本文转载自:http://hi.baidu.com/sysinternal/blog/item/f2b877084535c532e92488cc.html
用 PsCreateSystemThread 在内核中创建系统线程,并通过事件对象通知线程退出。本文只是读书笔记,高手请飘过。
先用 KmdManager 加载驱动,然后在 DebugView 中查看 KdPrint 输出。注意:驱动会创建一个可从用户态打开的符号链接,任何能打开该设备的进程都可以通过 IOCTL 启动/停止内核线程,测试以外的环境应限制设备对象的访问权限。
SysThread.c部分代码
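/*
 * SysThread.c (excerpt)
 *
 * Minimal driver that starts and stops one system thread on request from
 * user mode (IOCTL_SYSTHREAD_START / IOCTL_SYSTHREAD_STOP).  The thread
 * wakes once a second, prints a counter, and exits when pdx->evKill is
 * signaled.
 *
 * Security notes for anyone reusing this as a template:
 *  - The device is reachable from user mode through DOS_DEVICE_NAME, and
 *    this file applies no access control of its own.  Everything the
 *    IOCTL handler does therefore runs on behalf of whoever can open the
 *    device; restrict it (IoCreateDeviceSecure / an SDDL string) before
 *    using this outside a lab.
 *  - The dispatch handlers run in the context of the calling user process,
 *    so kernel handles created there must be marked OBJ_KERNEL_HANDLE or
 *    they land in that process's handle table.
 *
 * NOTE(review): START and STOP from concurrent callers are not serialized
 * here.  The device extension (declared in the header, not visible in this
 * file) has no lock; add one (e.g. a FAST_MUTEX) and take it around
 * StartThread/StopThread if the device can be opened by more than one
 * thread at a time.
 */

/*
 * DriverEntry - create the control device and its DOS symbolic link, and
 * install the dispatch routines.
 *
 * Returns STATUS_SUCCESS, or the failing status from IoCreateDevice /
 * IoCreateSymbolicLink (the device is torn down again in the latter case).
 * The I/O manager zero-initializes the device extension, so pdx->thread
 * starts out NULL, which StartThread/StopThread rely on as the
 * "no thread running" marker.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING regPath)
{
    PDEVICE_OBJECT pDeviceObject = NULL;
    NTSTATUS ntStatus;
    UNICODE_STRING uniNtNameString;
    UNICODE_STRING uniWin32NameString;

    UNREFERENCED_PARAMETER(regPath);

    RtlInitUnicodeString(&uniNtNameString, NT_DEVICE_NAME);

    ntStatus = IoCreateDevice(pDriverObject,
                              sizeof(SYSTHREAD_DEVICE_EXTENSION), /* DeviceExtensionSize */
                              &uniNtNameString,
                              FILE_DEVICE_UNKNOWN,
                              0,                                  /* no device characteristics */
                              FALSE,                              /* not exclusive */
                              &pDeviceObject);
    if (!NT_SUCCESS(ntStatus)) {
        return ntStatus;
    }

    /* Dispatch table */
    pDriverObject->MajorFunction[IRP_MJ_CREATE]         = SysThreadOpen;
    pDriverObject->MajorFunction[IRP_MJ_CLOSE]          = SysThreadClose;
    pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = SysThreadDeviceIoControl;
    pDriverObject->DriverUnload                         = SysThreadUnload;

    pDeviceObject->Flags |= DO_BUFFERED_IO;

    /* User-mode visible name; see the security note at the top of the file. */
    RtlInitUnicodeString(&uniWin32NameString, DOS_DEVICE_NAME);
    ntStatus = IoCreateSymbolicLink(&uniWin32NameString, &uniNtNameString);
    if (!NT_SUCCESS(ntStatus)) {
        IoDeleteDevice(pDeviceObject);
    }

    return ntStatus;
}

///////////////////////////////////////////////////////////////////////////////

/*
 * SysThreadUnload - remove the symbolic link and the device.
 *
 * If a START was issued without a matching STOP, the worker thread is still
 * executing ThreadProc inside this image; stop it and wait for it before the
 * driver image is released, otherwise the thread would continue running in
 * unmapped code.
 */
VOID SysThreadUnload(IN PDRIVER_OBJECT pDriverObject)
{
    PDEVICE_OBJECT pDeviceObject = pDriverObject->DeviceObject;
    UNICODE_STRING uniWin32NameString;

    if (pDeviceObject != NULL) {
        PSYSTHREAD_DEVICE_EXTENSION pdx =
            (PSYSTHREAD_DEVICE_EXTENSION)pDeviceObject->DeviceExtension;
        /* No-op when no thread is running. */
        StopThread(pdx);
    }

    RtlInitUnicodeString(&uniWin32NameString, DOS_DEVICE_NAME);
    IoDeleteSymbolicLink(&uniWin32NameString);

    if (pDeviceObject != NULL) {
        IoDeleteDevice(pDeviceObject);
    }
}

///////////////////////////////////////////////////////////////////////////////

/*
 * SysThreadOpen - IRP_MJ_CREATE handler; always succeeds.
 */
NTSTATUS SysThreadOpen(IN PDEVICE_OBJECT pDeviceObject, IN PIRP pIrp)
{
    UNREFERENCED_PARAMETER(pDeviceObject);

    KdPrint((" SysThreadOpen() was Called.... \n"));

    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

///////////////////////////////////////////////////////////////////////////////

/*
 * SysThreadClose - IRP_MJ_CLOSE handler; always succeeds.
 *
 * Closing the handle does not stop a running thread; only IOCTL_SYSTHREAD_STOP
 * or driver unload does.
 */
NTSTATUS SysThreadClose(IN PDEVICE_OBJECT pDeviceObject, IN PIRP pIrp)
{
    UNREFERENCED_PARAMETER(pDeviceObject);

    KdPrint((" SysThreadClose() was Called.... \n"));

    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

///////////////////////////////////////////////////////////////////////////////

/*
 * SysThreadDeviceIoControl - IRP_MJ_DEVICE_CONTROL handler.
 *
 * IOCTL_SYSTHREAD_START starts the worker thread, IOCTL_SYSTHREAD_STOP stops
 * it.  The status of StartThread/StopThread is propagated to the caller, and
 * an unknown control code is rejected with STATUS_INVALID_DEVICE_REQUEST
 * instead of being silently reported as success.  No input/output buffer is
 * read or written.
 */
NTSTATUS SysThreadDeviceIoControl(IN PDEVICE_OBJECT pDeviceObject, IN PIRP pIrp)
{
    NTSTATUS ntStatus;
    PIO_STACK_LOCATION pIrpStack = IoGetCurrentIrpStackLocation(pIrp);
    PSYSTHREAD_DEVICE_EXTENSION pdx =
        (PSYSTHREAD_DEVICE_EXTENSION)pDeviceObject->DeviceExtension;
    ULONG dwControlCode = pIrpStack->Parameters.DeviceIoControl.IoControlCode;

    switch (dwControlCode) {
    case IOCTL_SYSTHREAD_START:
        ntStatus = StartThread(pdx);
        break;

    case IOCTL_SYSTHREAD_STOP:
        /* Stopping when nothing is running is reported as a state error. */
        if (pdx->thread == NULL) {
            ntStatus = STATUS_INVALID_DEVICE_STATE;
        } else {
            StopThread(pdx);
            ntStatus = STATUS_SUCCESS;
        }
        break;

    default:
        ntStatus = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    pIrp->IoStatus.Status = ntStatus;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return ntStatus;
}

///////////////////////////////////////////////////////////////////////////////

/*
 * StartThread - create the worker system thread and keep a referenced
 * pointer to it in pdx->thread so StopThread can wait on it.
 *
 * Returns STATUS_INVALID_DEVICE_STATE if a thread is already running (a
 * second START must not re-initialize the kill event under a live thread or
 * leak the first thread's reference), the PsCreateSystemThread or
 * ObReferenceObjectByHandle failure status, or STATUS_SUCCESS.
 *
 * On ObReferenceObjectByHandle failure the new thread is told to exit via
 * evKill so it does not keep running with nobody able to stop it.
 */
NTSTATUS StartThread(PSYSTHREAD_DEVICE_EXTENSION pdx)
{
    NTSTATUS status;
    HANDLE hthread = NULL;
    OBJECT_ATTRIBUTES oa;

    if (pdx->thread != NULL) {
        KdPrint(("ThreadProc() is already running!\n"));
        return STATUS_INVALID_DEVICE_STATE;
    }

    /* Auto-reset event, initially non-signaled; signaled by StopThread. */
    KeInitializeEvent(&pdx->evKill, SynchronizationEvent, FALSE);

    /*
     * OBJ_KERNEL_HANDLE: this runs in the IOCTL caller's process context, so
     * without it the THREAD_ALL_ACCESS handle would be created in the
     * user process's handle table.
     */
    InitializeObjectAttributes(&oa, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);

    status = PsCreateSystemThread(&hthread,
                                  THREAD_ALL_ACCESS,
                                  &oa,
                                  NULL,               /* system process */
                                  NULL,
                                  (PKSTART_ROUTINE)ThreadProc,
                                  pdx);
    if (!NT_SUCCESS(status)) {
        KdPrint(("Fail Start ThreadProc()!\n"));
        return status;
    }

    /* Convert the handle into a referenced object pointer; type-checked. */
    status = ObReferenceObjectByHandle(hthread,
                                       THREAD_ALL_ACCESS,
                                       *PsThreadType,
                                       KernelMode,
                                       (PVOID *)&pdx->thread,
                                       NULL);
    ZwClose(hthread);

    if (!NT_SUCCESS(status)) {
        KdPrint(("Fail to reference ThreadProc() thread object!\n"));
        pdx->thread = NULL;
        /* We cannot wait for it, but at least make it exit. */
        KeSetEvent(&pdx->evKill, 0, FALSE);
        return status;
    }

    return STATUS_SUCCESS;
}

///////////////////////////////////////////////////////////////////////////////

/*
 * StopThread - signal evKill, wait for ThreadProc to exit, and drop the
 * thread reference taken in StartThread.
 *
 * Safe to call when no thread is running (pdx->thread == NULL): it does
 * nothing.  Must be called at PASSIVE_LEVEL because it blocks.
 */
VOID StopThread(PSYSTHREAD_DEVICE_EXTENSION pdx)
{
    PVOID thread = pdx->thread;

    if (thread == NULL) {
        return;
    }

    /* Ask the thread to exit, then wait for it. */
    KeSetEvent(&pdx->evKill, 0, FALSE);
    KeWaitForSingleObject(thread, Executive, KernelMode, FALSE, NULL);

    pdx->thread = NULL;
    ObDereferenceObject(thread);
}

///////////////////////////////////////////////////////////////////////////////

/*
 * ThreadProc - worker thread body.
 *
 * Waits on evKill with a one-second timeout; each timeout prints the elapsed
 * second count, anything else (the kill event being signaled) ends the loop.
 * Terminates itself with PsTerminateSystemThread, which never returns.
 */
VOID ThreadProc(PSYSTHREAD_DEVICE_EXTENSION pdx)
{
    NTSTATUS status;
    int cnt = 0;
    LARGE_INTEGER timeout;

    /* Relative timeout in 100ns units: 1 second. */
    timeout.QuadPart = -1 * 10000000;

    for (;;) {
        status = KeWaitForSingleObject(&pdx->evKill, Executive, KernelMode, FALSE, &timeout);
        if (status != STATUS_TIMEOUT) {
            break;
        }
        KdPrint(("^_^ ThreadProc()运行了%d秒!\n", cnt++));
    }

    KdPrint(("^_^ ThreadProc()停止!\n"));
    PsTerminateSystemThread(STATUS_SUCCESS);
}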