Windows Driver Model

如何在User Mode開啟"\Device\"下的驅動程式(非Symbolic Link)


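同事Lucas最近又開始假認真了!因此,我又要開始陪他玩了。他最近在研究是否有機會直接開啟\Device\底下的驅動程式,而不需要透過Symbolic Link。一般使用者都會呼叫CreateFile(),並傳入以"\\.\"開頭的Symbolic Link名稱作為開啟裝置的路徑;但是,如果想要在User Mode直接開啟\Device\底下的裝置物件,是否可行呢?答案是可行的:CreateFile()接受的是Win32路徑,無法直接指定NT命名空間中的"\Device\..."路徑,但Native API的NtOpenFile()可以透過OBJECT_ATTRIBUTES直接指定。要注意的是,開啟是否成功仍取決於系統對該裝置物件所做的存取檢查。可以參考如下網址: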
1. 37052
2. aa365247(v=vs.85)
3. the-definitive-guide-on-win32-to-nt

程式碼如下所示:

#include <windows.h>
#include <winternl.h>
#include <stdio.h>
#pragma comment(lib, "ntdll.lib")

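/*
 * Point a counted UNICODE_STRING at a NUL-terminated wide string.
 *
 * target: structure to fill in; must not be NULL.
 * source: NUL-terminated wide string, or NULL to produce an empty string.
 *
 * The characters are not copied: target->Buffer aliases source, so the source
 * string must stay valid for as long as target is in use.
 *
 * Length and MaximumLength are 16-bit byte counts. The byte length is clamped
 * to 0xfffc before it is stored, so that an over-long source cannot silently
 * wrap around and describe a much shorter (or zero-length) name.
 */
void WINAPI RtlInitUnicodeString( PUNICODE_STRING target, LPCWSTR source )
{
  if((target->Buffer = (LPWSTR)source)){
    size_t bytes = wcslen(source) * sizeof(WCHAR);
    if(bytes > 0xfffc){
      /* Largest even byte count that still leaves room for the terminator. */
      bytes = 0xfffc;
    }
    target->Length = (USHORT)bytes;
    /* MaximumLength also covers the terminating NUL of the source buffer. */
    target->MaximumLength = (USHORT)(bytes + sizeof(WCHAR));
  }
  else{
    target->Length = target->MaximumLength = 0;
  }
}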

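/*
 * Demonstrates two ways of naming the device object "\Device\CNG" from user mode:
 *   1. CreateFile() with the NT path passed as if it were a Win32 path.
 *   2. NtOpenFile() with the NT path supplied through OBJECT_ATTRIBUTES.
 * The outcome of each attempt is printed; neither failure is treated as fatal.
 *
 * Returns 0 after both attempts were made, -1 if NtOpenFile could not be resolved.
 */
int __cdecl main(int argc, CHAR* argv[])
{
  /* Signature of ntdll!NtOpenFile, resolved at run time below. */
  typedef NTSTATUS (__stdcall *NT_OPEN_FILE)(PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, ULONG ShareAccess, ULONG OpenOptions);

  (void)argc;
  (void)argv;

  /*
   * ntdll.dll is already mapped into every Win32 process, so take the existing
   * module handle instead of calling LoadLibrary(): no DLL search is performed
   * and no extra module reference is left behind.
   */
  HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
  if(hNtdll == NULL){
    return -1;
  }
  NT_OPEN_FILE NtOpenFileStruct = (NT_OPEN_FILE)GetProcAddress(hNtdll, "NtOpenFile");
  if(NtOpenFileStruct == NULL){
    return -1;
  }

  /*
   * Attempt 1: Win32 API. The string is handled as a Win32 path, not as an NT
   * object-manager path, so this call is expected to fail.
   * The A variant is named explicitly because the arguments are narrow strings.
   */
  HANDLE hCF = CreateFileA("\\Device\\CNG", MAXIMUM_ALLOWED, FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
  /* Capture the error code before any other call can overwrite it. */
  DWORD err = GetLastError();
  /* %p / %lx match the argument types; %X on a HANDLE truncates on 64-bit builds. */
  printf("CreateFile(\"\\Device\\CNG\"): (handle:%p, err:0x%lx)\n", (void *)hCF, (unsigned long)err);
  if(hCF != INVALID_HANDLE_VALUE){
    CloseHandle(hCF);
  }

  /* Attempt 2: native API with the NT path as a counted string. */
  UNICODE_STRING filename;
  RtlInitUnicodeString(&filename, L"\\Device\\CNG");

  /*
   * The macro stores sizeof(OBJECT_ATTRIBUTES) in Length. A hard-coded 0x18 is
   * only the 32-bit size; a 64-bit build would pass a wrong structure length.
   */
  OBJECT_ATTRIBUTES obja;
  InitializeObjectAttributes(&obja, &filename, OBJ_CASE_INSENSITIVE, NULL, NULL);

  IO_STATUS_BLOCK iostatusblock = {0};
  HANDLE hCNG = NULL;
  /*
   * Only SYNCHRONIZE | FILE_READ_DATA (0x100001) is requested. Whether the open
   * succeeds depends on the access check made against the device object.
   */
  NTSTATUS stat = NtOpenFileStruct(&hCNG,
                                   SYNCHRONIZE | FILE_READ_DATA,
                                   &obja,
                                   &iostatusblock,
                                   FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
                                   FILE_SYNCHRONOUS_IO_NONALERT);
  printf("NtOpenFileStruct(\"\\Device\\CNG\"): (status:0x%lx)\n", (unsigned long)stat);
  /* Any non-negative NTSTATUS is a success code and means a handle was returned. */
  if(stat >= 0){
    CloseHandle(hCNG);
  }
  return 0;
}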

結果


