Some Notes on NTKERN.VXD
Author: 陆麟
Please obtain the author's consent before reposting.
1999.9.30
NTKERN.VXD is the core driver through which Windows 98 provides NT-style services. It exports several VxD services. Although header files exist for them, there is no documentation. Here is a tip: many of these services take exactly the same parameters as the corresponding ZwXxx routines on NT; they are VxD versions of ZwXxx.
For example, NtKernCreateFile is a copy of ZwCreateFile; it, too, takes 11 parameters.
Below is the list of VxD services exported by NTKERN.VXD.
NTKERN_Service _NTKERN_Get_Version, LOCAL
NTKERN_StdCall_Service _NtKernCreateFile, 11, VxD_CODE
NTKERN_StdCall_Service _NtKernClose, 1, VxD_CODE
NTKERN_StdCall_Service _NtKernReadFile, 9, VxD_CODE
NTKERN_StdCall_Service _NtKernWriteFile, 9, VxD_CODE
NTKERN_StdCall_Service _NtKernDeviceIoControl, 10, VxD_CODE
NTKERN_Service _NtKernGetWorkerThread, VxD_CODE
NTKERN_StdCall_Service _NtKernLoadDriver, 1, VxD_CODE
NTKERN_StdCall_Service _NtKernQueueWorkItem, 2, VxD_CODE
NTKERN_Service _NtKernPhysicalDeviceObjectToDevNode, VxD_CODE
NTKERN_StdCall_Service _NtKernSetPhysicalCacheTypeRange, 4, VxD_CODE
NTKERN_Service _NtKernWin9XLoadDriver, VxD_CODE
NTKERN_StdCall_Service _NtKernCancelIoFile, 2, VxD_CODE
NTKERN_Service _NtKernGetVPICDHandleFromInterruptObj, VXD_CODE
NTKERN_StdCall_Service _NtKernInternalDeviceIoControl, 10, VxD_CODE
Some of the services above are undocumented. If you work them out, many things on NT fall into place as well. I expect file I/O to pose no problem, but the rest is harder. So far, the only interface I have seen described on the net is that of _NtKernLoadDriver. It takes the same parameter as ZwLoadDriver and is used to load a KMD (kernel-mode driver) from a VxD. (ZwLoadDriver is itself an undocumented kernel function.) The interface is as follows:
NTSTATUS __stdcall ZwLoadDriver( PUNICODE_STRING ServiceKeyPath );
Give it a try if you are interested. :)
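As an added example, not from the original article and not NTKERN's own code, the following C program mocks up the NT structures these services expect and shows how a caller assembles the 11 ZwCreateFile-style arguments for NtKernCreateFile and the single UNICODE_STRING argument (a registry service-key path, not a file path) for NtKernLoadDriver. The structure layouts mirror the public NT definitions; everything prefixed demo_ is this example's own helper, the service-key prefix and handle value are constructed for the demo, and the two demo_stub_* functions merely stand in for the real VxD services, which can only be reached from inside Windows 98.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#if defined(_MSC_VER) && defined(_M_IX86)
#define NTAPI __stdcall          /* the real services are stdcall on 32-bit x86 */
#else
#define NTAPI                    /* calling convention is irrelevant for the mock */
#endif

typedef int32_t  NTSTATUS;
typedef uint32_t ULONG;
typedef uint16_t USHORT;
typedef uint16_t WCHAR;          /* NT wide chars are 16-bit; wchar_t is 32-bit on Linux */
typedef void    *PVOID;
typedef void    *HANDLE;
typedef ULONG    ACCESS_MASK;

#define STATUS_SUCCESS               ((NTSTATUS)0x00000000)
#define STATUS_INVALID_PARAMETER     ((NTSTATUS)0xC000000D)
#define OBJ_CASE_INSENSITIVE         0x00000040UL
#define GENERIC_READ                 0x80000000UL
#define FILE_SHARE_READ              0x00000001UL
#define FILE_OPEN                    0x00000001UL
#define FILE_OPENED                  0x00000001UL
#define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020UL

/* Layouts as in the public NT headers. */
typedef struct { USHORT Length; USHORT MaximumLength; WCHAR *Buffer; } UNICODE_STRING, *PUNICODE_STRING;
typedef struct {
    ULONG Length; HANDLE RootDirectory; PUNICODE_STRING ObjectName;
    ULONG Attributes; PVOID SecurityDescriptor; PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
typedef struct { NTSTATUS Status; uintptr_t Information; } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
typedef struct { int64_t QuadPart; } LARGE_INTEGER, *PLARGE_INTEGER;

/* The two services in the ZwXxx shape the article describes: 11 and 1 arguments. */
typedef NTSTATUS (NTAPI *PFN_NTKERN_CREATEFILE)(HANDLE *FileHandle, ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize,
    ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions,
    PVOID EaBuffer, ULONG EaLength);
typedef NTSTATUS (NTAPI *PFN_NTKERN_LOADDRIVER)(PUNICODE_STRING ServiceKeyPath);

static size_t demo_wlen(const WCHAR *s) { size_t n = 0; while (s[n]) n++; return n; }

/* ASCII -> NUL-terminated 16-bit string. Returns 0 if it does not fit in cap. */
int demo_widen(const char *src, WCHAR *dst, size_t cap)
{
    size_t n = strlen(src);
    if (n + 1 > cap) return 0;
    for (size_t i = 0; i <= n; i++) dst[i] = (WCHAR)(unsigned char)src[i];
    return 1;
}

/* Same contract as RtlInitUnicodeString: Length is in BYTES and excludes the NUL. */
int demo_init_unicode_string(PUNICODE_STRING dst, WCHAR *src)
{
    size_t bytes = demo_wlen(src) * sizeof(WCHAR);
    if (bytes + sizeof(WCHAR) > 0xFFFF) return 0;   /* would not fit in a USHORT */
    dst->Buffer = src;
    dst->Length = (USHORT)bytes;
    dst->MaximumLength = (USHORT)(bytes + sizeof(WCHAR));
    return 1;
}

/* Same contract as InitializeObjectAttributes. */
void demo_init_object_attributes(POBJECT_ATTRIBUTES oa, PUNICODE_STRING name, ULONG attrs)
{
    oa->Length = sizeof(*oa); oa->RootDirectory = NULL; oa->ObjectName = name;
    oa->Attributes = attrs; oa->SecurityDescriptor = NULL; oa->SecurityQualityOfService = NULL;
}

/* ZwLoadDriver-style argument: the registry key of the service (constructed prefix). */
int demo_service_key_path(const char *service, WCHAR *buf, size_t cap, PUNICODE_STRING out)
{
    char tmp[256];
    const char *prefix = "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\";
    if (strlen(prefix) + strlen(service) + 1 > sizeof tmp) return 0;
    strcpy(tmp, prefix); strcat(tmp, service);
    return demo_widen(tmp, buf, cap) && demo_init_unicode_string(out, buf);
}

/* Stub standing in for _NtKernLoadDriver: only validates the counted string. */
NTSTATUS NTAPI demo_stub_load_driver(PUNICODE_STRING key)
{
    if (!key || !key->Buffer || (key->Length & 1) || key->Length > key->MaximumLength)
        return STATUS_INVALID_PARAMETER;
    return STATUS_SUCCESS;
}

/* Stub standing in for _NtKernCreateFile: checks the argument block, returns a fake handle. */
NTSTATUS NTAPI demo_stub_create_file(HANDLE *h, ACCESS_MASK access, POBJECT_ATTRIBUTES oa,
    PIO_STATUS_BLOCK iosb, PLARGE_INTEGER alloc, ULONG attrs, ULONG share,
    ULONG disposition, ULONG options, PVOID ea, ULONG ealen)
{
    (void)access; (void)alloc; (void)attrs; (void)share; (void)options; (void)ea; (void)ealen;
    if (!h || !oa || !iosb || oa->Length != sizeof(*oa) || !oa->ObjectName || disposition != FILE_OPEN)
        return STATUS_INVALID_PARAMETER;
    *h = (HANDLE)(uintptr_t)0x1234;                 /* constructed handle value */
    iosb->Status = STATUS_SUCCESS; iosb->Information = FILE_OPENED;
    return STATUS_SUCCESS;
}

/* Opens an NT-style path such as "\??\C:\boot.ini" through the 11-argument service. */
NTSTATUS demo_open_for_read(PFN_NTKERN_CREATEFILE create, const char *nt_path, HANDLE *out)
{
    WCHAR wide[260]; UNICODE_STRING name; OBJECT_ATTRIBUTES oa; IO_STATUS_BLOCK iosb;
    if (!demo_widen(nt_path, wide, 260) || !demo_init_unicode_string(&name, wide))
        return STATUS_INVALID_PARAMETER;
    demo_init_object_attributes(&oa, &name, OBJ_CASE_INSENSITIVE);
    return create(out, GENERIC_READ, &oa, &iosb, NULL, 0, FILE_SHARE_READ,
                  FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0);
}

/* Loads a driver by service name through the 1-argument service. */
NTSTATUS demo_load_driver(PFN_NTKERN_LOADDRIVER load, const char *service)
{
    WCHAR wide[260]; UNICODE_STRING key;
    if (!demo_service_key_path(service, wide, 260, &key)) return STATUS_INVALID_PARAMETER;
    return load(&key);
}
```

The number after each NTKERN_StdCall_Service entry in the table above is the argument count, which the stdcall thunk needs because a stdcall callee pops its own arguments (4 bytes each on 32-bit x86); passing the wrong count, or a UNICODE_STRING whose Length is in characters rather than bytes, corrupts the caller's stack or truncates the path, so both are worth checking before handing anything to the real service.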