[Help] On the "modifying DebugPort" article: constant blue screens
Posted: 2010-10-30 17:11
Following the expert's article at http://bbs.pediy.com/showthread.php?t=80971 (old as it is),
a while ago I remembered this method again as a way to counter DebugPort zeroing, and, combined with the 2003 WRK I had found, tried it once more.
Still a failure.
I searched the forum and found a thread about IRQL being too high, but the result of my WinDbg debugging is not that.
The key function is still DbgkpQueueMessage: if I modify everything except that one function, nothing goes wrong, it is only that OllyDbg cannot attach.
That can be discussed later, but as soon as that function is modified, even a refresh produces the error.
Driver code (the module-base helper, the unload routine, the replacement offset and the per-build byte offsets are in the attached source, not in the snippet; they are declared at the top so the fragment compiles, with signatures taken from the call sites):
#include <ntddk.h>

/* Defined in the attached source, not shown in the post. */
extern PVOID KernelGetModuleBase(PDRIVER_OBJECT pDriverObj, const char *pModuleName);
extern VOID  DriverUnload(PDRIVER_OBJECT pDriverObj);
extern LONG  MyDebugPort;   /* EPROCESS offset that takes over the DebugPort role */
/* Byte offsets, relative to the kernel image base, of every place the kernel
 * reads EPROCESS.DebugPort (disp32 of the instruction) or tests the
 * HideFromDebugger thread flag (the conditional jump that follows the test). */
extern ULONG PspCreateProcess_Debug_OffSet,
             MmCreatePeb_Debug_OffSet,
             DbgkCreateThread_DebugPort_OffSet,
             KiDispatchException_DebugPort_OffSet,
             DbgkForwardException_DebugPort_OffSet,
             DbgkpQueueMessage_DebugPort_OffSet,
             DbgkMapViewOfSection_DebugPort_OffSet,
             DbgkUnMapViewOfSection_DebugPort_OffSet,
             DbgkpSetProcessDebugObject_DebugPort_OffSet,
             DbgkpMarkProcessPeb_DebugPort_OffSet,
             DbgkForwardException_PS_CROSS_THREAD_FLAGS_HIDEFROMDBG,
             DbgkMapViewOfSection_PS_CROSS_THREAD_FLAGS_HIDEFROMDBG,
             DbgkUnMapViewOfSection_PS_CROSS_THREAD_FLAGS_HIDEFROMDBG;

static PMDL  MDSystemCall = NULL;   /* MDL describing the first 2 MB of the kernel image */
static PLONG MappedSCT    = NULL;   /* writable system-space mapping of those pages */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString)
{
	PVOID KernelBase = NULL, pTmp = NULL;
	PLONG DebugValue = NULL;

	/* Locate the kernel image; the file name depends on the installed kernel flavour. */
	KernelBase = KernelGetModuleBase( pDriverObj, "ntkrnlup.exe" );
	if (!KernelBase)
	{
		KernelBase = KernelGetModuleBase( pDriverObj, "ntkrnlpa.exe" );
	}
	if (!KernelBase)
	{
		KernelBase = KernelGetModuleBase( pDriverObj, "ntoskrnl.exe" );
	}
	if (!KernelBase)
	{
		DbgPrint("Not Find The KernelBase Address\n");
		return STATUS_UNSUCCESSFUL;
	}
	DbgPrint( "The KernelBase Address : 0x%08X\n", KernelBase );

	/* Map the kernel's code pages through an MDL so the write-protected image can be patched. */
	MDSystemCall = MmCreateMdl( NULL, KernelBase, 0x200000 );
	if (!MDSystemCall) return STATUS_UNSUCCESSFUL;   /* the posted code was missing the 'return' here */
	MmBuildMdlForNonPagedPool(MDSystemCall);
	MDSystemCall->MdlFlags = MDSystemCall->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;
	MappedSCT = (PLONG)MmMapLockedPages(MDSystemCall, KernelMode);
	if (!MappedSCT)
	{
		IoFreeMdl(MDSystemCall);
		return STATUS_UNSUCCESSFUL;
	}

	// Patch: each site below holds the 32-bit displacement of an EPROCESS.DebugPort
	// access; replace it with the new offset. DbgkCreateThread encodes the field as a
	// negative displacement, hence -MyDebugPort there.
	DebugValue = (PLONG)( (LONG)MappedSCT + PspCreateProcess_Debug_OffSet );
	InterlockedExchange( DebugValue, MyDebugPort );
	DebugValue = (PLONG)( (LONG)MappedSCT + MmCreatePeb_Debug_OffSet );
	InterlockedExchange( DebugValue, MyDebugPort );
	DebugValue = (PLONG)( (LONG)MappedSCT + DbgkCreateThread_DebugPort_OffSet );
	InterlockedExchange( DebugValue, -MyDebugPort );
	DebugValue = (PLONG)( (LONG)MappedSCT + KiDispatchException_DebugPort_OffSet );
	InterlockedExchange( DebugValue, MyDebugPort );
	DebugValue = (PLONG)( (LONG)MappedSCT + DbgkForwardException_DebugPort_OffSet );
	InterlockedExchange( DebugValue, MyDebugPort );
	DebugValue = (PLONG)( (LONG)MappedSCT + DbgkpQueueMessage_DebugPort_OffSet );// this is the one that crashes
	InterlockedExchange( DebugValue, MyDebugPort );
	DebugValue = (PLONG)( (LONG)MappedSCT + DbgkMapViewOfSection_DebugPort_OffSet );
	InterlockedExchange( DebugValue, MyDebugPort );
	DebugValue = (PLONG)( (LONG)MappedSCT + DbgkUnMapViewOfSection_DebugPort_OffSet );
	InterlockedExchange( DebugValue, MyDebugPort );
	DebugValue = (PLONG)( (LONG)MappedSCT + DbgkpSetProcessDebugObject_DebugPort_OffSet );
	InterlockedExchange( DebugValue, MyDebugPort );
	DebugValue = (PLONG)( (LONG)MappedSCT + DbgkpMarkProcessPeb_DebugPort_OffSet );
	InterlockedExchange( DebugValue, MyDebugPort );
	// NOP out the HideFromDebugger checks: 6 bytes for a jcc rel32, 2 bytes for a jcc rel8.
	pTmp = (PVOID)( (LONG)MappedSCT + DbgkForwardException_PS_CROSS_THREAD_FLAGS_HIDEFROMDBG );
	memset( pTmp, 0x90, 6 );
	pTmp = (PVOID)( (LONG)MappedSCT + DbgkMapViewOfSection_PS_CROSS_THREAD_FLAGS_HIDEFROMDBG );
	memset( pTmp, 0x90, 6 );
	pTmp = (PVOID)( (LONG)MappedSCT + DbgkUnMapViewOfSection_PS_CROSS_THREAD_FLAGS_HIDEFROMDBG );
	memset( pTmp, 0x90, 2 );
	// END

	MmUnmapLockedPages(MappedSCT, MDSystemCall);
	IoFreeMdl(MDSystemCall);

	pDriverObj->DriverUnload = DriverUnload;
	return STATUS_SUCCESS;
}


Here is the WinDbg error output as well:
Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Kernel Debugger connection established.
Symbol search path is: D:\LocalSymbols;srv*D:\LocalSymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 UP Free x86 compatible
Built by: 2600.xpsp_sp3_gdr.080814-1236
Kernel base = 0x80800000 PsLoadedModuleList = 0x808841c0
System Uptime: not available
Physical Address: 1000     Length: 9e000
Physical Address: 100000     Length: 1fef0000
Total Physical Memory: 536403968 (1ff8e000)
Modified-> Physical Memory Pages: 130958 (1ff8e)
Physical Address: 1000     Length: 9e000
Physical Address: 100000     Length: 1fef0000
Total Physical Memory: 536403968 (1ff8e000)
Modified-> Physical Memory Pages: 130958 (1ff8e)
Physical Address: 1000     Length: 9e000
Physical Address: 100000     Length: 1fef0000
Total Physical Memory: 536403968 (1ff8e000)
Modified-> Physical Memory Pages: 130958 (1ff8e)
Enter DriverEntry(82B96910,800928A0)
Required extension size: max: 3045652 Min: 54464
The KernelBase Address : 0x80800000
Access violation - code c0000005 (!!! second chance !!!)
hal!ExAcquireFastMutex+0xc:
80a18134 ff09            dec     dword ptr [ecx]
kd> !analyze -v
Connected to Windows XP 2600 x86 compatible target, ptr64 FALSE
Loading Kernel Symbols
...........................................................................................................................
Loading User Symbols
.............................................................................
Loading unloaded module list
............................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Unknown bugcheck code (0)
Unknown bugcheck description
Arguments:
Arg1: 00000000
Arg2: 00000000
Arg3: 00000000
Arg4: 00000000

Debugging Details:
------------------

PROCESS_NAME:  explorer.exe

FAULTING_IP:
hal!ExAcquireFastMutex+c
80a18134 ff09            dec     dword ptr [ecx]

EXCEPTION_RECORD:  f4e8e498 -- (.exr 0xfffffffff4e8e498)
ExceptionAddress: 7c812aeb (kernel32!RaiseException+0x00000053)
   ExceptionCode: 000006ba
  ExceptionFlags: 00000001
NumberParameters: 0

ERROR_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"

WRITE_ADDRESS:  7ce7cc40

BUGCHECK_STR:  ACCESS_VIOLATION

DEFAULT_BUCKET_ID:  CODE_CORRUPTION

TRAP_FRAME:  f4e8e824 -- (.trap 0xfffffffff4e8e824)
ErrCode = 00000000
eax=0007dcd4 ebx=00000001 ecx=00000000 edx=00000000 esi=00000000 edi=5fdd4398
eip=7c812aeb esp=0007dcd0 ebp=0007dd24 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
kernel32!RaiseException+0x53:
001b:7c812aeb 5e              pop     esi
Resetting default scope

LAST_CONTROL_TRANSFER:  from 80983316 to 80a18134

STACK_TEXT:  
f4e8df34 80983316 00000000 82aecfe8 00000000 hal!ExAcquireFastMutex+0xc
f4e8e000 809844dd 82aecda0 82aecb28 f4e8e038 nt!DbgkpQueueMessage+0x11f
f4e8e024 80939c91 f4e8e038 00000001 f4e8e824 nt!DbgkpSendApiMessage+0x45
f4e8e0b0 8082c113 f4e8e498 00000001 00000000 nt!DbgkForwardException+0x8f
f4e8e470 8082c3fc f4e8e498 00000000 f4e8e824 nt!KiDispatchException+0x1f4
f4e8e7f4 8080b06b 0007dcd4 0007d9f0 00000000 nt!KiRaiseException+0x175
f4e8e810 808077ec 0007dcd4 0007d9f0 00000001 nt!NtRaiseException+0x31
f4e8e810 7c812aeb 0007dcd4 0007d9f0 00000001 nt!KiFastCallEntry+0xf8
0007dd24 77e80462 000006ba 00000001 00000000 kernel32!RaiseException+0x53
0007dd3c 77e80750 000006ba 0007e148 0007e12c RPCRT4!RpcpRaiseException+0x24
0007dd4c 77ed460b 0007dd98 0000003c 00115110 RPCRT4!NdrGetBuffer+0x40
0007e12c 5fdd9204 5fdd4398 5fdd7fea 0007e148 RPCRT4!NdrClientCall2+0x195
0007e140 5fdd917d 00000000 0007e168 ffffffff NETAPI32!NetrShareEnum+0x1b
0007e1a0 769625b0 00000000 000001f6 7696c004 NETAPI32!NetShareEnum+0x6c
0007e1d8 76962b92 0007e448 7696c024 7696c00c ntshrui!CShareCache::RefreshNoCritSec+0x2d
0007e1ec 7696166a 0007e448 00000001 0007e448 ntshrui!CShareCache::IsPathShared+0x29
0007e204 7d5c0c41 0007e448 00000001 77d2929a ntshrui!IsPathSharedW+0x2a
0007e428 7d677b02 0007e448 00000001 00007103 SHELL32!IsShared+0x9c
0007e654 7d67b5af 00000100 000e1108 000e1108 SHELL32!CDefView::_ReloadListviewContent+0x55
0007e684 7d67b66b 00000001 000e1108 00000000 SHELL32!CDefView::_ReloadContent+0xc6
0007e6b4 7d67c7c2 000e1108 77d2929a 00000000 SHELL32!CDefView::Refresh+0xa4
0007ebcc 7d5cbe2d 00000000 00007103 00000000 SHELL32!CDefView::_OnCommand+0x8c5
0007ed48 7d5c44ff 00010082 00000111 00007103 SHELL32!CDefView::WndProc+0x7aa
0007ed8c 77d18734 00010082 00000111 00007103 SHELL32!CDefView::s_WndProc+0x72
0007edb8 77d18816 7d5c44a9 00010082 00000111 USER32!InternalCallWinProc+0x28
0007ee20 77d2927b 0009d2c8 7d5c44a9 00010082 USER32!UserCallWinProcCheckWow+0x150
0007ee5c 77d292e3 00598ae8 00598a50 00007103 USER32!SendMessageWorker+0x4a5
0007ee7c 7d6fe878 00010082 00000111 00007103 USER32!SendMessageW+0x7f
0007ee9c 7d6fe4bf 000de158 0007f204 20000000 SHELL32!CContextMenuOnHMENU::InvokeCommand+0x3b
0007eeb8 7d675d63 00102bb8 0007f204 0007f244 SHELL32!CContextMenuOnContextMenuArray::InvokeCommand+0x44
0007f1e8 7d678d11 00102bb8 0007f204 77d29930 SHELL32!CDefView::_InvokeContextMenu+0xb0
0007f4f0 7d67bb46 00102bb8 00000000 0000018c SHELL32!CDefView::_DoContextMenuPopup+0x37e
0007f53c 7d5cbe9e 00010011 00000000 000e1108 SHELL32!CDefView::ContextMenu+0x1e4
0007f6b0 7d5c44ff 00010082 0000007b 00010084 SHELL32!CDefView::WndProc+0x840
0007f6f4 77d18734 00010082 0000007b 00010084 SHELL32!CDefView::s_WndProc+0x72
0007f720 77d18816 7d5c44a9 00010082 0000007b USER32!InternalCallWinProc+0x28
0007f788 77d28ea0 0009d2c8 7d5c44a9 00010082 USER32!UserCallWinProcCheckWow+0x150
0007f7dc 77d28eec 00598ae8 0000007b 00010084 USER32!DispatchClientMessage+0xa3
0007f804 7c92e453 0007f814 00000018 00598ae8 USER32!__fnDWORD+0x24
0007f804 8080bb1c 0007f814 00000018 00598ae8 ntdll!KiUserCallbackDispatcher+0x13
f4e8ead8 8088fb60 f4e8eb94 f4e8eb98 f4e8eb68 nt!KiCallUserMode+0x4
f4e8eb34 bf813d1b 00000002 f4e8eb78 00000018 nt!KeUserModeCallback+0x87
f4e8ebb8 bf813eb1 bbe38ae8 0000007b 00010084 win32k!SfnDWORD+0xa8
f4e8ec00 bf8140a3 00e38ae8 0000007b 00010084 win32k!xxxSendMessageToClient+0x176
f4e8ec4c bf80ec46 bbe38ae8 0000007b 00010084 win32k!xxxSendMessageTimeout+0x1a6
f4e8ec70 bf80b169 bbe38ae8 0000007b 00010084 win32k!xxxSendMessage+0x1b
f4e8ecd4 bf80ec0c bbe38b98 0000007b 00010084 win32k!xxxRealDefWindowProc+0xaeb
f4e8ecec bf8209e7 bbe38b98 0000007b 00010084 win32k!xxxWrapRealDefWindowProc+0x16
f4e8ed08 bf80ee53 bbe38b98 0000007b 00010084 win32k!NtUserfnNCDESTROY+0x27
f4e8ed40 808077ec 00010084 0000007b 00010084 win32k!NtUserMessageCall+0xae
f4e8ed40 7c92e4f4 00010084 0000007b 00010084 nt!KiFastCallEntry+0xf8
0007f804 7c92e453 0007f814 00000018 00598ae8 ntdll!KiFastSystemCallRet
0007f828 77d194be 77d28e0d 00010084 0000007b ntdll!KiUserCallbackDispatcher+0x13
0007f87c 77d28dd9 00010084 0000007b 00010084 USER32!NtUserMessageCall+0xc
0007f898 5adc1af6 00010084 0000007b 00010084 USER32!RealDefWindowProcW+0x47
0007f8f0 5adc1b3d 00000000 00000000 00010084 UxTheme!_ThemeDefWindowProc+0x16e
0007f90c 77d294ed 00010084 0000007b 00010084 UxTheme!ThemeDefWindowProcW+0x18
0007f954 771d0d82 00010084 0000007b 00010084 USER32!DefWindowProcW+0x6b
0007fac0 77d18734 00010084 0000007b 00010084 comctl32!ListView_WndProc+0xf0
0007faec 77d18816 771d0c92 00010084 0000007b USER32!InternalCallWinProc+0x28
0007fb54 77d2927b 0009d2c8 771d0c92 00010084 USER32!UserCallWinProcCheckWow+0x150
0007fb90 77d292e3 00598b98 00594f38 00010084 USER32!SendMessageWorker+0x4a5
0007fbb0 771d0a7e 00010084 0000007b 00010084 USER32!SendMessageW+0x7f
0007fc30 771d0ab6 00010084 00000000 0000018c comctl32!ListView_HandleMouse+0x57b
0007fc50 771d14e9 0009f630 00000000 0000018c comctl32!ListView_OnButtonDown+0x1b
0007fdc0 77d18734 00010084 00000204 00000002 comctl32!ListView_WndProc+0x857
0007fdec 77d18816 771d0c92 00010084 00000204 USER32!InternalCallWinProc+0x28
0007fe54 77d189cd 0009d2c8 771d0c92 00010084 USER32!UserCallWinProcCheckWow+0x150
0007feb4 77d18a10 0007fed4 00000000 0007fef0 USER32!DispatchMessageWorker+0x306
0007fec4 7d5c4bcf 0007fed4 000d3a30 00010084 USER32!DispatchMessageW+0xf
0007fef0 7d5c4a64 7c80932e 000d3a30 000d3a30 SHELL32!CDesktopBrowser::_PeekForAMessage+0x66
0007ff08 7d5dd034 00000000 0007ff5c 01013256 SHELL32!CDesktopBrowser::_MessageLoop+0x14
0007ff14 01013256 000d3a30 7ffd9000 0007ffc0 SHELL32!SHDesktopMessageLoop+0x24
0007ff5c 0101a5c7 00000000 00000000 000205e2 Explorer!ExplorerWinMain+0x2db
0007ffc0 7c817067 00000010 000810c0 7ffd9000 Explorer!ModuleEntry+0x6d

STACK_COMMAND:  kb

CHKIMG_EXTENSION: !chkimg -lo 50 -d !nt
    80801fd7 - nt!KiXMMIZeroPage+73
        [ fb:90 ]
    80801fdd-80801fe0  4 bytes - nt!KiXMMIZeroPage+79 (+0x06)
        [ 5c ff ff ff:a2 a0 19 02 ]
    808023b6-808023ba  5 bytes - nt!ExAcquireResourceSharedLite+10 (+0x3d9)
        [ fa 8b 75 08 33:e9 d4 8d 14 02 ]
    80807773-80807779  7 bytes - nt!KiFastCallEntry+7f (+0x53bd)
        [ c7 45 08 00 0d db ba:e9 15 49 19 02 cc cc ]
    808077fd-80807801  5 bytes - nt!KiServiceExit (+0x8a)
        [ fa f7 45 70 00:e9 a8 39 14 02 ]
    808078eb-808078ed  3 bytes - nt!KiSystemCallExitBranch+2 (+0xee)
        [ 5a 59 9d:c8 02 04 ]
    8080805c-80808060  5 bytes - nt!KiExceptionExit (+0x771)
        [ fa f7 45 70 00:e9 7c 31 14 02 ]
    8080a6f0-8080a6f4  5 bytes - nt!KiTrap0E+a4 (+0x2694)
        [ fb f7 45 70 00:90 e9 04 0b 14 ]
    8080be1d-8080be20  4 bytes - nt!ExfInterlockedInsertHeadList+1 (+0x172d)
        [ fa 8b 01 89:e9 1a 02 19 ]
    8080be35-8080be3a  6 bytes - nt!ExfInterlockedInsertTailList+1 (+0x18)
        [ fa 8b 41 04 89 0a:e9 25 02 19 02 cc ]
    8080be51-8080be52  2 bytes - nt!ExfInterlockedRemoveHeadList+1 (+0x1c)
        [ fa 8b:e9 be ]
    8080be54-8080be55  2 bytes - nt!ExfInterlockedRemoveHeadList+4 (+0x03)
        [ 3b c1:19 02 ]
    8080c5db-8080c5df  5 bytes - nt!ExAcquireResourceExclusiveLite+7 (+0x787)
        [ 64 a1 24 01 00:e9 74 eb 13 02 ]
    8080c5fe-8080c602  5 bytes - nt!ExAcquireResourceExclusiveLite+47 (+0x23)
        [ 89 46 1c 66 89:e9 6f eb 13 02 ]
    80811a15-80811a1a  6 bytes - nt!ExAcquireSharedWaitForExclusive+10 (+0x5417)
        [ fa 8b 75 08 33 db:e9 a2 a6 18 02 cc ]
    80811a34 - nt!ExAcquireSharedWaitForExclusive+ae (+0x1f)
        [ fb:90 ]
    80811a39-80811a40  8 bytes - nt!ExAcquireSharedWaitForExclusive+ef (+0x05)
        [ c2 08 00 90 90 90 90 90:0f c7 c8 02 03 c2 08 00 ]
    8081638c-80816392  7 bytes - nt!CcGetActiveVacb+5 (+0x4953)
        [ fa 8b 45 08 8b 48 48:e9 3a 5d 18 02 cc cc ]
    8081a34c-8081a353  8 bytes - nt!CcSetActiveVacb+7 (+0x3fc0)
        [ fa 8b 45 08 83 78 48 00:e9 cf 1d 18 02 cc cc cc ]
    8081a36f-8081a37c  14 bytes - nt!CcSetActiveVacb+a3 (+0x23)
        [ 8b 0a 89 48 48 89 58 50:e9 9c 1d 18 02 e9 8b 1d ]
// from here on are the changes I made myself
    8082c0df - nt!KiDispatchException+189 (+0x11d70)
        [ bc:70 ]
    808a65df-808a65e4  6 bytes - nt!DbgkMapViewOfSection+39
        [ 0f 85 d6 36 09 00:90 90 90 90 90 90 ]
    808a65e7 - nt!DbgkMapViewOfSection+41 (+0x08)
        [ bc:70 ]
    808a6642-808a6643  2 bytes - nt!DbgkUnMapViewOfSection+2d (+0x5b)
        [ 75 0d:90 90 ]
    808a6646 - nt!DbgkUnMapViewOfSection+31 (+0x04)
        [ bc:70 ]
    808a9cc7 - nt!MmCreatePeb+d8 (+0x3681)
        [ bc:70 ]
    808b0e34-808b0e39  6 bytes - nt!DbgkForwardException+38 (+0x716d)
        [ 0f 85 08 8e 08 00:90 90 90 90 90 90 ]
    808b0e3c - nt!DbgkForwardException+40 (+0x08)
        [ bc:70 ]
    808fdb56 - nt!DbgkCreateThread+159 (+0x4cd1a)
        [ 44:90 ]
    80923631 - nt!PspCreateProcess+1ab (+0x25adb)
        [ bc:70 ]
    80982f89 - nt!DbgkpMarkProcessPeb+44 (+0x5f958)
        [ bc:70 ]
    80983274 - nt!DbgkpQueueMessage+7d (+0x2eb)
        [ bc:70 ]
    80984007 - nt!DbgkpSetProcessDebugObject+58 (+0xd93)
        [ bc:70 ]
127 errors : !nt (80801fd7-80984007)

MODULE_NAME: memory_corruption

IMAGE_NAME:  memory_corruption

FOLLOWUP_NAME:  memory_corruption

DEBUG_FLR_IMAGE_TIMESTAMP:  0

MEMORY_CORRUPTOR:  LARGE

FAILURE_BUCKET_ID:  MEMORY_CORRUPTION_LARGE

BUCKET_ID:  MEMORY_CORRUPTION_LARGE

Followup: memory_corruption
---------

Please take a look and give me some pointers. I have tried several times and cannot find the cause; it is driving me crazy...

Source code attached as well.
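The driver above stores new displacement values and NOP runs at fixed offsets in the mapped kernel image without first checking that the bytes at those offsets are what it expects, and the !chkimg listing shows this kernel already carries many other in-memory modifications besides the poster's own. The following is an added example, not code from the post or from the linked article: a verify-then-patch routine of the kind a practitioner would want before writing into kernel code. It runs as an ordinary user-mode C program over a constructed byte buffer that stands in for a few kernel instructions; the instruction bytes, the site offsets, and the values 0xBC (original EPROCESS.DebugPort displacement) and 0x70 (replacement) are assumptions for the demonstration, chosen to match the `bc:70` and `44:90` entries and the 6-byte and 2-byte NOP runs in the listing above. The same check applies to any disp32 or imm32 site, not only to DebugPort references.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for a stretch of kernel code (hypothetical bytes).
 *   +0  8B 86 BC 00 00 00   mov  eax,[esi+0BCh]  ; disp32 at +2
 *   +6  8D 81 44 FF FF FF   lea  eax,[ecx-0BCh]  ; disp32 (-0xBC) at +8
 *   +12 0F 85 12 34 56 00   jne  rel32           ; 6-byte branch
 *   +18 75 0D               jne  rel8            ; 2-byte branch
 *   +20 C3                  ret
 */
static uint8_t g_image[] = {
    0x8B, 0x86, 0xBC, 0x00, 0x00, 0x00,
    0x8D, 0x81, 0x44, 0xFF, 0xFF, 0xFF,
    0x0F, 0x85, 0x12, 0x34, 0x56, 0x00,
    0x75, 0x0D,
    0xC3,
};

#define OLD_DEBUGPORT_OFF 0xBCu   /* assumed original field offset */
#define NEW_DEBUGPORT_OFF 0x70u   /* assumed replacement offset */

/* One patch site: where the 32-bit displacement lives, what it must hold
 * before we touch it, and what to store. Negative displacements (the
 * CONTAINING_RECORD style lea) are handled by passing -OLD and -NEW. */
struct disp_patch {
    size_t  offset;
    int32_t expect;
    int32_t value;
};

/* 0 on success; -1 if the site does not hold 'expect' (wrong offset for this
 * build, or someone else already patched it); -2 if it would run off the end. */
int patch_disp32(uint8_t *img, size_t len, const struct disp_patch *p)
{
    int32_t cur;
    if (p->offset + sizeof cur > len) return -2;
    memcpy(&cur, img + p->offset, sizeof cur);      /* unaligned-safe read */
    if (cur != p->expect) return -1;
    memcpy(img + p->offset, &p->value, sizeof p->value);
    return 0;
}

/* NOP out a conditional branch. The length is derived from the opcode
 * (0F 8x rel32 = 6 bytes, 7x rel8 = 2 bytes) instead of being chosen by the
 * caller, so a 6-byte memset can never land on a 2-byte branch. */
int nop_branch(uint8_t *img, size_t len, size_t offset)
{
    size_t n;
    if (offset + 2 > len) return -2;
    if (img[offset] == 0x0F && (img[offset + 1] & 0xF0) == 0x80) n = 6;
    else if ((img[offset] & 0xF0) == 0x70)                       n = 2;
    else return -1;
    if (offset + n > len) return -2;
    memset(img + offset, 0x90, n);
    return 0;
}

/* Apply every site to a scratch copy and commit only if all of them verified;
 * returns the number of sites patched (4) or -1 on any mismatch, -2 if the
 * image is larger than the scratch buffer. A partial patch is never left behind. */
int apply_all(uint8_t *img, size_t len)
{
    const struct disp_patch sites[] = {
        { 2,  (int32_t)OLD_DEBUGPORT_OFF,  (int32_t)NEW_DEBUGPORT_OFF },
        { 8, -(int32_t)OLD_DEBUGPORT_OFF, -(int32_t)NEW_DEBUGPORT_OFF },
    };
    uint8_t scratch[64];
    size_t i;
    int ok = 0;
    if (len > sizeof scratch) return -2;
    memcpy(scratch, img, len);
    for (i = 0; i < sizeof sites / sizeof sites[0]; i++)
        if (patch_disp32(scratch, len, &sites[i]) == 0) ok++;
    if (nop_branch(scratch, len, 12) == 0) ok++;
    if (nop_branch(scratch, len, 18) == 0) ok++;
    if (ok != 4) return -1;
    memcpy(img, scratch, len);
    return ok;
}

int main(void)
{
    int r = apply_all(g_image, sizeof g_image);
    printf("patched sites: %d\n", r);
    return r == 4 ? 0 : 1;
}
```

Running the routine a second time on the same buffer fails every site, which is the behaviour wanted: a re-applied or mis-targeted patch is refused instead of silently corrupting neighbouring bytes.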
Latest replies (13)
#2
PspExitThread
DbgkExitThread
DbgkExitProcess
I have not modified these three functions, which are used to send debug messages; I wanted to go one step at a time. Could that be related?
Hoping for a pointer or two.
2010-10-30 17:15
#3
Nobody is replying; my question seems rather basic...
2010-10-30 19:02
#4
Seriously? Not a single reply...
2010-10-31 03:22
#5
The question is too advanced. You have a dump and WinDbg; can't you find the problem from those?

Run u on your modified DbgkpQueueMessage and look at it; you may have patched it wrong.
2010-10-31 10:14
#6
I also blue-screened at DbgkpQueueMessage... never got it resolved.
2010-11-1 11:02
#7
The problem is solved (zero the DebugPort first, then relocate it), but a new problem has come up.
Modifying 0x78 or 0x70 no longer works,
and the other members cannot be occupied at will, so I thought of reworking EPROCESS.
In the PspCreateProcess code (see the WRK)
there is an ObCreateObject call that is passed sizeof(EPROCESS), which in the disassembly is 0x260.
The kernel file is ntkrnlpa.exe; I found the corresponding code, push 0x260, and changed it to 0x270 (enlarging it by 16 bytes).
I replaced the kernel file and rebooted; EPROCESS is now 0x270 in size.
Then I changed all the functions that need modifying to use 0x265 (that should be fine, right?).
Loading the driver is fine, but as soon as a new program starts the system hangs outright.
Analyzing the dump file, it is stuck in DbgkpQueueMessage again.
Please give me some pointers; I can attach the dump file if needed.
The error message appears to be the same as the original one.
I still do not understand what it means...
2010-11-2 10:16
#8
Hook it yourself from scratch:
ZwCreateDebugObject
ZwWaitXXX
ZwContinue
ZwXXX, KiDispatchException and a pile of other things; put together a simple debugging mechanism of your own and that is enough.
2010-11-2 10:35
#9
What protection are you trying to get past? TP?
2010-11-2 14:27
#10
Thanks. I hope everyone can tell me as many of the functions as possible; the WinDbg tracing looks like a mess.
The functions passed through after debugging starts: pausing, breakpoints, and so on...
Once I know the functions I will experiment with hooking them.

Thanks to the friends above who helped me.
2010-11-2 16:06
#11
There is an open-source project abroad called opendbg that implements its own debugging mechanism.
2010-11-22 23:38
#12
Did you get past TP? Do you have QQ? Could we get in touch?
2011-1-29 05:20
#13
up
dingge
bump
2011-1-29 20:25
#14
Actually there is no need for all that trouble. Since you can already find the code that zeroes it, find the code that watches that code, NOP out the watcher, then NOP out the zeroing code, and you are done.
2011-2-20 11:32