17 Memory Forensics: Rootkit
- Format: ppt
- Size: 1.11 MB
- Pages: 32
Using the volatility memory forensics tool
title: Memory forensics tool volatility usage notes
date: 2021-5-22
tags: CTF, basics
categories: CTF basics

Memory forensics tool volatility usage notes

Command format
volatility [plugin] -f [image] --profile=[profile]

Before analysing, first identify the image to work out which operating system it came from:
volatility imageinfo -f file.raw

Once the image is identified, pass the matching operating system profile in --profile.

Common plugins

Show the notepad text currently displayed:
volatility notepad -f file.raw --profile=WinXPSP2x86

Show the password hashes of the operating system, e.g. the contents of the Windows SAM file:
volatility hashdump -f file.raw --profile=WinXPSP2x86

List all processes:
volatility psscan -f file.raw --profile=WinXPSP2x86

Scan for all file objects:
volatility filescan -f file.raw --profile=WinXPSP2x86

Scan for Windows services:
volatility svcscan -f file.raw --profile=WinXPSP2x86

Show network connections:
volatility connscan -f file.raw --profile=WinXPSP2x86

Show command-line history:
volatility cmdscan -f file.raw --profile=WinXPSP2x86

Dump the process with the given PID to the folder dump_dir:
volatility memdump -p 120 -f file.raw --profile=WinXPSP2x86 --dump-dir=dump_dir

The dumped process memory can be carved with foremost to separate the files inside; binwalk -e often has problems and the extracted files then need repairing.

Supported plugins
Plugins
-------
amcache - Print AmCache information
apihooks - Detect API hooks in process and kernel memory
atoms - Print session and window station atom tables
atomscan - Pool scanner for atom tables
auditpol - Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv
bigpools - Dump the big page pools using BigPagePoolScanner
bioskbd - Reads the keyboard buffer from Real Mode memory
cachedump - Dumps cached domain hashes from memory
callbacks - Print system-wide notification routines
clipboard - Extract the contents of the windows clipboard
cmdline - Display process command-line arguments
cmdscan - Extract command history by scanning for _COMMAND_HISTORY
connections - Print list of open connections [Windows XP and 2003 Only]
connscan - Pool scanner for tcp connections
consoles - Extract command history by scanning for _CONSOLE_INFORMATION
crashinfo - Dump crash-dump information
deskscan - Poolscaner for tagDESKTOP (desktops)
devicetree - Show device tree
dlldump - Dump DLLs from a process address space
dlllist - Print list of loaded dlls for each process
driverirp - Driver IRP hook detection
drivermodule - Associate driver objects to kernel modules
driverscan - Pool scanner for driver objects
dumpcerts - Dump RSA private and public SSL keys
dumpfiles - Extract memory mapped and cached files
dumpregistry - Dumps registry files out to disk
editbox - Displays information about Edit controls. (Listbox experimental.)
envars - Display process environment variables
eventhooks - Print details on windows event hooks
evtlogs - Extract Windows Event Logs (XP/2003 only)
filescan - Pool scanner for file objects
gahti - Dump the USER handle type information
gditimers - Print installed GDI timers and callbacks
gdt - Display Global Descriptor Table
getservicesids - Get the names of services in the Registry and return Calculated SID
getsids - Print the SIDs owning each process
handles - Print list of open handles for each process
hashdump - Dumps passwords hashes (LM/NTLM) from memory
hibinfo - Dump hibernation file information
hivedump - Prints out a hive
hivelist - Print list of registry hives.
hivescan - Pool scanner for registry hives
hpakextract - Extract physical memory from an HPAK file
hpakinfo - Info on an HPAK file
idt - Display Interrupt Descriptor Table
iehistory - Reconstruct Internet Explorer cache / history
imagecopy - Copies a physical address space out as a raw DD image
imageinfo - Identify information for the image
impscan - Scan for calls to imported functions
joblinks - Print process job link information
kdbgscan - Search for and dump potential KDBG values
kpcrscan - Search for and dump potential KPCR values
ldrmodules - Detect unlinked DLLs
limeinfo - Dump Lime file format information
linux_apihooks - Checks for userland apihooks
linux_arp - Print the ARP table
linux_aslr_shift - Automatically detect the Linux ASLR shift
linux_banner - Prints the Linux banner information
linux_bash - Recover bash history from bash process memory
linux_bash_env - Recover a process' dynamic environment variables
linux_bash_hash - Recover bash hash table from bash process memory
linux_check_afinfo - Verifies the operation function pointers of network protocols
linux_check_creds - Checks if any processes are sharing credential structures
linux_check_evt_arm - Checks the Exception Vector Table to look for syscall table hooking
linux_check_fop - Check file operation structures for rootkit modifications
linux_check_idt - Checks if the IDT has been altered
linux_check_inline_kernel - Check for inline kernel hooks
linux_check_modules - Compares module list to sysfs info, if available
linux_check_syscall - Checks if the system call table has been altered
linux_check_syscall_arm - Checks if the system call table has been altered
linux_check_tty - Checks tty devices for hooks
linux_cpuinfo - Prints info about each active processor
linux_dentry_cache - Gather files from the dentry cache
linux_dmesg - Gather dmesg buffer
linux_dump_map - Writes selected memory mappings to disk
linux_dynamic_env - Recover a process' dynamic environment variables
linux_elfs - Find ELF binaries in process mappings
linux_enumerate_files - Lists files referenced by the filesystem cache
linux_find_file - Lists and recovers files from memory
linux_getcwd - Lists current working directory of each process
linux_hidden_modules - Carves memory to find hidden kernel modules
linux_ifconfig - Gathers active interfaces
linux_info_regs - It's like 'info registers' in GDB. It prints out all the
linux_iomem - Provides output similar to /proc/iomem
linux_kernel_opened_files - Lists files that are opened from within the kernel
linux_keyboard_notifiers - Parses the keyboard notifier call chain
linux_ldrmodules - Compares the output of proc maps with the list of libraries from libdl
linux_library_list - Lists libraries loaded into a process
linux_librarydump - Dumps shared libraries in process memory to disk
linux_list_raw - List applications with promiscuous sockets
linux_lsmod - Gather loaded kernel modules
linux_lsof - Lists file descriptors and their path
linux_malfind - Looks for suspicious process mappings
linux_memmap - Dumps the memory map for linux tasks
linux_moddump - Extract loaded kernel modules
linux_mount - Gather mounted fs/devices
linux_mount_cache - Gather mounted fs/devices from kmem_cache
linux_netfilter - Lists Netfilter hooks
linux_netscan - Carves for network connection structures
linux_netstat - Lists open sockets
linux_pidhashtable - Enumerates processes through the PID hash table
linux_pkt_queues - Writes per-process packet queues out to disk
linux_plthook - Scan ELF binaries' PLT for hooks to non-NEEDED images
linux_proc_maps - Gathers process memory maps
linux_proc_maps_rb - Gathers process maps for linux through the mappings red-black tree
linux_procdump - Dumps a process's executable image to disk
linux_process_hollow - Checks for signs of process hollowing
linux_psaux - Gathers processes along with full command line and start time
linux_psenv - Gathers processes along with their static environment variables
linux_pslist - Gather active tasks by walking the task_struct->task list
linux_pslist_cache - Gather tasks from the kmem_cache
linux_psscan - Scan physical memory for processes
linux_pstree - Shows the parent/child relationship between processes
linux_psxview - Find hidden processes with various process listings
linux_recover_filesystem - Recovers the entire cached file system from memory
linux_route_cache - Recovers the routing cache from memory
linux_sk_buff_cache - Recovers packets from the sk_buff kmem_cache
linux_slabinfo - Mimics /proc/slabinfo on a running machine
linux_strings - Match physical offsets to virtual addresses (may take a while, VERY verbose)
linux_threads - Prints threads of processes
linux_tmpfs - Recovers tmpfs filesystems from memory
linux_truecrypt_passphrase - Recovers cached Truecrypt passphrases
linux_vma_cache - Gather VMAs from the vm_area_struct cache
linux_volshell - Shell in the memory image
linux_yarascan - A shell in the Linux memory image
lsadump - Dump (decrypted) LSA secrets from the registry
mac_adium - Lists Adium messages
mac_apihooks - Checks for API hooks in processes
mac_apihooks_kernel - Checks to see if system call and kernel functions are hooked
mac_arp - Prints the arp table
mac_bash - Recover bash history from bash process memory
mac_bash_env - Recover bash's environment variables
mac_bash_hash - Recover bash hash table from bash process memory
mac_calendar - Gets calendar events from Calendar.app
mac_check_fop - Validate File Operation Pointers
mac_check_mig_table - Lists entires in the kernel's MIG table
mac_check_syscall_shadow - Looks for shadow system call tables
mac_check_syscalls - Checks to see if system call table entries are hooked
mac_check_sysctl - Checks for unknown sysctl handlers
mac_check_trap_table - Checks to see if mach trap table entries are hooked
mac_compressed_swap - Prints Mac OS X VM compressor stats and dumps all compressed pages
mac_contacts - Gets contact names from Contacts.app
mac_dead_procs - Prints terminated/de-allocated processes
mac_dead_sockets - Prints terminated/de-allocated network sockets
mac_dead_vnodes - Lists freed vnode structures
mac_devfs - Lists files in the file cache
mac_dmesg - Prints the kernel debug buffer
mac_dump_file - Dumps a specified file
mac_dump_maps - Dumps memory ranges of process(es), optionally including pages in compressed swap
mac_dyld_maps - Gets memory maps of processes from dyld data structures
mac_find_aslr_shift - Find the ASLR shift value for 10.8+ images
mac_get_profile - Automatically detect Mac profiles
mac_ifconfig - Lists network interface information for all devices
mac_interest_handlers - Lists IOKit Interest Handlers
mac_ip_filters - Reports any hooked IP filters
mac_kernel_classes - Lists loaded c++ classes in the kernel
mac_kevents - Show parent/child relationship of processes
mac_keychaindump - Recovers possbile keychain keys. Use chainbreaker to open related keychain files
mac_ldrmodules - Compares the output of proc maps with the list of libraries from libdl
mac_librarydump - Dumps the executable of a process
mac_list_files - Lists files in the file cache
mac_list_kauth_listeners - Lists Kauth Scope listeners
mac_list_kauth_scopes - Lists Kauth Scopes and their status
mac_list_raw - List applications with promiscuous sockets
mac_list_sessions - Enumerates sessions
mac_list_zones - Prints active zones
mac_lsmod - Lists loaded kernel modules
mac_lsmod_iokit - Lists loaded kernel modules through IOkit
mac_lsmod_kext_map - Lists loaded kernel modules
mac_lsof - Lists per-process opened files
mac_machine_info - Prints machine information about the sample
mac_malfind - Looks for suspicious process mappings
mac_memdump - Dump addressable memory pages to a file
mac_moddump - Writes the specified kernel extension to disk
mac_mount - Prints mounted device information
mac_netstat - Lists active per-process network connections
mac_network_conns - Lists network connections from kernel network structures
mac_notesapp - Finds contents of Notes messages
mac_notifiers - Detects rootkits that add hooks into I/O Kit (e.g. LogKext)
mac_orphan_threads - Lists threads that don't map back to known modules/processes
mac_pgrp_hash_table - Walks the process group hash table
mac_pid_hash_table - Walks the pid hash table
mac_print_boot_cmdline - Prints kernel boot arguments
mac_proc_maps - Gets memory maps of processes
mac_procdump - Dumps the executable of a process
mac_psaux - Prints processes with arguments in user land (**argv)
mac_psenv - Prints processes with environment in user land (**envp)
mac_pslist - List Running Processes
mac_pstree - Show parent/child relationship of processes
mac_psxview - Find hidden processes with various process listings
mac_recover_filesystem - Recover the cached filesystem
mac_route - Prints the routing table
mac_socket_filters - Reports socket filters
mac_strings - Match physical offsets to virtual addresses (may take a while, VERY verbose)
mac_tasks - List Active Tasks
mac_threads - List Process Threads
mac_threads_simple - Lists threads along with their start time and priority
mac_timers - Reports timers set by kernel drivers
mac_trustedbsd - Lists malicious trustedbsd policies
mac_version - Prints the Mac version
mac_vfsevents - Lists processes filtering file system events
mac_volshell - Shell in the memory image
mac_yarascan - Scan memory for yara signatures
machoinfo - Dump Mach-O file format information
malfind - Find hidden and injected code
mbrparser - Scans for and parses potential Master Boot Records (MBRs)
memdump - Dump the addressable memory for a process
memmap - Print the memory map
messagehooks - List desktop and thread window message hooks
mftparser - Scans for and parses potential MFT entries
moddump - Dump a kernel driver to an executable file sample
modscan - Pool scanner for kernel modules
modules - Print list of loaded modules
multiscan - Scan for various objects at once
mutantscan - Pool scanner for mutex objects
netscan - Scan a Vista (or later) image for connections and sockets
notepad - List currently displayed notepad text
objtypescan - Scan for Windows object type objects
patcher - Patches memory based on page scans
poolpeek - Configurable pool scanner plugin
pooltracker - Show a summary of pool tag usage
printkey - Print a registry key, and its subkeys and values
privs - Display process privileges
procdump - Dump a process to an executable file sample
pslist - Print all running processes by following the EPROCESS lists
psscan - Pool scanner for process objects
pstree - Print process list as a tree
psxview - Find hidden processes with various process listings
qemuinfo - Dump Qemu information
raw2dmp - Converts a physical memory sample to a windbg crash dump
screenshot - Save a pseudo-screenshot based on GDI windows
servicediff - List Windows services (ala Plugx)
sessions - List details on _MM_SESSION_SPACE (user logon sessions)
shellbags - Prints ShellBags info
shimcache - Parses the Application Compatibility Shim Cache registry key
shutdowntime - Print ShutdownTime of machine from registry
sockets - Print list of open sockets
sockscan - Pool scanner for tcp socket objects
ssdt - Display SSDT entries
strings - Match physical offsets to virtual addresses (may take a while, VERY verbose)
svcscan - Scan for Windows services
symlinkscan - Pool scanner for symlink objects
thrdscan - Pool scanner for thread objects
threads - Investigate _ETHREAD and _KTHREADs
timeliner - Creates a timeline from various artifacts in memory
timers - Print kernel timers and associated module DPCs
truecryptmaster - Recover TrueCrypt 7.1a Master Keys
truecryptpassphrase - TrueCrypt Cached Passphrase Finder
truecryptsummary - TrueCrypt Summary
unloadedmodules - Print list of unloaded modules
userassist - Print userassist registry keys and information
userhandles - Dump the USER handle tables
vaddump - Dumps out the vad sections to a file
vadinfo - Dump the VAD info
vadtree - Walk the VAD tree and display in tree format
vadwalk - Walk the VAD tree
vboxinfo - Dump virtualbox information
verinfo - Prints out the version information from PE images
vmwareinfo - Dump VMware VMSS/VMSN information
volshell - Shell in the memory image
win10cookie - Find the ObHeaderCookie value for Windows 10
windows - Print Desktop Windows (verbose details)
wintree - Print Z-Order Desktop Windows Tree
wndscan - Pool scanner for window stations
yarascan - Scan process or kernel memory with Yara signatures

It has been a long time since I played a CTF; the Qiangwang Cup (强网杯) these past few days crushed me and showed me how much I still have not mastered, so I will start revising from forensics.
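As an added example (not part of the original post): the cross-view check that psxview automates, done by hand over the text output of pslist (EPROCESS list walk) and psscan (pool-tag scan). The two sample outputs below are constructed in the format of the Volatility 2 plugins; every PID, name, offset and timestamp is invented for this illustration.

```python
import re

# Constructed sample output in the layout of Volatility 2 `pslist` and
# `psscan`.  Not real evidence: PIDs, offsets, names and times are made up.
PSLIST_OUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     58      379 ------      0
0x8225f020 smss.exe                544      4      3       21 ------      0 2021-05-22 08:00:01 UTC+0000
0x821a2da0 explorer.exe           1464   1420     17      415      0      0 2021-05-22 08:00:20 UTC+0000
"""

PSSCAN_OUT = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x00000000023c89c8 System                4      0 0x00319000
0x000000000225f020 smss.exe            544      4 0x06a8c000 2021-05-22 08:00:01 UTC+0000
0x00000000021a2da0 explorer.exe       1464   1420 0x06c1a000 2021-05-22 08:00:20 UTC+0000
0x0000000002116b18 svchost.exe        1788   1464 0x06d30000 2021-05-22 08:03:11 UTC+0000
0x0000000001f9e4a0 notepad.exe        2012   1464 0x06e22000 2021-05-22 08:01:05 UTC+0000 2021-05-22 08:02:40 UTC+0000
"""

ROW_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)")
TIME_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}")


def parse_rows(text):
    """Map PID -> (name, ppid, exited) for each data row of a plugin dump."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, separator or blank line
        name, pid, ppid = m.group(1), int(m.group(2)), int(m.group(3))
        # Two timestamps on a psscan row mean the process has an exit time.
        exited = len(TIME_RE.findall(line)) == 2
        rows[pid] = (name, ppid, exited)
    return rows


def cross_view(pslist_text, psscan_text):
    """Return {'hidden': [...], 'terminated': [...]} as (pid, name, ppid).

    A process found by psscan (physical scan) but absent from pslist (linked
    list walk) and with no exit time is the classic signature of DKOM
    unlinking; one with an exit time is just a dead process whose EPROCESS
    block has not been reused yet, which psscan legitimately still finds.
    """
    linked = parse_rows(pslist_text)
    scanned = parse_rows(psscan_text)
    hidden, terminated = [], []
    for pid, (name, ppid, exited) in sorted(scanned.items()):
        if pid in linked:
            continue
        (terminated if exited else hidden).append((pid, name, ppid))
    return {"hidden": hidden, "terminated": terminated}


if __name__ == "__main__":
    for kind, rows in cross_view(PSLIST_OUT, PSSCAN_OUT).items():
        for pid, name, ppid in rows:
            print(f"{kind:10} pid={pid:<5} ppid={ppid:<5} {name}")
```

On a real case, feed it the saved text of `volatility pslist` and `volatility psscan` for the same image and profile; a hit in `hidden` is a lead to follow up with dlllist, handles and malfind on that PID, not a verdict by itself.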
doi:10.3969/j.issn.1671-1122.2020.11.005
Malicious Code Forensics Method Based on Hidden Behavior Characteristics of Rootkit on Linux
WEN Weiping, CHEN Xiarun, YANG Fachang (School of Software and Microelectronics, Peking University, Beijing 102600)
Abstract: In recent years, alongside the continuous development of the Internet, network security problems have emerged one after another, and forensics has remained a hard problem in countering network security threats.
Especially on the Linux platform, most mainstream open-source Linux forensics tools lag behind, are inefficient, and cannot obtain evidence from highly stealthy Trojans.
In Linux forensics research, Rootkit Trojans are highly stealthy and very harmful, and traditional detection methods struggle to detect them effectively.
To solve these problems, this paper starts from the behaviour and implementation techniques of Rootkits, studies and analyses their startup mechanism and memory-residence mechanism, distils malicious-code behaviour into detection features, and proposes a Linux malicious code forensics method based on the hidden behaviour characteristics of Rootkits.
Experiments show that the proposed forensics method achieves good detection and forensic results on all kinds of Linux malicious code, with a clear advantage in detection effectiveness over traditional forensics methods.
Keywords: computer forensics; Rootkit; malicious code; Linux system
CLC number: TP309  Document code: A  Article ID: 1671-1122(2020)11-0032-11
Chinese citation format: 文伟平,陈夏润,杨法偿.基于Rootkit隐藏行为特征的Linux恶意代码取证方法[J].信息网络安全,2020,20(11):32-42.
English citation format: WEN Weiping, CHEN Xiarun, YANG Fachang. Malicious Code Forensics Method Based on Hidden Behavior Characteristics of Rootkit on Linux[J]. Netinfo Security, 2020, 20(11): 32-42.
Malicious Code Forensics Method Based on Hidden Behavior Characteristics of Rootkit on Linux
WEN Weiping, CHEN Xiarun, YANG Fachang (School of Software and Microelectronics, Peking University, Beijing 102600, China)
Abstract: In recent years, with the continuous development of the Internet, network security problems emerge endlessly. When fighting against network security threats, forensics has always been a big problem. Especially for the Linux platform, most mainstream Linux open-source forensics tools are currently lagging behind, inefficient and unable to obtain evidence from hidden Trojans. In the research of Linux forensics, because the Rootkit Trojan has the characteristics of strong concealment and great harm, traditional detection methods are difficult to carry out effective detection. In order to solve the above problems, starting from the behavior and implementation technology of Rootkit, this paper studies and analyzes its
Received: 2020-7-8
Funding: National Natural Science Foundation of China [61872011]
Author biographies: WEN Weiping (1976-), male, Hunan, professor, PhD, main research interests: system and network security, big data and cloud security, intelligent computing security; CHEN Xiarun (1997-), male, Jiangxi, master's student, main research interests: network and system security, vulnerability discovery; YANG Fachang (1995-), male, Henan, master's student, main research interests: system security, computer forensics.
Column editor: Feng Lei
Network Communication and Security
Computer Knowledge And Technology (电脑知识与技术), 2008, Vol. 4, No. 4 (Serial No. 31)
RootKit Attack, Defence and Detection Techniques
ZHANG Guiqiang 1, LI Lanlan 2 (1. Lanzhou Petrochemical College of Vocational Technology, Lanzhou, Gansu 730060; 2. Lanzhou University, Lanzhou, Gansu 730030)
Abstract: With the development of computer network technology, network security problems receive more and more attention; at the same time, all kinds of computer viruses and Trojan programs have appeared.
Recently a special kind of Trojan program has appeared, the Rootkit. This paper introduces in detail the hiding techniques used by Rootkits and the methods for detecting them.
Keywords: Rootkit; Trojan program; network security; hiding; detection
CLC number: TP393  Document code: A  Article ID: 1009-3044(2008)31-0838-02
Defence and Detection Technology Against RootKit
ZHANG Gui-qiang 1, LI Lan-lan 2 (Lanzhou Petrochemical College of Vocational Technology, Lanzhou 730060, China; Lanzhou University, Lanzhou 730030, China)
Abstract: With the development of computer networks, the security of networks attracts more and more attention. Meanwhile, all kinds of computer viruses and Trojan programs have arisen, including a special Trojan program: RootKit. A detailed introduction to the hiding technology and detection methods of RootKit is put forward in this paper.
Key words: rootkit; trojan program; network security; hidden technology; detection
As is well known, a Trojan virus is a class of virus program that lodges itself in the user's computer system, steals the user's information, and sends it to the author over the network.
Rootkit types, functions and main techniques
Summary of Rootkit types
1. Firmware Rootkits and BIOS Rootkits. Firmware programs reside in ROM, are usually small, and use the system hardware and the BIOS to create a persistent software image.
The crafted code is implanted into the BIOS, the BIOS is reflashed, and the code gets its chance to run at the end of BIOS initialisation.
Rebooting does not help, formatting does not help, and nothing can be found on the hard disk, yet existing security software spends most of its scanning time on the hard disk.
2. Kernel-level Rootkits. Kernel-level rootkits (Kernelland Rootkits) modify the kernel, add extra code, directly modify the system call table or the system call dispatch (Syscall Jump), and can replace parts of an operating system's functionality, including the kernel and the associated device drivers.
Most current operating systems do not enforce any distinction between the kernel and device drivers.
Many kernel-mode rootkits are developed as device drivers or as loadable modules, such as loadable modules on Linux or device drivers on Windows. This class of rootkit is extremely dangerous, since it obtains unrestricted access.
If the code contains even a single error, any code operating at kernel level has a profound impact on the stability of the whole system.
Characteristics: no process; no port.
Compared with user-level rootkits, they sit at the same level as the operating system and can modify or subvert any request issued by other software.
3. User-mode Rootkits. User-mode rootkits (Userland Rootkits) run at Ring 3. Since Ring 3 is the level of user applications and has a low trust level, the operating system grants every program that runs in this layer the least privilege.
User-mode rootkits use a variety of methods to hide processes and files, inject modules, modify the registry, and so on.
4. Application-level Rootkits. Application-level rootkits replace the binary code of ordinary applications with disguised code that has Trojan characteristics; they may also use hooks, patches, code injection or other means to modify the behaviour of existing applications.
5. Library Rootkits. Library rootkits patch, hook or replace system calls in ways that hide the attacker's traces.
Rootkit techniques
Main classes of rootkits. Early rootkits were mainly application-level rootkits, which achieved hiding and backdoor access mainly by replacing system tools such as login, ps, ls and netstat, or by modifying system configuration files such as .rhosts. Hardware-level rootkits mainly means BIOS rootkits, which gain control before the system loads: they write a file to disk and have the boot loader load that file to regain control, or they use virtual-machine techniques so that the whole operating system runs under the rootkit's control. The most common rootkit today is the kernel-level rootkit.
Kernel-level rootkits can be further divided into LKM rootkits and non-LKM rootkits.
LKM rootkits are based on LKM (loadable kernel module) technology: they are loaded into kernel space through the interface the system provides, become part of the kernel, and then implement hiding and backdoor functions through techniques such as hooking system calls.
Non-LKM rootkits mainly means a way of modifying the kernel when the system does not support the LKM mechanism, chiefly by operating on memory directly through the /dev/mem and /dev/kmem devices in order to modify the kernel.
For a non-LKM rootkit to modify the kernel it first needs memory in kernel space, so it has to call kmalloc; but kmalloc is a kernel-space function that cannot be called directly from user space, which led to the idea of reaching it through int 0x80.
First an uncommon system call number is chosen, its entry is located in sys_call_table, and that entry is overwritten with the address of kmalloc by writing to /dev/mem. When that system call is then invoked from user space, execution enters kernel space through int 0x80, kmalloc runs and allocates memory, and the allocated address comes back in the eax register, so the rootkit now owns a block of kernel address space. The replacement function is written into that memory and the system call table is modified once more, which completes the system call hook.
Common rootkit functions. Hiding files: running strace ls shows that the ls command actually obtains directory entries through sys_getdents64, so files and directories can be hidden by modifying the sys_getdents64 system call or the lower-level readdir. There are also methods that modify the ext2 filesystem directly, but these are less convenient to implement and come with specific limitations.
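As an added example (not from the article): a user-space consistency check for the directory-hiding behaviour just described. A hooked sys_getdents64 or readdir filters what a listing returns but does not change the directory inode's hard-link count, which on ext2/3/4, XFS and tmpfs equals 2 plus the number of subdirectories, so the two views can be compared. The function names are mine, and the temporary tree in `self_check` is constructed for the demonstration.

```python
import os
import stat
import tempfile


def hidden_subdir_estimate(path):
    """Compare the subdirectories a getdents()-based listing returns with the
    number implied by the directory's hard-link count.

    On ext2/3/4, XFS and tmpfs a directory's st_nlink is 2 ('.' plus the
    entry in its parent) plus one '..' link per subdirectory, so
        expected_subdirs = st_nlink - 2.
    A readdir hook that filters entries changes what os.listdir() returns
    but not the inode's link count, so listed < expected is a discrepancy
    worth investigating (the classic unhide/rkhunter heuristic).

    Returns (expected, listed, suspicious).  Filesystems that do not keep
    the convention (btrfs and overlayfs report nlink == 1 for directories)
    are reported as (None, None, False) rather than as a false alarm.
    """
    nlink = os.lstat(path).st_nlink
    if nlink < 2:
        return None, None, False  # convention not maintained on this fs
    expected = nlink - 2
    listed = 0
    for name in os.listdir(path):
        try:
            st = os.lstat(os.path.join(path, name))
        except OSError:
            continue  # entry vanished between listdir() and lstat()
        if stat.S_ISDIR(st.st_mode):  # lstat: a symlink to a dir adds no '..' link
            listed += 1
    return expected, listed, listed < expected


def self_check(n_subdirs=3):
    """Build a constructed temporary tree with n_subdirs subdirectories plus
    one symlink and run the check; on a filesystem that keeps the nlink
    convention the result is (n_subdirs, n_subdirs, False)."""
    with tempfile.TemporaryDirectory() as root:
        for i in range(n_subdirs):
            os.mkdir(os.path.join(root, f"d{i}"))
        os.symlink(root, os.path.join(root, "link"))  # must not be counted
        return hidden_subdir_estimate(root)


if __name__ == "__main__":
    print(self_check())
```

A `suspicious` result only says the kernel's view of the directory and the listing disagree; confirm it from a memory image with linux_check_syscall and linux_check_fop, or from a clean boot medium, before drawing conclusions.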
I. Rootkit examples
A rootkit embedded in the MBR: Mebroot uses the rootkit to download a 450 KB file, stores itself in the last few sectors of the hard disk, and writes its own boot manager into the MBR. It hides its disk access from inside the kernel by overriding DISK.sys and calling DISK.sys itself, creates a watchdog thread that reinstalls the rootkit if it is not installed, locates hidden and undocumented NDIS functions, talks to NDIS directly, and builds its own TCP/IP stack.
Rootkits generally come in two types, user mode and kernel mode. User-mode rootkits such as HackerDefender100r are easy to detect, but holy_father released a modified version of HxDef named Silver and Gold and began selling it, and it can also evade system-level processes. Kernel-mode rootkits run at the same level as device drivers; a kernel rootkit cannot work on every version of Windows and adds to the instability of the operating system. Every rootkit can be detected, but the difficulty and time of accurate detection exceed the value of the result.
II. The art of hooking
2.1 Soft hooks. Attach to the process and use the INT 3 interrupt instruction to intercept program flow. Hooking Firefox: a hook is set on PR_Write; when the hook fires, the ASCII string pointed to by the second argument on the stack is read, and if it matches the previously defined pattern variable it is printed to the console. If a soft hook is placed on a frequently called function, the target process may run extremely slowly or crash, because the INT 3 instruction the soft hook relies on hands control to the interrupt handling routine until the hook code finishes and returns control to the target process; if that has to happen thousands of times a second, a large performance loss is unavoidable.
2.2 Hard hooks. A hard-coded jump instruction is written into the target process so that hook code, itself written in assembly, gets executed. Soft hooks are suited to intercepting rarely called functions; for frequently called functions, hard hooks are the only choice if the impact on the target process is to be kept minimal. The primary targets of hard hooks are the frequently called heap-management routines and high-volume file I/O operations.
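As an added example (not from the excerpt above): the defender's counterpart to the soft and hard hooks just described, classifying a function's entry bytes as an INT 3 breakpoint, a JMP that leaves the owning module, an in-module JMP, or clean. This is the kind of check the apihooks plugin performs over a memory image; here the 32-bit module range, the function address and the byte samples are all constructed for illustration, and `make_jmp` exists only to build test input.

```python
import struct

# Constructed 32-bit module layout for the example (not from any real binary):
# the "module" occupies [MOD_BASE, MOD_BASE + MOD_SIZE) in the target process.
MOD_BASE = 0x10000000
MOD_SIZE = 0x00040000


def inspect_entry(func_addr, first_bytes):
    """Classify the first bytes at a function's entry point.

    Returns (verdict, jump_target) where verdict is one of:
      'soft-hook'    : 0xCC (INT 3) replaced the first opcode byte, the
                       breakpoint-style hook a debugger-driven hooker plants.
      'hard-hook'    : 0xE9 rel32 (JMP) whose target falls outside the owning
                       module, i.e. control is redirected into foreign code.
      'jmp-internal' : a JMP that stays inside the module (thunk/tail call).
      'clean'        : anything else.
    """
    if not first_bytes:
        raise ValueError("need at least one byte")
    op = first_bytes[0]
    if op == 0xCC:
        return "soft-hook", None
    if op == 0xE9 and len(first_bytes) >= 5:
        rel = struct.unpack_from("<i", first_bytes, 1)[0]  # signed rel32
        target = (func_addr + 5 + rel) & 0xFFFFFFFF      # 32-bit wraparound
        inside = MOD_BASE <= target < MOD_BASE + MOD_SIZE
        return ("jmp-internal" if inside else "hard-hook"), target
    return "clean", None


def make_jmp(from_addr, to_addr):
    """Encode a 5-byte relative JMP; used here only to build sample input."""
    rel = (to_addr - (from_addr + 5)) & 0xFFFFFFFF
    return b"\xE9" + struct.pack("<I", rel)


# Constructed samples: (function address, first bytes observed at that address).
FUNC = MOD_BASE + 0x1234
SAMPLES = {
    "clean": (FUNC, bytes.fromhex("8bff558bec83ec18")),   # mov edi,edi; push ebp; ...
    "soft":  (FUNC, bytes.fromhex("cc8bec83ec18")),       # INT 3 over the first byte
    "hard":  (FUNC, make_jmp(FUNC, 0x7C901234) + b"\x90\x90"),       # JMP out of module
    "thunk": (FUNC, make_jmp(FUNC, MOD_BASE + 0x2000) + b"\x90\x90"),  # JMP within module
}


def scan(samples=SAMPLES):
    """Verdict per sample name."""
    return {name: inspect_entry(addr, data)[0] for name, (addr, data) in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name:6} -> {verdict}")
```

A real scanner reads the bytes from the process or image and the module bounds from its loaded-module list; an in-module JMP is normal for hot-patchable or incrementally linked code, which is why the target is checked rather than the opcode alone.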