HookZwCreateFile
Source: Internet | Published: java database connection code | Editor: 程序博客网 | Time: 2024/05/14 21:46
Kernel driver programming: I want to hook ZwCreateFile() at the driver level and then do some other things....
In the DriverEntry entry point, this function is hooked first:
HOOK_SYSCALL(ZwCreateFile, MyZwCreateFile, OriZwCreateFile);
The HOOK_SYSCALL macro obtains the address of the Zw* function, derives the SSDT index from it, and automatically swaps the function address stored at that index in the SSDT with the address of our hook function.
Then:

NTSTATUS MyZwCreateFile(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN PLARGE_INTEGER AllocationSize OPTIONAL,
    IN ULONG FileAttributes,
    IN ULONG ShareAccess,
    IN ULONG CreateDisposition,
    IN ULONG CreateOptions,
    IN PVOID EaBuffer OPTIONAL,
    IN ULONG EaLength)
{
    WCHAR nameBuf[260];
    UNICODE_STRING openFileName;

    if (ObjectAttributes != NULL && ObjectAttributes->ObjectName != NULL &&
        ObjectAttributes->ObjectName->Buffer != NULL)
    {
        // ObjectName is a counted UNICODE_STRING and its Buffer need not be
        // NUL-terminated, so copy it into a bounded local buffer and terminate
        // it before handing it to wcsstr.
        openFileName.Buffer = nameBuf;
        openFileName.Length = 0;
        openFileName.MaximumLength = sizeof(nameBuf) - sizeof(WCHAR);
        RtlCopyUnicodeString(&openFileName, ObjectAttributes->ObjectName); // truncates if longer
        nameBuf[openFileName.Length / sizeof(WCHAR)] = L'\0';

        // Wide-character substring search on the file name
        if (wcsstr(nameBuf, L"@L"))
        {
            // do something I want
            // Return a real failure NTSTATUS: STATUS_SEVERITY_ERROR is only the
            // severity field (3) and would be treated as success by NT_SUCCESS.
            return STATUS_ACCESS_DENIED;
        }
    }

    // Otherwise pass the call through to the original ZwCreateFile saved by HOOK_SYSCALL
    return OriZwCreateFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock,
                           AllocationSize, FileAttributes, ShareAccess, CreateDisposition,
                           CreateOptions, EaBuffer, EaLength);
}

What I actually want to point out is this:
wcsstr(ObjectAttributes->ObjectName->Buffer, L"@L")
wcsstr searches one wide-character string for another wide-character string.
ObjectAttributes->ObjectName->Buffer is the name of the file being operated on.
// OBJECT_ATTRIBUTES
typedef struct _OBJECT_ATTRIBUTES {
    ULONG Length;                     // structure length, 18h
    HANDLE RootDirectory;             // 00000000
    PUNICODE_STRING ObjectName;       // pointer to the object name
    ULONG Attributes;                 // object attributes, 00000040h
    PVOID SecurityDescriptor;         // points to a SECURITY_DESCRIPTOR, 0
    PVOID SecurityQualityOfService;   // points to a SECURITY_QUALITY_OF_SERVICE, 0
} OBJECT_ATTRIBUTES;
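As an added example that is not part of the original post: a user-mode C harness showing why a hook should bound its search by ObjectName->Length instead of calling wcsstr() on ObjectName->Buffer, which is a counted string with no guaranteed NUL terminator. COUNTED_STRING mirrors the UNICODE_STRING layout, and counted_contains, unbounded_contains and the demo functions are names assumed here, with constructed sample names.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint16_t WCHAR16;   /* UTF-16 code unit, like WCHAR on Windows */

/* Mirrors the kernel UNICODE_STRING layout (assumed here for a user-mode build). */
typedef struct {
    uint16_t Length;         /* bytes in use, not characters; no terminator counted */
    uint16_t MaximumLength;  /* bytes available in Buffer */
    WCHAR16 *Buffer;         /* may lack a NUL terminator */
} COUNTED_STRING;

static size_t w16len(const WCHAR16 *s) { size_t n = 0; while (s[n]) n++; return n; }

/* Widen an ASCII literal into a WCHAR16 array (fixture helper for the demos below). */
static void ascii_to_w16(const char *src, WCHAR16 *dst) {
    do { *dst++ = (WCHAR16)(unsigned char)*src; } while (*src++);
}

/* Bounded search: honours Length, so bytes past the end of the name are never read. */
int counted_contains(const COUNTED_STRING *s, const WCHAR16 *needle) {
    size_t n = s->Length / sizeof(WCHAR16), m = w16len(needle);
    if (s->Buffer == NULL || m == 0 || m > n) return 0;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(&s->Buffer[i], needle, m * sizeof(WCHAR16)) == 0) return 1;
    return 0;
}

/* Unbounded search, equivalent to wcsstr(Buffer, needle): it stops only at a NUL,
 * so it inspects whatever memory happens to follow the counted name. */
int unbounded_contains(const WCHAR16 *buf, const WCHAR16 *needle) {
    size_t m = w16len(needle);
    for (size_t i = 0; buf[i]; i++)
        if (w16len(&buf[i]) >= m && memcmp(&buf[i], needle, m * sizeof(WCHAR16)) == 0) return 1;
    return 0;
}

/* Both verdicts packed as bits: bit 0 = counted_contains, bit 1 = unbounded_contains. */
static int verdicts(const char *backing_ascii, size_t name_chars) {
    static WCHAR16 backing[64], needle[4];
    ascii_to_w16(backing_ascii, backing);
    ascii_to_w16("@L", needle);
    COUNTED_STRING name = { (uint16_t)(name_chars * sizeof(WCHAR16)), (uint16_t)sizeof backing, backing };
    return counted_contains(&name, needle) | (unbounded_contains(backing, needle) << 1);
}

/* Constructed case: the counted name is "\??\C:\work\log.txt" (19 chars) but the backing
 * buffer still holds "@L" after it. Returns 2: only the unbounded search "matches". */
int demo_stale_bytes_after_name(void) { return verdicts("\\??\\C:\\work\\log.txt@L", 19); }
/* Constructed case: "@L" lies inside the counted name (18 chars), so both agree. Returns 3. */
int demo_marker_inside_name(void) { return verdicts("\\??\\C:\\work\\@L.tmp", 18); }
```

In a real driver the bounded search also needs the ObjectAttributes pointers probed or wrapped in __try/__except, since a user-mode caller supplies them.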