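How to unload dynamically after hooking a dispatch function
Could an expert give me some ideas? I wrote a simple keyboard filter driver that hooks the IRP_MJ_READ request. How can I unload it when the driver is being unloaded? Thanks. Below is the main code that implements the hook.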
PDRIVER_DISPATCH OldDispatchRead; // entry address of the original IRP_MJ_READ function (global variable)
// In DriverEntry
PDRIVER_OBJECT KbdDriverObject = NULL;
UNICODE_STRING KbdName;
NTSTATUS status;
// init string
RtlInitUnicodeString(&KbdName, KBD_DRIVER_NAME);
status = ObReferenceObjectByName(
    &KbdName,
    OBJ_CASE_INSENSITIVE, // case-insensitive
    NULL,
    0,
    *IoDriverObjectType,
    KernelMode,
    NULL,
    (PVOID *)&KbdDriverObject
);
if (!NT_SUCCESS(status)) {
    DbgPrint("cannot get the kbd object\n");
    return STATUS_UNSUCCESSFUL;
}
DbgPrint("Hook start\n");
// Save the entry address of the original dispatch function.
// MajorFunction is an array indexed by major function code, so the IRP_MJ_READ slot must be named.
OldDispatchRead = KbdDriverObject->MajorFunction[IRP_MJ_READ];
// Bind the new dispatch function
InterlockedExchangePointer((PVOID *)&KbdDriverObject->MajorFunction[IRP_MJ_READ], (PVOID)newDisperseFun);
// Release the reference
ObDereferenceObject(KbdDriverObject);
I misspoke.... it should be InterlockedExchangePointer(&KbdDriverObject->MajorFunction,OldDispatchRead); Put KbdDriverObject in DeviceObject.Extension, then take it out at unload time and call InterlockedExchangePointer(newDisperseFun,&KbdDriverObject->MajorFunction). Wouldn't that work?
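From the defending side, a swap of MajorFunction[IRP_MJ_READ] like the one in this thread can be spotted by checking each dispatch entry against the owning driver's image range. This is an added example, not code from the thread: a user-mode C model in which the addresses, image_t, find_hooked and thirdparty.sys are all constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IRP_MJ_READ             0x03
#define IRP_MJ_MAXIMUM_FUNCTION 0x1b

/* Model of a loaded kernel image (hypothetical type, not a WDK structure). */
typedef struct { const char *name; uintptr_t base; size_t size; } image_t;

static int in_image(const image_t *m, uintptr_t p) {
    return p >= m->base && p - m->base < m->size;
}

/* Name of the image that contains p, or "<no image>" if none does. */
static const char *owner_of(const image_t *mods, size_t n, uintptr_t p) {
    for (size_t i = 0; i < n; i++)
        if (in_image(&mods[i], p)) return mods[i].name;
    return "<no image>";
}

/* Record every major function whose handler lies outside the driver's own
 * image. Slots the driver never filled keep the kernel's default handler,
 * so pointers into the kernel image are accepted too. Returns the hit count. */
static size_t find_hooked(const uintptr_t *table, const image_t *drv,
                          const image_t *kernel, unsigned *out) {
    size_t hits = 0;
    for (unsigned mj = 0; mj <= IRP_MJ_MAXIMUM_FUNCTION; mj++)
        if (!in_image(drv, table[mj]) && !in_image(kernel, table[mj]))
            out[hits++] = mj;
    return hits;
}

/* Constructed sample: kbdclass.sys with its read handler redirected. */
static size_t demo(unsigned *out, const char **who) {
    static const image_t mods[] = {
        { "ntoskrnl.exe",   0x80000000u, 0x600000 },
        { "kbdclass.sys",   0x90000000u, 0x10000  },
        { "thirdparty.sys", 0xA0000000u, 0x8000   },
    };
    uintptr_t table[IRP_MJ_MAXIMUM_FUNCTION + 1];
    for (unsigned i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
        table[i] = 0x80001000u;            /* kernel default handler */
    table[0] = 0x90001200u;                /* IRP_MJ_CREATE, inside kbdclass */
    table[IRP_MJ_READ] = 0xA0000400u;      /* replaced entry */
    size_t n = find_hooked(table, &mods[1], &mods[0], out);
    *who = n ? owner_of(mods, 3, table[out[0]]) : "";
    return n;
}
```

On a live system the same comparison is made against the real loaded-module list and the driver object's MajorFunction array, for example from a kernel debugger or a memory image.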