SoftICE可以本地调试,但现在开发商已经不再更新了,没法调试新的系统环境;WinDbg不能本地调试,现在流行用虚拟机来双机调试;dbgview我不了解。
对于WDM驱动 VS2012有向导可以新建WDM项目 如图 这点说明不用自己配置 文件目录 C/C++ 选项 LINK 选项 等一系列的参数 比以前方便了不少新建以后是空项目 放入《windows驱动开发技术详解》中第一章的WDM代码
分别是: HelloWDM.h
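#pragma once

// wdm.h is a C header; wrap it so C++ translation units get C linkage.
#ifdef __cplusplus
extern "C" {
#endif
#include <wdm.h>
#ifdef __cplusplus
}
#endif

// Per-device context. IoCreateDevice allocates sizeof(DEVICE_EXTENSION)
// bytes behind the FDO; AddDevice fills the fields in.
typedef struct _DEVICE_EXTERSION
{
    PDEVICE_OBJECT fdo;              // the functional device object this extension belongs to
    PDEVICE_OBJECT NextStatckDevice; // next-lower device returned by IoAttachDeviceToDeviceStack
    UNICODE_STRING ustrDeviceName;   // device name (\Device\...)
    UNICODE_STRING ustrSymLinkName;  // symbolic link name (\DosDevices\...)
} DEVICE_EXTENSION, *PDEVICE_EXTENSION;

// Section placement helpers, used as `#pragma PAGEDCODE` etc.
// The MSVC pragmas are code_seg/data_seg; the original `code_set`/`data_set`
// spellings are not recognised and would have left INITCODE and all of the
// data macros silently ineffective.
#define PAGEDCODE  code_seg("PAGE")
#define LOCKEDCODE code_seg()
#define INITCODE   code_seg("INIT")
#define PAGEDDATA  data_seg("PAGE")
#define LOCKEDDATA data_seg()
#define INITDATA   data_seg("INIT")

// Number of elements in a C array (must not be used on a pointer).
#define arraysize(p) (sizeof(p) / sizeof((p)[0]))

NTSTATUS HelloWDMAddDevice(IN PDRIVER_OBJECT DriverObject, IN PDEVICE_OBJECT PhysicalDeviceObject);
NTSTATUS HelloWDMPnp(IN PDEVICE_OBJECT fdo, IN PIRP Irp);
NTSTATUS HelloWDMDispatchRoutine(IN PDEVICE_OBJECT fdo, IN PIRP Irp);
void HelloWDMUnload(IN PDRIVER_OBJECT DriverObject);
NTSTATUS DefaultPnpHandler(PDEVICE_EXTENSION pdx, PIRP Irp);
NTSTATUS HandleRemoveDevice(PDEVICE_EXTENSION pdx, PIRP Irp);
extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);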
HelloWDM.cpp
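#include "HelloWDM.h"

#pragma INITCODE
// Driver entry point: registers AddDevice, the PnP dispatch routine, one
// generic dispatch routine for create/read/write/device-control, and the
// unload routine. Nothing here can fail, so it always returns STATUS_SUCCESS.
extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING pRegistryPath)
{
    UNREFERENCED_PARAMETER(pRegistryPath);
    KdPrint(("Entry DriverEntry\n"));

    pDriverObject->DriverExtension->AddDevice = HelloWDMAddDevice;
    pDriverObject->MajorFunction[IRP_MJ_PNP] = HelloWDMPnp;
    pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] =
    pDriverObject->MajorFunction[IRP_MJ_CREATE] =
    pDriverObject->MajorFunction[IRP_MJ_READ] =
    pDriverObject->MajorFunction[IRP_MJ_WRITE] = HelloWDMDispatchRoutine;
    pDriverObject->DriverUnload = HelloWDMUnload;

    KdPrint(("Leave DriverEntry\n"));
    return STATUS_SUCCESS;
}

#pragma PAGEDCODE
// Creates the FDO for a new device instance, attaches it above
// PhysicalDeviceObject and publishes it through a symbolic link.
// Every failure after IoCreateDevice tears the FDO (and the attachment, if
// already made) down again; the original returned early and leaked both.
NTSTATUS HelloWDMAddDevice(IN PDRIVER_OBJECT DriverObject, IN PDEVICE_OBJECT PhysicalDeviceObject)
{
    PAGED_CODE();
    KdPrint(("Enter HelloWDMAddDevice\n"));

    UNICODE_STRING devName;
    RtlInitUnicodeString(&devName, L"\\Device\\MyWDMDevice");

    // NOTE(review): no security descriptor is supplied, so this device object
    // (and the \DosDevices link below) can be opened by any local user. That is
    // acceptable for a hello-world sample; a production driver would restrict
    // access (e.g. IoCreateDeviceSecure with an SDDL string, or an SDDL entry
    // in the INF) before adding real IOCTL handling.
    PDEVICE_OBJECT fdo = NULL;
    NTSTATUS status = IoCreateDevice(DriverObject, sizeof(DEVICE_EXTENSION), &devName,
                                     FILE_DEVICE_UNKNOWN, 0, FALSE, &fdo);
    if (!NT_SUCCESS(status))
        return status;

    PDEVICE_EXTENSION pdx = (PDEVICE_EXTENSION)fdo->DeviceExtension;
    pdx->fdo = fdo;

    // IoAttachDeviceToDeviceStack returns NULL if the stack is already being
    // torn down; the original dereferenced that NULL later in the PnP path.
    pdx->NextStatckDevice = IoAttachDeviceToDeviceStack(fdo, PhysicalDeviceObject);
    if (pdx->NextStatckDevice == NULL)
    {
        IoDeleteDevice(fdo);
        return STATUS_NO_SUCH_DEVICE;
    }

    UNICODE_STRING symLinkName;
    RtlInitUnicodeString(&symLinkName, L"\\DosDevices\\HelloWDM");
    // Both strings point at literals, so copying the UNICODE_STRING headers is safe.
    pdx->ustrDeviceName = devName;
    pdx->ustrSymLinkName = symLinkName;

    status = IoCreateSymbolicLink(&symLinkName, &devName);
    if (!NT_SUCCESS(status))
    {
        // A stale link from a previous instance may still exist: remove it and retry once.
        IoDeleteSymbolicLink(&pdx->ustrSymLinkName);
        status = IoCreateSymbolicLink(&symLinkName, &devName);
        if (!NT_SUCCESS(status))
        {
            IoDetachDevice(pdx->NextStatckDevice);
            IoDeleteDevice(fdo);
            return status;
        }
    }

    fdo->Flags |= DO_BUFFERED_IO | DO_POWER_PAGABLE;
    fdo->Flags &= ~DO_DEVICE_INITIALIZING;

    KdPrint(("Leave HelloWDMAddDevice\n"));
    return STATUS_SUCCESS;
}

#pragma PAGEDCODE
// PnP dispatch: selects a handler by the IRP's MinorFunction. Only
// IRP_MN_REMOVE_DEVICE gets special treatment; every other minor code,
// including any beyond the table, is passed down unchanged.
NTSTATUS HelloWDMPnp(IN PDEVICE_OBJECT fdo, IN PIRP Irp)
{
    PAGED_CODE();
    KdPrint(("Enter HelloWDMPnp\n"));

    NTSTATUS status = STATUS_SUCCESS;
    PDEVICE_EXTENSION pdx = (PDEVICE_EXTENSION)fdo->DeviceExtension;
    PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(Irp);

    typedef NTSTATUS (*PNPHANDLER)(PDEVICE_EXTENSION pdx, PIRP Irp);
    // Index == PnP minor code. Slot 2 is IRP_MN_REMOVE_DEVICE; the table is
    // kept explicit so further minor codes can be given their own handler.
    static const PNPHANDLER fcntab[] = {
        DefaultPnpHandler,   // 0x00 IRP_MN_START_DEVICE
        DefaultPnpHandler,   // 0x01 IRP_MN_QUERY_REMOVE_DEVICE
        HandleRemoveDevice,  // 0x02 IRP_MN_REMOVE_DEVICE
        DefaultPnpHandler,   // 0x03
        DefaultPnpHandler,   // 0x04
        DefaultPnpHandler,   // 0x05
        DefaultPnpHandler,   // 0x06
        DefaultPnpHandler,   // 0x07
        DefaultPnpHandler,   // 0x08
        DefaultPnpHandler,   // 0x09
        DefaultPnpHandler,   // 0x0A
        DefaultPnpHandler,   // 0x0B
        DefaultPnpHandler,   // 0x0C
        DefaultPnpHandler,   // 0x0D
        DefaultPnpHandler,   // 0x0E
        DefaultPnpHandler,   // 0x0F
        DefaultPnpHandler,   // 0x10
        DefaultPnpHandler,   // 0x11
        DefaultPnpHandler,   // 0x12
        DefaultPnpHandler,   // 0x13
        DefaultPnpHandler,   // 0x14
        DefaultPnpHandler,   // 0x15
        DefaultPnpHandler,   // 0x16
        DefaultPnpHandler,   // 0x17
    };

    ULONG fcn = stack->MinorFunction;
    if (fcn >= arraysize(fcntab))
    {
        // Unknown/newer minor code: forward it so the lower driver can decide.
        status = DefaultPnpHandler(pdx, Irp);
    }
    else
    {
        status = (*fcntab[fcn])(pdx, Irp);
    }

    KdPrint(("Leave HelloWDMPnp\n"));
    return status;
}

#pragma PAGEDCODE
// Passes a PnP IRP to the next-lower driver without touching it.
// The IRP must not be referenced after IoCallDriver returns.
NTSTATUS DefaultPnpHandler(PDEVICE_EXTENSION pdx, PIRP Irp)
{
    PAGED_CODE();
    KdPrint(("Enter DefaultPnpHandler\n"));
    IoSkipCurrentIrpStackLocation(Irp);
    KdPrint(("Leave DefaultPnpHandler\n"));
    return IoCallDriver(pdx->NextStatckDevice, Irp);
}

#pragma PAGEDCODE
// IRP_MN_REMOVE_DEVICE: forward the IRP down first, then undo everything
// AddDevice created — symbolic link, stack attachment, device object.
// pdx lives inside the FDO, so nothing in it may be touched after IoDeleteDevice.
NTSTATUS HandleRemoveDevice(PDEVICE_EXTENSION pdx, PIRP Irp)
{
    PAGED_CODE();
    KdPrint(("Enter HandlerRemoveDevice\n"));

    Irp->IoStatus.Status = STATUS_SUCCESS;
    NTSTATUS status = DefaultPnpHandler(pdx, Irp);

    IoDeleteSymbolicLink(&pdx->ustrSymLinkName);
    if (pdx->NextStatckDevice)
        IoDetachDevice(pdx->NextStatckDevice);
    IoDeleteDevice(pdx->fdo);

    KdPrint(("Leave HandlerRemoveDevice\n"));
    return status;
}

#pragma PAGEDCODE
// Generic dispatch for create/read/write/device-control: completes every
// request successfully with zero bytes transferred. No input is read, so no
// buffer validation is needed yet; anything added here later must validate
// user-supplied lengths and buffers before touching them.
NTSTATUS HelloWDMDispatchRoutine(IN PDEVICE_OBJECT fdo, IN PIRP Irp)
{
    PAGED_CODE();
    UNREFERENCED_PARAMETER(fdo);
    KdPrint(("Enter HelloWDMDispatchRoutine\n"));

    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    KdPrint(("Leave HelloWdmDispatchRoutine\n"));
    return STATUS_SUCCESS;
}

#pragma PAGEDCODE
// Unload routine. Device objects are cleaned up in HandleRemoveDevice, so
// there is nothing left to release here.
void HelloWDMUnload(IN PDRIVER_OBJECT DriverObject)
{
    PAGED_CODE();
    UNREFERENCED_PARAMETER(DriverObject);
    KdPrint(("Enter HelloWDMUnload\n"));
    KdPrint(("Leave HelloWDMUnload\n"));
}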
代码放置后工程目录如图:
项目默认是vista的debug版本 修改为 win7 debug
先我HOOK了 NtQuerySystemInformationh 函数的11号枚举驱动模块功能实验证明TP没有使用NtQuerySystemInformation的11功能……白写了半天 呜呜呜
最后无奈直接遍历内核模块链表,把KDCOM.dll的链表给断链(具体参考隐藏驱动模块)。
最后成功了!WinDbg正常通讯调试了。当然稳定点的做法应该还可以修改基址为装载个假的KDCOM镜像基址,让TP清零假的,麻烦没写能过就行。
最后把以上全部处理后就可以使用WinDbg+VM双机调试TP游戏了……(不过有个小问题存在就是KdPrint等其他打印函数都无法打印信息到WinDbg
单是在虚拟机中开启DbgView可以正常看到打印信息,暂时也不知道为何?怀疑是不是和KdPitchDebugger有关,资料上说0是正常 1不正常但实验证明
KdPitchDebugger为1 TP会视为调试疯狂调用KdDisableDebugger 具体是不是不清楚哈反正DbgView能看到就行了)
正高兴中,结果在Client.exe这个登录客户端输入帐号密码登录后TP进度条出现了,刚好就在出现DNF.EXE的时候瞬间卡住了
WinDbg断下来了,无法再运行起来
Single step exception - code 80000004 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
001b:109575ca 68e188a97b push 7BA988E1h //这个地址是个无效地址啥子都没有不管如何修改这里的汇编代码都会立即断在同样的位置