我 hook 掉这个内核函数……然后每次加载驱动就 BSOD，晕，怎么回事啊？代码好像没什么问题。
这里是驱动部分的改NtOpenProcess前5个字节的代码
; 5-byte patch image copied verbatim onto the first bytes of NtOpenProcess by _Hook:
;   E9 <rel32>  = JMP rel32
; The copy reads 5 bytes starting at HookCode, so HookAddress MUST be laid out
; immediately after it (same section, no ALIGN directive in between) — if the two
; end up in different sections (e.g. .data vs .data?) the patch bytes are garbage.
HookCode    db 0e9h                 ; JMP rel32 opcode
HookAddress dd ?                    ; rel32 displacement, filled in by _Hook
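;-----------------------------------------------------------------------
; _Hook — install an inline JMP hook on NtOpenProcess (x86, MASM, kernel mode)
; Expects:  lpNtOpenProcess = kernel address of NtOpenProcess (0 = do nothing)
; Writes:   RawNtOpenProcess <- the original 5 bytes (buffer must hold >= 5 bytes
;           — confirm its declaration, a `dd ?` would overflow into the next var)
;           HookAddress      <- rel32 displacement so HookCode/HookAddress form
;                               "E9 rel32" (the two must be contiguous)
;           NtOpenProcess[0..4] <- that 5-byte JMP to My_NtOpenProcess
; Clobbers: eax, ecx, edx. esi/edi are now saved by `uses` — the original left
;           them trashed, which is a stdcall violation; if DriverEntry does not
;           save them either the corruption reaches the kernel's loader code.
; IF/DF:    saved with pushfd and restored with popfd instead of an
;           unconditional sti, so the caller's interrupt state is preserved.
; NOTE(review): cli only masks interrupts on THIS processor. On an SMP machine
;           another CPU can execute NtOpenProcess while the 5 bytes are only
;           partially written (rep movsb is not atomic) — pin the thread to one
;           CPU or write the patch atomically if this must run on SMP.
;-----------------------------------------------------------------------
_Hook proc uses esi edi
    .if lpNtOpenProcess
        pushfd                          ; remember caller's IF (and DF)
        cli
        cld                             ; rep movsb must copy forward
        mov     eax, cr0
        and     eax, 0FFFEFFFFh         ; clear CR0.WP: allow writes to read-only kernel pages
        mov     cr0, eax

        ; save the bytes we are about to overwrite, for the restore in My_NtOpenProcess
        mov     esi, lpNtOpenProcess
        lea     edi, RawNtOpenProcess
        mov     ecx, 5
        rep     movsb

        ; rel32 = target - (address of the instruction following the 5-byte JMP)
        mov     eax, lpNtOpenProcess
        add     eax, 5
        mov     edx, offset My_NtOpenProcess
        sub     edx, eax
        mov     HookAddress, edx

        ; write "E9 rel32" over the function entry
        lea     esi, HookCode
        mov     edi, lpNtOpenProcess
        mov     ecx, 5
        rep     movsb

        mov     eax, cr0
        or      eax, 00010000h          ; set CR0.WP again
        mov     cr0, eax
        popfd                           ; restore IF/DF exactly as the caller had them
    .endif
    ret
_Hook endp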
这里是让NtOpenProcess准备掉进来的代码
;-----------------------------------------------------------------------
; My_NtOpenProcess — landing pad for the JMP that _Hook wrote into NtOpenProcess.
; Entered with the stack exactly as NtOpenProcess's caller left it (return
; address on top, arguments above). Puts the saved 5 original bytes back over
; the function entry and re-enters the now-unpatched NtOpenProcess.
; Effect: the hook is one-shot — after the first call the original bytes are
;         restored and nothing re-installs the JMP.
; Registers: all general registers preserved via pushad/popad; EFLAGS is not
;         (pushad does not save it), which a fresh function entry tolerates.
; NOTE(review): as in _Hook, cli is per-CPU only; on SMP another processor can
;         run through the entry while it is being rewritten. Interrupts are
;         unconditionally re-enabled with sti, same as the original.
;-----------------------------------------------------------------------
My_NtOpenProcess:
    pushad                          ; keep NtOpenProcess's register state intact
    cli
    mov     eax, cr0
    and     eax, 0FFFEFFFFh         ; CR0.WP off: kernel code page becomes writable
    mov     cr0, eax

    ; copy RawNtOpenProcess[0..4] -> NtOpenProcess[0..4], one byte at a time
    lea     ebx, RawNtOpenProcess   ; source: bytes saved by _Hook
    mov     edx, lpNtOpenProcess    ; destination: patched function entry
    xor     ecx, ecx
@@:
    mov     al, [ebx+ecx]
    mov     [edx+ecx], al
    inc     ecx
    cmp     ecx, 5
    jb      @B

    mov     eax, cr0
    or      eax, 00010000h          ; CR0.WP back on
    mov     cr0, eax
    sti
    popad
    jmp     dword ptr lpNtOpenProcess   ; indirect jump through the variable: run the restored original
简单地把前 5 个字节恢复然后 jmp 回去，这样也出错？SHIT