kd> ed nt!Kd_DEFAULT_Mask 0xFFFFFFFF
kd> ed nt!Kd_IHVDRIVER_Mask 0xFFFFFFFF
kd> g
KDTARGET: Refreshing KD connection
*** Fatal System Error: 0x0000007e
(0xFFFFFFFFC0000005,0xFFFFF805802B1699,0xFFFFFC89CAC5A458,0xFFFFFC89CAC59C90)
Break instruction exception - code 80000003 (first chance)
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.
For analysis of this file, run !analyze -v
nt!DbgBreakPointWithStatus:
fffff805`7affd0b0 cc int 3
kd> !analyze -v
Connected to Windows 10 19041 x64 target at (Tue Jul 15 22:09:55.446 2025 (UTC + 8:00)), ptr64 TRUE
Loading Kernel Symbols
...................................
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
............................
................................................................
.....................................................
Loading User Symbols
Loading unloaded module list
......
ERROR: FindPlugIns 8007007b
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common BugCheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff805802b1699, The address that the exception occurred at
Arg3: fffffc89cac5a458, Exception Record Address
Arg4: fffffc89cac59c90, Context Record Address
Debugging Details:
------------------
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
KEY_VALUES_STRING: 1
Key : AV.Type
Value: Read
Key : Analysis.CPU.mSec
Value: 3609
Key : Analysis.Elapsed.mSec
Value: 47643
Key : Analysis.IO.Other.Mb
Value: 0
Key : Analysis.IO.Read.Mb
Value: 3
Key : Analysis.IO.Write.Mb
Value: 0
Key : Analysis.Init.CPU.mSec
Value: 3734
Key : Analysis.Init.Elapsed.mSec
Value: 52586
Key : Analysis.Memory.CommitPeak.Mb
Value: 74
Key : Analysis.Version.DbgEng
Value: 10.0.27829.1001
Key : Analysis.Version.Description
Value: 10.2503.24.01 amd64fre
Key : Analysis.Version.Ext
Value: 1.2503.24.1
Key : Bugcheck.Code.KiBugCheckData
Value: 0x7e
Key : Bugcheck.Code.LegacyAPI
Value: 0x7e
Key : Bugcheck.Code.TargetModel
Value: 0x7e
Key : Failure.Bucket
Value: AV_pte1!InitHookWin10
Key : Failure.Exception.Code
Value: 0xc0000005
Key : Failure.Exception.IP.Address
Value: 0xfffff805802b1699
Key : Failure.Exception.IP.Module
Value: pte1
Key : Failure.Exception.IP.Offset
Value: 0x1699
Key : Failure.Exception.Record
Value: 0xfffffc89cac5a458
Key : Failure.Hash
Value: {14fb13e5-207c-6ef8-f4d3-d7bd4cc8e1a3}
Key : Hypervisor.Enlightenments.Value
Value: 12576
Key : Hypervisor.Enlightenments.ValueHex
Value: 0x3120
Key : Hypervisor.Flags.AnyHypervisorPresent
Value: 1
Key : Hypervisor.Flags.ApicEnlightened
Value: 0
Key : Hypervisor.Flags.ApicVirtualizationAvailable
Value: 0
Key : Hypervisor.Flags.AsyncMemoryHint
Value: 0
Key : Hypervisor.Flags.CoreSchedulerRequested
Value: 0
Key : Hypervisor.Flags.CpuManager
Value: 0
Key : Hypervisor.Flags.DeprecateAutoEoi
Value: 1
Key : Hypervisor.Flags.DynamicCpuDisabled
Value: 0
Key : Hypervisor.Flags.Epf
Value: 0
Key : Hypervisor.Flags.ExtendedProcessorMasks
Value: 0
Key : Hypervisor.Flags.HardwareMbecAvailable
Value: 0
Key : Hypervisor.Flags.MaxBankNumber
Value: 0
Key : Hypervisor.Flags.MemoryZeroingControl
Value: 0
Key : Hypervisor.Flags.NoExtendedRangeFlush
Value: 1
Key : Hypervisor.Flags.NoNonArchCoreSharing
Value: 0
Key : Hypervisor.Flags.Phase0InitDone
Value: 1
Key : Hypervisor.Flags.PowerSchedulerQos
Value: 0
Key : Hypervisor.Flags.RootScheduler
Value: 0
Key : Hypervisor.Flags.SynicAvailable
Value: 1
Key : Hypervisor.Flags.UseQpcBias
Value: 0
Key : Hypervisor.Flags.Value
Value: 536632
Key : Hypervisor.Flags.ValueHex
Value: 0x83038
Key : Hypervisor.Flags.VpAssistPage
Value: 1
Key : Hypervisor.Flags.VsmAvailable
Value: 0
Key : Hypervisor.RootFlags.AccessStats
Value: 0
Key : Hypervisor.RootFlags.CrashdumpEnlightened
Value: 0
Key : Hypervisor.RootFlags.CreateVirtualProcessor
Value: 0
Key : Hypervisor.RootFlags.DisableHyperthreading
Value: 0
Key : Hypervisor.RootFlags.HostTimelineSync
Value: 0
Key : Hypervisor.RootFlags.HypervisorDebuggingEnabled
Value: 0
Key : Hypervisor.RootFlags.IsHyperV
Value: 0
Key : Hypervisor.RootFlags.LivedumpEnlightened
Value: 0
Key : Hypervisor.RootFlags.MapDeviceInterrupt
Value: 0
Key : Hypervisor.RootFlags.MceEnlightened
Value: 0
Key : Hypervisor.RootFlags.Nested
Value: 0
Key : Hypervisor.RootFlags.StartLogicalProcessor
Value: 0
Key : Hypervisor.RootFlags.Value
Value: 0
Key : Hypervisor.RootFlags.ValueHex
Value: 0x0
Key : SecureKernel.HalpHvciEnabled
Value: 0
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Version
Value: 10.0.19041.1
BUGCHECK_CODE: 7e
BUGCHECK_P1: ffffffffc0000005
BUGCHECK_P2: fffff805802b1699
BUGCHECK_P3: fffffc89cac5a458
BUGCHECK_P4: fffffc89cac59c90
FAULTING_THREAD: ffffbd0465f0f040
EXCEPTION_RECORD: fffffc89cac5a458 -- (.exr 0xfffffc89cac5a458)
ExceptionAddress: fffff805802b1699 (pte1!InitHookWin10+0x0000000000000639)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 00000245cb781000
Attempt to read from address 00000245cb781000
CONTEXT: fffffc89cac59c90 -- (.cxr 0xfffffc89cac59c90)
rax=0000000000000000 rbx=0000000000000000 rcx=00000000001ff000
rdx=0000000000000000 rsi=00000245cb781000 rdi=ffffdf7d0da01000
rip=fffff805802b1699 rsp=fffffc89cac5a690 rbp=0000000000000000
r8=fffffc89cac5a068 r9=7fffbd046545f688 r10=7ffffffffffffffc
r11=ffffbd0465f0f040 r12=ffff8d005e2fa950 r13=ffffffff800020c4
r14=fffff805802b42a8 r15=ffffbd046b39fe30
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00050246
pte1!InitHookWin10+0x639:
fffff805`802b1699 f3a4 rep movs byte ptr [rdi],byte ptr [rsi]
Resetting default scope
PROCESS_NAME: System
READ_ADDRESS: unable to get nt!PspSessionIdBitmap
00000245cb781000
ERROR_CODE: (NTSTATUS) 0xc0000005 - 0x%p 0x%p %s
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 0000000000000000
EXCEPTION_PARAMETER2: 00000245cb781000
EXCEPTION_STR: 0xc0000005
STACK_TEXT:
fffffc89`cac5a690 fffff805`802b1f7d : fffff805`7b266000 00000000`00001ec8 00000000`00000ca0 fffff805`7ae1cb26 : pte1!InitHookWin10+0x639 [C:\Users\17116\source\repos\pte1\pte1\Ô´.cpp @ 204]
fffffc89`cac5a830 fffff805`802b20fb : ffffbd04`6b39fe30 ffffbd04`6575f000 ffffbd04`6575f000 ffffbd04`6cc53de0 : pte1!DriverEntry+0x9d [C:\Users\17116\source\repos\pte1\pte1\Ô´.cpp @ 349]
fffffc89`cac5a890 fffff805`802b2030 : ffffbd04`6575f000 fffffc89`cac5aa60 ffffbd04`6c6aedd0 ffffbd04`6b39fe30 : pte1!FxDriverEntryWorker+0xbf [minkernel\wdf\framework\kmdf\src\dynamic\stub\stub.cpp @ 360]
fffffc89`cac5a8d0 fffff805`7b3538f4 : ffffbd04`6575f000 00000000`00000000 ffffbd04`6b39fe30 00000000`00000000 : pte1!FxDriverEntry+0x20 [minkernel\wdf\framework\kmdf\src\dynamic\stub\stub.cpp @ 249]
fffffc89`cac5a900 fffff805`7b31e3cd : 00000000`0000000a 00000000`00000000 00000000`00000000 00000000`00001000 : nt!PnpCallDriverEntry+0x4c
fffffc89`cac5a960 fffff805`7b364207 : 00000000`00000000 00000000`00000000 fffff805`7b925440 00000000`00000000 : nt!IopLoadDriver+0x4e5
fffffc89`cac5ab30 fffff805`7af034b5 : ffffbd04`00000000 ffffffff`800020c4 ffffbd04`65f0f040 ffffbd04`0000000c : nt!IopLoadUnloadDriver+0x57
fffffc89`cac5ab70 fffff805`7aea29a5 : ffffbd04`65f0f040 00000000`00000080 ffffbd04`6545f1c0 000fa067`b8bbbdff : nt!ExpWorkerThread+0x105
fffffc89`cac5ac10 fffff805`7affc868 : fffff805`75eaf180 ffffbd04`65f0f040 fffff805`7aea2950 00000000`00000000 : nt!PspSystemThreadStartup+0x55
fffffc89`cac5ac60 00000000`00000000 : fffffc89`cac5b000 fffffc89`cac55000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x28
FAULTING_SOURCE_LINE: C:\Users\17116\source\repos\pte1\pte1\Ô´.cpp
FAULTING_SOURCE_FILE: C:\Users\17116\source\repos\pte1\pte1\Ô´.cpp
FAULTING_SOURCE_LINE_NUMBER: 204
FAULTING_SOURCE_CODE:
200: UnmapPhysicalMemory(Cr3Va);
201: return status;
202: }
203:
> 204: RtlCopyMemory(LargePageBuf, OrigDataVa, 0x200000);
205: UnmapPhysicalMemory(OrigDataVa);
206:
207: // ??????????????
208: PUCHAR HookLoc = (PUCHAR)LargePageBuf + (TargetVa & 0x1FFFFF) + Offset;
209: HookLoc[0] = 0x90; // NOP
SYMBOL_NAME: pte1!InitHookWin10+639
MODULE_NAME: pte1
IMAGE_NAME: pte1.sys
STACK_COMMAND: .cxr 0xfffffc89cac59c90 ; kb
BUCKET_ID_FUNC_OFFSET: 639
FAILURE_BUCKET_ID: AV_pte1!InitHookWin10
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {14fb13e5-207c-6ef8-f4d3-d7bd4cc8e1a3}
Followup: MachineOwner
---------
#include <ntifs.h>
#include <wdm.h>
// 完整的页表项结构
typedef union _HARDWARE_PTE {
struct {
ULONG64 Valid : 1;
ULONG64 Write : 1;
ULONG64 Owner : 1;
ULONG64 WriteThrough : 1;
ULONG64 CacheDisable : 1;
ULONG64 Accessed : 1;
ULONG64 Dirty : 1;
ULONG64 LargePage : 1; // 修复:添加缺失的LargePage
ULONG64 Global : 1;
ULONG64 CopyOnWrite : 1;
ULONG64 Prototype : 1;
ULONG64 reserved0 : 1;
ULONG64 PageFrameNumber : 36;
ULONG64 reserved1 : 4;
ULONG64 SoftwareWsIndex : 11;
ULONG64 NoExecute : 1;
};
ULONG64 AsUINT64; // 添加联合体支持
} HARDWARE_PTE, * PHARDWARE_PTE;
// 全局资源记录
typedef struct _HOOK_CONTEXT {
PVOID NewPages[4]; // [0]PPE [1]PDE [2]PTE [3]Data
ULONG_PTR OriginalPTE;
BOOLEAN IsLargePage;
} HOOK_CONTEXT, * PHOOK_CONTEXT;
static HANDLE g_hSection = NULL; // 全局节对象句柄
NTSTATUS MapPhysicalMemory(IN PHYSICAL_ADDRESS PhysicalAddress, OUT PVOID* MappedVa)
{
SIZE_T size = PAGE_SIZE;
NTSTATUS status = STATUS_SUCCESS;
// 第一次调用时打开节对象
if (g_hSection == NULL) {
UNICODE_STRING physName;
RtlInitUnicodeString(&physName, L"\\Device\\PhysicalMemory");
OBJECT_ATTRIBUTES oa;
InitializeObjectAttributes(&oa, &physName, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);
status = ZwOpenSection(&g_hSection, SECTION_ALL_ACCESS, &oa);
if (!NT_SUCCESS(status)) {
DbgPrint("ZwOpenSection failed: 0x%X\n", status);
return status;
}
}
// 映射物理内存
PHYSICAL_ADDRESS baseAddress = PhysicalAddress;
status = ZwMapViewOfSection(
g_hSection,
NtCurrentProcess(),
MappedVa,
0L,
size,
&baseAddress,
&size,
ViewUnmap,
0,
PAGE_READWRITE
);
if (!NT_SUCCESS(status)) {
DbgPrint("ZwMapViewOfSection failed: 0x%X\n", status);
}
return status;
}
VOID UnmapPhysicalMemory(PVOID MappedVa)
{
if (MappedVa) {
ZwUnmapViewOfSection(NtCurrentProcess(), MappedVa);
}
}
NTSTATUS InitHookWin10(IN ULONG_PTR TargetVa, IN HANDLE Pid, IN ULONG_PTR Offset)
{
PEPROCESS Process = NULL;
PHYSICAL_ADDRESS Cr3Pa = { 0 };
PVOID Cr3Va = NULL;
HOOK_CONTEXT ctx = { 0 };
NTSTATUS status;
// 1. 获取目标进程CR3
status = PsLookupProcessByProcessId(Pid, &Process);
if (!NT_SUCCESS(status)) {
DbgPrint("PsLookupProcessByProcessId failed: 0x%X\n", status);
return status;
}
// 获取进程CR3 (Win10 10240偏移为0x28)
Cr3Pa.QuadPart = *(ULONG_PTR*)((PUCHAR)Process + 0x28) & ~0xF;
ObDereferenceObject(Process);
// 2. 映射CR3
status = MapPhysicalMemory(Cr3Pa, &Cr3Va);
if (!NT_SUCCESS(status)) {
DbgPrint("MapPhysicalMemory for CR3 failed: 0x%X\n", status);
return status;
}
// 3. 计算页表索引 (x64四级页表)
ULONG Pml4Index = (TargetVa >> 39) & 0x1FF;
ULONG PdptIndex = (TargetVa >> 30) & 0x1FF;
ULONG PdIndex = (TargetVa >> 21) & 0x1FF;
ULONG PtIndex = (TargetVa >> 12) & 0x1FF;
// 4. 复制并修改PML4E (实际为PDPT)
PHYSICAL_ADDRESS LowAddr = { 0 };
PHYSICAL_ADDRESS HighAddr = { 0 };
HighAddr.QuadPart = ~0ULL; // 修复:正确的初始化
ctx.NewPages[0] = MmAllocateContiguousMemorySpecifyCache(
PAGE_SIZE, LowAddr, HighAddr, LowAddr, MmCached);
if (ctx.NewPages[0] == NULL) {
DbgPrint("MmAllocateContiguousMemorySpecifyCache for PPE failed\n");
UnmapPhysicalMemory(Cr3Va);
return STATUS_INSUFFICIENT_RESOURCES;
}
PHARDWARE_PTE OrigPml4e = (PHARDWARE_PTE)((PUCHAR)Cr3Va + Pml4Index * sizeof(ULONG64));
PHYSICAL_ADDRESS PdptPa = { 0 };
PdptPa.QuadPart = OrigPml4e->PageFrameNumber << 12;
PVOID PdptVa = NULL;
status = MapPhysicalMemory(PdptPa, &PdptVa);
if (!NT_SUCCESS(status)) {
DbgPrint("MapPhysicalMemory for PDPT failed: 0x%X\n", status);
MmFreeContiguousMemory(ctx.NewPages[0]);
UnmapPhysicalMemory(Cr3Va);
return status;
}
RtlCopyMemory(ctx.NewPages[0], PdptVa, PAGE_SIZE); // 复制原始PDPT
UnmapPhysicalMemory(PdptVa);
// 5. 处理PDPTE (实际为PD)
ctx.NewPages[1] = MmAllocateContiguousMemorySpecifyCache(
PAGE_SIZE, LowAddr, HighAddr, LowAddr, MmCached);
if (ctx.NewPages[1] == NULL) {
DbgPrint("MmAllocateContiguousMemorySpecifyCache for PDE failed\n");
MmFreeContiguousMemory(ctx.NewPages[0]);
UnmapPhysicalMemory(Cr3Va);
return STATUS_INSUFFICIENT_RESOURCES;
}
PHARDWARE_PTE OrigPdpte = (PHARDWARE_PTE)((PUCHAR)ctx.NewPages[0] + PdptIndex * sizeof(ULONG64));
PHYSICAL_ADDRESS PdPa = { 0 };
PdPa.QuadPart = OrigPdpte->PageFrameNumber << 12;
PVOID PdVa = NULL;
status = MapPhysicalMemory(PdPa, &PdVa);
if (!NT_SUCCESS(status)) {
DbgPrint("MapPhysicalMemory for PD failed: 0x%X\n", status);
MmFreeContiguousMemory(ctx.NewPages[0]);
MmFreeContiguousMemory(ctx.NewPages[1]);
UnmapPhysicalMemory(Cr3Va);
return status;
}
RtlCopyMemory(ctx.NewPages[1], PdVa, PAGE_SIZE); // 复制原始PD
UnmapPhysicalMemory(PdVa);
// 6. 检查大页
PHARDWARE_PTE OrigPde = (PHARDWARE_PTE)((PUCHAR)ctx.NewPages[1] + PdIndex * sizeof(ULONG64));
ctx.IsLargePage = OrigPde->LargePage;
if (ctx.IsLargePage) {
// 处理2MB大页
ULONG_PTR LargePageBase = TargetVa & ~0x1FFFFF;
PHYSICAL_ADDRESS DataPa = { 0 };
DataPa.QuadPart = OrigPde->PageFrameNumber << 12;
// 分配2MB对齐内存
PVOID LargePageBuf = MmAllocateContiguousMemorySpecifyCache(
0x200000, LowAddr, HighAddr, LowAddr, MmCached);
if (LargePageBuf == NULL) {
DbgPrint("Failed to allocate 2MB contiguous memory\n");
MmFreeContiguousMemory(ctx.NewPages[0]);
MmFreeContiguousMemory(ctx.NewPages[1]);
UnmapPhysicalMemory(Cr3Va);
return STATUS_INSUFFICIENT_RESOURCES;
}
PHYSICAL_ADDRESS NewDataPa = MmGetPhysicalAddress(LargePageBuf);
// 复制原始数据
PVOID OrigDataVa = NULL;
status = MapPhysicalMemory(DataPa, &OrigDataVa);
if (!NT_SUCCESS(status)) {
DbgPrint("MapPhysicalMemory for large page data failed: 0x%X\n", status);
MmFreeContiguousMemory(LargePageBuf);
MmFreeContiguousMemory(ctx.NewPages[0]);
MmFreeContiguousMemory(ctx.NewPages[1]);
UnmapPhysicalMemory(Cr3Va);
return status;
}
RtlCopyMemory(LargePageBuf, OrigDataVa, 0x200000);
UnmapPhysicalMemory(OrigDataVa);
// 修改新页面指令
PUCHAR HookLoc = (PUCHAR)LargePageBuf + (TargetVa & 0x1FFFFF) + Offset;
HookLoc[0] = 0x90; // NOP
HookLoc[1] = 0x90; // NOP
HookLoc[2] = 0xC3; // RET
// 更新PDE
OrigPde = (PHARDWARE_PTE)((PUCHAR)ctx.NewPages[1] + PdIndex * sizeof(ULONG64));
OrigPde->PageFrameNumber = NewDataPa.QuadPart >> 12;
ctx.NewPages[3] = LargePageBuf;
}
else {
// 处理4KB页
ctx.NewPages[2] = MmAllocateContiguousMemorySpecifyCache(
PAGE_SIZE, LowAddr, HighAddr, LowAddr, MmCached);
if (ctx.NewPages[2] == NULL) {
DbgPrint("MmAllocateContiguousMemorySpecifyCache for PTE failed\n");
MmFreeContiguousMemory(ctx.NewPages[0]);
MmFreeContiguousMemory(ctx.NewPages[1]);
UnmapPhysicalMemory(Cr3Va);
return STATUS_INSUFFICIENT_RESOURCES;
}
PHYSICAL_ADDRESS PtPa = { 0 };
PtPa.QuadPart = OrigPde->PageFrameNumber << 12;
PVOID PtVa = NULL;
status = MapPhysicalMemory(PtPa, &PtVa);
if (!NT_SUCCESS(status)) {
DbgPrint("MapPhysicalMemory for PT failed: 0x%X\n", status);
MmFreeContiguousMemory(ctx.NewPages[0]);
MmFreeContiguousMemory(ctx.NewPages[1]);
MmFreeContiguousMemory(ctx.NewPages[2]);
UnmapPhysicalMemory(Cr3Va);
return status;
}
RtlCopyMemory(ctx.NewPages[2], PtVa, PAGE_SIZE); // 复制原始PT
UnmapPhysicalMemory(PtVa);
// 处理PTE
PHARDWARE_PTE OrigPte = (PHARDWARE_PTE)((PUCHAR)ctx.NewPages[2] + PtIndex * sizeof(ULONG64));
ctx.OriginalPTE = OrigPte->AsUINT64; // 使用联合体访问
PHYSICAL_ADDRESS DataPa = { 0 };
DataPa.QuadPart = OrigPte->PageFrameNumber << 12;
// 分配新数据页
PVOID NewData = MmAllocateContiguousMemorySpecifyCache(
PAGE_SIZE, LowAddr, HighAddr, LowAddr, MmCached);
if (NewData == NULL) {
DbgPrint("Failed to allocate data page\n");
MmFreeContiguousMemory(ctx.NewPages[0]);
MmFreeContiguousMemory(ctx.NewPages[1]);
MmFreeContiguousMemory(ctx.NewPages[2]);
UnmapPhysicalMemory(Cr3Va);
return STATUS_INSUFFICIENT_RESOURCES;
}
PHYSICAL_ADDRESS NewDataPa = MmGetPhysicalAddress(NewData);
// 复制原始数据
PVOID OrigDataVa = NULL;
status = MapPhysicalMemory(DataPa, &OrigDataVa);
if (!NT_SUCCESS(status)) {
DbgPrint("MapPhysicalMemory for data page failed: 0x%X\n", status);
MmFreeContiguousMemory(NewData);
MmFreeContiguousMemory(ctx.NewPages[0]);
MmFreeContiguousMemory(ctx.NewPages[1]);
MmFreeContiguousMemory(ctx.NewPages[2]);
UnmapPhysicalMemory(Cr3Va);
return status;
}
RtlCopyMemory(NewData, OrigDataVa, PAGE_SIZE);
UnmapPhysicalMemory(OrigDataVa);
// 修改新页面指令
PUCHAR HookLoc = (PUCHAR)NewData + (TargetVa & 0xFFF) + Offset;
HookLoc[0] = 0x90; // NOP
HookLoc[1] = 0x90; // NOP
HookLoc[2] = 0xC3; // RET
// 更新PTE
OrigPte = (PHARDWARE_PTE)((PUCHAR)ctx.NewPages[2] + PtIndex * sizeof(ULONG64));
OrigPte->PageFrameNumber = NewDataPa.QuadPart >> 12;
ctx.NewPages[3] = NewData;
}
// 7. 更新页表链
PHARDWARE_PTE NewPdpte = (PHARDWARE_PTE)((PUCHAR)ctx.NewPages[0] + PdptIndex * sizeof(ULONG64));
NewPdpte->PageFrameNumber = MmGetPhysicalAddress(ctx.NewPages[1]).QuadPart >> 12;
PHARDWARE_PTE NewPml4e = (PHARDWARE_PTE)((PUCHAR)Cr3Va + Pml4Index * sizeof(ULONG64));
NewPml4e->PageFrameNumber = MmGetPhysicalAddress(ctx.NewPages[0]).QuadPart >> 12;
// 8. 清理映射
UnmapPhysicalMemory(Cr3Va);
// 保存上下文以便卸载(实际应保存到全局变量)
// g_HookContext = ctx;
return STATUS_SUCCESS;
}
// 驱动卸载时释放资源
VOID UninstallHook(PHOOK_CONTEXT ctx)
{
for (int i = 0; i < 4; i++) {
if (ctx->NewPages[i] != NULL) {
MmFreeContiguousMemory(ctx->NewPages[i]);
ctx->NewPages[i] = NULL;
}
}
}
VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
HOOK_CONTEXT ctx = { 0 }; // 实际应从全局获取
UninstallHook(&ctx);
if (g_hSection) {
ZwClose(g_hSection);
g_hSection = NULL;
}
DbgPrint("Driver unloaded\n");
}
extern "C"
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
DriverObject->DriverUnload = DriverUnload;
// 获取NtOpenProcess地址
UNICODE_STRING funcName = RTL_CONSTANT_STRING(L"NtOpenProcess");
ULONG_PTR funcAddr = (ULONG_PTR)MmGetSystemRoutineAddress(&funcName);
if (funcAddr == 0) {
DbgPrint("Failed to get NtOpenProcess address\n");
return STATUS_NOT_FOUND;
}
ULONG_PTR pageBase = funcAddr & ~0xFFF;
ULONG_PTR offset = funcAddr & 0xFFF;
// 假设目标进程PID为1234
return InitHookWin10(pageBase, (HANDLE)7880, offset);
}
这个是什么错误导致的
扫一扫
6万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
