-
-
inline hook疑问
-
发表于: 2010-12-16 22:55
-
源代码如下:
MyNtGetContextThread proc ThreadHandle,ThreadContext
ret
MyNtGetContextThread endp
OldNtGetContextThread proc ThreadHandle,ThreadContext
nop
nop
mov eax,NtGetContextThread_Addr
add eax,5
jmp eax
OldNtGetContextThread endp
DriverEntry proc pDriverObject:PDRIVER_OBJECT,pRegistryPath:PUNICODE_STRING
pushad
cli
mov eax, cr0
and eax,0fffeffffh
mov cr0, eax
invoke KeRaiseIrqlToDpcLevel
mov oldIrql,eax
invoke MmGetSystemRoutineAddress,$CCOUNTED_UNICODE_STRING("NtGetContextThread")
mov NtGetContextThread_Addr,eax
mov ecx,5
mov esi,eax
mov edi,offset OldNtGetContextThread
rep movsb
mov edx,offset MyNtGetContextThread
sub edx,eax
sub edx,5
mov byte ptr [eax],0e9h
xchg [eax+1],edx
invoke KeLowerIrql,oldIrql
mov eax, cr0
or eax,10000h
mov cr0, eax
sti
mov eax,pDriverObject
assume eax:ptr DRIVER_OBJECT
mov [eax].DriverUnload,offset DriverUnload
assume eax:nothing
popad
mov eax,STATUS_SUCCESS
ret
DriverEntry endp
end DriverEntry
我想知道为什么蓝
MyNtGetContextThread proc ThreadHandle,ThreadContext
ret
MyNtGetContextThread endp
OldNtGetContextThread proc ThreadHandle,ThreadContext
nop
nop
mov eax,NtGetContextThread_Addr
add eax,5
jmp eax
OldNtGetContextThread endp
DriverEntry proc pDriverObject:PDRIVER_OBJECT,pRegistryPath:PUNICODE_STRING
pushad
cli
mov eax, cr0
and eax,0fffeffffh
mov cr0, eax
invoke KeRaiseIrqlToDpcLevel
mov oldIrql,eax
invoke MmGetSystemRoutineAddress,$CCOUNTED_UNICODE_STRING("NtGetContextThread")
mov NtGetContextThread_Addr,eax
mov ecx,5
mov esi,eax
mov edi,offset OldNtGetContextThread
rep movsb
mov edx,offset MyNtGetContextThread
sub edx,eax
sub edx,5
mov byte ptr [eax],0e9h
xchg [eax+1],edx
invoke KeLowerIrql,oldIrql
mov eax, cr0
or eax,10000h
mov cr0, eax
sti
mov eax,pDriverObject
assume eax:ptr DRIVER_OBJECT
mov [eax].DriverUnload,offset DriverUnload
assume eax:nothing
popad
mov eax,STATUS_SUCCESS
ret
DriverEntry endp
end DriverEntry
我想知道为什么蓝
|
|
|---|---|
|
|
没提升Irql????
|
|
|
|
|
|
还是蓝
|
|
|
|
|
|
这个我也不知道
|
