最近看了别人写的hook SSDT函数的例子，自己练习一下，写了hook ZwDeleteFile这个函数的代码，代码如下，icesword显示SSDT中的ZwDeleteFile函数已经被我的驱动HOOK，但是我删除文件的时候，为什么文件还会被我删除掉？
代码如下：

#include "ntddk.h"

#pragma pack(1)
typedef struct ServiceDescriptorEntry {
        unsigned int *ServiceTableBase;
        unsigned int *ServiceCounterTableBase; //Used only in checked build
        unsigned int NumberOfServices;
        unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()

__declspec(dllimport)  ServiceDescriptorTableEntry_t KeServiceDescriptorTable;
#define SYSTEMSERVICE(_function)  KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)_function+1)]

PMDL  g_pmdlSystemCall;
PVOID *MappedSystemCallTable;

#define SYSCALL_INDEX(_Function) *(PULONG)((PUCHAR)_Function+1)
#define HOOK_SYSCALL(_Function, _Hook, _Orig )  \
       _Orig = (PVOID) InterlockedExchange( (PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)

#define UNHOOK_SYSCALL(_Function, _Hook, _Orig )  \
       InterlockedExchange( (PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)

NTSYSAPI
NTSTATUS
NTAPI
ZwDeleteFile(IN POBJECT_ATTRIBUTES ObjectAttributes);

//定义ZwDeleteFile的原型

typedef NTSTATUS (*REALZWDELETEFILE)(IN POBJECT_ATTRIBUTES  ObjectAttributes);

//定义一个原函数指针
REALZWDELETEFILE RealZwDeleteFile;

NTSTATUS HookZwDeleteFile(IN POBJECT_ATTRIBUTES  ObjectAttributes)
{
                NTSTATUS rc=1;

                ANSI_STRING ansiFileName,ansiDirName,HideDirFile;
                UNICODE_STRING uniFileName;

                //初始化要防删除的文件名，这里是HIDEFILE.EXEe
                RtlInitAnsiString(&HideDirFile,"HIDEFILE.EXE");
            RtlInitUnicodeString(&uniFileName,(PCWSTR)ObjectAttributes->ObjectName);
            
            RtlUnicodeStringToAnsiString(&ansiFileName,&uniFileName,TRUE);
            RtlUnicodeStringToAnsiString(&ansiDirName,&uniFileName,TRUE);
            RtlUpperString(&ansiFileName,&ansiDirName);
                  
            if(RtlCompareMemory(ansiFileName.Buffer,HideDirFile.Buffer,HideDirFile.Length ) == HideDirFile.Length)
            {
                       
            }
            else
            {
                        // 执行真正的ZwDeleteFile函数
                        //rc = ((REALZWDELETEFILE)(RealZwDeleteFile))(ObjectAttributes);
            }

            RtlFreeAnsiString(&ansiDirName);
            RtlFreeAnsiString(&ansiFileName);
            return(rc);
}

VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
   UNHOOK_SYSCALL( ZwDeleteFile, RealZwDeleteFile, HookZwDeleteFile );
   // Unlock and Free MDL
   if(g_pmdlSystemCall)
   {
      MmUnmapLockedPages(MappedSystemCallTable, g_pmdlSystemCall);
      IoFreeMdl(g_pmdlSystemCall);
   }
}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT theDriverObject,IN PUNICODE_STRING theRegistryPath)
{
   theDriverObject->DriverUnload  = OnUnload;

        //保存真正的ZwDeleteFile函数地址
        RealZwDeleteFile=(REALZWDELETEFILE)(SYSTEMSERVICE(ZwDeleteFile));

   g_pmdlSystemCall = MmCreateMdl(NULL, KeServiceDescriptorTable.ServiceTableBase, KeServiceDescriptorTable.NumberOfServices*4);
   if(!g_pmdlSystemCall)
      return STATUS_UNSUCCESSFUL;

   MmBuildMdlForNonPagedPool(g_pmdlSystemCall);

   // Change the flags of the MDL
   g_pmdlSystemCall->MdlFlags = g_pmdlSystemCall->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;

   MappedSystemCallTable = MmMapLockedPages(g_pmdlSystemCall, KernelMode);

   // hook system calls
   HOOK_SYSCALL( ZwDeleteFile, HookZwDeleteFile, RealZwDeleteFile );
                              
   return STATUS_SUCCESS;
}

[课程]Android-CTF解题方法汇总！