驱动开发:内核封装WSK网络通信接口

本章LyShark将带大家学习如何在内核中使用标准的Socket套接字通信接口,我们都知道Windows应用层下可直接调用WinSocket来实现网络通信,但在内核模式下应用层API接口无法使用,内核模式下有一套专有的WSK通信接口,我们对WSK进行封装,让其与应用层调用规范保持一致,并实现内核与内核直接通过Socket通信的案例。

当然在早期如果需要实现网络通信一般都会采用TDI框架,但在新版本Windows10系统上虽然依然可以使用TDI接口,但是LyShark并不推荐使用,因为微软已经对接口搁置了,为了使WSK通信更加易用,我们需要封装内核层中的通信API,新建LySocket.hpp头文件,该文件中封装了WSK通信API接口,其封装格式与应用层接口保持了高度一致,当需要在内核中使用Socket通信时可直接引入本文件。

我们需要使用WDM驱动程序,并配置以下参数。

  • 配置属性 -> 连接器 -> 输入-> 附加依赖 -> $(DDK_LIB_PATH)\Netio.lib
  • 配置属性 -> C/C++ -> 常规 -> 设置 警告等级2级 (警告视为错误关闭)

配置好以后,我们就开始吧,先来看看服务端如何实现!

对于服务端来说,驱动通信必须保证服务端开启多线程来处理异步请求,不然驱动加载后系统会处于等待状态,而一旦等待则系统将会卡死,那么对于服务端DriverEntry入口说我们不能让其等待,必须使用PsCreateSystemThread来启用系统线程,该函数属于WDM的一部分,官方定义如下;

NTSTATUS PsCreateSystemThread(
[out] PHANDLE ThreadHandle,
[in] ULONG DesiredAccess,
[in, optional] POBJECT_ATTRIBUTES ObjectAttributes,
[in, optional] HANDLE ProcessHandle,
[out, optional] PCLIENT_ID ClientId,
[in] PKSTART_ROUTINE StartRoutine,
[in, optional] PVOID StartContext
);

我们使用PsCreateSystemThread函数开辟线程TcpListenWorker在线程内部执行如下流程启动驱动服务端,由于我们自己封装实现了标准接口组,所以使用起来几乎与应用层无任何差异了。

  • CreateSocket 创建套接字
  • Bind 绑定套接字
  • Accept 等待接收请求
  • Receive 用于接收返回值
  • Send 用于发送返回值
// 署名权
// right to sign one's name on a piece of work
// PowerBy: LyShark
// Email: me@lyshark.com

#include "LySocket.hpp"

PETHREAD m_EThread = NULL;

// 线程函数
// PowerBy: LySHark
VOID TcpListenWorker(PVOID Context)
{
WSK_SOCKET* paccept_socket = NULL;
SOCKADDR_IN LocalAddress = { 0 };
SOCKADDR_IN RemoteAddress = { 0 };
NTSTATUS status = STATUS_UNSUCCESSFUL;

// 创建套接字
PWSK_SOCKET TcpSocket = CreateSocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, WSK_FLAG_LISTEN_SOCKET);
if (TcpSocket == NULL)
{
return;
}

// 设置绑定地址
LocalAddress.sin_family = AF_INET;
LocalAddress.sin_addr.s_addr = INADDR_ANY;
LocalAddress.sin_port = HTON_SHORT(8888);

status = Bind(TcpSocket, (PSOCKADDR)&LocalAddress);
if (!NT_SUCCESS(status))
{
return;
}

// 循环接收
while (1)
{
CHAR* read_buffer = (CHAR*)ExAllocatePoolWithTag(NonPagedPool, 2048, "read");
paccept_socket = Accept(TcpSocket, (PSOCKADDR)&LocalAddress, (PSOCKADDR)&RemoteAddress);
if (paccept_socket == NULL)
{
continue;
}

// 接收数据
memset(read_buffer, 0, 2048);
int read_len = Receive(paccept_socket, read_buffer, 2048, 0);
if (read_len != 0)
{
DbgPrint("[内核A] => %s \n", read_buffer);

// 发送数据
char send_buffer[2048] = "Hi, lyshark.com B";
Send(paccept_socket, send_buffer, strlen(send_buffer), 0);

// 接收确认包
memset(read_buffer, 0, 2048);
Receive(paccept_socket, read_buffer, 2, 0);
}

// 清理堆
if (read_buffer != NULL)
{
ExFreePool(read_buffer);
}

// 关闭当前套接字
if (paccept_socket)
{
CloseSocket(paccept_socket);
}
}

if (TcpSocket)
{
CloseSocket(TcpSocket);
}
PsTerminateSystemThread(STATUS_SUCCESS);
return;
}

// 关闭套接字
VOID UnDriver(PDRIVER_OBJECT driver)
{
WSKCleanup();
KeWaitForSingleObject(m_EThread, Executive, KernelMode, FALSE, NULL);
if (m_EThread != NULL)
{
ObDereferenceObject(m_EThread);
}
}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath)
{
DbgPrint("hello lyshark.com \n");

// 初始化
WSKStartup();

HANDLE hThread = NULL;
NTSTATUS status = STATUS_UNSUCCESSFUL;

// 创建系统线程
status = PsCreateSystemThread(&hThread, THREAD_ALL_ACCESS, NULL, NULL, NULL, TcpListenWorker, NULL);
if (!NT_SUCCESS(status))
{
return status;
}

// 获取线程EProcess结构
status = ObReferenceObjectByHandle(hThread, THREAD_ALL_ACCESS, NULL, KernelMode, (PVOID*)&m_EThread, NULL);
if (NT_SUCCESS(status) == FALSE)
{
return status;
}

ZwClose(hThread);
Driver->DriverUnload = UnDriver;
return STATUS_SUCCESS;
}

对于客户端来说,只需要创建套接字并连接到指定地址即可,这个过程大体上可以总结为如下;

  • CreateSocket 创建套接字
  • Bind 绑定套接字
  • Connect 链接服务端驱动
  • Send 发送数据到服务端
  • Receive 接收数据到服务端
// 署名权
// right to sign one's name on a piece of work
// PowerBy: LyShark
// Email: me@lyshark.com

#include "LySocket.hpp"

VOID UnDriver(PDRIVER_OBJECT driver)
{
// 卸载并关闭Socket库
WSKCleanup();
}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath)
{
DbgPrint("hello lyshark.com \n");
// 初始化
WSKStartup();

NTSTATUS status = STATUS_SUCCESS;
SOCKADDR_IN LocalAddress = { 0, };
SOCKADDR_IN RemoteAddress = { 0, };

// 创建套接字
PWSK_SOCKET TcpSocket = CreateSocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, WSK_FLAG_CONNECTION_SOCKET);
if (TcpSocket == NULL)
{
Driver->DriverUnload = UnDriver;
return STATUS_SUCCESS;
}

LocalAddress.sin_family = AF_INET;
LocalAddress.sin_addr.s_addr = INADDR_ANY;
status = Bind(TcpSocket, (PSOCKADDR)&LocalAddress);

// 绑定失败则关闭驱动
if (!NT_SUCCESS(status))
{
CloseSocket(TcpSocket);

Driver->DriverUnload = UnDriver;
return STATUS_SUCCESS;
}

// 初始化服务端地址与端口信息
ULONG address[4] = { 127, 0, 0, 1 };

RemoteAddress.sin_family = AF_INET;
RemoteAddress.sin_addr.s_addr = change_uint(address[0], address[1], address[2], address[3]);
RemoteAddress.sin_port = HTON_SHORT(8888);

status = Connect(TcpSocket, (PSOCKADDR)&RemoteAddress);

// 连接服务端,如果失败则关闭驱动
if (!NT_SUCCESS(status))
{
CloseSocket(TcpSocket);
Driver->DriverUnload = UnDriver;
return STATUS_SUCCESS;
}

// 发送数据
char send_buffer[2048] = "hello lyshark.com A";
Send(TcpSocket, send_buffer, strlen(send_buffer), 0);

// 接收数据
CHAR* read_buffer = (CHAR*)ExAllocatePoolWithTag(NonPagedPool, 2048, "read");

memset(read_buffer, 0, 1024);
Receive(TcpSocket, read_buffer, 2048, 0);
DbgPrint("[内核B] => %s \n", read_buffer);

// 发送确认包
Send(TcpSocket, "ok", 2, 0);

// 释放内存
ExFreePool(read_buffer);
CloseSocket(TcpSocket);
Driver->DriverUnload = UnDriver;
return STATUS_SUCCESS;
}

编译两个驱动程序,首先运行server.sys驱动,运行后该驱动会在后台等待客户端连接,接着运行client.sys屏幕上可输出如下提示,说明通信已经建立了。