HookZwCreateFile

Source: Internet   Editor: 程序博客网   Time: 2024/05/14 21:46

Kernel driver programming: I want to hook ZwCreateFile() at the driver level and then do some other things with it....

In the DriverEntry entry point, hook this function first:

HOOK_SYSCALL(ZwCreateFile, MyZwCreateFile, OriZwCreateFile);

HOOK_SYSCALL obtains the address of the Zw* function, derives its system service index from it, and then automatically swaps the function address stored at that index in the SSDT with the address of our hook function.

Then:

// Prototype of the original ZwCreateFile as saved by HOOK_SYSCALL. The post does not
// show this declaration; it is assumed here so that the hook can pass calls through.
typedef NTSTATUS (*ZWCREATEFILE)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PIO_STATUS_BLOCK,
                                 PLARGE_INTEGER, ULONG, ULONG, ULONG, ULONG, PVOID, ULONG);
ZWCREATEFILE OriZwCreateFile;

NTSTATUS MyZwCreateFile(
        OUT PHANDLE FileHandle,
        IN ACCESS_MASK DesiredAccess,
        IN POBJECT_ATTRIBUTES ObjectAttributes,
        OUT PIO_STATUS_BLOCK IoStatusBlock,
        IN PLARGE_INTEGER AllocationSize OPTIONAL,
        IN ULONG FileAttributes,
        IN ULONG ShareAccess,
        IN ULONG CreateDisposition,
        IN ULONG CreateOptions,
        IN PVOID EaBuffer OPTIONAL,
        IN ULONG EaLength)
{
    // Wide-character comparison against the name being opened. ObjectName may be
    // NULL (e.g. opens relative to RootDirectory), so check before dereferencing.
    if (ObjectAttributes != NULL &&
        ObjectAttributes->ObjectName != NULL &&
        ObjectAttributes->ObjectName->Buffer != NULL &&
        wcsstr(ObjectAttributes->ObjectName->Buffer, L"@L"))
    {
        // do something I want, then refuse the open.
        // The original post returned STATUS_SEVERITY_ERROR here; that constant is only
        // the two-bit severity field (value 3), not a full NTSTATUS, and as a return
        // value it is treated as success. Use a real error status instead.
        return STATUS_ACCESS_DENIED;
    }

    // Every other call is passed through to the original ZwCreateFile.
    return OriZwCreateFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock,
                           AllocationSize, FileAttributes, ShareAccess, CreateDisposition,
                           CreateOptions, EaBuffer, EaLength);
}
Actually, the part I want to talk about is this:
wcsstr(ObjectAttributes->ObjectName->Buffer, L"@L")

wcsstr searches one wide-character string for an occurrence of another wide-character string.
ObjectAttributes->ObjectName->Buffer is the name of the file being operated on.
// OBJECT_ATTRIBUTES
typedef struct _OBJECT_ATTRIBUTES {
    ULONG Length;                   // length, 18h
    HANDLE RootDirectory;           // 00000000
    PUNICODE_STRING ObjectName;     // pointer to the object name
    ULONG Attributes;               // object attributes, 00000040h
    PVOID SecurityDescriptor;       // Points to type SECURITY_DESCRIPTOR, 0
    PVOID SecurityQualityOfService; // Points to type SECURITY_QUALITY_OF_SERVICE, 0
} OBJECT_ATTRIBUTES;
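One detail the wcsstr check above glosses over: ObjectName is a UNICODE_STRING, a counted string whose Buffer is not guaranteed to be NUL-terminated, so wcsstr(Buffer, L"@L") can read past the real name into whatever memory follows it and match on bytes that were never part of the file name. The following is an added example (not code from the post) that reproduces that failure in portable C on a constructed buffer and shows a Length-bounded search that does not have the problem. The UNICODE_STRING and WCHAR definitions, the widen() helper, the sample path "\??\C:\a.txt" and the trailing "@L" are all constructed here for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Portable stand-ins for the kernel types; on Windows WCHAR is 16 bits wide. */
typedef uint16_t WCHAR;
typedef struct _UNICODE_STRING {
    uint16_t Length;        /* bytes of Buffer that are valid; no terminator implied */
    uint16_t MaximumLength; /* bytes allocated for Buffer */
    WCHAR   *Buffer;
} UNICODE_STRING;

/* Widen an ASCII literal into a NUL-terminated WCHAR array (constructed helper). */
static size_t widen(const char *src, WCHAR *dst, size_t cap)
{
    size_t n = 0;
    while (src[n] != '\0' && n + 1 < cap) { dst[n] = (WCHAR)(unsigned char)src[n]; n++; }
    dst[n] = 0;
    return n;
}

/* Unsafe pattern: scan until a NUL, which is what wcsstr(Buffer, needle) does. */
static int contains_until_nul(const WCHAR *hay, const WCHAR *needle, size_t nlen)
{
    for (size_t i = 0; hay[i] != 0; i++) {
        size_t k = 0;
        while (k < nlen && hay[i + k] != 0 && hay[i + k] == needle[k]) k++;
        if (k == nlen) return 1;
    }
    return 0;
}

/* Safe pattern: honour UNICODE_STRING.Length and never read past it. */
int unicode_string_contains(const UNICODE_STRING *s, const WCHAR *needle, size_t nlen)
{
    if (s == NULL || s->Buffer == NULL || nlen == 0) return 0;
    size_t hlen = s->Length / sizeof(WCHAR);
    if (nlen > hlen) return 0;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(&s->Buffer[i], needle, nlen * sizeof(WCHAR)) == 0) return 1;
    return 0;
}

/* Constructed scenario: the caller's object name is "\??\C:\a.txt" (12 characters),
 * but the backing allocation happens to hold "@L" right after it with no NUL in
 * between, which a counted string fully permits. */
static WCHAR g_backing[32];
static UNICODE_STRING make_name(void)
{
    UNICODE_STRING s;
    widen("\\??\\C:\\a.txt@L", g_backing, sizeof g_backing / sizeof g_backing[0]);
    s.Length        = 12 * sizeof(WCHAR);   /* only "\??\C:\a.txt" is the real name */
    s.MaximumLength = (uint16_t)sizeof g_backing;
    s.Buffer        = g_backing;
    return s;
}

/* Returns 1: the NUL-terminated scan "finds" @L in memory beyond the name. */
int match_with_wcsstr_style(void)
{
    UNICODE_STRING name = make_name();
    WCHAR needle[3]; widen("@L", needle, 3);
    return contains_until_nul(name.Buffer, needle, 2);
}

/* Returns 0: the Length-bounded search only looks at the real name. */
int match_with_length(void)
{
    UNICODE_STRING name = make_name();
    WCHAR needle[3]; widen("@L", needle, 3);
    return unicode_string_contains(&name, needle, 2);
}

int main(void)
{
    printf("wcsstr-style scan : %d (false positive)\n", match_with_wcsstr_style());
    printf("Length-bounded    : %d\n", match_with_length());
    return 0;
}
```

In a real SSDT hook there is a second layer to this: when the service is invoked from user mode, ObjectAttributes and the UNICODE_STRING it points to live in user memory chosen by the caller, so the kernel side must also validate them (ProbeForRead inside __try/__except) before reading Length or Buffer at all. The example above only shows the bounded comparison, not that probing step.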

