//set the ownprocessdebugregs back to the debugregs
//do a single step (set the step flag in eflags
//set the debugregs back to what the program put them to
DbgPrint("The debugregs got accessed\n");
}
}
else
if (iInt==3) //duh... what else could it be.....
{
//gues what!!! Handle int 3
/*DbgPrint("Hello from int3\n");
DbgPrint("eax=%x\n",Stacklocation[-2]);
DbgPrint("ebx=%x\n",Stacklocation[-5]);
DbgPrint("ecx=%x\n",Stacklocation[-3]);
DbgPrint("edx=%x\n",Stacklocation[-4]);
DbgPrint("esi=%x\n",Stacklocation[-8]);
DbgPrint("edi=%x\n",Stacklocation[-9]);
DbgPrint("ebp=%x\n",Stacklocation[-7]);
DbgPrint("esp=%x\n",Stacklocation[3]);
DbgPrint("eip=%x\n",Stacklocation[0]-1); //it was a break
DbgPrint("0=%x\n",Stacklocation[0]);
DbgPrint("1=%x\n",Stacklocation[1]);
DbgPrint("2=%x\n",Stacklocation[2]);
DbgPrint("3=%x\n",Stacklocation[3]);
DbgPrint("4=%x\n",Stacklocation[4]);
DbgPrint("5=%x\n",Stacklocation[5]);
DbgPrint("6=%x\n",Stacklocation[6]);
DbgPrint("7=%x\n",Stacklocation[7]);
DbgPrint("8=%x\n",Stacklocation[8]);
DbgPrint("9=%x\n",Stacklocation[9]);
DbgPrint("10=%x\n",Stacklocation[10]);
DbgPrint("11=%x\n",Stacklocation[11]);
DbgPrint("12=%x\n",Stacklocation[12]);*/
//DbgPrint("Result=1\n");
if ((Stacklocation[0]-1)==DebuggedAddress)
{
result=1;
//KeGetCurrentThread()->KernelApcDisable -= 1;
//handle my code here. Not implemented right now, but might be usefull if I add debugging of code
}
}
}
if (iInt==0xd1)
{
/*int i;
for (i=0; i<32;i++)
if (IDTAddresses[i]!=0)
{
if (((PINT_VECTOR)(IDTAddresses[i]))[1].wHighOffset!=NewInt1.wHighOffset)
{
//rehook (in front of the current hook)
Int1Address=((PINT_VECTOR)(IDTAddresses[i]))[1].wLowOffset+(((PINT_VECTOR)(IDTAddresses[i]))[1].wHighOffset << 16); //save the original address of the int3 handler
NewInt1.wLowOffset=(WORD)&interrupt1;
NewInt1.wHighOffset=(WORD)((DWORD)&interrupt1 >> 16);
((PINT_VECTOR)(IDTAddresses[i]))[1]=NewInt1;
}
} */
}
return result;
#else
return 0;
#endif
}
#ifndef AMD64
/*
 * IDT hook for vector 1 (debug trap / single step).  Int1Address holds the
 * handler that was in the IDT before this hook was installed.
 *
 * Naked function: no compiler prologue/epilogue, so on entry [esp] is the
 * interrupt frame the CPU pushed (vector 1 carries no error code).  Flow:
 *   - DebuggedProcessID == 0: nothing is being debugged, chain straight to
 *     the original handler with the frame untouched.
 *   - otherwise save all general and segment registers, load the segment
 *     registers the C code expects, and call GeneralHandler(1, frame).
 *     A return value of 1 means the trap was consumed: restore the
 *     registers and IRETD without running the original handler.  Any
 *     other value restores the registers and chains to the original.
 *
 * DebuggedProcessID only enables the hook; the IDT is system wide, so
 * GeneralHandler is invoked for every vector-1 trap while a session is
 * open and is presumably responsible for filtering by process/address.
 */
_declspec( naked ) void interrupt1( void )
{
    __asm{
        cmp [DebuggedProcessID],0 //there's currently no debugging gong on so quit
        je Original
        // Save the interrupted context: 32 bytes of general registers plus
        // four 4-byte segment pushes = 48 bytes on top of the CPU frame.
        PUSHAD //32
        push ds //4
        push es //4
        push gs //4
        push fs //4
        // Reload the data segment registers before entering C code.
        // 0x23/0x30 are presumably the flat data and KPCR selectors used by
        // 32-bit Windows kernel entry code - verify against the GDT layout.
        mov ax,0x23
        mov ds,ax
        mov es,ax
        mov gs,ax
        mov ax,0x30
        mov fs,ax
        // esp+48 is where the CPU frame starts, i.e. the saved EIP
        // (GeneralHandler reads it as Stacklocation[0]).
        mov eax,esp
        add eax,48
        push eax //the location of the original stack
        PUSH 1 //int 1 identifier (vector number, first argument)
        // The two arguments are not popped after the call, so GeneralHandler
        // is presumably callee-cleans (stdcall) - confirm against its prototype.
        CALL GeneralHandler //call my regular int handler
        cmp eax,1 //if 1 then do no handle the original handler
        je Exit
        // Not ours: restore the context and chain to the original handler.
        pop fs
        pop gs
        pop es
        pop ds
        POPAD
Original:
        // The frame is exactly as the CPU left it, so the original handler
        // sees a normal entry (the cmp above only touched EFLAGS, which the
        // eventual IRETD restores from the frame).
        JMP [Int1Address]
Exit:
        // Trap consumed: restore the context and return to the interrupted
        // code without running the original handler.
        pop fs
        pop gs
        pop es
        pop ds
        POPAD
        IRETD
    };
}
/*
 * IDT hook for vector 3 (breakpoint, INT3).  Int3Address holds the handler
 * that was in the IDT before this hook was installed.
 *
 * Same shape as interrupt1: naked entry with the CPU frame at [esp] (no
 * error code), bail out to the original handler when nothing is being
 * debugged, otherwise save the context, fix up the segment registers and
 * ask GeneralHandler(3, frame) whether the breakpoint is ours.  The saved
 * EIP in the frame points one byte past the int3 opcode, which is why
 * GeneralHandler compares Stacklocation[0]-1 against DebuggedAddress.
 * Return value 1 = consumed (IRETD back), anything else = chain to the
 * original handler with the context restored.
 */
_declspec( naked ) void interrupt3( void )
{
    __asm{
        //iretd //return
        cmp [DebuggedProcessID],0 //there's currently no debugging gong on so quit
        je Original
        // Save the interrupted context: 32 + 4*4 = 48 bytes above the CPU frame.
        PUSHAD //32
        push ds //4
        push es //4
        push gs //4
        push fs //4
        // Reload the data segment registers before entering C code
        // (0x23/0x30 presumably the flat data and KPCR selectors - verify).
        mov ax,0x23
        mov ds,ax
        mov es,ax
        mov gs,ax
        mov ax,0x30
        mov fs,ax
        // esp+48 is the start of the CPU frame (saved EIP = Stacklocation[0]).
        mov eax,esp
        add eax,48
        push eax //the location of the original stack
        PUSH 3 //int 3 identifier
        // Arguments are not popped here; GeneralHandler is presumably stdcall.
        CALL GeneralHandler //call my regular int handler
        cmp eax,1 //if 1 then do no handle the original handler
        je Exit
        // Not ours: restore the context and chain to the original handler.
        pop fs
        pop gs
        pop es
        pop ds
        POPAD
Original:
        // Frame untouched; the original handler sees a normal entry.
        JMP [Int3Address]
Exit:
        // Breakpoint consumed: restore the context and return to the
        // interrupted code without running the original handler.
        pop fs
        pop gs
        pop es
        pop ds
        POPAD
        IRETD
    };
}
/*
 * IDT hook for vector 0xD1.  IntD1Address holds the handler that was in
 * the IDT before this hook was installed.
 *
 * Same shape as interrupt1/interrupt3, passing 0xD1 as the vector number
 * to GeneralHandler.  In the visible tail of GeneralHandler the 0xD1
 * branch is entirely commented out, so at present the call presumably does
 * nothing vector-specific and, unless result was set earlier, the original
 * handler is chained to.  What this vector is used for (the commented-out
 * code hints at re-installing the INT 1 hook) is not established here.
 */
_declspec( naked ) void interruptD1( void )
{
    __asm{
        //iretd //return
        cmp [DebuggedProcessID],0 //there's currently no debugging gong on so quit
        je Original
        // Save the interrupted context: 32 + 4*4 = 48 bytes above the CPU frame.
        PUSHAD //32
        push ds //4
        push es //4
        push gs //4
        push fs //4
        // Reload the data segment registers before entering C code
        // (0x23/0x30 presumably the flat data and KPCR selectors - verify).
        mov ax,0x23
        mov ds,ax
        mov es,ax
        mov gs,ax
        mov ax,0x30
        mov fs,ax
        // esp+48 is the start of the CPU frame (assumes vector 0xD1 pushes
        // no error code, like the other hooked vectors - confirm).
        mov eax,esp
        add eax,48
        push eax //the location of the original stack
        PUSH 0xD1 //int d1 identifier
        // Arguments are not popped here; GeneralHandler is presumably stdcall.
        CALL GeneralHandler //call my regular int handler
        cmp eax,1 //if 1 then do no handle the original handler
        je Exit
        // Not ours: restore the context and chain to the original handler.
        pop fs
        pop gs
        pop es
        pop ds
        POPAD
Original:
        // Frame untouched; the original handler sees a normal entry.
        JMP [IntD1Address]
Exit:
        // Consumed: restore the context and return to the interrupted code.
        pop fs
        pop gs
        pop es
        pop ds
        POPAD
        IRETD
    };
}
//int1 hook section
//The original int1 handler gets rewritten with a jmp to int1apihook, declared below.
//OriginalInt1handler receives the auto-assembled copy of the overwritten original bytes, followed by a jmp to the code just after that jmp in the original int1 handler.
/*
 * Trampoline for the hooked INT 1 handler.  The body is a 200-byte cave of
 * nops that is filled in at runtime (by code outside this chunk) with the
 * original handler's instructions that the hook's jmp overwrote, followed
 * by a jmp back into the original handler just after that point.  Control
 * arrives here only via the "Original" path of int1apihook.
 *
 * Whoever writes into the cave must keep the relocated code + jmp within
 * these 200 bytes; nothing here enforces that bound.  The patch also means
 * the driver's own code page has to be made writable at patch time, which
 * is worth verifying in the installer rather than assuming.
 */
_declspec( naked ) void OriginalInt1handler(void)
{
    __asm
    {
        // 200 x nop = 200 bytes of patchable space; do not add instructions here
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        // 50 bytes
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        // 100 bytes
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        // 150 bytes
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        // 200 bytes
    }
} //200 bytes should be enough for the original code+jmp back
/*
 * Entry point the original INT 1 handler is redirected to: its first bytes
 * are overwritten with a jmp here (see the comment block above).  Same
 * register save/restore shape as interrupt1, but the "chain to original"
 * path jumps to the OriginalInt1handler trampoline rather than through an
 * IDT-saved pointer.  The esp+48 arithmetic assumes the jmp sits at the
 * very start of the original handler, before it pushes anything, so the
 * CPU frame is still directly at [esp] on entry - confirm in the patcher.
 *
 * NOTE(review): the conditional `je Exit` is commented out and replaced by
 * an unconditional `jmp Exit`, so while DebuggedProcessID != 0 every INT 1
 * on the system is swallowed regardless of GeneralHandler's return value;
 * the `cmp eax,1` is dead and the pop/POPAD run before `Original:` is
 * unreachable.  The original handler then only ever runs when no debugging
 * is active.  Confirm this is intended; restoring `je Exit` would
 * reinstate the "not ours -> chain" path.
 */
_declspec( naked ) void int1apihook(void)
{
    //if 1 do not handle, else do handle
    __asm
    {
        cmp [DebuggedProcessID],0 //there's currently no debugging gong on so quit
        je Original
        // Save the interrupted context: 32 + 4*4 = 48 bytes above the CPU frame.
        PUSHAD //32
        push ds //4
        push es //4
        push gs //4
        push fs //4
        // Reload the data segment registers before entering C code
        // (0x23/0x30 presumably the flat data and KPCR selectors - verify).
        mov ax,0x23
        mov ds,ax
        mov es,ax
        mov gs,ax
        mov ax,0x30
        mov fs,ax
        // esp+48 is the start of the CPU frame (saved EIP = Stacklocation[0]).
        mov eax,esp
        add eax,48
        push eax //the location of the original stack
        PUSH 0x1 //int 1 identifier
        // Arguments are not popped here; GeneralHandler is presumably stdcall.
        CALL GeneralHandler //call my regular int handler
        cmp eax,1 //if 1 then do no handle the original handler
        ;je Exit
        // Unconditional: the comparison result above is never used.
        jmp Exit
        // Unreachable while the jmp above is unconditional.
        pop fs
        pop gs
        pop es
        pop ds
        POPAD
Original:
        //all back to the original state, so lets continue with the original call
        // Runs the relocated original bytes, then jumps back into the original handler.
        JMP OriginalInt1handler
Exit:
        //don't execute the original code and just exit. Restore all registers and return to the caller
        pop fs
        pop gs
        pop es
        pop ds
        POPAD
        IRETD
    };
}
#endif