分享反上传以及扫描文件 HOOK ZwCreateFile源码
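/* Size of the local, NUL-terminated copy of the object name that is scanned
 * for protected substrings. Longer names are truncated before matching. */
#define PROTECTED_NAME_BUF_CHARS 260

/* Substrings whose presence in an object name causes the open/create to be
 * denied. Entries must be LOWER-CASE (the name is ASCII-lower-cased before
 * matching) and non-empty (wcsstr with an empty pattern matches everything).
 * "1".."4" are the placeholders from the original post; replace them with the
 * names of the files to protect. */
static const WCHAR *const g_ProtectedNames[] = {
    L"1", L"2", L"3", L"4"
};

/*
 * NewZwCreateFile - detour installed in place of ZwCreateFile.
 *
 * Denies any file open/create whose object name contains one of the
 * substrings in g_ProtectedNames; every other call is forwarded unchanged to
 * the original routine whose trampoline lives at ZwCreateFileHookZone.
 *
 * Parameters and return value are those of ZwCreateFile. Returns
 * STATUS_ACCESS_DENIED for a blocked name, otherwise whatever the original
 * ZwCreateFile returns.
 *
 * Security notes:
 *  - ObjectAttributes and the UNICODE_STRING it points to are supplied by the
 *    caller and are untrusted. UNICODE_STRING.Length is a BYTE count and the
 *    buffer is not required to be NUL-terminated, so the name is copied into a
 *    bounded, NUL-terminated local buffer before any wcs* call. (The original
 *    version declared a single WCHAR, memcpy'd Length bytes into it - a stack
 *    overflow only masked by __except - and compared the same mistyped
 *    pattern four times instead of indexing the list.)
 *  - Windows object paths are case-insensitive, so matching on a lower-cased
 *    copy keeps "FOO.DLL" from slipping past a "foo.dll" entry. Only ASCII
 *    letters are folded; non-ASCII case folding is not attempted.
 *  - A name longer than PROTECTED_NAME_BUF_CHARS-1 characters is truncated
 *    before matching and therefore fails OPEN if the protected substring lies
 *    beyond the cut. TODO(review): decide whether such names should be denied.
 *  - IsBadReadPtr is inherently racy (the page can be unmapped after the
 *    check); the __try/__except block is the actual guard against a bad
 *    pointer, and any exception is treated as "no match", as before.
 *  - A substring check on the supplied name is a weak control: when
 *    ObjectAttributes->RootDirectory is set the name is relative to that
 *    handle, and alternate spellings of the same file (e.g. short names or
 *    links) are not recognised. Treat this as a speed bump, not a boundary.
 */
NTSTATUS __stdcall NewZwCreateFile(
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PVOID IoStatusBlock,
IN PLARGE_INTEGER AllocationSize OPTIONAL,
IN ULONG FileAttributes,
IN ULONG ShareAccess,
IN ULONG CreateDisposition,
IN ULONG CreateOptions,
IN PVOID EaBuffer OPTIONAL,
IN ULONG EaLength)
{
    ZwCreateFile_1 OldZwCreateFile;
    WCHAR name[PROTECTED_NAME_BUF_CHARS];
    int blocked = 0;

    __try {
        /* Length > 6 (bytes) means at least four WCHARs; names shorter than
         * that are not inspected - kept from the original behaviour. */
        if (IsBadReadPtr(ObjectAttributes, sizeof(OBJECT_ATTRIBUTES)) == 0 &&
            ValidateUnicodeString(ObjectAttributes->ObjectName) &&
            ObjectAttributes->ObjectName->Buffer != NULL &&
            ObjectAttributes->ObjectName->Length > 6)
        {
            const WCHAR *src = ObjectAttributes->ObjectName->Buffer;
            size_t chars = ObjectAttributes->ObjectName->Length / sizeof(WCHAR);
            size_t i;

            /* Bound the copy: leave room for the terminating NUL. */
            if (chars > PROTECTED_NAME_BUF_CHARS - 1)
                chars = PROTECTED_NAME_BUF_CHARS - 1;

            /* Copy and ASCII-lower-case in one pass; src may not be NUL-terminated
             * so never read beyond Length. */
            for (i = 0; i < chars; i++) {
                WCHAR c = src[i];
                if (c >= L'A' && c <= L'Z')
                    c = (WCHAR)(c - L'A' + L'a');
                name[i] = c;
            }
            name[chars] = L'\0';

            for (i = 0; i < sizeof(g_ProtectedNames) / sizeof(g_ProtectedNames[0]); i++) {
                if (wcsstr(name, g_ProtectedNames[i]) != NULL) {
                    blocked = 1;
                    break;
                }
            }
        }
    } __except (1) { /* 1 == EXCEPTION_EXECUTE_HANDLER */
        /* Unreadable ObjectAttributes/ObjectName: do not block, fall through
         * to the original call and let it report the error. */
    }

    if (blocked)
        return STATUS_ACCESS_DENIED;

    OldZwCreateFile = (ZwCreateFile_1)ZwCreateFileHookZone;
    return OldZwCreateFile(FileHandle,
                           DesiredAccess,
                           ObjectAttributes,
                           IoStatusBlock,
                           AllocationSize,
                           FileAttributes,
                           ShareAccess,
                           CreateDisposition,
                           CreateOptions,
                           EaBuffer,
                           EaLength);
}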