Using DebugView was easier than I expected. After a few hours, it turned out the 64-bit kernel driver was to blame... silly me... ugh!
How did you solve this problem?
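My personal kernel signing certificate has expired, getting one the first time was a pain, and they don't even sell them anymore.
Can anyone re-sign the modified 64-bit sys file just this once? If you need a binary comparison or the like, I can provide the original driver that I signed previously.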
status = ZwDuplicateObject(hProcess, (HANDLE)SysHandle[i].Handle, ZwCurrentProcess(), &ObjectHandle, 0, 0,
                           DUPLICATE_SAME_ATTRIBUTES | DUPLICATE_SAME_ACCESS);
DbgPrint("status:%d sourceProcess:%p SourceHandle:%d CurrentProcess:%d returnedObjectHandle:%d.\n",
         RtlNtStatusToDosError(status), hProcess, (HANDLE)SysHandle[i].Handle, PsGetCurrentProcessId(), &ObjectHandle);
//On_32bit status:0 sourceProcess:80002CB8 SourceHandle:68 CurrentProcess:3984 returnedObjectHandle:-340903132.
//On_64bit status:0 sourceProcess:FFFFFFFF800001BC SourceHandle:108 CurrentProcess:1996 returnedObjectHandle:221378472.
status = ObReferenceObjectByHandle(ObjectHandle, FILE_ANY_ACCESS, *IoFileObjectType, UserMode,
                                   (PVOID*)&FileObject, &objHandle);
DbgPrint("status %d.\n", RtlNtStatusToDosError(status));
//On_64bit status=STATUS_INVALID_HANDLE (error 6 here only on 64 bit on 32 it is 0 as expected) !!!???