PAGE_GUARD HOOK 与内存扫描规避技术详解<\/h1>

1. PAGE_GUARD 基础概念<\/h2>
PAGE_GUARD 是 Windows 内存页的一种特殊属性，它为内存提供一次性警报机制：<\/p>
当访问被 PAGE_GUARD 修饰的内存地址时，会触发 STATUS_GUARD_PAGE_VIOLATION 异常<\/li>
触发后，系统会自动移除该内存页的 PAGE_GUARD 属性<\/li>
这种特性常被用于调试和内存保护机制<\/li> <\/ul>
基本使用示例<\/h3>
#include<\/span> <iostream><\/span>
<\/span><\/span><\/span>#include<\/span> <windows.h><\/span>
<\/span><\/span><\/span>#include<\/span> "loader.h"<\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>() {
<\/span><\/span>    LPVOID lpMem =<\/span> VirtualAlloc(0<\/span>, sizeof<\/span>(shellcode), MEM_COMMIT, PAGE_GUARD |<\/span> PAGE_EXECUTE_READWRITE);
<\/span><\/span>    memcpy(lpMem, shellcode, sizeof<\/span>(shellcode));  \/\/ 第一次写入会触发异常
<\/span><\/span><\/span><\/span>    memcpy(lpMem, shellcode, sizeof<\/span>(shellcode));  \/\/ 第二次写入成功
<\/span><\/span><\/span><\/span>    printf("%p<\/span>\n<\/span>"<\/span>, lpMem);
<\/span><\/span>    ((void<\/span>(*<\/span>)(void<\/span>))lpMem)();
<\/span><\/span>    system("pause"<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>注意<\/strong>：在调试环境下异常会被处理，直接运行程序会导致崩溃。<\/p>
2. 基于 PAGE_GUARD 的 Hook 技术<\/h2>
2.1 基本原理<\/h3>
利用 PAGE_GUARD 和单步异常(SINGLE_STEP)实现可持续的 Hook：<\/p>

为目标函数地址设置 PAGE_GUARD 属性<\/li>
当函数被调用时触发异常<\/li>
在异常处理中修改执行流程（实现 Hook）<\/li>
利用单步异常恢复 PAGE_GUARD 属性<\/li>
<\/ol>
2.2 关键数据结构<\/h3>
typedef<\/span> struct<\/span> _CIntelligentHookedFunction<\/span> {
<\/span><\/span>    void<\/span>*<\/span> from;     \/\/ 原函数地址
<\/span><\/span><\/span><\/span>    void<\/span>*<\/span> to;       \/\/ 目标函数地址
<\/span><\/span><\/span><\/span>    void<\/span>**<\/span> original; \/\/ 保存原函数指针
<\/span><\/span><\/span><\/span>} CIntelligentHookedFunction;
<\/span><\/span>
<\/span><\/span>typedef<\/span> struct<\/span> _CHooks<\/span> {
<\/span><\/span>    CIntelligentHookedFunction*<\/span> hookedFunctions;
<\/span><\/span>    size_t count;
<\/span><\/span>    size_t capacity;
<\/span><\/span>} CHooks;
<\/span><\/span>
<\/span><\/span>CHooks g_hooks =<\/span> { NULL, 0<\/span>, 0<\/span> };
<\/span><\/span><\/code><\/pre>2.3 异常处理回调<\/h3>
LONG NTAPI ExceptionCallBack<\/span>(struct<\/span> _EXCEPTION_POINTERS<\/span>*<\/span> ExceptionInfo) {
<\/span><\/span>    LPVOID ExceptionAddress =<\/span> ExceptionInfo-><\/span>ExceptionRecord-><\/span>ExceptionAddress;
<\/span><\/span>    
<\/span><\/span>    if<\/span> (ExceptionInfo-><\/span>ExceptionRecord-><\/span>ExceptionCode ==<\/span> EXCEPTION_GUARD_PAGE) {
<\/span><\/span>        \/\/ 处理PAGE_GUARD异常
<\/span><\/span><\/span><\/span>        #ifdef _WIN64
<\/span><\/span><\/span><\/span>        uintptr_t ip =<\/span> (uintptr_t)ExceptionInfo-><\/span>ContextRecord-><\/span>Rip;
<\/span><\/span>        #else
<\/span><\/span><\/span><\/span>        uintptr_t ip =<\/span> (uintptr_t)ExceptionInfo-><\/span>ContextRecord-><\/span>Eip;
<\/span><\/span>        #endif
<\/span><\/span><\/span><\/span>        
<\/span><\/span>        \/\/ 查找匹配的Hook
<\/span><\/span><\/span><\/span>        size_t count;
<\/span><\/span>        const<\/span> CIntelligentHookedFunction*<\/span> funcs =<\/span> CHooks_GetHookedFunctions(&<\/span>count);
<\/span><\/span>        for<\/span> (size_t i =<\/span> 0<\/span>; i <<\/span> count; ++<\/span>i) {
<\/span><\/span>            if<\/span> (ip ==<\/span> (uintptr_t)funcs[i].from) {
<\/span><\/span>                \/\/ 修改执行流程
<\/span><\/span><\/span><\/span>                #ifdef _WIN64
<\/span><\/span><\/span><\/span>                *<\/span>funcs[i].original =<\/span> (void<\/span>*<\/span>)ExceptionInfo-><\/span>ContextRecord-><\/span>Rip;
<\/span><\/span>                ExceptionInfo-><\/span>ContextRecord-><\/span>Rip =<\/span> (uintptr_t)funcs[i].to;
<\/span><\/span>                #else
<\/span><\/span><\/span><\/span>                *<\/span>funcs[i].original =<\/span> (void<\/span>*<\/span>)ExceptionInfo-><\/span>ContextRecord-><\/span>Eip;
<\/span><\/span>                ExceptionInfo-><\/span>ContextRecord-><\/span>Eip =<\/span> (uintptr_t)funcs[i].to;
<\/span><\/span>                #endif
<\/span><\/span><\/span><\/span>                break<\/span>;
<\/span><\/span>            }
<\/span><\/span>        }
<\/span><\/span>        
<\/span><\/span>        \/\/ 设置单步异常标志
<\/span><\/span><\/span><\/span>        ExceptionInfo-><\/span>ContextRecord-><\/span>EFlags |=<\/span> 0x100<\/span>;
<\/span><\/span>        return<\/span> EXCEPTION_CONTINUE_EXECUTION;
<\/span><\/span>    }
<\/span><\/span>    else<\/span> if<\/span> (ExceptionInfo-><\/span>ExceptionRecord-><\/span>ExceptionCode ==<\/span> EXCEPTION_SINGLE_STEP) {
<\/span><\/span>        \/\/ 处理单步异常，恢复PAGE_GUARD
<\/span><\/span><\/span><\/span>        #ifdef _WIN64
<\/span><\/span><\/span><\/span>        uintptr_t ip =<\/span> (uintptr_t)ExceptionInfo-><\/span>ContextRecord-><\/span>Rip;
<\/span><\/span>        #else
<\/span><\/span><\/span><\/span>        uintptr_t ip =<\/span> (uintptr_t)ExceptionInfo-><\/span>ContextRecord-><\/span>Eip;
<\/span><\/span>        #endif
<\/span><\/span><\/span><\/span>        
<\/span><\/span>        size_t count;
<\/span><\/span>        const<\/span> CIntelligentHookedFunction*<\/span> funcs =<\/span> CHooks_GetHookedFunctions(&<\/span>count);
<\/span><\/span>        for<\/span> (size_t i =<\/span> 0<\/span>; i <<\/span> count; ++<\/span>i) {
<\/span><\/span>            if<\/span> (ip ==<\/span> (uintptr_t)funcs[i].from) {
<\/span><\/span>                AddPageGuardProtect(funcs[i].from);
<\/span><\/span>                break<\/span>;
<\/span><\/span>            }
<\/span><\/span>        }
<\/span><\/span>        return<\/span> EXCEPTION_CONTINUE_EXECUTION;
<\/span><\/span>    }
<\/span><\/span>    return<\/span> EXCEPTION_CONTINUE_SEARCH;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.4 辅助函数<\/h3>
\/\/ 添加PAGE_GUARD保护
<\/span><\/span><\/span><\/span>static<\/span> void<\/span> AddPageGuardProtect<\/span>(void<\/span>*<\/span> addr) {
<\/span><\/span>    DWORD oldProtect;
<\/span><\/span>    MEMORY_BASIC_INFORMATION mbi;
<\/span><\/span>    SYSTEM_INFO sysInfo;
<\/span><\/span>    
<\/span><\/span>    GetSystemInfo(&<\/span>sysInfo);
<\/span><\/span>    VirtualQuery(addr, &<\/span>mbi, sizeof<\/span>(MEMORY_BASIC_INFORMATION));
<\/span><\/span>    VirtualProtect(addr, sysInfo.dwPageSize, mbi.Protect |<\/span> PAGE_GUARD, &<\/span>oldProtect);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 初始化Hook系统
<\/span><\/span><\/span><\/span>void<\/span> CHooks_Init<\/span>() {
<\/span><\/span>    g_hooks.hookedFunctions =<\/span> NULL;
<\/span><\/span>    g_hooks.count =<\/span> 0<\/span>;
<\/span><\/span>    g_hooks.capacity =<\/span> 0<\/span>;
<\/span><\/span>    AddVectoredExceptionHandler(1<\/span>, &<\/span>ExceptionCallBack);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 添加Hook
<\/span><\/span><\/span><\/span>void<\/span> CHooks_AddHook<\/span>(void<\/span>*<\/span> _Function, void<\/span>*<\/span> _Hooked, void<\/span>**<\/span> _Original) {
<\/span><\/span>    if<\/span> (g_hooks.count ==<\/span> g_hooks.capacity) {
<\/span><\/span>        g_hooks.capacity =<\/span> g_hooks.capacity ==<\/span> 0<\/span> ?<\/span> 4<\/span> :<\/span> g_hooks.capacity *<\/span> 2<\/span>;
<\/span><\/span>        g_hooks.hookedFunctions =<\/span> (CIntelligentHookedFunction*<\/span>)realloc(
<\/span><\/span>            g_hooks.hookedFunctions, 
<\/span><\/span>            g_hooks.capacity *<\/span> sizeof<\/span>(CIntelligentHookedFunction));
<\/span><\/span>        if<\/span> (!<\/span>g_hooks.hookedFunctions) {
<\/span><\/span>            exit(1<\/span>);
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    AddPageGuardProtect(_Function);
<\/span><\/span>    CIntelligentHookedFunction hook =<\/span> { _Function, _Hooked, _Original };
<\/span><\/span>    g_hooks.hookedFunctions[g_hooks.count++<\/span>] =<\/span> hook;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.5 使用示例<\/h3>
typedef<\/span> int<\/span>(WINAPI*<\/span> pMessageBoxW)(_In_opt_ HWND hWnd, _In_opt_ LPCWSTR lpText, 
<\/span><\/span>                                 _In_opt_ LPCWSTR lpCaption, _In_ UINT uType);
<\/span><\/span>pMessageBoxW oriMessageBoxW =<\/span> MessageBoxW;
<\/span><\/span>
<\/span><\/span>int<\/span> WINAPI myMessageBoxW<\/span>(_In_opt_ HWND hWnd, _In_opt_ LPCWSTR lpText, 
<\/span><\/span>                        _In_opt_ LPCWSTR lpCaption, _In_ UINT uType) {
<\/span><\/span>    return<\/span> oriMessageBoxW(hWnd, L<\/span>"Hooked"<\/span>, lpCaption, uType);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>() {
<\/span><\/span>    CHooks_Init();
<\/span><\/span>    CHooks_AddHook(MessageBoxW, myMessageBoxW, (void<\/span>**<\/span>)&<\/span>oriMessageBoxW);
<\/span><\/span>    
<\/span><\/span>    \/\/ 测试代码
<\/span><\/span><\/span><\/span>    MessageBoxW(NULL, L<\/span>"Original"<\/span>, L<\/span>"Test"<\/span>, MB_OK);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3. 内存扫描规避技术<\/h2>
3.1 基本原理<\/h3>
通过 Hook 内存分配函数，为敏感内存区域自动添加 PAGE_GUARD 属性：<\/p>

Hook ZwAllocateVirtualMemory<\/li>
检测内存分配请求<\/li>
对符合条件的分配添加 PAGE_GUARD 属性<\/li>
通过 VEH 处理异常<\/li>
<\/ol>
3.2 实现代码<\/h3>
\/\/ 修改后的异常处理
<\/span><\/span><\/span><\/span>LONG NTAPI ExceptionCallBack<\/span>(struct<\/span> _EXCEPTION_POINTERS<\/span>*<\/span> ExceptionInfo) {
<\/span><\/span>    if<\/span> (ExceptionInfo-><\/span>ExceptionRecord-><\/span>ExceptionCode ==<\/span> EXCEPTION_GUARD_PAGE) {
<\/span><\/span>        lastGuardAddress =<\/span> (LPVOID)ExceptionInfo-><\/span>ExceptionRecord-><\/span>ExceptionInformation[1<\/span>];
<\/span><\/span>        ExceptionInfo-><\/span>ContextRecord-><\/span>EFlags |=<\/span> 0x100<\/span>;
<\/span><\/span>        return<\/span> EXCEPTION_CONTINUE_EXECUTION;
<\/span><\/span>    }
<\/span><\/span>    else<\/span> if<\/span> (ExceptionInfo-><\/span>ExceptionRecord-><\/span>ExceptionCode ==<\/span> EXCEPTION_SINGLE_STEP) {
<\/span><\/span>        if<\/span> (lastGuardAddress !=<\/span> nullptr<\/span>) {
<\/span><\/span>            AddPageGuardProtect(lastGuardAddress);
<\/span><\/span>            lastGuardAddress =<\/span> nullptr<\/span>;
<\/span><\/span>        }
<\/span><\/span>        return<\/span> EXCEPTION_CONTINUE_EXECUTION;
<\/span><\/span>    }
<\/span><\/span>    return<\/span> EXCEPTION_CONTINUE_SEARCH;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ Hook ZwAllocateVirtualMemory
<\/span><\/span><\/span><\/span>HMODULE hNtdll =<\/span> GetModuleHandle(L<\/span>"ntdll.dll"<\/span>);
<\/span><\/span>pZwAllocateVirtualMemory ZwAllocateVirtualMemory =<\/span> 
<\/span><\/span>    (pZwAllocateVirtualMemory)(GetProcAddress(hNtdll, "ZwAllocateVirtualMemory"<\/span>));
<\/span><\/span>pZwAllocateVirtualMemory oriZwAllocateVirtualMemory =<\/span> ZwAllocateVirtualMemory;
<\/span><\/span>
<\/span><\/span>NTSTATUS NTAPI myZwAllocateVirtualMemory<\/span>(
<\/span><\/span>    _In_ HANDLE ProcessHandle,
<\/span><\/span>    _Inout_ _At_(*<\/span>BaseAddress, _Readable_bytes_(*<\/span>RegionSize) _Writable_bytes_(*<\/span>RegionSize) _Post_readable_byte_size_(*<\/span>RegionSize)) PVOID*<\/span> BaseAddress,
<\/span><\/span>    _In_ ULONG_PTR ZeroBits,
<\/span><\/span>    _Inout_ PSIZE_T RegionSize,
<\/span><\/span>    _In_ ULONG AllocationType,
<\/span><\/span>    _In_ ULONG Protect) {
<\/span><\/span>    
<\/span><\/span>    NTSTATUS status =<\/span> oriZwAllocateVirtualMemory(
<\/span><\/span>        ProcessHandle, BaseAddress, ZeroBits, RegionSize, AllocationType, Protect);
<\/span><\/span>    
<\/span><\/span>    do<\/span> {
<\/span><\/span>        if<\/span> (status !=<\/span> 0<\/span>) break<\/span>;
<\/span><\/span>        if<\/span> (ProcessHandle !=<\/span> GetCurrentProcess()) break<\/span>;
<\/span><\/span>        if<\/span> (AllocationType !=<\/span> MEM_COMMIT) break<\/span>;
<\/span><\/span>        if<\/span> (Protect !=<\/span> PAGE_EXECUTE_READWRITE) break<\/span>;
<\/span><\/span>        
<\/span><\/span>        \/\/ 符合条件的分配添加PAGE_GUARD
<\/span><\/span><\/span><\/span>        status =<\/span> oriZwAllocateVirtualMemory(
<\/span><\/span>            ProcessHandle, BaseAddress, ZeroBits, RegionSize, 
<\/span><\/span>            AllocationType, Protect |<\/span> PAGE_GUARD);
<\/span><\/span>    } while<\/span> (false);
<\/span><\/span>    
<\/span><\/span>    return<\/span> status;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 初始化
<\/span><\/span><\/span><\/span>void<\/span> VEH_init<\/span>() {
<\/span><\/span>    AddVectoredExceptionHandler(1<\/span>, &<\/span>ExceptionCallBack);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 安装Hook
<\/span><\/span><\/span><\/span>DetourTransactionBegin();
<\/span><\/span>DetourUpdateThread(GetCurrentThread());
<\/span><\/span>DetourAttach(&<\/span>(PVOID&<\/span>)oriZwAllocateVirtualMemory, myZwAllocateVirtualMemory);
<\/span><\/span>DetourTransactionCommit();
<\/span><\/span><\/code><\/pre>3.3 优化建议<\/h3>


扩展保护范围<\/strong>：除了 Hook ZwAllocateVirtualMemory，还可以 Hook NtProtectVirtualMemory，对任何修改为可执行的内存添加 PAGE_GUARD<\/p>
<\/li>

条件筛选<\/strong>：可以根据内存大小、分配模式等进一步筛选需要保护的内存区域<\/p>
<\/li>

性能考虑<\/strong>：频繁的异常处理会影响性能，需要权衡保护强度和性能开销<\/p>
<\/li>
<\/ol>
4. 技术限制与注意事项<\/h2>


调试环境差异<\/strong>：调试器会处理某些异常，导致行为与直接运行不同<\/p>
<\/li>

完整性保护<\/strong>：某些安全软件会检测和阻止这类 Hook 技术<\/p>
<\/li>

兼容性问题<\/strong>：不同 Windows 版本可能有细微的行为差异<\/p>
<\/li>

性能影响<\/strong>：异常处理会带来一定的性能开销<\/p>
<\/li>
<\/ol>
5. 参考资源<\/h2>

Hooks: Hooking using PAGE_GUARD<\/a><\/li>
Microsoft Docs: PAGE_GUARD<\/a><\/li>
Microsoft Docs: Vectored Exception Handling<\/a><\/li>
<\/ol>
PAGE_GUARD HOOK 与内存扫描规避技术详解<\/h1>

3. 内存扫描规避技术<\/h2>

5. 参考资源<\/h2> Hooks: Hooking using PAGE_GUARD<\/a><\/li> Microsoft Docs: PAGE_GUARD<\/a><\/li> Microsoft Docs: Vectored Exception Handling<\/a><\/li> <\/ol>

5. 参考资源<\/h2>

Hooks: Hooking using PAGE_GUARD<\/a><\/li>
Microsoft Docs: PAGE_GUARD<\/a><\/li>
Microsoft Docs: Vectored Exception Handling<\/a><\/li> <\/ol>
