不完全类型检测 “typedef char type_must_be_complete[ sizeof(T)? 1: -1 ];”

最新推荐文章于 2023-09-03 11:40:58 发布
原创 最新推荐文章于 2023-09-03 11:40:58 发布 · 1k 阅读 · 1 ·
CC 4.0 BY-SA版权
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。

最近在关注Boost库中智能指针的相关知识,剖析到下面的一段代码,在头文件checked_delete.hpp中的用于释放空间的类模板函
checked_array_delete(T * x);:

template<class T> inline void checked_array_delete(T * x)  
{  
    typedef char type_must_be_complete[ sizeof(T)? 1: -1 ];  
    (void) sizeof(type_must_be_complete);  
    delete [] x;  
}

代码很简单,但表达的东西却很隐晦,其实这是一种不完全类型检测:T如果不是不完全类型那么sizeof(T)就应该是type_must_be_complete[-1],数组是不能为负数的,所以就会报错;
什么又是不完全类型呢?简单理解就是类型的定义不完整,比如只对类进行了声明,却未定义;


                

                
                
        

    

    
  


        

            

                      
                        最低0.47元/天 解锁文章
                        

                          
200万优质内容无限畅学

                          
                        

                      
            

        


    



                



	

		

			

				
					
muduo_base库学习笔记8——线程安全的单例类实现、pthread_once、atexit、typedef char T_must_be_<font color = orange>compl..

				
			

			

				

					qq_37299596的博客
				

				

					07-16
					
					333
					
				

			

		

		

			
				
了解单例模式:
实际应用中,有些对象,我们只需要一个就可以了,比如,一台计算机上可以连好几个打印机,但是这个计算机上的打印程序只能有一个,这里就可以通过单例模式来避免两个打印作业同时输出到打印机中,即在整个的打印过程中只有一个打印程序的实例。
单例模式是一种常用的软件设计模式。在它的核心结构中只包含一个被称为单例的特殊类。通过单例模式可以保证系统中一个类只有一个实例。
关于pthread_once
#include <pthread.h>

int pthread_once(pthread_on

			
		

	



                

            
              



	

		

			

				
					
重学IO:利用_IO_2_1_stdout泄露libc

				
			

			

				

					2301_79327647的博客
				

				

					08-19
					
					1090
					
				

			

		

		

			
				
这几天做IO类的题,发现自己是真的菜,决定暂时放一放apple1的学习,重新学习一下IO流。

本篇源码还是glibc-2.35。

			
		

	



              


  
              

                


	

		

			

				
					
C++删除完全类型数组

				
			

			

				

					hh1562535601的专栏
				

				

					03-17
					
					803
					
				

			

		

		

			
				
看智能指针的时候遇到一组函数蛮有意思的,即checked_delete(T* x)和checked_array_delete(T* x),这两个函数的作用是安全删除参数所指向的变量或数组。
template inline void checked_delete(T* x)
{
  typedef char type_must_be_complete[ sizeof(T)? 1: -1 ];

			
		

	





	

		

			

				
					
(void)sizeof(type_must_be_complete)检查完全类型

				
			

			

				

					lhh1113的博客
				

				

					02-21
					
					1185
					
				

			

		

		

			
				
检查完全类型:
举例如下
//BB.h
#include 
  2 class BB
  3 {
  4 public:
  5     BB()
  6     {
  7         std::cout<<"BB"<<std::endl;
  8     }
  9     ~BB()
 10     {
 11         std::cout<<"~BB"<<std::end

			
		

	



		

			
		



	

		

			

				
					
muduo编译出问题T_must_be_complete_type

				
			

			

				

					only_a_Heroic_car的博客
				

				

					11-30
					
					659
					
				

			

		

		

			
				
error: typedef ‘T_must_be_complete_type’ locally defined but not used [-Werror=unused-local-typedefs] typedef char T_must_be_complete_type[sizeof(T) == 0 ? -1 : 1];
解决办法:把 muduo目录里面的CMakelist.txt中的 -W...

			
		

	





	

		

			

				
					
C/C++常见考题深入分析之非完整版(我想永远也可能完整的,呵呵)

				
			

			

				

					Melody_1208的专栏
				

				

					11-11
					
					1375
					
				

			

		

		

			
				
首先请看如下代码:#include int getLength(char a[]);int main(){ char a[9]="123456789"char b[10]="123456789"char *b="123456789"; printf("sizeof a[]:%d/n",sizeof(a)); /* return the length of array a,inc

			
		

	





	

		

			

				
					
支持多线程的内存分配器__gnu_cxx::__mt_alloc

				
			

			

				

					陈嘉怡的专栏
				

				

					07-20
					
					2636
					
				

			

		

		

			
				
__gnu_cxx::new_allocator Simply wraps ::operator new and ::operator delete.

__gnu_cxx::malloc_allocator Simply wraps malloc and free. There is also a hook for an out-of-memory handler

__gnu_cxx:

			
		

	





	

		

			

				
					
#include <ntifs.h>
#include <ntddk.h>
#include <intrin.h>
#include "ptehook.h"
#define CR0_WP (1 << 16)
#define _WIN32_WINNT 0x0601
#define NTOS_MODE_USER
void HexDump(const void* data, size_t size);



typedef INT(*LDE_DISASM)(PVOID address, INT bits);
typedef unsigned long DWORD;
typedef unsigned __int64 ULONG64;

// 使用WDK标准类型
typedef unsigned char BYTE;

typedef LONG NTSTATUS;

// 修正的跳板指令结构
#pragma pack(push, 1)
typedef struct _JMP_ABS {
    BYTE opcode[6];     // FF 25 00 00 00 00 = jmp [rip+0]
    ULONG64 address;    // 目标地址 (紧跟在指令后)
} JMP_ABS, * PJMP_ABS;
#pragma pack(pop)
static_assert(sizeof(JMP_ABS) == 14, "JMP_ABS size must be 14 bytes");


LDE_DISASM lde_disasm;

// 初始化引擎
VOID lde_init()
{
    lde_disasm = (LDE_DISASM)ExAllocatePool(NonPagedPool, 12800);
    memcpy(lde_disasm, szShellCode, 12800);
}

// 得到完整指令长度,避免截断
ULONG GetFullPatchSize(PUCHAR Address)
{
    ULONG LenCount = 0, Len = 0;

    // 至少需要14字节
    while (LenCount <= 14)
    {
        Len = lde_disasm(Address, 64);
        Address = Address + Len;
        LenCount = LenCount + Len;
    }
    return LenCount;
}

#define PROCESS_NAME_LENGTH 16
#define DRIVER_TAG 'HKOB'

EXTERN_C char* PsGetProcessImageFileName(PEPROCESS process);
char target_process_name[] = "oxygen.exe";

typedef NTSTATUS(*fn_ObReferenceObjectByHandleWithTag)(
    HANDLE Handle,
    ACCESS_MASK DesiredAccess,
    POBJECT_TYPE ObjectType,
    KPROCESSOR_MODE AccessMode,
    ULONG Tag,
    PVOID* Object,
    POBJECT_HANDLE_INFORMATION HandleInformation
    );

fn_ObReferenceObjectByHandleWithTag g_OriginalObReferenceObjectByHandleWithTag = NULL;

// PTE Hook Framework
#define MAX_G_BIT_RECORDS 128
#define MAX_HOOK_COUNT 64
#define PAGE_ALIGN(va) ((PVOID)((ULONG_PTR)(va) & ~0xFFF))
#define PDPTE_PS_BIT (1 << 7)
#define PDE_PS_BIT (1 << 7)
#define PTE_NX_BIT (1ULL << 63)
#define CACHE_WB (6ULL << 3)

// 页表结构定义
typedef struct _PAGE_TABLE {
    UINT64 LineAddress;
    union {
        struct {
            UINT64 present : 1;
            UINT64 write : 1;
            UINT64 user : 1;
            UINT64 write_through : 1;
            UINT64 cache_disable : 1;
            UINT64 accessed : 1;
            UINT64 dirty : 1;
            UINT64 pat : 1;
            UINT64 global : 1;
            UINT64 ignored_1 : 3;
            UINT64 page_frame_number : 36;
            UINT64 reserved_1 : 4;
            UINT64 ignored_2 : 7;
            UINT64 protection_key : 4;
            UINT64 execute_disable : 1;
        } flags;
        UINT64 value;
    }*PteAddress;
    union {
        struct {
            UINT64 present : 1;
            UINT64 write : 1;
            UINT64 user : 1;
            UINT64 write_through : 1;
            UINT64 cache_disable : 1;
            UINT64 accessed : 1;
            UINT64 dirty : 1;
            UINT64 large_page : 1;
            UINT64 global : 1;
            UINT64 ignored_2 : 3;
            UINT64 page_frame_number : 36;
            UINT64 reserved_1 : 4;
            UINT64 ignored_3 : 7;
            UINT64 protection_key : 4;
            UINT64 execute_disable : 1;
        } flags;
        UINT64 value;
    }*PdeAddress;
    union {
        struct {
            UINT64 present : 1;
            UINT64 write : 1;
            UINT64 user : 1;
            UINT64 write_through : 1;
            UINT64 cache_disable : 1;
            UINT64 accessed : 1;
            UINT64 ignored_1 : 1;
            UINT64 page_size : 1;
            UINT64 ignored_2 : 4;
            UINT64 page_frame_number : 36;
            UINT64 reserved_1 : 4;
            UINT64 ignored_3 : 7;
            UINT64 protection_key : 4;
            UINT64 execute_disable : 1;
        } flags;
        UINT64 value;
    }*PdpteAddress;
    UINT64* Pml4Address;
    BOOLEAN IsLargePage;
    BOOLEAN Is1GBPage;
    UINT64 OriginalPte;
    UINT64 OriginalPde;
    UINT64 OriginalPdpte;
    UINT64 OriginalPml4e;
    HANDLE ProcessId;
} PAGE_TABLE, * PPAGE_TABLE;

// G位信息记录结构体
typedef struct _G_BIT_INFO {
    void* AlignAddress;
    union {
        struct {
            UINT64 present : 1;
            UINT64 write : 1;
            UINT64 user : 1;
            UINT64 write_through : 1;
            UINT64 cache_disable : 1;
            UINT64 accessed : 1;
            UINT64 dirty : 1;
            UINT64 large_page : 1;
            UINT64 global : 1;
            UINT64 ignored_2 : 3;
            UINT64 page_frame_number : 36;
            UINT64 reserved_1 : 4;
            UINT64 ignored_3 : 7;
            UINT64 protection_key : 4;
            UINT64 execute_disable : 1;
        } flags;
        UINT64 value;
    }*PdeAddress;
    union {
        struct {
            UINT64 present : 1;
            UINT64 write : 1;
            UINT64 user : 1;
            UINT64 write_through : 1;
            UINT64 cache_disable : 1;
            UINT64 accessed : 1;
            UINT64 dirty : 1;
            UINT64 pat : 1;
            UINT64 global : 1;
            UINT64 ignored_1 : 3;
            UINT64 page_frame_number : 36;
            UINT64 reserved_1 : 4;
            UINT64 ignored_2 : 7;
            UINT64 protection_key : 4;
            UINT64 execute_disable : 1;
        } flags;
        UINT64 value;
    }*PteAddress;
    BOOLEAN IsLargePage;
} G_BIT_INFO, * PG_BIT_INFO;

typedef struct _HOOK_INFO {
    void* OriginalAddress;
    void* HookAddress;
    UINT8 OriginalBytes[20];
    UINT8 HookBytes[20];
    UINT32 HookLength;
    BOOLEAN IsHooked;
    HANDLE ProcessId;
    union {
        struct {
            UINT64 present : 1;
            UINT64 write : 1;
            UINT64 user : 1;
            UINT64 write_through : 1;
            UINT64 cache_disable : 1;
            UINT64 accessed : 1;
            UINT64 dirty : 1;
            UINT64 pat : 1;
            UINT64 global : 1;
            UINT64 ignored_1 : 3;
            UINT64 page_frame_number : 36;
            UINT64 reserved_1 : 4;
            UINT64 ignored_2 : 7;
            UINT64 protection_key : 4;
            UINT64 execute_disable : 1;
        } flags;
        UINT64 value;
    }*HookedPte;
    union {
        struct {
            UINT64 present : 1;
            UINT64 write : 1;
            UINT64 user : 1;
            UINT64 write_through : 1;
            UINT64 cache_disable : 1;
            UINT64 accessed : 1;
            UINT64 dirty : 1;
            UINT64 large_page : 1;
            UINT64 global : 1;
            UINT64 ignored_2 : 3;
            UINT64 page_frame_number : 36;
            UINT64 reserved_1 : 4;
            UINT64 ignored_3 : 7;
            UINT64 protection_key : 4;
            UINT64 execute_disable : 1;
        } flags;
        UINT64 value;
    }*HookedPde;
} HOOK_INFO;

class PteHookManager {
public:
    bool fn_pte_inline_hook_bp_pg(HANDLE process_id, _Inout_ void** ori_addr, void* hk_addr);
    bool fn_remove_hook(HANDLE process_id, void* hook_addr);
    static PteHookManager* GetInstance();
    HOOK_INFO* GetHookInfo() { return m_HookInfo; }
    char* GetTrampLinePool() { return m_TrampLinePool; }
    UINT32 GetHookCount() { return m_HookCount; }
    bool fn_resume_global_bits(void* align_addr);
    ~PteHookManager(); // 添加析构函数声明

private:
    bool WriteTrampolineInstruction(void* trampoline, const JMP_ABS& jmpCmd);
    void fn_add_g_bit_info(void* align_addr, void* pde_address, void* pte_address);
    bool fn_isolation_pagetable(UINT64 cr3_val, void* replace_align_addr, void* split_pde);
    bool fn_isolation_pages(HANDLE process_id, void* ori_addr);
    bool fn_split_large_pages(void* in_pde, void* out_pde);
    NTSTATUS get_page_table(UINT64 cr3, PAGE_TABLE& table);
    void* fn_pa_to_va(UINT64 pa);
    UINT64 fn_va_to_pa(void* va);
    __forceinline KIRQL DisableWriteProtection();
    __forceinline void EnableWriteProtection(KIRQL oldIrql);
    void logger(const char* info, bool is_err, LONG err_code = 0);
    void PrintPageTableInfo(const PAGE_TABLE& table);
    void PrintHookInfo(const HOOK_INFO& hookInfo);
    void PrintGBitInfo(const G_BIT_INFO& gbitInfo);

    static constexpr SIZE_T MAX_HOOKS = 256;  // 根据需求调整
    G_BIT_INFO m_GbitRecords[MAX_G_BIT_RECORDS];
    UINT32 m_GbitCount = 0;
    void* m_PteBase = 0;
    HOOK_INFO m_HookInfo[MAX_HOOK_COUNT] = { 0 };
    DWORD m_HookCount = 0;
    char* m_TrampLinePool = nullptr; // 合并为一个声明
    UINT32 m_PoolUsed = 0;
    static PteHookManager* m_Instance;
};



PteHookManager* PteHookManager::m_Instance = nullptr;

// 实现部分
__forceinline KIRQL PteHookManager::DisableWriteProtection() {
    KIRQL oldIrql = KeRaiseIrqlToDpcLevel();
    UINT64 cr0 = __readcr0();
    __writecr0(cr0 & ~0x10000);  // 清除CR0.WP位
    _mm_mfence();
    return oldIrql;
}

__forceinline void PteHookManager::EnableWriteProtection(KIRQL oldIrql) {
    _mm_mfence();
    UINT64 cr0 = __readcr0();
    __writecr0(cr0 | 0x10000);  // 设置CR0.WP位
    KeLowerIrql(oldIrql);
}
void PteHookManager::logger(const char* info, bool is_err, LONG err_code) {
    if (is_err) {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,
            "[PTE_HOOK] ERROR: %s (0x%X)\n", info, err_code);
    }
    else {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
            "[PTE_HOOK] INFO: %s\n", info);
    }
}
void PteHookManager::PrintPageTableInfo(const PAGE_TABLE& table) {
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
        "[PTE_HOOK] Page Table Info for VA: 0x%p\n", (void*)table.LineAddress);

    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
        "  PML4E: 0x%llx (Address: 0x%p)\n", table.OriginalPml4e, table.Pml4Address);

    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
        "  PDPTE: 0x%llx (Address: 0x%p), Is1GBPage: %d\n",
        table.OriginalPdpte, table.PdpteAddress, table.Is1GBPage);

    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
        "  PDE: 0x%llx (Address: 0x%p), IsLargePage: %d\n",
        table.OriginalPde, table.PdeAddress, table.IsLargePage);

    if (!table.IsLargePage && !table.Is1GBPage) {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
            "  PTE: 0x%llx (Address: 0x%p)\n", table.OriginalPte, table.PteAddress);
    }
}

void PteHookManager::PrintHookInfo(const HOOK_INFO& hookInfo) {
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
        "[PTE_HOOK] Hook Info:\n");
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
        "  Original Address: 0x%p\n", hookInfo.OriginalAddress);
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
        "  Hook Address: 0x%p\n", hookInfo.HookAddress);
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
        "  Hook Length: %d\n", hookInfo.HookLength);
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
        "  Is Hooked: %d\n", hookInfo.IsHooked);

    // 打印原始字节
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "  Original Bytes: ");
    for (UINT32 i = 0; i < sizeof(hookInfo.OriginalBytes); i++) {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "%02X ", hookInfo.OriginalBytes[i]);
    }
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "\n");

    // 打印Hook字节
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "  Hook Bytes: ");
    for (UINT32 i = 0; i < sizeof(hookInfo.HookBytes); i++) {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "%02X ", hookInfo.HookBytes[i]);
    }
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "\n");
}

void PteHookManager::PrintGBitInfo(const G_BIT_INFO& gbitInfo) {
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
        "[PTE_HOOK] G-Bit Info:\n");
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
        "  Align Address: 0x%p\n", gbitInfo.AlignAddress);
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
        "  IsLargePage: %d\n", gbitInfo.IsLargePage);

    if (gbitInfo.PdeAddress) {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
            "  PDE: 0x%llx (Address: 0x%p)\n", gbitInfo.PdeAddress->value, gbitInfo.PdeAddress);
    }

    if (gbitInfo.PteAddress) {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
            "  PTE: 0x%llx (Address: 0x%p)\n", gbitInfo.PteAddress->value, gbitInfo.PteAddress);
    }
}

void* PteHookManager::fn_pa_to_va(UINT64 pa) {
    PHYSICAL_ADDRESS physAddr;
    physAddr.QuadPart = pa;
    return MmGetVirtualForPhysical(physAddr);
}

UINT64 PteHookManager::fn_va_to_pa(void* va) {
    PHYSICAL_ADDRESS physAddr = MmGetPhysicalAddress(va);
    return physAddr.QuadPart;
}

NTSTATUS PteHookManager::get_page_table(UINT64 cr3_val, PAGE_TABLE& table) {
    UINT64 va = table.LineAddress;
    UINT64 pml4e_index = (va >> 39) & 0x1FF;
    UINT64 pdpte_index = (va >> 30) & 0x1FF;
    UINT64 pde_index = (va >> 21) & 0x1FF;
    UINT64 pte_index = (va >> 12) & 0x1FF;

    // PML4
    UINT64 pml4_pa = cr3_val & ~0xFFF;
    UINT64* pml4_va = (UINT64*)fn_pa_to_va(pml4_pa);
    if (!pml4_va) return STATUS_INVALID_ADDRESS;

    table.Pml4Address = &pml4_va[pml4e_index];
    table.OriginalPml4e = *table.Pml4Address;
    if (!(table.OriginalPml4e & 1)) return STATUS_ACCESS_VIOLATION;

    // PDPTE
    UINT64 pdpte_pa = table.OriginalPml4e & ~0xFFF;
    UINT64* pdpte_va = (UINT64*)fn_pa_to_va(pdpte_pa);
    if (!pdpte_va) return STATUS_INVALID_ADDRESS;

    table.PdpteAddress = (decltype(table.PdpteAddress))&pdpte_va[pdpte_index];
    table.OriginalPdpte = table.PdpteAddress->value;
    table.Is1GBPage = (table.PdpteAddress->flags.page_size) ? TRUE : FALSE;
    if (!(table.OriginalPdpte & 1)) return STATUS_ACCESS_VIOLATION;
    if (table.Is1GBPage) return STATUS_SUCCESS;

    // PDE
    UINT64 pde_pa = table.OriginalPdpte & ~0xFFF;
    UINT64* pde_va = (UINT64*)fn_pa_to_va(pde_pa);
    if (!pde_va) return STATUS_INVALID_ADDRESS;

    table.PdeAddress = (decltype(table.PdeAddress))&pde_va[pde_index];
    table.OriginalPde = table.PdeAddress->value;
    table.IsLargePage = (table.PdeAddress->flags.large_page) ? TRUE : FALSE;
    if (!(table.OriginalPde & 1)) return STATUS_ACCESS_VIOLATION;
    if (table.IsLargePage) return STATUS_SUCCESS;

    // PTE
    UINT64 pte_pa = table.OriginalPde & ~0xFFF;
    UINT64* pte_va = (UINT64*)fn_pa_to_va(pte_pa);
    if (!pte_va) return STATUS_INVALID_ADDRESS;

    table.PteAddress = (decltype(table.PteAddress))&pte_va[pte_index];
    table.OriginalPte = table.PteAddress->value;
    if (!(table.OriginalPte & 1)) return STATUS_ACCESS_VIOLATION;

    // 打印页表信息
    PrintPageTableInfo(table);

    return STATUS_SUCCESS;
}

bool PteHookManager::fn_split_large_pages(void* in_pde_ptr, void* out_pde_ptr) {
    auto in_pde = (decltype(PAGE_TABLE::PdeAddress))in_pde_ptr;
    auto out_pde = (decltype(PAGE_TABLE::PdeAddress))out_pde_ptr;

    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
        "[PTE_HOOK] 正在拆分大页: 输入PDE=0x%llx, 输出PDE=0x%p\n",
        in_pde->value, out_pde);

    PHYSICAL_ADDRESS LowAddr = { 0 }, HighAddr = { 0 };
    HighAddr.QuadPart = MAXULONG64;
    auto pt = (decltype(PAGE_TABLE::PteAddress))MmAllocateContiguousMemorySpecifyCache(
        PAGE_SIZE, LowAddr, HighAddr, LowAddr, MmNonCached);

    if (!pt) {
        logger("分配连续内存失败 (用于拆分大页)", true);
        return false;
    }

    UINT64 start_pfn = in_pde->flags.page_frame_number;
    for (int i = 0; i < 512; i++) {
        pt[i].value = 0;
        pt[i].flags.present = 1;
        pt[i].flags.write = in_pde->flags.write;
        pt[i].flags.user = in_pde->flags.user;
        pt[i].flags.write_through = in_pde->flags.write_through;
        pt[i].flags.cache_disable = in_pde->flags.cache_disable;
        pt[i].flags.accessed = in_pde->flags.accessed;
        pt[i].flags.dirty = in_pde->flags.dirty;
        pt[i].flags.global = 0;
        pt[i].flags.page_frame_number = start_pfn + i;
    }

    out_pde->value = in_pde->value;
    out_pde->flags.large_page = 0;
    out_pde->flags.page_frame_number = fn_va_to_pa(pt) >> 12;

    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
        "[PTE_HOOK] 大页拆分完成: 新PTE表物理地址=0x%llx\n", fn_va_to_pa(pt));

    return true;
}

bool PteHookManager::fn_isolation_pagetable(UINT64 cr3_val, void* replace_align_addr, void* split_pde_ptr) {
    PHYSICAL_ADDRESS LowAddr = { 0 }, HighAddr = { 0 };
    HighAddr.QuadPart = MAXULONG64;

    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
        "[PTE_HOOK] 开始隔离页表: CR3=0x%llx, 地址=0x%p\n",
        cr3_val, replace_align_addr);

    auto Va4kb = (UINT64*)MmAllocateContiguousMemorySpecifyCache(PAGE_SIZE, LowAddr, HighAddr, LowAddr, MmNonCached);
    auto VaPt = (UINT64*)MmAllocateContiguousMemorySpecifyCache(PAGE_SIZE, LowAddr, HighAddr, LowAddr, MmNonCached);
    auto VaPdt = (UINT64*)MmAllocateContiguousMemorySpecifyCache(PAGE_SIZE, LowAddr, HighAddr, LowAddr, MmNonCached);
    auto VaPdpt = (UINT64*)MmAllocateContiguousMemorySpecifyCache(PAGE_SIZE, LowAddr, HighAddr, LowAddr, MmNonCached);

    if (!VaPt || !Va4kb || !VaPdt || !VaPdpt) {
        if (VaPt) MmFreeContiguousMemory(VaPt);
        if (Va4kb) MmFreeContiguousMemory(Va4kb);
        if (VaPdt) MmFreeContiguousMemory(VaPdt);
        if (VaPdpt) MmFreeContiguousMemory(VaPdpt);
        logger("分配连续内存失败 (用于隔离页表)", true);
        return false;
    }

    PAGE_TABLE Table = { 0 };
    Table.LineAddress = (UINT64)replace_align_addr;
    NTSTATUS status = get_page_table(cr3_val, Table);
    if (!NT_SUCCESS(status)) {
        MmFreeContiguousMemory(VaPt);
        MmFreeContiguousMemory(Va4kb);
        MmFreeContiguousMemory(VaPdt);
        MmFreeContiguousMemory(VaPdpt);
        logger("获取页表信息失败", true, status);
        return false;
    }

    UINT64 pte_index = (Table.LineAddress >> 12) & 0x1FF;
    UINT64 pde_index = (Table.LineAddress >> 21) & 0x1FF;
    UINT64 pdpte_index = (Table.LineAddress >> 30) & 0x1FF;
    UINT64 pml4e_index = (Table.LineAddress >> 39) & 0x1FF;

    memcpy(Va4kb, replace_align_addr, PAGE_SIZE);

    if (Table.IsLargePage && split_pde_ptr) {
        auto split_pde = (decltype(PAGE_TABLE::PdeAddress))split_pde_ptr;
        memcpy(VaPt, (void*)(split_pde->flags.page_frame_number << 12), PAGE_SIZE);
    }
    else {
        memcpy(VaPt, (void*)(Table.PdeAddress->flags.page_frame_number << 12), PAGE_SIZE);
    }

    memcpy(VaPdt, (void*)(Table.PdpteAddress->flags.page_frame_number << 12), PAGE_SIZE);
    memcpy(VaPdpt, (void*)(Table.Pml4Address[pml4e_index] & ~0xFFF), PAGE_SIZE);

    auto new_pte = (decltype(PAGE_TABLE::PteAddress))VaPt;
    new_pte[pte_index].flags.page_frame_number = fn_va_to_pa(Va4kb) >> 12;

    auto new_pde = (decltype(PAGE_TABLE::PdeAddress))VaPdt;
    new_pde[pde_index].value = Table.OriginalPde;
    new_pde[pde_index].flags.large_page = 0;
    new_pde[pde_index].flags.page_frame_number = fn_va_to_pa(VaPt) >> 12;

    auto new_pdpte = (decltype(PAGE_TABLE::PdpteAddress))VaPdpt;
    new_pdpte[pdpte_index].flags.page_frame_number = fn_va_to_pa(VaPdt) >> 12;

    auto new_pml4 = (UINT64*)fn_pa_to_va(cr3_val & ~0xFFF);
    new_pml4[pml4e_index] = (new_pml4[pml4e_index] & 0xFFF) | (fn_va_to_pa(VaPdpt) & ~0xFFF);

    __invlpg(replace_align_addr);

    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
        "[PTE_HOOK] 页表隔离完成: 新PFN=0x%llx\n", fn_va_to_pa(Va4kb) >> 12);

    return true;
}

bool PteHookManager::fn_isolation_pages(HANDLE process_id, void* ori_addr) {
    PEPROCESS Process;
    if (!NT_SUCCESS(PsLookupProcessByProcessId(process_id, &Process))) {
        logger("查找进程失败", true);
        return false;
    }

    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
        "[PTE_HOOK] 开始隔离页面: PID=%d, 地址=0x%p\n",
        (ULONG)(ULONG_PTR)process_id, ori_addr);

    KAPC_STATE ApcState;
    KeStackAttachProcess(Process, &ApcState);

    void* AlignAddr = PAGE_ALIGN(ori_addr);
    PAGE_TABLE Table = { 0 };
    Table.LineAddress = (UINT64)AlignAddr;

    UINT64 target_cr3 = *(UINT64*)((UCHAR*)Process + 0x28);
    if (!NT_SUCCESS(get_page_table(target_cr3, Table))) {
        KeUnstackDetachProcess(&ApcState);
        ObDereferenceObject(Process);
        logger("获取目标进程页表失败", true);
        return false;
    }

    bool success = false;
    decltype(PAGE_TABLE::PdeAddress) split_pde = nullptr;

    if (Table.IsLargePage) {
        split_pde = (decltype(PAGE_TABLE::PdeAddress))ExAllocatePoolWithTag(NonPagedPool, sizeof(*split_pde), 'pdeS');
        if (!split_pde || !fn_split_large_pages(Table.PdeAddress, split_pde)) {
            if (split_pde) ExFreePoolWithTag(split_pde, 'pdeS');
            KeUnstackDetachProcess(&ApcState);
            ObDereferenceObject(Process);
            logger("拆分大页失败", true);
            return false;
        }

        if (Table.PdeAddress->flags.global) {
            Table.PdeAddress->flags.global = 0;
            fn_add_g_bit_info(AlignAddr, Table.PdeAddress, nullptr);
            DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
                "[PTE_HOOK] 清除大页G位: PDE=0x%llx\n", Table.PdeAddress->value);
        }
    }
    else if (Table.PteAddress && Table.PteAddress->flags.global) {
        Table.PteAddress->flags.global = 0;
        fn_add_g_bit_info(AlignAddr, nullptr, Table.PteAddress);
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
            "[PTE_HOOK] 清除PTE G位: PTE=0x%llx\n", Table.PteAddress->value);
        success = fn_isolation_pagetable(__readcr3(), AlignAddr, split_pde);
        if (split_pde) ExFreePoolWithTag(split_pde, 'pdeS');
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
            "[PTE_HOOK] 页表状态: IsLargePage=%d, Is1GBPage=%d\n",
            Table.IsLargePage, Table.Is1GBPage);

        if (Table.PteAddress) {
            DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
                "[PTE_HOOK] PTE 值: 0x%llx (G位=%d)\n",
                Table.PteAddress->value, Table.PteAddress->flags.global);
        }


        KeUnstackDetachProcess(&ApcState);
        ObDereferenceObject(Process);

        if (success) {
            DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
                "[PTE_HOOK] 页面隔离成功\n");
        }
        else {
            logger("页面隔离失败", true);
        }

        return success;
    }

    KeUnstackDetachProcess(&ApcState);
    ObDereferenceObject(Process);
    return true;
}

bool PteHookManager::WriteTrampolineInstruction(void* trampoline, const JMP_ABS& jmpCmd)
{
    // 1. 确保8字节对齐
    if (reinterpret_cast<ULONG_PTR>(trampoline) & 0x7) {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,
            "[PTE_HOOK] 错误: 跳板地址未对齐 (0x%p)\n", trampoline);
        return false;
    }

    // 2. 禁用写保护
    KIRQL oldIrql = DisableWriteProtection();

    // 3. 直接写入内存
    RtlCopyMemory(trampoline, &jmpCmd, sizeof(JMP_ABS));

    // 4. 刷新缓存
    __invlpg(trampoline);
    _mm_mfence();

    // 5. 恢复写保护
    EnableWriteProtection(oldIrql);

    // 6. 验证写入
    BYTE buffer[sizeof(JMP_ABS)];
    RtlCopyMemory(buffer, trampoline, sizeof(buffer));

    if (memcmp(buffer, &jmpCmd, sizeof(jmpCmd)) != 0) {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,
            "[PTE_HOOK] 验证失败! 内存内容:\n");
        HexDump(buffer, sizeof(buffer));
        return false;
    }

    // 7. 反汇编验证
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
        "[PTE_HOOK] 跳板指令: jmp [rip+0] -> 0x%016llX\n",
        jmpCmd.address);

    return true;
}

// 辅助函数:十六进制转储
void HexDump(const void* data, size_t size) {
    const BYTE* bytes = static_cast<const BYTE*>(data);
    for (size_t i = 0; i < size; ++i) {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "%02X ", bytes[i]);
        if ((i + 1) % 16 == 0) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "\n");
    }
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "\n");
}


bool PteHookManager::fn_pte_inline_hook_bp_pg(HANDLE process_id, _Inout_ void** ori_addr, void* hk_addr)
{
    if (!ori_addr || !hk_addr || !*ori_addr) {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,
            "[PTE_HOOK] 错误: 无效参数 (ori_addr=%p, hk_addr=%p)\n",
            ori_addr, hk_addr);
        return false;
    }

    // 分配跳板池(如果尚未分配)
    if (!m_TrampLinePool) {
        PHYSICAL_ADDRESS LowAddr = { LowAddr.QuadPart = 0x100000 };
        PHYSICAL_ADDRESS HighAddr = { HighAddr.QuadPart = ~0ull };

        m_TrampLinePool = (char*)MmAllocateContiguousMemorySpecifyCache(
            PAGE_SIZE * 8, LowAddr, HighAddr, LowAddr, MmNonCached);

        if (!m_TrampLinePool) {
            DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,
                "[PTE_HOOK] 错误: 无法分配跳板池内存\n");
            return false;
        }

        // 设置内存保护属性
        PMDL pMdl = IoAllocateMdl(m_TrampLinePool, PAGE_SIZE * 8, FALSE, FALSE, NULL);
        if (pMdl) {
            MmBuildMdlForNonPagedPool(pMdl);
            MmProtectMdlSystemAddress(pMdl, PAGE_EXECUTE_READWRITE);
            IoFreeMdl(pMdl);
        }

        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
            "[PTE_HOOK] 跳板池分配成功: 地址=0x%p, 大小=%d字节\n",
            m_TrampLinePool, PAGE_SIZE * 8);
    }



 

    // 计算跳板位置(8字节对齐)
    void* trampoline = (void*)((ULONG_PTR)(m_TrampLinePool + m_PoolUsed + 7) & ~7) ;
    SIZE_T requiredSize = ((char*)trampoline - m_TrampLinePool) + sizeof(JMP_ABS);

    // 构造正确的跳转指令
    JMP_ABS jmpCmd = {};
    memcpy(jmpCmd.opcode, "\xFF\x25\x00\x00\x00\x00", 6); // jmp [rip+0]
    jmpCmd.address = reinterpret_cast<ULONG64>(hk_addr);

    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
        "[PTE_HOOK] 构造跳转指令:\n"
        "  目标地址: 0x%p\n"
        "  跳板位置: 0x%p\n"
        "  指令格式: FF 25 00 00 00 00 + 8字节地址\n",
        hk_addr, trampoline);

    // 写入跳板指令
    if (!WriteTrampolineInstruction(trampoline, jmpCmd)) {
        return false;
    }

    // 记录Hook信息
    bool hookRecorded = false;
    for (UINT32 i = 0; i < MAX_HOOK_COUNT; i++) {
        if (!m_HookInfo[i].IsHooked) {
            m_HookInfo[i].OriginalAddress = *ori_addr;
            m_HookInfo[i].HookAddress = trampoline;
            m_HookInfo[i].ProcessId = process_id;
            m_HookInfo[i].IsHooked = TRUE;
            RtlCopyMemory(m_HookInfo[i].HookBytes, &jmpCmd, sizeof(jmpCmd));
            m_HookInfo[i].HookLength = sizeof(JMP_ABS);
            m_HookCount++;

            DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
                "[PTE_HOOK] Hook记录 #%d: 原始地址=0x%p, 跳板=0x%p\n",
                i, *ori_addr, trampoline);

            hookRecorded = true;
            break;
        }
    }

    if (!hookRecorded) {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,
            "[PTE_HOOK] 错误: 超过最大Hook数量限制 (%d)\n", MAX_HOOK_COUNT);
        return false;
    }

    // 更新原始地址为跳板地址
    *ori_addr = trampoline;
    m_PoolUsed = (UINT32)requiredSize;

    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
        "[PTE_HOOK] Hook安装成功! 跳板指令:\n"
        "  jmp [rip+0] -> 0x%p\n",
        hk_addr);
    return true;
}




// 析构函数清理资源
PteHookManager::~PteHookManager()
{
    if (m_TrampLinePool) {
        MmFreeContiguousMemory(m_TrampLinePool);
        m_TrampLinePool = nullptr;
    }
}

bool PteHookManager::fn_remove_hook(HANDLE process_id, void* hook_addr) {
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
        "[PTE_HOOK] 尝试移除Hook: Hook地址=0x%p\n", hook_addr);

    for (UINT32 i = 0; i < m_HookCount; i++) {
        if (m_HookInfo[i].HookAddress == hook_addr && m_HookInfo[i].IsHooked) {
            DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
                "[PTE_HOOK] 找到匹配的Hook: 原始地址=0x%p\n", m_HookInfo[i].OriginalAddress);

            KIRQL oldIrql = DisableWriteProtection();
            memcpy(m_HookInfo[i].OriginalAddress, m_HookInfo[i].OriginalBytes,
                sizeof(m_HookInfo[i].OriginalBytes));
            EnableWriteProtection(oldIrql);

            m_HookInfo[i].IsHooked = FALSE;

            DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
                "[PTE_HOOK] Hook已成功移除\n");
            return true;
        }
    }

    logger("未找到匹配的Hook", true);
    return false;
}

void PteHookManager::fn_add_g_bit_info(void* align_addr, void* pde_address, void* pte_address) {
    if (m_GbitCount >= MAX_G_BIT_RECORDS) {
        logger("达到最大G位记录数量限制", true);
        return;
    }

    PG_BIT_INFO record = &m_GbitRecords[m_GbitCount++];
    record->AlignAddress = align_addr;
    record->PdeAddress = (decltype(G_BIT_INFO::PdeAddress))pde_address;
    record->PteAddress = (decltype(G_BIT_INFO::PteAddress))pte_address;
    record->IsLargePage = (pde_address && ((decltype(PAGE_TABLE::PdeAddress))pde_address)->flags.large_page);

    // 打印G位信息
    PrintGBitInfo(*record);
}

bool PteHookManager::fn_resume_global_bits(void* align_addr) {
    KIRQL oldIrql = DisableWriteProtection();
    bool found = false;

    DbgPrintEx(DPFLTR_ERROR_LEVEL, DPFLTR_INFO_LEVEL,
        "[PTE_HOOK] 开始恢复G位: 对齐地址=0x%p\n", align_addr);

    for (UINT32 i = 0; i < m_GbitCount; i++) {
        PG_BIT_INFO record = &m_GbitRecords[i];
        if (align_addr && record->AlignAddress != align_addr) continue;

        if (record->PteAddress) {
            record->PteAddress->flags.global = 1;
            __invlpg(record->AlignAddress);
            DbgPrintEx(DPFLTR_ERROR_LEVEL, DPFLTR_INFO_LEVEL,
                "  恢复PTE G位: PTE=0x%llx, 地址=0x%p\n",
                record->PteAddress->value, record->AlignAddress);
        }

        if (record->PdeAddress) {
            record->PdeAddress->flags.global = 1;
            if (record->IsLargePage) {
                __invlpg(record->AlignAddress);
            }
            DbgPrintEx(DPFLTR_ERROR_LEVEL, DPFLTR_INFO_LEVEL,
                "  恢复PDE G位: PDE=0x%llx, 地址=0x%p, 大页=%d\n",
                record->PdeAddress->value, record->AlignAddress, record->IsLargePage);
        }

        found = true;
        if (align_addr) break;
    }

    EnableWriteProtection(oldIrql);

    if (found) {
        DbgPrintEx(DPFLTR_ERROR_LEVEL, DPFLTR_INFO_LEVEL,
            "[PTE_HOOK] G位恢复完成\n");
    }
    else {
        logger("未找到匹配的G位记录", true);
    }

    return found;
}

PteHookManager* PteHookManager::GetInstance() {
    if (!m_Instance) {
        m_Instance = static_cast<PteHookManager*>(
            ExAllocatePoolWithTag(NonPagedPool, sizeof(PteHookManager), 'tpHk'));
        if (m_Instance) {
            RtlZeroMemory(m_Instance, sizeof(PteHookManager));
            DbgPrintEx(DPFLTR_ERROR_LEVEL, DPFLTR_INFO_LEVEL,
                "[PTE_HOOK] PTE Hook管理器实例已创建: 地址=0x%p\n", m_Instance);
        }
        else {
            DbgPrintEx(DPFLTR_ERROR_LEVEL, DPFLTR_ERROR_LEVEL,
                "[PTE_HOOK] 创建PTE Hook管理器实例失败\n");
        }
    }
    return m_Instance;
}

// 全局PTE Hook管理器实例
PteHookManager* g_PteHookManager = nullptr;

// 辅助函数:检查是否为目标进程
BOOLEAN IsTargetProcess(CHAR* imageName) {
    CHAR currentName[16];

    // 复制到本地缓冲区并确保 NULL 终止
    RtlCopyMemory(currentName, imageName, 16);
    currentName[15] = '\0'; // 确保终止

    // 修剪尾部空格
    for (int i = 15; i >= 0; i--) {
        if (currentName[i] == ' ') currentName[i] = '\0';
        else if (currentName[i] != '\0') break;
    }

    return (strcmp(currentName, target_process_name) == 0);
}

// Hook 函数
NTSTATUS MyObReferenceObjectByHandleWithTag(
    HANDLE Handle,
    ACCESS_MASK DesiredAccess,
    POBJECT_TYPE ObjectType,
    KPROCESSOR_MODE AccessMode,
    ULONG Tag,
    PVOID* Object,
    POBJECT_HANDLE_INFORMATION HandleInformation
) {
    __debugbreak(); // 强制中断,确认是否执行到这里
    PEPROCESS currentProcess = PsGetCurrentProcess();
    CHAR* imageName = PsGetProcessImageFileName(currentProcess);

    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
        "[!] [HookFunction] 进入 Hook 函数! 当前进程: %s\n", imageName);


    if (IsTargetProcess(imageName)) {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
            "[!] [HookFunction] 拒绝访问目标进程 PID=%d\n", HandleToULong(PsGetCurrentProcessId()));
        return STATUS_ACCESS_DENIED;
    }

    return g_OriginalObReferenceObjectByHandleWithTag(
        Handle,
        DesiredAccess,
        ObjectType,
        AccessMode,
        Tag,
        Object,
        HandleInformation
    );
}

NTSTATUS InstallHook() {
    UNICODE_STRING funcName;
    RtlInitUnicodeString(&funcName, L"ObReferenceObjectByHandleWithTag");

    g_OriginalObReferenceObjectByHandleWithTag = (fn_ObReferenceObjectByHandleWithTag)MmGetSystemRoutineAddress(&funcName);

    if (!g_OriginalObReferenceObjectByHandleWithTag) {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,
            "[-] [InstallHook] 找到 ObReferenceObjectByHandleWithTag\n");
        return STATUS_NOT_FOUND;
    }

    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
        "[+] [InstallHook] 找到目标函数地址: %p\n", g_OriginalObReferenceObjectByHandleWithTag);

    void* targetFunc = (void*)g_OriginalObReferenceObjectByHandleWithTag;
    void* hookFunc = (void*)MyObReferenceObjectByHandleWithTag;
    HANDLE currentProcessId = PsGetCurrentProcessId();

    if (!g_PteHookManager->fn_pte_inline_hook_bp_pg(currentProcessId, &targetFunc, hookFunc)) {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,
            "[-] [InstallHook] PTE Hook 安装失败\n");
        return STATUS_UNSUCCESSFUL;
    }

    g_OriginalObReferenceObjectByHandleWithTag = (fn_ObReferenceObjectByHandleWithTag)targetFunc;
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
        "[+] [InstallHook] Hook 成功安装. 跳板地址: %p\n", targetFunc);

  

    return STATUS_SUCCESS;
}

// 移除 Hook
VOID RemoveHook() {
    if (g_OriginalObReferenceObjectByHandleWithTag && g_PteHookManager) {
        g_PteHookManager->fn_remove_hook(PsGetCurrentProcessId(), (void*)MyObReferenceObjectByHandleWithTag);
    }
}

// 工作线程函数
VOID InstallHookWorker(PVOID Context) {
    UNREFERENCED_PARAMETER(Context);

    DbgPrint("[+] Worker thread started for hook installation\n");
    InstallHook();
    PsTerminateSystemThread(STATUS_SUCCESS);
}

// 进程创建回调
VOID ProcessNotifyCallback(
    _In_ HANDLE ParentId,
    _In_ HANDLE ProcessId,
    _In_ BOOLEAN Create
) {
    UNREFERENCED_PARAMETER(ParentId);

    if (Create) {
        PEPROCESS process = NULL;
        if (NT_SUCCESS(PsLookupProcessByProcessId(ProcessId, &process))) {
            CHAR* imageName = PsGetProcessImageFileName(process);

            CHAR currentName[16];
            RtlCopyMemory(currentName, imageName, 16);
            currentName[15] = '\0';
            for (int i = 15; i >= 0; i--) {
                if (currentName[i] == ' ') currentName[i] = '\0';
                else if (currentName[i] != '\0') break;
            }

            if (strcmp(currentName, target_process_name) == 0) {
                DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
                    "[+] [ProcessNotifyCallback] 目标进程 %s 创建 (PID: %d)\n", currentName, HandleToULong(ProcessId));

                HANDLE threadHandle;
                NTSTATUS status = PsCreateSystemThread(
                    &threadHandle,
                    THREAD_ALL_ACCESS,
                    NULL,
                    NULL,
                    NULL,
                    InstallHookWorker,
                    NULL
                );

                if (NT_SUCCESS(status)) {
                    ZwClose(threadHandle);
                    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,
                        "[+] [ProcessNotifyCallback] 工作线程已创建\n");
                }
                else {
                    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,
                        "[-] [ProcessNotifyCallback] 创建线程失败: 0x%X\n", status);
                }
            }

            ObDereferenceObject(process);
        }
    }
}


// 驱动卸载函数
VOID DriverUnload(PDRIVER_OBJECT DriverObject) {
    UNREFERENCED_PARAMETER(DriverObject);

    DbgPrint("[+] Driver unloading...\n");

    // 移除进程通知回调
    PsSetCreateProcessNotifyRoutineEx((PCREATE_PROCESS_NOTIFY_ROUTINE_EX)ProcessNotifyCallback, TRUE);

    // 移除Hook
    RemoveHook();

    // 清理PTE Hook资源
    if (g_PteHookManager) {
        DbgPrint("[PTE_HOOK] Cleaning up PTE...\n");

        // 恢复所有被修改的G位
        g_PteHookManager->fn_resume_global_bits(nullptr);

        // 移除所有活动的Hook
        HOOK_INFO* hookInfo = g_PteHookManager->GetHookInfo();
        UINT32 hookCount = g_PteHookManager->GetHookCount();
        for (UINT32 i = 0; i < hookCount; i++) {
            if (hookInfo[i].IsHooked) {
                g_PteHookManager->fn_remove_hook(PsGetCurrentProcessId(), hookInfo[i].HookAddress);
            }
        }

        // 释放跳板池内存
        char* trampLinePool = g_PteHookManager->GetTrampLinePool();
        if (trampLinePool) {
            ExFreePoolWithTag(trampLinePool, 'JmpP');
        }

        // 释放管理器实例
        ExFreePoolWithTag(g_PteHookManager, 'tpHk');
        g_PteHookManager = nullptr;
    }

    DbgPrint("[+] Driver unloaded successfully\n");
}

extern "C"
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) {
    UNREFERENCED_PARAMETER(RegistryPath);

    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "[+] [DriverEntry] 驱动加载开始\n");

    DriverObject->DriverUnload = DriverUnload;

    g_PteHookManager = PteHookManager::GetInstance();
    if (!g_PteHookManager) {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[-] [DriverEntry] 初始化 PteHookManager 失败\n");
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    NTSTATUS status = PsSetCreateProcessNotifyRoutineEx((PCREATE_PROCESS_NOTIFY_ROUTINE_EX)ProcessNotifyCallback, FALSE);
    if (!NT_SUCCESS(status)) {
        DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,
            "[-] [DriverEntry] 注册进程通知失败 (0x%X)\n", status);
        return status;
    }

    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "[+] [DriverEntry] 驱动加载成功\n");
    return STATUS_SUCCESS;
}
将整个代码修改正确

				
			

			

				

					06-25
				

			

		

		

			
				
static_assert(sizeof(JMP_ABS) == 14, "JMP_ABS size must be 14 bytes");  // 页表结构定义 typedef struct _PAGE_TABLE {  UINT64 LineAddress;  union {  struct {  UINT64 present : 1;  UINT64 write : 1;  ...

			
		

	





	

		

			

				
					
#include <ntifs.h>
#include <ntddk.h>
#include <intrin.h>
#include "ptehook.h"

#define CR0_WP (1 << 16)
#define DRIVER_TAG 'HKOB'
#define MAX_G_BIT_RECORDS 128
#define MAX_HOOK_COUNT 64
#define PAGE_ALIGN(va) ((PVOID)((ULONG_PTR)(va) & ~0xFFF))
#define PTE_NX_BIT (1ULL << 63)

// 调试打印宏
#define LOG_ERROR(fmt, ...) \
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[PTE_HOOK] ERROR: " fmt "\n", ##__VA_ARGS__)

#define LOG_INFO(fmt, ...) \
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "[PTE_HOOK] INFO: " fmt "\n", ##__VA_ARGS__)

#define LOG_TRACE(fmt, ...) \
    DbgPrintEx(DPFLTR极IHVDRIVER_ID, DPFLTR_TRACE_LEVEL, "[PTE_HOOK] TRACE: " fmt "\n", ##__VA_ARGS__)

// 修正的跳板指令结构
#pragma pack(push, 1)
typedef struct _JMP_ABS {
    UINT8 opcode[6];     // FF 25 00 00 00 00 = jmp [rip+0]
    ULONG64 address;    // 目标地址 (紧跟在指令后)
} JMP_ABS, * PJMP_ABS;
#pragma pack(pop)
static_assert(sizeof(JMP_ABS) == 14, "JMP_ABS size must be 14 bytes");

// 声明PsGetProcessImageFileName
extern "C" NTSYSAPI CHAR* NTAPI PsGetProcessImageFileName(PEPROCESS Process);

// 页表结构定义
typedef struct _PAGE_TABLE {
    UINT64 LineAddress;
    union {
        struct {
            UINT64 present : 1;
            UINT64 write : 1;
            UINT64 user : 1;
            UINT64 write_through : 1;
            UINT64 cache_disable : 1;
            UINT64 accessed : 1;
            UINT64 dirty : 1;
            UINT64 pat : 1;
            UINT64 global : 1;
            UINT64 ignored_1 : 3;
            UINT64 page_frame_number : 36;
            UINT64 reserved_1 : 极;
            UINT64 ignored_2 : 7;
            UINT64 protection_key : 4;
            UINT64 execute_disable : 1;
        } flags;
        UINT64 value;
    }*PteAddress;
    union {
        struct {
            UINT64 present : 1;
            UINT64 write : 1;
            UINT64 user : 1;
            UINT64 write_through : 1;
            UINT64 cache_disable : 1;
            UINT64 accessed : 1;
            UINT64 dirty : 1;
            UINT64 large_page : 1;
            UINT64 global : 1;
            UINT64 ignored_2 : 3;
            UINT64 page_frame_number : 36;
            UINT64 reserved_1 : 4;
            UINT64 ignored_3 : 7;
            UINT64 protection_key : 4;
            UINT64 execute_disable : 1;
        } flags;
        UINT64 value;
    }*PdeAddress;
    union {
        struct {
            UINT64 present : 1;
            UINT64 write : 1;
            UINT64 user : 1;
            UINT64 write_through : 1;
            UINT64 cache_disable : 1;
            UINT64 accessed : 1;
            UINT64 ignored_1 : 1;
            UINT64 page_size : 1;
            UINT64 ignored_2 : 4;
            UINT64 page_frame_number : 36;
            UINT64 reserved_1 : 4;
            UINT64 ignored_3 : 7;
            UINT64 protection_key : 4;
            UINT64 execute_disable : 1;
        } flags;
        UINT64 value;
    }*PdpteAddress;
    UINT64* Pml4Address;
    BOOLEAN IsLargePage;
    BOOLEAN Is1GBPage;
    UINT64 OriginalPte;
    UINT64 OriginalPde;
    UINT64 OriginalPdpte;
    UINT64 OriginalPml4e;
    HANDLE ProcessId;
} PAGE_TABLE, * PPAGE_TABLE;

// G位信息记录结构体
typedef struct _G_BIT_INFO {
    void* AlignAddress;
    union {
        struct {
            UINT64 present : 1;
            UINT64 write : 1;
            UINT64 user : 1;
            UINT64 write_through : 1;
            UINT64 cache_disable : 1;
            UINT64 accessed : 1;
            UINT64 dirty : 1;
            UINT64 large_page : 1;
            UINT64 global : 1;
            UINT64 ignored_2 : 3;
            UINT64 page_frame_number : 36;
            UINT64 reserved_1 : 4;
            UINT64 ignored_3 : 7;
            UINT64 protection_key : 4;
            UINT64 execute_disable : 1;
        } flags;
        UINT64 value;
    }*PdeAddress;
    union {
        struct {
            UINT64 present : 1;
            UINT64 write : 1;
            UINT64 user : 1;
            UINT64 write_through : 1;
            UINT64 cache_disable : 1;
            UINT64 accessed : 1;
            UINT64 dirty : 1;
            UINT64 pat : 1;
            UINT64 global : 1;
            UINT64 ignored_1 : 3;
            UINT64 page_frame_number : 36;
            UINT64 reserved_1 : 4;
            UINT64 ignored_2 : 7;
            UINT64 protection_key : 4;
            UINT64 execute_disable : 1;
        } flags;
        UINT64 value;
    }*PteAddress;
    BOOLEAN IsLargePage;
} G_BIT_INFO, * PG_BIT_INFO;

typedef struct _HOOK_INFO {
    void* OriginalAddress;
    void* HookAddress;
    UINT8 OriginalBytes[20];
    UINT8 HookBytes[20];
    UINT32 HookLength;
    BOOLEAN IsHooked;
    HANDLE ProcessId;
    UINT64 OriginalPteValue;
    UINT64 HookedPteValue;
} HOOK_INFO;

class PteHookManager {
public:
    bool fn_pte_inline_hook_bp_pg(HANDLE process_id, _Inout_ void** ori_addr, void* hk_addr);
    bool fn_remove_hook(HANDLE process_id, void* hook_addr);
    static PteHookManager* GetInstance();
    HOOK_INFO* GetHookInfo() { return m_HookInfo; }
    char* GetTrampLinePool() { return m_TrampLinePool; }
    UINT32 GetHookCount() { return m_HookCount; }
    bool fn_resume_global_bits(void* align_addr);
    ~PteHookManager();

private:
    bool WriteTrampolineInstruction(void* trampoline, const JMP_ABS& jmpCmd);
    bool SetPageExecution(void* address, bool executable);
    void fn_add_g_bit_info(void* align_addr, void* pde_address, void* pte_address);
    bool fn_isolation_pagetable(UINT64 cr3_val, void* replace_align_addr, void* split_pde);
    bool fn_isolation_pages(HANDLE process_id, void* ori_addr);
    bool fn_split_large_pages(void* in_pde, void* out_pde);
    NTSTATUS get_page_table(UINT64 cr3, PAGE_TABLE& table);
    void* fn_pa_to_va(UINT64 pa);
    UINT64 fn_va_to_pa(void* va);
    __forceinline KIRQL DisableWriteProtection();
    __forceinline void EnableWriteProtection(KIRQL oldIrql);
    void FlushCacheAndTlb(void* address);

    G_BIT_INFO m_GbitRecords[MAX_G_BIT_RECORDS];
    UINT32 m_GbitCount = 0;
    void* m_PteBase = 0;
    HOOK_INFO m_HookInfo[MAX_HOOK_COUNT] = { 0 };
    UINT32 m_HookCount = 0;
    char* m_TrampLinePool = nullptr;
    UINT32 m_PoolUsed = 0;
    static PteHookManager* m_Instance;
};

PteHookManager* PteHookManager::m_Instance = nullptr;

// 实现部分
__forceinline KIRQL P极HookManager::DisableWriteProtection() {
    KIRQL oldIrql = KeRaiseIrqlToDpcLevel();
    UINT64 cr0 = __readcr0();
    __writecr0(cr0 & ~CR0_WP);  // 清除CR0.WP位
    _mm_mfence();
    return oldIrql;
}

__forceinline void PteHookManager::EnableWriteProtection(KIRQL oldIrql) {
    _mm_mfence();
    UINT64 cr0 = __readcr0();
    __writecr0(cr0 | CR0_WP);  // 设置CR0.WP位
    KeLowerIrql(oldIrql);
}

void* PteHookManager::fn_pa_to_va(UINT64 pa) {
    PHYSICAL_ADDRESS physAddr;
    physAddr.QuadPart = pa;
    return MmGetVirtualForPhysical(physAddr);
}

UINT64 PteHookManager::fn_va_to_pa(void* va) {
    PHYSICAL_ADDRESS physAddr = MmGetPhysicalAddress(va);
    return physAddr.QuadPart;
}

NTSTATUS PteHookManager::get_page_table(UINT64 cr3_val, PAGE_TABLE& table) {
    UINT64 va = table.LineAddress;
    UINT64 pml4e_index = (va >> 39) & 0x1FF;
    UINT64 pdpte_index = (va >> 30) & 0x1FF;
    UINT64 pde_index = (va >> 21) & 0x1FF;
    UINT64 pte_index = (va >> 12) & 0x1FF;

    // PML4
    UINT64 pml4_pa = cr3_val & ~0xFFF;
    UINT64* pml4_va = (UINT64*)fn_pa_to_va(pml4_pa);
    if (!pml4_va) return STATUS_INVALID_ADDRESS;

    table.Pml4Address = &pml4_va[pml4e_index];
    table.OriginalPml4e = *table.Pml4Address;
    if (!(table.OriginalPml4e & 1)) return STATUS_ACCESS_VIOLATION;

    // PDPTE
    UINT64 pdpte_pa = table.OriginalPml4e & ~0xFFF;
    UINT64* pdpte_va = (UINT64*)fn_pa_to_va(pdpte_pa);
    if (!pdpte_va) return STATUS_INVALID_ADDRESS;

    table.PdpteAddress = (decltype(table.PdpteAddress))&pdpte_va[pdpte_index];
    table.OriginalPdpte = table.PdpteAddress->value;
    table.Is1GBPage = (table.PdpteAddress->flags.page_size) ? TRUE : FALSE;
    if (!(table.OriginalPdpte & 1)) return STATUS_ACCESS_VIOLATION;
    if (table.Is1GBPage) return STATUS_SUCCESS;

    // PDE
    UINT64 pde_pa = table.OriginalPdpte & ~0xFFF;
    UINT64* pde_va = (UINT64*)fn_pa_to_va(pde_pa);
    if (!pde_va) return STATUS_INVALID_ADDRESS;

    table.PdeAddress = (decltype(table.PdeAddress))&pde_va[pde_index];
    table.OriginalPde = table.PdeAddress->value;
    table.IsLargePage = (table.PdeAddress->flags.large_page) ? TRUE : FALSE;
    if (!(table.OriginalPde & 1)) return STATUS_ACCESS_VIOLATION;
    if (table.IsLargePage) return STATUS_SUCCESS;

    // PTE
    UINT64 pte_pa = table.OriginalPde & ~0xFFF;
    UINT64* pte_va = (UINT64*)fn_pa_to_va(pte_pa);
    if (!pte_va) return STATUS_INVALID_ADDRESS;

    table.PteAddress = (decltype(table.PteAddress))&pte_va[pte_index];
    table.OriginalPte = table.PteAddress->value;
    if (!(table.OriginalPte & 1)) return STATUS_ACCESS_VIOLATION;

    LOG_TRACE("Page Table Info: VA=0x%p, PTE=0x%llX", (void*)table.LineAddress, table.OriginalPte);
    return STATUS_SUCCESS;
}

bool PteHookManager::fn_split_large_pages(void* in_pde_ptr, void* out_pde_ptr) {
    auto in_pde = (decltype(PAGE_TABLE::PdeAddress))in_pde_ptr;
    auto out_pde = (decltype(PAGE_TABLE::PdeAddress))out_pde_ptr;

    LOG_INFO("Splitting large page: Input PDE=0x%llx", in_pde->value);

    PHYSICAL_ADDRESS LowAddr = { 0 }, HighAddr = { 0 };
    HighAddr.QuadPart = MAXULONG64;
    auto pt = (decltype(PAGE_TABLE::PteAddress))MmAllocateContiguousMemorySpecifyCache(
        PAGE_SIZE, LowAddr, HighAddr, LowAddr, MmNonCached);

    if (!pt) {
        LOG_ERROR("Failed to allocate contiguous memory for page splitting");
        return false;
    }

    UINT64 start_pfn = in_pde->flags.page_frame_number;
    for (int i = 0; i < 512; i++) {
        pt[i].value = 0;
        pt[i].flags.present = 1;
        pt[i].flags.write = in_pde->flags.write;
        pt[i].flags.user = in_pde->flags.user;
        pt[i].flags.write_through = in_pde->flags.write_through;
        pt[i].flags.cache_disable = in_pde->flags.cache_disable;
        pt[i].flags.accessed = in_pde->flags.accessed;
        pt[i].flags.dirty = in_pde->flags.dirty;
        pt[i].flags.global = 0;
        pt[i].flags.page_frame_number = start_pfn + i;
    }

    out_pde->value = in_pde->value;
    out_pde->flags.large_page = 0;
    out_pde->flags.page_frame_number = fn_va_to_pa(pt) >> 12;

    LOG_INFO("Large page split complete: New PTE table at PA=0x%llx", fn_va_to_pa(pt));
    return true;
}

bool PteHookManager::SetPageExecution(void* address, bool executable) {
    // 使用页表遍历函数修改NX位
    PAGE_TABLE table = { 0 };
    table.LineAddress = (UINT64)address;
    NTSTATUS status = get_page_table(__readcr3(), table);
    if (!NT_SUCCESS(status)) {
        LOG_ERROR("Failed to get page table for address 0x%p", address);
        return false;
    }

    KIRQL oldIrql = DisableWriteProtection();

    UINT64 oldPte = table.PteAddress->value;
    UINT64 newPte = oldPte;

    // 设置或清除NX位
    if (executable) {
        newPte &= ~PTE_NX_BIT;
    }
    else {
        newPte |= PTE_NX_BIT;
    }

    table.PteAddress->value = newPte;

    // 刷新TLB
    __invlpg(address);
    _mm_mfence();

    EnableWriteProtection(oldIrql);

    LOG_TRACE("PTE modified for 0x%p: Old=0x%llX, New=0x%llX", address, oldPte, newPte);
    return true;
}

bool PteHookManager::fn_isolation_pagetable(UINT64 cr3_val, void* replace_align_addr, void* split_pde_ptr) {
    PHYSICAL_ADDRESS LowAddr = { 0 }, HighAddr = { 0 };
    HighAddr.QuadPart = MAXULONG64;

    LOG_INFO("Isolating page table: CR3=0x%llx, Address=0x%p", cr3_val, replace_align_addr);

    auto Va4kb = (UINT64*)MmAllocateContiguousMemorySpecifyCache(PAGE_SIZE, LowAddr, HighAddr, LowAddr, MmNonCached);
    auto VaPt = (UINT64*)MmAllocateContiguousMemorySpecifyCache(PAGE_SIZE, LowAddr, HighAddr, Low极, MmNonCached);
    auto VaPdt = (UINT64*)MmAllocateContiguousMemorySpecifyCache(PAGE_SIZE, LowAddr, HighAddr, LowAddr, MmNonCached);
    auto VaPdpt = (UINT64*)MmAllocateContiguousMemorySpecifyCache(PAGE_SIZE, LowAddr, HighAddr, LowAddr, MmNonCached);

    if (!VaPt || !Va4kb || !VaPdt || !VaPdpt) {
        if (VaPt) MmFreeContiguousMemory(VaPt);
        if (Va4kb) MmFreeContiguousMemory(Va4kb);
        if (VaPdt) MmFreeContiguousMemory(VaPdt);
        if (VaPdpt) MmFreeContiguousMemory(VaPd极);
        LOG_ERROR("Failed to allocate contiguous memory for isolation");
        return false;
    }

    PAGE_TABLE Table = { 0 };
    Table.LineAddress = (UINT64)replace_align_addr;
    NTSTATUS status = get_page_table(cr3_val, Table);
    if (!NT_SUCCESS(status)) {
        MmFreeContiguousMemory(VaPt);
        MmFreeContiguousMemory(Va4kb);
        MmFreeContiguousMemory(VaPdt);
        MmFreeContiguousMemory(VaPdpt);
        LOG_ERROR("get_page_table failed with status 0x%X", status);
        return false;
    }

    UINT64 pte_index = (Table.LineAddress >> 12) & 0x1FF;
    UINT64 pde_index = (Table.LineAddress >> 21) & 0x1FF;
    UINT64 pdpte_index = (Table.LineAddress >> 30) & 0x1FF;
    UINT64 pml4e_index = (Table.LineAddress >> 39) & 0x1FF;

    memcpy(Va4kb, replace_align_addr, PAGE_SIZE);

    if (Table.IsLargePage && split_pde_ptr) {
        auto split_pde = (decltype(PAGE_TABLE::PdeAddress))split_pde_ptr;
        memcpy(VaPt, (void*)(split_pde->flags.page_frame_number << 12), PAGE_SIZE);
    }
    else {
        memcpy(VaPt, (void*)(Table.PdeAddress->flags.page_frame_number << 12), PAGE_SIZE);
    }

    memcpy(VaPdt, (void*)(Table.PdpteAddress->flags.page_frame_number << 12), PAGE_SIZE);
    memcpy(VaPdpt, (void*)(Table.Pml4Address[pml4e_index] & ~0xFFF), PAGE_SIZE);

    auto new_pte = (decltype(PAGE_TABLE::PteAddress))VaPt;
    new_pte[pte_index].flags.page_frame_number = fn_va_to_pa(Va4kb) >> 12;

    auto new_pde = (decltype(PAGE_TABLE::PdeAddress))VaPdt;
    new_pde[pde_index].value = Table.OriginalPde;
    new_pde[pde_index].flags.large_page = 0;
    new_pde[pde_index].flags.page_frame_number = fn_va_to_pa(VaPt) >> 12;

    auto new_pdpte = (decltype(PAGE_TABLE::PdpteAddress))VaPdpt;
    new_pdpte[pdpte_index].flags.page_frame_number = fn_va_to_pa(VaPdt) >> 12;

    auto new_pml4 = (UINT64*)fn_pa_to_va(cr3_val & ~0xFFF);
    new_pml4[pml4e_index] = (new_pml4[pml4e_index] & 0xFFF) | (fn_va_to_pa(VaPdpt) & ~0xFFF);

    __invlpg(replace_align_addr);

    LOG_INFO("Page table isolation complete: New PFN=0x%llx", fn_va_to_pa(Va4kb) >> 12);
    return true;
}

bool PteHookManager::fn_isolation_pages(HANDLE process_id, void* ori_addr) {
    PEPROCESS Process;
    if (!NT_SUCCESS(PsLookupProcessByProcessId(process_id, &Process))) {
        LOG_ERROR("PsLookupProcessByProcessId failed");
        return false;
    }

    LOG_INFO("Isolating pages: PID=%d, Address=0x%p", HandleToUlong(process_id), ori_addr);

    KAPC_STATE ApcState;
    KeStackAttachProcess(Process, &ApcState);

    void* AlignAddr = PAGE_ALIGN(ori_addr);
    PAGE_TABLE Table = { 0 };
    Table.LineAddress = (UINT64)AlignAddr;

    UINT64 target_cr3 = *(UINT64*)((UCHAR*)Process + 0x28);
    if (!NT_SUCCESS(get_page_table(target_cr3, Table))) {
        KeUnstackDetachProcess(&ApcState);
        ObDereferenceObject(Process);
        LOG_ERROR("get_page_table failed");
        return false;
    }

    bool success = false;
    decltype(PAGE_TABLE::PdeAddress) split_pde = nullptr;

    if (Table.IsLargePage) {
        split_pde = (decltype(PAGE_TABLE::PdeAddress))ExAllocatePoolWithTag(NonPagedPool, sizeof(*split_pde), 'pdeS');
        if (!split_pde || !fn_split_large_pages(Table.PdeAddress, split_pde)) {
            if (split_pde) ExFreePoolWithTag(split_pde, 'pdeS');
            KeUnstackDetachProcess(&ApcState);
            ObDereferenceObject(Process);
            LOG_ERROR("Splitting large page failed");
            return false;
        }

        if (Table.PdeAddress->flags.global) {
            Table.PdeAddress->flags.global = 0;
            fn_add_g_bit_info(AlignAddr, Table.PdeAddress, nullptr);
            LOG_INFO("Cleared G-bit for large page PDE: 0x%llx", Table.PdeAddress->value);
        }
    }
    else if (Table.PteAddress && Table.PteAddress->flags.global) {
        Table.PteAddress->flags.global = 0;
        fn_add_g_bit_info(AlignAddr, nullptr, Table.PteAddress);
        LOG_INFO("Cleared G-bit for PTE: 0x%llx", Table.PteAddress->value);
    }

    success = fn_isolation_pagetable(__readcr3(), AlignAddr, split_pde);
    if (split_pde) ExFreePoolWithTag(split_pde, 'pdeS');

    KeUnstackDetachProcess(&ApcState);
    ObDereferenceObject(Process);

    if (success) {
        LOG_INFO("Page isolation successful");
    }
    else {
        LOG_ERROR("Page isolation failed");
    }

    return success;
}

bool PteHookManager::WriteTrampolineInstruction(void* trampoline, const JMP_ABS& jmpCmd) {
    // 确保8字节对齐
    if (reinterpret_cast<ULONG_PTR>(trampoline) & 0x7) {
        LOG_ERROR("Trampoline address not aligned: 0x%p", trampoline);
        return false;
    }

    // 禁用写保护
    KIRQL oldIrql = DisableWriteProtection();

    // 直接写入内存
    RtlCopyMemory(trampoline, &jmpCmd, sizeof(JMP_ABS));

    // 刷新缓存
    __invlpg(trampoline);
    _mm_mfence();

    // 恢复写保护
    EnableWriteProtection(oldIrql);

    LOG_TRACE("Trampoline instruction written at 0x%p", trampoline);
    return true;
}

void PteHookManager::fn_add_g_bit_info(void* align_addr, void* pde_address, void* pte_address) {
    if (m_GbitCount >= MAX_G_BIT_RECORDS) {
        LOG_ERROR("Max G-bit records reached");
        return;
    }

    PG_BIT_INFO record = &m_GbitRecords[m_GbitCount++];
    record->AlignAddress = align_addr;
    record->PdeAddress = (decltype(G_BIT_INFO::PdeAddress))pde_address;
    record->PteAddress = (decltype(G_BIT_INFO::PteAddress))pte_address;
    record->IsLargePage = (pde_address != nullptr);

    LOG_TRACE("Added G-bit record: Address=0x%p, PDE=0x%p, PTE=0x%p",
        align_addr, pde_address, pte_address);
}

bool PteHookManager::fn_resume_global_bits(void* align_addr) {
    KIRQL oldIrql = DisableWriteProtection();
    bool found = false;

    LOG_INFO("Restoring G-bits for address: 0x%p", align_addr);

    for (UINT32 i = 0; i < m_GbitCount; i++) {
        PG_BIT_INFO record = &m_GbitRecords[i];
        if (align_addr && record->AlignAddress != align_addr) continue;

        if (record->PteAddress) {
            record->PteAddress->flags.global = 1;
            __invlpg(record->AlignAddress);
            LOG_TRACE("Restored G-bit for PTE: 0x%p", record->AlignAddress);
        }

        if (record->PdeAddress) {
            record->PdeAddress->flags.global = 1;
            if (record->IsLargePage) {
                __invlpg(record->AlignAddress);
            }
            LOG_TRACE("Restored G-bit for PDE: 0x%p", record->AlignAddress);
        }

        found = true;
        if (align_addr) break;
    }

    EnableWriteProtection(oldIrql);

    if (found) {
        LOG_INFO("G-bits restoration complete");
    }
    else {
        LOG_ERROR("No matching G-bit record found");
    }

    return found;
}

bool PteHookManager::fn_pte_inline_hook_bp_pg(HANDLE process_id, _Inout_ void** ori_addr, void* hk_addr) {
    if (!ori_addr || !hk_addr || !*ori_addr) {
        LOG_ERROR("Invalid parameters: ori_addr=%p, hk_addr=%p", ori_addr, hk_addr);
        return false;
    }

    // 分配跳板池(如果尚未分配)
    if (!m_TrampLinePool) {
        PHYSICAL_ADDRESS LowAddr;
        LowAddr.QuadPart = 0x100000;
        PHYSICAL_ADDRESS HighAddr;
        HighAddr.QuadPart = ~0ull;

        m_TrampLinePool = (char*)MmAllocateContiguousMemorySpecifyCache(
            PAGE_SIZE * 8, LowAddr, HighAddr, LowAddr, MmNonCached);

        if (!m_TrampLinePool) {
            LOG_ERROR("Failed to allocate trampoline pool");
            return false;
        }

        // 设置跳板池可执行
        if (!SetPageExecution(m_TrampLinePool, true)) {
            MmFreeContiguousMemory(m_TrampLinePool);
            m_TrampLinePool = nullptr;
            LOG_ERROR("Failed to set trampoline pool executable");
            return false;
        }

        LOG_INFO("Trampoline pool allocated: Address=0x%p, Size=%d bytes",
            m_TrampLinePool, PAGE_SIZE * 8);
    }

    // 计算跳板位置(16字节对齐确保RIP相对寻址)
    void* trampoline = (void*)((ULONG_PTR)(m_TrampLinePool + m_PoolUsed + 15) & ~15);
    SIZE_T requiredSize = ((char*)trampoline - m_TrampLinePool) + sizeof(JMP_ABS);

    // 检查跳板池空间
    if (requiredSize > PAGE_SIZE * 8) {
        LOG_ERROR("Trampoline pool out of space: Used=%d, Required=%d", m_PoolUsed, requiredSize);
        return false;
    }

    // 构造跳转指令
    JMP_ABS jmpCmd;
    memcpy(jmpCmd.opcode, "\xFF\x25\x00\x00\x00\x00", 6); // jmp [rip+0]
    jmpCmd.address = reinterpret_cast<ULONG64>(hk_addr);

    LOG_INFO("Constructing jump instruction: Target=0x%p, Trampoline=0x%p", hk_addr, trampoline);

    // 写入跳板指令
    if (!WriteTrampolineInstruction(trampoline, jmpCmd)) {
        return false;
    }

    // 设置目标函数可执行(触发页错误)
    if (!SetPageExecution(*ori_addr, false)) {
        LOG_ERROR("Failed to set target function non-executable");
        return false;
    }

    // 记录Hook信息
    bool hookRecorded = false;
    for (UINT32 i = 0; i < MAX_HOOK_COUNT; i++) {
        if (!m_HookInfo[i].IsHooked) {
            m_HookInfo[i].OriginalAddress = *ori_addr;
            m_HookInfo[i].HookAddress = trampoline;
            m_HookInfo[i].ProcessId = process_id;
            m_HookInfo极i].IsHooked = TRUE;
            m_HookInfo[i].HookLength = sizeof(JMP_ABS);
            RtlCopyMemory(m_HookInfo[i].HookBytes, &jmpCmd, sizeof(jmpCmd));

            // 保存原始PTE值
            PAGE_TABLE table = { 0 };
            table.LineAddress = (UINT64)*ori_addr;
            if (NT_SUCCESS(get_page_table(__readcr3(), table))) {
                m_HookInfo[i].OriginalPteValue = table.OriginalPte;
            }

            m_HookCount++;
            hookRecorded = true;

            LOG_INFO("Hook recorded #%d: Original=0x%p, Trampoline=0x%p", i, *ori_addr, trampoline);
            break;
        }
    }

    if (!hookRecorded) {
        LOG_ERROR("Exceeded max hook count (%d)", MAX_HOOK_COUNT);
        return false;
    }

    // 更新原始地址为跳板地址
    *ori_addr = trampoline;
    m_PoolUsed = (UINT32)requiredSize;

    LOG_INFO("Hook installed successfully: Trampoline=0x%p -> Hook=0x%p", trampoline, hk_addr);
    return true;
}

bool PteHookManager::fn_remove_hook(HANDLE process_id, void* hook_addr) {
    LOG_INFO("Removing hook: HookAddr=0x%p", hook_addr);

    for (UINT32 i = 0; i < m_HookCount; i++) {
        if (m_HookInfo[i].HookAddress == hook_addr && m_HookInfo[i].IsHooked) {
            LOG_INFO("Found matching hook: OriginalAddr=0x%p", m_HookInfo[i].OriginalAddress);

            // 恢复目标函数执行权限
            SetPageExecution(m_HookInfo[i].OriginalAddress, true);

            // 恢复原始PTE值
            if (m_HookInfo[i].OriginalPteValue) {
                PAGE_TABLE table = { 0 };
                table.LineAddress = (UINT64)m_HookInfo[i].OriginalAddress;
                if (NT_SUCCESS(get_page_table(__readcr3(), table))) {
                    KIRQL oldIrql = KeRaiseIrqlToDpcLevel();
                    table.PteAddress->value = m_HookInfo[i].OriginalPteValue;
                    __invlpg(m_HookInfo[i].OriginalAddress);
                    KeLowerIrql(oldIrql);
                    LOG_TRACE("Restored PTE for 0x%p: 0x%llX",
                        m_HookInfo[i].OriginalAddress, m_HookInfo[i].OriginalPteValue);
                }
            }

            m_HookInfo[i].IsHooked = FALSE;
            LOG_INFO("Hook removed successfully");
            return true;
        }
    }

    LOG_ERROR("No matching hook found");
    return false;
}

PteHookManager::~PteHookManager() {
    if (m_TrampLinePool) {
        MmFreeContiguousMemory(m_TrampLinePool);
        m_TrampLinePool = nullptr;
        LOG_INFO("Trampoline pool freed");
    }
}

PteHookManager* PteHookManager::GetInstance() {
    if (!m_Instance) {
        m_Instance = static_cast<PteHookManager*>(
            ExAllocatePoolWithTag(NonPagedPool, sizeof(PteHookManager), 'tpHk'));
        if (m_Instance) {
            RtlZeroMemory(m_Instance, sizeof(PteHookManager));
            LOG_INFO("PTE Hook Manager instance created: 0x%p", m_Instance);
        }
        else {
            LOG_ERROR("Failed to create PTE Hook Manager instance");
        }
    }
    return m_Instance;
}

// 全局PTE Hook管理器实例
PteHookManager* g_PteHookManager = nullptr;

// 目标进程名称
const char target_process_name[] = "oxygen.exe";

// 辅助函数:检查是否为目标进程
BOOLEAN IsTargetProcess(CHAR* imageName) {
    CHAR currentName[16];
    RtlZeroMemory(currentName, sizeof(currentName));
    strncpy(currentName, imageName, sizeof(currentName) - 1);
    return (_stricmp(currentName, target_process_name) == 0);
}

// 函数类型定义
typedef NTSTATUS(*fn_ObReferenceObjectByHandleWithTag)(
    HANDLE Handle,
    ACCESS_MASK DesiredAccess,
    POBJECT_TYPE ObjectType,
    KPROCESSOR_MODE AccessMode,
    ULONG Tag,
    PVOID* Object,
    POBJECT_HANDLE_INFORMATION HandleInformation
    );

fn_ObReferenceObjectByHandleWithTag g_OriginalObReferenceObjectByHandleWithTag = nullptr;

// Hook 函数
NTSTATUS MyObReferenceObjectByHandleWithTag(
    HANDLE Handle,
    ACCESS_MASK DesiredAccess,
    POBJECT_TYPE ObjectType,
    KPROCESSOR_MODE AccessMode,
    ULONG Tag,
    PVOID* Object,
    POBJECT_HANDLE_INFORMATION HandleInformation
) {
    PEPROCESS currentProcess = PsGetCurrentProcess();
    CHAR* imageName = PsGetProcessImageFileName(currentProcess);

    LOG_INFO("Hook function called by process: %s", imageName);

    if (IsTargetProcess(imageName)) {
        LOG_INFO("Access denied for target process: %s", imageName);
        return STATUS_ACCESS_DENIED;
    }

    return g_OriginalObReferenceObjectByHandleWithTag(
        Handle,
        DesiredAccess,
        ObjectType,
        AccessMode,
        Tag,
        Object,
        HandleInformation
    );
}

NTSTATUS InstallHook(HANDLE targetProcessId) {
    UNICODE_STRING funcName;
    RtlInitUnicodeString(&funcName, L"ObReferenceObjectByHandleWithTag");

    g_OriginalObReferenceObjectByHandleWithTag =
        (fn_ObReferenceObjectByHandleWithTag)MmGetSystemRoutineAddress(&funcName);

    if (!g_OriginalObReferenceObjectByHandleWithTag) {
        LOG_ERROR("ObReferenceObjectByHandleWithTag not found");
        return STATUS_NOT_FOUND;
    }

    LOG_INFO("Target function found: 0x%p", g_OriginalObReferenceObjectByHandleWithTag);

    void* targetFunc = (void*)g_OriginalObReferenceObjectByHandleWithTag;
    void* hookFunc = (void*)MyObReferenceObjectByHandleWithTag;

    if (!g_PteHookManager->fn_pte_inline_hook_bp_pg(targetProcessId, &targetFunc, hookFunc)) {
        LOG_ERROR("PTE Hook installation failed");
        return STATUS_UNSUCCESSFUL;
    }

    g_OriginalObReferenceObjectByHandleWithTag = (fn_ObReferenceObjectByHandleWithTag)targetFunc;
    LOG_INFO("Hook installed successfully. Trampoline: 0x%p", targetFunc);

    return STATUS_SUCCESS;
}

// 移除 Hook
VOID RemoveHook() {
    if (g_OriginalObReferenceObjectByHandleWithTag && g_PteHookManager) {
        g_PteHookManager->fn_remove_hook(PsGetCurrentProcessId(),
            (void*)MyObReferenceObjectByHandleWithTag);
    }
}

// 工作线程上下文
typedef struct _HOOK_THREAD_CONTEXT {
    HANDLE TargetProcessId;
} HOOK_THREAD_CONTEXT, * PHOOK_THREAD_CONTEXT;

// 工作线程函数
VOID InstallHookWorker(PVOID Context) {
    PHOOK_THREAD_CONTEXT ctx = (PHOOK_THREAD_CONTEXT)Context;

    if (ctx) {
        LOG_INFO("Installing hook for PID: %d", HandleToUlong(ctx->TargetProcessId));
        InstallHook(ctx->TargetProcessId);
        ExFreePoolWithTag(ctx, 'CtxH');
    }

    PsTerminateSystemThread(STATUS_SUCCESS);
}

// 进程创建回调 - 修正后的签名
VOID ProcessNotifyCallback(
    _In_ PEPROCESS Process,
    _In_ HANDLE ProcessId,
    _In_opt_ PPS_CREATE_NOTIFY_INFO CreateInfo
) {
    if (CreateInfo != NULL) { // 进程创建
        CHAR* imageName = PsGetProcessImageFileName(Process);

        if (IsTargetProcess(imageName)) {
            LOG_INFO("Target process created: %s (PID: %d)",
                imageName, HandleToUlong(ProcessId));

            // 创建工作线程上下文
            PHOOK_THREAD_CONTEXT ctx =
                (PHOOK_THREAD_CONTEXT)ExAllocatePoolWithTag(NonPagedPool, sizeof(HOOK_THREAD_CONTEXT), 'CtxH');
            if (ctx) {
                ctx->TargetProcessId = ProcessId;

                HANDLE threadHandle;
                NTSTATUS status = PsCreateSystemThread(
                    &threadHandle,
                    THREAD_ALL_ACCESS,
                    NULL,
                    NULL,
                    NULL,
                    InstallHookWorker,
                    ctx
                );

                if (NT_SUCCESS(status)) {
                    ZwClose(threadHandle);
                    LOG_INFO("Worker thread created for hook installation");
                }
                else {
                    ExFreePoolWithTag(ctx, 'CtxH');
                    LOG_ERROR("Failed to create worker thread: 0x%X", status);
                }
            }
            else {
                LOG_ERROR("Failed to allocate thread context");
            }
        }
    }
}

// 驱动卸载函数
VOID DriverUnload(PDRIVER_OBJECT DriverObject) {
    UNREFERENCED_PARAMETER(DriverObject);

    LOG_INFO("Driver unloading...");

    // 移除进程通知回调
    PsSetCreateProcessNotifyRoutineEx(ProcessNotifyCallback, TRUE);

    // 移除Hook
    RemoveHook();

    // 清理PTE Hook资源
    if (g_PteHookManager) {
        LOG_INFO("Cleaning up PTE Hook Manager");

        // 恢复所有被修改的G位
        g_PteHookManager->fn_resume_global_bits(nullptr);

        // 移除所有活动的Hook
        HOOK_INFO* hookInfo = g_PteHookManager->GetHookInfo();
        UINT32 hookCount = g_PteHookManager->GetHookCount();
        for (UINT32 i = 0; i < hookCount; i++) {
            if (hookInfo[i].IsHooked) {
                g_PteHookManager->fn_remove_hook(PsGetCurrentProcessId(), hookInfo[i].HookAddress);
            }
        }

        // 释放管理器实例
        ExFreePoolWithTag(g_PteHookManager, 'tpHk');
        g_PteHookManager = nullptr;
    }

    LOG_INFO("Driver unloaded successfully");
}

extern "C"
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) {
    UNREFERENCED_PARAMETER(RegistryPath);

    LOG_INFO("Driver loading...");

    DriverObject->DriverUnload = DriverUnload;

    g_PteHookManager = PteHookManager::GetInstance();
    if (!g_PteHookManager) {
        LOG_ERROR("Failed to initialize PteHookManager");
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    NTSTATUS status = PsSetCreateProcessNotifyRoutineEx(ProcessNotifyCallback, FALSE);
    if (!NT_SUCCESS(status)) {
        LOG_ERROR("Failed to register process callback: 0x%X", status);
        return status;
    }

    LOG_INFO("Driver loaded successfully");
    return STATUS_SUCCESS;
}
严重性	代码	说明	项目	文件	行	禁止显示状态	详细信息
错误(活动)	E0020	未定义标识符 "极"	obpcallback	C:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp	51		
错误(活动)	E0276	后面有“::”的名称一定是类名或命名空间名	obpcallback	C:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp	203		
错误(活动)	E0020	未定义标识符 "DPFLTR极IHVDRIVER_ID"	obpcallback	C:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp	276		
错误(活动)	E0020	未定义标识符 "DPFLTR极IHVDRIVER_ID"	obpcallback	C:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp	349		
错误(活动)	E0020	未定义标识符 "Low极"	obpcallback	C:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp	360		
错误(活动)	E0020	未定义标识符 "VaPd极"	obpcallback	C:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp	368		
错误(活动)	E0020	未定义标识符 "DPFLTR极IHVDRIVER_ID"	obpcallback	C:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp	508		
错误(活动)	E0020	未定义标识符 "DPFLTR极IHVDRIVER_ID"	obpcallback	C:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp	524		
错误(活动)	E0020	未定义标识符 "DPFLTR极IHVDRIVER_ID"	obpcallback	C:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp	541		
错误(活动)	E0020	未定义标识符 "DPFLTR极IHVDRIVER_ID"	obpcallback	C:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp	549		
错误(活动)	E0020	未定义标识符 "m_HookInfo极i"	obpcallback	C:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp	636		
错误(活动)	E0065	应输入“;”	obpcallback	C:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp	636		
错误(活动)	E0020	未定义标识符 "DPFLTR极IHVDRIVER_ID"	obpcallback	C:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp	687		
错误	C2065	“极”: 未声明的标识符	obpcallback	C:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp	51		
错误	C2653	“P极HookManager”: 是类或命名空间名称	obpcallback	C:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp	203		
错误	C2065	“DPFLTR极IHVDRIVER_ID”: 未声明的标识符	obpcallback	C:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp	276		
错误	C2065	“DPFLTR极IHVDRIVER_ID”: 未声明的标识符	obpcallback	C:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp	349		
错误	C2065	“Low极”: 未声明的标识符	obpcallback	C:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp	360		
错误	C3536	“VaPt”: 初始化之前无法使用	obpcallback	C:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp	364		
错误	C2664	“void MmFreeContiguousMemory(PVOID)”: 无法将参数 1 从“int”转换为“PVOID”	obpcallback	C:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp	365		
错误	C2065	“VaPd极”: 未声明的标识符	obpcallback	C:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp	368		
错误	C2664	“void MmFreeContiguousMemory(PVOID)”: 无法将参数 1 从“int”转换为“PVOID”	obpcallback	C:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp	377		
错误	C2664	“void *memcpy(void *,const void *,size_t)”: 无法将参数 1 从“int”转换为“void *”	obpcallback	C:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp	394		
错误	C2664	“void *memcpy(void *,const void *,size_t)”: 无法将参数 1 从“int”转换为“void *”	obpcallback	C:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp	397		
错误	C2664	“UINT64 PteHookManager::fn_va_to_pa(void *)”: 无法将参数 1 从“int”转换为“void *”	obpcallback	C:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp	409		
错误	C2065	“DPFLTR极IHVDRIVER_ID”: 未声明的标识符	obpcallback	C:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp	508		
错误	C2065	“DPFLTR极IHVDRIVER_ID”: 未声明的标识符	obpcallback	C:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp	524		
错误	C2065	“DPFLTR极IHVDRIVER_ID”: 未声明的标识符	obpcallback	C:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp	541		
错误	C2065	“DPFLTR极IHVDRIVER_ID”: 未声明的标识符	obpcallback	C:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp	549		
错误	C2065	“m_HookInfo极i”: 未声明的标识符	obpcallback	C:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp	636		
错误	C2143	语法错误: 缺少“;”(在“]”的前面)	obpcallback	C:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp	636		
错误	C2059	语法错误:“]”	obpcallback	C:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp	636		
错误	C2065	“DPFLTR极IHVDRIVER_ID”: 未声明的标识符	obpcallback	C:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp	687		


					
最新发布

				
			

			

				

					06-26
				

			

		

		

			
				
static_assert(sizeof(JMP_ABS) == 14, "JMP_ABS size must be 14 bytes");  // 声明PsGetProcessImageFileName extern "C" NTSYSAPI CHAR* NTAPI PsGetProcessImageFileName(PEPROCESS Process);  // 页表结构定义 ...

			
		

	





	

		

			

				
					
C++之完全类型

				
			

			

				

					q5707802的专栏
				

				

					02-04
					
					592
					
				

			

		

		

			
				
在muduo源代码中,会看到这样的代码:
typedef char T_must_be_complete_type[sizeof(T) == 0 ? -1 : 1];
 T_must_be_complete_type dummy; (void) dummy;
   在C++中,类型Complete type和Incomplete type之分,对于Complete type, 它的大小在编译

			
		

	





	

		

			

				
					
muduo杂谈(一)Complete type

				
			

			

				

					qq_31978997的博客
				

				

					09-03
					
					121
					
				

			

		

		

			
				
muduo源码检查Complete type的技巧

			
		

	





	

		

			

				
					
linux多线程之pthread线程变量

				
			

			

				

					大隐隐于野
				

				

					03-29
					
					1082
					
				

			

		

		

			
				
线程存储:Thread Specific Data

线程存储作用
大家都知道,在多线程程序中,所有线程共享进程中的变量。现在有一全局变量,所有线程都可以使用它,改变它的值。而如果每个线程希望能单独拥有它,那么就需要使用线程存储了。
表面上看起来这是一个全局变量,所有线程都可以使用它,而它的值在每一个线程中又是单独存储的。这就是线程存储的意义。
线程存储是实现同一个线程中同函数间共享数据的一种很好的方式。

线程存储具体用法
创建一个类型为pthread_key_t类型的变量。
调用pthread_key

			
		

	





	

		

			

				
					
《Linux多线程服务端编程-使用muduo C++网络库》学习笔记——第二章

				
			

			

				

					mimigu7053的博客
				

				

					05-07
					
					420
					
				

			

		

		

			
				
本文目录第2章 线程同步精要互斥量(mutex)只用非递归的mutex死锁条件变量要用读写锁和信号量线程安全的单例模式实现使用shared_ptr实现copy-on-write
第2章 线程同步精要
线程同步四项原则,依照重要性排序:

尽量要共享对象,共享对象优先选择可修改的对象
使用高级并发编程构件
使用低级同步原语,只用非递归(可重入)的互斥量和条件变量,用读写锁、信号量
除原子级...

			
		

	





	

		

			

				
					
利用宏定义在编译阶段检查结构体大小的方法

				
			

			

				

					weixin_42031299的博客
				

				

					09-09
					
					1205
					
				

			

		

		

			
				
/下面的结构体,在32位的机器中占12字节,在64位的机器中占16字节 typedef struct {char a;//占1字节 long long b;//占8字节 } testType;//结构体大小如果16字节就报错,也就是程序如果在64位的机器上运行就报错 CHECK_SIZE_TYPE(testType , 16);

			
		

	





	

		

			

				
					
都是编译器惹得祸

				
			

			

				

					Owen_owen_lee的专栏
				

				

					01-07
					
					5811
					
				

			

		

		

			
				
吕同学的问题终于解决了,备份以下,顺便分享一下。

 

问题: 在使用boost::scoped_ptr时模板参数使用前置声明类型,编译器报错。

 

前置声明是个好习惯,既可以减少编译依赖,又可以避免循环包含带来的问题,其本身也是最小化原则的体现。

如果你已经把前置声明当作一种习惯而且经常使用boost的智能指针或者曾遇到过类似checked_delete之类的东西,你

			
		

	





	

		

			

				
					
muduo网络库学习笔记(6):单例类(线程安全的)

				
			

			

				

					li27z的博客
				

				

					08-15
					
					1324
					
				

			

		

		

			
				
muduo网络库-单例类(线程安全)

			
		

	





	

		

			

				
					
C++ 指针释放检查

				
			

			

				

					hit1524468的专栏
				

				

					12-06
					
					1655
					
				

			

		

		

			
				
在一些编译器中,支持sizeof()返回0,所以,会用到是否为合法类型,否则会导致中断触发


#include <iostream>

using namespace std;

template<typename T>
inline void checked_delete(T* x) noexcept
{
    typedef char type_must_be_complete[sizeof(T) ? 1 : -1];
    (void) sizeof(type_must.

			
		

	





	

		

			

				
					
【内存】scoped_ptr

				
			

			

				

					Edidaughter的博客
				

				

					12-11
					
					2331
					
				

			

		

		

			
				
1.初识scoped_ptr

scoped_ptr是一个与auto_ptr/unique_ptr很类似的智能指针,它包装了new操作符在堆上分配的动态对象,能够保证动态创建的对象在任何时候都可以被正确地删除。但scoped_ptr的所有权更加严格,能转让,一旦scoped_ptr获取了对象的管理权,我们就无法再从它那里收回来。scoped_ptr拥有一个很好的名字,它向代码的阅读者传递了明确的信息:这个智能指针只能在本作用域里使用,希望被转让。

2.
...

			
		

	



              




          




        



    





    



      

      

        
      

      





	

		评论	
	

  
	




  

    

      添加红包
      
    

    

      

        
        

          
          
        

        
请填写红包祝福语或标题

      

      

        
        

          
          
        

        
红包个数最小为10个

      

      

        
        

          
          
        

        
红包金额最低5元

      

      

        
        

          当前余额3.43前往充值 >
        

      

      

        

          需支付:10.00

        
        
      

    

  





  

    
    
  

  

    
    
  








  

    

      

        

          

            
            
成就一亿技术人!

          

          

        

        

          

          

            领取后你会自动成为博主和红包主的粉丝
            规则
          

        

      

      

        

          

            
              
            
            

              
hope_wisdom
 发出的红包
            

          

        

        

          

          

          

        

      

    

    

  



      
      

      
实付

      
使用余额支付

      

        

          

            
            点击重新获取
          

        

        
扫码支付

      

      

        
          
            
          
          
        
      

      

        
        钱包余额
          0
          

            
            

              

                
抵扣说明:

                
 1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
 2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

              

            

          

      

      余额充值