Let’s talk about using the Windows page protection mechanism for function hooking

Summary

Guard Pages is a memory protection mechanism in the operating system, used to detect and prevent illegal access to memory. In Windows operating systems, Guard Pages are usually located at the end of memory pages, which are usually unallocated or inaccessible. The main function of Guard Pages is to improve the security of the system and prevent malicious programs or errors from accessing the memory, thus protecting the system from potential risks and security vulnerabilities. By using Guard Pages, the operating system can promptly detect and prevent illegal operations on memory, ensuring the stability and security of the system.

When a program attempts to access the Guard Page, the operating system will immediately recognize and trigger an exception, usually an access violation exception. The generation of this exception helps the program detect memory access errors in time, and then take appropriate measures, such as terminating the program or recording error information, to prevent potential security vulnerabilities from being exploited. In this way, the system can maintain control over memory access and ensure the stability and security of program operation. The setting of Guard Page provides the system with an effective mechanism for monitoring and protecting memory access, so that any potential problems can be discovered and dealt with in time, thus improving the stability and security of the system. Through exception triggering, the program can quickly respond when an error occurs, effectively preventing memory access problems that may lead to serious consequences.

Guard Pages are widely used in Windows Hooking to monitor and intercept access to specific memory areas. Through this technology, system functions can be modified or monitored, providing strong support for areas such as software debugging, security research, and malware analysis. Guard Pages feature the ability to detect access to protected memory and trigger appropriate handlers when access occurs. This mechanism is useful for protecting critical data or code from unauthorized access and potential security vulnerabilities. By properly configuring Guard Pages, you can improve the security and stability of the system and ensure that the system

Implementation process

The overall code is as follows:

#include 
#include 

// Hook函数功能
HANDLE hook(LPSECURITY_ATTRIBUTES rcx, SIZE_T rdx, LPTHREAD_START_ROUTINE r8, LPVOID r9, DWORD stck1, LPDWORD stck2) {
MessageBoxA(0, "CreateThread() was called!", "YAY!", 0);
MessageBoxA(0, "Hooked CreateThread", "YAY!", 0);
// 这里调用原始CreateThread函数
//return CreateThread(rcx, rdx, r8, r9, stck1, stck2);
 return NULL;
}

LONG WINAPI handler(EXCEPTION_POINTERS * ExceptionInfo) {
 if (ExceptionInfo->ExceptionRecord->ExceptionCode == STATUS_GUARD_PAGE_VIOLATION) {
if (ExceptionInfo->ContextRecord->Rip == (DWORD64) &CreateThread) {
 printf("[!] Exception (%#llx)!" , ExceptionInfo->ExceptionRecord->ExceptionAddress);
printf("nClick a key to continue...n");
 getchar();
 ExceptionInfo->ContextRecord->Rip = (DWORD64) &hook;
printf("Modified RIP Points to: %#llxn", ExceptionInfo->ContextRecord->Rip);
printf("Hook Function = %#llxn", (DWORD64) &hook);
}
return EXCEPTION_CONTINUE_EXECUTION;
 }
 return EXCEPTION_CONTINUE_SEARCH;
}

int main() {
 DWORD old = 0;
DWORD param = 5000;
 AddVectoredExceptionHandler(1, &handler);
 VirtualProtect(&CreateThread, 1, PAGE_EXECUTE_READ | PAGE_GUARD, &old);
 printf("CreateThread addr = %#pn", &CreateThread);
 
 HANDLE hThread = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) &Sleep, ¶m, 0, 0);
 WaitForSingleObject(hThread, param);
 printf("YEP!n");

 return 0;
}

Header file part:

The code starts by including the necessary header files, including and , which provide functions and definitions for the Windows API and standard I/O operations respectively.

Hook function:

This code defines a hook function hook, which is used to intercept the CreateThread API function that creates threads in Windows applications. Inside the hook function, two message boxes are displayed to prompt the call of the CreateThread function and indicate that it has been hooked. It should be noted that in this code, the original CreateThread function is not actually called, but is intercepted.

Exception handling

Define a handler function and set it as an exception handler using AddVectoredExceptionHandler. This function is designed to handle exceptions, specifically STATUS_GUARD_PAGE_VIOLATION, which occurs when trying to execute code on a protected memory page. abnormal. If the exception code is STATUS_GUARD_PAGE_VIOLATION and the instruction pointer (Rip) points to the CreateThread function, it will display a message and modify the Rip to point to the hook function. Any attempt to call the CreateThread function will be redirected to the hook function.

Main function

Inside the main function, a variable old is declared but is not used. A param variable is set to 5000 and the AddVectoredExceptionHandler function is called to register the handler function as an exception handler. Use VirtualProtect to set up a guard page on the CreateThread function. This will trigger the handler function if you try to execute it. Using printf shows the address of the CreateThread function. A new thread is created using CreateThread, but that doesn't seem to serve any real purpose as the thread just sleeps for 5000 milliseconds. After waiting for the thread to end, print "YEP!".

test

Compile the code and execute it, the effect is as follows:

picture

The above is the detailed content of Let’s talk about using the Windows page protection mechanism for function hooking. For more information, please follow other related articles on the PHP Chinese website!