为什么以下hook代码在2003下蓝屏
/*
 * Mirror of the kernel's system service descriptor table entry.
 * This layout is not part of the documented WDK interface; the field
 * meanings below are inferred from the names and should be confirmed
 * against the target kernel build. ServiceTableBase is the array of
 * system-call handler addresses that HookSystemCall() patches.
 */
typedef struct ServiceDescriptorEntry {
    unsigned int *ServiceTableBase;          /* handler address per service index */
    unsigned int *ServiceCounterTableBase;   //Used only in checked build
    unsigned int NumberOfServices;           /* entry count of ServiceTableBase (not checked before indexing below) */
    unsigned char *ParamTableBase;           /* per-service argument byte counts, presumably; unused here */
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;

/* Imported from ntoskrnl; exported only on 32-bit kernels. */
__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;

/*
 * Resolves a Zw* export to its slot in ServiceTableBase by reading the
 * 32-bit immediate at byte offset 1 of the stub. This assumes the x86
 * stub encoding "mov eax, imm32" (service index) and therefore only
 * works on 32-bit builds; the index is not range-checked against
 * NumberOfServices.
 */
#define SYSTEMSERVICE(_function) KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)_function+1)]

/*
 * Replaces the ZwSetInformationFile entry in the SSDT with
 * NewZwSetInformationFile, saving the original pointer in the global
 * OldZwSetInformationFile (declared elsewhere, together with the
 * ZW_SETINFORMATIONFILE typedef).
 *
 * Why this bugchecks on Windows 2003: the page holding the service table
 * is mapped read-only by the kernel, so the store below raises a
 * kernel-mode page fault, which is fatal. cli/sti only mask interrupts on
 * the current processor; they neither lift page write-protection nor make
 * the store safe on multiprocessor systems where another CPU can be
 * dispatching through the same slot. Also note that assigning to a cast
 * expression is not valid ISO C (a cast is not an lvalue); this relies on
 * a compiler extension. No unhook routine is shown on this page, so the
 * table would keep pointing into the driver image after unload.
 */
VOID HookSystemCall()
{
    OldZwSetInformationFile = (ZW_SETINFORMATIONFILE)(SYSTEMSERVICE(ZwSetInformationFile));
    _asm cli
    (ZW_SETINFORMATIONFILE)(SYSTEMSERVICE(ZwSetInformationFile)) = NewZwSetInformationFile;
    _asm sti
}

/*
 * Hook body installed in place of ZwSetInformationFile.
 *
 * For FileDispositionInformation requests (delete-on-close) whose file path
 * contains "\SPOOL\PRINTERS" and whose calling process name begins with
 * "EXPLORER.EXE", the request is answered with STATUS_SUCCESS without
 * calling the original service, i.e. the caller is told the operation
 * succeeded although nothing was done. Every other request is forwarded
 * unchanged to the saved original.
 *
 * Parameters are the ZwSetInformationFile parameters and are passed
 * through untouched. Returns STATUS_SUCCESS on the intercepted path,
 * otherwise whatever the original service returns.
 *
 * GetFilePath, GetProcessName and NT_PROCNAMELEN are defined outside this
 * listing.
 */
NTSTATUS NewZwSetInformationFile(
    IN HANDLE FileHandle,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PVOID FileInformation,
    IN ULONG FileInformationLength,
    IN FILE_INFORMATION_CLASS FileInformationClass
)
{
    CHAR FilePath[MAX_PATH] = {0};
    CHAR ProcessName[NT_PROCNAMELEN] = {0};
    PCHAR pTempString = NULL;
    ULONG bRet = 0;   /* memcmp result; only tested for zero, so the sign lost in ULONG is irrelevant */

    switch(FileInformationClass)
    {
    case FileDispositionInformation:
        /* NOTE(review): no buffer size is passed to GetFilePath/GetProcessName;
         * confirm both bound their writes to MAX_PATH / NT_PROCNAMELEN and
         * NUL-terminate, since _strupr and strstr below rely on a terminator. */
        GetFilePath(FileHandle,FilePath);
        _strupr(FilePath);
        GetProcessName(ProcessName);
        _strupr(ProcessName);
        pTempString = strstr(FilePath,"\\SPOOL\\PRINTERS");
        /* memcmp over 12 bytes is a prefix test, not an equality test: any
         * name starting with "EXPLORER.EXE" matches. */
        bRet = memcmp(ProcessName,"EXPLORER.EXE",12);
        /* The two inner ifs re-test the outer condition and are redundant. */
        if(pTempString&&!bRet)
            if(pTempString)
            {
                if(!bRet)
                {
                    /* NOTE(review): IoStatusBlock is not written on this path,
                     * so the caller observes STATUS_SUCCESS with an
                     * uninitialised status block. */
                    return STATUS_SUCCESS;
                }
            }
        break;
    default:
        break;
    }

    /* Forward to the original service saved by HookSystemCall(). */
    return ((ZW_SETINFORMATIONFILE)(OldZwSetInformationFile))(
        FileHandle,
        IoStatusBlock,
        FileInformation,
        FileInformationLength,
        FileInformationClass
    );
}