#include <ntifs.h>
#include <ntddk.h>
#include <intrin.h>
#include "ptehook.h"
#define CR0_WP (1 << 16
)
#define DRIVER_TAG 'HKOB'
#define MAX_G_BIT_RECORDS 128
#define MAX_HOOK_COUNT
64
#define PAGE_ALIGN(va
) ((
PVOID)((ULONG_PTR
)(va
) & ~0xFFF
))
#define PTE_NX_BIT (1ULL << 63
)
// 调试打印宏
#define LOG_
ERROR(fmt, ...
) \
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_
ERROR_LEVEL, "[PTE_HOOK]
ERROR: " fmt "\n", ##__VA_ARGS__
)
#define LOG_INFO(fmt, ...
) \
DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "[PTE_HOOK] INFO
: " fmt "\n", ##__VA_ARGS__
)
#define LOG_TRACE(fmt, ...
) \
DbgPrintEx(DPFLTR极IHVDRIVER_ID, DPFLTR_TRACE_LEVEL, "[PTE_HOOK] TRACE
: " fmt "\n", ##__VA_ARGS__
)
// 修正的跳板指令结构
#pragma pack(push, 1
)
typedef struct _JMP_ABS {
UINT8 opcode[6]; // FF 25 00 00 00 00 = jmp [rip+0]
ULONG
64 address; // 目标地址 (紧跟在指令后
)
} JMP_ABS, * PJMP_ABS;
#pragma pack(pop
)
static_assert(sizeof(JMP_ABS
) == 14, "JMP_ABS size must be 14 bytes"
);
// 声明PsGetProcessImageFileName
extern "C" NTSYSAPI CHAR* NTAPI PsGetProcessImageFileName(PEPROCESS Process
);
// 页表结构定义
typedef struct _PAGE_TABLE {
UINT
64 LineAddress;
union {
struct {
UINT
64 present
: 1;
UINT
64 write
: 1;
UINT
64 user
: 1;
UINT
64 write_through
: 1;
UINT
64 cache_disable
: 1;
UINT
64 accessed
: 1;
UINT
64 dirty
: 1;
UINT
64 pat
: 1;
UINT
64 global
: 1;
UINT
64 ignored_1
: 3;
UINT
64 page_frame_number
: 36;
UINT
64 reserved_1
: 极;
UINT
64 ignored_2
: 7;
UINT
64 protection_key
: 4;
UINT
64 execute_disable
: 1;
} flags;
UINT
64 value;
}*PteAddress;
union {
struct {
UINT
64 present
: 1;
UINT
64 write
: 1;
UINT
64 user
: 1;
UINT
64 write_through
: 1;
UINT
64 cache_disable
: 1;
UINT
64 accessed
: 1;
UINT
64 dirty
: 1;
UINT
64 large_page
: 1;
UINT
64 global
: 1;
UINT
64 ignored_2
: 3;
UINT
64 page_frame_number
: 36;
UINT
64 reserved_1
: 4;
UINT
64 ignored_3
: 7;
UINT
64 protection_key
: 4;
UINT
64 execute_disable
: 1;
} flags;
UINT
64 value;
}*PdeAddress;
union {
struct {
UINT
64 present
: 1;
UINT
64 write
: 1;
UINT
64 user
: 1;
UINT
64 write_through
: 1;
UINT
64 cache_disable
: 1;
UINT
64 accessed
: 1;
UINT
64 ignored_1
: 1;
UINT
64 page_size
: 1;
UINT
64 ignored_2
: 4;
UINT
64 page_frame_number
: 36;
UINT
64 reserved_1
: 4;
UINT
64 ignored_3
: 7;
UINT
64 protection_key
: 4;
UINT
64 execute_disable
: 1;
} flags;
UINT
64 value;
}*PdpteAddress;
UINT
64* Pml4Address;
BOOLEAN IsLargePage;
BOOLEAN Is1GBPage;
UINT
64 OriginalPte;
UINT
64 OriginalPde;
UINT
64 OriginalPdpte;
UINT
64 OriginalPml4e;
HANDLE ProcessId;
} PAGE_TABLE, * PPAGE_TABLE;
// G位信息记录结构体
typedef struct _G_BIT_INFO {
void* AlignAddress;
union {
struct {
UINT
64 present
: 1;
UINT
64 write
: 1;
UINT
64 user
: 1;
UINT
64 write_through
: 1;
UINT
64 cache_disable
: 1;
UINT
64 accessed
: 1;
UINT
64 dirty
: 1;
UINT
64 large_page
: 1;
UINT
64 global
: 1;
UINT
64 ignored_2
: 3;
UINT
64 page_frame_number
: 36;
UINT
64 reserved_1
: 4;
UINT
64 ignored_3
: 7;
UINT
64 protection_key
: 4;
UINT
64 execute_disable
: 1;
} flags;
UINT
64 value;
}*PdeAddress;
union {
struct {
UINT
64 present
: 1;
UINT
64 write
: 1;
UINT
64 user
: 1;
UINT
64 write_through
: 1;
UINT
64 cache_disable
: 1;
UINT
64 accessed
: 1;
UINT
64 dirty
: 1;
UINT
64 pat
: 1;
UINT
64 global
: 1;
UINT
64 ignored_1
: 3;
UINT
64 page_frame_number
: 36;
UINT
64 reserved_1
: 4;
UINT
64 ignored_2
: 7;
UINT
64 protection_key
: 4;
UINT
64 execute_disable
: 1;
} flags;
UINT
64 value;
}*PteAddress;
BOOLEAN IsLargePage;
} G_BIT_INFO, * PG_BIT_INFO;
typedef struct _HOOK_INFO {
void* OriginalAddress;
void* HookAddress;
UINT8 OriginalBytes[20];
UINT8 HookBytes[20];
UINT32 HookLength;
BOOLEAN IsHooked;
HANDLE ProcessId;
UINT
64 OriginalPteValue;
UINT
64 HookedPteValue;
} HOOK_INFO;
class PteHookManager {
public
:
bool fn_pte_inline_hook_bp_pg(HANDLE process_id, _Inout_ void** ori_addr, void* hk_addr
);
bool fn_remove_hook(HANDLE process_id, void* hook_addr
);
static PteHookManager* GetInstance(
);
HOOK_INFO* GetHookInfo(
) { return m_HookInfo; }
char* GetTrampLinePool(
) { return m_TrampLinePool; }
UINT32 GetHookCount(
) { return m_HookCount; }
bool fn_resume_global_bits(void* align_addr
);
~PteHookManager(
);
private
:
bool WriteTrampolineInstruction(void* trampoline, const JMP_ABS& jmpCmd
);
bool SetPageExecution(void* address, bool executable
);
void fn_add_g_bit_info(void* align_addr, void* pde_address, void* pte_address
);
bool fn_isolation_pagetable(UINT
64 cr3_val, void* replace_align_addr, void* split_pde
);
bool fn_isolation_pages(HANDLE process_id, void* ori_addr
);
bool fn_split_large_pages(void* in_pde, void* out_pde
);
NTSTATUS get_page_table(UINT
64 cr3, PAGE_TABLE& table
);
void* fn_pa_to_va(UINT
64 pa
);
UINT
64 fn_va_to_pa(void* va
);
__forceinline KIRQL DisableWriteProtection(
);
__forceinline void EnableWriteProtection(KIRQL oldIrql
);
void FlushCacheAndTlb(void* address
);
G_BIT_INFO m_GbitRecords[MAX_G_BIT_RECORDS];
UINT32 m_GbitCount = 0;
void* m_PteBase = 0;
HOOK_INFO m_HookInfo[MAX_HOOK_COUNT] = { 0 };
UINT32 m_HookCount = 0;
char* m_TrampLinePool = nullptr;
UINT32 m_PoolUsed = 0;
static PteHookManager* m_Instance;
};
PteHookManager* PteHookManager
::m_Instance = nullptr;
// 实现部分
__forceinline KIRQL P极HookManager
::DisableWriteProtection(
) {
KIRQL oldIrql = KeRaiseIrqlToDpcLevel(
);
UINT
64 cr0 = __readcr0(
);
__writecr0(cr0 & ~CR0_WP
); // 清除CR0.WP位
_mm_mfence(
);
return oldIrql;
}
__forceinline void PteHookManager
::EnableWriteProtection(KIRQL oldIrql
) {
_mm_mfence(
);
UINT
64 cr0 = __readcr0(
);
__writecr0(cr0 | CR0_WP
); // 设置CR0.WP位
KeLowerIrql(oldIrql
);
}
void* PteHookManager
::fn_pa_to_va(UINT
64 pa
) {
PHYSICAL_ADDRESS physAddr;
physAddr.QuadPart = pa;
return MmGetVirtualForPhysical(physAddr
);
}
UINT
64 PteHookManager
::fn_va_to_pa(void* va
) {
PHYSICAL_ADDRESS physAddr = MmGetPhysicalAddress(va
);
return physAddr.QuadPart;
}
NTSTATUS PteHookManager
::get_page_table(UINT
64 cr3_val, PAGE_TABLE& table
) {
UINT
64 va = table.LineAddress;
UINT
64 pml4e_index = (va >> 39
) & 0x1FF;
UINT
64 pdpte_index = (va >> 30
) & 0x1FF;
UINT
64 pde_index = (va >> 21
) & 0x1FF;
UINT
64 pte_index = (va >> 12
) & 0x1FF;
// PML4
UINT
64 pml4_pa = cr3_val & ~0xFFF;
UINT
64* pml4_va = (UINT
64*
)fn_pa_to_va(pml4_pa
);
if (!pml4_va
) return STATUS_INVALID_ADDRESS;
table.Pml4Address = &pml4_va[pml4e_index];
table.OriginalPml4e = *table.Pml4Address;
if (!(table.OriginalPml4e & 1
)) return STATUS_ACCESS_VIOLATION;
// PDPTE
UINT
64 pdpte_pa = table.OriginalPml4e & ~0xFFF;
UINT
64* pdpte_va = (UINT
64*
)fn_pa_to_va(pdpte_pa
);
if (!pdpte_va
) return STATUS_INVALID_ADDRESS;
table.PdpteAddress = (decltype(table.PdpteAddress
))&pdpte_va[pdpte_index];
table.OriginalPdpte = table.PdpteAddress->value;
table.Is1GBPage = (table.PdpteAddress->flags.page_size
) ? TRUE
: FALSE;
if (!(table.OriginalPdpte & 1
)) return STATUS_ACCESS_VIOLATION;
if (table.Is1GBPage
) return STATUS_SUCCESS;
// PDE
UINT
64 pde_pa = table.OriginalPdpte & ~0xFFF;
UINT
64* pde_va = (UINT
64*
)fn_pa_to_va(pde_pa
);
if (!pde_va
) return STATUS_INVALID_ADDRESS;
table.PdeAddress = (decltype(table.PdeAddress
))&pde_va[pde_index];
table.OriginalPde = table.PdeAddress->value;
table.IsLargePage = (table.PdeAddress->flags.large_page
) ? TRUE
: FALSE;
if (!(table.OriginalPde & 1
)) return STATUS_ACCESS_VIOLATION;
if (table.IsLargePage
) return STATUS_SUCCESS;
// PTE
UINT
64 pte_pa = table.OriginalPde & ~0xFFF;
UINT
64* pte_va = (UINT
64*
)fn_pa_to_va(pte_pa
);
if (!pte_va
) return STATUS_INVALID_ADDRESS;
table.PteAddress = (decltype(table.PteAddress
))&pte_va[pte_index];
table.OriginalPte = table.PteAddress->value;
if (!(table.OriginalPte & 1
)) return STATUS_ACCESS_VIOLATION;
LOG_TRACE("Page Table Info
: VA=0x%p, PTE=0x%llX", (void*
)table.LineAddress, table.OriginalPte
);
return STATUS_SUCCESS;
}
bool PteHookManager
::fn_split_large_pages(void* in_pde_ptr, void* out_pde_ptr
) {
auto in_pde = (decltype(PAGE_TABLE
::PdeAddress
))in_pde_ptr;
auto out_pde = (decltype(PAGE_TABLE
::PdeAddress
))out_pde_ptr;
LOG_INFO("Splitting large page
: Input PDE=0x%llx", in_pde->value
);
PHYSICAL_ADDRESS LowAddr = { 0 }, HighAddr = { 0 };
HighAddr.QuadPart = MAXULONG
64;
auto pt = (decltype(PAGE_TABLE
::PteAddress
))MmAllocateContiguousMemorySpecifyCache(
PAGE_SIZE, LowAddr, HighAddr, LowAddr, MmNonCached
);
if (!pt
) {
LOG_
ERROR("Failed to allocate contiguous memory for page splitting"
);
return false;
}
UINT
64 start_pfn = in_pde->flags.page_frame_number;
for (int i = 0; i < 512; i++
) {
pt[i].value = 0;
pt[i].flags.present = 1;
pt[i].flags.write = in_pde->flags.write;
pt[i].flags.user = in_pde->flags.user;
pt[i].flags.write_through = in_pde->flags.write_through;
pt[i].flags.cache_disable = in_pde->flags.cache_disable;
pt[i].flags.accessed = in_pde->flags.accessed;
pt[i].flags.dirty = in_pde->flags.dirty;
pt[i].flags.global = 0;
pt[i].flags.page_frame_number = start_pfn + i;
}
out_pde->value = in_pde->value;
out_pde->flags.large_page = 0;
out_pde->flags.page_frame_number = fn_va_to_pa(pt
) >> 12;
LOG_INFO("Large page split complete
: New PTE table at PA=0x%llx", fn_va_to_pa(pt
));
return true;
}
bool PteHookManager
::SetPageExecution(void* address, bool executable
) {
// 使用页表遍历函数修改NX位
PAGE_TABLE table = { 0 };
table.LineAddress = (UINT
64)address;
NTSTATUS status = get_page_table(__readcr3(
), table
);
if (!NT_SUCCESS(status
)) {
LOG_
ERROR("Failed to get page table for address 0x%p", address
);
return false;
}
KIRQL oldIrql = DisableWriteProtection(
);
UINT
64 oldPte = table.PteAddress->value;
UINT
64 newPte = oldPte;
// 设置或清除NX位
if (executable
) {
newPte &= ~PTE_NX_BIT;
}
else {
newPte |= PTE_NX_BIT;
}
table.PteAddress->value = newPte;
// 刷新TLB
__invlpg(address
);
_mm_mfence(
);
EnableWriteProtection(oldIrql
);
LOG_TRACE("PTE modified for 0x%p
: Old=0x%llX, New=0x%llX", address, oldPte, newPte
);
return true;
}
bool PteHookManager
::fn_isolation_pagetable(UINT
64 cr3_val, void* replace_align_addr, void* split_pde_ptr
) {
PHYSICAL_ADDRESS LowAddr = { 0 }, HighAddr = { 0 };
HighAddr.QuadPart = MAXULONG
64;
LOG_INFO("Isolating page table
: CR3=0x%llx, Address=0x%p", cr3_val, replace_align_addr
);
auto Va4kb = (UINT
64*
)MmAllocateContiguousMemorySpecifyCache(PAGE_SIZE, LowAddr, HighAddr, LowAddr, MmNonCached
);
auto VaPt = (UINT
64*
)MmAllocateContiguousMemorySpecifyCache(PAGE_SIZE, LowAddr, HighAddr, Low极, MmNonCached
);
auto VaPdt = (UINT
64*
)MmAllocateContiguousMemorySpecifyCache(PAGE_SIZE, LowAddr, HighAddr, LowAddr, MmNonCached
);
auto VaPdpt = (UINT
64*
)MmAllocateContiguousMemorySpecifyCache(PAGE_SIZE, LowAddr, HighAddr, LowAddr, MmNonCached
);
if (!VaPt || !Va4kb || !VaPdt || !VaPdpt
) {
if (VaPt
) MmFreeContiguousMemory(VaPt
);
if (Va4kb
) MmFreeContiguousMemory(Va4kb
);
if (VaPdt
) MmFreeContiguousMemory(VaPdt
);
if (VaPdpt
) MmFreeContiguousMemory(VaPd极
);
LOG_
ERROR("Failed to allocate contiguous memory for isolation"
);
return false;
}
PAGE_TABLE Table = { 0 };
Table.LineAddress = (UINT
64)replace_align_addr;
NTSTATUS status = get_page_table(cr3_val, Table
);
if (!NT_SUCCESS(status
)) {
MmFreeContiguousMemory(VaPt
);
MmFreeContiguousMemory(Va4kb
);
MmFreeContiguousMemory(VaPdt
);
MmFreeContiguousMemory(VaPdpt
);
LOG_
ERROR("get_page_table failed with status 0x%X", status
);
return false;
}
UINT
64 pte_index = (Table.LineAddress >> 12
) & 0x1FF;
UINT
64 pde_index = (Table.LineAddress >> 21
) & 0x1FF;
UINT
64 pdpte_index = (Table.LineAddress >> 30
) & 0x1FF;
UINT
64 pml4e_index = (Table.LineAddress >> 39
) & 0x1FF;
memcpy(Va4kb, replace_align_addr, PAGE_SIZE
);
if (Table.IsLargePage && split_pde_ptr
) {
auto split_pde = (decltype(PAGE_TABLE
::PdeAddress
))split_pde_ptr;
memcpy(VaPt, (void*
)(split_pde->flags.page_frame_number << 12
), PAGE_SIZE
);
}
else {
memcpy(VaPt, (void*
)(Table.PdeAddress->flags.page_frame_number << 12
), PAGE_SIZE
);
}
memcpy(VaPdt, (void*
)(Table.PdpteAddress->flags.page_frame_number << 12
), PAGE_SIZE
);
memcpy(VaPdpt, (void*
)(Table.Pml4Address[pml4e_index] & ~0xFFF
), PAGE_SIZE
);
auto new_pte = (decltype(PAGE_TABLE
::PteAddress
))VaPt;
new_pte[pte_index].flags.page_frame_number = fn_va_to_pa(Va4kb
) >> 12;
auto new_pde = (decltype(PAGE_TABLE
::PdeAddress
))VaPdt;
new_pde[pde_index].value = Table.OriginalPde;
new_pde[pde_index].flags.large_page = 0;
new_pde[pde_index].flags.page_frame_number = fn_va_to_pa(VaPt
) >> 12;
auto new_pdpte = (decltype(PAGE_TABLE
::PdpteAddress
))VaPdpt;
new_pdpte[pdpte_index].flags.page_frame_number = fn_va_to_pa(VaPdt
) >> 12;
auto new_pml4 = (UINT
64*
)fn_pa_to_va(cr3_val & ~0xFFF
);
new_pml4[pml4e_index] = (new_pml4[pml4e_index] & 0xFFF
) | (fn_va_to_pa(VaPdpt
) & ~0xFFF
);
__invlpg(replace_align_addr
);
LOG_INFO("Page table isolation complete
: New PFN=0x%llx", fn_va_to_pa(Va4kb
) >> 12
);
return true;
}
bool PteHookManager
::fn_isolation_pages(HANDLE process_id, void* ori_addr
) {
PEPROCESS Process;
if (!NT_SUCCESS(PsLookupProcessByProcessId(process_id, &Process
))) {
LOG_
ERROR("PsLookupProcessByProcessId failed"
);
return false;
}
LOG_INFO("Isolating pages
: PID=%d, Address=0x%p", HandleToUlong(process_id
), ori_addr
);
KAPC_STATE ApcState;
KeStackAttachProcess(Process, &ApcState
);
void* AlignAddr = PAGE_ALIGN(ori_addr
);
PAGE_TABLE Table = { 0 };
Table.LineAddress = (UINT
64)AlignAddr;
UINT
64 target_cr3 = *(UINT
64*
)((UCHAR*
)Process + 0x28
);
if (!NT_SUCCESS(get_page_table(target_cr3, Table
))) {
KeUnstackDetachProcess(&ApcState
);
ObDereferenceObject(Process
);
LOG_
ERROR("get_page_table failed"
);
return false;
}
bool success = false;
decltype(PAGE_TABLE
::PdeAddress
) split_pde = nullptr;
if (Table.IsLargePage
) {
split_pde = (decltype(PAGE_TABLE
::PdeAddress
))ExAllocatePoolWithTag(NonPagedPool, sizeof(*split_pde
), 'pdeS'
);
if (!split_pde || !fn_split_large_pages(Table.PdeAddress, split_pde
)) {
if (split_pde
) ExFreePoolWithTag(split_pde, 'pdeS'
);
KeUnstackDetachProcess(&ApcState
);
ObDereferenceObject(Process
);
LOG_
ERROR("Splitting large page failed"
);
return false;
}
if (Table.PdeAddress->flags.global
) {
Table.PdeAddress->flags.global = 0;
fn_add_g_bit_info(AlignAddr, Table.PdeAddress, nullptr
);
LOG_INFO("Cleared G-bit for large page PDE
: 0x%llx", Table.PdeAddress->value
);
}
}
else if (Table.PteAddress && Table.PteAddress->flags.global
) {
Table.PteAddress->flags.global = 0;
fn_add_g_bit_info(AlignAddr, nullptr, Table.PteAddress
);
LOG_INFO("Cleared G-bit for PTE
: 0x%llx", Table.PteAddress->value
);
}
success = fn_isolation_pagetable(__readcr3(
), AlignAddr, split_pde
);
if (split_pde
) ExFreePoolWithTag(split_pde, 'pdeS'
);
KeUnstackDetachProcess(&ApcState
);
ObDereferenceObject(Process
);
if (success
) {
LOG_INFO("Page isolation successful"
);
}
else {
LOG_
ERROR("Page isolation failed"
);
}
return success;
}
bool PteHookManager
::WriteTrampolineInstruction(void* trampoline, const JMP_ABS& jmpCmd
) {
// 确保8字节对齐
if (reinterpret_cast<ULONG_PTR>(trampoline
) & 0x7
) {
LOG_
ERROR("Trampoline address not aligned
: 0x%p", trampoline
);
return false;
}
// 禁用写保护
KIRQL oldIrql = DisableWriteProtection(
);
// 直接写入内存
RtlCopyMemory(trampoline, &jmpCmd, sizeof(JMP_ABS
));
// 刷新缓存
__invlpg(trampoline
);
_mm_mfence(
);
// 恢复写保护
EnableWriteProtection(oldIrql
);
LOG_TRACE("Trampoline instruction written at 0x%p", trampoline
);
return true;
}
void PteHookManager
::fn_add_g_bit_info(void* align_addr, void* pde_address, void* pte_address
) {
if (m_GbitCount >= MAX_G_BIT_RECORDS
) {
LOG_
ERROR("Max G-bit records reached"
);
return;
}
PG_BIT_INFO record = &m_GbitRecords[m_GbitCount++];
record->AlignAddress = align_addr;
record->PdeAddress = (decltype(G_BIT_INFO
::PdeAddress
))pde_address;
record->PteAddress = (decltype(G_BIT_INFO
::PteAddress
))pte_address;
record->IsLargePage = (pde_address != nullptr
);
LOG_TRACE("Added G-bit record
: Address=0x%p, PDE=0x%p, PTE=0x%p",
align_addr, pde_address, pte_address
);
}
bool PteHookManager
::fn_resume_global_bits(void* align_addr
) {
KIRQL oldIrql = DisableWriteProtection(
);
bool found = false;
LOG_INFO("Restoring G-bits for address
: 0x%p", align_addr
);
for (UINT32 i = 0; i < m_GbitCount; i++
) {
PG_BIT_INFO record = &m_GbitRecords[i];
if (align_addr && record->AlignAddress != align_addr
) continue;
if (record->PteAddress
) {
record->PteAddress->flags.global = 1;
__invlpg(record->AlignAddress
);
LOG_TRACE("Restored G-bit for PTE
: 0x%p", record->AlignAddress
);
}
if (record->PdeAddress
) {
record->PdeAddress->flags.global = 1;
if (record->IsLargePage
) {
__invlpg(record->AlignAddress
);
}
LOG_TRACE("Restored G-bit for PDE
: 0x%p", record->AlignAddress
);
}
found = true;
if (align_addr
) break;
}
EnableWriteProtection(oldIrql
);
if (found
) {
LOG_INFO("G-bits restoration complete"
);
}
else {
LOG_
ERROR("No matching G-bit record found"
);
}
return found;
}
bool PteHookManager
::fn_pte_inline_hook_bp_pg(HANDLE process_id, _Inout_ void** ori_addr, void* hk_addr
) {
if (!ori_addr || !hk_addr || !*ori_addr
) {
LOG_
ERROR("Invalid parameters
: ori_addr=%p, hk_addr=%p", ori_addr, hk_addr
);
return false;
}
// 分配跳板池(如果尚未分配)
if (!m_TrampLinePool
) {
PHYSICAL_ADDRESS LowAddr;
LowAddr.QuadPart = 0x100000;
PHYSICAL_ADDRESS HighAddr;
HighAddr.QuadPart = ~0ull;
m_TrampLinePool = (char*
)MmAllocateContiguousMemorySpecifyCache(
PAGE_SIZE * 8, LowAddr, HighAddr, LowAddr, MmNonCached
);
if (!m_TrampLinePool
) {
LOG_
ERROR("Failed to allocate trampoline pool"
);
return false;
}
// 设置跳板池可执行
if (!SetPageExecution(m_TrampLinePool, true
)) {
MmFreeContiguousMemory(m_TrampLinePool
);
m_TrampLinePool = nullptr;
LOG_
ERROR("Failed to set trampoline pool executable"
);
return false;
}
LOG_INFO("Trampoline pool allocated
: Address=0x%p, Size=%d bytes",
m_TrampLinePool, PAGE_SIZE * 8
);
}
// 计算跳板位置(16字节对齐确保RIP相对寻址)
void* trampoline = (void*
)((ULONG_PTR
)(m_TrampLinePool + m_PoolUsed + 15
) & ~15
);
SIZE_T requiredSize = ((char*
)trampoline - m_TrampLinePool
) + sizeof(JMP_ABS
);
// 检查跳板池空间
if (requiredSize > PAGE_SIZE * 8
) {
LOG_
ERROR("Trampoline pool out of space
: Used=%d, Required=%d", m_PoolUsed, requiredSize
);
return false;
}
// 构造跳转指令
JMP_ABS jmpCmd;
memcpy(jmpCmd.opcode, "\xFF\x25\x00\x00\x00\x00", 6
); // jmp [rip+0]
jmpCmd.address = reinterpret_cast<ULONG
64>(hk_addr
);
LOG_INFO("Constructing jump instruction
: Target=0x%p, Trampoline=0x%p", hk_addr, trampoline
);
// 写入跳板指令
if (!WriteTrampolineInstruction(trampoline, jmpCmd
)) {
return false;
}
// 设置目标函数不可执行(触发页错误)
if (!SetPageExecution(*ori_addr, false
)) {
LOG_
ERROR("Failed to set target function non-executable"
);
return false;
}
// 记录Hook信息
bool hookRecorded = false;
for (UINT32 i = 0; i < MAX_HOOK_COUNT; i++
) {
if (!m_HookInfo[i].IsHooked
) {
m_HookInfo[i].OriginalAddress = *ori_addr;
m_HookInfo[i].HookAddress = trampoline;
m_HookInfo[i].ProcessId = process_id;
m_HookInfo极i].IsHooked = TRUE;
m_HookInfo[i].HookLength = sizeof(JMP_ABS
);
RtlCopyMemory(m_HookInfo[i].HookBytes, &jmpCmd, sizeof(jmpCmd
));
// 保存原始PTE值
PAGE_TABLE table = { 0 };
table.LineAddress = (UINT
64)*ori_addr;
if (NT_SUCCESS(get_page_table(__readcr3(
), table
))) {
m_HookInfo[i].OriginalPteValue = table.OriginalPte;
}
m_HookCount++;
hookRecorded = true;
LOG_INFO("Hook recorded #%d
: Original=0x%p, Trampoline=0x%p", i, *ori_addr, trampoline
);
break;
}
}
if (!hookRecorded
) {
LOG_
ERROR("Exceeded max hook count (%d
)", MAX_HOOK_COUNT
);
return false;
}
// 更新原始地址为跳板地址
*ori_addr = trampoline;
m_PoolUsed = (UINT32
)requiredSize;
LOG_INFO("Hook installed successfully
: Trampoline=0x%p -> Hook=0x%p", trampoline, hk_addr
);
return true;
}
bool PteHookManager
::fn_remove_hook(HANDLE process_id, void* hook_addr
) {
LOG_INFO("Removing hook
: HookAddr=0x%p", hook_addr
);
for (UINT32 i = 0; i < m_HookCount; i++
) {
if (m_HookInfo[i].HookAddress == hook_addr && m_HookInfo[i].IsHooked
) {
LOG_INFO("Found matching hook
: OriginalAddr=0x%p", m_HookInfo[i].OriginalAddress
);
// 恢复目标函数执行权限
SetPageExecution(m_HookInfo[i].OriginalAddress, true
);
// 恢复原始PTE值
if (m_HookInfo[i].OriginalPteValue
) {
PAGE_TABLE table = { 0 };
table.LineAddress = (UINT
64)m_HookInfo[i].OriginalAddress;
if (NT_SUCCESS(get_page_table(__readcr3(
), table
))) {
KIRQL oldIrql = KeRaiseIrqlToDpcLevel(
);
table.PteAddress->value = m_HookInfo[i].OriginalPteValue;
__invlpg(m_HookInfo[i].OriginalAddress
);
KeLowerIrql(oldIrql
);
LOG_TRACE("Restored PTE for 0x%p
: 0x%llX",
m_HookInfo[i].OriginalAddress, m_HookInfo[i].OriginalPteValue
);
}
}
m_HookInfo[i].IsHooked = FALSE;
LOG_INFO("Hook removed successfully"
);
return true;
}
}
LOG_
ERROR("No matching hook found"
);
return false;
}
PteHookManager
::~PteHookManager(
) {
if (m_TrampLinePool
) {
MmFreeContiguousMemory(m_TrampLinePool
);
m_TrampLinePool = nullptr;
LOG_INFO("Trampoline pool freed"
);
}
}
PteHookManager* PteHookManager
::GetInstance(
) {
if (!m_Instance
) {
m_Instance = static_cast<PteHookManager*>(
ExAllocatePoolWithTag(NonPagedPool, sizeof(PteHookManager
), 'tpHk'
));
if (m_Instance
) {
RtlZeroMemory(m_Instance, sizeof(PteHookManager
));
LOG_INFO("PTE Hook Manager instance created
: 0x%p", m_Instance
);
}
else {
LOG_
ERROR("Failed to create PTE Hook Manager instance"
);
}
}
return m_Instance;
}
// 全局PTE Hook管理器实例
PteHookManager* g_PteHookManager = nullptr;
// 目标进程名称
const char target_process_name[] = "oxygen.exe";
// 辅助函数:检查是否为目标进程
BOOLEAN IsTargetProcess(CHAR* imageName
) {
CHAR currentName[16];
RtlZeroMemory(currentName, sizeof(currentName
));
strncpy(currentName, imageName, sizeof(currentName
) - 1
);
return (_stricmp(currentName, target_process_name
) == 0
);
}
// 函数类型定义
typedef NTSTATUS(*fn_ObReferenceObjectByHandleWithTag
)(
HANDLE Handle,
ACCESS_MASK DesiredAccess,
POBJECT_TYPE ObjectType,
KPROCESSOR_MODE AccessMode,
ULONG Tag,
PVOID* Object,
POBJECT_HANDLE_INFORMATION HandleInformation
);
fn_ObReferenceObjectByHandleWithTag g_OriginalObReferenceObjectByHandleWithTag = nullptr;
// Hook 函数
NTSTATUS MyObReferenceObjectByHandleWithTag(
HANDLE Handle,
ACCESS_MASK DesiredAccess,
POBJECT_TYPE ObjectType,
KPROCESSOR_MODE AccessMode,
ULONG Tag,
PVOID* Object,
POBJECT_HANDLE_INFORMATION HandleInformation
) {
PEPROCESS currentProcess = PsGetCurrentProcess(
);
CHAR* imageName = PsGetProcessImageFileName(currentProcess
);
LOG_INFO("Hook function called by process
: %s", imageName
);
if (IsTargetProcess(imageName
)) {
LOG_INFO("Access denied for target process
: %s", imageName
);
return STATUS_ACCESS_DENIED;
}
return g_OriginalObReferenceObjectByHandleWithTag(
Handle,
DesiredAccess,
ObjectType,
AccessMode,
Tag,
Object,
HandleInformation
);
}
NTSTATUS InstallHook(HANDLE targetProcessId
) {
UNICODE_STRING funcName;
RtlInitUnicodeString(&funcName, L"ObReferenceObjectByHandleWithTag"
);
g_OriginalObReferenceObjectByHandleWithTag =
(fn_ObReferenceObjectByHandleWithTag
)MmGetSystemRoutineAddress(&funcName
);
if (!g_OriginalObReferenceObjectByHandleWithTag
) {
LOG_
ERROR("ObReferenceObjectByHandleWithTag not found"
);
return STATUS_NOT_FOUND;
}
LOG_INFO("Target function found
: 0x%p", g_OriginalObReferenceObjectByHandleWithTag
);
void* targetFunc = (void*
)g_OriginalObReferenceObjectByHandleWithTag;
void* hookFunc = (void*
)MyObReferenceObjectByHandleWithTag;
if (!g_PteHookManager->fn_pte_inline_hook_bp_pg(targetProcessId, &targetFunc, hookFunc
)) {
LOG_
ERROR("PTE Hook installation failed"
);
return STATUS_UNSUCCESSFUL;
}
g_OriginalObReferenceObjectByHandleWithTag = (fn_ObReferenceObjectByHandleWithTag
)targetFunc;
LOG_INFO("Hook installed successfully. Trampoline
: 0x%p", targetFunc
);
return STATUS_SUCCESS;
}
// 移除 Hook
VOID RemoveHook(
) {
if (g_OriginalObReferenceObjectByHandleWithTag && g_PteHookManager
) {
g_PteHookManager->fn_remove_hook(PsGetCurrentProcessId(
),
(void*
)MyObReferenceObjectByHandleWithTag
);
}
}
// 工作线程上下文
typedef struct _HOOK_THREAD_CONTEXT {
HANDLE TargetProcessId;
} HOOK_THREAD_CONTEXT, * PHOOK_THREAD_CONTEXT;
// 工作线程函数
VOID InstallHookWorker(
PVOID Context
) {
PHOOK_THREAD_CONTEXT ctx = (PHOOK_THREAD_CONTEXT
)Context;
if (ctx
) {
LOG_INFO("Installing hook for PID
: %d", HandleToUlong(ctx->TargetProcessId
));
InstallHook(ctx->TargetProcessId
);
ExFreePoolWithTag(ctx, 'CtxH'
);
}
PsTerminateSystemThread(STATUS_SUCCESS
);
}
// 进程创建回调 - 修正后的签名
VOID ProcessNotifyCallback(
_In_ PEPROCESS Process,
_In_ HANDLE ProcessId,
_In_opt_ PPS_CREATE_NOTIFY_INFO CreateInfo
) {
if (CreateInfo != NULL
) { // 进程创建
CHAR* imageName = PsGetProcessImageFileName(Process
);
if (IsTargetProcess(imageName
)) {
LOG_INFO("Target process created
: %s (PID
: %d
)",
imageName, HandleToUlong(ProcessId
));
// 创建工作线程上下文
PHOOK_THREAD_CONTEXT ctx =
(PHOOK_THREAD_CONTEXT
)ExAllocatePoolWithTag(NonPagedPool, sizeof(HOOK_THREAD_CONTEXT
), 'CtxH'
);
if (ctx
) {
ctx->TargetProcessId = ProcessId;
HANDLE threadHandle;
NTSTATUS status = PsCreateSystemThread(
&threadHandle,
THREAD_ALL_ACCESS,
NULL,
NULL,
NULL,
InstallHookWorker,
ctx
);
if (NT_SUCCESS(status
)) {
ZwClose(threadHandle
);
LOG_INFO("Worker thread created for hook installation"
);
}
else {
ExFreePoolWithTag(ctx, 'CtxH'
);
LOG_
ERROR("Failed to create worker thread
: 0x%X", status
);
}
}
else {
LOG_
ERROR("Failed to allocate thread context"
);
}
}
}
}
// 驱动卸载函数
VOID DriverUnload(PDRIVER_OBJECT DriverObject
) {
UNREFERENCED_PARAMETER(DriverObject
);
LOG_INFO("Driver unloading..."
);
// 移除进程通知回调
PsSetCreateProcessNotifyRoutineEx(ProcessNotifyCallback, TRUE
);
// 移除Hook
RemoveHook(
);
// 清理PTE Hook资源
if (g_PteHookManager
) {
LOG_INFO("Cleaning up PTE Hook Manager"
);
// 恢复所有被修改的G位
g_PteHookManager->fn_resume_global_bits(nullptr
);
// 移除所有活动的Hook
HOOK_INFO* hookInfo = g_PteHookManager->GetHookInfo(
);
UINT32 hookCount = g_PteHookManager->GetHookCount(
);
for (UINT32 i = 0; i < hookCount; i++
) {
if (hookInfo[i].IsHooked
) {
g_PteHookManager->fn_remove_hook(PsGetCurrentProcessId(
), hookInfo[i].HookAddress
);
}
}
// 释放管理器实例
ExFreePoolWithTag(g_PteHookManager, 'tpHk'
);
g_PteHookManager = nullptr;
}
LOG_INFO("Driver unloaded successfully"
);
}
extern "C"
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath
) {
UNREFERENCED_PARAMETER(RegistryPath
);
LOG_INFO("Driver loading..."
);
DriverObject->DriverUnload = DriverUnload;
g_PteHookManager = PteHookManager
::GetInstance(
);
if (!g_PteHookManager
) {
LOG_
ERROR("Failed to initialize PteHookManager"
);
return STATUS_INSUFFICIENT_RESOURCES;
}
NTSTATUS status = PsSetCreateProcessNotifyRoutineEx(ProcessNotifyCallback, FALSE
);
if (!NT_SUCCESS(status
)) {
LOG_
ERROR("Failed to register process callback
: 0x%X", status
);
return status;
}
LOG_INFO("Driver loaded successfully"
);
return STATUS_SUCCESS;
}
严重性 代码 说明 项目 文件 行 禁止显示状态 详细信息
错误(活动
) E0020 未定义
标识符 "极" obpcallback C
:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp 51
错误(活动
) E0276 后面有“
::”的名称一定是类名或命名空间名 obpcallback C
:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp 203
错误(活动
) E0020 未定义
标识符 "DPFLTR极IHVDRIVER_ID" obpcallback C
:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp 276
错误(活动
) E0020 未定义
标识符 "DPFLTR极IHVDRIVER_ID" obpcallback C
:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp 349
错误(活动
) E0020 未定义
标识符 "Low极" obpcallback C
:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp 360
错误(活动
) E0020 未定义
标识符 "VaPd极" obpcallback C
:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp 368
错误(活动
) E0020 未定义
标识符 "DPFLTR极IHVDRIVER_ID" obpcallback C
:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp 508
错误(活动
) E0020 未定义
标识符 "DPFLTR极IHVDRIVER_ID" obpcallback C
:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp 524
错误(活动
) E0020 未定义
标识符 "DPFLTR极IHVDRIVER_ID" obpcallback C
:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp 541
错误(活动
) E0020 未定义
标识符 "DPFLTR极IHVDRIVER_ID" obpcallback C
:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp 549
错误(活动
) E0020 未定义
标识符 "m_HookInfo极i" obpcallback C
:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp 636
错误(活动
) E0065 应输入“;” obpcallback C
:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp 636
错误(活动
) E0020 未定义
标识符 "DPFLTR极IHVDRIVER_ID" obpcallback C
:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp 687
错误 C2065 “极”
: 未声明的
标识符 obpcallback C
:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp 51
错误 C2653 “P极HookManager”
: 不是类或命名空间名称 obpcallback C
:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp 203
错误 C2065 “DPFLTR极IHVDRIVER_ID”
: 未声明的
标识符 obpcallback C
:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp 276
错误 C2065 “DPFLTR极IHVDRIVER_ID”
: 未声明的
标识符 obpcallback C
:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp 349
错误 C2065 “Low极”
: 未声明的
标识符 obpcallback C
:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp 360
错误 C3536 “VaPt”
: 初始化之前无法使用 obpcallback C
:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp 3
64
错误 C26
64 “void MmFreeContiguousMemory(
PVOID)”
: 无法将参数 1 从“int”转换为“
PVOID” obpcallback C
:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp 365
错误 C2065 “VaPd极”
: 未声明的
标识符 obpcallback C
:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp 368
错误 C26
64 “void MmFreeContiguousMemory(
PVOID)”
: 无法将参数 1 从“int”转换为“
PVOID” obpcallback C
:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp 377
错误 C26
64 “void *memcpy(void *,const void *,size_t
)”
: 无法将参数 1 从“int”转换为“void *” obpcallback C
:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp 394
错误 C26
64 “void *memcpy(void *,const void *,size_t
)”
: 无法将参数 1 从“int”转换为“void *” obpcallback C
:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp 397
错误 C26
64 “UINT
64 PteHookManager
::fn_va_to_pa(void *
)”
: 无法将参数 1 从“int”转换为“void *” obpcallback C
:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp 409
错误 C2065 “DPFLTR极IHVDRIVER_ID”
: 未声明的
标识符 obpcallback C
:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp 508
错误 C2065 “DPFLTR极IHVDRIVER_ID”
: 未声明的
标识符 obpcallback C
:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp 524
错误 C2065 “DPFLTR极IHVDRIVER_ID”
: 未声明的
标识符 obpcallback C
:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp 541
错误 C2065 “DPFLTR极IHVDRIVER_ID”
: 未声明的
标识符 obpcallback C
:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp 549
错误 C2065 “m_HookInfo极i”
: 未声明的
标识符 obpcallback C
:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp 636
错误 C2143
语法错误: 缺少“;”(在“]”的
前面) obpcallback C
:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp 636
错误 C2059
语法错误:“]” obpcallback C
:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp 636
错误 C2065 “DPFLTR极IHVDRIVER_ID”
: 未声明的
标识符 obpcallback C
:\Users\17116\source\repos\obpcallback\obpcallback\源.cpp 687
博客提及在stdafx.h中进行定义,但未给出具体定义内容,涉及C++编程相关信息技术知识。
扫一扫
2602
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
