Windows Driver Model
如何在User Mode開啟"\Device\"下的驅動程式(非Symbolic Link)
同事Lucas最近又開始假認真了!因此,我又要開始陪他玩了,他最近在研究是否有機會可以直接開啟\Device\底下的驅動程式,而不需要透過Symbolic Link的方式開啟,雖然一般使用者都會使用CreateFile()並且傳入Symbolic Link("\\.\")作為開啟裝置的路徑,但是,如果使用者想要在User Mode開啟\Device\底下的驅動程式,是否有機會呢?答案是可行的,可以參考如下網址:
1. 37052
2. aa365247(v=vs.85)
3. the-definitive-guide-on-win32-to-nt
程式碼如下所示:
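#include <windows.h>
#include <winternl.h>
#include <stdio.h>
#include <wchar.h>

#pragma comment(lib, "ntdll.lib")

/*
 * Local stand-in for ntdll's RtlInitUnicodeString: points `target` at the
 * caller-owned, NUL-terminated wide string `source` without copying it.
 *
 * UNICODE_STRING stores byte counts in USHORT fields, so the length is
 * clamped to keep Length and MaximumLength from silently wrapping when a
 * very long string is passed in. A NULL `source` yields an empty string.
 */
void WINAPI RtlInitUnicodeString(PUNICODE_STRING target, LPCWSTR source)
{
    target->Buffer = (LPWSTR)source;
    if (source == NULL) {
        target->Length = 0;
        target->MaximumLength = 0;
        return;
    }

    /* Largest character count whose byte length plus the terminator fits in a USHORT. */
    const size_t max_chars = (0xFFFF / sizeof(WCHAR)) - 1;
    size_t chars = wcslen(source);
    if (chars > max_chars) {
        chars = max_chars;
    }

    target->Length = (USHORT)(chars * sizeof(WCHAR));
    target->MaximumLength = (USHORT)(target->Length + sizeof(WCHAR));
}

/*
 * Demonstrates that a device object under \Device\ can be opened from user
 * mode by NT path with NtOpenFile, even though CreateFile() with the same
 * string does not reach it.
 *
 * Security note for driver authors: what this shows is that omitting the
 * \\.\ symbolic link does not hide a device from user-mode callers. Whether
 * the open succeeds is decided by the device object's security descriptor,
 * so access has to be restricted there (for example IoCreateDeviceSecure
 * with an SDDL string, and FILE_DEVICE_SECURE_OPEN), not by leaving the
 * symbolic link out.
 *
 * Returns -1 if NtOpenFile cannot be resolved, 0 otherwise.
 */
int __cdecl main(int argc, CHAR* argv[])
{
    typedef NTSTATUS (__stdcall *NT_OPEN_FILE)(PHANDLE FileHandle,
                                               ACCESS_MASK DesiredAccess,
                                               POBJECT_ATTRIBUTES ObjectAttributes,
                                               PIO_STATUS_BLOCK IoStatusBlock,
                                               ULONG ShareAccess,
                                               ULONG OpenOptions);

    (void)argc;
    (void)argv;

    /* ntdll.dll is already mapped into every process, so no LoadLibrary (and no leaked reference) is needed. */
    HMODULE hModule = GetModuleHandleA("ntdll.dll");
    if (hModule == NULL) {
        return -1;
    }

    NT_OPEN_FILE NtOpenFileStruct = (NT_OPEN_FILE)GetProcAddress(hModule, "NtOpenFile");
    if (NtOpenFileStruct == NULL) {
        return -1;
    }

    /*
     * Win32 attempt, shown for comparison. It is expected to fail: the Win32
     * path conversion treats "\Device\CNG" as a path on the current drive
     * rather than as an object-manager path. The ANSI entry point is named
     * explicitly so the narrow string stays correct in a UNICODE build.
     */
    HANDLE hCF = CreateFileA("\\Device\\CNG", MAXIMUM_ALLOWED,
                             FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                             OPEN_EXISTING, 0, NULL);
    DWORD err = GetLastError(); /* capture before any other API call can overwrite it */
    /* %p for the handle: passing a pointer-sized HANDLE to %X is undefined on 64-bit builds. */
    printf("CreateFile(\"\\Device\\CNG\"): (handle:0x%p, err:0x%lx)\n", (void *)hCF, (unsigned long)err);
    if (hCF != INVALID_HANDLE_VALUE) {
        CloseHandle(hCF);
    }

    /* Native attempt: pass the object-manager path directly to NtOpenFile. */
    UNICODE_STRING filename;
    RtlInitUnicodeString(&filename, L"\\Device\\CNG");

    /*
     * InitializeObjectAttributes sets Length to sizeof(OBJECT_ATTRIBUTES).
     * The original hard-coded 0x18, which is only the 32-bit size; on x64
     * the structure is larger and the hard-coded value is wrong there.
     */
    OBJECT_ATTRIBUTES obja;
    InitializeObjectAttributes(&obja, &filename, OBJ_CASE_INSENSITIVE, NULL, NULL);

    IO_STATUS_BLOCK iostatusblock;
    HANDLE hCNG = NULL;
    NTSTATUS stat = NtOpenFileStruct(&hCNG,
                                     SYNCHRONIZE | FILE_READ_DATA,                         /* 0x100001 */
                                     &obja,
                                     &iostatusblock,
                                     FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, /* 7 */
                                     FILE_SYNCHRONOUS_IO_NONALERT);                        /* 0x20 */
    printf("NtOpenFileStruct(\"\\Device\\CNG\"): (status:0x%lx)\n", (unsigned long)stat);

    /* Any non-negative NTSTATUS is a success code that may carry a handle; close it so it is not leaked. */
    if (stat >= 0) {
        CloseHandle(hCNG);
    }

    return 0;
}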
結果