[求助]Hook IDT 03 的问题。
发表于: 2010-5-14 14:08 3809
用MyTrap03例程hook了IDT 03。MyTrap03只是简单的将产生中断的指令0xCC (int 3) 改写成 0x90 (nop),然后恢复运行。然后编译一个简单对话框程序,其中程序的前面有一条int 3 指令。第一次运行这个对话框程序时,可以产生异常并进入MyTrap03处理,顺利显示出对话框。以后再运行时,却不会产生异常(没有进入MyTrap03),并顺利运行显示出对话框。仿佛MyTrap03的一次改写影响了以后每次对话框的运行。如何让它每次运行都进MyTrap03?以下是内存改写的代码。
//
// One 32-bit page-table entry as used by WriteCheck/ReleaseAddress below.
// Bits 0-11 are attribute flags, bits 12-31 the page frame number, so the
// struct is exactly 4 bytes. NOTE(review): this matches the 32-bit x86
// non-PAE layout only; the x86 __asm blocks below confirm a 32-bit build,
// but the layout is not valid under PAE or x64 — confirm the build target.
//
typedef struct _PTE_{
ULONG Valid : 1;            // bit 0: translation is present
ULONG Write : 1;            // bit 1: write permission; WriteCheck forces this to 1
ULONG Owner : 1;            // bit 2: user/supervisor
ULONG WriteThrough : 1;     // bit 3
ULONG CacheDisable : 1;     // bit 4
ULONG Accessed : 1;         // bit 5
ULONG Dirty : 1;            // bit 6: ReleaseAddress sets this after the write
ULONG LargePage : 1;        // bit 7
ULONG Global : 1;           // bit 8
ULONG CopyOnWrite : 1;      // bit 9: software bit; presumably marks a page whose first write must fault to get a private copy — not consulted by WriteCheck below
ULONG Prototype : 1;        // bit 10: software bit
ULONG reserved : 1;         // bit 11
ULONG PageFrameNumber : 20; // bits 12-31; WriteCheck/ReleaseAddress also use PFN == 0 as the "nothing saved" marker
} PTE, *PPTE;
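//
// Forward declarations: the helpers are defined further down in this file,
// and calling them without a prototype implicitly declares them as returning
// int, which truncates WriteCheck's pointer result on anything but 32-bit.
//
PVOID WriteCheck (IN PVOID VirtualAddress, IN PPTE Opaque);
VOID ReleaseAddress (IN PVOID VirtualAddress, IN PPTE Opaque);

ULONG MoveMemory (
IN PCHAR Destination,
IN PCHAR Source
)
/*++

Routine Description:

    Copies exactly ONE byte from Source to Destination (despite the name,
    there is no length parameter), temporarily forcing the destination
    page's PTE writable through WriteCheck and restoring it afterwards
    with ReleaseAddress.

Arguments:

    Destination - virtual address of the byte to overwrite.

    Source - virtual address of the byte to read.

Return Value:

    1 on success; 0 if Source is not a valid address or WriteCheck could
    not make the destination page writable. (The original returned NULL
    from a ULONG function; 0 is the same value with the right type.)

--*/
{
PVOID Address1;
PTE Opaque;     // original PTE saved by WriteCheck, consumed by ReleaseAddress

if (!MmIsAddressValid (Source)) {
    return 0;
}

//
// Opaque is a real PTE now rather than a ULONG_PTR reinterpreted through
// a cast; same size on x86, but the type now says what it holds.
//
Address1 = WriteCheck ((PVOID)Destination, &Opaque);
if (Address1 == NULL) {
    return 0;
}

*(PCHAR)Address1 = *(PCHAR)Source;

ReleaseAddress ((PVOID)Destination, &Opaque);
return 1;
}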
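PVOID WriteCheck (
IN PVOID VirtualAddress,
IN PPTE Opaque
)
/*++

Routine Description:

    Makes the page containing VirtualAddress writable by setting the Write
    bit of its PTE, saving the original PTE in *Opaque so ReleaseAddress
    can put it back.

    Pages whose PTE carries CopyOnWrite are deliberately refused: forcing
    Write = 1 on such a PTE skips the copy-on-write fault, so the caller's
    write lands in the shared physical page that backs the section rather
    than in a private copy, and remains visible to every other mapping of
    that page — including later processes mapping the same image — until
    the page is discarded. That is consistent with the symptom described
    in the post (the int 3 only fires the first time). A caller that needs
    to patch such a page must obtain a private copy by a route that honours
    copy-on-write instead of editing the PTE.

Arguments:

    VirtualAddress - address inside the page to make writable.

    Opaque - receives the original PTE when it was modified. Its
             PageFrameNumber is zeroed up front so that, when nothing was
             changed, ReleaseAddress sees PFN == 0 and restores nothing.

Return Value:

    VirtualAddress on success; NULL if the address is not valid or the page
    is copy-on-write.

--*/
{
PTE PteContents;
PPTE PointerPte;

Opaque->PageFrameNumber = 0;

if (!MmIsAddressValid (VirtualAddress)) {
    return NULL;
}

//
// NOTE(review): MiGetPdeAddress names the page-*directory* entry, yet the
// result is treated as the PTE of the 4K page (and the comments say PTE).
// If the PTE is intended, MiGetPteAddress is the macro with the matching
// name — confirm which one this build actually resolves to.
//
PointerPte = (PPTE)MiGetPdeAddress (VirtualAddress);

if (PointerPte->Write != 0) {
    //
    // Already writable; nothing to save, nothing to restore.
    //
    return VirtualAddress;
}

if (PointerPte->CopyOnWrite != 0) {
    //
    // See the routine header: do not write through a shared COW page.
    //
    return NULL;
}

//
// PTE is not writable, make it so, keeping a copy for ReleaseAddress.
//
PteContents = *PointerPte;
*Opaque = PteContents;

PteContents.Write = 1;
*PointerPte = PteContents;

//
// Flush this CPU's TLB entry so the new permission takes effect.
// NOTE(review): no cross-processor shootdown is performed here; another
// CPU holding a stale translation keeps the old permission — confirm the
// caller's IRQL/affinity makes that acceptable.
//
__asm
{
mov eax, VirtualAddress;
invlpg [eax];
}

return VirtualAddress;
}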
VOID ReleaseAddress (
IN PVOID VirtualAddress,
IN PPTE Opaque
)
/*++

Routine Description:

    Undoes WriteCheck. When *Opaque holds a saved PTE (PageFrameNumber
    non-zero), it is written back with Dirty set and this CPU's TLB entry
    for the page is flushed. When PageFrameNumber is 0, WriteCheck changed
    nothing and this routine does nothing.

Arguments:

    VirtualAddress - address inside the page that was made writable.

    Opaque - the PTE saved by WriteCheck, or one with PageFrameNumber == 0.

Return Value:

    None.

--*/
{
PPTE PointerPte;
PTE Restored;

ASSERT (MmIsAddressValid (VirtualAddress));

//
// PageFrameNumber == 0 is WriteCheck's "nothing was modified" marker.
//
if (Opaque->PageFrameNumber == 0) {
    return;
}

Restored = *Opaque;
Restored.Dirty = 1;         // the page was written while it was forced writable

PointerPte = (PPTE)MiGetPdeAddress (VirtualAddress);
*PointerPte = Restored;

//
// Flush this CPU's TLB entry for the page.
//
__asm
{
mov eax, VirtualAddress;
invlpg [eax];
}
}
//
// One 32-bit page-table entry as used by WriteCheck/ReleaseAddress below.
// Bits 0-11 are attribute flags, bits 12-31 the page frame number, so the
// struct is exactly 4 bytes. NOTE(review): this matches the 32-bit x86
// non-PAE layout only; the x86 __asm blocks below confirm a 32-bit build,
// but the layout is not valid under PAE or x64 — confirm the build target.
//
typedef struct _PTE_{
ULONG Valid : 1;            // bit 0: translation is present
ULONG Write : 1;            // bit 1: write permission; WriteCheck forces this to 1
ULONG Owner : 1;            // bit 2: user/supervisor
ULONG WriteThrough : 1;     // bit 3
ULONG CacheDisable : 1;     // bit 4
ULONG Accessed : 1;         // bit 5
ULONG Dirty : 1;            // bit 6: ReleaseAddress sets this after the write
ULONG LargePage : 1;        // bit 7
ULONG Global : 1;           // bit 8
ULONG CopyOnWrite : 1;      // bit 9: software bit; presumably marks a page whose first write must fault to get a private copy — not consulted by WriteCheck below
ULONG Prototype : 1;        // bit 10: software bit
ULONG reserved : 1;         // bit 11
ULONG PageFrameNumber : 20; // bits 12-31; WriteCheck/ReleaseAddress also use PFN == 0 as the "nothing saved" marker
} PTE, *PPTE;
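//
// Forward declarations: the helpers are defined further down in this file,
// and calling them without a prototype implicitly declares them as returning
// int, which truncates WriteCheck's pointer result on anything but 32-bit.
//
PVOID WriteCheck (IN PVOID VirtualAddress, IN PPTE Opaque);
VOID ReleaseAddress (IN PVOID VirtualAddress, IN PPTE Opaque);

ULONG MoveMemory (
IN PCHAR Destination,
IN PCHAR Source
)
/*++

Routine Description:

    Copies exactly ONE byte from Source to Destination (despite the name,
    there is no length parameter), temporarily forcing the destination
    page's PTE writable through WriteCheck and restoring it afterwards
    with ReleaseAddress.

Arguments:

    Destination - virtual address of the byte to overwrite.

    Source - virtual address of the byte to read.

Return Value:

    1 on success; 0 if Source is not a valid address or WriteCheck could
    not make the destination page writable. (The original returned NULL
    from a ULONG function; 0 is the same value with the right type.)

--*/
{
PVOID Address1;
PTE Opaque;     // original PTE saved by WriteCheck, consumed by ReleaseAddress

if (!MmIsAddressValid (Source)) {
    return 0;
}

//
// Opaque is a real PTE now rather than a ULONG_PTR reinterpreted through
// a cast; same size on x86, but the type now says what it holds.
//
Address1 = WriteCheck ((PVOID)Destination, &Opaque);
if (Address1 == NULL) {
    return 0;
}

*(PCHAR)Address1 = *(PCHAR)Source;

ReleaseAddress ((PVOID)Destination, &Opaque);
return 1;
}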
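PVOID WriteCheck (
IN PVOID VirtualAddress,
IN PPTE Opaque
)
/*++

Routine Description:

    Makes the page containing VirtualAddress writable by setting the Write
    bit of its PTE, saving the original PTE in *Opaque so ReleaseAddress
    can put it back.

    Pages whose PTE carries CopyOnWrite are deliberately refused: forcing
    Write = 1 on such a PTE skips the copy-on-write fault, so the caller's
    write lands in the shared physical page that backs the section rather
    than in a private copy, and remains visible to every other mapping of
    that page — including later processes mapping the same image — until
    the page is discarded. That is consistent with the symptom described
    in the post (the int 3 only fires the first time). A caller that needs
    to patch such a page must obtain a private copy by a route that honours
    copy-on-write instead of editing the PTE.

Arguments:

    VirtualAddress - address inside the page to make writable.

    Opaque - receives the original PTE when it was modified. Its
             PageFrameNumber is zeroed up front so that, when nothing was
             changed, ReleaseAddress sees PFN == 0 and restores nothing.

Return Value:

    VirtualAddress on success; NULL if the address is not valid or the page
    is copy-on-write.

--*/
{
PTE PteContents;
PPTE PointerPte;

Opaque->PageFrameNumber = 0;

if (!MmIsAddressValid (VirtualAddress)) {
    return NULL;
}

//
// NOTE(review): MiGetPdeAddress names the page-*directory* entry, yet the
// result is treated as the PTE of the 4K page (and the comments say PTE).
// If the PTE is intended, MiGetPteAddress is the macro with the matching
// name — confirm which one this build actually resolves to.
//
PointerPte = (PPTE)MiGetPdeAddress (VirtualAddress);

if (PointerPte->Write != 0) {
    //
    // Already writable; nothing to save, nothing to restore.
    //
    return VirtualAddress;
}

if (PointerPte->CopyOnWrite != 0) {
    //
    // See the routine header: do not write through a shared COW page.
    //
    return NULL;
}

//
// PTE is not writable, make it so, keeping a copy for ReleaseAddress.
//
PteContents = *PointerPte;
*Opaque = PteContents;

PteContents.Write = 1;
*PointerPte = PteContents;

//
// Flush this CPU's TLB entry so the new permission takes effect.
// NOTE(review): no cross-processor shootdown is performed here; another
// CPU holding a stale translation keeps the old permission — confirm the
// caller's IRQL/affinity makes that acceptable.
//
__asm
{
mov eax, VirtualAddress;
invlpg [eax];
}

return VirtualAddress;
}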
VOID ReleaseAddress (
IN PVOID VirtualAddress,
IN PPTE Opaque
)
/*++

Routine Description:

    Undoes WriteCheck. When *Opaque holds a saved PTE (PageFrameNumber
    non-zero), it is written back with Dirty set and this CPU's TLB entry
    for the page is flushed. When PageFrameNumber is 0, WriteCheck changed
    nothing and this routine does nothing.

Arguments:

    VirtualAddress - address inside the page that was made writable.

    Opaque - the PTE saved by WriteCheck, or one with PageFrameNumber == 0.

Return Value:

    None.

--*/
{
PPTE PointerPte;
PTE Restored;

ASSERT (MmIsAddressValid (VirtualAddress));

//
// PageFrameNumber == 0 is WriteCheck's "nothing was modified" marker.
//
if (Opaque->PageFrameNumber == 0) {
    return;
}

Restored = *Opaque;
Restored.Dirty = 1;         // the page was written while it was forced writable

PointerPte = (PPTE)MiGetPdeAddress (VirtualAddress);
*PointerPte = Restored;

//
// Flush this CPU's TLB entry for the page.
//
__asm
{
mov eax, VirtualAddress;
invlpg [eax];
}
}