OutBuffer,4,&dwOut,NULL);printf("%d + %d = %d\n", n1, n2, OutBuffer);// 關閉設備CloseHandle(hDevice); }void UnLoadDriver(PCWSTR lpszDriverName) {SC_HANDLE hServiceMgr = OpenSCManagerW(0,0,SC_MANAGER_ALL_ACCESS);SC_HANDLE hServiceDDK = OpenServiceW(hServiceMgr,lpszDriverName,SERVICE_ALL_ACCESS);SERVICE_STATUS SvrStatus;ControlService(hServiceDDK,SERVICE_CONTROL_STOP,&SvrStatus);DeleteService(hServiceDDK);if (hServiceDDK){CloseServiceHandle(hServiceDDK);}if (hServiceMgr){CloseServiceHandle(hServiceMgr);} }int _tmain(int argc, _TCHAR* argv[]) {if (!LoadDriver(DRIVER_NAME, DRIVER_PATH)){printf("加載驅動失敗.\n");getchar();return 1;}RunMathDriver();UnLoadDriver(DRIVER_NAME);getchar();return 0; }

驅動代碼

注意，驅動項目名應和三環中定義的 DRIVER_NAME 一致。

#include <ntddk.h>// 編寫一個簡單的驅動，在驅動入口和卸載函數打印一些提示信息 // 這個驅動可以做加法，3環程序可以給他傳兩個4字節整數，驅動會返回相加的結果 #define DEVICE_NAME L"\\Device\\MathsDriverDev" #define DRIVER_LINK L"\\??\\MathsDriverLnk" #define OPERADD CTL_CODE(FILE_DEVICE_UNKNOWN,0x900,METHOD_BUFFERED,FILE_ANY_ACCESS)// 函數聲明 NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING RegPath); VOID DriverUnload(PDRIVER_OBJECT pDriver); NTSTATUS IrpCreateProc(PDEVICE_OBJECT pDevObj, PIRP pIrp); NTSTATUS IrpCloseProc(PDEVICE_OBJECT pDevObj, PIRP pIrp); NTSTATUS IrpDeviceControlProc(PDEVICE_OBJECT pDevObj, PIRP pIrp);// 入口函數 NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING RegPath) {NTSTATUS status;ULONG uIndex = 0;PDEVICE_OBJECT pDeviceObj = NULL; // 設備對象指針UNICODE_STRING DeviceName; // 設備名，0環用UNICODE_STRING SymbolicLinkName; // 符號鏈接名，3環用// 創建設備名稱RtlInitUnicodeString(&DeviceName,DEVICE_NAME);// 創建設備status = IoCreateDevice(pDriver,0,&DeviceName,FILE_DEVICE_UNKNOWN,FILE_DEVICE_SECURE_OPEN,FALSE,&pDeviceObj);if (status != STATUS_SUCCESS){IoDeleteDevice(pDeviceObj);DbgPrint("創建設備失敗.\n");return status;}DbgPrint("創建設備成功.\n");// 設置交互數據的方式pDeviceObj->Flags |= DO_BUFFERED_IO;// 創建符號鏈接RtlInitUnicodeString(&SymbolicLinkName, DRIVER_LINK);IoCreateSymbolicLink(&SymbolicLinkName, &DeviceName);// 設置分發函數pDriver->MajorFunction[IRP_MJ_CREATE] = IrpCreateProc;pDriver->MajorFunction[IRP_MJ_CLOSE] = IrpCloseProc;pDriver->MajorFunction[IRP_MJ_DEVICE_CONTROL] = IrpDeviceControlProc;// 設置卸載函數pDriver->DriverUnload = DriverUnload;return STATUS_SUCCESS; }// 卸載驅動 VOID DriverUnload(PDRIVER_OBJECT pDriver) {UNICODE_STRING SymbolicLinkName;// 刪除符號鏈接，刪除設備RtlInitUnicodeString(&SymbolicLinkName, DRIVER_LINK);IoDeleteSymbolicLink(&SymbolicLinkName);IoDeleteDevice(pDriver->DeviceObject);DbgPrint("驅動卸載成功\n"); }// 不設置這個函數，則Ring3調用CreateFile會返回1 // IRP_MJ_CREATE 處理函數 NTSTATUS IrpCreateProc(PDEVICE_OBJECT pDevObj, PIRP pIrp) {DbgPrint("應用層連接設備.\n");// 返回狀態如果不設置，Ring3返回值是失敗pIrp->IoStatus.Status = STATUS_SUCCESS;pIrp->IoStatus.Information = 0;IoCompleteRequest(pIrp, IO_NO_INCREMENT);return STATUS_SUCCESS; }// IRP_MJ_CLOSE 處理函數 NTSTATUS IrpCloseProc(PDEVICE_OBJECT pDevObj, PIRP pIrp) {DbgPrint("應用層斷開連接設備.\n");// 返回狀態如果不設置，Ring3返回值是失敗pIrp->IoStatus.Status = STATUS_SUCCESS;pIrp->IoStatus.Information = 0;IoCompleteRequest(pIrp, IO_NO_INCREMENT);return STATUS_SUCCESS; }// IRP_MJ_DEVICE_CONTROL 處理函數 NTSTATUS IrpDeviceControlProc(PDEVICE_OBJECT pDevObj, PIRP pIrp) {// DbgPrint("IrpDeviceControlProc.\n");NTSTATUS status = STATUS_INVALID_DEVICE_REQUEST;PIO_STACK_LOCATION pIrpStack;ULONG uIoControlCode;PVOID pIoBuffer;ULONG uInLength;ULONG uOutLength;ULONG uRead1;ULONG uRead2;ULONG uWrite;// 設置臨時變量的值uRead1 = uRead2 = 0;uWrite = 0x12345678;// 獲取IRP數據pIrpStack = IoGetCurrentIrpStackLocation(pIrp);// 獲取控制碼uIoControlCode = pIrpStack->Parameters.DeviceIoControl.IoControlCode;// 獲取緩沖區地址（輸入輸出是同一個）pIoBuffer = pIrp->AssociatedIrp.SystemBuffer;// Ring3 發送數據的長度uInLength = pIrpStack->Parameters.DeviceIoControl.InputBufferLength;// Ring0 發送數據的長度uOutLength = pIrpStack->Parameters.DeviceIoControl.OutputBufferLength;switch (uIoControlCode){case OPERADD:{// 讀取緩沖區memcpy(&uRead1,pIoBuffer,4);memcpy(&uRead2,(PUCHAR)pIoBuffer+4,4); uWrite = uRead1 + uRead2;// 寫入緩沖區memcpy(pIoBuffer, &uWrite, 4);// 設置狀態pIrp->IoStatus.Information = 4;status = STATUS_SUCCESS;break;}}// 返回狀態如果不設置，Ring3返回值是失敗pIrp->IoStatus.Status = status;IoCompleteRequest(pIrp, IO_NO_INCREMENT);return STATUS_SUCCESS; }

運行結果

五、進程終結工具（基于 PspTerminateProcess）

關于未導出函數 PspTerminateProcess，可以看上一篇博客：《內核空間與內核模塊》

編寫一個3環程序，可以將任意一個進程的名字傳遞給0環的驅動程序，如果這個進程存在，驅動程序將該進程終結.

將要求中的傳遞進程名改成傳遞PID，這樣會省事很多。另外，如果工具可以以一個單文件的形式存在，即不帶sys文件，那么看起來會高級不少，然而我現在無法完成該需求，如果你知道怎么做，請在評論中留言。

這個項目和第四大點的demo非常像，3環部分，只需將傳遞兩個4字節加數改成傳遞一個4字節PID，并且修改一下宏定義中，驅動項目的名字即可。

3環代碼

// 驅動加載.cpp : 定義控制臺應用程序的入口點。 //#include "stdafx.h" #include <Windows.h>#define DRIVER_NAME L"HbgProcessKillerDriver" #define DRIVER_PATH L"HbgProcessKillerDriver.sys" #define DRIVER_LINK L"\\\\.\\HbgProcessKillerDriverLnk" #define OPERKILLPID CTL_CODE(FILE_DEVICE_UNKNOWN,0x900,METHOD_BUFFERED,FILE_ANY_ACCESS)BOOL LoadDriver(PCWSTR lpszDriverName, PCWSTR lpszDriverPath) {// 獲取驅動完整路徑WCHAR szDriverFullPath[MAX_PATH] = { 0 };GetFullPathNameW(lpszDriverPath,MAX_PATH,szDriverFullPath,NULL);//printf("%s\n", szDriverFullPath);// 打開服務控制管理器SC_HANDLE hServiceMgr = NULL; // SCM管理器句柄 hServiceMgr = OpenSCManagerW(NULL,NULL,SC_MANAGER_ALL_ACCESS);if (NULL == hServiceMgr){printf("OpenSCManagerW 失敗, %d\n", GetLastError());return FALSE;}printf("打開服務控制管理器成功.\n");// 創建驅動服務SC_HANDLE hServiceDDK = NULL; // NT驅動程序服務句柄hServiceDDK = CreateServiceW(hServiceMgr,lpszDriverName,lpszDriverName,SERVICE_ALL_ACCESS,SERVICE_KERNEL_DRIVER,SERVICE_DEMAND_START,SERVICE_ERROR_IGNORE,szDriverFullPath,NULL,NULL,NULL,NULL,NULL);if (NULL == hServiceDDK){DWORD dwErr = GetLastError();if (dwErr != ERROR_IO_PENDING && dwErr != ERROR_SERVICE_EXISTS){printf("創建驅動服務失敗, %d\n", dwErr);return FALSE;}}printf("創建驅動服務成功.\n");// 驅動服務已經創建，打開服務hServiceDDK = OpenServiceW(hServiceMgr,lpszDriverName,SERVICE_ALL_ACCESS);if (!StartService(hServiceDDK, NULL, NULL)){DWORD dwErr = GetLastError();if (dwErr != ERROR_SERVICE_ALREADY_RUNNING){printf("運行驅動服務失敗, %d\n", dwErr);return FALSE;}}printf("運行驅動服務成功.\n");if (hServiceDDK){CloseServiceHandle(hServiceDDK);}if (hServiceMgr){CloseServiceHandle(hServiceMgr);}return TRUE; }void TransferPID() {HANDLE hDevice = CreateFileW(DRIVER_LINK, GENERIC_READ|GENERIC_WRITE,0,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0);if (hDevice == INVALID_HANDLE_VALUE){printf("創建設備失敗. %d\n", GetLastError());return;}DWORD InBuffer;DWORD OutBuffer; DWORD dwOut;printf("請輸入你要干掉的進程PID：");scanf("%d", &InBuffer);DeviceIoControl(hDevice,OPERKILLPID,&InBuffer,4,&OutBuffer,4,&dwOut,NULL); // 關閉設備CloseHandle(hDevice); }void UnLoadDriver(PCWSTR lpszDriverName) {SC_HANDLE hServiceMgr = OpenSCManagerW(0,0,SC_MANAGER_ALL_ACCESS);SC_HANDLE hServiceDDK = OpenServiceW(hServiceMgr,lpszDriverName,SERVICE_ALL_ACCESS);SERVICE_STATUS SvrStatus;ControlService(hServiceDDK,SERVICE_CONTROL_STOP,&SvrStatus);DeleteService(hServiceDDK);if (hServiceDDK){CloseServiceHandle(hServiceDDK);}if (hServiceMgr){CloseServiceHandle(hServiceMgr);} }int _tmain(int argc, _TCHAR* argv[]) {if (!LoadDriver(DRIVER_NAME, DRIVER_PATH)){printf("加載驅動失敗.\n");getchar();return 1;}TransferPID();UnLoadDriver(DRIVER_NAME);getchar();getchar();return 0; }

驅動代碼

#include <ntddk.h>#define DEVICE_NAME L"\\Device\\HbgProcessKillerDriverDev" #define DRIVER_LINK L"\\??\\HbgProcessKillerDriverLnk" #define OPERKILLPID CTL_CODE(FILE_DEVICE_UNKNOWN,0x900,METHOD_BUFFERED,FILE_ANY_ACCESS)// 結構聲明 typedef struct _LDR_DATA_TABLE_ENTRY {LIST_ENTRY InLoadOrderLinks;LIST_ENTRY InMemoryOrderLinks;LIST_ENTRY InInitializationOrderLinks;PVOID DllBase;PVOID EntryPoint;UINT32 SizeOfImage;UNICODE_STRING FullDllName;UNICODE_STRING BaseDllName;UINT32 Flags;UINT16 LoadCount;UINT16 TlsIndex;LIST_ENTRY HashLinks;PVOID SectionPointer;UINT32 CheckSum;UINT32 TimeDateStamp;PVOID LoadedImports;PVOID EntryPointActivationContext;PVOID PatchInformation; } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;// 全局變量 PDRIVER_OBJECT g_pDriver;// 函數聲明 NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING RegPath); VOID DriverUnload(PDRIVER_OBJECT pDriver); NTSTATUS IrpCreateProc(PDEVICE_OBJECT pDevObj, PIRP pIrp); NTSTATUS IrpCloseProc(PDEVICE_OBJECT pDevObj, PIRP pIrp); NTSTATUS IrpDeviceControlProc(PDEVICE_OBJECT pDevObj, PIRP pIrp); VOID GetKernelBase(PDRIVER_OBJECT driver, PVOID *pKrnlBase, PUINT32 uKrnlImageSize); PVOID MemorySearch(PVOID bytecode, UINT32 bytecodeLen, PVOID pBeginAddress, PVOID pEndAddress); void KillPid(ULONG uPid, PDRIVER_OBJECT driver);// 入口函數 NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING RegPath) {NTSTATUS status;ULONG uIndex = 0;PDEVICE_OBJECT pDeviceObj = NULL; // 設備對象指針UNICODE_STRING DeviceName; // 設備名，0環用UNICODE_STRING SymbolicLinkName; // 符號鏈接名，3環用g_pDriver = pDriver;// 創建設備名稱RtlInitUnicodeString(&DeviceName,DEVICE_NAME);// 創建設備status = IoCreateDevice(pDriver,0,&DeviceName,FILE_DEVICE_UNKNOWN,FILE_DEVICE_SECURE_OPEN,FALSE,&pDeviceObj);if (status != STATUS_SUCCESS){IoDeleteDevice(pDeviceObj);DbgPrint("創建設備失敗.\n");return status;}DbgPrint("創建設備成功.\n");// 設置交互數據的方式pDeviceObj->Flags |= DO_BUFFERED_IO;// 創建符號鏈接RtlInitUnicodeString(&SymbolicLinkName, DRIVER_LINK);IoCreateSymbolicLink(&SymbolicLinkName, &DeviceName);// 設置分發函數pDriver->MajorFunction[IRP_MJ_CREATE] = IrpCreateProc;pDriver->MajorFunction[IRP_MJ_CLOSE] = IrpCloseProc;pDriver->MajorFunction[IRP_MJ_DEVICE_CONTROL] = IrpDeviceControlProc;// 設置卸載函數pDriver->DriverUnload = DriverUnload;return STATUS_SUCCESS; }// 卸載驅動 VOID DriverUnload(PDRIVER_OBJECT pDriver) {UNICODE_STRING SymbolicLinkName;// 刪除符號鏈接，刪除設備RtlInitUnicodeString(&SymbolicLinkName, DRIVER_LINK);IoDeleteSymbolicLink(&SymbolicLinkName);IoDeleteDevice(pDriver->DeviceObject);DbgPrint("驅動卸載成功\n"); }// 不設置這個函數，則Ring3調用CreateFile會返回1 // IRP_MJ_CREATE 處理函數 NTSTATUS IrpCreateProc(PDEVICE_OBJECT pDevObj, PIRP pIrp) {DbgPrint("應用層連接設備.\n");// 返回狀態如果不設置，Ring3返回值是失敗pIrp->IoStatus.Status = STATUS_SUCCESS;pIrp->IoStatus.Information = 0;IoCompleteRequest(pIrp, IO_NO_INCREMENT);return STATUS_SUCCESS; }// IRP_MJ_CLOSE 處理函數 NTSTATUS IrpCloseProc(PDEVICE_OBJECT pDevObj, PIRP pIrp) {DbgPrint("應用層斷開連接設備.\n");// 返回狀態如果不設置，Ring3返回值是失敗pIrp->IoStatus.Status = STATUS_SUCCESS;pIrp->IoStatus.Information = 0;IoCompleteRequest(pIrp, IO_NO_INCREMENT);return STATUS_SUCCESS; }// IRP_MJ_DEVICE_CONTROL 處理函數 NTSTATUS IrpDeviceControlProc(PDEVICE_OBJECT pDevObj, PIRP pIrp) {// DbgPrint("IrpDeviceControlProc.\n");NTSTATUS status = STATUS_INVALID_DEVICE_REQUEST;PIO_STACK_LOCATION pIrpStack;ULONG uIoControlCode;PVOID pIoBuffer;ULONG uInLength;ULONG uOutLength;ULONG uPid; // 要關閉的進程號ULONG uRet; // PspTerminateProcess 返回值返回給3環// 設置臨時變量的值uPid = uRet = 0;// 獲取IRP數據pIrpStack = IoGetCurrentIrpStackLocation(pIrp);// 獲取控制碼uIoControlCode = pIrpStack->Parameters.DeviceIoControl.IoControlCode;// 獲取緩沖區地址（輸入輸出是同一個）pIoBuffer = pIrp->AssociatedIrp.SystemBuffer;// Ring3 發送數據的長度uInLength = pIrpStack->Parameters.DeviceIoControl.InputBufferLength;// Ring0 發送數據的長度uOutLength = pIrpStack->Parameters.DeviceIoControl.OutputBufferLength;switch (uIoControlCode){case OPERKILLPID:{// 讀取緩沖區memcpy(&uPid,pIoBuffer,4);// 調用 PspTerminateProcessKillPid(uPid,g_pDriver);// 寫入緩沖區memcpy(pIoBuffer, &uRet, 4);// 設置狀態pIrp->IoStatus.Information = 4;status = STATUS_SUCCESS;break;}}// 返回狀態如果不設置，Ring3返回值是失敗pIrp->IoStatus.Status = status;IoCompleteRequest(pIrp, IO_NO_INCREMENT);return STATUS_SUCCESS; }// 獲取內核基址，大小 VOID GetKernelBase(PDRIVER_OBJECT driver, PVOID *pKrnlBase, PUINT32 uKrnlImageSize) {PLDR_DATA_TABLE_ENTRY pLdteHead; // 內核模塊鏈表頭PLDR_DATA_TABLE_ENTRY pLdteCur; // 遍歷指針UNICODE_STRING usKrnlBaseDllName; // 內核模塊名RtlInitUnicodeString(&usKrnlBaseDllName,L"ntoskrnl.exe");pLdteHead = (PLDR_DATA_TABLE_ENTRY)driver->DriverSection;pLdteCur = pLdteHead;do {PLDR_DATA_TABLE_ENTRY pLdte = CONTAINING_RECORD(pLdteCur, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);//DbgPrint("DllBase: %p, SizeOfImage: %08X %wZ\n", pLdteCur->DllBase, pLdteCur->SizeOfImage, &(pLdteCur->FullDllName));if (RtlCompareUnicodeString(&pLdteCur->BaseDllName, &usKrnlBaseDllName, TRUE) == 0){*pKrnlBase = pLdteCur->DllBase;*uKrnlImageSize = pLdteCur->SizeOfImage;return;}pLdteCur = (PLDR_DATA_TABLE_ENTRY)pLdteCur->InLoadOrderLinks.Flink;} while (pLdteHead != pLdteCur);return; }// 特征碼搜索 PVOID MemorySearch(PVOID bytecode, UINT32 bytecodeLen, PVOID pBeginAddress, PVOID pEndAddress) {PVOID pCur = pBeginAddress;while (pCur != pEndAddress){if (RtlCompareMemory(bytecode,pCur,bytecodeLen) == bytecodeLen){return pCur;}((UINT32)pCur)++;}return 0; }// 殺進程 void KillPid(ULONG uPid, PDRIVER_OBJECT driver) {typedef NTSTATUS (*_PspTerminateProcess)(PEPROCESS pEprocess, NTSTATUS ExitCode);_PspTerminateProcess PspTerminateProcess;UINT32 bytecode[] = {0x0124a164, 0x758b0000, 0x44703b08, 0x0db80775,0xebc00000, 0xbe8d575a, 0x00000248, 0x200147f6,0x868d1274, 0x00000174};PVOID pKrnlBase; // 內核基址UINT32 uKrnlImageSize; // 內核大小PEPROCESS pEprocess; // 要關閉的進程的EPROCESS// 獲取內核模塊基址和大小GetKernelBase(driver, &pKrnlBase, &uKrnlImageSize);//DbgPrint("內核基址: %p，大小: %X\n", pKrnlBase, uKrnlImageSize);// 獲取 PspTerminateProcess 函數地址PspTerminateProcess = (_PspTerminateProcess)((UINT32)MemorySearch( \bytecode,sizeof(bytecode),pKrnlBase,(PVOID)((UINT32)pKrnlBase+uKrnlImageSize)) - 6);//DbgPrint("PspTerminateProcess: %p\n", PspTerminateProcess);// 根據PID獲取EPROCESSPsLookupProcessByProcessId((HANDLE)uPid,&pEprocess);// 調用 PspTerminateProcess 關閉進程PspTerminateProcess(pEprocess, 0); }

關進程前

關進程后

總結

以上是生活随笔為你收集整理的（37）0环与3环通信常规方式，PspTerminateProcess 关闭进程工具的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。