├── .gitattributes ├── .gitignore ├── LICENSE.txt ├── PageTableHook.sln ├── PageTableHook ├── IA32 │ ├── ia32.h │ ├── ia32.hpp │ ├── ia32_compact.h │ └── ia32_defines_only.h ├── Main.cpp ├── PageHook.cpp ├── PageHook.h ├── PageTableHook.inf ├── PageTableHook.vcxproj ├── PageTableHook.vcxproj.filters ├── STL.cpp └── hde │ ├── LICENSE │ ├── hde.h │ ├── hde32.cpp │ ├── hde32.h │ ├── hde64.cpp │ ├── hde64.h │ ├── hde_stdint.h │ ├── table32.h │ └── table64.h ├── QQ截图20221204191827.png └── README.md /.gitattributes: -------------------------------------------------------------------------------- 1 | ############################################################################### 2 | # Set default behavior to automatically normalize line endings. 3 | ############################################################################### 4 | * text=auto 5 | 6 | ############################################################################### 7 | # Set default behavior for command prompt diff. 8 | # 9 | # This is need for earlier builds of msysgit that does not have it on by 10 | # default for csharp files. 11 | # Note: This is only used by command line 12 | ############################################################################### 13 | #*.cs diff=csharp 14 | 15 | ############################################################################### 16 | # Set the merge driver for project and solution files 17 | # 18 | # Merging from the command prompt will add diff markers to the files if there 19 | # are conflicts (Merging from VS is not affected by the settings below, in VS 20 | # the diff markers are never inserted). Diff markers may cause the following 21 | # file extensions to fail to load in VS. An alternative would be to treat 22 | # these files as binary and thus will always conflict and require user 23 | # intervention with every merge. 
To do so, just uncomment the entries below 24 | ############################################################################### 25 | #*.sln merge=binary 26 | #*.csproj merge=binary 27 | #*.vbproj merge=binary 28 | #*.vcxproj merge=binary 29 | #*.vcproj merge=binary 30 | #*.dbproj merge=binary 31 | #*.fsproj merge=binary 32 | #*.lsproj merge=binary 33 | #*.wixproj merge=binary 34 | #*.modelproj merge=binary 35 | #*.sqlproj merge=binary 36 | #*.wwaproj merge=binary 37 | 38 | ############################################################################### 39 | # behavior for image files 40 | # 41 | # image files are treated as binary by default. 42 | ############################################################################### 43 | #*.jpg binary 44 | #*.png binary 45 | #*.gif binary 46 | 47 | ############################################################################### 48 | # diff behavior for common document formats 49 | # 50 | # Convert binary document formats to text before diffing them. This feature 51 | # is only available from the command line. Turn it on by uncommenting the 52 | # entries below. 53 | ############################################################################### 54 | #*.doc diff=astextplain 55 | #*.DOC diff=astextplain 56 | #*.docx diff=astextplain 57 | #*.DOCX diff=astextplain 58 | #*.dot diff=astextplain 59 | #*.DOT diff=astextplain 60 | #*.pdf diff=astextplain 61 | #*.PDF diff=astextplain 62 | #*.rtf diff=astextplain 63 | #*.RTF diff=astextplain 64 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 
3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 5 | 6 | # User-specific files 7 | *.rsuser 8 | *.suo 9 | *.user 10 | *.userosscache 11 | *.sln.docstates 12 | 13 | # User-specific files (MonoDevelop/Xamarin Studio) 14 | *.userprefs 15 | 16 | # Mono auto generated files 17 | mono_crash.* 18 | 19 | # Build results 20 | [Dd]ebug/ 21 | [Dd]ebugPublic/ 22 | [Rr]elease/ 23 | [Rr]eleases/ 24 | x64/ 25 | x86/ 26 | [Ww][Ii][Nn]32/ 27 | [Aa][Rr][Mm]/ 28 | [Aa][Rr][Mm]64/ 29 | bld/ 30 | [Bb]in/ 31 | [Oo]bj/ 32 | [Oo]ut/ 33 | [Ll]og/ 34 | [Ll]ogs/ 35 | 36 | # Visual Studio 2015/2017 cache/options directory 37 | .vs/ 38 | # Uncomment if you have tasks that create the project's static files in wwwroot 39 | #wwwroot/ 40 | 41 | # Visual Studio 2017 auto generated files 42 | Generated\ Files/ 43 | 44 | # MSTest test Results 45 | [Tt]est[Rr]esult*/ 46 | [Bb]uild[Ll]og.* 47 | 48 | # NUnit 49 | *.VisualState.xml 50 | TestResult.xml 51 | nunit-*.xml 52 | 53 | # Build Results of an ATL Project 54 | [Dd]ebugPS/ 55 | [Rr]eleasePS/ 56 | dlldata.c 57 | 58 | # Benchmark Results 59 | BenchmarkDotNet.Artifacts/ 60 | 61 | # .NET Core 62 | project.lock.json 63 | project.fragment.lock.json 64 | artifacts/ 65 | 66 | # ASP.NET Scaffolding 67 | ScaffoldingReadMe.txt 68 | 69 | # StyleCop 70 | StyleCopReport.xml 71 | 72 | # Files built by Visual Studio 73 | *_i.c 74 | *_p.c 75 | *_h.h 76 | *.ilk 77 | *.meta 78 | *.obj 79 | *.iobj 80 | *.pch 81 | *.pdb 82 | *.ipdb 83 | *.pgc 84 | *.pgd 85 | *.rsp 86 | *.sbr 87 | *.tlb 88 | *.tli 89 | *.tlh 90 | *.tmp 91 | *.tmp_proj 92 | *_wpftmp.csproj 93 | *.log 94 | *.vspscc 95 | *.vssscc 96 | .builds 97 | *.pidb 98 | *.svclog 99 | *.scc 100 | 101 | # Chutzpah Test files 102 | _Chutzpah* 103 | 104 | # Visual C++ cache files 105 | ipch/ 106 | *.aps 107 | *.ncb 108 | *.opendb 109 | *.opensdf 110 | *.sdf 111 | *.cachefile 112 | *.VC.db 113 | *.VC.VC.opendb 114 | 115 | # Visual Studio profiler 116 | *.psess 117 | *.vsp 
118 | *.vspx 119 | *.sap 120 | 121 | # Visual Studio Trace Files 122 | *.e2e 123 | 124 | # TFS 2012 Local Workspace 125 | $tf/ 126 | 127 | # Guidance Automation Toolkit 128 | *.gpState 129 | 130 | # ReSharper is a .NET coding add-in 131 | _ReSharper*/ 132 | *.[Rr]e[Ss]harper 133 | *.DotSettings.user 134 | 135 | # TeamCity is a build add-in 136 | _TeamCity* 137 | 138 | # DotCover is a Code Coverage Tool 139 | *.dotCover 140 | 141 | # AxoCover is a Code Coverage Tool 142 | .axoCover/* 143 | !.axoCover/settings.json 144 | 145 | # Coverlet is a free, cross platform Code Coverage Tool 146 | coverage*.json 147 | coverage*.xml 148 | coverage*.info 149 | 150 | # Visual Studio code coverage results 151 | *.coverage 152 | *.coveragexml 153 | 154 | # NCrunch 155 | _NCrunch_* 156 | .*crunch*.local.xml 157 | nCrunchTemp_* 158 | 159 | # MightyMoose 160 | *.mm.* 161 | AutoTest.Net/ 162 | 163 | # Web workbench (sass) 164 | .sass-cache/ 165 | 166 | # Installshield output folder 167 | [Ee]xpress/ 168 | 169 | # DocProject is a documentation generator add-in 170 | DocProject/buildhelp/ 171 | DocProject/Help/*.HxT 172 | DocProject/Help/*.HxC 173 | DocProject/Help/*.hhc 174 | DocProject/Help/*.hhk 175 | DocProject/Help/*.hhp 176 | DocProject/Help/Html2 177 | DocProject/Help/html 178 | 179 | # Click-Once directory 180 | publish/ 181 | 182 | # Publish Web Output 183 | *.[Pp]ublish.xml 184 | *.azurePubxml 185 | # Note: Comment the next line if you want to checkin your web deploy settings, 186 | # but database connection strings (with potential passwords) will be unencrypted 187 | *.pubxml 188 | *.publishproj 189 | 190 | # Microsoft Azure Web App publish settings. 
Comment the next line if you want to 191 | # checkin your Azure Web App publish settings, but sensitive information contained 192 | # in these scripts will be unencrypted 193 | PublishScripts/ 194 | 195 | # NuGet Packages 196 | *.nupkg 197 | # NuGet Symbol Packages 198 | *.snupkg 199 | # The packages folder can be ignored because of Package Restore 200 | **/[Pp]ackages/* 201 | # except build/, which is used as an MSBuild target. 202 | !**/[Pp]ackages/build/ 203 | # Uncomment if necessary however generally it will be regenerated when needed 204 | #!**/[Pp]ackages/repositories.config 205 | # NuGet v3's project.json files produces more ignorable files 206 | *.nuget.props 207 | *.nuget.targets 208 | 209 | # Microsoft Azure Build Output 210 | csx/ 211 | *.build.csdef 212 | 213 | # Microsoft Azure Emulator 214 | ecf/ 215 | rcf/ 216 | 217 | # Windows Store app package directories and files 218 | AppPackages/ 219 | BundleArtifacts/ 220 | Package.StoreAssociation.xml 221 | _pkginfo.txt 222 | *.appx 223 | *.appxbundle 224 | *.appxupload 225 | 226 | # Visual Studio cache files 227 | # files ending in .cache can be ignored 228 | *.[Cc]ache 229 | # but keep track of directories ending in .cache 230 | !?*.[Cc]ache/ 231 | 232 | # Others 233 | ClientBin/ 234 | ~$* 235 | *~ 236 | *.dbmdl 237 | *.dbproj.schemaview 238 | *.jfm 239 | *.pfx 240 | *.publishsettings 241 | orleans.codegen.cs 242 | 243 | # Including strong name files can present a security risk 244 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 245 | #*.snk 246 | 247 | # Since there are multiple workflows, uncomment next line to ignore bower_components 248 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 249 | #bower_components/ 250 | 251 | # RIA/Silverlight projects 252 | Generated_Code/ 253 | 254 | # Backup & report files from converting an old project file 255 | # to a newer Visual Studio version. 
Backup files are not needed, 256 | # because we have git ;-) 257 | _UpgradeReport_Files/ 258 | Backup*/ 259 | UpgradeLog*.XML 260 | UpgradeLog*.htm 261 | ServiceFabricBackup/ 262 | *.rptproj.bak 263 | 264 | # SQL Server files 265 | *.mdf 266 | *.ldf 267 | *.ndf 268 | 269 | # Business Intelligence projects 270 | *.rdl.data 271 | *.bim.layout 272 | *.bim_*.settings 273 | *.rptproj.rsuser 274 | *- [Bb]ackup.rdl 275 | *- [Bb]ackup ([0-9]).rdl 276 | *- [Bb]ackup ([0-9][0-9]).rdl 277 | 278 | # Microsoft Fakes 279 | FakesAssemblies/ 280 | 281 | # GhostDoc plugin setting file 282 | *.GhostDoc.xml 283 | 284 | # Node.js Tools for Visual Studio 285 | .ntvs_analysis.dat 286 | node_modules/ 287 | 288 | # Visual Studio 6 build log 289 | *.plg 290 | 291 | # Visual Studio 6 workspace options file 292 | *.opt 293 | 294 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 295 | *.vbw 296 | 297 | # Visual Studio LightSwitch build output 298 | **/*.HTMLClient/GeneratedArtifacts 299 | **/*.DesktopClient/GeneratedArtifacts 300 | **/*.DesktopClient/ModelManifest.xml 301 | **/*.Server/GeneratedArtifacts 302 | **/*.Server/ModelManifest.xml 303 | _Pvt_Extensions 304 | 305 | # Paket dependency manager 306 | .paket/paket.exe 307 | paket-files/ 308 | 309 | # FAKE - F# Make 310 | .fake/ 311 | 312 | # CodeRush personal settings 313 | .cr/personal 314 | 315 | # Python Tools for Visual Studio (PTVS) 316 | __pycache__/ 317 | *.pyc 318 | 319 | # Cake - Uncomment if you are using it 320 | # tools/** 321 | # !tools/packages.config 322 | 323 | # Tabs Studio 324 | *.tss 325 | 326 | # Telerik's JustMock configuration file 327 | *.jmconfig 328 | 329 | # BizTalk build output 330 | *.btp.cs 331 | *.btm.cs 332 | *.odx.cs 333 | *.xsd.cs 334 | 335 | # OpenCover UI analysis results 336 | OpenCover/ 337 | 338 | # Azure Stream Analytics local run output 339 | ASALocalRun/ 340 | 341 | # MSBuild Binary and Structured Log 342 | *.binlog 343 | 344 | # NVidia Nsight GPU debugger 
configuration file 345 | *.nvuser 346 | 347 | # MFractors (Xamarin productivity tool) working folder 348 | .mfractor/ 349 | 350 | # Local History for Visual Studio 351 | .localhistory/ 352 | 353 | # BeatPulse healthcheck temp database 354 | healthchecksdb 355 | 356 | # Backup folder for Package Reference Convert tool in Visual Studio 2017 357 | MigrationBackup/ 358 | 359 | # Ionide (cross platform F# VS Code tools) working folder 360 | .ionide/ 361 | 362 | # Fody - auto-generated XML schema 363 | FodyWeavers.xsd -------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) [year] [fullname] 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /PageTableHook.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 17 4 | VisualStudioVersion = 17.4.33110.190 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "PageTableHook", "PageTableHook\PageTableHook.vcxproj", "{A7994EA4-5CFC-4527-847E-98C00AD926D9}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|ARM64 = Debug|ARM64 11 | Debug|x64 = Debug|x64 12 | Release|ARM64 = Release|ARM64 13 | Release|x64 = Release|x64 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {A7994EA4-5CFC-4527-847E-98C00AD926D9}.Debug|ARM64.ActiveCfg = Debug|ARM64 17 | {A7994EA4-5CFC-4527-847E-98C00AD926D9}.Debug|ARM64.Build.0 = Debug|ARM64 18 | {A7994EA4-5CFC-4527-847E-98C00AD926D9}.Debug|ARM64.Deploy.0 = Debug|ARM64 19 | {A7994EA4-5CFC-4527-847E-98C00AD926D9}.Debug|x64.ActiveCfg = Debug|x64 20 | {A7994EA4-5CFC-4527-847E-98C00AD926D9}.Debug|x64.Build.0 = Debug|x64 21 | {A7994EA4-5CFC-4527-847E-98C00AD926D9}.Debug|x64.Deploy.0 = Debug|x64 22 | {A7994EA4-5CFC-4527-847E-98C00AD926D9}.Release|ARM64.ActiveCfg = Release|ARM64 23 | {A7994EA4-5CFC-4527-847E-98C00AD926D9}.Release|ARM64.Build.0 = Release|ARM64 24 | {A7994EA4-5CFC-4527-847E-98C00AD926D9}.Release|ARM64.Deploy.0 = Release|ARM64 25 | {A7994EA4-5CFC-4527-847E-98C00AD926D9}.Release|x64.ActiveCfg = Release|x64 26 | {A7994EA4-5CFC-4527-847E-98C00AD926D9}.Release|x64.Build.0 = Release|x64 27 | {A7994EA4-5CFC-4527-847E-98C00AD926D9}.Release|x64.Deploy.0 = Release|x64 28 | EndGlobalSection 29 | GlobalSection(SolutionProperties) = preSolution 30 | HideSolutionNode = FALSE 31 | EndGlobalSection 32 | GlobalSection(ExtensibilityGlobals) = postSolution 33 | SolutionGuid = 
{4FCA4C44-4FF9-427C-8F43-3EF3E61C0070} 34 | EndGlobalSection 35 | EndGlobal 36 | -------------------------------------------------------------------------------- /PageTableHook/Main.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include "PageHook.h" 5 | 6 | NTSTATUS(*NtCreateFileOrig)( 7 | PHANDLE FileHandle, 8 | ACCESS_MASK DesiredAccess, 9 | POBJECT_ATTRIBUTES ObjectAttributes, 10 | PIO_STATUS_BLOCK IoStatusBlock, 11 | PLARGE_INTEGER AllocationSize, 12 | ULONG FileAttributes, 13 | ULONG ShareAccess, 14 | ULONG CreateDisposition, 15 | ULONG CreateOptions, 16 | PVOID EaBuffer, 17 | ULONG EaLength 18 | ); 19 | 20 | NTSTATUS NtCreateFileHook( 21 | PHANDLE FileHandle, 22 | ACCESS_MASK DesiredAccess, 23 | POBJECT_ATTRIBUTES ObjectAttributes, 24 | PIO_STATUS_BLOCK IoStatusBlock, 25 | PLARGE_INTEGER AllocationSize, 26 | ULONG FileAttributes, 27 | ULONG ShareAccess, 28 | ULONG CreateDisposition, 29 | ULONG CreateOptions, 30 | PVOID EaBuffer, 31 | ULONG EaLength 32 | ) 33 | { 34 | static WCHAR BlockedFileName[] = L"test.txt"; 35 | static SIZE_T BlockedFileNameLength = (sizeof(BlockedFileName) / sizeof(BlockedFileName[0])) - 1; 36 | 37 | PWCH NameBuffer; 38 | USHORT NameLength; 39 | 40 | __try 41 | { 42 | 43 | ProbeForRead(ObjectAttributes, sizeof(OBJECT_ATTRIBUTES), 1); 44 | ProbeForRead(ObjectAttributes->ObjectName, sizeof(UNICODE_STRING), 1); 45 | 46 | NameBuffer = ObjectAttributes->ObjectName->Buffer; 47 | NameLength = ObjectAttributes->ObjectName->Length; 48 | 49 | ProbeForRead(NameBuffer, NameLength, 1); 50 | NameLength /= sizeof(WCHAR); 51 | 52 | if (NameLength >= BlockedFileNameLength && 53 | _wcsnicmp(&NameBuffer[NameLength - BlockedFileNameLength], BlockedFileName, BlockedFileNameLength) == 0) 54 | { 55 | DbgPrintEx(77,0,"Blocked access to %ws\n", BlockedFileName); 56 | return STATUS_ACCESS_DENIED; 57 | } 58 | } 59 | __except (EXCEPTION_EXECUTE_HANDLER) 60 | { 61 | NOTHING; 62 | } 
63 | 64 | return NtCreateFileOrig(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize, FileAttributes, 65 | ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength); 66 | } 67 | 68 | 69 | 70 | 71 | int drv_main() 72 | { 73 | HANDLE process_id = reinterpret_cast(404); 74 | PEPROCESS target_process = nullptr; 75 | if (PsLookupProcessByProcessId(process_id, &target_process) == STATUS_SUCCESS) 76 | { 77 | KAPC_STATE apc_state; 78 | KeStackAttachProcess(target_process,&apc_state); 79 | PageHook::add_page_hook(NtCreateFile, NtCreateFileHook, (void**)&NtCreateFileOrig); 80 | KeUnstackDetachProcess(&apc_state); 81 | } 82 | return 0; 83 | } -------------------------------------------------------------------------------- /PageTableHook/PageHook.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include "IA32/ia32.hpp" 6 | #include "hde/hde.h" 7 | 8 | namespace PageHook 9 | { 10 | union virt_helper 11 | { 12 | struct pt_index 13 | { 14 | uint64_t reserved : 12; 15 | uint64_t pte : 9; 16 | uint64_t pde : 9; 17 | uint64_t pdpte : 9; 18 | uint64_t pml4e : 9; 19 | }index; 20 | uint64_t all; 21 | }; 22 | 23 | static const uint8_t jmp_code[] = 24 | { 25 | 0x68, 0x00, 0x00, 0x00, 0x00, //push low 32bit +1 26 | 0xC7, 0x44 ,0x24 ,0x04, 0x00, 0x00, 0x00, 0x00, //mov dword[rsp + 4] +9 27 | 0xC3 //ret 28 | }; 29 | 30 | static uint64_t pte_base = 0; 31 | static uint64_t pde_base = 0; 32 | static uint64_t ppe_base = 0; 33 | static uint64_t pxe_base = 0; 34 | 35 | auto phys_to_virt(std::uint64_t phys) -> void* { 36 | PHYSICAL_ADDRESS phys_addr = { .QuadPart = (int64_t)(phys) }; 37 | return reinterpret_cast(MmGetVirtualForPhysical(phys_addr)); 38 | } 39 | 40 | auto pfn_to_virt(std::uint64_t pfn) -> void* { 41 | return reinterpret_cast(phys_to_virt(pfn << 12)); 42 | } 43 | 44 | auto virt_to_phys(void* virt) -> void* { return (void*)MmGetPhysicalAddress(virt).QuadPart; } 
45 | 46 | auto virt_to_pfn(void* virt) -> std::uint64_t { return reinterpret_cast(virt_to_phys(virt)) >> 12; } 47 | 48 | constexpr auto cr3_pfn(std::uint64_t _cr3) -> std::uint64_t { return ((_cr3 & 0xFFFFFFFFF000) >> 12); } 49 | 50 | constexpr auto page_align(std::uint64_t _virt) -> std::uint64_t { return (_virt & 0xFFFFFFFFFFFFF000); } 51 | 52 | constexpr auto page_offset(std::uint64_t _virt) -> std::uint64_t { return (_virt & 0xFFF); } 53 | 54 | void init_pte_base() 55 | { 56 | cr3 system_cr3 = { .flags = __readcr3() }; 57 | uint64_t dirbase_phys = system_cr3.address_of_page_directory << 12; 58 | pt_entry_64* pt_entry = reinterpret_cast(phys_to_virt(dirbase_phys)); 59 | for (uint64_t idx = 0; idx < PML4E_ENTRY_COUNT_64; idx++) 60 | { 61 | if (pt_entry[idx].page_frame_number == system_cr3.address_of_page_directory) 62 | { 63 | pte_base = (idx + 0x1FFFE00ui64) << 39ui64; 64 | pde_base = (idx << 30ui64) + pte_base; 65 | ppe_base = (idx << 30ui64) + pte_base + (idx << 21ui64); 66 | pxe_base = (idx << 12ui64) + ppe_base; 67 | break; 68 | } 69 | } 70 | DbgPrintEx(77, 0, "PTE_BASE:%p\n", pte_base); 71 | } 72 | 73 | auto get_pml4e(std::uint64_t virt) -> pml4e_64* 74 | { 75 | //PML4E的index*8+PXE基质 76 | auto pml4e_idx = (virt >> 39) & 0x1FF; 77 | return reinterpret_cast((pml4e_idx << 3) + pxe_base); 78 | } 79 | 80 | auto get_pdpte(std::uint64_t virt) -> pdpte_64* 81 | { 82 | //PDPTE的index*8+PPE基质 83 | auto pdpte_idx = (virt >> 30) & 0x3FFFF; 84 | return reinterpret_cast((pdpte_idx << 3) + ppe_base); 85 | } 86 | 87 | auto get_pde(std::uint64_t virt) -> pde_64* 88 | { 89 | //PDE的index*8+PDE基质 90 | auto pde_idx = (virt >> 21) & 0x7FFFFFF; 91 | return reinterpret_cast((pde_idx << 3) + pde_base); 92 | } 93 | 94 | auto get_pte(std::uint64_t virt) -> pte_64* 95 | { 96 | //PTE的index*8+PTE基质 97 | auto pte_idx = (virt >> 12) & 0xFFFFFFFFF; 98 | return reinterpret_cast((pte_idx << 3) + pte_base); 99 | } 100 | 101 | //大页拆分小页 102 | auto split_large_page(pde_64* large_page) -> 
std::tuple 103 | { 104 | if (!large_page->large_page) 105 | return { nullptr,0 }; 106 | pt_entry_64* new_pte = new pt_entry_64[PTE_ENTRY_COUNT_64]; 107 | for (auto idx = 0; idx < PTE_ENTRY_COUNT_64; idx++) 108 | { 109 | new_pte[idx].flags = large_page->flags; 110 | new_pte->large_page = 0; 111 | new_pte->page_frame_number = large_page->page_frame_number + idx; 112 | } 113 | return { new_pte,virt_to_pfn(new_pte) }; 114 | } 115 | 116 | auto split_large_page(pde_64* pde_virt, pt_entry_64* pt_virt) -> void 117 | { 118 | auto start_pfn = pde_virt->page_frame_number; 119 | for (int idx = 0; idx < 512; idx++) 120 | { 121 | pt_virt[idx].flags = pde_virt->flags; 122 | pt_virt[idx].large_page = 0; 123 | pt_virt[idx].page_frame_number = start_pfn + idx; 124 | } 125 | } 126 | 127 | auto create_pagetable() -> std::tuple 128 | { 129 | auto new_page = new pt_entry_64[0x200]; 130 | RtlZeroMemory(new_page, PAGE_SIZE); 131 | auto pfn = virt_to_pfn(new_page); 132 | return { pfn,reinterpret_cast(new_page) }; 133 | } 134 | 135 | auto create_page() -> std::tuple 136 | { 137 | auto new_page = new char[PAGE_SIZE]; 138 | RtlZeroMemory(new_page, PAGE_SIZE); 139 | auto pfn = virt_to_pfn(new_page); 140 | return { pfn,new_page }; 141 | } 142 | 143 | auto copy_page(std::uint64_t _virt) -> std::tuple 144 | { 145 | auto new_page = new char[PAGE_SIZE]; 146 | RtlCopyMemory(new_page, (void*)_virt, PAGE_SIZE); 147 | return { virt_to_pfn(new_page),new_page }; 148 | } 149 | 150 | auto copy_pagetable(pt_entry_64* dst_virt, pt_entry_64* scr_virt) -> void 151 | { 152 | for (size_t idx = 0; idx < 512; idx++) 153 | dst_virt[idx] = scr_virt[idx]; 154 | } 155 | 156 | /// 157 | /// 记得切换到目标进程的地址空间后再进行page hook 158 | /// 159 | /// 160 | /// 161 | /// 162 | /// 163 | auto add_page_hook(void* target_function, void* hook_function, void** original_function) -> void 164 | { 165 | init_pte_base(); 166 | 167 | //获取pxe 168 | auto pml4e = get_pml4e(reinterpret_cast(target_function)); 169 | auto pdpte = 
get_pdpte(reinterpret_cast(target_function)); 170 | auto pde = get_pde(reinterpret_cast(target_function)); 171 | 172 | pt_entry_64* pml4 = nullptr; 173 | pt_entry_64* pdpt = nullptr; 174 | pt_entry_64* pd = nullptr; 175 | pt_entry_64* pt = nullptr; 176 | 177 | pml4 = (pt_entry_64*)pfn_to_virt(cr3_pfn(__readcr3())); 178 | pdpt = (pt_entry_64*)pfn_to_virt(pml4e->page_frame_number); 179 | pd = (pt_entry_64*)pfn_to_virt(pdpte->page_frame_number); 180 | if (pde->present && !pde->large_page) 181 | pt = (pt_entry_64*)pfn_to_virt(pde->page_frame_number); 182 | 183 | //从pml4e开始构造页表 184 | auto [new_pdpt_pfn, new_pdpt_virt] = create_pagetable(); 185 | copy_pagetable(new_pdpt_virt, pdpt); 186 | 187 | auto [new_pd_pfn, new_pd_virt] = create_pagetable(); 188 | copy_pagetable(new_pd_virt, pd); 189 | 190 | auto [new_pt_pfn, new_pt_virt] = create_pagetable(); 191 | pde->large_page ? split_large_page(pde, new_pt_virt) : copy_pagetable(new_pt_virt, pt); 192 | 193 | auto [hook_page_pfn, hook_page_virt] = copy_page(page_align(reinterpret_cast(target_function))); 194 | 195 | //定位足够长的代码来写jmp code 196 | size_t code_len = 0; 197 | hde64s hde64_code; 198 | while (code_len < 14) { 199 | HdeDisassemble(((uint8_t*)target_function + code_len), &hde64_code); 200 | code_len += hde64_code.len; 201 | } 202 | 203 | //生成trampline函数 204 | auto trampline = new unsigned char[0x100]; 205 | ULARGE_INTEGER jmp_to_back = { .QuadPart = (uint64_t)(target_function)+code_len }; 206 | RtlCopyMemory(trampline, target_function, code_len); 207 | RtlCopyMemory(&trampline[code_len], jmp_code, sizeof(jmp_code)); 208 | RtlCopyMemory(&trampline[code_len + 1], &jmp_to_back.LowPart, sizeof(uint32_t)); 209 | RtlCopyMemory(&trampline[code_len + 9], &jmp_to_back.HighPart, sizeof(uint32_t)); 210 | 211 | //在新的页面上hook 212 | uint64_t page_offset = (uint64_t)(target_function) & 0xFFF; 213 | uint8_t* hook_page = reinterpret_cast(hook_page_virt); 214 | ULARGE_INTEGER jmp_to_detour = { .QuadPart = (uint64_t)(hook_function) }; 215 | 
RtlCopyMemory(&hook_page[page_offset], jmp_code, sizeof(jmp_code)); 216 | RtlCopyMemory(&hook_page[page_offset + 1], &jmp_to_detour.LowPart, sizeof(uint32_t)); 217 | RtlCopyMemory(&hook_page[page_offset + 9], &jmp_to_detour.HighPart, sizeof(uint32_t)); 218 | 219 | 220 | virt_helper helper = { .all = reinterpret_cast(target_function) }; 221 | 222 | //将新的页面链接起来 223 | new_pdpt_virt[helper.index.pdpte].page_frame_number = new_pd_pfn; 224 | new_pd_virt[helper.index.pde].page_frame_number = new_pt_pfn; 225 | new_pd_virt[helper.index.pde].large_page = 0; 226 | new_pt_virt[helper.index.pte].page_frame_number = hook_page_pfn; 227 | 228 | //最后一步,修改pml4e 229 | pml4e->page_frame_number = new_pdpt_pfn; 230 | 231 | __invlpg(pml4e); 232 | 233 | *original_function = trampline; 234 | } 235 | } 236 | -------------------------------------------------------------------------------- /PageTableHook/PageHook.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | namespace PageHook 3 | { 4 | auto add_page_hook(void* target_function, void* hook_function, void** original_function) -> void; 5 | } -------------------------------------------------------------------------------- /PageTableHook/PageTableHook.inf: -------------------------------------------------------------------------------- 1 | ; 2 | ; PageTableHook.inf 3 | ; 4 | 5 | [Version] 6 | Signature="$WINDOWS NT$" 7 | Class=System ; TODO: specify appropriate Class 8 | ClassGuid={4d36e97d-e325-11ce-bfc1-08002be10318} ; TODO: specify appropriate ClassGuid 9 | Provider=%ManufacturerName% 10 | CatalogFile=PageTableHook.cat 11 | DriverVer= ; TODO: set DriverVer in stampinf property pages 12 | PnpLockdown=1 13 | 14 | [DestinationDirs] 15 | DefaultDestDir = 12 16 | PageTableHook_Device_CoInstaller_CopyFiles = 11 17 | 18 | [SourceDisksNames] 19 | 1 = %DiskName%,,,"" 20 | 21 | [SourceDisksFiles] 22 | PageTableHook.sys = 1,, 23 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number 
matches with SourceDisksNames 24 | 25 | ;***************************************** 26 | ; Install Section 27 | ;***************************************** 28 | 29 | [Manufacturer] 30 | %ManufacturerName%=Standard,NT$ARCH$ 31 | 32 | [Standard.NT$ARCH$] 33 | %PageTableHook.DeviceDesc%=PageTableHook_Device, Root\PageTableHook ; TODO: edit hw-id 34 | 35 | [PageTableHook_Device.NT] 36 | CopyFiles=Drivers_Dir 37 | 38 | [Drivers_Dir] 39 | PageTableHook.sys 40 | 41 | ;-------------- Service installation 42 | [PageTableHook_Device.NT.Services] 43 | AddService = PageTableHook,%SPSVCINST_ASSOCSERVICE%, PageTableHook_Service_Inst 44 | 45 | ; -------------- PageTableHook driver install sections 46 | [PageTableHook_Service_Inst] 47 | DisplayName = %PageTableHook.SVCDESC% 48 | ServiceType = 1 ; SERVICE_KERNEL_DRIVER 49 | StartType = 3 ; SERVICE_DEMAND_START 50 | ErrorControl = 1 ; SERVICE_ERROR_NORMAL 51 | ServiceBinary = %12%\PageTableHook.sys 52 | 53 | ; 54 | ;--- PageTableHook_Device Coinstaller installation ------ 55 | ; 56 | 57 | [PageTableHook_Device.NT.CoInstallers] 58 | AddReg=PageTableHook_Device_CoInstaller_AddReg 59 | CopyFiles=PageTableHook_Device_CoInstaller_CopyFiles 60 | 61 | [PageTableHook_Device_CoInstaller_AddReg] 62 | HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller" 63 | 64 | [PageTableHook_Device_CoInstaller_CopyFiles] 65 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll 66 | 67 | [PageTableHook_Device.NT.Wdf] 68 | KmdfService = PageTableHook, PageTableHook_wdfsect 69 | [PageTableHook_wdfsect] 70 | KmdfLibraryVersion = $KMDFVERSION$ 71 | 72 | [Strings] 73 | SPSVCINST_ASSOCSERVICE= 0x00000002 74 | ManufacturerName="" ;TODO: Replace with your manufacturer name 75 | DiskName = "PageTableHook Installation Disk" 76 | PageTableHook.DeviceDesc = "PageTableHook Device" 77 | PageTableHook.SVCDESC = "PageTableHook Service" 78 | -------------------------------------------------------------------------------- 
/PageTableHook/PageTableHook.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | x64 7 | 8 | 9 | Release 10 | x64 11 | 12 | 13 | Debug 14 | ARM64 15 | 16 | 17 | Release 18 | ARM64 19 | 20 | 21 | 22 | {A7994EA4-5CFC-4527-847E-98C00AD926D9} 23 | {1bc93793-694f-48fe-9372-81e2b05556fd} 24 | v4.5 25 | 12.0 26 | Debug 27 | x64 28 | PageTableHook 29 | $(LatestTargetPlatformVersion) 30 | 31 | 32 | 33 | Windows10 34 | true 35 | WindowsKernelModeDriver10.0 36 | Driver 37 | KMDF 38 | Universal 39 | false 40 | 41 | 42 | Windows10 43 | false 44 | WindowsKernelModeDriver10.0 45 | Driver 46 | KMDF 47 | Universal 48 | false 49 | 50 | 51 | Windows10 52 | true 53 | WindowsKernelModeDriver10.0 54 | Driver 55 | KMDF 56 | Universal 57 | 58 | 59 | Windows10 60 | false 61 | WindowsKernelModeDriver10.0 62 | Driver 63 | KMDF 64 | Universal 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | DbgengKernelDebugger 76 | $(VC_IncludePath);$(IncludePath);$(KMDF_INC_PATH)$(KMDF_VER_PATH) 77 | false 78 | 79 | 80 | DbgengKernelDebugger 81 | $(VC_IncludePath);$(IncludePath);$(KMDF_INC_PATH)$(KMDF_VER_PATH) 82 | false 83 | 84 | 85 | DbgengKernelDebugger 86 | 87 | 88 | DbgengKernelDebugger 89 | 90 | 91 | 92 | sha256 93 | 94 | 95 | stdcpp20 96 | false 97 | 98 | 99 | drv_main 100 | 101 | 102 | false 103 | 104 | 105 | 106 | 107 | sha256 108 | 109 | 110 | stdcpp20 111 | false 112 | 113 | 114 | drv_main 115 | 116 | 117 | false 118 | 119 | 120 | 121 | 122 | sha256 123 | 124 | 125 | 126 | 127 | sha256 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | -------------------------------------------------------------------------------- /PageTableHook/PageTableHook.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | 
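cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
{93995380-89BD-4b04-88EB-625FBE52EBFB}
h;hpp;hxx;hm;inl;inc;xsd
{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
{8E41214B-6785-4CFE-B992-037D68949A14}
inf;inv;inx;mof;mc;
{cd3eb3db-34ab-48e9-8029-3590f49d306a}
{c8389574-5369-4792-bf29-a0f138eed0b6}
{3fa166f9-4da6-4772-97a1-9ae13ecdc758}
Source Files
Source Files
Source Files
Source Files\Hde
Source Files\Hde
Header Files\IA32
Header Files\IA32
Header Files\Hde
Header Files\Hde
Header Files\Hde
Header Files\Hde
Header Files\Hde
Header Files\Hde
Header Files
--------------------------------------------------------------------------------
/PageTableHook/STL.cpp:
--------------------------------------------------------------------------------
#include
#include
#include
#include
// NOTE(review): the four include targets above were lost when this listing was
// extracted. The file needs the WDK kernel headers (KeBugCheck, the Ex*Pool*
// routines and the bugcheck codes used below) plus the VC runtime / STL headers
// that declare the hooks it implements (_invoke_watson, std::_Xbad_alloc, ...).
#pragma warning(disable: 4595)
#pragma warning(disable: 4996)
#pragma warning(disable: 4100)

// Pool tag stamped on every allocation made through operator new below.
// Tagged allocations can be attributed to this driver in PoolMon / !poolused
// (the tag is stored reversed, so it displays as "PtHk") instead of being
// charged to the anonymous tag that untagged ExAllocatePool calls end up under.
static constexpr ULONG STL_POOL_TAG = 'kHtP';

// Terminates the system with the given bugcheck code.
//
// Every runtime failure path in this file (bad_alloc, invalid argument, STL
// range/length errors, the CRT invalid-parameter handlers) funnels into this
// call, so nothing is ever unwound or caught: an STL error that is reachable
// from untrusted input is a guaranteed denial of service, not an exception.
[[noreturn]] DECLSPEC_NORETURN void raise_exception(unsigned long const exception_code) noexcept(false)
{
#pragma warning(disable : __WARNING_USE_OTHER_FUNCTION)
    KeBugCheck(exception_code);
#pragma warning(default : __WARNING_USE_OTHER_FUNCTION)
}

// CRT invalid-parameter handler, variant without diagnostic information.
_NODISCARD void __CRTDECL _invalid_parameter_noinfo_noreturn()
{
    raise_exception(KMODE_EXCEPTION_NOT_HANDLED);
}

// CRT invalid-parameter handler with diagnostic information. The expression,
// function and file strings are discarded; they would only be recoverable from
// a crash dump anyway.
_NODISCARD _ACRTIMP void __CRTDECL _invoke_watson(
    _In_opt_z_ wchar_t const* const expression,
    _In_opt_z_ wchar_t const* const function_name, _In_opt_z_ wchar_t const* const file_name,
    _In_ unsigned int const line_number, _In_ uintptr_t const reserved
)
{
    raise_exception(KMODE_EXCEPTION_NOT_HANDLED);
}

// Shared body of both operator new forms.
//
// Returns a non-null pointer to at least `size` bytes of tagged NonPagedPool
// (non-paged so the storage stays valid at any IRQL). A zero-byte request is
// rounded up to one byte so that distinct allocations stay distinct. The pool
// block is NOT zeroed: initialise it before it is copied anywhere, or stale
// kernel data can be disclosed.
//
// Allocation failure is fatal (MUST_SUCCEED_POOL_EMPTY). There is no exception
// support in this build and the STL relies on `new` never returning nullptr,
// so failing loudly here is the only alternative to a later null dereference.
static void* allocate_nonpaged(size_t size)
{
    size_t const bytes = (size != 0) ? size : 1;
    void* const block = ExAllocatePoolWithTag(NonPagedPool, bytes, STL_POOL_TAG);
    if (block == nullptr)
    {
        raise_exception(MUST_SUCCEED_POOL_EMPTY);
    }
    return block;
}

// Scalar allocation; see allocate_nonpaged for the contract.
_NODISCARD _Ret_notnull_ _Post_writable_byte_size_(_Size) _VCRT_ALLOCATOR void* __CRTDECL operator new(size_t _Size)
{
    return allocate_nonpaged(_Size);
}

// Array allocation; see allocate_nonpaged for the contract.
_NODISCARD _Ret_notnull_ _Post_writable_byte_size_(_Size) _VCRT_ALLOCATOR void* __CRTDECL operator new[](size_t _Size)
{
    return allocate_nonpaged(_Size);
}

// Shared body of every operator delete form. Null is a no-op, as the standard
// requires. The tag is passed so that Driver Verifier can catch a pointer that
// did not come from the operators above; anything freed here must have been
// allocated through this file's operator new.
static void free_nonpaged(void* block) noexcept
{
    if (block != nullptr)
    {
        ExFreePoolWithTag(block, STL_POOL_TAG);
    }
}

void __CRTDECL operator delete(void* _Block) noexcept
{
    free_nonpaged(_Block);
}

// Sized scalar deallocation; the size is unused because the pool allocator
// tracks block sizes itself.
void __CRTDECL operator delete(void* _Block, size_t _Size) noexcept
{
    free_nonpaged(_Block);
}

// Unsized array deallocation. The original shim only provided the sized form,
// which leaves `delete[]` on a pointer to an incomplete type (or any build
// without sized deallocation) with no implementation to link against.
void __CRTDECL operator delete[](void* _Block) noexcept
{
    free_nonpaged(_Block);
}

// Sized array deallocation; the size is unused, see above.
void __CRTDECL operator delete[](void* _Block, size_t _Size) noexcept
{
    free_nonpaged(_Block);
}

namespace std
{
    // STL error hooks. In user mode these throw; here each one is a bugcheck,
    // so e.g. vector::at() with a bad index or a string that grows past
    // max_size() crashes the machine. Validate sizes and indices coming from
    // untrusted input before they reach a container.

    [[noreturn]] DECLSPEC_NORETURN void __CLRCALL_PURE_OR_CDECL _Xbad_alloc()
    {
        raise_exception(KMODE_EXCEPTION_NOT_HANDLED);
    }

    [[noreturn]] DECLSPEC_NORETURN void __CLRCALL_PURE_OR_CDECL _Xinvalid_argument(_In_z_ char const*)
    {
        raise_exception(KMODE_EXCEPTION_NOT_HANDLED);
    }

    [[noreturn]] DECLSPEC_NORETURN void __CLRCALL_PURE_OR_CDECL _Xlength_error(_In_z_ char const*)
    {
        raise_exception(KMODE_EXCEPTION_NOT_HANDLED);
    }

    [[noreturn]] DECLSPEC_NORETURN void __CLRCALL_PURE_OR_CDECL _Xout_of_range(_In_z_ char const*)
    {
        raise_exception(KMODE_EXCEPTION_NOT_HANDLED);
    }

    [[noreturn]] DECLSPEC_NORETURN void __CLRCALL_PURE_OR_CDECL _Xoverflow_error(_In_z_ char const*)
    {
        raise_exception(KMODE_EXCEPTION_NOT_HANDLED);
    }

    [[noreturn]] DECLSPEC_NORETURN void __CLRCALL_PURE_OR_CDECL _Xruntime_error(_In_z_ char const*)
    {
        raise_exception(KMODE_EXCEPTION_NOT_HANDLED);
    }

    [[noreturn]] DECLSPEC_NORETURN void __CLRCALL_PURE_OR_CDECL _Xbad_function_call()
    {
        raise_exception(KMODE_EXCEPTION_NOT_HANDLED);
    }

    // Referenced by the STL's exception machinery; never installed here.
    void(__CRTDECL* _Raise_handler)(std::exception const&);
}

using _PVFV = void(__CRTDECL*)(void); // PVFV = Pointer to Void Func(Void)
using _PIFV = int(__CRTDECL*)(void);  // PIFV = Pointer to Int Func(Void)

extern "C"
{
    // Tells the MSVC floating-point support that this image uses floats.
    int _fltused = 0;

    // Kernel replacement for the CRT's ceilf.
    //
    // Correct for values whose magnitude fits in an int (outside that range
    // the conversion is undefined, exactly as with a plain static_cast). The
    // previous shim returned trunc(_X + 1), which was off by one for every
    // integral input (2.0f -> 3.0f) and wrong for negative fractions
    // (-1.5f -> 0.0f instead of -1.0f).
    float _ceilf(float _X)
    {
        int const truncated = static_cast<int>(_X);
        return static_cast<float>(truncated < _X ? truncated + 1 : truncated);
    }

    // Static-initialiser bookkeeping is a no-op: there is no CRT startup here.
    int __CRTDECL __init_on_exit_array()
    {
        return 0;
    }

    // atexit registrations are dropped, so destructors of objects with static
    // storage duration never run. Any global that owns pool memory or an
    // installed hook must be torn down explicitly from the unload path.
    int __CRTDECL atexit(_PVFV)
    {
        return 0;
    }
}


#define _CRTALLOC(x) __declspec(allocate(x))

// Bracketing entries for the CRT initializer/terminator tables. The linker
// sorts ".CRT$X??" contributions alphabetically, so each _a/_z pair delimits
// the function-pointer array the compiler emits between them for static
// initialisers (XI: C, XC: C++) and terminators (XP, XT). Only the markers
// live here; walking them presumably happens in the driver entry code
// elsewhere in the project.
#pragma section(".CRT$XIA", long, read)
_CRTALLOC(".CRT$XIA") _PIFV __xi_a[] = { 0 };
#pragma section(".CRT$XIZ", long, read)
_CRTALLOC(".CRT$XIZ") _PIFV __xi_z[] = { 0 };

// C++ initializers:
#pragma section(".CRT$XCA", long, read)
_CRTALLOC(".CRT$XCA") _PVFV __xc_a[] = { 0 };
#pragma section(".CRT$XCZ", long, read)
_CRTALLOC(".CRT$XCZ") _PVFV __xc_z[] = { 0 };

// C pre-terminators:
#pragma section(".CRT$XPA", long, read)
_CRTALLOC(".CRT$XPA") _PVFV __xp_a[] = { 0 };
#pragma section(".CRT$XPZ", long, read)
_CRTALLOC(".CRT$XPZ") _PVFV __xp_z[] = { 0 };

// C terminators:
#pragma section(".CRT$XTA", long, read)
_CRTALLOC(".CRT$XTA") _PVFV __xt_a[] = { 0 };
#pragma section(".CRT$XTZ", long, read)
_CRTALLOC(".CRT$XTZ") _PVFV __xt_z[] = { 0 };


#pragma data_seg()

// Fold .CRT into .rdata so the initializer function-pointer tables end up in a
// read-only section rather than writable data.
#pragma comment(linker, "/merge:.CRT=.rdata")

#pragma warning(default: 4996)
#pragma warning(default: 4100)
#pragma warning(default: 4595)
--------------------------------------------------------------------------------
/PageTableHook/hde/LICENSE:
--------------------------------------------------------------------------------
The source code contained in this directory is Copyright (c) 2008-2009,
Vyacheslav Patkov. It has been modified for integration with the parent
project.

===============================================================================

License agreement

Hacker Disassembler Engine 32 C
Copyright (c) 2008-2009, Vyacheslav Patkov.
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:

  1. Redistributions of source code must retain the above copyright
     notice, this list of conditions and the following disclaimer.
  2. Redistributions in binary form must reproduce the above copyright
     notice, this list of conditions and the following disclaimer in the
     documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED.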
IN NO EVENT SHALL THE REGENTS OR 27 | CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 28 | EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 29 | PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 | PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 | LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 | NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 | 35 | =============================================================================== 36 | 37 | License agreement 38 | 39 | Hacker Disassembler Engine 64 C 40 | Copyright (c) 2008-2009, Vyacheslav Patkov. 41 | All rights reserved. 42 | 43 | Redistribution and use in source and binary forms, with or without 44 | modification, are permitted provided that the following conditions 45 | are met: 46 | 47 | 1. Redistributions of source code must retain the above copyright 48 | notice, this list of conditions and the following disclaimer. 49 | 2. Redistributions in binary form must reproduce the above copyright 50 | notice, this list of conditions and the following disclaimer in the 51 | documentation and/or other materials provided with the distribution. 52 | 53 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 54 | "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 55 | TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A 56 | PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--------------------------------------------------------------------------------
/PageTableHook/hde/hde.h:
--------------------------------------------------------------------------------
#pragma once

//
// Upper bound on the number of bytes the disassembler may read from the code
// buffer while decoding a single instruction.
//
// hde32_disasm / hde64_disasm take no buffer length. They read the prefix
// bytes, opcode, ModRM, SIB, displacement and immediate fields speculatively,
// before the final length check, and they do not stop early on a decode error.
// A caller that disassembles near the end of a mapped region (for example the
// tail of a page it is about to hook) must guarantee that this many bytes past
// the start address are readable, otherwise the decoder's own reads fault.
//
// NOTE This number was taken from the 'Hacker Disassembler Engine 64 C 0.04
// FINAL' manual and has not been verified against the decoder. A hand trace of
// hde64_disasm (15 prefix bytes, REX, opcode, ModRM, SIB, disp32, imm32)
// suggests the true worst case can exceed it by a byte or two, so treat the
// value as a lower bound and size the readable window generously.
//
#define HDE_BUFFER_READ_SIZE_MAX 26

// Select the decoder matching the build's pointer width. HDE_DISASSEMBLY is
// the per-instruction result struct and HdeDisassemble the decode entry point.
#if defined(_WIN64)
#include "hde64.h"

typedef hde64s HDE_DISASSEMBLY;

#define HdeDisassemble hde64_disasm
#else
#include "hde32.h"

typedef hde32s HDE_DISASSEMBLY;

#define HdeDisassemble hde32_disasm
#endif
--------------------------------------------------------------------------------
/PageTableHook/hde/hde32.cpp:
--------------------------------------------------------------------------------
/*
 * Hacker Disassembler Engine 32 C
 * Copyright (c) 2008-2009, Vyacheslav Patkov.
 * All rights reserved.
 *
 */

#include "hde32.h"

#include // NOTE(review): header name lost in extraction; this is where __stosb comes from

#include "table32.h"

#pragma warning(push)
#pragma warning(disable:4701)

/*
 * Decodes one x86-32 instruction starting at `code`, fills in `hs` and returns
 * the instruction length in bytes.
 *
 * Contract that matters when the result is used to relocate or patch code:
 *
 *  - No buffer length is taken. Prefixes, opcode, ModRM, SIB, displacement and
 *    immediate bytes are all read ahead before the final length check, so the
 *    caller must guarantee that HDE_BUFFER_READ_SIZE_MAX bytes past `code` are
 *    readable (the reads are not bounded by the returned length).
 *  - Malformed input does not stop the decode. F_ERROR is set together with
 *    one of F_ERROR_OPCODE / F_ERROR_LOCK / F_ERROR_OPERAND / F_ERROR_LENGTH
 *    and a length is still returned (clamped to 15). Check hs->flags & F_ERROR
 *    before trusting hs->len or copying that many bytes.
 *  - F_RELATIVE marks rel8/rel32 operands (the displacement is in hs->imm).
 *    Such an instruction changes meaning if it is copied to another address.
 */
unsigned int hde32_disasm(const void *code, hde32s *hs)
{
    uint8_t x, c, *p = (uint8_t *)code, cflags, opcode, pref = 0;
    uint8_t *ht = hde32_table, m_mod, m_reg, m_rm, disp_size = 0;

    __stosb((unsigned char*)hs, 0, sizeof(hde32s));

    /*
     * Consume legacy prefixes. The first non-prefix byte is left in `c` and
     * becomes the opcode. At most 16 bytes are read here; if every one of
     * them is a prefix the 16th prefix is what gets decoded as the opcode.
     */
    for (x = 16; x; x--)
        switch (c = *p++) {
        case 0xf3:
            hs->p_rep = c;
            pref |= PRE_F3;
            break;
        case 0xf2:
            hs->p_rep = c;
            pref |= PRE_F2;
            break;
        case 0xf0:
            hs->p_lock = c;
            pref |= PRE_LOCK;
            break;
        case 0x26: case 0x2e: case 0x36:
        case 0x3e: case 0x64: case 0x65:
            hs->p_seg = c;
            pref |= PRE_SEG;
            break;
        case 0x66:
            hs->p_66 = c;
            pref |= PRE_66;
            break;
        case 0x67:
            hs->p_67 = c;
            pref |= PRE_67;
            break;
        default:
            goto pref_done;
        }
pref_done:

    /* PRE_* << 23 lines up with the F_PREFIX_* bits of hs->flags. */
    hs->flags = (uint32_t)pref << 23;

    if (!pref)
        pref |= PRE_NONE;

    if ((hs->opcode = c) == 0x0f) {
        /* Two-byte opcode: switch to the 0x0f table. */
        hs->opcode2 = c = *p++;
        ht += DELTA_OPCODES;
    } else if (c >= 0xa0 && c <= 0xa3) {
        /*
         * MOV moffs forms: the "immediate" is an address, so its width follows
         * the address-size prefix (0x67) rather than the operand-size prefix.
         */
        if (pref & PRE_67)
            pref |= PRE_66;
        else
            pref &= ~PRE_66;
    }

    opcode = c;
    cflags = ht[ht[opcode / 4] + (opcode % 4)];

    if (cflags == C_ERROR) {
        /* Unknown opcode: flag it, but keep going so a length is produced. */
        hs->flags |= F_ERROR | F_ERROR_OPCODE;
        cflags = 0;
        if ((opcode & -3) == 0x24)
            cflags++;
    }

    /*
     * Opcode groups: the real flags live in a 16-bit table entry whose low
     * byte is the flag set and whose high byte is a bitmask (tested against
     * ModRM.reg below) of the /r encodings that are invalid for this opcode.
     */
    x = 0;
    if (cflags & C_GROUP) {
        uint16_t t;
        t = *(uint16_t *)(ht + (cflags & 0x7f));
        cflags = (uint8_t)t;
        x = (uint8_t)(t >> 8);
    }

    /* Two-byte opcodes that are illegal with the prefixes that were seen. */
    if (hs->opcode2) {
        ht = hde32_table + DELTA_PREFIXES;
        if (ht[ht[opcode / 4] + (opcode % 4)] & pref)
            hs->flags |= F_ERROR | F_ERROR_OPCODE;
    }

    if (cflags & C_MODRM) {
        hs->flags |= F_MODRM;
        hs->modrm = c = *p++;
        hs->modrm_mod = m_mod = c >> 6;
        hs->modrm_rm = m_rm = c & 7;
        hs->modrm_reg = m_reg = (c & 0x3f) >> 3;

        /* Invalid /r encoding for a group opcode (mask computed above). */
        if (x && ((x << m_reg) & 0x80))
            hs->flags |= F_ERROR | F_ERROR_OPCODE;

        /* x87 escapes 0xd9..0xdf: validate the reg/rm combination. */
        if (!hs->opcode2 && opcode >= 0xd9 && opcode <= 0xdf) {
            uint8_t t = opcode - 0xd9;
            if (m_mod == 3) {
                ht = hde32_table + DELTA_FPU_MODRM + t*8;
                t = ht[m_reg] << m_rm;
            } else {
                ht = hde32_table + DELTA_FPU_REG;
                t = ht[t] << m_reg;
            }
            if (t & 0x80)
                hs->flags |= F_ERROR | F_ERROR_OPCODE;
        }

        /*
         * LOCK is only legal on a memory operand and only for the opcodes in
         * the *_LOCK_OK tables (entries are opcode byte + /r bitmask pairs).
         */
        if (pref & PRE_LOCK) {
            if (m_mod == 3) {
                hs->flags |= F_ERROR | F_ERROR_LOCK;
            } else {
                uint8_t *table_end, op = opcode;
                if (hs->opcode2) {
                    ht = hde32_table + DELTA_OP2_LOCK_OK;
                    table_end = ht + DELTA_OP_ONLY_MEM - DELTA_OP2_LOCK_OK;
                } else {
                    ht = hde32_table + DELTA_OP_LOCK_OK;
                    table_end = ht + DELTA_OP2_LOCK_OK - DELTA_OP_LOCK_OK;
                    op &= -2;
                }
                for (; ht != table_end; ht++)
                    if (*ht++ == op) {
                        if (!((*ht << m_reg) & 0x80))
                            goto no_lock_error;
                        else
                            break;
                    }
                hs->flags |= F_ERROR | F_ERROR_LOCK;
            no_lock_error:
                ;
            }
        }

        /*
         * Control/debug register moves (0f 20-23) always use register form
         * and only some register numbers exist; segment register moves
         * (8c/8e) likewise only accept /r values 0..5 (and 8e rejects CS).
         */
        if (hs->opcode2) {
            switch (opcode) {
            case 0x20: case 0x22:
                m_mod = 3;
                if (m_reg > 4 || m_reg == 1)
                    goto error_operand;
                else
                    goto no_error_operand;
            case 0x21: case 0x23:
                m_mod = 3;
                if (m_reg == 4 || m_reg == 5)
                    goto error_operand;
                else
                    goto no_error_operand;
            }
        } else {
            switch (opcode) {
            case 0x8c:
                if (m_reg > 5)
                    goto error_operand;
                else
                    goto no_error_operand;
            case 0x8e:
                if (m_reg == 1 || m_reg > 5)
                    goto error_operand;
                else
                    goto no_error_operand;
            }
        }

        /* Register-form ModRM on an opcode that requires a memory operand. */
        if (m_mod == 3) {
            uint8_t *table_end;
            if (hs->opcode2) {
                ht = hde32_table + DELTA_OP2_ONLY_MEM;
                table_end = ht + sizeof(hde32_table) - DELTA_OP2_ONLY_MEM;
            } else {
                ht = hde32_table + DELTA_OP_ONLY_MEM;
                table_end = ht + DELTA_OP2_ONLY_MEM - DELTA_OP_ONLY_MEM;
            }
            for (; ht != table_end; ht += 2)
                if (*ht++ == opcode) {
                    if (*ht++ & pref && !((*ht << m_reg) & 0x80))
                        goto error_operand;
                    else
                        break;
                }
            goto no_error_operand;
        } else if (hs->opcode2) {
            /* Memory-form ModRM on two-byte opcodes that require a register. */
            switch (opcode) {
            case 0x50: case 0xd7: case 0xf7:
                if (pref & (PRE_NONE | PRE_66))
                    goto error_operand;
                break;
            case 0xd6:
                if (pref & (PRE_F2 | PRE_F3))
                    goto error_operand;
                break;
            case 0xc5:
                goto error_operand;
            }
            goto no_error_operand;
        } else
            goto no_error_operand;

    error_operand:
        hs->flags |= F_ERROR | F_ERROR_OPERAND;
    no_error_operand:

        /* Speculatively read the byte after ModRM; it is the SIB if present. */
        c = *p++;
        /* TEST r/m, imm (f6 /0, f7 /0) carries an immediate the table omits. */
        if (m_reg <= 1) {
            if (opcode == 0xf6)
                cflags |= C_IMM8;
            else if (opcode == 0xf7)
                cflags |= C_IMM_P66;
        }

        /* Displacement size from mod/rm, honouring 16-bit addressing (0x67). */
        switch (m_mod) {
        case 0:
            if (pref & PRE_67) {
                if (m_rm == 6)
                    disp_size = 2;
            } else
                if (m_rm == 5)
                    disp_size = 4;
            break;
        case 1:
            disp_size = 1;
            break;
        case 2:
            disp_size = 2;
            if (!(pref & PRE_67))
                disp_size <<= 1;
        }

        /* SIB only exists with 32-bit addressing; base 5 with mod 0 means disp32. */
        if (m_mod != 3 && m_rm == 4 && !(pref & PRE_67)) {
            hs->flags |= F_SIB;
            p++;
            hs->sib = c;
            hs->sib_scale = c >> 6;
            hs->sib_index = (c & 0x3f) >> 3;
            if ((hs->sib_base = c & 7) == 5 && !(m_mod & 1))
                disp_size = 4;
        }

        /* Undo the speculative read above, then consume the displacement. */
        p--;
        switch (disp_size) {
        case 1:
            hs->flags |= F_DISP8;
            hs->disp.disp8 = *p;
            break;
        case 2:
            hs->flags |= F_DISP16;
            hs->disp.disp16 = *(uint16_t *)p;
            break;
        case 4:
            hs->flags |= F_DISP32;
            hs->disp.disp32 = *(uint32_t *)p;
        }
        p += disp_size;
    } else if (pref & PRE_LOCK)
        /* LOCK without a ModRM byte can never address memory. */
        hs->flags |= F_ERROR | F_ERROR_LOCK;

    /* Operand-size-dependent immediate (16 or 32 bits, or rel16/rel32). */
    if (cflags & C_IMM_P66) {
        if (cflags & C_REL32) {
            if (pref & PRE_66) {
                hs->flags |= F_IMM16 | F_RELATIVE;
                hs->imm.imm16 = *(uint16_t *)p;
                p += 2;
                goto disasm_done;
            }
            goto rel32_ok;
        }
        if (pref & PRE_66) {
            hs->flags |= F_IMM16;
            hs->imm.imm16 = *(uint16_t *)p;
            p += 2;
        } else {
            hs->flags |= F_IMM32;
            hs->imm.imm32 = *(uint32_t *)p;
            p += 4;
        }
    }

    /*
     * Fixed 16-bit immediate. When an immediate is already present (far
     * pointer / ENTER style encodings) the second one is stored in hs->disp.
     */
    if (cflags & C_IMM16) {
        if (hs->flags & F_IMM32) {
            hs->flags |= F_IMM16;
            hs->disp.disp16 = *(uint16_t *)p;
        } else if (hs->flags & F_IMM16) {
            hs->flags |= F_2IMM16;
            hs->disp.disp16 = *(uint16_t *)p;
        } else {
            hs->flags |= F_IMM16;
            hs->imm.imm16 = *(uint16_t *)p;
        }
        p += 2;
    }
    if (cflags & C_IMM8) {
        hs->flags |= F_IMM8;
        hs->imm.imm8 = *p++;
    }

    /* Relative branch targets; F_RELATIVE tells relocators to fix these up. */
    if (cflags & C_REL32) {
    rel32_ok:
        hs->flags |= F_IMM32 | F_RELATIVE;
        hs->imm.imm32 = *(uint32_t *)p;
        p += 4;
    } else if (cflags & C_REL8) {
        hs->flags |= F_IMM8 | F_RELATIVE;
        hs->imm.imm8 = *p++;
    }

disasm_done:

    /*
     * 15 is the architectural maximum instruction length. Note that all of
     * the reads above have already happened by the time this clamp applies.
     */
    if ((hs->len = (uint8_t)(p-(uint8_t *)code)) > 15) {
        hs->flags |= F_ERROR | F_ERROR_LENGTH;
        hs->len = 15;
    }

    return (unsigned int)hs->len;
}

#pragma warning(pop) // 4701
--------------------------------------------------------------------------------
/PageTableHook/hde/hde32.h:
--------------------------------------------------------------------------------
/*
 * Hacker Disassembler Engine 32
 * Copyright (c) 2006-2009, Vyacheslav Patkov.
 * All rights reserved.
5 | * 6 | * hde32.h: C/C++ header file 7 | * 8 | */ 9 | 10 | #pragma once 11 | 12 | #include "hde_stdint.h" 13 | 14 | #define F_MODRM 0x00000001 15 | #define F_SIB 0x00000002 16 | #define F_IMM8 0x00000004 17 | #define F_IMM16 0x00000008 18 | #define F_IMM32 0x00000010 19 | #define F_DISP8 0x00000020 20 | #define F_DISP16 0x00000040 21 | #define F_DISP32 0x00000080 22 | #define F_RELATIVE 0x00000100 23 | #define F_2IMM16 0x00000800 24 | #define F_ERROR 0x00001000 25 | #define F_ERROR_OPCODE 0x00002000 26 | #define F_ERROR_LENGTH 0x00004000 27 | #define F_ERROR_LOCK 0x00008000 28 | #define F_ERROR_OPERAND 0x00010000 29 | #define F_PREFIX_REPNZ 0x01000000 30 | #define F_PREFIX_REPX 0x02000000 31 | #define F_PREFIX_REP 0x03000000 32 | #define F_PREFIX_66 0x04000000 33 | #define F_PREFIX_67 0x08000000 34 | #define F_PREFIX_LOCK 0x10000000 35 | #define F_PREFIX_SEG 0x20000000 36 | #define F_PREFIX_ANY 0x3f000000 37 | 38 | #define PREFIX_SEGMENT_CS 0x2e 39 | #define PREFIX_SEGMENT_SS 0x36 40 | #define PREFIX_SEGMENT_DS 0x3e 41 | #define PREFIX_SEGMENT_ES 0x26 42 | #define PREFIX_SEGMENT_FS 0x64 43 | #define PREFIX_SEGMENT_GS 0x65 44 | #define PREFIX_LOCK 0xf0 45 | #define PREFIX_REPNZ 0xf2 46 | #define PREFIX_REPX 0xf3 47 | #define PREFIX_OPERAND_SIZE 0x66 48 | #define PREFIX_ADDRESS_SIZE 0x67 49 | 50 | #pragma pack(push,1) 51 | 52 | typedef struct { 53 | uint8_t len; 54 | uint8_t p_rep; 55 | uint8_t p_lock; 56 | uint8_t p_seg; 57 | uint8_t p_66; 58 | uint8_t p_67; 59 | uint8_t opcode; 60 | uint8_t opcode2; 61 | uint8_t modrm; 62 | uint8_t modrm_mod; 63 | uint8_t modrm_reg; 64 | uint8_t modrm_rm; 65 | uint8_t sib; 66 | uint8_t sib_scale; 67 | uint8_t sib_index; 68 | uint8_t sib_base; 69 | union { 70 | uint8_t imm8; 71 | uint16_t imm16; 72 | uint32_t imm32; 73 | } imm; 74 | union { 75 | uint8_t disp8; 76 | uint16_t disp16; 77 | uint32_t disp32; 78 | } disp; 79 | uint32_t flags; 80 | } hde32s; 81 | 82 | #pragma pack(pop) 83 | 84 | #ifdef __cplusplus 85 | extern "C" { 86 | 
#endif

/* __cdecl */
unsigned int hde32_disasm(const void *code, hde32s *hs);

#ifdef __cplusplus
}
#endif
--------------------------------------------------------------------------------
/PageTableHook/hde/hde64.cpp:
--------------------------------------------------------------------------------
/*
 * Hacker Disassembler Engine 64 C
 * Copyright (c) 2008-2009, Vyacheslav Patkov.
 * All rights reserved.
 *
 */

#include "hde64.h"

#include // NOTE(review): header name lost in extraction; this is where __stosb comes from

#include "table64.h"

#pragma warning(push)
#pragma warning(disable:4706)

/*
 * Decodes one x86-64 instruction starting at `code`, fills in `hs` and returns
 * the instruction length in bytes.
 *
 * Contract that matters when the result is used to relocate or patch code:
 *
 *  - No buffer length is taken. Prefixes, REX, opcode, ModRM, SIB,
 *    displacement and immediate bytes are all read ahead before the final
 *    length check, so the caller must guarantee that HDE_BUFFER_READ_SIZE_MAX
 *    bytes past `code` are readable (the reads are not bounded by the
 *    returned length).
 *  - Malformed input does not stop the decode. F_ERROR is set together with
 *    one of F_ERROR_OPCODE / F_ERROR_LOCK / F_ERROR_OPERAND / F_ERROR_LENGTH
 *    and a length is still returned (clamped to 15). Check hs->flags & F_ERROR
 *    before trusting hs->len or copying that many bytes.
 *  - F_RELATIVE marks rel8/rel32 operands (the displacement is in hs->imm).
 *    RIP-relative memory operands (architecturally mod == 0, rm == 5 without
 *    a SIB in 64-bit mode) get NO dedicated flag: they are reported only as
 *    F_DISP32 with modrm_mod == 0 and modrm_rm == 5, so a relocator has to
 *    recognise that pattern itself before copying the instruction elsewhere.
 *  - hs->rex is never written by this function; only rex_w/rex_r/rex_x/rex_b
 *    and the F_PREFIX_REX flag are populated.
 */
unsigned int hde64_disasm(const void *code, hde64s *hs)
{
    uint8_t x, c = 0, *p = (uint8_t *)code, cflags, opcode, pref = 0;
    uint8_t *ht = hde64_table, m_mod, m_reg, m_rm, disp_size = 0;
    uint8_t op64 = 0;

    __stosb((unsigned char*)hs, 0, sizeof(hde64s));

    /*
     * Consume legacy prefixes. The first non-prefix byte is left in `c` and is
     * either the REX prefix or the opcode. At most 16 bytes are read here; if
     * every one of them is a prefix the 16th prefix is what gets decoded next.
     */
    for (x = 16; x; x--)
        switch (c = *p++) {
        case 0xf3:
            hs->p_rep = c;
            pref |= PRE_F3;
            break;
        case 0xf2:
            hs->p_rep = c;
            pref |= PRE_F2;
            break;
        case 0xf0:
            hs->p_lock = c;
            pref |= PRE_LOCK;
            break;
        case 0x26: case 0x2e: case 0x36:
        case 0x3e: case 0x64: case 0x65:
            hs->p_seg = c;
            pref |= PRE_SEG;
            break;
        case 0x66:
            hs->p_66 = c;
            pref |= PRE_66;
            break;
        case 0x67:
            hs->p_67 = c;
            pref |= PRE_67;
            break;
        default:
            goto pref_done;
        }
pref_done:

    /* PRE_* << 23 lines up with the F_PREFIX_* bits of hs->flags. */
    hs->flags = (uint32_t)pref << 23;

    if (!pref)
        pref |= PRE_NONE;

    /*
     * REX prefix (0x40..0x4f). REX.W followed by B8..BF (mov r64, imm64) is
     * the one case with a 64-bit immediate, tracked via op64. A second REX in
     * a row is an encoding error. Only the W/R/X/B bits are stored; hs->rex
     * itself stays zero.
     */
    if ((c & 0xf0) == 0x40) {
        hs->flags |= F_PREFIX_REX;
        if ((hs->rex_w = (c & 0xf) >> 3) && (*p & 0xf8) == 0xb8)
            op64++;
        hs->rex_r = (c & 7) >> 2;
        hs->rex_x = (c & 3) >> 1;
        hs->rex_b = c & 1;
        if (((c = *p++) & 0xf0) == 0x40) {
            opcode = c;
            goto error_opcode;
        }
    }

    if ((hs->opcode = c) == 0x0f) {
        /* Two-byte opcode: switch to the 0x0f table. */
        hs->opcode2 = c = *p++;
        ht += DELTA_OPCODES;
    } else if (c >= 0xa0 && c <= 0xa3) {
        /*
         * MOV moffs forms: the "immediate" is a 64-bit address (op64), and
         * its width follows the address-size prefix rather than 0x66.
         */
        op64++;
        if (pref & PRE_67)
            pref |= PRE_66;
        else
            pref &= ~PRE_66;
    }

    opcode = c;
    cflags = ht[ht[opcode / 4] + (opcode % 4)];

    if (cflags == C_ERROR) {
    error_opcode:
        /* Unknown opcode: flag it, but keep going so a length is produced. */
        hs->flags |= F_ERROR | F_ERROR_OPCODE;
        cflags = 0;
        if ((opcode & -3) == 0x24)
            cflags++;
    }

    /*
     * Opcode groups: the real flags live in a 16-bit table entry whose low
     * byte is the flag set and whose high byte is a bitmask (tested against
     * ModRM.reg below) of the /r encodings that are invalid for this opcode.
     */
    x = 0;
    if (cflags & C_GROUP) {
        uint16_t t;
        t = *(uint16_t *)(ht + (cflags & 0x7f));
        cflags = (uint8_t)t;
        x = (uint8_t)(t >> 8);
    }

    /* Two-byte opcodes that are illegal with the prefixes that were seen. */
    if (hs->opcode2) {
        ht = hde64_table + DELTA_PREFIXES;
        if (ht[ht[opcode / 4] + (opcode % 4)] & pref)
            hs->flags |= F_ERROR | F_ERROR_OPCODE;
    }

    if (cflags & C_MODRM) {
        hs->flags |= F_MODRM;
        hs->modrm = c = *p++;
        hs->modrm_mod = m_mod = c >> 6;
        hs->modrm_rm = m_rm = c & 7;
        hs->modrm_reg = m_reg = (c & 0x3f) >> 3;

        /* Invalid /r encoding for a group opcode (mask computed above). */
        if (x && ((x << m_reg) & 0x80))
            hs->flags |= F_ERROR | F_ERROR_OPCODE;

        /* x87 escapes 0xd9..0xdf: validate the reg/rm combination. */
        if (!hs->opcode2 && opcode >= 0xd9 && opcode <= 0xdf) {
            uint8_t t = opcode - 0xd9;
            if (m_mod == 3) {
                ht = hde64_table + DELTA_FPU_MODRM + t*8;
                t = ht[m_reg] << m_rm;
            } else {
                ht = hde64_table + DELTA_FPU_REG;
                t = ht[t] << m_reg;
            }
            if (t & 0x80)
                hs->flags |= F_ERROR | F_ERROR_OPCODE;
        }

        /*
         * LOCK is only legal on a memory operand and only for the opcodes in
         * the *_LOCK_OK tables (entries are opcode byte + /r bitmask pairs).
         */
        if (pref & PRE_LOCK) {
            if (m_mod == 3) {
                hs->flags |= F_ERROR | F_ERROR_LOCK;
            } else {
                uint8_t *table_end, op = opcode;
                if (hs->opcode2) {
                    ht = hde64_table + DELTA_OP2_LOCK_OK;
                    table_end = ht + DELTA_OP_ONLY_MEM - DELTA_OP2_LOCK_OK;
                } else {
                    ht = hde64_table + DELTA_OP_LOCK_OK;
                    table_end = ht + DELTA_OP2_LOCK_OK - DELTA_OP_LOCK_OK;
                    op &= -2;
                }
                for (; ht != table_end; ht++)
                    if (*ht++ == op) {
                        if (!((*ht << m_reg) & 0x80))
                            goto no_lock_error;
                        else
                            break;
                    }
                hs->flags |= F_ERROR | F_ERROR_LOCK;
            no_lock_error:
                ;
            }
        }

        /*
         * Control/debug register moves (0f 20-23) always use register form
         * and only some register numbers exist; segment register moves
         * (8c/8e) likewise only accept /r values 0..5 (and 8e rejects CS).
         */
        if (hs->opcode2) {
            switch (opcode) {
            case 0x20: case 0x22:
                m_mod = 3;
                if (m_reg > 4 || m_reg == 1)
                    goto error_operand;
                else
                    goto no_error_operand;
            case 0x21: case 0x23:
                m_mod = 3;
                if (m_reg == 4 || m_reg == 5)
                    goto error_operand;
                else
                    goto no_error_operand;
            }
        } else {
            switch (opcode) {
            case 0x8c:
                if (m_reg > 5)
                    goto error_operand;
                else
                    goto no_error_operand;
            case 0x8e:
                if (m_reg == 1 || m_reg > 5)
                    goto error_operand;
                else
                    goto no_error_operand;
            }
        }

        /* Register-form ModRM on an opcode that requires a memory operand. */
        if (m_mod == 3) {
            uint8_t *table_end;
            if (hs->opcode2) {
                ht = hde64_table + DELTA_OP2_ONLY_MEM;
                table_end = ht + sizeof(hde64_table) - DELTA_OP2_ONLY_MEM;
            } else {
                ht = hde64_table + DELTA_OP_ONLY_MEM;
                table_end = ht + DELTA_OP2_ONLY_MEM - DELTA_OP_ONLY_MEM;
            }
            for (; ht != table_end; ht += 2)
                if (*ht++ == opcode) {
                    if (*ht++ & pref && !((*ht << m_reg) & 0x80))
                        goto error_operand;
                    else
                        break;
                }
            goto no_error_operand;
        } else if (hs->opcode2) {
            /* Memory-form ModRM on two-byte opcodes that require a register. */
            switch (opcode) {
            case 0x50: case 0xd7: case 0xf7:
                if (pref & (PRE_NONE | PRE_66))
                    goto error_operand;
                break;
            case 0xd6:
                if (pref & (PRE_F2 | PRE_F3))
                    goto error_operand;
                break;
            case 0xc5:
                goto error_operand;
            }
            goto no_error_operand;
        } else
            goto no_error_operand;

    error_operand:
        hs->flags |= F_ERROR | F_ERROR_OPERAND;
    no_error_operand:

        /* Speculatively read the byte after ModRM; it is the SIB if present. */
        c = *p++;
        /* TEST r/m, imm (f6 /0, f7 /0) carries an immediate the table omits. */
        if (m_reg <= 1) {
            if (opcode == 0xf6)
                cflags |= C_IMM8;
            else if (opcode == 0xf7)
                cflags |= C_IMM_P66;
        }

        /*
         * Displacement size from mod/rm. With mod == 0 and rm == 5 the disp32
         * is RIP-relative in 64-bit mode; it is recorded as a plain F_DISP32.
         */
        switch (m_mod) {
        case 0:
            if (pref & PRE_67) {
                if (m_rm == 6)
                    disp_size = 2;
            } else
                if (m_rm == 5)
                    disp_size = 4;
            break;
        case 1:
            disp_size = 1;
            break;
        case 2:
            disp_size = 2;
            if (!(pref & PRE_67))
                disp_size <<= 1;
        }

        /* rm == 4 always introduces a SIB here; base 5 with mod 0 means disp32. */
        if (m_mod != 3 && m_rm == 4) {
            hs->flags |= F_SIB;
            p++;
            hs->sib = c;
            hs->sib_scale = c >> 6;
            hs->sib_index = (c & 0x3f) >> 3;
            if ((hs->sib_base = c & 7) == 5 && !(m_mod & 1))
                disp_size = 4;
        }

        /* Undo the speculative read above, then consume the displacement. */
        p--;
        switch (disp_size) {
        case 1:
            hs->flags |= F_DISP8;
            hs->disp.disp8 = *p;
            break;
        case 2:
            hs->flags |= F_DISP16;
            hs->disp.disp16 = *(uint16_t *)p;
            break;
        case 4:
            hs->flags |= F_DISP32;
            hs->disp.disp32 = *(uint32_t *)p;
        }
        p += disp_size;
    } else if (pref & PRE_LOCK)
        /* LOCK without a ModRM byte can never address memory. */
        hs->flags |= F_ERROR | F_ERROR_LOCK;

    /* Operand-size-dependent immediate: 64-bit for op64, else 32 or 16 bits. */
    if (cflags & C_IMM_P66) {
        if (cflags & C_REL32) {
            if (pref & PRE_66) {
                hs->flags |= F_IMM16 | F_RELATIVE;
                hs->imm.imm16 = *(uint16_t *)p;
                p += 2;
                goto disasm_done;
            }
            goto rel32_ok;
        }
        if (op64) {
            hs->flags |= F_IMM64;
            hs->imm.imm64 = *(uint64_t *)p;
            p += 8;
        } else if (!(pref & PRE_66)) {
            hs->flags |= F_IMM32;
            hs->imm.imm32 = *(uint32_t *)p;
            p += 4;
        } else
            goto imm16_ok;
    }


    if (cflags & C_IMM16) {
    imm16_ok:
        hs->flags |= F_IMM16;
        hs->imm.imm16 = *(uint16_t *)p;
        p += 2;
    }
    if (cflags & C_IMM8) {
        hs->flags |= F_IMM8;
        hs->imm.imm8 = *p++;
    }

    /* Relative branch targets; F_RELATIVE tells relocators to fix these up. */
    if (cflags & C_REL32) {
    rel32_ok:
        hs->flags |= F_IMM32 | F_RELATIVE;
        hs->imm.imm32 = *(uint32_t *)p;
        p += 4;
    } else if (cflags & C_REL8) {
        hs->flags |= F_IMM8 | F_RELATIVE;
        hs->imm.imm8 = *p++;
    }

disasm_done:

    /*
     * 15 is the architectural maximum instruction length. Note that all of
     * the reads above have already happened by the time this clamp applies.
     */
    if ((hs->len = (uint8_t)(p-(uint8_t *)code)) > 15) {
        hs->flags |= F_ERROR | F_ERROR_LENGTH;
        hs->len = 15;
    }

    return (unsigned int)hs->len;
}

#pragma warning(pop) // 4706
--------------------------------------------------------------------------------
/PageTableHook/hde/hde64.h:
--------------------------------------------------------------------------------
/*
 * Hacker Disassembler Engine 64
 * Copyright (c) 2008-2009, Vyacheslav Patkov.
 * All rights reserved.
 *
 * hde64.h: C/C++ header file
 *
 */

#pragma once

#include "hde_stdint.h"

/* Result flags in hde64s.flags: which fields are present ... */
#define F_MODRM         0x00000001
#define F_SIB           0x00000002
#define F_IMM8          0x00000004
#define F_IMM16         0x00000008
#define F_IMM32         0x00000010
#define F_IMM64         0x00000020
#define F_DISP8         0x00000040
#define F_DISP16        0x00000080
#define F_DISP32        0x00000100
#define F_RELATIVE      0x00000200
/* ... decode errors (F_ERROR is always set together with one specific cause;
 * check it before trusting hde64s.len) ... */
#define F_ERROR         0x00001000
#define F_ERROR_OPCODE  0x00002000
#define F_ERROR_LENGTH  0x00004000
#define F_ERROR_LOCK    0x00008000
#define F_ERROR_OPERAND 0x00010000
/* ... and which prefixes were seen. */
#define F_PREFIX_REPNZ  0x01000000
#define F_PREFIX_REPX   0x02000000
#define F_PREFIX_REP    0x03000000
#define F_PREFIX_66     0x04000000
#define F_PREFIX_67     0x08000000
#define F_PREFIX_LOCK   0x10000000
#define F_PREFIX_SEG    0x20000000
#define F_PREFIX_REX    0x40000000
#define F_PREFIX_ANY    0x7f000000

/* Raw prefix byte values, as stored in the p_* fields. */
#define PREFIX_SEGMENT_CS   0x2e
#define PREFIX_SEGMENT_SS   0x36
#define PREFIX_SEGMENT_DS   0x3e
#define PREFIX_SEGMENT_ES   0x26
#define PREFIX_SEGMENT_FS   0x64
#define PREFIX_SEGMENT_GS   0x65
#define PREFIX_LOCK         0xf0
#define PREFIX_REPNZ        0xf2
#define PREFIX_REPX         0xf3
#define PREFIX_OPERAND_SIZE 0x66
#define PREFIX_ADDRESS_SIZE 0x67

#pragma pack(push,1)

typedef struct {
    uint8_t len;
    uint8_t p_rep;
    uint8_t p_lock;
    uint8_t p_seg;
    uint8_t p_66;
    uint8_t p_67;
    uint8_t rex;     /* not populated by hde64_disasm; see the rex_* bits */
uint8_t rex_w; 62 | uint8_t rex_r; 63 | uint8_t rex_x; 64 | uint8_t rex_b; 65 | uint8_t opcode; 66 | uint8_t opcode2; 67 | uint8_t modrm; 68 | uint8_t modrm_mod; 69 | uint8_t modrm_reg; 70 | uint8_t modrm_rm; 71 | uint8_t sib; 72 | uint8_t sib_scale; 73 | uint8_t sib_index; 74 | uint8_t sib_base; 75 | union { 76 | uint8_t imm8; 77 | uint16_t imm16; 78 | uint32_t imm32; 79 | uint64_t imm64; 80 | } imm; 81 | union { 82 | uint8_t disp8; 83 | uint16_t disp16; 84 | uint32_t disp32; 85 | } disp; 86 | uint32_t flags; 87 | } hde64s; 88 | 89 | #pragma pack(pop) 90 | 91 | #ifdef __cplusplus 92 | extern "C" { 93 | #endif 94 | 95 | /* __cdecl */ 96 | unsigned int hde64_disasm(const void *code, hde64s *hs); 97 | 98 | #ifdef __cplusplus 99 | } 100 | #endif 101 | -------------------------------------------------------------------------------- /PageTableHook/hde/hde_stdint.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | typedef INT8 int8_t; 6 | typedef INT16 int16_t; 7 | typedef INT32 int32_t; 8 | typedef INT64 int64_t; 9 | typedef UINT8 uint8_t; 10 | typedef UINT16 uint16_t; 11 | typedef UINT32 uint32_t; 12 | typedef UINT64 uint64_t; 13 | -------------------------------------------------------------------------------- /PageTableHook/hde/table32.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Hacker Disassembler Engine 32 C 3 | * Copyright (c) 2008-2009, Vyacheslav Patkov. 4 | * All rights reserved. 
5 | * 6 | */ 7 | 8 | #pragma once 9 | 10 | #define C_NONE 0x00 11 | #define C_MODRM 0x01 12 | #define C_IMM8 0x02 13 | #define C_IMM16 0x04 14 | #define C_IMM_P66 0x10 15 | #define C_REL8 0x20 16 | #define C_REL32 0x40 17 | #define C_GROUP 0x80 18 | #define C_ERROR 0xff 19 | 20 | #define PRE_ANY 0x00 21 | #define PRE_NONE 0x01 22 | #define PRE_F2 0x02 23 | #define PRE_F3 0x04 24 | #define PRE_66 0x08 25 | #define PRE_67 0x10 26 | #define PRE_LOCK 0x20 27 | #define PRE_SEG 0x40 28 | #define PRE_ALL 0xff 29 | 30 | #define DELTA_OPCODES 0x4a 31 | #define DELTA_FPU_REG 0xf1 32 | #define DELTA_FPU_MODRM 0xf8 33 | #define DELTA_PREFIXES 0x130 34 | #define DELTA_OP_LOCK_OK 0x1a1 35 | #define DELTA_OP2_LOCK_OK 0x1b9 36 | #define DELTA_OP_ONLY_MEM 0x1cb 37 | #define DELTA_OP2_ONLY_MEM 0x1da 38 | 39 | unsigned char hde32_table[] = { 40 | 0xa3,0xa8,0xa3,0xa8,0xa3,0xa8,0xa3,0xa8,0xa3,0xa8,0xa3,0xa8,0xa3,0xa8,0xa3, 41 | 0xa8,0xaa,0xaa,0xaa,0xaa,0xaa,0xaa,0xaa,0xaa,0xac,0xaa,0xb2,0xaa,0x9f,0x9f, 42 | 0x9f,0x9f,0xb5,0xa3,0xa3,0xa4,0xaa,0xaa,0xba,0xaa,0x96,0xaa,0xa8,0xaa,0xc3, 43 | 0xc3,0x96,0x96,0xb7,0xae,0xd6,0xbd,0xa3,0xc5,0xa3,0xa3,0x9f,0xc3,0x9c,0xaa, 44 | 0xaa,0xac,0xaa,0xbf,0x03,0x7f,0x11,0x7f,0x01,0x7f,0x01,0x3f,0x01,0x01,0x90, 45 | 0x82,0x7d,0x97,0x59,0x59,0x59,0x59,0x59,0x7f,0x59,0x59,0x60,0x7d,0x7f,0x7f, 46 | 0x59,0x59,0x59,0x59,0x59,0x59,0x59,0x59,0x59,0x59,0x59,0x59,0x9a,0x88,0x7d, 47 | 0x59,0x50,0x50,0x50,0x50,0x59,0x59,0x59,0x59,0x61,0x94,0x61,0x9e,0x59,0x59, 48 | 0x85,0x59,0x92,0xa3,0x60,0x60,0x59,0x59,0x59,0x59,0x59,0x59,0x59,0x59,0x59, 49 | 0x59,0x59,0x9f,0x01,0x03,0x01,0x04,0x03,0xd5,0x03,0xcc,0x01,0xbc,0x03,0xf0, 50 | 0x10,0x10,0x10,0x10,0x50,0x50,0x50,0x50,0x14,0x20,0x20,0x20,0x20,0x01,0x01, 51 | 0x01,0x01,0xc4,0x02,0x10,0x00,0x00,0x00,0x00,0x01,0x01,0xc0,0xc2,0x10,0x11, 52 | 0x02,0x03,0x11,0x03,0x03,0x04,0x00,0x00,0x14,0x00,0x02,0x00,0x00,0xc6,0xc8, 53 | 0x02,0x02,0x02,0x02,0x00,0x00,0xff,0xff,0xff,0xff,0x00,0x00,0x00,0xff,0xca, 54 | 
0x01,0x01,0x01,0x00,0x06,0x00,0x04,0x00,0xc0,0xc2,0x01,0x01,0x03,0x01,0xff, 55 | 0xff,0x01,0x00,0x03,0xc4,0xc4,0xc6,0x03,0x01,0x01,0x01,0xff,0x03,0x03,0x03, 56 | 0xc8,0x40,0x00,0x0a,0x00,0x04,0x00,0x00,0x00,0x00,0x7f,0x00,0x33,0x01,0x00, 57 | 0x00,0x00,0x00,0x00,0x00,0xff,0xbf,0xff,0xff,0x00,0x00,0x00,0x00,0x07,0x00, 58 | 0x00,0xff,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 59 | 0x00,0xff,0xff,0x00,0x00,0x00,0xbf,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 60 | 0x7f,0x00,0x00,0xff,0x4a,0x4a,0x4a,0x4a,0x4b,0x52,0x4a,0x4a,0x4a,0x4a,0x4f, 61 | 0x4c,0x4a,0x4a,0x4a,0x4a,0x4a,0x4a,0x4a,0x4a,0x55,0x45,0x40,0x4a,0x4a,0x4a, 62 | 0x45,0x59,0x4d,0x46,0x4a,0x5d,0x4a,0x4a,0x4a,0x4a,0x4a,0x4a,0x4a,0x4a,0x4a, 63 | 0x4a,0x4a,0x4a,0x4a,0x4a,0x61,0x63,0x67,0x4e,0x4a,0x4a,0x6b,0x6d,0x4a,0x4a, 64 | 0x45,0x6d,0x4a,0x4a,0x44,0x45,0x4a,0x4a,0x00,0x00,0x00,0x02,0x0d,0x06,0x06, 65 | 0x06,0x06,0x0e,0x00,0x00,0x00,0x00,0x06,0x06,0x06,0x00,0x06,0x06,0x02,0x06, 66 | 0x00,0x0a,0x0a,0x07,0x07,0x06,0x02,0x05,0x05,0x02,0x02,0x00,0x00,0x04,0x04, 67 | 0x04,0x04,0x00,0x00,0x00,0x0e,0x05,0x06,0x06,0x06,0x01,0x06,0x00,0x00,0x08, 68 | 0x00,0x10,0x00,0x18,0x00,0x20,0x00,0x28,0x00,0x30,0x00,0x80,0x01,0x82,0x01, 69 | 0x86,0x00,0xf6,0xcf,0xfe,0x3f,0xab,0x00,0xb0,0x00,0xb1,0x00,0xb3,0x00,0xba, 70 | 0xf8,0xbb,0x00,0xc0,0x00,0xc1,0x00,0xc7,0xbf,0x62,0xff,0x00,0x8d,0xff,0x00, 71 | 0xc4,0xff,0x00,0xc5,0xff,0x00,0xff,0xff,0xeb,0x01,0xff,0x0e,0x12,0x08,0x00, 72 | 0x13,0x09,0x00,0x16,0x08,0x00,0x17,0x09,0x00,0x2b,0x09,0x00,0xae,0xff,0x07, 73 | 0xb2,0xff,0x00,0xb4,0xff,0x00,0xb5,0xff,0x00,0xc3,0x01,0x00,0xc7,0xff,0xbf, 74 | 0xe7,0x08,0x00,0xf0,0x02,0x00 75 | }; 76 | -------------------------------------------------------------------------------- /PageTableHook/hde/table64.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Hacker Disassembler Engine 64 C 3 | * Copyright (c) 2008-2009, Vyacheslav Patkov. 4 | * All rights reserved. 
 *
 */

#pragma once

/*
 * Per-opcode flag bits packed into hde64_table entries.  Every C_* value
 * except C_NONE occupies a distinct bit (so several can be OR'ed into one
 * table byte); C_ERROR sets all bits.  The bit meanings are only suggested
 * by the names here — the decoder in hde64.cpp is the authority.
 *
 * NOTE(review): table32.h defines the same C_*/PRE_*/DELTA_* macro names
 * with different DELTA_* values; the two headers are not meant to be
 * included into the same translation unit.
 */
#define C_NONE 0x00
#define C_MODRM 0x01    /* name suggests: opcode is followed by a ModRM byte */
#define C_IMM8 0x02     /* name suggests: 8-bit immediate operand */
#define C_IMM16 0x04    /* name suggests: 16-bit immediate operand */
#define C_IMM_P66 0x10  /* name suggests: immediate whose width depends on a 0x66 prefix */
#define C_REL8 0x20     /* name suggests: 8-bit relative displacement */
#define C_REL32 0x40    /* name suggests: 32-bit relative displacement */
#define C_GROUP 0x80    /* name suggests: opcode group, sub-opcode selected elsewhere */
#define C_ERROR 0xff    /* all bits set; presumably an undefined/illegal opcode — confirm in hde64.cpp */

/*
 * Prefix bit-set used by the prefix sub-table.  PRE_ANY (0) matches nothing
 * in particular and PRE_ALL (0xff) sets every bit; the others are one bit
 * each, named after the legacy prefix byte or class they stand for.  REX
 * prefixes have no bit here; if the 64-bit decoder tracks them it does so
 * outside this table — TODO confirm in hde64.cpp.
 */
#define PRE_ANY 0x00
#define PRE_NONE 0x01
#define PRE_F2 0x02     /* REPNE/REPNZ prefix byte */
#define PRE_F3 0x04     /* REP/REPE prefix byte */
#define PRE_66 0x08     /* operand-size override */
#define PRE_67 0x10     /* address-size override */
#define PRE_LOCK 0x20   /* LOCK prefix */
#define PRE_SEG 0x40    /* any segment-override prefix */
#define PRE_ALL 0xff

/*
 * Byte offsets of the sub-tables inside hde64_table.  They increase
 * monotonically and all fall inside the initializer below (about 529
 * bytes by count of the rows), so indexing ht + DELTA_* + small index
 * stays in bounds as long as the index itself is bounded — the bound
 * checks live in the decoder, not here.  The values differ from the
 * 32-bit table's because the sub-tables differ in size; do not edit the
 * offsets and the table independently, they are generated together.
 */
#define DELTA_OPCODES 0x4a
#define DELTA_FPU_REG 0xfd
#define DELTA_FPU_MODRM 0x104
#define DELTA_PREFIXES 0x13c
#define DELTA_OP_LOCK_OK 0x1ae
#define DELTA_OP2_LOCK_OK 0x1c6
#define DELTA_OP_ONLY_MEM 0x1d8
#define DELTA_OP2_ONLY_MEM 0x1e7

/*
 * Generated opcode/prefix decode table for the 64-bit disassembler
 * (Hacker Disassembler Engine); consumed through the DELTA_* offsets above.
 *
 * NOTE(review): this is a non-const, non-static definition placed in a
 * header.  `#pragma once` only guards one translation unit, so including
 * the header from two .cpp files is a duplicate-symbol link error.  Being
 * writable data, the decode table is also modifiable at run time inside the
 * driver image; declaring it `const` would move it to a read-only section,
 * but the consumer's pointer type in hde64.cpp would then have to become
 * `const unsigned char *` as well — change both together.
 */
unsigned char hde64_table[] = {
  0xa5,0xaa,0xa5,0xb8,0xa5,0xaa,0xa5,0xaa,0xa5,0xb8,0xa5,0xb8,0xa5,0xb8,0xa5,
  0xb8,0xc0,0xc0,0xc0,0xc0,0xc0,0xc0,0xc0,0xc0,0xac,0xc0,0xcc,0xc0,0xa1,0xa1,
  0xa1,0xa1,0xb1,0xa5,0xa5,0xa6,0xc0,0xc0,0xd7,0xda,0xe0,0xc0,0xe4,0xc0,0xea,
  0xea,0xe0,0xe0,0x98,0xc8,0xee,0xf1,0xa5,0xd3,0xa5,0xa5,0xa1,0xea,0x9e,0xc0,
  0xc0,0xc2,0xc0,0xe6,0x03,0x7f,0x11,0x7f,0x01,0x7f,0x01,0x3f,0x01,0x01,0xab,
  0x8b,0x90,0x64,0x5b,0x5b,0x5b,0x5b,0x5b,0x92,0x5b,0x5b,0x76,0x90,0x92,0x92,
  0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x6a,0x73,0x90,
  0x5b,0x52,0x52,0x52,0x52,0x5b,0x5b,0x5b,0x5b,0x77,0x7c,0x77,0x85,0x5b,0x5b,
  0x70,0x5b,0x7a,0xaf,0x76,0x76,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,0x5b,
  0x5b,0x5b,0x86,0x01,0x03,0x01,0x04,0x03,0xd5,0x03,0xd5,0x03,0xcc,0x01,0xbc,
  0x03,0xf0,0x03,0x03,0x04,0x00,0x50,0x50,0x50,0x50,0xff,0x20,0x20,0x20,0x20,
  0x01,0x01,0x01,0x01,0xc4,0x02,0x10,0xff,0xff,0xff,0x01,0x00,0x03,0x11,0xff,
  0x03,0xc4,0xc6,0xc8,0x02,0x10,0x00,0xff,0xcc,0x01,0x01,0x01,0x00,0x00,0x00,
  0x00,0x01,0x01,0x03,0x01,0xff,0xff,0xc0,0xc2,0x10,0x11,0x02,0x03,0x01,0x01,
  0x01,0xff,0xff,0xff,0x00,0x00,0x00,0xff,0x00,0x00,0xff,0xff,0xff,0xff,0x10,
  0x10,0x10,0x10,0x02,0x10,0x00,0x00,0xc6,0xc8,0x02,0x02,0x02,0x02,0x06,0x00,
  0x04,0x00,0x02,0xff,0x00,0xc0,0xc2,0x01,0x01,0x03,0x03,0x03,0xca,0x40,0x00,
  0x0a,0x00,0x04,0x00,0x00,0x00,0x00,0x7f,0x00,0x33,0x01,0x00,0x00,0x00,0x00,
  0x00,0x00,0xff,0xbf,0xff,0xff,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0xff,0x00,
  0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff,0xff,
  0x00,0x00,0x00,0xbf,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x7f,0x00,0x00,
  0xff,0x40,0x40,0x40,0x40,0x41,0x49,0x40,0x40,0x40,0x40,0x4c,0x42,0x40,0x40,
  0x40,0x40,0x40,0x40,0x40,0x40,0x4f,0x44,0x53,0x40,0x40,0x40,0x44,0x57,0x43,
  0x5c,0x40,0x60,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,0x40,
  0x40,0x40,0x64,0x66,0x6e,0x6b,0x40,0x40,0x6a,0x46,0x40,0x40,0x44,0x46,0x40,
  0x40,0x5b,0x44,0x40,0x40,0x00,0x00,0x00,0x00,0x06,0x06,0x06,0x06,0x01,0x06,
  0x06,0x02,0x06,0x06,0x00,0x06,0x00,0x0a,0x0a,0x00,0x00,0x00,0x02,0x07,0x07,
  0x06,0x02,0x0d,0x06,0x06,0x06,0x0e,0x05,0x05,0x02,0x02,0x00,0x00,0x04,0x04,
  0x04,0x04,0x05,0x06,0x06,0x06,0x00,0x00,0x00,0x0e,0x00,0x00,0x08,0x00,0x10,
  0x00,0x18,0x00,0x20,0x00,0x28,0x00,0x30,0x00,0x80,0x01,0x82,0x01,0x86,0x00,
  0xf6,0xcf,0xfe,0x3f,0xab,0x00,0xb0,0x00,0xb1,0x00,0xb3,0x00,0xba,0xf8,0xbb,
  0x00,0xc0,0x00,0xc1,0x00,0xc7,0xbf,0x62,0xff,0x00,0x8d,0xff,0x00,0xc4,0xff,
  0x00,0xc5,0xff,0x00,0xff,0xff,0xeb,0x01,0xff,0x0e,0x12,0x08,0x00,0x13,0x09,
  0x00,0x16,0x08,0x00,0x17,0x09,0x00,0x2b,0x09,0x00,0xae,0xff,0x07,0xb2,0xff,
  0x00,0xb4,0xff,0x00,0xb5,0xff,0x00,0xc3,0x01,0x00,0xc7,0xff,0xbf,0xe7,0x08,
  0x00,0xf0,0x02,0x00
};

--------------------------------------------------------------------------------
/QQ截图20221204191827.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MapleSwan/PageTableHook/85d24e4053e49306af26494d8f9357416a347342/QQ截图20221204191827.png -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # PageTableHook 2 | 3 | ## 通过修改进程页表来实现不触发PG的Hook 4 | 5 | ![Image text](https://github.com/Rythorndoran/PageTableHook/blob/master/QQ%E6%88%AA%E5%9B%BE20221204191827.png) 6 | --------------------------------------------------------------------------------