Computer Tutorials
Computer Knowledge
Let's talk about using the Windows page protection mechanism for function hooking
Let's talk about using the Windows page protection mechanism for function hooking
Mar 26, 2024 am 09:40 AM
Summary
Guard Pages is a memory protection mechanism in the operating system, used to detect and prevent illegal access to memory. In Windows operating systems, Guard Pages are usually located at the end of memory pages, which are usually unallocated or inaccessible. The main function of Guard Pages is to improve the security of the system and prevent malicious programs or errors from accessing the memory, thus protecting the system from potential risks and security vulnerabilities. By using Guard Pages, the operating system can promptly detect and prevent illegal operations on memory, ensuring the stability and security of the system.
When a program attempts to access the Guard Page, the operating system will immediately recognize and trigger an exception, usually an access violation exception. The generation of this exception helps the program detect memory access errors in time, and then take appropriate measures, such as terminating the program or recording error information, to prevent potential security vulnerabilities from being exploited. In this way, the system can maintain control over memory access and ensure the stability and security of program operation. The setting of Guard Page provides the system with an effective mechanism for monitoring and protecting memory access, so that any potential problems can be discovered and dealt with in time, thus improving the stability and security of the system. Through exception triggering, the program can quickly respond when an error occurs, effectively preventing memory access problems that may lead to serious consequences.
Guard Pages are widely used in Windows Hooking to monitor and intercept access to specific memory areas. Through this technology, system functions can be modified or monitored, providing strong support for areas such as software debugging, security research, and malware analysis. Guard Pages feature the ability to detect access to protected memory and trigger appropriate handlers when access occurs. This mechanism is useful for protecting critical data or code from unauthorized access and potential security vulnerabilities. By properly configuring Guard Pages, you can improve the security and stability of the system and ensure that the system
Implementation process
The overall code is as follows:
#include
#include
// Hook函數(shù)功能
HANDLE hook(LPSECURITY_ATTRIBUTES rcx, SIZE_T rdx, LPTHREAD_START_ROUTINE r8, LPVOID r9, DWORD stck1, LPDWORD stck2) {
MessageBoxA(0, "CreateThread() was called!", "YAY!", 0);
MessageBoxA(0, "Hooked CreateThread", "YAY!", 0);
// 這里調(diào)用原始CreateThread函數(shù)
//return CreateThread(rcx, rdx, r8, r9, stck1, stck2);
return NULL;
}
LONG WINAPI handler(EXCEPTION_POINTERS * ExceptionInfo) {
if (ExceptionInfo->ExceptionRecord->ExceptionCode == STATUS_GUARD_PAGE_VIOLATION) {
if (ExceptionInfo->ContextRecord->Rip == (DWORD64) &CreateThread) {
printf("[!] Exception (%#llx)!" , ExceptionInfo->ExceptionRecord->ExceptionAddress);
printf("nClick a key to continue...n");
getchar();
ExceptionInfo->ContextRecord->Rip = (DWORD64) &hook;
printf("Modified RIP Points to: %#llxn", ExceptionInfo->ContextRecord->Rip);
printf("Hook Function = %#llxn", (DWORD64) &hook);
}
return EXCEPTION_CONTINUE_EXECUTION;
}
return EXCEPTION_CONTINUE_SEARCH;
}
int main() {
DWORD old = 0;
DWORD param = 5000;
AddVectoredExceptionHandler(1, &handler);
VirtualProtect(&CreateThread, 1, PAGE_EXECUTE_READ | PAGE_GUARD, &old);
printf("CreateThread addr = %#pn", &CreateThread);
HANDLE hThread = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) &Sleep, ?m, 0, 0);
WaitForSingleObject(hThread, param);
printf("YEP!n");
return 0;
}
Header file part:The code starts by including the necessary header files, including and , which provide functions and definitions for the Windows API and standard I/O operations respectively.
Hook function:
This code defines a hook function hook, which is used to intercept the CreateThread API function that creates threads in Windows applications. Inside the hook function, two message boxes are displayed to prompt the call of the CreateThread function and indicate that it has been hooked. It should be noted that in this code, the original CreateThread function is not actually called, but is intercepted.
Exception handling
Define a handler function and set it as an exception handler using AddVectoredExceptionHandler. This function is designed to handle exceptions, specifically STATUS_GUARD_PAGE_VIOLATION, which occurs when trying to execute code on a protected memory page. abnormal. If the exception code is STATUS_GUARD_PAGE_VIOLATION and the instruction pointer (Rip) points to the CreateThread function, it will display a message and modify the Rip to point to the hook function. Any attempt to call the CreateThread function will be redirected to the hook function.
Main function
Inside the main function, a variable old is declared but is not used. A param variable is set to 5000 and the AddVectoredExceptionHandler function is called to register the handler function as an exception handler. Use VirtualProtect to set up a guard page on the CreateThread function. This will trigger the handler function if you try to execute it. Using printf shows the address of the CreateThread function. A new thread is created using CreateThread, but that doesn't seem to serve any real purpose as the thread just sleeps for 5000 milliseconds. After waiting for the thread to end, print "YEP!".
test
Compile the code and execute it, the effect is as follows:
picture
The above is the detailed content of Let's talk about using the Windows page protection mechanism for function hooking. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undress AI Tool
Undress images for free
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
Windows can't access shared folder on network
Jun 30, 2025 pm 04:56 PM
When encountering the "Windowscan'taccesssharedfolderonnetwork", you can usually solve the problem through the following steps: 1. Turn on the network discovery and file sharing function and turn off password protection; 2. Make sure that the target computer is enabled to share and set the correct permissions; 3. Check the firewall rules and service status to ensure that it allows shared access; 4. Use the credential manager to add network credentials for long-term and stable connection.
Windows 'Getting Windows ready, Don't turn off your computer' stuck
Jun 30, 2025 pm 05:18 PM
When you encounter Windows stuck in the "GettingWindowsready, Don't turnoff your computer" interface, you should first confirm whether it is really stuck; 1. Observe whether the hard disk indicator light is flashing, 2. Check whether the fan sound has changed, 3. Wait at least 30 to 60 minutes to ensure that the system has enough time to complete the update operation.
How to run an app as an administrator in Windows?
Jul 01, 2025 am 01:05 AM
To run programs as administrator, you can use Windows' own functions: 1. Right-click the menu to select "Run as administrator", which is suitable for temporary privilege hike scenarios; 2. Create a shortcut and check "Run as administrator" to achieve automatic privilege hike start; 3. Use the task scheduler to configure automated tasks, suitable for running programs that require permissions on a scheduled or background basis, pay attention to setting details such as path changes and permission checks.
Windows clipboard history not working
Jun 30, 2025 pm 05:14 PM
When the Windows clipboard history is not working, you can check the following steps: 1. Confirm that the clipboard history function is enabled, the path is "Settings>System>Clipboard", and if it is not enabled, Win V will not respond; 2. Check whether the copy content type is limited, such as large images, special formats or file paths may not be saved; 3. Ensure that the system version supports it, Windows 101809 and above, and some enterprise versions or LTSC do not support it; 4. Try to restart the ClipboardUserService service or end the clipups.exe process; 5. Clear the clipboard cache or reset the settings, close and then turn on the "Clipboard History" or run the "echooff|clip" command to clean up the cache
'This operation has been cancelled due to restrictions in effect on this computer' Windows fix
Jun 30, 2025 pm 04:47 PM
The error "This operation has been cancelled because of restrictions on the computer" is usually caused by permissions or policy restrictions. Solutions include: 1. Check whether to use an administrator account, and if not, switch or change the account type; 2. Run the program as an administrator, or set a shortcut to always run as an administrator; 3. Check Group Policy restrictions, set suspicious policies to "not configured" or "disabled", but be careful that there is no Group Policy Editor for the Home Edition; 4. If registry editing is disabled, you can re-enable it by creating a .reg file; 5. Troubleshoot third-party software interference, temporarily close the security software or management startup items. Trying the above methods in order usually solves the problem.
How to fix a stuck Windows restart screen?
Jun 30, 2025 pm 05:10 PM
Don't rush to reinstall the system when the computer is stuck in the Windows restart interface. You can try the following methods first: 1. Force shutdown and then restart. Apply to the situation where the update is stuck. Repeat two or three times or can skip the lag; 2. Enter the safe mode to check, select Start repair or system restore through troubleshooting. If you can enter safe mode, it may be a driver or software conflict; 3. Use the command prompt to repair the system files, enter the three commands sfc and dism in the recovery environment to repair the damaged files; 4. Check the recently installed hardware or driver, unplug the non-essential devices or uninstall the new driver to eliminate incompatibility issues. In most cases, the above steps can solve the phenomenon of restart lag. If it really doesn’t work, consider reinstalling the system and paying attention to backing up data in advance.
Windows stuck on 'undoing changes made to your computer'
Jul 05, 2025 am 02:51 AM
The computer is stuck in the "Undo Changes made to the computer" interface, which is a common problem after the Windows update fails. It is usually caused by the stuck rollback process and cannot enter the system normally. 1. First of all, you should wait patiently for a long enough time, especially after restarting, it may take more than 30 minutes to complete the rollback, and observe the hard disk light to determine whether it is still running. 2. If there is no progress for a long time, you can force shut down and enter the recovery environment (WinRE) multiple times, and try to start repair or system restore. 3. After entering safe mode, you can uninstall the most recent update records through the control panel. 4. Use the command prompt to execute the bootrec command in the recovery environment to repair the boot file, or run sfc/scannow to check the system file. 5. The last method is to use the "Reset this computer" function
How to fix SYSTEM_SERVICE_EXCEPTION on Windows?
Jun 30, 2025 pm 05:11 PM
When encountering SYSTEM\_SERVICE\_EXCEPTION error, 1. Update or roll back the graphics card driver, try to update the driver with the device manager, download and install the official website, or use DDU to completely uninstall and reinstall; 2. Check the memory stick, detect abnormalities through the task manager and Windows memory diagnostic tool, and clean the memory stick or change the slot test if necessary; 3. Repair the system files, run the sfc/scannow and DISM commands with administrator permissions, and check Windows Update; 4. Uninstall recently installed software or updates, especially antivirus software or virtual machine tools. If the above method is invalid, it may be a hardware problem that needs further detection.
