IoCreateDevice:用于创建一个设备对象
RtlInitUnicodeString:初始化一个UNICODE_STRING类型的变量,第二个参数必须是宽字符串(字面量前加L,如L"...");该函数只保存指针而不复制字符串,源缓冲区在使用期间必须保持有效
IoCreateSymbolicLink:为设备对象创建一个符号链接
IoDeleteDevice:销毁一个设备对象
IoDeleteSymbolicLink:删除一个符号链接
ObReferenceObjectByName:通过对象名称取得对象指针(例如通过驱动名取得该驱动的驱动对象)
(此API未文档化,头文件中没有它的原型,故调用前需自行作如下声明;未文档化接口的行为可能随系统版本变化)
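/*
 * Manual prototype for ObReferenceObjectByName.
 *
 * The accompanying notes state that this API is undocumented, so a caller
 * has to supply the declaration itself. The linkage macro and the return
 * type are two separate tokens (NTKERNELAPI, then NTSTATUS); fused into one
 * word the declaration does not compile.
 *
 * On success *Object receives the object pointer. Per the notes, every
 * reference obtained this way has to be released with ObDereferenceObject.
 *
 * NOTE(review): because the routine is undocumented, its signature and
 * behaviour are not guaranteed across Windows versions - confirm against the
 * target build. Check the returned NTSTATUS before touching *Object.
 */
NTKERNELAPI
NTSTATUS
ObReferenceObjectByName(
    __in PUNICODE_STRING ObjectName,
    __in ULONG Attributes,
    __in_opt PACCESS_STATE AccessState,
    __in_opt ACCESS_MASK DesiredAccess,
    __in POBJECT_TYPE ObjectType,
    __in KPROCESSOR_MODE AccessMode,
    __inout_opt PVOID ParseContext,
    __out PVOID *Object
    );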
MmIsAddressValid:检测访问一个虚拟地址当前是否会触发缺页异常(结果只反映调用那一刻的状态,随后可能失效;不能用它代替对用户态指针的ProbeForRead/ProbeForWrite检查和异常处理)
ObDereferenceObject:使一个对象的引用计数减一
(取得了对象的引用,用完后一定要记住释放,否则该对象无法被回收)
_LDR_DATA_TABLE_ENTRY:DriverObject->DriverSection所指向的数据结构,描述一个已加载的模块,并通过其中的链表项把所有已加载驱动串联起来
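/*
 * LDR_DATA_TABLE_ENTRY - loader bookkeeping record for one loaded image.
 *
 * Per the accompanying notes, DRIVER_OBJECT.DriverSection points at one of
 * these and the LIST_ENTRY members chain the records of the loaded drivers.
 *
 * NOTE(review): this layout is not part of the documented driver interface
 * and is not stable. Field order and meaning differ between Windows builds
 * (public symbols describe the kernel-side record as _KLDR_DATA_TABLE_ENTRY),
 * so confirm every offset against symbols for the target build; a wrong
 * layout here ends in a bugcheck, not an error code.
 *
 * NOTE(review): the list is owned by the loader. Code that walks it without
 * the loader's synchronization can race with driver load/unload, and a list
 * that has been tampered with may contain dangling links - treat every Flink
 * and Blink as untrusted. Where only module names and base addresses are
 * needed, the documented AuxKlibQueryModuleInformation is the safer source.
 */
typedef struct _LDR_DATA_TABLE_ENTRY {
    LIST_ENTRY InLoadOrderLinks;            /* links to the neighbouring records */
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    PVOID DllBase;                          /* presumably the image base address - confirm */
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags;
    /* NOTE(review): WORD comes from the user-mode headers; in a kernel build
     * the same 16-bit type is normally spelled USHORT. */
    WORD LoadCount;
    WORD TlsIndex;
    union {
        LIST_ENTRY HashLinks;
        struct {
            PVOID SectionPointer;
            ULONG CheckSum;
        };
    };
    union {
        struct {
            ULONG TimeDateStamp;
        };                                  /* terminating ';' was missing here */
        struct {
            PVOID LoadedImports;
        };
    };
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;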