/*
 * MyNtDeleteFile - replacement handler that OpenSSDTHook() writes into
 * system-service-table slot 102.
 *
 * As written it is a pure pass-through: it breaks into the kernel debugger
 * and then forwards the call, unchanged, to the address saved in
 * g_NtDeleteFileAdd. No inspection or filtering of the request happens here.
 *
 * Parameters:
 *   ObjectAttributes - forwarded untouched to the saved routine.
 *
 * Returns:
 *   Whatever NTSTATUS the saved routine returns.
 *
 * NOTE(review): DbgBreakPoint() fires on every call routed through this
 * slot. With no kernel debugger attached a kernel-mode breakpoint is
 * normally fatal (bugcheck), so this is debugging-only code.
 *
 * NOTE(review): g_NtDeleteFileAdd is used without a NULL check. It is only
 * valid after OpenSSDTHook() has stored the original entry, which it does
 * before it replaces the slot.
 */
NTSTATUS MyNtDeleteFile(__in POBJECT_ATTRIBUTES ObjectAttributes)
{
    DbgBreakPoint();

    // Call through the saved original entry, reinterpreted as a function pointer.
    return ((OriDeleteFileFun)g_NtDeleteFileAdd)(ObjectAttributes);
}
/*
 * OpenSSDTHook - replace entry 102 of the kernel service table with
 * MyNtDeleteFile, saving the previous entry in g_NtDeleteFileAdd.
 *
 * Steps, in the order the code performs them:
 *   1. Return immediately if g_SSDTOPEN is already set.
 *   2. Save the current value of slot 102.
 *   3. Clear CR0 bit 16 (WP, 0x10000) so ring-0 writes to read-only pages
 *      no longer fault.
 *   4. Overwrite slot 102 with MyNtDeleteFile.
 *   5. Set CR0.WP again.
 *   6. Set g_SSDTOPEN and break into the debugger.
 *
 * Review caveats (reliability and detection):
 *   - 32-bit x86 only. The code relies on MSVC inline __asm and on
 *     KeServiceDescriptorTable, and it stores a function pointer in a ULONG.
 *     On x64 Windows the service table is covered by Kernel Patch
 *     Protection, which bugchecks when it detects a modification like this.
 *   - Index 102 is hard-coded. Service numbers differ between Windows
 *     builds; the g_NtDeleteFileAdd name suggests this is meant to be
 *     NtDeleteFile on the targeted build - confirm before trusting it.
 *   - CR0 is per-processor state. Nothing visible here pins the thread to a
 *     CPU or blocks preemption/interrupts between the two __asm blocks, so
 *     the WP-clear window is not confined to this write.
 *   - A slot that points outside the kernel image is a classic indicator
 *     that integrity checkers and anti-rootkit tools look for.
 *   - The trailing DbgBreakPoint() is normally fatal (bugcheck) when no
 *     kernel debugger is attached.
 */
VOID
OpenSSDTHook()
{
    // Already installed: nothing to do.
    if (g_SSDTOPEN)
        return;

    // Address of the slot this routine rewrites.
    PULONG pSlot = &KeServiceDescriptorTable.ServiceTableBase[102];

    // Remember the original entry first, so the replacement handler can
    // forward to it as soon as the slot is switched.
    g_NtDeleteFileAdd = (ULONG)*pSlot;

    // Drop CR0.WP (bit 16) on the current processor.
    __asm {
        push eax
        mov  eax, cr0
        and  eax, ~0x10000
        mov  cr0, eax
        pop  eax
    }

    // Implicit pointer-to-ULONG store; only meaningful with 32-bit pointers.
    *pSlot = MyNtDeleteFile;

    // Restore CR0.WP.
    __asm {
        push eax
        mov  eax, cr0
        or   eax, 0x10000
        mov  cr0, eax
        pop  eax
    }

    g_SSDTOPEN = TRUE;
    DbgBreakPoint();
}