/*
 * hkDbgkSendSystemDllMessages
 *
 * Builds one DbgKmLoadDllApi debug message per system DLL reported by
 * pPsQuerySystemDllInfo (indexes 0..5) and delivers it either to the
 * supplied debug object (Thread != NULL: pDbgkpQueueMessage) or to the
 * current process' debugger (Thread == NULL: pDbgkpSendApiMessage).
 *
 * Thread       - thread the messages are queued on behalf of; may be NULL.
 *                Decides both which process is used (Thread->Process vs. the
 *                current thread's ApcState.Process) and the delivery path.
 * DebugObject  - only consumed by pDbgkpQueueMessage on the Thread != NULL path.
 * ApiMsg       - caller-provided message buffer; its u.LoadDll member and the
 *                LPC header fields are overwritten on every loop iteration.
 *
 * The order of operations inside the loop is deliberate: attach (if needed),
 * touch image header / TEB under __try, detach, then open the DLL file and
 * hand the message off. Changing that order changes which process context
 * the user-mode accesses hit.
 */
VOID hkDbgkSendSystemDllMessages(
PETHREAD Thread,
PDEBUG_OBJECT DebugObject,
PDBGKM_APIMSG ApiMsg
)
{
PMYEPROCESS Process;
DBGKM_LOAD_DLL* LoadDllInfo;
PSYSTEM_DLL_INFO SystemDllInfo;
PTEB teb;
BOOLEAN Flags;            /* TRUE while we are stack-attached to Process */
KAPC_STATE ApcState;
PIMAGE_NT_HEADERS NtHeaders;
PMYETHREAD CurrentThread;
OBJECT_ATTRIBUTES ObjectAttributes;
IO_STATUS_BLOCK IoStatusBlock;
NTSTATUS status;
/* Without an explicit thread the target is the process the current thread is attached to. */
if (Thread)
{
Process = (PMYEPROCESS)Thread->Process;
}
else
{
Process = (PMYEPROCESS)PsGetCurrentThread()->ApcState.Process;
}
LoadDllInfo = &ApiMsg->u.LoadDll;
for (int i = 0; i < 6; ++i)
{
SystemDllInfo = (PSYSTEM_DLL_INFO)pPsQuerySystemDllInfo(i);
if (!SystemDllInfo)
{
continue;
}
/*
 * Index 0 is always reported. Any other index is reported only when the
 * entry is flagged, the process has a WoW64 sub-process, and the index is
 * the one pPsWow64GetProcessNtdllType selects for this process.
 */
if (i > 0)
{
if (!SystemDllInfo->Flags ||
!Process->WoW64Process ||
i != (unsigned int)pPsWow64GetProcessNtdllType((PEPROCESS)Process))
{
continue;
}
}
/* Fresh payload per DLL; this also leaves FileHandle and NamePointer NULL. */
memset(LoadDllInfo, 0, sizeof(DBGKM_LOAD_DLL));
teb = NULL;
LoadDllInfo->BaseOfDll = SystemDllInfo->pDllBase;
if (Thread && i)
{
/*
 * Only the first iteration (index 0) is handled without attaching to the
 * process; every later index is read from Process' address space.
 * NOTE(review): presumably index 0 is mapped identically in the current
 * context, which is why no attach is needed there - confirm.
 */
Flags = TRUE;
KeStackAttachProcess((PEPROCESS)Process, &ApcState);
}
else
{
Flags = FALSE;
}
/*
 * Everything below reads the user-mode image header and writes the
 * user-mode TEB, so it is wrapped in SEH; any fault falls through to the
 * handler which simply blanks the affected fields.
 */
__try
{
NtHeaders = RtlImageNtHeader(LoadDllInfo->BaseOfDll);
if (NtHeaders)
{
LoadDllInfo->DebugInfoFileOffset = NtHeaders->FileHeader.PointerToSymbolTable;
LoadDllInfo->DebugInfoSize = NtHeaders->FileHeader.NumberOfSymbols;
}
if (!Thread)
{
CurrentThread = (PMYETHREAD)PsGetCurrentThread();
/* No TEB is used for system threads or while ApcStateIndex == 1.
 * NOTE(review): ApcStateIndex == 1 looks like "attached to another process" - confirm. */
if (CurrentThread->Tcb.SystemThread != 0 || CurrentThread->Tcb.ApcStateIndex == 1)
{
teb = NULL;
}
else {
teb = (PTEB)CurrentThread->Tcb.Teb;
}
if (teb)
{
/*
 * Publish the DLL name through the TEB: bounded copy into
 * StaticUnicodeBuffer, ArbitraryUserPointer points at that buffer, and
 * the message carries the address of ArbitraryUserPointer. Note that
 * the pointer values written here are derived from the kernel-held
 * teb pointer, not read back from user memory.
 */
RtlStringCbCopyW(teb->StaticUnicodeBuffer, sizeof(teb->StaticUnicodeBuffer), (NTSTRSAFE_PCWSTR)SystemDllInfo->StaticUnicodeBuffer);
teb->NtTib.ArbitraryUserPointer = (UINT64)teb->StaticUnicodeBuffer;
LoadDllInfo->NamePointer = &teb->NtTib.ArbitraryUserPointer;
}
}
}
__except(EXCEPTION_EXECUTE_HANDLER){
/* Faulting user memory: report the DLL without symbol info or name. */
LoadDllInfo->DebugInfoFileOffset = 0;
LoadDllInfo->DebugInfoSize = 0;
LoadDllInfo->NamePointer = NULL;
}
/* Detach before the file open so it runs in the caller's context. */
if (Flags)
{
KeUnstackDetachProcess(&ApcState);
}
/*
 * Open the DLL on disk for the debugger. OBJ_KERNEL_HANDLE keeps the handle
 * out of the user-mode handle table; OBJ_FORCE_ACCESS_CHECK makes the open
 * subject to a full access check even though the caller is kernel mode.
 */
ObjectAttributes.Length = sizeof(OBJECT_ATTRIBUTES);
ObjectAttributes.RootDirectory = NULL;
ObjectAttributes.ObjectName = SystemDllInfo->szDllFullName;
ObjectAttributes.Attributes = OBJ_FORCE_ACCESS_CHECK | OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE;
ObjectAttributes.SecurityDescriptor = NULL;
ObjectAttributes.SecurityQualityOfService = NULL;
status = ZwOpenFile(
&LoadDllInfo->FileHandle,
GENERIC_READ | SYNCHRONIZE,
&ObjectAttributes,
&IoStatusBlock,
FILE_SHARE_VALID_FLAGS,
FILE_SYNCHRONOUS_IO_NONALERT
);
/* Normalise to NULL on failure so the close checks below can rely on it. */
if (!NT_SUCCESS(status))
{
LoadDllInfo->FileHandle = NULL;
}
/*
 * LPC header. NOTE(review): 0x500028 reads like TotalLength 0x50 / DataLength
 * 0x28 and 0x8 like the message type - TODO confirm against the DBGKM_APIMSG
 * layout this build uses before touching these.
 */
ApiMsg->h.u1.Length = 0x500028;
ApiMsg->h.u2.ZeroInit = 0x8;
ApiMsg->ApiNumber = DbgKmLoadDllApi;
if (Thread)
{
/*
 * Deferred delivery: the queued message owns FileHandle from here on
 * (presumably released when the debugger consumes it), so it is closed
 * here only when queuing failed and nobody else will.
 */
status = pDbgkpQueueMessage((PEPROCESS)Process, Thread, ApiMsg, DEBUG_EVENT_NOWAIT, DebugObject);
if (!NT_SUCCESS(status) && LoadDllInfo->FileHandle)
{
ObCloseHandle(LoadDllInfo->FileHandle, KernelMode);
}
}
else
{
/* Synchronous delivery: the handle is no longer needed once the call returns. */
pDbgkpSendApiMessage((PEPROCESS)Process, DEBUG_EVENT_NOWAIT | DEBUG_EVENT_READ, ApiMsg);
if (LoadDllInfo->FileHandle)
ObCloseHandle(LoadDllInfo->FileHandle, KernelMode);
/* Undo the TEB publication; user memory again, so guarded by SEH. */
__try
{
if (teb)
teb->NtTib.ArbitraryUserPointer = NULL;
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
}
}
}
}