#include <wdm.h>
// 0x78 bytes (sizeof) -- size annotation for the struct _LDR_DATA_TABLE_ENTRY layout below, not for the macros that immediately follow
/* IOCTL codes of the control device, all METHOD_BUFFERED. The last CTL_CODE
 * field is the access the caller's handle must have been opened with; the I/O
 * manager rejects the request otherwise, so a read-only handle cannot issue the
 * write-tagged codes. Listed in function-code order. */
#define MY_GETINFO_CODE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x880, METHOD_BUFFERED, FILE_WRITE_ACCESS | FILE_READ_ACCESS)
#define MY_HOOK_CODE    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x885, METHOD_BUFFERED, FILE_WRITE_ACCESS)
#define MY_START_CODE   CTL_CODE(FILE_DEVICE_UNKNOWN, 0x886, METHOD_BUFFERED, FILE_WRITE_ACCESS | FILE_READ_ACCESS)
#define MY_FIX_CODE     CTL_CODE(FILE_DEVICE_UNKNOWN, 0x888, METHOD_BUFFERED, FILE_READ_ACCESS)

/* IRP_MJ_DEVICE_CONTROL dispatch routine; its definition is not in this excerpt. */
NTSTATUS MyDeviceControl(PDEVICE_OBJECT pdv, PIRP pirp);

/* Name suggests it edits the PDE/PTE covering addr; the body is not visible here,
 * so confirm what it actually changes and whether it restores anything. */
VOID FixPdePte(ULONG addr);

/* Hook bookkeeping shared between the IOCTL handler and the unload path.
 * Every address is a ULONG, i.e. 32-bit: this layout only holds on x86, and a
 * 64-bit pointer stored here would be truncated. No lock is visible in this
 * excerpt; if two IOCTLs can run concurrently these globals race -- confirm
 * against the dispatch routine. */
ULONG g_funcaddr = 0;   /* presumably the ring-3 function being hooked; set via IOCTL (verify) */
ULONG oldAddr    = 0;
UCHAR oldcode[2] = { 0x8b, 0xff };   /* presumably the original bytes at the patch site; the initial
                                       * value is the 2-byte hot-patch prologue mov edi,edi */
ULONG oldPDE     = 0;   /* saved page-directory entry, restored on unload per the article; verify */
ULONG oldPTE     = 0;   /* saved page-table entry, likewise */
typedef struct _LDR_DATA_TABLE_ENTRY
{
struct _LIST_ENTRY InLoadOrderLinks; //0x0
struct _LIST_ENTRY InMemoryOrderLinks; //0x8
struct _LIST_ENTRY InInitializationOrderLinks; //0x10
VOID* DllBase; //0x18
VOID* EntryPoint; //0x1c
ULONG SizeOfImage; //0x20
struct _UNICODE_STRING FullDllName; //0x24
struct _UNICODE_STRING BaseDllName; //0x2c
ULONG Flags; //0x34
USHORT LoadCount; //0x38
USHORT TlsIndex; //0x3a
union
{
struct _LIST_ENTRY HashLinks; //0x3c
struct
{
VOID* SectionPointer; //0x3c
ULONG CheckSum; //0x40
};
};
union
{
ULONG TimeDateStamp; //0x44
VOID* LoadedImports; //0x44
};
struct _ACTIVATION_CONTEXT* EntryPointActivationContext; //0x48
VOID* PatchInformation; //0x4c
struct _LIST_ENTRY ForwarderLinks; //0x50
struct _LIST_ENTRY ServiceTagLinks; //0x58
通过写拷贝HOOK3环函数(滴水中级项目之一)
本文介绍了如何使用中断函数和中断门实现3环函数的HOOK技术。通过保存调用参数,修改页属性,以及创建中断门,实现了在3环代码中拦截特定函数的功能。在卸载驱动时,能够正确恢复被HOOK的函数。此外,还详细说明了在3环与0环之间的交互过程,包括函数修复、参数获取等关键步骤。