一个很强的代码，谁能翻译成DELPHI的？高手来一下

dcrr64 2008-12-18 05:36:26

*************************************************************************************************************************** 

#include<ntddk.h> 



typedef struct _SERVICE_DEscrīptOR_TABLE 

{ 

   PVOID   ServiceTableBase; 

   PULONG   ServiceCounterTableBase; 

   ULONG   NumberOfService; 

   ULONG   ParamTableBase; 

}SERVICE_DEscrīptOR_TABLE,*PSERVICE_DEscrīptOR_TABLE; //由于KeServiceDescrīptorTable只有一项,这里就简单点了 

extern PSERVICE_DEscrīptOR_TABLE     KeServiceDescrīptorTable;//KeServiceDescrīptorTable为导出函数 



///////////////////////////////////// 

VOID Hook(); 

VOID Unhook(); 

VOID OnUnload(IN PDRIVER_OBJECT DriverObject); 

////////////////////////////////////// 

ULONG JmpAddress;//跳转到NtOpenProcess里的地址 

ULONG OldServiceAddress;//原来NtOpenProcess的服务地址 

////////////////////////////////////// 

__declspec(naked) NTSTATUS __stdcall MyNtOpenProcess(PHANDLE ProcessHandle, 

               ACCESS_MASK DesiredAccess, 

               POBJECT_ATTRIBUTES ObjectAttributes, 

               PCLIENT_ID ClientId)  

{ 

   DbgPrint("NtOpenProcess() called"); 

   __asm{ 

     push     0C4h 

     push     804eb560h   //共十个字节 

     jmp     [JmpAddress]     

  } 

} 

/////////////////////////////////////////////////// 

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,PUNICODE_STRING RegistryPath) 

{ 

   DriverObject->DriverUnload = OnUnload; 

   DbgPrint("Unhooker load"); 

   Hook(); 

   return STATUS_SUCCESS; 

} 

///////////////////////////////////////////////////// 

VOID OnUnload(IN PDRIVER_OBJECT DriverObject) 

{ 

   DbgPrint("Unhooker unload!"); 

   Unhook(); 

} 

///////////////////////////////////////////////////// 

VOID Hook() 

{ 

   ULONG   Address; 

   Address = (ULONG)KeServiceDescrīptorTable->ServiceTableBase + 0x7A * 4;//0x7A为NtOpenProcess服务ID 

   DbgPrint("Address:0x%08X",Address); 



   ōldServiceAddress = *(ULONG*)Address;//保存原来NtOpenProcess的地址 

   DbgPrint("OldServiceAddress:0x%08X",OldServiceAddress); 



   DbgPrint("MyNtOpenProcess:0x%08X",MyNtOpenProcess); 



   JmpAddress = (ULONG)NtOpenProcess + 10; //跳转到NtOpenProcess函数头＋10的地方，这样在其前面写的JMP都失效了 

   DbgPrint("JmpAddress:0x%08X",JmpAddress); 

     

   __asm{//去掉内存保护 

     cli 

         mov   eax,cr0 

     and   eax,not 10000h 

     mov   cr0,eax 

   } 



   *((ULONG*)Address) = (ULONG)MyNtOpenProcess;//HOOK SSDT 



   __asm{//恢复内存保护   

           mov   eax,cr0 

     or   eax,10000h 

     mov   cr0,eax 

     sti 

   } 

} 

////////////////////////////////////////////////////// 

VOID Unhook() 

{ 

   ULONG   Address; 

   Address = (ULONG)KeServiceDescrīptorTable->ServiceTableBase + 0x7A * 4;//查找SSDT 



   __asm{ 

     cli 

           mov   eax,cr0 

     and   eax,not 10000h 

     mov   cr0,eax 

   } 



   *((ULONG*)Address) = (ULONG)OldServiceAddress;//还原SSDT 



   __asm{   

         mov   eax,cr0 

     or   eax,10000h 

     mov   cr0,eax 

     sti 

   } 



   DbgPrint("Unhook"); 

} 

××××××××××××××××××××××××××××××××××××××××××××××××××××××××××