XP/2003/VISTA的简单INLINE HOOK

利用 HOTPATCH 预留的填充字节：目标函数入口前的 5 个 NOP（0x90）以及入口处的 mov edi,edi（8B FF）。
XP SP2 以上（内核函数带有热补丁填充）才可以用；不满足这一布局的函数会被拒绝，不会写入任何字节。


//By MJ0011 2007-6-24
/* Serialises callers of InlineHookFuncXP() (and the WPOFF()/WPON() pair it
 * uses).  NOTE(review): no KeInitializeSpinLock() call is visible in this
 * listing; the lock must be initialised before the first hook is installed. */
KSPIN_LOCK SDTSpinLock;

/* Original CR0 value captured by WPOFF() and written back by WPON().
 * A single global, so the two calls must be strictly paired. */
ULONG g_uCr0 = 0;

void WPOFF();
VOID WPON();

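void WPOFF()
{
    /*
     * Clear CR0.WP (bit 16) on the current processor so that ring-0 stores to
     * read-only pages (kernel code) no longer fault, and disable interrupts on
     * this processor for the duration of the patch.  The original CR0 value is
     * kept in g_uCr0 for WPON().
     *
     * Interrupts are disabled *before* CR0 is modified, so no interrupt handler
     * on this CPU can run while write protection is off.  Only this CPU is
     * affected: other processors keep WP set and keep executing.
     * Not reentrant: g_uCr0 is one global, so WPOFF()/WPON() must be strictly
     * paired (the caller serialises with SDTSpinLock).
     */
    ULONG uAttr;

    _asm
    {
        cli                     ; no interrupts on this CPU while WP is clear
        push eax;
        mov eax, cr0;
        mov uAttr, eax;         ; remember the original CR0
        and eax, 0FFFEFFFFh;    ; clear bit 16 = CR0.WP
        mov cr0, eax;
        pop eax;
    };

    g_uCr0 = uAttr;             /* saved for WPON() */
}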

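VOID WPON()
{
    /*
     * Write back the CR0 value saved by WPOFF() (re-enabling write protection)
     * and only then re-enable interrupts on this processor.
     *
     * CR0 is restored *before* sti so that no interrupt handler can run on this
     * CPU while WP is still clear.  Note that sti is unconditional: if interrupts
     * were already disabled when WPOFF() ran, they are enabled here anyway
     * (EFLAGS is not saved/restored; that would need pushfd/popfd in WPOFF()).
     */
    _asm
    {
        push eax;
        mov eax, g_uCr0;        ; CR0 as it was before WPOFF()
        mov cr0, eax;
        pop eax;
        sti                     ; only after write protection is back on
    };
}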
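NTSTATUS InlineHookFuncXP(IN PVOID FuncAddress,
                         IN PVOID NewFuncAddress)
{
    /*
     * Install a hot-patch style inline hook on a function that carries the
     * XP SP2+ hot-patch layout:
     *   FuncAddress-5 .. FuncAddress-1 : 90 90 90 90 90   (5 NOP padding bytes)
     *   FuncAddress   .. FuncAddress+1 : 8B FF            (mov edi,edi)
     * On success the padding holds "jmp rel32 NewFuncAddress" and the entry
     * holds "jmp short -7" into it.  The hook can continue into the original
     * function at FuncAddress+2 (the instruction after mov edi,edi).
     *
     * FuncAddress    - address of the original (hot-patchable) function
     * NewFuncAddress - address of the hook function that receives control
     * Returns 0 (STATUS_SUCCESS) on success, 0xC000000D
     * (STATUS_INVALID_PARAMETER) for a NULL argument, and 0xC0000001
     * (STATUS_UNSUCCESSFUL) when the expected prologue/padding bytes are not
     * present; nothing is written in the failure cases.
     *
     * NOTE(review): only NOP (0x90) padding is accepted; a build that pads
     * with int 3 (0xCC) is rejected here.
     */
    KIRQL OldIrql;
    NTSTATUS stat;
    const unsigned char *p = (const unsigned char *)FuncAddress;
    int i;

    if (FuncAddress == NULL || NewFuncAddress == NULL) {
        return (NTSTATUS)0xC000000DL;      /* STATUS_INVALID_PARAMETER */
    }

    /* Serialises concurrent hookers (and raises to DPC level).  It does NOT
     * stop other CPUs from executing the target, which is why the order of
     * the stores below matters. */
    KeAcquireSpinLock(&SDTSpinLock, &OldIrql);

    /* Validate the hot-patch shape before touching anything. */
    stat = 0;
    if (p[0] != 0x8B || p[1] != 0xFF) {
        stat = (NTSTATUS)0xC0000001L;      /* entry is not mov edi,edi */
    }
    for (i = 1; stat == 0 && i <= 5; i++) {
        if (p[-i] != 0x90) {
            stat = (NTSTATUS)0xC0000001L;  /* padding is not 5 NOPs */
        }
    }

    if (stat == 0) {
        /* Write protection is only dropped for the actual stores. */
        WPOFF();
        __asm
        {
            push eax
            push ecx
            mov eax, FuncAddress
            mov ecx, NewFuncAddress
            sub ecx, eax                    ; rel32 for a jmp at FuncAddress-5 (next ip = FuncAddress)
            ; 1. Fill the padding first: E9 rel32.  No CPU executes these bytes
            ;    yet, so a half-written jump can never be fetched.
            mov byte ptr [eax-5], 0E9h
            mov dword ptr [eax-4], ecx
            ; 2. Then switch the entry over with ONE 2-byte store: EB F9 =
            ;    jmp short -7 (from FuncAddress+2 back to FuncAddress-5).
            ;    A single store keeps another CPU from seeing EB without F9.
            ;    NOTE(review): atomic only if the entry does not straddle a
            ;    cache line; hot-patch functions are normally aligned so it
            ;    does not - verify for the target.
            mov word ptr [eax], 0F9EBh
            pop ecx
            pop eax
        }
        WPON();
    }

    KeReleaseSpinLock(&SDTSpinLock, OldIrql);

    return stat;
}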
