kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 8053ea02, The address that the exception occurred at
Arg3: ee8f6cf0, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - 0x%08lx
FAULTING_IP:
nt!KiServiceExit2+0
8053ea02 fa cli
TRAP_FRAME: ee8f6cf0 -- (.trap 0xffffffffee8f6cf0)
ErrCode = 00000000
eax=00000000 ebx=7ffda000 ecx=00000003 edx=00000008 esi=001a1f18 edi=001a1ea4
eip=8053ea02 esp=ee8f6d64 ebp=ee8f6d64 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010282
nt!KiServiceExit2:
8053ea02 fa cli
Resetting default scope
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0x8E
PROCESS_NAME: irptrace.exe
CLI_FAULT_INSTR:
nt!KiServiceExit2+0
8053ea02 fa cli
LAST_CONTROL_TRANSFER: from 7c92120f to 8053ea02
STACK_TEXT:
ee8f6d64 7c92120f badb0d00 00000008 0100a5f0 nt!KiServiceExit2
WARNING: Frame IP not in any known module. Following frames may be wrong.
0006fc94 00000000 00000000 00000000 00000000 0x7c92120f
STACK_COMMAND: kb
FOLLOWUP_IP:
nt!KiServiceExit2+0
8053ea02 fa cli
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nt!KiServiceExit2+0
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: hardware
DEBUG_FLR_IMAGE_TIMESTAMP: 0
MODULE_NAME: hardware
FAILURE_BUCKET_ID: CLI_FAULT
BUCKET_ID: CLI_FAULT
Followup: MachineOwner
---------
//Address of the original int 3 (IDT vector 3) handler that MyProc sits in front of.
//It is assigned elsewhere (not in this excerpt). MyProc resumes the original handler at
//uAddrOfInt3 + 9 after re-issuing the two instructions presumably overwritten at the hook site.
ULONG uAddrOfInt3;
#pragma PAGEDCODE
//ULONG __stdcall GeneralHandler(ULONG iInt, PULONG Stacklocation)
//Reached from the MyProc trampoline with iInt = 3 and Stacklocation = the interrupted
//context's stack (presumably the hardware-pushed EIP/CS/EFLAGS frame). Neither argument
//is read in this body.
//Returns: always 0 on the normal path, which the caller treats as "chain to the original
//         int 3 handler"; the caller only takes its own IRETD path when the value is exactly 1.
//NOTE(review): #pragma PAGEDCODE makes this function pageable although it runs on the
//int 3 path; confirm the IRQL/paging assumptions before relying on it, since a page-in
//from an interrupt context is itself a bugcheck.
ULONG __stdcall GeneralHandler(IN ULONG iInt,IN PULONG Stacklocation )
{
//#ifndef AMD64
//check the current privilege level
DbgPrint("Welcome to my int handler. (I need to find out how this instruction gets me in ring0)\n");
DbgPrint("Processid=%d (%x)\n",PsGetCurrentProcessId(),PsGetCurrentProcessId());
ULONG result=0; //by default let the OS handle the interrupt (caller chains to the original handler)
// ULONG DR_0,DR_1,DR_2,DR_3,ef;
// DebugReg6 DR_6;
// DebugReg7 DR_7;
PEPROCESS EP;
EP = PsGetCurrentProcess();
//Compare the image name read at a hard-coded EPROCESS offset.
//NOTE(review): 0x174 is specific to one kernel build (presumably EPROCESS.ImageFileName
//for the build this was written against); on any other build it reads an unrelated field.
//The PTSTR cast combined with a narrow literal and strcmp also assumes a non-UNICODE build.
if (strcmp((PTSTR)((ULONG)EP+0x174),"notepad.exe")==0)
{
//Process to be protected: deliberately crash the machine.
KdPrint(("\n 蓝屏 蓝屏 蓝屏 \n"));
//retn 1000h executes a ret without the compiler-generated epilogue, so the "return address"
//is whatever sits at esp in the middle of this frame, and esp is then moved up a further
//0x1000 bytes. The resulting bugcheck is the intended outcome, not a side effect.
//The dump at the top of the page (PROCESS_NAME: irptrace.exe) is not obviously from this path.
__asm retn 1000h
}
/*
DbgPrint("Int1: CPUnr=%d",cpunr());
*/
return result;
}
//This is our own int 3 routine. IDT vector 3 is pointed here (the setup is not in this
//excerpt); it saves the interrupted context, calls GeneralHandler(3, original_esp), and then
//either chains to the original handler at uAddrOfInt3 + 9 or returns to the interrupted code
//with IRETD.
//NOTE(review): #pragma PAGEDCODE places an interrupt-gate entry path in pageable memory;
//confirm this is intended, as code reached from a trap cannot safely be paged out.
//NOTE(review): 32-bit only (PUSHAD/POPAD, IRETD); there is no AMD64 variant here.
#pragma PAGEDCODE
__declspec(naked) void MyProc(void)
{
__asm{
//iretd //return
//Save state -- this is required: without it kernel APIs such as PsGetCurrentProcess
//cannot be called from here (otherwise BSOD).
//For the full reference implementation see the Cheat Engine driver code;
//the relevant part is reproduced below.
PUSHAD //32 bytes: eax..edi
push ds //4
push es //4
push gs //4
push fs //4
//Load kernel-side selectors: ds/es/gs = 0x23 and fs = 0x30 (presumably the per-CPU KPCR
//selector); these match ds=0023 es=0023 fs=0030 in the trap frame shown in the dump above.
mov ax,0x23
mov ds,ax
mov es,ax
mov gs,ax
mov ax,0x30
mov fs,ax
//eax = esp + 32 (PUSHAD) + 16 (four segment pushes) = esp as it was on entry,
//i.e. the frame pushed by the int 3 trap.
mov eax,esp
add eax,48
push eax //the location of the original stack //arg 2: the original stack
PUSH 3 //int 3 identifier //arg 1: interrupt number
CALL GeneralHandler //call my regular int handler //__stdcall: the callee pops both args
cmp eax,1 //if 1 then do not run the original handler
je Exit
//Fall-through (result != 1): restore the interrupted context and chain to the original handler.
pop fs
pop gs
pop es
pop ds
POPAD
Original:
//Re-issue the instructions presumably displaced at the hook site (push 0 / mov word ptr
//[esp+2],0 is the usual opening of a trap entry), then jump into the original handler 9 bytes in.
//NOTE(review): eax is overwritten here after POPAD, so the original handler sees
//eax = uAddrOfInt3 + 9 rather than the interrupted context's eax.
push 0
mov word ptr [esp+2], 0
mov eax,uAddrOfInt3
add eax,9
jmp eax
Exit:
//result == 1: the interrupt is consumed here. Restore registers and return to the
//interrupted code; the EIP/CS/EFLAGS pushed by the int 3 trap are still on the stack.
pop fs
pop gs
pop es
pop ds
POPAD
IRETD
}
}