-
-
[求助]delphi ddk修改INLINE问题
-
发表于:
2007-11-18 03:44
6409
-
菜鸟架到。。。大家别BS。。。
没有蓝屏信息,蓝屏代码8E。。DEBUG信息全一个地址。。如0xE15F84EC
大家帮个忙吧。。新手上路,难免撞车
unit driver;
interface
uses DDDK;
type
POBJECT_ATTRIBUTES = ^OBJECT_ATTRIBUTES;
PCLIENT_ID =^ulong;
ACCESS_MASK = cardinal;
phandle = ^thandle;
function _DriverEntry(DriverObject: PDriverObject; RegistryPath:PUnicodeString): NTSTATUS; stdcall;
var
POldOpenProcess : pLong;
OldOpenProcessAdd : pLong;
JmpAddress : uLong;
implementation
function MyNtOpenProcess(ProcessHandle:phandle;DesiredAccess: ACCESS_MASK;ObjectAttributes: POBJECT_ATTRIBUTES;ClientId:PCLIENT_ID):NTSTATUS;CDECL;
begin
asm
push 0C4h
push 804daa88h
jmp [JmpAddress]
end; //xp..vm..
dbgprint('MyNtOpenProcess=0x%X',[]);
end;
procedure DriverUnload(DriverObject: PDriverObject); stdcall;
begin
asm
cli
mov eax,cr0
and eax,not $10000
mov cr0,eax
end;
POldOpenProcess^ := ULong(OldOpenProcessAdd);
asm
mov eax,cr0
or eax,$10000
mov cr0,eax
sti
end;
end;
function _DriverEntry(DriverObject: PDriverObject; RegistryPath:PUnicodeString): NTSTATUS; stdcall;
begin
DriverObject^.DriverUnload := @DriverUnload;
POldOpenProcess := Pointer(ULONG(KeServiceDescriptorTable.ServiceTableBase) + $7a * 4); //0x7a xpsp2 ntopenprocess
dbgprint('POldOpenProcess=0x%X',[]);
OldOpenProcessAdd := pointer($805c0b78); //Pointer(POldOpenProcess^)
dbgprint('OldOpenProcessAdd=0x%X',[]);
JmpAddress := ulong(OldOpenProcessAdd)+10;
dbgprint('JmpAddress=0x%X',[]);
asm
cli
mov eax,cr0
and eax,not $10000
mov cr0,eax
end;
POldOpenProcess^ := ULong(@MyNtOpenProcess);//加了这行就蓝
dbgprint('POldOpenProcess=0x%X',[]);
asm
mov eax,cr0
or eax,$10000
mov cr0,eax
sti
end;
Result := STATUS_SUCCESS;
end;
end.
[课程]FART 脱壳王!加量不加价!FART作者讲授!
