VS2019遍历DPC定时器源码
#include <ntddk.h>
#include <windef.h>
/*---------------------------------自定义函数声明------------------------------------*/
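VOID DriverUnload(IN PDRIVER_OBJECT DriverObject); /* forward declaration: unload routine */
/* Both helpers take no arguments; `(VOID)` makes that a real prototype instead of
   an unspecified-argument declaration. */
ULONG QueryTimerTableListHead(VOID);
ULONG GetDpcTimerInformation_XP(VOID);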
/*---------------------------------驱动入口函数驱动卸载函数实现------------------------------------*/
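/*
 * DriverUnload - driver unload routine installed by DriverEntry.
 *
 * Only emits a trace line; the driver keeps no state that needs tearing down.
 * DriverObject is unused, so it is marked as such to keep /W4 builds clean.
 */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);

    DbgPrint("Unloaded...\n");
}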
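/*
 * DriverEntry - driver entry point.
 *
 * Installs the unload routine and runs the timer-table walk once at load time.
 * The walk's result (number of timers printed) was previously discarded; it is
 * now traced so the output can be cross-checked against the per-timer lines.
 * RegistryPath is unused.
 *
 * Returns STATUS_SUCCESS unconditionally; a failed walk is reported only by trace.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    ULONG ulTimerCount;

    UNREFERENCED_PARAMETER(RegistryPath);

    DriverObject->DriverUnload = DriverUnload;
    DbgPrint("Loaded...\n");

    ulTimerCount = GetDpcTimerInformation_XP();
    DbgPrint("DPC timers found: %u\n", ulTimerCount);

    return STATUS_SUCCESS;
}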
/*---------------------------------自定义函数实现------------------------------------*/
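/*
 * GetDpcTimerInformation_XP - walk the kernel timer table and print every
 * KTIMER that carries a DPC, together with its DeferredRoutine.
 *
 * The table base comes from QueryTimerTableListHead(). Each of the
 * NumberOfTimerTable buckets is treated as a bare LIST_ENTRY (pList++), which
 * matches the Windows XP layout this routine is named for; newer kernels wrap
 * the list head in a larger per-bucket structure, so do not reuse this walk
 * there without adjusting the stride.
 *
 * Every pointer is probed with MmIsAddressValid before it is dereferenced.
 * MmIsAddressValid only says the page is currently mapped, so a corrupted or
 * attacker-modified list can still yield garbage entries; the probes prevent
 * a bugcheck, they do not authenticate the data. The walk runs without
 * holding the dispatcher lock, so it is a best-effort snapshot.
 *
 * Returns the number of timers printed, or 0 if the table could not be located.
 */
ULONG GetDpcTimerInformation_XP(VOID)
{
    /* Bucket count of the XP timer table; the original hard-coded 0x100. */
    const ULONG NumberOfTimerTable = 0x100;
    ULONG i;
    ULONG ulCount = 0;
    PLIST_ENTRY pList = NULL;
    PLIST_ENTRY pNextList = NULL;
    PKTIMER pTimer = NULL;

    pList = (PLIST_ENTRY)QueryTimerTableListHead(); /* table base, bucket 0 */
    if (pList == NULL)
    {
        KdPrint(("timer table failed\n"));
        return 0;
    }

    for (i = 0; i < NumberOfTimerTable; i++, pList++)
    {
        /* Fix: the original probed &pList (the address of the local variable,
           always valid) instead of the bucket itself. */
        if (!MmIsAddressValid((PVOID)pList))
        {
            KdPrint(("pList Failed\r\n"));
            return 0;
        }

        if (!MmIsAddressValid((PVOID)pList->Blink) ||
            !MmIsAddressValid((PVOID)pList->Flink))
        {
            KdPrint(("Blink Failed\r\n"));
            continue;
        }

        /* Walk the bucket backwards (Blink) until we are back at the list head. */
        for (pNextList = pList->Blink; pNextList != pList; pNextList = pNextList->Blink)
        {
            if (!MmIsAddressValid(pNextList))
            {
                break;
            }

            /* TimerListEntry is embedded in KTIMER; recover the containing object. */
            pTimer = CONTAINING_RECORD(pNextList, KTIMER, TimerListEntry);

            if (!MmIsAddressValid((PVOID)pTimer))
            {
                break;
            }
            /* Timers without a DPC (Dpc == NULL) fail this probe and end the bucket,
               as in the original; keep that behaviour so output stays comparable. */
            if (!MmIsAddressValid((PVOID)pTimer->Dpc))
            {
                break;
            }

            /* pTimer and pTimer->Dpc are already known valid here; only the
               remaining members need probing. */
            if (MmIsAddressValid((PVOID)pTimer->Dpc->DeferredRoutine) &&
                MmIsAddressValid((PVOID)&pTimer->Period))
            {
                DbgPrint("定时器对象:%08x 函数入口:%08x\n", pTimer, pTimer->Dpc->DeferredRoutine);
                ulCount++;
            }

            /* Stop before following a dangling Blink on the next iteration. */
            if (!MmIsAddressValid(pNextList->Blink))
            {
                break;
            }
        }
    }

    return ulCount;
}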
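/*
 * QueryTimerTableListHead - locate the kernel timer table by pattern-scanning
 * the first ScanLength bytes of KeUpdateSystemTime.
 *
 * The scan stops at the first 0x8d byte (the x86 `lea` opcode) and reads the
 * 32-bit value three bytes past it as the table address. That offset presumes
 * a specific instruction encoding in a specific XP build; on any other build
 * the match may be wrong or absent. The only validation is MmIsAddressValid on
 * the candidate, which proves the address is mapped, not that it is the timer
 * table, so callers must treat the result as a heuristic.
 *
 * Returns the table address as a ULONG (this routine is 32-bit-only: pointers
 * are carried in ULONG throughout), or 0 if KeUpdateSystemTime could not be
 * resolved or no mapped candidate was found in the scan window.
 */
ULONG QueryTimerTableListHead(VOID)
{
    /* Bytes of KeUpdateSystemTime to examine; the original hard-coded 200. */
    const ULONG ScanLength = 200;
    UNICODE_STRING UnicodeTimerHead;
    PUCHAR pRoutine;
    PUCHAR pByte;
    ULONG ulTimerTableListHead = 0;

    RtlInitUnicodeString(&UnicodeTimerHead, L"KeUpdateSystemTime");
    /* Keep the routine address as a byte pointer; the original assigned a ULONG
       to PUCHAR without a cast and compared mixed types in the loop bound. */
    pRoutine = (PUCHAR)MmGetSystemRoutineAddress(&UnicodeTimerHead);
    if (pRoutine == NULL)
    {
        return 0;
    }

    for (pByte = pRoutine; pByte < pRoutine + ScanLength; pByte++)
    {
        if (*pByte != 0x8d)
        {
            continue;
        }

        /* Displacement assumed at opcode + 3; reads up to 4 bytes past the
           scan window on the last iteration, exactly as the original did. */
        ulTimerTableListHead = *(PULONG)(pByte + 3);
        if (MmIsAddressValid((PVOID)ulTimerTableListHead))
        {
            DbgPrint("ulTimerTableListHead%08x", ulTimerTableListHead);
            return ulTimerTableListHead;
        }
    }

    /* Original returned NULL from a ULONG function; 0 is the same value, correctly typed. */
    return 0;
}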