Views: 2040  Replies: 7
Question: why does the file-hiding driver I built on XP blue-screen when packaged and installed on another XP machine, while it works on 2000? Source attached, please advise!!!
The driver was developed on XP and works fine on my own machine, but on another XP machine it blue-screens. Strangely, 2000 and 2003 have no problem at all. I had no way to trace it, so I could only comment out lines one by one to find the error, and found that it happens when hooking the system's ZwQueryDirectoryFile. The code is below; this one is painful:
#include <ntddk.h>

// Undocumented structure describing the system service table (SSDT)
typedef struct _ServiceDescriptorEntry {
    unsigned int  *ServiceTableBase;
    unsigned int  *ServiceCounterTableBase;
    unsigned int   NumberOfServices;
    unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry, *PServiceDescriptorTableEntry;

extern PServiceDescriptorTableEntry KeServiceDescriptorTable;

// A Zw* stub begins with "mov eax, <service index>", so the index is the
// DWORD at offset 1 of the function; it selects the slot in the service table.
#define SYSTEMSERVICE(_function) \
    KeServiceDescriptorTable->ServiceTableBase[*(PULONG)((PUCHAR)_function + 1)]

// Declaration of ZwQueryDirectoryFile
extern NTSYSAPI NTSTATUS NTAPI ZwQueryDirectoryFile(
    IN HANDLE hFile,
    IN HANDLE hEvent OPTIONAL,
    IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
    IN PVOID IoApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK pIoStatusBlock,
    OUT PVOID FileInformationBuffer,
    IN ULONG FileInformationBufferLength,
    IN FILE_INFORMATION_CLASS FileInfoClass,
    IN BOOLEAN bReturnOnlyOneEntry,
    IN PUNICODE_STRING PathMask OPTIONAL,
    IN BOOLEAN bRestartQuery);

// Prototype of the original ZwQueryDirectoryFile (NTAPI: same calling convention as the real one)
typedef NTSTATUS (NTAPI *REALZWQUERYDIRECTORYFILE)(
    IN HANDLE hFile,
    IN HANDLE hEvent OPTIONAL,
    IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
    IN PVOID IoApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK pIoStatusBlock,
    OUT PVOID FileInformationBuffer,
    IN ULONG FileInformationBufferLength,
    IN FILE_INFORMATION_CLASS FileInfoClass,
    IN BOOLEAN bReturnOnlyOneEntry,
    IN PUNICODE_STRING PathMask OPTIONAL,
    IN BOOLEAN bRestartQuery);

REALZWQUERYDIRECTORYFILE RealZwQueryDirectoryFile;

// Replacement function for ZwQueryDirectoryFile
NTSTATUS NTAPI HookZwQueryDirectoryFile(
    IN HANDLE hFile,
    IN HANDLE hEvent OPTIONAL,
    IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
    IN PVOID IoApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK pIoStatusBlock,
    OUT PVOID FileInformationBuffer,
    IN ULONG FileInformationBufferLength,
    IN FILE_INFORMATION_CLASS FileInfoClass,
    IN BOOLEAN bReturnOnlyOneEntry,
    IN PUNICODE_STRING PathMask OPTIONAL,
    IN BOOLEAN bRestartQuery);

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    ...
    // Commenting out these two lines makes the problem go away :(
    RealZwQueryDirectoryFile = (REALZWQUERYDIRECTORYFILE)(SYSTEMSERVICE(ZwQueryDirectoryFile));
    // Assigning through a cast is not valid C; write the table slot directly instead
    SYSTEMSERVICE(ZwQueryDirectoryFile) = (unsigned int)HookZwQueryDirectoryFile;
    ...
}

NTSTATUS NTAPI HookZwQueryDirectoryFile(
    IN HANDLE hFile,
    IN HANDLE hEvent OPTIONAL,
    IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
    IN PVOID IoApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK pIoStatusBlock,
    OUT PVOID FileInformationBuffer,
    IN ULONG FileInformationBufferLength,
    IN FILE_INFORMATION_CLASS FileInfoClass,
    IN BOOLEAN bReturnOnlyOneEntry,
    IN PUNICODE_STRING PathMask OPTIONAL,
    IN BOOLEAN bRestartQuery)
{
    NTSTATUS rc;

    // This line is only here to test whether the problem lies elsewhere:
    // just pass the call straight through to the original function
    rc = RealZwQueryDirectoryFile(hFile, hEvent, IoApcRoutine, IoApcContext,
                                  pIoStatusBlock, FileInformationBuffer,
                                  FileInformationBufferLength, FileInfoClass,
                                  bReturnOnlyOneEntry, PathMask, bRestartQuery);
    return rc;
}
Reply #1
Posted: 2003-12-30 02:53
Could someone take a look for me? :(
Reply #2
Posted: 2003-12-30 11:08
Did you disable the memory protection of Windows NT/2000 so that read-only memory regions become writable?
Reply #3
Posted: 2003-12-30 11:28
How do I disable the memory protection so that read-only memory becomes writable?
Reply #4
Posted: 2003-12-30 13:09
to else:
Thanks for the reminder, it is basically OK now.
Reply #5
Posted: 2003-12-30 13:30
Heh, it really just comes down to the setting of bit 16 of CR0, the WP bit. It was meant for COW in the first place; I never expected it to cause trouble as well, heh......
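Added example, not code from the thread or any poster: it recovers the service index the way the SYSTEMSERVICE macro in the first post does (the DWORD after the stub's "mov eax" opcode), flags service-table entries that resolve outside the kernel image (the check a hook detector runs against exactly this kind of modification), and models the CR0.WP rule from this reply. The kernel range, stub bytes, index 0x91 and table contents are constructed sample values, not real XP values.

```python
import struct

# Constructed sample values (not taken from the thread): a plausible XP-era
# kernel image range and a tiny SSDT snapshot. Real values differ per build.
KERNEL_BASE = 0x804D7000
KERNEL_SIZE = 0x1F0000          # hypothetical ntoskrnl image size

# Constructed first bytes of a Zw* export stub: "mov eax, 0x91 ; lea edx, [esp+4]".
# The SYSTEMSERVICE macro reads the imm32 at offset 1 as the service index,
# exactly what the decoder below does. The index 0x91 is made up here.
ZW_STUB = bytes.fromhex("b891000000" "8d542404")

# Constructed snapshot of ServiceTableBase[index] -> handler address.
SSDT_SNAPSHOT = {
    0x25: 0x80570E2A,   # inside the kernel image: fine
    0x91: 0xF8A12340,   # points into a third-party driver: hooked
    0xAD: 0x805A1F00,   # inside the kernel image: fine
}

CR0_WP = 1 << 16        # CR0 bit 16, write protect, as named in reply #5


def service_index_from_stub(stub: bytes) -> int:
    """Recover the syscall index from a Zw* stub, as SYSTEMSERVICE does.

    The stub must begin with 'mov eax, imm32' (opcode 0xB8); anything else
    is rejected instead of silently treating garbage as an index.
    """
    if len(stub) < 5 or stub[0] != 0xB8:
        raise ValueError("stub does not start with mov eax, imm32")
    return struct.unpack_from("<I", stub, 1)[0]


def find_hooked_entries(table: dict, base: int, size: int) -> list:
    """Return service indices whose handler lies outside [base, base + size).

    Every legitimate entry of the main table resolves into ntoskrnl, so an
    address anywhere else means the slot has been overwritten.
    """
    return sorted(i for i, addr in table.items() if not base <= addr < base + size)


def supervisor_write_faults(cr0: int, page_writable: bool) -> bool:
    """Model why the driver's write to ServiceTableBase crashes on XP.

    Ring-0 writes to a read-only page fault only while CR0.WP is set; with
    WP clear the CPU ignores the page's R/W bit for supervisor accesses.
    """
    return (not page_writable) and bool(cr0 & CR0_WP)
```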
Reply #6
Posted: 2003-12-31 10:01
I have run into this kind of problem too, but it was not for the reason above.
Reply #7
Posted: 2003-12-31 19:32
Then what problem did you run into?? And how did you solve it??