-
-
[旧帖] 用mdl hook ssdt 蓝屏。。帮我看看。。。。 0.00雪花
-
发表于: 2012-1-20 17:22
-
dump显示 是 MmProbeAndLockPages 这个函数导致了page fault in nonpaged area
READ_ADDRESS: GetUlongFromAddress: unable to read from 83d6b718
Unable to read MiSystemVaType memory at 83d4b160
83f7f000
FAULTING_IP:
nt!MmProbeAndLockPages+4cc
83c7ab5b 8a0f mov cl,[edi]
MM_INTERNAL_CODE: 0
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x50
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 939250e7 to 83c7ab5b
TRAP_FRAME: 8bf1bb1c -- (.trap ffffffff8bf1bb1c)
ErrCode = 00000000
eax=00000000 ebx=007ffff8 ecx=866a6c50 edx=00000860 esi=8597aa70 edi=83f7f000
eip=83c7ab5b esp=8bf1bb90 ebp=8bf1bc38 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
nt!MmProbeAndLockPages+0x4cc:
83c7ab5b 8a0f mov cl,[edi] ds:0023:83f7f000=00
Resetting default scope
8bf1bc38 939250e7 866a6000 00000000 00000001 nt!MmProbeAndLockPages+0x4cc
8bf1bca4 939258b7 83c453a8 00000800 8597aad0 SSDT!UnHookService+0xe7 [c:\users\15eeth\documents\visual studio 2010\projects\ssdt\drivermod\ssdt_hook_struct.h @ 203]
8bf1bcc4 83da4463 85c3ef38 8beb7a00 8597aa70 SSDT!MyWdmUnload+0x47 [c:\users\15eeth\documents\visual studio 2010\projects\ssdt\drivermod\ssdt.cpp @ 827]
8bf1bd00 83c7106b 8beb7a00 00000000 8597aa70 nt!IopLoadUnloadDriver+0x1e
8bf1bd50 83e11a55 00000001 a66d8117 00000000 nt!ExpWorkerThread+0x10d
8bf1bd90 83cc3219 83c70f5e 00000001 00000000 nt!PspSystemThreadStartup+0x9e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19
我用了个mdl 描述了Mainssdt 表 然后更改ZwSetInformation的地址 然后释放了mdl
成功了啊 ZwSetInformation也成功更改了 但是接下来
UnHookService 是在驱动的 unload函数中调用的
改回去的时候 再次分配一个mdl描述 Mainssdt表 修改
但是 到了 MmProbeAndLockPages 就蓝屏 page fault in nonpaged area
整个unhookservice 都已经在非分页内存中了 还出现换页错误
这个函数到底乍么回事啊
READ_ADDRESS: GetUlongFromAddress: unable to read from 83d6b718
Unable to read MiSystemVaType memory at 83d4b160
83f7f000
FAULTING_IP:
nt!MmProbeAndLockPages+4cc
83c7ab5b 8a0f mov cl,[edi]
MM_INTERNAL_CODE: 0
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x50
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 939250e7 to 83c7ab5b
TRAP_FRAME: 8bf1bb1c -- (.trap ffffffff8bf1bb1c)
ErrCode = 00000000
eax=00000000 ebx=007ffff8 ecx=866a6c50 edx=00000860 esi=8597aa70 edi=83f7f000
eip=83c7ab5b esp=8bf1bb90 ebp=8bf1bc38 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
nt!MmProbeAndLockPages+0x4cc:
83c7ab5b 8a0f mov cl,[edi] ds:0023:83f7f000=00
Resetting default scope
8bf1bc38 939250e7 866a6000 00000000 00000001 nt!MmProbeAndLockPages+0x4cc
8bf1bca4 939258b7 83c453a8 00000800 8597aad0 SSDT!UnHookService+0xe7 [c:\users\15eeth\documents\visual studio 2010\projects\ssdt\drivermod\ssdt_hook_struct.h @ 203]
8bf1bcc4 83da4463 85c3ef38 8beb7a00 8597aa70 SSDT!MyWdmUnload+0x47 [c:\users\15eeth\documents\visual studio 2010\projects\ssdt\drivermod\ssdt.cpp @ 827]
8bf1bd00 83c7106b 8beb7a00 00000000 8597aa70 nt!IopLoadUnloadDriver+0x1e
8bf1bd50 83e11a55 00000001 a66d8117 00000000 nt!ExpWorkerThread+0x10d
8bf1bd90 83cc3219 83c70f5e 00000001 00000000 nt!PspSystemThreadStartup+0x9e
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x19
#pragma code_seg()
void MyWdmUnload(PDRIVER_OBJECT pDriverObject)
{
PDEVICE_OBJECT pNextObj;
KdPrint(("enter Driver unload"));
#if DBG
{
KIRQL uIrql = KeGetCurrentIrql();
KdPrint(("%s is run on level: %x\n", __FUNCTION__, uIrql));
}
#endif
pNextObj=pDriverObject->DeviceObject;
UnHookService((ULONG)ZwSetInformationFile);
while(pNextObj!=NULL)
{
PMY_DEVICE_EXTENSION pDevExt=(PMY_DEVICE_EXTENSION)pNextObj->DeviceExtension;
UNICODE_STRING pLinkName=pDevExt->UserSymbolicName;
IoDeleteSymbolicLink(&pLinkName);
pNextObj=pNextObj->NextDevice;
IoDeleteDevice(pDevExt->pDevbj);
}
}
NTSTATUS UnHookService(IN ULONG _Zw_Functions OldService)
{
if(HAS_HOOK==UNHOOKED || HAS_HOOK==FIRSTTIME)
{
KdPrint(("HAS NOT HOOK , PLEASE HOOK IT AT FIRST !"));
return STATUS_UNSUCCESSFUL;
}
#if DBG
{
KIRQL uIrql = KeGetCurrentIrql();
KdPrint(("%s is run on level: %x\n", __FUNCTION__, uIrql));
}
#endif
PUCHAR pKthread=(PUCHAR)KeGetCurrentThread();
PULONG pServiceDescriptorTable=(PULONG)*((PULONG)(pKthread+0x0bc));
PSERVICE_DESCRIPTOR_TABLE SerDesTable=(PSERVICE_DESCRIPTOR_TABLE)pServiceDescriptorTable;
PULONG pMainSSDT =SerDesTable->ntoskrnl.Base;
ULONG AddressNumber=(ULONG)SerDesTable->ntoskrnl.Number;
PMDL pMyMdl=IoAllocateMdl(pMainSSDT,(size_t)(AddressNumber*4),NULL,FALSE,NULL);
if(!pMyMdl)
{
KdPrint((" Allocate mdl failed"));
return STATUS_UNSUCCESSFUL;
}
NTSTATUS Status;
ULONG ExceptCode;
__try
{
MmProbeAndLockPages(pMyMdl,KernelMode,IoWriteAccess);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{ ExceptCode=(ULONG)GetExceptionCode();
KdPrint(("Exception Code %08X",ExceptCode));
IoFreeMdl(pMyMdl);
return STATUS_UNSUCCESSFUL;}
PULONG pNewMainSSDTAddress=(PULONG)MmGetSystemAddressForMdlSafe(pMyMdl,HighPagePriority);
if(!pNewMainSSDTAddress)
{
Status=STATUS_INSUFFICIENT_RESOURCES;
MmUnlockPages(pMyMdl);
IoFreeMdl(pMyMdl);
return STATUS_UNSUCCESSFUL;
}
*(pNewMainSSDTAddress+ SERVICE_ID(OldService))=OldServiceAddressTable[SERVICE_ID(OldService)];
if(pMyMdl)
{
if (pMyMdl->MdlFlags & MDL_PAGES_LOCKED)
{
KdPrint(("unlockpages"));
MmUnlockPages(pMyMdl);
}
IoFreeMdl(pMyMdl); }
KdPrint(("UnHookService success ! "));
HAS_HOOK=UNHOOKED;
return STATUS_SUCCESS;
}
我用了个mdl 描述了Mainssdt 表 然后更改ZwSetInformation的地址 然后释放了mdl
成功了啊 ZwSetInformation也成功更改了 但是接下来
UnHookService 是在驱动的 unload函数中调用的
改回去的时候 再次分配一个mdl描述 Mainssdt表 修改
但是 到了 MmProbeAndLockPages 就蓝屏 page fault in nonpaged area
整个unhookservice 都已经在非分页内存中了 还出现换页错误
这个函数到底乍么回事啊
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
