Ҳǿƽڴд
2009-7-18 16:15:17

ѩ˷ƪдڴ桷ΪǴ룬»ȴPEһҪȥͷУſµĻKeStackAttachProcessһϷຯHook

ǰϵһл cr3Ĵ룬Լһ£ҪĿԽ

//ڵԴ˺DetachProcessMemoryǰ,ܵ,ΪwindbgCr3ָ
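//-----------------------------------------------------------------------
// BOOLEAN AttachProcessMemory(PEPROCESS pEProcess, OUT ULONG *pOldCR3)
//
// Switches the current CPU's CR3 to the page directory of pEProcess so
// the caller can touch that process's address space, and hands back the
// previous CR3 for DetachProcessMemory().
//
// In:  pEProcess - target process object. g_DirectoryTableBaseOffset
//                  (defined elsewhere in this module) is added to it and
//                  the ULONG at that address becomes the new CR3;
//                  presumably this is KPROCESS.DirectoryTableBase — confirm
//                  against the OS version the offset was taken from.
//      pOldCR3   - receives the CR3 value that was live on entry. NULL is
//                  rejected up front instead of faulting with a foreign
//                  page directory loaded.
// Out: TRUE  - CR3 now belongs to pEProcess, *pOldCR3 holds the old value.
//      FALSE - pOldCR3 was NULL; CR3 is untouched.
//
// NOTE(review): the spin lock is a per-call local, so it serializes
// nothing; its only effect is holding IRQL at DISPATCH_LEVEL around the
// two CR3 writes. IRQL is lowered again before returning, so the code
// between this call and DetachProcessMemory() is preemptible — a context
// switch there reloads CR3 from the scheduled thread's own process, and
// the caller must keep that window non-preemptible itself. Presumably the
// caller also holds a reference on pEProcess so its page directory cannot
// be freed while borrowed — verify at the call sites.
//-----------------------------------------------------------------------
BOOLEAN AttachProcessMemory(PEPROCESS pEProcess,OUT ULONG *pOldCR3)
{
 ULONG OldCR3;
 KSPIN_LOCK Locker;
 KIRQL Irql;

 // Check the output pointer before CR3 is changed: the original code
 // dereferenced it only after the swap, where a NULL would fault while a
 // foreign page directory is live.
 if(pOldCR3==NULL)
 {
  return FALSE;
 }

 KeInitializeSpinLock(&Locker);
 KeAcquireSpinLock(&Locker,&Irql);// raises IRQL to DISPATCH_LEVEL so the swap is not interrupted by a reschedule
 __asm
 {
  push eax;

  mov eax,cr3;
  mov OldCR3,eax;// save the caller's current page directory

  mov eax,pEProcess;
  add eax,g_DirectoryTableBaseOffset;
  mov eax,[eax];// eax = new CR3 read from the target process object
  mov cr3,eax;

  pop eax;
 }
 KeReleaseSpinLock(&Locker,Irql);

 *pOldCR3=OldCR3;
 return TRUE;
}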
//-----------------------------------------------------------------------
// BOOLEAN DetachProcessMemory(ULONG OldCR3)
//
// Restores the CR3 value handed back by AttachProcessMemory(), returning
// the CPU to the page directory that was live before the attach.
//
// In:  OldCR3 - the value AttachProcessMemory() stored through pOldCR3
// Out: always TRUE; the CR3 write has no failure path here.
//
// NOTE(review): as in AttachProcessMemory, the spin lock is a per-call
// local and only serves to hold IRQL at DISPATCH_LEVEL while CR3 is
// written. OldCR3 is loaded unchecked; presumably every caller passes the
// value captured by the matching attach — confirm at the call sites.
//-----------------------------------------------------------------------
BOOLEAN DetachProcessMemory(ULONG OldCR3)
{
 KSPIN_LOCK Locker;
 KIRQL Irql;

 KeInitializeSpinLock(&Locker);
 KeAcquireSpinLock(&Locker,&Irql);// raises IRQL to DISPATCH_LEVEL around the CR3 write
 __asm
 {
  push eax;

  mov eax,OldCR3;
  mov cr3,eax;// back to the page directory saved by AttachProcessMemory

  pop eax;
 }
 KeReleaseSpinLock(&Locker,Irql);

 return TRUE;
}