-
-
[原创]开源-自写调试器 Win32 VEH 硬件CR7 实现读写访问异常
-
-
[原创]开源-自写调试器 Win32 VEH 硬件CR7 实现读写访问异常
#define ntid() (HANDLE)-2
enum class HwBpType : BYTE {
Execute = 0,
Write = 1,
Access = 3
};
enum class HwBpSize : BYTE {
Size1 = 0,
Size2 = 1,
Size4 = 3,
Size8 = 2
};
struct BpRecord {
DWORD_PTR address;
DWORD_PTR rip;
DWORD drIndex;
bool hit;
};
static volatile BpRecord g_lastHit = {};
static volatile int g_stepping = 0;
static volatile DWORD_PTR g_savedDR7 = 0;
LONG CALLBACK HwBpVEH(EXCEPTION_POINTERS* ep) {
PCONTEXT ctx = ep->ContextRecord;
if (ep->ExceptionRecord->ExceptionCode != STATUS_SINGLE_STEP)
return EXCEPTION_CONTINUE_SEARCH;
if (g_stepping == 0) {
DWORD dr6 = (DWORD)ctx->Dr6;
DWORD drIndex = 0xFFFF;
if (dr6 & 0x1) drIndex = 0;
else if (dr6 & 0x2) drIndex = 1;
else if (dr6 & 0x4) drIndex = 2;
else if (dr6 & 0x8) drIndex = 3;
else return EXCEPTION_CONTINUE_SEARCH;
g_lastHit.rip = ctx->Rip;
g_lastHit.drIndex = drIndex;
g_lastHit.hit = true;
switch (drIndex) {
case 0: g_lastHit.address = ctx->Dr0; break;
case 1: g_lastHit.address = ctx->Dr1; break;
case 2: g_lastHit.address = ctx->Dr2; break;
case 3: g_lastHit.address = ctx->Dr3; break;
}
printf("[!] DR%d HIT | RIP: 0x%p | Watched Addr: 0x%p\n",
drIndex, (void*)ctx->Rip, (void*)g_lastHit.address);
g_savedDR7 = ctx->Dr7;
ctx->Dr7 = 0;
ctx->EFlags |= 0x100;
ctx->Dr6 = 0;
g_stepping = 1;
return EXCEPTION_CONTINUE_EXECUTION;
}
else {
ctx->Dr7 = g_savedDR7;
ctx->Dr6 = 0;
g_stepping = 0;
return EXCEPTION_CONTINUE_EXECUTION;
}
}
bool SetHardwareBreakpoint(
DWORD drIndex,
void* address,
HwBpType type,
HwBpSize size
) {
if (drIndex > 3) return false;
CONTEXT ctx = {};
ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;
HANDLE hThread = ntid();
NTSTATUS status = ntGetContextThread(hThread, &ctx);
if (status != 0) {
printf("[-] ntGetContextThread failed: 0x%08X\n", status);
return false;
}
switch (drIndex) {
case 0: ctx.Dr0 = (DWORD_PTR)address; break;
case 1: ctx.Dr1 = (DWORD_PTR)address; break;
case 2: ctx.Dr2 = (DWORD_PTR)address; break;
case 3: ctx.Dr3 = (DWORD_PTR)address; break;
}
DWORD_PTR clearMask = 0;
clearMask |= (DWORD_PTR)0x3 << (drIndex * 2);
clearMask |= (DWORD_PTR)0xF << (16 + drIndex * 4);
ctx.Dr7 &= ~clearMask;
ctx.Dr7 |= (DWORD_PTR)1 << (drIndex * 2);
ctx.Dr7 |= (DWORD_PTR)((BYTE)type) << (16 + drIndex * 4);
ctx.Dr7 |= (DWORD_PTR)((BYTE)size) << (18 + drIndex * 4);
status = ntSetContextThread(hThread, &ctx);
if (status != 0) {
printf("[-] ntSetContextThread failed: 0x%08X\n", status);
return false;
}
printf("[+] DR%d set | Addr: 0x%p | Type: %d | Size: %d\n",
drIndex, address, (int)type, (int)size);
return true;
}
bool RemoveHardwareBreakpoint(DWORD drIndex) {
if (drIndex > 3) return false;
CONTEXT ctx = {};
ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;
HANDLE hThread = ntid();
ntGetContextThread(hThread, &ctx);
switch (drIndex) {
case 0: ctx.Dr0 = 0; break;
case 1: ctx.Dr1 = 0; break;
case 2: ctx.Dr2 = 0; break;
case 3: ctx.Dr3 = 0; break;
}
DWORD_PTR clearMask = 0;
clearMask |= (DWORD_PTR)0x3 << (drIndex * 2);
clearMask |= (DWORD_PTR)0xF << (16 + drIndex * 4);
ctx.Dr7 &= ~clearMask;
ctx.Dr6 = 0;
ntSetContextThread(hThread, &ctx);
printf("[+] DR%d removed\n", drIndex);
return true;
}
volatile DWORD g_testValue = 0xDEAD;
int test() {
PVOID veh = rtlAddVectoredExceptionHandler(1, HwBpVEH);
if (!veh) {
printf("[-] AddVectoredExceptionHandler failed\n");
return 1;
}
printf("[*] VEH registered\n");
SetHardwareBreakpoint(
0,
(void*)&g_testValue,
HwBpType::Write,
HwBpSize::Size4
);
printf("\n[*] Writing 0xBEEF...\n");
g_testValue = 0xBEEF;
printf("[*] Value after write: 0x%X\n", g_testValue);
printf("\n[*] Writing 0xCAFE...\n");
g_testValue = 0xCAFE;
printf("[*] Value after write: 0x%X\n", g_testValue);
printf("\n[*] Writing 0x1337...\n");
g_testValue = 0x1337;
printf("[*] Value after write: 0x%X\n", g_testValue);
RemoveHardwareBreakpoint(0);
printf("\n[*] Writing after removal...\n");
g_testValue = 0x9999;
printf("[*] No hit. Value: 0x%X\n", g_testValue);
rtlRemoveVectoredExceptionHandler(veh);
printf("\n[*] Done.\n");
return 0;
}
[内核课程]《Windows内核攻防实战》!从零到实战,融合AI与Windows内核攻防全技术栈,打造具备自动化能力的内核开发高手。
最后于 3小时前
被KsaNL编辑
,原因:
