查看驱动对象IRP请求处理函数

最近在学Windows的文件过滤,其实也就是过滤驱动的那一套

想象一下一个场景就是,一个安全软件对文件的写入有文件过滤保护,攻击者想要逆向过滤的规则,那么应该如何做呢?

首先我们先要下载一个软件,叫DeviceTree

驱动开发辅助工具WinObj、DebugView、DeviceTree - 科创网

1730207791400

在 WinDbg 中使用以下命令访问 MajorFunction Table 

1
kd> dt nt!_DRIVER_OBJECT <驱动对象地址>

而这个驱动对象地址,就是在这个DeviceTree软件里面,可以看到右边的信息中有Driver Object,这个就是驱动对象地址

可以看到以下信息

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
0: kd> dt nt!_DRIVER_OBJECT 0xfffffa801ae42e70
   +0x000 Type             : 0n4
   +0x002 Size             : 0n336
   +0x008 DeviceObject     : 0xfffffa80`1ae5c060 _DEVICE_OBJECT
   +0x010 Flags            : 0x12
   +0x018 DriverStart      : 0xfffff880`05644000 Void
   +0x020 DriverSize       : 0xf000
   +0x028 DriverSection    : 0xfffffa80`1a62f160 Void
   +0x030 DriverExtension  : 0xfffffa80`1ae42fc0 _DRIVER_EXTENSION
   +0x038 DriverName       : _UNICODE_STRING "\Driver\kbdclass"
   +0x048 HardwareDatabase : 0xfffff800`04358568 _UNICODE_STRING "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM"
   +0x050 FastIoDispatch   : (null) 
   +0x058 DriverInit       : 0xfffff880`0564fecc     long  kbdclass!GsDriverEntry+0
   +0x060 DriverStartIo    : (null) 
   +0x068 DriverUnload     : (null) 
   +0x070 MajorFunction    : [28] 0xfffff880`05645dd4     long  kbdclass!KeyboardClassCreate+0

可以看到有一个成员是 MajorFunction,这是一个数组,这就是IRP注册函数表

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
0: kd> dps 0xfffffa801ae42e70+0x70
fffffa80`1ae42ee0  fffff880`05645dd4 kbdclass!KeyboardClassCreate
fffffa80`1ae42ee8  fffff800`03e45ae8 nt!IopInvalidDeviceRequest
fffffa80`1ae42ef0  fffff880`0564617c kbdclass!KeyboardClassClose
fffffa80`1ae42ef8  fffff880`05646804 kbdclass!KeyboardClassRead
fffffa80`1ae42f00  fffff800`03e45ae8 nt!IopInvalidDeviceRequest
fffffa80`1ae42f08  fffff800`03e45ae8 nt!IopInvalidDeviceRequest
fffffa80`1ae42f10  fffff800`03e45ae8 nt!IopInvalidDeviceRequest
fffffa80`1ae42f18  fffff800`03e45ae8 nt!IopInvalidDeviceRequest
fffffa80`1ae42f20  fffff800`03e45ae8 nt!IopInvalidDeviceRequest
fffffa80`1ae42f28  fffff880`05645ce0 kbdclass!KeyboardClassFlush
fffffa80`1ae42f30  fffff800`03e45ae8 nt!IopInvalidDeviceRequest
fffffa80`1ae42f38  fffff800`03e45ae8 nt!IopInvalidDeviceRequest
fffffa80`1ae42f40  fffff800`03e45ae8 nt!IopInvalidDeviceRequest
fffffa80`1ae42f48  fffff800`03e45ae8 nt!IopInvalidDeviceRequest
fffffa80`1ae42f50  fffff880`0564ca40 kbdclass!KeyboardClassDeviceControl
fffffa80`1ae42f58  fffff880`0564c2b4 kbdclass!KeyboardClassPassThrough