暂时放下
/*
 * fake_my_native_api: detour stub that stands in for a kernel routine.
 *
 * Declared naked, so the compiler emits no prologue or epilogue and the only
 * live code is the tail jump at the bottom: the caller's stack frame and
 * arguments are forwarded untouched to fake_proxy_my_native_api, which
 * therefore sees exactly what the original callee would have seen. The
 * parameter list is presumably meant to mirror the hooked routine's
 * signature (the stub itself never reads Apc, SystemArgument1,
 * SystemArgument2 or Increment) -- confirm it against the real target,
 * because a mismatch silently shifts every argument the proxy reads.
 *
 * The block comment inside the body is an earlier filtering variant the
 * author set aside; it is kept verbatim with review notes added inline.
 */
_declspec (naked )
void fake_my_native_api(PKAPC Apc, PVOID SystemArgument1, PVOID SystemArgument2, KPRIORITY Increment )
{
/* ULONG ptarget_thread;
ULONG ptarget_process;
ULONG pcurrent_process;
PUCHAR ptarget_process_name;
PUCHAR pcurrent_process_name;
NOTE(review): a naked function gets no frame from the compiler, and the asm
below never reserves stack space for these five locals -- confirm how they
were meant to be stored before reviving this variant.
__asm
{
push ebp;
mov ebp, esp;
pushad;
}
ptarget_thread = (ULONG)(Apc->Thread);
ptarget_process = *(PULONG)(ptarget_thread + 0x220);
ptarget_process_name = (PUCHAR)(ptarget_process + 0x174);
pcurrent_process = *(PULONG)PsGetCurrentProcess();
pcurrent_process_name = (PUCHAR)(pcurrent_process + 0x174);
NOTE(review): 0x220 and 0x174 are hard-coded structure offsets tied to one
kernel build; on any other build they read the wrong field or fault in
kernel mode. The two process lookups are also inconsistent: the target
process is obtained by dereferencing an address derived from the thread,
while the current process dereferences the pointer PsGetCurrentProcess()
returns, which yields the first dword of the process object rather than the
object's address -- one of the two is wrong, so the name comparison below
cannot be trusted as written.
if( _stricmp( ptarget_process_name, "notepad.exe") == 0 )
{
if( _stricmp(pcurrent_process_name, "notepad.exe") != 0 )
{
__asm
{
mov eax, 0x0;
popad;
pop ebp;
ret;
}
NOTE(review): popad restores eax from the pushad frame, so the 0 written
just before it never reaches the caller. Whether a bare ret is correct, or
the callee must also pop its arguments, depends on the hooked routine's
calling convention -- confirm.
}
}
else
{
__asm
{
popad;
pop ebp;
jmp fake_proxy_my_native_api;
}
}
NOTE(review): when both names match, neither branch above returns or jumps;
if the trailing jmp below was also this variant's fall-through, control
reaches the proxy with ebp and the pushad registers still on the stack.
*/
/* Live path: no frame was built, so nothing to unwind -- forward directly. */
__asm
{
jmp fake_proxy_my_native_api;
}
}