#include <ntddk.h>
// Prototype of the routine this driver resolves by name in DriverEntry.
// NOTE(review): VirtualAlloc is a user-mode Win32 API (kernel32.dll), not an
// ntoskrnl/HAL export, so a kernel-side lookup by this name is not expected
// to succeed — confirm against the target the demo was written for.
extern "C" PVOID
NTAPI
VirtualAlloc(
PVOID lpAddress,
SIZE_T dwSize,
DWORD flAllocationType,
DWORD flProtect
);
// Function-pointer type with the same signature as the VirtualAlloc prototype
// above; HookedVirtualAlloc calls the resolved original routine through it.
typedef PVOID(NTAPI* VirtualAllocPtr)(
PVOID,
SIZE_T,
DWORD,
DWORD
);
// Address stored by DriverEntry from its MmGetSystemRoutineAddress lookup.
// Static storage, so it is NULL before DriverEntry runs and stays NULL when
// the lookup fails; HookedVirtualAlloc and UnloadDriver read it.
VirtualAllocPtr OriginalVirtualAlloc;
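/**
 * Replacement routine for VirtualAlloc: the point where a call could be
 * inspected before being forwarded, unchanged, to OriginalVirtualAlloc.
 *
 * The parameters follow the VirtualAlloc prototype declared above and are
 * passed through untouched.
 *
 * @return Whatever OriginalVirtualAlloc returns, or NULL when no original
 *         routine was resolved (OriginalVirtualAlloc is still NULL), which
 *         is VirtualAlloc's own failure value.
 */
PVOID HookedVirtualAlloc(
PVOID lpAddress,
SIZE_T dwSize,
DWORD flAllocationType,
DWORD flProtect
) {
    // Handle the VirtualAlloc call here, then hand control back to the
    // original routine.

    // Guard: DriverEntry stores the raw lookup result, and a failed lookup
    // leaves OriginalVirtualAlloc NULL; calling through it would fault.
    if (OriginalVirtualAlloc == NULL) {
        return NULL;
    }
    return OriginalVirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect);
}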
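// Forward declaration: DriverEntry assigns UnloadDriver before its definition
// further down the file, which C++ rejects without a prior prototype.
extern "C" VOID UnloadDriver(_In_ PDRIVER_OBJECT DriverObject);

/**
 * Driver entry point: resolves the routine named "VirtualAlloc", records it
 * in OriginalVirtualAlloc and registers UnloadDriver.
 *
 * @param DriverObject  Driver object supplied by the I/O manager; its
 *                      DriverUnload member is set here.
 * @param RegistryPath  Unused.
 * @return STATUS_SUCCESS, or STATUS_NOT_FOUND when the routine could not be
 *         resolved (so OriginalVirtualAlloc is never left NULL on success).
 */
extern "C" NTSTATUS
DriverEntry(
_In_ PDRIVER_OBJECT DriverObject,
_In_ PUNICODE_STRING RegistryPath
) {
    UNREFERENCED_PARAMETER(RegistryPath);

    // MmGetSystemRoutineAddress takes a counted UNICODE_STRING, so build one
    // from a wide literal instead of passing a narrow literal through a macro.
    UNICODE_STRING routineName;
    RtlInitUnicodeString(&routineName, L"VirtualAlloc");
    PVOID virtualAllocAddress = MmGetSystemRoutineAddress(&routineName);
    // NOTE(review): VirtualAlloc is a user-mode Win32 API (kernel32.dll), not
    // an ntoskrnl/HAL export; expect this lookup to return NULL — confirm.
    if (virtualAllocAddress == NULL) {
        return STATUS_NOT_FOUND;
    }
    OriginalVirtualAlloc = (VirtualAllocPtr)virtualAllocAddress;

    // Install step. NOTE(review): this exchange rewrites only the local
    // variable virtualAllocAddress; nothing outside this function observes
    // the swap, so HookedVirtualAlloc is never actually reached by callers.
    InterlockedExchangePointer(&virtualAllocAddress, (PVOID)HookedVirtualAlloc);

    DriverObject->DriverUnload = UnloadDriver;
    return STATUS_SUCCESS;
}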
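/**
 * Unload callback registered by DriverEntry. Mirrors the install step there:
 * re-resolves "VirtualAlloc" and exchanges OriginalVirtualAlloc back in.
 *
 * @param DriverObject  Unused.
 */
extern "C" VOID UnloadDriver(
_In_ PDRIVER_OBJECT DriverObject
) {
    UNREFERENCED_PARAMETER(DriverObject);

    // Restore the original VirtualAlloc routine.
    UNICODE_STRING routineName;
    RtlInitUnicodeString(&routineName, L"VirtualAlloc");
    PVOID virtualAllocAddress = MmGetSystemRoutineAddress(&routineName);
    if (virtualAllocAddress == NULL || OriginalVirtualAlloc == NULL) {
        // Nothing was resolved or recorded, so there is nothing to put back.
        return;
    }
    // NOTE(review): like the install step in DriverEntry, this exchange
    // rewrites only the local variable; it restores nothing outside this
    // function.
    InterlockedExchangePointer(&virtualAllocAddress, (PVOID)OriginalVirtualAlloc);
}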
脱钩demo