1.驱动输出函数

1. KdPrint函数

#include<ntifs.h>

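/*
 * Unload routine: the I/O manager calls it when the driver is unloaded, but
 * only if DriverEntry stores this function in DriverObject->DriverUnload.
 *
 * @param DriverObject  the driver being unloaded; printed for tracing.
 */
void DriverUnload(PDRIVER_OBJECT DriverObject)
{
    /* KdPrint expands to `DbgPrint _x_`, so the whole argument list must sit in
     * a second pair of parentheses: the original single-parenthesis call does
     * not compile in checked (DBG) builds and expands to nothing in free builds.
     * It also used %p without supplying an argument, which is undefined
     * behaviour (a missing variadic argument). */
    KdPrint(("qi:进入卸载例程DriverObject=%p", DriverObject));
}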
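/*
 * DriverEntry: the driver's entry point, called once when the driver loads.
 *
 * @param DriverObject  driver object supplied by the I/O manager.
 * @param RegistryPath  the driver's service key (unused in this listing).
 * @return STATUS_SUCCESS so the driver stays loaded.
 */
NTSTATUS
DriverEntry(
    _In_ PDRIVER_OBJECT DriverObject,
    _In_ PUNICODE_STRING RegistryPath
)
{
    UNREFERENCED_PARAMETER(RegistryPath);

    /* Without this assignment the I/O manager never calls DriverUnload and
     * the driver cannot be stopped without a reboot. */
    DriverObject->DriverUnload = DriverUnload;

    /* Double parentheses: KdPrint expands to `DbgPrint _x_`. The %p now has
     * the argument the original omitted. */
    KdPrint(("qi;进入 DriverEntry入口点DriverObject=%p\n", DriverObject));
    return STATUS_SUCCESS;
}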

2. DbgPrintEx函数

#include <ntifs.h>

#pragma warning (disable : 4100)

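/*
 * Unload routine registered by DriverEntry.
 *
 * NOTE(review): the DRIVER_UNLOAD prototype returns VOID; the NTSTATUS
 * returned here is ignored by the I/O manager and makes the pointer assignment
 * in DriverEntry a type mismatch. Kept as NTSTATUS to match the page.
 *
 * @param pDriverObject  the driver being unloaded (unused).
 * @return STATUS_SUCCESS.
 */
NTSTATUS UnloadDriver(PDRIVER_OBJECT pDriverObject)
{
    UNREFERENCED_PARAMETER(pDriverObject);

    /* DbgPrintEx takes (ComponentId, Level, Format, ...); the original passed
     * the format string as the first argument, which does not match the
     * prototype. Component 0 / level 0 (the error level, shown by the default
     * filter) match the other listings on this page. */
    DbgPrintEx(0, 0, "qi:goodbye!");
    return STATUS_SUCCESS;
}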

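/*
 * DriverEntry: registers the unload routine and emits two trace messages.
 *
 * @param pDriverObject  driver object from the I/O manager.
 * @param pRegistryPath  the driver's service key (unused).
 * @return STATUS_SUCCESS.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
    UNREFERENCED_PARAMETER(pRegistryPath);

    pDriverObject->DriverUnload = UnloadDriver;
    DbgPrintEx(0, 0, "Message!");
    /* The original called DebugMessage(), which this listing never defines
     * (it is introduced as a macro in a later listing on this page), so the
     * listing did not build on its own. Call DbgPrintEx directly with the same
     * component/level instead. */
    DbgPrintEx(0, 0, "qi:Welcome to the first Driver!");

    return STATUS_SUCCESS;
}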

3. DbgPrint函数

#include <ntddk.h>

/*
 * Unload routine registered by DriverEntry; logs a trace line and reports
 * success. (DRIVER_UNLOAD is declared VOID by the WDK; the NTSTATUS return
 * value is never read by the I/O manager.)
 *
 * @param DriverObject  the driver being unloaded (unused).
 * @return STATUS_SUCCESS.
 */
NTSTATUS UnloadDriver(PDRIVER_OBJECT DriverObject)
{
    NTSTATUS status = STATUS_SUCCESS;

    (void)DriverObject; /* only a trace message is produced here */
    DbgPrint("qi:Unloaded Successfully!");

    return status;
}

/*
 * DriverEntry: installs the unload routine and logs a trace line.
 *
 * @param DriverObject  driver object from the I/O manager.
 * @param RegistryPath  the driver's service key (unused).
 * @return STATUS_SUCCESS.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    (void)RegistryPath;

    /* Register the unload routine first so the driver can always be stopped. */
    DriverObject->DriverUnload = UnloadDriver;

    DbgPrint("qi:Loaded Successfully!");
    return STATUS_SUCCESS;
}

2.打印其他信息

打印DriverObject地址

#include<ntifs.h>

/*
 * Unload routine: prints the driver object's address when the driver is
 * unloaded. Runs only if DriverEntry stored it in DriverObject->DriverUnload.
 *
 * @param DriverObject  the driver being unloaded.
 */
void DriverUnload(PDRIVER_OBJECT DriverObject)
{
    /* Double parentheses are required: KdPrint expands to `DbgPrint _x_`. */
    KdPrint(("qi:进入卸载例程DriverObject=%p", DriverObject));
}
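/*
 * DriverEntry: prints the driver object's address and registers the unload
 * routine.
 *
 * @param DriverObject  driver object supplied by the I/O manager.
 * @param RegistryPath  the driver's service key (unused here).
 * @return STATUS_SUCCESS.
 */
NTSTATUS
DriverEntry(
    _In_ PDRIVER_OBJECT DriverObject,
    _In_ PUNICODE_STRING RegistryPath
)
{
    UNREFERENCED_PARAMETER(RegistryPath);

    /* The original defined DriverUnload but never stored it here, so the
     * I/O manager had no unload routine and the driver could not be stopped. */
    DriverObject->DriverUnload = DriverUnload;

    /* Double parentheses: KdPrint expands to `DbgPrint _x_`. */
    KdPrint(("qi;进入 DriverEntry入口点DriverObject=%p\n", DriverObject));
    return STATUS_SUCCESS;
}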

代码打印行号

#include<ntifs.h>

/*
 * Unload routine: traces the driver object's address and the source line.
 * Runs only if DriverEntry stored it in DriverObject->DriverUnload.
 *
 * @param DriverObject  the driver being unloaded.
 */
void DriverUnload(PDRIVER_OBJECT DriverObject)
{
    /* __LINE__ is expanded by the preprocessor, so it reports this line.
     * Double parentheses are required: KdPrint expands to `DbgPrint _x_`. */
    KdPrint(("qi:进入卸载例程DriverObject=%p 行号=%d", DriverObject, __LINE__));
}
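/*
 * DriverEntry: traces the driver object's address and the source line, and
 * registers the unload routine.
 *
 * @param DriverObject  driver object supplied by the I/O manager.
 * @param RegistryPath  the driver's service key (unused here).
 * @return STATUS_SUCCESS.
 */
NTSTATUS
DriverEntry(
    _In_ PDRIVER_OBJECT DriverObject,
    _In_ PUNICODE_STRING RegistryPath
)
{
    UNREFERENCED_PARAMETER(RegistryPath);

    /* The original defined DriverUnload but never stored it here, so the
     * driver could not be unloaded. */
    DriverObject->DriverUnload = DriverUnload;

    /* Double parentheses: KdPrint expands to `DbgPrint _x_`. */
    KdPrint(("qi;进入 DriverEntry入口点DriverObject=%p\n 行号=%d", DriverObject, __LINE__));
    return STATUS_SUCCESS;
}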

代码打印RegistryPath

#include<ntifs.h>

/*
 * Called when the driver is unloaded (if registered in DriverEntry).
 * Traces the driver object's address and the source line.
 *
 * @param DriverObject  the driver being unloaded.
 */
void DriverUnload(PDRIVER_OBJECT DriverObject)
{
    /* Double parentheses are required: KdPrint expands to `DbgPrint _x_`. */
    KdPrint(("qi:进入卸载例程DriverObject=%p 行号=%d", DriverObject, __LINE__));
}

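/*
 * Called when the driver is loaded. Registers the unload routine and traces
 * the driver object's address and the registry path of the service key.
 *
 * @param DriverObject  driver object supplied by the I/O manager.
 * @param RegistryPath  counted UNICODE_STRING naming the driver's service key.
 * @return STATUS_SUCCESS.
 */
NTSTATUS
DriverEntry(
    _In_ PDRIVER_OBJECT DriverObject,
    _In_ PUNICODE_STRING RegistryPath
)
{
    /* The original defined DriverUnload but never stored it here, so the
     * driver could not be unloaded. */
    DriverObject->DriverUnload = DriverUnload;

    /* Double parentheses: KdPrint expands to `DbgPrint _x_`. */
    KdPrint(("qi;进入 DriverEntry入口点DriverObject=%p\n 行号=%d", DriverObject, __LINE__));

    /* RegistryPath is a counted string: Buffer holds Length bytes of UTF-16
     * and is not guaranteed to be NUL-terminated. %s is therefore the wrong
     * type (it expects a multibyte string) and %ws can read past the end of
     * the buffer. %wZ takes the UNICODE_STRING itself and honours Length. */
    KdPrint(("qi: RegistryPath=%wZ\n", RegistryPath));
    return STATUS_SUCCESS;
}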

3. 重新定义DbgPrintEx函数为DebugMessage

#include <ntifs.h>

#pragma warning (disable : 4100)
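/* DebugMessage(fmt, ...): thin wrapper around DbgPrintEx with component 0 and
 * level 0 (the error level, shown by the default filter). The variadic-only
 * form avoids the trailing comma that `DbgPrintEx(0, 0, x, __VA_ARGS__)` left
 * behind when no extra arguments were passed, and the expansion deliberately
 * ends without a semicolon: the original's trailing `;` turned
 * `DebugMessage("x");` into two statements, which breaks
 * `if (c) DebugMessage("x"); else ...`. */
#define DebugMessage(...) DbgPrintEx(0, 0, __VA_ARGS__)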

/*
 * Unload routine registered by DriverEntry; emits a farewell trace through
 * the DebugMessage macro. (DRIVER_UNLOAD is declared VOID by the WDK; the
 * NTSTATUS is never read by the I/O manager.)
 *
 * @param pDriverObject  the driver being unloaded (unused).
 * @return STATUS_SUCCESS.
 */
NTSTATUS UnloadDriver(PDRIVER_OBJECT pDriverObject)
{
    NTSTATUS status = STATUS_SUCCESS;

    (void)pDriverObject;
    DebugMessage("qi: goodbye!");

    return status;
}

/*
 * DriverEntry: installs the unload routine, then emits one raw DbgPrintEx
 * message and one through the DebugMessage macro to show both forms.
 *
 * @param pDriverObject  driver object from the I/O manager.
 * @param pRegistryPath  the driver's service key (unused).
 * @return STATUS_SUCCESS.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
    (void)pRegistryPath;

    pDriverObject->DriverUnload = UnloadDriver;

    /* Component 0 / level 0: the error level, shown by the default filter. */
    DbgPrintEx(0, 0, "Message!");
    DebugMessage("qi:Welcome to the first Driver!");

    return STATUS_SUCCESS;
}

4.设置只有Debug模式下输出消息

#include <ntifs.h>

#pragma warning (disable : 4100)

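/* DebugMessage(fmt, ...): tracing through DbgPrintEx in checked builds only.
 * `#if DBG` instead of `#ifdef DBG` so a build that defines DBG as 0 is also
 * treated as a free build. The variadic-only form avoids the dangling comma
 * that `DbgPrintEx(0, 0, x, __VA_ARGS__)` produced when called with just a
 * format string, and the free-build expansion is a real (empty) statement so
 * the macro is safe as the sole body of an unbraced `if`. Component 0 /
 * level 0 (the error level) match the other listings on this page. */
#if DBG
#define DebugMessage(...) DbgPrintEx(0, 0, __VA_ARGS__)
#else
#define DebugMessage(...) ((void)0)
#endif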

/*
 * Unload routine registered by DriverEntry. The trace line is compiled in
 * only when DebugMessage expands to DbgPrintEx (checked builds).
 *
 * @param pDriverObject  the driver being unloaded (unused).
 * @return STATUS_SUCCESS.
 */
NTSTATUS UnloadDriver(PDRIVER_OBJECT pDriverObject)
{
    NTSTATUS status = STATUS_SUCCESS;

    (void)pDriverObject;
    DebugMessage("qi: goodbye!");

    return status;
}

/*
 * DriverEntry: installs the unload routine and emits a welcome trace that
 * only exists in checked builds (see the DebugMessage macro).
 *
 * @param pDriverObject  driver object from the I/O manager.
 * @param pRegistryPath  the driver's service key (unused).
 * @return STATUS_SUCCESS.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
    (void)pRegistryPath;

    pDriverObject->DriverUnload = UnloadDriver;
    DebugMessage("qi:Welcome to the first Driver!");

    return STATUS_SUCCESS;
}

5. 内核中多种初始化字符串的方式

#include<ntifs.h>
#include <ntstrsafe.h>

#pragma warning (disable : 4100)

#ifdef DBG
#define DebugMessage(x, ...) DbgPrintEx(0, 0, x, __VA_ARGS__)
#else
#define DebugMessage(x, ...)
#endif

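/*
 * Called when the driver is unloaded (registered in DriverEntry).
 * Traces the driver object's address and the source line.
 *
 * @param DriverObject  the driver being unloaded.
 */
void DriverUnload(PDRIVER_OBJECT DriverObject)
{
    /* Double parentheses are mandatory: KdPrint expands to `DbgPrint _x_`,
     * so the original single-parenthesis call did not compile in checked
     * (DBG) builds and expanded to nothing in free builds. */
    KdPrint(("qi:进入卸载例程DriverObject=%p 行号=%d", DriverObject, __LINE__));
}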

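/*
 * Called when the driver is loaded. Registers the unload routine and then
 * demonstrates the kernel counted-string types (ANSI_STRING / UNICODE_STRING),
 * the helpers that initialise them, and the %Z / %wZ format specifiers.
 *
 * @param DriverObject  driver object supplied by the I/O manager.
 * @param RegistryPath  counted UNICODE_STRING naming the driver's service key.
 * @return STATUS_SUCCESS, or the failure status of RtlUnicodeStringInit.
 */
NTSTATUS
DriverEntry(
    _In_ PDRIVER_OBJECT DriverObject,
    _In_ PUNICODE_STRING RegistryPath
)
{
    /* Register the unload routine; without it the driver cannot be stopped. */
    DriverObject->DriverUnload = DriverUnload;

    /* Double parentheses are mandatory: KdPrint expands to `DbgPrint _x_`, so
     * the original single-parenthesis calls did not compile in checked builds. */
    KdPrint(("qi;进入 DriverEntry入口点DriverObject=%p\n 行号=%d", DriverObject, __LINE__));

    /* RegistryPath->Buffer holds Length bytes of UTF-16 and is not guaranteed
     * to be NUL-terminated, so %ws (and %s, which expects a multibyte string)
     * can read past the end of the buffer. %wZ takes the UNICODE_STRING itself
     * and honours Length. */
    KdPrint(("qi: RegistryPath=%wZ\n", RegistryPath));

    /* Kernel counted strings; they will point into the buffers below. */
    ANSI_STRING ansi;
    UNICODE_STRING unicode;
    UNICODE_STRING str;

    /* Writable local copies. The original declared pointers to string
     * literals and then wrote through them; literals live in read-only
     * memory, so those stores fault in kernel mode (the blue screen noted
     * after this listing). */
    char char_string[] = "hello lyshark";
    wchar_t wchar_string[] = L"hello lyshark";

    /* Three ways to initialise a counted string. RtlInitAnsiString and
     * RtlInitUnicodeString only point at the caller's buffer (no copy);
     * RtlUnicodeStringInit (ntstrsafe.h) also validates the length and
     * returns an NTSTATUS that must be checked. */
    RtlInitAnsiString(&ansi, char_string);
    RtlInitUnicodeString(&unicode, wchar_string);
    NTSTATUS status = RtlUnicodeStringInit(&str, L"hello lyshark");
    if (!NT_SUCCESS(status)) {
        KdPrint(("qi: RtlUnicodeStringInit failed 0x%X\n", status));
        return status;
    }

    /* Modify the underlying buffers; `ansi` and `unicode` observe the change
     * because they alias char_string / wchar_string. Indexing is per element
     * for both types: [1] is the second character whether it occupies one
     * byte (char) or two (WCHAR). The original wrote wchar_string[2], i.e. the
     * third character, apparently expecting byte-based indexing. */
    char_string[0] = 'A';
    char_string[1] = 'B';

    wchar_string[0] = L'A';
    wchar_string[1] = L'B';

    /* %Z formats an ANSI_STRING, %wZ a UNICODE_STRING. The original printed
     * `unicode` with %Z, which treats the UTF-16 buffer as 8-bit characters. */
    DbgPrint("输出ANSI: %Z \n", &ansi);
    DbgPrint("输出WCHAR: %wZ \n", &unicode);
    DbgPrint("输出字符串: %wZ \n", &str);

    return STATUS_SUCCESS;
}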

Debug模式下生成的代码加载后如果蓝屏,使用Release编译就不会蓝屏。

6.重新定义DbgPrint为Log.

#include <ntddk.h>

//#define Log(X) DbgPrint("qi:"X##)//earlier attempt: takes no %d / %s style arguments
//#define Log(fmt, ...) DbgPrint("qi: " fmt, __VA_ARGS__)//earlier attempt: presumably dropped because a call with only a format string leaves a trailing comma
/* Log(fmt, ...): DbgPrint with every message prefixed by "qi: ". The prefix is
 * placed directly in front of __VA_ARGS__ and relies on adjacent string-literal
 * concatenation, so the first argument must be a string literal; e.g.
 * Log("x=%d", x) becomes DbgPrint("qi: " "x=%d", x). */
#define Log(...) DbgPrint("qi: " __VA_ARGS__)

/*
 * Unload routine registered by DriverEntry; logs through the Log macro,
 * which prefixes the message with "qi: ". (DRIVER_UNLOAD is declared VOID by
 * the WDK; the NTSTATUS is never read by the I/O manager.)
 *
 * @param DriverObject  the driver being unloaded (unused).
 * @return STATUS_SUCCESS.
 */
NTSTATUS UnloadDriver(PDRIVER_OBJECT DriverObject)
{
    NTSTATUS status = STATUS_SUCCESS;

    (void)DriverObject;
    Log("Unloaded Successfully!");

    return status;
}

/*
 * DriverEntry: installs the unload routine and logs a prefixed trace line
 * through the Log macro.
 *
 * @param DriverObject  driver object from the I/O manager.
 * @param RegistryPath  the driver's service key (unused).
 * @return STATUS_SUCCESS.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    (void)RegistryPath;

    /* Register the unload routine first so the driver can always be stopped. */
    DriverObject->DriverUnload = UnloadDriver;

    Log("Loaded Successfully!");
    return STATUS_SUCCESS;
}