Hooking KiFastSystemCall
program KiFastSystemCall;
uses
Windows, madCodeHook, SysUtils;
var
// Trampoline to the original ntdll!KiFastSystemCall; HookAPI fills it in when the
// hook is installed and hookKiFastSystemCall jumps/calls through it for pass-through.
realKiFastSystemCall: procedure;
// System-call index of ZwProtectVirtualMemory, read at start-up from the DWORD that
// follows the first byte of the ntdll export (assumes a 32-bit stub starting with
// "mov eax, imm32"). hookKiFastSystemCall compares eax against this value.
dwIndexPVM: DWORD;
// Replacement reached from hookKiFastSystemCall when the system-call index in eax
// equals dwIndexPVM. It logs lpAddress in a message box and then forwards the call,
// with the index restored in eax, to the original KiFastSystemCall entry. stdcall, so
// its own return cleans the five DWORD arguments left on the stack by the caller.
// Returns the value the real entry left in eax (0 if that path is never reached).
// NOTE(review): MessageBoxA runs on the system-call path; if anything inside it issues
// ZwProtectVirtualMemory itself, this function re-enters. The one-time MessageBoxA in
// the program block reads like a workaround for exactly that — confirm before reuse.
function hookZwProtectVirtualMemory(hProcess: THandle; lpAddress: Pointer; dwSize, flNewProtect: DWORD; lpflOldProtect: Pointer): DWORD; stdcall;
var
Stack1, Stack2: DWORD;   // two DWORDs lifted off the stack around the forwarded call
begin
Result := 0;
MessageBoxA(0, PChar(IntToHex(DWORD(lpAddress), 8)), 'ZwProtectVirtualMemory', 0);
asm
// Save the two DWORDs currently at the top of the stack so the real entry sees the
// layout it expects below the return address "call" pushes.
// NOTE(review): what these pops remove depends on the frame the compiler generated
// for this function (saved ebp, the Stack1/Stack2 locals); verify with the emitted code.
pop eax
mov [Stack1], eax
pop eax
mov [Stack2], eax
// Restore the system-call index and invoke the original entry through the trampoline.
mov eax, [dwIndexPVM]
call realKiFastSystemCall
mov [Result], eax        // pass the original return value back to the caller
// Put the two DWORDs back in their original order so the function epilogue is unaffected.
push [Stack2]
push [Stack1]
end;
end;
// Filter installed in place of ntdll!KiFastSystemCall. Every system call in this process
// arrives here with its index in eax: anything other than dwIndexPVM is passed straight
// to the original entry, the ZwProtectVirtualMemory index is diverted to the stdcall
// replacement above. Pure assembler — no Pascal prologue, so eax and the stack are
// exactly as the caller left them.
procedure hookKiFastSystemCall; assembler;
label
CallPVM;
begin
asm
cmp eax, [dwIndexPVM]
je @CallPVM
jmp realKiFastSystemCall        // not our call: pass through unchanged
@CallPVM:
// Drop the return address pushed by whoever called KiFastSystemCall (presumably the
// ntdll ZwProtectVirtualMemory stub) so that the replacement sees the stub's caller's
// return address and arguments as its own stdcall frame. Its "ret" then returns
// directly to that caller, bypassing the stub.
pop eax
jmp hookZwProtectVirtualMemory
end;
end;
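// Reads the system-call index embedded in a 32-bit ntdll Zw*/Nt* stub.
// The stub is expected to start with "mov eax, imm32" (opcode $B8), so the index
// is the DWORD at offset 1. Returns False — leaving Index untouched — when the
// export cannot be resolved or the first byte is not $B8, instead of dereferencing
// a nil pointer or reading an operand that is not there.
function ReadSyscallIndex(ExportName: PChar; var Index: DWORD): Boolean;
var
  Stub: PByte;
begin
  Result := False;
  Stub := GetProcAddress(GetModuleHandle('ntdll.dll'), ExportName);
  if (Stub = nil) or (Stub^ <> $B8) then
    Exit;
  Index := PDWORD(DWORD(Stub) + 1)^;
  Result := True;
end;

begin
// Shown once before the hook goes in: the hook itself calls MessageBoxA from the
// system-call path and, per the message text, a first MessageBoxA made after
// installation did not initialise properly.
MessageBoxA(0, 'You need to call me once before you install the hook, otherwise I don''t initialize properly.', 'MessageBoxA Bug Fix', 0);
// System-call numbers differ between Windows builds, so the index is read from the
// running ntdll rather than hard-coded. Refuse to install the hook if that read is
// not reliable; with a wrong index the filter would divert some other system call.
if not ReadSyscallIndex('ZwProtectVirtualMemory', dwIndexPVM) then
begin
  MessageBoxA(0, 'Could not read the ZwProtectVirtualMemory system-call index from ntdll.dll; hook not installed.', 'KiFastSystemCall', 0);
  Halt(1);
end;
// Redirect ntdll!KiFastSystemCall in this process to the filter; HookAPI stores the
// original entry in realKiFastSystemCall so unrelated calls can be passed through.
if not HookAPI('ntdll.dll', 'KiFastSystemCall', @hookKiFastSystemCall, @realKiFastSystemCall) then
  MessageBoxA(0, 'HookAPI failed; KiFastSystemCall was not hooked.', 'KiFastSystemCall', 0);
end.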
uses
Windows, madCodeHook, SysUtils;
var
// Trampoline to the original ntdll!KiFastSystemCall; HookAPI fills it in when the
// hook is installed and hookKiFastSystemCall jumps/calls through it for pass-through.
realKiFastSystemCall: procedure;
// System-call index of ZwProtectVirtualMemory, read at start-up from the DWORD that
// follows the first byte of the ntdll export (assumes a 32-bit stub starting with
// "mov eax, imm32"). hookKiFastSystemCall compares eax against this value.
dwIndexPVM: DWORD;
// Replacement reached from hookKiFastSystemCall when the system-call index in eax
// equals dwIndexPVM. It logs lpAddress in a message box and then forwards the call,
// with the index restored in eax, to the original KiFastSystemCall entry. stdcall, so
// its own return cleans the five DWORD arguments left on the stack by the caller.
// Returns the value the real entry left in eax (0 if that path is never reached).
// NOTE(review): MessageBoxA runs on the system-call path; if anything inside it issues
// ZwProtectVirtualMemory itself, this function re-enters. The one-time MessageBoxA in
// the program block reads like a workaround for exactly that — confirm before reuse.
function hookZwProtectVirtualMemory(hProcess: THandle; lpAddress: Pointer; dwSize, flNewProtect: DWORD; lpflOldProtect: Pointer): DWORD; stdcall;
var
Stack1, Stack2: DWORD;   // two DWORDs lifted off the stack around the forwarded call
begin
Result := 0;
MessageBoxA(0, PChar(IntToHex(DWORD(lpAddress), 8)), 'ZwProtectVirtualMemory', 0);
asm
// Save the two DWORDs currently at the top of the stack so the real entry sees the
// layout it expects below the return address "call" pushes.
// NOTE(review): what these pops remove depends on the frame the compiler generated
// for this function (saved ebp, the Stack1/Stack2 locals); verify with the emitted code.
pop eax
mov [Stack1], eax
pop eax
mov [Stack2], eax
// Restore the system-call index and invoke the original entry through the trampoline.
mov eax, [dwIndexPVM]
call realKiFastSystemCall
mov [Result], eax        // pass the original return value back to the caller
// Put the two DWORDs back in their original order so the function epilogue is unaffected.
push [Stack2]
push [Stack1]
end;
end;
// Filter installed in place of ntdll!KiFastSystemCall. Every system call in this process
// arrives here with its index in eax: anything other than dwIndexPVM is passed straight
// to the original entry, the ZwProtectVirtualMemory index is diverted to the stdcall
// replacement above. Pure assembler — no Pascal prologue, so eax and the stack are
// exactly as the caller left them.
procedure hookKiFastSystemCall; assembler;
label
CallPVM;
begin
asm
cmp eax, [dwIndexPVM]
je @CallPVM
jmp realKiFastSystemCall        // not our call: pass through unchanged
@CallPVM:
// Drop the return address pushed by whoever called KiFastSystemCall (presumably the
// ntdll ZwProtectVirtualMemory stub) so that the replacement sees the stub's caller's
// return address and arguments as its own stdcall frame. Its "ret" then returns
// directly to that caller, bypassing the stub.
pop eax
jmp hookZwProtectVirtualMemory
end;
end;
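// Reads the system-call index embedded in a 32-bit ntdll Zw*/Nt* stub.
// The stub is expected to start with "mov eax, imm32" (opcode $B8), so the index
// is the DWORD at offset 1. Returns False — leaving Index untouched — when the
// export cannot be resolved or the first byte is not $B8, instead of dereferencing
// a nil pointer or reading an operand that is not there.
function ReadSyscallIndex(ExportName: PChar; var Index: DWORD): Boolean;
var
  Stub: PByte;
begin
  Result := False;
  Stub := GetProcAddress(GetModuleHandle('ntdll.dll'), ExportName);
  if (Stub = nil) or (Stub^ <> $B8) then
    Exit;
  Index := PDWORD(DWORD(Stub) + 1)^;
  Result := True;
end;

begin
// Shown once before the hook goes in: the hook itself calls MessageBoxA from the
// system-call path and, per the message text, a first MessageBoxA made after
// installation did not initialise properly.
MessageBoxA(0, 'You need to call me once before you install the hook, otherwise I don''t initialize properly.', 'MessageBoxA Bug Fix', 0);
// System-call numbers differ between Windows builds, so the index is read from the
// running ntdll rather than hard-coded. Refuse to install the hook if that read is
// not reliable; with a wrong index the filter would divert some other system call.
if not ReadSyscallIndex('ZwProtectVirtualMemory', dwIndexPVM) then
begin
  MessageBoxA(0, 'Could not read the ZwProtectVirtualMemory system-call index from ntdll.dll; hook not installed.', 'KiFastSystemCall', 0);
  Halt(1);
end;
// Redirect ntdll!KiFastSystemCall in this process to the filter; HookAPI stores the
// original entry in realKiFastSystemCall so unrelated calls can be passed through.
if not HookAPI('ntdll.dll', 'KiFastSystemCall', @hookKiFastSystemCall, @realKiFastSystemCall) then
  MessageBoxA(0, 'HookAPI failed; KiFastSystemCall was not hooked.', 'KiFastSystemCall', 0);
end.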