WinDbg 错误信息如下
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ccccccc3, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 8a8d5128, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000002, (reserved)
下面是出错的代码位置
FAULTING_SOURCE_CODE:
92: __asm{
93: push ebx
94: push eax
95: mov ebx,int3proc_addr
> 96: mov byte ptr ds:[ebx],0xE9
97: mov eax,jmpaddr
98: mov dword ptr ds:[ebx+1],eax
99: pop eax
100: pop ebx
说的是引用的地址无效，应该是 int3proc_addr 的值错了。请高手帮忙看一下到底哪里写错了，初学，照着网上的例子打的。
PIDT_ENTRY Pidt_info = (PIDT_ENTRY)ReadIDTBase; // intended to obtain the IDT address (see ReadIDTBase below)
ReadIDTBase 的定义
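// Read the base address of the IDT currently loaded on this CPU.
//
// Executes SIDT into a local IDTR and returns its base field.
// NOTE(review): IDTR is per-processor state, so on a multiprocessor system
// the value describes whichever CPU happened to run this function; it is not
// a system-wide constant.
//
// Returns: the 32-bit linear base address held in IDTR. This is 32-bit MSVC
// inline-asm code; a wider base would not fit the ULONG return type.
ULONG ReadIDTBase(void){
    IDTR idtr;
    _asm sidt idtr; // store IDTR (limit + base) into the local
    return idtr.base;
}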
// Replacement INT3 handler body. `_declspec(naked)`: the compiler emits no
// prologue/epilogue, so nothing below sets up a stack frame.
//
// From the rest of the post, this code is reached by an inline detour: a
// 5-byte JMP (0xE9 + rel32) is written over the start of the original
// handler at int3proc_addr (see the FAULTING_SOURCE_CODE lines above).
// Defender's view: overwriting kernel handler code is the classic kernel-hook
// pattern; on x64 Windows, Kernel Patch Protection treats such modification
// as fatal, and integrity tooling flags IDT entries and handler bytes that
// differ from the known-good image.
//
// Risks visible in this block (hedged where the page does not show enough):
//  - `EP` is a C local inside a naked function with no frame set up; how the
//    compiler addresses it (presumably EBP-relative) depends on whatever EBP
//    holds on entry — confirm in the disassembly.
//  - 0x174 is a hard-coded offset into the undocumented EPROCESS layout and
//    is tied to one Windows build, as the author's own comment notes.
//  - `(PTSTR)` passed to `strcmp`: if TCHAR is wide in this build the types
//    do not match; strcmp also reads unbounded until it finds a NUL.
VOID _declspec(naked) myInt3Proc(){
PEPROCESS EP; // pointer to the process object; this structure is undocumented
__asm{
pushad // push the general registers onto the stack
pushfd // push EFLAGS onto the stack
}
// add your own filtering condition here
// obtain the process context
EP = PsGetCurrentProcess(); // get the current process object
if(strcmp((PTSTR)((ULONG)EP+0x174),"notepad.exe")==0){
// Early-exit path: a near RET whose immediate is added to ESP after the
// return address is popped. It bypasses the popfd/popad below, so the
// 36 bytes saved by pushad (8 x 4) and pushfd (4) are still on the stack here.
__asm retn 100;
}
__asm{
// restore the flags, then the registers (last in, first out)
popfd;
popad;
}
__asm {
push 0
mov word ptr [esp+2],0
// the displaced original instruction occupies 2 bytes (author's note);
// the two instructions above presumably re-create what the detour overwrote
jmp jmpaddr_int3proc_9 // back into the original handler; target defined elsewhere
}
}