在 SSDT hook 中经常会有下面的代码：
// Function-pointer type for the original ("real") routine, with the same
// signature as ZwOpenProcess. IN/OUT are annotation macros and do not change
// the type; this typedef declares a type only, it does not itself call anything.
typedef NTSTATUS (__stdcall *REALZWOPENPROCESS)(OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId
);
// Holds the address the hook later calls through; it is assigned in code
// elided below ("......"), which this snippet does not show. If this is a
// file-scope object it starts out NULL, so it must not be called before the
// assignment has happened.
REALZWOPENPROCESS RealZwOpenProcess;
......
//为什么可以直接调用呢? 这个函数是否会调用内核的NtOpenProcess函数?为什么
// Plain indirect call through the saved pointer. Whether this reaches the
// kernel's NtOpenProcess depends entirely on what address the elided code
// ("......") stored in RealZwOpenProcess, which is not shown here. The four
// arguments are forwarded unchanged, so any checks the hook wants to apply
// to them must happen before this line.
status = RealZwOpenProcess(ProcessHandle,
DesiredAccess,
ObjectAttributes,
ClientId
);
------解决方案--------------------
REALZWOPENPROCESS
等效于下面的函数指针类型（它只是一个类型声明；调用的到底是不是内核的 NtOpenProcess，取决于省略号处给 RealZwOpenProcess 赋的是什么地址，通常是 hook 之前保存的原 SSDT 表项）：
NTSTATUS (__stdcall *)(OUT PHANDLE ProcessHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId
);
好好看看 typedef 的用法，
比如：
typedef char * pC;
这样
pC a;
就等于
char * a;