游戏逆向之驱动层与用户层通讯
驱动层代码:
#pragma once
#include <ntifs.h>
#define add_code CTL_CODE(FILE_DEVICE_UNKNOWN,0x800,METHOD_BUFFERED,FILE_ANY_ACCESS)
/*
更多游戏逆向视频www.yxfzedu.com
*/
NTSTATUS myDriver_DispatchRoutine(IN PDEVICE_OBJECT pDevobj, IN PIRP pIrp);
void registerIrp(PDRIVER_OBJECT driver) {
    /*
     * Points the CREATE, CLOSE, READ, WRITE and DEVICE_CONTROL major-function
     * slots of the driver object at the single dispatch routine
     * myDriver_DispatchRoutine. No other slots are touched.
     */
    static const unsigned char handled[] = {
        IRP_MJ_CREATE,
        IRP_MJ_CLOSE,
        IRP_MJ_READ,
        IRP_MJ_WRITE,
        IRP_MJ_DEVICE_CONTROL,
    };
    KdPrint(("开始注册派遗函数"));
    /* Same assignment order as the hand-written version: CREATE first, DEVICE_CONTROL last. */
    for (unsigned i = 0; i < sizeof handled / sizeof handled[0]; i++) {
        driver->MajorFunction[handled[i]] = myDriver_DispatchRoutine;
    }
}
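NTSTATUS myDriver_DispatchRoutine(IN PDEVICE_OBJECT pDevobj, IN PIRP pIrp)
{
    /*
     * Single dispatch entry for the CREATE, CLOSE, READ, WRITE and
     * DEVICE_CONTROL IRPs registered in registerIrp.
     *
     * Only the add_code IOCTL carries data: two ints in, one int out, both
     * through AssociatedIrp.SystemBuffer (METHOD_BUFFERED).
     *
     * Returns STATUS_SUCCESS, STATUS_BUFFER_TOO_SMALL when the caller's
     * buffers are shorter than the add_code contract, or
     * STATUS_INVALID_DEVICE_REQUEST for an unknown control code.  The IRP is
     * completed here on every path, and IoStatus.Information is only
     * non-zero when data was actually written to the output buffer.
     */
    PIO_STACK_LOCATION irpsp = IoGetCurrentIrpStackLocation(pIrp);
    NTSTATUS status = STATUS_SUCCESS;
    /* Byte count the I/O manager copies back to the caller's output buffer;
     * it must never exceed OutputBufferLength, so it starts at 0 and is only
     * raised after a successful, length-checked write. */
    ULONG_PTR information = 0;

    switch (irpsp->MajorFunction)
    {
    case IRP_MJ_CREATE:
    case IRP_MJ_CLOSE:
    case IRP_MJ_READ:
    case IRP_MJ_WRITE:
        /* Accepted without transferring any data, so Information stays 0. */
        break;

    case IRP_MJ_DEVICE_CONTROL:
    {
        ULONG code = irpsp->Parameters.DeviceIoControl.IoControlCode;
        ULONG inLen = irpsp->Parameters.DeviceIoControl.InputBufferLength;
        ULONG outLen = irpsp->Parameters.DeviceIoControl.OutputBufferLength;

        switch (code)
        {
        case add_code:
        {
            /* Both lengths are supplied by the user-mode caller and are
             * untrusted.  Reading two ints or writing one without this check
             * is an out-of-bounds access on the system buffer, and
             * SystemBuffer may be NULL when both lengths are 0. */
            if (inLen < 2 * sizeof(int) || outLen < sizeof(int)) {
                status = STATUS_BUFFER_TOO_SMALL;
                break;
            }
            int *inputBuffer = pIrp->AssociatedIrp.SystemBuffer;
            int a = inputBuffer[0];
            int b = inputBuffer[1];
            /* %p: these are pointers; %x would truncate them on 64-bit. */
            KdPrint(("inputBuffer=%p", inputBuffer));
            KdPrint(("inputBuffer+1=%p", inputBuffer + 1));
            KdPrint(("a=%d,b = %d", a, b));
            /* Sum in unsigned arithmetic: a and b are caller-controlled and
             * signed overflow would be undefined behavior. */
            int c = (int)((unsigned)a + (unsigned)b);
            /* METHOD_BUFFERED: output goes back through the same system buffer. */
            int *outputBuffer = pIrp->AssociatedIrp.SystemBuffer;
            *outputBuffer = c;
            KdPrint(("c=%d", c));
            information = sizeof(int);
            break;
        }
        default:
            /* Unknown control codes previously completed with STATUS_SUCCESS
             * and a 4-byte Information; reject them explicitly instead. */
            status = STATUS_INVALID_DEVICE_REQUEST;
            break;
        }
        break; /* was missing: fell through into the outer default */
    }

    default:
        break;
    }

    pIrp->IoStatus.Information = information;
    pIrp->IoStatus.Status = status;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return status;
}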
用户层代码:
#include "pch.h"
#include <iostream>
#include <Windows.h>
#include <winioctl.h>
#define add_code CTL_CODE(FILE_DEVICE_UNKNOWN,0x800,METHOD_BUFFERED,FILE_ANY_ACCESS)
/*
游戏逆向www.yxfzedu.com
*/
int add(HANDLE hDevice, int a, int b);
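int main()
{
    // Opens the driver's device through its symbolic link
    // (\\??\\aabc_symbolicName), asks the driver to add two ints via the
    // add_code IOCTL and prints the result.
    // Exit codes are kept as in the original sample: 0 when the device could
    // not be opened, 1 after a completed request (note this is the reverse of
    // the usual 0-on-success convention).
    HANDLE hDevice = CreateFile(L"\\\\.\\aabc_symbolicName", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    // HANDLE is pointer-sized; %d would truncate it on 64-bit builds.
    printf("hDevice: %p \n", hDevice);
    if (hDevice == INVALID_HANDLE_VALUE) {
        // The original format string had no conversion specifier, so the
        // error code passed to printf was never printed.
        printf("获取设备句柄失败 错误码: %lu \n", GetLastError());
        getchar();
        return 0;
    }
    int a = 2;
    int b = 3;
    int c = add(hDevice, a, b);
    printf("c=%d \n", c);
    CloseHandle(hDevice); // the handle was leaked before
    getchar();
    return 1;
}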
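int add(HANDLE hDevice, int a, int b) {
    // Sends a and b to the driver through the add_code IOCTL (METHOD_BUFFERED)
    // and returns the sum the driver wrote back.
    //
    // Returns 0 when DeviceIoControl fails or returns fewer bytes than an int,
    // so the caller never sees an uninitialized value (the original returned
    // an uninitialized `result` on failure).
    int param[2] = { a, b };
    int result = 0;
    ULONG ReturnLength = 0;
    // sizeof instead of the literal 8/4 keeps the lengths tied to the types.
    BOOL flag = DeviceIoControl(hDevice, add_code, param, sizeof param, &result, sizeof result, &ReturnLength, NULL);
    if (!flag) {
        printf("DeviceIoControl failed, error: %lu \n", GetLastError());
        return 0;
    }
    if (ReturnLength != sizeof result) {
        // The driver reported a different output size; do not trust result.
        printf("unexpected output length: %lu \n", ReturnLength);
        return 0;
    }
    printf("%d \n", result);
    return result;
}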