小弟初学驱动，按照8c6K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3E0K6M7$3c8Q4x3X3g2H3k6h3c8A6P5g2)9J5k6h3y4G2L8g2)9J5c8Y4m8W2k6r3W2&6x3e0m8Q4x3V1j5%4z5e0t1@1y4#2)9J5k6h3S2@1L8h3H3`. 的ssdt hook框架写了一个ZwQueryPerformanceCounter的hook，成功编译得到sys后，用InstDrv加载缺提示找不到指定的程序。用框架自带的hook ZwSetInformationFile和NtOpenProcess能正常使用。请问各位应当为何？下面是sources文件
# $Id$
TARGETNAME=EmptyDriver1
TARGETPATH=obj
TARGETLIBS = C:\WinDDK\7600.16385.1\lib\wxp\i386\ntdll.lib
TARGETTYPE=DRIVER

# Create browse info
#BROWSER_INFO=1
#BROWSERFILE=<some path>

# Additional defines for the C/C++ preprocessor
C_DEFINES=$(C_DEFINES)

SOURCES=hook_sample.c ssdt_hook_function.c
下面是主要代码，都是参照框架原先的写的。

#include "ssdt_hook_struct.h"

// 定义HOOK的函数原型

typedef
NTSTATUS
(NTAPI *NTQUERYPREFORMANCECOUNTER)( OUT   PLARGE_INTEGER PerformanceCount,
									 OUT   PLARGE_INTEGER PerformanceFrequency OPTIONAL
									   );

// 对于ntddk.h中未定义的函数
// 可以根据<<Undocument>>一书在这里给出定义
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryPerformanceCounter (
						   OUT   PLARGE_INTEGER PerformanceCount,
						   OUT   PLARGE_INTEGER PerformanceFrequency OPTIONAL
			   );

// ==============================================================
// 用户自定义HOOK例程



NTSTATUS MyNtOpenProcess(	    OUT PLARGE_INTEGER PerformanceCounter,
						OUT  PLARGE_INTEGER PerformanceFrequency OPTIONAL)
{


	NTQUERYPREFORMANCECOUNTER OldNtOpenProcess = 
		(NTQUERYPREFORMANCECOUNTER)OldServiceAddressTable[SERVICE_ID(ZwQueryPerformanceCounter)];

	
	return OldNtOpenProcess(PerformanceCounter,PerformanceFrequency);
}


// Unload例程 卸载钩子
VOID Unload(IN PDRIVER_OBJECT DriverObject)
{
	KdPrint(("Unload Routine.\n"));
	UnHookService((ULONG)ZwQueryPerformanceCounter);
}

// DriverEntry例程 初始化并安装钩子
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,
					 IN PUNICODE_STRING RegistryPath)
{
	DriverObject->DriverUnload = Unload;
	InitServicesTable();
	HookService((ULONG)ZwQueryPerformanceCounter, (ULONG)MyNtOpenProcess);
	return STATUS_SUCCESS;
}

[培训]科锐逆向工程师培训第53期2025年7月8日开班！