X64 Hook IDT 1号的问题..
发表于:
2017-2-27 14:48
/* Prototype of the kernel export KeSetAffinityThread. HOOKIDT resolves it at
 * run time through MmGetSystemRoutineAddress instead of linking it directly.
 * (The leading underscore + capital letter makes this a reserved identifier
 * in C; harmless here, but a name like KESETAFFINITYTHREAD_FN would be safer.) */
typedef NTSTATUS(NTAPI *_KeSetAffinityThread)
(
IN PKTHREAD Thread,
IN KAFFINITY Affinity
);
#pragma pack(1)
/* Memory operand written by __sidt(): 16-bit table limit followed by the
 * 64-bit linear base address. pack(1) keeps the two fields adjacent so the
 * struct matches the 10-byte operand the instruction stores. */
typedef struct{
USHORT limit;
ULONG64 BASE;
}IDT_INFO, *PIDT_INFO;
/* One 16-byte x64 IDT gate descriptor. HOOKIDT indexes the table at
 * idtinfo.BASE with this type and rebuilds / rewrites the 64-bit handler
 * address from OffsetLow (bits 0-15), OffsetMiddle (bits 16-31) and
 * OffsetHigh (bits 32-63); it leaves every other field as it found it.
 * Note that the Alignment member (8 bytes) overlays only the first half of
 * the 16-byte struct. */
typedef union _KIDTENTRY64
{
struct
{
USHORT OffsetLow;      /* handler address bits 0-15 */
USHORT Selector;       /* target code-segment selector */
USHORT IstIndex : 3;   /* interrupt stack table slot, 0 = none */
USHORT Reserved0 : 5;
USHORT Type : 5;       /* gate type */
USHORT Dpl : 2;        /* descriptor privilege level */
USHORT Present : 1;
USHORT OffsetMiddle;   /* handler address bits 16-31 */
ULONG OffsetHigh;      /* handler address bits 32-63 */
ULONG Reserved1;
};
UINT64 Alignment;
} KIDTENTRY64, *PKIDTENTRY64;
#pragma pack()
/*
 * HOOKIDT - point IDT vector IDTID at NewfcuncAddress on every active
 * processor, reporting the previous handler address through *oldTRAP1.
 *
 * Walks the active-processor mask, pins the calling thread to each CPU in
 * turn, reads that CPU's IDT base with __sidt, and rewrites the three offset
 * fields of entry IDTID while at HIGH_LEVEL. Afterwards the thread's affinity
 * is set to the full active mask.
 *
 * Parameters:
 *   IDTID           - vector number to patch. It is NOT bounds-checked against
 *                     idtinfo.limit, so an out-of-range value writes past the
 *                     end of the table.
 *   NewfcuncAddress - address of the replacement handler (not validated).
 *   oldTRAP1        - receives the original handler address. It is only
 *                     written while it holds NULL, so the caller must
 *                     pre-initialise it (the global OldTrap0333 is).
 *
 * Returns STATUS_SUCCESS, or the bare value 1 when oldTRAP1 is not a valid
 * address. 1 is not an NTSTATUS failure code (NT_SUCCESS(1) is true), so a
 * caller using NT_SUCCESS() cannot see that failure.
 *
 * Risk notes (review): on 64-bit Windows the IDT is one of the structures
 * covered by Kernel Patch Protection; a modified gate is reported as
 * CRITICAL_STRUCTURE_CORRUPTION (bug check 0x109) when the next integrity
 * check runs. Rewriting IDT gates is a well-known rootkit technique; a
 * defender can detect it by checking that every gate's handler address lies
 * inside the loaded ntoskrnl/HAL images.
 */
NTSTATUS NTAPI HOOKIDT(ULONG IDTID, PVOID NewfcuncAddress, __out PVOID * oldTRAP1)
{
KIRQL oldIrql;
ULONG lowpart;
KAFFINITY processOrs;
PKTHREAD thread;
LONG i;
IDT_INFO idtinfo;
ULONG_PTR oldTrap = 0;
ULONG_PTR newTrap;
KIDTENTRY64*idt_entry;
UNICODE_STRING ustrKeSetAffinityThread;
_KeSetAffinityThread KeSetAffinityThread;
/* Resolve KeSetAffinityThread at run time; the result is called below
 * without a NULL check. */
RtlInitUnicodeString(&ustrKeSetAffinityThread, L"KeSetAffinityThread");
KeSetAffinityThread = (_KeSetAffinityThread)MmGetSystemRoutineAddress(&ustrKeSetAffinityThread);
processOrs = KeQueryActiveProcessors();
thread = KeGetCurrentThread();
newTrap = (ULONG_PTR)NewfcuncAddress;
/* Only the output pointer is validated; IDTID and NewfcuncAddress are not. */
if (!MmIsAddressValid(oldTRAP1))
{
return 1;
}
/* i is a 32-bit LONG and the literal 1 is an int: the loop visits at most the
 * low 32 bits of the 64-bit KAFFINITY mask, so processors 32 and above are
 * never patched. At i == 31, 1 << 31 overflows a signed int (undefined
 * behaviour); in practice the negative result sign-extends when widened to
 * KAFFINITY, so curProc can then cover several processors at once. */
for (i = 0; i < 32; i++)
{
KAFFINITY curProc = processOrs &(1 << i);
if (curProc != 0){
/* Pin this thread to the selected CPU so that __sidt reads that CPU's IDTR. */
KeSetAffinityThread(thread, curProc);
__sidt(&idtinfo);
idt_entry = (KIDTENTRY64 *)idtinfo.BASE;
/* Rebuild the 64-bit handler address from the three split offset fields. */
oldTrap = (ULONG_PTR)((((ULONGLONG)idt_entry[IDTID].OffsetHigh) << 32) | (ULONGLONG)(((idt_entry[IDTID].OffsetMiddle << 16) | idt_entry[IDTID].OffsetLow) & 0x00000000ffffffff));
/* Only the first CPU visited reports its original handler; the value read on
 * later CPUs is discarded. If *oldTRAP1 was non-NULL on entry, nothing is
 * ever saved. */
if (*oldTRAP1 == NULL)
{
*oldTRAP1 = (PVOID)oldTrap;
}
/* HIGH_LEVEL masks maskable interrupts on this CPU while the three partial
 * stores land, but the gate is torn between them: a synchronous exception on
 * vector IDTID inside that window would dispatch through a half-written
 * address (NOTE(review): IRQL does not mask exceptions — confirm for the
 * vector being patched). */
KeRaiseIrql(HIGH_LEVEL, &oldIrql);
lowpart = (ULONG)((ULONGLONG)(newTrap));
idt_entry[IDTID].OffsetLow = (USHORT)lowpart;
idt_entry[IDTID].OffsetMiddle = (USHORT)(lowpart >> 16);
idt_entry[IDTID].OffsetHigh = (ULONG)((ULONGLONG)newTrap >> 32);
KeLowerIrql(oldIrql);
}
}
/* Set affinity to the full active-processor mask. The thread's previous
 * affinity was never queried, so this is not a true restore. */
KeSetAffinityThread(thread, processOrs);
return STATUS_SUCCESS;
}
/*
 * KiDebugTrapOrFault - C-level body reached from the MyKiDebugTrapOrFault
 * trampoline on every vector-1 (#DB) dispatch.
 *
 * Emits one KdPrint trace line and returns 0; the trampoline does not consume
 * the return value. NOTE(review): this executes at the raw interrupt entry,
 * before the original vector-1 handler has run, so there is no supported
 * execution context for calling into the kernel runtime from here. The name
 * also appears to shadow an internal ntoskrnl symbol of the same name, which
 * makes crash-dump stack traces confusing.
 */
ULONG KiDebugTrapOrFault()
{
    ULONG result = 0;

    KdPrint((".....\n"));

    return result;
}
/* Original IDT vector-1 handler address. DriverEntry passes its address to
 * HOOKIDT as oldTRAP1, and MyKiDebugTrapOrFault uses it as its final jump
 * target. Must start as NULL: HOOKIDT only stores into it while it is NULL. */
PVOID OldTrap0333 = NULL;
/*
 * MyKiDebugTrapOrFault - raw handler installed into IDT vector 1 (#DB) by
 * HOOKIDT (see DriverEntry). Builds a frame, saves the integer registers and
 * RFLAGS, calls the C routine KiDebugTrapOrFault, restores everything and
 * jumps to the original handler saved in OldTrap0333.
 *
 * Review notes:
 *  - __declspec(naked) and __asm blocks are not accepted by the Microsoft
 *    compiler for x64 targets; this listing only builds with a toolchain that
 *    supports x64 inline assembly (the supported route is a separate .asm
 *    file, which is outside this listing).
 *  - This runs at the raw vector-1 entry point, before the original handler
 *    has done any of its own entry work. There is no supported execution
 *    context for calling into the kernel runtime (KdPrint) from here; the
 *    crash described at the end of the post is consistent with that.
 *  - Only the integer registers and RFLAGS are saved; any vector/FP state the
 *    callee touches is not preserved.
 *  - The 200-byte reservation is unexplained; the frame is torn down with
 *    mov rsp, rbp / pop rbp, so its size does not affect the restore, but the
 *    x64 calling-convention requirements at the call site are not visibly
 *    honoured.
 *  - jmp OldTrap0333 must be an indirect jump through the QWORD variable;
 *    whether the assembler encodes it that way or as a jump to the variable's
 *    own address depends on its label rules — verify the emitted bytes.
 */
VOID __declspec(naked) MyKiDebugTrapOrFault()
{
__asm
{
; frame: rbp anchors the restore below, size of the reservation is arbitrary
push rbp
mov rbp, rsp
sub rsp, 200
; save all integer registers in this fixed order (mirrored by the pops)
push rax
push rcx
push rdx
push rbx
push rsi
push rdi
push r8
push r9
push r10
push r11
push r12
push r13
push r14
push r15
pushfq
; C body; its return value (rax) is discarded by the pop rax below
call KiDebugTrapOrFault
popfq
pop r15
pop r14
pop r13
pop r12
pop r11
pop r10
pop r9
pop r8
pop rdi
pop rsi
pop rbx
pop rdx
pop rcx
pop rax
; discard the frame and continue into the original vector-1 handler
mov rsp, rbp
pop rbp
jmp OldTrap0333
}
}
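/*
 * DriverEntry - driver initialisation.
 *
 * Installs the dispatch table and unload routine, creates the control device
 * and its symbolic link, then installs the vector-1 IDT hook through HOOKIDT.
 * Every failure path releases what was created before it.
 *
 * Parameters:
 *   pDriverObj      - driver object supplied by the I/O manager.
 *   pRegistryString - registry path; unused.
 *
 * Returns STATUS_SUCCESS, or the failure status of IoCreateDevice /
 * IoCreateSymbolicLink, or STATUS_UNSUCCESSFUL when HOOKIDT does not report
 * STATUS_SUCCESS.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString)
{
    NTSTATUS status;
    UNICODE_STRING devName;
    UNICODE_STRING linkName;
    PDEVICE_OBJECT devObj = NULL;

    (void)pRegistryString;

    /* Dispatch routines and unload routine (all defined outside this listing). */
    pDriverObj->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
    pDriverObj->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
    pDriverObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl;
    /* NOTE(review): the original comment here said "no unload allowed", yet an
     * unload routine is installed. Whatever DriverUnload does is outside this
     * file; if it does not put IDT entry 1 back before the image is unmapped,
     * the next #DB would jump into freed code. */
    pDriverObj->DriverUnload = DriverUnload;

    RtlInitUnicodeString(&devName, DEVICE_NAME);
    status = IoCreateDevice(pDriverObj, 0, &devName, FILE_DEVICE_UNKNOWN, 0, FALSE, &devObj);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    RtlInitUnicodeString(&linkName, LINK_NAME);
    status = IoCreateSymbolicLink(&linkName, &devName);
    if (!NT_SUCCESS(status)) {
        IoDeleteDevice(devObj);
        return status;
    }

    /* HOOKIDT signals its only failure with a bare 1, which NT_SUCCESS() would
     * accept, so compare against STATUS_SUCCESS and map the result to a real
     * NTSTATUS error before unwinding. */
    status = HOOKIDT(0x1, MyKiDebugTrapOrFault, &OldTrap0333);
    if (status != STATUS_SUCCESS) {
        IoDeleteSymbolicLink(&linkName);
        IoDeleteDevice(devObj);
        return NT_SUCCESS(status) ? STATUS_UNSUCCESSFUL : status;
    }

    return STATUS_SUCCESS;
}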
现在的问题是：代理函数里只有一条打印代码。把它屏蔽掉的话，一直都正常；放开的话就挂了。这是为什么？