📄 hookfactory.cpp
#include "HookFactory.h"
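/**
 * Builds a Hook record for the system-service slot identified by funcID.
 *
 * The record stores the slot index, the pointer currently held in that slot
 * of pNtoskrnl->ServiceTable, and the replacement pointer. Nothing visible in
 * this function writes to the service table; it only fills in the record.
 *
 * Note: mpTrueFuncPtr is whatever the table holds at call time. If another
 * component has already replaced that entry, the saved pointer is not the
 * kernel's own routine. Callers that need the genuine routine should verify
 * that the address lies inside the kernel image.
 *
 * @param pNewFuncPtr  Replacement routine to record in the Hook.
 * @param funcID       Index into the service table; must be < ServiceLimit.
 * @return New Hook record, or NULL if funcID is out of range or the
 *         allocation fails. Ownership passes to the caller.
 */
PHook CreateHook(IN const PVOID pNewFuncPtr,IN const ULONG funcID)
{
    ULONG TotalCount=pNtoskrnl->ServiceLimit;
    PNTPROC ServiceTable=pNtoskrnl->ServiceTable;
    // Reject every out-of-range ID. The original test (funcID == TotalCount)
    // let any larger value through, and ServiceTable[funcID] below would then
    // read kernel memory past the end of the table.
    if(funcID >= TotalCount)
        return NULL;
    PHook mNewHook = new Hook;
    // Kernel-mode operator new is project-supplied; assume it can return NULL
    // on pool exhaustion (TODO confirm against the project's allocator).
    if(mNewHook == NULL)
        return NULL;
    // Save ID of function
    mNewHook->mFuncSST_ID = funcID;
    // Save the pointer currently stored in the table slot
    mNewHook->mpTrueFuncPtr = ServiceTable[funcID];
    // Save new function ptr
    mNewHook->mpNewFuncPtr = pNewFuncPtr;
    return mNewHook;
}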
/**
 * Builds a Hook record for the service whose current table entry equals
 * pTrueFuncPtr.
 *
 * Scans pNtoskrnl->ServiceTable from slot 0 up to ServiceLimit and forwards
 * the first matching slot index to the index-based CreateHook overload.
 *
 * @param pNewFuncPtr   Replacement routine to record in the Hook.
 * @param pTrueFuncPtr  Pointer to look for in the service table.
 * @return Hook record from the index-based overload, or NULL when no table
 *         entry matches.
 */
PHook CreateHook(IN const PVOID pNewFuncPtr,IN const PVOID pTrueFuncPtr)
{
    const ULONG entryCount = pNtoskrnl->ServiceLimit;
    PNTPROC table = pNtoskrnl->ServiceTable;

    // Linear search: the first slot holding the requested pointer wins.
    for (ULONG slot = 0; slot < entryCount; ++slot)
    {
        if (table[slot] == pTrueFuncPtr)
            return CreateHook(pNewFuncPtr, slot);
    }

    // No slot currently points at pTrueFuncPtr.
    return NULL;
}
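/**
 * Builds a Hook record for the service named by an exported Zw* routine.
 *
 * All Zw* functions exported by NTOSKRNL.exe start with
 *     mov eax, ULONG   ; ULONG is the index of the syscall in the SSDT
 * so the index is read from the four bytes that follow the one-byte opcode.
 * This decode matches only that 32-bit x86 stub layout; nothing here checks
 * the architecture, so the opcode byte is verified before the operand is
 * trusted.
 *
 * MmGetSystemRoutineAddress is documented for callers at PASSIVE_LEVEL.
 *
 * @param pNewFuncPtr    Replacement routine to record in the Hook.
 * @param function_name  Name of the exported routine to resolve.
 * @return Hook record from the index-based overload, or NULL if the name is
 *         NULL or unresolved, the routine does not start with the expected
 *         instruction, or the decoded index is 0 or out of range.
 */
PHook CreateHook(IN const PVOID pNewFuncPtr,IN PUNICODE_STRING function_name)
{
    // Opcode byte of `mov eax, imm32`.
    const UCHAR MovEaxImm32 = 0xB8;

    if(function_name == NULL)
        return NULL;
    PVOID pTrueFuncPtr_ZW=MmGetSystemRoutineAddress(function_name);
    if(pTrueFuncPtr_ZW == NULL)
        return NULL;
    PUCHAR pStub = (PUCHAR) pTrueFuncPtr_ZW;
    // Any exported routine can be resolved by name, not just Zw* stubs.
    // Without this check the next four bytes of unrelated code would be
    // taken as a table index.
    if(pStub[0] != MovEaxImm32)
        return NULL;
    ULONG mFuncID = *(PULONG)(pStub + 1);
    // Kept from the original, which compared against NULL: index 0 is
    // rejected. NOTE(review): slot 0 is a valid table entry, so confirm
    // whether this rejection is intended.
    if(mFuncID == 0)
        return NULL;
    // Bound the decoded value here so this overload does not depend on the
    // range check in the index-based overload.
    if(mFuncID >= pNtoskrnl->ServiceLimit)
        return NULL;
    return CreateHook(pNewFuncPtr,mFuncID);
}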