編寫內核驅動加載工具
一丶加載內核驅動的常用API介紹.
加載內核驅動,使用ring3下的服務控制管理器(SCM)API即可完成. 注意: 這些API需要以管理員權限運行(創建服務需要對SCM的SC_MANAGER_CREATE_SERVICE權限), 並且在64位Windows上驅動文件必須通過簽名校驗(或系統處於測試簽名模式), 否則StartService會失敗.
API分別是:
OpenSCManager 打開設備(服務)管理器
CreateService 創建服務(或者設備,根據參數不同而不同)
OpenService 打開設備或者服務.
StartService 啟動服務,啟動設備.
ControlService 控制設備或者服務的狀態.
CloseServiceHandle 關閉服務或者設備的句柄
DeleteService 將服務標記為刪除(服務停止且所有打開的句柄關閉后才真正刪除)
參數介紹:
1.打開設備管理器
SC_HANDLE OpenSCManager(
    LPCTSTR lpMachineName,   // 機器名稱. 可以指定遠程計算機, 給NULL則打開本機的.
    LPCTSTR lpDatabaseName,  // 服務數據庫的名稱, 給NULL則使用默認的(SERVICES_ACTIVE_DATABASE).
    DWORD dwDesiredAccess    // 打開的權限. 創建服務需要SC_MANAGER_CREATE_SERVICE; 只打開已有服務用SC_MANAGER_CONNECT即可, 不必一律給SC_MANAGER_ALL_ACCESS.
);
返回值:
成功: 返回設備管理器的句柄
失敗: 返回NULL
2.創建設備或者服務.
SC_HANDLE CreateService(
    SC_HANDLE hSCManager,        // 服務管理器句柄, 通過OpenSCManager返回
    LPCTSTR lpServiceName,       // 服務或者設備的名稱(即注冊表Services下的鍵名), 不帶后綴
    LPCTSTR lpDisplayName,       // 服務或者設備的顯示名稱
    DWORD dwDesiredAccess,       // 對返回的服務句柄要求的權限(SERVICE_xxx系列, 不是SC_MANAGER_xxx)
    DWORD dwServiceType,         // 服務或者設備的類型, 內核驅動給SERVICE_KERNEL_DRIVER
    DWORD dwStartType,           // 服務或者設備何時啟動, 手動加載給SERVICE_DEMAND_START
    DWORD dwErrorControl,        // 啟動出錯時系統的處理方式(忽略/記錄日志/回退到上次正確配置等)
    LPCTSTR lpBinaryPathName,    // 驅動文件的完整路徑, 必須給
    LPCTSTR lpLoadOrderGroup,    // 所屬的加載順序組, 可給NULL
    LPDWORD lpdwTagId,           // 輸出參數, 返回在加載順序組中的標記值, 可給NULL
    LPCTSTR lpDependencies,      // 依賴的服務名稱列表, 可給NULL
    LPCTSTR lpServiceStartName,  // 運行服務的賬戶名, 內核驅動給NULL
    LPCTSTR lpPassword           // 賬戶密碼, 內核驅動給NULL
);
返回值:
成功: 返回創建服務或者設備的句柄.
失敗: 返回NULL
3.打開服務或者設備.
SC_HANDLE OpenService( SC_HANDLE hSCManager, // 設備管理器的句柄,通過OpenScManger返回. LPCTSTR lpServiceName, // 服務或者設備的名稱. DWORD dwDesiredAccess // 打開服務或者設備的權限. );
返回值:
成功: 返回服務或者設備的句柄.
失敗: 返回NULL
4.啟動服務或者設備.
BOOL StartService(
    SC_HANDLE hService,            // 服務或者設備句柄(需要SERVICE_START權限)
    DWORD dwNumServiceArgs,        // lpServiceArgVectors中字符串的個數
    LPCTSTR* lpServiceArgVectors   // 傳給服務的參數字符串數組(類似argv). 內核驅動用不到, 給0和NULL即可.
);
返回值:
成功: 返回非零值
失敗: 返回零值.
5.控制服務或者設備.
BOOL ControlService(
    SC_HANDLE hService,               // 服務或者設備句柄, 通過OpenService或者CreateService返回.
    DWORD dwControl,                  // 控制代碼. 停止(卸載)驅動給SERVICE_CONTROL_STOP; SERVICE_CONTROL_PAUSE只對支持暫停的用戶態服務有效.
    LPSERVICE_STATUS lpServiceStatus  // 服務的狀態. 是一個結構體, 由操作系統填好.
);
結構體:
typedef struct _SERVICE_STATUS {
    DWORD dwServiceType;              // 服務的類型
    DWORD dwCurrentState;             // 服務的當前狀態(運行/停止/暫停等)
    DWORD dwControlsAccepted;         // 服務接受的控制碼
    DWORD dwWin32ExitCode;            // 服務出錯或停止時返回的Win32錯誤碼
    DWORD dwServiceSpecificExitCode;  // 服務自定義的退出碼, 只在dwWin32ExitCode為ERROR_SERVICE_SPECIFIC_ERROR時有效
    DWORD dwCheckPoint;               // 啟動/停止等耗時操作中周期性遞增的計數, 用於顯示進度
    DWORD dwWaitHint;                 // 預計完成當前操作所需的時間(毫秒)
} SERVICE_STATUS, *LPSERVICE_STATUS;
6.關閉服務句柄.
BOOL CloseServiceHandle(
    SC_HANDLE hSCObject   // 服務管理器或者服務/設備的句柄
);
7.卸載服務
BOOL DeleteService(
    SC_HANDLE hService   // 服務句柄, 打開時需要DELETE權限
);
二丶詳細代碼
上面是簡單的API介紹.下面則貼出完整的代碼.
請注意我這里使用的是MFC編寫的. 但是其每個函數不會互相依賴. 如果你是拷貝代碼, 則直接拷貝過去就可以使用.
1.安裝內核驅動代碼
m_CreateService = CreateService( m_ScHand, 服務或者設備名稱, //例如: MySystem.sys 服務或者設備的名稱, SC_MANAGER_ALL_ACCESS, SERVICE_KERNEL_DRIVER,//安裝的屬性,我這里給的是內核的.所以安裝的是內核. SERVICE_DEMAND_START, SERVICE_ERROR_SEVERE, m_EdtPathName, NULL, NULL, NULL, NULL, NULL); if (m_CreateService == NULL) { ::CloseServiceHandle(m_CreateService); ::CloseServiceHandle(m_ScHand); ::MessageBox(NULL, TEXT("Sorry Install Drive Fail"), TEXT("Error"), NULL); return; } ::CloseServiceHandle(m_CreateService); ::CloseServiceHandle(m_ScHand); ::MessageBox(NULL, TEXT("InStall Drive Sucess"), TEXT("Sucess"), NULL);
2.卸載代碼
m_ScHand = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); if (m_ScHand == NULL) { ::MessageBox(NULL, TEXT("Sorry OpenScManger Fail\r\n"), TEXT("Error"), MB_ICONEXCLAMATION); return; } //open Service m_CreateService = OpenService(m_ScHand, m_ServiceName, SERVICE_STOP | DELETE); if (m_CreateService == NULL) { ::MessageBox(NULL, TEXT("Sorry Install Drive Fail"), TEXT("Error"), NULL); return; } BOOL bRet = FALSE; bRet = DeleteService(m_CreateService); if (!bRet) { ::CloseServiceHandle(m_CreateService); ::CloseServiceHandle(m_ScHand); ::MessageBox(NULL, TEXT("Sorry UnInstall Drive Fail"), TEXT("Error"), NULL); return; } DeleteService(m_CreateService); ::CloseServiceHandle(m_CreateService); ::CloseServiceHandle(m_ScHand); ::MessageBox(NULL, TEXT("UnInstall Drive Sucess"), TEXT("Sucess"), NULL);
3.啟動內核驅動的代碼
m_ScHand = NULL; m_CreateService = NULL; m_ScHand = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); if (m_ScHand == NULL) { ::MessageBox(NULL, TEXT("Sorry OpenScManger Fail\r\n"), TEXT("Error"), MB_ICONEXCLAMATION); return; } //open Service m_CreateService = OpenService(m_ScHand, m_ServiceName, SERVICE_START); if (m_CreateService == NULL) { ::MessageBox(NULL, TEXT("Sorry Start Drive Fail"), TEXT("Error"), NULL); return; } UpdateData(TRUE); BOOL bRet = StartService(m_CreateService,0,NULL); //重要的地方. if (bRet == NULL) { ::CloseServiceHandle(m_CreateService); ::CloseServiceHandle(m_ScHand); ::MessageBox(NULL, TEXT("Sorry Start Service Fail\r\n"), TEXT("Error"), IDOK); return; } ::CloseServiceHandle(m_CreateService); ::CloseServiceHandle(m_ScHand); ::MessageBox(NULL, TEXT(" Start Service Sucess\r\n"), TEXT("Sucess"), IDOK);
4.停止內核驅動(代碼發送的是SERVICE_CONTROL_STOP, 內核驅動不支持暫停, 停止即卸載驅動).
m_ScHand = NULL; m_CreateService = NULL; UpdateData(TRUE); m_ScHand = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); SERVICE_STATUS svcsta = { 0 }; if (m_ScHand != NULL){ SC_HANDLE hService = OpenService(m_ScHand, m_ServiceName, SERVICE_STOP); if (hService != NULL) { if (ControlService(m_CreateService, SERVICE_CONTROL_STOP, &svcsta)) { CloseServiceHandle(m_CreateService); CloseServiceHandle(m_ScHand); ::MessageBox(NULL, TEXT(" Stop Service Sucess\r\n"), TEXT("Sucess"), IDOK); return ; } CloseServiceHandle(m_CreateService); CloseServiceHandle(m_ScHand); ::MessageBox(NULL, TEXT(" Stop Service Fail\r\n"), TEXT("Error"), IDOK); return ; } CloseServiceHandle(m_ScHand); return ; } else { ::MessageBox(NULL, TEXT(" Stop Service Fail\r\n"), TEXT("Fail"), IDOK); return ; } return;
完整測試代碼:

// InstallDriver.cpp : 定義應用程序的入口點。 // #include "stdafx.h" #include "InstallDriver.h" #include "../../publicstruct.h" SC_HANDLE m_ScHand; SC_HANDLE m_CreateService; CBinString m_ServiceName; CBinString m_EdtPathName; //安裝驅動 BOOL InstallDriver(CBinString ServiecName,CBinString ServicePathName) { m_EdtPathName = ServicePathName; m_ServiceName = ServiecName; m_ScHand = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); if (m_ScHand == NULL) { //::MessageBox(NULL, TEXT("Open ScManger Fail"), TEXT("Error"), NULL); //OutputDebugString(TEXT("打開服務管理器失敗")); return FALSE; } m_CreateService = CreateService( m_ScHand, m_ServiceName.c_str(), m_ServiceName.c_str(), SC_MANAGER_ALL_ACCESS, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_SEVERE, m_EdtPathName.c_str(), NULL, NULL, NULL, NULL, NULL); if (m_CreateService == NULL) { ::CloseServiceHandle(m_CreateService); //OutputDebugString(TEXT("調用CreateService失敗")); return FALSE; } ::CloseServiceHandle(m_CreateService); return TRUE; } BOOL StartDriver(CBinString ServiceName) { // TODO: Add your control notification handler code here SC_HANDLE m_CreateService = NULL; if (m_ScHand == NULL) { //OutputDebugString(TEXT("啟動驅動: SCM為NULL打開失敗")); return FALSE; } //open Service m_CreateService = OpenService(m_ScHand, m_ServiceName.c_str(), SERVICE_START); if (m_CreateService == NULL) { //OutputDebugString(TEXT("啟動驅動: OpenService服務失敗")); return FALSE; } BOOL bRet = StartService(m_CreateService, 0, NULL); if (bRet == NULL) { ::CloseServiceHandle(m_CreateService); //OutputDebugString(TEXT("啟動驅動: StartService失敗")); return FALSE; } ::CloseServiceHandle(m_CreateService); return TRUE; } BOOL StopDriver(CBinString ServiceName) { // TODO: Add your control notification handler code here SERVICE_STATUS svcsta = { 0 }; if (m_ScHand != NULL) { SC_HANDLE hService = OpenService(m_ScHand, m_ServiceName.c_str(), SERVICE_STOP); if (hService != NULL) { if (ControlService(hService, SERVICE_CONTROL_STOP, &svcsta)) { CloseServiceHandle(hService); return 
TRUE; } CloseServiceHandle(hService); return FALSE; } return FALSE; } else { return FALSE; } return FALSE; } BOOL UninstallDriver(CBinString ServiceName) { // TODO: Add your control notification handler code here if (m_ScHand == NULL) { return FALSE; } //open Service m_CreateService = OpenService(m_ScHand, m_ServiceName.c_str(), SERVICE_STOP | DELETE); if (m_CreateService == NULL) { return FALSE; } BOOL bRet = FALSE; bRet = DeleteService(m_CreateService); if (!bRet) { ::CloseServiceHandle(m_CreateService); ::CloseServiceHandle(m_ScHand); return FALSE; } DeleteService(m_CreateService); ::CloseServiceHandle(m_CreateService); ::CloseServiceHandle(m_ScHand); return TRUE; } void LoadDriver(CBinString ServiceName,CBinString ServicePathName) { /* 1.安裝 2.啟動 3.停止 4.卸載. */ BOOL bRet = FALSE; bRet = InstallDriver(ServiceName, ServicePathName); if (!bRet) { // OutputDebugString(TEXT("安裝驅動失敗")); } bRet = StartDriver(ServiceName); if (!bRet) { //OutputDebugString(TEXT("啟動驅動失敗")); return; } Sleep(3000); bRet = StopDriver(ServiceName); if (!bRet) { //OutputDebugString(TEXT("停止驅動失敗")); return; } Sleep(1000); bRet = UninstallDriver(ServiceName); if (!bRet) { //OutputDebugString(TEXT("刪除驅動失敗")); return; } } int APIENTRY wWinMain(_In_ HINSTANCE hInstance, _In_opt_ HINSTANCE hPrevInstance, _In_ LPWSTR lpCmdLine, _In_ int nCmdShow) { CBinString ServiceName; CBinString ServicePathName; TCHAR szBuffer[MAX_PATH] = { 0 }; GetCurrentDirectory(sizeof(TCHAR) * MAX_PATH, szBuffer); OutputDebugString(szBuffer); ServiceName = TEXT("PassRegister"); //注: 不能有后綴名 ServicePathName = szBuffer; ServicePathName += TEXT("\\"); ServicePathName.append(ServiceName);//注意必須是路徑加文件名 D;\\xx.exe/sys/dll ServicePathName.append(TEXT(".sys")); OutputDebugString(ServicePathName.c_str()); LoadDriver(ServiceName, ServicePathName); return 0; }
完整的工程代碼資料下載:
鏈接:https://pan.baidu.com/s/1kWoHJZD 密碼:osy7
原創不易,轉載請注明出處.