inline hook疑问 ,为什么蓝?
源代码如下:
MyNtGetContextThread proc ThreadHandle,ThreadContext
ret
MyNtGetContextThread endp
OldNtGetContextThread proc ThreadHandle,ThreadContext
nop
nop
mov eax,NtGetContextThread_Addr
add eax,5
jmp eax
OldNtGetContextThread endp
DriverEntry proc pDriverObject:PDRIVER_OBJECT,pRegistryPath:PUNICODE_STRING
pushad
cli
mov eax, cr0
and eax,0fffeffffh
mov cr0, eax
invoke KeRaiseIrqlToDpcLevel
mov oldIrql,eax
invoke MmGetSystemRoutineAddress,$CCOUNTED_UNICODE_STRING("NtGetContextThread")
mov NtGetContextThread_Addr,eax
mov ecx,5
mov esi,eax
mov edi,offset OldNtGetContextThread
rep movsb
mov edx,offset MyNtGetContextThread
sub edx,eax
sub edx,5
mov byte ptr [eax],0e9h
xchg [eax+1],edx
invoke KeLowerIrql,oldIrql
mov eax, cr0
or eax,10000h
mov cr0, eax
sti
mov eax,pDriverObject
assume eax:ptr DRIVER_OBJECT
mov [eax].DriverUnload,offset DriverUnload
assume eax:nothing
popad
mov eax,STATUS_SUCCESS
ret
DriverEntry endp
end DriverEntry
我想知道为什么蓝
答:另外一些资源并不是显式地装入的,如对话框资源,它是在建立对话框的函数中由Windows自己装入的,如下面例子中的invokeDialogBoxParam,hIn...详情>>
