驱动防杀防删代码

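/////////////////////////////////////////////////////////////////////////////
// Hooks the system service table (SSDT) on 80x86 CPUs, Win2k or later, so
// that ZwSetInformationFile is refused for one protected file.
// Code by gt2333588
//
// Scope and limitations (review notes):
//  * x86 only. SYSCALL() reads the service index out of the "mov eax, imm32"
//    instruction at the start of the Zw stub, and KeServiceDescriptorTable is
//    only exported by 32-bit kernels; 64-bit kernels also protect the SSDT
//    (PatchGuard), so this technique does not port.
//  * Only ZwSetInformationFile is intercepted, and the file is recognised by
//    comparing FILE_OBJECT::FileName with one fixed string. A delete via
//    FILE_DELETE_ON_CLOSE at open time, a hard link, a path opened relative
//    to a directory handle, an 8.3 short name or open-by-ID is presumably not
//    matched by that comparison, so treat this as a deterrent rather than a
//    security boundary. A file-system minifilter (IRP_MJ_SET_INFORMATION with
//    FltGetFileNameInformation) is the supported way to do this.
//  * Every information class is refused for the protected file, not just
//    FileDispositionInformation: its timestamps, size and name cannot be
//    changed either.
//  * Clearing CR0.WP and using cli/sti directly is outside the documented
//    driver model; it is kept here because it is the original's approach.
/////////////////////////////////////////////////////////////////////////////
#include <ntddk.h>
#include <stdio.h>

/* One KeServiceDescriptorTable entry, x86 layout. Only ServiceTable (the
 * array of service routine pointers) and HiCall are used; HiCall occupies
 * the slot that holds the service count in the usual description of this
 * structure (NumberOfServices), and the bounds check below relies on that. */
typedef struct _SRVTABLE {
    PVOID *ServiceTable;
    ULONG  LowCall;
    ULONG  HiCall;
    PVOID *ArgTable;
} SRVTABLE, *PSRVTABLE;

extern PSRVTABLE KeServiceDescriptorTable;

/* Service index encoded in an x86 Zw stub: the stub begins with
 * "mov eax, imm32" (opcode B8), so the index is the dword at offset 1. */
static ULONG ServiceIndexOf(PVOID ZwStub)
{
    return *(PULONG)((PUCHAR)ZwStub + 1);
}

/* SSDT slot that dispatches the given Zw stub; lvalue, so it can be read
 * (to save the original) and written (to install/remove the hook). */
#define SYSCALL(_function) ServiceTable->ServiceTable[ServiceIndexOf(_function)]

PSRVTABLE ServiceTable;

typedef NTSTATUS (*PFN_ZwSetInformationFile)(IN HANDLE FileHandle,
                                             OUT PIO_STATUS_BLOCK IoStatusBlock,
                                             IN PVOID FileInformation,
                                             IN ULONG Length,
                                             IN FILE_INFORMATION_CLASS FileInformationClass);

/* Original SSDT entry: restored on unload and called for every request that
 * is not refused. */
PFN_ZwSetInformationFile RealZwSetInformationFile;

/* The file to protect: its path as seen in FILE_OBJECT::FileName (relative to
 * the volume's device object) and the DOS name of that volume. Kept in
 * counted-string form so the comparison never depends on NUL termination. */
#define PROTECTED_FILE_NAME  L"\\工作\\HOOK\\objchk_wxp_x86\\i386\\test.txt"
#define PROTECTED_DRIVE_NAME L"D:"

static UNICODE_STRING g_ProtectedFileName;
static UNICODE_STRING g_ProtectedDriveName;

/* TRUE while our pointer is in the SSDT; unload only restores when set. */
static BOOLEAN g_Hooked = FALSE;

/* Number of threads currently inside HookZwSetInformationFile; unload waits
 * (bounded) for it to drain before the driver image goes away. */
static volatile LONG g_InFlight = 0;

NTSTATUS HookZwSetInformationFile(IN HANDLE FileHandle,
                                  OUT PIO_STATUS_BLOCK IoStatusBlock,
                                  IN PVOID FileInformation,
                                  IN ULONG Length,
                                  IN FILE_INFORMATION_CLASS FileInformationClass);
VOID HookAPI();
VOID DriverUnload(IN PDRIVER_OBJECT pDriverObject);
VOID UnHook();
VOID UnhookSystemCall();

/* Stores Value into one SSDT slot. The table lives in read-only pages, so
 * CR0.WP is cleared around the store; cli/sti keep the thread on the CPU
 * whose CR0 was changed (WP is per-processor). The store itself is a single
 * atomic exchange, so a syscall dispatched concurrently on another CPU sees
 * either the old or the new pointer, never a torn one. */
static VOID WriteServiceSlot(PVOID *Slot, PVOID Value)
{
    __asm {
        cli
        mov eax, cr0
        and eax, not 10000h
        mov cr0, eax
    }
    InterlockedExchangePointer(Slot, Value);
    __asm {
        mov eax, cr0
        or  eax, 10000h
        mov cr0, eax
        sti
    }
}

/*
 * Driver entry point: records the unload routine, prepares the protected-name
 * strings, locates the SSDT and installs the hook.
 *
 * Returns STATUS_SUCCESS when the hook is in place, STATUS_UNSUCCESSFUL when
 * HookAPI refused to patch (stub not in the expected shape or index out of
 * range) -- in that case nothing was modified and the driver is unloaded.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);

    DriverObject->DriverUnload = DriverUnload;
    RtlInitUnicodeString(&g_ProtectedFileName, PROTECTED_FILE_NAME);
    RtlInitUnicodeString(&g_ProtectedDriveName, PROTECTED_DRIVE_NAME);
    ServiceTable = KeServiceDescriptorTable;
    HookAPI();
    return g_Hooked ? STATUS_SUCCESS : STATUS_UNSUCCESSFUL;
}

/*
 * Installs the hook: saves the current ZwSetInformationFile service pointer
 * and replaces it with HookZwSetInformationFile.
 *
 * Before trusting the index read from the stub, checks that the stub really
 * starts with "mov eax, imm32" and that the index is below the table's
 * service count; the original wrote through whatever it read, which on an
 * unexpected stub shape would corrupt memory. On failure nothing is written
 * and g_Hooked stays FALSE.
 */
VOID HookAPI()
{
    PUCHAR stub = (PUCHAR)ZwSetInformationFile;

    if (ServiceTable == NULL || stub[0] != 0xB8 ||
        ServiceIndexOf(stub) >= ServiceTable->HiCall) {
        return;
    }

    RealZwSetInformationFile = (PFN_ZwSetInformationFile)SYSCALL(ZwSetInformationFile);
    WriteServiceSlot(&SYSCALL(ZwSetInformationFile), (PVOID)HookZwSetInformationFile);
    g_Hooked = TRUE;
}

/*
 * Replacement for ZwSetInformationFile. Refuses the request with
 * STATUS_ACCESS_DENIED when FileHandle refers to the protected file on the
 * protected volume; every other request (including an invalid handle) is
 * passed to the original service unchanged.
 *
 * Fixes relative to the original:
 *  - the handle is validated in the caller's previous mode, so a user-mode
 *    caller cannot hand us a kernel handle (the original used KernelMode);
 *  - DesiredAccess is 0 because only the object's name is read. Keeping the
 *    original GENERIC_READ together with UserMode would let a handle opened
 *    with DELETE only fail the lookup and bypass the check entirely;
 *  - the reference taken by ObReferenceObjectByHandle is released (the
 *    original leaked one reference per call, pinning the file object);
 *  - FileName is a counted string that is not guaranteed to be NUL
 *    terminated and may be empty or have a NULL buffer (e.g. a handle to the
 *    volume itself); it is compared with RtlEqualUnicodeString instead of
 *    _wcsicmp, which could read past the end or dereference NULL.
 */
NTSTATUS HookZwSetInformationFile(IN HANDLE FileHandle,
                                  OUT PIO_STATUS_BLOCK IoStatusBlock,
                                  IN PVOID FileInformation,
                                  IN ULONG Length,
                                  IN FILE_INFORMATION_CLASS FileInformationClass)
{
    PFILE_OBJECT pFileObject = NULL;
    BOOLEAN      bProtected  = FALSE;
    NTSTATUS     nRet;
    NTSTATUS     nResult;

    InterlockedIncrement(&g_InFlight);

    nRet = ObReferenceObjectByHandle(FileHandle, 0, *IoFileObjectType,
                                     ExGetPreviousMode(),
                                     (PVOID *)&pFileObject, NULL);
    if (NT_SUCCESS(nRet)) {
        /* Compare the path first; the DOS-name lookup allocates, so only do
         * it for the one file whose name matches. Both comparisons are
         * case-insensitive, as the original _wcsicmp calls were. */
        if (pFileObject->DeviceObject != NULL &&
            pFileObject->FileName.Buffer != NULL &&
            RtlEqualUnicodeString(&pFileObject->FileName, &g_ProtectedFileName, TRUE)) {
            UNICODE_STRING uDosName;

            nRet = IoVolumeDeviceToDosName(pFileObject->DeviceObject, &uDosName);
            if (NT_SUCCESS(nRet)) {
                bProtected = RtlEqualUnicodeString(&uDosName, &g_ProtectedDriveName, TRUE);
                ExFreePool(uDosName.Buffer);   /* allocated by IoVolumeDeviceToDosName */
            }
        }
        ObDereferenceObject(pFileObject);
    }

    if (bProtected) {
        nResult = STATUS_ACCESS_DENIED;
    } else {
        nResult = RealZwSetInformationFile(FileHandle, IoStatusBlock, FileInformation,
                                           Length, FileInformationClass);
    }

    InterlockedDecrement(&g_InFlight);
    return nResult;
}

/* Unload routine: removes the hook and lets in-flight callers drain. */
VOID DriverUnload(IN PDRIVER_OBJECT pDriverObject)
{
    UNREFERENCED_PARAMETER(pDriverObject);
    UnHook();
}

/*
 * Restores the original service pointer, then waits (at most ~5 s) for
 * threads still executing HookZwSetInformationFile to leave it, plus one
 * extra interval to cover the gap between the counter decrement and the
 * function's return. Without this, unloading while a syscall was in our hook
 * would leave that thread executing unmapped code. The window is narrowed,
 * not closed: there is no fully safe way to unload an SSDT hook.
 *
 * NOTE(review): the slot is restored unconditionally, as in the original. If
 * another driver hooked the same service after us and chained to our
 * pointer, restoring the original detaches that driver too; leaving it in
 * place would instead leave the SSDT chain pointing at our unmapped code.
 */
VOID UnHook()
{
    LARGE_INTEGER interval;
    ULONG         tries;

    if (!g_Hooked) {
        return;
    }

    UnhookSystemCall();
    g_Hooked = FALSE;

    interval.QuadPart = -100 * 10000;   /* 100 ms, relative */
    for (tries = 0; tries < 50 && g_InFlight != 0; tries++) {
        KeDelayExecutionThread(KernelMode, FALSE, &interval);
    }
    KeDelayExecutionThread(KernelMode, FALSE, &interval);
}

/* Writes the saved original pointer back into the SSDT slot. */
VOID UnhookSystemCall()
{
    WriteServiceSlot(&SYSCALL(ZwSetInformationFile), (PVOID)RealZwSetInformationFile);
}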