
[求助]DbgkpSendApiMessage蓝屏

2017-4-12 09:50
3027

HOOK了DbgkForwardException发现个问题 

执行到DbgkpSendApiMessage发生访问错误蓝屏  

地址定位没问题

nt!DbgkpSendApiMessage+0x2b:

fffff800`0422d82b c7462c03010000  mov     dword ptr [rsi+2Ch],103h

1: kd> r

rax=0000000000000000 rbx=0000000000000000 rcx=fffff880049bdff0

rdx=0000000000000001 rsi=0000000000000001 rdi=00000000049bdff0

rip=fffff8000422d82b rsp=fffff880049bdf60 rbp=fffff880049be790

 r8=0000000000000065  r9=0000000000000003 r10=7373654d69704164

r11=000000000000000c r12=fffff880049be120 r13=000000000010005f

r14=fffff880049be900 r15=0000000001f1fc78

iopl=0         nv up ei pl zr na po nc

cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246

nt!DbgkpSendApiMessage+0x2b:

fffff800`0422d82b c7462c03010000  mov     dword ptr [rsi+2Ch],103h ds:002b:00000000`0000002d=????????


从寄存器看，rsi=rdx=1 在 [rsi+2Ch] 处被当作指针解引用，好像是第二个参数不对，应该是个指针

系统win7 x64

有大神来看看么?


下面是代码  地址定位没问题

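/*
 * Prototype of nt!DbgkpSendApiMessage as it is called on this Win7 x64 build.
 *
 * The WRK declares it as (ApiMsg, SuspendProcess). The crash dump above shows
 * rcx = &m and rdx = 1, and the faulting instruction dereferences rsi (= rdx)
 * at +0x2C (ApiMsg->ReturnedStatus = STATUS_PENDING), i.e. the kernel expects
 * the message pointer in the SECOND argument. The two parameters are therefore
 * swapped relative to the WRK. The exact type/meaning of the first argument
 * is not confirmed here; it is kept as the WRK's BOOLEAN SuspendProcess.
 */
typedef NTSTATUS (*DbgkpSendApiMessage)(IN BOOLEAN SuspendProcess, IN OUT PDBGKM_APIMSG ApiMsg);

/* Resolved at runtime by code outside this listing (address lookup not shown). */
DbgkpSendApiMessage dbgkpSendApiMessage;

/*
 * Raw structure offsets. These are specific to the Win7 x64 kernel this was
 * written against and must be re-verified for any other build; a wrong
 * offset here reads arbitrary memory from ETHREAD/EPROCESS.
 */
#define ETHREAD_CROSSTHREADFLAGS_OFFSET 0x450  /* masked with PS_CROSS_THREAD_FLAGS_* below */
#define EPROCESS_DEBUGPORT_OFFSET       0x1f0  /* 调试端口 / debug port */
#define EPROCESS_EXCEPTIONPORT_OFFSET   0x1f8  /* 异常端口 / exception port */

/*
 * Replacement for nt!DbgkForwardException: builds a DbgKmExceptionApi message
 * and delivers it to the current process's debug port (DebugException) or to
 * its LPC exception port (otherwise).
 *
 * ExceptionRecord - record to deliver; copied by value into the message.
 * DebugException  - TRUE: send to the debug port via dbgkpSendApiMessage,
 *                   FALSE: send to the exception port via dbgkpSendApiMessageLpc.
 * SecondChance    - TRUE on the second-chance pass (FirstChance = !SecondChance).
 *
 * Returns TRUE when the send succeeded and, for a debug exception, the
 * returned status is a success other than DBG_EXCEPTION_NOT_HANDLED.
 * Returns FALSE when no port is present, the send failed, or the debugger
 * did not handle the exception.
 */
BOOLEAN
OnDbgkForwardException(
    IN PEXCEPTION_RECORD ExceptionRecord,
    IN BOOLEAN DebugException,
    IN BOOLEAN SecondChance
    )
{
    PEPROCESS Process;
    PVOID Port;
    DBGKM_APIMSG m;
    PDBGKM_EXCEPTION args;
    NTSTATUS st;
    BOOLEAN LpcPort;

    PAGED_CODE();

    args = &m.u.Exception;
    DBGKM_FORMAT_API_MSG(m, DbgKmExceptionApi, sizeof(*args));

    Process = PsGetCurrentProcess();

    if (DebugException) {
        /* A thread flagged HideFromDebugger gets no debug port at all. */
        if (*(ULONG *)((ULONG64)PsGetCurrentThread() + ETHREAD_CROSSTHREADFLAGS_OFFSET) &
            PS_CROSS_THREAD_FLAGS_HIDEFROMDBG) {
            Port = NULL;
        } else {
            /* Read the pointer-sized field directly instead of going through ULONG64. */
            Port = *(PVOID *)((ULONG64)Process + EPROCESS_DEBUGPORT_OFFSET);
        }
        LpcPort = FALSE;
    } else {
        Port = *(PVOID *)((ULONG64)Process + EPROCESS_EXCEPTIONPORT_OFFSET);
        m.h.u2.ZeroInit = LPC_EXCEPTION;
        LpcPort = TRUE;
    }

    if (Port == NULL) {
        return FALSE;
    }

    args->ExceptionRecord = *ExceptionRecord;
    args->FirstChance = !SecondChance;

    if (LpcPort) {
        st = dbgkpSendApiMessageLpc(&m, Port, DebugException);
    } else {
        /*
         * Argument order swapped relative to the WRK (see the typedef above):
         * passing &m first put the value 1 into the message-pointer register
         * and faulted at [rsi+2Ch].
         */
        st = dbgkpSendApiMessage(DebugException, &m);
    }

    if (!NT_SUCCESS(st) ||
        (DebugException &&
         (m.ReturnedStatus == DBG_EXCEPTION_NOT_HANDLED || !NT_SUCCESS(m.ReturnedStatus)))) {
        return FALSE;
    }

    return TRUE;
}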



被wrk坑了：dbgkpSendApiMessage 的两个参数在这里要反过来（寄存器里 rcx=&m、rdx=1，而内核从 rdx 取消息指针）

