内核中线程的创建与销毁

本文转载自:http://hi.baidu.com/sysinternal/blog/item/f2b877084535c532e92488cc.html

用PsCreateSystemThread在内核中创建线程。读书笔记而已,高手飘过好了~~~~~

先用KmdManager加载驱动,然后在DebugView中查看。。。。

SysThread.c部分代码

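/*
 * Driver entry point: creates the control device object, installs the
 * dispatch routines and exposes the device through a Win32 symbolic link.
 *
 * pDriverObject - driver object supplied by the I/O manager.
 * regPath       - registry path of the driver's service key (not used here).
 *
 * Returns STATUS_SUCCESS, or the failing NTSTATUS from IoCreateDevice /
 * IoCreateSymbolicLink. When the symbolic link cannot be created the device
 * object is deleted again so nothing is leaked.
 */
NTSTATUS
DriverEntry(
    IN PDRIVER_OBJECT pDriverObject,
    IN PUNICODE_STRING regPath
    )
{
    PDEVICE_OBJECT pDeviceObject = NULL;
    PSYSTHREAD_DEVICE_EXTENSION pdx;
    NTSTATUS ntStatus;
    UNICODE_STRING uniNtNameString, uniWin32NameString;

    (void)regPath;

    RtlInitUnicodeString(&uniNtNameString, NT_DEVICE_NAME);
    ntStatus = IoCreateDevice(
                   pDriverObject,
                   sizeof(SYSTHREAD_DEVICE_EXTENSION), // DeviceExtensionSize
                   &uniNtNameString,
                   FILE_DEVICE_UNKNOWN,
                   0,                                   // No standard device characteristics
                   FALSE,                               // not exclusive device
                   &pDeviceObject
                   );
    if (!NT_SUCCESS(ntStatus)) {
        return ntStatus;
    }

    // Make the "no worker thread yet" state explicit instead of relying on
    // the extension's initial contents: the stop path must be able to tell
    // whether a thread was ever started before waiting on pdx->thread.
    pdx = (PSYSTHREAD_DEVICE_EXTENSION) pDeviceObject->DeviceExtension;
    pdx->thread = NULL;

    // 派遣函数 -> dispatch routines
    pDriverObject->MajorFunction[IRP_MJ_CREATE] = SysThreadOpen;
    pDriverObject->MajorFunction[IRP_MJ_CLOSE] = SysThreadClose;
    pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = SysThreadDeviceIoControl;
    pDriverObject->DriverUnload = SysThreadUnload;

    pDeviceObject->Flags |= DO_BUFFERED_IO;

    RtlInitUnicodeString(&uniWin32NameString, DOS_DEVICE_NAME);
    ntStatus = IoCreateSymbolicLink(&uniWin32NameString, &uniNtNameString);
    if (!NT_SUCCESS(ntStatus)) {
        // Undo the device creation so a failed load leaves nothing behind.
        IoDeleteDevice(pDeviceObject);
    }

    return ntStatus;
}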
///
///

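/*
 * Driver unload routine: removes the Win32 symbolic link and the device
 * object created in DriverEntry.
 *
 * pDriverObject - driver object being unloaded.
 *
 * NOTE(review): nothing here stops a worker thread that is still running
 * (IOCTL_SYSTHREAD_START without a matching IOCTL_SYSTHREAD_STOP); the stop
 * IOCTL has to be issued before the driver is unloaded, otherwise ThreadProc
 * keeps executing from an image that is about to be unmapped. Confirm the
 * intended lifecycle before relying on this.
 */
void
SysThreadUnload(
    IN PDRIVER_OBJECT pDriverObject
    )
{
    UNICODE_STRING uniWin32NameString;

    RtlInitUnicodeString(&uniWin32NameString, DOS_DEVICE_NAME);
    IoDeleteSymbolicLink(&uniWin32NameString);
    IoDeleteDevice(pDriverObject->DeviceObject);
}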
///
///

/*
 * IRP_MJ_CREATE handler: every open of the control device is accepted and
 * the IRP is completed at once with STATUS_SUCCESS and no bytes transferred.
 */
NTSTATUS
SysThreadOpen(
    IN PDEVICE_OBJECT pDeviceObject,
    IN PIRP pIrp
    )
{
    const NTSTATUS status = STATUS_SUCCESS;

    (void)pDeviceObject;

    KdPrint((" SysThreadOpen() was Called.... \n"));

    pIrp->IoStatus.Information = 0;
    pIrp->IoStatus.Status = status;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);

    return status;
}

///
///

/*
 * IRP_MJ_CLOSE handler: mirror of SysThreadOpen — completes the IRP
 * immediately with STATUS_SUCCESS and zero bytes transferred.
 */
NTSTATUS
SysThreadClose(
    IN PDEVICE_OBJECT pDeviceObject,
    IN PIRP pIrp
    )
{
    const NTSTATUS status = STATUS_SUCCESS;

    (void)pDeviceObject;

    KdPrint((" SysThreadClose() was Called.... \n"));

    pIrp->IoStatus.Information = 0;
    pIrp->IoStatus.Status = status;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);

    return status;
}
///
///

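/*
 * IRP_MJ_DEVICE_CONTROL handler: starts or stops the worker thread.
 *
 * pDeviceObject - control device; its extension holds the thread state.
 * pIrp          - the request; only the control code is used, no buffers.
 *
 * The IRP is completed with the same NTSTATUS that is returned:
 *   IOCTL_SYSTHREAD_START - result of StartThread, or STATUS_DEVICE_BUSY if
 *                           a thread is already running (a second start would
 *                           overwrite pdx->thread and leak the first one);
 *   IOCTL_SYSTHREAD_STOP  - STATUS_SUCCESS, or STATUS_INVALID_DEVICE_STATE
 *                           when no thread is running (the original waited on
 *                           a NULL thread pointer in that case);
 *   anything else         - STATUS_INVALID_DEVICE_REQUEST.
 * Information is always 0: these codes transfer no data.
 *
 * NOTE(review): start/stop requests are not serialized against each other;
 * concurrent callers could still race on pdx->thread.
 */
NTSTATUS
SysThreadDeviceIoControl(
    IN PDEVICE_OBJECT pDeviceObject,
    IN PIRP pIrp
    )
{
    NTSTATUS ntStatus;
    PIO_STACK_LOCATION pIrpStack;
    PSYSTHREAD_DEVICE_EXTENSION pdx;
    ULONG dwControlCode;

    pdx = (PSYSTHREAD_DEVICE_EXTENSION) pDeviceObject->DeviceExtension;
    pIrpStack = IoGetCurrentIrpStackLocation(pIrp);
    // The control code comes straight from user mode: anything that is not
    // explicitly handled is rejected rather than reported as success.
    dwControlCode = pIrpStack->Parameters.DeviceIoControl.IoControlCode;

    switch (dwControlCode)
    {
        case IOCTL_SYSTHREAD_START:               // 线程开始 -> start the thread
            if (pdx->thread != NULL) {
                ntStatus = STATUS_DEVICE_BUSY;
            } else {
                ntStatus = StartThread(pdx);      // failure is propagated, not hidden
            }
            break;

        case IOCTL_SYSTHREAD_STOP:                // 线程结束 -> stop the thread
            if (pdx->thread == NULL) {
                ntStatus = STATUS_INVALID_DEVICE_STATE;
            } else {
                StopThread(pdx);
                // StopThread released the reference; drop the stale pointer so
                // a later START is allowed and a repeated STOP is refused.
                pdx->thread = NULL;
                ntStatus = STATUS_SUCCESS;
            }
            break;

        default:
            ntStatus = STATUS_INVALID_DEVICE_REQUEST;
            break;
    }

    pIrp->IoStatus.Status = ntStatus;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);

    return ntStatus;
}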

///
///
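/*
 * Creates the worker thread and stores a referenced thread object in
 * pdx->thread so that StopThread can wait for it.
 *
 * pdx - device extension; evKill is (re)initialized here, and thread is set
 *       to the referenced thread object on success and to NULL on failure.
 *
 * Returns STATUS_SUCCESS, or the failing NTSTATUS from PsCreateSystemThread
 * or ObReferenceObjectByHandle. The temporary handle is closed on every path
 * that obtained one.
 */
NTSTATUS StartThread(PSYSTHREAD_DEVICE_EXTENSION pdx)
{
    NTSTATUS status;
    HANDLE hthread = NULL;
    OBJECT_ATTRIBUTES oa;

    // 初始化event对象 -> initialize the kill event
    KeInitializeEvent(&pdx->evKill,
                      SynchronizationEvent, // auto reset
                      FALSE                 // initial state : FALSE ==> non-signaled
                      );

    // This runs in the context of the user-mode process that sent the IOCTL
    // (SysThreadDeviceIoControl). Without OBJ_KERNEL_HANDLE the thread handle
    // would be created in that process's handle table, where user mode could
    // reach a THREAD_ALL_ACCESS handle to a system thread.
    InitializeObjectAttributes(&oa, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);

    // 创建ThreadProc -> create the worker thread
    status = PsCreateSystemThread(&hthread,
                                  THREAD_ALL_ACCESS,
                                  &oa,
                                  NULL,
                                  NULL,
                                  (PKSTART_ROUTINE) ThreadProc,
                                  pdx
                                  );
    if (!NT_SUCCESS(status))
    {
        KdPrint(("Fail Start ThreadProc()!\n"));
        pdx->thread = NULL;
        return status;
    }

    // Turn the handle into a referenced object. The original ignored this
    // result, which left pdx->thread unusable if the call failed.
    status = ObReferenceObjectByHandle(hthread,
                                       THREAD_ALL_ACCESS,
                                       NULL,
                                       KernelMode,
                                       (PVOID *) &pdx->thread,
                                       NULL
                                       );
    ZwClose(hthread);

    if (!NT_SUCCESS(status))
    {
        KdPrint(("Fail to reference ThreadProc() thread object!\n"));
        // The thread is already running; tell it to exit (it terminates
        // itself via PsTerminateSystemThread) and record that we do not own
        // a reference to it.
        KeSetEvent(&pdx->evKill, 0, FALSE);
        pdx->thread = NULL;
        return status;
    }

    return STATUS_SUCCESS;
}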
///
///

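/*
 * Signals the worker thread to exit, waits for it to finish and releases the
 * reference taken in StartThread.
 *
 * pdx - device extension; pdx->thread is reset to NULL afterwards, so a stop
 *       before any start, or a second stop, is a harmless no-op instead of a
 *       wait on a NULL or already-released thread object.
 */
VOID StopThread(PSYSTHREAD_DEVICE_EXTENSION pdx)
{
    PVOID thread = pdx->thread;

    if (thread == NULL) {
        return;
    }

    KeSetEvent(&pdx->evKill, 0, FALSE); // 通过KeSetEvent事件结束线程 -> ask the thread to exit
    KeWaitForSingleObject(thread, Executive, KernelMode, FALSE, NULL);
    ObDereferenceObject(thread);
    pdx->thread = NULL;
}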
///
///
/*
 * Worker thread body. Waits on evKill with a one-second timeout: each
 * timeout prints a progress line, a signaled event ends the loop. The thread
 * finishes through PsTerminateSystemThread, so this function never returns.
 */
VOID ThreadProc(PSYSTHREAD_DEVICE_EXTENSION pdx)
{
    LARGE_INTEGER interval;
    int seconds = 0;

    interval.QuadPart = -10000000LL; // relative time in 100 ns units: 1 second

    // 通过设置超时,每隔一秒打印一句话 -> print one line per second until told to stop
    for (;;)
    {
        NTSTATUS wait = KeWaitForSingleObject(&pdx->evKill, Executive, KernelMode, FALSE, &interval);
        if (wait != STATUS_TIMEOUT)
        {
            break;
        }
        KdPrint(("^_^ ThreadProc()运行了%d秒!\n", seconds++));
    }

    KdPrint(("^_^ ThreadProc()停止!\n"));
    PsTerminateSystemThread(STATUS_SUCCESS);
}
 