部分代码
#include "my_sys_fun.h"
#ifdef __cplusplus
extern "C"
{
#endif
//驱动加载函数
NTSTATUS DriverEntry(PDRIVER_OBJECT pPDriverObj, PUNICODE_STRING pPuniStr);
//驱动卸载函数
VOID UnLoadDriver(_In_ PDRIVER_OBJECT pPDriverObj);
#ifdef __cplusplus
}
#endif
NTSTATUS RegistryCallback(IN PVOID CallbackContext,
IN PVOID Argument1,
IN PVOID Argument2)
{
//KdPrint(("RegistryCallback Success\r\n"));
return STATUS_SUCCESS;
}
#define REGISTRY_POOL_TAG ‘pRE‘
typedef struct _CAPTURE_REGISTRY_MANAGER
{
PDEVICE_OBJECT deviceObject;
BOOLEAN bReady;
LARGE_INTEGER registryCallbackCookie;
LIST_ENTRY lQueuedRegistryEvents;
KTIMER connectionCheckerTimer;
KDPC connectionCheckerFunction;
KSPIN_LOCK lQueuedRegistryEventsSpinLock;
ULONG lastContactTime;
} CAPTURE_REGISTRY_MANAGER, *PCAPTURE_REGISTRY_MANAGER;
typedef struct _REGISTRY_EVENT {
REG_NOTIFY_CLASS eventType;
TIME_FIELDS time;
HANDLE processId;
ULONG dataType;
ULONG dataLengthB;
ULONG registryPathLengthB;
/* Contains path and optionally data */
UCHAR registryData[];
} REGISTRY_EVENT, *PREGISTRY_EVENT;
typedef struct _REGISTRY_EVENT_PACKET {
LIST_ENTRY Link;
PREGISTRY_EVENT pRegistryEvent;
} REGISTRY_EVENT_PACKET, *PREGISTRY_EVENT_PACKET;
PCAPTURE_REGISTRY_MANAGER pRegistryManager;
PDEVICE_OBJECT gpDeviceObject;
#pragma INITCODE
NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT pPDriverObj, _In_ PUNICODE_STRING pRegistryPath)
{
//指定卸载函数
pPDriverObj->DriverUnload = (PDRIVER_UNLOAD)UnLoadDriver;
KdPrint(("挂载\r\n"));
NTSTATUS status;
UNICODE_STRING uszDriverString;
PDEVICE_OBJECT pDeviceObject;
RtlInitUnicodeString(&uszDriverString, L"\\DEVICE\\DnfProtectRemove");
status = IoCreateDevice(
pPDriverObj,
sizeof(CAPTURE_REGISTRY_MANAGER),
&uszDriverString,
FILE_DEVICE_UNKNOWN,
0,
FALSE,
&pDeviceObject
);
if (!NT_SUCCESS(status))
{
DbgPrint("RegistryMonitor: ERROR IoCreateDevice -> %08x\n", status);
return status;
}
gpDeviceObject = pDeviceObject;
/* Get the registr manager from the extension of the device */
pRegistryManager = (PCAPTURE_REGISTRY_MANAGER)gpDeviceObject->DeviceExtension;
pRegistryManager->bReady = TRUE;
KeInitializeSpinLock(&pRegistryManager->lQueuedRegistryEventsSpinLock);
InitializeListHead(&pRegistryManager->lQueuedRegistryEvents);
KdPrint(("RegistryCallback = 0x%08X\r\n", RegistryCallback));
KdPrint(("pRegistryManager = 0x%08X\r\n", pRegistryManager));
KdPrint(("&pRegistryManager->registryCallbackCookie = 0x%08X\r\n", &pRegistryManager->registryCallbackCookie));
KdPrint(("pRegistryManager->registryCallbackCookie = 0x%08X\r\n", pRegistryManager->registryCallbackCookie));
status = CmRegisterCallback(RegistryCallback, pRegistryManager, &pRegistryManager->registryCallbackCookie);
if (!NT_SUCCESS(status))
{
KdPrint(("RegistryMonitor: ERROR CmRegisterCallback - %08x\n", status));
return status;
}
KdPrint(("&gpDeviceObject->DeviceExtension = 0x%08X\r\n", &gpDeviceObject->DeviceExtension));
KdPrint(("gpDeviceObject->DeviceExtension = 0x%08X\r\n", gpDeviceObject->DeviceExtension));
KdPrint(("&pRegistryManager = 0x%08X\r\n", &pRegistryManager));
//0xD
return STATUS_SUCCESS;
}
/**
*卸载驱动
**/
#pragma PAGECODE
VOID UnLoadDriver(_In_ PDRIVER_OBJECT pPDriverObj)
{
if (pRegistryManager->bReady == TRUE)
{
CmUnRegisterCallback(pRegistryManager->registryCallbackCookie);
pRegistryManager->bReady = FALSE;
}
while (!IsListEmpty(&pRegistryManager->lQueuedRegistryEvents))
{
PLIST_ENTRY head = ExInterlockedRemoveHeadList(&pRegistryManager->lQueuedRegistryEvents, &pRegistryManager->lQueuedRegistryEventsSpinLock);
PREGISTRY_EVENT_PACKET pRegistryEventPacket = CONTAINING_RECORD(head, REGISTRY_EVENT_PACKET, Link);
ExFreePoolWithTag(pRegistryEventPacket->pRegistryEvent, REGISTRY_POOL_TAG);
ExFreePoolWithTag(pRegistryEventPacket, REGISTRY_POOL_TAG);
}
if (pPDriverObj->DeviceObject != NULL)
{
IoDeleteDevice(pPDriverObj->DeviceObject);
}
KdPrint(("卸载\r\n"));
}
jpg 改 rar