获取中断描述符表IDT的信息

// GetIDT.h

#ifndef _WIN32_WINNT		// Allow use of features specific to Windows XP or later.                   
#define _WIN32_WINNT 0x0501	// Change this to the appropriate value to target other versions of Windows.
#endif						

#ifdef __cplusplus
extern "C" 
{

#endif

#include <ntddk.h>
#include <ntddstor.h>
#include <mountdev.h>
#include <ntddvol.h>


#ifdef __cplusplus
}
#endif

//***************************************************************************************************************

//GetIDT.cpp文件

#include "GetIDT.h"
//#include <stdio.h> 

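// Architectural maximum number of gate descriptors in an IDT (vectors 0..255).
// Used as an upper bound when walking the table.  NOTE: this was 0xFF (= 255),
// which made the walk in Fun_GetIDT stop one short and silently drop vector 255.
#define MAX_IDT_ENTRIES    256

// Combine two 16-bit halves into one 32-bit value: 'a' becomes bits 0-15,
// 'b' bits 16-31.  Each argument is evaluated exactly once and the whole
// expansion is parenthesised so it is safe inside larger expressions.
#define MAKELONG(a, b)\
	((unsigned long) (((unsigned short) (a)) | (((unsigned long) ((unsigned short) (b))) << 16)))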

//Memory image stored by the SIDT instruction on 32-bit x86: a 16-bit limit followed
//by a 32-bit linear base address (6 bytes; three 2-byte members need no packing).
//NOTE(review): on x64 SIDT stores 10 bytes (16-bit limit + 64-bit base), so this
//layout is only correct for the 32-bit build implied by the __asm block below.
typedef struct
{
	unsigned short IDTLimit;        //table size in bytes MINUS ONE (x86 descriptor-table convention) - NOT the entry count; entries = (IDTLimit + 1) / sizeof(IDTENTRY)
	unsigned short LowIDTBase;      //bits 0-15 of the IDT linear base address
	unsigned short HiIDTBase;       //bits 16-31 of the IDT linear base address
}IDTINFO, *PIDTINFO;

#pragma pack(1)   //an IDT gate descriptor is exactly 8 bytes; no padding may be inserted
//One 32-bit x86 IDT gate descriptor, as laid out in memory.
//NOTE(review): the bit-field block relies on the compiler allocating bit-fields from
//bit 0 upward within the byte (MSVC does); verify if this is ever built elsewhere.
typedef struct
{
	unsigned short LowOffset;				//bits 0-15 of the handler offset
	unsigned short Selector;				//code-segment selector the handler runs in
	unsigned char  unused_lo;				//reserved byte
	unsigned char  segment_type:4;			//gate type field (interrupt / trap / task gate)
	unsigned char  system_segment_flag:1;   //0 = system descriptor (all gates are system descriptors)
	unsigned char  DPL:2;                   //descriptor privilege level
	unsigned char  P:1;                     //present bit; when 0 the offset fields do not name a valid handler
	unsigned short HiOffset;                //bits 16-31 of the handler offset
}IDTENTRY, *PIDTENTRY;
#pragma pack()

//卸载例程
void GetIDTUnload(IN PDRIVER_OBJECT DriverObject);

//创建和关闭例程
NTSTATUS GetIDTCreateClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);

//默认处理例程
NTSTATUS GetIDTDefaultHandler(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);

//获取IDT表的例程函数
NTSTATUS Fun_GetIDT();


#ifdef __cplusplus
//驱动入口函数
extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING  RegistryPath);
#endif


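//Driver entry point: installs the dispatch table, creates the single control device and
//its \DosDevices link, then dumps the IDT once via KdPrint.
//Returns STATUS_SUCCESS, or the failing status from IoCreateDevice / IoCreateSymbolicLink
//(in which case nothing is left behind for the unload routine to clean up).
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING  RegistryPath)
{
	UNICODE_STRING DeviceName;          //NT name of the device object
	UNICODE_STRING Win32Device;         //Win32-visible symbolic link to it
	PDEVICE_OBJECT DeviceObject = NULL;
	NTSTATUS status;
	unsigned i;

	(void)RegistryPath;   //unused: this driver reads no configuration

	RtlInitUnicodeString(&DeviceName, L"\\Device\\GetIDT0");
	RtlInitUnicodeString(&Win32Device, L"\\DosDevices\\GetIDT0");

	//Every major function is refused with STATUS_NOT_SUPPORTED unless overridden below.
	for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
	{
		DriverObject->MajorFunction[i] = GetIDTDefaultHandler;
	}
	DriverObject->MajorFunction[IRP_MJ_CREATE] = GetIDTCreateClose;
	DriverObject->MajorFunction[IRP_MJ_CLOSE] = GetIDTCreateClose;
	DriverObject->DriverUnload = GetIDTUnload;

	//SECURITY(review): the device gets the default security descriptor, so any user can open
	//it through the \DosDevices link.  That is tolerable only because the dispatch table above
	//exposes nothing beyond create/close.  If IOCTL, read or write handlers are ever added,
	//create the device with an explicit SDDL (IoCreateDeviceSecure) rather than this call.
	status = IoCreateDevice(DriverObject,
							0,
							&DeviceName,
							FILE_DEVICE_UNKNOWN,
							0,
							FALSE,
							&DeviceObject);
	if (!NT_SUCCESS(status))
	{
		return status;
	}
	if (!DeviceObject)
	{
		return STATUS_UNEXPECTED_IO_ERROR;
	}

	//No read/write dispatch exists, so the I/O method flag has no observable effect; kept as-is.
	DeviceObject->Flags |= DO_DIRECT_IO;
	DeviceObject->AlignmentRequirement = FILE_WORD_ALIGNMENT;

	//The link status used to be ignored: on failure the device object was leaked, DriverEntry
	//still reported success, and GetIDTUnload later tried to delete a link that never existed.
	status = IoCreateSymbolicLink(&Win32Device, &DeviceName);
	if (!NT_SUCCESS(status))
	{
		IoDeleteDevice(DeviceObject);
		return status;
	}

	DeviceObject->Flags &= ~DO_DEVICE_INITIALIZING;

	//One-shot IDT dump to the kernel debugger (the routine always returns success).
	Fun_GetIDT();

	return STATUS_SUCCESS;
}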

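//Walk the IDT of the processor this code is running on and KdPrint the handler offset
//stored in each gate.  Always returns STATUS_SUCCESS.
//NOTE(review): SIDT reads the current CPU's IDTR only; other processors may have their own
//IDT which this walk does not visit.  32-bit MSVC inline assembly - not buildable for x64.
NTSTATUS Fun_GetIDT()
{
	IDTINFO idtInfo;
	PIDTENTRY pIdtEntry;
	unsigned long entryCount;
	unsigned long i;

	//Read IDTR into the 6-byte (32-bit) SIDT image and rebuild the table's linear base.
	__asm sidt idtInfo
	pIdtEntry = (PIDTENTRY)MAKELONG(idtInfo.LowIDTBase, idtInfo.HiIDTBase);

	//IDTLimit is the table size in bytes minus one, so the number of gates the CPU will
	//actually consult is (limit + 1) / sizeof(gate).  The old fixed bound of 0xFF both
	//skipped vector 255 and ignored the limit the CPU reports; derive the count from the
	//limit instead, capped at the architectural maximum of 256 vectors.
	entryCount = (idtInfo.IDTLimit + 1UL) / sizeof(IDTENTRY);
	if (entryCount > 256UL)
	{
		entryCount = 256UL;
	}

	for (i = 0; i < entryCount; i++)
	{
		PIDTENTRY pTmpIdtEntry = &pIdtEntry[i];

		//Handler offset for this vector.  Callers must not treat every value as a code
		//address: when P == 0 the gate is not present, and for a task gate the offset
		//field is unused.
		unsigned long lgAddr = MAKELONG(pTmpIdtEntry->LowOffset, pTmpIdtEntry->HiOffset);

		//Length modifiers now match the unsigned long arguments (was %d / %X).
		KdPrint(("中断号:%04lu,地址:%08lX\r\n", i, lgAddr));
	}

	return STATUS_SUCCESS;
}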

//Unload routine: removes the \DosDevices link and the single device object created in
//DriverEntry.  Both calls are best-effort at unload time; their results are not examined.
void GetIDTUnload(IN PDRIVER_OBJECT DriverObject)
{
	UNICODE_STRING linkName;

	RtlInitUnicodeString(&linkName, L"\\DosDevices\\GetIDT0");
	(void)IoDeleteSymbolicLink(&linkName);

	//Only one device exists, so the driver's device list head is the one to delete.
	IoDeleteDevice(DriverObject->DeviceObject);
}

//IRP_MJ_CREATE / IRP_MJ_CLOSE handler: every open and close succeeds and transfers no data.
//Returns STATUS_SUCCESS after completing the IRP.
NTSTATUS GetIDTCreateClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
	const NTSTATUS result = STATUS_SUCCESS;

	(void)DeviceObject;   //single device; nothing device-specific to do

	Irp->IoStatus.Information = 0;
	Irp->IoStatus.Status = result;
	IoCompleteRequest(Irp, IO_NO_INCREMENT);

	return result;
}

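//Dispatch routine for every major function DriverEntry did not route elsewhere (read,
//write, device control, ...).  Completes the IRP with STATUS_NOT_SUPPORTED so the device
//has no user-reachable data path, and returns that same status.
NTSTATUS GetIDTDefaultHandler(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
	const NTSTATUS result = STATUS_NOT_SUPPORTED;

	(void)DeviceObject;   //single device; nothing device-specific to do

	Irp->IoStatus.Information = 0;
	Irp->IoStatus.Status = result;
	IoCompleteRequest(Irp, IO_NO_INCREMENT);

	//The original returned Irp->IoStatus.Status here, i.e. it read the IRP *after*
	//IoCompleteRequest, when the IRP may already have been freed or reused.  Return the
	//status from a local instead; the value is unchanged.
	return result;
}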


 
 

