D053-测试HOOK过保护读内存

2021在线班
郁金香灬老师 QQ 150330575
交流群:158280115
学习目标 
      D053-测试HOOK过保护读内存
	 00000000FFF500F0
	 
	 
	 #include"pch.h"
#include"驱动接口.h"
 
/*
Reference disassembly (its purpose is not stated here; note the hook below targets
kernel32!ReadProcessMemory, not this ntdll call):
0000000077B24252 | E8 E9D10000      | call <ntdll.ZwQueryInformationProcess>         |
*/
// Reference prototypes, commented out here; the live declarations are presumably provided by "驱动接口.h".
//BOOL hookapi(PVOID *oldApi/*要HOOK的地址 变量 — address of the variable holding the pointer to hook; hookapi is expected to rewrite it*/, PVOID newApi/*新的函数地址 — address of the replacement function*/);//安装HOOK — install the hook
//BOOL unhookapi(PVOID *oldApi, PVOID newApi);//卸载HOOK — remove the hook
 
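// Function-pointer type matching kernel32!ReadProcessMemory. It is used both for
// the saved original pointer (old_ReadProcessMemory, below) and as the shape that
// the replacement r0_ReadProcessMemory must keep, since callers invoke the hook
// through the same ABI. The SAL annotations are carried over from the Windows
// declaration for documentation only.
// Fix: the declaration previously ended in ";;", leaving a stray empty declaration
// (flagged by -Wpedantic / older C++ modes); the extra ';' is removed.
typedef BOOL(WINAPI* CALL_ReadProcessMemory)(
	_In_ HANDLE hProcess,
	_In_ LPCVOID lpBaseAddress,
	_Out_writes_bytes_to_(nSize, *lpNumberOfBytesRead) LPVOID lpBuffer,
	_In_ SIZE_T nSize,
	_Out_opt_ SIZE_T* lpNumberOfBytesRead
	);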

// Pointer through which the hook reaches the *unhooked* ReadProcessMemory.
// It starts out as kernel32's export, but HookReadProcessMemory passes its address
// to hookapi/unhookapi, which presumably rewrite it when the hook is installed or
// removed (e.g. to a trampoline) — so after hooking, do not assume it still equals
// the raw export. Only r0_ReadProcessMemory should call through it.
CALL_ReadProcessMemory old_ReadProcessMemory = static_cast<CALL_ReadProcessMemory>(&ReadProcessMemory);

// Replacement for kernel32!ReadProcessMemory, installed by HookReadProcessMemory.
//
// Policy: reads against a real process handle are routed to the kernel driver
// (TR0API::ReadProcessMemory), which is the "bypass protection" path this lesson
// tests; a null handle or (HANDLE)-1 — the value GetCurrentProcess() returns, and
// also INVALID_HANDLE_VALUE — is handed to the original API untouched, so
// self-reads and obviously invalid handles keep their normal Win32 behaviour.
//
// Parameters and return value are exactly those of ReadProcessMemory; the hook
// must keep this signature because callers reach it through the patched export.
// The register notes record where each argument arrives under the x64 convention.
//
// NOTE(review): the contract of TR0API::ReadProcessMemory is not visible here —
// whether it validates lpBuffer/nSize (the driver must probe a user buffer itself),
// honours a null lpNumberOfBytesRead, sets the same error codes as the real API,
// or could call back into kernel32!ReadProcessMemory and re-enter this hook
// (there is no reentrancy guard). Confirm against the driver code before relying
// on it. If hookapi patches the export in place, every caller in this process is
// redirected, not only this module.
BOOL WINAPI r0_ReadProcessMemory(
	_In_ HANDLE hProcess,                                                      // rcx
	_In_ LPCVOID lpBaseAddress,                                                // rdx
	_Out_writes_bytes_to_(nSize, *lpNumberOfBytesRead) LPVOID lpBuffer,        // r8
	_In_ SIZE_T nSize,                                                         // r9
	_Out_opt_ SIZE_T* lpNumberOfBytesRead                                      // stack, rsp+0x20
)
{
	const bool routeThroughDriver = (hProcess != nullptr) && (hProcess != (HANDLE)-1);

	if (routeThroughDriver)
	{
		// Real process handle: read via the driver interface.
		return TR0API::ReadProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesRead);
	}

	// Null or pseudo-handle: fall through to the original (unhooked) API.
	return old_ReadProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesRead);
}


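// Installs (isHook != FALSE) or removes (isHook == FALSE) the ReadProcessMemory
// hook, redirecting kernel32!ReadProcessMemory to r0_ReadProcessMemory.
//
// The address of old_ReadProcessMemory is handed to hookapi/unhookapi so they can
// rewrite it (see their commented prototypes above); r0_ReadProcessMemory calls the
// original through that pointer.
//
// Returns the BOOL result of hookapi/unhookapi. Previously this function returned
// 1 unconditionally, so a failed install (e.g. the patch could not be written)
// was reported as success and the caller would carry on believing reads were
// being routed through the driver. Callers should now check the result.
//
// NOTE(review): hookapi's mechanism (inline patch vs. import-table) and its
// thread-safety while other threads may be inside ReadProcessMemory are not
// visible here; whether calling this twice with the same isHook is safe is
// likewise hookapi's/unhookapi's contract to confirm.
BOOL HookReadProcessMemory(BOOL isHook)
{
	PVOID* const originalSlot = reinterpret_cast<PVOID*>(&old_ReadProcessMemory);
	const PVOID replacement = reinterpret_cast<PVOID>(r0_ReadProcessMemory);

	if (isHook)
	{
		return hookapi(originalSlot, replacement);
	}
	return unhookapi(originalSlot, replacement);
}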

