代码抄的Tesla.Angela 的win64驱动教程,能成功hook PsLookUpProcessByProcessId
但是 hook IoAllocateMdl 失败了。求助下大佬。感谢!!
已经修改了IoAllocateMdl 前面几个byte,能跳转到我的中继函数,但是在多执行几次IoAllocateMdl 之后就蓝了。
代码如下
// Install the IoAllocateMdl hook: resolve the export by name, then redirect its
// prologue to newIoAllocateMdl and keep the trampoline in ori_mdl.
// NOTE(review): GetFunctionAddr is not shown; presumably a wrapper around a
// system-routine lookup — confirm. Its result goes straight into HookKernelApi
// with no NULL check, so a failed lookup would make HookKernelApi read from and
// write to a NULL pointer.
PVOID add = GetFunctionAddr(L"IoAllocateMdl");
// pslp_head_n_byte / ori_mdl / pslp_patch_size are file-scope variables declared
// elsewhere. The "pslp" prefix suggests they were first used for the
// PsLookupProcessByProcessId hook mentioned above — verify the two hooks do not
// share them. The returned buffer holds the original prologue bytes, is owned by
// the caller, and is never freed in the code shown.
pslp_head_n_byte = HookKernelApi(add,
(PVOID)newIoAllocateMdl,
&ori_mdl,
&pslp_patch_size);
// Replacement body for IoAllocateMdl. The signature mirrors the original
// (VirtualAddress, Length, SecondaryBuffer, ChargeQuota, Irp) so the patched
// prologue can jump here directly. It substitutes the start address when the
// caller asks for an MDL over KdEnteredDebugger and otherwise forwards every
// call to the original code through the trampoline stored in ori_mdl.
// NOTE(review): this runs in every context IoAllocateMdl runs in — the dump
// below is a NDIS receive DPC at IRQL 2 — so it inherits the original's IRQL
// rules; nothing on this path (this function, the ori_mdl trampoline, or the
// memory they touch) may rely on being pageable.
PMDL newIoAllocateMdl(
__in_opt PVOID VirtualAddress,
__in ULONG Length,
__in BOOLEAN SecondaryBuffer,
__in BOOLEAN ChargeQuota,
__inout_opt PIRP Irp OPTIONAL)
{
// Only an exact match on the base address is redirected; a request whose
// range merely overlaps KdEnteredDebugger passes through unchanged.
if (VirtualAddress == KdEnteredDebugger)
{
//DbgPrint("[KdEnteredDebugger] address: %p\n", KdEnteredDebugger);
// Shift the described range 0x30 bytes past the variable. Length is not
// adjusted, so the MDL now ends 0x30 bytes beyond the caller's intended range.
VirtualAddress = (PUCHAR)KdEnteredDebugger + 0x30;
}
// ori_mdl is the trampoline built by HookKernelApi (displaced prologue bytes
// followed by a jump back into the original), cast to the IOALLOCATEMDL
// function-pointer type declared elsewhere.
return ((IOALLOCATEMDL)ori_mdl)
(VirtualAddress, Length, SecondaryBuffer, ChargeQuota, Irp);
}
// Install a 14-byte absolute-jump inline hook on a kernel function.
//
// Parameters:
//   ApiAddress          - address of the function to patch (assumed to be a
//                         valid kernel code address; not checked here).
//   Proxy_ApiAddress    - address of the replacement (hook) function.
//   Original_ApiAddress - receives a "trampoline": a copy of the displaced
//                         prologue bytes followed by a jump back into the
//                         original function just past the patch. Calling it is
//                         how the hook reaches the original implementation.
//   PatchSize           - receives the number of prologue bytes displaced.
// Returns: a kmalloc'd copy of the original prologue bytes (*PatchSize long),
//          owned by the caller; it is what restoring the function on unload
//          would need. The trampoline is kmalloc'd too and is never freed here.
//
// NOTE(review): neither kmalloc result is checked for NULL before it is used.
// NOTE(review): the patch is written directly into live kernel code while other
// CPUs (the dump reports CPU_COUNT: 2) may be executing that very function;
// no synchronisation is visible here, so another CPU can observe a
// half-written prologue.
// NOTE(review): the displaced prologue bytes are copied to the trampoline
// unchanged. If any of them is a RIP-relative or relative-branch instruction,
// it will reference the wrong target from its new location; whether that
// applies to IoAllocateMdl's prologue on this build cannot be told from here.
PVOID HookKernelApi(IN PVOID ApiAddress, IN PVOID Proxy_ApiAddress, OUT PVOID *Original_ApiAddress, OUT ULONG *PatchSize)
{
// Unconditional break; with no kernel debugger attached this alone stops the
// system. Presumably left over from debugging — confirm before it ships.
DbgBreakPoint();
KIRQL irql;
UINT64 tmpv;
PVOID head_n_byte, ori_func;
// FF 25 00 00 00 00 is "jmp qword ptr [rip+0]"; the 8 bytes that follow hold the
// absolute target and are filled in below. Each array is 15 bytes because of
// the string terminator; only the first 14 are ever copied.
UCHAR jmp_code[] = "\xFF\x25\x00\x00\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF";
UCHAR jmp_code_orifunc[] = "\xFF\x25\x00\x00\x00\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF";
// How many bytes should be patched. GetPatchSize is defined elsewhere;
// presumably it returns the length of whole instructions covering at least the
// 14 bytes the jump needs — confirm.
*PatchSize = GetPatchSize((PUCHAR)ApiAddress);
//step 1: Read current data (saved so the caller can restore the function later)
head_n_byte = kmalloc(*PatchSize);
// WPOFFx64/WPONx64 are defined elsewhere; the KIRQL return value suggests they
// raise IRQL as well as toggling write protection — confirm. If they only clear
// CR0.WP, this read-only copy does not actually need them.
irql = WPOFFx64();
memcpy(head_n_byte, ApiAddress, *PatchSize);
WPONx64(irql);
//step 2: Create ori function (trampoline): original machine code + jump-back code
ori_func = kmalloc(*PatchSize + 14);
// Pre-fill with 0x90 (NOP) so any byte not overwritten below is harmless.
RtlFillMemory(ori_func, *PatchSize + 14, 0x90);
// Jump back to the first byte after the patch, i.e. the first unmodified instruction.
tmpv = (ULONG64)ApiAddress + *PatchSize;
memcpy(jmp_code_orifunc + 6, &tmpv, 8);
memcpy((PUCHAR)ori_func, head_n_byte, *PatchSize);
memcpy((PUCHAR)ori_func + *PatchSize, jmp_code_orifunc, 14);
*Original_ApiAddress = ori_func;
//step 3: fill jmp code — point the hook jump at the proxy function
tmpv = (UINT64)Proxy_ApiAddress;
memcpy(jmp_code + 6, &tmpv, 8);
// Second unconditional break; same caveat as the one at the top.
DbgBreakPoint();
//step 4: Fill NOP and hook. The whole displaced range is NOP-filled first, then
// the 14-byte jump is written over its start, so bytes 14..*PatchSize-1 are
// single-byte NOPs if control ever lands on them. Both writes happen in place on
// the live function; see the synchronisation note above.
irql = WPOFFx64();
RtlFillMemory(ApiAddress, *PatchSize, 0x90);
memcpy(ApiAddress, jmp_code, 14);
WPONx64(irql);
//return ori code (caller owns this buffer)
return head_n_byte;
}
Dump如下
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high. This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 0000000002bff428, memory referenced
Arg2: 0000000000000002, IRQL
Arg3: 0000000000000000, bitfield :
bit 0 : value 0 = read operation, 1 = write operation
bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: fffff80003e67788, address which referenced memory
Debugging Details:
------------------
DUMP_CLASS: 1
DUMP_QUALIFIER: 0
BUILD_VERSION_STRING: 7601.23714.amd64fre.win7sp1_ldr.170307-1800
DUMP_TYPE: 0
BUGCHECK_P1: 2bff428
BUGCHECK_P2: 2
BUGCHECK_P3: 0
BUGCHECK_P4: fffff80003e67788
READ_ADDRESS: 0000000002bff428
CURRENT_IRQL: 2
FAULTING_IP:
nt!IoBuildPartialMdl+58
fffff800`03e67788 418b5328 mov edx,dword ptr [r11+28h]
CPU_COUNT: 2
CPU_MHZ: 63c
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 45
CPU_STEPPING: 1
CPU_MICROCODE: 6,45,1,0 (F,M,S,R) SIG: 1D'00000000 (cache) 1D'00000000 (init)
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0xA
PROCESS_NAME: csrss.exe
ANALYSIS_SESSION_HOST: SU
ANALYSIS_SESSION_TIME: 10-25-2017 21:33:19.0216
ANALYSIS_VERSION: 10.0.16299.15 amd64fre
DPC_STACK_BASE: FFFFF80000BA0FB0
TRAP_FRAME: fffff80000b9f8e0 -- (.trap 0xfffff80000b9f8e0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=000000000000000e
rdx=fffffa8003f1b000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80003e67788 rsp=fffff80000b9fa70 rbp=fffffa800510fd40
r8=fffffa8003f1b018 r9=000000000000000e r10=fffffa8003f1c010
r11=0000000002bff400 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe cy
nt!IoBuildPartialMdl+0x58:
fffff800`03e67788 418b5328 mov edx,dword ptr [r11+28h] ds:00000000`02bff428=????????
Resetting default scope
EXCEPTION_RECORD: fffff880060a7390 -- (.exr 0xfffff880060a7390)
ExceptionAddress: 0000000000000161
ExceptionCode: 00000000
ExceptionFlags: 0000023b
NumberParameters: 223526
Parameter[0]: fffff900c00ef280
Parameter[1]: fffff960002070e5
Parameter[2]: 000000000001003b
Parameter[3]: fffffa8004342b50
Parameter[4]: 0000000000000161
Parameter[5]: fffff900c0196d60
Parameter[6]: 0000000000000000
Parameter[7]: fffff96000036628
Parameter[8]: fffffa80041d9ef0
Parameter[9]: 0000000000000161
Parameter[10]: fffff900c00ef280
Parameter[11]: 0000000000000000
Parameter[12]: fffff900c00ef280
Parameter[13]: fffff80003ed50a7
Parameter[14]: fffffa80041d9ef0
LAST_CONTROL_TRANSFER: from fffff80003f7b502 to fffff80003e81270
STACK_TEXT:
fffff800`00b9f028 fffff800`03f7b502 : 00000000`02bff428 fffffa80`04342b50 00000000`00000065 fffff800`03ec5bfc : nt!DbgBreakPointWithStatus
fffff800`00b9f030 fffff800`03f7c2ee : 00000000`00000003 00000000`00000000 fffff800`03ec6460 00000000`0000000a : nt!KiBugCheckDebugBreak+0x12
fffff800`00b9f090 fffff800`03e89544 : 00000000`00000100 fffffa80`0433a780 fffffa80`00000001 fffff800`03f05952 : nt!KeBugCheck2+0x71e
fffff800`00b9f760 fffff800`03e889e9 : 00000000`0000000a 00000000`02bff428 00000000`00000002 00000000`00000000 : nt!KeBugCheckEx+0x104
fffff800`00b9f7a0 fffff800`03e87660 : fffffa80`03f19024 00000000`00000000 fffffa80`0510fd40 fffffa80`03f1b018 : nt!KiBugCheckDispatch+0x69
fffff800`00b9f8e0 fffff800`03e67788 : 00000000`00000000 fffffa80`0510fe70 00000000`00000000 fffffa80`0400cb30 : nt!KiPageFault+0x260
fffff800`00b9fa70 fffff880`016d121c : fffffa80`03f1b018 fffffa80`0400cb30 00000000`000000c9 fffff880`0170b600 : nt!IoBuildPartialMdl+0x58
fffff800`00b9fab0 fffff880`0161895e : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ndis!NdisAllocateCloneNetBufferList+0x23c
fffff800`00b9fbc0 fffff880`018972d5 : 00000000`00000000 00000000`00000000 00000000`0000001c fffffa80`0400ca00 : NETIO!NetioAllocateAndReferenceCloneNetBufferListEx+0x3e
fffff800`00b9fbf0 fffff880`018858b7 : 00000000`00000000 fffffa80`0400ca00 fffffa80`0400ca00 00000000`00000001 : tcpip!WfpPreprocessInboundMcastBcastIndication+0x35
fffff800`00b9fc20 fffff880`01860188 : fffffa80`00000011 fffff800`00ba0002 fffffa80`04fb6c07 00000000`000025f0 : tcpip!WfpProcessInTransportStackIndication+0x207
fffff800`00b9fdb0 fffff880`01889cc9 : 00000000`00000018 fffffa80`02ef42f0 00000000`00000000 fffff880`0188a9b4 : tcpip!InetInspectReceiveDatagram+0x1d8
fffff800`00b9fe50 fffff880`0188a3d4 : fffffa80`04aa13d0 fffffa80`039ab160 fffffa80`048b9a00 fffffa80`030cb080 : tcpip!UdpBeginMessageIndication+0x89
fffff800`00b9ff70 fffff880`018844de : fffffa80`0357b000 00000000`00000018 fffffa80`00000000 fffff800`00ba00a0 : tcpip!UdpDeliverDatagrams+0x2f4
fffff800`00ba0050 fffff880`0185ba57 : fffffa80`032806b0 fffffa80`0395b101 00000000`00000000 fffff880`00000005 : tcpip!UdpReceiveDatagrams+0x18f
fffff800`00ba0130 fffff880`0185b56a : 00000000`00000000 fffff880`0196ea10 fffff800`00ba02f0 00000000`00000000 : tcpip!IppDeliverListToProtocol+0xf7
fffff800`00ba01f0 fffff880`0185ab21 : fffff880`0196ea10 fffffa80`0400dd40 00000000`00000011 fffff800`00ba02e0 : tcpip!IppProcessDeliverList+0x5a
fffff800`00ba0290 fffff880`018587ff : fffffa80`faffffef fffff880`0196ea10 00000000`00000000 00000000`00000000 : tcpip!IppReceiveHeaderBatch+0x232
fffff800`00ba0390 fffff880`01844c42 : fffffa80`03b1c5a0 00000000`00000000 00000000`00000001 fffff880`00000004 : tcpip!IpFlcReceivePackets+0x64f
fffff800`00ba0590 fffff880`018567d2 : fffffa80`03b1c5a0 fffffa80`032806b0 00000000`00000011 00000000`00000011 : tcpip!IpFlcReceivePreValidatedPackets+0x992
fffff800`00ba06f0 fffff800`03e95e78 : fffffa80`0400d7f0 00000000`00004800 fffffa80`04342b50 00000000`00000000 : tcpip!FlReceiveNetBufferListChainCalloutRoutine+0xa2
fffff800`00ba0740 fffff880`01856f02 : fffff880`01856730 00000000`00000000 00000000`00000002 fffff800`00bb8200 : nt!KeExpandKernelStackAndCalloutEx+0xd8
fffff800`00ba0820 fffff880`017870eb : fffffa80`03b20010 00000000`00000000 fffffa80`0395b1a0 00000000`00026100 : tcpip!FlReceiveNetBufferListChain+0xb2
fffff800`00ba0890 fffff880`01750ad6 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ndis!ndisMIndicateNetBufferListsToOpen+0xdb
fffff800`00ba0900 fffff880`016c9aa1 : fffffa80`0395b1a0 00000000`00000003 00000000`00000040 fffffa80`0400ca00 : ndis!ndisMDispatchReceiveNetBufferLists+0x1d6
fffff800`00ba0d80 fffff880`05200776 : 00000000`00000000 00000000`00000040 00000000`00000001 00000000`00000000 : ndis!NdisMIndicateReceiveNetBufferLists+0xc1
fffff800`00ba0dd0 fffff880`052003d1 : 07b407d0`07d00701 fffffa80`0401ea00 00000000`00000000 fffffa80`0363d000 : E1G6032E!RxProcessReceiveInterrupts+0x13a
fffff800`00ba0e40 fffff880`016c9986 : fffffa80`04023580 00000000`00000000 fffffa80`0395b1a0 fffff800`03ed4706 : E1G6032E!E1000HandleInterrupt+0x91
fffff800`00ba0e70 fffff800`03e948fc : fffffa80`040235a8 fffffa80`00000000 00000000`00000000 fffff800`04008e80 : ndis!ndisInterruptDpc+0x1b6
fffff800`00ba0f00 fffff800`03e8bf65 : 00000000`00000000 fffffa80`04342b50 00000000`00000000 fffff880`016c97d0 : nt!KiRetireDpcList+0x1bc
fffff800`00ba0fb0 fffff800`03e8bd7c : 00000000`00000010 00000000`00000282 fffff880`060a70c8 00000000`00000018 : nt!KyRetireDpcList+0x5
fffff880`060a70a0 fffff800`03ed54b3 : fffff800`03e859c0 fffff800`03e85a2c fffffa80`03896000 00000000`00000801 : nt!KiDispatchInterruptContinue
fffff880`060a70d0 fffff800`03e85a2c : fffffa80`03896000 00000000`00000801 00000001`0034f46f 20206f49`00310430 : nt!KiDpcInterruptBypass+0x13
fffff880`060a70e0 fffff880`05406476 : fffff880`060a7390 fffff880`052480d1 00000000`0000015e fffffa80`0465b000 : nt!KiInterruptDispatchNoLock+0x1fc
fffff880`060a7270 fffff880`0527bd54 : fffffa80`0465b000 00000000`00000000 fffff880`060a7390 00000000`00000000 : vm3dmp+0x6476
fffff880`060a72c0 fffff880`052aadb1 : fffffa80`0465b000 fffffa80`0465b000 00000000`00000b01 fffff880`060a7390 : dxgkrnl!DXGADAPTER::DdiSetPointerPosition+0x50
fffff880`060a72f0 fffff960`00670ac9 : 00000000`00000000 fffff900`c00cb020 00000000`0000023e fffff900`c00dccd8 : dxgkrnl!DxgkCddSetPointerPosition+0x151
fffff880`060a7370 fffff960`00036926 : fffff900`c00ef280 fffff960`002070e5 00000000`0001003b fffffa80`04342b50 : cdd!DrvMovePointer+0xf9
fffff880`060a73b0 fffff960`00036628 : fffffa80`041d9ef0 00000000`00000161 fffff900`c00ef280 00000000`00000000 : win32k!vMovePointer+0x76
fffff880`060a73f0 fffff960`0011e7ab : fffffa80`042d8ae0 fffffa80`04bf6a00 8fd2f78b`00000161 59cc907b`b0391094 : win32k!GreMovePointer+0x17c
fffff880`060a7480 fffff960`0011d11d : fffff900`c0196dec 00000000`00034c5a fffff900`c0196d60 00000000`00034c5a : win32k!xxxMoveEventAbsolute+0x203
fffff880`060a7510 fffff960`0011cf74 : fffff900`c0196d60 00000161`0000023e fffff880`060a7ae0 00000000`00000246 : win32k!ProcessMouseInput+0x195
fffff880`060a7580 fffff800`03e7d47d : fffffa80`042d8b10 00000000`00000000 00000000`20707249 00000000`57050884 : win32k!InputApc+0x7c
fffff880`060a75b0 fffff800`03e8e97d : fffffa80`04342c10 00000000`00000000 fffff960`0011cef8 00000000`00000000 : nt!KiDeliverApc+0x21d
fffff880`060a7630 fffff800`03e8dc8a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiCommitThreadWait+0x3dd
fffff880`060a76c0 fffff960`000bb678 : fffff900`00000002 fffffa80`0324f390 fffff900`00000001 fffff880`0000000d : nt!KeWaitForMultipleObjects+0x272
fffff880`060a7980 fffff960`000bc69b : 00000000`00000000 fffff900`c0177010 fffff960`00317780 00000000`00000004 : win32k!xxxMsgWaitForMultipleObjects+0x108
fffff880`060a7a00 fffff960`00075278 : fffffa80`00000001 fffffa80`0000000c fffffa80`04342b50 fffff6fc`400302d8 : win32k!xxxDesktopThread+0x253
fffff880`060a7a80 fffff960`000f7c9a : fffffa80`00000001 fffff960`00317780 00000000`00000020 00000000`00000000 : win32k!xxxCreateSystemThreads+0x64
fffff880`060a7ab0 fffff800`03e886d3 : fffffa80`04342b50 00000000`00000004 000007ff`fff9e000 00000000`00000000 : win32k!NtUserCallNoParam+0x36
fffff880`060a7ae0 000007fe`fcc91f1a : 000007fe`fcc93759 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0111ff28 000007fe`fcc93759 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : winsrv!ZwUserCallNoParam+0xa
00000000`0111ff30 00000000`7708241c : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : winsrv!StartCreateSystemThreads+0x19
00000000`0111ff60 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x25
THREAD_SHA1_HASH_MOD_FUNC: 7b66b0083e9203ccb4f42707bdd12bb3265ba4f8
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 983f474a58bde96ea49ec6fa8321e5e0c2a10caf
THREAD_SHA1_HASH_MOD: e5c79a5affd764a9470f67e8161db622376384a1
FOLLOWUP_IP:
NETIO!NetioAllocateAndReferenceCloneNetBufferListEx+3e
fffff880`0161895e 488bd8 mov rbx,rax
FAULT_INSTR_CODE: 48d88b48
SYMBOL_STACK_INDEX: 8
SYMBOL_NAME: NETIO!NetioAllocateAndReferenceCloneNetBufferListEx+3e
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: NETIO
IMAGE_NAME: NETIO.SYS
DEBUG_FLR_IMAGE_TIMESTAMP: 577e6d2f
STACK_COMMAND: .thread ; .cxr ; kb
FAILURE_BUCKET_ID: X64_0xA_NETIO!NetioAllocateAndReferenceCloneNetBufferListEx+3e
BUCKET_ID: X64_0xA_NETIO!NetioAllocateAndReferenceCloneNetBufferListEx+3e
PRIMARY_PROBLEM_CLASS: X64_0xA_NETIO!NetioAllocateAndReferenceCloneNetBufferListEx+3e
TARGET_TIME: 2017-10-25T13:23:14.000Z
OSBUILD: 7601
OSSERVICEPACK: 1000
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 272
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x64
OSNAME: Windows 7
OSEDITION: Windows 7 WinNt (Service Pack 1) TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2017-03-07 20:58:06
BUILDDATESTAMP_STR: 170307-1800