hook 问题
用下面的函数去hook ntoskrnl.exe里的函数,发现hook失败。帮看看是为什么?
/*
 * Export Address Table (EAT) patch of an already-loaded PE image.
 *
 * Walks the export directory of the image mapped at pBaseAddress, looks for
 * the export whose name equals Name, records the original function address
 * in *OutFunc and then overwrites that export's RVA so it resolves to InFunc.
 * Returns the original function pointer, or NULL when pBaseAddress is NULL or
 * no export of that name is found.
 *
 * From a defender's view this is the classic kernel EAT-hooking pattern:
 * a write into a read-only kernel data section (the export table of
 * ntoskrnl.exe here, per the post), enabled by clearing CR0.WP below. Both
 * the modified export table and the CR0 toggling are what kernel integrity
 * mechanisms (e.g. Kernel Patch Protection on 64-bit Windows) and memory
 * forensics compare against on-disk images to detect.
 *
 * NOTE(review): no validation of the headers is done (no MZ/PE signature
 * check, no check that the export directory size is non-zero), so a wrong
 * pBaseAddress reads garbage at ring 0. All pointer<->ULONG casts assume a
 * 32-bit kernel. Name must be NUL-terminated.
 *
 * NOTE(review): as shown on the page, `Ordinal = pOrdinals;` and the
 * `pNames` uses lack a `[i]` index and would not even compile (pointer
 * assigned to ULONG, pointer added to pointer); the index was presumably
 * eaten by the forum's markup when the listing was pasted — confirm
 * against the original source.
 */
PVOID HookFunction(PVOID pBaseAddress, PCSTR Name, PVOID InFunc, ULONG* OutFunc)
{
    PIMAGE_DOS_HEADER pDosHeader = NULL;
    PIMAGE_NT_HEADERS pNtHeader = NULL;
    PIMAGE_DATA_DIRECTORY pDirectory = NULL;
    PIMAGE_EXPORT_DIRECTORY pExports = NULL;
    ULONG nSize, Address, i;
    PULONG pFunctions = NULL;  /* AddressOfFunctions: one RVA per export, indexed by ordinal */
    PSHORT pOrdinals = NULL;   /* AddressOfNameOrdinals: name index -> ordinal (16-bit) */
    PULONG pNames = NULL;      /* AddressOfNames: one RVA to a NUL-terminated name per named export */
    PVOID pFunction = NULL;
    ULONG Ordinal = 0;

    if(pBaseAddress == NULL)
        return NULL;

    /* Locate the export data directory through the DOS -> NT header chain. */
    pDosHeader = (PIMAGE_DOS_HEADER)pBaseAddress;
    pNtHeader = (PIMAGE_NT_HEADERS)((PCHAR)pBaseAddress + pDosHeader->e_lfanew);
    pDirectory = pNtHeader->OptionalHeader.DataDirectory + IMAGE_DIRECTORY_ENTRY_EXPORT;
    nSize = pDirectory->Size;
    Address = pDirectory->VirtualAddress;
    pExports = (PIMAGE_EXPORT_DIRECTORY)((PCHAR)pBaseAddress + Address);

    /* All three tables hold RVAs, so every lookup is relative to pBaseAddress. */
    pFunctions = (PULONG)((PCHAR)pBaseAddress + pExports->AddressOfFunctions);
    pOrdinals = (PSHORT)((PCHAR)pBaseAddress + pExports->AddressOfNameOrdinals);
    pNames = (PULONG)((PCHAR)pBaseAddress + pExports->AddressOfNames);

    for(i = 0; i < pExports->NumberOfNames; i++)
    {
        Ordinal = pOrdinals;  /* see NOTE(review) above: index apparently lost in the paste */

        /*
         * An export whose RVA points inside the export directory itself is a
         * forwarder string, not code; only real function entries are considered.
         */
        if(pFunctions[Ordinal] < Address || pFunctions[Ordinal] >= Address + nSize)
        {
            /* Logs every candidate name; noisy, and visible in any kernel debugger/log. */
            DbgPrint("function: %s \n",(PSTR)((PCHAR)pBaseAddress + pNames) );
            if(strcmp((PSTR)((PCHAR)pBaseAddress + pNames), Name) == 0)
            {
                /*
                 * Hard-coded breakpoint: traps into an attached kernel debugger;
                 * with no debugger attached this stops the system.
                 */
                _asm int 3;
                pFunction = (PCHAR)pBaseAddress + pFunctions[Ordinal];
                *OutFunc = (ULONG)pFunction;

                /*
                 * The export table lives in a read-only section, so supervisor
                 * write protection is lifted around the single-dword patch.
                 * DisableProtection/EnableProtection are used before any
                 * prototype is visible here (implicit declaration).
                 *
                 * NOTE(review): only callers that resolve the export *after*
                 * this write see InFunc; imports already bound at driver load
                 * are untouched, which matches the reply below about the
                 * effect being limited unless it is applied at boot.
                 */
                DisableProtection();
                pFunctions[Ordinal] = (ULONG)((ULONG)InFunc - (ULONG)pBaseAddress);
                EnableProtection();
                break;
            }
        }
    }
    return pFunction;
}

/*
 * Clears CR0.WP (bit 16) so that ring-0 writes to read-only pages succeed,
 * saving the previous CR0 in the file-scope global CR0VALUE (declared
 * elsewhere, not visible here).
 *
 * NOTE(review): CR0 is a per-processor register while CR0VALUE is a single
 * global and nothing here raises IRQL or disables preemption, so the
 * disable/enable pair is not guaranteed to run on the same CPU — a known
 * stability hazard of this pattern, and a reason integrity tooling treats a
 * WP flip as a strong indicator.
 */
void DisableProtection()
{
    __asm
    {
        mov eax,cr0
        mov CR0VALUE,eax
        and eax,0xfffeffff
        mov cr0,eax
    }
}

/* Restores the CR0 value saved by DisableProtection (re-enables WP). */
void EnableProtection()
{
    __asm
    {
        mov eax,CR0VALUE
        mov cr0,eax
    }
}
发布于:2007-03-08 12:30
EAT Hook,效果不明显,除非你是boot=0的
发布于:2007-03-08 12:03
ding