小菜近来学习SSDT Shadow HOOK的时候，有个疑问，替换SSDT Shadow表之前为什么要先Attach一下？新的地址还是系统空间的地址，没用到用户空间的地址，这样Attch有什么用意呢？哪位给我讲解一下哈

代码来源http://bbs.pediy.com/showthread.php?t=65931&highlight=SSDT+%E6%81%A2%E5%A4%8D+%E5%A4%8D

  DriverObject->MajorFunction[IRP_MJ_CREATE] = HideProcess_Create;
  DriverObject->MajorFunction[IRP_MJ_CLOSE] = HideProcess_Close;
  DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = HideProcess_IoControl;

  DriverObject->DriverUnload=UnloadDriver;

  status = PsLookupProcessByProcessId((ULONG)GetCsrPid(), &crsEProc);
  if (!NT_SUCCESS( status ))
  {
  DbgPrint("PsLookupProcessByProcessId() error\n");
  return status;
  }
  KeAttachProcess(crsEProc);

  __try
  {
    if ((KeServiceDescriptorTableShadow!=NULL) \
      && (NtUserFindWindowEx_callnumber!=0) && (NtUserGetForegroundWindow_callnumber!=0) \
      && (NtUserBuildHwndList_callnumber!=0) && (NtUserQueryWindow_callnumber!=0) \
      && (NtUserWindowFromPoint_callnumber!=0))
    {
    g_OriginalNtUserFindWindowEx     = (NTUSERFINDWINDOWEX)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserFindWindowEx_callnumber];
    g_OriginalNtUserQueryWindow=(NTUSERQUERYWINDOW)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserQueryWindow_callnumber];            
    g_OriginalNtUserBuildHwndList=(NTUSERBUILDHWNDLIST)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserBuildHwndList_callnumber];
        g_OriginalNtUserGetForegroundWindow=(NTUSERGETFOREGROUNDWINDOW)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserGetForegroundWindow_callnumber];
        g_OriginalNtUserWindowFromPoint = (NTUSERWINDOWFROMPOINT)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserWindowFromPoint_callnumber];  
    }
    else
    KeServiceDescriptorTableShadow=NULL;
   

    _asm
    {
    CLI                    //dissable interrupt
    MOV    EAX, CR0        //move CR0 register into EAX
    AND EAX, NOT 10000H //disable WP bit
    MOV    CR0, EAX        //write register back
    }
    if ((KeServiceDescriptorTableShadow!=NULL) && (NtUserFindWindowEx_callnumber!=0) && (NtUserGetForegroundWindow_callnumber!=0) && (NtUserBuildHwndList_callnumber!=0) && (NtUserQueryWindow_callnumber!=0))
    {
    (NTUSERFINDWINDOWEX)(KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserFindWindowEx_callnumber]) = MyNtUserFindWindowEx;
        (NTUSERQUERYWINDOW)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserQueryWindow_callnumber]  = MyNtUserQueryWindow;
    (NTUSERBUILDHWNDLIST)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserBuildHwndList_callnumber] = MyNtUserBuildHwndList;
        (NTUSERGETFOREGROUNDWINDOW)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserGetForegroundWindow_callnumber] = MyNtUserGetForegroundWindow;
        (NTUSERWINDOWFROMPOINT)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserWindowFromPoint_callnumber] = MyNtUserWindowFromPoint;
    }

    _asm
    {
    MOV    EAX, CR0        //move CR0 register into EAX
    OR     EAX, 10000H        //enable WP bit     
    MOV    CR0, EAX        //write register back        
    STI                    //enable interrupt
    }
  }
  __finally
  {
      KeDetachProcess();
  }

  return status ;
}

[课程]Android-CTF解题方法汇总！