[求助]hook ZwCreateFile后office、rar等软件打不开
-
发表于:
2010-9-28 13:40
[求助]hook ZwCreateFile后office、rar等软件打不开
hook ZwCreateFile后office、rar和vs2003等软件打不开,而一些小软件不受影响,例如记事本,上网等,不知道为什么。用Dbgview查看了一下,运行office、rar和vs2003并没有拦截。代码如下
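/*
 * Replacement for ZwCreateFile installed by the hook.
 *
 * Denies requests that would create a file (FILE_CREATE, FILE_OPEN_IF,
 * FILE_OVERWRITE_IF) when the object name contains the substring "共享".
 * Every other request is forwarded to the saved original routine.
 *
 * Parameters are those of ZwCreateFile and are passed through unchanged.
 *
 * Returns STATUS_OBJECT_NAME_NOT_FOUND for a denied request; otherwise
 * returns exactly what the original routine returned. The earlier version
 * returned STATUS_SUCCESS unconditionally, so a caller whose open had
 * really failed was told it succeeded and went on to use a handle that
 * was never written. That matches the reported symptom (large
 * applications failing to start while simple ones still work).
 *
 * NOTE(review): ObjectAttributes and the UNICODE_STRING it points to are
 * supplied by the caller. When the request comes from user mode they are
 * user-mode pointers and should be probed and captured inside a
 * structured-exception block before being read; the NULL checks below
 * do not cover an invalid non-NULL pointer.
 *
 * NOTE(review): the check sees only ObjectName as passed in. If the
 * caller supplies a RootDirectory handle, ObjectName is relative to it,
 * so this is not a complete path check. On 64-bit Windows, patching the
 * service table is blocked by Kernel Patch Protection; a file-system
 * minifilter is the supported way to enforce a rule like this.
 */
NTSTATUS NewZwCreateFile(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PLARGE_INTEGER AllocationSize OPTIONAL,
    IN ULONG FileAttributes,
    IN ULONG ShareAccess,
    IN ULONG CreateDisposition,
    IN ULONG CreateOptions,
    IN PVOID EaBuffer OPTIONAL,
    IN ULONG EaLength
)
{
    ANSI_STRING tbb;
    BOOLEAN blocked = FALSE;
    /* Logical OR/AND here: the original combined the tests with a bitwise '&'. */
    BOOLEAN creates = (CreateDisposition == FILE_CREATE) ||
                      (CreateDisposition == FILE_OPEN_IF) ||
                      (CreateDisposition == FILE_OVERWRITE_IF);

    /*
     * Convert the name only when the disposition could match the rule, and
     * only when there is a name to convert; the original dereferenced
     * ObjectAttributes->ObjectName unconditionally on every call.
     */
    if (creates && ObjectAttributes != NULL && ObjectAttributes->ObjectName != NULL)
    {
        /*
         * If the conversion fails the request is passed through unfiltered.
         * NOTE(review): confirm that failing open is the intended policy.
         */
        if (NT_SUCCESS(RtlUnicodeStringToAnsiString(&tbb, ObjectAttributes->ObjectName, TRUE)))
        {
            /*
             * NOTE(review): the literal's bytes depend on the source file
             * encoding; they must match the system ANSI code page for this
             * comparison to behave as intended - confirm.
             */
            if (tbb.Buffer != NULL && strstr(tbb.Buffer, "共享") != NULL)
            {
                DbgPrint("符合规则\n");
                DbgPrint("%s\n", tbb.Buffer);
                blocked = TRUE;
            }

            /*
             * The buffer was allocated by the conversion (third argument TRUE)
             * and must be released; the original leaked it on every call.
             */
            RtlFreeAnsiString(&tbb);
        }
    }

    if (blocked)
    {
        return STATUS_OBJECT_NAME_NOT_FOUND; /* deny the request */
    }

    /* Not covered by the rule: hand over to the original routine and return ITS status. */
    return ((_ZWCREATEFILE)(Old_ZwCreateFile))(FileHandle, DesiredAccess, ObjectAttributes,
                                               IoStatusBlock, AllocationSize, FileAttributes,
                                               ShareAccess, CreateDisposition, CreateOptions,
                                               EaBuffer, EaLength);
}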