I looked at Webcrazy's program, which is very easy to use, and I now know how to use DbgPrint. I also know now that NtReadFile doesn't only read files, it reads all sorts of things, and this is why what ObReferenceObjectByHandle gives back can't be treated directly as a FILE_OBJECT. Forcing it like that is definitely wrong; the type of the object should be checked first. I'm not familiar with this. The ObjectHeader listed by LiveKd differs from the Object by 0x18; that is the StandardHeader. There is also a preheader, whose difference from the Object is 0x28.
In the driver, set a variable count, hook NtReadFile, add one to count on each call, then output it with DbgPrint; I find that the mouse does not call NtReadFile, it will be dozens of times.
It seems that any variable or function in the kernel can be used in a program as long as NTOSKRNL exports it. I still don't understand why; I will look at Linker & Loader.