查看驱动对象IRP请求处理函数
最近在学Windows的文件过滤,其实也就是过滤驱动的那一套
想象一下一个场景就是,一个安全软件对文件的写入有文件过滤保护,攻击者想要逆向过滤的规则,那么应该如何做呢?
首先我们先要下载一个软件,叫DeviceTree
驱动开发辅助工具WinObj、DebugView、DeviceTree - 科创网
在 WinDbg 中使用以下命令访问 MajorFunction Table
1
| kd> dt nt!_DRIVER_OBJECT <驱动对象地址>
|
而这个驱动对象地址,就是在这个DeviceTree软件里面,可以看到右边的信息中有Driver Object,这个就是驱动对象地址
可以看到以下信息
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
| 0: kd> dt nt!_DRIVER_OBJECT 0xfffffa801ae42e70 +0x000 Type : 0n4 +0x002 Size : 0n336 +0x008 DeviceObject : 0xfffffa80`1ae5c060 _DEVICE_OBJECT +0x010 Flags : 0x12 +0x018 DriverStart : 0xfffff880`05644000 Void +0x020 DriverSize : 0xf000 +0x028 DriverSection : 0xfffffa80`1a62f160 Void +0x030 DriverExtension : 0xfffffa80`1ae42fc0 _DRIVER_EXTENSION +0x038 DriverName : _UNICODE_STRING "\Driver\kbdclass" +0x048 HardwareDatabase : 0xfffff800`04358568 _UNICODE_STRING "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM" +0x050 FastIoDispatch : (null) +0x058 DriverInit : 0xfffff880`0564fecc long kbdclass!GsDriverEntry+0 +0x060 DriverStartIo : (null) +0x068 DriverUnload : (null) +0x070 MajorFunction : [28] 0xfffff880`05645dd4 long kbdclass!KeyboardClassCreate+0
|
可以看到有一个成员是 MajorFunction
,这是一个数组,这就是IRP注册函数表
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
| 0: kd> dps 0xfffffa801ae42e70+0x70 fffffa80`1ae42ee0 fffff880`05645dd4 kbdclass!KeyboardClassCreate fffffa80`1ae42ee8 fffff800`03e45ae8 nt!IopInvalidDeviceRequest fffffa80`1ae42ef0 fffff880`0564617c kbdclass!KeyboardClassClose fffffa80`1ae42ef8 fffff880`05646804 kbdclass!KeyboardClassRead fffffa80`1ae42f00 fffff800`03e45ae8 nt!IopInvalidDeviceRequest fffffa80`1ae42f08 fffff800`03e45ae8 nt!IopInvalidDeviceRequest fffffa80`1ae42f10 fffff800`03e45ae8 nt!IopInvalidDeviceRequest fffffa80`1ae42f18 fffff800`03e45ae8 nt!IopInvalidDeviceRequest fffffa80`1ae42f20 fffff800`03e45ae8 nt!IopInvalidDeviceRequest fffffa80`1ae42f28 fffff880`05645ce0 kbdclass!KeyboardClassFlush fffffa80`1ae42f30 fffff800`03e45ae8 nt!IopInvalidDeviceRequest fffffa80`1ae42f38 fffff800`03e45ae8 nt!IopInvalidDeviceRequest fffffa80`1ae42f40 fffff800`03e45ae8 nt!IopInvalidDeviceRequest fffffa80`1ae42f48 fffff800`03e45ae8 nt!IopInvalidDeviceRequest fffffa80`1ae42f50 fffff880`0564ca40 kbdclass!KeyboardClassDeviceControl fffffa80`1ae42f58 fffff880`0564c2b4 kbdclass!KeyboardClassPassThrough
|