pop ecx
stc
retn
;-------------------------------------------------------------------------------
; UnhookPMFaults - remove every fault hook listed in HookedPMFaults
;
; Every entry is tried even after a failure, so as much as possible gets
; unhooked. The EFLAGS image pushed at the start accumulates the result:
; its CF bit is set whenever an Unhook_PM_Fault call fails.
;
; Out:      CF clear if every unhook succeeded, CF set otherwise
; Clobbers: EAX, flags. ECX, ESI, EDI are preserved.
;-------------------------------------------------------------------------------
UnhookPMFaults:
        push    ecx
        push    esi
        push    edi
        clc
        pushfd                                  ; [esp] = result flags, CF = 0 so far
        mov     edi,HookedPMFaults              ; EDI = current PMFaultHook entry
        mov     ecx,(HookedPMFaults.end-HookedPMFaults)/PMFaultHook_size
.unhook_entry:
        movzx   eax,byte [edi+PMFaultHook.id]   ; EAX = interrupt number
        mov     esi,[edi+PMFaultHook.new]       ; ESI = our hook procedure
        VMMCall Unhook_PM_Fault
        jnc     .advance
        debug_start sdata+DebugFlags, ICEDUMP_DEBUG_TRACE
        Trace_Out "ICEDUMP: Unhook_PM_Fault failed for INT #eax"
        debug_end
        or      byte [esp],1                    ; remember the failure: CF in the saved EFLAGS
.advance:
        add     edi,byte PMFaultHook_size
        dec     ecx
        jnz     .unhook_entry
        popfd                                   ; CF = accumulated result
        pop     edi
        pop     esi
        pop     ecx
        retn
; One hooked protected-mode fault; HookedPMFaults is an array of these.
struc PMFaultHook
.id: resd 1 ; interrupt number (UnhookPMFaults only uses the low byte: movzx eax,byte [..])
.new: resd 1 ; address of our hook procedure (the HookedPMFault_INTxx entry)
.old: resd 1 ; previous handler for this fault; the trampolines push/jmp through it
endstruc
segment _LDATA
align 4
; Table of the PM faults this tracer hooks, one PMFaultHook per line:
;   id  = interrupt number
;   new = our hook procedure
;   old = previous handler, 0 here; presumably filled in by HookPMFaults
;         (not in this view) and read back by the trampolines below
; UnhookPMFaults walks the table from HookedPMFaults to .end in
; PMFaultHook_size steps, so every entry must keep this exact layout.
HookedPMFaults:
.int00: dd 0x00, HookedPMFault_INT00, 0
.int01: dd 0x01, HookedPMFault_INT01, 0
.int03: dd 0x03, HookedPMFault_INT03, 0
.int04: dd 0x04, HookedPMFault_INT04, 0
.int05: dd 0x05, HookedPMFault_INT05, 0
.int06: dd 0x06, HookedPMFault_INT06, 0
.int0B: dd 0x0B, HookedPMFault_INT0B, 0
.int0C: dd 0x0C, HookedPMFault_INT0C, 0
.int0D: dd 0x0D, HookedPMFault_INT0D, 0
.int0E: dd 0x0E, HookedPMFault_INT0E, 0
.end:
segment _LTEXT
;-------------------------------------------------------------------------------
; Per-fault entry points for INT 00/03/04/05/06/0B/0C/0D/0E.
;
; EBX: VMCB
; EBP: Client Registers
;
; Each entry is preceded by the two-jump prologue the VMM hook chain expects
; (compare "this mess simulates a HOOK_PROC" below): a short jump over an
; indirect jump to the previous handler stored in HookedPMFaults.intXX.old.
; The per-line comment says the pair *MUST* assemble to EB,06 or EB,0A, so do
; not put any code between the two jumps. The labelled part pushes the
; previous handler and continues in HookedPMFault_stub, which either calls
; that address or chains to it with a plain RETN.
;-------------------------------------------------------------------------------
jmp short HookedPMFault_INT00; *MUST* assemble to EB,06 or EB,0A
jmp [HookedPMFaults.int00+PMFaultHook.old]
HookedPMFault_INT00:
push dword [HookedPMFaults.int00+PMFaultHook.old] ; [esp] = previous INT 00 handler for the stub
jmp short HookedPMFault_stub
;-------------------------------------------------------------------------------
jmp short HookedPMFault_INT03; *MUST* assemble to EB,06 or EB,0A
jmp [HookedPMFaults.int03+PMFaultHook.old]
HookedPMFault_INT03:
push dword [HookedPMFaults.int03+PMFaultHook.old] ; [esp] = previous INT 03 handler for the stub
jmp short HookedPMFault_stub
;-------------------------------------------------------------------------------
jmp short HookedPMFault_INT04; *MUST* assemble to EB,06 or EB,0A
jmp [HookedPMFaults.int04+PMFaultHook.old]
HookedPMFault_INT04:
push dword [HookedPMFaults.int04+PMFaultHook.old] ; [esp] = previous INT 04 handler for the stub
jmp short HookedPMFault_stub
;-------------------------------------------------------------------------------
jmp short HookedPMFault_INT05; *MUST* assemble to EB,06 or EB,0A
jmp [HookedPMFaults.int05+PMFaultHook.old]
HookedPMFault_INT05:
push dword [HookedPMFaults.int05+PMFaultHook.old] ; [esp] = previous INT 05 handler for the stub
jmp short HookedPMFault_stub
;-------------------------------------------------------------------------------
jmp short HookedPMFault_INT06; *MUST* assemble to EB,06 or EB,0A
jmp [HookedPMFaults.int06+PMFaultHook.old]
HookedPMFault_INT06:
push dword [HookedPMFaults.int06+PMFaultHook.old] ; [esp] = previous INT 06 handler for the stub
jmp short HookedPMFault_stub
;-------------------------------------------------------------------------------
jmp short HookedPMFault_INT0B; *MUST* assemble to EB,06 or EB,0A
jmp [HookedPMFaults.int0B+PMFaultHook.old]
HookedPMFault_INT0B:
push dword [HookedPMFaults.int0B+PMFaultHook.old] ; [esp] = previous INT 0B handler for the stub
jmp short HookedPMFault_stub
;-------------------------------------------------------------------------------
jmp short HookedPMFault_INT0C; *MUST* assemble to EB,06 or EB,0A
jmp [HookedPMFaults.int0C+PMFaultHook.old]
HookedPMFault_INT0C:
push dword [HookedPMFaults.int0C+PMFaultHook.old] ; [esp] = previous INT 0C handler for the stub
jmp short HookedPMFault_stub
;-------------------------------------------------------------------------------
jmp short HookedPMFault_INT0D; *MUST* assemble to EB,06 or EB,0A
jmp [HookedPMFaults.int0D+PMFaultHook.old]
HookedPMFault_INT0D:
push dword [HookedPMFaults.int0D+PMFaultHook.old] ; [esp] = previous INT 0D handler for the stub
jmp short HookedPMFault_stub
;-------------------------------------------------------------------------------
jmp short HookedPMFault_INT0E; *MUST* assemble to EB,06 or EB,0A
jmp [HookedPMFaults.int0E+PMFaultHook.old]
HookedPMFault_INT0E:
push dword [HookedPMFaults.int0E+PMFaultHook.old] ; [esp] = previous INT 0E handler; falls straight into the stub
;-------------------------------------------------------------------------------
; HookedPMFault_stub - common body of the INT 00/03/04/05/06/0B/0C/0D/0E hooks
;
; EBX: VMCB
; EBP: Client Registers
; [esp]:   previous handler for this fault (pushed by the per-INT entry above)
; [esp+4]: return address into the VMM fault dispatcher
;
; Looks up the faulting thread's TraceInfo through our thread data slot.
; An untraced thread (slot == 0) is chained straight to the previous handler.
; For a traced thread the fault is fed to the state machine as
; IN_EXCEPTION_IN; PASSDOWN calls the previous handler first, DONTPASS skips
; it, then IN_EXCEPTION_OUT runs and RecordAndLog stores the client
; CS:EIP / SS:ESP. Any other answer ends tracing for the thread and chains.
;-------------------------------------------------------------------------------
HookedPMFault_stub:
push eax
push ecx
push edx
push esi
push edi
VMMCall Get_Cur_Thread_Handle ; EDI = R0TCB of the faulting thread
mov esi,[TDS] ; offset of our thread data slot
mov esi,[esi+edi] ; TraceInfo (0 when this thread is not traced)
cmp esi,byte 0
jnz @F
pop edi
pop esi
pop edx
pop ecx
pop eax
retn ; chain to old (RETN pops the handler address pushed by the entry stub)
@@
; Transitions index = State0*ST1_SIZE*IN_SIZE + State1*IN_SIZE + input.
; State0/State1 are not range-checked here; they are trusted to stay within
; the table (they are only written by the tracer itself, as far as visible).
imul eax,[esi+TraceInfo.State0],byte ST1_SIZE*IN_SIZE
imul edx,[esi+TraceInfo.State1],byte IN_SIZE
lea eax,[eax+edx+IN_EXCEPTION_IN]
call [Transitions+4*eax]
cmp eax,byte PASSDOWN
jz .passdown
cmp eax,byte DONTPASS
jz .dontpass
debug_start sdata+DebugFlags, ICEDUMP_DEBUG_TRACE
Trace_Out "ICEDUMP: INTxxHook: error tracing thread, giving up... R0TCB: #edi"
debug_end
; Unexpected answer from the state machine: give up on this thread.
; A self-traced thread (ST0_SELFTRACEON) is freed without StopTracing.
cmp [esi+TraceInfo.State0],byte ST0_SELFTRACEON
jz @F
call StopTracing
@@
call TracerFree
pop edi
pop esi
pop edx
pop ecx
pop eax
retn ; chain to old
.passdown:
push esi
push edi
; Stack now: [esp]=edi [esp+4]=esi (our copies: R0TCB, TraceInfo)
;            [esp+8]=edi [esp+12]=esi [esp+16]=edx [esp+20]=ecx [esp+24]=eax (as on entry)
;            [esp+28]=previous handler [esp+32]=dispatcher return address
; Give the previous handler the registers it would have seen; its result and
; flags are not examined afterwards.
mov eax,[esp+24]
mov ecx,[esp+20]
mov edx,[esp+16]
mov esi,[esp+12]
mov edi,[esp+8]
call [esp+28] ; chain to old
pop edi ; R0TCB
pop esi ; TraceInfo
.dontpass:
imul eax,[esi+TraceInfo.State0],byte ST1_SIZE*IN_SIZE
imul edx,[esi+TraceInfo.State1],byte IN_SIZE
lea eax,[eax+edx+IN_EXCEPTION_OUT]
call [Transitions+4*eax]
call RecordAndLog
pop edi
pop esi
pop edx
pop ecx
pop eax
add esp,byte 4 ; drop the previous-handler address (already called, or deliberately skipped)
retn
;-------------------------------------------------------------------------------
; this mess simulates a HOOK_PROC: the VMM hook chain expects the procedure to
; start with a short jump over an indirect jump to the previous handler
;-------------------------------------------------------------------------------
jmp short HookedPMFault_INT01; *MUST* assemble to EB,06 or EB,0A
jmp [HookedPMFaults.int01+PMFaultHook.old] ; previous INT 01 handler; only reached through the hook chain
;-------------------------------------------------------------------------------
; the heart of the tracer engine: HookedPMFault_INT01, the single-step hook
;
; EBX: VMCB
; EBP: Client Registers
; [esp]: return address into the VMM fault dispatcher. Unlike
;        HookedPMFault_stub there is no pushed previous-handler address; this
;        routine chains through HookedPMFaults.int01.old directly.
;
; 1. detect traced thread
; 2. check EIP for being in the specified range
; 3. emulate certain instructions
; 4. handle SEH
; Only step 1 is visible inline here; steps 2-4 are delegated to the handlers
; reached through the Transitions table (IN_DEBUG_BS, then IN_EXCEPTION_OUT).
;-------------------------------------------------------------------------------
HookedPMFault_INT01:
push eax
push ecx
push edx
push esi
push edi
VMMCall Get_Cur_Thread_Handle ; EDI = R0TCB of the single-stepped thread
mov esi,[TDS] ; offset of our thread data slot
mov esi,[esi+edi] ; TraceInfo (0 when this thread is not traced)
cmp esi,byte 0
jnz @F
pop edi
pop esi
pop edx
pop ecx
pop eax
jmp [HookedPMFaults.int01+PMFaultHook.old] ; not ours: tail-jump to the previous INT 01 handler
@@
; send first input to the state machine
; (index = State0*ST1_SIZE*IN_SIZE + State1*IN_SIZE + input; no range check)
imul eax,[esi+TraceInfo.State0],byte ST1_SIZE*IN_SIZE
imul edx,[esi+TraceInfo.State1],byte IN_SIZE
lea eax,[eax+edx+IN_DEBUG_BS]
call [Transitions+4*eax]
cmp eax,byte PASSDOWN
jz .passdown
cmp eax,byte DONTPASS
jz .dontpass
debug_start sdata+DebugFlags, ICEDUMP_DEBUG_TRACE
Trace_Out "ICEDUMP: INT01Hook: error tracing thread, giving up... R0TCB: #edi"
debug_end
; Unexpected answer: give up on this thread. A self-traced thread
; (ST0_SELFTRACEON) is freed without StopTracing.
cmp [esi+TraceInfo.State0],byte ST0_SELFTRACEON
jz @F
call StopTracing
@@
call TracerFree
pop edi
pop esi
pop edx
pop ecx
pop eax
jmp [HookedPMFaults.int01+PMFaultHook.old] ; chain to the previous INT 01 handler
.passdown:
push esi
push edi
; Stack now: [esp]=edi [esp+4]=esi (our copies: R0TCB, TraceInfo)
;            [esp+8]=edi [esp+12]=esi [esp+16]=edx [esp+20]=ecx [esp+24]=eax (as on entry)
;            [esp+28]=dispatcher return address
; Call the previous handler with the entry registers; its result is ignored.
mov eax,[esp+24]
mov ecx,[esp+20]
mov edx,[esp+16]
mov esi,[esp+12]
mov edi,[esp+8]
call [HookedPMFaults.int01+PMFaultHook.old]
pop edi ; R0TCB
pop esi ; TraceInfo
.dontpass:
imul eax,[esi+TraceInfo.State0],byte ST1_SIZE*IN_SIZE
imul edx,[esi+TraceInfo.State1],byte IN_SIZE
lea eax,[eax+edx+IN_EXCEPTION_OUT]
call [Transitions+4*eax]
call RecordAndLog
pop edi
pop esi
pop edx
pop ecx
pop eax
retn ; back to the VMM fault dispatcher
segment _LDATA
align 4
TDS: dd 0 ; offset of this VxD's thread data slot, set from _AllocateThreadDataSlot in TracerSysDynamicDeviceInit; 0 until then. The hooks read the TraceInfo pointer at [R0TCB+TDS].
segment _LTEXT
;-------------------------------------------------------------------------------
; RecordAndLog - optionally log, then remember the client CS:EIP and SS:ESP
;
; EDI: R0TCB
; ESI: R0TCB->TDS (TraceInfo)
; EBP: Client Registers
;
; Logging policy (OT is the option table; 'E'/'D' meanings are inferred from
; the compares only):
;   OT.OAll    == 'E' -> log every instruction
;   OT.OBranch == 'D' -> never log, only record
;   otherwise         -> log only when CanChangeFlow reports that the
;                        instruction may change flow (a faulting read of the
;                        client bytes also counts as "may")
; Always records EIP/CS/ESP/SS into TraceInfo.last*.
; Preserves EAX, EBX, ECX, EDX.
;-------------------------------------------------------------------------------
RecordAndLog:
        push    eax
        push    ebx
        push    ecx
        push    edx
        cmp     byte [OT.OAll],'E'              ; log everything?
        jz      .emit_log
        cmp     byte [OT.OBranch],'D'           ; branch logging disabled?
        jz      .save_last
        VMMCall Get_Cur_VM_Handle               ; EBX = current VM for the helpers below
        call    GetLinearCSEIP
        jc      .save_last                      ; cannot resolve CS:EIP: record only
        call    SkipPrefixes
        jc      .save_last
        call    CanChangeFlow
        jc      .save_last                      ; cannot change flow: nothing to log
.emit_log:
        mov     eax,[ebp+CRS.EIP]
        movzx   ecx,word [ebp+CRS.CS]
        mov     ebx,[ebp+CRS.ESP]
        movzx   edx,word [ebp+CRS.SS]
        Trace_Out "ICEDUMP: LOG: CS:EIP: #cx:#eax, SS:ESP: #dx:#ebx, R0TCB: #edi"
.save_last:
        ; TraceInfo.last* = client CS:EIP / SS:ESP (selectors zero-extended)
        mov     eax,[ebp+CRS.EIP]
        mov     [esi+TraceInfo.lastEIP],eax
        movzx   eax,word [ebp+CRS.CS]
        mov     [esi+TraceInfo.lastCS],eax
        mov     eax,[ebp+CRS.ESP]
        mov     [esi+TraceInfo.lastESP],eax
        movzx   eax,word [ebp+CRS.SS]
        mov     [esi+TraceInfo.lastSS],eax
        pop     edx
        pop     ecx
        pop     ebx
        pop     eax
        retn
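;-------------------------------------------------------------------------------
; CanChangeFlow - classify the client instruction as flow-changing or not
;
; In:  EAX: client EIP (linear), after known prefixes
;      ECX: max length for real opcode (considering the 15 byte limit)
; Out: CF set   - instruction cannot change execution flow
;      CF clear - instruction can (or might) change execution flow; this is
;                 also the answer when reading the client bytes faults (.EH)
; Clobbers: EAX, ECX, flags. ESI is preserved.
;
; Lookup tables (a SET bit means "cannot change flow"):
;   FlowChangersXXno  - first opcode byte decides "no"
;   FlowChangersXXyes - first opcode byte decides "yes" (bit clear)
;   FlowChangers0F    - second opcode byte of a two-byte 0F xx instruction
;   FlowChangersFF    - ModRM byte of an FF /r instruction (CALL/JMP forms)
; Which second-byte table applies is decided by the FIRST byte, which is kept
; in ECX once the length counter is no longer needed.
;
; The client-memory reads between .protect_start and .protect_end are covered
; by EHS_CanChangeFlow; a fault there resumes at .EH with ESI still pushed.
;-------------------------------------------------------------------------------
CanChangeFlow:
        push    esi
        mov     esi,eax
.protect_start:
        movzx   eax,byte [esi]                  ; first opcode byte
        bt      [FlowChangersXXno],eax
        jc      .no_change
        bt      [FlowChangersXXyes],eax
        jnc     .change
        ; Two-byte case (0F xx or FF /r): the next byte is needed, but only
        ; if the remaining opcode length allows reading it.
        dec     ecx
        jecxz   .no_change
        mov     ecx,eax                         ; keep the first byte for the dispatch below
        movzx   eax,byte [esi+1]                ; second opcode byte or ModRM
.protect_end:
        cmp     cl,0x0F
        jz      .two_byte_0F
        cmp     cl,0xFF
        jnz     .no_change
        bt      [FlowChangersFF],eax            ; FF /r: decided by the ModRM byte
        jc      .no_change
        jmp     short .change
.two_byte_0F:
        bt      [FlowChangers0F],eax            ; 0F xx: decided by the second opcode byte
        jc      .no_change
.change:
.EH:
        pop     esi
        clc
        retn
.no_change:
        pop     esi
        stc
        retn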
segment _LDATA
align 4
; Opcode classification bitmaps used by CanChangeFlow via bt [table],eax.
; Each table is 256 bits = 8 dwords; bit N stands for byte value N (dword
; N/32, bit N%32 - the two comment rows above each table give the bit order
; within a dword, the trailing comment the byte range of the dword).
; A SET bit means "this byte cannot change execution flow".
; The extra zero dword after each table is never reached by an 8-bit index.
FlowChangersXXno:
; First opcode byte, "definitely no": bit set -> CanChangeFlow returns stc.
;11111111111111110000000000000000
;FEDCBA9876543210FEDCBA9876543210
dd 11111111111111110111111111111111b ; 1F-00
dd 11111111111111111111111111111111b ; 3F-20
dd 11111111111111111111111111111111b ; 5F-40
dd 00000000000000001111111111111111b ; 7F-60
dd 11111011111111111111111111111111b ; 9F-80
dd 11111111111111111111111111111111b ; BF-A0
dd 11111111111111110000001111110011b ; DF-C0
dd 01111111111111011111000011110000b ; FF-E0
dd 0
FlowChangersXXyes:
; First opcode byte, "definitely yes": bit CLEAR -> CanChangeFlow returns clc.
; Differs from FlowChangersXXno only at 0x0F and 0xFF, the two bytes that
; need a second byte to decide.
;11111111111111110000000000000000
;FEDCBA9876543210FEDCBA9876543210
dd 11111111111111111111111111111111b ; 1F-00
dd 11111111111111111111111111111111b ; 3F-20
dd 11111111111111111111111111111111b ; 5F-40
dd 00000000000000001111111111111111b ; 7F-60
dd 11111011111111111111111111111111b ; 9F-80
dd 11111111111111111111111111111111b ; BF-A0
dd 11111111111111110000001111110011b ; DF-C0
dd 11111111111111011111000011110000b ; FF-E0
dd 0
FlowChangers0F:
; Second byte of a two-byte 0F xx opcode: bit set -> cannot change flow
; (e.g. 0F 80..8F, the near Jcc forms, are all clear).
;11111111111111110000000000000000
;FEDCBA9876543210FEDCBA9876543210
dd 11111111111111111110001101001111b ; 1F-00
dd 00000000000011111111111101011111b ; 3F-20
dd 11110011111111111111111111111111b ; 5F-40
dd 11000000111111111100111111111111b ; 7F-60
dd 11111111111111110000000000000000b ; 9F-80
dd 11111100111111111111111111111111b ; BF-A0
dd 11111111101011101111111111110111b ; DF-C0
dd 01110111111011101111111110111111b ; FF-E0
dd 0
FlowChangersFF:
; ModRM byte of an FF /r instruction, presumably with the same "bit set =
; cannot change flow" convention. The pattern repeats every 0x40 (i.e. per
; mod field) and clears the bits whose reg field (bits 5..3) is 2..5 - the
; CALL/JMP forms of opcode FF; /0, /1 (INC/DEC) and /6, /7 stay set.
;11111111111111110000000000000000
;FEDCBA9876543210FEDCBA9876543210
dd 00000000000000001111111111111111b ; 1F-00
dd 11111111111111110000000000000000b ; 3F-20
dd 00000000000000001111111111111111b ; 5F-40
dd 11111111111111110000000000000000b ; 7F-60
dd 00000000000000001111111111111111b ; 9F-80
dd 11111111111111110000000000000000b ; BF-A0
dd 00000000000000001111111111111111b ; DF-C0
dd 11111111111111110000000000000000b ; FF-E0
dd 0
segment _LTEXT
;-------------------------------------------------------------------------------
; TracerSysDynamicDeviceInit - bring up the tracer
;
; 1. install the VMM exception handlers for our client-memory reads
; 2. hook the PM faults listed in HookedPMFaults
; 3. hook VWIN32's Get/SetThreadContext related APIs (VxD and W32 entries)
; 4. allocate the thread data slot (TDS)
; 5. clear that slot in every existing thread (no TraceInfo yet)
;
; Out: CF clear on success; CF set on failure, with every step that had
;      succeeded before the failing one torn down again (in reverse order).
; Clobbers: EAX, flags (plus whatever the VMM services clobber).
;           EBX, ECX, EDI are preserved.
;
; NOTE(review): the fault hooks are live from step 2 on, but [TDS] stays 0
; until step 4, and the hook stubs read the TraceInfo pointer at [R0TCB+TDS].
; That is only harmless if no client-mode fault can be dispatched while this
; init runs (presumably true for non-preempted ring-0 VxD code) - confirm
; before relying on it, or move the slot allocation ahead of the hooks.
;-------------------------------------------------------------------------------
TracerSysDynamicDeviceInit:
        push    ebx
        push    ecx
        push    edi
        call    InstallExceptionHandlers
        jc      .fail
        call    HookPMFaults
        jc      .fail_exception_handlers
        call    HookGetSetThreadContext
        jc      .fail_pm_faults
        call    HookW32GetSetThreadContext
        jc      .fail_threadcontext
        VMMCall _AllocateThreadDataSlot         ; EAX = slot offset, 0 on failure
        test    eax,eax
        jz      .fail_w32threadcontext
        mov     [TDS],eax
        ; Walk the circular thread list once, starting at the System VM's
        ; initial thread, and zero our slot in each R0TCB.
        VMMCall Get_Sys_VM_Handle
        VMMCall Get_Initial_Thread_Handle       ; EDI = first thread
        mov     ebx,edi                         ; remember it to detect the wrap-around
        mov     ecx,[TDS]
        xor     eax,eax
.clear_slot:
        mov     [edi+ecx],eax                   ; R0TCB->TDS = 0: not traced
        VMMCall Get_Next_Thread_Handle
        cmp     edi,ebx
        jne     .clear_slot
        pop     edi
        pop     ecx
        pop     ebx
        clc
        retn
.fail_w32threadcontext:
        call    UnhookW32GetSetThreadContext
.fail_threadcontext:
        call    UnhookGetSetThreadContext
.fail_pm_faults:
        call    UnhookPMFaults
.fail_exception_handlers:
        call    RemoveExceptionHandlers
.fail:
        pop     edi
        pop     ecx
        pop     ebx
        stc
        retn
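;-------------------------------------------------------------------------------
; InstallExceptionHandlers - register the VMM exception handlers that cover
; the client-memory reads in SkipPrefixes, TrReinforce, CanChangeFlow and
; GetLenAndAddr.
;
; Out: CF clear on success.
;      CF set if any Install_Exception_Handler call failed. In that case the
;      handlers installed before the failure are removed again, so the
;      caller never ends up with a half-installed set that nobody tears down
;      (TracerSysDynamicDeviceInit does not call RemoveExceptionHandlers on
;      this routine's failure path).
; Clobbers: flags (plus whatever the VMM services clobber). ESI preserved.
;-------------------------------------------------------------------------------
InstallExceptionHandlers:
        push    esi
        mov     esi,EHS_SkipPrefixes
        VMMCall Install_Exception_Handler
        jc      .failed
        mov     esi,EHS_TrReinforce
        VMMCall Install_Exception_Handler
        jc      .failed
        mov     esi,EHS_CanChangeFlow
        VMMCall Install_Exception_Handler
        jc      .failed
        mov     esi,EHS_GetLenAndAddr
        VMMCall Install_Exception_Handler
        jc      .failed
        pop     esi
        clc
        retn
.failed:
        debug_start sdata+DebugFlags, ICEDUMP_DEBUG_TRACE
        Trace_Out "ICEDUMP: InstallExceptionHandlers: failed to install exception handler"
        debug_end
        ; Roll back the handlers installed so far. RemoveExceptionHandlers
        ; skips records whose EHS_Reserved is still 0 (never installed), so
        ; it is safe to call it for the full set; it returns with CF clear.
        call    RemoveExceptionHandlers
        pop     esi
        stc
        retn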
;-------------------------------------------------------------------------------
; RemoveExceptionHandlers - unregister the VMM exception handlers
;
; Each EHS record is only handed to Remove_Exception_Handler if its
; EHS_Reserved field is non-zero, i.e. if it was actually installed. A
; failed removal is traced but does not stop the remaining ones.
; Out:      CF always clear
; Clobbers: flags (plus whatever Remove_Exception_Handler clobbers).
;           ESI preserved.
;-------------------------------------------------------------------------------
; remove_installed_eh <EHS record>, <message traced if the removal fails>
%macro remove_installed_eh 2
        mov     esi,%1
        cmp     dword [esi+EHS_Reserved],byte 0
        jz      %%done                          ; never installed: nothing to remove
        VMMCall Remove_Exception_Handler
        jnc     %%done
        debug_start sdata+DebugFlags, ICEDUMP_DEBUG_TRACE
        Trace_Out %2
        debug_end
%%done:
%endmacro

RemoveExceptionHandlers:
        push    esi
        remove_installed_eh EHS_SkipPrefixes,  "ICEDUMP: RemoveExceptionHandlers: failed for SkipPrefixes"
        remove_installed_eh EHS_TrReinforce,   "ICEDUMP: RemoveExceptionHandlers: failed for TrReinforce"
        remove_installed_eh EHS_CanChangeFlow, "ICEDUMP: RemoveExceptionHandlers: failed for CanChangeFlow"
        remove_installed_eh EHS_GetLenAndAddr, "ICEDUMP: RemoveExceptionHandlers: failed for GetLenAndAddr"
        pop     esi
        clc
        retn
segment _LDATA
align 4
; Exception_Handler_Struc records for Install_Exception_Handler, one per
; routine that reads client memory. A fault with EIP between EHS_Start_EIP
; and EHS_End_EIP is diverted to EHS_Handler (the routine's .EH label).
; EHS_Reserved starts at 0; RemoveExceptionHandlers treats a non-zero value
; as "installed" (presumably the VMM links the record through it).
EHS_SkipPrefixes:
istruc Exception_Handler_Struc
at EHS_Reserved, dd 0
at EHS_Start_EIP, dd SkipPrefixes.protect_start
at EHS_End_EIP, dd SkipPrefixes.protect_end
at EHS_Handler, dd SkipPrefixes.EH
iend
EHS_TrReinforce:
istruc Exception_Handler_Struc
at EHS_Reserved, dd 0
at EHS_Start_EIP, dd TrReinforce.protect_start
at EHS_End_EIP, dd TrReinforce.protect_end
at EHS_Handler, dd TrReinforce.EH
iend
EHS_CanChangeFlow:
istruc Exception_Handler_Struc
at EHS_Reserved, dd 0
at EHS_Start_EIP, dd CanChangeFlow.protect_start ; covers the two client byte reads in CanChangeFlow
at EHS_End_EIP, dd CanChangeFlow.protect_end
at EHS_Handler, dd CanChangeFlow.EH ; resumes with "can change flow" (clc)
iend
EHS_GetLenAndAddr:
istruc Exception_Handler_Struc
at EHS_Reserved, dd 0
at EHS_Start_EIP, dd GetLenAndAddr.protect_start
at EHS_End_EIP, dd GetLenAndAddr.protect_end
at EHS_Handler, dd GetLenAndAddr.EH
iend
segment _LTEXT
;-------------------------------------------------------------------------------
; clean up all tracer structures
;-------------------------------------------------------------------------------
TracerSysDynamicDeviceExit:
push ebx
push ecx
push edi
VMMCall Get_Sys_VM_Handle
VMMCall Get_Initial_Thread_Handle
mov ebx,edi
mov ecx,[TDS]
.loop:
mov eax,[ecx+edi]
or eax,eax
jz .next
cmp [eax+TraceInfo.State0],byte ST0_SELFTRACEON
jz @F
call StopTracing
@@
call TracerFree
.next:
VMMCall Get_Next_Thread_Handle
cmp ebx,edi
jnz .loop