Views: 1805 Replies: 4
Why did I fail to hook registry functions like regmon does on Windows XP?
I use the same way to hook registry operations in my filter driver,
but it fails on Windows XP; on Windows 2000 everything is OK. Why? I based my code on regmon 4.0 for NT. Maybe XP doesn't allow being hooked, but as far as I know, regmon 6.0 can work on XP. How does it do that? I have no source code of regmon 6.0, so everything remains mysterious to me. Please help, and thanks!

Reply #1
Posted: 2004-05-12 13:05
What do you mean by "fails"??
Is it a bugcheck or something else??

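Reply #2
Posted: 2004-05-13 09:21
I read an article saying that XP write-protects the addresses of the kernel-mode registry functions, meaning that rewriting such an address causes an error. It seems regmon 6 gets around this protection mechanism. Is there any way to do that?
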
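Reply #3
Posted: 2004-05-13 12:32
Do you mean disabling write protection?

unsigned long CR0VALUE = 0;

/*++
Routine Description:
    Disable Windows NT/2000/XP memory protection so that read-only
    memory regions become writable
Arguments:
Return Value:
--*/
void DisableProtection()
{
    __asm {
        mov eax, cr0
        mov CR0VALUE, eax        ; save the original CR0 value
        and eax, 0fffeffffh      ; clear bit 16 (WP)
        mov cr0, eax
    }
}

/*++
Routine Description:
    Restore Windows NT/2000/XP memory protection
Arguments:
Return Value:
--*/
void EnableProtection()
{
    __asm {
        mov eax, CR0VALUE        ; value saved by DisableProtection
        mov cr0, eax
    }
}
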
Reply #4
Posted: 2004-05-13 22:05
thanks, I will try
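
A defender-side check for the technique discussed in this thread, added here as an example that is not part of any post and is not regmon's code: it attributes each entry of a table of kernel function addresses to the module that owns it, flags entries that leave the expected module, and tests a sampled CR0 value for the WP bit. The module list, the addresses, `example.sys` and all function names are constructed or hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define CR0_WP 0x00010000u  /* bit 16, the bit the 0fffeffffh mask in the thread clears */

/* A loaded kernel module occupying [base, base + size). */
typedef struct { const char *name; uint32_t base, size; } module_t;

/* Constructed sample data, not taken from a real system. */
static const module_t MODULES[] = {
    { "ntoskrnl.exe", 0x804D7000u, 0x00214000u },  /* expected owner of every entry */
    { "hal.dll",      0x806EB000u, 0x00020000u },
    { "example.sys",  0xF8A10000u, 0x00006000u },  /* hypothetical third-party driver */
};
static const uint32_t TABLE[] = { 0x80570A3Cu, 0x8056F1E0u, 0xF8A11240u,
                                  0x80571B08u, 0xF9000010u };
#define NMOD (sizeof MODULES / sizeof MODULES[0])
#define NENT (sizeof TABLE / sizeof TABLE[0])

/* Module containing addr, or NULL when no loaded module owns it. */
const module_t *owner_of(uint32_t addr, const module_t *mods, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (addr - mods[i].base < mods[i].size)  /* unsigned wrap rejects addr < base */
            return &mods[i];
    return NULL;
}

/* Store indices of entries not owned by mods[0]; return how many were found. */
size_t find_redirected(const uint32_t *tbl, size_t n, const module_t *mods,
                       size_t nmods, size_t *out, size_t cap) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (owner_of(tbl[i], mods, nmods) != &mods[0]) {
            if (hits < cap) out[hits] = i;
            hits++;
        }
    return hits;
}

/* Nonzero when a sampled CR0 value still has write protection enabled. */
int wp_enabled(uint32_t cr0) { return (cr0 & CR0_WP) != 0; }

int main(void) {
    size_t idx[NENT], n = find_redirected(TABLE, NENT, MODULES, NMOD, idx, NENT);
    for (size_t i = 0; i < n; i++) {
        const module_t *m = owner_of(TABLE[idx[i]], MODULES, NMOD);
        printf("entry %zu -> %s\n", idx[i], m ? m->name : "no module");
    }
    return 0;
}
```

An entry that resolves to no loaded module at all deserves more attention than one owned by a known driver, since the target code is not backed by any listed image.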