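Basic structure of an NT-style driver
1. Driver entry point (DriverEntry)
DriverEntry mainly initializes the driver. It is called by the system process, which is the process named System shown in Windows Task Manager.
When the driver is loaded, the system process starts a new thread and calls the object manager in the executive to create a driver object, which is a DRIVER_OBJECT structure. The system process also calls the configuration manager in the executive to query the registry key that corresponds to this driver.
The function takes two parameters: the driver object created by the system process, and the name of the device's service key.
The service key is normally located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
DriverEntry usually sets the unload routine and the IRP dispatch functions, and part of it creates the device object.
2. Creating the device object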
NTSTATUS
IoCreateDevice(
    IN PDRIVER_OBJECT DriverObject,
    IN ULONG DeviceExtensionSize,               // size of the device extension; the I/O manager allocates the
                                                // device extension in memory based on this size and associates it with the device object
    IN PUNICODE_STRING DeviceName OPTIONAL,     // name of the device object
    IN DEVICE_TYPE DeviceType,
    IN ULONG DeviceCharacteristics,
    IN BOOLEAN Exclusive,
    OUT PDEVICE_OBJECT *DeviceObject
    );
Parameters
DriverObject
Pointer to the driver object for the caller. Each driver receives a pointer to its driver object in a parameter to its DriverEntry routine. WDM function and filter drivers also receive a driver object pointer in their AddDevice routines.
DeviceExtensionSize
Specifies the driver-determined number of bytes to be allocated for the device extension of the device object. The internal structure of the device extension is driver-defined.
DeviceName
Optionally points to a buffer containing a null-terminated Unicode string that names the device object. The string must be a full path name. WDM filter and function drivers do not name their device objects. For more information, see Named Device Objects.
Note: If a device name is not supplied (that is, DeviceName is NULL), the device object created by IoCreateDevice will not (and cannot) have a discretionary access control list (DACL) associated with it. For additional information, see Security Descriptors.
DeviceType
Specifies one of the system-defined FILE_DEVICE_XXX constants that indicate the type of device (such as FILE_DEVICE_DISK, FILE_DEVICE_KEYBOARD, etc.) or a vendor-defined value for a new type of device. For more information, see Specifying Device Types.
DeviceCharacteristics
Specifies one or more system-defined constants, ORed together, that provide additional information about the driver's device. For a list of possible device characteristics, see DEVICE_OBJECT. For more information about how to specify device characteristics, see Specifying Device Characteristics. Most drivers specify FILE_DEVICE_SECURE_OPEN for this parameter.
Exclusive
Specifies if the device object represents an exclusive device. Most drivers set this value to FALSE. For more information about exclusive access, see Specifying Exclusive Access to Device Objects.
DeviceObject
Pointer to a variable that receives a pointer to the newly created DEVICE_OBJECT structure. The DEVICE_OBJECT structure is allocated from nonpaged pool.
Return Value
IoCreateDevice returns STATUS_SUCCESS on success, or the appropriate NTSTATUS error code on failure. A partial list of the failure codes returned by this function includes:
STATUS_INSUFFICIENT_RESOURCES
3. Symbolic links
NTSTATUS
IoCreateSymbolicLink(
IN PUNICODE_STRING SymbolicLinkName,
IN PUNICODE_STRING DeviceName
);
In kernel mode, symbolic link names begin with \??\; for example, drive C: is \??\C:. In user mode they begin with \\.\
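The prefix mapping described above, as an added example that is not part of the original notes: a user-mode C helper that rewrites a Win32 name into the \??\ form a driver passes to IoCreateSymbolicLink. The device name HelloDDK is a constructed sample, accepting the \\?\ prefix goes beyond what the notes mention, and the helper is simplified (no relative paths, UNC paths or path normalization).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example: map a user-mode Win32 name to the kernel-mode
 * symbolic-link name. Returns 0 on success, -1 on unsupported
 * input or when the output buffer is too small. */
int win32_to_nt_name(const char *win32, char *nt, size_t nt_len)
{
    static const char nt_prefix[] = "\\??\\";
    const char *rest;

    if (win32 == NULL || nt == NULL)
        return -1;

    if (strncmp(win32, "\\\\.\\", 4) == 0 ||
        strncmp(win32, "\\\\?\\", 4) == 0)
        rest = win32 + 4;               /* \\.\Name or \\?\Name */
    else if (isalpha((unsigned char)win32[0]) && win32[1] == ':')
        rest = win32;                   /* drive letter such as C: */
    else
        return -1;                      /* not a form handled here */

    if (*rest == '\0')
        return -1;                      /* prefix with no name after it */

    if (strlen(nt_prefix) + strlen(rest) + 1 > nt_len)
        return -1;                      /* result would not fit */

    snprintf(nt, nt_len, "%s%s", nt_prefix, rest);
    return 0;
}

int main(void)
{
    /* Constructed sample names, not taken from the notes. */
    const char *samples[] = { "\\\\.\\HelloDDK", "C:", "HelloDDK" };
    char nt[64];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (win32_to_nt_name(samples[i], nt, sizeof nt) == 0)
            printf("%-16s -> %s\n", samples[i], nt);
        else
            printf("%-16s -> (not a device or drive name)\n", samples[i]);
    }
    return 0;
}
```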
4. Deleting the symbolic link
NTSTATUS
IoDeleteSymbolicLink(
IN PUNICODE_STRING SymbolicLinkName
);
5. Deleting the device
VOID
IoDeleteDevice(
IN PDEVICE_OBJECT DeviceObject
);