#include <ntifs.h>
#include "hk.h"
/*
 * Trampoline pointer for the unpatched nt!NtClose.
 *
 * Receives its value through the last argument of HkDetourFunction in
 * DriverEntry; HookedNtClose forwards to it and DriverUnload hands it back to
 * HkRestoreFunction. File-scope object, so it is NULL until the detour has
 * been installed.
 */
NTSTATUS (*OriginalNtClose)(_In_ HANDLE Handle);
/*
 * Detour target for nt!NtClose.
 *
 * DriverEntry patches the start of NtClose to land here, so every caller
 * that reaches nt!NtClose passes through this function first. It writes one
 * debug line (component 0, level 0 == DPFLTR_ERROR_LEVEL) and forwards the
 * call to the trampoline in OriginalNtClose, returning that status
 * unchanged. Handle is neither inspected nor modified.
 *
 * OriginalNtClose must already be populated when this runs; the detour
 * library is presumably responsible for ordering that — confirm in hk.h.
 */
NTSTATUS HookedNtClose(
    _In_ HANDLE Handle
)
{
    NTSTATUS status;

    DbgPrintEx(0, 0, "Called NtClose.\n");
    status = OriginalNtClose(Handle);

    return status;
}
/*
 * Unload callback: hands nt!NtClose back to HkRestoreFunction so the patched
 * bytes are put back before the driver image goes away.
 *
 * DriverObject is unused. The trampoline pointer is whatever HkDetourFunction
 * stored in OriginalNtClose at load time; this routine runs even if that
 * detour was never installed (OriginalNtClose still NULL) — whether
 * HkRestoreFunction tolerates a NULL original is up to hk.h, TODO confirm.
 */
VOID DriverUnload(
    _In_ PDRIVER_OBJECT DriverObject
)
{
    PVOID patched = (PVOID)NtClose;
    PVOID trampoline = (PVOID)OriginalNtClose;

    UNREFERENCED_PARAMETER(DriverObject);

    HkRestoreFunction(patched, trampoline);
}
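/*
 * Driver entry point: registers the unload routine, then detours nt!NtClose
 * to HookedNtClose.
 *
 * DriverObject - driver object; its DriverUnload field is set here.
 * RegistryPath - unused.
 *
 * Returns STATUS_SUCCESS unconditionally. The result of HkDetourFunction is
 * not checked, so a failed detour still reports success and leaves
 * OriginalNtClose NULL; hk.h's return contract is not visible in this file,
 * so that is left as-is — callers should not treat a successful load as
 * proof the hook is in place.
 *
 * Stability caveat: on x64 Windows, Kernel Patch Protection is expected to
 * bugcheck once it notices modified kernel text, so this is a lab/test
 * example, not something that stays up on a production kernel.
 */
NTSTATUS DriverEntry(
    _In_ PDRIVER_OBJECT DriverObject,
    _In_ PUNICODE_STRING RegistryPath
)
{
    /*
     * Number of prologue bytes HkDetourFunction is asked to relocate into the
     * trampoline. It comes from this disassembly of the kernel build the
     * example was written against: the first six instructions add up to
     * exactly 20 bytes (2 + 1 + 2 + 2 + 4 + 9) and none of them is
     * RIP-relative, so they can be copied unchanged.
     *
     * nt!NtClose:
     * fffff801`51eff010 4056               push rsi
     * fffff801`51eff012 57                 push rdi
     * fffff801`51eff013 4156               push r14
     * fffff801`51eff015 4157               push r15
     * fffff801`51eff017 4883ec38           sub rsp,38h
     * fffff801`51eff01b 65488b042588010000 mov rax,qword ptr gs:[188h]
     *
     * The value is build-specific: a different kernel build may have a
     * different prologue, and a length that ends mid-instruction corrupts
     * the trampoline. Re-derive it from the target build before reuse.
     */
    enum { NTCLOSE_PROLOGUE_BYTES = 20 };

    UNREFERENCED_PARAMETER(RegistryPath);

    /* Register unload first so the patch is undone whenever the driver goes. */
    DriverObject->DriverUnload = DriverUnload;

    HkDetourFunction((PVOID)NtClose,
                     (PVOID)HookedNtClose,
                     NTCLOSE_PROLOGUE_BYTES,
                     (PVOID*)&OriginalNtClose);

    return STATUS_SUCCESS;
}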