├── sources
    ├── HookGDI.c
    ├── Base.h
    ├── RootKit.c
    ├── SSDT.suo
    ├── RootKit.suo
    ├── SSDTHook.c
    ├── HookProcess.c
    ├── HookGDI.h
    ├── SSDT.rc
    ├── SSDTHook.h
    ├── ShadowHook.h
    ├── HookProcess.h
    ├── HookFile.h
    ├── RootKit.sln
    ├── ShadowHook.c
    ├── RootKit.h
    ├── HookFile.c
    └── RootKit.vcproj
└── README.md


/sources/HookGDI.c:
--------------------------------------------------------------------------------
1 | #include "HookGDI.h"


--------------------------------------------------------------------------------
/sources/Base.h:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yawenok/SSDT-Hook/HEAD/sources/Base.h


--------------------------------------------------------------------------------
/sources/RootKit.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yawenok/SSDT-Hook/HEAD/sources/RootKit.c


--------------------------------------------------------------------------------
/sources/SSDT.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yawenok/SSDT-Hook/HEAD/sources/SSDT.suo


--------------------------------------------------------------------------------
/sources/RootKit.suo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yawenok/SSDT-Hook/HEAD/sources/RootKit.suo


--------------------------------------------------------------------------------
/sources/SSDTHook.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yawenok/SSDT-Hook/HEAD/sources/SSDTHook.c


--------------------------------------------------------------------------------
/sources/HookProcess.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yawenok/SSDT-Hook/HEAD/sources/HookProcess.c


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # SSDT-Hook
2 | 2011年参加信息安全比赛时候写的项目，提取出Windows内核钩子示例程序，采用Hook“SSDT表”的方式:
3 | 1. 含有完整的内核钩子框架,在此基础上可以很方便的扩展；
4 | 2. 含有文件隐藏和进程隐藏的示例。
5 | 


--------------------------------------------------------------------------------
/sources/HookGDI.h:
--------------------------------------------------------------------------------
 1 | #ifndef __HOOKGDI_H
 2 | #define __HOOKGDI_H
 3 | 
 4 | 
 5 | 
 6 | 
 7 | 
 8 | 
 9 | 
10 | 
11 | 
12 | 
13 | #endif	// __HOOKGDI_H
14 | 


--------------------------------------------------------------------------------
/sources/SSDT.rc:
--------------------------------------------------------------------------------
 1 | #include <windows.h>
 2 | 
 3 | #include <ntverp.h>
 4 | 
 5 | #define VER_FILETYPE    VFT_DRV
 6 | #define VER_FILESUBTYPE VFT2_DRV_SYSTEM
 7 | #define VER_FILEDESCRIPTION_STR     "SSDT"
 8 | #define VER_INTERNALNAME_STR       "SSDT.sys"
 9 | 
10 | #include "common.ver"
11 | 
12 | 


--------------------------------------------------------------------------------
/sources/SSDTHook.h:
--------------------------------------------------------------------------------
 1 | #ifndef __SSDTHOOK_H__
 2 | #define __SSDTHOOK_H__
 3 | 
 4 | #include "Base.h"
 5 | 
 6 | BOOLEAN InitSSDTHook();
 7 | 
 8 | NTSTATUS InstallSSDTHook(ULONG oldService, ULONG newService);
 9 | 
10 | NTSTATUS UnInstallSSDTHook(ULONG oldService);
11 | 
12 | #endif	// __SSDTHOOK_H__
13 | 


--------------------------------------------------------------------------------
/sources/ShadowHook.h:
--------------------------------------------------------------------------------
 1 | #ifndef __SHADOWHOOK_H__
 2 | #define __SHADOWHOOK_H__
 3 | 
 4 | #include "Base.h"
 5 | 
 6 | BOOLEAN InitShadowHook();
 7 | 
 8 | NTSTATUS InstallShadowHook(ULONG oldService, ULONG newService);
 9 | 
10 | NTSTATUS UnInstallShadowHook(ULONG oldService);
11 | 
12 | #endif	// __SHADOWHOOK_H__
13 | 


--------------------------------------------------------------------------------
/sources/HookProcess.h:
--------------------------------------------------------------------------------
 1 | #ifndef __HOOKPROCESS_H
 2 | #define __HOOKPROCESS_H
 3 | 
 4 | #include "SSDTHook.h"
 5 | 
 6 | NTSTATUS HookNtTerminateProcess(
 7 | 								IN HANDLE ProcessHandle,
 8 | 								IN NTSTATUS ExitStatus
 9 | 								);
10 | 
11 | NTSTATUS OpenProcess(
12 | 					 IN ULONG uPID, 
13 | 					 OUT PHANDLE pHandle,
14 | 					 IN ACCESS_MASK DesiredAccess);
15 | 
16 | ULONG TerminateProcess(HANDLE hProcess);
17 | 
18 | ULONG KillProcess(ULONG uPID);
19 | 
20 | #endif	// __HOOKPROCESS_H
21 | 


--------------------------------------------------------------------------------
/sources/HookFile.h:
--------------------------------------------------------------------------------
 1 | #ifndef __HOOKFILE_H
 2 | #define __HOOKFILE_H
 3 | 
 4 | #include "SSDTHook.h"
 5 | 
 6 | NTSTATUS
 7 | HookNtDeleteFile(
 8 | 				 IN POBJECT_ATTRIBUTES  ObjectAttributes
 9 | 				 );
10 | 
11 | NTSTATUS 
12 | HookNtReadFile(
13 | 			   IN HANDLE  FileHandle,
14 | 			   IN HANDLE  Event  OPTIONAL,
15 | 			   IN PIO_APC_ROUTINE  ApcRoutine  OPTIONAL,
16 | 			   IN PVOID  ApcContext  OPTIONAL,
17 | 			   OUT PIO_STATUS_BLOCK  IoStatusBlock,
18 | 			   OUT PVOID  Buffer,
19 | 			   IN ULONG  Length,
20 | 			   IN PLARGE_INTEGER  ByteOffset  OPTIONAL,
21 | 			   IN PULONG  Key  OPTIONAL
22 | 			   );
23 | 
24 | NTSTATUS 
25 | HookNtSetInformationFile(
26 | 						 IN HANDLE  FileHandle,
27 | 						 OUT PIO_STATUS_BLOCK  IoStatusBlock,
28 | 						 IN PVOID  FileInformation,
29 | 						 IN ULONG  Length,
30 | 						 IN FILE_INFORMATION_CLASS  FileInformationClass
31 | 						 );
32 | 
33 | 
34 | #endif	// __HOOKFILE_H
35 | 


--------------------------------------------------------------------------------
/sources/RootKit.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 9.00
 3 | # Visual Studio 2005
 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "RootKit", "RootKit.vcproj", "{A8E192AF-03B3-4CC5-A1EB-A9A32612949C}"
 5 | EndProject
 6 | Global
 7 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 8 | 		Debug|Win32 = Debug|Win32
 9 | 		Release|Win32 = Release|Win32
10 | 	EndGlobalSection
11 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
12 | 		{A8E192AF-03B3-4CC5-A1EB-A9A32612949C}.Debug|Win32.ActiveCfg = Debug|Win32
13 | 		{A8E192AF-03B3-4CC5-A1EB-A9A32612949C}.Debug|Win32.Build.0 = Debug|Win32
14 | 		{A8E192AF-03B3-4CC5-A1EB-A9A32612949C}.Release|Win32.ActiveCfg = Release|Win32
15 | 		{A8E192AF-03B3-4CC5-A1EB-A9A32612949C}.Release|Win32.Build.0 = Release|Win32
16 | 	EndGlobalSection
17 | 	GlobalSection(SolutionProperties) = preSolution
18 | 		HideSolutionNode = FALSE
19 | 	EndGlobalSection
20 | EndGlobal
21 | 


--------------------------------------------------------------------------------
/sources/ShadowHook.c:
--------------------------------------------------------------------------------
 1 | #include "ShadowHook.h"
 2 | 
 3 | BOOLEAN __declspec(dllimport) _stdcall KeAddSystemServiceTable(PVOID, BOOLEAN, PVOID, PVOID, PVOID); 
 4 | 
 5 | ULONG GetCsrssProcessId()
 6 | {
 7 | 
 8 | 	return 0;
 9 | }
10 | 
11 | ULONG GetAddressOfShadowTable()   
12 | {   
13 | 	ULONG  uAddress = 0;
14 | 	ULONG  i		= 0;
15 | 	PULONG pAddress = (PULONG)KeAddSystemServiceTable;   
16 | 
17 | 	for (i = 0; i < 4096; i++, pAddress++)   
18 | 	{   
19 | 		__try   
20 | 		{   
21 | 			uAddress = *pAddress;   
22 | 		}   
23 | 		__except(EXCEPTION_EXECUTE_HANDLER)   
24 | 		{   
25 | 			return 0;   
26 | 		}   
27 | 
28 | 		if (MmIsAddressValid((PVOID)uAddress))   
29 | 		{   
30 | 			if (RtlEqualMemory((PVOID)uAddress, &KeServiceDescriptorTable, sizeof(ULONG)))   
31 | 			{   
32 | 				if ((PVOID)uAddress == &KeServiceDescriptorTable)   
33 | 				{   
34 | 					continue;   
35 | 				}
36 | 				return uAddress;   
37 | 			}   
38 | 		}   
39 | 	}   
40 | 
41 | 	return 0;   
42 | }
43 | 
44 | BOOLEAN InitShadowHook()
45 | {
46 | 	return TRUE;
47 | }
48 | 
49 | NTSTATUS InstallShadowHook(ULONG oldService, ULONG newService)
50 | {
51 | 	return STATUS_SUCCESS;
52 | }
53 | 
54 | NTSTATUS UnInstallShadowHook(ULONG oldService)
55 | {
56 | 	return STATUS_SUCCESS;
57 | }
58 | 


--------------------------------------------------------------------------------
/sources/RootKit.h:
--------------------------------------------------------------------------------
 1 | #ifndef __ROOTKIT_H
 2 | #define __ROOTKIT_H
 3 | 
 4 | #ifdef __cplusplus
 5 | extern "C" 
 6 | {
 7 | #endif
 8 | 
 9 | #include <ntifs.h>
10 | #include <ntddk.h>
11 | #include <tdiinfo.h>
12 | #include <tdistat.h>
13 | #include <devioctl.h> 
14 | 
15 | #ifdef __cplusplus
16 | }
17 | #endif
18 | 
19 | #include <stdlib.h>
20 | #include "SSDTHook.h"
21 | #include "ShadowHook.h"
22 | #include "HookFile.h"
23 | 
24 | #define DEVICE_NAME_PROCESS				L"\\Device\\RootKit_Grd"
25 | #define SYMBOLINK_NAME_PROCESS			L"\\??\\RootKit_Grd"
26 | 
27 | #define	ROOTKIT_DEVICE_TYPE				FILE_DEVICE_UNKNOWN
28 | 
29 | #define	IO_INSERT_ADD_PROTECTED			(ULONG) CTL_CODE(ROOTKIT_DEVICE_TYPE, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)
30 | #define	IO_INSERT_DEL_PROTECTED			(ULONG) CTL_CODE(ROOTKIT_DEVICE_TYPE, 0x802, METHOD_BUFFERED, FILE_ANY_ACCESS)
31 | #define	IO_INSERT_QUE_PROTECTED			(ULONG) CTL_CODE(ROOTKIT_DEVICE_TYPE, 0x803, METHOD_BUFFERED, FILE_ANY_ACCESS)
32 | 
33 | 
34 | NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING  pRegistryPath);
35 | 
36 | VOID DriverUnload(IN PDRIVER_OBJECT pDriverObject);
37 | 
38 | NTSTATUS Create(IN PDEVICE_OBJECT pDeviceObject, IN PIRP pIrp);
39 | NTSTATUS Close(IN PDEVICE_OBJECT pDeviceObject, IN PIRP pIrp);
40 | NTSTATUS Read(IN PDEVICE_OBJECT pDeviceObject, IN PIRP pIrp);
41 | NTSTATUS Write(IN PDEVICE_OBJECT pDeviceObject, IN PIRP pIrp);
42 | NTSTATUS Dispatch(IN PDEVICE_OBJECT pDeviceObject, IN PIRP pIrp);
43 | NTSTATUS IoControl(IN PDEVICE_OBJECT pDeviceObject, IN PIRP pIrp);
44 | 
45 | 
46 | #endif	// __ROOTKIT_H
47 | 


--------------------------------------------------------------------------------
/sources/HookFile.c:
--------------------------------------------------------------------------------
 1 | #include "HookFile.h"
 2 | 
 3 | typedef NTSTATUS
 4 | (* PHookNtDeleteFile)(
 5 | 					  IN POBJECT_ATTRIBUTES  ObjectAttributes
 6 | 					  );
 7 | 
 8 | typedef NTSTATUS 
 9 | (* PHookNtReadFile)(
10 | 			   IN HANDLE  FileHandle,
11 | 			   IN HANDLE  Event  OPTIONAL,
12 | 			   IN PIO_APC_ROUTINE  ApcRoutine  OPTIONAL,
13 | 			   IN PVOID  ApcContext  OPTIONAL,
14 | 			   OUT PIO_STATUS_BLOCK  IoStatusBlock,
15 | 			   OUT PVOID  Buffer,
16 | 			   IN ULONG  Length,
17 | 			   IN PLARGE_INTEGER  ByteOffset  OPTIONAL,
18 | 			   IN PULONG  Key  OPTIONAL
19 | 			   );
20 | 
21 | typedef NTSTATUS 
22 | (* PHookNtSetInformationFile)(
23 | 							  IN HANDLE  FileHandle,
24 | 							  OUT PIO_STATUS_BLOCK  IoStatusBlock,
25 | 							  IN PVOID  FileInformation,
26 | 							  IN ULONG  Length,
27 | 							  IN FILE_INFORMATION_CLASS  FileInformationClass
28 | 							  );
29 | 
30 | NTSTATUS
31 | HookNtDeleteFile(
32 | 				 IN POBJECT_ATTRIBUTES  ObjectAttributes
33 | 				 )
34 | {
35 | 	PHookNtDeleteFile pReal = (PHookNtDeleteFile)GetAddressFromBackupSSDT((ULONG)ZwDeleteFile);
36 | 
37 | 	return pReal(ObjectAttributes);
38 | }
39 | 
40 | NTSTATUS 
41 | HookNtReadFile(
42 | 			   IN HANDLE  FileHandle,
43 | 			   IN HANDLE  Event  OPTIONAL,
44 | 			   IN PIO_APC_ROUTINE  ApcRoutine  OPTIONAL,
45 | 			   IN PVOID  ApcContext  OPTIONAL,
46 | 			   OUT PIO_STATUS_BLOCK  IoStatusBlock,
47 | 			   OUT PVOID  Buffer,
48 | 			   IN ULONG  Length,
49 | 			   IN PLARGE_INTEGER  ByteOffset  OPTIONAL,
50 | 			   IN PULONG  Key  OPTIONAL
51 | 			   )
52 | {
53 | 	PFILE_OBJECT	pfile_Obj;
54 | 	NTSTATUS		rtStatus  = ObReferenceObjectByHandle(FileHandle, GENERIC_READ, *IoFileObjectType, KernelMode, (PVOID*)&pfile_Obj, 0);
55 | 	PHookNtReadFile pReal	  = (PHookNtReadFile)GetAddressFromBackupSSDT((ULONG)ZwReadFile);
56 | 
57 | 	KdPrint(("==>:%s\r\n",__FUNCTION__));
58 | 
59 | 	if (NT_SUCCESS(rtStatus))
60 | 	{
61 | 		if (NT_SUCCESS(rtStatus))
62 | 		{
63 | 			KdPrint(("FileName:%ws\r\n",pfile_Obj->FileName.Buffer));
64 | 		}
65 | 	}
66 | 
67 | 	KdPrint(("<==:%s\r\n",__FUNCTION__));
68 | 
69 | 	return pReal(FileHandle,Event,ApcRoutine,ApcContext,IoStatusBlock,Buffer,Length,ByteOffset,Key);
70 | }
71 | 
72 | NTSTATUS 
73 | HookNtSetInformationFile(
74 | 						 IN HANDLE  FileHandle,
75 | 						 OUT PIO_STATUS_BLOCK  IoStatusBlock,
76 | 						 IN PVOID  FileInformation,
77 | 						 IN ULONG  Length,
78 | 						 IN FILE_INFORMATION_CLASS  FileInformationClass
79 | 						 )
80 | {
81 | 	PFILE_OBJECT			  pfile_Obj;
82 | 	NTSTATUS				  rtStatus  = ObReferenceObjectByHandle(FileHandle, GENERIC_READ, *IoFileObjectType, KernelMode, (PVOID*)&pfile_Obj, 0);
83 | 	PHookNtSetInformationFile pReal	    = (PHookNtSetInformationFile)GetAddressFromBackupSSDT((ULONG)ZwSetInformationFile);
84 | 
85 | 	KdPrint(("==>:%s\r\n",__FUNCTION__));
86 | 
87 | 	if (NT_SUCCESS(rtStatus))
88 | 	{
89 | 		KdPrint(("FileName:%ws\r\n",pfile_Obj->FileName.Buffer));
90 | 	}
91 | 
92 | 	KdPrint(("<==:%s\r\n",__FUNCTION__));
93 | 
94 | 	return pReal(FileHandle,IoStatusBlock,FileInformation,Length,FileInformationClass);
95 | }
96 | 


--------------------------------------------------------------------------------
/sources/RootKit.vcproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="gb2312"?>
  2 | <VisualStudioProject
  3 | 	ProjectType="Visual C++"
  4 | 	Version="8.00"
  5 | 	Name="RootKit"
  6 | 	ProjectGUID="{A8E192AF-03B3-4CC5-A1EB-A9A32612949C}"
  7 | 	RootNamespace="SSDT"
  8 | 	>
  9 | 	<Platforms>
 10 | 		<Platform
 11 | 			Name="Win32"
 12 | 		/>
 13 | 	</Platforms>
 14 | 	<ToolFiles>
 15 | 	</ToolFiles>
 16 | 	<Configurations>
 17 | 		<Configuration
 18 | 			Name="Debug|Win32"
 19 | 			OutputDirectory="$(SolutionDir)$(ConfigurationName)"
 20 | 			IntermediateDirectory="$(ConfigurationName)"
 21 | 			ConfigurationType="1"
 22 | 			>
 23 | 			<Tool
 24 | 				Name="VCPreBuildEventTool"
 25 | 			/>
 26 | 			<Tool
 27 | 				Name="VCCustomBuildTool"
 28 | 			/>
 29 | 			<Tool
 30 | 				Name="VCXMLDataGeneratorTool"
 31 | 			/>
 32 | 			<Tool
 33 | 				Name="VCWebServiceProxyGeneratorTool"
 34 | 			/>
 35 | 			<Tool
 36 | 				Name="VCMIDLTool"
 37 | 			/>
 38 | 			<Tool
 39 | 				Name="VCCLCompilerTool"
 40 | 				Optimization="0"
 41 | 				AdditionalIncludeDirectories="$(WDKPATH)\inc\ddk;$(WDKPATH)\inc\api;$(WDKPATH)\inc\crt"
 42 | 				PreprocessorDefinitions="WIN32;_CONSOLE;_X86_;_DDK_;_DEBUG;DBG=1"
 43 | 				IgnoreStandardIncludePath="true"
 44 | 				ExceptionHandling="0"
 45 | 				BasicRuntimeChecks="0"
 46 | 				RuntimeLibrary="1"
 47 | 				BufferSecurityCheck="false"
 48 | 				EnableFunctionLevelLinking="true"
 49 | 				RuntimeTypeInfo="false"
 50 | 				UsePrecompiledHeader="0"
 51 | 				DebugInformationFormat="3"
 52 | 				CallingConvention="2"
 53 | 			/>
 54 | 			<Tool
 55 | 				Name="VCManagedResourceCompilerTool"
 56 | 			/>
 57 | 			<Tool
 58 | 				Name="VCResourceCompilerTool"
 59 | 			/>
 60 | 			<Tool
 61 | 				Name="VCPreLinkEventTool"
 62 | 			/>
 63 | 			<Tool
 64 | 				Name="VCLinkerTool"
 65 | 				AdditionalDependencies="ntoskrnl.lib hal.lib int64.lib ntstrsafe.lib exsup.lib ksecdd.lib"
 66 | 				OutputFile="$(OutDir)\$(ProjectName).sys"
 67 | 				LinkIncremental="1"
 68 | 				AdditionalLibraryDirectories="$(WDKPATH)\lib\WXP\i386"
 69 | 				GenerateManifest="false"
 70 | 				IgnoreAllDefaultLibraries="true"
 71 | 				GenerateDebugInformation="true"
 72 | 				SubSystem="3"
 73 | 				Driver="1"
 74 | 				EntryPointSymbol="DriverEntry"
 75 | 				TargetMachine="1"
 76 | 			/>
 77 | 			<Tool
 78 | 				Name="VCALinkTool"
 79 | 			/>
 80 | 			<Tool
 81 | 				Name="VCManifestTool"
 82 | 			/>
 83 | 			<Tool
 84 | 				Name="VCXDCMakeTool"
 85 | 			/>
 86 | 			<Tool
 87 | 				Name="VCBscMakeTool"
 88 | 			/>
 89 | 			<Tool
 90 | 				Name="VCFxCopTool"
 91 | 			/>
 92 | 			<Tool
 93 | 				Name="VCAppVerifierTool"
 94 | 			/>
 95 | 			<Tool
 96 | 				Name="VCWebDeploymentTool"
 97 | 			/>
 98 | 			<Tool
 99 | 				Name="VCPostBuildEventTool"
100 | 			/>
101 | 		</Configuration>
102 | 		<Configuration
103 | 			Name="Release|Win32"
104 | 			OutputDirectory="$(SolutionDir)$(ConfigurationName)"
105 | 			IntermediateDirectory="$(ConfigurationName)"
106 | 			ConfigurationType="1"
107 | 			>
108 | 			<Tool
109 | 				Name="VCPreBuildEventTool"
110 | 			/>
111 | 			<Tool
112 | 				Name="VCCustomBuildTool"
113 | 			/>
114 | 			<Tool
115 | 				Name="VCXMLDataGeneratorTool"
116 | 			/>
117 | 			<Tool
118 | 				Name="VCWebServiceProxyGeneratorTool"
119 | 			/>
120 | 			<Tool
121 | 				Name="VCMIDLTool"
122 | 			/>
123 | 			<Tool
124 | 				Name="VCCLCompilerTool"
125 | 				Optimization="3"
126 | 				InlineFunctionExpansion="2"
127 | 				EnableIntrinsicFunctions="true"
128 | 				WholeProgramOptimization="true"
129 | 				AdditionalIncludeDirectories="$(WDKPATH)\inc\ddk;$(WDKPATH)\inc\api;$(WDKPATH)\inc\crt"
130 | 				PreprocessorDefinitions="WIN32;_CONSOLE;_X86_;_DDK_;_NDEBUG;DBG=0"
131 | 				IgnoreStandardIncludePath="true"
132 | 				StringPooling="true"
133 | 				ExceptionHandling="0"
134 | 				BasicRuntimeChecks="0"
135 | 				RuntimeLibrary="0"
136 | 				BufferSecurityCheck="false"
137 | 				EnableFunctionLevelLinking="true"
138 | 				RuntimeTypeInfo="false"
139 | 				UsePrecompiledHeader="0"
140 | 				DebugInformationFormat="3"
141 | 				CallingConvention="2"
142 | 			/>
143 | 			<Tool
144 | 				Name="VCManagedResourceCompilerTool"
145 | 			/>
146 | 			<Tool
147 | 				Name="VCResourceCompilerTool"
148 | 			/>
149 | 			<Tool
150 | 				Name="VCPreLinkEventTool"
151 | 			/>
152 | 			<Tool
153 | 				Name="VCLinkerTool"
154 | 				AdditionalDependencies="ntoskrnl.lib hal.lib int64.lib ntstrsafe.lib exsup.lib ksecdd.lib"
155 | 				OutputFile="$(OutDir)\$(ProjectName).sys"
156 | 				LinkIncremental="1"
157 | 				AdditionalLibraryDirectories="$(WDKPATH)\lib\WXP\i386"
158 | 				GenerateManifest="false"
159 | 				IgnoreAllDefaultLibraries="true"
160 | 				GenerateDebugInformation="true"
161 | 				SubSystem="3"
162 | 				Driver="1"
163 | 				OptimizeReferences="2"
164 | 				LinkTimeCodeGeneration="1"
165 | 				EntryPointSymbol="DriverEntry"
166 | 				TargetMachine="1"
167 | 			/>
168 | 			<Tool
169 | 				Name="VCALinkTool"
170 | 			/>
171 | 			<Tool
172 | 				Name="VCManifestTool"
173 | 			/>
174 | 			<Tool
175 | 				Name="VCXDCMakeTool"
176 | 			/>
177 | 			<Tool
178 | 				Name="VCBscMakeTool"
179 | 			/>
180 | 			<Tool
181 | 				Name="VCFxCopTool"
182 | 			/>
183 | 			<Tool
184 | 				Name="VCAppVerifierTool"
185 | 			/>
186 | 			<Tool
187 | 				Name="VCWebDeploymentTool"
188 | 			/>
189 | 			<Tool
190 | 				Name="VCPostBuildEventTool"
191 | 			/>
192 | 		</Configuration>
193 | 	</Configurations>
194 | 	<References>
195 | 	</References>
196 | 	<Files>
197 | 		<Filter
198 | 			Name="Resource files"
199 | 			Filter="rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav"
200 | 			>
201 | 			<File
202 | 				RelativePath=".\SSDT.rc"
203 | 				>
204 | 			</File>
205 | 		</Filter>
206 | 		<Filter
207 | 			Name="Hook"
208 | 			>
209 | 			<File
210 | 				RelativePath=".\Base.h"
211 | 				>
212 | 			</File>
213 | 			<File
214 | 				RelativePath=".\ShadowHook.c"
215 | 				>
216 | 			</File>
217 | 			<File
218 | 				RelativePath=".\ShadowHook.h"
219 | 				>
220 | 			</File>
221 | 			<File
222 | 				RelativePath=".\SSDTHook.c"
223 | 				>
224 | 			</File>
225 | 			<File
226 | 				RelativePath=".\SSDTHook.h"
227 | 				>
228 | 			</File>
229 | 		</Filter>
230 | 		<Filter
231 | 			Name="HookFile"
232 | 			>
233 | 			<File
234 | 				RelativePath=".\HookFile.c"
235 | 				>
236 | 			</File>
237 | 			<File
238 | 				RelativePath=".\HookFile.h"
239 | 				>
240 | 			</File>
241 | 		</Filter>
242 | 		<Filter
243 | 			Name="HoolProcess"
244 | 			>
245 | 			<File
246 | 				RelativePath=".\HookProcess.c"
247 | 				>
248 | 			</File>
249 | 			<File
250 | 				RelativePath=".\HookProcess.h"
251 | 				>
252 | 			</File>
253 | 		</Filter>
254 | 		<Filter
255 | 			Name="HoolGDI"
256 | 			>
257 | 			<File
258 | 				RelativePath=".\HookGDI.c"
259 | 				>
260 | 			</File>
261 | 			<File
262 | 				RelativePath=".\HookGDI.h"
263 | 				>
264 | 			</File>
265 | 		</Filter>
266 | 		<Filter
267 | 			Name="RootKit"
268 | 			>
269 | 			<File
270 | 				RelativePath=".\RootKit.c"
271 | 				>
272 | 			</File>
273 | 			<File
274 | 				RelativePath=".\RootKit.h"
275 | 				>
276 | 			</File>
277 | 		</Filter>
278 | 		<File
279 | 			RelativePath="..\..\..\..\..\Application Data\Microsoft\Internet Explorer\Quick Launch\PExplorer.lnk"
280 | 			>
281 | 		</File>
282 | 	</Files>
283 | 	<Globals>
284 | 	</Globals>
285 | </VisualStudioProject>
286 | 


--------------------------------------------------------------------------------