怎么在Widows11中加载驱动程序

方法一:使用微软提供的DriverMonitor.exe加载

方法二:使用命令行创建服务加载

1
2
3
4
#1.创建服务
#2.启动驱动
#3.关闭驱动
#4.卸载驱动

管理员打开cmd加载驱动

1
sc create guidehacking type= kernel binpath="D:\Desktop\test\visual\studio\Hacking\Hacking\x64\Release\Hacking.sys"

使用debugView并勾选Caputure kernel

开始运行驱动

1
sc start guidedhacking

cmd停止驱动

1
sc stop guidedhacking

方法三:使用C语言程序调用系统命令加载

✅ 使用 popen() 调用 sc 命令并获取输出的完整 C 程序

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// 执行命令并获取其标准输出
void ExecuteCommand(const char* cmd) {
    printf("执行命令: %s\n", cmd);
    
    FILE* pipe = _popen(cmd, "r");
    if (!pipe) {
        perror("popen 失败");
        return;
    }

    char buffer[512];
    while (fgets(buffer, sizeof(buffer), pipe)) {
        printf("%s", buffer);  // 打印命令输出内容
    }

    int status = _pclose(pipe);
    if (status == -1) {
        perror("_pclose 失败");
    } else {
        printf("命令退出码: %d\n", status);
    }
}

void RegisterDriver(const char* driverName, const char* driverPath) {
    char cmd[1024];
    snprintf(cmd, sizeof(cmd),
             "sc create %s type= kernel start= demand binPath= \"%s\"",
             driverName, driverPath);
    ExecuteCommand(cmd);
}

void StartDriver(const char* driverName) {
    char cmd[512];
    snprintf(cmd, sizeof(cmd), "sc start %s", driverName);
    ExecuteCommand(cmd);
}

void StopDriver(const char* driverName) {
    char cmd[512];
    snprintf(cmd, sizeof(cmd), "sc stop %s", driverName);
    ExecuteCommand(cmd);
}

void DeleteDriver(const char* driverName) {
    char cmd[512];
    snprintf(cmd, sizeof(cmd), "sc delete %s", driverName);
    ExecuteCommand(cmd);
}

int main(int argc, char* argv[]) {
    if (argc < 3) {
        fprintf(stderr, "用法: %s <register|start|stop|delete> <驱动服务名> [驱动路径]\n", argv[0]);
        return 1;
    }

    const char* cmd = argv[1];
    const char* driverName = argv[2];

    if (strcmp(cmd, "register") == 0) {
        if (argc < 4) {
            fprintf(stderr, "注册驱动时需要提供驱动文件路径。\n");
            return 1;
        }
        RegisterDriver(driverName, argv[3]);
    }
    else if (strcmp(cmd, "start") == 0) {
        StartDriver(driverName);
    }
    else if (strcmp(cmd, "stop") == 0) {
        StopDriver(driverName);
    }
    else if (strcmp(cmd, "delete") == 0) {
        DeleteDriver(driverName);
    }
    else {
        fprintf(stderr, "未知命令: %s\n", cmd);
        return 1;
    }

    return 0;
}

✅ 运行示例

1
2
3
4
DriverPopen.exe register MyDriver C:\Drivers\MyDriver.sys
DriverPopen.exe start MyDriver
DriverPopen.exe stop MyDriver
DriverPopen.exe delete MyDriver

方法四:编写C语言程序创建服务加载

  1. main.cpp
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
// main.cpp
#include "driver_loader.h"
#include <stdio.h>
#include <string.h>
/*
    LoadDriver register HelloWorld.sys C:\Users\10\Desktop\HelloWorld.sys
    LoadDriver start HelloWorld.sys
    LoadDriver stop HelloWorld.sys
    LoadDriver unload HelloWorld.sys
*/
int main(int argc, char* argv[]) {
    if (argc < 3) {
        fprintf(stderr, "用法: %s <register|start|stop|unload> <DriverName> [DriverPath]\n", argv[0]);
        return 1;
    }

    const char* cmd = argv[1];
    const char* name = argv[2];
    DWORD ret = ERROR_INVALID_PARAMETER;

    if (strcmp(cmd, "register") == 0) {
        if (argc < 4) {
            fprintf(stderr, "注册时需指定驱动文件路径\n");
            return 1;
        }
        ret = RegisterDriver(name, argv[3]);
    }
    else if (strcmp(cmd, "start") == 0) {
        ret = StartDriver(name);
    }
    else if (strcmp(cmd, "stop") == 0) {
        ret = StopDriver(name);
    }
    else if (strcmp(cmd, "unload") == 0) {
        ret = UnloadDriver(name);
    }
    else {
        fprintf(stderr, "未知命令: %s\n", cmd);
        return 1;
    }

    return (ret == ERROR_SUCCESS) ? 0 : 1;
}

  1. error_util.h

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    // error_util.h
    #ifndef ERROR_UTIL_H
    #define ERROR_UTIL_H

    #include <windows.h>

    // 将失败的函数名和 GetLastError() 一并格式化输出到 stderr
    void PrintError(const char* funcName, DWORD error);

    #endif // ERROR_UTIL_H

  2. driver_loader.h

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    // driver_loader.h
    #ifndef DRIVER_LOADER_H
    #define DRIVER_LOADER_H

    #include <windows.h>

    // 注册(创建)驱动服务,driverPath 为 .sys 文件的绝对路径
    DWORD RegisterDriver(const char* driverName, const char* driverPath);

    // 启动驱动服务
    DWORD StartDriver(const char* driverName);

    // 停止驱动服务
    DWORD StopDriver(const char* driverName);

    // 卸载(删除)驱动服务
    DWORD UnloadDriver(const char* driverName);

    #endif // DRIVER_LOADER_H

  3. error_util.cpp

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    // error_util.cpp
    #include "error_util.h"
    #include <windows.h>
    #include <stdio.h>

    void PrintError(const char* funcName, DWORD error) {
        LPVOID msgBuf = nullptr;
        FormatMessageA(
            FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
            nullptr,
            error,
            MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
            (LPSTR)&msgBuf,
            0,
            nullptr
        );
        fprintf(stderr, "%s failed (0x%08lX): %s\n", funcName, error, msgBuf ? (char*)msgBuf : "Unknown error");
        if (msgBuf) LocalFree(msgBuf);
    }

  4. driver_loader.cpp

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60
    61
    62
    63
    64
    65
    66
    67
    68
    69
    70
    71
    72
    73
    74
    75
    76
    77
    78
    79
    80
    81
    82
    83
    84
    85
    86
    87
    88
    89
    90
    91
    92
    93
    94
    95
    // driver_loader.cpp
    #include "driver_loader.h"
    #include "error_util.h"
    #include <windows.h>

    // Helper: 打开 SCM
    static SC_HANDLE OpenSCM(DWORD access) {
        SC_HANDLE h = OpenSCManagerA(nullptr, nullptr, access);
        if (!h) PrintError("OpenSCManager", GetLastError());
        return h;
    }

    // Helper: 打开已存在的服务
    static SC_HANDLE OpenDriverService(const char* name, DWORD access) {
        SC_HANDLE hSCM = OpenSCM(SC_MANAGER_CONNECT);
        if (!hSCM) return nullptr;
        SC_HANDLE hSvc = OpenServiceA(hSCM, name, access);
        if (!hSvc) PrintError("OpenService", GetLastError());
        CloseServiceHandle(hSCM);
        return hSvc;
    }

    DWORD RegisterDriver(const char* driverName, const char* driverPath) {
        SC_HANDLE hSCM = OpenSCM(SC_MANAGER_CREATE_SERVICE);
        if (!hSCM) return GetLastError();

        SC_HANDLE hSvc = CreateServiceA(
            hSCM,
            driverName,                // 服务名
            driverName,                // 显示名
            SERVICE_START | SERVICE_STOP | DELETE,
            SERVICE_KERNEL_DRIVER,     // 驱动类型
            SERVICE_DEMAND_START,      // 手动启动
            SERVICE_ERROR_NORMAL,
            driverPath,                // .sys 文件路径
            nullptr, nullptr, nullptr, nullptr, nullptr
        );
        if (!hSvc) {
            DWORD err = GetLastError();
            PrintError("CreateService", err);
            CloseServiceHandle(hSCM);
            return err;
        }

        CloseServiceHandle(hSvc);
        CloseServiceHandle(hSCM);
        return ERROR_SUCCESS;
    }

    DWORD StartDriver(const char* driverName) {
        SC_HANDLE hSvc = OpenDriverService(driverName, SERVICE_START);
        if (!hSvc) return GetLastError();

        if (!StartServiceA(hSvc, 0, nullptr)) {
            DWORD err = GetLastError();
            PrintError("StartService", err);
            CloseServiceHandle(hSvc);
            return err;
        }

        CloseServiceHandle(hSvc);
        return ERROR_SUCCESS;
    }

    DWORD StopDriver(const char* driverName) {
        SC_HANDLE hSvc = OpenDriverService(driverName, SERVICE_STOP | SERVICE_QUERY_STATUS);
        if (!hSvc) return GetLastError();

        SERVICE_STATUS status = {};
        if (!ControlService(hSvc, SERVICE_CONTROL_STOP, &status)) {
            DWORD err = GetLastError();
            PrintError("ControlService(STOP)", err);
            CloseServiceHandle(hSvc);
            return err;
        }

        CloseServiceHandle(hSvc);
        return ERROR_SUCCESS;
    }

    DWORD UnloadDriver(const char* driverName) {
        SC_HANDLE hSvc = OpenDriverService(driverName, DELETE);
        if (!hSvc) return GetLastError();

        if (!DeleteService(hSvc)) {
            DWORD err = GetLastError();
            PrintError("DeleteService", err);
            CloseServiceHandle(hSvc);
            return err;
        }

        CloseServiceHandle(hSvc);
        return ERROR_SUCCESS;
    }

方法五:使用其他工具加载

  1. 驱动加载 DriverKit
  2. [原创]编写驱动加载程序
  3. KmdManager驱动加载调试工具