Viewing a Driver Object's IRP Request Handler Functions

I have recently been studying Windows file filtering, which in practice means the filter-driver stack.

Picture this scenario: a security product protects file writes with a file filter, and an attacker wants to reverse-engineer the filtering rules. Where do they start? The filtering logic lives in the driver's IRP dispatch routines, so the first step is to locate those routines.

First, download a tool called DeviceTree:

Driver development helper tools WinObj, DebugView, DeviceTree - 科创网


In WinDbg, dump the driver object to get at its MajorFunction table:

```
kd> dt nt!_DRIVER_OBJECT <driver object address>
```

The driver object address comes from DeviceTree: select the driver in the left-hand tree, and the right-hand pane lists a Driver Object field. That value is the address to pass to dt.

The output looks like this (here for kbdclass, the keyboard class driver, on an x64 system):

```
0: kd> dt nt!_DRIVER_OBJECT 0xfffffa801ae42e70
+0x000 Type : 0n4
+0x002 Size : 0n336
+0x008 DeviceObject : 0xfffffa80`1ae5c060 _DEVICE_OBJECT
+0x010 Flags : 0x12
+0x018 DriverStart : 0xfffff880`05644000 Void
+0x020 DriverSize : 0xf000
+0x028 DriverSection : 0xfffffa80`1a62f160 Void
+0x030 DriverExtension : 0xfffffa80`1ae42fc0 _DRIVER_EXTENSION
+0x038 DriverName : _UNICODE_STRING "\Driver\kbdclass"
+0x048 HardwareDatabase : 0xfffff800`04358568 _UNICODE_STRING "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM"
+0x050 FastIoDispatch : (null)
+0x058 DriverInit : 0xfffff880`0564fecc long kbdclass!GsDriverEntry+0
+0x060 DriverStartIo : (null)
+0x068 DriverUnload : (null)
+0x070 MajorFunction : [28] 0xfffff880`05645dd4 long kbdclass!KeyboardClassCreate+0
```

Note the MajorFunction member: an array of 28 function pointers (IRP_MJ_MAXIMUM_FUNCTION + 1), one per IRP major function code. This is the driver's registered IRP dispatch table. The array index is the IRP_MJ_* code, so slot 0 is IRP_MJ_CREATE, slot 3 is IRP_MJ_READ and slot 14 (0x0e) is IRP_MJ_DEVICE_CONTROL. Slots the driver never filled in still hold the kernel's default stub nt!IopInvalidDeviceRequest, which completes the request with STATUS_INVALID_DEVICE_REQUEST. `dt` prints only the first entry, so dump the table itself with `dps` starting at offset 0x70; `dps` shows 16 pointers by default, so append `L28` to see every slot:

```
0: kd> dps 0xfffffa801ae42e70+0x70
fffffa80`1ae42ee0 fffff880`05645dd4 kbdclass!KeyboardClassCreate
fffffa80`1ae42ee8 fffff800`03e45ae8 nt!IopInvalidDeviceRequest
fffffa80`1ae42ef0 fffff880`0564617c kbdclass!KeyboardClassClose
fffffa80`1ae42ef8 fffff880`05646804 kbdclass!KeyboardClassRead
fffffa80`1ae42f00 fffff800`03e45ae8 nt!IopInvalidDeviceRequest
fffffa80`1ae42f08 fffff800`03e45ae8 nt!IopInvalidDeviceRequest
fffffa80`1ae42f10 fffff800`03e45ae8 nt!IopInvalidDeviceRequest
fffffa80`1ae42f18 fffff800`03e45ae8 nt!IopInvalidDeviceRequest
fffffa80`1ae42f20 fffff800`03e45ae8 nt!IopInvalidDeviceRequest
fffffa80`1ae42f28 fffff880`05645ce0 kbdclass!KeyboardClassFlush
fffffa80`1ae42f30 fffff800`03e45ae8 nt!IopInvalidDeviceRequest
fffffa80`1ae42f38 fffff800`03e45ae8 nt!IopInvalidDeviceRequest
fffffa80`1ae42f40 fffff800`03e45ae8 nt!IopInvalidDeviceRequest
fffffa80`1ae42f48 fffff800`03e45ae8 nt!IopInvalidDeviceRequest
fffffa80`1ae42f50 fffff880`0564ca40 kbdclass!KeyboardClassDeviceControl
fffffa80`1ae42f58 fffff880`0564c2b4 kbdclass!KeyboardClassPassThrough
```
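To read a dump like this without counting slots by hand, here is an added example (not code from the original post, and not kbdclass code): a C model of the x64 _DRIVER_OBJECT layout that checks the +0x70 offset and the 0x150 (0n336) size against the dt output, a table mapping slot index to its IRP_MJ_* name, and an audit that classifies each handler as living inside the driver's image (from DriverStart/DriverSize), as the kernel's default stub, or as pointing into some other module. The 16 addresses are copied from the kbdclass dps dump above; the `driver_image`/`classify_handler`/`audit_major_function` names and the hooked address used in `demo_hooked_slot()` are my own constructions for illustration.

```c
/*
 * Added example: model the x64 _DRIVER_OBJECT layout from `dt nt!_DRIVER_OBJECT`
 * and audit a MajorFunction table as dumped by `dps <obj>+0x70`.
 * Sample addresses are copied from the post's kbdclass dump; the hooked
 * address in demo_hooked_slot() is constructed and not from the post.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IRP_MJ_MAXIMUM_FUNCTION 0x1b          /* wdm.h: slots 0..0x1b, 28 in total */
#define MJ_COUNT (IRP_MJ_MAXIMUM_FUNCTION + 1)

/* Minimal mirror of the x64 _DRIVER_OBJECT; field offsets match the dt output. */
typedef struct { uint16_t Length, MaximumLength; uint32_t pad; uint64_t Buffer; } unicode_string64;
typedef struct {
    int16_t  Type, Size;              /* +0x000, +0x002 */
    uint32_t pad0;
    uint64_t DeviceObject;            /* +0x008 */
    uint32_t Flags, pad1;             /* +0x010 */
    uint64_t DriverStart;             /* +0x018 */
    uint64_t DriverSize;              /* +0x020 */
    uint64_t DriverSection;           /* +0x028 */
    uint64_t DriverExtension;         /* +0x030 */
    unicode_string64 DriverName;      /* +0x038 */
    uint64_t HardwareDatabase;        /* +0x048 */
    uint64_t FastIoDispatch;          /* +0x050 */
    uint64_t DriverInit;              /* +0x058 */
    uint64_t DriverStartIo;           /* +0x060 */
    uint64_t DriverUnload;            /* +0x068 */
    uint64_t MajorFunction[MJ_COUNT]; /* +0x070: the IRP dispatch table */
} driver_object64;
_Static_assert(offsetof(driver_object64, MajorFunction) == 0x70, "MajorFunction must be at +0x70");
_Static_assert(sizeof(driver_object64) == 0x150, "Size must be 0n336");

/* Slot index -> IRP_MJ_* name (order as defined in wdm.h). */
static const char *const irp_mj_names[MJ_COUNT] = {
    "IRP_MJ_CREATE", "IRP_MJ_CREATE_NAMED_PIPE", "IRP_MJ_CLOSE", "IRP_MJ_READ",
    "IRP_MJ_WRITE", "IRP_MJ_QUERY_INFORMATION", "IRP_MJ_SET_INFORMATION",
    "IRP_MJ_QUERY_EA", "IRP_MJ_SET_EA", "IRP_MJ_FLUSH_BUFFERS",
    "IRP_MJ_QUERY_VOLUME_INFORMATION", "IRP_MJ_SET_VOLUME_INFORMATION",
    "IRP_MJ_DIRECTORY_CONTROL", "IRP_MJ_FILE_SYSTEM_CONTROL",
    "IRP_MJ_DEVICE_CONTROL", "IRP_MJ_INTERNAL_DEVICE_CONTROL", "IRP_MJ_SHUTDOWN",
    "IRP_MJ_LOCK_CONTROL", "IRP_MJ_CLEANUP", "IRP_MJ_CREATE_MAILSLOT",
    "IRP_MJ_QUERY_SECURITY", "IRP_MJ_SET_SECURITY", "IRP_MJ_POWER",
    "IRP_MJ_SYSTEM_CONTROL", "IRP_MJ_DEVICE_CHANGE", "IRP_MJ_QUERY_QUOTA",
    "IRP_MJ_SET_QUOTA", "IRP_MJ_PNP",
};
const char *irp_mj_name(size_t idx) { return idx < MJ_COUNT ? irp_mj_names[idx] : "?"; }

typedef enum { HANDLER_IN_DRIVER, HANDLER_DEFAULT, HANDLER_FOREIGN } handler_kind;

/* What the dt output tells us about the image (hypothetical struct name). */
typedef struct {
    uint64_t driver_start, driver_size;  /* DriverStart, DriverSize */
    uint64_t default_handler;            /* address of nt!IopInvalidDeviceRequest */
} driver_image;

handler_kind classify_handler(const driver_image *d, uint64_t fn) {
    /* unsigned subtraction wraps for fn < driver_start, so one compare covers both bounds */
    if (fn - d->driver_start < d->driver_size) return HANDLER_IN_DRIVER;
    if (fn == d->default_handler) return HANDLER_DEFAULT;
    return HANDLER_FOREIGN;
}

/* Annotate each slot like the dps dump; returns the number of FOREIGN entries,
 * i.e. pointers that are neither in the driver nor the kernel default stub. */
size_t audit_major_function(const driver_image *d, const uint64_t *table, size_t n, int verbose) {
    size_t foreign = 0;
    for (size_t i = 0; i < n && i < MJ_COUNT; i++) {
        handler_kind k = classify_handler(d, table[i]);
        if (k == HANDLER_FOREIGN) foreign++;
        if (verbose)
            printf("[%2zu] %-32s %016llx  %s\n", i, irp_mj_name(i), (unsigned long long)table[i],
                   k == HANDLER_IN_DRIVER ? "driver" :
                   k == HANDLER_DEFAULT   ? "default (unhandled)" : "FOREIGN: investigate");
    }
    return foreign;
}

/* From the dt output: DriverStart 0xfffff880`05644000, DriverSize 0xf000; the
 * default stub address is the nt!IopInvalidDeviceRequest value in the dps dump. */
const driver_image kbdclass_image = { 0xfffff88005644000ULL, 0xf000, 0xfffff80003e45ae8ULL };

/* The 16 slots the post's dps showed (its default length; L28 would show all 28). */
const uint64_t kbdclass_table[16] = {
    0xfffff88005645dd4ULL, 0xfffff80003e45ae8ULL, 0xfffff8800564617cULL, 0xfffff88005646804ULL,
    0xfffff80003e45ae8ULL, 0xfffff80003e45ae8ULL, 0xfffff80003e45ae8ULL, 0xfffff80003e45ae8ULL,
    0xfffff80003e45ae8ULL, 0xfffff88005645ce0ULL, 0xfffff80003e45ae8ULL, 0xfffff80003e45ae8ULL,
    0xfffff80003e45ae8ULL, 0xfffff80003e45ae8ULL, 0xfffff8800564ca40ULL, 0xfffff8800564c2b4ULL,
};

/* Constructed case: same table, but IRP_MJ_READ redirected to a made-up address
 * outside both kbdclass and nt, which is what a table hook would leave behind. */
size_t demo_hooked_slot(void) {
    uint64_t t[16];
    memcpy(t, kbdclass_table, sizeof t);
    t[3] = 0xfffff88007a10000ULL;   /* hypothetical third-module address */
    return audit_major_function(&kbdclass_image, t, 16, 0);
}

int main(void) {
    size_t foreign = audit_major_function(&kbdclass_image, kbdclass_table, 16, 1);
    printf("foreign handlers: %zu (hooked demo: %zu)\n", foreign, demo_hooked_slot());
    return 0;
}
```

Build it with any C11 compiler. For the clean kbdclass table the audit reports zero foreign entries: every slot is either a kbdclass routine or the nt default stub. A FOREIGN result means a dispatch pointer leaves the driver for somewhere other than the nt stub. That is legitimate when a driver deliberately forwards requests to another module, but it is also exactly what a hooked MajorFunction table looks like, so resolve such an address with `ln` in WinDbg before drawing a conclusion. One caveat for the file-filter scenario at the top: this table only tells the whole story for legacy file-system filter drivers. Minifilters register their pre- and post-operation callbacks with the Filter Manager through FltRegisterFilter, so their filtering logic does not appear in their own MajorFunction table; in WinDbg, `!fltkd.filters` lists the registered minifilters instead.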