//从hookport.sys学到的hook方法,主要是KiFastCallEntry地址的获取及hook的地方思路 //DRIVER.CPP #include "Driver.h" #define MAX_POOL_EXA 0x1000 /************************************************************************ 全局结构变量 *************************************************************************/ #define FUNCINDEX 0xDB extern "C" typedef struct _SERVICE_DESCRIPTOR_TABLE { PVOID ServiceTableBase; PULONG ServiceCounterTableBase; ULONG NumberOfService; ULONG ParamTableBase; }SERVICE_DESCRIPTOR_TABLE,*PSERVICE_DESCRIPTOR_TABLE; extern "C" PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable; #define Unprotect() / __asm cli / __asm mov eax,cr0 / __asm and eax,0x0FFFEFFFF / __asm mov cr0,eax #define Protect() / __asm mov eax,cr0 / __asm or eax, not 0FFFEFFFFh / __asm mov cr0,eax / __asm sti ULONG g_OldServiceAddress=0; ULONG g_hookkifasthandle=0x680286449; PVOID g_pJmpBuff=NULL; ULONG g_KiFaseCallEntryEntryAddress=0; ULONG g_OldKiFastCallEntryAddress=0; CHAR TagsToHookKiFastCallEntry[]={0x2b,0xe1,0xc1,0xe9,0x02}; CHAR g_jmp[]={0xe9,0x90,0x90,0x90,0x90}; /************************************************************************ 函数声明 *************************************************************************/ extern "C" NTSTATUS ZwSetEvent( __in HANDLE EventHandle, __out_opt PLONG PreviousState ); /************************************************************************ * 函数名称:MySleep * 功能描述:传入时间,暂停指定时间 * 参数列表: * 返回 值:无 *************************************************************************/ VOID MySleep(ULONG dwMilliseconds) { KTIMER Timer; LARGE_INTEGER DueTime; DueTime.QuadPart=dwMilliseconds*(-1000); KeInitializeTimerEx(&Timer, SynchronizationTimer); KeSetTimer(&Timer,DueTime,0); KeWaitForSingleObject(&Timer,UserRequest,0,TRUE,0); } /************************************************************************ * 函数名称:RealKiFastCallEntry * 功能描述:这里添加各种过滤规则,暂未添加规则,只是简单打印 * 参数列表:这3个参数暂且不知道什么意思,需要看wrk * 返回 值:NTSTATUS *************************************************************************/ ULONG RealKiFastCallEntry(ULONG arg1,ULONG arg2,ULONG arg3