为什么我写的驱动运行之后电脑CPU占用率直接100%?我写的过TP保护的驱动在虚拟机下运行完全正常,为什么拿到
为什么我写的驱动运行之后电脑CPU占用率直接100%?
我写的过TP保护的驱动在虚拟机下运行完全正常,为什么拿到物理机上面直接CPU占用率100%?
什么情况?
[解决办法]
那没法,驱动编起来就这点不方便
双机调试
[解决办法]
[解决办法][解决办法]#include "DDK_ShenMing.h"
///////------------函数声明区域-------------------
int InitialDDK(PDRIVER_OBJECT pDriverObject);
int DDK_Unload(PDRIVER_OBJECT p);
NTSTATUS DispatchRoutine(PDEVICE_OBJECT pDevObj,PIRP pIrp);
void Hook();
void Unhook();
//声明函数指针
typedef NTSTATUS (_stdcall *NTTERNIMATEPROCESS)(HANDLE ProcessHandle,NTSTATUS ExitStatus); //定义一个函数指针
NTTERNIMATEPROCESS ImitateNTerminateProcess;//定义一个函数
extern PServiceDescriptorTable KeServiceDescriptorTable; //导出 KeServiceDescriptorTable
NTSTATUS MyNtTerminateProcess(HANDLE ProcessHandle,NTSTATUS ExitStatus);//自己的假冒函数
///////-------------函数声明结束-------------------
#pragma code_seg("INIT")
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING B)
{
KdPrint(("-----进入了驱动主函数。------\n"));
InitialDDK(pDriverObject);
Hook();
pDriverObject->DriverUnload=DDK_Unload;
pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL]=DispatchRoutine;
pDriverObject->MajorFunction[IRP_MJ_CREATE]=DispatchRoutine;
pDriverObject->MajorFunction[IRP_MJ_CLOSE]=DispatchRoutine;
pDriverObject->MajorFunction[IRP_MJ_READ]=DispatchRoutine;
return STATUS_SUCCESS;
}
#pragma code_seg("PAGE")
int InitialDDK(PDRIVER_OBJECT pDriverObject)
{
NTSTATUS status;
PDEVICE_OBJECT pDevObj;
UNICODE_STRING DevName,SysName;
RtlInitUnicodeString(&DevName,L"\\Device\\MyDevice");
RtlInitUnicodeString(&SysName,L"\\??\\1111");
status=IoCreateDevice(pDriverObject,0,&DevName,FILE_DEVICE_UNKNOWN,0,TRUE,&pDevObj);
if( status<0) //如果创建设备失败
{
Initial_Status=CREATE_FAILD;
return 0;
}
pDevObj->Flags |=DO_BUFFERED_IO;
status=IoCreateSymbolicLink(&SysName,&DevName);
if(status<0)
{
IoDeleteDevice(pDevObj);
Initial_Status=CREATE_FAILD;
return 0;
}
Initial_Status=CREATE_SUCCESS;
return 1;
}
#pragma code_seg("PAGE")
int DDK_Unload(PDRIVER_OBJECT p)
{
KdPrint(("-----驱动被卸载了------\n"));
if(Initial_Status==CREATE_SUCCESS)
{
PDEVICE_OBJECT pDevObj;
UNICODE_STRING SysName;
RtlInitUnicodeString(&SysName,L"\\??\\1111");
pDevObj=p->DeviceObject;
IoDeleteDevice(pDevObj);
IoDeleteSymbolicLink(&SysName);
if(IS_HOOH==HOOK_SUCCESS)
Unhook();
}
return 1;
}
#pragma code_seg("PAGE")
NTSTATUS DispatchRoutine(PDEVICE_OBJECT pDevObj,PIRP pIrp)
{
ULONG mf,CTL_code;
PIO_STACK_LOCATION stack=IoGetCurrentIrpStackLocation(pIrp);
mf=stack->MajorFunction;
CTL_code=stack->Parameters.DeviceIoControl.IoControlCode;
switch(mf)
{
case IRP_MJ_DEVICE_CONTROL:
{
switch(CTL_code) //判断控制码
{
case hook_code:
{
void *hProcess=(void*)(pIrp->AssociatedIrp.SystemBuffer);
}
case Unkook_code:
{
Unhook();
}
default: break;
}
}//IRP_MJ_DEVICE_CONTROL
case IRP_MJ_CREATE:
{
KdPrint(("调用了IRP_MJ_CREATE事件\n"));
}
default: break;
}
pIrp->IoStatus.Information=4;
pIrp->IoStatus.Status=STATUS_SUCCESS;
IoCompleteRequest(pIrp,IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
#pragma code_seg("PAGE")
void Hook()
{
if(IS_HOOH != HOOK_SUCCESS)
{
ULONG Addr;
Addr=(ULONG)(KeServiceDescriptorTable->ServiceTableBase) + 257*4;
NT_Address= *((ULONG*)Addr);
if( *((ULONG*)Addr)==NT_Address ) //如果读取地址正确
{
KdPrint(("---成功的读取了SSDT地址:%x ---\n",NT_Address));
IS_HOOH=HOOK_SUCCESS;//如果地址保存在变量中,就OK。
ImitateNTerminateProcess=(NTTERNIMATEPROCESS)NT_Address;//真的函数指向了RealNTerminateProcess
CloseProtect(); //去掉内存保护
*((ULONG *)Addr)=(ULONG)MyNtTerminateProcess;//替换为我们的函数
OpenProtect (); //恢复内存保护
return ;
}
else
{
KdPrint(("读取SSDT时出错了\n"));
return ;
}
}
}
#pragma code_seg("PAGE")
void Unhook()
{
if(IS_HOOH==HOOK_SUCCESS)//如果hook的地址是真正的地址。
{
ULONG Addr;
Addr=(ULONG)(KeServiceDescriptorTable->ServiceTableBase) + 257*4;
CloseProtect();
*((ULONG*)Addr)=NT_Address;
OpenProtect ();
IS_HOOH=HOOK_UNHOOK; //设置为已经取消了HOOK
KdPrint(("SSDT HOOK取消成功\n"));
}
}
#pragma code_seg("PAGE")
NTSTATUS MyNtTerminateProcess(HANDLE ProcessHandle,NTSTATUS ExitStatus)//假冒函数
{
NTSTATUS status=0;
PEPROCESS process; //接受通过ProcessHandle返回的进程
char *pName; //接受进程的进程名
char *ProcessName="TestPass.exe"; //要保护的进程名字
status=ObReferenceObjectByHandle(ProcessHandle,FILE_READ_DATA,0,KernelMode,&process,NULL); //获取进程
if(status==STATUS_SUCCESS)
{
int Ix=0;
int n;
pName = (char*)PsGetProcessImageFileName(process); //获取进程名
KdPrint(("得到的进程名:%s保护的进程:TestPass.exe\n",pName));
KdPrint(("进程句柄:%x\n",process));
ObfDereferenceObject(process);
for(n=0;(pName[n]!='\0') && (ProcessName[n]!='\0');n++)
{
if(pName[n]!=ProcessName[n])
Ix++;
}
if(Ix<1);
{
KdPrint(("是我们要保护的进程……\n"));
KdPrint((" ACESS Process Name:%s--\n",(PTSTR)((ULONG)process+0x174)));
return STATUS_ACCESS_DENIED;
}
}
else
{
KdPrint(("没有执行保护!\n"));
return (NTSTATUS)ImitateNTerminateProcess(ProcessHandle,ExitStatus);
}
}
我的也是,驱动运行后就CPU 50%多了。
