Соотв-но интересен интерфейс сопряжения между этим драйвером и ядром
Например таблицы ф-ций driver verifierа в ядре имеют примерно такой формат:
struct THUNK_ITEM{ const char *func_name; PVOID verifier_thunk; PVOID unknown; ULONG index; PVOID *original_func;};Здесь интерес представляют три поля
- verifier_thunk - это собственно указатель на ф-цию, производящую разнообразные проверки параметров, уровень Irql и так далее
- original_func - указатель на указатель на оригинальную ф-цию, перехват которой осуществлен driver verifier
- index - просто некое уникальное число
struct ddi_wrappers{ DWORD version; // равен 4, что проверяется в ф-ции ViXdvBindXdvDDIWrappers DWORD tab_size; PVOID wrappers[tab_size];};Соотв-но связь между указателем на ф-цию верификации в wrappers и набором THUNK_ITEM в ядре происходит по полю THUNK_ITEM.index
Например ф-ция валидации ExCreateCallback лежит по индексу 24 в массиве wrappers. Она же имеет index 24 в VfXdvThunks
Список ф-ций из VerifierExt.sys:
[001] CmRegisterCallback
[002] CmRegisterCallbackEx
[003] CmUnRegisterCallback
[008] ExAcquireFastMutex
[010] ExAcquireResourceExclusiveLite
[011] ExAcquireResourceSharedLite
[016] ExAcquireSharedStarveExclusive
[017] ExAcquireSharedWaitForExclusive
[018] ExAllocatePoolWithQuotaTag_internal
[019] ExAllocatePoolWithQuota_internal
[020] ExAllocatePoolWithTagPriority_internal
[021] ExAllocatePoolWithTag_internal
[022] ExAllocatePool_internal
[023] ExConvertExclusiveToSharedLite
[024] ExCreateCallback
[027] ExDeletePagedLookasideList
[028] ExDeleteResourceLite
[037] ExInitializePagedLookasideList_internal
[041] ExIsProcessorFeaturePresent
[044] ExRaiseAccessViolation
[045] ExRaiseDatatypeMisalignment
[046] ExRaiseStatus
[047] ExRegisterCallback
[060] ExSetTimerResolution
[061] ExTryToAcquireFastMutex
[062] ExUnregisterCallback
[063] ExUuidCreate
[116] IoAllocateController
[121] IoAttachDevice
[125] IoBuildDeviceIoControlRequest_internal
[128] IoCheckShareAccess
[129] IoConnectInterrupt
[131] IoCreateController
[132] IoCreateDevice
[133] IoCreateFile
[134] IoCreateNotificationEvent
[135] IoCreateSymbolicLink
[136] IoCreateSynchronizationEvent
[137] IoCreateUnprotectedSymbolicLink
[138] IoDeleteController
[139] IoDeleteDevice
[140] IoDeleteSymbolicLink
[141] IoDetachDevice
[142] IoDisconnectInterrupt
[144] IoFreeController
[147] IoGetConfigurationInformation
[151] IoGetDeviceObjectPointer
[154] IoGetDeviceToVerify
[155] IoGetDmaAdapter
[156] IoGetFileObjectGenericMapping
[157] IoGetInitialStack
[160] IoInitializeTimer
[163] IoIsWdmVersionAvailable
[166] IoRaiseHardError
[167] IoRaiseInformationalHardError
[168] IoReadPartitionTable
[171] IoRegisterDeviceInterface
[172] IoRegisterDriverReinitialization
[175] IoRegisterShutdownNotification
[180] IoRemoveShareAccess
[187] IoSetDeviceInterfaceState
[189] IoSetPartitionInformation
[191] IoSetShareAccess
[193] IoStartNextPacket
[196] IoUnregisterShutdownNotification
[197] IoUpdateShareAccess
[199] IoWMIAllocateInstanceIds
[200] IoWMIRegistrationControl
[202] IoWritePartitionTable
[206] KeAcquireGuardedMutex
[207] KeAcquireGuardedMutexUnsafe
[216] KeCancelTimer
[217] KeClearEvent
[218] KeDelayExecutionThread
[219] KeDeregisterNmiCallback
[220] KeEnterCriticalRegion
[221] KeEnterGuardedRegion
[223] KeInitializeDeviceQueue
[228] KeInitializeSemaphore
[229] KeInitializeTimer
[230] KeInitializeTimerEx
[231] KeInsertByKeyDeviceQueue
[232] KeInsertDeviceQueue
[236] KeLeaveCriticalRegion
[237] KeLeaveGuardedRegion
[238] KePulseEvent
[239] KeQueryActiveProcessors
[242] KeRaiseIrqlToDpcLevel
[243] KeReadStateEvent
[246] KeReadStateTimer
[247] KeRegisterNmiCallback
[248] KeReleaseGuardedMutex
[249] KeReleaseGuardedMutexUnsafe
[255] KeReleaseMutex
[259] KeRemoveByKeyDeviceQueue
[260] KeRemoveDeviceQueue
[261] KeRemoveEntryDeviceQueue
[264] KeResetEvent
[266] KeSaveFloatingPointState
[267] KeSetEvent
[270] KeSetTimer
[271] KeSetTimerEx
[274] KeTryToAcquireGuardedMutex
[279] KefAcquireSpinLockAtDpcLevel
[280] KefReleaseSpinLockFromDpcLevel
[281] KfAcquireSpinLock
[284] KfReleaseSpinLock
[288] MmAllocateNonCachedMemory
[289] MmAllocatePagesForMdl
[290] MmAllocatePagesForMdlEx
[294] MmFreeContiguousMemory
[295] MmFreeNonCachedMemory
[296] MmFreePagesFromMdl
[299] MmLockPagableDataSection
[300] MmLockPagableSectionByHandle
[305] MmPageEntireDriver
[310] MmResetDriverPaging
[311] MmSecureVirtualMemory
[312] MmUnlockPagableImageSection
[316] MmUnsecureVirtualMemory
[322] ObGetObjectSecurity
[323] ObReferenceObjectByHandle
[327] ObReleaseObjectSecurity
[333] PoFxActivateComponent
[334] PoFxCompleteDevicePowerNotRequired
[335] PoFxCompleteIdleCondition
[336] PoFxCompleteIdleState
[337] PoFxIdleComponent
[338] PoFxNotifySurprisePowerOn
[339] PoFxPowerControl
[340] PoFxRegisterDevice
[341] PoFxReportDevicePoweredOn
[342] PoFxSetComponentLatency
[343] PoFxSetComponentResidency
[344] PoFxSetComponentWake
[345] PoFxSetDeviceIdleTimeout
[346] PoFxStartDevicePowerManagement
[347] PoFxUnregisterDevice
[349] ProbeForRead
[350] ProbeForWrite
[352] PsCreateSystemThread
[356] PsGetVersion
[363] PsSetCreateProcessNotifyRoutine
[365] PsSetCreateThreadNotifyRoutine
[366] PsSetLoadImageNotifyRoutine
[367] PsTerminateSystemThread
[370] RtlDeleteRegistryValue
[381] SDV_AllocateAdapterChannel
[382] SDV_AllocateCommonBuffer
[383] SDV_BuildMdlFromScatterGatherList
[384] SDV_BuildScatterGatherList
[386] SDV_FlushAdapterBuffers
[387] SDV_FreeAdapterChannel
[388] SDV_FreeCommonBuffer
[389] SDV_FreeMapRegisters
[390] SDV_GetDmaAlignment
[391] SDV_GetScatterGatherList
[392] SDV_MapTransfer
[393] SDV_PutDmaAdapter
[394] SDV_PutScatterGatherList
[395] SDV_ReadDmaCounter
[408] ZwClose
[416] ZwCreateKey
[424] ZwDeleteKey
[430] ZwEnumerateKey
[432] ZwEnumerateValueKey
[434] ZwFlushKey
[448] ZwOpenKey
[475] ZwQueryKey
[480] ZwQueryValueKey
[502] ZwSetValueKey
Комментариев нет:
Отправить комментарий