-
-
[求助]delphi hook ZwCreateFile 蓝屏
-
发表于:
2014-6-23 15:28
4657
-
[求助]delphi hook ZwCreateFile 蓝屏
用EASYSYS 可以 编译成功 下载地址
http://bbs.pediy.com/showthread.php?t=75863
尝试了各种办法 还是蓝屏 我是 菜鸟 哈哈 帮我看看
unit wxCreateFile;
interface
uses
nt_status, ntoskrnl, native, ntddk;
function _DriverEntry(DriverObject: PDriverObject; RegistryPath:
PUnicodeString): NTSTATUS; stdcall;
type
TZwCreateFile = function(FileHandle: PHANDLE; DesiredAccess: ACCESS_MASK; ObjectAttributes: POBJECT_ATTRIBUTES;
IoStatusBlock: PIO_STATUS_BLOCK;
AllocationSize: PLARGE_INTEGER; FileAttributes: ULONG; ShareAccess: ULONG; CreateDisposition: ULONG; CreateOptions:
ULONG; EaBuffer: PVOID; EaLength: ULONG): NTSTATUS; stdcall;
var
POldCreateFile: PLong; //保存NTDebugActiveProcess函数在SSDT表中的指针。
OldCreateFileAdd: PLong; //保存原来的NTDebugActiveProcess函数的地址。
OldZwCreateFile: TZwCreateFile;
implementation
function MzwCreateFile(FileHandle: PHANDLE; DesiredAccess: ACCESS_MASK; ObjectAttributes: POBJECT_ATTRIBUTES;
IoStatusBlock: PIO_STATUS_BLOCK;
AllocationSize: PLARGE_INTEGER; FileAttributes: ULONG; ShareAccess: ULONG; CreateDisposition: ULONG; CreateOptions:
ULONG; EaBuffer: PVOID; EaLength: ULONG): NTSTATUS; stdcall;
var
nt_Status: NTSTATUS;
begin
nt_Status := OldZwCreateFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock,
AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength);
Result := nt_Status;
end;
procedure DriverUnload(DriverObject: PDriverObject); stdcall;
begin
asm //关中断
cli
mov eax,cr0
and eax,not $10000
mov cr0,eax
end;
POldCreateFile^ := ULong(OldCreateFileAdd); //恢复SSDT
asm //开中断
mov eax,cr0
or eax,$10000
mov cr0,eax
sti
end;
//DbgPrint('DriverUnload(DriverObject:0x%.8X)',[DriverObject]);
//DbgPrint('DriverUnload(-)',[]);
end;
function _DriverEntry(DriverObject: PDriverObject; RegistryPath:
PUnicodeString): NTSTATUS; stdcall;
begin
DriverObject^.DriverUnload := @DriverUnload;
POldCreateFile := Pointer(ULONG(KeServiceDescriptorTable.ServiceTableBase) + $25
* 4);
OldCreateFileAdd := Pointer(POldCreateFile^);
asm //关中断
cli
mov eax,cr0
and eax,not $10000
mov cr0,eax
end;
POldCreateFile^ := ULong(@MzwCreateFile);
asm //开中断
mov eax,cr0
or eax,$10000
mov cr0,eax
sti
end;
Result := STATUS_SUCCESS;
end;
end.
按照 http://bbs.pediy.com/showthread.php?t=50052 的办法修改的
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
