18,356
社区成员
发帖
与我相关
我的任务
分享TDI查询本地地址的问题
我在做tdihook,在IRP_MJ_CREATE分发函数中想得到本机地址,我是参照tdifw做的,在TdiCreateComplete中用IoCallDriver下发查询irp时蓝屏了,大神快来相救,高分跪送!
typedef struct _QueryContext
{
PDEVICE_OBJECT device;
PIRP irp;
} QueryContext;
NTSTATUS Dispatch(PDeviceObject device, PIRP irp)
{
switch(stack->MajorFunction)
{
case IRP_MJ_CREATE:
status = TDICreate(device, irp);
break;
.......
}
status = HookedDispatch[stack->MajorFunction](device, irp);//调用hook住的函数。
return status;
}
NTSTATUS TDICreate(PDEVICE_OBJECT device, PIRP irp)
{
NTSTATUS status = STATUS_SUCCESS;
FILE_FULL_EA_INFORMATION *ea = (FILE_FULL_EA_INFORMATION *)irp->AssociatedIrp.SystemBuffer;
if(ea)
{
PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(irp);
if(ea->EaNameLength == TDI_TRANSPORT_ADDRESS_LENGTH && memcmp(ea->EaName, TdiTransportAddress, TDI_TRANSPORT_ADDRESS_LENGTH) == 0)
{
PIRP query_irp = NULL;
QueryContext *qc = NULL;
query_irp = TdiBuildInternalDeviceControlIrp(TDI_QUERY_INFORMATION, device, stack->FileObject, NULL, NULL);
qc = MyMalloc(sizeof(QueryContext));
if(!qc)
{
DbgPrint("TDI Create: Allocate qc failed\n");
return status;
}
if(!query_irp)
{
DbgPrint("TDI Create: build query irp failed\n");
return status;
}
//设置完成函数信息
qc->device = device;
qc->irp = query_irp;
stack->Context = qc;
stack->CompletionRoutine = (PIO_COMPLETION_ROUTINE)TdiCreateComplete;
stack->Control = SL_INVOKE_ON_ERROR|SL_INVOKE_ON_SUCCESS|SL_INVOKE_ON_CANCEL; }
}
return status;
}
//完成函数,执行到IoCallDriver蓝屏
NTSTATUS TdiCreateComplete(PDEVICE_OBJECT device, PIRP irp, PVOID context)
{
//这里的device为空,所以我从context里传过来,得到的device是udp设备,我调过的,因为我是打开的浏览器,浏览器先查找域名,用DNS协议,所以是UDP的
NTSTATUS status = STATUS_SUCCESS;
TDI_ADDRESS_INFO *tai = NULL;
PMDL mdl = NULL;
UINT length = TDI_ADDRESS_LENGTH_OSI_TSAP + sizeof(TDI_ADDRESS_INFO) - 1;
PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(irp);
QueryContext *qc = (QueryContext *)context;
PDEVICE_OBJECT devobj = qc->device;
PIRP query_irp = (PIRP)qc->irp;
if(device);
if(!qc)
return status;
if(!devobj)
return status;
if(!query_irp)
return status;
if(stack);
do
{
tai = ExAllocatePoolWithTag(NonPagedPool, length, 'TATG');
if(!tai)
{
DbgPrint("TDI Create: Allocate TDI_ADDRESS_INFO failed.\n");
break;
}
mdl = IoAllocateMdl(tai, length, FALSE, FALSE, NULL);
if(!mdl)
{
DbgPrint("TDI Create: Allocate Mdl failed.\n");
break;
}
MmBuildMdlForNonPagedPool(mdl);
TdiBuildQueryInformation(query_irp, devobj, stack->FileObject, TdiQueryAddrComplete, tai, TDI_QUERY_ADDRESS_INFO, mdl);
if(devobj && query_irp->CurrentLocation > 1)
{
if(IoGetCurrentIrpStackLocation(query_irp) && IoGetNextIrpStackLocation(query_irp))
{
status = IoCallDriver(devobj, query_irp);//蓝了
irp->IoStatus.Status = status;
return status;
}
}
}while(FALSE);
if(tai)
ExFreePoolWithTag(tai, 'TATG');
if(mdl)
IoFreeMdl(mdl);
if(query_irp)
IoCompleteRequest(query_irp, IO_NO_INCREMENT);
return status;
}
typedef struct _QueryContext
{
PDEVICE_OBJECT device;
PIRP irp;
} QueryContext;
NTSTATUS Dispatch(PDeviceObject device, PIRP irp)
{
switch(stack->MajorFunction)
{
case IRP_MJ_CREATE:
status = TDICreate(device, irp);
break;
.......
}
status = HookedDispatch[stack->MajorFunction](device, irp);//调用hook住的函数。
return status;
}
NTSTATUS TDICreate(PDEVICE_OBJECT device, PIRP irp)
{
NTSTATUS status = STATUS_SUCCESS;
FILE_FULL_EA_INFORMATION *ea = (FILE_FULL_EA_INFORMATION *)irp->AssociatedIrp.SystemBuffer;
if(ea)
{
PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(irp);
if(ea->EaNameLength == TDI_TRANSPORT_ADDRESS_LENGTH && memcmp(ea->EaName, TdiTransportAddress, TDI_TRANSPORT_ADDRESS_LENGTH) == 0)
{
PIRP query_irp = NULL;
QueryContext *qc = NULL;
query_irp = TdiBuildInternalDeviceControlIrp(TDI_QUERY_INFORMATION, device, stack->FileObject, NULL, NULL);
qc = MyMalloc(sizeof(QueryContext));
if(!qc)
{
DbgPrint("TDI Create: Allocate qc failed\n");
return status;
}
if(!query_irp)
{
DbgPrint("TDI Create: build query irp failed\n");
return status;
}
//设置完成函数信息
qc->device = device;
qc->irp = query_irp;
stack->Context = qc;
stack->CompletionRoutine = (PIO_COMPLETION_ROUTINE)TdiCreateComplete;
stack->Control = SL_INVOKE_ON_ERROR|SL_INVOKE_ON_SUCCESS|SL_INVOKE_ON_CANCEL; }
}
return status;
}
//完成函数,执行到IoCallDriver蓝屏
NTSTATUS TdiCreateComplete(PDEVICE_OBJECT device, PIRP irp, PVOID context)
{
//这里的device为空,所以我从context里传过来,得到的device是udp设备,我调过的,因为我是打开的浏览器,浏览器先查找域名,用DNS协议,所以是UDP的
NTSTATUS status = STATUS_SUCCESS;
TDI_ADDRESS_INFO *tai = NULL;
PMDL mdl = NULL;
UINT length = TDI_ADDRESS_LENGTH_OSI_TSAP + sizeof(TDI_ADDRESS_INFO) - 1;
PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(irp);
QueryContext *qc = (QueryContext *)context;
PDEVICE_OBJECT devobj = qc->device;
PIRP query_irp = (PIRP)qc->irp;
if(device);
if(!qc)
return status;
if(!devobj)
return status;
if(!query_irp)
return status;
if(stack);
do
{
tai = ExAllocatePoolWithTag(NonPagedPool, length, 'TATG');
if(!tai)
{
DbgPrint("TDI Create: Allocate TDI_ADDRESS_INFO failed.\n");
break;
}
mdl = IoAllocateMdl(tai, length, FALSE, FALSE, NULL);
if(!mdl)
{
DbgPrint("TDI Create: Allocate Mdl failed.\n");
break;
}
MmBuildMdlForNonPagedPool(mdl);
TdiBuildQueryInformation(query_irp, devobj, stack->FileObject, TdiQueryAddrComplete, tai, TDI_QUERY_ADDRESS_INFO, mdl);
if(devobj && query_irp->CurrentLocation > 1)
{
if(IoGetCurrentIrpStackLocation(query_irp) && IoGetNextIrpStackLocation(query_irp))
{
status = IoCallDriver(devobj, query_irp);//蓝了
irp->IoStatus.Status = status;
return status;
}
}
}while(FALSE);
if(tai)
ExFreePoolWithTag(tai, 'TATG');
if(mdl)
IoFreeMdl(mdl);
if(query_irp)
IoCompleteRequest(query_irp, IO_NO_INCREMENT);
return status;
}
...全文
请发表友善的回复…
发表回复
blessbygod 2010-03-23
- 打赏
- 举报
[Quote=引用 3 楼 cnzdgs 的回复:]
把TdiBuildInternalDeviceControlIrp放在完成例程里面。
[/Quote]
我不用TDI了,不过还是谢谢你。
把TdiBuildInternalDeviceControlIrp放在完成例程里面。
[/Quote]
我不用TDI了,不过还是谢谢你。
cnzdgs 2010-03-23
- 打赏
- 举报
把TdiBuildInternalDeviceControlIrp放在完成例程里面。
liumenghappy 2010-03-22
- 打赏
- 举报
不懂网络,帮顶吧
blessbygod 2010-03-22
- 打赏
- 举报
顶啊,帮顶也有分!
对话框和按访问扫描信息对话框中显示检测到的病毒的源 IP 地址。 - 阻挡(按访问扫描)。 使用此功能可以阻挡在共享文件夹中放置了含有已感染病毒文件的远程计 算机的进一步访问。您可以指定阻挡这些...
