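/*
 * HandleEvent_Hook - hypercall handler that installs an EPT hook.
 *
 * The guest passes the target PID in rbx, the virtual address to hook in rcx
 * and the address to divert execution to in rdx. All three values come from
 * the guest and are untrusted: the PID is only accepted if
 * PsLookupProcessByProcessId resolves it, and the hooked address only if it
 * translates to a non-zero physical address inside that process.
 *
 * On success the new hook item id is written to guest rsi and TRUE is
 * returned; on any failure rsi is set to -1 and FALSE is returned.
 *
 * Fixes over the previous version: every exit path now detaches from the
 * target process (the old error paths left the thread attached after
 * KeStackAttachProcess) and drops the EPROCESS reference taken by
 * PsLookupProcessByProcessId (it was never released). The "%LLX" format
 * specifier and the "%d" used for a 64-bit PID are corrected to "%llX".
 */
BOOLEAN HandleEvent_Hook(IN OUT PGUEST_REGS pRegs)
{
    NTSTATUS status;
    PEPROCESS proc = NULL;          /* referenced by PsLookupProcessByProcessId; released at Cleanup */
    EPTHOOKITEM item = {0};
    KAPC_STATE state;
    PHYSICAL_ADDRESS pa;
    ULONG64 uPID, uHookedAddr, uJmpAddr;
    int uItemID = -1;               /* written to guest rsi; -1 means failure */
    BOOLEAN attached = FALSE;       /* TRUE while stack-attached to the target process */
    BOOLEAN ok = FALSE;

    uPID = pRegs->rbx;
    uHookedAddr = pRegs->rcx;
    uJmpAddr = pRegs->rdx;

    DbgPrint("PID = %llX HookedAddr = %llX JmpAddr = %llX\n", uPID, uHookedAddr, uJmpAddr);

    if (uHookedAddr == 0 || uJmpAddr == 0) {
        goto Cleanup;
    }

    status = PsLookupProcessByProcessId((HANDLE)uPID, &proc);
    if (!NT_SUCCESS(status)) {
        proc = NULL;                /* do not dereference on a failed lookup */
        DbgPrint("ERROR PsLookupProcessByProcessId PID = %llX status = %X\n", uPID, status);
        goto Cleanup;
    }

    DbgPrint("HOOK PID = %llX HookedAddr = %llX JmpAddr = %llX\n", uPID, uHookedAddr, uJmpAddr);

    /* Module-level PID shared with the rest of the hook code; kept where the
     * original set it (before the hook is known to succeed) for compatibility. */
    CurFuckPID = (HANDLE)uPID;

    /* Must switch into the target process here so that the virtual address is
     * translated in that process's address space and the real physical
     * address is obtained. */
    KeStackAttachProcess(proc, &state);
    attached = TRUE;

    pa = MmGetPhysicalAddress((PVOID)uHookedAddr);
    /* A zero physical address means the page is not resident/valid in the
     * target process (seen when a process asks for the physical address of
     * one of its own virtual addresses that is not mapped). */
    if (!pa.QuadPart) {
        DbgPrint("ERROR uHookedAddr, PhysicalAddress = %llX\n", pa.QuadPart);
        goto Cleanup;
    }

    item.pPte = EptGetPteAddressByPA(pa);
    if (!item.pPte) {
        DbgPrint("ERROR pPTE\n");
        goto Cleanup;
    }

    /* NOTE(review): uJmpAddr is only checked against zero, as in the original;
     * whether the EPT hook path tolerates an unmapped jump target is not
     * verified here. */
    item.pHookedVA = (PVOID)uHookedAddr;
    item.pJmpVA = (PVOID)uJmpAddr;
    item.PID = CurFuckPID;

    uItemID = AddEPTHookItem(&item);
    if (uItemID == -1) {
        DbgPrint("ERROR uItemID == -1\n");
        goto Cleanup;
    }

    /* Detach before logging so the image name is read from our own context,
     * matching the original ordering. */
    KeUnstackDetachProcess(&state);
    attached = FALSE;

    KdPrint(("EPTHook %s[%llX] 0x%llX --> 0x%llX\n", PsGetProcessImageFileName(proc), uPID, uHookedAddr, uJmpAddr));
    ok = TRUE;

Cleanup:
    if (attached) {
        KeUnstackDetachProcess(&state);
    }
    if (proc != NULL) {
        ObDereferenceObject(proc);
    }
    pRegs->rsi = uItemID;           /* -1 unless a hook item was installed */
    return ok;
}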