没啥子技术含量,参考了海风月影的ring3 inline hook lib库,主要是简化你的编程工作量。有了此库,你不需要使用一大堆的内联汇编来写那个裸函数,也不需要为了堆栈破坏问题而蓝屏,目前只支持32位系统……
来看看到底挂钩一个函数有多简单!你可以专注地编写过滤逻辑,而完全不需要理会挂钩过程
代码:
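/*
 * Prototype of the original NtCreateFile (the trampoline the hook library
 * passes back to the detour as its first argument).
 */
typedef NTSTATUS (__stdcall *DZwCreateFile)(
    PHANDLE FileHandle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    PIO_STATUS_BLOCK IoStatusBlock,
    PLARGE_INTEGER AllocationSize,
    ULONG FileAttributes,
    ULONG ShareAccess,
    ULONG CreateDisposition,
    ULONG CreateOptions,
    PVOID EaBuffer,
    ULONG EaLength);

/*
 * Detour for NtCreateFile: logs the calling process id and the requested
 * object name, then forwards every argument unchanged to the original routine.
 *
 * Fun             - trampoline to the original NtCreateFile, supplied by the hook library.
 * remaining args  - the NtCreateFile arguments exactly as the caller passed them.
 * Returns the NTSTATUS of the original call; the detour adds no failure of its own.
 */
NTSTATUS Detour_NtCreateFile(DZwCreateFile Fun, PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, __in ULONG ShareAccess, __in ULONG CreateDisposition, __in ULONG CreateOptions, __in_opt PVOID EaBuffer, __in ULONG EaLength)
{
    /*
     * ObjectName is a counted UNICODE_STRING, not a NUL-terminated string, so
     * printing ObjectName->Buffer with %ws can read past the end of the buffer.
     * %wZ takes the PUNICODE_STRING itself and honors Length. ObjectAttributes
     * and ObjectName may also be NULL; dereferencing them blindly bug-checks.
     * The process id is a HANDLE, so it is converted before printing with %u.
     */
    if (ObjectAttributes != NULL && ObjectAttributes->ObjectName != NULL) {
        KdPrint(("NtCreateFileRoutine Called! ProcessId:%u FilePath:%wZ\n",
                 HandleToULong(PsGetCurrentProcessId()),
                 ObjectAttributes->ObjectName));
    } else {
        KdPrint(("NtCreateFileRoutine Called! ProcessId:%u FilePath:<none>\n",
                 HandleToULong(PsGetCurrentProcessId())));
    }

    /*
     * NOTE(review): when the caller's previous mode is user mode, ObjectAttributes
     * and the name buffer may reside in user memory; reading them here without
     * probing/capturing them under __try is not safe — TODO confirm whether the
     * hook library already does this before invoking the detour.
     */
    return Fun(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize,
               FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength);
}

/* Installing the hook takes a single call: */
BOOLEAN __stdcall InstallHook(PVOID FuncAddr, PVOID NewAddr, BOOLEAN IsStubPaged, HOOK_INFO *Info);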