在驱动开发中我们有时需要得到驱动自身是否被加载成功的状态,这个功能看似没啥用,实际上在某些特殊场景中还是需要的,如下代码实现了判断当前驱动是否加载成功,如果加载成功,则输出该驱动的详细路径信息。[url]http://www.yxfzedu.com/调试驱动[/url]的相关知识也可以到网站具体了解一下,有专业的客服人员为您全面解读,相信会有一个好的合作![align=center]http://resources.yxfzedu.com/images/other_images/niumo_video.png[/align]
该功能实现的核心函数是NQSI,这是一个微软未公开的函数,也没有文档化,不过我们仍然可以通过动态指针的方式调用到它,该函数可以查询到很多系统信息状态,首先需要定义一个指针。
// Function-pointer type for the undocumented NQSI routine the article describes
// (presumably NtQuerySystemInformation; the page abbreviates the name). The
// listing has lost the leading `typedef` and the spaces between qualifier,
// type and parameter name, so e.g. `INULONGSIC` appears as a single token.
// Parameters, as far as the listing shows: an information class, an output
// buffer, the buffer length, and an optional returned length.
NTSTATUS(
*
NTQUERYSYSTEMINFORMATION)(
INULONGSIC,
OUTPVOIDSI,
INULONG_PTRSIL,
OUTPULONG_PTRRLOPTIONAL);
其次还需要一个SYSTEM_MODULE_INFORMATION结构,从该结构内可以得到模块入口信息、模块名称等;调用NQSI后数据会被格式化为SYSTEM_MODULE_INFORMATION,方便调用。
// Per-module record returned by the module-information query. The listing has
// lost the `typedef struct` keywords and the spaces between type and field
// name, and every field name is abbreviated. The loaded-module check further
// down this page reads the fields it spells `B` (base address), `S` (size)
// and `IN` (image name) — TODO confirm against a reliable definition.
_SYSTEM_MODULE_INFORMATION{
HANDLES;
PVOIDMB;
PVOIDB;
ULONGS;
ULONGF;
USHORTLOI;
USHORTIOI;
USHORTLC;
USHORTPL;
// NOTE(review): the array length shown as 6 looks truncated by extraction; verify.
CHARIN[
6
];
}SYSTEM_MODULE_INFORMATION,
*
PSYSTEM_MODULE_INFORMATION;
最后是SYSTEM_INFORMATION_CLASS,该结构同样是一个未文档化的结构体,本次代码中需要用到的枚举类型是SMI,其他类型也放在这里供后期参考。
_SYSTEM_INFORMATION_CLASS
{
SBI
=
00
,
SPI
=
,
SPI
=
,
STODI
=
,
SPI
=
,
SPI
=
,
SCCI
=
,
SDI
=
,
SPPI
=
,
SFI
=
,
SCTI
=
0
,
SMI
=
0
,
SLI
=
0
,
SSTI
=
0
,
SPPI
=
0
,
SNPPI
=
0
,
SHI
=
0
,
SOI
=
1
,
SPFI
=
2
,
SVII
=
3
,
SVBI
=
4
,
SFCI
=
5
,
SPTI
=
6
,
SII
=
7
,
SDBI
=
8
,
SFMI
=
9
,
SLGDI
=
,
SUGDI
=
,
STAI
=
,
SSMI
=
,
SMMI
=
,
SPTI
=
,
SO0
=
0
,
SEI
=
1
,
SCDSI
=
2
,
SKDI
=
3
,
SCSI
=
4
,
SRQI
=
5
,
SESTI
=
6
,
SPS
=
7
,
SVADI
=
8
,
SVRDI
=
9
,
SPII
=
,
SLDI
=
,
SCTZI
=
,
SLI
=
,
STSN
=
,
SSC
=
,
SSD
=
0
,
SSI
=
1
,
SRSI
=
2
,
SVI
=
3
,
SVTE
=
4
,
SSPI
=
5
,
SLGDISS
=
6
,
SNPM
=
7
,
SPI
=
8
,
SEPI
=
9
,
SRSDA
=
,
SCPP
=
,
SNAM
=
,
SPPI
=
,
SEBI
=
,
SEPI
=
,
SEHI
=
0
,
SLDWI
=
1
,
SBPI
=
2
,
SSPTI
=
3
,
SSMVI
=
4
,
SHI
=
5
,
SOSM
=
6
,
SWTH
=
7
,
SWTI
=
8
,
SLPI
=
9
,
SW64SIO
=
,
SRFTIH
=
,
SFTI
=
,
SMIE
=
,
SVTI
=
,
SSI
=
,
SMLI
=
0
,
SFCIE
=
1
,
STPCII
=
2
,
SPICTI
=
3
,
SVCI
=
4
,
SPPIE
=
5
,
SRTI
=
6
,
SSPI
=
7
,
SPII
=
8
,
SEPI
=
9
,
SBEI
=
,
SHI
=
,
SVIE
=
,
STZI
=
,
SIFEOI
=
,
SCI
=
,
SPPI
=
0
,
SVFI
=
1
,
SSPI
=
2
,
SSDI
=
3
,
SPPD
=
4
,
SNPNI
=
5
,
SDTZI
=
6
,
SCII
=
7
,
SPMUI
=
8
,
SPBS
=
9
,
SVAI
=
,
SLPAGI
=
,
SPCTI
=
,
SSI
=
,
SRAS
=
,
SASV
=
,
SVBI
=
0
,
SCQI
=
1
,
SNBI
=
2
,
SEPT
=
3
,
SLPII
=
4
,
SBEI
=
5
,
SVCI
=
6
,
SPPIE
=
7
,
SSPIE
=
8
,
SNDI
=
9
,
SAAI
=
,
SBPI
=
,
SQPCI
=
,
SSBPI
=
,
SBGI
=
,
SSPMI
=
,
SBPI
=
0
,
SPPCA
=
1
,
SCPMI
=
2
,
SEITI
=
3
,
SCI
=
4
,
SPBI
=
5
,
STNI
=
6
,
SHPCI
=
7
,
SDDI
=
8
,
SDDEI
=
9
,
SMTI
=
,
SMCI
=
,
SBLI
=
,
SPPIE
=
,
SS0
=
,
SSBPI
=
,
SPFIE
=
0
,
SSBI
=
1
,
SEITRI
=
2
,
SPWELI
=
3
,
SFPI
=
4
,
SKDIE
=
5
,
SBMI
=
6
,
SSRI
=
7
,
SECI
=
8
,
SODCI
=
9
,
SPFI
=
,
SRRI
=
,
MSIC
=
,
}SYSTEM_INFORMATION_CLASS;
1. 通过MGSRA动态得到函数地址。
2. 动态调用_NQSI得到参数。
3. 判断自身是否被加载,如果是则输出路径。
// Top of the full listing. The three `#include` lines have lost their targets
// in extraction; what follows repeats the function-pointer type and the
// module record introduced earlier on the page.
#
#
#
// Pointer type for the undocumented NQSI routine (presumably
// NtQuerySystemInformation); `typedef` and the spaces inside each parameter
// declaration were lost, so `INULONGSIC` etc. read as single tokens.
NTSTATUS(
*
NTQUERYSYSTEMINFORMATION)(
INULONGSIC,
OUTPVOIDSI,
INULONG_PTRSIL,
OUTPULONG_PTRRLOPTIONAL);
// Per-module record; `typedef struct` and field spacing were lost, field
// names are abbreviated. The check below uses `B` (base), `S` (size) and
// `IN` (image name) — TODO confirm against a reliable definition.
_SYSTEM_MODULE_INFORMATION{
HANDLES;
PVOIDMB;
PVOIDB;
ULONGS;
ULONGF;
USHORTLOI;
USHORTIOI;
USHORTLC;
USHORTPL;
// NOTE(review): the array length shown as 6 looks truncated by extraction; verify.
CHARIN[
6
];
}SYSTEM_MODULE_INFORMATION,
*
PSYSTEM_MODULE_INFORMATION;
_SYSTEM_INFORMATION_CLASS
{
SBI
=
00
,
SPI
=
,
SPI
=
,
STODI
=
,
SPI
=
,
SPI
=
,
SCCI
=
,
SDI
=
,
SPPI
=
,
SFI
=
,
SCTI
=
0
,
SMI
=
0
,
SLI
=
0
,
}SYSTEM_INFORMATION_CLASS;
判断当前D是否加载成功
B:LS
// Checks whether this driver's own image is among the loaded kernel modules.
// Return values as used in this listing: 1 on any failure, 2 when a module
// whose address range contains JLD itself is found, 0 when no module matches.
// The page has abbreviated every identifier and dropped keywords and
// operators (`if`, `return`, `for`, `&`, `->`, comparisons), so the tokens
// below must be read with that in mind.
ULONGJLD()
{
// Function pointer for the undocumented query routine; NULL until resolved.
NTQUERYSYSTEMINFORMATION_NQSI
=
NULL;
UNICODE_STRINGNQSI_N;
PSYSTEM_MODULE_INFORMATIONME;
ULONG_PTRRL,BA,EA;
ULONGMN,I;
NTSTATUSS;
PVOID
B
;
// Resolve the routine by name at run time (MGSRA — presumably
// MmGetSystemRoutineAddress); the article says the routine has no
// documented header to link against.
RIUS(NQSI_N,L
"NQSI"
);
_NQSI
=
(NTQUERYSYSTEMINFORMATION)MGSRA(NQSI_N);
// Lookup failed: log and return 1.
(_NQSI
=
=
NULL)
{
DP(
"获取NQSI函数失败!\"
);
1
;
}
// First query with a NULL buffer and length 0 only to learn the required
// size (RL); the `&` before RL is presumably lost in the listing.
RL
=
0
;
S
=
_NQSI(SMI,NULL,
0
,RL);
// A length-mismatch status is the expected result of the size probe; any
// other failure status returns 1.
(S
0
S!
=
STATUS_INFO_LENGTH_MISMATCH)
{
DP(
"NQSI调用失败!错误码是:%\"
,S);
1
;
}
// Allocate RL bytes from pool (EAPWT — presumably ExAllocatePoolWithTag; the
// pool tag is shown empty here, likely lost in extraction).
// NOTE(review): B is never freed on any return path below (the two failure
// returns, the "found" return and the final return 0), so every call leaks
// this pool allocation — TODO free B before each return.
B
=
EAPWT(NPP,RL,
''
);
(
B
=
=
NULL)
{
DP(
"分配内存失败!\"
);
1
;
}
// Second query fills the buffer. If the module list grew between the two
// calls this can fail with a length mismatch again; the code returns 1
// rather than retrying with the new length.
S
=
_NQSI(SMI,
B
,RL,RL);
(S
0
)
{
DP(
"NQSI调用失败%\"
,S);
1
;
}
// Module count is the first ULONG of the buffer; the entry array is taken to
// start at a fixed 8-byte offset from the buffer start.
// NOTE(review): MN is trusted as-is; the loop below never checks that MN
// records actually fit within the RL bytes that were allocated.
MN
=
*
(ULONG
*
)
B
;
ME
=
(PSYSTEM_MODULE_INFORMATION)((ULONG_PTR)
B
+
8
);
// Walk every module record.
(I
=
0
;IMN;
+
+
I)
{
// Address range of this module: base and base + size. The `->` between ME
// and the field name is shown as `-` in the listing.
BA
=
(ULONG_PTR)ME
-
B;
EA
=
BA
+
ME
-
S;
// If the address of JLD itself lies within this range (comparison operators
// lost in the listing), this module is our own driver: print its name and
// return 2.
(BA
=
(ULONG_PTR)JLD(ULONG_PTR)JLD
=
EA)
{
DP(
"模块称是:%\"
,ME
-
IN);
2
;
}
+
+
ME;
}
// No module contained our address.
0
;
}
// Unload routine: only logs that the driver was unloaded. The driver-object
// parameter has no name in this listing and is not used.
VOIDUD(PDRIVER_OBJECT)
{
DP(
"驱动卸载成功\"
);
}
// Driver entry point: prints a banner, runs the loaded-module check, logs its
// result, installs the unload routine and reports success. The variable that
// receives JLD's result has lost its name in the listing (`ULONG = JLD();`).
NTSTATUSDE(INPDRIVER_OBJECTD,PUNICODE_STRINGRP)
{
DP(
"\"
);
// JLD returns 1 on failure, 2 when our module was found, 0 when not found.
ULONG
=
JLD();
DP(
"驱动状态:%\"
,);
// DriverObject->DriverUnload = UD (the `->` is shown as `-` here).
D
-
DU
=
UD;
// `return` keyword lost in the listing. STATUS_SUCCESS is returned regardless
// of JLD's result, so a failed query still leaves the driver loaded; the
// registry-path parameter RP is unused.
STATUS_SUCCESS;
}
代码运行效果如下所示: