static status_t DevDoLoadDriver(const wchar_t *name, driver_t **driver)
{
if (_wcsicmp(name, L"ramfs") == 0)
*driver = &rd_driver;
else if (_wcsicmp(name, L"portfs") == 0)
*driver = &port_driver;
else if (_wcsicmp(name, L"devfs") == 0)
*driver = &devfs_driver;
else if (_wcsicmp(name, L"vfs") == 0)
*driver = &vfs_driver;
else if (_wcsicmp(name, L"tarfs") == 0)
*driver = &tarfs_driver;
#ifdef WIN32
else if (_wcsicmp(name, L"win32fs") == 0)
*driver = &win32fs_driver;
#endif
else
{
wchar_t temp[50];
module_t *mod;
driver_t *drv;
bool (*DrvInit)(driver_t *drv);
swprintf(temp, L"%s.drv", name);
mod = PeLoad(&proc_idle, temp, 0);
if (mod == NULL)
{
*driver = NULL;
return errno;
}
FOREACH(drv, drv)
if (drv->mod == mod)
{
*driver = drv;
return 0;
}
drv = malloc(sizeof(driver_t));
if (drv == NULL)
{
PeUnload(&proc_idle, mod);
*driver = NULL;
return errno;
}
drv->mod = mod;
drv->add_device = NULL;
drv->mount_fs = NULL;
DrvInit = (void*) mod->entry;
if (DrvInit == NULL || !DrvInit(drv))
{
PeUnload(&proc_idle, mod);
free(drv);
*driver = NULL;
return errno;
}
LIST_ADD(drv, drv);
*driver = drv;
}
return 0;
}
NTSTATUS ReLoadKbdclass(PDRIVER_OBJECT DriverObject,PKBDCLASSDISPATCHBAKUP KbdclassDispatchBakUp,int Type)
{
PDRIVER_OBJECT PKbdclassDriverObject = NULL;
PUCHAR i;
WIN_VER_DETAIL WinVer;
BOOL bInit = FALSE;
PUCHAR KbdclassDriverEntry;
PUCHAR ulJmpAddress,ulAddress;
ULONG ulDispatch;
ULONG ulDriverEntryToDispatchCodeOffset;
ULONG ulOffset;
BOOL bIsReLoadSuccess = FALSE;
UNICODE_STRING UnicodeModule;
HANDLE hSection;
ULONG ulModuleBase;
//获取driverobject
if (GetDriverObject(L"\\Driver\\Kbdclass",&PKbdclassDriverObject) == STATUS_SUCCESS)
{
PKbdclassDriverObjectBakup = PKbdclassDriverObject;
ulKbdclassModuleBase = PKbdclassDriverObject->DriverStart;
ulKbdclassModuleSize = PKbdclassDriverObject->DriverSize;
//reload
if (PeLoad(
L"\\SystemRoot\\system32\\drivers\\Kbdclass.sys",
&ulReLoadKbdclassModuleBase,
DriverObject,
ulKbdclassModuleBase
))
{
bIsReLoadSuccess = TRUE;
}
if (!bIsReLoadSuccess)
{
return STATUS_UNSUCCESSFUL;
}
if (GetDriverEntryPoint(ulReLoadKbdclassModuleBase,&KbdclassDriverEntry))
{
/*
IRP_MJ_CREATE 0xF875FDD0 - 0xF875FDD0 C:\WINDOWS\system32\DRIVERS\kbdclass.sys
IRP_MJ_CLOSE 0xF875FFE0 - 0xF875FFE0 C:\WINDOWS\system32\DRIVERS\kbdclass.sys
IRP_MJ_READ C:\WINDOWS\system32\DRIVERS\kbdclass.sys
IRP_MJ_FLUSH_BUFFERS 0xF875FD4A - 0xF875FD4A C:\WINDOWS\system32\DRIVERS\kbdclass.sys
IRP_MJ_DEVICE_CONTROL
IRP_MJ_INTERNAL_DEVICE_CONTROL 0xF8761386 - 0xF8761386 C:\WINDOWS\system32\DRIVERS\kbdclass.sys
IRP_MJ_CLEANUP 0xF875FD06 - 0xF875FD06 C:\WINDOWS\system32\DRIVERS\kbdclass.sys
IRP_MJ_POWER 0xF8762180 - 0xF8762180 C:\WINDOWS\system32\DRIVERS\kbdclass.sys
IRP_MJ_SYSTEM_CONTROL 0xF8761842 - 0xF8761842 C:\WINDOWS\system32\DRIVERS\kbdclass.sys
IRP_MJ_PNP_POWER 0xF876078A - 0xF876078A C:\WINDOWS\system32\DRIVERS\kbdclass.sys
*/
/*
8105e610 8bff mov edi,edi
8105e612 55 push ebp
8105e613 8bec mov ebp,esp
8105e615 a12c4095f8 mov eax,dword ptr ds:[F895402Ch]
8105e61a 85c0 test eax,eax
8105e61c b940bb0000 mov ecx,0BB40h
8105e621 7404 je 8105e627
8105e623 3bc1 cmp eax,ecx
8105e625 7523 jne 8105e64a
8105e627 8b15ec3e95f8 mov edx,dword ptr ds:[0F8953EECh]
8105e62d b82c4095f8 mov eax,0F895402Ch
8105e632 c1e808 shr eax,8
8105e635 3302 xor eax,dword ptr [edx]
8105e637 25ffff0000 and eax,0FFFFh
8105e63c a32c4095f8 mov dword ptr ds:[F895402Ch],eax
8105e641 7507 jne 8105e64a
8105e643 8bc1 mov eax,ecx
8105e645 a32c4095f8 mov dword ptr ds:[F895402Ch],eax
8105e64a f7d0 not eax
8105e64c a3284095f8 mov dword ptr ds:[F8954028h],eax
8105e651 5d pop ebp
8105e652 e9d9f9ffff jmp 8105e030 <-----获取这里的地址 即driverentry(xp)
*/
for (i=(ULONG)KbdclassDriverEntry;i < (ULONG)KbdclassDriverEntry+0x1000;i++)
{
if (*i == 0xe9)
{
ulJmpAddress = *(PULONG)(i+1)+(ULONG)(i+5);
if (MmIsAddressValidEx(ulJmpAddress))
{
if (DebugOn)
KdPrint(("i:%08x,DriverEntry:%08x\n",i,ulJmpAddress));
bInit = TRUE;
break;
}
}
}
if (!bInit)
{
return;
}
WinVer = GetWindowsVersion();
switch (WinVer)
{
case WINDOWS_VERSION_XP:
ulDriverEntryToDispatchCodeOffset = 0x2c2; //硬编码了,xp
break;
case WINDOWS_VERSION_7_7000:
ulDriverEntryToDispatchCodeOffset = 0x27C; //硬编码了,win7 7000
break;
case WINDOWS_VERSION_7_7600_UP:
ulDriverEntryToDispatchCodeOffset = 0x2BE; //硬编码了,win7 7600 UP
break;
case WINDOWS_VERSION_2K3_SP1_SP2:
ulDriverEntryToDispatchCodeOffset = 0x2c2; //硬编码了,2003
//ulOffset = (ULONG)PKbdclassDriverObject->DriverStart - 0x10000;
break;
}
ulDispatch = ulJmpAddress + ulDriverEntryToDispatchCodeOffset;
if (DebugOn)
KdPrint(("ulAddress:%08x\r\n",ulDispatch));
ulReal_KBDCLASS_IRP_MJ_CREATE = *(PULONG)(ulDispatch+3);
ulReal_KBDCLASS_IRP_MJ_CLOSE = *(PULONG)(ulDispatch+0xA);
ulReal_KBDCLASS_IRP_MJ_READ = *(PULONG)(ulDispatch+0x11);
ulReal_KBDCLASS_IRP_MJ_FLUSH_BUFFERS = *(PULONG)(ulDispatch+0x18);
ulReal_KBDCLASS_IRP_MJ_DEVICE_CONTROL = *(PULONG)(ulDispatch+0x1F);
ulReal_KBDCLASS_IRP_MJ_INTERNAL_DEVICE_CONTROL = *(PULONG)(ulDispatch+0x26);
ulReal_KBDCLASS_IRP_MJ_CLEANUP = *(PULONG)(ulDispatch+0x30);
ulReal_KBDCLASS_IRP_MJ_PNP_POWER = *(PULONG)(ulDispatch+0x3A);
ulReal_KBDCLASS_IRP_MJ_POWER = *(PULONG)(ulDispatch+0x44);
ulReal_KBDCLASS_IRP_MJ_SYSTEM_CONTROL = *(PULONG)(ulDispatch+0x4E);
if (DebugOn)
KdPrint(("%08x\r\n"
"%08x\r\n"
"%08x\r\n"
"%08x\r\n"
"%08x\r\n"
"%08x\r\n"
"%08x\r\n"
"%08x\r\n"
"%08x\r\n"
"%08x\r\n",
ulReal_KBDCLASS_IRP_MJ_CREATE,
ulReal_KBDCLASS_IRP_MJ_CLOSE,
ulReal_KBDCLASS_IRP_MJ_READ,
ulReal_KBDCLASS_IRP_MJ_FLUSH_BUFFERS,
ulReal_KBDCLASS_IRP_MJ_DEVICE_CONTROL,
ulReal_KBDCLASS_IRP_MJ_INTERNAL_DEVICE_CONTROL,
ulReal_KBDCLASS_IRP_MJ_CLEANUP,
ulReal_KBDCLASS_IRP_MJ_POWER,
ulReal_KBDCLASS_IRP_MJ_SYSTEM_CONTROL,
ulReal_KBDCLASS_IRP_MJ_PNP_POWER
));
if (Type == 1)
{
//填充结构
FixFixKbdclass(KbdclassDispatchBakUp,PKbdclassDriverObjectBakup,0,ulReal_KBDCLASS_IRP_MJ_CREATE,L"IRP_MJ_CREATE",IRP_MJ_CREATE);
FixFixKbdclass(KbdclassDispatchBakUp,PKbdclassDriverObjectBakup,1,ulReal_KBDCLASS_IRP_MJ_CLOSE,L"IRP_MJ_CLOSE",IRP_MJ_CLOSE);
FixFixKbdclass(KbdclassDispatchBakUp,PKbdclassDriverObjectBakup,2,ulReal_KBDCLASS_IRP_MJ_READ,L"IRP_MJ_READ",IRP_MJ_READ);
FixFixKbdclass(KbdclassDispatchBakUp,PKbdclassDriverObjectBakup,3,ulReal_KBDCLASS_IRP_MJ_FLUSH_BUFFERS,L"IRP_MJ_FLUSH_BUFFERS",IRP_MJ_FLUSH_BUFFERS);
FixFixKbdclass(KbdclassDispatchBakUp,PKbdclassDriverObjectBakup,4,ulReal_KBDCLASS_IRP_MJ_DEVICE_CONTROL,L"IRP_MJ_DEVICE_CONTROL",IRP_MJ_DEVICE_CONTROL);
FixFixKbdclass(KbdclassDispatchBakUp,PKbdclassDriverObjectBakup,5,ulReal_KBDCLASS_IRP_MJ_INTERNAL_DEVICE_CONTROL,L"IRP_MJ_INTERNAL_DEVICE_CONTROL",IRP_MJ_INTERNAL_DEVICE_CONTROL);
FixFixKbdclass(KbdclassDispatchBakUp,PKbdclassDriverObjectBakup,6,ulReal_KBDCLASS_IRP_MJ_CLEANUP,L"IRP_MJ_CLEANUP",IRP_MJ_CLEANUP);
FixFixKbdclass(KbdclassDispatchBakUp,PKbdclassDriverObjectBakup,7,ulReal_KBDCLASS_IRP_MJ_POWER,L"IRP_MJ_POWER",IRP_MJ_POWER);
FixFixKbdclass(KbdclassDispatchBakUp,PKbdclassDriverObjectBakup,8,ulReal_KBDCLASS_IRP_MJ_SYSTEM_CONTROL,L"IRP_MJ_SYSTEM_CONTROL",IRP_MJ_SYSTEM_CONTROL);
FixFixKbdclass(KbdclassDispatchBakUp,PKbdclassDriverObjectBakup,9,ulReal_KBDCLASS_IRP_MJ_PNP_POWER,L"IRP_MJ_PNP_POWER",IRP_MJ_PNP_POWER);
KbdclassDispatchBakUp->ulCount = 10;
return STATUS_SUCCESS;
}
//所有调用都走reload
PKbdclassDriverObjectBakup->MajorFunction[IRP_MJ_CREATE] = ulReal_KBDCLASS_IRP_MJ_CREATE - ulKbdclassModuleBase + ulReLoadKbdclassModuleBase;
PKbdclassDriverObjectBakup->MajorFunction[IRP_MJ_CLOSE] = ulReal_KBDCLASS_IRP_MJ_CLOSE - ulKbdclassModuleBase + ulReLoadKbdclassModuleBase;
PKbdclassDriverObjectBakup->MajorFunction[IRP_MJ_READ] = ulReal_KBDCLASS_IRP_MJ_READ - ulKbdclassModuleBase + ulReLoadKbdclassModuleBase;
PKbdclassDriverObjectBakup->MajorFunction[IRP_MJ_FLUSH_BUFFERS] = ulReal_KBDCLASS_IRP_MJ_FLUSH_BUFFERS - ulKbdclassModuleBase + ulReLoadKbdclassModuleBase;
PKbdclassDriverObjectBakup->MajorFunction[IRP_MJ_DEVICE_CONTROL] = ulReal_KBDCLASS_IRP_MJ_DEVICE_CONTROL - ulKbdclassModuleBase + ulReLoadKbdclassModuleBase;
PKbdclassDriverObjectBakup->MajorFunction[IRP_MJ_INTERNAL_DEVICE_CONTROL] = ulReal_KBDCLASS_IRP_MJ_INTERNAL_DEVICE_CONTROL - ulKbdclassModuleBase + ulReLoadKbdclassModuleBase;
PKbdclassDriverObjectBakup->MajorFunction[IRP_MJ_CLEANUP] = ulReal_KBDCLASS_IRP_MJ_CLEANUP - ulKbdclassModuleBase + ulReLoadKbdclassModuleBase;
PKbdclassDriverObjectBakup->MajorFunction[IRP_MJ_POWER] = ulReal_KBDCLASS_IRP_MJ_POWER - ulKbdclassModuleBase + ulReLoadKbdclassModuleBase;
PKbdclassDriverObjectBakup->MajorFunction[IRP_MJ_SYSTEM_CONTROL] = ulReal_KBDCLASS_IRP_MJ_SYSTEM_CONTROL - ulKbdclassModuleBase + ulReLoadKbdclassModuleBase;
PKbdclassDriverObjectBakup->MajorFunction[IRP_MJ_PNP_POWER] = ulReal_KBDCLASS_IRP_MJ_PNP_POWER - ulKbdclassModuleBase + ulReLoadKbdclassModuleBase;
}
}
return STATUS_SUCCESS;
}
