On a whim I wanted to hook memset in the kernel. I obtained the address of memset with MmGetSystemRoutineAddress("memset") and then wrote 0xE9 into that address, which gives an endless blue screen. The bugcheck is:
*** Fatal System Error: 0x000000d1
(0x0EF20299,0x0000001F,0x00000008,0x0EF20299)
Because the code is 0xD1 I suspected an IRQL problem, so while single-stepping the write of E9 I ran the !irql command and found IRQL=0. I then raised the IRQL with KeRaiseIrqlToDpcLevel(), but the test still blue-screens with 0xD1. The source code is:
void HookMemset()
{
    ULONG JmpOffset;
    KIRQL irql;
    _asm int 3
    Oldmemset = 取导出函数地址("memset"); // Oldmemset = 83e5de40
    /* u 83e5de40
    nt!memset:
    83e5de40 8b54240c  mov edx,dword ptr [esp+0Ch]
    83e5de44 8b4c2404  mov ecx,dword ptr [esp+4]
    83e5de48 85d2      test edx,edx
    83e5de4a 744f      je nt!memset+0x5b (83e5de9b)
    */
    if (Oldmemset == 0)
    {
        DbgPrint("memset error =0");
        return;
    }
    JmpOffset = (ULONG)Mymemset - Oldmemset - 5;
    关闭内存保护();                  // author's helper: disable write protection
    irql = KeRaiseIrqlToDpcLevel();
    _asm
    {
        mov eax, Oldmemset
        mov byte ptr [eax], 0E9h     // blue screen when this instruction executes
        mov ebx, JmpOffset
        mov [eax+1], ebx
    }
    KeLowerIrql(irql);
    打开内存保护();                  // author's helper: re-enable write protection
}
Here is the single-step log:
kd> p
DriverEntry!HookMemset+0x70:
8f5a63d0 ff1508805a8f call dword ptr [DriverEntry!_imp__KeRaiseIrqlToDpcLevel (8f5a8008)]
0: kd> p
DriverEntry!HookMemset+0x79:
8f5a63d9 ff1504805a8f call dword ptr [DriverEntry!_imp__KeGetCurrentIrql (8f5a8004)]
0: kd> p
CurrnIrql=2
DriverEntry!HookMemset+0x90:
8f5a63f0 a12c905a8f mov eax,dword ptr [DriverEntry!Oldmemset (8f5a902c)]
0: kd> t
DriverEntry!HookMemset+0x95:
8f5a63f5 c600e9 mov byte ptr [eax],0E9h
0: kd> !irql
Debugger saved IRQL for processor 0x0 -- 2 (DISPATCH_LEVEL)
0: kd> r eax
eax=83e5de40
0: kd> t
*** Fatal System Error: 0x000000d1
(0x0EF20299,0x0000001F,0x00000008,0x0EF20299)
Could someone tell me where the mistake is? The system is Win7 32-bit.
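As an added example (not code from the post or its author), here is the same E9 rel32 encoding seen from the defender's side: an integrity check that looks at the first bytes of an exported function, decodes a near JMP if one is present, and reports whether the jump leaves the owning image, which is exactly the footprint a detour like the one above leaves in nt!memset. The memset address and its clean prologue bytes come from the post's "u 83e5de40" listing; the ntoskrnl bounds and the detour address are assumptions, and the patch is only ever written into a private buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdicts from the prologue integrity check. */
enum hook_verdict {
    PROLOGUE_CLEAN = 0,             /* no unconditional near JMP at the entry point */
    PROLOGUE_JMP_IN_MODULE = 1,     /* JMP whose target stays inside the image (often benign) */
    PROLOGUE_JMP_OUT_OF_MODULE = 2  /* JMP leaving the image: the detour pattern from the post */
};

/* rel32 of a 5-byte E9 JMP, computed as in the post: target - source - 5.
 * Unsigned wraparound yields the correct two's-complement value for backward jumps. */
uint32_t jmp_rel32(uint32_t from_va, uint32_t to_va)
{
    return to_va - from_va - 5u;
}

/* Decode the little-endian rel32 that follows the E9 opcode at 'at_va' and resolve the target. */
uint32_t jmp_target(const uint8_t code[5], uint32_t at_va)
{
    uint32_t rel = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
                   ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    return at_va + 5u + rel;
}

/* Integrity check over a function's first 5 bytes. mod_base/mod_size describe the image
 * that owns the function; a real checker would take them from its loaded-module list. */
enum hook_verdict check_prologue(const uint8_t code[5], uint32_t code_va,
                                 uint32_t mod_base, uint32_t mod_size, uint32_t *dest_out)
{
    uint32_t dest;
    if (code[0] != 0xE9)
        return PROLOGUE_CLEAN;
    dest = jmp_target(code, code_va);
    if (dest_out)
        *dest_out = dest;
    if (dest >= mod_base && dest - mod_base < mod_size)
        return PROLOGUE_JMP_IN_MODULE;
    return PROLOGUE_JMP_OUT_OF_MODULE;
}

/* Produce the 5-byte patch a detour leaves behind, into a private buffer, so the
 * detector can be exercised without touching any live code. */
void build_jmp_patch(uint8_t out[5], uint32_t from_va, uint32_t to_va)
{
    uint32_t rel = jmp_rel32(from_va, to_va);
    out[0] = 0xE9;
    out[1] = (uint8_t)rel;
    out[2] = (uint8_t)(rel >> 8);
    out[3] = (uint8_t)(rel >> 16);
    out[4] = (uint8_t)(rel >> 24);
}

/* Constructed sample data. MEMSET_VA and clean_memset are taken from the post's
 * "u 83e5de40" listing; the image bounds and the detour address are assumptions. */
#define MEMSET_VA 0x83e5de40u
#define NT_BASE   0x83e00000u   /* assumed ntoskrnl base */
#define NT_SIZE   0x00400000u   /* assumed ntoskrnl size */
#define DETOUR_VA 0x8f5a6400u   /* assumed address of a replacement memset inside a driver */
static const uint8_t clean_memset[5] = { 0x8b, 0x54, 0x24, 0x0c, 0x8b };

/* Patch a private copy of the memset prologue to jump to 'to_va', then run the detector on it. */
enum hook_verdict verdict_for_detour(uint32_t to_va, uint32_t *dest_out)
{
    uint8_t patched[5];
    build_jmp_patch(patched, MEMSET_VA, to_va);
    return check_prologue(patched, MEMSET_VA, NT_BASE, NT_SIZE, dest_out);
}

int main(void)
{
    uint32_t dest = 0;
    printf("clean prologue  : verdict %d\n",
           check_prologue(clean_memset, MEMSET_VA, NT_BASE, NT_SIZE, NULL));
    printf("patched prologue: verdict %d, jmp -> %08x\n",
           verdict_for_detour(DETOUR_VA, &dest), dest);
    return 0;
}
```

The check is deliberately narrow: it only recognises the E9 rel32 form the post uses, and a jump that stays inside the image is reported separately because hot-patch stubs and compiler thunks legitimately begin that way.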