2013年4月24日星期三

KeRegisterBugCheckReasonCallback.C

/*
文本就命名为:KeRegisterBugCheckReasonCallback.C吧!
made by correy
made at 2013.04.24
QQ:112426112
Email:kouleguan at hotmail dot com
Homepage:http://correy.webs.com
*/
#include <ntddk.h>
#define _In_
#define _Inout_
KBUGCHECK_REASON_CALLBACK_RECORD CallbackRecord; //The structure must be in resident memory, such as nonpaged pool. A file-scope global (presumably placed in the driver's default, non-pageable data section) is used here for that reason; it is initialised and registered in DriverEntry and deregistered in Unload.
DRIVER_UNLOAD Unload; // Role-type (SAL) declaration for the unload routine defined below.
VOID Unload(__in PDRIVER_OBJECT DriverObject)
{
    /* Driver unload routine: removes the bug-check reason callback that
     * DriverEntry registered through the global CallbackRecord.
     * KeDeregisterBugCheckReasonCallback returns FALSE when the record was
     * not registered; that case is only reported, since there is nothing
     * else to undo. */
    (void)DriverObject; /* not needed: only the global CallbackRecord is used */

    if (!KeDeregisterBugCheckReasonCallback(&CallbackRecord))
    {
        DbgPrint("the specified callback is not registered.\n");
    }
}
KBUGCHECK_REASON_CALLBACK_ROUTINE BugCheckSecondaryDumpDataCallback;
VOID BugCheckSecondaryDumpDataCallback(_In_     KBUGCHECK_CALLBACK_REASON Reason,
                                       _In_     struct _KBUGCHECK_REASON_CALLBACK_RECORD *Record,
                                       _Inout_  PVOID ReasonSpecificData,
                                       _In_     ULONG ReasonSpecificDataLength)
{
    /* KbCallbackSecondaryDumpData callback, registered in DriverEntry.
     * Observations recorded by the original author (not verified here):
     *   - at this point the disk is being initialised in preparation for
     *     writing the dump, but the dump has not been started yet;
     *   - ReasonSpecificDataLength was seen as 0x30;
     *   - Reason == KbCallbackSecondaryDumpData (2), i.e. the second argument
     *     passed to KeRegisterBugCheckReasonCallback;
     *   - Record->Component is "correy", the last argument passed to
     *     KeRegisterBugCheckReasonCallback.
     * This demo contributes no secondary dump data: ReasonSpecificData is
     * never written, so the parameters are only acknowledged below. */
    (void)Reason;
    (void)Record;
    (void)ReasonSpecificData;
    (void)ReasonSpecificDataLength;

    DbgPrint("发生蓝屏了,停下来看看吧!\n");

    /* Original note: execution always stops on this break; breakpoints set
     * above it did not fire -- presumably because the system is already in
     * the bug-check path. */
    KdBreakPoint();
}
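DRIVER_INITIALIZE DriverEntry;
NTSTATUS DriverEntry( __in struct _DRIVER_OBJECT  * DriverObject, __in PUNICODE_STRING  RegistryPath)
{
    /* Driver entry point: installs the unload routine and registers
     * BugCheckSecondaryDumpDataCallback for KbCallbackSecondaryDumpData.
     * Returns STATUS_SUCCESS when the callback is registered and
     * STATUS_UNSUCCESSFUL when KeRegisterBugCheckReasonCallback reports
     * failure. (The original returned 0 unconditionally, so a driver whose
     * only job -- the callback -- was never installed still loaded as if
     * everything had succeeded.) A failed DriverEntry is not followed by a
     * DriverUnload call, so nothing has to be deregistered on that path. */
    (void)RegistryPath; /* not used by this demo */

    /* NOTE(review): unconditional break on load. #define KdBreakPoint() DbgBreakPoint();
     * without a kernel debugger attached this is expected to take the system
     * down, so it should stay out of anything but a debug build. */
    KdBreakPoint();

    DriverObject->DriverUnload = Unload;

    /* The record must be initialised before registration and must live in
     * resident memory (see the CallbackRecord definition). */
    KeInitializeCallbackRecord(&CallbackRecord);

    /* Original note: this function can register three kinds of reason
     * callback; the other two are KbCallbackDumpIo and KbCallbackAddPages
     * (the latter used on Server 2008 and later). */
    if (!KeRegisterBugCheckReasonCallback(&CallbackRecord, BugCheckSecondaryDumpDataCallback, KbCallbackSecondaryDumpData, "correy"))
    {
        DbgPrint("KeRegisterBugCheckReasonCallback fail!\n");
        return STATUS_UNSUCCESSFUL;
    }

    return STATUS_SUCCESS;
}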
