InfinityHookPro
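Can this run on Windows 11 24h2 in a virtual machine?
Can this be used on Windows 11 24h2 in a virtual machine? I tried building this driver and then loaded it on 24h2, but why can I still access the test.txt file?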
[KHook::Initialize] ssdt call back ptr is 0xFFFFF8037D7042AC
[KHook::Initialize] build number is 26100
[KHook::Initialize] ntoskrnl address is 0xFFFFF803E4E00000
[KHook::Initialize] etwp debugger data is 0xFFFFF803E5C0E768
[KHook::Initialize] etwp debugger data silo is 0xFFFFBE8614851500
[KHook::Initialize] ckcl wmi logger context is 0xFFFFBE8614792040
[KHook::Initialize] get cpu clock is 0x0000000000000003
[KHook::Initialize] syscall table is 0xFFFFF803E548C000
[KHook::Initialize] HvlpReferenceTscPage is 0xFFFFF803E5DC4D88
[KHook::Initialize] HvlpReferenceTscPage Value Is 0x0
[KHook::Initialize] HvlGetQpcBias Is 0xFFFFF803E5DC0270
[KHook::Initialize] HvlGetQpcBias Value Is 0x0
[KHook::Initialize] HvlGetReferenceTimeUsingTscPage Is 0xFFFFF803E5DC0108
[KHook::Initialize] HvlGetReferenceTimeUsingTscPage Value Is 0x0
[KHook::Initialize] HalpPerformanceCounter Is 0xFFFFF803E5DC2170
[KHook::Initialize] HalpPerformanceCounter Value is 0xFFFFF7E4800091B0
[KHook::Initialize] HalpOriginalPerformanceCounter Is 0xFFFFF803E5DC2168
[KHook::Initialize] HalpOriginalPerformanceCounter Value Is 0xFFFFF7E480000110
[KHook::Start] Update GetCpuClock Is 0000000000000002
[KHook::Start] Update HvlpGetReferenceTimeUsingTscPage Value : FFFFF8037D7022A4
[KHook::Start] Original HalpPerformanceCounterType Value : 1
[KHook::Start] Update HvlGetQpcBias Value is FFFFF8037D703C90
[KHook::Start] Detect Routine Thread ID Is 1700
[KHook::Start] Detect Routine Thread Object Is FFFFBE86198EC500
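There is no "Deny Access File" log
The virtual machine test is OK on my side. I have only tested the 24H2 version on a physical machine; the logic in a virtual machine is different from that on a physical machine, so there may be differences. Try debugging it.
This solved it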
+ if (m_BuildNumber >= 22600) {
+ KUtils::Sleep(3000);
+ }
// Only proceed with patching if we're on a physical machine
- if (*m_HalpPerformanceCounterType == HALP_PERFORMANCE_COUNTER_TYPE_PHYSICAL_MACHINE) {
+ //if (*m_HalpPerformanceCounterType == HALP_PERFORMANCE_COUNTER_TYPE_PHYSICAL_MACHINE) {
// Read type check instruction from HalpTimerQueryHostPerformanceCounter to determine VM vs physical
// Reference:
// if (*(DWORD*)(HalpPerformanceCounter + 0xE4) != 7)
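Review bot: The comment "Only proceed with patching if we're on a physical machine" is now stale, because the `if (*m_HalpPerformanceCounterType == HALP_PERFORMANCE_COUNTER_TYPE_PHYSICAL_MACHINE)` check below it is commented out and the patching code runs for every counter type. Either delete the check and update the comment, or replace it with an explicit branch for the virtual-machine case so the two paths stay distinguishable. The added `KUtils::Sleep(3000)` for `m_BuildNumber >= 22600` also needs a comment saying what it waits for; a fixed 3-second delay is a timing assumption, and if there is a state to wait on, polling it with a timeout would be more reliable.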
@@ -477,7 +490,7 @@ namespace KHook
DbgPrintEx(0, 0, "[%s] m_QpcPointer MmMapLockedPagesSpecifyCache Failed!\n", __FUNCTION__);
return false;
}
- }
+ //}
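Review bot: The closing brace is commented out as `//}` to match the disabled `if`, which leaves dead code behind and the block body indented one level too deep. Remove both lines instead of commenting them out and re-indent the body. Since this block is no longer restricted to physical machines, also confirm that the `return false` after the "m_QpcPointer MmMapLockedPagesSpecifyCache Failed!" message leaves nothing half-patched when it is reached on a virtual machine.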