我只是截取了我代码中的关键片段，至于详细的部分你们自己想。
控制是否恢复DR的是DR7和dbgactive这两个，或者patch相关字节。
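/*
 * T_KiRestoreDebugRegisterState
 *
 * Reloads the hardware debug registers DR0-DR3, DR6 and DR7 of the
 * current thread from the per-thread record kept in the driver's own
 * lists (Dr_FindProcessList, then Dr_FindThreadContextByThreadList).
 * The author's note describes this as restoring the DRs on the
 * kernel-to-user transition; the caller and the IRQL it runs at are
 * not visible here.
 *
 * Does nothing when the current thread, its process, or either list
 * lookup yields NULL.  Each register receives the saved value
 * zero-extended: only the low 32 bits of the stored Dr* field are
 * loaded and the upper 32 bits are zero, which is exactly what the
 * original LowPart/HighPart split produced.
 *
 * Fixes relative to the original: a void function returned a value
 * (`return 0;`), an integer was initialised with NULL, and a stray
 * double semicolon; the LARGE_INTEGER alias of the scratch variable is
 * replaced by a plain cast.
 *
 * NOTE(review): assumes the Dr* members of THREAD_dr_List are integer
 * types -- confirm against the structure definition.
 */
VOID T_KiRestoreDebugRegisterState(void)
{
    PETHREAD Thread = NULL;
    PEPROCESS Process = NULL;
    PPROCESS_List PlIST = NULL;
    PTHREAD_dr_List TList = NULL;

    /* Guard clauses: any missing link in thread -> process -> list -> record
     * means there is nothing to restore. */
    Thread = PsGetCurrentThread();
    if (Thread == NULL) {
        return;
    }

    Process = IoThreadToProcess(Thread);
    if (Process == NULL) {
        return;
    }

    PlIST = Dr_FindProcessList(Process);
    if (PlIST == NULL) {
        return;
    }

    TList = Dr_FindThreadContextByThreadList(PlIST, Thread);
    if (TList == NULL) {
        return;
    }

    /* __writedr expects the register number as a constant, so one call per
     * register.  (ULONG) keeps the low 32 bits, (ULONG64) zero-extends. */
    __writedr(0, (ULONG64)(ULONG)TList->Dr0);
    __writedr(1, (ULONG64)(ULONG)TList->Dr1);
    __writedr(2, (ULONG64)(ULONG)TList->Dr2);
    __writedr(3, (ULONG64)(ULONG)TList->Dr3);
    __writedr(6, (ULONG64)(ULONG)TList->Dr6);
    /* DR7 last: it enables whatever the address registers above now hold. */
    __writedr(7, (ULONG64)(ULONG)TList->Dr7);
}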
/*
 * Fragment only -- the enclosing function is not part of the excerpt.
 * `contex`, `mycontex`, `pframe` and `Thread` are declared outside this
 * span.  The author's note above says DR7 and the thread's debug-active
 * flag decide whether the debug registers are restored.
 */
/* Dr7 is an integer field; this comparison with NULL reads as "Dr7 != 0". */
if (contex->Dr7 != NULL)
{
/* Stores 0x40 into byte 3 of the thread object when DR7 is non-zero.
 * The note above suggests this is the debug-active flag, but the offset
 * is hard-coded and therefore tied to one OS build -- confirm.  Also
 * assumes `Thread` is a byte-sized pointer type in this scope, since
 * arithmetic on an opaque PETHREAD would not compile. */
*(UCHAR*)(Thread + 0x3) = 0x40;
}
/* Keep a copy of the caller-supplied debug registers and EFlags. */
mycontex.Dr0 = contex->Dr0;
mycontex.Dr1 = contex->Dr1;
mycontex.Dr2 = contex->Dr2;
mycontex.Dr3 = contex->Dr3;
mycontex.Dr6 = contex->Dr6;
mycontex.Dr7 = contex->Dr7;
mycontex.EFlags = contex->EFlags;
/* Overwrite Dr0-Dr3 and Dr6 in the context with the low 32 bits of the
 * corresponding pframe fields (pframe is presumably a trap frame -- not
 * shown here).  The LARGE_INTEGER cast truncates each value to LowPart. */
contex->Dr0 = ((PLARGE_INTEGER)(&pframe->Dr0))->LowPart;
contex->Dr1 = ((PLARGE_INTEGER)(&pframe->Dr1))->LowPart;
contex->Dr2 = ((PLARGE_INTEGER)(&pframe->Dr2))->LowPart;
contex->Dr3 = ((PLARGE_INTEGER)(&pframe->Dr3))->LowPart;
contex->Dr6 = ((PLARGE_INTEGER)(&pframe->Dr6))->LowPart;
/* Dr7 and EFlags are not overwritten: the two assignments below are disabled,
 * so the context keeps the values the caller passed in. */
// contex->Dr7 = ((PLARGE_INTEGER)(&pframe->Dr7))->LowPart;
// contex->EFlags = pframe->EFlags;
博客嘎嘎:http://blog.csdn.net/qq_18942885
实现内核切用户层恢复DR