#include <ntddk.h>
/* Win32-style aliases that ntddk.h does not supply.
 * NOTE(review): recent WDKs already declare PCHAR, ULONG_PTR and DWORD_PTR
 * through ntddk.h; these redefinitions may conflict — confirm against the
 * toolchain this was built with. */
typedef unsigned long DWORD, *PDWORD;
typedef unsigned char BYTE, *PBYTE, *PCHAR;
typedef unsigned long ULONG_PTR;
typedef ULONG_PTR DWORD_PTR;
/* Saved original SSDT entry for ZwClose: written by DriverEntry, read by
 * my_ZwClose to forward the call and by DriverUnload to restore the table. */
NTSTATUS( *Real_ZwClose )( HANDLE Handle );
/* Yields the ServiceTable slot for a Zw* stub by reading the 32-bit value that
 * follows the stub's first byte (offset +1) and using it as the table index.
 * This presumes the 32-bit stub layout (one opcode byte, then the service
 * number); on 64-bit kernels the stub and table encodings differ — confirm.
 * NOTE(review): names beginning with '_' plus an uppercase letter are
 * reserved for the implementation. */
#define _Lookup( _Call ) \
KeServiceDescriptorTable.ServiceTable[* ( unsigned int * ) \
( ( unsigned char * ) _Call + 1 )]
/* Presumed layout of the kernel's KeServiceDescriptorTable export. */
typedef struct _SSDT
{
PDWORD ServiceTable;      /* service routine addresses, indexed by service number */
PDWORD CounterTableBase;  /* not used here */
DWORD ServiceLimit;       /* presumably the number of ServiceTable entries; not checked by this file */
PCHAR ArgumentTable;      /* not used here */
} SSDT;
/* Kernel export holding the system service table. Overwriting its entries is
 * the classic SSDT hook and also the classic detection signal: any
 * ServiceTable entry that resolves outside the kernel image is suspect. */
__declspec(dllimport) SSDT KeServiceDescriptorTable;
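/*
 * Swap the SSDT entry addressed by _OrigCall's Zw* stub for _Hook and return
 * the entry that was there, so the caller can forward to it and later restore it.
 *
 * _OrigCall: address of a kernel Zw* stub; the service number is read from
 *            the 32-bit value at offset +1 in the stub (32-bit stub layout).
 * _Hook:     routine to install in that slot.
 * Returns the previous slot contents, or NULL when the number read from the
 * stub is not below ServiceLimit — in that case the table is left untouched
 * instead of being written out of bounds.
 *
 * Not thread-safe: the read and the write are separate accesses, so a
 * concurrent caller can observe an inconsistent table.
 * NOTE(review): nothing here handles the table page being read-only, nor the
 * 64-bit kernel integrity checks that flag this kind of modification.
 */
DWORD_PTR *SSDT_Hook( DWORD_PTR *_OrigCall, DWORD_PTR *_Hook )
{
    unsigned int index = *( unsigned int * ) ( ( unsigned char * ) _OrigCall + 1 );
    DWORD_PTR *returnVal = NULL;

    /* A number that does not address a slot means the stub did not match the
     * layout we assumed; refuse rather than corrupt memory past the table. */
    if ( index >= KeServiceDescriptorTable.ServiceLimit ) {
        return NULL;
    }

    /* ServiceTable holds DWORDs, so go through DWORD_PTR for the pointer casts */
    returnVal = ( DWORD_PTR * ) ( DWORD_PTR ) KeServiceDescriptorTable.ServiceTable[index];
    KeServiceDescriptorTable.ServiceTable[index] = ( DWORD ) ( DWORD_PTR ) _Hook;
    return returnVal;
}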
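/*
 * Driver unload callback: puts the saved ZwClose entry back into the SSDT.
 *
 * DriverObject: unused; present only because the unload callback signature
 *               requires it.
 *
 * NOTE(review): a thread still executing inside my_ZwClose when this image is
 * unmapped would fault; there is no reference counting or grace period here.
 */
void DriverUnload( PDRIVER_OBJECT DriverObject )
{
    ( void ) DriverObject;

    /* Only restore when a hook was actually installed: writing a NULL entry
     * into the table would be worse than leaving it alone. */
    if ( Real_ZwClose != NULL ) {
        SSDT_Hook( ( DWORD_PTR * ) ZwClose, ( DWORD_PTR * ) Real_ZwClose );
        Real_ZwClose = NULL;
    }
}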
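/*
 * Replacement for ZwClose that DriverEntry installs in the SSDT.
 *
 * Handle: the handle being closed; passed through to the original unchanged.
 * Returns whatever the original ZwClose returns. The earlier version
 * discarded that status and always reported STATUS_SUCCESS, which hid real
 * failures (a bad handle, for instance) from every caller in the system.
 */
NTSTATUS my_ZwClose( HANDLE Handle )
{
    NTSTATUS status;

    /* Fires on every handle close system-wide, so this is very chatty */
    DbgPrint( "ZwClose called!" );

    /* Forward to the saved original and propagate its result verbatim */
    status = Real_ZwClose( Handle );
    return status;
}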
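/*
 * Driver entry point: registers the unload routine and installs my_ZwClose in
 * the SSDT, saving the original entry in Real_ZwClose.
 *
 * DriverObject: the driver object supplied by the I/O manager.
 * RegistryPath: unused.
 * Returns STATUS_SUCCESS when the hook is in place, STATUS_UNSUCCESSFUL when
 * SSDT_Hook yielded no usable original entry (the swap is undone first so a
 * failed load does not leave a pointer into an image that will not stay mapped).
 */
NTSTATUS DriverEntry( PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath )
{
    ( void ) RegistryPath;

    DriverObject->DriverUnload = DriverUnload;

    Real_ZwClose = ( NTSTATUS ( * )( HANDLE ) )
        SSDT_Hook( ( DWORD_PTR * ) ZwClose, ( DWORD_PTR * ) my_ZwClose );

    if ( Real_ZwClose == NULL ) {
        /* Nothing to forward to: put back what was there (NULL) and refuse to load.
         * DriverUnload is not invoked after a failed DriverEntry, so undo it here. */
        SSDT_Hook( ( DWORD_PTR * ) ZwClose, ( DWORD_PTR * ) Real_ZwClose );
        return STATUS_UNSUCCESSFUL;
    }

    return STATUS_SUCCESS;
}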