-
-
[原创]一种简单屏蔽nmi中断的方法
-
发表于: 2022-9-19 23:32
-
一种非常简单的屏蔽方法
NMI处理例程为KiProcessNMI
其中有对当前核NMI是否正在处理的判断,如判断为真则直接返回
将该变量对应的每个核都置位则nmi回调不会被调用,实现代码如下
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 | uint8_t* KiNmiInProgress = NULL; if (dwBuildNumber < 22000) //win10 { KiNmiInProgress = reinterpret_cast<uint8_t*>(FindPatternInSectionAtKernel((char*)".text", ntoskrnlAddr, (PUCHAR)"\x81\x25\x00\x00\x00\x00\x00\x00\x00\x00\xB9\x00\x00\x00\x00", (char*)"xx????????x????")); } else //win11 { KiNmiInProgress = reinterpret_cast<uint8_t*>(FindPatternInSectionAtKernel((char*)".text", ntoskrnlAddr, (PUCHAR)"\x81\x25\x00\x00\x00\x00\x00\x00\x00\x00\x8D\x00\x00", (char*)"xx????????x??")); } if (KiNmiInProgress) { uint8_t uTemp = this->read_virtual<uint8_t>((void*)KiNmiInProgress); while (uTemp != 0x48) { ++KiNmiInProgress; uTemp = this->read_virtual<uint8_t>((void*)KiNmiInProgress); } KiNmiInProgress = reinterpret_cast<uint8_t*>(ResolveRelativeAddress(KiNmiInProgress, 3, 7)); ULONG nCoreNum = this->v_ctx->kn_KeQueryActiveProcessorCountEx(0); if (nCoreNum) { for (int i = 0; i < nCoreNum; i++) { this->v_ctx->kn_KeInterlockedSetProcessorAffinityEx((__int64)KiNmiInProgress, i); } } return true; } return false; |
[培训]科锐软件逆向54期预科班、正式班开始火爆招生报名啦!!!
hzqst
