Kernel-driver SSDT Hook SDK development template

EPL (易语言) 2020-07-17 12:46:15


  // Get the address of the kernel function's slot in the SSDT; 0x3E is the service ID (table index).
  // The index is specific to the Windows build this template targets and changes between versions.
  ULONG NtDeleteFileAddress = (ULONG)(KeServiceDescriptorTable->ServiceTableBase+0x3E);
  // Read the kernel function's original address from that SSDT slot and save it, so it can be restored when the driver unloads.

置入代码 (#FINIT) ' initialise the coprocessor first to prevent floating-point exceptions
_Read_DRIVER_OBJECT (DriverObject, pDriverObj, 168) ' copy the DRIVER_OBJECT (168 bytes on x86) into a local structure
DriverObject.MajorFunction [1] = &DispatchCreate ' DriverObject.MajorFunction [#IRP_MJ_CREATE]
DriverObject.MajorFunction [3] = &DispatchClose ' IRP_MJ_CLOSE
DriverObject.MajorFunction [15] = &DispatchDeviceControl ' IRP_MJ_DEVICE_CONTROL
DriverObject.DriverUnload = &DriverUnload
_Write_DRIVER_OBJECT (pDriverObj, DriverObject, 168) ' write the filled-in structure back to the real driver object
RtlInitAnsiString (astrDevName, #DEVICE_NAME)
status = RtlAnsiStringToUnicodeString (ustrDevName, astrDevName, 真)
.如果真 (status < 0)
返回 (#STATUS_UNSUCCESSFUL)
.如果真结束
status = IoCreateDevice (pDriverObj, 0, ustrDevName, #FILE_DEVICE_UNKNOWN, 0, 假, pDevObj)
.如果真 (status < 0)
RtlFreeUnicodeString (ustrDevName)
返回 (#STATUS_UNSUCCESSFUL)
.如果真结束
.如果 (IoIsWdmVersionAvailable (1, 16)) ' WDM 1.10 or later (Windows 2000+): use the global symbolic-link name
RtlInitAnsiString (astrLinkName, #SYMBOLIC_LINK_GLOBAL_NAME)
.否则
RtlInitAnsiString (astrLinkName, #SYMBOLIC_LINK_NAME)
.如果结束
status = RtlAnsiStringToUnicodeString (ustrLinkName, astrLinkName, 真)
.如果真 (status < 0)
RtlFreeUnicodeString (ustrDevName)
IoDeleteDevice (pDevObj) ' the device object already exists at this point; delete it so a failed load leaves nothing behind
返回 (#STATUS_UNSUCCESSFUL)
.如果真结束
status = IoCreateSymbolicLink (ustrLinkName, ustrDevName)
RtlFreeUnicodeString (ustrDevName)
RtlFreeUnicodeString (ustrLinkName)
.如果真 (status < 0)
IoDeleteDevice (pDevObj)
返回 (#STATUS_UNSUCCESSFUL)
.如果真结束
SSDT_HOOK () ' install the hook; DriverUnload must write the saved original entry back before the driver is unloaded
返回 (#STATUS_SUCCESS)