inline hook NtCreateFile 前五个字节 测试没问题 可以正常保护文件
但是hook之后10个小时左右的时候 电脑会死机。。。测试了好几天了 每次都是这样 兄弟们帮忙看下什么情况。代码发在下面
//先是两个函数
int DetermineProcessName(char *szName)//判断当前调用的进程
{
int nEProcess;
nEProcess=(int)PsGetCurrentProcess();
if(nEProcess==0)return 0;
if(MmIsAddressValid(szName)&&MmIsAddressValid((PVOID)(nEProcess+EPROCESS_IMAGE_NAME)))//eprocess+0x174 XP系统 EPROCESS_IMAGE_NAME = 174
{
if(strcmp((char*)(nEProcess+EPROCESS_IMAGE_NAME),szName)==0)
{
return 1;
}
}
return 0;
}
int EProcessIsMineA(PEPROCESS pProcess)//判断EProcess是否在白名单
{
ULONG i;
char *pName;
if(pProcess==NULL||!MmIsAddressValid(pProcess))
{
return 0;
}
pName = (char*)((int)pProcess + EPROCESS_IMAGE_NAME);
if(MmIsAddressValid(pName))
{
for(i=0;i<ulNum;i++)
{
if(!strcmp(ulName[i],pName))
{
return 1;
}
}
}
return 0;
}
//自己的NtCreateFile
NTSTATUS MyNtCreateFile(
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PLARGE_INTEGER AllocationSize OPTIONAL,
IN ULONG FileAttributes,
IN ULONG ShareAccess,
IN ULONG CreateDisposition,
IN ULONG CreateOptions,
IN PVOID EaBuffer OPTIONAL,
IN ULONG EaLength
)
{
WCHAR *pFileName;
WCHAR ch = L'\\';
ULONG i;
if(DetermineProcessName("explorer.exe"))//判断是不是系统调用
{
return ((NTCREATEFILE)OldNtCreateFile)(FileHandle,DesiredAccess,ObjectAttributes,IoStatusBlock,
AllocationSize,FileAttributes,ShareAccess,CreateDisposition,CreateOptions,EaBuffer,EaLength);
}
if(EProcessIsMineA(PsGetCurrentProcess()))//判断是不是自己的进程调用
{
return ((NTCREATEFILE)OldNtCreateFile)(FileHandle,DesiredAccess,ObjectAttributes,IoStatusBlock,
AllocationSize,FileAttributes,ShareAccess,CreateDisposition,CreateOptions,EaBuffer,EaLength);
}
if(MmIsAddressValid(ObjectAttributes))
{
if(MmIsAddressValid(ObjectAttributes->ObjectName))
{
if(MmIsAddressValid((ObjectAttributes->ObjectName)->Buffer))
{
pFileName = wcsrchr((ObjectAttributes->ObjectName)->Buffer,ch) + 1;//文件路径中获取文件名字
if(MmIsAddressValid(pFileName))
{
for(i=0;i<ulNum;i++)//判断打开的文件是不是要保护的文件
{
if(!wcscmp(ulNameW[i], pFileName))//ulNameW[i]
{
return 0xC0000024;
}
}
}
}
}
}
return ((NTCREATEFILE)OldNtCreateFile)(FileHandle,DesiredAccess,ObjectAttributes,IoStatusBlock,
AllocationSize,FileAttributes,ShareAccess,CreateDisposition,CreateOptions,EaBuffer,EaLength);
}
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)