原作者Azy,发表于DebugMan论坛。
=======================================================
这个方法的最大好处在于简单~~不用分别处理~~
VOID __stdcall HandleMapData( IN PFILE_OBJECT FileObject, IN PLARGE_INTEGER FileOffset, IN ULONG Length, IN ULONG Flags, OUT PVOID *Bcb, OUT PVOID *Buffer ) { if(!_strnicmp((PCHAR)((ULONG)PsGetCurrentProcess() + ImageNameOffset), "explorer.exe", strlen("explorer.exe"))) { if(CcPinMappedData(FileObject, FileOffset, Length, Flags, Bcb)) { HandleFileHide(*Buffer, Length); } } return; } void __declspec(naked) NewCcMapData() { __asm { pushad pushfd cli push [ebp+1ch] push [ebp+18h] push [ebp+14h] push [ebp+10h] push [ebp+0ch] push [ebp+8] call HandleMapData sti popfd popad mov ecx, [ebp-10h] mov fs:0, ecx pop edi pop esi pop ebx _emit 0xc9 ret 18h } }