Views: 2007  Replies: 2
How to deal with a driver hook?
The assembly code is as follows:
    ; ZwOpenKey: save the original SSDT entry in dword_12C08, then point the slot at loc_11F36
    .text:00012786 mov eax, ds:KeServiceDescriptorTable
    .text:0001278B mov esi, [eax]
    .text:0001278D mov ecx, ds:ZwOpenKey
    .text:00012793 mov edx, [ecx+1]
    .text:00012796 mov edx, [esi+edx*4]
    .text:00012799 mov dword_12C08, edx
    .text:0001279F mov ecx, [ecx+1]
    .text:000127A2 mov eax, [eax]
    .text:000127A4 mov dword ptr [eax+ecx*4], offset loc_11F36
    ; ZwEnumerateKey: original saved in dword_12C10, slot replaced with loc_11FDE
    .text:000127AB mov eax, ds:KeServiceDescriptorTable
    .text:000127B0 mov esi, [eax]
    .text:000127B2 mov ecx, ds:ZwEnumerateKey
    .text:000127B8 mov edx, [ecx+1]
    .text:000127BB mov edx, [esi+edx*4]
    .text:000127BE mov dword_12C10, edx
    .text:000127C4 mov ecx, [ecx+1]
    .text:000127C7 mov eax, [eax]
    .text:000127C9 mov dword ptr [eax+ecx*4], offset loc_11FDE
    ; ZwEnumerateValueKey: original saved in dword_12C00, slot replaced with loc_12194
    .text:000127D0 mov eax, ds:KeServiceDescriptorTable
    .text:000127D5 mov esi, [eax]
    .text:000127D7 mov ecx, ds:ZwEnumerateValueKey
    .text:000127DD mov edx, [ecx+1]
    .text:000127E0 mov edx, [esi+edx*4]
    .text:000127E3 mov dword_12C00, edx
    .text:000127E9 mov ecx, [ecx+1]
    .text:000127EC mov eax, [eax]
    .text:000127EE mov dword ptr [eax+ecx*4], offset loc_12194
    ; ZwSetValueKey: original saved in dword_12C04, slot replaced with loc_1234A
    .text:000127F5 mov eax, ds:KeServiceDescriptorTable
    .text:000127FA mov esi, [eax]
    .text:000127FC mov ecx, ds:ZwSetValueKey
    .text:00012802 mov edx, [ecx+1]
    .text:00012805 mov edx, [esi+edx*4]
    .text:00012808 mov dword_12C04, edx
    .text:0001280E mov ecx, [ecx+1]
    .text:00012811 mov eax, [eax]
    .text:00012813 mov dword ptr [eax+ecx*4], offset loc_1234A
    ; ZwDeleteValueKey: original saved in dword_12C0C, slot replaced with loc_12494
    .text:0001281A mov eax, ds:KeServiceDescriptorTable
    .text:0001281F mov ecx, ds:ZwDeleteValueKey
    .text:00012825 mov edx, [ecx+1]
    .text:00012828 mov esi, [eax]
    .text:0001282A mov edx, [esi+edx*4]
    .text:0001282D mov dword_12C0C, edx
    .text:00012833 mov ecx, [ecx+1]
    .text:00012836 mov eax, [eax]
    .text:00012838 mov dword ptr [eax+ecx*4], offset loc_12494

This code hooks several registry functions (via the SSDT). But now I want to use some of those functions... is there any way to do that? I'd like code please (C or C++). I'm a beginner... please help... thanks everyone..
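As an added illustration that is not from the thread, here is a small user-mode C model, written from the defender's side, of what the listing touches: the service index is read from the `mov eax, imm32` bytes of a Zw* stub (the `[ecx+1]` load), and a check walks the service table for slots that no longer point into the kernel image or that differ from a clean snapshot. The structure layout, kernel range, stub bytes and table contents are constructed for the example, not real kernel values.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed user-mode model of the structures the listing manipulates.
 * Real kernel layouts differ in detail; this is an added illustration. */
typedef uintptr_t svc_entry;          /* one SSDT slot: address of a service routine */

typedef struct {
    svc_entry *ServiceTableBase;      /* what the listing loads with "mov esi, [eax]" */
    uint32_t   NumberOfServices;
} service_table;

/* An x86 Zw* stub begins with "mov eax, imm32" (opcode B8 followed by the
 * 32-bit service index).  The listing reads that index at [ZwXxx+1] and
 * uses it as the slot number: ServiceTableBase[index]. */
int stub_index(const uint8_t *stub, uint32_t *index_out)
{
    if (stub[0] != 0xB8)
        return 0;                     /* not the expected stub shape */
    *index_out = (uint32_t)stub[1] | (uint32_t)stub[2] << 8 |
                 (uint32_t)stub[3] << 16 | (uint32_t)stub[4] << 24;
    return 1;
}

/* Defender check: a slot that no longer points into the kernel image, or
 * that differs from a clean snapshot taken at boot, has been redirected the
 * way the listing does with "mov dword ptr [eax+ecx*4], offset loc_xxxx".
 * Returns the number of suspicious slots; the first index is written to *first.
 * snapshot may be NULL, in which case only the range check is applied. */
size_t find_hooked_slots(const service_table *t, const svc_entry *snapshot,
                         uintptr_t kernel_base, size_t kernel_size, uint32_t *first)
{
    size_t bad = 0;
    for (uint32_t i = 0; i < t->NumberOfServices; i++) {
        svc_entry e  = t->ServiceTableBase[i];
        int outside  = e < kernel_base || e >= kernel_base + kernel_size;
        int modified = snapshot != NULL && snapshot[i] != e;
        if (outside || modified) {
            if (bad == 0 && first != NULL)
                *first = i;
            bad++;
        }
    }
    return bad;
}
```

Whether a range check alone is enough depends on where the hooking code lives; comparing against a boot-time snapshot catches redirects into any address, which is why the check takes both.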
#1
Posted: 2007-07-03 17:13
Look at the regmon source code
#2
Posted: 2007-07-03 18:34
Quoting post #1 by newyear on 2007-07-03 17:13:
Where can I find the regmon source code? Please advise..