Abstract:
1. Screenshot
2. Analysis
Here NtCreateProcessEx is hooked; WinDbg is used to locate the function's entry address in the SSDT:
0: kd> dd KeServiceDescriptorTable
8055d700 80505450 00000000 0000011c 805058c4
8055d710 00000000 00000000 00000000 00000000
8055d720 00000000 00000000 00000000 00000000
8055d730 00000000 00000000 00000000 00000000
8055d740 00000002 00002710 ..
Read more
Abstract:
1. First, a screenshot of the result:
2. Program code
#include <ntddk.h>

void DriverUnload(PDRIVER_OBJECT pDriverObject)
{
    KdPrint(("Stop Driver! \r\n"));
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
    PEPROCESS pEprocess = NULL;
    PEPROCESS pFirstEprocess = NULL;
    ULONG ulProcessName = 0;
    ULONG ulPr...
Read more