updates and moves

n/a

Win32/Proof of Concepts/CheckKernelEATHook/CheckKernelHook/CheckKernelHook.sln

@@ -0,0 +1,20 @@
+
+Microsoft Visual Studio Solution File, Format Version 11.00
+# Visual Studio 2010
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CheckKernelHook", "CheckKernelHook\CheckKernelHook.vcxproj", "{D49C7CB9-A5C2-4377-A234-7C440407A30E}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Win32 = Debug|Win32
+		Release|Win32 = Release|Win32
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{D49C7CB9-A5C2-4377-A234-7C440407A30E}.Debug|Win32.ActiveCfg = Debug|Win32
+		{D49C7CB9-A5C2-4377-A234-7C440407A30E}.Debug|Win32.Build.0 = Debug|Win32
+		{D49C7CB9-A5C2-4377-A234-7C440407A30E}.Release|Win32.ActiveCfg = Release|Win32
+		{D49C7CB9-A5C2-4377-A234-7C440407A30E}.Release|Win32.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal

Win32/Proof of Concepts/CheckKernelEATHook/CheckKernelHook/CheckKernelHook/AddService.cpp

@@ -0,0 +1,114 @@
+#include "AddService.h"
+#include "stdafx.h"
+#include "CheckKernelHookDlg.h"
+#include <Winsvc.h>
+#pragma once
+
+
+BOOL Release(){
+	// 	HRSRC res = FindResource(NULL,MAKEINTRESOURCE(IDR_SYS),TEXT("BINARY"));
+	// 	if(!res)
+	// 		return FALSE;
+	// 	HGLOBAL resGlobal = LoadResource(NULL,res);
+	// 	if(!resGlobal)
+	// 		return FALSE;
+	// 	DWORD size=SizeofResource(NULL,res);
+	// 	BYTE* ptr=(BYTE*)LockResource(resGlobal);
+	// 	if(!ptr)
+	// 		return FALSE;
+	HANDLE hFile=CreateFile(TEXT("ReloadKernel.sys"), GENERIC_WRITE,
+		0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
+	if(hFile==INVALID_HANDLE_VALUE)
+		return FALSE;
+	DWORD dw;
+	// 	if(!WriteFile(hFile,ptr,size,&dw,NULL)){
+	// 		CloseHandle(hFile);
+	// 		return FALSE;
+	// 	}
+	CloseHandle(hFile);
+	return TRUE;
+}
+
+
+
+
+BOOL UnloadDrv(TCHAR* DriverName){
+	SC_HANDLE      hSCManager;
+	SC_HANDLE      hService;
+	SERVICE_STATUS ss;
+
+
+	hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
+	if (!hSCManager){
+		return FALSE;
+	}
+
+
+	hService = OpenService( hSCManager,DriverName,SERVICE_ALL_ACCESS);
+	if( !hService ) {
+		CloseServiceHandle(hSCManager);
+		return FALSE;
+	}
+
+	ControlService(hService, SERVICE_CONTROL_STOP, &ss);
+	DeleteService(hService);
+	CloseServiceHandle(hService);
+	CloseServiceHandle(hSCManager);
+	return TRUE;
+}
+
+
+
+BOOL LoadDrv(TCHAR* DriverName){
+	TCHAR DrvFullPathName[MAX_PATH];
+	SC_HANDLE schSCManager;
+	SC_HANDLE schService;
+	UnloadDrv(L"CheckKernelHook");
+	// 	if(!Release())
+	// 		return FALSE;
+	GetFullPathName(TEXT("CheckKernelHook.sys"), MAX_PATH, DrvFullPathName, NULL);
+	schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
+	if (!schSCManager)
+		return FALSE;
+
+
+	schService = CreateService( 
+		schSCManager,DriverName,DriverName,
+		SERVICE_ALL_ACCESS,
+		SERVICE_KERNEL_DRIVER,
+		SERVICE_DEMAND_START,
+		SERVICE_ERROR_NORMAL,
+		DrvFullPathName,
+		NULL,NULL,NULL,NULL,NULL
+		);
+
+
+	if (!schService){
+		if (GetLastError() == ERROR_SERVICE_EXISTS){
+			schService = OpenService(schSCManager,DriverName,SERVICE_ALL_ACCESS);
+			if (!schService){
+				CloseServiceHandle(schSCManager);
+				return FALSE;
+			}
+		}else{
+			CloseServiceHandle(schSCManager);
+			return FALSE;
+		}
+	}
+
+
+	if (!StartService(schService,0,NULL)){
+		if ( !(GetLastError()==ERROR_SERVICE_ALREADY_RUNNING ) ){
+			CloseServiceHandle(schService);
+			CloseServiceHandle(schSCManager);
+			return FALSE;
+		}
+	}
+
+
+	CloseServiceHandle(schService);
+	CloseServiceHandle(schSCManager);
+	return TRUE;
+}
+
+

Win32/Proof of Concepts/CheckKernelEATHook/CheckKernelHook/CheckKernelHook/AddService.h

@@ -0,0 +1,5 @@
+#include "stdafx.h"
+
+BOOL Release();
+BOOL UnloadDrv(TCHAR* DriverName);
+BOOL LoadDrv(TCHAR* DriverName);

Win32/Proof of Concepts/CheckKernelEATHook/CheckKernelHook/CheckKernelHook/CheckKernelHook.cpp

@@ -0,0 +1,94 @@
+
+// CheckKernelHook.cpp : 定义应用程序的类行为。
+//
+
+#include "stdafx.h"
+#include "CheckKernelHook.h"
+#include "CheckKernelHookDlg.h"
+
+#ifdef _DEBUG
+#define new DEBUG_NEW
+#endif
+
+
+// CCheckKernelHookApp
+
+BEGIN_MESSAGE_MAP(CCheckKernelHookApp, CWinApp)
+	ON_COMMAND(ID_HELP, &CWinApp::OnHelp)
+END_MESSAGE_MAP()
+
+
+// CCheckKernelHookApp 构造
+
+CCheckKernelHookApp::CCheckKernelHookApp()
+{
+	// 支持重新启动管理器
+	m_dwRestartManagerSupportFlags = AFX_RESTART_MANAGER_SUPPORT_RESTART;
+
+	// TODO: 在此处添加构造代码，
+	// 将所有重要的初始化放置在 InitInstance 中
+}
+
+
+// 唯一的一个 CCheckKernelHookApp 对象
+
+CCheckKernelHookApp theApp;
+
+
+// CCheckKernelHookApp 初始化
+
+BOOL CCheckKernelHookApp::InitInstance()
+{
+	// 如果一个运行在 Windows XP 上的应用程序清单指定要
+	// 使用 ComCtl32.dll 版本 6 或更高版本来启用可视化方式，
+	//则需要 InitCommonControlsEx()。否则，将无法创建窗口。
+	INITCOMMONCONTROLSEX InitCtrls;
+	InitCtrls.dwSize = sizeof(InitCtrls);
+	// 将它设置为包括所有要在应用程序中使用的
+	// 公共控件类。
+	InitCtrls.dwICC = ICC_WIN95_CLASSES;
+	InitCommonControlsEx(&InitCtrls);
+
+	CWinApp::InitInstance();
+
+
+	AfxEnableControlContainer();
+
+	// 创建 shell 管理器，以防对话框包含
+	// 任何 shell 树视图控件或 shell 列表视图控件。
+	CShellManager *pShellManager = new CShellManager;
+
+	// 标准初始化
+	// 如果未使用这些功能并希望减小
+	// 最终可执行文件的大小，则应移除下列
+	// 不需要的特定初始化例程
+	// 更改用于存储设置的注册表项
+	// TODO: 应适当修改该字符串，
+	// 例如修改为公司或组织名
+	SetRegistryKey(_T("应用程序向导生成的本地应用程序"));
+
+	CCheckKernelHookDlg dlg;
+	m_pMainWnd = &dlg;
+	INT_PTR nResponse = dlg.DoModal();
+	if (nResponse == IDOK)
+	{
+		// TODO: 在此放置处理何时用
+		//  “确定”来关闭对话框的代码
+	}
+	else if (nResponse == IDCANCEL)
+	{
+		// TODO: 在此放置处理何时用
+		//  “取消”来关闭对话框的代码
+	}
+
+	// 删除上面创建的 shell 管理器。
+	if (pShellManager != NULL)
+	{
+		delete pShellManager;
+	}
+
+	// 由于对话框已关闭，所以将返回 FALSE 以便退出应用程序，
+	//  而不是启动应用程序的消息泵。
+	return FALSE;
+}
+

Win32/Proof of Concepts/CheckKernelEATHook/CheckKernelHook/CheckKernelHook/CheckKernelHook.h

@@ -0,0 +1,32 @@
+
+// CheckKernelHook.h : PROJECT_NAME 应用程序的主头文件
+//
+
+#pragma once
+
+#ifndef __AFXWIN_H__
+	#error "在包含此文件之前包含“stdafx.h”以生成 PCH 文件"
+#endif
+
+#include "resource.h"		// 主符号
+
+
+// CCheckKernelHookApp:
+// 有关此类的实现，请参阅 CheckKernelHook.cpp
+//
+
+class CCheckKernelHookApp : public CWinApp
+{
+public:
+	CCheckKernelHookApp();
+
+// 重写
+public:
+	virtual BOOL InitInstance();
+
+// 实现
+
+	DECLARE_MESSAGE_MAP()
+};
+
+extern CCheckKernelHookApp theApp;

Win32/Proof of Concepts/CheckKernelEATHook/CheckKernelHook/CheckKernelHook/CheckKernelHook.vcxproj

@@ -0,0 +1,129 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{D49C7CB9-A5C2-4377-A234-7C440407A30E}</ProjectGuid>
+    <RootNamespace>CheckKernelHook</RootNamespace>
+    <Keyword>MFCProj</Keyword>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>Unicode</CharacterSet>
+    <UseOfMfc>Dynamic</UseOfMfc>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+    <UseOfMfc>Dynamic</UseOfMfc>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_WINDOWS;_DEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+    <Midl>
+      <MkTypLibCompatible>false</MkTypLibCompatible>
+      <ValidateAllParameters>true</ValidateAllParameters>
+      <PreprocessorDefinitions>_DEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </Midl>
+    <ResourceCompile>
+      <Culture>0x0804</Culture>
+      <PreprocessorDefinitions>_DEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>$(IntDir);%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ResourceCompile>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;_WINDOWS;NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+    <Midl>
+      <MkTypLibCompatible>false</MkTypLibCompatible>
+      <ValidateAllParameters>true</ValidateAllParameters>
+      <PreprocessorDefinitions>NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </Midl>
+    <ResourceCompile>
+      <Culture>0x0804</Culture>
+      <PreprocessorDefinitions>NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <AdditionalIncludeDirectories>$(IntDir);%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+    </ResourceCompile>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <None Include="ReadMe.txt" />
+    <None Include="res\CheckKernelHook.ico" />
+    <None Include="res\CheckKernelHook.rc2" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="AddService.h" />
+    <ClInclude Include="CheckKernelHook.h" />
+    <ClInclude Include="CheckKernelHookDlg.h" />
+    <ClInclude Include="Resource.h" />
+    <ClInclude Include="stdafx.h" />
+    <ClInclude Include="targetver.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="AddService.cpp" />
+    <ClCompile Include="CheckKernelHook.cpp" />
+    <ClCompile Include="CheckKernelHookDlg.cpp" />
+    <ClCompile Include="stdafx.cpp">
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ResourceCompile Include="CheckKernelHook.rc" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+  <ProjectExtensions>
+    <VisualStudio>
+      <UserProperties RESOURCE_FILE="CheckKernelHook.rc" />
+    </VisualStudio>
+  </ProjectExtensions>
+</Project>

Win32/Proof of Concepts/CheckKernelEATHook/CheckKernelHook/CheckKernelHook/CheckKernelHook.vcxproj.filters

@@ -0,0 +1,65 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="源文件">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="头文件">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hpp;hxx;hm;inl;inc;xsd</Extensions>
+    </Filter>
+    <Filter Include="资源文件">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="ReadMe.txt" />
+    <None Include="res\CheckKernelHook.rc2">
+      <Filter>资源文件</Filter>
+    </None>
+    <None Include="res\CheckKernelHook.ico">
+      <Filter>资源文件</Filter>
+    </None>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="CheckKernelHook.h">
+      <Filter>头文件</Filter>
+    </ClInclude>
+    <ClInclude Include="CheckKernelHookDlg.h">
+      <Filter>头文件</Filter>
+    </ClInclude>
+    <ClInclude Include="stdafx.h">
+      <Filter>头文件</Filter>
+    </ClInclude>
+    <ClInclude Include="targetver.h">
+      <Filter>头文件</Filter>
+    </ClInclude>
+    <ClInclude Include="Resource.h">
+      <Filter>头文件</Filter>
+    </ClInclude>
+    <ClInclude Include="AddService.h">
+      <Filter>源文件</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="CheckKernelHook.cpp">
+      <Filter>源文件</Filter>
+    </ClCompile>
+    <ClCompile Include="CheckKernelHookDlg.cpp">
+      <Filter>源文件</Filter>
+    </ClCompile>
+    <ClCompile Include="stdafx.cpp">
+      <Filter>源文件</Filter>
+    </ClCompile>
+    <ClCompile Include="AddService.cpp">
+      <Filter>源文件</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ResourceCompile Include="CheckKernelHook.rc">
+      <Filter>资源文件</Filter>
+    </ResourceCompile>
+  </ItemGroup>
+</Project>

Win32/Proof of Concepts/CheckKernelEATHook/CheckKernelHook/CheckKernelHook/CheckKernelHookDlg.cpp

@@ -0,0 +1,283 @@
+
+// CheckKernelHookDlg.cpp : 实现文件
+//
+
+#include "stdafx.h"
+#include "CheckKernelHook.h"
+#include "CheckKernelHookDlg.h"
+#include "afxdialogex.h"
+#include "AddService.h"
+#ifdef _DEBUG
+#define new DEBUG_NEW
+#endif
+
+
+HANDLE g_hDevice = NULL;
+
+typedef struct
+{
+	WCHAR*     szTitle;           //列表的名称
+	int		  nWidth;            //列表的宽度
+
+}COLUMNSTRUCT;
+COLUMNSTRUCT g_Column_Data_Online[] = 
+{
+	{L"原始地址",			    148	},
+	{L"函数名称",			150	},
+	{L"Hook地址",	160	},
+	{L"模块名称",		300	},
+	{L"模块基址",			    80	},
+	{L"模块大小",		    81	},
+	{L"类型",			81	}
+};
+
+int g_Column_Count_Online = 7; //列表的个数
+int g_Column_Online_Width = 0; 
+
+
+// 用于应用程序“关于”菜单项的 CAboutDlg 对话框
+
+class CAboutDlg : public CDialogEx
+{
+public:
+	CAboutDlg();
+
+// 对话框数据
+	enum { IDD = IDD_ABOUTBOX };
+
+	protected:
+	virtual void DoDataExchange(CDataExchange* pDX);    // DDX/DDV 支持
+
+// 实现
+protected:
+	DECLARE_MESSAGE_MAP()
+};
+
+CAboutDlg::CAboutDlg() : CDialogEx(CAboutDlg::IDD)
+{
+}
+
+void CAboutDlg::DoDataExchange(CDataExchange* pDX)
+{
+	CDialogEx::DoDataExchange(pDX);
+}
+
+BEGIN_MESSAGE_MAP(CAboutDlg, CDialogEx)
+END_MESSAGE_MAP()
+
+
+// CCheckKernelHookDlg 对话框
+
+
+
+
+CCheckKernelHookDlg::CCheckKernelHookDlg(CWnd* pParent /*=NULL*/)
+	: CDialogEx(CCheckKernelHookDlg::IDD, pParent)
+{
+	m_hIcon = AfxGetApp()->LoadIcon(IDR_MAINFRAME);
+}
+
+void CCheckKernelHookDlg::DoDataExchange(CDataExchange* pDX)
+{
+	CDialogEx::DoDataExchange(pDX);
+	DDX_Control(pDX, IDC_LIST, m_List);
+}
+
+BEGIN_MESSAGE_MAP(CCheckKernelHookDlg, CDialogEx)
+	ON_WM_SYSCOMMAND()
+	ON_WM_PAINT()
+	ON_WM_QUERYDRAGICON()
+END_MESSAGE_MAP()
+
+
+// CCheckKernelHookDlg 消息处理程序
+
+BOOL CCheckKernelHookDlg::OnInitDialog()
+{
+	CDialogEx::OnInitDialog();
+
+	// 将“关于...”菜单项添加到系统菜单中。
+
+	// IDM_ABOUTBOX 必须在系统命令范围内。
+	ASSERT((IDM_ABOUTBOX & 0xFFF0) == IDM_ABOUTBOX);
+	ASSERT(IDM_ABOUTBOX < 0xF000);
+
+	CMenu* pSysMenu = GetSystemMenu(FALSE);
+	if (pSysMenu != NULL)
+	{
+		BOOL bNameValid;
+		CString strAboutMenu;
+		bNameValid = strAboutMenu.LoadString(IDS_ABOUTBOX);
+		ASSERT(bNameValid);
+		if (!strAboutMenu.IsEmpty())
+		{
+			pSysMenu->AppendMenu(MF_SEPARATOR);
+			pSysMenu->AppendMenu(MF_STRING, IDM_ABOUTBOX, strAboutMenu);
+		}
+	}
+
+	// 设置此对话框的图标。当应用程序主窗口不是对话框时，框架将自动
+	//  执行此操作
+	SetIcon(m_hIcon, TRUE);			// 设置大图标
+	SetIcon(m_hIcon, FALSE);		// 设置小图标
+
+	m_List.SetExtendedStyle(LVS_EX_FULLROWSELECT);
+	for (int i = 0; i < g_Column_Count_Online; i++)
+	{
+		m_List.InsertColumn(i, g_Column_Data_Online[i].szTitle,LVCFMT_CENTER,g_Column_Data_Online[i].nWidth);
+
+		g_Column_Online_Width+=g_Column_Data_Online[i].nWidth;  
+	}
+
+
+	//LoadDrv(L"CheckKernelHook");
+
+	g_hDevice = OpenDevice(L"\\\\.\\CheckKernelHookLinkName");
+	if (g_hDevice==(HANDLE)-1)
+	{
+		MessageBox(L"打开设备失败");
+		return TRUE;
+	}
+
+	
+
+
+	CheckKernelHook();
+	
+	return TRUE;  // 除非将焦点设置到控件，否则返回 TRUE
+}
+
+VOID CCheckKernelHookDlg::CheckKernelHook()
+{
+	ULONG_PTR ulCount = 0x1000;
+	PINLINEHOOKINFO PInlineHookInfo = NULL;
+	BOOL bRet = FALSE;
+	DWORD ulReturnSize = 0;
+	do 
+	{
+		ULONG_PTR ulSize = 0;
+		if (PInlineHookInfo)
+		{
+			free(PInlineHookInfo);
+			PInlineHookInfo = NULL;
+		}
+		ulSize = sizeof(INLINEHOOKINFO) + ulCount * sizeof(INLINEHOOKINFO_INFORMATION);
+		PInlineHookInfo = (PINLINEHOOKINFO)malloc(ulSize);
+		if (!PInlineHookInfo)
+		{
+			break;
+		}
+		memset(PInlineHookInfo,0,ulSize);
+		bRet = DeviceIoControl(g_hDevice,CTL_CHECKKERNELMODULE,
+			NULL,
+			0,
+			PInlineHookInfo,
+			ulSize,
+			&ulReturnSize,
+			NULL);
+		ulCount = PInlineHookInfo->ulCount + 1000;
+	} while (bRet == FALSE && GetLastError() == ERROR_INSUFFICIENT_BUFFER);
+
+	if(PInlineHookInfo->ulCount==0)
+	{
+		MessageBox(L"当前内核安全",L"");
+	}
+	else
+	{
+		InsertDataToList(PInlineHookInfo);
+	}
+	if (PInlineHookInfo)
+	{
+		free(PInlineHookInfo);
+		PInlineHookInfo = NULL;
+	}
+
+
+}
+
+VOID CCheckKernelHookDlg::InsertDataToList(PINLINEHOOKINFO PInlineHookInfo)
+{
+	CString OrgAddress,CurAddress,ModuleBase,ModuleSize;
+	for(int i=0;i<PInlineHookInfo->ulCount;i++)
+	{
+		OrgAddress.Format(L"0x%p",PInlineHookInfo->InlineHook[i].ulMemoryFunctionBase);
+		CurAddress.Format(L"0x%p",PInlineHookInfo->InlineHook[i].ulMemoryHookBase);
+		ModuleBase.Format(L"0x%p",PInlineHookInfo->InlineHook[i].ulHookModuleBase);
+		ModuleSize.Format(L"%d",PInlineHookInfo->InlineHook[i].ulHookModuleSize);
+		int n = m_List.InsertItem(m_List.GetItemCount(),OrgAddress,0);   //注意这里的i 就是Icon 在数组的位置
+		CString szFunc=L"";
+		CString ModuleName = L"";
+		szFunc +=PInlineHookInfo->InlineHook[i].lpszFunction;
+		ModuleName += PInlineHookInfo->InlineHook[i].lpszHookModuleImage;
+		m_List.SetItemText(n,1,szFunc);
+		m_List.SetItemText(n,2,CurAddress);
+		m_List.SetItemText(n,3,ModuleName);
+		m_List.SetItemText(n,4,ModuleBase);
+		m_List.SetItemText(n,5,ModuleSize);
+		CString Type= L"";
+		if(PInlineHookInfo->InlineHook[i].ulHookType==1)
+		{
+			Type +=L"SSDT Hook";
+		}
+		else if(PInlineHookInfo->InlineHook[i].ulHookType==2)
+		{
+			Type +=L"Next Call Hook";
+		}
+		else if(PInlineHookInfo->InlineHook[i].ulHookType==0)
+		{
+			Type +=L"Inline Hook";
+		}
+		m_List.SetItemText(n,6,Type);
+		
+	}
+	UpdateData(TRUE);
+}
+void CCheckKernelHookDlg::OnSysCommand(UINT nID, LPARAM lParam)
+{
+	if ((nID & 0xFFF0) == IDM_ABOUTBOX)
+	{
+		CAboutDlg dlgAbout;
+		dlgAbout.DoModal();
+	}
+	else
+	{
+		CDialogEx::OnSysCommand(nID, lParam);
+	}
+}
+
+// 如果向对话框添加最小化按钮，则需要下面的代码
+//  来绘制该图标。对于使用文档/视图模型的 MFC 应用程序，
+//  这将由框架自动完成。
+
+void CCheckKernelHookDlg::OnPaint()
+{
+	if (IsIconic())
+	{
+		CPaintDC dc(this); // 用于绘制的设备上下文
+
+		SendMessage(WM_ICONERASEBKGND, reinterpret_cast<WPARAM>(dc.GetSafeHdc()), 0);
+
+		// 使图标在工作区矩形中居中
+		int cxIcon = GetSystemMetrics(SM_CXICON);
+		int cyIcon = GetSystemMetrics(SM_CYICON);
+		CRect rect;
+		GetClientRect(&rect);
+		int x = (rect.Width() - cxIcon + 1) / 2;
+		int y = (rect.Height() - cyIcon + 1) / 2;
+
+		// 绘制图标
+		dc.DrawIcon(x, y, m_hIcon);
+	}
+	else
+	{
+		CDialogEx::OnPaint();
+	}
+}
+
+//当用户拖动最小化窗口时系统调用此函数取得光标
+//显示。
+HCURSOR CCheckKernelHookDlg::OnQueryDragIcon()
+{
+	return static_cast<HCURSOR>(m_hIcon);
+}
+

Win32/Proof of Concepts/CheckKernelEATHook/CheckKernelHook/CheckKernelHook/CheckKernelHookDlg.h

@@ -0,0 +1,76 @@
+
+// CheckKernelHookDlg.h : 头文件
+//
+
+#pragma once
+#include "afxcmn.h"
+#include "resource.h"
+#include <WinIoCtl.h>
+
+
+typedef struct _INLINEHOOKINFO_INFORMATION {          //INLINEHOOKINFO_INFORMATION
+	ULONG ulHookType;
+	ULONG ulMemoryFunctionBase;    //原始地址
+	ULONG ulMemoryHookBase;        //HOOK 地址
+	CHAR lpszFunction[256];
+	CHAR lpszHookModuleImage[256];
+	ULONG ulHookModuleBase;
+	ULONG ulHookModuleSize;
+
+} INLINEHOOKINFO_INFORMATION, *PINLINEHOOKINFO_INFORMATION;
+
+typedef struct _INLINEHOOKINFO {          //InlineHook
+	ULONG ulCount;
+	INLINEHOOKINFO_INFORMATION InlineHook[1];
+} INLINEHOOKINFO, *PINLINEHOOKINFO;
+
+
+
+
+#define CTL_CHECKKERNELMODULE \
+	CTL_CODE(FILE_DEVICE_UNKNOWN,0x830,METHOD_NEITHER,FILE_ANY_ACCESS)
+
+// CCheckKernelHookDlg 对话框
+class CCheckKernelHookDlg : public CDialogEx
+{
+// 构造
+public:
+	CCheckKernelHookDlg(CWnd* pParent = NULL);	// 标准构造函数
+
+// 对话框数据
+	enum { IDD = IDD_CHECKKERNELHOOK_DIALOG };
+
+	VOID CheckKernelHook();
+	VOID InsertDataToList(PINLINEHOOKINFO PInlineHookInfo);
+	protected:
+	virtual void DoDataExchange(CDataExchange* pDX);	// DDX/DDV 支持
+
+	HANDLE OpenDevice(LPCTSTR wzLinkPath)
+	{
+		HANDLE hDevice = CreateFile(wzLinkPath,
+			GENERIC_READ | GENERIC_WRITE,
+			FILE_SHARE_READ | FILE_SHARE_WRITE,
+			NULL,
+			OPEN_EXISTING,
+			FILE_ATTRIBUTE_NORMAL,
+			NULL);
+		if (hDevice == INVALID_HANDLE_VALUE)
+		{
+		}
+		return hDevice;
+	}
+
+
+// 实现
+protected:
+	HICON m_hIcon;
+
+	// 生成的消息映射函数
+	virtual BOOL OnInitDialog();
+	afx_msg void OnSysCommand(UINT nID, LPARAM lParam);
+	afx_msg void OnPaint();
+	afx_msg HCURSOR OnQueryDragIcon();
+	DECLARE_MESSAGE_MAP()
+public:
+	CListCtrl m_List;
+};

Win32/Proof of Concepts/CheckKernelEATHook/CheckKernelHook/CheckKernelHook/res/ReadMe.txt

@@ -0,0 +1 @@
+Check Kernel EAT Hook 

Win32/Proof of Concepts/CheckKernelEATHook/CheckKernelHook/CheckKernelHook/stdafx.cpp

@@ -0,0 +1,8 @@
+
+// stdafx.cpp : 只包括标准包含文件的源文件
+// CheckKernelHook.pch 将作为预编译头
+// stdafx.obj 将包含预编译类型信息
+
+#include "stdafx.h"
+
+

Win32/Proof of Concepts/CheckKernelEATHook/CheckKernelHook/CheckKernelHook/stdafx.h

@@ -0,0 +1,58 @@
+
+// stdafx.h : 标准系统包含文件的包含文件，
+// 或是经常使用但不常更改的
+// 特定于项目的包含文件
+
+#pragma once
+
+#ifndef _SECURE_ATL
+#define _SECURE_ATL 1
+#endif
+
+#ifndef VC_EXTRALEAN
+#define VC_EXTRALEAN            // 从 Windows 头中排除极少使用的资料
+#endif
+
+#include "targetver.h"
+
+#define _ATL_CSTRING_EXPLICIT_CONSTRUCTORS      // 某些 CString 构造函数将是显式的
+
+// 关闭 MFC 对某些常见但经常可放心忽略的警告消息的隐藏
+#define _AFX_ALL_WARNINGS
+
+#include <afxwin.h>         // MFC 核心组件和标准组件
+#include <afxext.h>         // MFC 扩展
+
+
+#include <afxdisp.h>        // MFC 自动化类
+
+
+
+#ifndef _AFX_NO_OLE_SUPPORT
+#include <afxdtctl.h>           // MFC 对 Internet Explorer 4 公共控件的支持
+#endif
+#ifndef _AFX_NO_AFXCMN_SUPPORT
+#include <afxcmn.h>             // MFC 对 Windows 公共控件的支持
+#endif // _AFX_NO_AFXCMN_SUPPORT
+
+#include <afxcontrolbars.h>     // 功能区和控件条的 MFC 支持
+
+
+
+
+
+
+
+
+
+#ifdef _UNICODE
+#if defined _M_IX86
+#pragma comment(linker,"/manifestdependency:\"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='x86' publicKeyToken='6595b64144ccf1df' language='*'\"")
+#elif defined _M_X64
+#pragma comment(linker,"/manifestdependency:\"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='amd64' publicKeyToken='6595b64144ccf1df' language='*'\"")
+#else
+#pragma comment(linker,"/manifestdependency:\"type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='*' publicKeyToken='6595b64144ccf1df' language='*'\"")
+#endif
+#endif
+
+

Win32/Proof of Concepts/CheckKernelEATHook/CheckKernelHook/CheckKernelHook/targetver.h

@@ -0,0 +1,8 @@
+#pragma once
+
+// 包括 SDKDDKVer.h 将定义最高版本的可用 Windows 平台。
+
+// 如果要为以前的 Windows 平台生成应用程序，请包括 WinSDKVer.h，并将
+// WIN32_WINNT 宏设置为要支持的平台，然后再包括 SDKDDKVer.h。
+
+#include <SDKDDKVer.h>