-
-
[求助]无法存取 kthread 结构的 trapframe
-
发表于:
2014-7-9 17:36
6940
-
[求助]无法存取 kthread 结构的 trapframe
请问大家!
kthread里头的trapframe是无法存取的吗?
我只要一读取 立刻蓝屏 错误代号 0x50 ...
不知道各位有没有碰过这个问题?
而且更奇怪的是 我可以用windbg查看trapframe.eip 我的驱动却无法存取
kthread这样重要的对象 应当是在非分页的内存吧?
查看trapframe.eip 的地址的页表项 正常 (attach之后)
尝试过提升irql为 1 和2 依然蓝屏 好头痛...
附上我的代码:
void DriverUnload(PDRIVER_OBJECT pDriverObj);
NTSTATUS DriverEntry( IN PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath )
{
char SuspendCount;
ULONG CrossThreadFlags;
char* pekthread;
int* pCurrentEPROCESS,pEPROCESS,pEPROCESSOfServices;
char services[]="services.exe";
NTSTATUS status;
ULONG i,c,b;
theDriverObject->DriverUnload=DriverUnload;
_asm
{
_emit 0xcc
}
//=====================取得 service.exe 的 EPROCESS================================================
pCurrentEPROCESS = (int*)PsGetCurrentProcess();
pEPROCESS = pCurrentEPROCESS;
do
{
DbgPrint("PID:%d ImageName:%s ", *((int*)(pEPROCESS+EPROCESS_PID_OFFSET)), pEPROCESS+EPROCESS_IMAGENAME_OFFSET );
if( strcmp(pEPROCESS+EPROCESS_IMAGENAME_OFFSET,services)==0 )
{
DbgPrint("found service.exe's pEPROCESS=%X\n",pEPROCESS);
pEPROCESSOfServices=pEPROCESS;
break;
}
pEPROCESS= *((int*)(pEPROCESS+EPROCESS_FLINK_OFFSET))-EPROCESS_FLINK_OFFSET;
DbgPrint("next pEPROCESS=%X\n",pEPROCESS);
}while(pCurrentEPROCESS!=pEPROCESS);
//遍历trapframe.eip====================================
pekthread=((*((ULONG*)(pEPROCESSOfServices+0x190)))-0x22c);
do
{
SuspendCount = *(char*)(((ULONG)pekthread) + 0x1b9);
CrossThreadFlags = *(ULONG*)(((ULONG)pekthread) + 0x248);
if( !SuspendCount && !(CrossThreadFlags & 0x13) )
{
if( *((char*)(pekthread+0x02d))!=4 && *((char*)(pekthread+0x02d))!=0 )
{
DbgPrint("original EIP:%X", *((ULONG*)(*((ULONG*)(pekthread+0x134))+0x68)) ); //蓝屏,代码0x50 存取trapframe.eip时发生
}
}
pekthread= (*((ULONG*)(pekthread+0x22c)))-0x22c;
}while( ((*((ULONG*)(pEPROCESSOfServices+0x190)))-0x22c)!=pekthread );
return status;
}
void DriverUnload(PDRIVER_OBJECT pDriverObj)
{
}
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
