Windows 2K下的HANDLE_TABLE
/*
 * Kernel-mode (Windows 2000, x86) manipulation of the process CID table.
 *
 * Globals referenced but not defined in this listing (declared elsewhere in
 * the driver): g_PspCidTable, g_SystemPID, g_uPID, g_pApiAddress. NtBuildNumber
 * is the kernel's exported build-number variable.
 *
 * Reviewer notes (defensive reading of this listing):
 *  - The write below is done with CR0.WP cleared and goes into a kernel table
 *    whose layout is hard-coded for one build. Nothing here validates the
 *    intermediate table pointers or the PID range, so a wrong PID or a
 *    different build dereferences an arbitrary kernel address.
 *  - The entry that gets overwritten is never saved; there is no undo path.
 *  - A driver toggling CR0.WP around a kernel memory write is exactly the
 *    pattern integrity / anti-rootkit tooling looks for.
 */

/*
 * Copy the CID-table entry of g_SystemPID over the entry of uPID.
 *
 * uPID      - target process id (index into the three-level table).
 * bProtect  - NOT referenced in the body; the overwrite is unconditional.
 *
 * Returns FALSE only when g_PspCidTable is still 0 (SerachCidTable did not
 * locate it); TRUE after the write, regardless of whether the write made sense.
 */
BOOLEAN _2K_Protect(IN ULONG uPID,IN BOOLEAN bProtect)
{
    ULONG uHighTable,uMiddleTable,uLowTable;
    ULONG uObjectSystem;

    // Without the table address nothing below is safe to dereference.
    if(!g_PspCidTable) return FALSE;

    // Walk the table for g_SystemPID. The +8 offset and the 18/10-bit index
    // splits are a hard-coded assumption about this build's table layout;
    // none of the loaded pointers are checked for NULL before the next level.
    uHighTable = *(PULONG)((PUCHAR)(*(PULONG)g_PspCidTable) + 8);
    uMiddleTable = *(PULONG)(uHighTable + ((g_SystemPID & 0xffffff) >> 18)*4);
    uLowTable = *(PULONG)(uMiddleTable + ((g_SystemPID & 0x3ffff) >> 10 )*4);
    // Note the *2 stride here versus *4 for the pointer tables above; the
    // listing gives no way to confirm the entry size, treat as an assumption.
    uObjectSystem = *(PULONG)(uLowTable + (g_SystemPID & 0x3ff)*2);

    // Same walk for uPID. The top level is not recomputed (left commented out
    // in the original); uHighTable does not depend on the PID, so the value
    // from above is reused.
    // uHighTable = *(PULONG)((PUCHAR)(*(PULONG)g_PspCidTable) + 8);
    uMiddleTable = *(PULONG)(uHighTable + ((uPID & 0xffffff) >> 18)*4);
    uLowTable = *(PULONG)(uMiddleTable + ((uPID & 0x3ffff) >> 10 )*4);

    // Clear CR0.WP (bit 16) so the kernel write below is not faulted.
    // eax is pushed here and popped in the second block, across a C statement;
    // this relies on the compiler not touching the stack in between (fragile).
    // No IRQL raise / interrupt masking is visible, so WP stays clear across
    // whatever runs on this CPU until the second block executes.
    __asm{
        push eax
        mov eax,cr0
        and eax,0xfffeffff
        mov cr0,eax
    }
    // The old entry for uPID is discarded, not saved.
    *(PULONG)(uLowTable + (uPID & 0x3ff)*2) = uObjectSystem;
    // Restore CR0.WP and the saved eax.
    __asm{
        mov eax,cr0
        or eax,0x10000
        mov cr0,eax
        pop eax
    }

    // Diagnostic output of the resolved table addresses and the copied entry.
    DbgPrint("\nuHighTable : [%08x]\n", uHighTable);
    DbgPrint("uMiddleTable : [%08x]\n", uMiddleTable);
    DbgPrint("uLowTable : [%08x]\n", uLowTable);
    DbgPrint("g_uObject : [%08x]\n\n", uObjectSystem);
    return TRUE;
}

/*
 * Locate the unexported table pointer by matching a fixed byte signature at
 * g_pApiAddress+3 and g_pApiAddress+8, then reading the 32-bit value at +0x0a
 * into g_PspCidTable.
 *
 * This is a brittle, build-specific signature: on any mismatch the asm pops
 * eax and jumps straight to the C label __print, leaving g_PspCidTable
 * unchanged (and _2K_Protect will then return FALSE). The compare
 * instructions carry no explicit operand size; what width the assembler
 * picks is not verifiable from this listing.
 */
void SerachCidTable ()
{
    __asm{
        push eax
        mov eax,g_pApiAddress
        cmp [eax+3] ,0x56           ; first signature byte
        jz __FirstOk
        pop eax
        jmp __print                 ; mismatch: leave g_PspCidTable as is
    __FirstOk:
        cmp [eax+8],0x35ff          ; second signature word
        jz __SecondOk
        pop eax
        jmp __print                 ; mismatch: leave g_PspCidTable as is
    __SecondOk:
        mov eax,[eax+0x0a]          ; 32-bit operand following the signature
        mov g_PspCidTable,eax
        pop eax
    }
__print:
    // Prints 0 when the signature did not match.
    DbgPrint("g_PspCidTable :[%08x]\n",g_PspCidTable);
}

/*
 * Dispatch on the kernel build number (low 16 bits of *NtBuildNumber).
 *
 * bProtect - forwarded to _2K_Protect, which does not use it.
 *
 * Returns:
 *   1 - build 2195 (Windows 2000): _2K_Protect(g_uPID, ...) returned TRUE
 *   3 - build 2195: _2K_Protect returned FALSE (g_PspCidTable not located)
 *   2 - build 2600 (Windows XP): recognized, g_SystemPID set to 4, but no
 *       table manipulation is implemented for it here
 *   0 - any other build ("unsupported version" message)
 *
 * Side effect: sets the global g_SystemPID for the recognized builds.
 */
unsigned int DispatchProtect(IN BOOLEAN bProtect)
{
    ULONG ulBuildNumber;

    ulBuildNumber = *NtBuildNumber & 0x0000FFFF;
    DbgPrint("ulBuildNumber: [%08x]\n", ulBuildNumber);

    switch(ulBuildNumber)
    {
    case 0x893: // Windows 2000 [NT 5.00.2195]
        {
            DbgPrint("Windows version: 2000 [NT 5.00.2195]\n");
            g_SystemPID = 0x8;
            if(_2K_Protect(g_uPID,bProtect)) return 1;
            else return 3;
        }
    case 0xa28: // Windows XP [NT 5.1.2600]
        {
            DbgPrint("Windows version: XP [NT 5.1.2600]\n");
            g_SystemPID = 0x4;
            // XP path stops here; nothing is written for this build.
            return 2;
        }
    default:
        {
            // Message text (Chinese): "This version is not supported!"
            DbgPrint("不支持此版本!");
            return 0;
        }
    }
}