.gbCX:
.giCX:
mov edx,[ebp+CRS.ECX]
retn
.gbDX:
.giDX:
mov edx,[ebp+CRS.EDX]
retn
.gbBX:
.giBX:
mov edx,[ebp+CRS.EBX]
retn
.gbSP:
.giSP:
mov edx,[ebp+CRS.ESP]
retn
.gbBP:
mov edx,[eax+1]
sub ecx,byte 4
retn
.gbBPB:
movsx edx,byte [eax+1]
add edx,[ebp+CRS.EBP]
sub ecx,byte 1
retn
.gbBPD:
mov edx,[eax+1]
add edx,[ebp+CRS.EBP]
sub ecx,byte 4
retn
.giBP:
mov edx,[ebp+CRS.EBP]
retn
.gi:
xor edx,edx
retn
.gbSI:
.giSI:
mov edx,[ebp+CRS.ESI]
retn
.gbDI:
.giDI:
mov edx,[ebp+CRS.EDI]
retn
.si1:
mov edx,[esp+4]
retn 4
.si2:
mov edx,[esp+4]
shl edx,1
retn 4
.si4:
mov edx,[esp+4]
shl edx,2
retn 4
.si8:
mov edx,[esp+4]
shl edx,3
retn 4
.protect_end:
segment _LDATA
align 4
.getBaseS:
dd .gbAX
dd .gbCX
dd .gbDX
dd .gbBX
dd .gbSP
dd .gbBP
dd .gbSI
dd .gbDI
.getBaseSB:
dd .gbAX
dd .gbCX
dd .gbDX
dd .gbBX
dd .gbSP
dd .gbBPB
dd .gbSI
dd .gbDI
.getBaseSD:
dd .gbAX
dd .gbCX
dd .gbDX
dd .gbBX
dd .gbSP
dd .gbBPD
dd .gbSI
dd .gbDI
.getIndex:
dd .giAX
dd .giCX
dd .giDX
dd .giBX
dd .gi
dd .giBP
dd .giSI
dd .giDI
.scaleIndex:
dd .si1
dd .si2
dd .si4
dd .si8
.Jumptable:
dd .ga32AX
dd .ga32CX
dd .ga32DX
dd .ga32BX
dd .ga32S
dd .ga32DD
dd .ga32SI
dd .ga32DI
dd .ga32AXB
dd .ga32CXB
dd .ga32DXB
dd .ga32BXB
dd .ga32SB
dd .ga32BPB
dd .ga32SIB
dd .ga32DIB
dd .ga32AXD
dd .ga32CXD
dd .ga32DXD
dd .ga32BXD
dd .ga32SD
dd .ga32BPD
dd .ga32SID
dd .ga32DID
times 8 dd .ill
segment _LTEXT ; back to code after the _LDATA dispatch tables above
;-------------------------------------------------------------------------------
; decide if winice should pop up or continue tracing
;
; EBX: VMCB
; EDI: R0TCB
; ESI: R0TCB->TDS (TraceInfo)
; EBP: Client Registers
;
; CF set (stc) if WinICE should not break in; CF clear if the client has been redirected to the break-in INT3
;-------------------------------------------------------------------------------
BreakIn:
; 1. Gate on the client EIP: only break in while it lies inside [EIPlow, EIPhigh] (inclusive, unsigned).
mov eax,[ebp+CRS.EIP]
cmp eax,[esi+TraceInfo.EIPlow]
jae @F
stc ; EIP below the watched range: keep tracing
retn
@@
cmp eax,[esi+TraceInfo.EIPhigh]
jbe @F
stc ; EIP above the watched range: keep tracing
retn
@@
; 2. Log the last CS:EIP / SS:ESP and the 64-bit instruction count unless one of the OT.*
;    option bytes suppresses it ('D' in OLastbutone, 'E' in OBranch or OAll). What those
;    letters mean is defined where OT is declared, not here.
cmp byte [OT.OLastbutone],'D'
jz @F
cmp byte [OT.OBranch],'E'
jz @F
cmp byte [OT.OAll],'E'
jz @F
push ebx ; Trace_Out reads its operands from eax/ecx/ebx/edx (#cx, #eax, #dx, #ebx below);
push ecx ; keep the caller's values while they are loaded
push edx
mov eax,[esi+TraceInfo.lastEIP]
mov ecx,[esi+TraceInfo.lastCS]
mov ebx,[esi+TraceInfo.lastESP]
mov edx,[esi+TraceInfo.lastSS]
Trace_Out "ICEDUMP: LOG: CS:EIP: #cx:#eax, SS:ESP: #dx:#ebx, R0TCB: #edi"
mov eax,[esi+TraceInfo.TickCount] ; low dword
mov edx,[esi+TraceInfo.TickCount+4] ; high dword
Trace_Out "ICEDUMP: LOG: instruction count: #edx:#eax, R0TCB: #edi"
pop edx
pop ecx
pop ebx
@@
.ignore_range:
; entry label that bypasses the range check and the log above (presumably jumped to from elsewhere)
; 3. Test-and-set WinICE's internal "PAGEIN in progress" flag, reached through the
;    fPAGEIN_InProgress pointer. Interrupts are masked so the cmp/mov pair cannot be interleaved
;    with WinICE on this CPU; this is not an atomic read-modify-write and would not be enough on
;    an SMP machine. `mov` does not touch the flags, so the jnz sees the result of the cmp.
; test and set internal winice flag
pushfd
cli
mov eax,[fPAGEIN_InProgress] ; test internal Winice flag
cmp dword [eax],byte 1
mov dword [eax],1 ; set internal Winice flag to 1
jnz @F
debug_start sdata+DebugFlags, ICEDUMP_DEBUG_TRACE
Trace_Out "ICEDUMP: PAGEIN already in progress, cannot break in, R0TCB: #edi"
debug_end
popfd
stc ; another break-in is already under way: do not break in
retn
@@
popfd
; 4. Copy the client register set into the save area WinICE restores after the PAGEIN INT3.
;    The save area is reached through pINT3_CleanupForPAGEIN at a build-specific offset; the
;    %error stops the build for any WinICE version whose layout has not been validated.
;    The 0x00..0x44 slot offsets below are WinICE's internal layout for that version.
; save client registers (winice will restore them)
mov eax,[pINT3_CleanupForPAGEIN]
%if WINICE_VERSION <= 0x405
mov eax,[eax+0xC]
%else
%error please validate version WINICE_VERSION
%endif
; x86 has no memory-to-memory mov: each push/pop pair copies one dword into the save area.
push dword [ebp+CRS.EAX]
pop dword [eax]
push dword [ebp+CRS.EBX]
pop dword [eax+0x04]
push dword [ebp+CRS.ECX]
pop dword [eax+0x08]
push dword [ebp+CRS.EDX]
pop dword [eax+0x0C]
push dword [ebp+CRS.ESI]
pop dword [eax+0x10]
push dword [ebp+CRS.EDI]
pop dword [eax+0x14]
push dword [ebp+CRS.EBP]
pop dword [eax+0x18]
push dword [ebp+CRS.ESP]
pop dword [eax+0x1C]
push dword [ebp+CRS.EIP]
pop dword [eax+0x20]
btr word [ebp+CRS.EFlags],8 ; clear TF (EFLAGS bit 8) in the client flags, so the debuggee does not single-step once WinICE restores them
push dword [ebp+CRS.EFlags]
pop dword [eax+0x24]
push dword [ebp+CRS.CS]
pop dword [eax+0x28]
push dword [ebp+CRS.DS]
pop dword [eax+0x2C]
push dword [ebp+CRS.SS]
pop dword [eax+0x30]
push dword [ebp+CRS.ES]
pop dword [eax+0x34]
push dword [ebp+CRS.FS]
pop dword [eax+0x38]
push dword [ebp+CRS.GS]
pop dword [eax+0x3C]
push edx ; control registers can only be read into a GPR: borrow EDX and give it back afterwards
mov edx,cr2
push edx
pop dword [eax+0x40]
mov edx,cr3
push edx
pop dword [eax+0x44]
pop edx
; 5. Tell WinICE where the final INT3 lives and point the client at it.
; setup final INT3
mov eax,.oINT3+4
; NOTE(review): the stored offset is `.oINT3+4` made relative to the wSelector_WINICE_Code
; pointer (not `.oINT3` relative to a segment base); this presumably matches how WinICE's PAGEIN
; path locates the INT3 - confirm against the WinICE build in use before changing either term.
sub eax,[wSelector_WINICE_Code]
push eax ; one copy for oPAGEIN_INT3 ...
push eax ; ... and one for the client EIP
mov eax,[oPAGEIN_INT3] ; set address of final INT3
pop dword [eax]
; set up CS:EIP
; !! this is NOT suitable for V86 mode threads !!
; (a V86 client needs a real-mode segment value in CS, not the protected-mode selector stored here)
pop dword [ebp+CRS.EIP]
mov eax,[wSelector_WINICE_Code] ; set client CS:EIP
movzx eax,word [eax] ; the selector is a 16-bit word; zero-extend it into the 32-bit CS slot
mov [ebp+CRS.CS],eax
call TracerFree ; release this thread's tracing state (defined elsewhere)
clc ; breaking in
retn
.oINT3:
int3 ; the client resumes here (CS:EIP set above) and traps into WinICE
;-------------------------------------------------------------------------------
; hook VWIN32 Get/Set Thread Context VxD APIs
;-------------------------------------------------------------------------------
HookGetSetThreadContext:
; Hook the _VWIN32_Get_Thread_Context and _VWIN32_Set_Thread_Context VxD services with
; HookedGetThreadContext / HookedSetThreadContext.
; Out: CF clear on success; CF set on failure, with nothing left hooked (a failed Set hook
;      rolls the Get hook back so we never run half-hooked).
; Clobbers: EAX, ESI, plus whatever the VMM services clobber.
GetDeviceServiceOrdinal eax, _VWIN32_Get_Thread_Context ; EAX = service to hook (macro, defined elsewhere)
mov esi,HookedGetThreadContext ; ESI = hook procedure (its 8-byte chain stub sits right before the label)
VMMCall Hook_Device_Service
jnc @F
debug_start sdata+DebugFlags, ICEDUMP_DEBUG_TRACE
Trace_Out "ICEDUMP: Hook_Get_Thread_Context failed"
debug_end
stc
retn
@@
GetDeviceServiceOrdinal eax, _VWIN32_Set_Thread_Context
mov esi,HookedSetThreadContext
VMMCall Hook_Device_Service
jc @F
clc ; both hooks installed
retn
@@
; Set hook failed: undo the Get hook before reporting failure
GetDeviceServiceOrdinal eax, _VWIN32_Get_Thread_Context
mov esi,HookedGetThreadContext
VMMCall Unhook_Device_Service
debug_start sdata+DebugFlags, ICEDUMP_DEBUG_TRACE
Trace_Out "ICEDUMP: Hook_Set_Thread_Context failed"
debug_end
stc
retn
;-------------------------------------------------------------------------------
; unhook VWIN32 Get/Set Thread Context VxD APIs
;-------------------------------------------------------------------------------
UnhookGetSetThreadContext:
; Remove both VxD-service hooks installed by HookGetSetThreadContext.
; Out: CF always clear - the result of each Unhook_Device_Service call is not checked, so an
;      unhook failure is silent here.
; Clobbers: EAX, ESI, plus whatever the VMM services clobber.
GetDeviceServiceOrdinal eax, _VWIN32_Get_Thread_Context
mov esi,HookedGetThreadContext ; must be the same hook procedure that was installed
VMMCall Unhook_Device_Service
GetDeviceServiceOrdinal eax, _VWIN32_Set_Thread_Context
mov esi,HookedSetThreadContext
VMMCall Unhook_Device_Service
clc
retn
;-------------------------------------------------------------------------------
; hook for _VWIN32_Get_Thread_Context: hides the trace flag (TF) we plant from callers reading a traced thread's context
;-------------------------------------------------------------------------------
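jmp short HookedGetThreadContext ; 8-byte chain stub Hook_Device_Service expects right before the hook;
jmp [OrgGetThreadContext] ; the VMM presumably fills OrgGetThreadContext (dd 0 below, never written here) with the previous handler
HookedGetThreadContext:
; Hook for _VWIN32_Get_Thread_Context(R0TCB, CONTEXT).
; Runs the original service, then - if the thread is one we trace with self-tracing off and the
; caller asked for the control registers - clears TF (EFLAGS bit 8) in the returned CONTEXT so
; the debuggee does not see the trace flag we planted.
; Stack on entry: [esp+4] = R0TCB (may be NULL), [esp+8] = CONTEXT; the arguments are left in
; place by the original service (we pop our copies back ourselves).
; Out: EAX and the flags exactly as the original service left them; ESI/EDI preserved.
push esi
push edi
push dword [esp+16] ; CONTEXT
push dword [esp+16] ; R0TCB, can be NULL
call [OrgGetThreadContext]
pop edi ; R0TCB as left in the argument slot by the original service
pop esi ; CONTEXT
pushfd ; pass the original's flags (VxD services commonly report status in CF) through untouched
; R0TCB "can be NULL" but was used unchecked below. The original service is believed to rewrite
; a NULL slot in place (the "undoc trick"), but nothing here guarantees it, so resolve the
; current thread explicitly - the same fallback HookedW32GetThreadContext uses.
test edi,edi
jnz @F
VMMCall Get_Cur_Thread_Handle ; EDI = current thread's R0TCB
@@
add edi,[TDS]
mov edi,[edi] ; TraceInfo for this thread, 0 if we are not tracing it
or edi,edi
jz @F
test dword [esi+CONTEXT.cx_ContextFlags],CONTEXT_CONTROL & ~CONTEXT_i386
jz @F ; caller did not ask for the control registers: nothing to hide
cmp dword [edi+TraceInfo.State0],byte ST0_SELFTRACEOFF
jnz @F
btr word [esi+CONTEXT.cx_EFlags],8 ; hide our TF from the debuggee
@@
popfd
pop edi
pop esi
retn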
segment _LDATA
align 4
OrgGetThreadContext: dd 0 ; previous _VWIN32_Get_Thread_Context handler; never written in this file, presumably filled by the VMM through the chain stub preceding HookedGetThreadContext
segment _LTEXT
;-------------------------------------------------------------------------------
; hook for _VWIN32_Set_Thread_Context: re-arms tracing (TrReinforce) after a traced thread's context has been replaced
;-------------------------------------------------------------------------------
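jmp short HookedSetThreadContext ; 8-byte chain stub Hook_Device_Service expects right before the hook;
jmp [OrgSetThreadContext] ; the VMM presumably fills OrgSetThreadContext (dd 0 below, never written here) with the previous handler
HookedSetThreadContext:
; Hook for _VWIN32_Set_Thread_Context(R0TCB, CONTEXT).
; Runs the original service, then, if the thread is one we trace, calls TrReinforce with the
; register convention BreakIn documents (EBX VM handle, EDI R0TCB, ESI TraceInfo, EBP client
; registers) - presumably to re-arm tracing after the caller replaced the thread's context.
; Stack on entry: [esp+4] = R0TCB (may be NULL), [esp+8] = CONTEXT; the arguments are left in
; place by the original service (we pop our copies back ourselves).
; Out: EAX and the flags exactly as the original service left them (the old code restored the
;      EAX we were entered with, hiding the original's result from the caller); EBX/ESI/EDI/EBP preserved.
push ebx
push esi
push edi
push ebp
push dword [esp+24] ; CONTEXT
push dword [esp+24] ; R0TCB, can be NULL
call [OrgSetThreadContext]
pop edi ; R0TCB as left in the argument slot by the original service
pop esi ; CONTEXT (overwritten below; popped only to balance the stack)
push eax ; the original's return value is what the caller must see; EAX is used below
pushfd ; likewise its flags
; R0TCB "can be NULL" but was used unchecked below; resolve the current thread explicitly, as
; HookedW32SetThreadContext does, rather than rely on the original rewriting the slot in place.
test edi,edi
jnz @F
VMMCall Get_Cur_Thread_Handle ; EDI = current thread's R0TCB
@@
mov esi,[TDS]
mov esi,[esi+edi] ; TraceInfo for this thread, 0 if we are not tracing it
or esi,esi
jz .ret
mov ebx,[edi+TCB_VMHandle]
mov ebp,[edi+TCB_ClientPtr]
debug_start sdata+DebugFlags, ICEDUMP_DEBUG_TRACE
mov eax,[ebp+CRS.EFlags]
Trace_Out "ICEDUMP: HookedSetThreadContext: EFLAGS: #eax"
debug_end
call TrReinforce
.ret:
popfd
pop eax
pop ebp
pop edi
pop esi
pop ebx
retn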
segment _LDATA
align 4
OrgSetThreadContext: dd 0 ; previous _VWIN32_Set_Thread_Context handler; never written in this file, presumably filled by the VMM through the chain stub preceding HookedSetThreadContext
segment _LTEXT
;-------------------------------------------------------------------------------
; hook VWIN32 Get/Set Thread Context W32 APIs
;-------------------------------------------------------------------------------
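HookW32GetSetThreadContext:
; Patch VWIN32's W32 service table so that its GetThreadContext and SetThreadContext entries
; point at HookedW32GetThreadContext / HookedW32SetThreadContext.
; The table carries no names, so the entries are found by a signature on the per-entry
; parameter counts: 2, 2, 5, 5 for Get, Set and the two services that follow them. This is a
; heuristic tied to the VWIN32 builds it was written against: a table where that pattern occurs
; earlier would silently patch the wrong services, so keep the debug trace on for a new build.
; Table layout as used here: [table] = entry count; entry i has its address at table+8+8*i
; and its parameter count at table+12+8*i.
; Out: CF clear on success; CF set if the table cannot be found or the signature is absent.
; Clobbers: EAX (ECX preserved).
push ecx
call GetVWIN32W32ServiceTable
jnc @F
debug_start sdata+DebugFlags, ICEDUMP_DEBUG_TRACE
Trace_Out "ICEDUMP: failed to look up VWIN32's W32 service table"
debug_end
pop ecx
stc
retn
.error:
debug_start sdata+DebugFlags, ICEDUMP_DEBUG_TRACE
Trace_Out "ICEDUMP: failed to find W32GetThreadContext"
debug_end
pop ecx
stc
retn
@@
mov eax,[VWIN32W32ServiceTable]
mov ecx,[eax] ; W32 API count
sub ecx,byte 4 ; candidates are entries 0..count-5: the signature looks three entries ahead
jbe .error ; fewer than five entries cannot hold the signature; also keeps ECX from wrapping through zero below
add eax,byte 4 ; walk the parameter count list; the first `add eax,8` lands on entry 0's count
.next:
add eax,byte 8
cmp [eax],byte 2 ; GetThreadContext: 2 parameters
jnz .skip
cmp [eax+8],byte 2 ; SetThreadContext: 2 parameters
jnz .skip
cmp [eax+8+8],byte 5 ; followed by two 5-parameter services
jnz .skip
cmp [eax+8+8+8],byte 5
jz .found
.skip:
dec ecx ; explicit counter: the former loopnz/jecxz pair could never accept a match on the last candidate, since ECX had already reached 0 when it was tested
jnz .next
jmp .error
.found:
sub eax,[VWIN32W32ServiceTable]
shr eax,3 ; (12 + 8*i) >> 3 == i+1, the index of SetThreadContext
mov [VWIN32_W32_SetThreadContext],eax
dec eax
mov [VWIN32_W32_GetThreadContext],eax
add eax,byte 6
mov [VWIN32_W32_ResumeThread],eax ; Resume/Suspend sit 6 and 7 entries after Get in these builds; recorded only, not hooked here
inc eax
mov [VWIN32_W32_SuspendThread],eax
; swap in the Get hook, saving the original entry for UnhookW32GetSetThreadContext
mov eax,[VWIN32_W32_GetThreadContext]
shl eax,3
add eax,byte 8
add eax,[VWIN32W32ServiceTable]
push dword [eax]
pop dword [OrgW32GetThreadContext]
mov dword [eax],HookedW32GetThreadContext
; and the Set hook
mov eax,[VWIN32_W32_SetThreadContext]
shl eax,3
add eax,byte 8
add eax,[VWIN32W32ServiceTable]
push dword [eax]
pop dword [OrgW32SetThreadContext]
mov dword [eax],HookedW32SetThreadContext
pop ecx
clc
retn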
;-------------------------------------------------------------------------------
; unhook VWIN32 Get/Set Thread Context W32 APIs
;-------------------------------------------------------------------------------
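UnhookW32GetSetThreadContext:
; Restore the two W32 service table entries patched by HookW32GetSetThreadContext.
; Only restores what was actually hooked: OrgW32GetThreadContext/OrgW32SetThreadContext are
; written together, and only on the hook's success path. Without this check a failed or
; never-run hook left the indices and saved pointers at 0, and the restore below wrote 0 over
; entry 0 of VWIN32's table (or to address 8 if the table itself was never looked up).
; The saved pointers are deliberately left intact afterwards so a hook invocation that is
; already in flight still reaches the original through them.
; Out: CF always clear. Clobbers: EAX.
cmp dword [OrgW32GetThreadContext],byte 0
jz .done ; nothing hooked, nothing to restore
mov eax,[VWIN32_W32_GetThreadContext]
shl eax,3
add eax,byte 8
add eax,[VWIN32W32ServiceTable] ; address slot of entry i is at table+8+8*i
push dword [OrgW32GetThreadContext]
pop dword [eax]
mov eax,[VWIN32_W32_SetThreadContext]
shl eax,3
add eax,byte 8
add eax,[VWIN32W32ServiceTable]
push dword [OrgW32SetThreadContext]
pop dword [eax]
.done:
clc
retn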
;-------------------------------------------------------------------------------
; look up VWIN32's Win32 (W32) service table through its DDB
;-------------------------------------------------------------------------------
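GetVWIN32W32ServiceTable:
; Locate VWIN32's W32 service table through its DDB and store it in VWIN32W32ServiceTable.
; Out: CF set if the table (or the device itself) could not be found, CF clear otherwise;
;      EAX = table pointer - 1 (a side effect of the CF computation; callers reload the
;      pointer from VWIN32W32ServiceTable). ECX preserved.
push ecx
mov eax,VWIN32_Device_ID
VMMCall Get_DDB ; ECX = VWIN32's DDB, or 0 if no such device is loaded
xor eax,eax
jecxz .store ; no DDB: record a 0 table pointer and fail below instead of reading [0+DDB_Win32_Service_Table]
mov eax,[ecx+DDB_Win32_Service_Table] ; get Win32 Services Table pointer
.store:
mov [VWIN32W32ServiceTable],eax
sub eax,byte 1 ; stc if eax == 0
pop ecx
retn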
segment _LDATA
align 4
VWIN32W32ServiceTable: dd 0 ; VWIN32's W32 service table (from its DDB); 0 until GetVWIN32W32ServiceTable succeeds
VWIN32_W32_GetThreadContext: dd 0 ; indices into that table, located heuristically by HookW32GetSetThreadContext
VWIN32_W32_SetThreadContext: dd 0
VWIN32_W32_ResumeThread: dd 0 ; recorded by the same scan (Get+6 / Get+7); not hooked in this file
VWIN32_W32_SuspendThread: dd 0
OrgW32GetThreadContext: dd 0 ; original table entries saved before patching; 0 until the hook succeeds
OrgW32SetThreadContext: dd 0
segment _LTEXT
;-------------------------------------------------------------------------------
; hook for VWIN32's W32 GetThreadContext service (the ring-3 reachable counterpart of HookedGetThreadContext)
;-------------------------------------------------------------------------------
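HookedW32GetThreadContext:
; Hook for VWIN32's W32 GetThreadContext service (4 stack arguments, callee-cleaned with
; retn 16; the original cleans the copy we push, hence no pops after the call).
; Stack on entry: [esp+4],[esp+8] = first two arguments (passed through untouched),
; [esp+12] = R0TCB (may be NULL), [esp+16] = CONTEXT.
; After the original has filled CONTEXT, clears TF (EFLAGS bit 8) in it when the thread is one
; we trace with self-tracing off, so the debuggee does not see the trace flag we planted.
; Out: EAX as the original returned it; ESI/EDI preserved.
push esi
push edi
push dword [esp+24] ; CONTEXT
push dword [esp+24] ; R0TCB, can be NULL
push dword [esp+24]
push dword [esp+24]
call [OrgW32GetThreadContext]
mov esi,[esp+24] ; CONTEXT
; NOTE(review): the original's result (EAX) is not inspected; CONTEXT is read and possibly
; written below even if the original rejected it - consider honouring its failure return.
test dword [esi+CONTEXT.cx_ContextFlags],CONTEXT_CONTROL & ~CONTEXT_i386
jz .done ; caller did not ask for the control registers: nothing to hide.
; (a forward `@F` here resolved to the `@@` after the NULL check below and entered it with
; EDI still holding the caller's value, so [EDI+TDS] was dereferenced with an unrelated EDI)
mov edi,[esp+20] ; R0TCB
test edi,edi
jnz @F
VMMCall Get_Cur_Thread_Handle ; NULL R0TCB means the current thread: EDI = its R0TCB
@@
add edi,[TDS]
mov edi,[edi] ; TraceInfo for this thread, 0 if we are not tracing it
or edi,edi
jz .done
cmp dword [edi+TraceInfo.State0],byte ST0_SELFTRACEOFF
jnz .done
btr word [esi+CONTEXT.cx_EFlags],8 ; hide our TF from the debuggee
.done:
pop edi
pop esi
retn 16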
;-------------------------------------------------------------------------------
; hook for VWIN32's W32 SetThreadContext service (the ring-3 reachable counterpart of HookedSetThreadContext)
;-------------------------------------------------------------------------------
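HookedW32SetThreadContext:
; Hook for VWIN32's W32 SetThreadContext service (4 stack arguments, callee-cleaned with
; retn 16; the original cleans the copy we push, hence no pops after the call).
; Stack on entry: [esp+4],[esp+8] = first two arguments (passed through untouched),
; [esp+12] = R0TCB (may be NULL), [esp+16] = CONTEXT.
; After the original has applied the new context, calls TrReinforce for a thread we trace,
; with the register convention BreakIn documents (EBX VM handle, EDI R0TCB, ESI TraceInfo,
; EBP client registers) - presumably to re-arm tracing the new context may have disturbed.
; Out: EAX as the original returned it (the old code restored the EAX we were entered with,
;      which hid the original's result from the caller - HookedW32GetThreadContext already
;      passes EAX through); EBX/ESI/EDI/EBP preserved.
push ebx
push esi
push edi
push ebp
push dword [esp+32] ; CONTEXT
push dword [esp+32] ; R0TCB, can be NULL
push dword [esp+32]
push dword [esp+32]
call [OrgW32SetThreadContext] ; cleans the 16 bytes we pushed
push eax ; keep the original's return value for the caller; EAX is used below
mov edi,[esp+32] ; R0TCB
test edi,edi
jnz @F
VMMCall Get_Cur_Thread_Handle ; NULL R0TCB means the current thread: EDI = its R0TCB
@@
mov esi,[TDS]
mov esi,[esi+edi] ; TraceInfo for this thread, 0 if we are not tracing it
or esi,esi
jz .ret
mov ebx,[edi+TCB_VMHandle]
mov ebp,[edi+TCB_ClientPtr]
debug_start sdata+DebugFlags, ICEDUMP_DEBUG_TRACE
mov eax,[ebp+CRS.EFlags]
Trace_Out "ICEDUMP: HookedW32SetThreadContext: EFLAGS: #eax"
debug_end
call TrReinforce
.ret:
pop eax
pop ebp
pop edi
pop esi
pop ebx
retn 16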
segment _LTEXT ; already the current segment (selected above); harmless repeat
;-------------------------------------------------------------------------------
; hook fault handlers which eventually call win32 SEH
;-------------------------------------------------------------------------------
HookPMFaults:
push ecx
push esi
push edi
mov ecx,(HookedPMFaults.end-HookedPMFaults)/PMFaultHook_size
mov edi,HookedPMFaults-PMFaultHook_size
@@
add edi,byte PMFaultHook_size
movzx eax,byte [edi+PMFaultHook.id]
mov esi,[edi+PMFaultHook.new]
VMMCall Hook_PM_Fault
jc @F
loop @B
pop edi
pop esi
pop ecx
clc
retn
@@
debug_start sdata+DebugFlags, ICEDUMP_DEBUG_TRACE
Trace_Out "ICEDUMP: Hook_PM_Fault failed for INT #eax"
debug_end
pop edi
pop esi