#pragma warning(disable: 4100)

#include "UnexDriver.h" // includes print() and GetKernelProcAddress()

/* Placeholder routine whose code bytes DriverEntry overwrites in place.
 * Its compiled behaviour is simply to return the constant 10, which is
 * what a caller sees if the patch in DriverEntry never takes effect. */
LONGLONG someFunction() {
    const LONGLONG original_value = 10;
    return original_value;
}

/* Function-pointer type for ZwProtectVirtualMemory. The routine is not linked
 * against directly; DriverEntry resolves it by name at runtime through
 * GetKernelProcAddress() and casts the result to this type, so a failed lookup
 * yields a NULL pointer that must be checked before the call. The parameter
 * list follows the NtProtectVirtualMemory contract: BaseAddress and
 * NumberOfBytesToProtect are in/out (the callee is expected to adjust them to
 * the region it actually changed), and OldAccessProtection receives the
 * previous protection. The explicit calling-convention keyword has no effect
 * on x64, where there is a single calling convention. */
typedef NTSTATUS(_stdcall* ZwProtectVirtualMemory_t)(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);

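/*
 * Driver entry point. Resolves ZwProtectVirtualMemory at runtime, changes the
 * protection of the page holding someFunction(), overwrites the function's
 * code bytes, restores the protection and prints the patched result.
 *
 * Every step that can fail is now checked: the original code ignored both the
 * result of the name lookup (a NULL function pointer, which bugchecks when
 * called) and the NTSTATUS of each ZwProtectVirtualMemory call, so a failed
 * protection change went unnoticed and the memcpy() below wrote to a
 * read-only code page - the ATTEMPT_TO_WRITE_READONLY_MEMORY bugcheck
 * reported with this code. With the checks in place a failed call is reported
 * through print() and the driver load fails cleanly with that status instead.
 *
 * NOTE(review): NtCurrentProcess() refers to the user-mode address space of
 * the process that happens to be current when the driver loads; it does not
 * make pages of a loaded kernel image (where someFunction lives) writable, so
 * the first ZwProtectVirtualMemory call is expected to return an error here.
 * Runtime modification of kernel code is also a pattern that Kernel Patch
 * Protection on x64 treats as a fatal integrity violation.
 *
 * @param pDriverObject  Driver object supplied by the I/O manager; its
 *                       DriverUnload routine is set to UnloadDriver.
 * @param pRegistryPath  Unused.
 * @return STATUS_SUCCESS, STATUS_UNSUCCESSFUL when the runtime lookup fails,
 *         or the NTSTATUS of the failing ZwProtectVirtualMemory call.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath) {

    UNREFERENCED_PARAMETER(pRegistryPath);

    pDriverObject->DriverUnload = UnloadDriver;

    /* Resolved by name at runtime; the lookup may legitimately fail, and
     * calling a NULL function pointer in kernel mode is an immediate bugcheck. */
    ZwProtectVirtualMemory_t ZwProtectVirtualMemory =
        (ZwProtectVirtualMemory_t)GetKernelProcAddress(L"ZwProtectVirtualMemory");
    if (ZwProtectVirtualMemory == NULL) {
        print("GetKernelProcAddress(ZwProtectVirtualMemory) returned NULL");
        return STATUS_UNSUCCESSFUL;
    }

    /* Code bytes copied over the start of someFunction(). */
    char bytes[] = { 0x48, 0xc7, 0xc0, 0x01, 0x00, 0x00, 0x00, 0xc3 };

    ULONG oldProtect = 0;      /* protection in effect before the first call */
    ULONG restoredProtect = 0; /* protection in effect before the restore call; not needed afterwards */
    SIZE_T sz = sizeof(bytes);
    PVOID baseAddr = (PVOID)&someFunction;

    /* baseAddr/sz are in/out: the callee may adjust them to the region it
     * actually changed, which is why the restore call reuses them unchanged. */
    NTSTATUS status = ZwProtectVirtualMemory(NtCurrentProcess(), &baseAddr, &sz,
                                             PAGE_EXECUTE_READWRITE, &oldProtect);
    if (!NT_SUCCESS(status)) {
        /* Do not touch the page: it is still read-only, and writing to it is
         * exactly the ATTEMPT_TO_WRITE_READONLY_MEMORY crash seen before. */
        print("ZwProtectVirtualMemory(PAGE_EXECUTE_READWRITE) failed: 0x%08X", (unsigned)status);
        return status;
    }

    memcpy((void*)&someFunction, bytes, sizeof(bytes));

    /* Put the original protection back; oldProtect is the value the first
     * call reported, restoredProtect just receives the (now irrelevant) RWX. */
    status = ZwProtectVirtualMemory(NtCurrentProcess(), &baseAddr, &sz, oldProtect, &restoredProtect);
    if (!NT_SUCCESS(status)) {
        print("ZwProtectVirtualMemory(restore) failed: 0x%08X", (unsigned)status);
        return status;
    }

    print("%lld", someFunction());

    return STATUS_SUCCESS;
}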

/* DriverUnload callback registered by DriverEntry. Nothing is allocated or
 * registered during DriverEntry, so there is nothing to release here.
 * NOTE(review): the WDK declares DRIVER_UNLOAD routines as returning VOID, so
 * the NTSTATUS returned here is never consumed by the I/O manager; it is kept
 * only because this signature may be declared in UnexDriver.h - confirm. */
NTSTATUS UnloadDriver(PDRIVER_OBJECT pDriverObject) {
    (void)pDriverObject; /* unused */
    return STATUS_SUCCESS;
}

我正在尝试制作这样的基本钩子,但我总是遇到名为“ATTEMPT_TO_WRITE_READONLY_MEMORY”的崩溃,所以我认为更改内存地址的保护存在一些问题。我搜索了一个函数来更改内核上的内存保护,但我找不到任何函数。有人知道吗?

