[Original] ring0 head inline hook lib
Posted on: 2010-8-31 12:48
Nothing very technical here. It is modelled on 海风月影's ring3 inline hook lib, and its main job is to cut down your programming work: with this library you no longer have to write the naked function with a pile of inline assembly, and you no longer bluescreen because the stack got corrupted. At the moment only 32-bit systems are supported...

Have a look at just how simple hooking a function is! You can concentrate on writing the filter logic and ignore the hooking mechanics entirely.
#include <ntddk.h>

// Prototype of the original NtCreateFile. The library hands the original
// (trampolined) function to your detour as its first argument, so the detour
// can forward the call after doing its own work.
typedef NTSTATUS ( __stdcall *DZwCreateFile)(
PHANDLE FileHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PIO_STATUS_BLOCK IoStatusBlock,
PLARGE_INTEGER AllocationSize,
ULONG FileAttributes,
ULONG ShareAccess,
ULONG CreateDisposition,
ULONG CreateOptions,
PVOID EaBuffer,
ULONG EaLength
);

// Filter routine: runs in place of NtCreateFile, logs the caller and path,
// then passes the call through to the original function unchanged.
NTSTATUS Detour_NtCreateFile(DZwCreateFile Fun,
PHANDLE FileHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PIO_STATUS_BLOCK IoStatusBlock,
PLARGE_INTEGER AllocationSize,
ULONG FileAttributes,
ULONG ShareAccess,
ULONG CreateDisposition,
ULONG CreateOptions,
PVOID EaBuffer,
ULONG EaLength
)
{
// ObjectName is a UNICODE_STRING whose Buffer need not be NUL-terminated,
// so print it with %wZ, and check both pointers before dereferencing them:
// callers may legitimately pass a NULL ObjectAttributes / ObjectName.
if (ObjectAttributes != NULL && ObjectAttributes->ObjectName != NULL) {
KdPrint(("NtCreateFileRoutine Called! ProcessId:%u FilePath:%wZ\n",
(ULONG)(ULONG_PTR)PsGetCurrentProcessId(), ObjectAttributes->ObjectName));
}
return Fun(FileHandle,DesiredAccess,ObjectAttributes,IoStatusBlock,AllocationSize,FileAttributes,ShareAccess,CreateDisposition,CreateOptions,
EaBuffer,EaLength);
}
Installing the hook takes a single function call:

BOOLEAN __stdcall InstallHook(PVOID FuncAddr,PVOID NewAddr,BOOLEAN IsStubPaged,HOOK_INFO* Info);
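A library like this works by overwriting the first bytes of the target function with a jump to your detour ("head" inline hook), which is also exactly what a kernel integrity checker looks for. As an added example, not part of this library or of the original post, the stand-alone user-mode C below recognises the common 32-bit head patches (jmp rel32, push/ret, jmp dword ptr [addr]), recovers the redirect target, compares the prologue against a trusted copy, and flags targets that fall outside the owning module. The byte samples, the function address and the module range are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* What was found at the head of a function (32-bit x86 encodings). */
typedef enum {
    HOOK_NONE = 0,
    HOOK_JMP_REL32,          /* E9 rel32 */
    HOOK_PUSH_RET,           /* 68 imm32 ; C3 */
    HOOK_JMP_ABS_IND,        /* FF 25 disp32 (jmp dword ptr [addr]) */
    HOOK_PROLOGUE_MISMATCH   /* bytes differ from the known-good prologue */
} hook_kind_t;

/*
 * Inspect the first bytes of a function located at virtual address code_va.
 * expected/expected_len is a trusted copy of the prologue (e.g. read from the
 * on-disk image); pass NULL to skip the byte comparison.
 * On a recognised hook, *target_out receives where control is redirected
 * (for FF 25 it is the address of the pointer slot, not the final target).
 */
hook_kind_t detect_head_hook(const uint8_t *code, size_t len, uint32_t code_va,
                             const uint8_t *expected, size_t expected_len,
                             uint32_t *target_out)
{
    if (len >= 5 && code[0] == 0xE9) {
        int32_t rel;
        memcpy(&rel, code + 1, 4);                 /* little-endian rel32 */
        if (target_out) *target_out = code_va + 5u + (uint32_t)rel;
        return HOOK_JMP_REL32;
    }
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        uint32_t abs;
        memcpy(&abs, code + 1, 4);
        if (target_out) *target_out = abs;
        return HOOK_PUSH_RET;
    }
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) {
        uint32_t slot;
        memcpy(&slot, code + 2, 4);
        if (target_out) *target_out = slot;
        return HOOK_JMP_ABS_IND;
    }
    if (expected != NULL && len >= expected_len &&
        memcmp(code, expected, expected_len) != 0)
        return HOOK_PROLOGUE_MISMATCH;
    return HOOK_NONE;
}

/* 1 if target lies outside [module_base, module_base + module_size). */
int target_outside_module(uint32_t target, uint32_t module_base, uint32_t module_size)
{
    return !(target >= module_base && target - module_base < module_size);
}

/* Constructed samples (not captured from a real system). */
static const uint8_t clean_prologue[] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };       /* mov edi,edi; push ebp; mov ebp,esp */
static const uint8_t hooked_jmp[]     = { 0xE9, 0xFB, 0x0F, 0x51, 0x78 };       /* jmp 0xF8A12000, encoded from 0x80501000 */
static const uint8_t hooked_pushret[] = { 0x68, 0x00, 0x20, 0xA1, 0xF8, 0xC3 }; /* push 0xF8A12000; ret */

#define SAMPLE_VA    0x80501000u   /* assumed address of the inspected function */
#define KERNEL_BASE  0x80400000u   /* assumed image base of the owning module */
#define KERNEL_SIZE  0x00200000u   /* assumed image size of the owning module */

int main(void)
{
    const uint8_t *samples[] = { clean_prologue, hooked_jmp, hooked_pushret };
    const size_t   sizes[]   = { sizeof clean_prologue, sizeof hooked_jmp, sizeof hooked_pushret };
    unsigned i;
    for (i = 0; i < 3; i++) {
        uint32_t target = 0;
        hook_kind_t k = detect_head_hook(samples[i], sizes[i], SAMPLE_VA,
                                         clean_prologue, sizeof clean_prologue, &target);
        printf("sample %u: kind=%d target=0x%08X outside_module=%d\n", i, (int)k, target,
               k == HOOK_NONE ? 0 : target_outside_module(target, KERNEL_BASE, KERNEL_SIZE));
    }
    return 0;
}
```

In a real checker the trusted prologue comes from the file image of the module (after applying relocations), and a jump target that lands outside every loaded module's range, or inside an unsigned driver, is the strongest signal; a target inside the same module can still be a legitimate hot-patch, so report it rather than treat it as malicious on its own.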