Homepage
Focus original
Security text
Security tool
Security hole
Focus project
Focus forum
about us
Add article
English Version
Article classification
Feature article
Vulnerability analysis
Security configuration
Hacker teaching
Programming technology <<
Tool introduction
Firewall technology
Intrusion detection
Crack
Focus announcement
Focus summit
Article recommended
Analysis of LSD RPC Overflow Vulnerability
Ring 0 code in any user mode
Analysis of IIS's nsiislog.dll overflow problem
Several implementation and application of the internal nuclear grade HOOK: 2003-03-26 Article property: Original article Source: http://www.whitecell.org/ Documentation: SINISTER (jias_at_21cn.com) Several implementations of kernel hook HOOK And Application Author: sinisteremail: sinister@whitecell.orghomepage: http://www.whitecell.org / Implementing Nuclear Level Hook For intercepting, analysis, tracking system cores, a dealties. The method of implementing is different means that the application side focus is different. If you want to intercept Native API, it is possible to use the Hook Service Table method. If you want to analyze some system calls, you might think of using the Hook Int 2E interrupt. If you want to intercept or track the call of other kernel Driver, you should use the Hook PE method to implement. Here we pay more attention to achieving, many masters have been published in the Internet. Everyone can combine it. The following is aware of several instance programs I have explained the implementation of various methods. In the wrong point, I also hope that you are correct. 1, hook service table method: This method is more useful for intercepting the Native API. The principle is to achieve the purpose of interception by replacing the corresponding Native API's address in a service table in the system. Because this method is simple, there are many information on the Internet. So this will not give an example program. SERVICE TABLE structure follows: typedef struct ServiceDescriptorEntry {unsigned int * ServiceTableBase; unsigned int * ServiceCounterTableBase; unsigned int NumberOfServices; unsigned char * ParamTableBase;} ServiceDescriptorTableEntry_t, * PServiceDescriptorTableEntry_t; 2, HOOK INT 2E Method: This method for tracking, analysis system The call is more useful. The principle is to achieve it by replacing the IntT table in the IDT table, so that it is implemented to our own interrupt service processing routine. Mastering this method requires that you have a certain basis for the protection mode. The following program demonstrates this process.
/ ************************************************** *************** File Name: WSSHOKINT2E.C Description: System call tracking Author: sinister final modification date: 2002-11-02 ********** *********************************************************** **** / # include "ntddk.h" #include "string.h" #define dword unsigned __int32 # define word unsigned __int16 # Define Byte unsigned __int8 # define bool __int32 # define loword ((Word) (Word) ) # Define HiWord ((Word) ((DWORD) >> 16) & 0xfff) #DEFINE LOBYTE ((Byte)) # define Hibyte (w) BYTE) ((Word) >> 8) & 0xFF) # Define Makelong (A, B) ((Word) ((Word)) | ((DWORD) ((Word) ))) << 16)) #define SYSTEMCALL 0x2e # define SYSNAME "System" #define PROCESSNAMELEN 16 # pragma pack (1) // define IDTR typedef struct tagIDTR {WORD IDTLimit; WORD LowIDTbase; WORD HiIDTbase;} IDTR, * PIDTR ; // Define IDT TypedEf strunt tagidtentry {Word OffsetLow; Word Selector; Byte Unused_lo; unsigned char unused_hi: 5; unsigned char DPL: 2; unsigned char P: 1; WORD OffsetHigh;} IDTENTRY, * PIDTENTRY; #pragma pack () DWORD OldInt2eService; ULONG ProcessNameOffset; TCHAR ProcessName [PROCESSNAMELEN]; static NTSTATUS MydrvDispatch (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp); VOID DriverUnload (IN PDRIVER_OBJECT pDriverObject); ULONG GetProcessNameOffset (); VOID GetProcessName (PCHAR Name); VOID InstallNewInt2e (); VOID UninstallNewInt2e (); VOID __fastcall NativeApiCall () {KIRQL oldIrql; DWORD ServiceID; DWORD ProcessId; __asm mov ServiceID, eax; ProcessId = (DWORD ) PsgetCurrentProcessId (); getProcessName (ProcessName); KeraiseiRQL (High_level, & OldiRQL);
// Enhance the current IRQL level to prevent the interrupt Switch (ServiceID) {case 0x20: dbgprint ("newint2e: processname:% s; processid:% D; Native API: NTCREATEFILE () / N", processname, processid; Break; case 0x2b: DbgPrint ( "NEWINT2E: ProcessName:% s; ProcessID:% d; Native Api: NtCreateSection () / n", ProcessName, ProcessId); break; case 0x30: DbgPrint ( "NEWINT2E: ProcessName:% s; ProcessID: % d; Native Api: NtCreateToken () / n ", ProcessName, ProcessId); break;} KeLowerIrql (oldIrql); // restore the original IRQL} __ declspec (naked) NewInt2eService () {__asm {pushad pushfd push fs mov bx, 0x30 MOV FS, BX Push DS Push ES STI Call NativeApical; // Call Record Function CLI POP ES POP DS POP FS POPFD POPAD JMP OLDINT2ELVICE; / / Skip to Original INT 2E Continue Work}} Void Instance Allnewint2e () {idtr idtr; pidtenTry nid; // Get idTR in the idTR Decision and the base address __asm {sIDT idTR;} // gets the IDT base OIDT = (PIDTENTRY) makelong (idtr.lowidtbase, idtr.hiIIIDTBASE ); // Save the original INT 2E service routine Oldint 3Service = makelong (OIDT [SystemCall] .Offsetlow, Oidt [SystemCall] .offSeth; Nid = & (OIDT [SystemCall]); __ASM {CLI Lea Eax, NewInt2ENTTETESERVICE; / / Get a new INT 2E service routine offset MOV EBX, NIDT; MOV [EBX], AX; // int 2e service routine low 16-bit SHR EAX, 16 // INT 2E service routine high 16-bit MOV [EBX 6], AX; LIDT IDTR / / Pack of new IDT sti}} void uninstallnewint2e () {idtr idtr; pidTentry oidt; pidtentry nid;
__asm {sIDT idtr;} Oidt = (pidtenTry) makelong (idtr.lowidtbase, idtr.hiidtbase); Nidt = & (OIDT [SystemCall]); _ASM {CLI Lea Eax, Oldint2Embe; MOV EBX, NIDT; MOV [EBX], ax; shr eax, 16 mov [ebx 6], ax; lidt idtr sti}} // drive inlet NTSTATUS DriverEntry (IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath) {UNICODE_STRING nameString, linkString; PDEVICE_OBJECT deviceObject; NTSTATUS status; HANDLE hHandle; int i; // unload drive DriverObject-> DriverUnload = DriverUnload; // build equipment RtlInitUnicodeString (& nameString, L "// device // WssHookInt2e"); status = IoCreateDevice (DriverObject, 0, & nameString, FILE_DEVICE_UNKNOWN, 0, TRUE, & deviceObject ); if return status (NT_SUCCESS (status)!); RtlInitUnicodeString (& linkString, L "// DosDevices // WssHookInt2e"); status = IoCreateSymbolicLink (& linkString, & nameString); (! NT_SUCCESS (status)) if {IoDeleteDevice (DriverObject-> DeviceObject ); return status;} for (i = 0; i
} // object operation processing device static NTSTATUS MydrvDispatch (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp) {Irp-> IoStatus.Status = STATUS_SUCCESS; Irp-> IoStatus.Information = 0L; IoCompleteRequest (Irp, 0); return Irp-> IoStatus .Status;} VOID DriverUnload (IN PDRIVER_OBJECT pDriverObject) {UNICODE_STRING nameString; UninstallNewInt2e (); RtlInitUnicodeString (& nameString, L "// DosDevices // WssHookInt2e"); IoDeleteSymbolicLink (& nameString); IoDeleteDevice (pDriverObject-> DeviceObject); return;} Ulong getProcessNameOffset () {peprocess curproc; int i; curproc = psgetcurrentprocess (); /// scan for 12kb, hopping the kpeb never grows there big! // for (i = 0; i <3 * Page_size; i ) { IF (! Strncmp (Pchar) Curproc I, Strlen (sysname))) {Return i;}} // // Name Not Found - OH, Well // Return 0;} void getProcessName (Pchar Name) {PEPROCESS curproc; char * nameptr; ULONG i; if (ProcessNameOffset) {curproc = PsGetCurrentProcess (); nameptr = (PCHAR) curproc ProcessNameOffset; strncpy (Name, nameptr, 16);} else {strcpy (Name, "??? ");}} 3, HOOK PE method This method is to intercept, analyze more kernel-driven function calls. The principle is implemented in accordance with the corresponding function in the replacement PE format exported table. Some tips are required in this method. If the kernel mode does not directly provide a function of getModuleHandl (), getProcAddress (), and getProcAddress () and other functions to get the address of the module. Then we need yourself to write, here you have used an unapproved function and structure. ZwQuerySystemInformation and System_Module_information are enabled to get the base address of the module. This way we can enumerate the function in the table according to the PE format. But this has taken a problem, that is, the page properties of kernel data after Windows 2000 are read-only and cannot be changed.
The kernel mode does not provide functions such as VirtualProtectex () such as application layer to modify page properties. So we also need us to write. Because we are in kernel mode, we can achieve our goal by modifying the write protection bit of the CR0 register. This is implemented in the function of intercepting the kernel mode functions we expect. This method requires you to have a certain basis for the PE format. The following program demonstrates this process. / ************************************************** *************** File Name: WSSHOKPE.C Description: Intercepting kernel function Author: sinister final modification date: 2002-11-02 ********** *********************************************************** **** / # include "ntddk.h" #include "windef.h"
typedef enum _SYSTEM_INFORMATION_CLASS {SystemBasicInformation, SystemProcessorInformation, SystemPerformanceInformation, SystemTimeOfDayInformation, SystemNotImplemented1, SystemProcessesAndThreadsInformation, SystemCallCounts, SystemConfigurationInformation, SystemProcessorTimes, SystemGlobalFlag, SystemNotImplemented2, SystemModuleInformation, SystemLockInformation, SystemNotImplemented3, SystemNotImplemented4, SystemNotImplemented5, SystemHandleInformation, SystemObjectInformation, SystemPagefileInformation, SystemInstructionEmulationCounts, SystemInvalidInfoClass1, SystemCacheInformation, SystemPoolTagInformation, SystemProcessorStatistics, SystemDpcInformation, SystemNotImplemented6, SystemLoadImage, SystemUnloadImage, SystemTimeAdjustment, SystemNotImplemented7, SystemNotImplemented8, SystemNotImplemented9, SystemCrashDumpInformation, SystemExceptionInformation, SystemCrashD umpStateInformation, SystemKernelDebuggerInformation, SystemContextSwitchInformation, SystemRegistryQuotaInformation, SystemLoadAndCallImage, SystemPrioritySeparation, SystemNotImplemented10, SystemNotImplemented11, SystemInvalidInfoClass2, SystemInvalidInfoClass3, SystemTimeZoneInformation, SystemLookasideInformation, SystemSetTimeSlipEvent, SystemCreateSession, SystemDeleteSession, SystemInvalidInfoClass4, SystemRangeStartInformation, SystemVerifierInformation, SystemAddVerifier, SystemSessionProcessesInformation} SYSTEM_INFORMATION_CLASS; typedef struct tagSYSTEM_MODULE_INFORMATION {ULONG Reserved [2 ]; Pvoid base; ulong size; ulong flag; ushort index;
USHORT Unknown; USHORT LoadCount; USHORT ModuleNameOffset; CHAR ImageName [256];} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION; #define IMAGE_DOS_SIGNATURE 0x5A4D // MZ # define IMAGE_NT_SIGNATURE 0x50450000 // PE00 # define IMAGE_NT_SIGNATURE1 0x00004550 // 00EPtypedef struct _IMAGE_DOS_HEADER {// DOS .EXE header WORD e_magic; // Magic number WORD e_cblp; // Bytes on last page of file WORD e_cp; // Pages in file WORD e_crlc; // Relocations WORD e_cparhdr; // Size of header in paragraphs WORD e_minalloc; // Minimum extra Paragraphs Needed Word E_MAXALLOC; // Maximum Extra Paragraphs Needed Word E_ss; // Initial (Relative) SS Value Word E_SP; // Initial SP Value Word E_CSUM; // Checksum W ORD E_IP; // Initial IP Value Word E_CS; // Initial (Relative) CS Value Word E_LFARLC; // File Address of Relocation Table Word E_OVNO; // Overlay Number Word E_RES [4]; // RESERVED WORDS WORD E_OEMID; / / OEM identifier (for e_oeminfo) WORD e_oeminfo; // OEM information; e_oemid specific WORD e_res2 [10]; // Reserved words LONG e_lfanew; // File address of new exe header} IMAGE_DOS_HEADER, * PIMAGE_DOS_HEADER; typedef struct _IMAGE_FILE_HEADER {WORD Machine Word Numberofsections; DWORD TIMEDATESTAMP;
DWORD PointerToSymbolTable; DWORD NumberOfSymbols; WORD SizeOfOptionalHeader; WORD Characteristics;} IMAGE_FILE_HEADER, * PIMAGE_FILE_HEADER; typedef struct _IMAGE_DATA_DIRECTORY {DWORD VirtualAddress; DWORD Size;} IMAGE_DATA_DIRECTORY, * PIMAGE_DATA_DIRECTORY; #define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16 //// Optional header format.//typedef struct _IMAGE_OPTIONAL_HEADER {// // Standard fields // WORD Magic;. BYTE MajorLinkerVersion; BYTE MinorLinkerVersion; DWORD SizeOfCode; DWORD SizeOfInitializedData; DWORD SizeOfUninitializedData; DWORD AddressOfEntryPoint; DWORD BaseOfCode; DWORD BaseOfData;. // // NT additional fields // DWORD ImageBase DWord SectionAlignment; Word MajorOperatingSystemVersion; Word MAJORIMAGEVERSIS; Word MinorImageVersion; Word MAJORSUBSYSTEMVERSION; WORD minorsub systemVersion; DWORD Win32VersionValue; DWORD SizeOfImage; DWORD SizeOfHeaders; DWORD CheckSum; WORD Subsystem; WORD DllCharacteristics; DWORD SizeOfStackReserve; DWORD SizeOfStackCommit; DWORD SizeOfHeapReserve; DWORD SizeOfHeapCommit; DWORD LoaderFlags; DWORD NumberOfRvaAndSizes; IMAGE_DATA_DIRECTORY DataDirectory [IMAGE_NUMBEROF_DIRECTORY_ENTRIES];} IMAGE_OPTIONAL_HEADER32, * PIMAGE_OPTIONAL_HEADER32; typedef struct _IMAGE_NT_HEADERS {DWORD Signature; IMAGE_FILE_HEADER FileHeader; IMAGE_OPTIONAL_HEADER32 OptionalHeader;} IMAGE_NT_HEADERS32, * PIMAGE_NT_HEADERS32; typedef IMAGE_NT_HEADERS32 IMAGE_NT_HEADERS;
typedef PIMAGE_NT_HEADERS32 PIMAGE_NT_HEADERS; //// Section header format.//#define IMAGE_SIZEOF_SHORT_NAME 8typedef struct _IMAGE_SECTION_HEADER {BYTE Name [IMAGE_SIZEOF_SHORT_NAME]; union {DWORD PhysicalAddress; DWORD VirtualSize;} Misc; DWORD VirtualAddress; DWORD SizeOfRawData; DWORD PointerToRawData; DWORD PointerToRelocations; DWORD PointerToLinenumbers; WORD NumberOfRelocations; WORD NumberOfLinenumbers; DWORD Characteristics;} IMAGE_SECTION_HEADER, * PIMAGE_SECTION_HEADER; #define IMAGE_SIZEOF_SECTION_HEADER 40 //// Export Format // typedef struct _IMAGE_EXPORT_DIRECTORY {DWORD Characteristics; DWORD TimeDateStamp; WORD MajorVersion; WORD MinorVersion; DWORD Name; DWORD Base; DWORD NUMBEROFFUNCTIONS; DWORD NUMBEROFNAMES; DWORD ADDRESSOFNAMES; // RVA from Base of Image Dword AddressOfNames; // RVA F rom base of image DWORD AddressOfNameOrdinals; // RVA from base of image} IMAGE_EXPORT_DIRECTORY, * PIMAGE_EXPORT_DIRECTORY; #define BASEADDRLEN 10NTSYSAPINTSTATUSNTAPIZwQuerySystemInformation (IN SYSTEM_INFORMATION_CLASS SystemInformationClass, IN OUT PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength OPTIONAL); typedef NTSTATUS (* ZWCREATEFILE) (OUT pHANDLE FileHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, IN PLARGE_INTEGER AllocationSize OPTIONAL, IN ULONG FileAttributes, IN ULONG ShareAccess, IN ULONG createDisposition, IN ULONG CreateOptions, IN PVOID EaBuffer OPTIONAL, IN ULONG EaLength);
ZWCREATEFILE OldZwCreateFile; static NTSTATUS MydrvDispatch (IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp); VOID DriverUnload (IN PDRIVER_OBJECT pDriverObject); VOID DisableWriteProtect (PULONG pOldAttr); VOID EnableWriteProtect (ULONG ulOldAttr); FARPROC HookFunction (PCHAR pModuleBase, PCHAR pHookName, FARPROC pHookFunc) ; NTSTATUS HookNtCreateFile (OUT pHANDLE FileHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, IN PLARGE_INTEGER AllocationSize OPTIONAL, IN ULONG FileAttributes, IN ULONG ShareAccess, IN ULONG createDisposition, IN ULONG CreateOptions, IN PVOID EaBuffer OPTIONAL, IN ULONG EaLength) ; PCHAR MyGetModuleBaseAddress (PCHAR pModuleName) {PSYSTEM_MODULE_INFORMATION pSysModule; ULONG uReturn; ULONG uCount; PCHAR pBuffer = NULL; PCHAR pName = NULL; NTSTATUS status; UINT ui; CHAR szBuffer [B ASEADDRLEN]; PCHAR pBaseAddress; status = ZwQuerySystemInformation (SystemModuleInformation, szBuffer, BASEADDRLEN, & uReturn); pBuffer = (PCHAR) ExAllocatePool (NonPagedPool, uReturn); if (pBuffer) {status = ZwQuerySystemInformation (SystemModuleInformation, pBuffer, uReturn, & uReturn); if (status == status_success) {ucount = (ulong) * ((Ulong *) pBuffer; psysmodule = (pster sizeof (ulong)); for (ui = 0; ui
if (! pName) {pName = pSysModule-> ImageName;} else {pName ;} if {pBaseAddress = (PCHAR) pSysModule-> Base; ExFreePool (pBuffer); return pBaseAddress;} (_stricmp (pName, pModuleName)!) pSysModule ;}} ExFreePool (pBuffer);} return NULL;} FARPROC HookFunction (PCHAR pModuleBase, PCHAR HookFunName, FARPROC HookFun) {PIMAGE_DOS_HEADER pDosHdr; PIMAGE_NT_HEADERS pNtHdr; PIMAGE_SECTION_HEADER pSecHdr; PIMAGE_EXPORT_DIRECTORY pExtDir; UINT ui, uj; PCHAR funName; DWORD * DWADDRNAME; DWORD * DWADDRFUN; FARPROC POLDFUN; ULONG UATTRIB; PDOSHDR = (PIMAGE_DOS_HEADER) PMODulebas e; if (IMAGE_DOS_SIGNATURE == pDosHdr-> e_magic) {pNtHdr = (PIMAGE_NT_HEADERS) (pModuleBase pDosHdr-> e_lfanew); if (IMAGE_NT_SIGNATURE == pNtHdr-> Signature || IMAGE_NT_SIGNATURE1 == pNtHdr-> Signature) {pSecHdr = ( PIMAGE_SECTION_HEADER) (pModuleBase pDosHdr-> e_lfanew sizeof (IMAGE_NT_HEADERS)); for (ui = 0; ui <(UINT) pNtHdr-> FileHeader.NumberOfSections;! ui ) {if (strcmp (pSecHdr-> Name, ".edata ")) {Pextdir =
(PIMAGE_EXPORT_DIRECTORY) (pModuleBase pSecHdr-> VirtualAddress); dwAddrName = (PDWORD) (pModuleBase pExtDir-> AddressOfNames); dwAddrFun = (PDWORD) (pModuleBase pExtDir-> AddressOfFunctions); for (uj = 0; uj <(UINT ) pExtDir-> NumberOfFunctions; uj ) {funName = pModuleBase * dwAddrName; if (strcmp (funName, HookFunName)) {DbgPrint ( "HOOK% s () / n", funName);! DisableWriteProtect (& uAttrib); pOldFun = ( FarProc) (PMODULEBASE * DWADDRFUN); * dwaddrfun = (pchar) hookfun - pmodulebase; enableWriteProtect (Uattrib); Return Poldfun;} dwaddrname ; dwaddrfun ;}} pSecHdr ;}}} return NULL;} // drive inlet NTSTATUS DriverEntry (IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath) {UNICODE_STRING nameString, linkString; PDEVICE_OBJECT deviceObject; NTSTATUS status; HANDLE hHandle; PCHAR pModuleAddress; int i; // unload drive DriverObject -> Driverunload = driverunload; // Established equipment RTLinitunicodeString (& nameString, L "// device // wsshookpe"); status = IocreateDevice (DriverObject, 0, &)
nameString, FILE_DEVICE_UNKNOWN, 0, TRUE, & deviceObject); if) return status (NT_SUCCESS (status!); RtlInitUnicodeString (& linkString, L "// DosDevices // WssHookPE"); status = IoCreateSymbolicLink (& linkString, & nameString); if (NT_SUCCESS! (status)) {IoDeleteDevice (DriverObject-> DeviceObject); return status;} pModuleAddress = MyGetModuleBaseAddress ( "ntoskrnl.exe"); if (pModuleAddress == NULL) {DbgPrint ( "MyGetModuleBaseAddress () / n"); return 0; } OldZwCreateFile = (ZWCREATEFILE) HookFunction (pModuleAddress, "ZwCreateFile", (ZWCREATEFILE) HookNtCreateFile); if (OldZwCreateFile == NULL) {DbgPrint ( "HOOK FAILED / n"); return 0;} DbgPrint ( "HOOK SUCCEED / n" ); For (i = 0; i
NULL) {DbgPrint ( "MyGetModuleBaseAddress () / n"); return;} OldZwCreateFile = (ZWCREATEFILE) HookFunction (pModuleAddress, "ZwCreateFile", (ZWCREATEFILE) OldZwCreateFile); if (OldZwCreateFile == NULL) {DbgPrint ( "UNHOOK FAILED! / n "); return;} DbgPrint (" uNHOOK SUCCEED / n "); RtlInitUnicodeString (& nameString, L" // DosDevices // WssHookPE "); IoDeleteSymbolicLink (& nameString); IoDeleteDevice (pDriverObject-> DeviceObject); return;} NTSTATUS HookNtCreateFile (OUT pHANDLE FileHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, IN PLARGE_INTEGER AllocationSize OPTIONAL, IN ULONG FileAttributes, IN ULONG ShareAccess, IN ULONG createDisposition, IN ULONG CreateOptions, IN PVOID EaBuffer OPTIONAL, IN ULONG EaLength) {NTSTATUS Status; DBGPrint ("Hook ZwcreateFile () / N"); status = ((zwcreatefile) (FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength); return status;} VOID DisableWriteProtect (PULONG pOldAttr) {ULONG uAttr; _asm {push eax; mov eax, cr0; mov uAttr, eax; And Eax, 0ffeffffh; // CR0 16 bit = 0 MOV CR0, Eax; POP Eax;}; * Poldattr = uattr; // Save the original CRO attribute} Void EnableWriteProtect (ulong uoldattr) {_ASM {Push Eax;
Mov Eax, uoldattr; // Restore the original CR0 attribute MOV CR0, EAX; POP Eax;};} About us: WSS (WhiteCell Security Systems), a non-profit private technical organization, is committed to research on various system security technology . Adhere to the traditional Hacker spirit, pursue the pureness of technology. WSS Home: http://www.whitecell.org/copyright? 1998-2003 Xfocus Team. All Rights Reserved
