Hook 分发函数后如何动态卸载

Robot · 发表于 2013-2-22 11:50

IDA,">求高手给个思路我写了个简单的键盘过滤驱动 Hookl了IRP_MJ_READ 请求当卸载的时候请问下如何才能卸载谢谢

下面是主要实现Hook 的代码

PDRIVER_DISPATCH OldDispatchRead;//原IRP_MJ_READ函数的入口地址全局变量
//在 DriverEntry 里
PDRIVER_OBJECT KbdDriverObject = NULL;
UNICODE_STRING KbdName;
NTSTATUS status;

//init string
RtlInitUnicodeString(&KbdName,KBD_DRIVER_NAME);

status = ObReferenceObjectByName(
&KbdName,
OBJ_CASE_INSENSITIVE, //不区分大小写
NULL,
0,
*IoDriverObjectType,
KernelMode,
NULL,
&KbdDriverObject
);

if(!NT_SUCCESS(status)){
DbgPrint("cannot get the kbd object/n");
return STATUS_UNSUCCESSFUL;
}
DbgPrint("Hook 开始");
//保留原分发函数的入口地址
OldDispatchRead = KbdDriverObject->MajorFunction[IRP_MJ_READ];
//绑定新的分发函数
InterlockedExchangePointer(&KbdDriverObject->MajorFunction[IRP_MJ_READ],newDisperseFun);
//解除引用
ObDereferenceObject(KbdDriverObject);

Dazdingo · 发表于 2013-11-13 23:49

说错了。。。。是InterlockedExchangePointer(&KbdDriverObject->MajorFunction[IRP_MJ_READ],OldDispatchRead);

Dazdingo · 发表于 2013-11-13 23:48

把KbdDriverObject放在DeviceObject.Extension里面，然后卸载的时候把它取出来， InterlockedExchangePointer(newDisperseFun，&KbdDriverObject->MajorFunction[IRP_MJ_READ])，不行么？

帐号		自动登录	找回密码
密码			注册[Register]

[其他转载] Hook 分发函数后 如何动态卸载

[其他转载] Hook 分发函数后如何动态卸载