or al, al
jz next_check
mov eax, CountOfCommand // increment CountOfCommand
inc eax // if some instruction was emulated
mov CountOfCommand, eax
cmp eax, NumberOfTracedCommand
jae bad_message
next_check:
cmp EipWhenPRET, -1 // if we do not need execute "P" command
je trace_next_command
mov eax, [esp + 0x2C]
cmp byte ptr [eax], 0xE8
je direct_call
cmp word ptr [eax], 0x15FF
jne trace_next_command
mov eax, [eax + 2]
push eax
call CheckAddressAndMakePageIn
mov eax, [eax]
jmp compare_eip
direct_call:
add eax, [eax + 1]
add eax, 5
compare_eip:
cmp eax, EipWhenPRET
jae make_p_command
trace_next_command:
// cmp Int0Installed, 1
// je int0_installed
// push 0x8E
// push offset Int00Handler
// push 0x0
// call SetInterruptHandler
// mov OldInt0, eax
// cli
// mov Int0Installed, 1
//
//int0_installed:
mov eax, dword ptr [esp + 0x2C]
mov dword ptr [PreLastEIPValue], eax
pop es
pop ds
pop fs
popad
mov esp, OldInterruptStack // restore original interrupt stack pointer
or dword ptr [esp + 8], 100h
iretd
make_p_command:
call ExecutePCommand
mov TracerCallBack, 0
pop es
pop ds
pop fs
popad
mov esp, OldInterruptStack // restore original interrupt stack pointer
and dword ptr [esp + 8], not 100h
jmp [OldInt1]
good_message:
inc CountOfCommand
push CountOfCommand
push offset szGood
call DbgPrint
add esp, 8
jmp stop_trace
bad_message:
push offset szBad
call DbgPrint
add esp, 4
stop_trace:
mov TracerCallBack, 0
mov CountOfCommand, 0
mov CR3ForOurProcess, 0
mov NumberOfTracedCommand, 0
mov EipWhenPRET, -1
pop es
pop ds
pop fs
popad
mov esp, OldInterruptStack // restore original interrupt stack pointer
do_not_trace:
pushad
call bpr_ActivateAll
or eax, eax
jz normal_exit
mov eax, si_TraceFlag // in trace mode
cmp byte ptr [eax], 0
jne normal_exit
popad
and dword ptr [esp + 8], not 100h // turn TF flag off
iretd // do not pass control to the system handler
normal_exit:
popad
jmp cs:[OldInt1]
}
}
///////////////////////////////////////////////////////////////////////
//
// Int 06 handler
//
///////////////////////////////////////////////////////////////////////
void __declspec(naked) Int06Handler(void)
{
// INT 06 (#UD, invalid opcode) hook. When the tracer is active
// (TracerCallBack != 0) it logs the EIP from the interrupt frame with
// DbgPrint and then chains to the original vector; when inactive it chains
// immediately. Naked: no compiler prologue/epilogue, so every register the
// body touches is saved and restored by hand.
__asm
{
// Read TracerCallBack through CS: DS at interrupt entry still belongs to
// the interrupted code (possibly a ring-3 selector) and is not trusted.
cmp cs:[TracerCallBack], 0
je next_handler
// Save everything the selector loads and the DbgPrint call may clobber.
pushad
push fs
push ds
push es
// Load ring-0 selectors so data references resolve in kernel context:
// 30h = KGDT_R0_PCR for fs, 23h = KGDT_R3_DATA (flat data) for ds/es,
// the same values the other handlers in this file use.
mov eax, 30h
mov fs, ax
mov eax, 23h
mov ds, ax
mov es, ax
// Frame layout here: pushad (32 bytes) + fs/ds/es (3 * 4 bytes) = 0x2C,
// so [esp + 0x2C] is the first dword the CPU pushed. #UD pushes no error
// code, so that dword is the EIP of the invalid instruction.
push dword ptr [esp + 0x2C]
push offset szInvalidInst
call DbgPrint // cdecl: caller removes the two arguments
add esp, 8
pop es
pop ds
pop fs
popad
next_handler:
// Tail-jump to the saved original INT 06 vector, again via CS because DS
// is not set up on the inactive path.
jmp cs:[OldInt6]
}
}
///////////////////////////////////////////////////////////////////////
//
// Int 0D handler
//
///////////////////////////////////////////////////////////////////////
void __declspec(naked) Int0DHandler(void)
{
// INT 0D (#GP, general protection fault) hook. When the tracer is active
// (TracerCallBack != 0) it logs the EIP from the interrupt frame with
// DbgPrint and then chains to the original vector; when inactive it chains
// immediately. Naked: no compiler prologue/epilogue, so every register the
// body touches is saved and restored by hand.
__asm
{
// Read TracerCallBack through CS: DS at interrupt entry still belongs to
// the interrupted code (possibly a ring-3 selector) and is not trusted.
cmp cs:[TracerCallBack], 0
je next_handler
// Save everything the selector loads and the DbgPrint call may clobber.
pushad
push fs
push ds
push es
// Load ring-0 selectors so data references resolve in kernel context:
// 30h = KGDT_R0_PCR for fs, 23h = KGDT_R3_DATA (flat data) for ds/es.
mov eax, 30h
mov fs, ax
mov eax, 23h
mov ds, ax
mov es, ax
// Frame layout here: pushad (32 bytes) + fs/ds/es (3 * 4 bytes) = 0x2C.
// Unlike #UD/#MF, #GP pushes an error code first, so [esp + 0x2C] is the
// error code and [esp + 0x30] is the faulting EIP -- hence the different
// offset from the other handlers.
push dword ptr [esp + 0x30]
push offset szException
call DbgPrint // cdecl: caller removes the two arguments
add esp, 8
pop es
pop ds
pop fs
popad
next_handler:
// Tail-jump to the saved original INT 0D vector (via CS, DS not trusted);
// the error code stays on the stack for the original handler to consume.
jmp cs:[OldIntD]
}
}
///////////////////////////////////////////////////////////////////////
//
// Int 10 handler
//
///////////////////////////////////////////////////////////////////////
void __declspec(naked) Int10Handler(void)
{
// INT 10 (#MF, x87 floating-point error) hook. When the tracer is active
// (TracerCallBack != 0) it logs the EIP from the interrupt frame with
// DbgPrint and then chains to the original vector; when inactive it chains
// immediately. Naked: no compiler prologue/epilogue, so every register the
// body touches is saved and restored by hand.
__asm
{
// Read TracerCallBack through CS: DS at interrupt entry still belongs to
// the interrupted code (possibly a ring-3 selector) and is not trusted.
cmp cs:[TracerCallBack], 0
je next_handler
// Save everything the selector loads and the DbgPrint call may clobber.
pushad
push fs
push ds
push es
// Load ring-0 selectors so data references resolve in kernel context:
// 30h = KGDT_R0_PCR for fs, 23h = KGDT_R3_DATA (flat data) for ds/es.
mov eax, 30h
mov fs, ax
mov eax, 23h
mov ds, ax
mov es, ax
// Frame layout here: pushad (32 bytes) + fs/ds/es (3 * 4 bytes) = 0x2C,
// so [esp + 0x2C] is the first dword the CPU pushed. #MF pushes no error
// code, so that dword is the EIP recorded in the frame (for #MF this is
// the instruction at which the pending FPU exception was delivered).
push dword ptr [esp + 0x2C]
push offset szFPUInst
call DbgPrint // cdecl: caller removes the two arguments
add esp, 8
pop es
pop ds
pop fs
popad
next_handler:
// Tail-jump to the saved original INT 10 vector, again via CS because DS
// is not set up on the inactive path.
jmp cs:[OldInt10]
}
}
///////////////////////////////////////////////////////////////////////
//
// InitTracer
//
// Hooks INT 01 and prepares the other state the tracer needs.
//
///////////////////////////////////////////////////////////////////////
NTSTATUS InitTracer()
{
//-----------------------------------------------------------------------
// Install tracer's handlers
//-----------------------------------------------------------------------
// Replace the INT 01 (debug / single-step trap) IDT entry with Int01Handler
// and remember the previous vector in OldInt1 so DoneTracer can put it
// back. 0x8E is presumably the gate attribute byte (present, DPL 0, 32-bit
// interrupt gate) -- the same value the commented-out INT 00 install in
// the INT 01 handler pushes.
// NOTE(review): the value returned by SetInterruptHandler is stored and
// printed but not checked; only DoneTracer's "if (OldInt1)" treats zero as
// "nothing to restore". Confirm that zero is really the failure indication
// before relying on it here.
OldInt1 = SetInterruptHandler(0x01, Int01Handler, 0x8E);
DbgPrint("OldINT 0x1: %08X\n", OldInt1);
// The INT 06 / 0D / 10 hooks are not installed yet; their handlers exist
// above but DoneTracer has matching restore code commented out as well.
//OldInt6 = SetInterruptHandler(0x06, Int06Handler, 0x8E);
//DbgPrint("OldINT 0x6: %08X\n", OldInt6);
//OldIntD = SetInterruptHandler(0x0D, Int0DHandler, 0x8E);
//DbgPrint("OldINT 0xD: %08X\n", OldIntD);
//OldInt10 = SetInterruptHandler(0x10, Int10Handler, 0x8E);
//DbgPrint("OldINT 0x10: %08X\n", OldInt10);
// Always reports success, regardless of the hook result above.
return STATUS_SUCCESS;
}
///////////////////////////////////////////////////////////////////////
//
// TracerDone
//
// Unhooks INT 01.
//
///////////////////////////////////////////////////////////////////////
void DoneTracer()
{
// Restore the INT 00 vector only while our own handler is still the one
// installed and a previous vector was recorded; any other state leaves the
// IDT entry untouched. GetInterruptHandler is queried first, exactly as
// before, so the lookup happens even when OldInt0 is zero.
if (GetInterruptHandler(0x0) == &Int00Handler)
{
if (OldInt0 != 0)
{
SetInterruptHandler(0x00, OldInt0);
OldInt0 = 0;
}
}
// INT 01 is restored as soon as a previous vector is known. Note that,
// unlike the INT 00 path, there is no check that Int01Handler is still the
// installed handler before the old vector is written back.
if (OldInt1 != 0)
{
SetInterruptHandler(0x01, OldInt1);
OldInt1 = 0;
}
// INT 06 / 0D / 10 are not installed by InitTracer at present (their
// install lines are commented out), so there is nothing to restore here.
}
///////////////////////////////////////////////////////////////////////
//
// function CheckAddressAndMakePageIn - make "PAGEIN"
//
// this version of the function uses a different stack area, which is
// switched in at the beginning of the INT 1 handler
//
///////////////////////////////////////////////////////////////////////
__declspec(naked) void* CheckAddressAndMakePageIn(void *address)
{
UNREFERENCED_PARAMETER(address);
static int saved_user_bytes = 0;
static int saved_esp_end = 0;
__asm
{
pushad
push fs
push ds
push es
push gs
cmp dword ptr [esp + 0x34], 0x1000
jb bad_pointer
cmp dword ptr [esp + 0x34], NT_HIGHEST_USER_ADDRESS
jb make_page_in
mov eax, dword ptr [esp + 0x34] //check pde
mov ebx, eax
push eax
call GetPde
mov eax, dword ptr [eax]
test al, 1
jz bad_pointer
push ebx //check pte
call GetPte
mov eax, dword ptr [eax]
test al, 1
jnz page_in_memory
// here need to make PAGEIN for page in range > NT_HIGHEST_USER_ADDRESS
// not support yet...
bad_pointer:
pop gs
pop es
pop ds
pop fs
popad
xor eax, eax
ret 4
make_page_in:
mov eax, dword ptr [esp + 0x34] //get [address] parameter
mov ebx, eax
push eax //check pde
call GetPde
mov eax, dword ptr [eax]
test al, 1
jz bad_pointer
push ebx //check pte
call GetPte
mov eax, dword ptr [eax]
test al, 1
jnz page_in_memory
mov eax, OldInterruptStack //if the current code is ring0