#ifndef _STRACEDEF_H_
#define _STRACEDEF_H_
#include "Strace.h"
// Prototypes for the Strace driver. This header is C++ (extern "C" below,
// a default argument and a struct member function further down), so only
// DriverEntry and KeSetAffinityThread carry C linkage; the rest are C++.
extern "C" NTSTATUS DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
);
// IRP dispatch routines; presumably registered from DriverEntry for the
// create / close / device-control majors (the registration is not visible here).
NTSTATUS
StraceOpen(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
);
NTSTATUS
StraceClose(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
);
// Driver unload callback. NOTE(review): whatever hook StraceSetSystemServiceHook
// installs must be removed here before the image is unmapped -- confirm in the
// definition, which is not part of this header.
VOID
StraceUnload(
IN PDRIVER_OBJECT DriverObject
);
NTSTATUS
StraceDeviceControl(
PDEVICE_OBJECT DeviceObject,
PIRP Irp
);
// IOCTL worker taking the raw IRP buffers. The buffers come from the IOCTL
// caller, so InputBufferLength / OutputBufferLength must be validated against
// the size each IoControlCode expects before either buffer is read or written.
// *StatusInfo presumably receives the byte count for Irp->IoStatus.Information
// -- verify against the definition. ("OutbufBuffer" is a typo for OutputBuffer;
// a parameter name in a prototype is cosmetic, the definition's name governs.)
NTSTATUS StraceProcessDeviceControl(
IN PVOID InputBuffer,
IN ULONG InputBufferLength,
OUT PVOID OutbufBuffer,
IN ULONG OutputBufferLength,
IN ULONG IoControlCode,
OUT ULONG* StatusInfo
);
// Hand-written prototype for a kernel export that is not in the public DDK
// headers; the DWORD return type is this driver's own assumption -- verify it
// against the target kernel build before relying on the returned value.
extern "C" DWORD KeSetAffinityThread(
PKTHREAD,
DWORD affinityMask
);
// Installs (bHook == TRUE) or removes (FALSE) the system-service hook,
// presumably via NT_IDT::Hook on the NT_SYSTEM_SERVICE_IDT gate declared below.
// Semantics are inferred from the name -- confirm in the definition.
BOOL StraceSetSystemServiceHook(
BOOL bHook
);
// Presumably the byte offset of the image-name field inside the process object,
// discovered at run time (how is not visible here).
ULONG GetProcessNameOffset();
// Writes the current process's image name into Name. There is no length
// parameter, so the caller must supply a buffer at least as large as the
// definition writes -- size it to match that definition, not a guess.
void GetProcessName( PCHAR Name );
// IDT vector of the legacy NT system-service gate (int 2Eh) on x86 kernels;
// this is the slot NT_IDT::Hook is meant to redirect.
#define NT_SYSTEM_SERVICE_IDT 0x2e
// Indices of the two trace buffers (their use is not visible in this header).
#define STRACE_FIRST_BUF 0
#define STRACE_SECOND_BUF 1
// Masks interrupts on the *current* processor: raise IRQL to HIGH_LEVEL, save
// EFLAGS, clear IF. It declares __Dioldirql__ in the enclosing scope, so it must
// be paired with ENABLE_INTS in that same scope, which is also why it is not
// do/while-wrapped. x86-32 MSVC inline asm only (pushfd/cli).
// NOTE(review): a double-underscore identifier is reserved for the implementation.
#define DISABLE_INTS KIRQL __Dioldirql__; \
KeRaiseIrql( HIGH_LEVEL, &__Dioldirql__ ); \
_asm { pushfd } \
_asm { cli }
// Undoes DISABLE_INTS in reverse order: restore EFLAGS (re-enabling IF if it
// was set), then lower IRQL to the level DISABLE_INTS saved.
#define ENABLE_INTS {_asm popfd } \
KeLowerIrql(__Dioldirql__);
// NOTE(review): pack(push, <identifier>) with no alignment value only pushes the
// current packing setting, it does not switch to 1-byte packing. With four WORD
// members there is no padding either way, so the descriptor is still 8 bytes.
#pragma pack( push, PREIDT )
// One 32-bit x86 IDT gate descriptor. The handler offset is split into a low
// and a high 16-bit half on either side of the selector and flags words.
typedef struct NT_IDT
{
WORD wLoOfs;
WORD wSelector;
WORD wFlags;
WORD wHiOfs;
// Redirects this gate to newOfs. If pOldOfs is non-NULL the previous 32-bit
// offset is written through it (as a DWORD) before patching, so the caller can
// chain to or later restore the original handler. Both 16-bit writes happen
// with interrupts masked via DISABLE_INTS/ENABLE_INTS, so this processor cannot
// take the vector between them; NOTE(review): cli and KeRaiseIrql are
// per-processor -- other CPUs are not held off and may see a half-written
// offset. Selector and flags are left untouched. Integrity checks can detect
// this change by comparing the gate against the kernel's own handler.
void Hook( PVOID newOfs, PVOID pOldOfs=NULL )
{
DISABLE_INTS
if ( pOldOfs != NULL )
*(PDWORD)pOldOfs = (wHiOfs<<16) + wLoOfs ;
// Pointer-to-WORD conversions deliberately truncate to the low / high halves.
wLoOfs = WORD(newOfs) ;
wHiOfs = WORD(((DWORD)newOfs)>>16) ;
ENABLE_INTS
}
} NT_IDT, *PNT_IDT;
#pragma pack( pop, PREIDT )
#pragma warning( disable : 4035 ) // Turn off no return value warning
// Returns the base of the current processor's IDT, read from the KPCR through
// the DDK's _PCR symbol. The value is left in EAX, which is the return register
// for this calling convention, hence the suppressed C4035 (no return statement).
// x86-32 MSVC inline asm only; relies on the KPCR layout the DDK headers define.
inline PNT_IDT __fastcall GetIDTBase()
{
__asm { mov eax, _PCR KPCR.IDT }
}
#pragma warning( default : 4035 )
#endif