編寫內核驅動加載工具


           編寫內核驅動加載工具

一丶加載內核驅動的常用API介紹.

加載內核驅動,使用我們的ring3下的API即可完成.

API分別是:

OpenSCManager  打開設備(服務)管理器

CreateService  創建服務(或者設備,根據參數不同而不同)

OpenService     打開設備或者服務.

StartService           啟動服務,啟動設備.

ControlService       控制設備或者服務的狀態.

CloseServiceHandle 關閉服務或者設備的句柄

DeleteService       卸載服務

參數介紹:

1.打開設備管理器

SC_HANDLE OpenSCManager(
  LPCTSTR lpMachineName,   // 機器名稱.可以制定計算機,如不指定,給NULL則是打開自己.
  LPCTSTR lpDatabaseName,  // 打開設備管理器數據庫的名稱,如果為NULL則使用默認的.
  DWORD dwDesiredAccess    // 打開的權限.
);

返回值:

  成功: 返回設備管理器的句柄

  失敗: 返回NULL

 

2.創建設備或者服務.

SC_HANDLE CreateService( 
SC_HANDLE hSCManager,       // 設備管理器句柄,通過OpenScManger返回
LPCTSTR lpServiceName,      // 服務或者設備啟動的名稱
LPCTSTR lpDisplayName,      // 服務或者設備的顯示名稱
DWORD dwDesiredAccess,      // 訪問服務或者設備的權限
DWORD dwServiceType,        // 創建的服務或者設備的類型,如果是內核驅動,則通過這里給
DWORD dwStartType,          // 服務或者設備何時啟動
DWORD dwErrorControl,       // 服務或者設備如果啟動出錯,則指定一下應用程序應該怎么做,(重啟,或者重新長還是.)
LPCTSTR lpBinaryPathName,   // 服務或者設備的文件路徑,必須給.
LPCTSTR lpLoadOrderGroup,   // 服務或者設備排租.
LPDWORD lpdwTagId,          // 可以通過注冊表來啟動服務.
LPCTSTR lpDependencies,     // array of dependency names
LPCTSTR lpServiceStartName, // 服務的啟動名稱.
LPCTSTR lpPassword          // 密碼
);

返回值:

  成功: 返回創建服務或者設備的句柄.

  失敗: 返回NULL

3.打開服務或者設備.

SC_HANDLE OpenService(
  SC_HANDLE hSCManager,  // 設備管理器的句柄,通過OpenScManger返回.
  LPCTSTR lpServiceName, // 服務或者設備的名稱.
  DWORD dwDesiredAccess  // 打開服務或者設備的權限.
);

返回值:

  成功: 返回服務或者設備的句柄.

  失敗: 返回NULL

4.啟動服務或者設備.

BOOL StartService(
  SC_HANDLE hService,            // 服務或者設備句柄
  DWORD dwNumServiceArgs,        // 二維數組的個數.
  LPCTSTR* lpServiceArgVectors   // 二維數組.其中每組存儲一個服務名稱.如果是內核驅動則都給NULL即可.
);

返回值:

  成功: 返回非零值

  失敗: 返回零值.

5.控制服務或者設備.

BOOL ControlService(
  SC_HANDLE hService,               // 服務或者設備句柄,通過OpenService或者CreateService返回.
  DWORD dwControl,                  //控制代碼. 如果給SERVICE_CONTROL_PAUSE那么服務就會暫停
  LPSERVICE_STATUS lpServiceStatus  // 服務的狀態.是一個結構體,操作系統幫你填好.

結構體:

typedef struct _SERVICE_STATUS { 
  DWORD dwServiceType;     //服務的類型
  DWORD dwCurrentState;    //服務的當前狀態,暫停狀態還是停止狀態....
  DWORD dwControlsAccepted;    //服務的控制碼.
  DWORD dwWin32ExitCode;    //服務錯誤或者停止返回的錯誤碼
  DWORD dwServiceSpecificExitCode; //服務啟動的時候返回的錯誤代碼.
  DWORD dwCheckPoint;      //服務開啟的時候用於統計的次數.到達100則啟動完成.一般進度條使用
  DWORD dwWaitHint;        //給定一個期望值.時間.然后按照時間一點一點的啟動.
} SERVICE_STATUS, *LPSERVICE_STATUS;

6.關閉服務句柄.

BOOL CloseServiceHandle(
  SC_HANDLE hSCObject   // 服務或者設備的句柄
);

 7.卸載服務

BOOL DeleteService(
  SC_HANDLE hService   // handle to service
);

 

二丶詳細代碼

上面是簡單的API介紹.下面則貼出完整的代碼.

請注意我這里使用的是MFC編寫的. 但是其每個函數不會互相依賴.如果你是拷貝代碼.則直接拷貝過去就可以使用.

1.安裝內核驅動代碼

 m_CreateService = CreateService(
        m_ScHand, 
        服務或者設備名稱,   //例如: MySystem.sys
        服務或者設備的名稱,
        SC_MANAGER_ALL_ACCESS,
        SERVICE_KERNEL_DRIVER,//安裝的屬性,我這里給的是內核的.所以安裝的是內核.
        SERVICE_DEMAND_START,
        SERVICE_ERROR_SEVERE,
        m_EdtPathName,
        NULL,
        NULL,
        NULL,
        NULL,
        NULL);
    if (m_CreateService == NULL)
    {
        ::CloseServiceHandle(m_CreateService);
        ::CloseServiceHandle(m_ScHand);
        ::MessageBox(NULL, TEXT("Sorry Install Drive Fail"), TEXT("Error"), NULL);
        return;
    }
    ::CloseServiceHandle(m_CreateService);
    ::CloseServiceHandle(m_ScHand);
    ::MessageBox(NULL, TEXT("InStall Drive Sucess"), TEXT("Sucess"), NULL);

2.卸載代碼

     m_ScHand = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if (m_ScHand == NULL)
    {
        ::MessageBox(NULL, TEXT("Sorry OpenScManger Fail\r\n"), TEXT("Error"), MB_ICONEXCLAMATION);
        return;
    }
    //open Service
    m_CreateService = OpenService(m_ScHand, m_ServiceName, SERVICE_STOP | DELETE);
    if (m_CreateService == NULL)
    {
        ::MessageBox(NULL, TEXT("Sorry Install Drive Fail"), TEXT("Error"), NULL);
        return;
    }
    BOOL bRet = FALSE;
          bRet = DeleteService(m_CreateService);
         if (!bRet)
         {
             ::CloseServiceHandle(m_CreateService);
             ::CloseServiceHandle(m_ScHand);
             ::MessageBox(NULL, TEXT("Sorry UnInstall Drive Fail"), TEXT("Error"), NULL);
             return;
         }
        

  
     DeleteService(m_CreateService);
    ::CloseServiceHandle(m_CreateService);
    ::CloseServiceHandle(m_ScHand);
    ::MessageBox(NULL, TEXT("UnInstall Drive Sucess"), TEXT("Sucess"), NULL);

3.啟動內核驅動的代碼

  m_ScHand = NULL;
    m_CreateService = NULL;
    m_ScHand = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if (m_ScHand == NULL)
    {
        ::MessageBox(NULL, TEXT("Sorry OpenScManger Fail\r\n"), TEXT("Error"), MB_ICONEXCLAMATION);
        return;
    }
    //open Service
    m_CreateService = OpenService(m_ScHand, m_ServiceName, SERVICE_START);
    if (m_CreateService == NULL)
    {
        ::MessageBox(NULL, TEXT("Sorry Start Drive Fail"), TEXT("Error"), NULL);
        return;
    }

    UpdateData(TRUE);
    BOOL bRet = StartService(m_CreateService,0,NULL); //重要的地方.

    if (bRet == NULL)
    {
        ::CloseServiceHandle(m_CreateService);
        ::CloseServiceHandle(m_ScHand);
        ::MessageBox(NULL, TEXT("Sorry Start Service Fail\r\n"), TEXT("Error"), IDOK);
        return;
    }

    ::CloseServiceHandle(m_CreateService);
    ::CloseServiceHandle(m_ScHand);
    ::MessageBox(NULL, TEXT(" Start Service Sucess\r\n"), TEXT("Sucess"), IDOK);

4..暫停內核驅動.

m_ScHand = NULL;
    m_CreateService = NULL;
    UpdateData(TRUE);
    m_ScHand = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);  
    SERVICE_STATUS svcsta = { 0 };  
    if (m_ScHand != NULL){  
        SC_HANDLE hService = OpenService(m_ScHand, m_ServiceName, SERVICE_STOP);  
        if (hService != NULL)
        {  
            if (ControlService(m_CreateService, SERVICE_CONTROL_STOP, &svcsta))  
            {  
                CloseServiceHandle(m_CreateService);  
                CloseServiceHandle(m_ScHand);  
                ::MessageBox(NULL, TEXT(" Stop Service Sucess\r\n"), TEXT("Sucess"), IDOK);
                return ;  
            }  
            CloseServiceHandle(m_CreateService);  
            CloseServiceHandle(m_ScHand);  
            ::MessageBox(NULL, TEXT(" Stop Service Fail\r\n"), TEXT("Error"), IDOK);
            return ;  
        }  
        CloseServiceHandle(m_ScHand);  
        return ;  
    }  
    else 
    {
        ::MessageBox(NULL, TEXT(" Stop Service Fail\r\n"), TEXT("Fail"), IDOK);
        return ;  
    }
    return;
    

 

 

完整測試代碼:

// InstallDriver.cpp : 定義應用程序的入口點。
//

#include "stdafx.h"
#include "InstallDriver.h"
#include "../../publicstruct.h"

// Process-wide state shared by the four driver helpers below.
SC_HANDLE  m_ScHand       = NULL; // SCM handle: opened by InstallDriver, reused by Start/Stop/UninstallDriver
SC_HANDLE  m_CreateService = NULL; // service handle of the driver currently being operated on
CBinString m_ServiceName;          // service name recorded by InstallDriver and reused by the other helpers
CBinString m_EdtPathName;          // full path of the .sys image recorded by InstallDriver

//安裝驅動


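// Registers ServiecName as a kernel-mode driver service whose image is ServicePathName.
//
// Side effects: m_ServiceName and m_EdtPathName are updated unconditionally, and on a
// successful OpenSCManager the SCM handle is left open in the global m_ScHand so that
// StartDriver / StopDriver / UninstallDriver can reuse it (UninstallDriver closes it).
//
// Returns FALSE when the SCM cannot be opened (typically ERROR_ACCESS_DENIED when not
// elevated) or when CreateService fails. CreateService also fails when a service of
// that name already exists; the caller decides whether that is fatal.
BOOL InstallDriver(CBinString ServiecName, CBinString ServicePathName)
{
    m_EdtPathName = ServicePathName;
    m_ServiceName = ServiecName;

    m_ScHand = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if (m_ScHand == NULL)
    {
        //OutputDebugString(TEXT("打開服務管理器失敗"));
        return FALSE;
    }

    m_CreateService = CreateService(
        m_ScHand,
        m_ServiceName.c_str(),
        m_ServiceName.c_str(),
        SERVICE_ALL_ACCESS,      // access mask for the new service object (the original
                                 // passed SC_MANAGER_ALL_ACCESS, an SCM-object mask; the
                                 // handle is closed immediately, so only the correct
                                 // constant changes here)
        SERVICE_KERNEL_DRIVER,   // register as a kernel driver, not a Win32 service
        SERVICE_DEMAND_START,    // loaded only when StartDriver asks, never at boot
        SERVICE_ERROR_SEVERE,
        m_EdtPathName.c_str(),   // must be a full path to the .sys file
        NULL,
        NULL,
        NULL,
        NULL,
        NULL);
    if (m_CreateService == NULL)
    {
        // Nothing to close here: the service handle is NULL (the original passed that
        // NULL to CloseServiceHandle), and the SCM handle is intentionally kept open so a
        // later StartDriver can still run, e.g. when the service already existed.
        //OutputDebugString(TEXT("調用CreateService失敗"));
        return FALSE;
    }

    // The service is registered; its handle is not needed until StartDriver reopens it
    // with the narrower SERVICE_START right.
    ::CloseServiceHandle(m_CreateService);
    m_CreateService = NULL;

    return TRUE;
}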


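// Starts the driver service recorded in m_ServiceName through the SCM handle that
// InstallDriver left open in m_ScHand.
//
// The ServiceName parameter is kept for interface compatibility but is not used: the
// name always comes from the global set by InstallDriver, as in the original code.
//
// Returns FALSE when no SCM handle is open, when the service cannot be opened with
// SERVICE_START access, or when StartService fails (for example
// ERROR_SERVICE_ALREADY_RUNNING, or a driver image that fails to load).
BOOL StartDriver(CBinString ServiceName)
{
    (void)ServiceName; // see note above

    if (m_ScHand == NULL)
    {
        //OutputDebugString(TEXT("啟動驅動: SCM為NULL打開失敗"));
        return FALSE;
    }

    // Request only the right this function needs; a local handle is used instead of
    // shadowing the global m_CreateService as the original did.
    SC_HANDLE hService = OpenService(m_ScHand, m_ServiceName.c_str(), SERVICE_START);
    if (hService == NULL)
    {
        //OutputDebugString(TEXT("啟動驅動: OpenService服務失敗"));
        return FALSE;
    }

    // Kernel drivers receive no start arguments.
    const BOOL started = StartService(hService, 0, NULL);
    if (!started) // the original compared the BOOL against NULL
    {
        //OutputDebugString(TEXT("啟動驅動: StartService失敗"));
    }

    // Closed on both the success and the failure path.
    ::CloseServiceHandle(hService);

    return started ? TRUE : FALSE;
}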

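// Sends SERVICE_CONTROL_STOP to the driver service recorded in m_ServiceName.
//
// The ServiceName parameter is kept for interface compatibility but is not used: the
// name always comes from the global set by InstallDriver, as in the original code.
//
// Returns TRUE when the SCM accepted the stop request (ControlService returned
// non-zero); FALSE when no SCM handle is open, the service cannot be opened with
// SERVICE_STOP access, or the control request is rejected (e.g. the driver is not
// running or does not accept stop controls).
BOOL StopDriver(CBinString ServiceName)
{
    (void)ServiceName; // see note above

    if (m_ScHand == NULL)
    {
        return FALSE;
    }

    SC_HANDLE hService = OpenService(m_ScHand, m_ServiceName.c_str(), SERVICE_STOP);
    if (hService == NULL)
    {
        return FALSE;
    }

    // svcsta receives the service state as the SCM saw it at the time of the request;
    // only the BOOL result is used here, the structure is not inspected.
    SERVICE_STATUS svcsta = { 0 };
    const BOOL stopped = ControlService(hService, SERVICE_CONTROL_STOP, &svcsta);

    // Closed on both paths; the original duplicated the close in each branch and ended
    // with an unreachable `return FALSE;`.
    CloseServiceHandle(hService);

    return stopped ? TRUE : FALSE;
}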

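// Marks the driver service recorded in m_ServiceName for deletion and releases the SCM
// handle opened by InstallDriver. This is the last step of the sequence, so every exit
// after OpenSCManager succeeded closes m_ScHand (the original leaked it when
// OpenService failed).
//
// The ServiceName parameter is kept for interface compatibility but is not used: the
// name always comes from the global set by InstallDriver, as in the original code.
//
// Returns FALSE when no SCM handle is open, the service cannot be opened, or
// DeleteService fails. The service is actually removed by the SCM once it is stopped
// and every handle to it is closed.
BOOL UninstallDriver(CBinString ServiceName)
{
    (void)ServiceName; // see note above

    if (m_ScHand == NULL)
    {
        return FALSE;
    }

    // DELETE is the only right this function exercises; the original also requested
    // SERVICE_STOP but never issued a stop control, so narrowing the mask cannot make
    // the open fail where it previously succeeded.
    m_CreateService = OpenService(m_ScHand, m_ServiceName.c_str(), DELETE);
    if (m_CreateService == NULL)
    {
        ::CloseServiceHandle(m_ScHand);
        m_ScHand = NULL;
        return FALSE;
    }

    // A single call is sufficient: the original called DeleteService twice, and the
    // second call fails with ERROR_SERVICE_MARKED_FOR_DELETE.
    const BOOL deleted = DeleteService(m_CreateService);

    ::CloseServiceHandle(m_CreateService);
    m_CreateService = NULL;
    ::CloseServiceHandle(m_ScHand);
    m_ScHand = NULL; // StartDriver/StopDriver now fail cleanly instead of using a closed handle

    return deleted ? TRUE : FALSE;
}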


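// Runs the full test cycle for a kernel driver: install -> start -> let it run for a
// few seconds -> stop -> uninstall.
//
// InstallDriver opens the SCM handle m_ScHand and UninstallDriver closes it. The early
// returns after a failed start or stop therefore release the handle themselves (the
// original returned with it still open). Note that on those paths the service stays
// registered, exactly as before; only the handle leak is fixed.
void LoadDriver(CBinString ServiceName, CBinString ServicePathName)
{
    const DWORD kRunMs  = 3000; // how long the driver is left running before the stop
    const DWORD kStopMs = 1000; // grace period between the stop request and uninstall

    if (!InstallDriver(ServiceName, ServicePathName))
    {
        // Not fatal, as in the original: a previous run may have left the service
        // registered, in which case CreateService fails but the service can still be
        // started. If the SCM itself could not be opened, StartDriver fails below.
        // OutputDebugString(TEXT("安裝驅動失敗"));
    }

    if (!StartDriver(ServiceName))
    {
        //OutputDebugString(TEXT("啟動驅動失敗"));
        if (m_ScHand != NULL)
        {
            ::CloseServiceHandle(m_ScHand);
            m_ScHand = NULL;
        }
        return;
    }

    Sleep(kRunMs);

    if (!StopDriver(ServiceName))
    {
        //OutputDebugString(TEXT("停止驅動失敗"));
        if (m_ScHand != NULL)
        {
            ::CloseServiceHandle(m_ScHand);
            m_ScHand = NULL;
        }
        return;
    }

    Sleep(kStopMs);

    if (!UninstallDriver(ServiceName))
    {
        //OutputDebugString(TEXT("刪除驅動失敗"));
        return;
    }
}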

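// Entry point: builds the service name and the full path of the .sys image next to the
// current working directory, then runs the install/start/stop/uninstall cycle.
//
// Returns 0 on the normal path and 1 when the current directory cannot be determined.
int APIENTRY wWinMain(_In_ HINSTANCE hInstance,
                     _In_opt_ HINSTANCE hPrevInstance,
                     _In_ LPWSTR    lpCmdLine,
                     _In_ int       nCmdShow)
{
    UNREFERENCED_PARAMETER(hInstance);
    UNREFERENCED_PARAMETER(hPrevInstance);
    UNREFERENCED_PARAMETER(lpCmdLine);
    UNREFERENCED_PARAMETER(nCmdShow);

    TCHAR szBuffer[MAX_PATH] = { 0 };

    // GetCurrentDirectory takes the buffer length in TCHARs, not bytes. The original
    // passed sizeof(TCHAR) * MAX_PATH, which over-states this MAX_PATH-element buffer
    // and lets a long current directory overflow it. A return of 0 is failure; a return
    // of MAX_PATH or more means the path did not fit (the buffer is then unchanged).
    const DWORD cchDir = GetCurrentDirectory(MAX_PATH, szBuffer);
    if (cchDir == 0 || cchDir >= MAX_PATH)
    {
        OutputDebugString(TEXT("GetCurrentDirectory failed or path too long\r\n"));
        return 1;
    }
    OutputDebugString(szBuffer);

    CBinString ServiceName;
    CBinString ServicePathName;
    ServiceName = TEXT("PassRegister"); //注: 不能有后綴名

    // NOTE(review): the image path is derived from the current working directory rather
    // than the executable's own directory, so which .sys is loaded depends on where the
    // tool is launched from; GetModuleFileName would pin it to the tool's location.
    ServicePathName = szBuffer;
    ServicePathName += TEXT("\\");
    ServicePathName.append(ServiceName);//注意必須是路徑加文件名 D;\\xx.exe/sys/dll
    ServicePathName.append(TEXT(".sys"));

    OutputDebugString(ServicePathName.c_str());

    LoadDriver(ServiceName, ServicePathName);
    return 0;
}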
測試代碼.可拷貝

 

完整的工程代碼資料下載:

  鏈接:https://pan.baidu.com/s/1kWoHJZD 密碼:osy7

 

原創不易,轉載請注明出處.





 