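/***************************************************************************************
 * AUTHOR : yifi
 * DATE : 2015-11-5
 * MODULE : EnumIoTimer.C
 *
 * Command:
 * Source of IOCTRL Sample Driver
 *
 * Description:
 * Demonstrates communications between USER and KERNEL.
 *
 ****************************************************************************************
 * Copyright (C) 2010 yifi.
 ****************************************************************************************/

//#######################################################################################
//# I N C L U D E S
//#######################################################################################

#ifndef CXX_ENUMIOTIMER_H
# include "EnumIoTimer.h"
#endif

/*
 * Number of bytes scanned after the entry point of IoInitializeTimer for the
 * instruction that loads the address of the kernel's I/O timer queue head.
 * The original scan used 0x500; on the kernel builds the byte signature was
 * taken from the instruction sits well inside that window.
 */
enum { IO_TIMER_SCAN_WINDOW = 0x500 };

/*
 * Upper bound on list entries visited by one enumeration.  The walk runs at
 * DISPATCH_LEVEL without the lock the kernel itself uses for this list, so a
 * torn or cyclic list must not be able to spin this processor forever.
 * Constructed limit, far above any realistic number of registered I/O timers.
 */
enum { IO_TIMER_MAX_ENTRIES = 0x10000 };

/*
 * Locate the kernel's I/O timer queue head by scanning the first
 * IO_TIMER_SCAN_WINDOW bytes of IoInitializeTimer for the instruction that
 * loads its address.
 *
 * The byte signature is build-specific: it was taken from the kernels whose
 * IO_TIMER layouts the header describes (Windows 7 x64 / Windows XP x86).  On
 * another kernel the scan may find nothing, or match an unrelated instruction
 * and yield a wrong address -- callers must still validate what they get.
 *
 * Returns NULL when the export cannot be resolved or no match is found inside
 * the window.  Every byte that is read is probed with MmIsAddressValid first,
 * because the window can run past the end of the mapped code.
 */
static PLIST_ENTRY FindIoTimerQueueHead(void)
{
    PUCHAR ScanStart = (PUCHAR)GetExportVariableAddressFormNtosExportTableByVariableName(L"IoInitializeTimer");
    PUCHAR ScanEnd;
    PUCHAR p;

    if (ScanStart == NULL)
    {
        return NULL;
    }
    ScanEnd = ScanStart + IO_TIMER_SCAN_WINDOW;

    for (p = ScanStart; p < ScanEnd; p++)
    {
#ifdef _WIN64
        /* 48 8d 0d <disp32>  ==  lea rcx, [rip + disp32]  (7 bytes). */
        INT32 Disp = 0;

        if (!MmIsAddressValid(p) || !MmIsAddressValid(p + 1) || !MmIsAddressValid(p + 2))
        {
            continue;
        }
        if (p[0] != 0x48 || p[1] != 0x8d || p[2] != 0x0d)
        {
            continue;
        }
        /* The 4-byte displacement is read separately from the opcode bytes.
         * A 4-byte read can straddle at most one page boundary, so probing
         * both ends covers the whole read. */
        if (!MmIsAddressValid(p + 3) || !MmIsAddressValid(p + 6))
        {
            continue;
        }
        memcpy(&Disp, p + 3, sizeof Disp);
        /* RIP-relative: target = address of the next instruction + disp32.
         * Converting the signed displacement to ULONG64 wraps modulo 2^64,
         * which is exactly the sign-extended addition that is wanted. */
        return (PLIST_ENTRY)((ULONG64)p + 7 + (ULONG64)Disp);
#else
        /* b9 <imm32>  ==  mov ecx, imm32; the immediate is the queue head
         * address itself. */
        ULONG32 Address = 0;

        if (!MmIsAddressValid(p) || p[0] != 0xb9)
        {
            continue;
        }
        /* Probe both ends of the 4-byte immediate before reading it. */
        if (!MmIsAddressValid(p + 1) || !MmIsAddressValid(p + 4))
        {
            continue;
        }
        memcpy(&Address, p + 1, sizeof Address);
        return (PLIST_ENTRY)(ULONG_PTR)Address;
#endif
    }

    return NULL;
}

/*
 * Driver entry point: registers the unload routine and runs the enumeration
 * once.  The enumeration result is deliberately not propagated -- the driver
 * loads even when the queue head cannot be found, so the DbgPrint output is
 * the only indication of success.  RegisterPath is unused.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegisterPath)
{
    (void)RegisterPath;

    DriverObject->DriverUnload = UnloadDriver;

    EnumIoTimer();
    return STATUS_SUCCESS;
}

/*
 * Walk the kernel's I/O timer queue and report the address of every IO_TIMER
 * on it through DbgPrint.
 *
 * Returns FALSE when the queue head could not be located; TRUE once the list
 * has been walked, even if it turned out to be empty or the walk was cut
 * short by the validity checks or the entry cap.
 *
 * The walk is done at DISPATCH_LEVEL so this processor is not pre-empted,
 * but it does NOT hold the lock the kernel uses for this list (that lock is
 * not exported), so an insertion or removal on another processor can race
 * with it.  Every link is probed with MmIsAddressValid before it is followed
 * and the number of visited entries is capped, so a torn or cyclic list ends
 * the walk instead of faulting or spinning.  Nothing inside an IO_TIMER is
 * read here; only its address is printed.
 */
BOOLEAN EnumIoTimer(void)
{
    PLIST_ENTRY QueueHead = FindIoTimerQueueHead();
    PLIST_ENTRY Entry;
    ULONG Visited = 0;
    KIRQL OldIrql;

    if (QueueHead == NULL)
    {
        return FALSE;
    }

    /* "got it" -- the queue head was located. */
    DbgPrint("获得了\r\n");
    OldIrql = KeRaiseIrqlToDpcLevel();

    if (MmIsAddressValid((PVOID)QueueHead))
    {
        Entry = QueueHead->Flink;
        while (Visited < IO_TIMER_MAX_ENTRIES
               && MmIsAddressValid(Entry)
               && Entry != QueueHead)
        {
            /* TimerList is embedded in IO_TIMER; the offset comes from the
             * build-specific typedef selected in the header. */
            PIO_TIMER Timer = CONTAINING_RECORD(Entry, IO_TIMER, TimerList);

            if (Timer && MmIsAddressValid(Timer))
            {
                DbgPrint("Timer 对象: %p\r\n", Timer);
            }
            Entry = Entry->Flink;
            Visited++;
        }
    }
    KeLowerIrql(OldIrql);
    return TRUE;
}

/*
 * Unload callback.  The driver creates no device objects, symbolic links or
 * allocations, so there is nothing to release; the routine exists only so
 * the driver can be stopped.
 */
VOID UnloadDriver(PDRIVER_OBJECT DriverObject)
{
    (void)DriverObject;
}

/*
 * Resolve an exported ntoskrnl symbol by name through
 * MmGetSystemRoutineAddress.
 *
 * wzVariableName: NUL-terminated wide name of the export.
 * Returns the export's address, or NULL for a NULL/empty name or an export
 * the kernel does not know.
 */
PVOID
GetExportVariableAddressFormNtosExportTableByVariableName(WCHAR *wzVariableName)
{
    UNICODE_STRING uniVariableName;
    PVOID VariableAddress = NULL;

    if (wzVariableName != NULL && wzVariableName[0] != L'\0')
    {
        RtlInitUnicodeString(&uniVariableName, wzVariableName);

        // Look the name up in the export table of the ntos module
        VariableAddress = MmGetSystemRoutineAddress(&uniVariableName);
    }

    return VariableAddress;
}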
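/***************************************************************************************
 * AUTHOR : yifi
 * DATE : 2015-11-5
 * MODULE : EnumIoTimer.H
 *
 * IOCTRL Sample Driver
 *
 * Description:
 * Demonstrates communications between USER and KERNEL.
 *
 ****************************************************************************************
 * Copyright (C) 2010 yifi.
 ****************************************************************************************/

#ifndef CXX_ENUMIOTIMER_H
#define CXX_ENUMIOTIMER_H

#include <ntifs.h>

/*
 * IO_TIMER is not a documented kernel structure.  The two layouts below were
 * taken from the kernels named in the typedefs (Windows 7 x64 and Windows XP
 * x86) and are the only ones the enumeration code has been matched against.
 * On any other build the offset of TimerList -- and therefore every address
 * the enumeration prints -- may be wrong; verify the layout against the
 * target kernel's symbols before trusting the output.
 */
typedef struct _IO_TIMER_WIN7_X64
{
    INT16 Type;
    INT16 TimerFlag;
    LONG32 Unknown;         /* meaning unknown; occupies the 4 bytes before TimerList */
    LIST_ENTRY TimerList;   /* link in the kernel's global I/O timer queue */
    PVOID TimerRoutine;     /* presumably the routine passed to IoInitializeTimer -- unverified */
    PVOID Context;          /* presumably its context argument -- unverified */
    PVOID DeviceObject;     /* presumably the owning DEVICE_OBJECT -- unverified */
} IO_TIMER_WIN7_X64, *PIO_TIMER_WIN7_X64;

typedef struct _IO_TIMER_WINXP_X86
{
    INT16 Type;
    INT16 TimerFlag;
    LIST_ENTRY TimerList;   /* link in the kernel's global I/O timer queue */
    PVOID TimerRoutine;     /* presumably the routine passed to IoInitializeTimer -- unverified */
    PVOID Context;          /* presumably its context argument -- unverified */
    PVOID DeviceObject;     /* presumably the owning DEVICE_OBJECT -- unverified */
} IO_TIMER_WINXP_X86, *PIO_TIMER_WINXP_X86;

/*
 * Layout selection is by pointer width only: _WIN64 picks the Windows 7 x64
 * layout, everything else the Windows XP x86 one.  No other OS versions are
 * distinguished.
 */
#ifdef _WIN64
#define PIO_TIMER PIO_TIMER_WIN7_X64
#define IO_TIMER IO_TIMER_WIN7_X64
#else
#define PIO_TIMER PIO_TIMER_WINXP_X86
#define IO_TIMER IO_TIMER_WINXP_X86
#endif

/**
 * Driver unload callback.  The driver owns no resources, so it has nothing
 * to release.
 */
VOID UnloadDriver(PDRIVER_OBJECT DriverObject);

/**
 * Locate the kernel's I/O timer queue and DbgPrint the address of every
 * IO_TIMER linked on it.
 *
 * @return FALSE if the queue head could not be found (IoInitializeTimer not
 *         resolvable, or its code does not match the expected byte
 *         signature); TRUE once the list has been walked.
 *
 * Call at PASSIVE_LEVEL: the export lookup requires it, and the walk raises
 * to DISPATCH_LEVEL internally and restores the caller's IRQL afterwards.
 */
BOOLEAN EnumIoTimer(void);

/**
 * Resolve an ntoskrnl export by name via MmGetSystemRoutineAddress.
 *
 * @param wzVariableName  NUL-terminated wide name of the export.
 * @return the export's address, or NULL for a NULL/empty name or an unknown
 *         export.
 */
PVOID GetExportVariableAddressFormNtosExportTableByVariableName(WCHAR *wzVariableName);

#endif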
原文:http://www.cnblogs.com/yifi/p/4940054.html