Windows 驅動:像 DbgPrintf 一樣將調試資訊輸出到檔案


運用的技術跟應用程式層大體一致,倒是互斥的問題困擾了我很久。一開始使用的是 FastMutex,但是它會把 IRQL 提升到 APC_LEVEL,而寫檔案的服務函數只能在 PASSIVE_LEVEL 下執行,最後只好改用 Event。

範例程式碼說明:

GetCurrentTimeString() 詳見前文:Windows 驅動中擷取系統目前時間,產生格式字串

GetCurrentProcessName() 詳見前文:Windows 驅動:擷取當前進程名

範例程式碼:

#include <stdarg.h>

//
// Enable log event: for synchronization
//
// Used as the lock that serializes log writers: Dbg_LoadInit() initializes
// it as an initially-signaled SynchronizationEvent, WaitForWriteMutex()
// waits on it and ReleaseWriteMutex() signals it again.
//
static KEVENT   gs_eventEnableKeLog;

//----------------------------------------------------------------------
//
// initialization interface
//
//----------------------------------------------------------------------
//
// Set up the module-global state while the driver is loading.
// Call once from DriverEntry(), before anything waits on the log event
// (DbgKeLog() does, through WaitForWriteMutex()).
//
// Always returns STATUS_SUCCESS.
//
NTSTATUS
Dbg_LoadInit()
{
    NTSTATUS status = STATUS_SUCCESS;

    // SynchronizationEvent, created in the signaled state (TRUE), so the
    // first waiter gets through immediately.
    KeInitializeEvent(&gs_eventEnableKeLog, SynchronizationEvent, TRUE);

    return status;
}

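//
// Acquire the log-writer lock (gs_eventEnableKeLog used as a mutex).
//
// Blocks without a timeout, so it must only be called where waiting is
// allowed (DbgKeLog() checks for PASSIVE_LEVEL before calling).
//
// The wait is deliberately NOT alertable. With Alertable == TRUE the call can
// return STATUS_ALERTED before the event was ever signaled; since the status
// was ignored, the caller would enter the critical section without owning the
// lock and later "release" it on behalf of the real owner. In this file that
// means two threads formatting into DbgKeLog()'s shared static buffer at the
// same time.
//
static void WaitForWriteMutex()
{
    // KernelMode + non-alertable + NULL timeout: the call returns only once
    // the event has been acquired. A SynchronizationEvent is reset
    // automatically when a wait on it is satisfied, so the extra
    // KeClearEvent() the original issued is not needed.
    (VOID)KeWaitForSingleObject(&gs_eventEnableKeLog,
                                Executive,
                                KernelMode,
                                FALSE,
                                NULL);
}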
//
// Release the log-writer lock by signaling gs_eventEnableKeLog again.
// Pair every WaitForWriteMutex() with exactly one call to this function.
//
static void ReleaseWriteMutex()
{
    // No priority boost (IO_NO_INCREMENT is 0); Wait == FALSE because no
    // KeWaitXxx call follows immediately.
    (VOID)KeSetEvent(&gs_eventEnableKeLog, IO_NO_INCREMENT, FALSE);
}
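//----------------------------------------------------------------------
//
// DbgKeLog
//
// Trace to file: formats one printf-style message, prefixes it with
// "[time][process:pid] " and appends it to the fixed log file.
//
// Parameters:
//   lpszLog - printf-style format string, followed by its arguments.
//             It must be a constant chosen by the driver author. Text
//             that originates outside the driver belongs in the
//             arguments (DbgKeLog("%s", text)), never in the format.
//
// Returns:
//   TRUE  - the line was written.
//   FALSE - IRQL above PASSIVE_LEVEL, the file could not be opened or
//           written, or an exception was raised while logging.
//
// Notes:
//   - Dbg_LoadInit() must have run first; the lock event is set up there.
//   - Output that does not fit the 1024-byte buffer is truncated.
//   - The __except handler is a last resort only. NOTE(review): a bad
//     "%s" argument pointing at invalid kernel memory typically
//     bug-checks instead of reaching the handler - confirm callers.
//
//----------------------------------------------------------------------
BOOLEAN
DbgKeLog(LPCSTR lpszLog, ...)
{
    // NT object-manager path of the log file. The published listing showed
    // every backslash as a forward slash ("//??//C://KeLog.log", "/n"),
    // which is neither a valid object path nor a newline escape.
    static WCHAR s_szLogFile[] = L"\\??\\C:\\KeLog.log";

    // Shared formatting buffer; only touched while the write lock is held.
    static CHAR s_szBuffer[1024];

    BOOLEAN bWritten = FALSE;
    HANDLE FileHandle = NULL;

    if (KeGetCurrentIrql() > PASSIVE_LEVEL)
    {
        TOKdPrint(("TKeHook: KeLog: IRQL too high...\n"));
        return FALSE;
    }
    PAGED_CODE();

    WaitForWriteMutex();

    __try
    {
        IO_STATUS_BLOCK IoStatus;
        OBJECT_ATTRIBUTES objectAttributes;
        UNICODE_STRING fileName;
        NTSTATUS status;

        // Describe the static path in place. No pool allocation is needed,
        // so there is nothing to leak if an exception unwinds this block.
        fileName.Buffer = s_szLogFile;
        fileName.Length = (USHORT)(sizeof(s_szLogFile) - sizeof(WCHAR));
        fileName.MaximumLength = (USHORT)sizeof(s_szLogFile);

        // OBJ_KERNEL_HANDLE: this routine runs in whatever process context
        // the caller happens to be in. Without the flag the handle is
        // created in that process's handle table, where user-mode code in
        // the process can reach it.
        InitializeObjectAttributes(&objectAttributes,
                                   &fileName,
                                   OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                                   NULL,
                                   NULL);

        // SYNCHRONIZE is the documented companion of
        // FILE_SYNCHRONOUS_IO_NONALERT in DesiredAccess.
        status = ZwCreateFile(&FileHandle,
                              FILE_APPEND_DATA | SYNCHRONIZE,
                              &objectAttributes,
                              &IoStatus,
                              NULL,
                              FILE_ATTRIBUTE_NORMAL,
                              FILE_SHARE_WRITE,
                              FILE_OPEN_IF,
                              FILE_SYNCHRONOUS_IO_NONALERT,
                              NULL,
                              0);

        if (NT_SUCCESS(status))
        {
            // Both formatting calls are limited to sizeof - 1 bytes, so the
            // last byte of the zeroed buffer always stays a terminator.
            const size_t cchLimit = sizeof(s_szBuffer) - 1;
            size_t cchUsed;
            va_list pArglist;

            RtlZeroMemory(s_szBuffer, sizeof(s_szBuffer));

            // Prefix: time, process name, process id. "%16s" is a minimum
            // width, so the prefix has no fixed upper bound; the original
            // unbounded sprintf() plus a hard-coded "1024 - 32" limit for
            // the message could run past the end of the buffer.
            _snprintf(s_szBuffer, cchLimit, "[%s][%16s:%u] ",
                      GetCurrentTimeString(),
                      GetCurrentProcessName(),
                      (ULONG)(ULONG_PTR)PsGetCurrentProcessId());
            cchUsed = strlen(s_szBuffer);

            // Message: gets exactly the space the prefix left over. On
            // truncation the text that fit is kept, not discarded.
            va_start(pArglist, lpszLog);
            _vsnprintf(s_szBuffer + cchUsed, cchLimit - cchUsed,
                       lpszLog, pArglist);
            va_end(pArglist);
            cchUsed = strlen(s_szBuffer);

            status = ZwWriteFile(FileHandle,
                                 NULL,
                                 NULL,
                                 NULL,
                                 &IoStatus,
                                 s_szBuffer,
                                 (ULONG)cchUsed,
                                 NULL,
                                 NULL);
            bWritten = NT_SUCCESS(status) ? TRUE : FALSE;
        }
        else
        {
            // Do not trust the out parameter after a failed create.
            FileHandle = NULL;
        }
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        TOKdPrint(("TKeHook: DbgKeLog() except: 0x%x !!\n", GetExceptionCode()));
        bWritten = FALSE;
    }

    // Single exit path: the handle is closed and the lock released exactly
    // once, whether or not an exception occurred.
    if (FileHandle != NULL)
    {
        ZwClose(FileHandle);
    }
    ReleaseWriteMutex();

    return bWritten;
}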
