///整个源码如下

///
/// @file first.c
/// @author crazy_chu
/// @date2008-11-1
///

#include <ntddk.h>
#include <stdio.h>

#define MAKELONG(a, b) ((unsigned long) (((unsigned short) (a)) | ((unsigned long) ((unsigned short) (b))) << 16))

// set this to the max int you want to hook
#define MAX_IDT_ENTRIES 0xFF
ULONG Old_ISR_Pointer,OldCr0;

#define NT_INT_TIMER 0x93
// the starting interrupt for patching
// to 'skip' some troublesome interrupts
// at the beginning of the table (TODO, find out why)
#define START_IDT_OFFSET 0x00

unsigned long g_i_count[MAX_IDT_ENTRIES];
unsigned long old_ISR_pointers[MAX_IDT_ENTRIES];   // better save the old one!!

char * idt_detour_tablebase;
  

///////////////////////////////////////////////////
// IDT structures
///////////////////////////////////////////////////
#pragma pack(1)

// entry in the IDT, this is sometimes called
// an "interrupt gate"
typedef struct
{
   unsigned short LowOffset;
   unsigned short selector;
   unsigned char unused_lo;
   unsigned char segment_type:4;   //0x0E is an interrupt gate
   unsigned char system_segment_flag:1;
   unsigned char DPL:2;   // descriptor privilege level
   unsigned char P:1; /* present */
   unsigned short HiOffset;
} IDTENTRY;

/* sidt returns idt in this format */
typedef struct
{
   unsigned short IDTLimit;
   unsigned short LowIDTbase;
   unsigned short HiIDTbase;
} IDTINFO;

#pragma pack()

VOID DriverUnload(PDRIVER_OBJECT pDriverObj)
{
IDTINFO   idt_info;
IDTENTRY* idt_entry;

_asm sidt idt_info

idt_entry = (IDTENTRY*)MAKELONG(idt_info.LowIDTbase,idt_info.HiIDTbase);
//
_asm
{
   cli;
   //
   mov eax, cr0;
   mov OldCr0,eax;
   and eax,not 10000;
   mov cr0,eax;
}
idt_entry[NT_INT_TIMER].LowOffset = (USHORT)Old_ISR_Pointer;
idt_entry[NT_INT_TIMER].HiOffset = (USHORT)((ULONG)Old_ISR_Pointer >> 16);
_asm
{
   mov eax,OldCr0;
   mov cr0,eax;
   //
   sti;
}

}

VOID My_interrupt_Proc()
{
   DbgPrint("在我的函数知道了中断了\n");
   _asm iret
//_asm  jmp Old_ISR_Pointer;
}

NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath )
{
   IDTINFO     idt_info;     // this structure is obtained by calling STORE IDT (sidt)
   IDTENTRY*   idt_entries;   // and then this pointer is obtained from idt_info

   IDTENTRY*   idt_entry;
   IDTENTRY*   i;
   unsigned long    addr;
   unsigned long   count;
   char _t[255];

   //退出地址就跑去OnUnload
   theDriverObject->DriverUnload   = DriverUnload;
   _asm sidt idt_info

idt_entry = (IDTENTRY*)MAKELONG(idt_info.LowIDTbase,idt_info.HiIDTbase);

//
Old_ISR_Pointer = MAKELONG(idt_entry[NT_INT_TIMER].LowOffset,idt_entry[NT_INT_TIMER].HiOffset);
//
_asm
{
   cli;
   //
   mov eax, cr0;
   mov OldCr0,eax;
   and eax,not 10000;
   mov cr0,eax;
}
idt_entry[NT_INT_TIMER].LowOffset = (USHORT)My_interrupt_Proc;
idt_entry[NT_INT_TIMER].HiOffset = (USHORT)((ULONG)My_interrupt_Proc >> 16);
_asm
{
   mov eax,OldCr0;
   mov cr0,eax;
   //
   sti;
}

// 请视情况返回DriverEntry例程执行结果
return STATUS_SUCCESS;
}

下载地址

http://bbs.pediy.com/attachment.php?attachmentid=75718&stc=1&d=1358621131

上传的附件：

• first.rar （63.81kb，19次下载）

来看看代码，关注一下

你hook的是神马函数？貌似是NT-timer  ？？？
你得搞清楚这个函数是否能跳过，比如缺页中断是一定不能跳过的，
然后，一定要保存好寄存器，哪怕是单纯的调用了DbgPrint函数，只是这样调用下也会改变上下文
，你这样很危险，未知的蓝屏多啊多