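/*
 * hkDbgkSendSystemDllMessages
 *
 * Delivers one DbgKmLoadDllApi message per applicable system DLL to a
 * debugger, mirroring the kernel's own system-DLL notification sequence.
 *
 * Thread       Target thread, or NULL. When non-NULL the message is queued
 *              to that thread via pDbgkpQueueMessage; when NULL it is sent
 *              synchronously from the current thread via pDbgkpSendApiMessage.
 * DebugObject  Debug object the queued message is attached to (Thread != NULL
 *              path only).
 * ApiMsg       Caller-owned message buffer; its u.LoadDll member is rewritten
 *              for every DLL reported.
 *
 * Returns nothing; failures to open the DLL file or to queue the message are
 * absorbed (the message is still sent, with FileHandle == NULL where the
 * open failed).
 */
VOID hkDbgkSendSystemDllMessages(
    PETHREAD Thread,
    PDEBUG_OBJECT DebugObject,
    PDBGKM_APIMSG ApiMsg
)
{
    /* Named forms of the literals the original code carried inline. */
    enum {
        /* Number of pPsQuerySystemDllInfo() slots walked; the kernel's own
         * slot count is not visible here - confirm it matches. */
        SYSTEM_DLL_SLOT_COUNT = 6,
        /* PORT_MESSAGE u1.Length: TotalLength 0x50 in the high word,
         * DataLength 0x28 in the low word. Looks like the x64 layout of
         * PORT_MESSAGE + ApiNumber + ReturnedStatus + DBGKM_LOAD_DLL, so the
         * value is x64-specific - TODO confirm against the project's
         * DBGKM_APIMSG definition before building for another architecture. */
        LOAD_DLL_MSG_LENGTH = 0x500028,
        /* PORT_MESSAGE u2.ZeroInit, taken verbatim from the original. */
        LOAD_DLL_MSG_ZEROINIT = 0x8
    };

    PMYEPROCESS Process;
    DBGKM_LOAD_DLL *LoadDllInfo;
    PSYSTEM_DLL_INFO SystemDllInfo;
    PTEB teb;
    BOOLEAN Attached;
    KAPC_STATE ApcState;
    PIMAGE_NT_HEADERS NtHeaders;
    PMYETHREAD CurrentThread;
    OBJECT_ATTRIBUTES ObjectAttributes;
    IO_STATUS_BLOCK IoStatusBlock;
    NTSTATUS status;

    /* With an explicit thread, report for its owning process; otherwise use
     * the process the current thread is currently attached to (ApcState),
     * which honours an outer KeStackAttachProcess. */
    if (Thread) {
        Process = (PMYEPROCESS)Thread->Process;
    } else {
        Process = (PMYEPROCESS)PsGetCurrentThread()->ApcState.Process;
    }

    LoadDllInfo = &ApiMsg->u.LoadDll;

    for (int i = 0; i < SYSTEM_DLL_SLOT_COUNT; ++i) {
        SystemDllInfo = (PSYSTEM_DLL_INFO)pPsQuerySystemDllInfo(i);
        if (!SystemDllInfo) {
            continue;
        }

        /* Slot 0 is always reported. Higher slots are only reported when the
         * slot is flagged, the process is a WoW64 process and the slot is the
         * ntdll type the process actually uses (presumably the WoW64 ntdll
         * flavours - pPsWow64GetProcessNtdllType decides). */
        if (i > 0) {
            if (!SystemDllInfo->Flags ||
                !Process->WoW64Process ||
                i != (unsigned int)pPsWow64GetProcessNtdllType((PEPROCESS)Process)) {
                continue;
            }
        }

        memset(LoadDllInfo, 0, sizeof(DBGKM_LOAD_DLL));
        teb = NULL;
        LoadDllInfo->BaseOfDll = SystemDllInfo->pDllBase;

        /* Only the first slot is examined without attaching; every other slot
         * is read inside the target process's address space when a thread was
         * supplied. (Slot 0 presumably relies on the native ntdll being mapped
         * at the same base in every process - not verifiable here.) */
        if (Thread && i) {
            Attached = TRUE;
            KeStackAttachProcess((PEPROCESS)Process, &ApcState);
        } else {
            Attached = FALSE;
        }

        __try {
            /* The image headers and the TEB are user-mode memory; any fault
             * lands in the handler below, which blanks the optional fields. */
            NtHeaders = RtlImageNtHeader(LoadDllInfo->BaseOfDll);
            if (NtHeaders) {
                LoadDllInfo->DebugInfoFileOffset = NtHeaders->FileHeader.PointerToSymbolTable;
                LoadDllInfo->DebugInfoSize = NtHeaders->FileHeader.NumberOfSymbols;
            }

            if (!Thread) {
                CurrentThread = (PMYETHREAD)PsGetCurrentThread();
                /* No name is published from a system thread, nor from a thread
                 * whose ApcStateIndex is 1 (attached elsewhere - presumably its
                 * TEB is not reachable through the foreign address space). */
                if (CurrentThread->Tcb.SystemThread != 0 ||
                    CurrentThread->Tcb.ApcStateIndex == 1) {
                    teb = NULL;
                } else {
                    teb = (PTEB)CurrentThread->Tcb.Teb;
                }

                if (teb) {
                    /* Bounded copy: a name longer than StaticUnicodeBuffer is
                     * truncated but still NUL-terminated by RtlStringCbCopyW;
                     * the status is deliberately not checked. */
                    RtlStringCbCopyW(teb->StaticUnicodeBuffer,
                                     sizeof(teb->StaticUnicodeBuffer),
                                     (NTSTRSAFE_PCWSTR)SystemDllInfo->StaticUnicodeBuffer);
                    /* ArbitraryUserPointer is a PVOID slot, so cast directly
                     * instead of detouring through UINT64 (which is silently
                     * truncated on a 32-bit build). The debugger reads the name
                     * indirectly through NamePointer. */
                    teb->NtTib.ArbitraryUserPointer = (PVOID)teb->StaticUnicodeBuffer;
                    LoadDllInfo->NamePointer = &teb->NtTib.ArbitraryUserPointer;
                }
            }
        }
        __except (EXCEPTION_EXECUTE_HANDLER) {
            LoadDllInfo->DebugInfoFileOffset = 0;
            LoadDllInfo->DebugInfoSize = 0;
            LoadDllInfo->NamePointer = NULL;
        }

        /* Detach regardless of whether the guarded block faulted. */
        if (Attached) {
            KeUnstackDetachProcess(&ApcState);
        }

        /* Open the DLL by full path as a kernel handle. OBJ_FORCE_ACCESS_CHECK
         * keeps the access check in force even though the open originates in
         * kernel mode. */
        ObjectAttributes.Length = sizeof(OBJECT_ATTRIBUTES);
        ObjectAttributes.RootDirectory = NULL;
        ObjectAttributes.ObjectName = SystemDllInfo->szDllFullName;
        ObjectAttributes.Attributes = OBJ_FORCE_ACCESS_CHECK | OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE;
        ObjectAttributes.SecurityDescriptor = NULL;
        ObjectAttributes.SecurityQualityOfService = NULL;

        status = ZwOpenFile(
            &LoadDllInfo->FileHandle,
            GENERIC_READ | SYNCHRONIZE,
            &ObjectAttributes,
            &IoStatusBlock,
            FILE_SHARE_VALID_FLAGS,
            FILE_SYNCHRONOUS_IO_NONALERT
        );
        if (!NT_SUCCESS(status)) {
            /* A failed open leaves the out-parameter unspecified; report
             * "no handle" rather than a garbage value. */
            LoadDllInfo->FileHandle = NULL;
        }

        ApiMsg->h.u1.Length = LOAD_DLL_MSG_LENGTH;
        ApiMsg->h.u2.ZeroInit = LOAD_DLL_MSG_ZEROINIT;
        ApiMsg->ApiNumber = DbgKmLoadDllApi;

        if (Thread) {
            /* Queued delivery. The handle is only closed here when queueing
             * fails; on success it is left open for the consumer of the
             * queued message (inferred from the close-on-failure). */
            status = pDbgkpQueueMessage((PEPROCESS)Process, Thread, ApiMsg, DEBUG_EVENT_NOWAIT, DebugObject);
            if (!NT_SUCCESS(status) && LoadDllInfo->FileHandle) {
                ObCloseHandle(LoadDllInfo->FileHandle, KernelMode);
            }
        } else {
            /* Synchronous delivery: once the call returns the handle is no
             * longer needed, and the TEB slot borrowed for the name is
             * restored under SEH because the TEB is user-mode memory. */
            pDbgkpSendApiMessage((PEPROCESS)Process, DEBUG_EVENT_NOWAIT | DEBUG_EVENT_READ, ApiMsg);
            if (LoadDllInfo->FileHandle) {
                ObCloseHandle(LoadDllInfo->FileHandle, KernelMode);
            }
            __try {
                if (teb) {
                    teb->NtTib.ArbitraryUserPointer = NULL;
                }
            }
            __except (EXCEPTION_EXECUTE_HANDLER) {
            }
        }
    }
}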