游戏安全反外挂-驱动的认识
在游戏外挂和反外挂的对抗中
驱动有其重要的作用
但是随着Windows 系统的升级 很多东西出现了局限性,不过我们还是需要了解学习一下
其最基础的知识
创建驱动设备对象的符号链接
//环境设置:
//属性页->C / C+±>警告等级 : 等级3 / W3
//属性页->C / C+±>将警告视为错误 : 否 / WX -
//属性页->Inf2Cat->Run Inf2Cat : 否
//属性页->Driver Settings->Target Os Version : 设置版本 Windows 7 Windows 10任选
//属性页->Driver Settings->Target PlatForm : Desktop
//属性页->StampInf->Endable ArchiteCture : 否
//KdPrint类似于 控制台的printf
//DriverEntry类似于 C / C++里的main
#include
#pragma code_seg(“PAGE”)
//创建驱动设备对象
NTSTATUS CreateDevice(PDRIVER_OBJECT driver)
{
NTSTATUS status;
UNICODE_STRING uzDriverName;
PDEVICE_OBJECT device;
RtlInitUnicodeString(&uzDriverName, L"\DEVICE\uzDriverName001");
//创建驱动设备
status = IoCreateDevice(driver, sizeof(driver->DriverExtension), &uzDriverName, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &device);
if (status == STATUS_SUCCESS)
{
KdPrint((“yjx:驱动设备对象 %wZ 创建成功,OK -----------\n”, &uzDriverName));
//为设备对象绑定一个符号链接
UNICODE_STRING uzSymbolName; //符号链接名字
RtlInitUnicodeString(&uzSymbolName, L"\??\uzDriverName001"); //CreateFile
status = IoCreateSymbolicLink(&uzSymbolName, &uzDriverName);
if (status==STATUS_SUCCESS)
{
KdPrint(("yjx:创建符号链接 %wZ 成功 ", &uzSymbolName));
}
else
{
KdPrint(("yjx:创建符号链接 %wZ 失败 ", &uzSymbolName));
}
}
else
{
KdPrint((“yjx:驱动设备对象 %wZ 创建失败,准备删除Device -----------\n”, &uzDriverName));
IoDeleteDevice(device);
}
return status;
}
//驱动卸载例程
void UnLoad(PDRIVER_OBJECT driver)
{
NTSTATUS status = 0;
IoDeleteDevice(driver->DeviceObject); //删除设备对象,如果此处不删除 卸载不干净 再次用IoCreateDevice创建同名驱动 会蓝屏
//删除符号链接
UNICODE_STRING uzSymbolName; //符号链接名字
RtlInitUnicodeString(&uzSymbolName, L"\??\uzDriverName001");
status=IoDeleteSymbolicLink(&uzSymbolName);
if (!status) //if(status == STATUS_SUCCESS)
{
KdPrint(("yjx:删除符号链接 %wZ 成功 ",&uzSymbolName));
}
else
{
KdPrint(("yjx:删除符号链接 %wZ 失败 ", &uzSymbolName));
}
KdPrint((“yjx:驱动卸载成功\n”));
}
NTSTATUS DriverEntry(PDRIVER_OBJECT driver,PVOID szReg) //main
{
KdPrint((“yjx:进入了我们的驱动 \n”)); //printf
driver->DriverUnload = UnLoad;
NTSTATUS status=CreateDevice(driver);//创建了设备对象
return STATUS_SUCCESS;
}
IRP 派遣函数
driver->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DeviceIrpCtl;//DeviceIoControl
driver->MajorFunction[IRP_MJ_CREATE] = DeviceIrpCtl; //CreateFile
driver->MajorFunction[IRP_MJ_CLOSE] = DeviceIrpCtl;//卸载驱动 CloseHandle
NTSTATUS DeviceIrpCtl(PDEVICE_OBJECT device,PIRP pirp)
{
KdPrint((“yjx:进入派遣函数”));
PIO_STACK_LOCATION irpStackL;
ULONG CtlCode;
ULONG InputBuffLength;
irpStackL=IoGetCurrentIrpStackLocation(pirp); //获取应用层传来的参数
switch(irpStackL->MajorFunction)
{
IRP_MJ_DEVICE_CONTROL;IRP_MJ_CREATE;IRP_MJ_CLOSE;}
pirp->IoStatus.Status = STATUS_SUCCESS;
pirp->IoStatus.Information = 4;//返回给DeviceIoControl中的 倒数第二个参数lpBytesReturned
IoCompleteRequest(pirp, IO_NO_INCREMENT);//调用方已完成所有I/O请求处理操作 并且不增加优先级
KdPrint((“yjx:离开派遣函数”));
return STATUS_SUCCESS;
}
//打开驱动设备
void CIoControlIrpDlg::OnBnClickedCreate()
{
// TODO: 在此添加控件通知处理程序代码
DeviceHandle = CreateFileW(
L"\??\uzDriverName001",
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL);
}
void CIoControlIrpDlg::OnBnClickedButtonClose()
{
// TODO: 在此添加控件通知处理程序代码
if (DeviceHandle)
{
CloseHandle(DeviceHandle);
DeviceHandle = NULL;
}
}
R3应用层与R0驱动层简单通信
#define IO_IS_OK_TEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x803, METHOD_BUFFERED,FILE_ANY_ACCESS) //测试
//WriteFile ReadFile
BOOL DeviceIoControl(
HANDLE hDevice, // 设备驱动的句柄 由CreateFile获取
DWORD dwIoControlCode, // 操作控制码
LPVOID lpInBuffer, // 输入缓冲区指针 要传入驱动的 参数
DWORD nInBufferSize, // 输入缓冲区大小
LPVOID lpOutBuffer, // 输出缓冲区指针
DWORD nOutBufferSize, // 输出缓冲区大小
LPDWORD lpBytesReturned, // 存放返回的字节数的指针
LPOVERLAPPED lpOverlapped // 异步结构指针,同步或者异步
);
BOOL WINAPI IoControlIsOK()
{
DWORD nTypeCode = IO_IS_OK_TEST;
ULONG64 BufferInData = 0;;
DWORD NumberOfBytesRead = 0;
BOOL IsOK = DeviceIoControl(
GetDeviceHandle(), //CreateFile函数打开的设备句柄
nTypeCode,//自定义的控制码
&BufferInData,//输入缓冲区
sizeof(BufferInData),//输入缓冲区大小
&BufferInData,输出缓冲区
sizeof(BufferInData),//输出缓冲区的大小
&NumberOfBytesRead,//实际返回的字节数,对应驱动程序中pIrp->IoStatus.Information。
NULL); 重叠操作结构指针。同步设为NULL,DeviceIoControl将进行阻塞调用;否则,应在编程时按异步操作设计
DbgPrintA(“yjx:IsOK=%d,NumberOfBytesRead=%d BufferInData=%d”, IsOK, NumberOfBytesRead, BufferInData);
return NumberOfBytesRead;
}
#include
#define IO_IS_OK_TEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x803, METHOD_BUFFERED,FILE_ANY_ACCESS) //测试
void CMFCIRPCTRLDlg::OnBnClickedButtonIoCtl()
{
// TODO: 在此添加控件通知处理程序代码
INT64 InBuf[3] = { 0x123456,0x123456789ABCDEF,0x888888ABC }; //输入缓冲区
INT64 OutBuf[6] = { 0 };
DWORD dwSize = 0;
DeviceIoControl(
DeviceHandle,
IO_IS_OK_TEST,
InBuf,//输入缓冲区指针
sizeof(InBuf),//2*8,//输入缓冲区大小
OutBuf,//输出缓冲区
sizeof(OutBuf), //输出缓冲区大小 6*8 =48
&dwSize,//返回 字节数 pIrp->IoStatus.Information //IRP.IOStatus.InforMation
NULL //同步异步
);
CString csStr;
csStr.Format(L"yjx:EXE:%llx,%llx,%llx,%llx,%llx,%llx dwSize=%llx …OK\n", OutBuf[0], OutBuf[1], OutBuf[2], OutBuf[3], OutBuf[4], OutBuf[5], dwSize);
OutputDebugStringW(csStr);
}
//驱动层 获取用户层参数
Irp->AssociatedIrp.SystemBuffer;
driver->Flags |= DO_BUFFERED_IO; //IO访问方式 重要 对应 METHOD_BUFFERED
inBufLength = irpStack->Parameters.DeviceIoControl.InputBufferLength;
outBufLength = irpStack->Parameters.DeviceIoControl.OutputBufferLength;
ioControlCode = irpStack->Parameters.DeviceIoControl.IoControlCode;
下一篇:PYTHON 学习笔记