RtlInitUnicodeString(&LinkName,ENUM_LINKNAME); IoCreateSymbolicLink(&LinkName,&DeviceName); pDriverObject->MajorFunction[IRP_MJ_CREATE] = pDriverObject->MajorFunction[IRP_MJ_CLOSE] = pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = GeneralDispatch; pDriverObject->DriverUnload = DriverUnload; PsLookupProcessByProcessId((HANDLE)1480,&pProcess); EnumDllByProcess(pProcess); return status; } 二、通过进程名获取进程的dll 思想:遍历进程比较进程名 PEPROCESS GetPProcessFromImageFileName(LPTSTR pName) { PEPROCESS Process;//eProcess; LPTSTR ProcessName; //ULONG Count; for (ProcessId = 0; ProcessId < 1999; ProcessId += 4) ULONG ProcessId; { if (PsLookupProcessByProcessId((HANDLE)ProcessId, &Process) == STATUS_SUCCESS) } } return Process; { } if (Process != 0) { } if (MmIsAddressValid((PVOID)Process)) { } DbgPrint(\,Process); ProcessName = (LPTSTR)((ULONG)Process+IMAGEFILENAMEOFFSET); DbgPrint(\,ProcessName); if(strcmp(ProcessName,pName)==0) { } return Process;
2. 字符串类型比较 3. Hook
? Inline Hook
Inline Hook是通过修改前5个字节,函数的前两个指令是 Push ebp Mov ebp,esp
这两条指令所占的机器码正好是5个字节 可将其改为 Jmp addr //也是5个字节
但是采用此类inline hook会经常蓝屏,因为现在电脑基本都是多CPU的,所以当修改的函数是经常被调用的,就会hook的过程被打断,从而导致蓝屏,而一个比较简单的解决办法是调用ExInterlockedCompareExchange64函数(一次性修改8个字节,否则修改失败)
? SSDT Hook