include \masm32\include\w2k\ntstatus.inc
include \masm32\include\w2k\ntddk.inc
include \masm32\include\w2k\ntoskrnl.inc
include \masm32\include\w2k\w2kundoc.inc
includelib \masm32\lib\w2k\ntoskrnl.lib
include \masm32\Macros\Strings.mac
;-----------------------------------------------------------------------
; Driver-global state for the service-table patch that DriverEntry
; (below) sets up. 32-bit MASM, kernel-mode, built against the w2k
; ntoskrnl includes. dd = 32-bit, db = byte string.
;-----------------------------------------------------------------------
.data
realaddr dd 0                   ; original KeServiceDescriptorTable entry for
                                ; service index 07ah (NtOpenProcess per the
                                ; comment in DriverEntry). The index is
                                ; hard-coded and differs between Windows
                                ; builds; it is not a stable constant.
CR0Reg dd 0                     ; not referenced in the visible part of this
                                ; listing; presumably a saved CR0 value - confirm
Messaga1 db "OpenProcess",0     ; not referenced in the visible part of this listing
Messaga2 db "Driver loaded", 0  ; printed via DbgPrint at the top of DriverEntry
.code
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
local pDeviceObject:PVOID
pushad
invoke DbgPrint, addr Messaga2
mov edi, KeServiceDescriptorTable
mov edi, [edi]
mov eax, [edi+(07ah*4)] ;edi+07ah*4 - NtOpenProcess
mov realaddr, eax
include C:\RadASM\masm32\include\w2k\ntstatus.inc
include C:\RadASM\masm32\include\w2k\ntddk.inc
include C:\RadASM\masm32\include\w2k\ntoskrnl.inc
include C:\RadASM\masm32\include\w2k\w2kundoc.inc
includelib C:\RadASM\masm32\lib\w2k\ntoskrnl.lib
include C:\RadASM\\masm32\Macros\Strings.mac
;-----------------------------------------------------------------------
; Driver-global state for the service-table patch that DriverEntry
; (below) sets up. 32-bit MASM, kernel-mode, built against the w2k
; ntoskrnl includes. dd = 32-bit, db = byte string.
;-----------------------------------------------------------------------
.data
realaddr dd 0                   ; original KeServiceDescriptorTable entry for
                                ; service index 07ah (NtOpenProcess per the
                                ; comment in DriverEntry). The index is
                                ; hard-coded and differs between Windows
                                ; builds; it is not a stable constant.
CR0Reg dd 0                     ; not referenced in the visible part of this
                                ; listing; presumably a saved CR0 value - confirm
Messaga1 db "OpenProcess",0     ; not referenced in the visible part of this listing
Messaga2 db "Driver loaded", 0  ; printed via DbgPrint at the top of DriverEntry
.code
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
local pDeviceObject:PVOID
pushad
invoke DbgPrint, addr Messaga2
mov edi, KeServiceDescriptorTable
mov edi, [edi]
mov eax, [edi+(07ah*4)] ;edi+07ah*4 - NtOpenProcess
mov realaddr, eax
include C:\RadASM\masm32\include\w2k\ntstatus.inc
include C:\RadASM\masm32\include\w2k\ntddk.inc
include C:\RadASM\masm32\include\w2k\ntoskrnl.inc
include C:\RadASM\masm32\include\w2k\w2kundoc.inc
includelib C:\RadASM\masm32\lib\w2k\ntoskrnl.lib
include C:\RadASM\\masm32\Macros\Strings.mac
;-----------------------------------------------------------------------
; Driver-global state for the service-table patch that DriverEntry
; (below) performs. 32-bit MASM, kernel-mode, built against the w2k
; ntoskrnl includes. dd = 32-bit, db = byte string.
;-----------------------------------------------------------------------
.data
P_addr dd 0                     ; address of the KeServiceDescriptorTable slot
                                ; for service index 07ah (lea in DriverEntry);
                                ; the slot that DriverEntry later overwrites
realaddr dd 0                   ; original dispatch address read from that slot
                                ; before it is overwritten (NtOpenProcess per the
                                ; index comment). The index is hard-coded and
                                ; differs between Windows builds. Whether it is
                                ; restored on unload is not visible here - confirm
CR0Reg dd 0                     ; CR0 saved before DriverEntry clears bit 16 (WP)
                                ; to write the slot; restored right after the write
Messaga1 db "OpenProcess",0     ; not referenced in the visible part of this listing
Messaga2 db "Driver loaded", 0  ; printed via DbgPrint at the top of DriverEntry
.code
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
local pDeviceObject:PVOID
pushad
invoke DbgPrint, addr Messaga2
mov edi, dword ptr KeServiceDescriptorTable
mov edi, [edi]
lea eax, [edi+(07ah*4)]
mov P_addr, eax ;保存地址指针
push [edi+(07ah*4)]
pop realaddr ;保存原来的地址
cli
mov eax, CR0
mov CR0Reg, eax
and eax,0fffeffffh
mov cr0, eax
mov eax,P_addr
mov [eax], dword ptr offset hookproc
mov eax, CR0Reg
mov CR0, eax
sti