#ifndef _PROTECT_XUETR_H_
#define _PROTECT_XUETR_H_
#include <ntddk.h>
#include <windef.h>
extern POBJECT_TYPE *IoDriverObjectType; // the type is already declared at this point (author's note)
/*
 * Local prototype for the kernel export ObReferenceObjectByName, presumably
 * supplied here because the included headers do not declare it — TODO confirm.
 * ObjectName is the name to look up, ObjectType the expected object type, and
 * on success the result is written through Object.
 *
 * NOTE(review): the include guard opened above (#ifndef _PROTECT_XUETR_H_) has
 * no matching #endif anywhere in this paste; the header and the .c file appear
 * to have been concatenated.
 */
NTKERNELAPI
NTSTATUS
ObReferenceObjectByName(
IN PUNICODE_STRING ObjectName,
IN ULONG Attributes,
IN PACCESS_STATE PassedAccessState OPTIONAL,
IN ACCESS_MASK DesiredAccess OPTIONAL,
IN POBJECT_TYPE ObjectType,
IN KPROCESSOR_MODE AccessMode,
IN OUT PVOID ParseContext OPTIONAL,
OUT PVOID *Object
);
#include "ProtectXuetr.h"
/*
 * HideDriverByName - looks up an object under "\Driver" by name.
 *
 * NOTE(review): as pasted this function is incomplete and does not compile:
 * stDriverDirectory, stObjectAttributes, Status and pObjectDirectory are never
 * declared, the body has no closing brace and no return statement, and the
 * stObjectAttributes initialised below is not used in the visible lines.
 * The author's comments name PCHunter32, an anti-rootkit tool, as the target;
 * tampering with a security product's driver object is exactly the kind of
 * kernel manipulation such tools and integrity checks are built to detect.
 */
NTSTATUS HideDriverByName()
{
RtlInitUnicodeString( &stDriverDirectory, L"\\Driver");
InitializeObjectAttributes( &stObjectAttributes, &stDriverDirectory,
OBJ_CASE_INSENSITIVE|OBJ_KERNEL_HANDLE, NULL, NULL );
// Author's intent: obtain the driver's directory object (POBJECT_DIRECTORY) via \\Driver\\PCHunter32
Status = ObReferenceObjectByName( // author's note: this ObReferenceObjectByName call keeps returning an unsuccessful status
&stDriverDirectory, // c00000024 (status value as reported by the author)
OBJ_CASE_INSENSITIVE,
NULL,
0,
*IoDriverObjectType,
KernelMode,
NULL,
(PVOID*)&pObjectDirectory);
/*
 * DriverUnload - unload callback registered from DriverEntry.
 * Nothing is released here; the parameter is only marked as used.
 */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
UNREFERENCED_PARAMETER(DriverObject);
}
/*
 * DriverEntry - driver entry point.
 *
 * Calls HideDriverByName(), prints a message only when it reports success,
 * registers DriverUnload, and then returns STATUS_SUCCESS unconditionally:
 * the load succeeds even when HideDriverByName failed, and that failure is
 * never logged. pRegistryString is not used.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING pRegistryString)
{
NTSTATUS status = STATUS_UNSUCCESSFUL;
// MSVC inline-assembly breakpoint (x86 builds only) left in so the driver stops
// in the kernel debugger on load. NOTE(review): with no debugger attached a
// kernel-mode int 3 is typically an unhandled exception and bugchecks the
// machine — remove it from any build loaded outside a debugging session.
__asm {
int 3
}
// Author's intent: prepare to remove PCHunter32's driver object from the object directory
status = HideDriverByName();
if (NT_SUCCESS(status))
{
DbgPrint("Hide PCHunter32 success\r\n");
}
DriverObject->DriverUnload = DriverUnload;
return STATUS_SUCCESS;
}
帮我看看吧,大神们,谢谢