|
386                                     ; NOTE(review): MASM spells this directive ".386"; the leading dot looks lost in this copy
.model flat, stdcall                    ; 32-bit flat model, stdcall procs (kernel-mode x86 driver)
option casemap:none

; Kernel-mode headers from the MASM32 w2k\ set (appears to be the Windows 2000
; era DDK bindings): NTSTATUS codes, DDK types and prototypes, ntoskrnl exports,
; undocumented structures. The driver links only against ntoskrnl.lib.
include \masm32\include\w2k\ntstatus.inc
include \masm32\include\w2k\ntddk.inc
include \masm32\include\w2k\ntoskrnl.inc
include \masm32\include\w2k\w2kundoc.inc
includelib \masm32\lib\w2k\ntoskrnl.lib
include \masm32\Macros\Strings.mac

.data
realaddr    dd 0                        ; original SSDT entry at slot 07ah, saved by DriverEntry,
                                        ; jumped to by hookproc, written back by DriverUnload
CR0Reg      dd 0                        ; copy of CR0 taken before each SSDT write and restored after it
Messaga1    db "OpenProcess",0          ; printed by hookproc on every intercepted call
Messaga2    db "Driver loaded", 0       ; printed once from DriverEntry
.code
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pusRegistryPath)
; Kernel-mode entry point (x86, flat, stdcall).
; Overwrites the System Service Descriptor Table entry at index 07ah -- which
; the original author's comment identifies as NtOpenProcess -- with hookproc,
; after saving the original pointer in realaddr, and registers DriverUnload.
; Returns eax = STATUS_SUCCESS unconditionally; pusRegistryPath is unused.
;
; NOTE(review): SSDT patching is the classic kernel-rootkit technique and is
; what SSDT-integrity checks look for: after this runs, slot 07ah points into
; a third-party driver image instead of the ntoskrnl image range, which any
; such check flags immediately.
; NOTE(review): the index 07ah is specific to the Windows build the author
; targeted; SSDT indices differ between releases, so on another build this
; patches a different system call.
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
    local pDeviceObject:PVOID               ; declared but never referenced

    pushad                                  ; all GPRs restored by popad below
    invoke DbgPrint, addr Messaga2          ; "Driver loaded"

    mov edi, KeServiceDescriptorTable       ; edi = &KeServiceDescriptorTable (ntoskrnl export)
    mov edi, [edi]                          ; edi = first dword of the descriptor (the service table base)
    mov eax, [edi+(07ah*4)]                 ; slot 07ah -- NtOpenProcess per the author's comment
    mov realaddr, eax                       ; keep the original handler for hookproc and DriverUnload

    cli                                     ; interrupts off (this CPU)
    mov eax, CR0
    mov CR0Reg, eax                         ; save CR0
    and eax, -1                             ; NOTE(review): -1 has every bit set, so eax is unchanged
                                            ; and the next write puts CR0 back exactly as it was
    mov cr0, eax
    mov [edi+(07ah*4)], dword ptr offset hookproc   ; replace the SSDT slot with hookproc
    mov eax, CR0Reg
    mov CR0, eax                            ; restore saved CR0
    sti

    mov eax, pDriverObject
    assume eax:PTR DRIVER_OBJECT
    mov [eax].DriverUnload, offset DriverUnload    ; let the system call DriverUnload on unload
    assume eax:nothing

    popad
    mov eax, STATUS_SUCCESS                 ; set after popad so the return value survives
    ret
DriverEntry endp

;:::::::::::::::::::::::::::::::::::::::::::::::::::::
; VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
; Writes the pointer saved in realaddr back into SSDT slot 07ah using the
; same cli / CR0 save-restore sequence as DriverEntry (including the same
; no-op mask). pDriverObject is unused.
;
; NOTE(review): nothing here waits for threads that are currently executing
; hookproc; once the driver image is unmapped such a thread faults in freed
; code. This is a common crash source with hooking drivers and is worth
; knowing when triaging a bug check that follows an unload.
;:::::::::::::::::::::::::::::::::::::::::::::::::::::
DriverUnload proc pDriverObject:PDRIVER_OBJECT
    pushad
    mov edi, KeServiceDescriptorTable
    mov edi, [edi]                          ; edi = service table base, as in DriverEntry
    cli
    mov eax, CR0
    mov CR0Reg, eax                         ; save CR0
    and eax, -1                             ; no-op (see DriverEntry)
    mov cr0, eax
    mov eax, dword ptr realaddr
    mov [edi+(07ah*4)], eax                 ; put the original handler back
    mov eax, CR0Reg
    mov CR0, eax                            ; restore saved CR0
    sti
    popad
    ret
DriverUnload endp

;::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; hookproc -- replacement SSDT entry for slot 07ah.
; Prints Messaga1 via DbgPrint, then tail-jumps to the saved original handler.
; No parameters or locals are declared, so MASM should emit no frame here
; (presumably -- confirm in the listing): the caller's arguments and return
; address stay in place and the original routine returns straight to the
; system-call dispatcher. The ret is commented out because the jmp never
; comes back.
;
; NOTE(review): DbgPrint runs on every intercepted call, so this is very
; noisy; the flood of kernel-debugger output is itself an easy tell.
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::
hookproc proc
    invoke DbgPrint, addr Messaga1          ; "OpenProcess"
    jmp dword ptr realaddr                  ; continue in the original handler
    ; ret
hookproc endp
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::
end DriverEntry
|