pwp

pwp

DICHook_OpenSource/DICHook.cpp

@@ -31,7 +31,7 @@ typedef struct _HOOK_NTQUERY_CONTEXT {
 typedef BOOL(*fnIoCtlPostCallback)(HOOK_DEVICE_IO_CONTEXT *);
 fnIoCtlPostCallback g_IoCtlPostCallback = 0;
 
-typedef void(*fndiccabk)(ULONG64, ULONG64, ULONG64, ULONG64, ULONG64);
+typedef void(*fndiccabk)(ULONG64, ULONG64, ULONG64, ULONG64, ULONG64, ULONG64);
 typedef void(*fnntqcabk)(ULONG64, ULONG64, ULONG64);
 typedef VOID(*fnExtraCallback)(VOID);
 fndiccabk dicpostcabk = 0;
@@ -546,7 +546,7 @@ VOID InstallHook(fnIoCtlPostCallback PostCallback, PVOID PreCallback, PVOID NtQu
 	*(ULONG64 *)(pcode + 0x22) = ((ULONG64)DispatchCallback) ^ 0x7fffffff;
 
 	//ViPacketLookaside.Region=0
-	//防止RtlpInterlockedPopEntrySList返回值
+	//防止RtlpInterlockedPopEntrySList返回非0值
 	*(ULONG64*)(ViPacketLookaside + 0x8) = 0;
 	//修改ViPacketLookaside.AllocEx
 	ULONG64 pfn = *(ULONG64*)(ViPacketLookaside + 0x30);
@@ -573,7 +573,7 @@ BOOL FnDICPostCallback(HOOK_DEVICE_IO_CONTEXT *Context) {
 	if (Context) {
 		PFILE_OBJECT FileObject = (PFILE_OBJECT)Context->Object;
 		if (dicpostcabk) {
-			dicpostcabk(Context->IoControlCode, Context->InputBuffer, Context->InputBufferLength, Context->OutputBuffer, Context->OutputBufferLength);
+			dicpostcabk((ULONG64)Context->Object, Context->IoControlCode, Context->InputBuffer, Context->InputBufferLength, Context->OutputBuffer, Context->OutputBufferLength);
 		}
 		return TRUE;
 	}
@@ -585,7 +585,7 @@ VOID FnDICPreCallback(HOOK_DEVICE_IO_CONTEXT *aContext){
 		ExFreePool(Context.JmpPage);
 		ExFreePool(aContext);
 		if (dicprecabk) {
-			dicprecabk(Context.IoControlCode, Context.InputBuffer, Context.InputBufferLength, Context.OutputBuffer, Context.OutputBufferLength);
+			dicprecabk((ULONG64)Context.Object, Context.IoControlCode, Context.InputBuffer, Context.InputBufferLength, Context.OutputBuffer, Context.OutputBufferLength);
 		}
 	}
 }

DICHook_OpenSource/main.cpp

@@ -6,10 +6,10 @@
 #include "DICHook.h"
 #include <ntddndis.h>
 
-VOID NtDeviceIoControlFileCallback(ULONG64 IoControlCode, ULONG64 InputBuffer, ULONG64 InputBufferLength, ULONG64 OutputBuffer, ULONG64 OutputBufferLength) {
-	//此时irql == 2 !
+VOID NtDeviceIoControlFileCallback(ULONG64 pObject, ULONG64 IoControlCode, ULONG64 InputBuffer, ULONG64 InputBufferLength, ULONG64 OutputBuffer, ULONG64 OutputBufferLength) {
+	//此时irql == 2 !
 	// 
-	//修改物理Mac地址例子
+	//修改物理Mac地址例子
 	if (IoControlCode == IOCTL_NDIS_QUERY_GLOBAL_STATS &&
 		InputBufferLength >= 4 && MmiGetPhysicalAddress((PVOID)InputBuffer) && MmiGetPhysicalAddress((PVOID)(InputBuffer + 4 - 1)) &&
 		OutputBufferLength >= 6 && MmiGetPhysicalAddress((PVOID)OutputBuffer) && MmiGetPhysicalAddress((PVOID)(OutputBuffer + 6 - 1))) {
@@ -30,9 +30,9 @@ VOID NtDeviceIoControlFileCallback(ULONG64 IoControlCode, ULONG64 InputBuffer, U
 	}
 }
 VOID NtQueryVolumeInformationFileCallback(ULONG64 FsInformationClass, ULONG64 FsInformation, ULONG64 Length) {
-	//此时irql == 2 !
+	//此时irql == 2 !
 	// 
-	//修改分区序列号例子
+	//修改分区序列号例子
 	switch (FsInformationClass)
 	{
 	case FileFsVolumeInformation:
@@ -52,17 +52,17 @@ VOID NtQueryVolumeInformationFileCallback(ULONG64 FsInformationClass, ULONG64 Fs
 }
 extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT drv, PUNICODE_STRING reg_path) {
 	Mmi_Init();
-	GetRealTime();//初始化GetRealTime
+	GetRealTime();//初始化GetRealTime
 
-	//设置是否启用 NtQueryVolumeInformationFile Hook,TRUE为开启,FALSE为关闭
-	//注意,win10 1507 - win10 1709不支持NtQueryVolumeInformationFile Hook,因为无法从堆栈中获取到参数
-	//NtQueryVolumeInformationFile Hook 完美兼容win7以及win10 1803及以上版本
+	//设置是否启用 NtQueryVolumeInformationFile Hook,TRUE为开启,FALSE为关闭
+	//注意,win10 1507 - win10 1709不支持NtQueryVolumeInformationFile Hook,因为无法从堆栈中获取到参数
+	//NtQueryVolumeInformationFile Hook 完美兼容win7以及win10 1803及以上版本
 	setntqhookstats(FALSE);
 
-	//设置NtDeviceIoControlFile Hook的Callback,win7,win10全系统兼容
+	//设置NtDeviceIoControlFile Hook的Callback,win7,win10全系统兼容
 	setdicprecabk(NtDeviceIoControlFileCallback);
 
-	//设置NtQueryVolumeInformationFile Hook的Callback
+	//设置NtQueryVolumeInformationFile Hook的Callback
 	setntqcabk(NtQueryVolumeInformationFileCallback);
 	return STATUS_SUCCESS;
 }