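// Initialise DebugPrint logging for this driver and start the system thread
// that drains the event list.
//
// _DriverName: NUL-terminated driver name. It is copied into non-paged pool
//   (DriverName / DriverNameLen) because the caller's copy may live in a
//   discardable INIT section.
//
// File-scope state written here: DriverName, DriverNameLen, ExitNow,
// ThreadEvent, ThreadExiting, EventListLock, EventList, ThreadObjectPointer,
// DebugPrintStarted. On every failure path DebugPrintStarted stays FALSE, so
// DebugPrintMsg remains a no-op.
//
// NOTE(review): DriverName is not released on the failure paths below;
// whether DebugPrintClose frees it when DebugPrintStarted is FALSE is not
// visible from here — confirm before relying on it.
// NOTE(review): ExAllocatePool is the untagged legacy allocator; kept as the
// file's convention, newer WDKs prefer a tagged allocation.
void DebugPrintInit(char* _DriverName)
{
    HANDLE threadHandle;
    NTSTATUS status;

    // Copy the driver's name out of the INIT code segment.
    DriverNameLen = 1 + ANSIstrlen(_DriverName);
    DriverName = (char*)ExAllocatePool(NonPagedPool, DriverNameLen);
    if (DriverName == NULL) return;
    RtlCopyMemory(DriverName, _DriverName, DriverNameLen);

    // Prepare for thread start.
    ExitNow = FALSE;
    KeInitializeEvent(&ThreadEvent, SynchronizationEvent, FALSE);
    KeInitializeEvent(&ThreadExiting, SynchronizationEvent, FALSE);

    // Initialise the event list and the spin lock that guards it.
    KeInitializeSpinLock(&EventListLock);
    InitializeListHead(&EventList);

    // Start the system thread that writes events to the DebugPrint driver.
    status = PsCreateSystemThread(&threadHandle, THREAD_ALL_ACCESS, NULL, NULL,
                                  NULL, DebugPrintSystemThread, NULL);
    if (!NT_SUCCESS(status)) return;

    // Take an object reference on the thread so the handle can be closed now.
    status = ObReferenceObjectByHandle(threadHandle, THREAD_ALL_ACCESS, NULL,
                                       KernelMode, &ThreadObjectPointer, NULL);

    // The handle is no longer needed on either path: closing it here (rather
    // than only on success, as before) keeps a failed reference from leaking
    // the kernel handle.
    ZwClose(threadHandle);

    if (!NT_SUCCESS(status)) {
        // No usable object pointer: force the already running thread to exit.
        ExitNow = TRUE;
        KeSetEvent(&ThreadEvent, 0, FALSE);
        return;
    }

    DebugPrintStarted = TRUE;

    // Send an event announcing that logging has started.
    DebugPrintMsg("DebugPrint logging started");
}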
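// Queue a text message, stamped with the current system time and the driver
// name, for the DebugPrint system thread.
//
// Msg: NUL-terminated message text. NULL is ignored (previously it would
//   have been passed to ANSIstrlen).
//
// Record layout in pEvent->EventData, in this order:
//   TIME_FIELDS, then DriverName (DriverNameLen bytes, NUL included), then
//   Msg (MsgLen bytes, NUL included). pEvent->Len holds EventDataLen.
//
// Best effort: nothing is queued before DebugPrintInit succeeded, and the
// message is dropped if the pool allocation fails.
//
// NOTE(review): this file also defines DebugPrintMsg(PEVENT); C has no
// overloading, so only one of the two definitions can be compiled into a
// single translation unit.
void DebugPrintMsg(char* Msg)
{
    LARGE_INTEGER Now;
    TIME_FIELDS NowTF;
    ULONG MsgLen;        // ULONG rather than USHORT so the +1 cannot wrap here
    ULONG EventDataLen, len;
    PDEBUGPRINT_EVENT pEvent;
    PUCHAR buffer;

    if (!DebugPrintStarted || DriverName == NULL || Msg == NULL) return;

    // Time stamp is the raw system time; the earlier local-time conversion
    // (ExSystemTimeToLocalTime) was NT-only and is deliberately not used.
    KeQuerySystemTime(&Now);
    RtlTimeToTimeFields(&Now, &NowTF);

    // Size of the message and of the complete event record.
    MsgLen = ANSIstrlen(Msg) + 1;
    EventDataLen = sizeof(TIME_FIELDS) + DriverNameLen + MsgLen;
    len = sizeof(LIST_ENTRY) + sizeof(ULONG) + EventDataLen;

    // Allocate the event buffer; give up silently if the pool is exhausted.
    pEvent = (PDEBUGPRINT_EVENT)ExAllocatePool(NonPagedPool, len);
    if (pEvent == NULL) return;

    // Copy the event info into the record, field by field.
    buffer = (PUCHAR)pEvent->EventData;
    RtlCopyMemory(buffer, &NowTF, sizeof(TIME_FIELDS));
    buffer += sizeof(TIME_FIELDS);
    RtlCopyMemory(buffer, DriverName, DriverNameLen);
    buffer += DriverNameLen;
    RtlCopyMemory(buffer, Msg, MsgLen);

    // Hand the record to the system thread.
    pEvent->Len = EventDataLen;
    ExInterlockedInsertTailList(&EventList, &pEvent->ListEntry, &EventListLock);
}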
//生成链表节点 void DebugPrintMsg(PEVENT event) { ULONG TimeLen; ULONG EventDataLen; ULONG ProcessIdLen; ULONG ProcessNameLen; ULONG addr1Len; ULONG addr2Len; ULONG addr3Len; ULONG addr4Len; ULONG OperationLen; ULONG PortLen; ULONG ResultLen; ULONG len; LARGE_INTEGER Now,NowLocal; TIME_FIELDS NowTF; PDEBUGPRINT_EVENT pEvent; PUCHAR buffer; if(DebugPrintStarted==FALSE || ExitNow==TRUE) return; if(event==NULL)return; KeQuerySystemTime(&Now); RtlTimeToTimeFields(&Now,&NowTF); //得到事件总体长度 TimeLen=sizeof(TIME_FIELDS); ProcessIdLen=ANSIstrlen(event->ProcessID)+1; ProcessNameLen=ANSIstrlen(event->ProcessName)+1; addr1Len=ANSIstrlen(event->addr1)+1; addr2Len=ANSIstrlen(event->addr2)+1; addr3Len=ANSIstrlen(event->addr3)+1; addr4Len=ANSIstrlen(event->addr4)+1; OperationLen=ANSIstrlen(event->Operation)+1; PortLen=ANSIstrlen(event->port)+1; ResultLen=ANSIstrlen(event->SuccOrFail)+1; EventDataLen=TimeLen+ProcessIdLen+ProcessNameLen+addr1Len+addr2Len+addr3Len+addr4Len+OperationLen+PortLen+ResultLen; len=sizeof(LIST_ENTRY)+sizeof(ULONG)+EventDataLen; //分配事件缓冲区 pEvent=(PDEBUGPRINT_EVENT)ExAllocatePool(NonPagedPool,len); if(pEvent!=NULL) { buffer=(PUCHAR)pEvent->EventData; RtlCopyMemory(buffer,&NowTF,TimeLen); buffer+=TimeLen; RtlCopyMemory(buffer,event->ProcessID,ProcessIdLen); buffer+=ProcessIdLen; RtlCopyMemory(buffer,event->ProcessName,ProcessNameLen); buffer+=ProcessNameLen; RtlCopyMemory(buffer,event->addr1,addr1Len); buffer+=addr1Len; RtlCopyMemory(buffer,event->addr2,addr2Len); buffer+=addr2Len; RtlCopyMemory(buffer,event->addr3,addr3Len); buffer+=addr3Len; RtlCopyMemory(buffer,event->addr4,addr4Len); buffer+=addr4Len; RtlCopyMemory(buffer,event->Operation,OperationLen); buffer+=OperationLen; RtlCopyMemory(buffer,event->port,PortLen); buffer+=PortLen; RtlCopyMemory(buffer,event->SuccOrFail,ResultLen); pEvent->Len=EventDataLen; ExInterlockedInsertTailList(&EventList,&pEvent->ListEntry,&EventListLock); } }