VC驱动监控进程的创建(3)
add ebx,40
push ebx
call check
cmp eax,1//由check()的返回值判断是否让可执行文件继续执行
jne block
popad
popfd
jmp RealCallee//通过,调用ntcreatesection
block:popad
mov ebx, dword ptr[esp+8]
mov dword ptr[ebx],0
mov eax,0xC0000022L//不让其通过,返回STATUS_ACCESS_DENIED
popfd
ret 32
}
}
到此，驱动程序的工作基本完成；因此在用户程序中使用一个线程来等待驱动的判断结果。
char*name=(char*)&outputbuff[8];
for(x=0;x<stringcount;x++)
{
if(!stricmp(name,strings[x])){a=1;goto skip;}
}
strcpy(msgbuff, "Do you want to run ");
strcat(msgbuff,&outputbuff[8]);
if(IDYES==MessageBox(0, msgbuff,"WARNING",
MB_YESNO|MB_ICONQUESTION|0x00200000L))
{a=1; strings[stringcount]=_strdup(name);stringcount++;}
else a=0;
// write response to the buffer, and driver will get it
skip:memmove(&outputbuff[4],&a,4);
//让驱动继续
a=0;
memmove(&outputbuff[0],&a,4);
}}