订阅
SYSCALL_INDEX宏
API获取自己进程的PID
HOOK_SYSCALL 和 UNHOOK_SYSCALL宏
作者:admin 日期:2010-04-12
HOOK_SYSCALL 和 UNHOOK_SYSCALL宏采用被勾住的Zw*函数的地址,获取器索引号,并自动讲SSDT中该索引的相应地址与_Hook函数的地址进行交换。
#define HOOK_SYSCALL(_Function,_Hook,_Orig)\
_Orig=(PVOID)InterlockedExchange((PLONG)\
&MappedSystemCallTable[SYSCALL_INDEX(_Function)],(LONG)_Hook)
#define UNHOOK_SYSCALL(_Function,_Hook,_Orig)\
InterlockedExchange((PLONG)\
&MappedSystemCallTable[SYSCALL_INDEX(_Function)],(LONG)_Hook)
#define HOOK_SYSCALL(_Function,_Hook,_Orig)\
_Orig=(PVOID)InterlockedExchange((PLONG)\
&MappedSystemCallTable[SYSCALL_INDEX(_Function)],(LONG)_Hook)
#define UNHOOK_SYSCALL(_Function,_Hook,_Orig)\
InterlockedExchange((PLONG)\
&MappedSystemCallTable[SYSCALL_INDEX(_Function)],(LONG)_Hook)
文章来自: 
Tags: 评论: 0 | 查看次数: 11971
