26 楼
呵呵,理解错误,还以为是Myint1函数,原来是Setint1Hook函数。
27 楼
不过我这里的版本还是没有这个问题:
;-----------------------------------------------------------------------
; SetInt1Hook_11EAE  (IDA listing, 32-bit x86, MSVC-style SEH frame)
; Reads one 8-byte descriptor out of a descriptor table and copies it to a
; caller-supplied 8-byte buffer.  The read itself is wrapped in a __try
; frame, so a fault inside it is routed (via the scope table pushed below)
; to loc_11F02 and the function returns 0 instead of crashing.
; In:   arg_0 = pointer; the table base is loaded from [arg_0+2]
;               (consistent with a 6-byte sidt/sgdt image, limit:16 base:32 -- confirm)
;       arg_4 = byte index into the table (8 bytes per entry)
;       arg_8 = pointer to the 8-byte output buffer
; Out:  eax = 1 on success, 0 if the read faulted (SEH handler path)
; Frame: var_4 = SEH trylevel, var_10 = previous fs:0 record, var_18 = saved esp,
;        var_1C = entry pointer (written, never read again in this listing)
; ABI:  stdcall, retn 0Ch; ebx/esi/edi preserved
;-----------------------------------------------------------------------
.text:00011EAE SetInt1Hook_11EAE proc near ; CODE XREF: sub_12016+2Dp
.text:00011EAE ; sub_1209A+21p ...
.text:00011EAE
.text:00011EAE var_1C = dword ptr -1Ch
.text:00011EAE var_18 = dword ptr -18h
.text:00011EAE var_10 = dword ptr -10h
.text:00011EAE var_4 = dword ptr -4
.text:00011EAE arg_0 = dword ptr 8
.text:00011EAE arg_4 = byte ptr 0Ch
.text:00011EAE arg_8 = dword ptr 10h
.text:00011EAE
.text:00011EAE push ebp
.text:00011EAF mov ebp, esp
.text:00011EB1 push 0FFFFFFFFh ; SEH registration record: trylevel = -1 (this slot is var_4)
.text:00011EB3 push offset unk_12978 ; scope table in .rdata (filter/handler entries)
.text:00011EB8 push offset loc_12814 ; exception handler routine
.text:00011EBD mov eax, large fs:0 ; previous registration record ...
.text:00011EC3 push eax ; ... kept as var_10 for the unlink at loc_11F0B
.text:00011EC4 mov large fs:0, esp ; link this record into the SEH chain
.text:00011ECB sub esp, 0Ch ; room for var_1C..var_18
.text:00011ECE push ebx
.text:00011ECF push esi
.text:00011ED0 push edi
.text:00011ED1 mov [ebp+var_18], esp ; saved esp; the handler at loc_11F02 restores it
.text:00011ED4 and [ebp+var_4], 0 ; trylevel = 0: enter __try
.text:00011ED8 movzx eax, [ebp+arg_4] ; eax = entry index (zero-extended byte)
.text:00011EDC mov ecx, [ebp+arg_0]
.text:00011EDF mov ecx, [ecx+2] ; ecx = table base, 32-bit field at +2 of *arg_0
.text:00011EE2 lea eax, [ecx+eax*8] ; eax = &table[index]; entries are 8 bytes
.text:00011EE5 mov [ebp+var_1C], eax
.text:00011EE8 mov edx, [eax] ; guarded read: copy the 8-byte entry to *arg_8
.text:00011EEA mov ecx, [ebp+arg_8]
.text:00011EED mov [ecx], edx
.text:00011EEF mov eax, [eax+4]
.text:00011EF2 mov [ecx+4], eax
.text:00011EF5 or [ebp+var_4], 0FFFFFFFFh ; trylevel = -1: leave __try
.text:00011EF9 push 1 ; eax = 1 (success)
.text:00011EFB pop eax
.text:00011EFC jmp short loc_11F0B
.text:00011EFE ; ---------------------------------------------------------------------------
.text:00011EFE
.text:00011EFE loc_11EFE: ; DATA XREF: .rdata:0001297Co
.text:00011EFE push 1 ; exception filter (scope-table entry): 1 = EXCEPTION_EXECUTE_HANDLER
.text:00011F00 pop eax
.text:00011F01 retn
.text:00011F02 ; ---------------------------------------------------------------------------
.text:00011F02
.text:00011F02 loc_11F02: ; DATA XREF: .rdata:00012980o
.text:00011F02 mov esp, [ebp-18h] ; __except body: unwind to the esp saved in var_18 ...
.text:00011F05 or dword ptr [ebp-4], 0FFFFFFFFh ; ... leave __try ...
.text:00011F09 xor eax, eax ; ... and return 0 (the table read faulted)
.text:00011F0B
.text:00011F0B loc_11F0B: ; CODE XREF: SetInt1Hook_11EAE+4Ej
.text:00011F0B mov ecx, [ebp+var_10] ; unlink: fs:0 = previous registration record
.text:00011F0E mov large fs:0, ecx
.text:00011F15 pop edi
.text:00011F16 pop esi
.text:00011F17 pop ebx
.text:00011F18 leave
.text:00011F19 retn 0Ch
.text:00011F19 SetInt1Hook_11EAE endp
28 楼
大家还需要注意一个地方:
;-----------------------------------------------------------------------
; Int1HookCheck_1219A
; Integrity check on the entry of Int1Hook_11F8E: asks CheckInlineHook_1222E
; whether its first instruction is a jmp/call, then snapshots 0x19 dwords
; (100 bytes) of code into the caller's structure at [arg_0+74h] and records
; where that code was taken from at [arg_0+0E4h].
;   entry not patched -> source = Int1Hook_11F8E itself, returns eax = 4
;   entry patched     -> source = the resolved jmp/call target, returns eax = 0
; In:  arg_0 = pointer to a structure with a 100-byte code buffer at +74h and
;              a pointer field at +0E4h (field meaning inferred from use here)
; Out: eax = 4 or 0 as above
; ABI: stdcall, retn 4; esi/edi preserved; ecx clobbered
; Note: the rep movsd is not guarded by an SEH frame (unlike SetInt1Hook_11EAE);
;       an unreadable target address in the patched path faults.
;-----------------------------------------------------------------------
.text:0001219A Int1HookCheck_1219A proc near ; CODE XREF: sub_112AE+32Fp
.text:0001219A
.text:0001219A arg_0 = dword ptr 8
.text:0001219A
.text:0001219A push ebp
.text:0001219B mov ebp, esp
.text:0001219D push esi
.text:0001219E push edi
.text:0001219F mov edi, offset Int1Hook_11F8E ; edi = address of the code under check
.text:000121A4 mov eax, edi
.text:000121A6 mov esi, edi ; esi = same address, default copy source
.text:000121A8 inc eax
.text:000121A9 push eax ; arg_8 = Int1Hook_11F8E+1: the 4-byte operand if byte 0 is a jmp/call
.text:000121AA mov al, [esi]
.text:000121AC push eax ; arg_4 = first opcode byte (callee compares only the low byte)
.text:000121AD push edi ; arg_0 = Int1Hook_11F8E
.text:000121AE call CheckInlineHook_1222E ; eax = resolved target, or 0 if no jmp/call found
.text:000121B3 test eax, eax
.text:000121B5 jnz short loc_121CD
.text:000121B7 mov eax, [ebp+arg_0] ; not patched:
.text:000121BA push 19h
.text:000121BC pop ecx ; ecx = 0x19 dwords to copy
.text:000121BD mov [eax+0E4h], edi ; record source = Int1Hook_11F8E
.text:000121C3 lea edi, [eax+74h] ; edi = destination buffer at arg_0+74h
.text:000121C6 push 4
.text:000121C8 rep movsd ; copy 100 bytes of the original handler
.text:000121CA pop eax ; return 4
.text:000121CB jmp short loc_121E2
.text:000121CD ; ---------------------------------------------------------------------------
.text:000121CD
.text:000121CD loc_121CD: ; CODE XREF: Int1HookCheck_1219A+1Bj
.text:000121CD mov ecx, [ebp+arg_0] ; patched: eax = resolved jmp/call target
.text:000121D0 push 19h
.text:000121D2 mov esi, eax ; copy source = the target instead of Int1Hook_11F8E
.text:000121D4 mov [ecx+0E4h], eax ; record source = target
.text:000121DA lea edi, [ecx+74h] ; edi = destination buffer at arg_0+74h
.text:000121DD pop ecx ; ecx = 0x19 dwords to copy
.text:000121DE xor eax, eax ; return 0 (rep movsd does not touch eax)
.text:000121E0 rep movsd
.text:000121E2
.text:000121E2 loc_121E2: ; CODE XREF: Int1HookCheck_1219A+31j
.text:000121E2 pop edi
.text:000121E3 pop esi
.text:000121E4 pop ebp
.text:000121E5 retn 4
.text:000121E5 Int1HookCheck_1219A endp
;-----------------------------------------------------------------------
; CheckInlineHook_1222E
; Decodes a possible 5-byte jmp/call at the start of a function and returns
; its target, so the caller can tell whether the entry has been patched.
; In:  arg_0 = address of the instruction
;      arg_4 = its first opcode byte (only the low byte is compared)
;      arg_8 = pointer to the 4-byte operand that follows the opcode
; Out: eax = arg_0 + 5 + rel32  for E9 (jmp rel32) and E8 (call rel32)
;      eax = the raw 32-bit operand for EA (jmp far ptr16:32; only the
;            offset half is read, the selector is ignored)
;      eax = 0 for any other first byte, which callers treat as "not hooked"
; Note: only these three opcodes are recognised; a genuine target of 0 is
;       indistinguishable from "no hook".
; ABI: stdcall, retn 0Ch; ecx clobbered
;-----------------------------------------------------------------------
.text:0001222E CheckInlineHook_1222E proc near ; CODE XREF: sub_112AE+ABCp
.text:0001222E ; Int1HookCheck_1219A+14p ...
.text:0001222E
.text:0001222E arg_0 = dword ptr 8
.text:0001222E arg_4 = byte ptr 0Ch
.text:0001222E arg_8 = dword ptr 10h
.text:0001222E
.text:0001222E push ebp
.text:0001222F mov ebp, esp
.text:00012231 mov eax, [ebp+arg_8]
.text:00012234 cmp [ebp+arg_4], 0E9h ; jmp rel32?
.text:00012238 mov eax, [eax] ; eax = 32-bit operand (mov leaves the flags from cmp intact)
.text:0001223A jz short loc_12248
.text:0001223C cmp [ebp+arg_4], 0EAh ; jmp far? -> return the raw operand
.text:00012240 jz short loc_12253
.text:00012242 cmp [ebp+arg_4], 0E8h ; call rel32?
.text:00012246 jnz short loc_12251 ; anything else -> 0
.text:00012248
.text:00012248 loc_12248: ; CODE XREF: CheckInlineHook_1222E+Cj
.text:00012248 mov ecx, [ebp+arg_0]
.text:0001224B lea eax, [eax+ecx+5] ; target = instruction address + 5 (insn length) + rel32
.text:0001224F jmp short loc_12253
.text:00012251 ; ---------------------------------------------------------------------------
.text:00012251
.text:00012251 loc_12251: ; CODE XREF: CheckInlineHook_1222E+18j
.text:00012251 xor eax, eax ; no recognised jmp/call: return 0
.text:00012253
.text:00012253 loc_12253: ; CODE XREF: CheckInlineHook_1222E+12j
.text:00012253 ; CheckInlineHook_1222E+21j
.text:00012253 pop ebp
.text:00012254 retn 0Ch
.text:00012254 CheckInlineHook_1222E endp
29 楼
; Fragment quoted from a larger function (its prologue and the setup of eax
; lie outside this excerpt): copies the 8-byte descriptor at *arg_pSelector
; to [eax] with interrupts masked.
.text:00011C0C pushf ; save EFLAGS, including the current IF state
.text:00011C0D cli ; mask interrupts, presumably so the two dword stores are not split by one
.text:00011C0E mov ecx, [ebp+arg_pSelector] ; ecx = source descriptor (8 bytes)
.text:00011C11 mov edx, [ecx]
.text:00011C13 mov [eax], edx ; [eax] = first dword (eax was set before this fragment)
.text:00011C15 mov ecx, [ecx+4]
.text:00011C18 mov [eax+4], ecx ; [eax+4] = second dword
.text:00011C1B popf ; restore EFLAGS: IF returns to its prior value, so no explicit sti is needed
有pushf和popf,cli之后popf,不用sti啦~
是个常见的小技巧啊~
30 楼
"有pushf和popf,cli之后popf,不用sti啦~"
受教了!
31 楼
没往那方面想。晕
KfLowerIrql( KeRaiseIrqlToDpcLevel());是怎么回事呢?
32 楼
显然在降低irql的时候检查是比较合适的,nt降低irql的途径
主要是通过三个函数:
HalpEndSystemInterrupt
HalpEndSoftwareInterrupt
KfLowerIrql
在其中会针对每个比当前irql高的delayed interrupt事件,通过
SWInterruptHandlerTable派发,对apc和dpc两个软件中断来说,
会直接派发到HalpApcInterrupt和HalpDispatchInterrupt;而对于
其它也就是硬件中断产生的delayed interrupt,实际上会被派发
到一个stub函数,这个函数里只包含一个int xx指令,其中xx=
interrupt vector + PRIMARY_VECTOR_BASE(0x30)。这样我们
顺便知道idt中从0x30到0x3f的作用了----用来仿真一个delayed
hardware interrupt。这个话题延伸开去,就是idt的布局问题了,
也是一个比较有意思的话题,不过牵涉到的硬件部分暂时不是
很熟悉,暂且打住。
google
33 楼
http://ext2fsd.sourceforge.net/documents/irql.htm
恢复中断level
34 楼
楼主确实厉害
35 楼
强帖
做个标记先~~~