  • Invoke-Phant0m: a Windows event log killer
  • Useful reference: 0 The operation completed successfully. 1 Incorrect function. 2 The system cannot find the file specified. 3 The system cannot find the path specified. 4 The system cannot open the file. 5 Access is denied. 6 The handle is invalid. 7 The storage control blocks were destroyed. 8 Not enough storage is available to process this command. 9 The storage control block address is invalid. 10 The environment...
  • WINDOWS event function declarations

    2020-01-20 17:37:03

    ' ---- File 1: window helpers written with classic Declare statements ----
    ' Window handles are declared as IntPtr so the code is also correct in a 64-bit process.

    Public Enum NextWindowType
        NextWindow = 2      ' GW_HWNDNEXT
        FirstWindow = 0     ' GW_HWNDFIRST
        LastWindow = 1      ' GW_HWNDLAST
        PreWindow = 3       ' GW_HWNDPREV
    End Enum

    Public Structure RECT
        Dim Left As Integer
        Dim Top As Integer
        Dim Right As Integer
        Dim Bottom As Integer
    End Structure

    Public Class _Windows

        Public Const WM_CLOSE = &H10
        Public Const GWL_STYLE = (-16)
        Public Const WS_VISIBLE = &H10000000

        Private Declare Function _GetWindowLong Lib "user32" Alias "GetWindowLongA" (ByVal hwnd As IntPtr, ByVal nIndex As Integer) As Integer
        Private Declare Function _SetParent Lib "user32" Alias "SetParent" (ByVal hWndChild As IntPtr, ByVal hWndNewParent As IntPtr) As IntPtr
        Private Declare Function _MoveWindow Lib "user32" Alias "MoveWindow" (ByVal hwnd As IntPtr, ByVal x As Integer, ByVal y As Integer, ByVal nWidth As Integer, ByVal nHeight As Integer, ByVal bRepaint As Integer) As Integer
        Private Declare Function _SetWindowLong Lib "user32" Alias "SetWindowLongA" (ByVal hwnd As IntPtr, ByVal nIndex As Integer, ByVal dwNewLong As Integer) As Integer

        Private Declare Function _GetForegroundWindow Lib "user32" Alias "GetForegroundWindow" () As IntPtr
        Private Declare Function _SetForegroundWindow Lib "user32" Alias "SetForegroundWindow" (ByVal hwnd As IntPtr) As Integer
        Private Declare Function _GetWindowRect Lib "user32" Alias "GetWindowRect" (ByVal hwnd As IntPtr, ByRef lpRect As RECT) As Boolean  ' must be ByRef and Boolean, otherwise the call fails
        ' The string-returning calls use the W entry points with "Declare Unicode": a ByVal String in a Declare
        ' is passed as a writable buffer and copied back, and the return value then counts characters, not bytes.
        Private Declare Unicode Function _FindWindow Lib "user32" Alias "FindWindowW" (ByVal lpClassName As String, ByVal lpWindowName As String) As IntPtr
        Private Declare Unicode Function _GetWindowText Lib "user32" Alias "GetWindowTextW" (ByVal hwnd As IntPtr, ByVal lpString As String, ByVal cch As Integer) As Integer
        Private Declare Function _GetNextWindow Lib "user32" Alias "GetWindow" (ByVal hwnd As IntPtr, ByVal wFlag As Integer) As IntPtr
        Private Declare Function _ShowWindow Lib "user32" Alias "ShowWindow" (ByVal hwnd As IntPtr, ByVal nCmdShow As Integer) As Integer
        ' WindowFromPoint takes a POINT structure by value; passing it as two Integer values only matches the x86 calling convention.
        Private Declare Function _WindowFromPoint Lib "user32" Alias "WindowFromPoint" (ByVal xPoint As Integer, ByVal yPoint As Integer) As IntPtr
        Private Declare Function _SendMessage Lib "user32" Alias "SendMessageA" (ByVal hwnd As IntPtr, ByVal wMsg As Integer, ByVal wParam As Integer, ByVal lParam As Integer) As Integer
        Private Declare Function _PostMessage Lib "user32" Alias "PostMessageA" (ByVal hwnd As IntPtr, ByVal wMsg As Integer, ByVal wParam As Integer, ByVal lParam As Integer) As Integer
        Private Declare Unicode Function _GetClassName Lib "user32" Alias "GetClassNameW" (ByVal hwnd As IntPtr, ByVal lpClassName As String, ByVal nMaxCount As Integer) As Integer

        Public Sub MoveWindow(ByVal hwnd As IntPtr, ByVal x As Integer, ByVal y As Integer, ByVal nWidth As Integer, ByVal nHeight As Integer, ByVal bRepaint As Integer)
            _MoveWindow(hwnd, x, y, nWidth, nHeight, bRepaint)
        End Sub

        ' Public Declare Function GetTopWindow Lib "user32" Alias "GetTopWindow" (ByVal hwnd As IntPtr) As IntPtr

        Public Function FindWindowWithName(windowname As String) As IntPtr
            Return _FindWindow(vbNullString, windowname)
        End Function

        Public Function FindWindowWithClass(windowclass As String) As IntPtr
            Return _FindWindow(windowclass, vbNullString)
        End Function

        Public Function GetFrantWindow() As IntPtr
            Return _GetForegroundWindow()
        End Function

        Public Function GetWindowText(windowHandle As IntPtr) As String
            ' The buffer is filled in place and the return value is the number of characters written,
            ' so only that prefix is returned. A fixed Space(30) buffer truncated longer titles and padded the result.
            Dim s As String = Space(512)
            Dim n As Integer = _GetWindowText(windowHandle, s, 512)
            Return s.Substring(0, n)
        End Function

        Public Function GetNextWindow(windowHandle As IntPtr, nextWindowType As NextWindowType) As IntPtr
            Return _GetNextWindow(windowHandle, nextWindowType)
        End Function

        Public Sub SetWindowFrant(windowHandle As IntPtr)
            _SetForegroundWindow(windowHandle)
        End Sub

        Public Function GetWindowClassName(windowHandle As IntPtr) As String
            Dim s As String = Space(256)      ' window class names are at most 256 characters
            Dim n As Integer = _GetClassName(windowHandle, s, 256)
            Return s.Substring(0, n)
        End Function

        Public Function GetWindowRegion(windowHandle As IntPtr) As RECT
            Dim rect As RECT
            _GetWindowRect(windowHandle, rect)
            Return rect
        End Function

    End Class

    ' ---- File 2: Module1.vb, the same calls written with DllImport attributes ----
    Imports System.Runtime.InteropServices
    Imports System.Text

    Module Module1

        ' Find a top-level window by class name and/or window title (pass Nothing for the one you do not know).
        <DllImport("user32.dll", SetLastError:=True)>
        Public Function FindWindow(lpClassName As String, lpWindowName As String) As IntPtr
        End Function

        ' Find a child window by parent handle, the previous child handle, class name and title;
        ' all of these can be looked up with Spy++, which ships with Visual Studio.
        <DllImport("user32.dll", SetLastError:=True)>
        Public Function FindWindowEx(parentHandle As IntPtr, childAfter As IntPtr, className As String, windowTitle As String) As IntPtr
        End Function

        ' Returns the desktop window handle; I use it as the parent handle for the previous function.
        <DllImport("user32.dll", EntryPoint:="GetDesktopWindow", CharSet:=CharSet.Auto, SetLastError:=True)>
        Public Function GetDesktopWindow() As IntPtr
        End Function

        ' Title of the given window. Every WinForms control is a window, but in the cases discussed here "window"
        ' simply means a top-level window. The text comes back through a StringBuilder whose capacity is passed as nMaxCount.
        <DllImport("user32.dll")>
        Public Function GetWindowText(hWnd As IntPtr, lpString As StringBuilder, nMaxCount As Integer) As Integer
        End Function

        ' Class name of the given window, also through a StringBuilder.
        <DllImport("User32.dll")>
        Public Function GetClassName(hWnd As IntPtr, lpClassName As StringBuilder, nMaxCount As Integer) As Integer
        End Function

        ' Bring a window to the front.
        <DllImport("USER32.DLL")>
        Public Function SetForegroundWindow(hWnd As IntPtr) As Boolean
        End Function

        ' Returns the handle of the frontmost window.
        <DllImport("user32.dll", CharSet:=CharSet.Auto, ExactSpelling:=True)>
        Public Function GetForegroundWindow() As IntPtr
        End Function

        ' Queue a message without waiting for the target to process it. Returns False, with GetLastError = 5
        ' (ERROR_ACCESS_DENIED), when UIPI drops the message because the target window belongs to a higher-integrity process.
        ' wParam/lParam are pointer-sized in Win32; Integer is enough for the small values used in this module.
        <DllImport("user32.dll", EntryPoint:="PostMessage", SetLastError:=True)>
        Public Function PostMessage(hwnd As IntPtr, msg As UInteger, wparam As Integer, lparam As Integer) As Boolean
        End Function

        ' Send text, one character per WM_CHAR. The text is encoded as GBK and sent byte by byte through the
        ' ANSI SendMessage, which pairs the lead and trail byte of a double-byte character for the target window.
        Public Sub sendText(hwnd As IntPtr, strText As [String])
            Dim charCByte As Byte() = Encoding.GetEncoding("GBK").GetBytes(strText)
            For i As Integer = 0 To charCByte.Length - 1
                SendMessage(hwnd, WM_CHAR, CInt(charCByte(i)), 0)
            Next
        End Sub

        ' Get the window position (screen coordinates of its outer rectangle)
        <DllImport("user32.dll")>
        Public Function GetWindowRect(hWnd As IntPtr, ByRef lpRect As RECT) As <MarshalAs(UnmanagedType.Bool)> Boolean
        End Function

        <StructLayout(LayoutKind.Sequential)>
        Public Structure RECT
            Public Left As Integer      ' leftmost coordinate
            Public Top As Integer       ' topmost coordinate
            Public Right As Integer     ' rightmost coordinate
            Public Bottom As Integer    ' bottommost coordinate
        End Structure

        ' Key messages: wParam is the virtual-key code (look it up); lParam packs the repeat count, scan code,
        ' extended-key flag, context (Alt) and previous-state bits. MSDN has a table describing each bit, but I have not needed it.

        ' Character messages: one char per message; wParam is the character value converted to int, lParam is 0.

        ' Mouse click messages: wParam is the modifier/button mask (0 if none); lParam is the position, low word = x,
        ' high word = y, i.e. x + (y << 16). For WM_LBUTTONDOWN and friends this position is in client coordinates of the
        ' target window, not screen coordinates.

        ' Mouse wheel: the high word of wParam is the scroll distance as a signed multiple of WHEEL_DELTA (120), positive
        ' = forward/up, negative = backward/down; the low word is the modifier mask (0 if none). lParam is the pointer
        ' position, low word = x, high word = y, and for WM_MOUSEWHEEL it is in screen coordinates.

        ' Because only the window handle is available, the target area must have the focus before wheel, character and
        ' key messages have any effect; I give it the focus with a mouse click message first.

        ' key pressed
        Public Const WM_KEYDOWN As Integer = &H100

        ' key released
        Public Const WM_KEYUP As Integer = &H101

        ' character
        Public Const WM_CHAR As Integer = &H102

        ' sent by an application to set a window's text
        Public Const WM_SETTEXT As Integer = &HC

        ' sent as a signal that a window or application should close
        Public Const WM_CLOSE As Integer = &H10

        ' sent when the user chooses to end the session or an application calls ExitWindows
        Public Const WM_QUERYENDSESSION As Integer = &H11

        ' ends the message loop of the owning thread, so the whole program the window belongs to exits
        Public Const WM_QUIT As Integer = &H12

        ' left mouse button pressed
        Public Const WM_LBUTTONDOWN As Integer = &H201

        ' left mouse button released
        Public Const WM_LBUTTONUP As Integer = &H202

        ' left mouse button double-clicked
        Public Const WM_LBUTTONDBLCLK As Integer = &H203

        ' mouse wheel used
        Public Const WM_MOUSEWHEEL As Integer = &H20A

        ' Send a message and wait until the target window procedure has handled it (ANSI entry point, see sendText).
        <DllImport("user32.dll", EntryPoint:="SendMessage", SetLastError:=True)>
        Public Function SendMessage(hWnd As IntPtr, Msg As UInteger, wParam As Integer, lParam As Integer) As Integer
        End Function

    End Module
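The module above reads titles into a fixed Space(30) buffer and never looks at what PostMessage returns. The following PowerShell script, added here as an example and not part of the original post, makes the same user32 calls through Add-Type with those two points corrected: the title buffer is sized with GetWindowTextLength, and the result of PostMessage is checked together with GetLastError, because a message posted from a lower-integrity process to a higher-integrity window is dropped by UIPI and the call fails with ERROR_ACCESS_DENIED (5). The target window title in the usage line is an assumption.

```powershell
# Added example (not from the original post): P/Invoke from PowerShell with the same user32
# calls as the VB.NET module. Differences from the VB version: the title buffer is sized from
# GetWindowTextLength instead of a fixed Space(30), and a blocked message is detected through
# GetLastError (UIPI reports ERROR_ACCESS_DENIED = 5).
Add-Type -Namespace Win32 -Name User32 -MemberDefinition @'
[DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr FindWindow(string lpClassName, string lpWindowName);

[DllImport("user32.dll", SetLastError = true)]
public static extern int GetWindowTextLength(IntPtr hWnd);

[DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern int GetWindowText(IntPtr hWnd, System.Text.StringBuilder lpString, int nMaxCount);

[DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern int GetClassName(IntPtr hWnd, System.Text.StringBuilder lpClassName, int nMaxCount);

[DllImport("user32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool PostMessage(IntPtr hWnd, uint Msg, IntPtr wParam, IntPtr lParam);
'@

$WM_CLOSE            = 0x10
$ERROR_ACCESS_DENIED = 5

function Get-WindowTitle([IntPtr]$hWnd) {
    # Ask for the real length first; a fixed 30-character buffer silently truncates longer titles.
    $len = [Win32.User32]::GetWindowTextLength($hWnd)
    $sb  = New-Object System.Text.StringBuilder -ArgumentList ($len + 1)
    [void][Win32.User32]::GetWindowText($hWnd, $sb, $sb.Capacity)
    return $sb.ToString()
}

function Get-WindowClass([IntPtr]$hWnd) {
    $sb = New-Object System.Text.StringBuilder -ArgumentList 256   # class names are at most 256 characters
    [void][Win32.User32]::GetClassName($hWnd, $sb, $sb.Capacity)
    return $sb.ToString()
}

function Send-CloseRequest([string]$Title) {
    $hWnd = [Win32.User32]::FindWindow($null, $Title)
    if ($hWnd -eq [IntPtr]::Zero) { throw "No top-level window titled '$Title'" }

    'Target: 0x{0:X} class={1} title=''{2}''' -f $hWnd.ToInt64(), (Get-WindowClass $hWnd), (Get-WindowTitle $hWnd)

    $ok  = [Win32.User32]::PostMessage($hWnd, $WM_CLOSE, [IntPtr]::Zero, [IntPtr]::Zero)
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($ok) {
        'WM_CLOSE queued'
    } elseif ($err -eq $ERROR_ACCESS_DENIED) {
        # User Interface Privilege Isolation: a process cannot post most messages to a window
        # owned by a higher-integrity process; the call returns FALSE with error 5.
        'blocked by UIPI (ERROR_ACCESS_DENIED): the target runs at a higher integrity level'
    } else {
        "PostMessage failed: Win32 error $err"
    }
}

# Usage (the title is an assumption; any top-level window of your own will do):
# Send-CloseRequest -Title 'Untitled - Notepad'
```

Run it once from a normal console and once from an elevated one against a window of the other integrity level to see both outcomes; the ERROR_ACCESS_DENIED branch is the one a message-injection tool hits first.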
    

     

  • Windows events: a first look

    2008-11-02 21:02:00
    Today I learned about events in Win32 assembly. Following the example I wrote a small Win32 program; the code is recorded here as a memento.

     

    #include "counter.h"
    #include "resource.h"

    static BYTE dwOptionPause = 0;      // 1 = paused, 0 = running
    static BYTE dwOptionStop = 1;       // 1 = stopped (not counting), 0 = counting
    static volatile LONG bRunning = 0;  // cleared to ask the counter thread to exit (the original loop condition never became false)

    static int i = 1;
    HWND hWndDlg;
    HANDLE hEvent;    // manual-reset event: signalled = keep counting, non-signalled = paused
    HANDLE hThread;

    DWORD WINAPI counter(LPVOID lParam)
    {
        while (bRunning)
        {
            SetDlgItemInt(hWndDlg, IDC_EDIT1, i, TRUE);
            i++;
            // Blocks only while the event is non-signalled; a manual-reset event stays
            // signalled until ResetEvent, so otherwise the loop runs freely.
            WaitForSingleObject(hEvent, INFINITE);
        }
        return 0;
    }

    INT_PTR CALLBACK WindowProc(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
    {
        switch (uMsg)
        {
        case WM_INITDIALOG:
            hEvent = CreateEvent(NULL, TRUE, FALSE, NULL);   // manual-reset, initially non-signalled
            EnableWindow(GetDlgItem(hWnd, IDCANCEL), FALSE);
            hWndDlg = hWnd;
            return TRUE;

        case WM_COMMAND:
            switch (LOWORD(wParam))
            {
            case IDOK:
                if (dwOptionStop)
                {
                    // start: open the gate, then create the counter thread
                    SetEvent(hEvent);
                    bRunning = 1;
                    dwOptionPause = 0;
                    hThread = CreateThread(NULL, 0, counter, NULL, 0, NULL);
                    EnableWindow(GetDlgItem(hWnd, IDCANCEL), TRUE);
                    SetDlgItemText(hWnd, IDOK, _T("Stop"));
                    dwOptionStop = 0;
                }
                else
                {
                    // stop: ask the thread to exit and make sure it is not blocked on the event.
                    // Do not wait for the thread here: it may be inside SetDlgItemInt, which sends a
                    // message to this dialog thread, and waiting for it would deadlock.
                    bRunning = 0;
                    SetEvent(hEvent);
                    CloseHandle(hThread);   // only releases our handle; the thread exits on its own
                    hThread = NULL;
                    SetDlgItemText(hWnd, IDOK, _T("Count"));
                    EnableWindow(GetDlgItem(hWnd, IDCANCEL), FALSE);
                    dwOptionStop = 1;
                }
                return TRUE;

            case IDCANCEL:
                if (dwOptionPause)           // currently paused
                {
                    SetEvent(hEvent);        // signalled: the counter thread resumes
                    dwOptionPause = 0;
                }
                else
                {
                    ResetEvent(hEvent);      // non-signalled: the counter thread blocks in WaitForSingleObject
                    dwOptionPause = 1;
                }
                return TRUE;
            }
            return FALSE;

        case WM_CLOSE:
            EndDialog(hWnd, 0);
            return TRUE;
        }
        // A dialog procedure returns FALSE for messages it does not handle; the dialog manager
        // applies the default processing itself, so calling DefWindowProc here is wrong.
        return FALSE;
    }

    int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
    {
        LPCTSTR lpTemplate = MAKEINTRESOURCE(IDD_DIALOG_MAIN);
        return (int)DialogBoxParam(hInstance, lpTemplate, NULL, WindowProc, 0);
    }
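The pause/resume gate above (ResetEvent blocks the counter thread at its next wait, SetEvent releases it) in PowerShell, added here as an example and not part of the original post. It targets Windows PowerShell 5.1 (.NET Framework), whose EventWaitHandle constructor accepts a security descriptor; the event name 'Local\CounterGate', the tick count and the timings are assumptions. Two things the C sample does not do are shown: the named event gets a DACL so that only the creating user can open and signal it, and the createdNew flag is checked so that the script refuses to attach to an event another process created under the same name.

```powershell
# Added example (not from the original post): a named manual-reset event used as a pause gate,
# for Windows PowerShell 5.1 / .NET Framework. Name and timings are assumptions.
$name = 'Local\CounterGate'   # Local\ = visible in this logon session only

# DACL: only the current user may open/signal the event. Without one, any process in the
# session can OpenExisting() the name and Set/Reset it behind the owner's back.
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$sec  = New-Object System.Threading.EventWaitHandleSecurity
$rule = New-Object System.Threading.EventWaitHandleAccessRule -ArgumentList $me,
            ([System.Threading.EventWaitHandleRights]::FullControl),
            ([System.Security.AccessControl.AccessControlType]::Allow)
$sec.AddAccessRule($rule)

$createdNew = $false
$gate = [System.Threading.EventWaitHandle]::new($true, [System.Threading.EventResetMode]::ManualReset,
                                                $name, [ref]$createdNew, $sec)
if (-not $createdNew) {
    # Someone else already owns this name: do not adopt their object (name squatting).
    $gate.Dispose()
    throw "An event named '$name' already exists; refusing to attach to it"
}

# Worker, the counterpart of the C counter thread: opens the gate by name and blocks on
# every iteration while the gate is reset. It returns the time of each tick.
$workerScript = @'
param($gateName)
$gate = [System.Threading.EventWaitHandle]::OpenExisting($gateName)
try {
    for ($i = 1; $i -le 6; $i++) {
        [void]$gate.WaitOne()                     # pause point: blocks while non-signalled
        [pscustomobject]@{ Tick = $i; Time = (Get-Date) }
        Start-Sleep -Milliseconds 250
    }
} finally { $gate.Dispose() }
'@
$worker = [powershell]::Create()
[void]$worker.AddScript($workerScript).AddArgument($name)
$async = $worker.BeginInvoke()

Start-Sleep -Milliseconds 600
$null = $gate.Reset()      # pause (IDCANCEL while running in the C dialog)
Start-Sleep -Seconds 2
$null = $gate.Set()        # resume (IDCANCEL while paused)
$ticks = $worker.EndInvoke($async)
$worker.Dispose()
$gate.Dispose()

# The tick after the pause shows a gap of roughly two seconds; the others are ~250 ms apart.
$prev = $null
foreach ($t in $ticks) {
    $gap = if ($prev) { [int]($t.Time - $prev).TotalMilliseconds } else { 0 }
    '{0,2}  {1:HH:mm:ss.fff}  +{2,5} ms' -f $t.Tick, $t.Time, $gap
    $prev = $t.Time
}
```

A Global\ name would make the gate reachable from other sessions and requires SeCreateGlobalPrivilege; the Local\ prefix plus the explicit DACL is the narrow choice for a gate that only one user's processes should control.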

     

  • Monitoring Windows events

    2019-10-05 07:50:18
    I spent an afternoon building a monitor for Windows events. The program can be reused to monitor any known event ID; in this case it monitors event 318.

    It then calls a console program I wrote myself, monitor, to send a text message:

    Const ForAppending = 8
    i = 0
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    ' start from an empty report on every run (DeleteFile fails if the file is missing)
    If objFSO.FileExists("d:\powershell\monitor.txt") Then objFSO.DeleteFile("d:\powershell\monitor.txt")
    Set objTextFile = objFSO.OpenTextFile _
        ("d:\powershell\monitor.txt", ForAppending, True)

    Const CONVERT_TO_LOCAL_TIME = True
    ' WMI stores TimeWritten as a CIM DATETIME string (yyyymmddHHMMSS.mmmmmm+UTC), so the day
    ' boundaries must go through SWbemDateTime before they can be compared in the query;
    ' comparing against a plain VBScript Date string matches nothing or everything.
    Set dtmStartDate = CreateObject("WbemScripting.SWbemDateTime")
    Set dtmEndDate = CreateObject("WbemScripting.SWbemDateTime")

    DateToCheck = Date
    dtmStartDate.SetVarDate DateToCheck, CONVERT_TO_LOCAL_TIME
    dtmEndDate.SetVarDate DateToCheck + 1, CONVERT_TO_LOCAL_TIME
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set colEvents = objWMIService.ExecQuery _
        ("Select * from Win32_NTLogEvent Where EventCode = 318 and TimeWritten >= '" _
        & dtmStartDate.Value & "' and TimeWritten < '" & dtmEndDate.Value & "'")
    objTextFile.WriteLine( "count:  " & i)
    For Each objEvent In colEvents
        i = i + 1
        objTextFile.WriteLine( objEvent.Category)
        objTextFile.WriteLine( "Computername: " & objEvent.ComputerName)
        objTextFile.WriteLine( "Event code: " & objEvent.EventCode)
        objTextFile.WriteLine( "message:  " & objEvent.Message)
        objTextFile.WriteLine( "event type:  " & objEvent.Type)
        objTextFile.WriteLine( "TimeWritten:  " & objEvent.TimeWritten)
        objTextFile.WriteLine( "count:  " & i)
    Next
    Set ws = WScript.CreateObject("WScript.Shell")
    If (i > 0) Then
        ' send the alert text message through the monitor console program
        ws.Run "cmd /c monitor.exe B COM+ error in the outbound-call system, please handle promptly"
    End If

    objTextFile.Close

    Reposted from: https://www.cnblogs.com/GoodLzp/archive/2009/05/13/1456211.html
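The same check done with Get-WinEvent, added here as an example and not part of the original post. FilterHashtable takes real DateTime values, so the day window needs no CIM DATETIME conversion, and the filter runs inside the event log service instead of pulling every Win32_NTLogEvent instance through WMI. Assumptions: the log is Application (the post does not name one), the report path and the alert command are taken from the post, and the last block is an addition: it looks for the log-cleared events 1102 (Security, readable only from an elevated session) and 104 (System), because a monitor that trusts the log should also notice when the log is wiped.

```powershell
# Added example (not the original VBScript): event-ID monitor with Get-WinEvent.
# Log name, report path and alert command are assumptions taken from the post's context.
function Get-EventHits {
    param(
        [string]$LogName = 'Application',
        [int[]]$Id = @(318),
        [datetime]$Start = (Get-Date).Date,              # local midnight today
        [datetime]$End = (Get-Date).Date.AddDays(1),     # local midnight tomorrow
        [string]$ComputerName = ''                       # empty = local machine
    )
    $params = @{
        FilterHashtable = @{ LogName = $LogName; Id = $Id; StartTime = $Start; EndTime = $End }
        ErrorAction     = 'SilentlyContinue'   # "No events were found" is reported as an error; treat it as an empty result
    }
    if ($ComputerName) { $params.ComputerName = $ComputerName }
    Get-WinEvent @params |
        Select-Object TimeCreated, MachineName, Id, ProviderName, LevelDisplayName, Message
}

function Write-EventReport {
    param([object[]]$Events, [string]$Path = 'd:\powershell\monitor.txt')
    "count: $($Events.Count)" | Set-Content -Path $Path          # overwrite the previous report
    $Events | Format-List | Out-String | Add-Content -Path $Path
}

$hits = @(Get-EventHits -LogName 'Application' -Id 318)
Write-EventReport -Events $hits
if ($hits.Count -gt 0) {
    # the post's alert hook (monitor.exe is the author's own tool, assumed to be on PATH)
    & 'monitor.exe' 'B' 'COM+ error in the outbound-call system, please handle promptly'
}

# Addition: a monitor that relies on the event log should also alert when the log is cleared.
# 1102 is written to Security when that log is cleared (needs an elevated session to read),
# 104 is written to System when the System log is cleared.
$cleared = @(Get-EventHits -LogName 'Security' -Id 1102) + @(Get-EventHits -LogName 'System' -Id 104)
if ($cleared.Count -gt 0) {
    "event log cleared $($cleared.Count) time(s) today"
    $cleared | Format-Table TimeCreated, MachineName, Id, ProviderName -AutoSize
}
```

Schedule it the same way as the VBScript (Task Scheduler, once per day or more often); for a recurring run, pass the previous run time as -Start so each event is reported once.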
  • Under Win7 ... scanning 空间回收\Windows事件 (Space reclaim \ Windows events) reports a function error. Environment: Win 7 x64 SP1 with the latest Dism++ (.100). This question comes from the open-source project: Chuyu-Team/Dism-Multi-language

    0x00 Functions

    ObReferenceObjectByHandle  // resolve a handle to its kernel object and take a reference on it

    ObDere­ferenceObject        // release that reference

    0x01 Code

    Desktop program

    #include <windows.h>
    #include <stdio.h>

    #define IOCTL_CREATE_EVENT CTL_CODE(FILE_DEVICE_UNKNOWN, 0x999, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA)

    HANDLE customEvent = NULL;   // event shared with the driver (its handle is passed in through the IOCTL)
    HANDLE handle = NULL;        // handle to \\.\EventDriver

    // Signals the event ten times, 1.5 s apart; the driver's system thread wakes on every signal.
    DWORD WINAPI ThreadProc(_In_ LPVOID lpParameter)
    {
        (void)lpParameter;
        for (int i = 0; i < 10; i++)
        {
            Sleep(1500);
            printf("\nThreadProc %d", i);
            SetEvent(customEvent);
        }
        printf("\nThreadProc end");

        // Closing our handle does not destroy the event: the driver still holds the
        // reference it took with ObReferenceObjectByHandle (see the analysis below).
        CloseHandle(customEvent);
        CloseHandle(handle);
        return 0;
    }

    int main(int argc, char* argv[])
    {
        HANDLE thread = NULL;
        LPCWSTR eventName = L"CustomEvent";
        DWORD BytesReturned = 0;
        (void)argc; (void)argv;

        printf("CreateFile\n");
        system("pause");

        handle = CreateFileW(L"\\\\.\\EventDriver", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
        if (handle == INVALID_HANDLE_VALUE)   // CreateFile is the one call here that reports failure this way
        {
            printf("handle INVALID_HANDLE_VALUE:%lu\n", GetLastError());
            system("pause");
            return 0;
        }

        printf("CreateEvent\n");
        customEvent = CreateEventW(NULL, FALSE, FALSE, eventName);   // auto-reset, initially non-signalled
        printf("main -> customEvent:%p \n", customEvent);
        if (customEvent == NULL)   // CreateEvent returns NULL on failure, not INVALID_HANDLE_VALUE
        {
            CloseHandle(handle);
            printf("CreateEvent failed:%lu\n", GetLastError());
            system("pause");
            return 0;
        }

        printf("DeviceIoControl\n");
        system("pause");

        // Hand the event handle to the driver; the driver reports 1 in BytesReturned on success.
        if (DeviceIoControl(handle, IOCTL_CREATE_EVENT, &customEvent, sizeof(HANDLE), NULL, 0, &BytesReturned, NULL))
        {
            if (BytesReturned)
            {
                printf("DeviceIoControl -> CreateThread");
                thread = CreateThread(NULL, 0, ThreadProc, NULL, 0, NULL);
                if (thread == NULL)   // CreateThread returns NULL on failure
                {
                    CloseHandle(handle);
                    CloseHandle(customEvent);
                    printf("CreateThread failed\n");
                    system("pause");
                    return 0;
                }
                printf("CreateThread success\n");
                CloseHandle(thread);   // the thread keeps running; only our handle to it is dropped
            }
            else
            {
                printf("DeviceIoControl BytesReturned -> FALSE ");
            }
        }
        else
        {
            printf("DeviceIoControl failed:%lu\n", GetLastError());
        }

        printf("main success\n");
        system("pause");   // returning ends the process, and with it ThreadProc if it is still running
        return 0;
    }

     

    Driver

    #include <ntddk.h>

    #define IOCTL_CREATE_EVENT CTL_CODE(FILE_DEVICE_UNKNOWN, 0x999, METHOD_BUFFERED, FILE_READ_DATA | FILE_WRITE_DATA)

    KSTART_ROUTINE KstartRoutine;

    VOID DriverUnload(PDRIVER_OBJECT DriverObject)
    {
        if (DriverObject->DeviceObject)
        {
            UNICODE_STRING SymbolicLinkName = { 0 };

            DbgPrint("DriverUnload->IoDeleteDevice");
            RtlInitUnicodeString(&SymbolicLinkName, L"\\??\\EventDriver");
            IoDeleteSymbolicLink(&SymbolicLinkName);
            IoDeleteDevice(DriverObject->DeviceObject);
        }
        // Note: a KstartRoutine thread that is still waiting would resume in unmapped code once the
        // driver image is gone. A production driver keeps a referenced PETHREAD for each system thread
        // it created and waits on it here before returning.
        DbgPrint("DriverUnload");
    }

    // System thread: wakes each time user mode signals the event and ends after 3 s without a signal.
    VOID KstartRoutine(PVOID StartContext)
    {
        PKEVENT pkEvent = (PKEVENT)StartContext;   // referenced object; released at the end of this routine
        LARGE_INTEGER Timeout = { 0 };
        NTSTATUS status = STATUS_SUCCESS;
        int i = 0;

        Timeout.QuadPart = -3LL * 10 * 1000 * 1000;   // relative timeout in 100 ns units: 3 seconds

        while (TRUE)
        {
            DbgPrint("pkEvent %p | KstartRoutine -> KeWaitForSingleObject Start", pkEvent);

            status = KeWaitForSingleObject(pkEvent, Executive, KernelMode, FALSE, &Timeout);   // wait
            i++;

            if (status != STATUS_SUCCESS)   // STATUS_TIMEOUT: no signal for 3 s, user mode is done
            {
                DbgPrint("pkEvent %p | KstartRoutine -> KeWaitForSingleObject Timeout index:%d ", pkEvent, i);
                break;
            }

            DbgPrint("pkEvent %p | KstartRoutine -> KeWaitForSingleObject End, index:%d ", pkEvent, i);
        }

        DbgPrint("pkEvent %p | KstartRoutine End", pkEvent);
        ObDereferenceObject(pkEvent);   // last use of pkEvent is above, so the reference can go now
        PsTerminateSystemThread(STATUS_SUCCESS);
    }

    NTSTATUS MyDispatchControl(PDEVICE_OBJECT DeviceObject, PIRP Irp)
    {
        NTSTATUS status = STATUS_SUCCESS;
        HANDLE customEvent = NULL;
        HANDLE thread = NULL;
        PKEVENT pkEvent = NULL;
        PIO_STACK_LOCATION IrpSp = IoGetCurrentIrpStackLocation(Irp);   // current stack location: control code and buffer lengths

        UNREFERENCED_PARAMETER(DeviceObject);
        DbgPrint("MyDispatchControl");

        switch (IrpSp->Parameters.DeviceIoControl.IoControlCode)   // control code passed from user mode
        {
        case IOCTL_CREATE_EVENT:
            // IoStatus.Information is what user mode sees as BytesReturned; this sample uses 1/0 as a success flag.
            Irp->IoStatus.Information = 1;

            if (IrpSp->Parameters.DeviceIoControl.InputBufferLength != sizeof(HANDLE))
            {
                Irp->IoStatus.Information = 0;
                status = STATUS_INVALID_PARAMETER;
                break;
            }
            RtlCopyMemory(&customEvent, Irp->AssociatedIrp.SystemBuffer, sizeof(HANDLE));   // METHOD_BUFFERED: input is in SystemBuffer
            DbgPrint("MyDispatchControl ->  customEvent : %p", customEvent);

            // The handle belongs to the caller's handle table, so the lookup must run with the caller's
            // access mode (UserMode for an IOCTL issued from user mode). KernelMode here would skip the
            // access check on the handle and also accept kernel-handle values the caller could not use itself.
            status = ObReferenceObjectByHandle(customEvent, SYNCHRONIZE, *ExEventObjectType,
                                               Irp->RequestorMode, (PVOID*)&pkEvent, NULL);
            if (!NT_SUCCESS(status))
            {
                DbgPrint("MyDispatchControl -> ObReferenceObjectByHandle failed: %x", status);
                Irp->IoStatus.Information = 0;
                break;
            }
            DbgPrint("MyDispatchControl -> ObReferenceObjectByHandle status: %x pkEvent:%p ", status, pkEvent);

            // The system thread takes over the reference and drops it when it exits.
            status = PsCreateSystemThread(&thread, THREAD_ALL_ACCESS, NULL, NULL, NULL, KstartRoutine, pkEvent);
            if (!NT_SUCCESS(status))
            {
                DbgPrint("MyDispatchControl -> PsCreateSystemThread failed");
                ObDereferenceObject(pkEvent);   // no thread will release it, so do it here
                Irp->IoStatus.Information = 0;
                break;
            }
            DbgPrint("MyDispatchControl -> PsCreateSystemThread %p", thread);
            ZwClose(thread);   // the handle is not needed; the thread keeps running
            break;

        default:
            DbgPrint("MyDispatchControl::switch->default");
            Irp->IoStatus.Information = 0;
            status = STATUS_INVALID_DEVICE_REQUEST;
            break;
        }

        Irp->IoStatus.Status = status;             // completion status of the IRP
        IoCompleteRequest(Irp, IO_NO_INCREMENT);   // all processing of this IRP is done
        return status;
    }

    // IRP_MJ_CREATE (CreateFile), IRP_MJ_CLEANUP (last handle closed) and IRP_MJ_CLOSE (last reference
    // released) need no work here; each is completed successfully with no additional information.
    NTSTATUS MyDispatchCreate(PDEVICE_OBJECT DeviceObject, PIRP Irp)
    {
        UNREFERENCED_PARAMETER(DeviceObject);
        DbgPrint("MyDispatchCreate");
        Irp->IoStatus.Information = 0;
        Irp->IoStatus.Status = STATUS_SUCCESS;
        IoCompleteRequest(Irp, IO_NO_INCREMENT);
        return STATUS_SUCCESS;
    }

    NTSTATUS MyDispatchCleanUp(PDEVICE_OBJECT DeviceObject, PIRP Irp)
    {
        UNREFERENCED_PARAMETER(DeviceObject);
        DbgPrint("MyDispatchCleanUp");
        Irp->IoStatus.Information = 0;
        Irp->IoStatus.Status = STATUS_SUCCESS;
        IoCompleteRequest(Irp, IO_NO_INCREMENT);
        return STATUS_SUCCESS;
    }

    NTSTATUS MyDispatchClose(PDEVICE_OBJECT DeviceObject, PIRP Irp)
    {
        UNREFERENCED_PARAMETER(DeviceObject);
        DbgPrint("MyDispatchClose");
        Irp->IoStatus.Information = 0;
        Irp->IoStatus.Status = STATUS_SUCCESS;
        IoCompleteRequest(Irp, IO_NO_INCREMENT);
        return STATUS_SUCCESS;
    }

    NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
    {
        NTSTATUS status = STATUS_SUCCESS;
        PDEVICE_OBJECT DeviceObject = NULL;
        UNICODE_STRING DeviceName = { 0 };
        UNICODE_STRING SymbolicLinkName = { 0 };

        UNREFERENCED_PARAMETER(RegistryPath);
        DbgPrint("DriverEntry");

        // unload routine
        DriverObject->DriverUnload = DriverUnload;

        // create the device object (no device extension is used, hence size 0; exclusive = one open at a time)
        RtlInitUnicodeString(&DeviceName, L"\\Device\\EventDriver");
        status = IoCreateDevice(DriverObject, 0, &DeviceName, FILE_DEVICE_UNKNOWN, 0, TRUE, &DeviceObject);
        if (!NT_SUCCESS(status))
        {
            DbgPrint("DriverEntry->IoCreateDevice failed");
            return status;
        }

        // DO_BUFFERED_IO selects buffered I/O for IRP_MJ_READ/WRITE. For IOCTLs the buffering method comes
        // from the METHOD_ bits of the control code, so METHOD_BUFFERED uses SystemBuffer with or without
        // this flag. Use |= rather than = so the other flag bits survive.
        DeviceObject->Flags |= DO_BUFFERED_IO;

        // symbolic link so user mode can open \\.\EventDriver
        RtlInitUnicodeString(&SymbolicLinkName, L"\\??\\EventDriver");
        status = IoCreateSymbolicLink(&SymbolicLinkName, &DeviceName);
        if (!NT_SUCCESS(status))
        {
            DbgPrint("DriverEntry->IoCreateSymbolicLink failed");
            IoDeleteDevice(DeviceObject);
            return status;
        }

        DriverObject->MajorFunction[IRP_MJ_CREATE] = MyDispatchCreate;            // CreateFile
        DriverObject->MajorFunction[IRP_MJ_CLEANUP] = MyDispatchCleanUp;          // CloseHandle (last handle)
        DriverObject->MajorFunction[IRP_MJ_CLOSE] = MyDispatchClose;              // CloseHandle (last reference)
        DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = MyDispatchControl;   // DeviceIoControl with our control code

        DbgPrint("DriverEntry Success");
        return status;
    }

     

    0x02 Analysis

    Releasing the resource:

    The driver releases its reference with ObDereferenceObject(pkEvent);

    The desktop program releases its handle with CloseHandle(customEvent);

    If the driver dropped pkEvent before calling KeWaitForSingleObject(pkEvent, Executive, KernelMode, FALSE, &Timeout), and the desktop program had also closed customEvent, nothing would hold the event any more: the object manager frees it, and the later KeWaitForSingleObject receives a dangling pointer as its first argument. That is a use-after-free in kernel mode, and the usual outcome is a bug check.

    So always release a handle or a kernel reference only after its last use; releasing early is exactly what produces this problem. Note that it is the reference count, not the user-mode handle, that keeps the object alive: CloseHandle in ThreadProc is safe precisely because the driver's reference from ObReferenceObjectByHandle outlives it.

    Two further checks a reviewer would want on this sample. First, a handle that arrives through an IOCTL belongs to the caller's handle table, so ObReferenceObjectByHandle must be called with AccessMode = UserMode (Irp->RequestorMode) for it; passing KernelMode skips the access check on that handle, so a caller could hand over a handle that was never granted the requested right, or a kernel-handle value it could not use itself. Second, DriverUnload does not wait for the system thread; if the driver is unloaded while KstartRoutine is still waiting, the thread resumes in memory that is no longer mapped.
  • Windows trigger event ID description

    2020-07-08 13:44:20
    Windows events and scheduled task operations. Event ID  Description  0 The operation completed successfully. 1 Incorrect function. 2 The system cannot find the file specified. 3 The system cannot find the path specified. 4 The system cannot open the file. 5 Access is denied. 6 The handle is invalid. 7 The storage control...
  • Complete list of Windows event IDs with explanations

    2019-12-10 21:23:40
    0 The operation completed successfully.  1 Incorrect function.  2 The system cannot find the file specified.  3 The system cannot find the path specified.  4 The system cannot open the file.  5 Access is denied.  6 The handle is invalid.  7 The storage control blocks were destroyed.  8 Not enough storage is available to process this...
  • winEvHook := SetWinEventHook(EVENT_SYSTEM_FOREGROUND, EVENT_SYSTEM_FOREGROUND, 0 , ActiveWinEventHook, 0, 0, WINEVENT_OUTOFCONTEXT|WINEVENT_SKIPOWNPROCESS ) log.Println("Windows Event Hook: ") log....
  • 1. Control Panel ...Event code: 3005 ...Event message: An unhandled exception has occurred. ...Event time: 2011-11-05 12:00:03 ...Event time (UTC): 2011-11-05 04:00:03 ...Event ID: f3824ee946ca43ed8e67ba...Event detail code: 0   Application
  • Windows NT event log explained

    2008-01-20 09:21:00
    Windows NT event log explained. Original author: NtWak0. Translated and compiled by: 补天-苏樱. Summary: what follows is a very good, in-depth article about the Windows NT event log. Logs are usually managed with an audit machine or some kind of tool. The article also covers: when a user is...
  • Introduction to Windows event IDs

    2012-10-29 17:26:10
    Windows event IDs and explanations (XP, 2000, 2003) [repost] (range: 0 to 5073) Code  Error message  0 The operation completed successfully. 1 Incorrect function. 2 The system cannot find the file specified. 3 The system cannot find the path specified. 4 The system cannot...
  • Analysing Windows event error codes

    2009-09-17 09:37:00
    I found some log code lookup tables online; here is the table: Code  Meaning  0 0x00000000 The operation completed. 1 0x00000001 Incorrect function. 2 0x00000002 The system cannot find the file specified. 3 0x00000003 The system cannot find the path specified. 4 0x00000004 ...
  • #include <stdio.h>...Windows.h> #include <process.h> using namespace std; HANDLE sem_add, sem_subtract; int val(0); unsigned ...
  • 0 The operation completed successfully. 1 Incorrect function. 2 The system cannot find the file specified. 3 The system cannot find the path specified. 4 The system cannot open the file. 5 Access is denied. 6 The handle is invalid. 7 The storage control blocks were destroyed. 8 Not enough storage is available to process this command. 9 The storage control block address...
  • Catching the Windows shutdown event in WPF

    2014-06-26 10:06:00
    private const int SC_SCREENSAVE = 0xF140; private const int WM_QUERYENDSESSION = 0x0011; private bool IsScreenSave = false; private bool IsWindowStopClosing =...
  • How to use the information in the Windows Event Viewer to solve problems you actually run into; below are some lessons I have drawn from online discussions and practice. The following error kept appearing in Event Viewer. Event type: Error. Event source: TermServDevices. Event category: None. Event ID:...
  • Order of events in Windows Forms (WinForm). Quoting MSDN for later reference. Source: https://msdn.microsoft.com/zh-cn/library/86faxx0d.aspx Application startup and shutdown events. The Form and Control classes expose a set of events related to application...
  • A while ago I wanted to try the Google Plus video hangout feature and found that installing the Google voice plugin failed every time (yukon12345: I was installing Chrome on CSDN to earn download points...). "Google Update installation failed, error code: 0xa043071f". First, it is clearly not a network problem, because...
  • Windows NT event log explained (repost). Windows NT event log explained. Original author: NtWak0. Translated and compiled by: 补天-苏樱. Summary: what follows is about the Window...
  • In the Windows Event Viewer there is an error after the server starts: Faulting application name: httpd.exe, version: 2.4.17.0, time stamp: 0x561e1e32. Faulting module name: ntdll.dll, version: 6.1.7601.18798, time stamp: 0x5507b3e0. Exception code: 0xc0000005. Error...
  • 1. The log is actually saying that NETWORK SERVICE does not have permission to activate the application with CLSID {61738644-F196-11D0-9953-00C04FD919C1}; this permission can be changed with the Component Services management tool. 2. Run regedit and find C... in the registry
  • 1: declare an array bool keys[256]; 2: in the message handler set these two: case WM_KEYDOWN: // Is A Key Being Held Down? { keys[wParam] = TRUE;... return 0; // Jump Back }
  • http://msdn.microsoft.com/en-us/library/86faxx0d.aspx   Application Startup and Shutdown Events   ControlHandleCreated ControlBindingContextChanged FormLoad ControlVisibleCha
  • [20170227] A script for fuzzy-searching Oracle events on Windows.txt $ cat ooerr.bat @@echo off rem disp oracle error rem /bin/grep ^10[0-9][0-9][0-9] $ORACLE_HOME/rdbms/mesg/oraus.msg ...
  • Functions at the level of CreateEvent only ...the system error codes are also listed only for 0-499; the other numbers can be looked up there too. WaitForSingleObject http://msdn.microsoft.com/en-us/library/windows/desktop/ms687032(v=vs.85).aspx ev...

Keyword: Windows event 0