#include <ntddk.h>
#include <WinDef.h>
/* CR0 image captured by DisablePageProtect() and written back by
   EnablePageProtect(). CR0 is a per-CPU register while this is a single
   global, so the saved value only describes the CPU that captured it. */
ULONG CroValue;
/* First 5 bytes at the entry of ZwSetInformationFile, captured by
   InlineHookWith() and restored by UnInlineHook(). */
BYTE OriginalByte2[5]={0};
/* 5-byte patch written over the entry of ZwSetInformationFile:
   0xE9 = JMP rel32; the four displacement bytes are filled in by
   InlineHookWith(). */
BYTE JmpAddr2[5]={0xE9,0,0,0,0};
extern POBJECT_TYPE *PsProcessType;   /* not referenced anywhere else in this file */
/* Local redeclaration of the ntoskrnl export.
   NOTE(review): ntddk.h declares this routine with NTAPI (__stdcall); this
   prototype omits it, so its calling convention is the build's default.
   Confirm the driver is built with __stdcall as default (/Gz); otherwise
   the caller-side stack cleanup will not match the export's callee cleanup. */
NTKERNELAPI NTSTATUS ZwSetInformationFile(
IN HANDLE FileHandle,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PVOID FileInformation,
IN ULONG Length,
IN FILE_INFORMATION_CLASS FileInformationClass
);
/* Forward declaration of the detour that the patched entry jumps to.
   It is entered by a JMP, not a CALL, so it runs on the original caller's
   stack and must use the same calling convention as ZwSetInformationFile. */
NTSTATUS NewMyZwSetInformationFile(
IN HANDLE FileHandle,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PVOID FileInformation,
IN ULONG Length,
IN FILE_INFORMATION_CLASS FileInformationClass
);
//打开页面保护
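/*-----------------------------------------------------------------------
 * VOID EnablePageProtect(void)
 * Writes the CR0 image saved in CroValue back into CR0, i.e. re-enables the
 * write-protect (WP) bit that DisablePageProtect() cleared.
 * Must be paired with a preceding DisablePageProtect() on the same CPU:
 * CR0 is per-processor and CroValue is one global, so the restore is only
 * meaningful if the thread has not migrated in between.
 * In/Out: none.  Clobbers: nothing (eax is saved and restored; no flags
 * are touched by push/pop/mov).
 *-----------------------------------------------------------------------*/
VOID EnablePageProtect()
{
    /* A single __asm block; the original nested _asm { __asm { ... } }
       was redundant and mixed the two spellings. */
    __asm
    {
        push    eax
        mov     eax, CroValue           ; CR0 image saved by DisablePageProtect()
        mov     cr0, eax                ; WP returns to its saved state
        pop     eax
    }
}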
//关闭页面保护
/*-----------------------------------------------------------------------
 * VOID DisablePageProtect(void)
 * Saves the current CPU's CR0 into CroValue and clears bit 16 (WP), so
 * supervisor writes to read-only pages stop faulting on this CPU until
 * EnablePageProtect() writes the saved image back.
 * In/Out: none.  Clobbers: flags (from AND); ecx is saved and restored.
 *-----------------------------------------------------------------------*/
VOID DisablePageProtect()
{
    __asm
    {
        push    ecx
        mov     ecx, cr0
        mov     CroValue, ecx           ; remember the original CR0 image
        and     ecx, 0fffeffffh         ; clear CR0.WP (bit 16)
        mov     cr0, ecx
        pop     ecx
    }
}
/*-----------------------------------------------------------------------
 * OriginalZwSetInformationFile - trampoline back into the patched export.
 * Naked: no compiler prologue/epilogue; the body is exactly the inline asm.
 * It replays the 5 bytes that InlineHookWith() overwrote at the start of
 * ZwSetInformationFile and then jumps to ZwSetInformationFile+5, so the
 * original routine finishes the call and returns to our caller.
 *
 * NOTE(review): the replayed bytes are hard-coded as the /hotpatch prologue
 *   8B FF 55 8B EC  (mov edi,edi / push ebp / mov ebp,esp)
 * but nothing checks that these equal what InlineHookWith() saved in
 * OriginalByte2. The 32-bit ntoskrnl Zw* stubs typically do not start with
 * that prologue (they load the service index into eax first), in which case
 * eax and the stack no longer match what the code at +5 expects - consistent
 * with the reported crash at the call in NewMyZwSetInformationFile. Compare
 * OriginalByte2 against these three instructions in the debugger.
 * NOTE(review): "mov eax,ZwSetInformationFile" names a dllimport symbol;
 * confirm in the disassembly that it yields the function's address rather
 * than the address of its import-table slot.
 *-----------------------------------------------------------------------*/
_declspec(naked) NTSTATUS OriginalZwSetInformationFile(
IN HANDLE FileHandle,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PVOID FileInformation,
IN ULONG Length,
IN FILE_INFORMATION_CLASS FileInformationClass)
{
    __asm
    {
        mov     edi,edi                 ; replayed byte 1-2 (assumed, see NOTE)
        push    ebp                     ; replayed byte 3
        mov     ebp,esp                 ; replayed byte 4-5
        mov     eax,ZwSetInformationFile
        add     eax,5                   ; skip the 5 patched bytes
        jmp     eax                     ; continue in the original routine
    }
}
/*-----------------------------------------------------------------------
 * NTSTATUS NewMyZwSetInformationFile(...)
 * Detour body. The patched ZwSetInformationFile entry jumps here, so this
 * runs with the original caller's arguments and stack. It forwards the call
 * through the OriginalZwSetInformationFile trampoline, logs when the result
 * is exactly STATUS_SUCCESS, and returns the kernel's status unchanged.
 * Runs at the caller's IRQL; DbgPrint here presumes PASSIVE_LEVEL callers -
 * confirm for every caller of this export.
 * NOTE(review): this is the kernel-mode Zw entry; user-mode callers are
 * presumably dispatched through the service table to NtSetInformationFile
 * and never pass through this detour - verify.
 *-----------------------------------------------------------------------*/
NTSTATUS NewMyZwSetInformationFile(
IN HANDLE FileHandle,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PVOID FileInformation,
IN ULONG Length,
IN FILE_INFORMATION_CLASS FileInformationClass
)
{
    const NTSTATUS result = OriginalZwSetInformationFile(FileHandle,
                                                        IoStatusBlock,
                                                        FileInformation,
                                                        Length,
                                                        FileInformationClass);
    /* Only an exact STATUS_SUCCESS is logged (deliberately not NT_SUCCESS,
       which would also accept informational/warning codes). */
    if (result == STATUS_SUCCESS)
        DbgPrint("ZwSetInformationFile进来了");
    return result;
}
/*-----------------------------------------------------------------------
 * VOID InlineHookWith(void)
 * Installs the detour: saves the first 5 bytes of ZwSetInformationFile in
 * OriginalByte2, builds a JMP rel32 to NewMyZwSetInformationFile in
 * JmpAddr2, and writes it over the export's entry with CR0.WP cleared.
 * Rewriting kernel text this way is exactly what kernel code-integrity
 * checks (in-memory vs on-disk image comparison; Kernel Patch Protection
 * on x64) exist to detect and report.
 *
 * NOTE(review): DisablePageProtect() runs before the IRQL is raised, while
 * the thread is still preemptible. CR0 is per-CPU, so a reschedule onto
 * another CPU between those two lines means the patch write happens with
 * WP still set (ATTEMPTED_WRITE_TO_READONLY_MEMORY), and the later
 * EnablePageProtect() restores CR0 on the wrong CPU, leaving WP cleared on
 * the first one. UnInlineHook() has the same ordering.
 * NOTE(review): KeRaiseIrqlToDpcLevel() only affects this CPU; the 5-byte
 * RtlCopyMemory is not atomic, so another CPU executing the entry during
 * the write may see a torn instruction.
 *-----------------------------------------------------------------------*/
VOID InlineHookWith()
{
    KIRQL Kirql;
    /* Keep the bytes about to be overwritten so UnInlineHook() can restore them. */
    RtlCopyMemory(OriginalByte2,(BYTE *)ZwSetInformationFile,5);
    /* rel32 is measured from the end of the 5-byte JMP (entry + 5). */
    *(ULONG *)(JmpAddr2+1)=(ULONG)NewMyZwSetInformationFile-((ULONG)ZwSetInformationFile+5);
    DisablePageProtect();
    Kirql=KeRaiseIrqlToDpcLevel();
    RtlCopyMemory((BYTE *)ZwSetInformationFile,JmpAddr2,5);
    KeLowerIrql(Kirql);
    EnablePageProtect();
}
/*-----------------------------------------------------------------------
 * VOID UnInlineHook(void)
 * Removes the detour by writing the 5 bytes saved in OriginalByte2 back
 * over the entry of ZwSetInformationFile, with CR0.WP cleared.
 * NOTE(review): as in InlineHookWith(), WP is cleared before the IRQL is
 * raised, so a thread migration between those lines writes with WP still
 * set on the new CPU and leaves WP cleared on the old one.
 * NOTE(review): nothing here checks that the hook is actually installed
 * (OriginalByte2 is all zeros until InlineHookWith() has run), and nothing
 * waits for threads that may still be inside NewMyZwSetInformationFile.
 *-----------------------------------------------------------------------*/
VOID UnInlineHook()
{
    KIRQL Kirql;
    DisablePageProtect();
    Kirql=KeRaiseIrqlToDpcLevel();
    RtlCopyMemory((BYTE *)ZwSetInformationFile,OriginalByte2,5);   /* put the original entry bytes back */
    KeLowerIrql(Kirql);
    EnablePageProtect();
}
/*-----------------------------------------------------------------------
 * OnUnload - DriverUnload callback: removes the inline hook, then logs.
 * pDriverObject is not used. Note that nothing here waits for threads that
 * may still be executing inside NewMyZwSetInformationFile when the image
 * is unmapped.
 *-----------------------------------------------------------------------*/
VOID OnUnload( IN PDRIVER_OBJECT pDriverObject )
{
    UNREFERENCED_PARAMETER(pDriverObject);
    UnInlineHook();
    DbgPrint("My Driver Unloaded!");
}
/*-----------------------------------------------------------------------
 * DriverEntry - registers the unload routine, installs the inline hook on
 * ZwSetInformationFile and reports success unconditionally.
 * pRegistryPath is not used.
 *-----------------------------------------------------------------------*/
NTSTATUS DriverEntry( IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING pRegistryPath )
{
    UNREFERENCED_PARAMETER(pRegistryPath);
    /* Register unload first so the hook is always removed on unload. */
    pDriverObject->DriverUnload = OnUnload;
    DbgPrint("My Driver Loaded!");
    InlineHookWith();
    return STATUS_SUCCESS;
}
windbg 调试代码走到
status=OriginalZwSetInformationFile(FileHandle,IoStatusBlock,FileInformation,Length,FileInformationClass);
就蓝屏了
不知道是哪里错了,这段代码是根据别人的代码改的,求大牛帮忙解决一下...