
[原创]另一种进入NT内核方法的汇编版本

2008-01-09 16:12 120 查看
要说明的是,该方法本身不是我的原创,是其他大牛首先写出来的。

而我只是将该方法的C版本 "翻译" 成 masm32 版本。: )

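.386
.model flat, stdcall
option casemap:none

; MASM32 include/library paths. The path separators were stripped when the
; listing was pasted (they appeared as "c:masm32includewindows.inc"); the
; standard MASM32 layout is c:\masm32\include, c:\masm32\lib, c:\masm32\macros.
include c:\masm32\include\windows.inc
include c:\masm32\include\user32.inc
include c:\masm32\include\kernel32.inc
include c:\masm32\include\advapi32.inc        ; not referenced by the visible code
includelib c:\masm32\lib\user32.lib
includelib c:\masm32\lib\kernel32.lib
includelib c:\masm32\lib\advapi32.lib         ; not referenced by the visible code
include c:\masm32\macros\ucmacros.asm         ; WSTR macro: UTF-16 string literal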

; UNICODE_STRING as the NT kernel expects it (8 bytes in 32-bit code): a
; counted UTF-16 string, lengths in bytes, buffer not necessarily NUL-terminated.
; Filled in at run time by RtlInitUnicodeString (see start).
UNICODE_STRING STRUCT
_Length WORD ?                 ; presumably named _Length because LENGTH is a MASM operator
MaximumLength WORD ?
Buffer DWORD ?                 ; PWSTR
UNICODE_STRING ENDS

; Undocumented SYSTEM_INFORMATION_CLASS value: ZwSetSystemInformation loads
; the named image into the kernel and calls its entry point.
SystemLoadAndCallImage equ 38

; NTSTATUS ZwSetSystemInformation(SYSTEM_INFORMATION_CLASS, PVOID, ULONG)
; Not in the import libraries; resolved from ntdll.dll with GetProcAddress.
_ZwSetSystemInformation typedef proto :dword,:dword,:dword
lpZwSetSystemInformation typedef ptr _ZwSetSystemInformation

; VOID RtlInitUnicodeString(PUNICODE_STRING, PCWSTR)
; Same: resolved from ntdll.dll at run time.
_RtlInitUnicodeString typedef proto :dword,:dword
lpRtlInitUnicodeString typedef ptr _RtlInitUnicodeString

; Argument buffer for SystemLoadAndCallImage: only the NT path of the image
; to load (the UNICODE_STRING is initialised from drvnameW in start).
SYSTEM_LOAD_AND_CALL_IMAGE struct

ModuleName UNICODE_STRING <?>

SYSTEM_LOAD_AND_CALL_IMAGE ends

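.const
txt db 'Just Do It!',0                       ; message-box text
cp db 'hopy|侯佩',0                          ; message-box caption
; NT object-manager path of the driver image; "\??\" is the prefix the
; kernel-side path lookup expects in front of a drive letter (a bare
; "c:\..." Win32 path is presumably not accepted here). The backslashes were
; stripped when the listing was pasted: "??c: mpDrv.sys" was
; "\??\c:\tmpDrv.sys" with the "\t" turned into a tab. MASM strings have no
; escape sequences, so the backslashes are literal.
WSTR drvnameW,"\??\c:\tmpDrv.sys"            ; UTF-16, passed to RtlInitUnicodeString
drvname db '\??\c:\tmpDrv.sys',0             ; ANSI copy, unused by the visible code
dllname db 'ntdll.dll',0
szZwSetSystemInformation db 'ZwSetSystemInformation',0
szRtlInitUnicodeString db 'RtlInitUnicodeString',0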

.data?
hInstance dd ?                                     ; HMODULE of this exe (stored, not read)
hdll dd ?                                          ; HMODULE of ntdll.dll
stSysCallImage SYSTEM_LOAD_AND_CALL_IMAGE <>       ; argument block for ZwSetSystemInformation
ZwSetSystemInformation lpZwSetSystemInformation ?  ; function pointers filled by GetProcAddress
RtlInitUnicodeString lpRtlInitUnicodeString ?

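.code
;-----------------------------------------------------------------------
; start: load \??\c:\tmpDrv.sys into the kernel through the undocumented
; ZwSetSystemInformation(SystemLoadAndCallImage) call rather than the
; service-control-manager (CreateService/StartService) path. No service
; object is created by this route, so presumably monitoring keyed on
; service creation does not see it; kernel image-load events still do.
;
; Flow: resolve the two ntdll exports -> build the UNICODE_STRING argument
; -> ZwSetSystemInformation -> report.
;
; Changes vs. the original listing: the LoadLibrary/GetProcAddress results
; and the NTSTATUS from ZwSetSystemInformation were never checked, so a
; missing export would call a NULL pointer and a refused load (the caller
; presumably needs driver-load privilege, so an unprivileged run fails)
; still popped "Just Do It!". Now: missing export -> exit code 1;
; failed load -> exit code = NTSTATUS; success -> message box, exit 0.
; Continuation lines use "\" (MASM line continuation), which the pasted
; listing had lost.
;
; ABI: Win32 stdcall; eax scratch throughout, no callee-saved regs used.
;-----------------------------------------------------------------------
start:
        invoke  GetModuleHandle, 0
        mov     hInstance, eax

        invoke  LoadLibrary, addr dllname
        test    eax, eax
        jz      fail_resolve                 ; ntdll not mapped: nothing to resolve
        mov     hdll, eax

        invoke  GetProcAddress, hdll, addr szZwSetSystemInformation
        test    eax, eax
        jz      fail_resolve                 ; export missing on this build
        mov     ZwSetSystemInformation, eax

        invoke  GetProcAddress, hdll, addr szRtlInitUnicodeString
        test    eax, eax
        jz      fail_resolve
        mov     RtlInitUnicodeString, eax

        ; stSysCallImage.ModuleName := counted UTF-16 view of drvnameW
        invoke  RtlInitUnicodeString, addr stSysCallImage.ModuleName, \
                addr drvnameW

        invoke  ZwSetSystemInformation, SystemLoadAndCallImage, \
                addr stSysCallImage, \
                sizeof SYSTEM_LOAD_AND_CALL_IMAGE
        test    eax, eax                     ; NTSTATUS: sign bit set = warning/error
        js      fail_load

        invoke  MessageBox, NULL, addr txt, addr cp, MB_OK
        invoke  ExitProcess, NULL

fail_load:
        invoke  ExitProcess, eax             ; hand the NTSTATUS back as the exit code
fail_resolve:
        invoke  ExitProcess, 1
end start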