
挂钩 NtResumeThread 实现全局Hook



NtResumeThread");

     if (g_pfNtResumeThread == NULL)
     {
         return;
     }
    
     EnterCriticalSection(&cs);

    _asm
    {
        lea edi,g_OldNtQuerySystemInformation
        mov esi,g_pfNtQuerySystemInformation
        cld
        mov ecx,5
        rep movsb
        lea edi,g_OldNtResumeThread
        mov esi,g_pfNtResumeThread
        cld
        mov ecx,5
        rep movsb
    }

    g_NewNtQuerySystemInformation[0] = 0xe9;
    g_NewNtResumeThread[0] = 0xe9;
    _asm
    {
        lea eax, NewNtQuerySystemInformation
        mov ebx, g_pfNtQuerySystemInformation
        sub eax, ebx
        sub eax, 5
        mov dword ptr [g_NewNtQuerySystemInformation + 1], eax
        lea eax, NewNtResumeThread
        mov ebx, g_pfNtResumeThread
        sub eax, ebx
        sub eax, 5
        mov dword ptr [g_NewNtResumeThread + 1], eax
    }
    .......
    LeaveCriticalSection(&cs);

    g_bHook = TRUE;
}

// 还原被修改的代码
//-----------------------------------------------------------------------
// void WINAPI HookOff(void)
// Counterpart of the install routine above (which patches the two Nt*
// entry points and sets g_bHook = TRUE): restores the bytes the hook
// overwrote and clears g_bHook. The page elides the restore itself
// ("......"); only the final flag assignment is shown.
// NOTE(review): the install path wraps its patching in
// EnterCriticalSection(&cs) / LeaveCriticalSection(&cs); the elided body
// here presumably takes the same lock -- confirm against the full source.
//-----------------------------------------------------------------------
void WINAPI HookOff()
{
    ......
    g_bHook = FALSE;                    // hook no longer installed
}

4. 参考资料

Microsoft MSDN, SDK & DDK
Windows NT 2000 Native API Reference
《Windows 核心编程》
《挂钩Windows API》
《如何在Windows NT中隐藏自己》
