脱钩demo

最新推荐文章于 2024-06-02 00:31:06 发布

冲不动了啊啊啊

最新推荐文章于 2024-06-02 00:31:06 发布

阅读量405

点赞数

文章标签：开发语言安全 c++ 网络安全

本文链接：https://blog.csdn.net/qq_37561898/article/details/131388469

版权

#include <ntddk.h>

extern "C" PVOID
NTAPI
VirtualAlloc(
    PVOID lpAddress,
    SIZE_T dwSize,
    DWORD flAllocationType,
    DWORD flProtect
);

typedef PVOID(NTAPI* VirtualAllocPtr)(
    PVOID,
    SIZE_T,
    DWORD,
    DWORD
);

VirtualAllocPtr OriginalVirtualAlloc;

PVOID HookedVirtualAlloc(
    PVOID lpAddress,
    SIZE_T dwSize,
    DWORD flAllocationType,
    DWORD flProtect
) {
    // 在此处处理VirtualAlloc的调用，然后将控制权交还给原始函数
    return OriginalVirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect);
}

extern "C" NTSTATUS
DriverEntry(
    _In_ PDRIVER_OBJECT DriverObject,
    _In_ PUNICODE_STRING RegistryPath
) {
    UNREFERENCED_PARAMETER(RegistryPath);

    // 获取VirtualAlloc函数的地址
    PVOID virtualAllocAddress = MmGetSystemRoutineAddress(&C_UNICODE_STRING("VirtualAlloc"));

  
    OriginalVirtualAlloc = (VirtualAllocPtr)virtualAllocAddress;

    // 脱钩
    InterlockedExchangePointer(&virtualAllocAddress, HookedVirtualAlloc);

    DriverObject->DriverUnload = UnloadDriver;
    return STATUS_SUCCESS;
}

extern "C" VOID UnloadDriver(
    _In_ PDRIVER_OBJECT DriverObject
) {
    UNREFERENCED_PARAMETER(DriverObject);

    // 恢复原始VirtualAlloc函数
    PVOID virtualAllocAddress = MmGetSystemRoutineAddress(&C_UNICODE_STRING("VirtualAlloc"));
    InterlockedExchangePointer(&virtualAllocAddress, OriginalVirtualAlloc);
}