[求助]WIN7调用KeUserModeCallback蓝屏-编程技术-看雪-安全社区|安全招聘|kanxue.com

[求助]WIN7调用KeUserModeCallback蓝屏

发表于: 2014-4-27 21:14 9610

[求助]WIN7调用KeUserModeCallback蓝屏

iceway

2014-4-27 21:14

9610

代码基本上是抄V大的了 XP下什么问题都没有的
ApiIndex也没错
user32.dll!ClientLoadLibrary 用IDA分析过了参数也没错啊
求指导菜鸟一个

extern "C"
NTSYSAPI NTSTATUS NTAPI 
KeUserModeCallback(
				   IN ULONG ApiNumber,
				   IN PVOID InputBuffer,
				   IN ULONG InputLength,
				   OUT PVOID *OutputBuffer,
				   IN PULONG OutputLength
				   );



typedef struct _CLientLoadLibraryParam
{
	DWORD dwSize;//+0
	DWORD dwStringLength; //+4
	DWORD ReservedZero1;//+8
	DWORD ReservedZero2;//+C
	DWORD ReservedZero3;//+10
	DWORD ReservedZero4;//+14
	DWORD ReservedZero5;//+18 () +1A () //不需要！
	DWORD ptrDllString;//+1C
	DWORD ReservedZero6;//+20
	DWORD ptrApiString;//+24
	WCHAR szDllName[MAX_PATH];
	WCHAR szApiName[MAX_PATH];
}CLientLoadLibraryParam,*PCLientLoadLibraryParam;




NTSTATUS InjectDll(LPCWSTR lpszDll,LPCWSTR lpszApi)
{
	PVOID Return;
	ULONG RetLen;
	PVOID BaseAddress = NULL;
	SIZE_T size = sizeof(CLientLoadLibraryParam);
	NTSTATUS ns;
	ns = ZwAllocateVirtualMemory(NtCurrentProcess(),
		&BaseAddress,
		0,
		&size,
		MEM_COMMIT,
		PAGE_EXECUTE_READWRITE);
	if (NT_SUCCESS(ns))
	{
		PCLientLoadLibraryParam p = (PCLientLoadLibraryParam)BaseAddress;
		RtlZeroMemory(p,sizeof(CLientLoadLibraryParam));
		p->dwSize = sizeof(CLientLoadLibraryParam);
		//p->ReservedZero4 = 1;//这样子就是平滑模式了!
		wcsncpy(p->szApiName,lpszApi,MAX_PATH);
		wcsncpy(p->szDllName,lpszDll,MAX_PATH);
		p->ptrApiString = (DWORD)p->szApiName;
		p->ptrDllString = (DWORD)p->szDllName;

		RTL_OSVERSIONINFOW verInfo;
		RtlGetVersion(&verInfo);

		ULONG uFuncIndex = 0x00;//xp
		if ( verInfo.dwMajorVersion == 5 )
		{
			switch (verInfo.dwMinorVersion)
			{
			case 1://xp
				{
					uFuncIndex = 0x42;
				}
				break;
			}
		}
		else if ( verInfo.dwMajorVersion == 6 )
		{
			switch (verInfo.dwMinorVersion)
			{
			case 0://2008
				{

				}
				break;
			case 1://win7x32 sp1
				{
					uFuncIndex = 0x41;
				}
				break;
			}
		}
		else//不支持
		{
			ns = STATUS_UNSUCCESSFUL;
			goto _done;
		}
		if ( uFuncIndex != 0 )
		{
			ns = KeUserModeCallback(uFuncIndex,//Win7上是0x41
				BaseAddress,
				sizeof(CLientLoadLibraryParam),
				&Return,
				&RetLen
				);
		}

	}
_done:
	if ( BaseAddress )
	{
		ZwFreeVirtualMemory(NtCurrentProcess(), &BaseAddress, &size, MEM_COMMIT);
		BaseAddress = NULL;
	}
	return ns;
}

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 1, {0, 7ffde000, ffff, 0}

Probably caused by : Unknown_Image ( ANALYSIS_INCONCLUSIVE )

Followup: MachineOwner
---------

nt!RtlpBreakWithStatusInstruction:
83c8b110 cc              int     3
1: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

APC_INDEX_MISMATCH (1)
This is a kernel internal error. The most common reason to see this
bugcheck is when a filesystem or a driver has a mismatched number of
calls to disable and re-enable APCs. The key data item is the
Thread->KernelApcDisable field. A negative value indicates that a driver
has disabled APC calls without re-enabling them.  A positive value indicates
that the reverse is true. This check is made on exit from a system call.
Arguments:
Arg1: 00000000, address of system function (system call)
Arg2: 7ffde000, Thread->ApcStateIndex << 8 | Previous ApcStateIndex
Arg3: 0000ffff, Thread->KernelApcDisable
Arg4: 00000000, Previous KernelApcDisable

Debugging Details:
------------------


DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0x1

PROCESS_NAME:  explorer.exe

CURRENT_IRQL:  2

LAST_CONTROL_TRANSFER:  from 83cef083 to 83c8b110

STACK_TEXT:  
8a5e8f3c 83cef083 00000003 66abcfbd 00000065 nt!RtlpBreakWithStatusInstruction
8a5e8f8c 83cefb81 00000003 0015e604 0015df14 nt!KiBugCheckDebugBreak+0x1c
8a5e9350 83c8f5e3 00000001 00000000 7ffde000 nt!KeBugCheck2+0x68b
8a5e937c 83e88f90 8a5e9530 8a5e9524 0015df14 nt!KiCallUserMode+0x5f
8a5e93d8 92351287 00000041 03c40000 00000438 nt!KeUserModeCallback+0xec
8a5e9538 92351331 92352db0 92352dd0 865c5030 sky!InjectDll+0x157 [g:\sys\tdifilter\helloddk\helloddk\shielder.h @ 996]
8a5e954c 83e78802 00000700 000005e4 00000001 sky!shielder_thread_notify_routine+0x61 [g:\sys\tdifilter\helloddk\helloddk\shielder.h @ 1034]
8a5e9604 83e5ebcb 8656ed48 00000040 8a5e9814 nt!PspInsertThread+0x656
8a5e97cc 83e8232f 0015e3f8 001fffff 00000000 nt!PspCreateThread+0x244
8a5e9c00 83c4e1ea 0015e3f8 001fffff 00000000 nt!NtCreateThreadEx+0x20b
8a5e9c00 770a70b4 0015e3f8 001fffff 00000000 nt!KiFastCallEntry+0x12a
0015e360 770a5734 7546bf62 0015e3f8 001fffff ntdll!KiFastSystemCallRet
0015e364 7546bf62 0015e3f8 001fffff 00000000 ntdll!NtCreateThreadEx+0xc
0015e614 761b377d ffffffff 00000000 00000000 KERNELBASE!CreateRemoteThreadEx+0x161
0015e63c 7671450f 00000000 00000000 767142ed kernel32!CreateThreadStub+0x20
0015e6ac 7671458c 7588f5b0 03b703d0 0000002a SHLWAPI!CreateThreadWorker+0x11a
0015e6c8 7588f7e4 7588f5b0 03b703d0 0000002a SHLWAPI!SHCreateThread+0x18
0015e6f0 7577944f 000100e8 002c1610 002889c4 SHELL32!SHInvokeCommandOnBackgroundThread+0xd1
0015e9b8 7577a2c9 00000000 00000000 00000000 SHELL32!CDefView::_InvokeContextMenuVerbOnSelectionWorker+0x101
0015e9d0 7577a771 00000000 00000000 0015ec44 SHELL32!CDefView::_InvokeContextMenuVerbOnSelection+0x65
0015e9e0 755894bf 002c16bc 00000000 0015f19c SHELL32!CDefView::OnActivateSelection+0x18
0015ec44 7558d3b3 0015f19c 0015f19c 002bbf50 SHELL32!CListViewHost::_OnLVNotify+0x625
0015ec5c 7558d36a 0015f19c 00000000 00000000 SHELL32!CListViewHost::_OnNotify+0x49
0015eeac 755b833c 000100ea 0000004e 00000001 SHELL32!CListViewHost::_ViewSubclassWndProc+0x34a
0015eecc 7416f5ee 000100ea 0000004e 00000001 SHELL32!CListViewHost::s_ViewSubclassWndProc+0x29
WARNING: Stack unwind information not available. Following frames may be wrong.
0015ef30 7416f490 001d08a8 000100ea 0000004e comctl32!DefSubclassProc+0x92
0015ef90 7677c4e7 000100ea 0000004e 00000001 comctl32!DPA_Sort+0x2f7
0015efbc 7677c5e7 7416f44c 000100ea 0000004e USER32!InternalCallWinProc+0x23
0015f034 76775294 00200d84 7416f44c 000100ea USER32!UserCallWinProcCheckWow+0x14b
0015f074 76775582 007b98d8 007b9840 00000001 USER32!SendMessageWorker+0x4d0
0015f094 7416c05d 000100ea 0000004e 00000001 USER32!SendMessageW+0x7c
0015f130 74237973 00294b14 ffffff8e 0015f19c comctl32!DetachScrollBars+0x1fc
0015f14c 74211688 0015f19c 00294bcc 00294ae0 comctl32!TaskDialog+0x8c67
0015f1f4 741e30df 00000001 00000021 0000007f comctl32!DPA_Merge+0x2c62d
0015f210 741e2147 00000001 00000021 0000007f comctl32!GetEffectiveClientRect+0x1ee7
0015f390 7416fe70 000100ec 00000203 00000001 comctl32!GetEffectiveClientRect+0xf4f
0015f3b8 7677c4e7 000100ec 00000203 00000001 comctl32!CCGetScrollInfo+0x312
0015f3e4 7677c5e7 7416fe38 000100ec 00000203 USER32!InternalCallWinProc+0x23
0015f45c 76771b31 00200d84 7416fe38 000100ec USER32!UserCallWinProcCheckWow+0x14b
0015f48c 76771b57 7416fe38 000100ec 00000203 USER32!CallWindowProcAorW+0x99
0015f4ac 7416f443 7416fe38 000100ec 00000203 USER32!CallWindowProcW+0x1b
0015f4c8 7416f5ee 000100ec 00000203 00000001 comctl32!DPA_Sort+0x2aa
0015f52c 7416f5a2 001d0948 000100ec 00000203 comctl32!DefSubclassProc+0x92
0015f550 755b8180 000100ec 00000203 00000001 comctl32!DefSubclassProc+0x46
0015f5b0 7416f5ee 000100ec 00000203 00000001 SHELL32!CListViewHost::s_ListViewSubclassWndProc+0x213
0015f614 7416f490 001d0948 000100ec 00000203 comctl32!DefSubclassProc+0x92
0015f674 7677c4e7 000100ec 00000203 00000001 comctl32!DPA_Sort+0x2f7
0015f6a0 7677c5e7 7416f44c 000100ec 00000203 USER32!InternalCallWinProc+0x23
0015f718 7677cc19 00200d84 7416f44c 000100ec USER32!UserCallWinProcCheckWow+0x14b
0015f778 7677cc70 7416f44c 00000000 0015f7bc USER32!DispatchMessageWorker+0x35e
0015f788 755ba46e 0015f79c 00000000 00000000 USER32!DispatchMessageW+0xf
0015f7bc 755ba2be 80000000 7555664b 002b1eb8 SHELL32!CDesktopBrowser::_PeekForAMessage+0x153
0015f7d8 75518981 04010000 0015f890 005452ca SHELL32!CDesktopBrowser::_MessageLoop+0x1e
0015f7e4 005452ca 002b1eb8 005d22cc 00000001 SHELL32!SHDesktopMessageLoop+0x29
0015f890 00551080 00520000 00000000 001d1712 Explorer!wWinMain+0x551
0015f924 761b3c45 7ffdf000 0015f970 770c37f5 Explorer!_initterm_e+0x1b1
0015f930 770c37f5 7ffdf000 77063bee 00000000 kernel32!BaseThreadInitThunk+0xe
0015f970 770c37c8 00550efa 7ffdf000 00000000 ntdll!__RtlUserThreadStart+0x70
0015f988 00000000 00550efa 7ffdf000 00000000 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND:  kb

SYMBOL_NAME:  ANALYSIS_INCONCLUSIVE

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Unknown_Module

IMAGE_NAME:  Unknown_Image

DEBUG_FLR_IMAGE_TIMESTAMP:  0

FAILURE_BUCKET_ID:  0x1_SysCallNum_58_ANALYSIS_INCONCLUSIVE

BUCKET_ID:  0x1_SysCallNum_58_ANALYSIS_INCONCLUSIVE

Followup: MachineOwner
---------

[课程]Linux pwn 探索篇！

收藏・3

免费・0

支持

最新回复 (9)
iceway 雪币： 19 活跃值： (1086) 能力值： ( LV2，RANK：10 ) 在线值：发帖 88 回帖 813 粉丝 5 关注私信	iceway 2 楼 Breakpoint 2 hit win32k!ClientLoadLibrary+0xd2: 83815bec ff1578049783 call dword ptr [win32k!_imp__KeUserModeCallback (83970478)] 0: kd> dd 8b61b53c 8b61b53c 00000041(0x41) 8b61b5a4(BaseAddress) 00000098(size) 8b61b594(Return) 8b61b54c(RetLen) 8b61b598 08f9c2e1 83c48ed8 00000000 8b61b55c fe66bb78 00000000 00000000 00026161 8b61b56c 83d3bd20 00010001 8b61b5bc 00010001 8b61b57c 00010001 00000002 00010001 00000001 8b61b58c 00000000 855cbbb0 00000000 005cbbb0 8b61b59c 00000003 8b61b5a4 00000098 00000068 8b61b5ac 00000002 8b61b638 00000028 00000000 0: kd> db 8b61b5a4 8b61b5a4 98 00 00 00 68 00 00 00-02 00 00 00 38 b6 61 8b ....h.......8.a. 8b61b5b4 28 00 00 00 00 00 00 00-3e 00 40 00 30 00 00 00 (.......>.@.0... 8b61b5c4 20 00 22 00 70 00 00 00-1c 00 00 00 24 00 00 00 .".p.......$... 8b61b5d4 43 00 3a 00 5c 00 57 00-69 00 6e 00 64 00 6f 00 C.:.\.W.i.n.d.o. 8b61b5e4 77 00 73 00 5c 00 73 00-79 00 73 00 74 00 65 00 w.s.\.s.y.s.t.e. 8b61b5f4 6d 00 33 00 32 00 5c 00-75 00 78 00 74 00 68 00 m.3.2.\.u.x.t.h. 8b61b604 65 00 6d 00 65 00 2e 00-64 00 6c 00 6c 00 00 00 e.m.e...d.l.l... 8b61b614 54 00 68 00 65 00 6d 00-65 00 49 00 6e 00 69 00 T.h.e.m.e.I.n.i. 2014-4-28 00:11 0
cvcvxk 雪币： 8865 活跃值： (2379) 能力值： ( LV12，RANK：760 ) 在线值：发帖 125 回帖 3095 粉丝 233 关注私信	cvcvxk 10 3 楼我想你能看懂吧~ 这代码就是这个意思： if(CurrentThread->Tcb.ApcStateIndex != 0 \|\| CurrentThread->Tcb.KernelApcDisable!=0) KeBugCheck2(.....) 上传的附件： QQ图片20140428003230.jpg （8.95kb，1次下载） 2014-4-28 00:37 0
iceway 雪币： 19 活跃值： (1086) 能力值： ( LV2，RANK：10 ) 在线值：发帖 88 回帖 813 粉丝 5 关注私信	iceway 4 楼好的我试试去 2014-4-28 00:47 0
iceway 雪币： 19 活跃值： (1086) 能力值： ( LV2，RANK：10 ) 在线值：发帖 88 回帖 813 粉丝 5 关注私信	iceway 5 楼 int __stdcall __ClientLoadLibrary(int a1) { HMODULE v1; // edi@4 const WCHAR v2; // eax@5 HMODULE v3; // esi@6 int v4; // edi@6 FARPROC v5; // eax@7 CHAR ProcName; // [sp+18h] [bp-108h]@1 char Dst; // [sp+19h] [bp-107h]@1 unsigned int v9; // [sp+11Ch] [bp-4h]@1 int v10; // [sp+120h] [bp+0h]@1 v9 = (unsigned int)&v10 ^ __security_cookie; ProcName = 0; memset(&Dst, 0, 0x103u); if ( (_DWORD )(a1 + 8) && !(_DWORD )(a1 + 0x14) ) FixupCallbackPointers(a1); v1 = LoadLibraryExW((LPCWSTR )(a1 + 0x1C), 0, 8u); if ( v1 ) { v2 = (const WCHAR *)(a1 + 0x24); if ( v2 ) { v3 = v1; v4 = WideCharToMultiByte(0, 0x400u, v2, -1, &ProcName, 260, 0, 0); if ( !v4 ) goto LABEL_16; v5 = GetProcAddress(v3, &ProcName); if ( !v5 \|\| !InitUserApiHook(v3, v5) ) // InitUserApiHook条件不成立导致Dll被马上卸载了 v4 = 0; if ( !v4 ) LABEL_16: FreeLibrary(v3); } } return XyCallbackReturn(0); // 参数1:DLL模块句柄参数2:DLL导出函数的地址 signed int __stdcall InitUserApiHook(int a1, int a2) { signed int v2; // edi@1 _UNKNOWN v3; // esi@1 unsigned int v5; // [sp+8h] [bp-68h]@1 int v6; // [sp+14h] [bp-5Ch]@7 int v7; // [sp+38h] [bp-38h]@7 int v8; // [sp+48h] [bp-28h]@7 int (__stdcall v9)(int); // [sp+5Ch] [bp-14h]@5 v2 = 0; ResetUserApiHook(&v5); v3 = &gcsUserApiHook; RtlEnterCriticalSection(&gcsUserApiHook); if ( !((int (__stdcall )(_DWORD, unsigned int ))a2)(0, &v5) \|\| v5 <= 0 \|\| v9 != ForceResetUserApiHook ) { RtlLeaveCriticalSection(&gcsUserApiHook); return 0; } if ( ghmodUserApiHook ) { if ( ghmodUserApiHook != a1 ) // 这里条件成立了函数就跳出了导致DLL被卸载这里是什么东西不明白？ goto LABEL_9; ++gcLoadUserApiHook; } else { ghmodUserApiHook = a1; memcpy(&guah, &v5, 0x64u); gpfnInitUserApi = a2; gcLoadUserApiHook = 1; gfUserApiHook = 1; CopyMsgMask((int)&unk_77D7978C, (int)&v6, &grgbDwpLiteHookMsg, 128); CopyMsgMask((int)&unk_77D797B0, (int)&v7, &grgbWndLiteHookMsg, 128); CopyMsgMask((int)&unk_77D797C0, (int)&v8, &grgbDlgLiteHookMsg, 128); v3 = &gcsUserApiHook; } v2 = 1; // 表示函数成功 LABEL_9: RtlLeaveCriticalSection(v3); if ( !v2 ) ((void (__stdcall )(signed int, _DWORD))a2)(1, 0); return v2; } 2014-4-29 15:32 0
cvcvxk 雪币： 8865 活跃值： (2379) 能力值： ( LV12，RANK：760 ) 在线值：发帖 125 回帖 3095 粉丝 233 关注私信	cvcvxk 10 6 楼这个问题DLL里做点处理就好了~ 比如DLL里再加载一个DLL~ 2014-4-29 15:53 0
xtptvvvv 雪币： 1 活跃值： (14) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 51 粉丝 0 关注私信	xtptvvvv 7 楼搭车同问，我也遇到了这个问题，XP成功WIN7蓝屏。蓝屏码也是APC_INDEX_MISMATCH，在DLL导出了函数（2个参数，跟你的帖子一样），在DLLMAIN和导出函数里也加载了一个微软的DLL，但还是蓝，求解答。 2014-4-30 13:17 0
iceway 雪币： 19 活跃值： (1086) 能力值： ( LV2，RANK：10 ) 在线值：发帖 88 回帖 813 粉丝 5 关注私信	iceway 8 楼 pKthread = KeGetCurrentThread(); PSHORT KernelApcDisable = (PSHORT)((ULONG)pKthread + 0x84); PUCHAR ApcStateIndex = (PUCHAR)((ULONG)pKthread + 0x134); Original1 = KernelApcDisable; Original2 = ApcStateIndex; KeUserModeCallback。。。。。。。。。。。。。。。 //恢复APC KernelApcDisable = Original1; ApcStateIndex = Original2; 2014-4-30 13:55 0
xtptvvvv 雪币： 1 活跃值： (14) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 51 粉丝 0 关注私信	xtptvvvv 9 楼谢谢了。此外，_CLientLoadLibraryParam这个结构体的详细成员，是用WINDBG看的吗？还是用IDA看的？或者是其它神奇的工具？ 2014-4-30 14:28 0
iceway 雪币： 19 活跃值： (1086) 能力值： ( LV2，RANK：10 ) 在线值：发帖 88 回帖 813 粉丝 5 关注私信	iceway 10 楼 IDA+WINDBG 2014-4-30 14:34 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

iceway

发帖

813

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (9)
iceway 雪币： 19 活跃值： (1086) 能力值： ( LV2，RANK：10 ) 在线值：发帖 88 回帖 813 粉丝 5 关注私信	iceway 2 楼 Breakpoint 2 hit win32k!ClientLoadLibrary+0xd2: 83815bec ff1578049783 call dword ptr [win32k!_imp__KeUserModeCallback (83970478)] 0: kd> dd 8b61b53c 8b61b53c 00000041(0x41) 8b61b5a4(BaseAddress) 00000098(size) 8b61b594(Return) 8b61b54c(RetLen) 8b61b598 08f9c2e1 83c48ed8 00000000 8b61b55c fe66bb78 00000000 00000000 00026161 8b61b56c 83d3bd20 00010001 8b61b5bc 00010001 8b61b57c 00010001 00000002 00010001 00000001 8b61b58c 00000000 855cbbb0 00000000 005cbbb0 8b61b59c 00000003 8b61b5a4 00000098 00000068 8b61b5ac 00000002 8b61b638 00000028 00000000 0: kd> db 8b61b5a4 8b61b5a4 98 00 00 00 68 00 00 00-02 00 00 00 38 b6 61 8b ....h.......8.a. 8b61b5b4 28 00 00 00 00 00 00 00-3e 00 40 00 30 00 00 00 (.......>.@.0... 8b61b5c4 20 00 22 00 70 00 00 00-1c 00 00 00 24 00 00 00 .".p.......$... 8b61b5d4 43 00 3a 00 5c 00 57 00-69 00 6e 00 64 00 6f 00 C.:.\.W.i.n.d.o. 8b61b5e4 77 00 73 00 5c 00 73 00-79 00 73 00 74 00 65 00 w.s.\.s.y.s.t.e. 8b61b5f4 6d 00 33 00 32 00 5c 00-75 00 78 00 74 00 68 00 m.3.2.\.u.x.t.h. 8b61b604 65 00 6d 00 65 00 2e 00-64 00 6c 00 6c 00 00 00 e.m.e...d.l.l... 8b61b614 54 00 68 00 65 00 6d 00-65 00 49 00 6e 00 69 00 T.h.e.m.e.I.n.i. 2014-4-28 00:11 0
cvcvxk 雪币： 8865 活跃值： (2379) 能力值： ( LV12，RANK：760 ) 在线值：发帖 125 回帖 3095 粉丝 233 关注私信	cvcvxk 10 3 楼我想你能看懂吧~ 这代码就是这个意思： if(CurrentThread->Tcb.ApcStateIndex != 0 \|\| CurrentThread->Tcb.KernelApcDisable!=0) KeBugCheck2(.....) 上传的附件： QQ图片20140428003230.jpg （8.95kb，1次下载） 2014-4-28 00:37 0
iceway 雪币： 19 活跃值： (1086) 能力值： ( LV2，RANK：10 ) 在线值：发帖 88 回帖 813 粉丝 5 关注私信	iceway 4 楼好的我试试去 2014-4-28 00:47 0
iceway 雪币： 19 活跃值： (1086) 能力值： ( LV2，RANK：10 ) 在线值：发帖 88 回帖 813 粉丝 5 关注私信	iceway 5 楼 int __stdcall __ClientLoadLibrary(int a1) { HMODULE v1; // edi@4 const WCHAR v2; // eax@5 HMODULE v3; // esi@6 int v4; // edi@6 FARPROC v5; // eax@7 CHAR ProcName; // [sp+18h] [bp-108h]@1 char Dst; // [sp+19h] [bp-107h]@1 unsigned int v9; // [sp+11Ch] [bp-4h]@1 int v10; // [sp+120h] [bp+0h]@1 v9 = (unsigned int)&v10 ^ __security_cookie; ProcName = 0; memset(&Dst, 0, 0x103u); if ( (_DWORD )(a1 + 8) && !(_DWORD )(a1 + 0x14) ) FixupCallbackPointers(a1); v1 = LoadLibraryExW((LPCWSTR )(a1 + 0x1C), 0, 8u); if ( v1 ) { v2 = (const WCHAR *)(a1 + 0x24); if ( v2 ) { v3 = v1; v4 = WideCharToMultiByte(0, 0x400u, v2, -1, &ProcName, 260, 0, 0); if ( !v4 ) goto LABEL_16; v5 = GetProcAddress(v3, &ProcName); if ( !v5 \|\| !InitUserApiHook(v3, v5) ) // InitUserApiHook条件不成立导致Dll被马上卸载了 v4 = 0; if ( !v4 ) LABEL_16: FreeLibrary(v3); } } return XyCallbackReturn(0); // 参数1:DLL模块句柄参数2:DLL导出函数的地址 signed int __stdcall InitUserApiHook(int a1, int a2) { signed int v2; // edi@1 _UNKNOWN v3; // esi@1 unsigned int v5; // [sp+8h] [bp-68h]@1 int v6; // [sp+14h] [bp-5Ch]@7 int v7; // [sp+38h] [bp-38h]@7 int v8; // [sp+48h] [bp-28h]@7 int (__stdcall v9)(int); // [sp+5Ch] [bp-14h]@5 v2 = 0; ResetUserApiHook(&v5); v3 = &gcsUserApiHook; RtlEnterCriticalSection(&gcsUserApiHook); if ( !((int (__stdcall )(_DWORD, unsigned int ))a2)(0, &v5) \|\| v5 <= 0 \|\| v9 != ForceResetUserApiHook ) { RtlLeaveCriticalSection(&gcsUserApiHook); return 0; } if ( ghmodUserApiHook ) { if ( ghmodUserApiHook != a1 ) // 这里条件成立了函数就跳出了导致DLL被卸载这里是什么东西不明白？ goto LABEL_9; ++gcLoadUserApiHook; } else { ghmodUserApiHook = a1; memcpy(&guah, &v5, 0x64u); gpfnInitUserApi = a2; gcLoadUserApiHook = 1; gfUserApiHook = 1; CopyMsgMask((int)&unk_77D7978C, (int)&v6, &grgbDwpLiteHookMsg, 128); CopyMsgMask((int)&unk_77D797B0, (int)&v7, &grgbWndLiteHookMsg, 128); CopyMsgMask((int)&unk_77D797C0, (int)&v8, &grgbDlgLiteHookMsg, 128); v3 = &gcsUserApiHook; } v2 = 1; // 表示函数成功 LABEL_9: RtlLeaveCriticalSection(v3); if ( !v2 ) ((void (__stdcall )(signed int, _DWORD))a2)(1, 0); return v2; } 2014-4-29 15:32 0
cvcvxk 雪币： 8865 活跃值： (2379) 能力值： ( LV12，RANK：760 ) 在线值：发帖 125 回帖 3095 粉丝 233 关注私信	cvcvxk 10 6 楼这个问题DLL里做点处理就好了~ 比如DLL里再加载一个DLL~ 2014-4-29 15:53 0
xtptvvvv 雪币： 1 活跃值： (14) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 51 粉丝 0 关注私信	xtptvvvv 7 楼搭车同问，我也遇到了这个问题，XP成功WIN7蓝屏。蓝屏码也是APC_INDEX_MISMATCH，在DLL导出了函数（2个参数，跟你的帖子一样），在DLLMAIN和导出函数里也加载了一个微软的DLL，但还是蓝，求解答。 2014-4-30 13:17 0
iceway 雪币： 19 活跃值： (1086) 能力值： ( LV2，RANK：10 ) 在线值：发帖 88 回帖 813 粉丝 5 关注私信	iceway 8 楼 pKthread = KeGetCurrentThread(); PSHORT KernelApcDisable = (PSHORT)((ULONG)pKthread + 0x84); PUCHAR ApcStateIndex = (PUCHAR)((ULONG)pKthread + 0x134); Original1 = KernelApcDisable; Original2 = ApcStateIndex; KeUserModeCallback。。。。。。。。。。。。。。。 //恢复APC KernelApcDisable = Original1; ApcStateIndex = Original2; 2014-4-30 13:55 0
xtptvvvv 雪币： 1 活跃值： (14) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 51 粉丝 0 关注私信	xtptvvvv 9 楼谢谢了。此外，_CLientLoadLibraryParam这个结构体的详细成员，是用WINDBG看的吗？还是用IDA看的？或者是其它神奇的工具？ 2014-4-30 14:28 0
iceway 雪币： 19 活跃值： (1086) 能力值： ( LV2，RANK：10 ) 在线值：发帖 88 回帖 813 粉丝 5 关注私信	iceway 10 楼 IDA+WINDBG 2014-4-30 14:34 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复