看雪学院Rootkit学习，1.内核Hook:对于hook，从ring3有很多，ring3到ring0也有很多，根据api调用环节递进的顺序，在每一个环节都有hook的机会，可以有int 2e或者sysenter hook，ssdt hook，inline hook ，irp hook，object hook，idt hook-See snow Institute Rootkit learning, kernel Hook: hook from ring3 many, ring3 to ring

This driver is designed to collect metadata about securable objects such as // Process, File, Event, and Section objects. The metadata is used to construct // a chronological object log which conveys information about object definitions // and

Prototype for user-supplied service hook. This function is expected to return a type of factory object specific to the requested service.

wr960204武稀松.2012.2 主页 http://www.raysoftware.cn 通用Hook库. 支持X86和X64. Get 使用了开源的BeaEngine反汇编引擎.BeaEngine的好处是可以用BCB编译成OMF格式的Obj, 被链接进Delphi的DCU和目标文件中.不需要额外带DLL. BeaEngin引擎 http://www.beaengine.org/ 限制: 1.不能Hook代码大小小于