[求助]HOOK NtWaitForDebugEvent 遇到诡异事件-编程技术-看雪-安全社区|安全招聘|kanxue.com

最新回复 (9)
Captains 雪币： 305 活跃值： (61) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 38 粉丝 0 关注私信	Captains 2 楼亲，我想你需要这个，去下载ReactOS的源码吧。以下是从 ReactOS\ntoskrnl\dbgk\dbgkobj.c 查到 NTSTATUS NTAPI NtWaitForDebugEvent(IN HANDLE DebugHandle, IN BOOLEAN Alertable, IN PLARGE_INTEGER Timeout OPTIONAL, OUT PDBGUI_WAIT_STATE_CHANGE StateChange) { KPROCESSOR_MODE PreviousMode = ExGetPreviousMode(); LARGE_INTEGER SafeTimeOut; PEPROCESS Process; LARGE_INTEGER StartTime; PETHREAD Thread; BOOLEAN GotEvent; LARGE_INTEGER NewTime; PDEBUG_OBJECT DebugObject; DBGUI_WAIT_STATE_CHANGE WaitStateChange; NTSTATUS Status = STATUS_SUCCESS; PDEBUG_EVENT DebugEvent = NULL, DebugEvent2; PLIST_ENTRY ListHead, NextEntry, NextEntry2; PAGED_CODE(); DBGKTRACE(DBGK_OBJECT_DEBUG, "Handle: %p\n", DebugHandle); /* Clear the initial wait state change structure / RtlZeroMemory(&WaitStateChange, sizeof(WaitStateChange)); / Protect probe in SEH / _SEH_TRY { / Check if we came with a timeout / if (Timeout) { / Check if the call was from user mode / if (PreviousMode != KernelMode) { / Probe it / ProbeForReadLargeInteger(Timeout); } / Make a local copy / SafeTimeOut = Timeout; Timeout = &SafeTimeOut; /* Query the current time / KeQuerySystemTime(&StartTime); } / Check if the call was from user mode / if (PreviousMode != KernelMode) { / Probe the state change structure / ProbeForWrite(StateChange, sizeof(StateChange), sizeof(ULONG)); } } _SEH_HANDLE { /* Get the exception code / Status = _SEH_GetExceptionCode(); } _SEH_END; if (!NT_SUCCESS(Status)) return Status; / Get the debug object / Status = ObReferenceObjectByHandle(DebugHandle, DEBUG_OBJECT_WAIT_STATE_CHANGE, DbgkDebugObjectType, PreviousMode, (PVOID)&DebugObject, NULL); if (!NT_SUCCESS(Status)) return Status; /* Clear process and thread / Process = NULL; Thread = NULL; / Wait on the debug object given to us / while (TRUE) { Status = KeWaitForSingleObject(DebugObject, Executive, PreviousMode, Alertable, Timeout); if (!NT_SUCCESS(Status) \|\| (Status == STATUS_TIMEOUT) \|\| (Status == STATUS_ALERTED) \|\| (Status == STATUS_USER_APC)) { / Break out the wait / break; } / Lock the object / GotEvent = FALSE; ExAcquireFastMutex(&DebugObject->Mutex); / Check if a debugger is connected / if (DebugObject->DebuggerInactive) { / Not connected / Status = STATUS_DEBUGGER_INACTIVE; } else { / Loop the events / ListHead = &DebugObject->EventList; NextEntry = ListHead->Flink; while (ListHead != NextEntry) { / Get the debug event / DebugEvent = CONTAINING_RECORD(NextEntry, DEBUG_EVENT, EventList); DBGKTRACE(DBGK_PROCESS_DEBUG, "DebugEvent: %p Flags: %lx\n", DebugEvent, DebugEvent->Flags); / Check flags / if (!(DebugEvent->Flags & (4 \| 1))) { / We got an event / GotEvent = TRUE; / Loop the list internally / NextEntry2 = DebugObject->EventList.Flink; while (NextEntry2 != NextEntry) { / Get the debug event / DebugEvent2 = CONTAINING_RECORD(NextEntry2, DEBUG_EVENT, EventList); / Try to match process IDs / if (DebugEvent2->ClientId.UniqueProcess == DebugEvent->ClientId.UniqueProcess) { / Found it, break out / DebugEvent->Flags \|= 4; DebugEvent->BackoutThread = NULL; GotEvent = FALSE; break; } / Move to the next entry / NextEntry2 = NextEntry2->Flink; } / Check if we still have a valid event / if (GotEvent) break; } / Move to the next entry / NextEntry = NextEntry->Flink; } / Check if we have an event / if (GotEvent) { / Save and reference the process and thread / Process = DebugEvent->Process; Thread = DebugEvent->Thread; ObReferenceObject(Process); ObReferenceObject(Thread); / Convert to user-mode structure / DbgkpConvertKernelToUserStateChange(&WaitStateChange, DebugEvent); / Set flag / DebugEvent->Flags \|= 1; } else { / Unsignal the event / KeClearEvent(&DebugObject->EventsPresent); } / Set success / Status = STATUS_SUCCESS; } / Release the mutex / ExReleaseFastMutex(&DebugObject->Mutex); if (!NT_SUCCESS(Status)) break; / Check if we got an event / if (!GotEvent) { / Check if we can wait again / if (SafeTimeOut.QuadPart < 0) { / Query the new time / KeQuerySystemTime(&NewTime); / Substract times / SafeTimeOut.QuadPart += (NewTime.QuadPart - StartTime.QuadPart); StartTime = NewTime; / Check if we've timed out / if (SafeTimeOut.QuadPart > 0) { / We have, break out of the loop / Status = STATUS_TIMEOUT; break; } } } else { / Open the handles and dereference the objects / DbgkpOpenHandles(&WaitStateChange, Process, Thread); ObDereferenceObject(Process); ObDereferenceObject(Thread); break; } } / We're done, dereference the object / ObDereferenceObject(DebugObject); / Protect write with SEH / _SEH_TRY { / Return our wait state change structure / RtlCopyMemory(StateChange, &WaitStateChange, sizeof(DBGUI_WAIT_STATE_CHANGE)); } _SEH_EXCEPT(_SEH_ExSystemExceptionFilter) { / Get SEH Exception code / Status = _SEH_GetExceptionCode(); } _SEH_END; / Return status */ return Status; } 2013-3-23 05:15 0
淡定疯着雪币： 297 活跃值： (120) 能力值： ( LV5，RANK：60 ) 在线值：发帖 31 回帖 445 粉丝 1 关注私信	淡定疯着 3 楼 ReactOS给力啊,不知道ReactOS,怎么能进行源码级调试啊? 2013-3-23 12:32 0
yimingqpa 雪币： 6524 活跃值： (4316) 能力值： ( LV10，RANK：163 ) 在线值：发帖 35 回帖 499 粉丝 51 关注私信	yimingqpa 1 4 楼 -.- ReactOS直接开源的. 2013-3-23 12:38 0
房有亮雪币： 773 活跃值： (442) 能力值： ( LV9，RANK：200 ) 在线值：发帖 100 回帖 655 粉丝 21 关注私信	房有亮 3 5 楼楼上的楼上的楼上的哥们跟那个没关系我调用的是系统API 不是重写噢，就是 OD调用我驱动里的系统 API 然后我把结果传递给OD，这个代码XP 2K3 都是没问题的 2013-3-27 18:58 0
cvcvxk 雪币： 8835 活跃值： (2404) 能力值： ( LV12，RANK：760 ) 在线值：发帖 125 回帖 3095 粉丝 234 关注私信	cvcvxk 10 6 楼 Win7是因为参数问题和Mode问题导致的。XP下不用切换Mode执行也没大问题，Win7开始UserMode必须的，没有就死啦死啦的要！~ PreviousMode~~ 2013-3-29 11:25 0
房有亮雪币： 773 活跃值： (442) 能力值： ( LV9，RANK：200 ) 在线值：发帖 100 回帖 655 粉丝 21 关注私信	房有亮 3 7 楼 XP 也的切 KERNEL ,不切不好使，WIN7 我早就切了，试验了好多方法就是不行 2013-3-30 22:02 0
cvcvxk 雪币： 8835 活跃值： (2404) 能力值： ( LV12，RANK：760 ) 在线值：发帖 125 回帖 3095 粉丝 234 关注私信	cvcvxk 10 8 楼切成kernel更不成~~必须usermode 2013-3-30 22:36 0
房有亮雪币： 773 活跃值： (442) 能力值： ( LV9，RANK：200 ) 在线值：发帖 100 回帖 655 粉丝 21 关注私信	房有亮 3 9 楼又试验了几次，XP 切 UserMode 调试器就死掉了，切KernelMode 才能正常工作，WIN7 不管你切啥都死 2013-3-31 13:15 0
cvcvxk 雪币： 8835 活跃值： (2404) 能力值： ( LV12，RANK：760 ) 在线值：发帖 125 回帖 3095 粉丝 234 关注私信	cvcvxk 10 10 楼代码贴出来看看，估计是参数弄错尿~ 2013-3-31 16:42 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

Captains

雪币： 305

活跃值： (61)

能力值：

( LV2，RANK：10 )

在线值：

发帖

3

回帖

38

粉丝

0

关注

私信

Captains: 2 楼

亲，我想你需要这个，去下载ReactOS的源码吧。以下是从 ReactOS\ntoskrnl\dbgk\dbgkobj.c 查到

NTSTATUS
NTAPI
NtWaitForDebugEvent(IN HANDLE DebugHandle,
                    IN BOOLEAN Alertable,
                    IN PLARGE_INTEGER Timeout OPTIONAL,
                    OUT PDBGUI_WAIT_STATE_CHANGE StateChange)
{
    KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();
    LARGE_INTEGER SafeTimeOut;
    PEPROCESS Process;
    LARGE_INTEGER StartTime;
    PETHREAD Thread;
    BOOLEAN GotEvent;
    LARGE_INTEGER NewTime;
    PDEBUG_OBJECT DebugObject;
    DBGUI_WAIT_STATE_CHANGE WaitStateChange;
    NTSTATUS Status = STATUS_SUCCESS;
    PDEBUG_EVENT DebugEvent = NULL, DebugEvent2;
    PLIST_ENTRY ListHead, NextEntry, NextEntry2;
    PAGED_CODE();
    DBGKTRACE(DBGK_OBJECT_DEBUG, "Handle: %p\n", DebugHandle);

    /* Clear the initial wait state change structure */
    RtlZeroMemory(&WaitStateChange, sizeof(WaitStateChange));

    /* Protect probe in SEH */
    _SEH_TRY
    {
        /* Check if we came with a timeout */
        if (Timeout)
        {
            /* Check if the call was from user mode */
            if (PreviousMode != KernelMode)
            {
                /* Probe it */
                ProbeForReadLargeInteger(Timeout);
            }

            /* Make a local copy */
            SafeTimeOut = *Timeout;
            Timeout = &SafeTimeOut;

            /* Query the current time */
            KeQuerySystemTime(&StartTime);
        }

        /* Check if the call was from user mode */
        if (PreviousMode != KernelMode)
        {
            /* Probe the state change structure */
            ProbeForWrite(StateChange, sizeof(*StateChange), sizeof(ULONG));
        }
    }
    _SEH_HANDLE
    {
        /* Get the exception code */
        Status = _SEH_GetExceptionCode();
    }
    _SEH_END;
    if (!NT_SUCCESS(Status)) return Status;

    /* Get the debug object */
    Status = ObReferenceObjectByHandle(DebugHandle,
                                       DEBUG_OBJECT_WAIT_STATE_CHANGE,
                                       DbgkDebugObjectType,
                                       PreviousMode,
                                       (PVOID*)&DebugObject,
                                       NULL);
    if (!NT_SUCCESS(Status)) return Status;

    /* Clear process and thread */
    Process = NULL;
    Thread = NULL;

    /* Wait on the debug object given to us */
    while (TRUE)
    {
        Status = KeWaitForSingleObject(DebugObject,
                                       Executive,
                                       PreviousMode,
                                       Alertable,
                                       Timeout);
        if (!NT_SUCCESS(Status) ||
            (Status == STATUS_TIMEOUT) ||
            (Status == STATUS_ALERTED) ||
            (Status == STATUS_USER_APC))
        {
            /* Break out the wait */
            break;
        }

        /* Lock the object */
        GotEvent = FALSE;
        ExAcquireFastMutex(&DebugObject->Mutex);

        /* Check if a debugger is connected */
        if (DebugObject->DebuggerInactive)
        {
            /* Not connected */
            Status = STATUS_DEBUGGER_INACTIVE;
        }
        else
        {
            /* Loop the events */
            ListHead = &DebugObject->EventList;
            NextEntry =  ListHead->Flink;
            while (ListHead != NextEntry)
            {
                /* Get the debug event */
                DebugEvent = CONTAINING_RECORD(NextEntry,
                                               DEBUG_EVENT,
                                               EventList);
                DBGKTRACE(DBGK_PROCESS_DEBUG, "DebugEvent: %p Flags: %lx\n",
                          DebugEvent, DebugEvent->Flags);

                /* Check flags */
                if (!(DebugEvent->Flags & (4 | 1)))
                {
                    /* We got an event */
                    GotEvent = TRUE;

                    /* Loop the list internally */
                    NextEntry2 = DebugObject->EventList.Flink;
                    while (NextEntry2 != NextEntry)
                    {
                        /* Get the debug event */
                        DebugEvent2 = CONTAINING_RECORD(NextEntry2,
                                                        DEBUG_EVENT,
                                                        EventList);

                        /* Try to match process IDs */
                        if (DebugEvent2->ClientId.UniqueProcess ==
                            DebugEvent->ClientId.UniqueProcess)
                        {
                            /* Found it, break out */
                            DebugEvent->Flags |= 4;
                            DebugEvent->BackoutThread = NULL;
                            GotEvent = FALSE;
                            break;
                        }

                        /* Move to the next entry */
                        NextEntry2 = NextEntry2->Flink;
                    }

                    /* Check if we still have a valid event */
                    if (GotEvent) break;
                }

                /* Move to the next entry */
                NextEntry = NextEntry->Flink;
            }

            /* Check if we have an event */
            if (GotEvent)
            {
                /* Save and reference the process and thread */
                Process = DebugEvent->Process;
                Thread = DebugEvent->Thread;
                ObReferenceObject(Process);
                ObReferenceObject(Thread);

                /* Convert to user-mode structure */
                DbgkpConvertKernelToUserStateChange(&WaitStateChange,
                                                    DebugEvent);

                /* Set flag */
                DebugEvent->Flags |= 1;
            }
            else
            {
                /* Unsignal the event */
                KeClearEvent(&DebugObject->EventsPresent);
            }

            /* Set success */
            Status = STATUS_SUCCESS;
        }

        /* Release the mutex */
        ExReleaseFastMutex(&DebugObject->Mutex);
        if (!NT_SUCCESS(Status)) break;

        /* Check if we got an event */
        if (!GotEvent)
        {
            /* Check if we can wait again */
            if (SafeTimeOut.QuadPart < 0)
            {
                /* Query the new time */
                KeQuerySystemTime(&NewTime);

                /* Substract times */
                SafeTimeOut.QuadPart += (NewTime.QuadPart - StartTime.QuadPart);
                StartTime = NewTime;

                /* Check if we've timed out */
                if (SafeTimeOut.QuadPart > 0)
                {
                    /* We have, break out of the loop */
                    Status = STATUS_TIMEOUT;
                    break;
                }
            }
        }
        else
        {
            /* Open the handles and dereference the objects */
            DbgkpOpenHandles(&WaitStateChange, Process, Thread);
            ObDereferenceObject(Process);
            ObDereferenceObject(Thread);
            break;
        }
    }

    /* We're done, dereference the object */
    ObDereferenceObject(DebugObject);

    /* Protect write with SEH */
    _SEH_TRY
    {
        /* Return our wait state change structure */
        RtlCopyMemory(StateChange,
                      &WaitStateChange,
                      sizeof(DBGUI_WAIT_STATE_CHANGE));
    }
    _SEH_EXCEPT(_SEH_ExSystemExceptionFilter)
    {
        /* Get SEH Exception code */
        Status = _SEH_GetExceptionCode();
    }
    _SEH_END;

    /* Return status */
    return Status;
}

2013-3-23 05:15

0