-
-
[求助]小白自建调试体系 课程问题 求解答
-
发表于:
2018-7-24 15:07
4410
-
NTSTATUS
NtCreateDebugObject_lisaisai(
OUT PHANDLE DebugObjectHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN ULONG Flags
)
{
NTSTATUS Status;
HANDLE Handle;
KPROCESSOR_MODE PreviousMode, PreviousMode_linshi;
PDEBUG_OBJECT DebugObject;
PAGED_CODE();
//if (ams_zhongduanjici == 1)
//{
// _asm{int 3}
// ams_zhongduanjici = ams_zhongduanjici - 1;
//}
PreviousMode = KeGetPreviousMode_lisaisai();
//PreviousMode_linshi = KeGetPreviousMode();
//KdPrint(("KeGetPreviousMode %x\n", (ULONG)KeGetPreviousMode));
//KdPrint(("ObCreateObject_lisaisai%x ObInsertObject_lisaisai %x n", ObCreateObject_lisaisai, ObInsertObject_lisaisai));
//KdPrint(("KeGetPreviousMode_lisaisai%x n", KeGetPreviousMode_lisaisai));
//return STATUS_SUCCESS;
try {
if (PreviousMode != KernelMode) {
ProbeForWriteHandle(DebugObjectHandle);
}
*DebugObjectHandle = NULL;
} except(ExSystemExceptionFilter()) { // If previous mode is kernel then don't handle the exception
return GetExceptionCode();
}
if (Flags & ~DEBUG_KILL_ON_CLOSE) {
return STATUS_INVALID_PARAMETER;
}
Status = (ULONG)ObCreateObject(PreviousMode, //双机调试每次到ObCreateObject 这个函数就蓝屏 了 自己用函数指针也不行 怎么办
DbgkDebugObjectType,
ObjectAttributes,
PreviousMode,
NULL,
sizeof (DEBUG_OBJECT),
0,
0,
&DebugObject);
if (!NT_SUCCESS(Status)) {
return Status;
}
ExInitializeFastMutex(&DebugObject->Mutex);
InitializeListHead(&DebugObject->EventList);
KeInitializeEvent(&DebugObject->EventsPresent, NotificationEvent, FALSE);
PEPROCESS CurrentProcess;
CurrentProcess = PsGetCurrentProcess();
DbgPrint("NewNtCreateDebugObject当前进程%08x", CurrentProcess);
if (Flags & DEBUG_KILL_ON_CLOSE) {
DebugObject->Flags = DEBUG_OBJECT_KILL_ON_CLOSE;
}
else {
DebugObject->Flags = 0;
}
//
// Insert the object into the handle table
//
Status = ((PObInsertObject)ObInsertObject_lisaisai)(DebugObject,
NULL,
DesiredAccess,
0,
NULL,
&Handle);
if (!NT_SUCCESS(Status)) {
return Status;
}
try {
*DebugObjectHandle = Handle;
} except(ExSystemExceptionFilter()) {
//
// The caller changed the page protection or deleted the memory for the handle.
// No point closing the handle as process rundown will do that and we don't know its still the same handle
//
Status = GetExceptionCode();
}
return Status;
}ObCreateObject 我双机调试了下 一到这个 函数就 蓝屏 怎么回事 xp3系统 小白的教程 替换 NtDebugActiveProcess这个成功
NtCreateDebugObject 替换这个函数出问题了 需要怎么解决 大神门
QQ群582865430 过游戏驱动保护 研究 修改内核 写外挂 交流
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
最后于 2018-8-17 11:46
被神大蛇编辑
,原因:
