hookfactory.h

实现了隐藏进程,使进程对任务管理器和进程查看器均不可见,使文件对资源管理器不可见 是驱动编程入门的好例子

#if !defined(AFX_HOOKFACTORY_H__7F47A6C3_689C_45D5_B974_108EB9F86911__INCLUDED_)
#define AFX_HOOKFACTORY_H__7F47A6C3_689C_45D5_B974_108EB9F86911__INCLUDED_

#include "common.h"
extern "C"
{
	typedef struct _SYSTEM_SERVICE_TABLE
	{
		PNTPROC ServiceTable;
		PDWORD  CounterTable;
		ULONG   ServiceLimit;
		PBYTE   ArgumentTable;
	}
	SYSTEM_SERVICE_TABLE ,
		* PSYSTEM_SERVICE_TABLE ,
		* * PPSYSTEM_SERVICE_TABLE ;

	typedef struct _SERVICE_DESCRIPTOR_TABLE {
		SYSTEM_SERVICE_TABLE ntoskrnl;  //SST for ntoskrnl.exe
		SYSTEM_SERVICE_TABLE win32k;    //SST for win32k.sys
		SYSTEM_SERVICE_TABLE unused1;
		SYSTEM_SERVICE_TABLE unused2;   
	}
	SERVICE_DESCRIPTOR_TABLE ,
		* PSERVICE_DESCRIPTOR_TABLE,
		* * PPSERVICE_DESCRIPTOR_TABLE ;

	//import SSDT pointer
	extern PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;
	PSYSTEM_SERVICE_TABLE pNtoskrnl = &(KeServiceDescriptorTable->ntoskrnl);
}// extern "C"



typedef struct _Hook
{
	ULONG mFuncSST_ID;
	PVOID mpNewFuncPtr;
	PVOID mpTrueFuncPtr;
} Hook, *PHook;


PHook CreateHook(IN const PVOID pNewFuncPtr,IN PUNICODE_STRING function_name);
//PHook CreateHook(IN const PVOID pNewFuncPtr,IN const PVOID pTrueFuncPtr);
PHook CreateHook(IN const PVOID pNewFuncPtr,IN const ULONG funcID);

#endif // !defined(AFX_HOOKFACTORY_H__7F47A6C3_689C_45D5_B974_108EB9F86911__INCLUDED_)