微软的wdk开发包里自带了一些sample,这是些质量不错并且权威的学习资料,最好的学习驱动的方法就是阅读和修改这些代码。其中Ramdisk实现了一个虚拟磁盘,可以作为WDF编程的经典代码材料,《寒江独钓-Windows内核安全编程》第5章“磁盘的虚拟”便以此为例,这篇博客是一篇学习总结。
驱动的入口函数很简洁:
NTSTATUS
DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
)
{
WDF_DRIVER_CONFIG config;
KdPrint(("Windows Ramdisk Driver - Driver Framework Edition.\n"));
WDF_DRIVER_CONFIG_INIT( &config, RamDiskEvtDeviceAdd );
return WdfDriverCreate(DriverObject, RegistryPath, WDF_NO_OBJECT_ATTRIBUTES, &config, WDF_NO_HANDLE);
}
上面代码最主要的任务就是创建一个“驱动对象”并马上返回了,我们看WDF_DRIVER_CONFIG这个玩意:
typedef struct _WDF_DRIVER_CONFIG {
ULONG Size; //这个结构体的大小,以自己为单位;
PFN_WDF_DRIVER_DEVICE_ADD EvtDriverDeviceAdd; //Windows驱动的EvtDriverDeviceAdd回调函数指针;
PFN_WDF_DRIVER_UNLOAD EvtDriverUnload; //Windows驱动的EvtDriverUnload回调函数指针;
ULONG DriverInitFlags; //驱动初始化标志位,由一个或者多个WDF_DRIVER_INIT_FLAGS类型值构成;
ULONG DriverPoolTag; //驱动定义的内存池标签,是Framework分配给驱动的内存标签。调试时可以显示这个标签。
} WDF_DRIVER_CONFIG, *PWDF_DRIVER_CONFIG;
上面的WDF_DRIVER_CONFIG_INIT( &config, RamDiskEvtDeviceAdd );其实就是把 RamDiskEvtDeviceAdd 赋给结构体的第2项。上面有注释,它是一个回调函数指针,注意这是一个非常重要的参数,因为创建完驱动对象后主函数就返回了,而这个回调函数是后面驱动和系统联系起来的唯一纽带,在今后系统运行过程中,一旦发现了此类设备, RamDiskEvtDeviceAdd就会被 Windows 的PnP manager调用,这个驱动的处理流程也将在此后上演。
接下来看 RamDiskEvtDeviceAdd 这个函数:
NTSTATUS
RamDiskEvtDeviceAdd(
IN WDFDRIVER Driver,
IN PWDFDEVICE_INIT DeviceInit
)
{
WDF_OBJECT_ATTRIBUTES deviceAttributes; //将建立的设备对象的属性描述变量
NTSTATUS status;
WDFDEVICE device; //将建立的设备
WDF_OBJECT_ATTRIBUTES queueAttributes; //将要建立的队列对象的属性描述变量
WDF_IO_QUEUE_CONFIG ioQueueConfig; //将要建立的队列配置变量
PDEVICE_EXTENSION pDeviceExtension; //此设备所对应的设备扩展域的指针
PQUEUE_EXTENSION pQueueContext = NULL; //将要建立的队列扩展域的指针
WDFQUEUE queue; //将要建立的队列
DECLARE_CONST_UNICODE_STRING(ntDeviceName, NT_DEVICE_NAME);
PAGED_CODE();
UNREFERENCED_PARAMETER(Driver); //此函数不使用Driver参数,加这句为避免编译告警
status = WdfDeviceInitAssignName(DeviceInit, &ntDeviceName); //1.为设备指定名字
if (!NT_SUCCESS(status)) {
return status;
}
//2.设置设备的一些属性
WdfDeviceInitSetDeviceType(DeviceInit, FILE_DEVICE_DISK);
WdfDeviceInitSetIoType(DeviceInit, WdfDeviceIoDirect);
WdfDeviceInitSetExclusive(DeviceInit, FALSE);
//指定设备的设备对象扩展
WDF_OBJECT_ATTRIBUTES_INIT_CONTEXT_TYPE(&deviceAttributes, DEVICE_EXTENSION);
deviceAttributes.EvtCleanupCallback = RamDiskEvtDeviceContextCleanup; //建立设备的清除回调函数
//3.创建设备
status = WdfDeviceCreate(&DeviceInit, &deviceAttributes, &device);
if (!NT_SUCCESS(status)) {
return status;
}
//声明一个指向设备扩展的指针
pDeviceExtension = DeviceGetExtension(device);
//将队列的配置变量初始化为默认值
WDF_IO_QUEUE_CONFIG_INIT_DEFAULT_QUEUE (
&ioQueueConfig,
WdfIoQueueDispatchSequential
);
//设置我们感兴趣的请求的处理函数,这里处理了Read/Write/DeviceIoControl请求
ioQueueConfig.EvtIoDeviceControl = RamDiskEvtIoDeviceControl;
ioQueueConfig.EvtIoRead = RamDiskEvtIoRead;
ioQueueConfig.EvtIoWrite = RamDiskEvtIoWrite;
WDF_OBJECT_ATTRIBUTES_INIT_CONTEXT_TYPE(&queueAttributes, QUEUE_EXTENSION); //指定一下队列的队列对象扩展
__analysis_assume(ioQueueConfig.EvtIoStop != 0);
status = WdfIoQueueCreate( device, //4.用初始化好的参数创建队列
&ioQueueConfig,
&queueAttributes,
&queue );
__analysis_assume(ioQueueConfig.EvtIoStop == 0);
if (!NT_SUCCESS(status)) {
return status;
}
pQueueContext = QueueGetExtension(queue); //指向队列设备扩展的指针
pQueueContext->DeviceExtension = pDeviceExtension; //队列扩展与设备扩展关联起来
//设备扩展中几个值的初始化
pDeviceExtension->DiskRegInfo.DriveLetter.Buffer =
(PWSTR) &pDeviceExtension->DriveLetterBuffer;
pDeviceExtension->DiskRegInfo.DriveLetter.MaximumLength =
sizeof(pDeviceExtension->DriveLetterBuffer);
//从本驱动提供的注册表键中取信息
RamDiskQueryDiskRegParameters(
WdfDriverGetRegistryPath(WdfDeviceGetDriver(device)),
&pDeviceExtension->DiskRegInfo
);
//分配指定大小的非分页内存
pDeviceExtension->DiskImage = ExAllocatePoolWithTag(
NonPagedPool,
pDeviceExtension->DiskRegInfo.DiskSize,
RAMDISK_TAG
);
if (pDeviceExtension->DiskImage) {
UNICODE_STRING deviceName;
UNICODE_STRING win32Name;
//初始化磁盘的函数,属于业务逻辑部分,这里不同的功能代码替换之
RamDiskFormatDisk(pDeviceExtension);
status = STATUS_SUCCESS;
RtlInitUnicodeString(&win32Name, DOS_DEVICE_NAME);
RtlInitUnicodeString(&deviceName, NT_DEVICE_NAME);
pDeviceExtension->SymbolicLink.Buffer = (PWSTR)
&pDeviceExtension->DosDeviceNameBuffer;
pDeviceExtension->SymbolicLink.MaximumLength =
sizeof(pDeviceExtension->DosDeviceNameBuffer);
pDeviceExtension->SymbolicLink.Length = win32Name.Length;
RtlCopyUnicodeString(&pDeviceExtension->SymbolicLink, &win32Name);
RtlAppendUnicodeStringToString(&pDeviceExtension->SymbolicLink,
&pDeviceExtension->DiskRegInfo.DriveLetter);
//5.为设备建立符号链接,即DOS_DEVICE_NAME+注册表中读取的盘符
status = WdfDeviceCreateSymbolicLink(device,
&pDeviceExtension->SymbolicLink);
}
return status;
}
上面代码注释的已经比较清晰,再简要描述一下我们做了什么。
首先创建一个“驱动对象”,并设置一个 RamDiskEvtDeviceAdd 回调函数,这个回调函数很重要,它是驱动和系统相联系的纽带。在 RamDiskEvtDeviceAdd 函数里面,最重要的任务便是建立一个“设备对象”,在这之后各种请求就会纷至踏来。而如何处理这些请求呢,一种常用的方式就是使用队列,把接收到的请求放入一个或多个队列中,另一个线程去处理这些队列,这是一个典型的生产者——消费者模型。为了方便我们编程,微软实现了这个轮子,这显然比我们自己处理方便许多,这里用到了“队列对象”。
目前为止我们用到了3个内核对象,分别是“驱动对象”,“设备对象”,“队列对象”,现在来总结一下他们有没有共性。
1.“对象”都有可配置的属性,如“驱动对象”通过WDF_DRIVER_CONFIG变量,“设备对象”和“队列对象”的WDF_OBJECT_ATTRIBUTES变量,“队列对象”的WDF_IO_QUEUE_CONFIG变量。
2.正确处理这上述“对象”结构的各个成员,那么驱动就实现它的功能了,这是使用框架开发带来的便捷。我们的编程工作最终就变成了:创建一个个“对象”,并妥善处理好它们。
现在我们还有几个问题没有处理,一是初始化磁盘的业务逻辑部分,二是请求的处理部分,三是设备的清除回调函数部分,下面分别说明。
初始化磁盘属于业务逻辑,与我们想要说明的WDF编程框架并没有联系,所以不作代码注释,如下:
NTSTATUS
RamDiskFormatDisk(
IN PDEVICE_EXTENSION devExt
)
{
PBOOT_SECTOR bootSector = (PBOOT_SECTOR) devExt->DiskImage;
PUCHAR firstFatSector;
ULONG rootDirEntries;
ULONG sectorsPerCluster;
USHORT fatType; // Type FAT 12 or 16
USHORT fatEntries; // Number of cluster entries in FAT
USHORT fatSectorCnt; // Number of sectors for FAT
PDIR_ENTRY rootDir; // Pointer to first entry in root dir
PAGED_CODE();
ASSERT(sizeof(BOOT_SECTOR) == 512);
ASSERT(devExt->DiskImage != NULL);
RtlZeroMemory(devExt->DiskImage, devExt->DiskRegInfo.DiskSize);
devExt->DiskGeometry.BytesPerSector = 512;
devExt->DiskGeometry.SectorsPerTrack = 32; // Using Ramdisk value
devExt->DiskGeometry.TracksPerCylinder = 2; // Using Ramdisk value
devExt->DiskGeometry.Cylinders.QuadPart = devExt->DiskRegInfo.DiskSize / 512 / 32 / 2;
devExt->DiskGeometry.MediaType = RAMDISK_MEDIA_TYPE;
KdPrint((
"Cylinders: %I64d\n TracksPerCylinder: %lu\n SectorsPerTrack: %lu\n BytesPerSector: %lu\n",
devExt->DiskGeometry.Cylinders.QuadPart, devExt->DiskGeometry.TracksPerCylinder,
devExt->DiskGeometry.SectorsPerTrack, devExt->DiskGeometry.BytesPerSector
));
rootDirEntries = devExt->DiskRegInfo.RootDirEntries;
sectorsPerCluster = devExt->DiskRegInfo.SectorsPerCluster;
if (rootDirEntries & (DIR_ENTRIES_PER_SECTOR - 1)) {
rootDirEntries =
(rootDirEntries + (DIR_ENTRIES_PER_SECTOR - 1)) &
~ (DIR_ENTRIES_PER_SECTOR - 1);
}
KdPrint((
"Root dir entries: %lu\n Sectors/cluster: %lu\n",
rootDirEntries, sectorsPerCluster
));
bootSector->bsJump[0] = 0xeb;
bootSector->bsJump[1] = 0x3c;
bootSector->bsJump[2] = 0x90;
bootSector->bsOemName[0] = ‘R‘;
bootSector->bsOemName[1] = ‘a‘;
bootSector->bsOemName[2] = ‘j‘;
bootSector->bsOemName[3] = ‘u‘;
bootSector->bsOemName[4] = ‘R‘;
bootSector->bsOemName[5] = ‘a‘;
bootSector->bsOemName[6] = ‘m‘;
bootSector->bsOemName[7] = ‘ ‘;
bootSector->bsBytesPerSec = (SHORT)devExt->DiskGeometry.BytesPerSector;
bootSector->bsResSectors = 1;
bootSector->bsFATs = 1;
bootSector->bsRootDirEnts = (USHORT)rootDirEntries;
bootSector->bsSectors = (USHORT)(devExt->DiskRegInfo.DiskSize /
devExt->DiskGeometry.BytesPerSector);
bootSector->bsMedia = (UCHAR)devExt->DiskGeometry.MediaType;
bootSector->bsSecPerClus = (UCHAR)sectorsPerCluster;
fatEntries =
(bootSector->bsSectors - bootSector->bsResSectors -
bootSector->bsRootDirEnts / DIR_ENTRIES_PER_SECTOR) /
bootSector->bsSecPerClus + 2;
if (fatEntries > 4087) {
fatType = 16;
fatSectorCnt = (fatEntries * 2 + 511) / 512;
fatEntries = fatEntries + fatSectorCnt;
fatSectorCnt = (fatEntries * 2 + 511) / 512;
}
else {
fatType = 12;
fatSectorCnt = (((fatEntries * 3 + 1) / 2) + 511) / 512;
fatEntries = fatEntries + fatSectorCnt;
fatSectorCnt = (((fatEntries * 3 + 1) / 2) + 511) / 512;
}
bootSector->bsFATsecs = fatSectorCnt;
bootSector->bsSecPerTrack = (USHORT)devExt->DiskGeometry.SectorsPerTrack;
bootSector->bsHeads = (USHORT)devExt->DiskGeometry.TracksPerCylinder;
bootSector->bsBootSignature = 0x29;
bootSector->bsVolumeID = 0x12345678;
bootSector->bsLabel[0] = ‘R‘;
bootSector->bsLabel[1] = ‘a‘;
bootSector->bsLabel[2] = ‘m‘;
bootSector->bsLabel[3] = ‘D‘;
bootSector->bsLabel[4] = ‘i‘;
bootSector->bsLabel[5] = ‘s‘;
bootSector->bsLabel[6] = ‘k‘;
bootSector->bsLabel[7] = ‘ ‘;
bootSector->bsLabel[8] = ‘ ‘;
bootSector->bsLabel[9] = ‘ ‘;
bootSector->bsLabel[10] = ‘ ‘;
bootSector->bsFileSystemType[0] = ‘F‘;
bootSector->bsFileSystemType[1] = ‘A‘;
bootSector->bsFileSystemType[2] = ‘T‘;
bootSector->bsFileSystemType[3] = ‘1‘;
bootSector->bsFileSystemType[4] = ‘?‘;
bootSector->bsFileSystemType[5] = ‘ ‘;
bootSector->bsFileSystemType[6] = ‘ ‘;
bootSector->bsFileSystemType[7] = ‘ ‘;
bootSector->bsFileSystemType[4] = ( fatType == 16 ) ? ‘6‘ : ‘2‘;
bootSector->bsSig2[0] = 0x55;
bootSector->bsSig2[1] = 0xAA;
firstFatSector = (PUCHAR)(bootSector + 1);
firstFatSector[0] = (UCHAR)devExt->DiskGeometry.MediaType;
firstFatSector[1] = 0xFF;
firstFatSector[2] = 0xFF;
if (fatType == 16) {
firstFatSector[3] = 0xFF;
}
rootDir = (PDIR_ENTRY)(bootSector + 1 + fatSectorCnt);
rootDir->deName[0] = ‘M‘;
rootDir->deName[1] = ‘S‘;
rootDir->deName[2] = ‘-‘;
rootDir->deName[3] = ‘R‘;
rootDir->deName[4] = ‘A‘;
rootDir->deName[5] = ‘M‘;
rootDir->deName[6] = ‘D‘;
rootDir->deName[7] = ‘R‘;
rootDir->deExtension[0] = ‘I‘;
rootDir->deExtension[1] = ‘V‘;
rootDir->deExtension[2] = ‘E‘;
rootDir->deAttributes = DIR_ATTR_VOLUME;
return STATUS_SUCCESS;
}
这里我们使用的内存来虚拟磁盘,所以对磁盘的读写等操作最后都映射到内存,以下是3种请求的处理函数部分:
VOID
RamDiskEvtIoRead(
IN WDFQUEUE Queue,
IN WDFREQUEST Request,
IN size_t Length
)
{
PDEVICE_EXTENSION devExt = QueueGetExtension(Queue)->DeviceExtension;
NTSTATUS Status = STATUS_INVALID_PARAMETER;
WDF_REQUEST_PARAMETERS Parameters;
LARGE_INTEGER ByteOffset;
WDFMEMORY hMemory;
_Analysis_assume_(Length > 0);
WDF_REQUEST_PARAMETERS_INIT(&Parameters);
WdfRequestGetParameters(Request, &Parameters);
ByteOffset.QuadPart = Parameters.Parameters.Read.DeviceOffset;
if (RamDiskCheckParameters(devExt, ByteOffset, Length)) {
Status = WdfRequestRetrieveOutputMemory(Request, &hMemory);
if(NT_SUCCESS(Status)){
Status = WdfMemoryCopyFromBuffer(hMemory, // Destination
0, // Offset into the destination
devExt->DiskImage + ByteOffset.LowPart, // source
Length);
}
}
WdfRequestCompleteWithInformation(Request, Status, (ULONG_PTR)Length);
}
VOID
RamDiskEvtIoWrite(
IN WDFQUEUE Queue,
IN WDFREQUEST Request,
IN size_t Length
)
{
PDEVICE_EXTENSION devExt = QueueGetExtension(Queue)->DeviceExtension;
NTSTATUS Status = STATUS_INVALID_PARAMETER;
WDF_REQUEST_PARAMETERS Parameters;
LARGE_INTEGER ByteOffset;
WDFMEMORY hMemory;
_Analysis_assume_(Length > 0);
WDF_REQUEST_PARAMETERS_INIT(&Parameters);
WdfRequestGetParameters(Request, &Parameters);
ByteOffset.QuadPart = Parameters.Parameters.Write.DeviceOffset;
if (RamDiskCheckParameters(devExt, ByteOffset, Length)) {
Status = WdfRequestRetrieveInputMemory(Request, &hMemory);
if(NT_SUCCESS(Status)){
Status = WdfMemoryCopyToBuffer(hMemory, // Source
0, // offset in Source memory where the copy has to start
devExt->DiskImage + ByteOffset.LowPart, // destination
Length);
}
}
WdfRequestCompleteWithInformation(Request, Status, (ULONG_PTR)Length);
}
VOID
RamDiskEvtIoDeviceControl(
IN WDFQUEUE Queue,
IN WDFREQUEST Request,
IN size_t OutputBufferLength,
IN size_t InputBufferLength,
IN ULONG IoControlCode
)
{
NTSTATUS Status = STATUS_INVALID_DEVICE_REQUEST;
ULONG_PTR information = 0;
size_t bufSize;
PDEVICE_EXTENSION devExt = QueueGetExtension(Queue)->DeviceExtension;
UNREFERENCED_PARAMETER(OutputBufferLength);
UNREFERENCED_PARAMETER(InputBufferLength);
switch (IoControlCode) {
case IOCTL_DISK_GET_PARTITION_INFO: {
PPARTITION_INFORMATION outputBuffer;
PBOOT_SECTOR bootSector = (PBOOT_SECTOR) devExt->DiskImage;
information = sizeof(PARTITION_INFORMATION);
Status = WdfRequestRetrieveOutputBuffer(Request, sizeof(PARTITION_INFORMATION), &outputBuffer, &bufSize);
if(NT_SUCCESS(Status) ) {
outputBuffer->PartitionType =
(bootSector->bsFileSystemType[4] == ‘6‘) ? PARTITION_FAT_16 : PARTITION_FAT_12;
outputBuffer->BootIndicator = FALSE;
outputBuffer->RecognizedPartition = TRUE;
outputBuffer->RewritePartition = FALSE;
outputBuffer->StartingOffset.QuadPart = 0;
outputBuffer->PartitionLength.QuadPart = devExt->DiskRegInfo.DiskSize;
outputBuffer->HiddenSectors = (ULONG) (1L);
outputBuffer->PartitionNumber = (ULONG) (-1L);
Status = STATUS_SUCCESS;
}
}
break;
case IOCTL_DISK_GET_DRIVE_GEOMETRY: {
PDISK_GEOMETRY outputBuffer;
information = sizeof(DISK_GEOMETRY);
Status = WdfRequestRetrieveOutputBuffer(Request, sizeof(DISK_GEOMETRY), &outputBuffer, &bufSize);
if(NT_SUCCESS(Status) ) {
RtlCopyMemory(outputBuffer, &(devExt->DiskGeometry), sizeof(DISK_GEOMETRY));
Status = STATUS_SUCCESS;
}
}
break;
case IOCTL_DISK_CHECK_VERIFY:
case IOCTL_DISK_IS_WRITABLE:
Status = STATUS_SUCCESS;
break;
}
WdfRequestCompleteWithInformation(Request, Status, information);
}
设备的清除回调函数比较简单,主要进行释放分配的内存操作:
VOID
RamDiskEvtDeviceContextCleanup(
IN WDFOBJECT Device
)
{
PDEVICE_EXTENSION pDeviceExtension = DeviceGetExtension(Device);
PAGED_CODE();
if(pDeviceExtension->DiskImage) {
ExFreePool(pDeviceExtension->DiskImage);
}
}
从注册表中读取配置参数的代码如下:
VOID
RamDiskQueryDiskRegParameters(
_In_ PWSTR RegistryPath,
_In_ PDISK_INFO DiskRegInfo
)
{
RTL_QUERY_REGISTRY_TABLE rtlQueryRegTbl[5 + 1]; // Need 1 for NULL
NTSTATUS Status;
DISK_INFO defDiskRegInfo;
PAGED_CODE();
ASSERT(RegistryPath != NULL);
defDiskRegInfo.DiskSize = DEFAULT_DISK_SIZE;
defDiskRegInfo.RootDirEntries = DEFAULT_ROOT_DIR_ENTRIES;
defDiskRegInfo.SectorsPerCluster = DEFAULT_SECTORS_PER_CLUSTER;
RtlInitUnicodeString(&defDiskRegInfo.DriveLetter, DEFAULT_DRIVE_LETTER);
RtlZeroMemory(rtlQueryRegTbl, sizeof(rtlQueryRegTbl));
rtlQueryRegTbl[0].Flags = RTL_QUERY_REGISTRY_SUBKEY;
rtlQueryRegTbl[0].Name = L"Parameters";
rtlQueryRegTbl[0].EntryContext = NULL;
rtlQueryRegTbl[0].DefaultType = (ULONG_PTR)NULL;
rtlQueryRegTbl[0].DefaultData = NULL;
rtlQueryRegTbl[0].DefaultLength = (ULONG_PTR)NULL;
rtlQueryRegTbl[1].Flags = RTL_QUERY_REGISTRY_DIRECT;
rtlQueryRegTbl[1].Name = L"DiskSize";
rtlQueryRegTbl[1].EntryContext = &DiskRegInfo->DiskSize;
rtlQueryRegTbl[1].DefaultType = REG_DWORD;
rtlQueryRegTbl[1].DefaultData = &defDiskRegInfo.DiskSize;
rtlQueryRegTbl[1].DefaultLength = sizeof(ULONG);
rtlQueryRegTbl[2].Flags = RTL_QUERY_REGISTRY_DIRECT;
rtlQueryRegTbl[2].Name = L"RootDirEntries";
rtlQueryRegTbl[2].EntryContext = &DiskRegInfo->RootDirEntries;
rtlQueryRegTbl[2].DefaultType = REG_DWORD;
rtlQueryRegTbl[2].DefaultData = &defDiskRegInfo.RootDirEntries;
rtlQueryRegTbl[2].DefaultLength = sizeof(ULONG);
rtlQueryRegTbl[3].Flags = RTL_QUERY_REGISTRY_DIRECT;
rtlQueryRegTbl[3].Name = L"SectorsPerCluster";
rtlQueryRegTbl[3].EntryContext = &DiskRegInfo->SectorsPerCluster;
rtlQueryRegTbl[3].DefaultType = REG_DWORD;
rtlQueryRegTbl[3].DefaultData = &defDiskRegInfo.SectorsPerCluster;
rtlQueryRegTbl[3].DefaultLength = sizeof(ULONG);
rtlQueryRegTbl[4].Flags = RTL_QUERY_REGISTRY_DIRECT;
rtlQueryRegTbl[4].Name = L"DriveLetter";
rtlQueryRegTbl[4].EntryContext = &DiskRegInfo->DriveLetter;
rtlQueryRegTbl[4].DefaultType = REG_SZ;
rtlQueryRegTbl[4].DefaultData = defDiskRegInfo.DriveLetter.Buffer;
rtlQueryRegTbl[4].DefaultLength = 0;
Status = RtlQueryRegistryValues(
RTL_REGISTRY_ABSOLUTE | RTL_REGISTRY_OPTIONAL,
RegistryPath,
rtlQueryRegTbl,
NULL,
NULL
);
if (NT_SUCCESS(Status) == FALSE) {
DiskRegInfo->DiskSize = defDiskRegInfo.DiskSize;
DiskRegInfo->RootDirEntries = defDiskRegInfo.RootDirEntries;
DiskRegInfo->SectorsPerCluster = defDiskRegInfo.SectorsPerCluster;
RtlCopyUnicodeString(&DiskRegInfo->DriveLetter, &defDiskRegInfo.DriveLetter);
}
KdPrint(("DiskSize = 0x%lx\n", DiskRegInfo->DiskSize));
KdPrint(("RootDirEntries = 0x%lx\n", DiskRegInfo->RootDirEntries));
KdPrint(("SectorsPerCluster = 0x%lx\n", DiskRegInfo->SectorsPerCluster));
KdPrint(("DriveLetter = %wZ\n", &(DiskRegInfo->DriveLetter)));
return;
}
磁盘虚拟的驱动代码在这里作为WDF编程方式的总结案例,它的应用场景也是非常诱人的,实现数据隐藏、Sandbox、网吧无盘系统...这个代码使用内存作为磁盘存储介质,其实这个介质还可以是文件、注册表、网络文件等,实现功能而定了。
最后分享几个网站
收录一些Undocumented Kernel Data Structure的网站 http://www.nirsoft.net/kernel_struct/vista/index.html
张银奎先生关于软件调试内容的网站 http://advdbg.org/default.aspx
时间: 2024-10-28 19:40:35