反汇编驱动常用结构体

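/*
 * DEVICE_OBJECT as laid out on 32-bit x86.  The offsets in the comments
 * are the page's own annotations and do not hold on x64.  The original
 * listing stops at Dpc: the members that follow in the real header are
 * not reproduced, so this definition must not be used for sizeof() or
 * for allocating device objects.  DeviceExtension (0x28) is the field
 * most often chased when following a driver's per-device state in a
 * disassembly; AttachedDevice (0x10) is how a filter sits on top of it.
 */
typedef struct _DEVICE_OBJECT {
    CSHORT Type;                            /* 0x00 */
    USHORT Size;                            /* 0x02 */
    LONG ReferenceCount;                    /* 0x04 */
    struct _DRIVER_OBJECT *DriverObject;    /* 0x08 */
    struct _DEVICE_OBJECT *NextDevice;      /* 0x0c */
    struct _DEVICE_OBJECT *AttachedDevice;  /* 0x10 */
    struct _IRP *CurrentIrp;                /* 0x14 */
    PIO_TIMER Timer;                        /* 0x18 */
    ULONG Flags;                            /* 0x1c  DO_... flags */
    ULONG Characteristics;                  /* 0x20  FILE_... characteristics (ntioapi) */
    PVPB Vpb;                               /* 0x24 */
    PVOID DeviceExtension;                  /* 0x28  frequently used */
    DEVICE_TYPE DeviceType;                 /* 0x2c */
    CCHAR StackSize;                        /* 0x30 */
    union {
        LIST_ENTRY ListEntry;
        WAIT_CONTEXT_BLOCK Wcb;
    } Queue;    /* annotated 0x31 in the original notes; NOTE(review): both arms
                 * hold pointers, so the union is pointer-aligned and 0x34 is the
                 * expected x86 offset (StackSize is a single byte followed by
                 * padding) — confirm in a debugger before relying on it */
    ULONG AlignmentRequirement;
    KDEVICE_QUEUE DeviceQueue;
    KDPC Dpc;
    /* ... members after Dpc are omitted in the original listing ... */
} DEVICE_OBJECT, *PDEVICE_OBJECT;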




/*
 * Counted UTF-16 string used throughout the kernel API.  Length and
 * MaximumLength are byte counts, not character counts (the MIDL
 * attributes below divide them by 2 to get element counts), and Buffer
 * is not guaranteed to be NUL-terminated.  Treating Buffer as a C string,
 * or trusting a caller-supplied Length without checking it against
 * MaximumLength, is a classic source of kernel over-reads.  On 32-bit
 * x86: Length at 0x00, MaximumLength at 0x02, Buffer at 0x04.
 */
typedef struct _UNICODE_STRING {
    USHORT Length;           /* bytes currently in use */
    USHORT MaximumLength;    /* bytes available in Buffer */
#ifdef MIDL_PASS
    [size_is(MaximumLength / 2), length_is((Length) / 2) ] USHORT * Buffer;
#else // MIDL_PASS
    PWSTR Buffer;
#endif // MIDL_PASS
} UNICODE_STRING;
所以UNICODE_STRING占8个字节
/*
 * Doubly-linked list node embedded inside larger structures (for example
 * IRP.ThreadListEntry and DEVICE_OBJECT.Queue.ListEntry).  A list head is
 * itself a LIST_ENTRY; an empty list has both links pointing at the head.
 * Two pointers, so 8 bytes on x86.  NOTE: the same struct tag is defined
 * a second time further down this page (without RESTRICTED_POINTER);
 * only one of the two can survive in a compiled header.
 */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;   /* forward link (next entry) */
    struct _LIST_ENTRY *Blink;   /* backward link (previous entry) */
} LIST_ENTRY, *PLIST_ENTRY, *RESTRICTED_POINTER PRLIST_ENTRY;
两个指针LIST_ENTRY长度为8个字节
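/*
 * Completion status of an I/O request.  On 32-bit x86 the Status/Pointer
 * union is at 0x00 and Information at 0x04 (hence "0x1c is Information"
 * when reading IRP.IoStatus at 0x18).  Information is the byte count the
 * driver reports back; for buffered I/O the I/O manager uses it as the
 * copy-back length, so a driver that sets it larger than what it actually
 * wrote into the output buffer leaks kernel memory to the caller.
 */
typedef struct _IO_STATUS_BLOCK {
    union {
        NTSTATUS Status;
        PVOID Pointer;
    };                          /* 0x00 */
    ULONG_PTR Information;      /* 0x04 */
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;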


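/*
 * IRP as laid out on 32-bit x86.  The offsets in the comments are the
 * page's annotations and do not hold on x64.  The two fields most often
 * located in a disassembly are IoStatus (0x18, Information at 0x1c) and
 * Tail.Overlay.CurrentStackLocation (0x60), which is what
 * IoGetCurrentIrpStackLocation returns.
 */
typedef struct _IRP {
    CSHORT Type;                        /* 0x00 */
    USHORT Size;                        /* 0x02 */
    PMDL MdlAddress;                    /* 0x04 */
    ULONG Flags;                        /* 0x08 */
    union {
        struct _IRP *MasterIrp;
        LONG IrpCount;
        PVOID SystemBuffer;             /* kernel copy of the caller's input for buffered I/O */
    } AssociatedIrp;                    /* 0x0c */
    LIST_ENTRY ThreadListEntry;         /* 0x10 */
    IO_STATUS_BLOCK IoStatus;           /* 0x18  Status at 0x18, Information at 0x1c */
    KPROCESSOR_MODE RequestorMode;      /* 0x20  originating mode; buffers are untrusted when UserMode */
    BOOLEAN PendingReturned;            /* 0x21 */
    CHAR StackCount;                    /* 0x22 */
    CHAR CurrentLocation;               /* 0x23 */
    BOOLEAN Cancel;                     /* 0x24 */
    KIRQL CancelIrql;                   /* 0x25 */
    CCHAR ApcEnvironment;               /* 0x26 */
    UCHAR AllocationFlags;              /* 0x27 */
    PIO_STATUS_BLOCK UserIosb;          /* 0x28 */
    PKEVENT UserEvent;                  /* 0x2c */
    union {
        struct {
            PIO_APC_ROUTINE UserApcRoutine;
            PVOID UserApcContext;
        } AsynchronousParameters;
        LARGE_INTEGER AllocationSize;
    } Overlay;                          /* 0x30 */
    PDRIVER_CANCEL CancelRoutine;       /* 0x38 */
    PVOID UserBuffer;                   /* 0x3c  raw caller address for METHOD_NEITHER: probe before use */
    union {
        struct {                                            /* 0x40 */
            union {                                         /* 0x40 */
                KDEVICE_QUEUE_ENTRY DeviceQueueEntry;       /* 0x40 */
                struct {
                    PVOID DriverContext[4];                 /* 0x40 */
                };
            };
            PETHREAD Thread;                                /* 0x50 */
            PCHAR AuxiliaryBuffer;                          /* 0x54 */
            struct {                                        /* 0x58 */
                LIST_ENTRY ListEntry;                       /* 0x58 */
                union {                                     /* 0x60  frequently used: CurrentStackLocation */
                    struct _IO_STACK_LOCATION *CurrentStackLocation;  /* 0x60 */
                    ULONG PacketType;                       /* 0x60 */
                };
            };
            PFILE_OBJECT originalFileObject;                /* 0x64 */
        } Overlay;
        KAPC Apc;                                           /* 0x40 */
        PVOID CompletionKey;                                /* 0x40 */
    } Tail;                                                 /* 0x40 */
} IRP, *PIRP;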

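/*
 * IO_STACK_LOCATION, 32-bit x86 layout.  Offsets in the comments are
 * relative to the start of the stack location (0x24 bytes per location,
 * as Context sits at 0x20).  MajorFunction (0x00) and MinorFunction (0x01)
 * select which arm of the Parameters union (0x04) is meaningful; reading
 * any other arm is reading unrelated bytes.  The lengths and pointers in
 * Parameters come from the caller and must be range-checked by the
 * dispatch routine, not trusted.
 */
typedef struct _IO_STACK_LOCATION {
    UCHAR MajorFunction;    /* 0x00 */
    UCHAR MinorFunction;    /* 0x01 */
    UCHAR Flags;            /* 0x02 */
    UCHAR Control;          /* 0x03 */

    //
    // The following user parameters are based on the service that is being
    // invoked. Drivers and file systems can determine which set to use based
    // on the above major and minor function codes.
    //

    union {

        //
        // System service parameters for: NtCreateFile
        //

        struct {
            PIO_SECURITY_CONTEXT SecurityContext;
            ULONG Options;
            USHORT POINTER_ALIGNMENT FileAttributes;
            USHORT ShareAccess;
            ULONG POINTER_ALIGNMENT EaLength;
        } Create;

        //
        // System service parameters for: NtReadFile
        //

        struct {
            ULONG Length;
            ULONG POINTER_ALIGNMENT Key;
            LARGE_INTEGER ByteOffset;
        } Read;

        //
        // System service parameters for: NtWriteFile
        //

        struct {
            ULONG Length;
            ULONG POINTER_ALIGNMENT Key;
            LARGE_INTEGER ByteOffset;
        } Write;

        //
        // System service parameters for: NtQueryInformationFile
        //

        struct {
            ULONG Length;
            FILE_INFORMATION_CLASS POINTER_ALIGNMENT FileInformationClass;
        } QueryFile;

        //
        // System service parameters for: NtSetInformationFile
        //

        struct {
            ULONG Length;
            FILE_INFORMATION_CLASS POINTER_ALIGNMENT FileInformationClass;
            PFILE_OBJECT FileObject;
            union {
                struct {
                    BOOLEAN ReplaceIfExists;
                    BOOLEAN AdvanceOnly;
                };
                ULONG ClusterCount;
                HANDLE DeleteHandle;
            };
        } SetFile;

        //
        // System service parameters for: NtQueryVolumeInformationFile
        //

        struct {
            ULONG Length;
            FS_INFORMATION_CLASS POINTER_ALIGNMENT FsInformationClass;
        } QueryVolume;

        //
        // System service parameters for: NtFlushBuffersFile
        //
        // No extra user-supplied parameters.
        //

        //
        // System service parameters for: NtDeviceIoControlFile
        //
        // Note that the user's output buffer is stored in the UserBuffer field
        // and the user's input buffer is stored in the SystemBuffer field.
        //
        // For METHOD_NEITHER control codes Type3InputBuffer and Irp->UserBuffer
        // are raw caller addresses: the handler must probe them (ProbeForRead /
        // ProbeForWrite inside __try) and check InputBufferLength /
        // OutputBufferLength itself, and should copy the input once rather
        // than re-read it after validation (double-fetch).
        //

        struct {
            ULONG OutputBufferLength;
            ULONG POINTER_ALIGNMENT InputBufferLength;
            ULONG POINTER_ALIGNMENT IoControlCode;
            PVOID Type3InputBuffer;
        } DeviceIoControl;

        // end_wdm
        //
        // System service parameters for: NtQuerySecurityObject
        //

        struct {
            SECURITY_INFORMATION SecurityInformation;
            ULONG POINTER_ALIGNMENT Length;
        } QuerySecurity;

        //
        // System service parameters for: NtSetSecurityObject
        //

        struct {
            SECURITY_INFORMATION SecurityInformation;
            PSECURITY_DESCRIPTOR SecurityDescriptor;
        } SetSecurity;

        // begin_wdm
        //
        // Non-system service parameters.
        //
        // Parameters for MountVolume
        //

        struct {
            PVPB Vpb;
            PDEVICE_OBJECT DeviceObject;
        } MountVolume;

        //
        // Parameters for VerifyVolume
        //

        struct {
            PVPB Vpb;
            PDEVICE_OBJECT DeviceObject;
        } VerifyVolume;

        //
        // Parameters for Scsi with internal device control.
        //

        struct {
            struct _SCSI_REQUEST_BLOCK *Srb;
        } Scsi;

        //
        // Parameters for IRP_MN_QUERY_DEVICE_RELATIONS
        //

        struct {
            DEVICE_RELATION_TYPE Type;
        } QueryDeviceRelations;

        //
        // Parameters for IRP_MN_QUERY_INTERFACE
        //

        struct {
            CONST GUID *InterfaceType;
            USHORT Size;
            USHORT Version;
            PINTERFACE Interface;
            PVOID InterfaceSpecificData;
        } QueryInterface;

        // end_ntifs

        //
        // Parameters for IRP_MN_QUERY_CAPABILITIES
        //

        struct {
            PDEVICE_CAPABILITIES Capabilities;
        } DeviceCapabilities;

        //
        // Parameters for IRP_MN_FILTER_RESOURCE_REQUIREMENTS
        //

        struct {
            PIO_RESOURCE_REQUIREMENTS_LIST IoResourceRequirementList;
        } FilterResourceRequirements;

        //
        // Parameters for IRP_MN_READ_CONFIG and IRP_MN_WRITE_CONFIG
        //

        struct {
            ULONG WhichSpace;
            PVOID Buffer;
            ULONG Offset;
            ULONG POINTER_ALIGNMENT Length;
        } ReadWriteConfig;

        //
        // Parameters for IRP_MN_SET_LOCK
        //

        struct {
            BOOLEAN Lock;
        } SetLock;

        //
        // Parameters for IRP_MN_QUERY_ID
        //

        struct {
            BUS_QUERY_ID_TYPE IdType;
        } QueryId;

        //
        // Parameters for IRP_MN_QUERY_DEVICE_TEXT
        //

        struct {
            DEVICE_TEXT_TYPE DeviceTextType;
            LCID POINTER_ALIGNMENT LocaleId;
        } QueryDeviceText;

        //
        // Parameters for IRP_MN_DEVICE_USAGE_NOTIFICATION
        //

        struct {
            BOOLEAN InPath;
            BOOLEAN Reserved[3];
            DEVICE_USAGE_NOTIFICATION_TYPE POINTER_ALIGNMENT Type;
        } UsageNotification;

        //
        // Parameters for IRP_MN_WAIT_WAKE
        //

        struct {
            SYSTEM_POWER_STATE PowerState;
        } WaitWake;

        //
        // Parameter for IRP_MN_POWER_SEQUENCE
        //

        struct {
            PPOWER_SEQUENCE PowerSequence;
        } PowerSequence;

        //
        // Parameters for IRP_MN_SET_POWER and IRP_MN_QUERY_POWER
        //

        struct {
            ULONG SystemContext;                            /* 0x04 */
            POWER_STATE_TYPE POINTER_ALIGNMENT Type;        /* 0x08 */
            POWER_STATE POINTER_ALIGNMENT State;
            POWER_ACTION POINTER_ALIGNMENT ShutdownType;
        } Power;

        //
        // Parameters for StartDevice
        //

        struct {
            PCM_RESOURCE_LIST AllocatedResources;
            PCM_RESOURCE_LIST AllocatedResourcesTranslated;
        } StartDevice;

        // begin_ntifs
        //
        // Parameters for Cleanup
        //
        // No extra parameters supplied
        //

        //
        // WMI Irps
        //

        struct {
            ULONG_PTR ProviderId;
            PVOID DataPath;
            ULONG BufferSize;
            PVOID Buffer;
        } WMI;

        //
        // Others - driver-specific
        //

        struct {
            PVOID Argument1;
            PVOID Argument2;
            PVOID Argument3;
            PVOID Argument4;
        } Others;

    } Parameters;   /* 0x04 */

    //
    // Save a pointer to this device driver's device object for this request
    // so it can be passed to the completion routine if needed.
    //

    PDEVICE_OBJECT DeviceObject;    /* 0x14 */

    //
    // The following location contains a pointer to the file object for this
    // request.
    //

    PFILE_OBJECT FileObject;        /* 0x18 */

    //
    // The following routine is invoked depending on the flags in the above
    // flags field.
    //

    PIO_COMPLETION_ROUTINE CompletionRoutine;   /* 0x1c */

    //
    // The following is used to store the address of the context parameter
    // that should be passed to the CompletionRoutine.
    //

    PVOID Context;                  /* 0x20 */

} IO_STACK_LOCATION, *PIO_STACK_LOCATION;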

/*
 * Second definition of the list node (the first one, further up this
 * page, additionally declares PRLIST_ENTRY).  Redefining struct _LIST_ENTRY
 * is a compile error inside one translation unit, so keep only one copy
 * when lifting these notes into a header.  The list macros that follow
 * operate on this type and validate nothing: every Flink/Blink they read
 * is written through as-is.
 */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;   /* forward link (next entry) */
    struct _LIST_ENTRY *Blink;   /* backward link (previous entry) */
}LIST_ENTRY,*PLIST_ENTRY;
//
// Doubly-linked list manipulation routines. Implemented as macros
// but logically these are procedures.
//

//
// VOID
// InitializeListHead(
// PLIST_ENTRY ListHead
// );
//

/* Turn ListHead into an empty list by pointing both of its links at itself.
 * Usable as an expression; its value is the head pointer.  ListHead is
 * evaluated three times, so pass a side-effect-free expression. */
#define InitializeListHead(ListHead) \
    ((ListHead)->Blink = (ListHead)->Flink = (ListHead))

//
// BOOLEAN
// IsListEmpty(
// PLIST_ENTRY ListHead
// );
//

/* Non-zero when the head links only to itself, i.e. the list holds no
 * entries.  Only Flink is inspected; an inconsistent Blink goes unnoticed. */
#define IsListEmpty(ListHead) \
    ((ListHead) == (ListHead)->Flink)

//
// PLIST_ENTRY
// RemoveHeadList(
// PLIST_ENTRY ListHead
// );
//

/*
 * Unlink and yield the first entry of ListHead.  This is a two-statement
 * macro, not an expression: `p = RemoveHeadList(h);` expands to
 * `p = (h)->Flink; {RemoveEntryList((h)->Flink)}`, so it only works as a
 * standalone statement — never inside an unbraced if/else and never as a
 * function argument.  Nothing is checked: on an empty list it yields the
 * head itself and the unlink is a no-op, and a corrupted Flink is handed
 * straight to RemoveEntryList.
 */
#define RemoveHeadList(ListHead) \
(ListHead)->Flink;\
{RemoveEntryList((ListHead)->Flink)}

//
// PLIST_ENTRY
// RemoveTailList(
// PLIST_ENTRY ListHead
// );
//

/*
 * Unlink and yield the last entry of ListHead.  Same shape and same
 * limitations as RemoveHeadList: a two-statement macro usable only as a
 * standalone statement, with no empty-list or link-consistency check
 * (on an empty list it yields the head and the unlink is a no-op).
 */
#define RemoveTailList(ListHead) \
(ListHead)->Blink;\
{RemoveEntryList((ListHead)->Blink)}

//
// VOID
// RemoveEntryList(
// PLIST_ENTRY Entry
// );
//

/*
 * Unlink Entry from whatever list it is on by pointing its two neighbours
 * at each other; Entry's own links are left untouched.  Expands to a bare
 * { } block (RemoveHeadList/RemoveTailList rely on that exact form), so a
 * trailing ';' yields an extra empty statement and an unbraced
 * `if (c) RemoveEntryList(e); else ...` does not parse.
 *
 * No safe-unlinking check is made: the two stores below write through
 * whatever Flink/Blink currently hold, so a corrupted link pair becomes
 * a write to an arbitrary address.  Later kernels verify
 * Flink->Blink == Entry and Blink->Flink == Entry and bugcheck on a
 * mismatch; add the same check in code that unlinks entries reachable
 * from untrusted input.
 */
#define RemoveEntryList(Entry) {\
PLIST_ENTRY _EX_Blink;\
PLIST_ENTRY _EX_Flink;\
_EX_Flink = (Entry)->Flink;\
_EX_Blink = (Entry)->Blink;\
_EX_Blink->Flink = _EX_Flink;\
_EX_Flink->Blink = _EX_Blink;\
}

//
// VOID
// InsertTailList(
// PLIST_ENTRY ListHead,
// PLIST_ENTRY Entry
// );
//

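/*
 * Append Entry at the tail of the list, i.e. immediately before ListHead.
 * Entry must not already be on a list: its links are overwritten, not
 * checked, and ListHead->Blink is written through without validation.
 * Wrapped in do { } while (0) so that `if (c) InsertTailList(h, e); else ...`
 * parses as one statement; the original bare { } block needed braces there.
 * The _EX_ temporaries keep the original header's names.
 */
#define InsertTailList(ListHead,Entry) do {\
    PLIST_ENTRY _EX_Blink;\
    PLIST_ENTRY _EX_ListHead;\
    _EX_ListHead = (ListHead);\
    _EX_Blink = _EX_ListHead->Blink;\
    (Entry)->Flink = _EX_ListHead;\
    (Entry)->Blink = _EX_Blink;\
    _EX_Blink->Flink = (Entry);\
    _EX_ListHead->Blink = (Entry);\
} while (0)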

//
// VOID
// InsertHeadList(
// PLIST_ENTRY ListHead,
// PLIST_ENTRY Entry
// );
//

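/*
 * Insert Entry at the head of the list, i.e. immediately after ListHead.
 * Entry must not already be on a list: its links are overwritten, not
 * checked, and ListHead->Flink is written through without validation.
 * Wrapped in do { } while (0) so that `if (c) InsertHeadList(h, e); else ...`
 * parses as one statement; the original bare { } block needed braces there.
 * The _EX_ temporaries keep the original header's names.
 */
#define InsertHeadList(ListHead,Entry) do {\
    PLIST_ENTRY _EX_Flink;\
    PLIST_ENTRY _EX_ListHead;\
    _EX_ListHead = (ListHead);\
    _EX_Flink = _EX_ListHead->Flink;\
    (Entry)->Flink = _EX_Flink;\
    (Entry)->Blink = _EX_ListHead;\
    _EX_Flink->Blink = (Entry);\
    _EX_ListHead->Flink = (Entry);\
} while (0)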
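/*
 * DRIVER_OBJECT, 32-bit x86 layout (offsets from the page's annotations;
 * not valid on x64).  MajorFunction (0x38) is the IRP dispatch table,
 * indexed by IRP_MJ_* code.  DriverStart/DriverSize (0x0c/0x10) bound the
 * driver image, which is what integrity tooling compares the table
 * entries, DriverUnload and FastIoDispatch against to detect a dispatch
 * routine that has been redirected outside the driver.
 */
typedef struct _DRIVER_OBJECT {
    CSHORT Type;                        /* 0x00 */
    CSHORT Size;                        /* 0x02 */
    PDEVICE_OBJECT DeviceObject;        /* 0x04 */
    ULONG Flags;                        /* 0x08 */
    PVOID DriverStart;                  /* 0x0c */
    ULONG DriverSize;                   /* 0x10 */
    PVOID DriverSection;                /* 0x14 */
    PDRIVER_EXTENSION DriverExtension;  /* 0x18 */
    UNICODE_STRING DriverName;          /* 0x1c  8 bytes, hence the next field at 0x24 */
    PUNICODE_STRING HardwareDatabase;   /* 0x24 */
    PFAST_IO_DISPATCH FastIoDispatch;   /* 0x28 */
    PDRIVER_INITIALIZE DriverInit;      /* 0x2c */
    PDRIVER_STARTIO DriverStartIo;      /* 0x30 */
    PDRIVER_UNLOAD DriverUnload;        /* 0x34 */
    PDRIVER_DISPATCH MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1];   /* 0x38 */
} DRIVER_OBJECT;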


