#include <ntifs.h>
#include <intrin.h>
#include "PageTable.h"
#include "rewrite.h"
#include "util.h"
// Driver entry point.
//
// Resolves the kernel's NtOpenFile and NtCreateFile routines and installs
// per-process hooks on them (via SetupPageTableHook) for the process named
// "sublime_text.exe".  SetupPageTableHook, fNtOpenFile, fNtCreateFile and the
// two *Trampoline globals are declared in the project headers included above;
// their exact contracts are not visible in this file.
//
// Defender's note: resolving Nt* exports with MmGetSystemRoutineAddress and
// then redirecting them for a single process is exactly the pattern that
// kernel-integrity tooling (hook / page-table consistency scanning) is built
// to surface.  Nothing in this file restores the original routines: the
// DriverUnload callback below does not undo either hook.
//
// Returns STATUS_ACCESS_DENIED if the target process is not found or either
// hook cannot be installed, STATUS_SUCCESS otherwise.
extern "C" NTSTATUS DriverEntry(DRIVER_OBJECT* DriverObject, UNICODE_STRING*) {
    // Captureless lambda, so it converts to the plain DRIVER_UNLOAD pointer.
    // NOTE(review): KeTerminateProcess is not a documented kernel export under
    // this name/signature as far as I know — presumably declared in util.h;
    // confirm what it actually terminates when the driver is unloaded.
    DriverObject->DriverUnload = [](DRIVER_OBJECT*) -> void {
        KeTerminateProcess();
    };
    auto Process = GetProcessByName(L"sublime_text.exe");
    if (!Process) {
        return STATUS_ACCESS_DENIED;
    }
    // Only the PID is kept; the process reference is released immediately, so
    // the hooks below are keyed on a PID that is no longer pinned by this
    // driver (the target could exit, and the PID be reused, in between).
    auto ProcessId = PsGetProcessId(Process);
    ObDereferenceObject(Process);
    UNICODE_STRING NtOpenFileName{};
    RtlInitUnicodeString(&NtOpenFileName, L"NtOpenFile");
    // Original routine address is stored in the trampoline global, which
    // SetupPageTableHook receives by pointer and may rewrite.
    fNtOpenFileTrampoline = reinterpret_cast<fnNtOpenFile>(MmGetSystemRoutineAddress(&NtOpenFileName));
    // Meaning of the trailing integer argument (17 here, 14 below) is defined
    // by SetupPageTableHook in PageTable.h and is not visible in this file.
    if (!SetupPageTableHook(ProcessId, reinterpret_cast<void**>(&fNtOpenFileTrampoline), fNtOpenFile, 17)) {
        return STATUS_ACCESS_DENIED;
    }
    UNICODE_STRING NtCreateFileName{};
    RtlInitUnicodeString(&NtCreateFileName, L"NtCreateFile");
    fNtCreateFileTrampoline = reinterpret_cast<fnNtCreateFile>(MmGetSystemRoutineAddress(&NtCreateFileName));
    // If this second hook fails the first one is left installed: there is no
    // rollback on the partial-failure path.
    if (!SetupPageTableHook(ProcessId, reinterpret_cast<void**>(&fNtCreateFileTrampoline), fNtCreateFile, 14)) {
        return STATUS_ACCESS_DENIED;
    }
    return STATUS_SUCCESS;
};