Binary security / C/C++ / Assembly

[2019] A method for traceless API hooking in ring 3 (R3)

The setup is straightforward: pass a pointer to a callback structure to NtSetInformationProcess with PROCESS_INFORMATION_CLASS 0x28. This sets the InstrumentationCallback field in the process's KPROCESS structure. The hook stub then pushes all general-purpose registers to the stack, reserves some stack space, loads the fastcall registers the hook uses, and calls the hook. Afterwards it restores the stack and the registers and jumps to R10, which holds the return address of the syscall. RAX holds the return value of the syscall.

https://github.com/secrary/Hooking-via-InstrumentationCallback

2020-03-27 huoji
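As an added example (not code from the original post or from the linked repository), the x64 MASM stub below implements the save, fastcall, restore and `jmp r10` sequence described above, written as a syscall-return tracer of the kind monitoring tools use. `InstrumentationCallbackStub` and `SyscallReturnTracer` are assumed names, and the C tracer is assumed to follow the x64 calling convention, so only the volatile registers and the flags need saving here.

```masm
; x64 MASM (ml64) stub installed as the process InstrumentationCallback.
; The kernel enters it with RAX = syscall return value and R10 = the user-mode
; address the syscall would have returned to. Assumed C tracer (x64 ABI):
;   void SyscallReturnTracer(void *returnAddress, unsigned long status);
EXTERN SyscallReturnTracer:PROC
.CODE
InstrumentationCallbackStub PROC
    ; 1. save flags and every volatile register; the stub must be transparent
    pushfq
    push rax            ; syscall return value (NTSTATUS)
    push rcx
    push rdx
    push r8
    push r9
    push r10            ; original return address
    push r11
    push rbx            ; callee-saved, used below to remember RSP
    ; 2. build a proper call frame: 16-byte alignment plus 32 bytes shadow space
    mov rbx, rsp
    and rsp, -16
    sub rsp, 20h
    ; 3. fastcall arguments: RCX = return address, RDX = status from RAX
    mov rcx, r10
    mov rdx, rax
    call SyscallReturnTracer
    ; 4. drop the frame and restore everything, RAX and R10 included
    mov rsp, rbx
    pop rbx
    pop r11
    pop r10
    pop r9
    pop r8
    pop rdx
    pop rcx
    pop rax
    popfq
    ; 5. resume where the syscall would have returned
    jmp r10
InstrumentationCallbackStub ENDP
END
```

The callback fires on every syscall return in the process, including those made by the tracer itself, so the C side needs a per-thread re-entrancy guard (for example a TLS flag) and must not take locks the interrupted code may hold. Class 0x28 is ProcessInstrumentationCallback, and the structure passed with it carries a Version field (0 on x64), a Reserved field and the Callback pointer.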