关于驱动问题的请教 [文字模式]
- 看雪安全论坛
查看完整版本 :
HETTON小弟在这里发过帖请教过,也感谢各位对我的帮助,致使我解决问题.我这个驱动我相信很多牛人已经看到过,经测试在虚拟机中完全无问题,但是一在真机中运行,再装QQ管家,就会蓝屏,或者装完重启了蓝屏,我这里的源码有没有牛人能帮忙看看哪里有无问题,在此拜谢
#include &ntifs.h&
#include &ntstrsafe.h&
#include &ntddk.h&
#include &string.h&
#define REGISTRY_POOL_TAG 'pRE'
LARGE_INTEGER g_CallbackC
ANSI_STRING
VOID UnloadDriver(PDRIVER_OBJECT DriverObject);
NTSTATUS RegistryCallback(IN PVOID CallbackContext, IN PVOID Argument1, IN PVOID Argument2);
BOOLEAN GetRegistryObjectCompleteName(PUNICODE_STRING pRegistryPath, PUNICODE_STRING pPartialRegistryPath,PVOID pRegistryObject);
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
DbgPrint(&[RegRoutine]Loading!\n&);
DriverObject-&DriverUnload = UnloadD
st = CmRegisterCallback(RegistryCallback,NULL,&g_CallbackCookie);
if ( !NT_SUCCESS(st) )
DbgPrint(&[RegRoutine]CmRegisterCallback Failed!\n&);
DbgPrint(&[RegRoutine]RegistryCallback Addr:0x%08X\n&,RegistryCallback);
DbgPrint(&[RegRoutine]Cookie.LowPart:0x%08X Cookie.HighPart:0x%08X\n&,g_CallbackCookie.LowPart,g_CallbackCookie.HighPart);
VOID UnloadDriver(PDRIVER_OBJECT DriverObject)
CmUnRegisterCallback(g_CallbackCookie);
DbgPrint(&[RegRoutine]UnLoading!\n&);
RegistryCallback( IN PVOID CallbackContext, IN PVOID Argument1, IN PVOID Argument2 )
BOOLEAN exception = FALSE;
BOOLEAN registryEventIsValid = FALSE;
UNICODE_STRING registryP
UCHAR* registryData = NULL;
ULONG registryDataLength = 0;
ULONG registryDataType = 0;
registryPath.Length = 0;
registryPath.MaximumLength = NTSTRSAFE_UNICODE_STRING_MAX_CCH * sizeof(WCHAR);
registryPath.Buffer = ExAllocatePoolWithTag(NonPagedPool, registryPath.MaximumLength, 'ConT');
if(registryPath.Buffer == NULL)
DbgPrint(&[RegRoutine]Allocate registryPath failed!\n&);
return STATUS_SUCCESS;
type = (REG_NOTIFY_CLASS)Argument1;
switch(type)
case RegNtDeleteValueKey:
PREG_DELETE_VALUE_KEY_INFORMATION deleteValueKey = (PREG_DELETE_VALUE_KEY_INFORMATION)Argument2;
if( MmIsAddressValid(deleteValueKey-&ValueName))
registryEventIsValid = GetRegistryObjectCompleteName(&registryPath, NULL, deleteValueKey-&Object);
if((registryEventIsValid) && (deleteValueKey-&ValueName-&Length & 0))
RtlUnicodeStringToAnsiString(&astr,&registryPath,TRUE);
DbgPrint(&[RegDeletedKey]KeyName:%s!\n&,astr.Buffer);
RtlFreeAnsiString(&astr);
RtlUnicodeStringToAnsiString(&astr,deleteValueKey-&ValueName,TRUE);
DbgPrint(&[RegDelValue]ValueName:%s!\n&,astr.Buffer);
if (!_stricmp(astr.Buffer,&Start Page&) )
DbgPrint(&[RegDelValue]Forbin!\n&);
DbgPrint(&[RegDelValue]ForbinKeyName:%s!\n&,deleteValueKey-&ValueName);
RtlFreeAnsiString(&astr);
return STATUS_INVALID_PARAMETER;
RtlFreeAnsiString(&astr);
case RegNtPreSetValueKey:
PREG_SET_VALUE_KEY_INFORMATION setValueKey = (PREG_SET_VALUE_KEY_INFORMATION)Argument2;
if( MmIsAddressValid(setValueKey-&ValueName) )
registryEventIsValid = GetRegistryObjectCompleteName(&registryPath, NULL, setValueKey-&Object);
if((registryEventIsValid) && (setValueKey-&ValueName-&Length & 0))
RtlUnicodeStringToAnsiString(&astr,&registryPath,TRUE);
DbgPrint(&[RegSetKey]KeyName:%s!\n&,astr.Buffer);
RtlFreeAnsiString(&astr);
registryDataType = setValueKey-&T
registryDataLength = setValueKey-&DataS
registryData = ExAllocatePoolWithTag(NonPagedPool, registryDataLength, REGISTRY_POOL_TAG);
RtlUnicodeStringToAnsiString(&astr,setValueKey-&ValueName,TRUE);
DbgPrint(&[RegSetValue]ValueName:%s!\n&,astr.Buffer);
if(registryData != NULL)
if (!_stricmp(astr.Buffer,&Start Page&) )
DbgPrint(&[RegSetValue]Forbin!\n&);
DbgPrint(&[RegSetValue]ForbinKeyName:%s!\n&,astr.Buffer);
RtlFreeAnsiString(&astr);
return STATUS_INVALID_PARAMETER;
RtlFreeAnsiString(&astr);
except( EXCEPTION_EXECUTE_HANDLER )
DbgPrint(&[RegRoutine]Catch a Expection!\n&);
exception = TRUE;
registryEventIsValid = FALSE;
if(registryEventIsValid)
if(registryData != NULL)
ExFreePoolWithTag(registryData, REGISTRY_POOL_TAG);
if(registryPath.Buffer != NULL)
ExFreePoolWithTag(registryPath.Buffer, 'ConT');
return STATUS_SUCCESS;
BOOLEAN GetRegistryObjectCompleteName(PUNICODE_STRING pRegistryPath, PUNICODE_STRING pPartialRegistryPath, PVOID pRegistryObject)
BOOLEAN foundCompleteName = FALSE;
BOOLEAN partial = FALSE;
ULONG returnedL
PUNICODE_STRING pObjectName = NULL;
//判断object的有效性
if( (!MmIsAddressValid(pRegistryObject)) || (pRegistryObject == NULL) )
DbgPrint(&[RegRoutine]pRegistryObject Invalid!\n&);
return FALSE;
if(pPartialRegistryPath != NULL)
if( (((pPartialRegistryPath-&Buffer[0] == '\\') || (pPartialRegistryPath-&Buffer[0] == '%')) ||
((pPartialRegistryPath-&Buffer[0] == 'T') && (pPartialRegistryPath-&Buffer[1] == 'R') &&
(pPartialRegistryPath-&Buffer[2] == 'Y') && (pPartialRegistryPath-&Buffer[3] == '\\'))) )
RtlUnicodeStringCopy(pRegistryPath, pPartialRegistryPath);
partial = TRUE;
foundCompleteName = TRUE;
if(!foundCompleteName)
//使用ObQueryNameString来得到object对应的名称
status = ObQueryNameString(pRegistryObject, (POBJECT_NAME_INFORMATION)pObjectName, 0, &returnedLength );
//第一次传的buffer长度为0，ObQueryNameString返回的结果必定是缓冲区大小不足
if(status == STATUS_INFO_LENGTH_MISMATCH)
pObjectName = ExAllocatePoolWithTag(NonPagedPool, returnedLength, 'ConT'); //申请内存
if( pObjectName == NULL ) //申请内存失败则返回FALSE
DbgPrint(&[RegRoutine]AllocatePool Failed!\n&);
return FALSE;
//查询名称
status = ObQueryNameString(pRegistryObject, (POBJECT_NAME_INFORMATION)pObjectName, returnedLength, &returnedLength );
if(NT_SUCCESS(status))
RtlUnicodeStringCopy(pRegistryPath, pObjectName);
//拷贝名称
foundCompleteName = TRUE;
ExFreePoolWithTag(pObjectName, 'ConT');
//无论查询是否成功都应该释放内存
return foundCompleteN
yurnero蓝屏应该生成蓝屏的转储文件，使用windbg打开，会很明确的提示是哪个驱动导致的蓝屏以及蓝屏时的堆栈信息；如果本地有驱动的符号表，windbg会直接找到导致蓝屏的那一行代码
HETTON我看了4个蓝屏的DUMP的文件,指向了5行不同的代码,很疑惑,但是我感觉没有错,其中有一个是指向了RtlFreeAnsiString(&astr);
HETTON有没有人可以解此难题,望指教
kaizhiyu这个很复杂
实力现在还不够
HETTON让我自己很无奈的是在虚拟机上测试完好,一到真机,就会蓝屏,是不是和其他软件冲突,我是装了QQ管家才这样的
HETTON我的这段代码上有无任何问题,希望可以指教
HETTON木有大神知道么
zhouws把DbgPrint全部注释掉看看
HETTON打印语句也会有关系么?
卡不死哈哈！！！！
HETTON啊啊,求大神指导啊!
HETTONcase RegNtPreSetValueKey:
PREG_SET_VALUE_KEY_INFORMATION setValueKey = (PREG_SET_VALUE_KEY_INFORMATION)Argument2;
if( MmIsAddressValid(setValueKey-&ValueName) )
registryEventIsValid = GetRegistryObjectCompleteName(&registryPath, NULL, setValueKey-&Object);
if((registryEventIsValid) && (setValueKey-&ValueName-&Length & 0))
RtlUnicodeStringToAnsiString(&astr,&registryPath,TRUE);
DbgPrint(&[RegSetKey]KeyName:%s!\n&,astr.Buffer);
RtlFreeAnsiString(&astr);
registryDataType = setValueKey-&T
registryDataLength = setValueKey-&DataS
registryData = ExAllocatePoolWithTag(NonPagedPool, registryDataLength, REGISTRY_POOL_TAG);
RtlUnicodeStringToAnsiString(&astr,setValueKey-&ValueName,TRUE);
DbgPrint(&[RegSetValue]ValueName:%s!\n&,astr.Buffer);
if(registryData != NULL)
if (!_stricmp(astr.Buffer,&Start Page&) )
DbgPrint(&[RegSetValue]Forbin!\n&);
DbgPrint(&[RegSetValue]ForbinKeyName:%s!\n&,astr.Buffer);
RtlFreeAnsiString(&astr);
return STATUS_INVALID_PARAMETER;
RtlFreeAnsiString(&astr);
用了WINDBG分析了核心转储的DUMP文件,指向了这个CASE情况中
registryDataType = setValueKey-&T
有问题,有大神能指教错在哪么
zhouws跟你说了，你还不愿意照着做一下。看了你之前发的帖子，有人也指出这个问题了，你却还没领悟
lovelydayDbgPrint(&[RegSetValue]ValueName:%s!\n&,astr.Buffer);
这里有问题，Buffer不一定有0结尾。估计还有，没仔细看。
貌似前面有个哥们说过注释掉DbgPrint。
HETTON把Dbgprint都注释掉了,情况还是一样
HETTON我一装QQ管家,只要一安装到这个QQ管家的TsFlMgr.sys这个驱动,就蓝屏
HETTON或者是一重启就蓝屏
HETTON83a07b3c 840a020c b320b27c 83a07be8 0000002c nt!CmpGetValueKeyFromCache+0x9e
83a07ba8 a07c38 83a07be8 83a07be4 nt!CmpFindValueByNameFromCache+0xa2
83a07c1c 94cd8 0eda8 nt!CmQueryValueKey+0x350
83a07cd0 8d368 000002 nt!NtQueryValueKey+0x312
WARNING: Stack unwind information not available. Following frames may be wrong.
83a07d14 83e68 000002 TsFltMgr+0x442b
83a07d14 77a270b4 0ee6c
nt!KiFastCallEntry+0x12a
00 x77a270b4
每次都是在QQ管家的这个驱动这里出错,是不是说QQ管家保护了电脑不让加载驱动?
zhouws首先你要自己学会分析下dump,至少你把windbg的dump分析发上来让大家看下。
另外0截断那个问题，不止是dbgprint有，
if (!_stricmp(astr.Buffer,&Start Page&) )
这里也有问题。你自己检查下。
HETTONKERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
This is a very common bugcheck.
Usually the exception address pinpoints
the driver/function that caused the problem.
Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x.
This means a hard
coded breakpoint or assertion was hit, but this system was booted
This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.
This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 83f74359, The address that the exception occurred at
Arg3: 83a07a54, Trap Frame
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - 0x%08lx
FAULTING_IP:
nt!ExAllocatePoolWithTag+34f
word ptr [esi+2],ax
TRAP_FRAME:
83a07a54 -- (.trap 0xffffffff83a07a54)
eax= ebx= ecx= edx=000001ff esi= edi=000001ff
eip=83f74359 esp=83a07ac8 ebp=83a07b14 iopl=0
nv up ei pl nz na pe nc
nt!ExAllocatePoolWithTag+0x34f:
word ptr [esi+2],ax
Resetting default scope
DEFAULT_BUCKET_ID:
WIN7_DRIVER_FAULT
BUGCHECK_STR:
PROCESS_NAME:
QQPCMgr.exe
CURRENT_IRQL:
LAST_CONTROL_TRANSFER:
from 83f0901c to 83f32e9c
STACK_TEXT:
83a075c4 83f8e cf74359 nt!KeBugCheckEx+0x1e
83a079e4 83e92e66 83a07a00 a07a54 nt!KiDispatchException+0x1ac
83a07a4c 83e92e1a 83a07b14 83f74359 badb0d00 nt!CommonDispatchException+0x4a
83a07ae0 8409e56e a6dfc52c cec3e5c0
nt!KiExceptionExit+0x192
83a07b14 34 61564d43 nt!HvpGetCellPaged+0x15e
83a07b3c 840a020c b320b27c 83a07be8 0000002c nt!CmpGetValueKeyFromCache+0x9e
83a07ba8 a07c38 83a07be8 83a07be4 nt!CmpFindValueByNameFromCache+0xa2
83a07c1c 94cd8 0eda8 nt!CmQueryValueKey+0x350
83a07cd0 8d368 000002 nt!NtQueryValueKey+0x312
WARNING: Stack unwind information not available. Following frames may be wrong.
83a07d14 83e68 000002 TsFltMgr+0x442b
83a07d14 77a270b4 0ee6c
nt!KiFastCallEntry+0x12a
00 x77a270b4
STACK_COMMAND:
FOLLOWUP_IP:
TsFltMgr+442b
ecx,dword ptr [esp+0Ch]
SYMBOL_STACK_INDEX:
SYMBOL_NAME:
TsFltMgr+442b
FOLLOWUP_NAME:
MachineOwner
MODULE_NAME: TsFltMgr
IMAGE_NAME:
TsFltMgr.sys
DEBUG_FLR_IMAGE_TIMESTAMP:
FAILURE_BUCKET_ID:
0x8E_TsFltMgr+442b
BUCKET_ID:
0x8E_TsFltMgr+442b
Followup: MachineOwner
zhouwsKERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
This is a very common bugcheck.
Usually the exception address pinpoints
the driver/function that caused the pr...
有难度，目测不出来
HETTON应该是QQ管家的驱动过滤把
HETTON有没有大神帮忙能看下这个错误分析.是QQ管家的那个驱动和我的驱动冲突了么
BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Debugging Details:
------------------
BUGCHECK_STR:
POOL_ADDRESS:
DEFAULT_BUCKET_ID:
WIN7_DRIVER_FAULT
PROCESS_NAME:
QQVCRTP.exe
CURRENT_IRQL:
EXCEPTION_RECORD:
adfe3a5c -- (.exr 0xffffffffadfe3a5c)
ExceptionAddress: 8449e03e (nt!RtlUnicodeStringToAnsiString+0x)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags:
NumberParameters: 2
Parameter[0]:
Parameter[1]:
Attempt to write to address
TRAP_FRAME:
adfe3ab0 -- (.trap 0xffffffffadfe3ab0)
eax= ebx= ecx= edx= esi=8ff64018 edi=
eip=8449e03e esp=adfe3b24 ebp=adfe3b58 iopl=0
nv up ei pl zr na pe nc
nt!RtlUnicodeStringToAnsiString+0xb3:
byte ptr [ecx+eax],bl
Resetting default scope
LAST_CONTROL_TRANSFER:
from 84357bf9 to 842cae30
STACK_TEXT:
adfe3050 adfe3044 nt!ExpFindAndRemoveTagBigPages+0x1fd
adfea76 00000 adfe3b58 nt!ExFreePoolWithTag+0x13f
adfe9 add36 842b13c0 nt!ExFreePool+0xf
adfe30a0 842add36 842b13c0 adfe312c 842b13d0 nt!RtlUnicodeStringToAnsiString+0xf9
adfe30a4 842b13c0 adfe312c 842b13d0 88e780da nt!_NLG_Return2
adfe30d0 842b148c 84361a48 adfe3b48 fffffffe nt!_local_unwind4+0x80
adfe30e4 842f6dba adfe3b58 00000 nt!_EH4_LocalUnwind+0x10
adfe2 adfe31e0 adfe3b48 adfe3230 nt!_except_handler4+0x14f
adfed4 adfe31e0 adfe3b48 adfe3230 nt!ExecuteHandler2+0x26
adfe315c 842effe8 adfe31e0 adfe3b48 adfe3230 nt!ExecuteHandler+0x24
adfe7b3 adfe3b94 8ff627b3
nt!RtlUnwind+0x126
adfe352c 8ff00 00000 BrowserSafe!_EH4_GlobalUnwind+0x15 [d:\5359\minkernel\crts\crtw32\misc\i386\exsup4.asm @ 498]
adfe2 fffffffe adfe3b94 adfe3640 BrowserSafe!_except_handler4+0xe7 [d:\5359\minkernel\crts\crtw32\misc\i386\chandler4.c @ 397]
adfed4 adfe3a5c adfe3b94 adfe3640 nt!ExecuteHandler2+0x26
adfe359c 842e3348 adfe3a5c adfe3b94 adfe3640 nt!ExecuteHandler+0x24
adfeebfec adfe3a5c adfe7 nt!RtlDispatchException+0xb6
adfe3a40 84275e66 adfe3a5c
adfe3ab0 nt!KiDispatchException+0x17c
adfe3aa8 84275e1a adfe3b58 8449e03e badb0d00 nt!CommonDispatchException+0x4a
adfe3b58 8ff018 00001 nt!KiExceptionExit+0x192
adfe3ba4 844d4c7d 00001 adfe3c48 BrowserSafe!RegistryCallback+0x122 [c:\users\yn\desktop\my software\????cmregistercallback?????????? 1/2 ???×??á±í 1/4 à??u??ú????×?\operatereg\protectreg.c @ 106]
adfe3c18 00001 adfe3c48
nt!CmpCallCallBacks+0x156
adfe3cd0 8d7e4 07dcdb64
nt!NtSetValueKey+0x2e5
WARNING: Stack unwind information not available. Following frames may be wrong.
adfe3d14 dcdb64
TsFltMgr+0x336b
adfe3d14 777c70b4
nt!KiFastCallEntry+0x12a
07dcdb38 00 x777c70b4
STACK_COMMAND:
FOLLOWUP_IP:
BrowserSafe!_EH4_GlobalUnwind+15 [d:\5359\minkernel\crts\crtw32\misc\i386\exsup4.asm @ 498]
8ff627b3 5f
FAULTING_SOURCE_LINE:
d:\5359\minkernel\crts\crtw32\misc\i386\exsup4.asm
FAULTING_SOURCE_FILE:
d:\5359\minkernel\crts\crtw32\misc\i386\exsup4.asm
FAULTING_SOURCE_LINE_NUMBER:
FAULTING_SOURCE_CODE:
No source found for 'd:\5359\minkernel\crts\crtw32\misc\i386\exsup4.asm'
SYMBOL_STACK_INDEX:
SYMBOL_NAME:
BrowserSafe!_EH4_GlobalUnwind+15
FOLLOWUP_NAME:
MachineOwner
MODULE_NAME: BrowserSafe
IMAGE_NAME:
BrowserSafe.sys
DEBUG_FLR_IMAGE_TIMESTAMP:
FAILURE_BUCKET_ID:
0x19_22_BrowserSafe!_EH4_GlobalUnwind+15
BUCKET_ID:
0x19_22_BrowserSafe!_EH4_GlobalUnwind+15
Followup: MachineOwner
HETTON请问各位大神我的这个CMregistrycallback的注册表保护驱动和QQ管家的IE主页保护是一个原理么,就是case presetvaluekey 这个情况加上就蓝屏
yxhbboy请问各位大神我的这个CMregistrycallback的注册表保护驱动和QQ管家的IE主页保护是一个原理么,就是case presetvaluekey 这个情况加上就蓝屏
你写的编码方式和企鹅的编码方式不同，同时操作注册表的时候会有问题。你全部改成unicode吧。
HETTON这段代码用windbg分析错误,它指向了我红色的这一行,不明白是哪里出错了
#include &ntifs.h&
#include &ntstrsafe.h&
#include &ntddk.h&
#include &string.h&
#define REGISTRY_POOL_TAG 'pRE'
LARGE_INTEGER g_CallbackC
ANSI_STRING
VOID UnloadDriver(PDRIVER_OBJECT DriverObject);
NTSTATUS RegistryCallback(IN PVOID CallbackContext, IN PVOID Argument1, IN PVOID Argument2);
BOOLEAN GetRegistryObjectCompleteName(PUNICODE_STRING pRegistryPath, PUNICODE_STRING pPartialRegistryPath,PVOID pRegistryObject);
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
DbgPrint(&[RegRoutine]Loading!\n&);
DriverObject-&DriverUnload = UnloadD
st = CmRegisterCallback(RegistryCallback,NULL,&g_CallbackCookie);
if ( !NT_SUCCESS(st) )
DbgPrint(&[RegRoutine]CmRegisterCallback Failed!\n&);
//DbgPrint(&[RegRoutine]RegistryCallback Addr:0x%08X\n&,RegistryCallback);
//DbgPrint(&[RegRoutine]Cookie.LowPart:0x%08X Cookie.HighPart:0x%08X\n&,g_CallbackCookie.LowPart,g_CallbackCookie.HighPart);
VOID UnloadDriver(PDRIVER_OBJECT DriverObject)
CmUnRegisterCallback(g_CallbackCookie);
DbgPrint(&[RegRoutine]UnLoading!\n&);
RegistryCallback( IN PVOID CallbackContext, IN PVOID Argument1, IN PVOID Argument2 )
BOOLEAN exception = FALSE;
BOOLEAN registryEventIsValid = FALSE;
UNICODE_STRING registryP
UCHAR* registryData = NULL;
ULONG registryDataLength = 0;
ULONG registryDataType = 0;
registryPath.Length = 0;
registryPath.MaximumLength = NTSTRSAFE_UNICODE_STRING_MAX_CCH * sizeof(WCHAR);
registryPath.Buffer = ExAllocatePoolWithTag(NonPagedPool, registryPath.MaximumLength, 'ConT');
if(registryPath.Buffer == NULL)
DbgPrint(&[RegRoutine]Allocate registryPath failed!\n&);
return STATUS_SUCCESS;
type = (REG_NOTIFY_CLASS)Argument1;
switch(type)
case RegNtDeleteValueKey:
PREG_DELETE_VALUE_KEY_INFORMATION deleteValueKey = (PREG_DELETE_VALUE_KEY_INFORMATION)Argument2;
if( MmIsAddressValid(deleteValueKey-&ValueName))
registryEventIsValid = GetRegistryObjectCompleteName(&registryPath, NULL, deleteValueKey-&Object);
if((registryEventIsValid) && (deleteValueKey-&ValueName-&Length & 0))
//RtlUnicodeStringToAnsiString(&astr,&registryPath,TRUE);
//DbgPrint(&[RegDeletedKey]KeyName:%s!\n&,astr.Buffer);
//RtlFreeAnsiString(&astr);
RtlUnicodeStringToAnsiString(&astr,deleteValueKey-&ValueName,TRUE);
// DbgPrint(&[RegDelValue]ValueName:%s!\n&,astr.Buffer);
if (!strncmp(astr.Buffer,&Start Page&,deleteValueKey-&ValueName-&MaximumLength) )
DbgPrint(&[RegDelValue]Forbin!\n&);
RtlFreeAnsiString(&astr);
return STATUS_INVALID_PARAMETER;
RtlFreeAnsiString(&astr);
case RegNtPreSetValueKey:
PREG_SET_VALUE_KEY_INFORMATION setValueKey = (PREG_SET_VALUE_KEY_INFORMATION)Argument2;
if( MmIsAddressValid(setValueKey-&ValueName) )
registryEventIsValid = GetRegistryObjectCompleteName(&registryPath, NULL, setValueKey-&Object);
if((registryEventIsValid) && (setValueKey-&ValueName-&Length & 0))
//RtlUnicodeStringToAnsiString(&astr,&registryPath,TRUE);
//DbgPrint(&[RegSetKey]KeyName:%s!\n&,astr.Buffer);
//RtlFreeAnsiString(&astr);
registryDataType = setValueKey-&T
registryDataLength = setValueKey-&DataS
registryData = ExAllocatePoolWithTag(NonPagedPool, registryDataLength, REGISTRY_POOL_TAG);
//RtlFreeAnsiString(&astr);
RtlUnicodeStringToAnsiString(&astr,setValueKey-&ValueName,TRUE);
//DbgPrint(&[RegSetValue]ValueName:%d!\n&,setValueKey-&ValueName-&MaximumLength);
if (!strncmp(astr.Buffer,&Start Page&,setValueKey-&ValueName-&MaximumLength) )
DbgPrint(&[RegSetValue]Forbin!\n&);
//DbgPrint(&[RegSetValue]ForbinKeyName:%s!\n&,astr.Buffer);
RtlFreeAnsiString(&astr);
return STATUS_INVALID_PARAMETER;
RtlFreeAnsiString(&astr);
except( EXCEPTION_EXECUTE_HANDLER )
DbgPrint(&[RegRoutine]Catch a Expection!\n&);
exception = TRUE;
registryEventIsValid = FALSE;
if(registryEventIsValid)
if(registryData != NULL)
ExFreePoolWithTag(registryData, REGISTRY_POOL_TAG);
if(registryPath.Buffer != NULL)
ExFreePoolWithTag(registryPath.Buffer, 'ConT');
return STATUS_SUCCESS;
BOOLEAN GetRegistryObjectCompleteName(PUNICODE_STRING pRegistryPath, PUNICODE_STRING pPartialRegistryPath, PVOID pRegistryObject)
BOOLEAN foundCompleteName = FALSE;
BOOLEAN partial = FALSE;
ULONG returnedL
PUNICODE_STRING pObjectName = NULL;
//判断object的有效性
if( (!MmIsAddressValid(pRegistryObject)) || (pRegistryObject == NULL) )
DbgPrint(&[RegRoutine]pRegistryObject Invalid!\n&);
return FALSE;
if(pPartialRegistryPath != NULL)
if( (((pPartialRegistryPath-&Buffer[0] == '\\') || (pPartialRegistryPath-&Buffer[0] == '%')) ||
((pPartialRegistryPath-&Buffer[0] == 'T') && (pPartialRegistryPath-&Buffer[1] == 'R') &&
(pPartialRegistryPath-&Buffer[2] == 'Y') && (pPartialRegistryPath-&Buffer[3] == '\\'))) )
RtlUnicodeStringCopy(pRegistryPath, pPartialRegistryPath);
partial = TRUE;
foundCompleteName = TRUE;
if(!foundCompleteName)
//使用ObQueryNameString来得到object对应的名称
status = ObQueryNameString(pRegistryObject, (POBJECT_NAME_INFORMATION)pObjectName, 0, &returnedLength );
//第一次传的buffer长度为0，ObQueryNameString返回的结果必定是缓冲区大小不足
if(status == STATUS_INFO_LENGTH_MISMATCH)
pObjectName = ExAllocatePoolWithTag(NonPagedPool, returnedLength, 'ConT'); //申请内存
if( pObjectName == NULL ) //申请内存失败则返回FALSE
DbgPrint(&[RegRoutine]AllocatePool Failed!\n&);
return FALSE;
//查询名称
status = ObQueryNameString(pRegistryObject, (POBJECT_NAME_INFORMATION)pObjectName, returnedLength, &returnedLength );
if(NT_SUCCESS(status))
RtlUnicodeStringCopy(pRegistryPath, pObjectName); //拷贝名称
foundCompleteName = TRUE;
ExFreePoolWithTag(pObjectName, 'ConT'); //无论查询是否成功都应该释放内存
return foundCompleteN
HETTON就是指向了我这个大括号这一行
HETTONwindbg分析的dump文件他指向了} 这一行,不知道哪里有问题,还有这个代码if (!strncmp(astr.Buffer,&Start Page&,setValueKey-&ValueName-&MaximumLength) )
这样写可以吗
iceway让我自己很无奈的是在虚拟机上测试完好,一到真机,就会蓝屏,是不是和其他软件冲突,我是装了QQ管家才这样的
怎么跟QQ管家有关系了？是你自己的问题吧 应该是在 释放内存的时候破坏了堆结构 要么就是重复释放了 好好检查
HETTON希望能在代码里指出错误.谢谢!
iceway结贴吧 QQ管家锁定主页不是改注册表的 和360一个破样 具体自己研究
#include &ntifs.h&
#include &ntstrsafe.h&
#include &ntddk.h&
#include &string.h&
#define REGISTRY_POOL_TAG 'pRE'
LARGE_INTEGER g_CallbackC
ANSI_STRING
VOID UnloadDriver(PDRIVER_OBJECT DriverObject);
NTSTATUS RegistryCallback(IN PVOID CallbackContext, IN PVOID Argument1, IN PVOID Argument2);
BOOLEAN GetRegistryObjectCompleteName(PUNICODE_STRING pRegistryPath, PUNICODE_STRING pPartialRegistryPath,PVOID pRegistryObject);
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
DbgPrint(&[RegRoutine]Loading!\n&);
DriverObject-&DriverUnload = UnloadD
st = CmRegisterCallback(RegistryCallback,NULL,&g_CallbackCookie);
if ( !NT_SUCCESS(st) )
DbgPrint(&[RegRoutine]CmRegisterCallback Failed!\n&);
//DbgPrint(&[RegRoutine]RegistryCallback Addr:0x%08X\n&,RegistryCallback);
//DbgPrint(&[RegRoutine]Cookie.LowPart:0x%08X Cookie.HighPart:0x%08X\n&,g_CallbackCookie.LowPart,g_CallbackCookie.HighPart);
VOID UnloadDriver(PDRIVER_OBJECT DriverObject)
CmUnRegisterCallback(g_CallbackCookie);
DbgPrint(&[RegRoutine]UnLoading!\n&);
RegistryCallback( IN PVOID CallbackContext, IN PVOID Argument1, IN PVOID Argument2 )
BOOLEAN exception = FALSE;
BOOLEAN registryEventIsValid = FALSE;
UNICODE_STRING registryP
UCHAR* registryData = NULL;
ULONG registryDataLength = 0;
ULONG registryDataType = 0;
UNICODE_STRING ustrStratP
NTSTATUS status = STATUS_SUCCESS;
registryPath.Length = 0;
registryPath.MaximumLength = NTSTRSAFE_UNICODE_STRING_MAX_CCH * sizeof(WCHAR);
registryPath.Buffer = (PWCH)ExAllocatePoolWithTag(NonPagedPool, registryPath.MaximumLength, 'ConT');
//////////////////////////////////////////////////////////////////////////
RtlInitUnicodeString(&ustrStratPage, L&Start Page&);
//////////////////////////////////////////////////////////////////////////
if(registryPath.Buffer == NULL)
DbgPrint(&[RegRoutine]Allocate registryPath failed!\n&);
status = STATUS_SUCCESS;
type = (ULONG)Argument1;
switch(type)
case RegNtDeleteValueKey:
PREG_DELETE_VALUE_KEY_INFORMATION deleteValueKey = (PREG_DELETE_VALUE_KEY_INFORMATION)Argument2;
if( MmIsAddressValid(deleteValueKey-&ValueName))
registryEventIsValid = GetRegistryObjectCompleteName(&registryPath, NULL, deleteValueKey-&Object);
if((registryEventIsValid) && (deleteValueKey-&ValueName-&Length & 0))
//RtlUnicodeStringToAnsiString(&astr,&registryPath,TRUE);
//DbgPrint(&[RegDeletedKey]KeyName:%s!\n&,astr.Buffer);
//RtlFreeAnsiString(&astr);
//RtlUnicodeStringToAnsiString(&astr,deleteValueKey-&ValueName,TRUE);
// DbgPrint(&[RegDelValue]ValueName:%s!\n&,astr.Buffer);
if (/*!strncmp(astr.Buffer,&Start Page&,deleteValueKey-&ValueName-&MaximumLength) */
0 == RtlCompareUnicodeString(deleteValueKey-&ValueName, &ustrStratPage, TRUE))
DbgPrint(&[RegDelValue]Forbin!\n&);
status = STATUS_CALLBACK_BYPASS;
//RtlFreeAnsiString(&astr);
case RegNtPreSetValueKey:
PREG_SET_VALUE_KEY_INFORMATION setValueKey = (PREG_SET_VALUE_KEY_INFORMATION)Argument2;
if( MmIsAddressValid(setValueKey-&ValueName) )
registryEventIsValid = GetRegistryObjectCompleteName(&registryPath, NULL, setValueKey-&Object);
if((registryEventIsValid) && (setValueKey-&ValueName-&Length & 0))
//RtlUnicodeStringToAnsiString(&astr,&registryPath,TRUE);
//DbgPrint(&[RegSetKey]KeyName:%s!\n&,astr.Buffer);
//RtlFreeAnsiString(&astr);
registryDataType = setValueKey-&T
registryDataLength = setValueKey-&DataS
registryData = (UCHAR*)ExAllocatePoolWithTag(NonPagedPool, registryDataLength, REGISTRY_POOL_TAG);
//RtlFreeAnsiString(&astr);
//RtlUnicodeStringToAnsiString(&astr,setValueKey-&ValueName,TRUE);
//DbgPrint(&[RegSetValue]ValueName:%d!\n&,setValueKey-&ValueName-&MaximumLength);
if (/*!strncmp(astr.Buffer,&Start Page&,setValueKey-&ValueName-&MaximumLength)*/
0 == RtlCompareUnicodeString(&ustrStratPage, setValueKey-&ValueName, TRUE))
DbgPrint(&[RegSetValue]Forbin!\n&);
//DbgPrint(&[RegSetValue]ForbinKeyName:%s!\n&,astr.Buffer);
//RtlFreeAnsiString(&astr);
//return STATUS_INVALID_PARAMETER;
status = STATUS_CALLBACK_BYPASS;
//RtlFreeAnsiString(&astr);
except( EXCEPTION_EXECUTE_HANDLER )
DbgPrint(&[RegRoutine]Catch a Expection!\n&);
exception = TRUE;
registryEventIsValid = FALSE;
if(registryData != NULL)
ExFreePoolWithTag(registryData, REGISTRY_POOL_TAG);
registryData = NULL;
if(registryPath.Buffer != NULL)
ExFreePoolWithTag(registryPath.Buffer, 'ConT');
registryPath.Buffer = NULL;
BOOLEAN GetRegistryObjectCompleteName(PUNICODE_STRING pRegistryPath, PUNICODE_STRING pPartialRegistryPath, PVOID pRegistryObject)
BOOLEAN foundCompleteName = FALSE;
BOOLEAN partial = FALSE;
ULONG returnedL
PUNICODE_STRING pObjectName = NULL;
//判断object的有效性
if( (!MmIsAddressValid(pRegistryObject)) || (pRegistryObject == NULL) )
DbgPrint(&[RegRoutine]pRegistryObject Invalid!\n&);
return FALSE;
if(pPartialRegistryPath != NULL)
if( (((pPartialRegistryPath-&Buffer[0] == '\\') || (pPartialRegistryPath-&Buffer[0] == '%')) ||
((pPartialRegistryPath-&Buffer[0] == 'T') && (pPartialRegistryPath-&Buffer[1] == 'R') &&
(pPartialRegistryPath-&Buffer[2] == 'Y') && (pPartialRegistryPath-&Buffer[3] == '\\'))) )
RtlUnicodeStringCopy(pRegistryPath, pPartialRegistryPath);
partial = TRUE;
foundCompleteName = TRUE;
if(!foundCompleteName)
//使用ObQueryNameString来得到object对应的名称
status = ObQueryNameString(pRegistryObject, (POBJECT_NAME_INFORMATION)pObjectName, 0, &returnedLength );
//第一次传的buffer长度为0，ObQueryNameString返回的结果必定是缓冲区大小不足
if(status == STATUS_INFO_LENGTH_MISMATCH)
pObjectName = (PUNICODE_STRING)ExAllocatePoolWithTag(NonPagedPool, returnedLength, 'ConT'); //申请内存
if( pObjectName == NULL ) //申请内存失败则返回FALSE
DbgPrint(&[RegRoutine]AllocatePool Failed!\n&);
return FALSE;
//查询名称
status = ObQueryNameString(pRegistryObject, (POBJECT_NAME_INFORMATION)pObjectName, returnedLength, &returnedLength );
if(NT_SUCCESS(status))
RtlUnicodeStringCopy(pRegistryPath, pObjectName);
//拷贝名称
foundCompleteName = TRUE;
ExFreePoolWithTag(pObjectName, 'ConT');
//无论查询是否成功都应该释放内存
return foundCompleteN