[求助]关于idt inline hook蓝屏的问题
发表于: 2013-12-10 15:21 4377

我用inline hook的方式勾住了
int 3中断的routine
当跳到我的函数的时候
代码如下

就蓝屏了

当我把函数开头注释的
//         __asm
//         {
//                 mov ax,30h
//                 mov fs,ax
//         }

这段代码取消注释后
BSOD没有了
但是我打开OD
发现不能正常的调试其他程序
别人都说HOOK IDT要在开头初始化寄存器
有人懂的吗
谢谢

/*
 * First (crashing) version of the int 3 hook target, kept here because the
 * rest of the thread discusses it.
 *
 * Control arrives via an inline patch placed at the start of the original
 * int 3 trap handler, so on entry the stack holds the CPU interrupt frame,
 * not a normal C call frame.  Two problems in this version are consistent
 * with the KERNEL_MODE_EXCEPTION_NOT_HANDLED dump further down:
 *  - the function is not __declspec(naked): the compiler emits its own
 *    prologue and uses registers freely, nothing the interrupted code had
 *    in the general registers, eflags or segment selectors is saved or
 *    restored, and `__asm iretd` executes with the compiler's frame still
 *    on the stack instead of the trap frame;
 *  - fs is left at whatever the interrupted context had; on x86 the kernel
 *    reaches per-CPU data (and so the current thread/process) through fs,
 *    which is why PsGetCurrentProcess() faults unless fs is reloaded first.
 *    The commented-out `mov fs,ax` below only masked that symptom.
 * The corrected naked version later in the thread is the one to read.
 */
void  MyProc()
{
// 	__asm
// 	{
// 		mov ax,30h
// 		mov fs,ax
// 	}
	PEPROCESS EP;
	EP = PsGetCurrentProcess();
	// Compares the image name stored at a hard-coded EPROCESS offset (0x174 is
	// an XP-era ImageFileName offset).  The offset is build-specific and is
	// wrong on other kernel versions, so this check is fragile by design.
	if (strcmp((PTSTR)((ULONG)EP+0x174),"notepad.exe")==0)
	{
		// Process to be "protected": log, then return from the interrupt
		// directly, so the int 3 never reaches the original handler.  Here the
		// iretd pops the compiler's stack frame, not the interrupt frame.
		KdPrint(("\n 蓝屏 蓝屏 蓝屏 \n"));
		__asm iretd
	}

	// Otherwise chain to the original handler: re-create the instructions
	// the inline patch presumably overwrote (push a zero error code, clear its
	// upper word) and resume 9 bytes past the patched entry.  The +9 must
	// match the patch length used by the IDT-patching code, which is not
	// shown in this thread — confirm against it.
	__asm
	{
		push 0
			mov word ptr [esp+2], 0
			mov eax,uAddrOfInt3
			add eax,9
			jmp eax
	}
	
}


附上DUMP
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck.  Usually the exception address pinpoints
the driver/function that caused the problem.  Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003.  This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG.  This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG.  This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 8053ea02, The address that the exception occurred at
Arg3: ee8f6cf0, Trap Frame
Arg4: 00000000

Debugging Details:
------------------


EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - 0x%08lx

FAULTING_IP: 
nt!KiServiceExit2+0
8053ea02 fa              cli

TRAP_FRAME:  ee8f6cf0 -- (.trap 0xffffffffee8f6cf0)
ErrCode = 00000000
eax=00000000 ebx=7ffda000 ecx=00000003 edx=00000008 esi=001a1f18 edi=001a1ea4
eip=8053ea02 esp=ee8f6d64 ebp=ee8f6d64 iopl=0         nv up ei ng nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010282
nt!KiServiceExit2:
8053ea02 fa              cli
Resetting default scope

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x8E

PROCESS_NAME:  irptrace.exe

CLI_FAULT_INSTR: 
nt!KiServiceExit2+0
8053ea02 fa              cli

LAST_CONTROL_TRANSFER:  from 7c92120f to 8053ea02

STACK_TEXT:  
ee8f6d64 7c92120f badb0d00 00000008 0100a5f0 nt!KiServiceExit2
WARNING: Frame IP not in any known module. Following frames may be wrong.
0006fc94 00000000 00000000 00000000 00000000 0x7c92120f


STACK_COMMAND:  kb

FOLLOWUP_IP: 
nt!KiServiceExit2+0
8053ea02 fa              cli

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  nt!KiServiceExit2+0

FOLLOWUP_NAME:  MachineOwner

IMAGE_NAME:  hardware

DEBUG_FLR_IMAGE_TIMESTAMP:  0

MODULE_NAME: hardware

FAILURE_BUCKET_ID:  CLI_FAULT

BUCKET_ID:  CLI_FAULT

Followup: MachineOwner
---------

首先要用naked声明函数:
__declspec(naked) void  MyProc()

然后汇编码执行前:
pushad
pushfd
恢复时:
popfd
popad

最好整个MyProc()用纯ASM实现,中间加C代码会弄乱寄存器
2013-12-10 17:15
谢谢我解决了
主要是没有保存有关寄存器的东西
我参考了CE的驱动代码 解决了我的问题
我就直接复制黏贴来用了
// Address of the original int 3 trap handler.  It is presumably filled in by
// the IDT-reading/patching code (not shown in the thread); the hook stub jumps
// back to it at +9 after replaying the prologue bytes the patch overwrote.
ULONG uAddrOfInt3;




#pragma PAGEDCODE

/*
 * C-level part of the int 3 hook, called from the naked stub MyProc after it
 * has saved the general registers and reloaded the segment selectors.
 *
 * @param iInt           interrupt number pushed by the stub (3 here).
 * @param Stacklocation  pointer to the interrupt frame as it was at stub entry
 *                       (esp + 48 in the stub).
 * @return 0 to let the original OS handler run, 1 to swallow the interrupt
 *         (the stub tests `cmp eax,1`).
 *
 * Points a reviewer should be aware of in this copy:
 *  - the function is placed under `#pragma PAGEDCODE` yet runs in a trap path;
 *    if that section really is pageable this can fault when paged out —
 *    confirm what PAGEDCODE expands to in this project.
 *  - the "check the current privilege level" comment below is not followed
 *    by any check: the handler cannot tell a user-mode breakpoint from a
 *    kernel-mode one (the frame's CS is available via Stacklocation).
 *  - `__asm retn 1000h` executes while this function's own frame (saved ebp,
 *    locals) is still on the stack, so the "return address" it pops is not
 *    the stub's, and it then adds 0x1000 to esp.  It bypasses the stub's
 *    register restore entirely.  Returning 1 and letting the stub's Exit path
 *    restore state is the safe way to signal "handled".
 *  - both DbgPrint calls run on every int 3 system-wide.
 */
ULONG __stdcall GeneralHandler(IN ULONG iInt,IN PULONG Stacklocation )
{
//#ifndef AMD64
	//check the current privilege level
	DbgPrint("Welcome to my int handler. (I need to find out how this instruction gets me in ring0)\n");
	DbgPrint("Processid=%d (%x)\n",PsGetCurrentProcessId(),PsGetCurrentProcessId());

 	ULONG result=0;	//by default do handle the interrupt by the os
// 	ULONG DR_0,DR_1,DR_2,DR_3,ef;
// 	DebugReg6 DR_6;
// 	DebugReg7 DR_7;

	PEPROCESS EP;
	EP = PsGetCurrentProcess();


	// Hard-coded XP-era EPROCESS.ImageFileName offset; wrong on other builds.
	if (strcmp((PTSTR)((ULONG)EP+0x174),"notepad.exe")==0)
	{
		// Process to be "protected": log, then leave via a raw retn instead of
		// returning 1 (see the header comment for why this is unsafe).
		KdPrint(("\n 蓝屏 蓝屏 蓝屏 \n"));
		__asm retn 1000h
	}

	/*
	DbgPrint("Int1: CPUnr=%d",cpunr());	
	*/
	return result;
}


//这里是我们自己的int 3 rountine函数
#pragma PAGEDCODE

/*
 * Int 3 hook stub reached through the inline patch on the original trap
 * handler.  Declared naked so the compiler emits no prologue/epilogue: the
 * whole body is asm and the stack on entry is the CPU interrupt frame.
 *
 * Flow: save the general registers and data segment selectors -> load the
 * kernel's data selectors (0x23 for ds/es/gs, 0x30 for fs; these match the
 * ds/es/fs values in the trap frame of the dump above) so kernel APIs such as
 * PsGetCurrentProcess can be called -> CALL GeneralHandler(3, frame) ->
 * on 0, restore and fall into the original handler; on 1, restore and IRETD,
 * which silently drops the breakpoint for the interrupted code.
 *
 * The `add eax,48` assumes exactly 32 (PUSHAD) + 4*4 (segment pushes) bytes
 * were pushed before it; any extra push above it must update that constant.
 * The selector values and the +9 patch length are x86 / XP-era constants and
 * are not valid on other architectures or kernel builds.  The function is
 * under `#pragma PAGEDCODE` although it runs in a trap path — confirm that
 * macro's meaning in this project.
 */
__declspec(naked) void MyProc(void)
{
	__asm{ 
		//iretd //return

		// Save state -- mandatory: without it kernel APIs such as
		// PsGetCurrentProcess cannot be called and the system bugchecks.
		// Taken from Cheat Engine's driver code; pasted here for reference.
		PUSHAD	//32 bytes: eax,ecx,edx,ebx,esp,ebp,esi,edi
		push ds //4
		push es //4
		push gs //4
		push fs //4

		mov ax,0x23 // kernel-side data selector for ds/es/gs
		mov ds,ax
		mov es,ax
		mov gs,ax
		mov ax,0x30 // per-CPU data selector expected in fs by kernel code
		mov fs,ax

		mov eax,esp
		add eax,48 // skip the 48 bytes pushed above: esp at entry = frame
		push eax //the location of the original stack // arg 2: the original interrupt frame
		PUSH 3 //int 3 identifier // arg 1: interrupt number
		CALL GeneralHandler //call my regular int handler // our own handler (__stdcall, pops both args)
		cmp eax,1 //if 1 then do no handle the original handler
		je Exit
		pop fs
		pop gs
		pop es
		pop ds
		POPAD
Original:
		// Continue into the original handler: replay the prologue bytes the
		// inline patch presumably overwrote, then jump 9 bytes past the patch.
		push 0
		mov word ptr [esp+2], 0
		mov eax,uAddrOfInt3
		add eax,9
		jmp eax

Exit:
		// Restore registers and return straight to the interrupted code;
		// the int 3 is never delivered to the original handler.
		pop fs	
		pop gs
		pop es
		pop ds
		POPAD		
		IRETD
	}

	
}
2013-12-10 18:17