├── KMDF Driver1 ├── logging.c ├── hook.c ├── hook.h ├── main.cpp ├── AsmCode.c ├── AsmCode.h ├── logging.h ├── HookManager.h ├── handlers.cpp ├── HookManager.cpp ├── MonitorAddressManager.h ├── packages.config ├── Public.h ├── Driver.h ├── search.h ├── Queue.h ├── Device.h ├── ReadMe.txt ├── KMDFDriver1.inf ├── search.cpp ├── Trace.h ├── Device.c ├── KMDF Driver1.vcxproj.filters ├── Queue.c └── KMDF Driver1.vcxproj ├── LICENSE ├── README.MD ├── KMDF Driver1.sln ├── scripts └── AutoGen.py └── .GITIGNORE /KMDF Driver1/logging.c: -------------------------------------------------------------------------------- 1 | #include "logging.h" 2 | 3 | ULONG g_LogLevel = LOG_LEVEL_INFO; -------------------------------------------------------------------------------- /KMDF Driver1/hook.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallzhong/kernel_monitor/HEAD/KMDF Driver1/hook.c -------------------------------------------------------------------------------- /KMDF Driver1/hook.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallzhong/kernel_monitor/HEAD/KMDF Driver1/hook.h -------------------------------------------------------------------------------- /KMDF Driver1/main.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallzhong/kernel_monitor/HEAD/KMDF Driver1/main.cpp -------------------------------------------------------------------------------- /KMDF Driver1/AsmCode.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallzhong/kernel_monitor/HEAD/KMDF Driver1/AsmCode.c -------------------------------------------------------------------------------- /KMDF Driver1/AsmCode.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallzhong/kernel_monitor/HEAD/KMDF Driver1/AsmCode.h -------------------------------------------------------------------------------- /KMDF Driver1/logging.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallzhong/kernel_monitor/HEAD/KMDF Driver1/logging.h -------------------------------------------------------------------------------- /KMDF Driver1/HookManager.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallzhong/kernel_monitor/HEAD/KMDF Driver1/HookManager.h -------------------------------------------------------------------------------- /KMDF Driver1/handlers.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallzhong/kernel_monitor/HEAD/KMDF Driver1/handlers.cpp -------------------------------------------------------------------------------- /KMDF Driver1/HookManager.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallzhong/kernel_monitor/HEAD/KMDF Driver1/HookManager.cpp -------------------------------------------------------------------------------- /KMDF Driver1/MonitorAddressManager.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/smallzhong/kernel_monitor/HEAD/KMDF Driver1/MonitorAddressManager.h -------------------------------------------------------------------------------- /KMDF Driver1/packages.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | -------------------------------------------------------------------------------- /KMDF Driver1/Public.h: -------------------------------------------------------------------------------- 1 | /*++ 2 | 3 | Module Name: 4 | 5 | public.h 6 | 7 | Abstract: 8 | 9 | This module contains the common declarations shared by driver 10 | and user applications. 11 | 12 | Environment: 13 | 14 | user and kernel 15 | 16 | --*/ 17 | 18 | // 19 | // Define an Interface Guid so that apps can find the device and talk to it. 20 | // 21 | 22 | DEFINE_GUID (GUID_DEVINTERFACE_KMDFDriver1, 23 | 0x4a1b7273,0xd9a3,0x4bfe,0x9d,0x5d,0xe9,0xdf,0xd6,0x7a,0x3c,0x5d); 24 | // {4a1b7273-d9a3-4bfe-9d5d-e9dfd67a3c5d} 25 | -------------------------------------------------------------------------------- /KMDF Driver1/Driver.h: -------------------------------------------------------------------------------- 1 | /*++ 2 | 3 | Module Name: 4 | 5 | driver.h 6 | 7 | Abstract: 8 | 9 | This file contains the driver definitions. 10 | 11 | Environment: 12 | 13 | Kernel-mode Driver Framework 14 | 15 | --*/ 16 | 17 | #include 18 | #include 19 | #include 20 | 21 | #include "device.h" 22 | #include "queue.h" 23 | #include "trace.h" 24 | 25 | EXTERN_C_START 26 | 27 | // 28 | // WDFDRIVER Events 29 | // 30 | 31 | DRIVER_INITIALIZE DriverEntry; 32 | EVT_WDF_DRIVER_DEVICE_ADD KMDFDriver1EvtDeviceAdd; 33 | EVT_WDF_OBJECT_CONTEXT_CLEANUP KMDFDriver1EvtDriverContextCleanup; 34 | 35 | EXTERN_C_END 36 | -------------------------------------------------------------------------------- /KMDF Driver1/search.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | //#include 14 | #include "Veil.h" 15 | 16 | namespace smallzhong { 17 | namespace search 18 | { 19 | struct KernelModuleInfo { 20 | PVOID BaseAddress; 21 | ULONG Size; 22 | 23 | KernelModuleInfo(PVOID base, ULONG size) : BaseAddress(base), Size(size) {} 24 | }; 25 | 26 | std::optional get_sys_module_info(std::string module_name); 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /KMDF Driver1/Queue.h: -------------------------------------------------------------------------------- 1 | /*++ 2 | 3 | Module Name: 4 | 5 | queue.h 6 | 7 | Abstract: 8 | 9 | This file contains the queue definitions. 10 | 11 | Environment: 12 | 13 | Kernel-mode Driver Framework 14 | 15 | --*/ 16 | 17 | EXTERN_C_START 18 | 19 | // 20 | // This is the context that can be placed per queue 21 | // and would contain per queue information. 22 | // 23 | typedef struct _QUEUE_CONTEXT { 24 | 25 | ULONG PrivateDeviceData; // just a placeholder 26 | 27 | } QUEUE_CONTEXT, *PQUEUE_CONTEXT; 28 | 29 | WDF_DECLARE_CONTEXT_TYPE_WITH_NAME(QUEUE_CONTEXT, QueueGetContext) 30 | 31 | NTSTATUS 32 | KMDFDriver1QueueInitialize( 33 | _In_ WDFDEVICE Device 34 | ); 35 | 36 | // 37 | // Events from the IoQueue object 38 | // 39 | EVT_WDF_IO_QUEUE_IO_DEVICE_CONTROL KMDFDriver1EvtIoDeviceControl; 40 | EVT_WDF_IO_QUEUE_IO_STOP KMDFDriver1EvtIoStop; 41 | 42 | EXTERN_C_END 43 | -------------------------------------------------------------------------------- /KMDF Driver1/Device.h: -------------------------------------------------------------------------------- 1 | /*++ 2 | 3 | Module Name: 4 | 5 | device.h 6 | 7 | Abstract: 8 | 9 | This file contains the device definitions. 10 | 11 | Environment: 12 | 13 | Kernel-mode Driver Framework 14 | 15 | --*/ 16 | 17 | #include "public.h" 18 | 19 | EXTERN_C_START 20 | 21 | // 22 | // The device context performs the same job as 23 | // a WDM device extension in the driver frameworks 24 | // 25 | typedef struct _DEVICE_CONTEXT 26 | { 27 | ULONG PrivateDeviceData; // just a placeholder 28 | 29 | } DEVICE_CONTEXT, *PDEVICE_CONTEXT; 30 | 31 | // 32 | // This macro will generate an inline function called DeviceGetContext 33 | // which will be used to get a pointer to the device context memory 34 | // in a type safe manner. 35 | // 36 | WDF_DECLARE_CONTEXT_TYPE_WITH_NAME(DEVICE_CONTEXT, DeviceGetContext) 37 | 38 | // 39 | // Function to initialize the device and its callbacks 40 | // 41 | NTSTATUS 42 | KMDFDriver1CreateDevice( 43 | _Inout_ PWDFDEVICE_INIT DeviceInit 44 | ); 45 | 46 | EXTERN_C_END 47 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2025 smallzhong 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.MD: -------------------------------------------------------------------------------- 1 | # kernel_monitor 2 | 3 | + 关于本框架的详细说明请见 [https://bbs.kanxue.com/thread-286641.htm](https://bbs.kanxue.com/thread-286641.htm) 4 | + 本项目使用了 [https://github.com/smallzhong/kernelhook](https://github.com/smallzhong/kernelhook) 这个内核 inlinehook 框架。 5 | + 本项目的设计初衷是在CTF比赛中提高分析驱动程序逻辑的效率，项目的开发和测试都是在虚拟机中进行的，没有考虑过过PG等在真机中运行会遇到的问题。如果您希望用来分析外挂等带有反虚拟机、反测试模式，必须在真机中运行的程序，请自行解决过PG等问题。 6 | 7 | ## 使用流程 8 | 9 | + 使用nuget导入米松哥封装的 [Musa.Runtime](https://github.com/MiroKaku/Musa.runtime) ，开始愉快地在内核编写C++代码。 10 | 11 | + 把当前系统的 `ntoskrnl.exe` 用IDA打开，打开 `scripts\AutoGen.py` ，ctrl + h 全局修改修改里面硬编码的保存路径后运行 `AutoGen.py` 脚本，得到 `available_funcs.inc` 、 `handlers.h` 、 `handlers.c` 三个自动生成的文件，并将其导入vs项目中。 12 | 13 | + 在 `ImageLoadCallback` 回调中监控特定模块的加载，并记录其内存区域，加入监控范围。 14 | 15 | ```cpp 16 | VOID ImageLoadCallback( 17 | PUNICODE_STRING FullImageName, 18 | HANDLE ProcessId, 19 | PIMAGE_INFO ImageInfo) 20 | { 21 | 22 | if (ProcessId == 0 && FullImageName != NULL) 23 | { 24 | 25 | // 检查是否是 ACEDriver.sys 被加载 26 | if (wcsstr(FullImageName->Buffer, L"\\ACEDriver.sys")) 27 | { 28 | LOG_INFO("ACEDriver.sys" " has been loaded!\n"); 29 | LOG_INFO("Image Base: %p\n", ImageInfo->ImageBase); 30 | LOG_INFO("Image Size: %llx\n", ImageInfo->ImageSize); 31 | 32 | ADD_MONITOR_RANGE((ULONG64)ImageInfo->ImageBase, (ULONG64)ImageInfo->ImageBase + ImageInfo->ImageSize); 33 | } 34 | } 35 | } 36 | ``` 37 | 38 | + 在 DriverMain 中特定 Hook 自己感兴趣的函数。 39 | 40 | + 加载驱动，查看日志。 41 | 42 | ## TODO 43 | 44 | - [ ] 把日志模块封装一个消息队列，用另外一个线程异步地写日志。这样可以引入把日志写到文件的机制，在本机调试蓝屏了之后还能读取本地的日志查看蓝屏原因。 45 | -------------------------------------------------------------------------------- /KMDF Driver1/ReadMe.txt: -------------------------------------------------------------------------------- 1 | ======================================================================== 2 | KMDFDriver1 Project Overview 3 | ======================================================================== 4 | 5 | This file contains a summary of what you will find in each of the files that make up your project. 6 | 7 | KMDFDriver1.vcxproj 8 | This is the main project file for projects generated using an Application Wizard. 9 | It contains information about the version of the product that generated the file, and 10 | information about the platforms, configurations, and project features selected with the 11 | Application Wizard. 12 | 13 | KMDFDriver1.vcxproj.filters 14 | This is the filters file for VC++ projects generated using an Application Wizard. 15 | It contains information about the association between the files in your project 16 | and the filters. This association is used in the IDE to show grouping of files with 17 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the 18 | "Source Files" filter). 19 | 20 | Public.h 21 | Header file to be shared with applications. 22 | 23 | Driver.c & Driver.h 24 | DriverEntry and WDFDRIVER related functionality and callbacks. 25 | 26 | Device.c & Device.h 27 | WDFDEVICE related functionality and callbacks. 28 | 29 | Queue.c & Queue.h 30 | WDFQUEUE related functionality and callbacks. 31 | 32 | Trace.h 33 | Definitions for WPP tracing. 34 | 35 | ///////////////////////////////////////////////////////////////////////////// 36 | 37 | Learn more about Kernel Mode Driver Framework here: 38 | 39 | http://msdn.microsoft.com/en-us/library/ff544296(v=VS.85).aspx 40 | 41 | ///////////////////////////////////////////////////////////////////////////// 42 | -------------------------------------------------------------------------------- /KMDF Driver1.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.13.35913.81 d17.13 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "KMDF Driver1", "KMDF Driver1\KMDF Driver1.vcxproj", "{28C79524-2D8D-FE0D-FEB0-27FE06BB2FB6}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|ARM64 = Debug|ARM64 11 | Debug|x64 = Debug|x64 12 | Release|ARM64 = Release|ARM64 13 | Release|x64 = Release|x64 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {28C79524-2D8D-FE0D-FEB0-27FE06BB2FB6}.Debug|ARM64.ActiveCfg = Debug|ARM64 17 | {28C79524-2D8D-FE0D-FEB0-27FE06BB2FB6}.Debug|ARM64.Build.0 = Debug|ARM64 18 | {28C79524-2D8D-FE0D-FEB0-27FE06BB2FB6}.Debug|ARM64.Deploy.0 = Debug|ARM64 19 | {28C79524-2D8D-FE0D-FEB0-27FE06BB2FB6}.Debug|x64.ActiveCfg = Debug|x64 20 | {28C79524-2D8D-FE0D-FEB0-27FE06BB2FB6}.Debug|x64.Build.0 = Debug|x64 21 | {28C79524-2D8D-FE0D-FEB0-27FE06BB2FB6}.Debug|x64.Deploy.0 = Debug|x64 22 | {28C79524-2D8D-FE0D-FEB0-27FE06BB2FB6}.Release|ARM64.ActiveCfg = Release|ARM64 23 | {28C79524-2D8D-FE0D-FEB0-27FE06BB2FB6}.Release|ARM64.Build.0 = Release|ARM64 24 | {28C79524-2D8D-FE0D-FEB0-27FE06BB2FB6}.Release|ARM64.Deploy.0 = Release|ARM64 25 | {28C79524-2D8D-FE0D-FEB0-27FE06BB2FB6}.Release|x64.ActiveCfg = Release|x64 26 | {28C79524-2D8D-FE0D-FEB0-27FE06BB2FB6}.Release|x64.Build.0 = Release|x64 27 | {28C79524-2D8D-FE0D-FEB0-27FE06BB2FB6}.Release|x64.Deploy.0 = Release|x64 28 | EndGlobalSection 29 | GlobalSection(SolutionProperties) = preSolution 30 | HideSolutionNode = FALSE 31 | EndGlobalSection 32 | GlobalSection(ExtensibilityGlobals) = postSolution 33 | SolutionGuid = {ED414761-847C-45ED-9903-A218577E8C0C} 34 | EndGlobalSection 35 | EndGlobal 36 | -------------------------------------------------------------------------------- /KMDF Driver1/KMDFDriver1.inf: -------------------------------------------------------------------------------- 1 | ; 2 | ; KMDFDriver1.inf 3 | ; 4 | 5 | [Version] 6 | Signature = "$WINDOWS NT$" 7 | Class = System ; TODO: specify appropriate Class 8 | ClassGuid = {4d36e97d-e325-11ce-bfc1-08002be10318} ; TODO: specify appropriate ClassGuid 9 | Provider = %ManufacturerName% 10 | CatalogFile = KMDFDriver1.cat 11 | DriverVer = ; TODO: set DriverVer in stampinf property pages 12 | PnpLockdown = 1 13 | 14 | [DestinationDirs] 15 | DefaultDestDir = 13 16 | 17 | [SourceDisksNames] 18 | 1 = %DiskName%,,,"" 19 | 20 | [SourceDisksFiles] 21 | KMDFDriver1.sys = 1,, 22 | 23 | ;***************************************** 24 | ; Install Section 25 | ;***************************************** 26 | 27 | [Manufacturer] 28 | %ManufacturerName% = Standard,NT$ARCH$.10.0...16299 ; %13% support introduced in build 16299 29 | 30 | [Standard.NT$ARCH$.10.0...16299] 31 | %KMDFDriver1.DeviceDesc% = KMDFDriver1_Device, Root\KMDFDriver1 ; TODO: edit hw-id 32 | 33 | [KMDFDriver1_Device.NT] 34 | CopyFiles = File_Copy 35 | 36 | [File_Copy] 37 | KMDFDriver1.sys 38 | 39 | ;-------------- Service installation 40 | [KMDFDriver1_Device.NT.Services] 41 | AddService = KMDFDriver1,%SPSVCINST_ASSOCSERVICE%, KMDFDriver1_Service_Inst 42 | 43 | ; -------------- KMDFDriver1 driver install sections 44 | [KMDFDriver1_Service_Inst] 45 | DisplayName = %KMDFDriver1.SVCDESC% 46 | ServiceType = 1 ; SERVICE_KERNEL_DRIVER 47 | StartType = 3 ; SERVICE_DEMAND_START 48 | ErrorControl = 1 ; SERVICE_ERROR_NORMAL 49 | ServiceBinary = %13%\KMDFDriver1.sys 50 | 51 | [KMDFDriver1_Device.NT.Wdf] 52 | KmdfService = KMDFDriver1, KMDFDriver1_wdfsect 53 | 54 | [KMDFDriver1_wdfsect] 55 | KmdfLibraryVersion = $KMDFVERSION$ 56 | 57 | [Strings] 58 | SPSVCINST_ASSOCSERVICE = 0x00000002 59 | ManufacturerName = "" ;TODO: Replace with your manufacturer name 60 | DiskName = "KMDFDriver1 Installation Disk" 61 | KMDFDriver1.DeviceDesc = "KMDFDriver1 Device" 62 | KMDFDriver1.SVCDESC = "KMDFDriver1 Service" 63 | -------------------------------------------------------------------------------- /KMDF Driver1/search.cpp: -------------------------------------------------------------------------------- 1 | #include "search.h" 2 | #include "logging.h" 3 | #include "hook.h" 4 | 5 | namespace smallzhong { 6 | namespace search 7 | { 8 | bool equals_ignore_case(const std::string& a, const std::string& b) { 9 | if (a.size() != b.size()) { 10 | return false; 11 | } 12 | 13 | return std::equal(a.begin(), a.end(), b.begin(), 14 | [](char a, char b) { 15 | return std::tolower(a) == std::tolower(b); 16 | }); 17 | } 18 | 19 | std::string extractFileName(const std::string& path) { 20 | size_t pos = path.find_last_of("\\/"); 21 | if (pos != std::string::npos) { 22 | return path.substr(pos + 1); 23 | } 24 | 25 | return path; 26 | } 27 | 28 | std::optional get_sys_module_info(std::string module_to_find) 29 | { 30 | NTSTATUS status; 31 | RTL_PROCESS_MODULES info = { 0 }; 32 | ULONG required_size; 33 | 34 | status = ZwQuerySystemInformation(SystemModuleInformation, &info, sizeof(info), &required_size); 35 | if (status == STATUS_INFO_LENGTH_MISMATCH) 36 | { 37 | ULONG t_len = required_size + sizeof(RTL_PROCESS_MODULES); 38 | std::unique_ptr buffer(new BYTE[t_len]); 39 | PRTL_PROCESS_MODULES module_information = reinterpret_cast(buffer.get()); 40 | My_RtlZeroMemory(module_information, t_len); 41 | status = ZwQuerySystemInformation(SystemModuleInformation, module_information, t_len, &required_size); 42 | if (!NT_SUCCESS(status)) 43 | { 44 | return std::nullopt; 45 | } 46 | 47 | 48 | for (ULONG i = 0; i < module_information->NumberOfModules; i++) 49 | { 50 | PRTL_PROCESS_MODULE_INFORMATION cur_module = &module_information->Modules[i]; 51 | std::string cur_module_name = extractFileName(std::string(cur_module->FullPathName)); 52 | 53 | //KdPrintEx((77, 0, "%s\n", cur_module_name.c_str())); 54 | if (equals_ignore_case(cur_module_name, module_to_find)) 55 | { 56 | return std::optional({ cur_module->ImageBase, cur_module->ImageSize }); 57 | } 58 | } 59 | } 60 | 61 | return std::nullopt; 62 | } 63 | } 64 | } -------------------------------------------------------------------------------- /KMDF Driver1/Trace.h: -------------------------------------------------------------------------------- 1 | /*++ 2 | 3 | Module Name: 4 | 5 | Trace.h 6 | 7 | Abstract: 8 | 9 | Header file for the debug tracing related function defintions and macros. 10 | 11 | Environment: 12 | 13 | Kernel mode 14 | 15 | --*/ 16 | 17 | // 18 | // Define the tracing flags. 19 | // 20 | // Tracing GUID - cee87614-e373-439b-acdc-5453bcecccbe 21 | // 22 | 23 | #define WPP_CONTROL_GUIDS \ 24 | WPP_DEFINE_CONTROL_GUID( \ 25 | KMDFDriver1TraceGuid, (cee87614,e373,439b,acdc,5453bcecccbe), \ 26 | \ 27 | WPP_DEFINE_BIT(MYDRIVER_ALL_INFO) \ 28 | WPP_DEFINE_BIT(TRACE_DRIVER) \ 29 | WPP_DEFINE_BIT(TRACE_DEVICE) \ 30 | WPP_DEFINE_BIT(TRACE_QUEUE) \ 31 | ) 32 | 33 | #define WPP_FLAG_LEVEL_LOGGER(flag, level) \ 34 | WPP_LEVEL_LOGGER(flag) 35 | 36 | #define WPP_FLAG_LEVEL_ENABLED(flag, level) \ 37 | (WPP_LEVEL_ENABLED(flag) && \ 38 | WPP_CONTROL(WPP_BIT_ ## flag).Level >= level) 39 | 40 | #define WPP_LEVEL_FLAGS_LOGGER(lvl,flags) \ 41 | WPP_LEVEL_LOGGER(flags) 42 | 43 | #define WPP_LEVEL_FLAGS_ENABLED(lvl, flags) \ 44 | (WPP_LEVEL_ENABLED(flags) && WPP_CONTROL(WPP_BIT_ ## flags).Level >= lvl) 45 | 46 | // 47 | // WPP orders static parameters before dynamic parameters. To support the Trace function 48 | // defined below which sets FLAGS=MYDRIVER_ALL_INFO, a custom macro must be defined to 49 | // reorder the arguments to what the .tpl configuration file expects. 50 | // 51 | #define WPP_RECORDER_FLAGS_LEVEL_ARGS(flags, lvl) WPP_RECORDER_LEVEL_FLAGS_ARGS(lvl, flags) 52 | #define WPP_RECORDER_FLAGS_LEVEL_FILTER(flags, lvl) WPP_RECORDER_LEVEL_FLAGS_FILTER(lvl, flags) 53 | 54 | // 55 | // This comment block is scanned by the trace preprocessor to define our 56 | // Trace function. 57 | // 58 | // begin_wpp config 59 | // FUNC Trace{FLAGS=MYDRIVER_ALL_INFO}(LEVEL, MSG, ...); 60 | // FUNC TraceEvents(LEVEL, FLAGS, MSG, ...); 61 | // end_wpp 62 | // 63 | -------------------------------------------------------------------------------- /KMDF Driver1/Device.c: -------------------------------------------------------------------------------- 1 | /*++ 2 | 3 | Module Name: 4 | 5 | device.c - Device handling events for example driver. 6 | 7 | Abstract: 8 | 9 | This file contains the device entry points and callbacks. 10 | 11 | Environment: 12 | 13 | Kernel-mode Driver Framework 14 | 15 | --*/ 16 | 17 | #include "driver.h" 18 | #include "device.tmh" 19 | 20 | #ifdef ALLOC_PRAGMA 21 | #pragma alloc_text (PAGE, KMDFDriver1CreateDevice) 22 | #endif 23 | 24 | NTSTATUS 25 | KMDFDriver1CreateDevice( 26 | _Inout_ PWDFDEVICE_INIT DeviceInit 27 | ) 28 | /*++ 29 | 30 | Routine Description: 31 | 32 | Worker routine called to create a device and its software resources. 33 | 34 | Arguments: 35 | 36 | DeviceInit - Pointer to an opaque init structure. Memory for this 37 | structure will be freed by the framework when the WdfDeviceCreate 38 | succeeds. So don't access the structure after that point. 39 | 40 | Return Value: 41 | 42 | NTSTATUS 43 | 44 | --*/ 45 | { 46 | WDF_OBJECT_ATTRIBUTES deviceAttributes; 47 | PDEVICE_CONTEXT deviceContext; 48 | WDFDEVICE device; 49 | NTSTATUS status; 50 | 51 | PAGED_CODE(); 52 | 53 | WDF_OBJECT_ATTRIBUTES_INIT_CONTEXT_TYPE(&deviceAttributes, DEVICE_CONTEXT); 54 | 55 | status = WdfDeviceCreate(&DeviceInit, &deviceAttributes, &device); 56 | 57 | if (NT_SUCCESS(status)) { 58 | // 59 | // Get a pointer to the device context structure that we just associated 60 | // with the device object. We define this structure in the device.h 61 | // header file. DeviceGetContext is an inline function generated by 62 | // using the WDF_DECLARE_CONTEXT_TYPE_WITH_NAME macro in device.h. 63 | // This function will do the type checking and return the device context. 64 | // If you pass a wrong object handle it will return NULL and assert if 65 | // run under framework verifier mode. 66 | // 67 | deviceContext = DeviceGetContext(device); 68 | 69 | // 70 | // Initialize the context. 71 | // 72 | deviceContext->PrivateDeviceData = 0; 73 | 74 | // 75 | // Create a device interface so that applications can find and talk 76 | // to us. 77 | // 78 | status = WdfDeviceCreateDeviceInterface( 79 | device, 80 | &GUID_DEVINTERFACE_KMDFDriver1, 81 | NULL // ReferenceString 82 | ); 83 | 84 | if (NT_SUCCESS(status)) { 85 | // 86 | // Initialize the I/O Package and any Queues 87 | // 88 | status = KMDFDriver1QueueInitialize(device); 89 | } 90 | } 91 | 92 | return status; 93 | } 94 | -------------------------------------------------------------------------------- /KMDF Driver1/KMDF Driver1.vcxproj.filters: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 10 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 11 | 12 | 13 | {8E41214B-6785-4CFE-B992-037D68949A14} 14 | inf;inv;inx;mof;mc; 15 | 16 | 17 | {00f0cd49-2a10-451d-9858-3cd6202aa37d} 18 | 19 | 20 | {3b7485fb-7862-4a11-a61f-9a287cae87fc} 21 | 22 | 23 | {f136e31a-d26b-4b4d-93a8-df9e79ec951b} 24 | 25 | 26 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 27 | h;hpp;hxx;hm;inl;inc;xsd 28 | 29 | 30 | 31 | 32 | 33 | 34 | AutoGeneratedFiles 35 | 36 | 37 | 38 | 39 | Driver Files 40 | 41 | 42 | 43 | 44 | AutoGeneratedFiles 45 | 46 | 47 | KernelHook 48 | 49 | 50 | KernelHook 51 | 52 | 53 | KernelHook 54 | 55 | 56 | deafultHeaders 57 | 58 | 59 | deafultHeaders 60 | 61 | 62 | deafultHeaders 63 | 64 | 65 | deafultHeaders 66 | 67 | 68 | deafultHeaders 69 | 70 | 71 | HookManager 72 | 73 | 74 | HookManager 75 | 76 | 77 | HookManager 78 | 79 | 80 | KernelHook 81 | 82 | 83 | 84 | 85 | KernelHook 86 | 87 | 88 | KernelHook 89 | 90 | 91 | KernelHook 92 | 93 | 94 | Source Files 95 | 96 | 97 | HookManager 98 | 99 | 100 | HookManager 101 | 102 | 103 | AutoGeneratedFiles 104 | 105 | 106 | KernelHook 107 | 108 | 109 | -------------------------------------------------------------------------------- /KMDF Driver1/Queue.c: -------------------------------------------------------------------------------- 1 | /*++ 2 | 3 | Module Name: 4 | 5 | queue.c 6 | 7 | Abstract: 8 | 9 | This file contains the queue entry points and callbacks. 10 | 11 | Environment: 12 | 13 | Kernel-mode Driver Framework 14 | 15 | --*/ 16 | 17 | #include "driver.h" 18 | #include "queue.tmh" 19 | 20 | #ifdef ALLOC_PRAGMA 21 | #pragma alloc_text (PAGE, KMDFDriver1QueueInitialize) 22 | #endif 23 | 24 | NTSTATUS 25 | KMDFDriver1QueueInitialize( 26 | _In_ WDFDEVICE Device 27 | ) 28 | /*++ 29 | 30 | Routine Description: 31 | 32 | The I/O dispatch callbacks for the frameworks device object 33 | are configured in this function. 34 | 35 | A single default I/O Queue is configured for parallel request 36 | processing, and a driver context memory allocation is created 37 | to hold our structure QUEUE_CONTEXT. 38 | 39 | Arguments: 40 | 41 | Device - Handle to a framework device object. 42 | 43 | Return Value: 44 | 45 | VOID 46 | 47 | --*/ 48 | { 49 | WDFQUEUE queue; 50 | NTSTATUS status; 51 | WDF_IO_QUEUE_CONFIG queueConfig; 52 | 53 | PAGED_CODE(); 54 | 55 | // 56 | // Configure a default queue so that requests that are not 57 | // configure-fowarded using WdfDeviceConfigureRequestDispatching to goto 58 | // other queues get dispatched here. 59 | // 60 | WDF_IO_QUEUE_CONFIG_INIT_DEFAULT_QUEUE( 61 | &queueConfig, 62 | WdfIoQueueDispatchParallel 63 | ); 64 | 65 | queueConfig.EvtIoDeviceControl = KMDFDriver1EvtIoDeviceControl; 66 | queueConfig.EvtIoStop = KMDFDriver1EvtIoStop; 67 | 68 | status = WdfIoQueueCreate( 69 | Device, 70 | &queueConfig, 71 | WDF_NO_OBJECT_ATTRIBUTES, 72 | &queue 73 | ); 74 | 75 | if(!NT_SUCCESS(status)) { 76 | TraceEvents(TRACE_LEVEL_ERROR, TRACE_QUEUE, "WdfIoQueueCreate failed %!STATUS!", status); 77 | return status; 78 | } 79 | 80 | return status; 81 | } 82 | 83 | VOID 84 | KMDFDriver1EvtIoDeviceControl( 85 | _In_ WDFQUEUE Queue, 86 | _In_ WDFREQUEST Request, 87 | _In_ size_t OutputBufferLength, 88 | _In_ size_t InputBufferLength, 89 | _In_ ULONG IoControlCode 90 | ) 91 | /*++ 92 | 93 | Routine Description: 94 | 95 | This event is invoked when the framework receives IRP_MJ_DEVICE_CONTROL request. 96 | 97 | Arguments: 98 | 99 | Queue - Handle to the framework queue object that is associated with the 100 | I/O request. 101 | 102 | Request - Handle to a framework request object. 103 | 104 | OutputBufferLength - Size of the output buffer in bytes 105 | 106 | InputBufferLength - Size of the input buffer in bytes 107 | 108 | IoControlCode - I/O control code. 109 | 110 | Return Value: 111 | 112 | VOID 113 | 114 | --*/ 115 | { 116 | TraceEvents(TRACE_LEVEL_INFORMATION, 117 | TRACE_QUEUE, 118 | "%!FUNC! Queue 0x%p, Request 0x%p OutputBufferLength %d InputBufferLength %d IoControlCode %d", 119 | Queue, Request, (int) OutputBufferLength, (int) InputBufferLength, IoControlCode); 120 | 121 | WdfRequestComplete(Request, STATUS_SUCCESS); 122 | 123 | return; 124 | } 125 | 126 | VOID 127 | KMDFDriver1EvtIoStop( 128 | _In_ WDFQUEUE Queue, 129 | _In_ WDFREQUEST Request, 130 | _In_ ULONG ActionFlags 131 | ) 132 | /*++ 133 | 134 | Routine Description: 135 | 136 | This event is invoked for a power-managed queue before the device leaves the working state (D0). 137 | 138 | Arguments: 139 | 140 | Queue - Handle to the framework queue object that is associated with the 141 | I/O request. 142 | 143 | Request - Handle to a framework request object. 144 | 145 | ActionFlags - A bitwise OR of one or more WDF_REQUEST_STOP_ACTION_FLAGS-typed flags 146 | that identify the reason that the callback function is being called 147 | and whether the request is cancelable. 148 | 149 | Return Value: 150 | 151 | VOID 152 | 153 | --*/ 154 | { 155 | TraceEvents(TRACE_LEVEL_INFORMATION, 156 | TRACE_QUEUE, 157 | "%!FUNC! Queue 0x%p, Request 0x%p ActionFlags %d", 158 | Queue, Request, ActionFlags); 159 | 160 | // 161 | // In most cases, the EvtIoStop callback function completes, cancels, or postpones 162 | // further processing of the I/O request. 163 | // 164 | // Typically, the driver uses the following rules: 165 | // 166 | // - If the driver owns the I/O request, it calls WdfRequestUnmarkCancelable 167 | // (if the request is cancelable) and either calls WdfRequestStopAcknowledge 168 | // with a Requeue value of TRUE, or it calls WdfRequestComplete with a 169 | // completion status value of STATUS_SUCCESS or STATUS_CANCELLED. 170 | // 171 | // Before it can call these methods safely, the driver must make sure that 172 | // its implementation of EvtIoStop has exclusive access to the request. 173 | // 174 | // In order to do that, the driver must synchronize access to the request 175 | // to prevent other threads from manipulating the request concurrently. 176 | // The synchronization method you choose will depend on your driver's design. 177 | // 178 | // For example, if the request is held in a shared context, the EvtIoStop callback 179 | // might acquire an internal driver lock, take the request from the shared context, 180 | // and then release the lock. At this point, the EvtIoStop callback owns the request 181 | // and can safely complete or requeue the request. 182 | // 183 | // - If the driver has forwarded the I/O request to an I/O target, it either calls 184 | // WdfRequestCancelSentRequest to attempt to cancel the request, or it postpones 185 | // further processing of the request and calls WdfRequestStopAcknowledge with 186 | // a Requeue value of FALSE. 187 | // 188 | // A driver might choose to take no action in EvtIoStop for requests that are 189 | // guaranteed to complete in a small amount of time. 190 | // 191 | // In this case, the framework waits until the specified request is complete 192 | // before moving the device (or system) to a lower power state or removing the device. 193 | // Potentially, this inaction can prevent a system from entering its hibernation state 194 | // or another low system power state. In extreme cases, it can cause the system 195 | // to crash with bugcheck code 9F. 196 | // 197 | 198 | return; 199 | } 200 | -------------------------------------------------------------------------------- /scripts/AutoGen.py: -------------------------------------------------------------------------------- 1 | import idaapi 2 | import idc 3 | import idautils 4 | import csv 5 | import random 6 | 7 | 8 | # FNV-1a 哈希 9 | def runtime_hash(s): 10 | hash_value = 2166136261 11 | for c in s: 12 | hash_value = (hash_value ^ ord(c)) * 16777619 13 | # 使其保持在32-bit值范围内 14 | hash_value = hash_value & 0xFFFFFFFF 15 | return hash_value 16 | 17 | 18 | def has_relative_addressing(start_ea, end_ea): 19 | """检查指定范围内是否存在相对寻址的指令""" 20 | current_ea = start_ea 21 | while current_ea < end_ea: 22 | # 获取当前指令 23 | insn = idaapi.insn_t() 24 | insn_size = idaapi.decode_insn(insn, current_ea) 25 | 26 | # 检查指令的操作数是否包含相对寻址 27 | for i in range(len(insn.ops)): 28 | if insn.ops[i].type in [idaapi.o_near, idaapi.o_mem]: 29 | return True 30 | 31 | current_ea += insn_size 32 | if insn_size == 0: 33 | break 34 | return False 35 | 36 | 37 | def has_xrefs_to_middle(start_ea, end_ea): 38 | instr_size = idc.get_item_size(start_ea) 39 | start_ea += instr_size 40 | while start_ea < end_ea: 41 | t = idautils.CodeRefsTo(start_ea, False) 42 | for i in t: 43 | return True 44 | instr_size = idc.get_item_size(start_ea) 45 | start_ea += instr_size 46 | return False 47 | 48 | 49 | def analyze_functions(): 50 | """分析所有函数并导出结果""" 51 | funcs = [] 52 | handler_declarations = [] 53 | handler_implementations = [] 54 | handler_map_entries = [] 55 | 56 | with open('D:\\github_miscellaneous\\kernel_monitor\\KMDF Driver1\\function_analysis.csv', 'w', newline='') as csvfile: 57 | writer = csv.writer(csvfile) 58 | # 写入表头 59 | writer.writerow(['Function Name', 'Size', 'Size >= 16', 'Has Relative Addressing', 'Has Xrefs to Middle']) 60 | 61 | # 遍历所有函数 62 | for func_ea in idautils.Functions(): 63 | # 获取函数对象 64 | func = idaapi.get_func(func_ea) 65 | if not func: 66 | continue 67 | 68 | # 1. 获取函数名 69 | func_name = idc.get_func_name(func_ea) 70 | 71 | # 2. 计算函数大小 72 | func_size = func.end_ea - func.start_ea 73 | size_ge_14 = func_size >= 14 # 实测12字节够了，后面的覆盖几条CC无伤大雅。 74 | if not size_ge_14: 75 | writer.writerow([ 76 | func_name, 77 | func_size, 78 | 'No', 79 | 'No', 80 | 'No', 81 | ]) 82 | continue 83 | 84 | # 计算至少16字节后的指令结束地址 85 | current_ea = func.start_ea 86 | total_size = 0 87 | analysis_end = func.start_ea 88 | while current_ea < func.end_ea and total_size < 16: 89 | instr_size = idc.get_item_size(current_ea) 90 | total_size += instr_size 91 | analysis_end = current_ea + instr_size 92 | current_ea += instr_size 93 | 94 | # 3. 检查前16字节是否有相对寻址 95 | has_relative = has_relative_addressing(func.start_ea, analysis_end) 96 | 97 | # 4. 检查是否有跳转到前16字节中间 98 | has_xrefs = has_xrefs_to_middle(func.start_ea, analysis_end) 99 | 100 | # 写入结果 101 | writer.writerow([ 102 | func_name, 103 | func_size, 104 | 'Yes' if size_ge_14 else 'No', 105 | 'Yes' if has_relative else 'No', 106 | 'Yes' if has_xrefs else 'No' 107 | ]) 108 | 109 | if size_ge_14 and not has_xrefs: 110 | random_number = 1 # random.randint(1, 12) 111 | if random_number == 1: 112 | func_hash = runtime_hash(func_name.strip()) 113 | funcs.append((func_hash, func_name)) 114 | 115 | # 生成处理程序声明 116 | handler_name = f"handler_{func_hash:08x}" 117 | handler_declaration = f"BOOLEAN {handler_name}(PGuestContext context);" 118 | handler_declarations.append(handler_declaration) 119 | 120 | # 生成处理程序实现 121 | handler_implementation = f''' 122 | BOOLEAN {handler_name}(PGuestContext context) 123 | {{ 124 | ULONG64 origin_ret_addr = *(PULONG64)(context->mRsp); 125 | if (FILTER_RET_ADDR(origin_ret_addr)) 126 | {{ 127 | LOG_INFO("Function: {func_name}\\nRCX: %llx, RDX: %llx, R8: %llx, R9: %llx\\nReturn Address: %llx\\n\\n", 128 | context->mRcx, context->mRdx, context->mR8, context->mR9, origin_ret_addr); 129 | }} 130 | return FALSE; 131 | }}''' 132 | handler_implementations.append(handler_implementation) 133 | 134 | # 生成映射表条目 135 | handler_map_entries.append(f'{{ 0x{func_hash:08x}u, {handler_name} }}') 136 | 137 | print(f"Analyzed function: {func_name}") 138 | 139 | # 写入文件 140 | with open('D:\\github_miscellaneous\\kernel_monitor\\KMDF Driver1\\available_funcs.inc', 'w') as cpp_code: 141 | funcs.sort() 142 | for i in funcs: 143 | cpp_code.write(f'/* {i[1]} */ 0x{i[0]:08x}u,\n') 144 | 145 | # 写入处理程序声明(handlers.h) 146 | with open('D:\\github_miscellaneous\\kernel_monitor\\KMDF Driver1\\handlers.h', 'w') as handlers_header: 147 | handlers_header.write('''#pragma once 148 | #include "hook.h" 149 | #include "logging.h" 150 | #include "MonitorAddressManager.h" 151 | 152 | #ifdef __cplusplus 153 | extern "C" { 154 | #endif 155 | 156 | // 运行时哈希函数声明 157 | uint32_t RuntimeHash(const char* str); 158 | 159 | // 函数处理程序声明 160 | ''') 161 | for handler_declaration in handler_declarations: 162 | handlers_header.write(handler_declaration + '\n') 163 | 164 | handlers_header.write(''' 165 | // 处理程序映射表结构 166 | typedef struct { 167 | uint32_t func_hash; 168 | PFN_GUEST_CALLBACK handler; 169 | } HandlerMapEntry; 170 | 171 | // 处理程序查找函数声明 172 | PFN_GUEST_CALLBACK find_handler_by_hash(uint32_t hash); 173 | PFN_GUEST_CALLBACK find_handler_by_name(const char* func_name); 174 | 175 | #ifdef __cplusplus 176 | } 177 | #endif 178 | ''') 179 | 180 | # 写入处理程序实现(handlers.c) 181 | with open('D:\\github_miscellaneous\\kernel_monitor\\KMDF Driver1\\handlers.c', 'w') as handlers_impl: 182 | handlers_impl.write('''#include "handlers.h" 183 | 184 | // 运行时哈希函数 (与编译期哈希使用相同算法) 185 | uint32_t RuntimeHash(const char* str) { 186 | uint32_t hash = 2166136261u; 187 | while (*str) { 188 | hash = (hash ^ (uint32_t)(*str)) * 16777619u; 189 | ++str; 190 | } 191 | return hash; 192 | } 193 | 194 | // 函数处理程序实现 195 | ''') 196 | for handler_impl in handler_implementations: 197 | handlers_impl.write(handler_impl + '\n\n') 198 | 199 | handlers_impl.write(''' 200 | // 处理程序映射表 201 | static const HandlerMapEntry g_handler_map[] = { 202 | ''') 203 | for entry in handler_map_entries: 204 | handlers_impl.write(' ' + entry + ',\n') 205 | 206 | handlers_impl.write('''}; 207 | 208 | // 通过函数名哈希查找处理程序 209 | PFN_GUEST_CALLBACK find_handler_by_hash(uint32_t hash) { 210 | for (int i = 0; i < sizeof(g_handler_map)/sizeof(g_handler_map[0]); i++) { 211 | if (g_handler_map[i].func_hash == hash) { 212 | return g_handler_map[i].handler; 213 | } 214 | } 215 | return NULL; 216 | } 217 | 218 | // 通过函数名查找处理程序 219 | PFN_GUEST_CALLBACK find_handler_by_name(const char* func_name) { 220 | uint32_t hash = RuntimeHash(func_name); 221 | return find_handler_by_hash(hash); 222 | } 223 | ''') 224 | 225 | 226 | def main(): 227 | print("Starting function analysis...") 228 | analyze_functions() 229 | print("Analysis complete. Results saved to function_analysis.csv") 230 | 231 | 232 | if __name__ == '__main__': 233 | main() 234 | -------------------------------------------------------------------------------- /.GITIGNORE: -------------------------------------------------------------------------------- 1 | *.exe 2 | **/handlers.c 3 | **/handlers.h 4 | **/available_funcs.inc 5 | **/function_analysis.csv 6 | 7 | 8 | # gitginore template for IDA Pro 9 | # website: https://www.hex-rays.com/index.shtml 10 | 11 | # IDA Pro Runtime temporary file 12 | *.id0 13 | *.id1 14 | *.id2 15 | *.nam 16 | *.til 17 | 18 | # IDA Pro 64 packaged data 19 | *.i64 20 | # IDA Pro 32 packaged data 21 | *.idb 22 | 23 | 24 | 25 | 26 | 27 | ## Ignore Visual Studio temporary files, build results, and 28 | ## files generated by popular Visual Studio add-ons. 29 | ## 30 | ## Get latest from https://github.com/github/gitignore/blob/main/VisualStudio.gitignore 31 | 32 | # User-specific files 33 | *.rsuser 34 | *.suo 35 | *.user 36 | *.userosscache 37 | *.sln.docstates 38 | 39 | # User-specific files (MonoDevelop/Xamarin Studio) 40 | *.userprefs 41 | 42 | # Mono auto generated files 43 | mono_crash.* 44 | 45 | # Build results 46 | [Dd]ebug/ 47 | [Dd]ebugPublic/ 48 | [Rr]elease/ 49 | [Rr]eleases/ 50 | x64/ 51 | x86/ 52 | [Ww][Ii][Nn]32/ 53 | [Aa][Rr][Mm]/ 54 | [Aa][Rr][Mm]64/ 55 | bld/ 56 | [Bb]in/ 57 | [Oo]bj/ 58 | [Ll]og/ 59 | [Ll]ogs/ 60 | 61 | # Visual Studio 2015/2017 cache/options directory 62 | .vs/ 63 | # Uncomment if you have tasks that create the project's static files in wwwroot 64 | #wwwroot/ 65 | 66 | # Visual Studio 2017 auto generated files 67 | Generated\ Files/ 68 | 69 | # MSTest test Results 70 | [Tt]est[Rr]esult*/ 71 | [Bb]uild[Ll]og.* 72 | 73 | # NUnit 74 | *.VisualState.xml 75 | TestResult.xml 76 | nunit-*.xml 77 | 78 | # Build Results of an ATL Project 79 | [Dd]ebugPS/ 80 | [Rr]eleasePS/ 81 | dlldata.c 82 | 83 | # Benchmark Results 84 | BenchmarkDotNet.Artifacts/ 85 | 86 | # .NET Core 87 | project.lock.json 88 | project.fragment.lock.json 89 | artifacts/ 90 | 91 | # ASP.NET Scaffolding 92 | ScaffoldingReadMe.txt 93 | 94 | # StyleCop 95 | StyleCopReport.xml 96 | 97 | # Files built by Visual Studio 98 | *_i.c 99 | *_p.c 100 | *_h.h 101 | *.ilk 102 | *.meta 103 | *.obj 104 | *.iobj 105 | *.pch 106 | *.pdb 107 | *.ipdb 108 | *.pgc 109 | *.pgd 110 | *.rsp 111 | # but not Directory.Build.rsp, as it configures directory-level build defaults 112 | !Directory.Build.rsp 113 | *.sbr 114 | *.tlb 115 | *.tli 116 | *.tlh 117 | *.tmp 118 | *.tmp_proj 119 | *_wpftmp.csproj 120 | *.log 121 | *.tlog 122 | *.vspscc 123 | *.vssscc 124 | .builds 125 | *.pidb 126 | *.svclog 127 | *.scc 128 | 129 | # Chutzpah Test files 130 | _Chutzpah* 131 | 132 | # Visual C++ cache files 133 | ipch/ 134 | *.aps 135 | *.ncb 136 | *.opendb 137 | *.opensdf 138 | *.sdf 139 | *.cachefile 140 | *.VC.db 141 | *.VC.VC.opendb 142 | 143 | # Visual Studio profiler 144 | *.psess 145 | *.vsp 146 | *.vspx 147 | *.sap 148 | 149 | # Visual Studio Trace Files 150 | *.e2e 151 | 152 | # TFS 2012 Local Workspace 153 | $tf/ 154 | 155 | # Guidance Automation Toolkit 156 | *.gpState 157 | 158 | # ReSharper is a .NET coding add-in 159 | _ReSharper*/ 160 | *.[Rr]e[Ss]harper 161 | *.DotSettings.user 162 | 163 | # TeamCity is a build add-in 164 | _TeamCity* 165 | 166 | # DotCover is a Code Coverage Tool 167 | *.dotCover 168 | 169 | # AxoCover is a Code Coverage Tool 170 | .axoCover/* 171 | !.axoCover/settings.json 172 | 173 | # Coverlet is a free, cross platform Code Coverage Tool 174 | coverage*.json 175 | coverage*.xml 176 | coverage*.info 177 | 178 | # Visual Studio code coverage results 179 | *.coverage 180 | *.coveragexml 181 | 182 | # NCrunch 183 | _NCrunch_* 184 | .NCrunch_* 185 | .*crunch*.local.xml 186 | nCrunchTemp_* 187 | 188 | # MightyMoose 189 | *.mm.* 190 | AutoTest.Net/ 191 | 192 | # Web workbench (sass) 193 | .sass-cache/ 194 | 195 | # Installshield output folder 196 | [Ee]xpress/ 197 | 198 | # DocProject is a documentation generator add-in 199 | DocProject/buildhelp/ 200 | DocProject/Help/*.HxT 201 | DocProject/Help/*.HxC 202 | DocProject/Help/*.hhc 203 | DocProject/Help/*.hhk 204 | DocProject/Help/*.hhp 205 | DocProject/Help/Html2 206 | DocProject/Help/html 207 | 208 | # Click-Once directory 209 | publish/ 210 | 211 | # Publish Web Output 212 | *.[Pp]ublish.xml 213 | *.azurePubxml 214 | # Note: Comment the next line if you want to checkin your web deploy settings, 215 | # but database connection strings (with potential passwords) will be unencrypted 216 | *.pubxml 217 | *.publishproj 218 | 219 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 220 | # checkin your Azure Web App publish settings, but sensitive information contained 221 | # in these scripts will be unencrypted 222 | PublishScripts/ 223 | 224 | # NuGet Packages 225 | *.nupkg 226 | # NuGet Symbol Packages 227 | *.snupkg 228 | # The packages folder can be ignored because of Package Restore 229 | **/[Pp]ackages/* 230 | # except build/, which is used as an MSBuild target. 231 | !**/[Pp]ackages/build/ 232 | # Uncomment if necessary however generally it will be regenerated when needed 233 | #!**/[Pp]ackages/repositories.config 234 | # NuGet v3's project.json files produces more ignorable files 235 | *.nuget.props 236 | *.nuget.targets 237 | 238 | # Microsoft Azure Build Output 239 | csx/ 240 | *.build.csdef 241 | 242 | # Microsoft Azure Emulator 243 | ecf/ 244 | rcf/ 245 | 246 | # Windows Store app package directories and files 247 | AppPackages/ 248 | BundleArtifacts/ 249 | Package.StoreAssociation.xml 250 | _pkginfo.txt 251 | *.appx 252 | *.appxbundle 253 | *.appxupload 254 | 255 | # Visual Studio cache files 256 | # files ending in .cache can be ignored 257 | *.[Cc]ache 258 | # but keep track of directories ending in .cache 259 | !?*.[Cc]ache/ 260 | 261 | # Others 262 | ClientBin/ 263 | ~$* 264 | *~ 265 | *.dbmdl 266 | *.dbproj.schemaview 267 | *.jfm 268 | *.pfx 269 | *.publishsettings 270 | orleans.codegen.cs 271 | 272 | # Including strong name files can present a security risk 273 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 274 | #*.snk 275 | 276 | # Since there are multiple workflows, uncomment next line to ignore bower_components 277 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 278 | #bower_components/ 279 | 280 | # RIA/Silverlight projects 281 | Generated_Code/ 282 | 283 | # Backup & report files from converting an old project file 284 | # to a newer Visual Studio version. Backup files are not needed, 285 | # because we have git ;-) 286 | _UpgradeReport_Files/ 287 | Backup*/ 288 | UpgradeLog*.XML 289 | UpgradeLog*.htm 290 | ServiceFabricBackup/ 291 | *.rptproj.bak 292 | 293 | # SQL Server files 294 | *.mdf 295 | *.ldf 296 | *.ndf 297 | 298 | # Business Intelligence projects 299 | *.rdl.data 300 | *.bim.layout 301 | *.bim_*.settings 302 | *.rptproj.rsuser 303 | *- [Bb]ackup.rdl 304 | *- [Bb]ackup ([0-9]).rdl 305 | *- [Bb]ackup ([0-9][0-9]).rdl 306 | 307 | # Microsoft Fakes 308 | FakesAssemblies/ 309 | 310 | # GhostDoc plugin setting file 311 | *.GhostDoc.xml 312 | 313 | # Node.js Tools for Visual Studio 314 | .ntvs_analysis.dat 315 | node_modules/ 316 | 317 | # Visual Studio 6 build log 318 | *.plg 319 | 320 | # Visual Studio 6 workspace options file 321 | *.opt 322 | 323 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 324 | *.vbw 325 | 326 | # Visual Studio 6 auto-generated project file (contains which files were open etc.) 327 | *.vbp 328 | 329 | # Visual Studio 6 workspace and project file (working project files containing files to include in project) 330 | *.dsw 331 | *.dsp 332 | 333 | # Visual Studio 6 technical files 334 | *.ncb 335 | *.aps 336 | 337 | # Visual Studio LightSwitch build output 338 | **/*.HTMLClient/GeneratedArtifacts 339 | **/*.DesktopClient/GeneratedArtifacts 340 | **/*.DesktopClient/ModelManifest.xml 341 | **/*.Server/GeneratedArtifacts 342 | **/*.Server/ModelManifest.xml 343 | _Pvt_Extensions 344 | 345 | # Paket dependency manager 346 | .paket/paket.exe 347 | paket-files/ 348 | 349 | # FAKE - F# Make 350 | .fake/ 351 | 352 | # CodeRush personal settings 353 | .cr/personal 354 | 355 | # Python Tools for Visual Studio (PTVS) 356 | __pycache__/ 357 | *.pyc 358 | 359 | # Cake - Uncomment if you are using it 360 | # tools/** 361 | # !tools/packages.config 362 | 363 | # Tabs Studio 364 | *.tss 365 | 366 | # Telerik's JustMock configuration file 367 | *.jmconfig 368 | 369 | # BizTalk build output 370 | *.btp.cs 371 | *.btm.cs 372 | *.odx.cs 373 | *.xsd.cs 374 | 375 | # OpenCover UI analysis results 376 | OpenCover/ 377 | 378 | # Azure Stream Analytics local run output 379 | ASALocalRun/ 380 | 381 | # MSBuild Binary and Structured Log 382 | *.binlog 383 | 384 | # NVidia Nsight GPU debugger configuration file 385 | *.nvuser 386 | 387 | # MFractors (Xamarin productivity tool) working folder 388 | .mfractor/ 389 | 390 | # Local History for Visual Studio 391 | .localhistory/ 392 | 393 | # Visual Studio History (VSHistory) files 394 | .vshistory/ 395 | 396 | # BeatPulse healthcheck temp database 397 | healthchecksdb 398 | 399 | # Backup folder for Package Reference Convert tool in Visual Studio 2017 400 | MigrationBackup/ 401 | 402 | # Ionide (cross platform F# VS Code tools) working folder 403 | .ionide/ 404 | 405 | # Fody - auto-generated XML schema 406 | FodyWeavers.xsd 407 | 408 | # VS Code files for those working on multiple tools 409 | .vscode/* 410 | !.vscode/settings.json 411 | !.vscode/tasks.json 412 | !.vscode/launch.json 413 | !.vscode/extensions.json 414 | *.code-workspace 415 | 416 | # Local History for Visual Studio Code 417 | .history/ 418 | 419 | # Windows Installer files from build outputs 420 | *.cab 421 | *.msi 422 | *.msix 423 | *.msm 424 | *.msp 425 | 426 | # JetBrains Rider 427 | *.sln.iml -------------------------------------------------------------------------------- /KMDF Driver1/KMDF Driver1.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | Debug 10 | x64 11 | 12 | 13 | Release 14 | x64 15 | 16 | 17 | Debug 18 | ARM64 19 | 20 | 21 | Release 22 | ARM64 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | {28C79524-2D8D-FE0D-FEB0-27FE06BB2FB6} 60 | {497e31cb-056b-4f31-abb8-447fd55ee5a5} 61 | v4.5 62 | 12.0 63 | Debug 64 | x64 65 | KMDF_Driver1 66 | $(LatestTargetPlatformVersion) 67 | 68 | 69 | 70 | Windows10 71 | true 72 | WindowsKernelModeDriver10.0 73 | Driver 74 | KMDF 75 | Universal 76 | 77 | 78 | Windows10 79 | false 80 | WindowsKernelModeDriver10.0 81 | Driver 82 | KMDF 83 | Universal 84 | Spectre 85 | 86 | 87 | Windows10 88 | true 89 | WindowsKernelModeDriver10.0 90 | Driver 91 | KMDF 92 | Universal 93 | 94 | 95 | Windows10 96 | false 97 | WindowsKernelModeDriver10.0 98 | Driver 99 | KMDF 100 | Universal 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | DbgengKernelDebugger 112 | false 113 | 114 | 115 | DbgengKernelDebugger 116 | false 117 | 118 | 119 | DbgengKernelDebugger 120 | 121 | 122 | DbgengKernelDebugger 123 | 124 | 125 | 126 | true 127 | true 128 | trace.h 129 | true 130 | false 131 | stdcpp20 132 | /bigobj %(AdditionalOptions) 133 | 134 | 135 | sha256 136 | 137 | 138 | 139 | 140 | true 141 | true 142 | trace.h 143 | true 144 | false 145 | stdcpp20 146 | MultiThreaded 147 | /bigobj %(AdditionalOptions) 148 | 149 | 150 | sha256 151 | 152 | 153 | 154 | 155 | true 156 | true 157 | trace.h 158 | true 159 | 160 | 161 | sha256 162 | 163 | 164 | 165 | 166 | true 167 | true 168 | trace.h 169 | true 170 | 171 | 172 | sha256 173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | 181 | 182 | 183 | 184 | 这台计算机上缺少此项目引用的 NuGet 程序包。使用“NuGet 程序包还原”可下载这些程序包。有关更多信息，请参见 http://go.microsoft.com/fwlink/?LinkID=322105。缺少的文件是 {0}。 185 | 186 | 187 | 188 | 189 | 190 | 191 | 192 | --------------------------------------------------------------------------------