前段时间做键盘程序找的资料，一个钩子程序，程序本身没有什么，主要是用了大量的api函数值得大家参考一下。-side of the keyboard to do procedures for the information, a hook procedures, the process itself is nothing much to it. it is mainly used a lot of api function worth examined.

通过读取ntoskrnl.exe文件的导出函数API相对虚拟地址，找到ntoskrnl.exe在内存中的基地址，计算各个API真正的起始地址，比较SSDT表中对应的API地址，不同则去掉SSDT钩子的驱动代码-First,the driver code acquires the RVA of APIs the export table of ntoskrnl.exe.Second,program acquires the base address of ntoskrnl.exe loaded