驱动HOOK IDT表

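/* Combine two 16-bit halves into one 32-bit value: addr1 supplies bits 15:0,
 * addr2 bits 31:16. Both halves are widened to unsigned long before the shift.
 * With the previous definition the unsigned short argument was promoted to
 * (signed) int, so a high half >= 0x8000 -- which every kernel-mode address on
 * 32-bit Windows has -- was left-shifted into the sign bit, which is undefined
 * behaviour. Widening first makes the shift well defined. */
#define MAKELONG(addr1,addr2) ((unsigned long)(addr1) | ((unsigned long)(addr2) << 16))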

/* In-memory image of one 8-byte 32-bit x86 IDT gate descriptor.
 * The handler offset is split across LowOffset (bits 15:0) and HiOffset
 * (bits 31:16); GetIdtAddress reassembles it with MAKELONG. The four
 * bit-fields add up to 8 bits and are meant to share one byte.
 * NOTE(review): bit-field packing is implementation-defined and no packing
 * pragma is visible here; confirm sizeof(IDTENTRY) == 8 on the target
 * compiler before writing through this type. */
typedef struct _IDTENTRY{
 unsigned short LowOffset;            /* handler offset, bits 15:0 */
 unsigned short Selector;             /* code segment selector for the handler */
 unsigned char UnUsed_Io;             /* reserved byte in the 32-bit gate format */
 unsigned char Segment_Type:4;        /* gate type */
 unsigned char System_SegMent_Flag:1; /* system/storage segment flag */
 unsigned char DPL:2;                 /* descriptor privilege level */
 unsigned char P:1;                   /* present bit */
 unsigned short HiOffset;             /* handler offset, bits 31:16 */
}IDTENTRY,*PIDTENTRY;

/* Image of the 6-byte IDTR as stored by the 32-bit `sidt` instruction:
 * a 16-bit table limit followed by the 32-bit linear base, which this struct
 * keeps as two 16-bit halves (GetIdtAddress joins them with MAKELONG).
 * NOTE(review): this is the 32-bit layout only; 64-bit `sidt` stores a
 * 10-byte image, so the code in this file is x86-32 specific. */
typedef struct _IDTR{
 unsigned short IDTLimit;   /* size of the table in bytes minus one */
 unsigned short LowIDTbase; /* table base, bits 15:0 */
 unsigned short HiDIDTbase; /* table base, bits 31:16 */
}IDTR;

 


/* Address of the original INT 1 handler; IdtFun tail-jumps through this
 * variable to chain to it. NOTE(review): nothing in the visible code assigns
 * it -- HookIdt writes to `Idt1Address`, a name that is not declared here --
 * so as written the trampoline would jump through a zero value. */
ULONG ulIdt1Address = 0;
/* Intended to point at the IDT entry being patched. NOTE(review):
 * GetIdtAddress declares a local of the same name, so this global is
 * shadowed there and is never assigned in the visible code, yet HookIdt
 * dereferences it. */
PIDTENTRY pstTempEntry = NULL;


/* Return the handler address stored in IDT entry ulNum, i.e. the 32-bit
 * offset held by that gate descriptor. IDTR is read with `sidt`, so the
 * result describes the IDT of the processor this code happens to run on.
 * ulNum is not checked against idtr.IDTLimit. */
ULONG GetIdtAddress(IN const ULONG ulNum)
{
 IDTR idtr;
 PIDTENTRY pstIdtBase = NULL;
 PIDTENTRY pstEntry = NULL;

 _asm{
  sidt idtr
 }
 /* IDTR carries the table base as two 16-bit halves. */
 pstIdtBase = (PIDTENTRY)MAKELONG(idtr.LowIDTbase, idtr.HiDIDTbase);
 pstEntry = &pstIdtBase[ulNum];

 /* The gate stores its handler offset split in two halves as well. */
 return MAKELONG(pstEntry->LowOffset, pstEntry->HiOffset);
}


#pragma code_seg()
/* Trampoline installed in the INT 1 gate by HookIdt. Saves EFLAGS and the
 * general registers, emits a debug print, restores them and jumps to the
 * original handler through ulIdt1Address.
 * NOTE(review): the function is naked, so the compiler builds no frame; the
 * `mov ebp,esp` / `sub esp,0x40` below stand in for it. The local ulAddress
 * is written from EAX but never read afterwards. Whether KdPrint is safe to
 * call from inside a trap handler at this IRQL is not established by anything
 * visible here -- treat it as a risk. */
_declspec(naked) VOID IdtFun()
{
 ULONG ulAddress;
 _asm{
   pushfd          /* save EFLAGS first, pushad next; restored in reverse below */
   pushad
   mov ebp,esp     /* manual frame: naked functions get no prologue */
   sub esp,0x40
   mov ulAddress,eax
  }
  KdPrint(("idt HOOK\n"));
 _asm{
   mov esp,ebp
   popad
   popfd
   jmp ulIdt1Address  /* presumably assembled as an indirect jump through the variable -- verify in the listing */
  }
}

/* Repoint the INT 1 (debug trap) gate of the current processor at IdtFun.
 * NOTE(review): as written this does not compile -- `TempEntry` and
 * `Idt1Address` are not declared anywhere in this file; the declared globals
 * are `pstTempEntry` and `ulIdt1Address`. GetIdtAddress also returns the
 * handler address rather than a pointer to the gate, so the dereferences of
 * pstTempEntry below would hit the NULL global.
 * Risks a reviewer should weigh: the two 16-bit halves of the offset are
 * stored separately, so an INT 1 arriving between the two writes dispatches
 * to a torn address; `sidt` reads only this CPU's IDTR, so other processors
 * keep their original gate; and no unhook routine is visible, so unloading
 * the driver would leave the gate pointing at unmapped code. An IDT gate whose
 * offset lies outside the kernel image is the usual indicator of this kind of
 * patch when auditing a system. */
void HookIdt(void)
{
 TempEntry = GetIdtAddress(1);
 Idt1Address = MAKELONG(pstTempEntry->LowOffset, pstTempEntry->HiOffset);

 pstTempEntry->LowOffset = (USHORT)IdtFun;               /* low half of the new handler */
 pstTempEntry->HiOffset = (USHORT)((ULONG)IdtFun >> 16); /* high half; not atomic with the store above */
}
