Revert "Hook Kifastcallentry"

This reverts commit 8c91b8bdf269d08bce3c13b23c98e1e58f785ac4.

Hook KiFastCallEntry/Common.c

@@ -1,355 +0,0 @@
-#include "Common.h"
-
-
-PFUNCDATA FuncData = NULL;
-PKEVENT  EventFuncMonitor = NULL; 
-
-MSG         Msg = {0}; 
-PKEVENT     EventArray[3] = {0}; 
-
-ERESOURCE  Resource;
-KMUTEX  Mutex;
-
-BOOLEAN         IsClear = FALSE;//资源是否销毁
-
-WIN_VERSION WinVersion = WINDOWS_UNKNOW;
-
-ULONG_PTR SectionObjectOfEProcess = 0;
-
-WIN_VERSION GetWindowsVersion()
-{
-	RTL_OSVERSIONINFOEXW osverInfo = {sizeof(osverInfo)}; 
-	pfnRtlGetVersion RtlGetVersion = NULL;
-	WIN_VERSION WinVersion;
-	WCHAR wzRtlGetVersion[] = L"RtlGetVersion";
-	RtlGetVersion = GetFunctionAddressByName(wzRtlGetVersion);    //Ntoskrnl.exe  导出表
-	if (RtlGetVersion)
-	{
-		RtlGetVersion((PRTL_OSVERSIONINFOW)&osverInfo); 
-	} 
-	else 
-	{
-		PsGetVersion(&osverInfo.dwMajorVersion, &osverInfo.dwMinorVersion, &osverInfo.dwBuildNumber, NULL);   //Documet
-	}
-	DbgPrint("Build Number: %d\r\n", osverInfo.dwBuildNumber);
-	if (osverInfo.dwMajorVersion == 5 && osverInfo.dwMinorVersion == 1) 
-	{
-		DbgPrint("WINDOWS_XP\r\n");
-		WinVersion = WINDOWS_XP;
-	}
-	else if (osverInfo.dwMajorVersion == 6 && osverInfo.dwMinorVersion == 1)
-	{
-		DbgPrint("WINDOWS 7\r\n");
-		WinVersion = WINDOWS_7;
-	}
-	else if (osverInfo.dwMajorVersion == 6 && 
-		osverInfo.dwMinorVersion == 2 &&
-		osverInfo.dwBuildNumber == 9200)
-	{
-		DbgPrint("WINDOWS 8\r\n");
-		WinVersion = WINDOWS_8;
-	}
-	else if (osverInfo.dwMajorVersion == 6 && 
-		osverInfo.dwMinorVersion == 3 && 
-		osverInfo.dwBuildNumber == 9600)
-	{
-		DbgPrint("WINDOWS 8.1\r\n");
-		WinVersion = WINDOWS_8_1;
-	}
-	else
-	{
-		DbgPrint("WINDOWS_UNKNOW\r\n");
-		WinVersion = WINDOWS_UNKNOW;
-	}
-	return WinVersion;
-}
-
-
-
-VOID InitGlobalVariable()
-{
-	WinVersion = GetWindowsVersion();
-	switch(WinVersion)
-	{
-	case WINDOWS_XP:
-		{
-
-			break;
-		}
-	case WINDOWS_7:
-		{
-			
-			break;
-
-		}
-	}
-}
-
-PVOID 
-	GetFunctionAddressByName(WCHAR *wzFunction)
-{
-	UNICODE_STRING uniFunction;  
-	PVOID AddrBase = NULL;
-	if (wzFunction && wcslen(wzFunction) > 0)
-	{
-		RtlInitUnicodeString(&uniFunction, wzFunction);      //常量指针
-		AddrBase = MmGetSystemRoutineAddress(&uniFunction);  //在System 进程  第一个模块  Ntosknrl.exe  ExportTable
-	}
-	return AddrBase;
-}
-
-
-
-
-
-
-BOOLEAN  GetProcessPathBySectionObject(PEPROCESS EProcess,WCHAR* wzProcessPath)
-{
-	PSECTION_OBJECT32   SectionObject32   = NULL;
-	PSECTION_OBJECT64   SectionObject64 = NULL;
-	PSEGMENT_OBJECT32   Segment32   = NULL;
-	PSEGMENT_OBJECT64   Segment64   = NULL;
-	PCONTROL_AREA32     ControlArea32 = NULL;
-	PCONTROL_AREA64     ControlArea64 = NULL;
-	PFILE_OBJECT        FileObject  = NULL;
-	BOOLEAN             bGetPath = FALSE;
-	switch(WinVersion)
-	{
-	case WINDOWS_XP:
-		{
-			SectionObjectOfEProcess = 0x138;
-			if (SectionObjectOfEProcess!=0&&MmIsAddressValid((PVOID)((ULONG_PTR)EProcess + SectionObjectOfEProcess)))
-			{
-				SectionObject32 = *(PSECTION_OBJECT32*)((ULONG_PTR)EProcess + SectionObjectOfEProcess);
-				if (SectionObject32 && MmIsAddressValid(SectionObject32))
-				{
-					Segment32 = (PSEGMENT_OBJECT32)(SectionObject32->Segment);
-					if (Segment32 && MmIsAddressValid(Segment32))
-					{
-						ControlArea32 = (PCONTROL_AREA32)(Segment32->ControlArea);
-						if (ControlArea32 && MmIsAddressValid(ControlArea32))
-						{
-							FileObject = ControlArea32->FilePointer;
-							if (FileObject&&MmIsAddressValid(FileObject))
-							{
-								bGetPath = GetPathByFileObject(FileObject, wzProcessPath);
-								if (!bGetPath)
-								{
-									DbgPrint("Error\r\n");
-								}
-							}
-						}
-					}
-				}
-			}
-			break;
-		}
-	case WINDOWS_7:
-		{
-			SectionObjectOfEProcess = 0x268;
-			if (SectionObjectOfEProcess!=0&&MmIsAddressValid((PVOID)((ULONG_PTR)EProcess + SectionObjectOfEProcess)))
-			{
-				SectionObject64 = *(PSECTION_OBJECT64*)((ULONG_PTR)EProcess + SectionObjectOfEProcess);
-
-				if (SectionObject64 && MmIsAddressValid(SectionObject64))
-				{
-					Segment64 = (PSEGMENT_OBJECT64)(SectionObject64->Segment);
-					if (Segment64 && MmIsAddressValid(Segment64))
-					{
-						ControlArea64 = (PCONTROL_AREA64)Segment64->ControlArea;
-						if (ControlArea64 && MmIsAddressValid(ControlArea64))
-						{
-							FileObject = (PFILE_OBJECT)ControlArea64->FilePointer;
-							if (FileObject&&MmIsAddressValid(FileObject))
-							{
-								FileObject = (PFILE_OBJECT)((ULONG_PTR)FileObject & 0xFFFFFFFFFFFFFFF0);
-								bGetPath = GetPathByFileObject(FileObject, wzProcessPath);
-								if (!bGetPath)
-								{
-									DbgPrint("Error\r\n");
-								}
-							}
-						}
-
-
-					}
-
-				}
-
-			}
-			break;
-		}
-	}
-
-}
-BOOLEAN GetPathByFileObject(PFILE_OBJECT FileObject, WCHAR* wzPath)
-{
-	BOOLEAN bGetPath = FALSE;
-	POBJECT_NAME_INFORMATION ObjectNameInformation = NULL;
-	__try
-	{
-		if (FileObject && MmIsAddressValid(FileObject) && wzPath)
-		{
-			if (NT_SUCCESS(IoQueryFileDosDeviceName(FileObject,&ObjectNameInformation)))   //注意该函数调用后要释放内存
-			{
-				wcsncpy(wzPath,ObjectNameInformation->Name.Buffer,ObjectNameInformation->Name.Length);
-				bGetPath = TRUE;
-				ExFreePool(ObjectNameInformation);
-			}
-			if (!bGetPath)
-			{
-				if (IoVolumeDeviceToDosName||RtlVolumeDeviceToDosName)
-				{
-					NTSTATUS  Status = STATUS_UNSUCCESSFUL;
-					ULONG_PTR ulRet= 0;
-					PVOID     Buffer = ExAllocatePool(PagedPool,0x1000);
-					if (Buffer)
-					{
-						// ObQueryNameString :C:\Program Files\VMware\VMware Tools\VMwareTray.exe
-						memset(Buffer, 0, 0x1000);
-						Status = ObQueryNameString(FileObject, (POBJECT_NAME_INFORMATION)Buffer, 0x1000, &ulRet);
-						if (NT_SUCCESS(Status))
-						{
-							POBJECT_NAME_INFORMATION Temp = (POBJECT_NAME_INFORMATION)Buffer;
-							WCHAR szHarddiskVolume[100] = L"\\Device\\HarddiskVolume";
-							if (Temp->Name.Buffer!=NULL)
-							{
-								if (Temp->Name.Length / sizeof(WCHAR) > wcslen(szHarddiskVolume) &&
-									!_wcsnicmp(Temp->Name.Buffer, szHarddiskVolume, wcslen(szHarddiskVolume)))
-								{
-									// 如果是以 "\\Device\\HarddiskVolume" 这样的形式存在的，那么再查询其卷名。
-									UNICODE_STRING uniDosName;
-									if (NT_SUCCESS(IoVolumeDeviceToDosName(FileObject->DeviceObject, &uniDosName)))
-									{
-										if (uniDosName.Buffer!=NULL)
-										{
-											wcsncpy(wzPath, uniDosName.Buffer, uniDosName.Length);
-											wcsncat(wzPath, Temp->Name.Buffer + wcslen(szHarddiskVolume) + 1, Temp->Name.Length - (wcslen(szHarddiskVolume) + 1));
-											bGetPath = TRUE;
-										}    
-										ExFreePool(uniDosName.Buffer);
-									}
-									else if (NT_SUCCESS(RtlVolumeDeviceToDosName(FileObject->DeviceObject, &uniDosName)))
-									{
-										if (uniDosName.Buffer!=NULL)
-										{
-											wcsncpy(wzPath, uniDosName.Buffer, uniDosName.Length);
-											wcsncat(wzPath, Temp->Name.Buffer + wcslen(szHarddiskVolume) + 1, Temp->Name.Length - (wcslen(szHarddiskVolume) + 1));
-											bGetPath = TRUE;
-										}    
-										ExFreePool(uniDosName.Buffer);
-									}
-								}
-								else
-								{
-									// 如果不是以 "\\Device\\HarddiskVolume" 这样的形式开头的，那么直接复制名称。
-									wcsncpy(wzPath, Temp->Name.Buffer, Temp->Name.Length);
-									bGetPath = TRUE;
-								}
-							}
-						}
-						ExFreePool(Buffer);
-					}
-				}
-			}
-		}
-	}
-	__except(1)
-	{
-		DbgPrint("GetPathByFileObject Catch __Except\r\n");
-		bGetPath = FALSE;
-	}
-	return bGetPath;
-}
-
-
-
-
-
-
-KIRQL 
-	SecCloseProtect()
-{
-	KIRQL Irql;
-
-	Irql = KeRaiseIrqlToDpcLevel();
-#ifdef _WIN64
-#else
-	_asm
-	{
-		CLI;					//	禁止中断
-		MOV EAX,CR0;  
-		AND EAX,NOT 10000H;		// CR0 16 BIT = 0
-		MOV CR0, EAX;        
-	}	
-#endif
-	return Irql;
-}
-
-
-VOID 
-	SecOpenProtect(KIRQL Irql)
-{
-#ifdef _WIN64
-#else
-	_asm 
-	{
-		MOV EAX,CR0;     
-		OR EAX,10000H;            
-		MOV CR0,EAX;           
-		STI;					//	开启中断
-	}
-#endif
-
-	KeLowerIrql(Irql);
-}
-
-
-
-PVOID __stdcall _CreateFileMap(PCWSTR SourceString, int a2, int a3)
-{
-	SECTION_IMAGE_INFORMATION SectionInformation; // [sp+8h] [bp-68h]@3
-	OBJECT_ATTRIBUTES ObjectAttributes; // [sp+38h] [bp-38h]@1
-	UNICODE_STRING DestinationString; // [sp+50h] [bp-20h]@1
-	struct _IO_STATUS_BLOCK IoStatusBlock; // [sp+58h] [bp-18h]@1
-	PVOID BaseAddress; // [sp+60h] [bp-10h]@1
-	ULONG_PTR ViewSize; // [sp+64h] [bp-Ch]@1
-	HANDLE FileHandle; // [sp+68h] [bp-8h]@1
-	HANDLE SectionHandle; // [sp+6Ch] [bp-4h]@1
-
-	IoStatusBlock.Status = 0;
-	IoStatusBlock.Information = 0;
-	BaseAddress = 0;
-	FileHandle = 0;
-	SectionHandle = 0;
-	ViewSize = 0;
-	RtlInitUnicodeString(&DestinationString, SourceString);
-	ObjectAttributes.ObjectName = &DestinationString;
-	ObjectAttributes.Length = 24;
-	ObjectAttributes.RootDirectory = 0;
-	ObjectAttributes.Attributes = 576;
-	ObjectAttributes.SecurityDescriptor = 0;
-	ObjectAttributes.SecurityQualityOfService = 0;
-	if ( ZwOpenFile(&FileHandle, FILE_SYNCHRONOUS_IO_NONALERT|FILE_RESERVE_OPFILTER|MEM_4MB_PAGES, &ObjectAttributes, 
-		&IoStatusBlock, FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE, 
-		FILE_ATTRIBUTE_DEVICE|FILE_ATTRIBUTE_ARCHIVE) >= 0 )
-	{//0x80100020    0x7  0x60
-		ObjectAttributes.ObjectName = 0;
-		//0xD 2 IMAGE_SECMENT = 0x100 0000
-		if ( ZwCreateSection(&SectionHandle, SECTION_MAP_EXECUTE|SECTION_MAP_READ|SECTION_MAP_WRITE, &ObjectAttributes,
-			0, PAGE_READONLY, 0x1000000u, FileHandle) >= 0
-			&& ZwQuerySection(SectionHandle, SectionImageInformation, &SectionInformation, 0x30u, 0) >= 0 )
-		{
-			if ( a2 )
-				*(int*)a2 = SectionInformation.ImageFileSize;
-			ZwMapViewOfSection(SectionHandle, (HANDLE)0xFFFFFFFF, &BaseAddress, 0, 0, 0, &ViewSize, ViewShare, 0, 0x20u);
-			if ( a3 )
-				*(int*)a3 = ViewSize;
-		}
-	}
-	if ( FileHandle )
-		ZwClose(FileHandle);
-	if ( SectionHandle )
-		ZwClose(SectionHandle);
-	return BaseAddress;
-}

Hook KiFastCallEntry/Common.h

@@ -1,326 +0,0 @@
-#pragma once
-#include "Monitor.h"
-
-
-//½ø³Ì¼à¿Ø
-#define CTL_MONITORPROCESS \
-	CTL_CODE(FILE_DEVICE_UNKNOWN,0x830,METHOD_NEITHER,FILE_ANY_ACCESS)
-#define CTL_GETRPROCESSINFOR \
-	CTL_CODE(FILE_DEVICE_UNKNOWN,0x831,METHOD_NEITHER,FILE_ANY_ACCESS)
-#define CTL_SUSMONITOR \
-	CTL_CODE(FILE_DEVICE_UNKNOWN,0x832,METHOD_NEITHER,FILE_ANY_ACCESS)
-#define CTL_SET_WHITE \
-	CTL_CODE(FILE_DEVICE_UNKNOWN,0x833,METHOD_NEITHER,FILE_ANY_ACCESS)
-#define CTL_SET_BLACK \
-	CTL_CODE(FILE_DEVICE_UNKNOWN,0x834,METHOD_NEITHER,FILE_ANY_ACCESS)
-
-
-
-#define CTL_GETFUNCBUFFER \
-	CTL_CODE(FILE_DEVICE_UNKNOWN,0x840,METHOD_NEITHER,FILE_ANY_ACCESS)
-#define CTL_SETFUNCEVENT \
-	CTL_CODE(FILE_DEVICE_UNKNOWN,0x841,METHOD_NEITHER,FILE_ANY_ACCESS)
-
-
-
-typedef struct _FUNC_DATA_{
-	ULONG pid;
-	ULONG tid;
-	ULONG sid;
-	UCHAR argc;
-	UCHAR bFromUser;
-	UCHAR bFromSSDT;
-	ULONG args[16];
-	LARGE_INTEGER time;
-	//LIST_ENTRY ListEntry;
-} FUNCDATA,*PFUNCDATA,**PPFUNCDATA;
-
-
-
-typedef struct _MSG_
-{
-	ULONG  ulCreate;
-	WCHAR wzProcessPath[512];
-}MSG,*PMSG;
-
-
-typedef enum WIN_VERSION {
-	WINDOWS_UNKNOW,
-	WINDOWS_XP,
-	WINDOWS_7,
-	WINDOWS_8,
-	WINDOWS_8_1
-} WIN_VERSION;
-
-WIN_VERSION GetWindowsVersion();
-PVOID 
-	GetFunctionAddressByName(WCHAR *wzFunction);
-typedef 
-	NTSTATUS 
-	(*pfnRtlGetVersion)(OUT PRTL_OSVERSIONINFOW lpVersionInformation);
-
-
-VOID InitGlobalVariable();
-
-
-BOOLEAN  GetProcessPathBySectionObject(PEPROCESS EProcess,WCHAR* wzProcessPath);
-BOOLEAN GetPathByFileObject(PFILE_OBJECT FileObject, WCHAR* wzPath);
-
-KIRQL 
-	SecCloseProtect();
-VOID 
-	SecOpenProtect(KIRQL Irql);
-
-typedef struct _CONTROL_AREA32
-{
-	PVOID Segment;
-	LIST_ENTRY DereferenceList;
-	ULONG32 NumberOfSectionReferences;
-	ULONG32 NumberOfPfnReferences;
-	ULONG32 NumberOfMappedViews;
-	ULONG32 NumberOfSystemCacheViews;
-	ULONG32 NumberOfUserReferences;
-	union
-	{
-		ULONG LongFlags;
-		ULONG Flags;
-	} u;
-	PFILE_OBJECT FilePointer; 
-} CONTROL_AREA32, *PCONTROL_AREA32;
-typedef  struct _CONTROL_AREA64
-{
-	PVOID Segment;
-	LIST_ENTRY DereferenceList;
-	ULONG64 NumberOfSectionReferences;
-	ULONG64 NumberOfPfnReferences;
-	ULONG64 NumberOfMappedViews;
-	ULONG64 NumberOfUserReferences;
-	union
-	{
-		ULONG LongFlags;
-		ULONG Flags;
-	} u;
-	PFILE_OBJECT FilePointer;
-}CONTROL_AREA64,*PCONTROL_AREA64;
-
-
-
-typedef struct  _SEGMENT_OBJECT32  
-{
-	struct _CONTROL_AREA32* ControlArea;
-	ULONG32  TotalNumberOfPtes;
-	ULONG32  NonExtendedPtes;
-	ULONG32  WritableUserReferences;
-	ULONG64  SizeOfSegment;
-	ULONG32  SegmentPteTemplate;
-	ULONG32  NumberOfCommittedPages;
-	PVOID    ExtendInfo;
-	PVOID    SystemImageBase;
-	PVOID    BasedAddress;
-	ULONG64  Unknown;
-	PVOID    PrototypePte;
-	ULONG32  ThePtes;
-}SEGMENT_OBJECT32,*PSEGMENT_OBJECT32;
-typedef struct  _SEGMENT_OBJECT64
-{
-	struct _CONTROL_AREA64* ControlArea;
-	ULONG32  TotalNumberOfPtes;
-	ULONG32  SegmentFlags;
-	ULONG64  NumberOfCommittedPages;
-	ULONG64  SizeOfSegment;
-	union  
-	{
-		ULONG64 ExtendInfo;
-		ULONG64 BasedAddress;
-	}Unknow;
-	ULONG64 SegmentLock;
-	ULONG64 u1;
-	ULONG64 u2;
-	ULONG64 PrototypePte;
-	ULONG64 ThePtes;
-}SEGMENT_OBJECT64,*PSEGMENT_OBJECT64;
-
-
-
-
-typedef struct _SECTION_OBJECT32 
-{
-	PVOID StartingVa;
-	PVOID EndingVa;
-	PVOID Parent;
-	PVOID LeftChild;
-	PVOID RightChild;
-	struct _SEGMENT_OBJECT32* Segment; 
-}SECTION_OBJECT32,*PSECTION_OBJECT32;
-typedef struct _SECTION_OBJECT64
-{
-	PVOID StartingVa;
-	PVOID EndingVa;
-	PVOID Parent;
-	PVOID LeftChild;
-	PVOID RightChild;
-	struct _SEGMENT_OBJECT64* Segment; 
-}SECTION_OBJECT64,*PSECTION_OBJECT64;
-
-
-
-
-typedef enum _SECTION_INFORMATION_CLASS {
-	SectionBasicInformation,
-	SectionImageInformation,
-	MaxSectionInfoClass  // MaxSectionInfoClass should always be the last enum
-} SECTION_INFORMATION_CLASS;
-
-
-typedef struct _SECTION_IMAGE_INFORMATION {
-	PVOID TransferAddress;
-	ULONG ZeroBits;
-	SIZE_T MaximumStackSize;
-	SIZE_T CommittedStackSize;
-	ULONG SubSystemType;
-	union {
-		struct {
-			USHORT SubSystemMinorVersion;
-			USHORT SubSystemMajorVersion;
-		};
-		ULONG SubSystemVersion;
-	};
-	ULONG GpValue;
-	USHORT ImageCharacteristics;
-	USHORT DllCharacteristics;
-	USHORT Machine;
-	BOOLEAN ImageContainsCode;
-	BOOLEAN Spare1;
-	ULONG LoaderFlags;
-	ULONG ImageFileSize;
-	ULONG Reserved[ 1 ];
-} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;
-
-
-
-extern
-	NTSTATUS
-	NTAPI
-	ZwQuerySection (
-	__in HANDLE SectionHandle,
-	__in SECTION_INFORMATION_CLASS SectionInformationClass,
-	__out_bcount(SectionInformationLength) PVOID SectionInformation,
-	__in SIZE_T SectionInformationLength,
-	__out_opt PSIZE_T ReturnLength
-	);
-
-
-typedef  enum _SYSTEM_INFORMATION_CLASS  
-{
-	SystemBasicInformation,  
-	SystemProcessorInformation,  
-	SystemPerformanceInformation,    
-	SystemTimeOfDayInformation,    
-	SystemPathInformation,    
-	SystemProcessInformation,    
-	SystemCallCountInformation,    
-	SystemDeviceInformation,    
-	SystemProcessorPerformanceInformation,    
-	SystemFlagsInformation,    
-	SystemCallTimeInformation,    
-	SystemModuleInformation,    
-	SystemLocksInformation,   
-	SystemStackTraceInformation,    
-	SystemPagedPoolInformation, 
-	SystemNonPagedPoolInformation,    
-	SystemHandleInformation, 
-	SystemObjectInformation,    
-	SystemPageFileInformation,    
-	SystemVdmInstemulInformation,    
-	SystemVdmBopInformation,   
-	SystemFileCacheInformation,   
-	SystemPoolTagInformation,    
-	SystemInterruptInformation,   
-	SystemDpcBehaviorInformation,   
-	SystemFullMemoryInformation,   
-	SystemLoadGdiDriverInformation,   
-	SystemUnloadGdiDriverInformation,   
-	SystemTimeAdjustmentInformation,   
-	SystemSummaryMemoryInformation, 
-	SystemMirrorMemoryInformation, 
-	SystemPerformanceTraceInformation,   
-	SystemObsolete0, 
-	SystemExceptionInformation,   
-	SystemCrashDumpStateInformation,    
-	SystemKernelDebuggerInformation,    
-	SystemContextSwitchInformation,    
-	SystemRegistryQuotaInformation,    
-	SystemExtendServiceTableInformation,   
-	SystemPrioritySeperation,   
-	SystemVerifierAddDriverInformation,    
-	SystemVerifierRemoveDriverInformation,    
-	SystemProcessorIdleInformation,   
-	SystemLegacyDriverInformation,
-	SystemCurrentTimeZoneInformation,   
-	SystemLookasideInformation,   
-	SystemTimeSlipNotification,   
-	SystemSessionCreate,
-	SystemSessionDetach,    
-	SystemSessionInformation,    
-	SystemRangeStartInformation ,   
-	SystemVerifierInformation ,   
-	SystemVerifierThunkExtend,    
-	SystemSessionProcessInformation,    
-	SystemLoadGdiDriverInSystemSpace,    
-	SystemNumaProcessorMap,    
-	SystemPrefetcherInformation,    
-	SystemExtendedProcessInformation,    
-	SystemRecommendedSharedDataAlignment,    
-	SystemComPlusPackage,    
-	SystemNumaAvailableMemory,    
-	SystemProcessorPowerInformation,    
-	SystemEmulationBasicInformation,    
-	SystemEmulationProcessorInformation,    
-	SystemExtendedHandleInformation,    
-	SystemLostDelayedWriteInformation,    
-	SystemBigPoolInformation,    
-	SystemSessionPoolTagInformation,    
-	SystemSessionMappedViewInformation,    
-	SystemHotpatchInformation,    
-	SystemObjectSecurityMode,    
-	SystemWatchdogTimerHandler,   
-	SystemWatchdogTimerInformation,    
-	SystemLogicalProcessorInformation,    
-	SystemWow64SharedInformation,    
-	SystemRegisterFirmwareTableInformationHandler,    
-	SystemFirmwareTableInformation,    
-	SystemModuleInformationEx,    
-	SystemVerifierTriageInformation,    
-	SystemSuperfetchInformation,    
-	SystemMemoryListInformation,    
-	SystemFileCacheInformationEx,    
-	MaxSystemInfoClass  
-
-} SYSTEM_INFORMATION_CLASS;
-
-typedef unsigned char BYTE;
-
-typedef unsigned char *LPBYTE;
-
-typedef unsigned char *PBYTE;
-
-typedef long BOOL;
-
-typedef ULONG DWORD;
-
-typedef ULONG *PDWORD;
-
-typedef unsigned short WORD;
-
-typedef unsigned int UINT;
-
-typedef UINT_PTR WPARAM;
-
-typedef LONG_PTR LPARAM;
-
-typedef ULONG FARADDRESS;
-
-typedef void* HDESK;
-
-typedef void* LPVOID;
-#define CALLBACK __stdcall

Hook KiFastCallEntry/HookKiFastCallEntry.h

@@ -1,505 +0,0 @@
-#pragma once
-
-#include "Monitor.h"
-#include <ntimage.h>
-typedef unsigned char  BYTE, *PBYTE;
-#define  LOBYTE(w) ((BYTE)(SHORT)(w))
-#define  HIBYTE(w) ((BYTE)((SHORT)(w)>>8))
-#define HIWORD(w) ((SHORT)((ULONG)(w))>>16)
-#define HIDWORD(w) ((ULONG)(((LONGLONG)(w)>>32)&0xFFFFFFFF))
-
-
-typedef HANDLE HWND;
-
-
-typedef struct _KSERVICE_TABLE_DESCRIPTOR {
-	PULONG_PTR Base;
-	PULONG Count;
-	ULONG Limit;
-	PUCHAR Number;
-} KSERVICE_TABLE_DESCRIPTOR, *PKSERVICE_TABLE_DESCRIPTOR;
-
-int (__stdcall *OriZwDisplayStringAddress)(int);
-
-NTSTATUS _KisInstallKiFastCallEntryHook();
-NTSTATUS _HookZwDisplayString();
-ULONG __stdcall _FakeZwDisplayString(PCUNICODE_STRING StringTest);
-ULONG __stdcall _GetKiFastCallEntryRetuanAddress(PVOID VirtualAddress);
-
-
-NTSTATUS __stdcall _KisGetKiFastCallEntryMoveEbxAddress(ULONG StartAddress, ULONG Size, ULONG *MoveEbxAddress);
-ULONG __stdcall _KisGetKiFastCallEntryHookAddress(ULONG StartAddress, ULONG Length, ULONG *MmUserProbeAddress1);
-NTSTATUS __stdcall _KisHookKiFastCallEntryPoint(ULONG HookAddress);
-
-VOID _KifakeFastCallEntry();
-
-ULONG __stdcall HookKiFastCallEntry(signed __int64 *a1, signed __int64 a2);
-
-NTSTATUS _KisHookKiFastCallEntry();
-ULONG __stdcall _KisSyscallFilter(ULONG FuncAddress,ULONG edx  ,ULONG Index ,ULONG Argc, PVOID SSDTBase);
-//VOID __stdcall Filter(ULONG ServiceId, ULONG TableBase, ULONG Argc, ULONG StackAddr)
-
-VOID SetFakeFunction();
-
-
-NTSYSAPI
-	PIMAGE_NT_HEADERS
-	NTAPI
-	RtlImageNtHeader(PVOID Base);
-
-NTSTATUS FuncMonitorDeviceControl(ULONG_PTR  uIoControlCode,PVOID InputBuffer,ULONG_PTR uInSize,PVOID OutputBuffer,ULONG_PTR uOutSize);
-
-PVOID 
-	GetFunctionAddressByNameFromNtosExport(WCHAR *wzFunctionName);
-PVOID GetKeShadowServiceDescriptorTable32();
-PVOID GetKeShadowServiceDescriptorTable64();
-
-typedef struct _XBoxData_ {
-	ULONG pid;
-	ULONG tid;
-	ULONG sid;
-	UCHAR argc;
-	UCHAR bFromUser;
-	UCHAR bFromSSDT;
-	ULONG args[16];
-	LARGE_INTEGER time;
-	LIST_ENTRY ListEntry;
-} XBoxData, *PXBoxData, **PPXBoxData;
-
-NTSTATUS FuncEventToKernelEvent(PULONG_PTR InputBuffer,ULONG_PTR InSize);
-
-
-#define SDOW_MAX_NUM 850
-#define SSDT_MAX_NUM 500
-#define FSD_MAX_NUM 56
-#define KBD_MAX_NUM 28
-#define IDT_MAX_NUM 256
-#define MAX_REASON 350
-#define OPCODE_LEN 10
-#define SYSMODULE_MAX 256
-
-#define SSDT_MAX_HOOK_INDEX 30
-
-enum _SSDT_HOOK_INDEX
-{
-	SSDT_NTOPENPROCESS_INDEX = 0,
-	SSDT_NTCREATETHREAD_INDEX = 1,
-	SSDT_NTOPENTHREAD_INDEX = 2,
-	SSDT_NTWRITEVIRTUALMEMORY_INDEX = 3,
-	SSDT_NTDUPLICATEOBJECT_INDEX = 4,
-	SSDT_NTSETSYSTEMINFORMATION_INDEX = 5,
-	SSDT_NTQUEUEAPCTHREAD_INDEX  = 6 ,
-	SSDT_NTDEBUGACTIVEPROCESS_INDEX = 7,
-	SSDT_NTREMOVEPROCESSDEBUG_INDEX = 8
-
-}SSDT_HOOK_INDEX;
-
-enum _SHADOW_SSDT_HOOK_INDEX
-{
-	SHADOWSSDT_NTUSERFINDWINDOWSEX_INDEX = 0,
-	SHADOWSSDT_NTUSERQUERYWINDOW_INDEX = 1 ,
-	SHADOWSSDT_NTUSERSETWINDOWSHOOKEX_INDEX =  2,
-	SHADOWSSDT_NTUSERBUILDHWNDLIST_INDEX = 3,
-	SHADOWSSDT_NTUSERWINDOWFROMPOINT_INDEX = 4,
-	SHADOWSSDT_NTUSERSETPARENT_INDEX = 5,
-	SHADOWSSDT_NTUSERPOSTMESSAGE_INDEX = 6,
-	SHADOWSSDT_NTUSERMESSAGECALL_INDEX = 7,
-	SHADOWSSDT_NTUSERDESTROYWINDOW_INDEX = 8,
-	SHADOWSSDT_NTUSERSHOWWINDOW_INDEX = 9,
-	SHADOWSSDT_NTUSERSETWINDOWLONG_INDEX = 10 ,
-	SHADOWSSDT_NTUSERINTERNALGETWINDOWTEXT_INDEX = 11,
-	SHADOWSSDT_NTUSERSETWINDOWPOS_INDEX = 12 ,
-	SHADOWSSDT_NTUSERGETCLASSNAME_INDEX = 13 ,
-	SHADOWSSDT_NTUSERGETWINDOWPLACEMENT_INDEX = 14,
-	SHADOWSSDT_NTUSERGETFOREGROUNDWINDOW_INDEX    = 15
-
-}SHADOW_SSDT_HOOK_INDEX;
-
-#define SSDT_FILTER_NUM 500
-#define SHADOWSSDT_FILTER_NUM 850
-
-#define SECTIONOBJECT 0x138 //_EPROCESS中SectionObject的offset
-#define SEGMENT 0x014 //_SECTION_OBJECT中Segment的//
-#define CONTROLAREA 0x000 //_SEGMENT中ControlArea的offset
-#define FILEPOINTER 0x024 //_CONTROL_AREA中FilePointer的offset
-
-
-
-//TEB初始化
-typedef struct _INITIAL_TEB {
-	struct {
-		PVOID OldStackBase;
-		PVOID OldStackLimit;
-	} OldInitialTeb;
-	PVOID StackBase;
-	PVOID StackLimit;
-	PVOID StackAllocationBase;
-} INITIAL_TEB, *PINITIAL_TEB;
-
-
-
-typedef struct _SYSCALL_FILTER_INFO_TABLE
-{
-	ULONG ulKiFastCallEntry;
-	ULONG ulNewRetKiFastCallEntry;
-
-	UCHAR HookCode[13];
-	ULONG ulCopyLength;
-
-	ULONG ulSSDTAddr;
-	ULONG ulSHADOWSSDTAddr;
-
-	ULONG ulSSDTNum;
-	ULONG ulSHADOWSSDTNum;
-
-	ULONG FastCallType;
-
-	ULONG SavedSSDTTable[SSDT_FILTER_NUM];                  //SSDT原始函数地址表
-	ULONG ProxySSDTTable[SSDT_FILTER_NUM];            //SSDT代理函数地址表
-	ULONG SSDTServiceIndex[SSDT_MAX_HOOK_INDEX];
-	ULONG SSDTSwitchTable[SSDT_FILTER_NUM];              //SSDT Hook开关表
-
-	ULONG SavedShadowSSDTTable[SHADOWSSDT_FILTER_NUM];            //ShadowSSDT原始函数地址表
-	ULONG ProxyShadowSSDTTable[SHADOWSSDT_FILTER_NUM];      //ShadowSSDT代理函数地址表
-	ULONG ShadowSSDTServiceIndex[SSDT_MAX_HOOK_INDEX];
-	ULONG ShadowSSDTSwitchTable[SHADOWSSDT_FILTER_NUM];  //ShadowSSDT Hook开关表
-
-
-	ULONG ulEPROCESSPidOffset;	
-
-}SYSCALL_FILTER_INFO_TABLE,*PSYSCALL_FILTER_INFO_TABLE;
-
-
-typedef BOOL (*NTUSERPOSTTHREADMESSAGE)
-	(
-	DWORD idThread, 
-	UINT Msg, 
-	WPARAM wParam, 
-	LPARAM lParam
-	);
-
-
-
-typedef NTSTATUS (*NTDUPLICATEOBJECT)
-	(
-	IN HANDLE SourceProcessHandle,
-	IN HANDLE SourceHandle,
-	IN HANDLE TargetProcessHandle,
-	OUT PHANDLE TargetHandle OPTIONAL,
-	IN ACCESS_MASK DesiredAccess,
-	IN ULONG Attributes,
-	IN ULONG Options
-	);
-
-typedef NTSTATUS (*NTCREATEDEBUGOBJECT)
-	(
-	OUT PHANDLE  DebugObjectHandle,  
-	IN ACCESS_MASK  DesiredAccess,  
-	IN POBJECT_ATTRIBUTES  ObjectAttributes,  
-	IN ULONG  Flags   
-	);
-
-typedef NTSTATUS (*NTQUEUEAPCTHREAD)
-	(
-	IN HANDLE ThreadHandle,
-	IN PKNORMAL_ROUTINE ApcRoutine,
-	IN PVOID ApcContext OPTIONAL,
-	IN PVOID Argument1 OPTIONAL,
-	IN PVOID Argument2 OPTIONAL
-	);
-
-typedef NTSTATUS (*NTSETTHREADCONTEXT)
-	(
-	IN HANDLE hThread,
-	IN PCONTEXT pContext
-	);
-
-
-
-typedef NTSTATUS (*HOOKPROC)(int code, WPARAM wParam, LPARAM lParam);
-
-
-typedef NTSTATUS (*NTSETSYSTEMINFORMATION)(
-	__in SYSTEM_INFORMATION_CLASS SystemInformationClass,
-	__inout PVOID SystemInformation,
-	__in ULONG SystemInformationLength);
-
-
-NTSTATUS FakeNtSetSystemInformation(
-	__in SYSTEM_INFORMATION_CLASS SystemInformationClass,
-	__inout PVOID SystemInformation,
-	__in ULONG SystemInformationLength);
-
-typedef NTSTATUS (*NTOPENPROCESS) (
-	__out PHANDLE ProcessHandle,
-	__in ACCESS_MASK DesiredAccess,
-	__in POBJECT_ATTRIBUTES ObjectAttributes,
-	__in_opt PCLIENT_ID ClientId);
-
-
-NTSTATUS FakeNtOpenProcess (
-	__out PHANDLE ProcessHandle,
-	__in ACCESS_MASK DesiredAccess,
-	__in POBJECT_ATTRIBUTES ObjectAttributes,
-	__in_opt PCLIENT_ID ClientId
-	);
-
-
-NTSTATUS FakeNtCreateThread(
-	__out PHANDLE ThreadHandle,
-	__in ACCESS_MASK DesiredAccess,
-	__in_opt POBJECT_ATTRIBUTES ObjectAttributes,
-	__in HANDLE ProcessHandle,
-	__out PCLIENT_ID ClientId,
-	__in PCONTEXT ThreadContext,
-	__in PINITIAL_TEB InitialTeb,
-	__in BOOLEAN CreateSuspended
-	);
-
-typedef NTSTATUS (*NTCREATETHREAD)(
-	__out PHANDLE ThreadHandle,
-	__in ACCESS_MASK DesiredAccess,
-	__in_opt POBJECT_ATTRIBUTES ObjectAttributes,
-	__in HANDLE ProcessHandle,
-	__out PCLIENT_ID ClientId,
-	__in PCONTEXT ThreadContext,
-	__in PINITIAL_TEB InitialTeb,
-	__in BOOLEAN CreateSuspended);
-
-typedef NTSTATUS (*NTOPENTHREAD) (
-	__out PHANDLE ThreadHandle,
-	__in ACCESS_MASK DesiredAccess,
-	__in POBJECT_ATTRIBUTES ObjectAttributes,
-	__in_opt PCLIENT_ID ClientId);
-
-NTSTATUS FakeNtOpenThread (
-	__out PHANDLE ThreadHandle,
-	__in ACCESS_MASK DesiredAccess,
-	__in POBJECT_ATTRIBUTES ObjectAttributes,
-	__in_opt PCLIENT_ID ClientId
-	);
-
-
-typedef NTSTATUS (*NTWRITEVIRTUALMEMORY)(
-	__in HANDLE ProcessHandle,
-	__in_opt PVOID BaseAddress,
-	__in_bcount(BufferSize) CONST VOID *Buffer,
-	__in SIZE_T BufferSize,
-	__out_opt PSIZE_T NumberOfBytesWritten);
-
-NTSTATUS FakeNtWriteVirtualMemory(
-	__in HANDLE ProcessHandle,
-	__in_opt PVOID BaseAddress,
-	__in_bcount(BufferSize) CONST VOID *Buffer,
-	__in SIZE_T BufferSize,
-	__out_opt PSIZE_T NumberOfBytesWritten
-	);
-
-
-typedef NTSTATUS (*NTDUPLICATEOBJECT)(
-	__in HANDLE SourceProcessHandle,
-	__in HANDLE SourceHandle,
-	__in_opt HANDLE TargetProcessHandle,
-	__out_opt PHANDLE TargetHandle,
-	__in ACCESS_MASK DesiredAccess,
-	__in ULONG HandleAttributes,
-	__in ULONG Options);
-
-NTSTATUS FakeNtDuplicateObject (
-	__in HANDLE SourceProcessHandle,
-	__in HANDLE SourceHandle,
-	__in_opt HANDLE TargetProcessHandle,
-	__out_opt PHANDLE TargetHandle,
-	__in ACCESS_MASK DesiredAccess,
-	__in ULONG HandleAttributes,
-	__in ULONG Options);
-
-typedef NTSTATUS (*NTDEBUGACTIVEPROCESS)  ( IN HANDLE  ProcessHandle,  
-	IN HANDLE  DebugObjectHandle   
-	);
-
-NTSTATUS FakeNtDebugActiveProcess  (IN HANDLE  ProcessHandle,  
-	IN HANDLE  DebugObjectHandle   
-	);
-
-typedef NTSTATUS (*NTREMOVEPROCESSDEBUG)  ( IN HANDLE  ProcessHandle,  
-	IN HANDLE  DebugObjectHandle   
-	);
-
-NTSTATUS FakeNtRemoveProcessDebug  ( IN HANDLE  ProcessHandle,  
-	IN HANDLE  DebugObjectHandle   
-	) ;
-
-/************************窗口过滤相关函数********************************/
-
-typedef HWND (*NTUSERFINDWINDOWEX)(
-	__in HWND hwndParent, 
-	__in HWND hwndChild, 
-	__in PUNICODE_STRING pstrClassName OPTIONAL, 
-	__in PUNICODE_STRING pstrWindowName OPTIONAL, 
-	__in DWORD dwType);
-
-HWND FakeNtUserFindWindowEx(
-	__in HWND hwndParent, 
-	__in HWND hwndChild, 
-	__in PUNICODE_STRING pstrClassName OPTIONAL, 
-	__in PUNICODE_STRING pstrWindowName OPTIONAL, 
-	__in DWORD dwType);
-
-
-typedef UINT_PTR (*NTUSERQUERYWINDOW)(
-	IN ULONG WindowHandle,
-	IN ULONG TypeInformation);
-
-UINT_PTR FakeNtUserQueryWindow(
-	IN ULONG WindowHandle,
-	IN ULONG TypeInformation);
-
-
-
-typedef
-	NTSTATUS (*NtQUEUEAPCTHREAD)(
-	IN HANDLE ThreadHandle,
-	IN PKNORMAL_ROUTINE ApcRoutine,
-	IN PVOID ApcContext OPTIONAL,
-	IN PVOID Argument1 OPTIONAL,
-	IN PVOID Argument2 OPTIONAL
-	);
-
-NTSTATUS
-	NTAPI FakeNtQueueApcThread(
-	IN HANDLE ThreadHandle,
-	IN PKNORMAL_ROUTINE ApcRoutine,
-	IN PVOID ApcContext OPTIONAL,
-	IN PVOID Argument1 OPTIONAL,
-	IN PVOID Argument2 OPTIONAL
-	);
-
-
-typedef HANDLE (*NTUSERSETWINDOWSHOOKEX)(IN HANDLE Mod,
-	IN PUNICODE_STRING UnsafeModuleName,
-	IN DWORD ThreadId,
-	IN INT HookId,
-	IN HOOKPROC HookProc,
-	IN BOOL Ansi);
-
-
-HANDLE  FakeNtUserSetWindowsHookEx(HANDLE Mod,
-	PUNICODE_STRING UnsafeModuleName,
-	DWORD ThreadId,
-	INT HookId,
-	HOOKPROC HookProc,
-	BOOL Ansi);
-
-
-typedef NTSTATUS (*NTUSERBUILDHWNDLIST)(
-	IN HDESK hdesk, 
-	IN HWND hwndNext, 
-	IN ULONG fEnumChildren, 
-	IN DWORD idThread, 
-	IN UINT cHwndMax, 
-	OUT HWND *phwndFirst, 
-	OUT ULONG* pcHwndNeeded);
-
-
-
-NTSTATUS FakeNtUserBuildHwndList(
-	IN HDESK hdesk, 
-	IN HWND hwndNext, 
-	IN ULONG fEnumChildren, 
-	IN DWORD idThread, 
-	IN UINT cHwndMax, 
-	OUT HWND *phwndFirst, 
-	OUT ULONG* pcHwndNeeded);
-
-typedef ULONG (*NTUSERWINDOWFROMPOINT)(LONG x, LONG y);
-
-ULONG FakeNtUserWindowFromPoint(LONG x, LONG y);
-
-typedef HWND (*NTUSERSETPARENT)(HWND hWndChild,HWND hWndNewParent);
-
-HWND FakeNtUserSetParent(HWND hWndChild,HWND hWndNewParent);
-
-typedef BOOL (*NTUSERPOSTMESSAGE)(HWND hWnd,UINT Msg,WPARAM wParam,LPARAM lParam);
-
-
-BOOL FakeNtUserPostMessage(HWND hWnd,UINT Msg,WPARAM wParam,LPARAM lParam);
-
-typedef ULONG (*NTUSERMESSAGECALL)(
-	HWND hwnd, 
-	UINT msg,
-	WPARAM wParam,
-	LPARAM lParam,
-	PULONG xParam,
-	ULONG xpfnProc,
-	BOOL bAnsi
-	);
-
-ULONG FakeNtUserMessageCall(
-	HWND hwnd, 
-	UINT msg,
-	WPARAM wParam,
-	LPARAM lParam,
-	PULONG xParam,
-	ULONG xpfnProc,
-	BOOL bAnsi
-	);
-
-typedef BOOL (*NTUSERDESTROYWINDOW)(HWND hWnd);
-
-BOOL FakeNtUserDestroyWindow( HWND hWnd );
-
-typedef BOOL (*NTUSERSHOWWINDOW)(HWND hWnd,long nCmdShow);
-
-BOOL FakeNtUserShowWindow(HWND hWnd,long nCmdShow);
-
-typedef long (*NTUSERSETWINDOWLONG)(HWND hWnd, ULONG Index, long NewValue, BOOL Ansi);
-
-long FakeNtUserSetWindowLong(HWND hWnd, ULONG Index, long NewValue, BOOL Ansi);
-
-typedef INT (*NTUSERINTERNALGETWINDOWTEXT)(HWND hWnd, LPWSTR lpString, INT nMaxCount);
-
-INT CALLBACK FakeNtUserInternalGetWindowText(HWND hWnd, LPWSTR lpString, INT nMaxCount);
-
-
-typedef BOOL (*NTUSERSETWINDOWPOS)(
-	HWND hWnd,
-	HWND hWndInsertAfter,
-	int X,
-	int Y,
-	int cx,
-	int cy,
-	UINT uFlags);
-
-BOOL CALLBACK
-	FakeNtUserSetWindowPos(
-	HWND hWnd,
-	HWND hWndInsertAfter,
-	int X,
-	int Y,
-	int cx,
-	int cy,
-	UINT uFlags);
-
-typedef (*NTUSERGETCLASSNAME)(IN HWND hWnd,
-	OUT PUNICODE_STRING ClassName,
-	IN BOOL Ansi);
-
-INT CALLBACK
-	FakeNtUserGetClassName (IN HWND hWnd,
-	OUT PUNICODE_STRING ClassName,
-	IN BOOL Ansi);
-
-typedef BOOL (*NTUSERGETWINDOWPLACEMENT)(HWND hWnd,
-	void* lpwndpl);
-
-
-BOOL CALLBACK
-	FakeNtUserGetWindowPlacement(HWND hWnd,
-	void* lpwndpl);
-
-typedef ULONG (*NTUSERGETFOREGROUNDWINDOW)(VOID);
-
-
-ULONG FakeNtUserGetForegroundWindow(VOID);
-/*****************************************************************************************************/

Hook KiFastCallEntry/Monitor.c

@@ -1,75 +0,0 @@
-
-#ifndef CXX_MONITOR_H
-#	include "Monitor.h"
-#include "HookKiFastCallEntry.h"
-#endif
-
-
-
-extern BOOLEAN         IsClear;//资源是否销毁 
-
-extern PKSERVICE_TABLE_DESCRIPTOR KeServiceDescriptorTable;
-WCHAR FirstModulePath[260] = {0};
-ULONG_PTR FirstModuleBase = 0;
-ULONG_PTR FirstModuleSize = 0;
-NTSTATUS
-DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING pRegistryString)
-{
-	NTSTATUS		status = STATUS_SUCCESS;
-
-
-	// Unload routine
-	DriverObject->DriverUnload = DriverUnload;
-
-
-
-	
-	InitGlobalVariable();
-
-	GetFirstModuleInformation(DriverObject);
-
-	_KisInstallKiFastCallEntryHook();
-
-	return STATUS_SUCCESS;
-}
-
-
-VOID GetFirstModuleInformation(PDRIVER_OBJECT DriverObject)
-{
-	  ULONG Base=0;//模块基地址
-    LDR_DATA_TABLE_ENTRY* SectionBase=NULL;
-    LIST_ENTRY* Entry=NULL;
-    LIST_ENTRY InLoadOrderLinks;
-    Entry=((LIST_ENTRY*)DriverObject->DriverSection)->Flink;
-    do
-    {
-        SectionBase=CONTAINING_RECORD(Entry,LDR_DATA_TABLE_ENTRY,InLoadOrderLinks);//得到这个Entry所属的Section的地址，此方法经过验证可行
-        if (SectionBase->EntryPoint&&SectionBase->BaseDllName.Buffer&&SectionBase->FullDllName.Buffer&&
-            SectionBase->LoadCount
-            )
-        {
-			if(wcscmp(SectionBase->BaseDllName.Buffer,L"ntkrnlpa.exe")!=0)
-			{
-				wcsncpy(FirstModulePath,SectionBase->FullDllName.Buffer,SectionBase->FullDllName.Length);
-				FirstModuleBase= SectionBase->DllBase;
-				FirstModuleSize = SectionBase->SizeOfImage;
-				DbgPrint("第一模块名称:%wZ,地址:%x\r\n",&(SectionBase->FullDllName),SectionBase->DllBase);
-				break;
-			}
-			DbgPrint("第一模块名称:%wZ,地址:%x\n",&(SectionBase->FullDllName),SectionBase->DllBase);
-			
-  
-        }
-        Entry=Entry->Flink;
-    }while(Entry!=((LIST_ENTRY*)DriverObject->DriverSection)->Flink);//直到遍历回来
-}
-
-
-
-
-VOID
-	DriverUnload(IN PDRIVER_OBJECT DriverObject)
-{	
-
-	return;
-}

Hook KiFastCallEntry/Monitor.h

@@ -1,64 +0,0 @@
-/***************************************************************************************
-* AUTHOR : MZ
-* DATE   : 2016-2-12
-* MODULE : Monitor.H
-*
-* IOCTRL Sample Driver
-*
-* Description:
-*		Demonstrates communications between USER and KERNEL.
-*
-****************************************************************************************
-* Copyright (C) 2010 MZ.
-****************************************************************************************/
-
-#ifndef CXX_MONITOR_H
-#define CXX_MONITOR_H
-
-#include <ntifs.h>
-#include <devioctl.h>
-#include "Common.h"
-
-
-#define DEVICE_NAME   L"\\Device\\MonitorDeviceName"
-#define LINK_NAME       L"\\DosDevices\\MonitorLinkName"
-
-NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING pRegistryString);
-VOID DriverUnload(IN PDRIVER_OBJECT DriverObject);
-NTSTATUS DispatchDeviceControl(IN PDEVICE_OBJECT DeviceObject, IN PIRP pIrp);
-NTSTATUS
-	DefaultPassThrough(PDEVICE_OBJECT  DeviceObject,PIRP Irp);
-
-
-VOID GetFirstModuleInformation(PDRIVER_OBJECT DriverObject);
-typedef struct _LDR_DATA_TABLE_ENTRY
-{
-	LIST_ENTRY InLoadOrderLinks;
-	LIST_ENTRY InMemoryOrderLinks;
-	LIST_ENTRY InInitializationOrderLinks;
-	PVOID DllBase;
-	PVOID EntryPoint;
-	ULONG SizeOfImage;
-	UNICODE_STRING FullDllName;
-	UNICODE_STRING BaseDllName;
-	ULONG Flags;
-	USHORT LoadCount;
-	USHORT TlsIndex;
-	union
-	{
-		LIST_ENTRY HashLinks;
-		struct
-		{
-			PVOID SectionPointer;
-			ULONG CheckSum;
-		};
-	};
-	union
-	{
-		ULONG TimeDateStamp;
-		PVOID LoadedImports;
-	};
-	PVOID EntryPointActivationContext;
-	PVOID PatchInformation;
-} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
-#endif	

Hook KiFastCallEntry/Monitor.sln

@@ -1,16 +0,0 @@
-Microsoft Visual Studio Solution File, Format Version 11.00
-# Visual Studio 2010
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Monitor", "Monitor.vcxproj", "{4EE67C57-BE79-4CD7-B3B0-94AECE62DB41}"
-EndProject
-Global
-	GlobalSection(SolutionConfigurationPlatforms) = preSolution
-		WinDDK|Win32 = WinDDK|Win32
-	EndGlobalSection
-	GlobalSection(ProjectConfigurationPlatforms) = postSolution
-		{4EE67C57-BE79-4CD7-B3B0-94AECE62DB41}.WinDDK|Win32.ActiveCfg = WinDDK|Win32
-		{4EE67C57-BE79-4CD7-B3B0-94AECE62DB41}.WinDDK|Win32.Build.0 = WinDDK|Win32
-	EndGlobalSection
-	GlobalSection(SolutionProperties) = preSolution
-		HideSolutionNode = FALSE
-	EndGlobalSection
-EndGlobal

Hook KiFastCallEntry/Monitor.vcxproj

@@ -1,73 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
-  <ItemGroup Label="ProjectConfigurations">
-    <ProjectConfiguration Include="WinDDK|Win32">
-      <Configuration>WinDDK</Configuration>
-      <Platform>Win32</Platform>
-    </ProjectConfiguration>
-  </ItemGroup>
-  <PropertyGroup Label="Globals">
-    <ProjectGuid>{4EE67C57-BE79-4CD7-B3B0-94AECE62DB41}</ProjectGuid>
-    <Keyword>Win32Proj</Keyword>
-    <RootNamespace>"Monitor"</RootNamespace>
-  </PropertyGroup>
-  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
-  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
-  <ImportGroup Label="ExtensionSettings">
-  </ImportGroup>
-  <PropertyGroup Label="UserMacros" />
-  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='WinDDK|Win32'">
-    <TargetExt>.sys</TargetExt>
-    <GenerateManifest>false</GenerateManifest>
-    <ExecutablePath>$(WLHBASE)\bin\x86\x86;$(WLHBASE)\bin\x86</ExecutablePath>
-    <IncludePath>$(WLHBASE)\inc\api;$(WLHBASE)\inc\crt;$(WLHBASE)\inc\ddk;$(WLHBASE)\inc</IncludePath>
-    <ReferencePath />
-    <LibraryPath>$(WLHBASE)\lib\win7\i386</LibraryPath>
-    <SourcePath />
-    <ExcludePath />
-  </PropertyGroup>
-  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='WinDDK|Win32'">
-    <ClCompile>
-      <PreprocessorDefinitions>_X86_;DBG=1</PreprocessorDefinitions>
-      <ExceptionHandling>false</ExceptionHandling>
-      <BufferSecurityCheck>false</BufferSecurityCheck>
-      <CallingConvention>StdCall</CallingConvention>
-      <CompileAs>CompileAsC</CompileAs>
-      <AdditionalIncludeDirectories>
-      </AdditionalIncludeDirectories>
-    </ClCompile>
-    <Link>
-      <AdditionalDependencies>ntoskrnl.lib;hal.lib;wdm.lib;%(AdditionalDependencies)</AdditionalDependencies>
-    </Link>
-    <Link>
-      <IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>
-      <SubSystem>Native</SubSystem>
-      <Driver>Driver</Driver>
-      <EntryPointSymbol>DriverEntry</EntryPointSymbol>
-      <SetChecksum>true</SetChecksum>
-      <BaseAddress>0x10000</BaseAddress>
-      <RandomizedBaseAddress>
-      </RandomizedBaseAddress>
-      <DataExecutionPrevention>
-      </DataExecutionPrevention>
-    </Link>
-  </ItemDefinitionGroup>
-  <ItemGroup>
-    <ClCompile Include=".\Monitor.c" />
-    <ClCompile Include=".\Monitor.h" />
-    <ClCompile Include="Common.c" />
-    <ClCompile Include="HookKiFastCallEntry.c" />
-    <ClCompile Include="MonitorProcess.c" />
-  </ItemGroup>
-  <ItemGroup>
-    <ClInclude Include="Common.h" />
-    <ClInclude Include="HookKiFastCallEntry.h" />
-    <ClInclude Include="MonitorProcess.h" />
-  </ItemGroup>
-  <ItemGroup>
-    <None Include="sources" />
-  </ItemGroup>
-  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
-  <ImportGroup Label="ExtensionTargets">
-  </ImportGroup>
-</Project>

Hook KiFastCallEntry/Monitor.vcxproj.filters

@@ -1,41 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
-  <ItemGroup>
-    <ClCompile Include=".\Monitor.c" />
-    <ClCompile Include=".\Monitor.h" />
-    <ClCompile Include="Common.c">
-      <Filter>公共</Filter>
-    </ClCompile>
-    <ClCompile Include="HookKiFastCallEntry.c">
-      <Filter>KiFastCallEntry</Filter>
-    </ClCompile>
-    <ClCompile Include="MonitorProcess.c">
-      <Filter>监控进程</Filter>
-    </ClCompile>
-  </ItemGroup>
-  <ItemGroup>
-    <Filter Include="监控进程">
-      <UniqueIdentifier>{34b07019-c15d-4da9-9329-db715de7b412}</UniqueIdentifier>
-    </Filter>
-    <Filter Include="公共">
-      <UniqueIdentifier>{aebc1b79-2de6-4b1a-a158-4cf360c32b96}</UniqueIdentifier>
-    </Filter>
-    <Filter Include="KiFastCallEntry">
-      <UniqueIdentifier>{eaf33335-dc2f-4d24-b0e6-0021734f6aab}</UniqueIdentifier>
-    </Filter>
-  </ItemGroup>
-  <ItemGroup>
-    <ClInclude Include="Common.h">
-      <Filter>公共</Filter>
-    </ClInclude>
-    <ClInclude Include="HookKiFastCallEntry.h">
-      <Filter>KiFastCallEntry</Filter>
-    </ClInclude>
-    <ClInclude Include="MonitorProcess.h">
-      <Filter>监控进程</Filter>
-    </ClInclude>
-  </ItemGroup>
-  <ItemGroup>
-    <None Include="sources" />
-  </ItemGroup>
-</Project>

Hook KiFastCallEntry/Monitor.vcxproj.user

@@ -1,3 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
-</Project>

Hook KiFastCallEntry/clean.bat

@@ -1,28 +0,0 @@
-rem /////////////////
-rem / Add by ChiChou
-rem / 
-rem / FileName:Clean.bat
-rem / Description:Clean
-rem /
-rem ////////////////
-rd .\bin /s /q
-rd .\WinDDK /s /q
-rd .\objchk_w2k_x86 /s /q
-rd .\objchk_wxp_x86 /s /q
-rd .\objchk_wnet_x86 /s /q
-rd .\objchk_wlh_x86 /s /q
-rd .\objfre_w2k_x86 /s /q
-rd .\objfre_wxp_x86 /s /q
-rd .\objfre_wnet_x86 /s /q
-rd .\objfre_wlh_x86 /s /q
-del .\*.log
-del .\*.err
-del .\*.xml
-rem ***** del VS2005 file *****
-del .\*.ncb
-del .\*.user
-del .\*.suo /A:H
-rem ***** del VS6.0 file *****
-del .\*.plg
-del .\*.opt
-exit

Hook KiFastCallEntry/makefile

@@ -1,6 +0,0 @@
-#
-# DO NOT EDIT THIS FILE!!!  Edit .\sources. if you want to add a new source
-# file to this component.  This file merely indirects to the real make file
-# that is shared by all the components of NT OS/2
-#
-!INCLUDE $(NTMAKEENV)\makefile.def

Hook KiFastCallEntry/mybuild.bat

@@ -1,3 +0,0 @@
-set WLHBASE=C:\WINDDK\6001.18002
-set WDF_ROOT=C:\WINDDK\6001.18002
-ddkbuild.cmd -WLHXP chk . -cZ -WDF

Hook KiFastCallEntry/readme.txt

@@ -1,2 +0,0 @@
-通过hook kifastcallentry 监控ssdt&sssdt表函数
-需要监控的ssdt&sssdt函数自己设置fake函数

Hook KiFastCallEntry/sources

@@ -1,12 +0,0 @@
-TARGETNAME=Monitor
-#TARGETPATH=$(BASEDIR)\lib
-TARGETPATH=obj
-TARGETTYPE=DRIVER
-LINKER_FLAGS=/integritycheck
-INCLUDES=.\
-
-SOURCES= \
- Monitor.c \
- Common.c \
- HookKiFastCallEntry.c
-