📄 dbkfunc.c
字号:
//#include "C:\WINDDK\3790\inc\ifs\w2k\ntifs.h"
#include "DBKFunc.h"
#ifndef AMD64
void interrupt3( void );
void interruptD1( void );
#endif
ULONG Int1Address;
ULONG Int3Address;
ULONG IntD1Address;
INT_VECTOR NewInt1;
INT_VECTOR NewIntD1;
ULONG getCR4(void)
{
#ifndef AMD64
ULONG cr4reg=0;
__try
{
__asm
{
__emit 0x0f //-|
__emit 0x20 //-|-mov eax,cr4
__emit 0xe0 //-|
mov cr4reg,eax
}
}
__except(1)
{
//DbgPrint("Error getting CR4\n");
}
return cr4reg;
#else
return 0;
#endif
}
void StopDebugging(void)
{
DebuggedProcessID=0;
ChangeRegs[0].Active=FALSE;
ChangeRegs[1].Active=FALSE;
ChangeRegs[2].Active=FALSE;
ChangeRegs[3].Active=FALSE;
ChangeRegistersOnBP=FALSE;
//DbgPrint("Stopped the debugger\n");
//the int hooks can stay, they don't hurt anyhow
}
void StopChangeRegOnBP(int DebugRegNR)
{
int i;
//DbgPrint("DBKKERNEL:StopChangeRegOnBP %d\n",DebugRegNR);
ChangeRegs[DebugRegNR].Active=FALSE;
ChangeRegs[DebugRegNR].BreakAddress=0;
for(i=0; i<4; i++)
{
if (ChangeRegs[DebugRegNR].Active)
{
ChangeRegistersOnBP=TRUE;
//DbgPrint("Still one debugreg active, so keep changing others\n" );
return;
}
}
ChangeRegistersOnBP=FALSE;
}
BOOLEAN ChangeRegOnBP(DWORD ProcessID, int DebugRegNR, PChangeReg CR)
{
//This gets called just before the usermode app sets the debugreg
//CR->Active ignored in this case, becomes true
//DbgPrint("Going to enable the debugger to set a change reg breakpoint on ProcessID %d(%x) for debugreg %d",ProcessID,ProcessID,DebugRegNR);
CR->Active=TRUE;
ChangeRegs[DebugRegNR]=*CR;
ChangeRegs[DebugRegNR].Active=TRUE;
DebuggedProcessID=ProcessID;
ChangeRegistersOnBP=TRUE;
return TRUE; //always
}
BOOLEAN DebugProcess(DWORD ProcessID, DWORD Address, BYTE Length, BYTE RWE)
{
//DbgPrint("Going to debug a process for 1 process+debug address\nProcessID=%d (%x)\n",ProcessID,ProcessID);
//EventsMissed=0;
DebuggedProcessID=ProcessID;
DebuggedAddress=Address;
DebuggedAddressLength=Length;
DebuggedAddressRWE=RWE;
//DbgPrint("DebuggedAddress=%x\n",DebuggedAddress);
/*
setting the debug registers in the context will be done from usermode (unless I figure out how to call
NtSetContextThread which doesn't seem to be in ntos so requires user32.sys which is fucking buggy to use
but, the threadid's can be retrieved using a toolhelpsnapshot, (or a notify routine for created threads)
and can be opened using OpenThread (win2k+ but I dont give a shit about that...)
*/
//DbgPrint("Still here so I gues it works!\n");
return TRUE;
}
void GetTR(PIDT pIdt) //pidt since it's the same type of structure
{
//I should do this for each logical processor
#ifndef AMD64
__asm
{
MOV EAX, [pIdt]
STR [EAX]
}
#endif;
}
void GetIDT(PIDT pIdt)
{
//I should do this for each logical processor
#ifndef AMD64
__asm
{
MOV EAX, [pIdt]
SIDT [EAX]
}
#endif;
}
void SetIDT(PIDT pIdt)
{
__asm
{
MOV EAX, [pIdt]
LIDT [EAX]
}
}
BOOLEAN HookInt1(void)
{
#ifndef AMD64
IDT idt;
//DbgPrint("Going to hook int1\n");
GetIDT(&idt);
__try
{
if (OriginalInt1.wHighOffset==0)
{
//DbgPrint("New hook, so storing the original Int1Handler\n");
OriginalInt1=idt.vector[1];
NewInt1=idt.vector[1];
NewIntD1=idt.vector[0xd1];
Int1Address=idt.vector[1].wLowOffset+(idt.vector[1].wHighOffset << 16); //save the original address of the int3 handler
NewInt1.wLowOffset=(WORD)AddressOfInterrupt1Handler;
NewInt1.wHighOffset=(WORD)((DWORD)AddressOfInterrupt1Handler >> 16);
IntD1Address=idt.vector[0xd1].wLowOffset+(idt.vector[0xd1].wHighOffset << 16); //save the original address of the int3 handler
NewIntD1.wLowOffset=(WORD)&interruptD1;
NewIntD1.wHighOffset=(WORD)((DWORD)&interruptD1 >> 16);
__asm
{
cli
}
idt.vector[0xd1]=NewIntD1;
__asm
{
sti
}
}
//now overwrite the vector so it points to my handler
//DbgPrint("Changing the vector to point to my handler\n");
__asm
{
PUSHFD //no idea why, I doubt it's usefull, but let's use it too....
CLI
}
idt.vector[1]=NewInt1;
__asm
{
STI
POPFD
}
return TRUE;
}
__except(1)
{
//DbgPrint("Exception while hooking int1\n");
return FALSE;
}
#else
return FALSE;
#endif
}
BOOLEAN HookInt3(void)
{
#ifndef AMD64
IDT idt;
//DbgPrint("Going to hook int3\n");
GetIDT(&idt);
__try
{
OriginalInt3=idt.vector[3];
Int3Address=idt.vector[3].wLowOffset+(idt.vector[3].wHighOffset << 16); //save the original address of the int3 handler
//now overwrite the vector so it points to my handler
__asm
{
PUSHFD //no idea why, I doubt it's usefull, but let's use it too....
CLI
}
idt.vector[3].wLowOffset=(WORD)&interrupt3;
idt.vector[3].wHighOffset=(WORD)((DWORD)&interrupt3 >> 16);
__asm
{
STI
POPFD
}
//DbgPrint("Hooking int3 was successful\n");
return TRUE;
}
__except(1)
{
//DbgPrint("Exception while hooking int3\n");
return FALSE;
}
#else
return FALSE;
#endif
}
ULONG r1,r2;
ULONG __stdcall GeneralHandler(IN ULONG iInt,IN PULONG Stacklocation )
{
#ifndef AMD64
/* //check the current priviledge level
DbgPrint("Welcome to my int handler. (I need to find out how this instruction gets me in ring0)\n");
DbgPrint("Processid=%d (%x)\n",PsGetCurrentProcessId(),PsGetCurrentProcessId());
*/
ULONG result=2; //by default dont handle the interrupt
if (iInt==1)
//DbgPrint("int1 by %d ( %d )",PsGetCurrentProcessId(),PsGetCurrentThreadId());
if ((ULONG)PsGetCurrentProcessId()==DebuggedProcessID)
{
//this is inside my debugged process
if (iInt==1)
{
ULONG DR_0,DR_1,DR_2,DR_3;
DebugReg6 DR_6;
DebugReg7 DR_7;
__asm{
mov eax,dr0
mov DR_0,eax
mov eax,dr1
mov DR_1,eax
mov eax,dr2
mov DR_2,eax
mov eax,dr3
mov DR_3,eax
mov eax,dr6
mov DR_6,eax
mov eax,dr7
mov DR_7,eax
};
/*
DbgPrint("Hello from int1\n");
DbgPrint("eax=%x\n",Stacklocation[-1]);
DbgPrint("ebx=%x\n",Stacklocation[-4]);
DbgPrint("ecx=%x\n",Stacklocation[-2]);
DbgPrint("edx=%x\n",Stacklocation[-3]);
DbgPrint("esi=%x\n",Stacklocation[-7]);
DbgPrint("edi=%x\n",Stacklocation[-8]);
DbgPrint("ebp=%x\n",Stacklocation[-6]);
DbgPrint("esp=%x\n",Stacklocation[3]);
DbgPrint("eip=%x\n",Stacklocation[0]); //it was a break
DbgPrint("DR0=%x\n",DR_0);
DbgPrint("DR1=%x\n",DR_1);
DbgPrint("DR2=%x\n",DR_2);
DbgPrint("DR3=%x\n",DR_3);
DbgPrint("DR6=%x\n",DR_6);
DbgPrint("DR7=%x\n",DR_7);
DbgPrint("DR_7.L3=%d\nDR_6.B3=%d\nDR_3=%x\n",DR_7.L3,DR_6.B3,DR_3);
DbgPrint("-3=%x\n",Stacklocation[-3]);
DbgPrint("-2=%x\n",Stacklocation[-2]);
DbgPrint("-1=%x\n",Stacklocation[-1]);
DbgPrint("0=%x\n",Stacklocation[0]);
DbgPrint("1=%x\n",Stacklocation[1]);
DbgPrint("2=%x\n",Stacklocation[2]);
DbgPrint("3=%x\n",Stacklocation[3]);
DbgPrint("4=%x\n",Stacklocation[4]);
DbgPrint("5=%x\n",Stacklocation[5]);
DbgPrint("6=%x\n",Stacklocation[6]);
DbgPrint("7=%x\n",Stacklocation[7]);
DbgPrint("8=%x\n",Stacklocation[8]);
DbgPrint("9=%x\n",Stacklocation[9]);
DbgPrint("10=%x\n",Stacklocation[10]);
DbgPrint("11=%x\n",Stacklocation[11]);
DbgPrint("12=%x\n",Stacklocation[12]);*/
if (ChangeRegistersOnBP)
{
int i;
//see if the breakpoint occurred on one of the
for (i=0;i<4;i++)
{
if (ChangeRegs[i].Active)
{
if (
((DR_7.L0) && (DR_6.B0) && (DR_0==ChangeRegs[i].BreakAddress) ) ||
((DR_7.L1) && (DR_6.B1) && (DR_1==ChangeRegs[i].BreakAddress) ) ||
((DR_7.L2) && (DR_6.B2) && (DR_2==ChangeRegs[i].BreakAddress) ) ||
((DR_7.L3) && (DR_6.B3) && (DR_3==ChangeRegs[i].BreakAddress) )
)
{
//if (ChangeRegs[i].changeAF)
PEFLAGS x;
PULONG xx;
x=(PEFLAGS)(&Stacklocation[2]);
xx=(PULONG)Stacklocation[3];
/*
DbgPrint("This is one caused by me. Changing the registers\n");
DbgPrint("2=%x\n",Stacklocation[2]);
DbgPrint("eax=%x\n",Stacklocation[-1]);
DbgPrint("ebx=%x\n",Stacklocation[-4]);
DbgPrint("ecx=%x\n",Stacklocation[-2]);
DbgPrint("edx=%x\n",Stacklocation[-3]);
DbgPrint("esi=%x\n",Stacklocation[-7]);
DbgPrint("edi=%x\n",Stacklocation[-8]);
DbgPrint("ebp=%x\n",Stacklocation[-6]);
DbgPrint("esp=%x\n",Stacklocation[3]);
DbgPrint("[esp]=%x\n",*xx);
DbgPrint("EIP=%x\n",Stacklocation[0]);
DbgPrint("PEFLAGS=%p\nEFLAGS=%x\n",x,*x);
DbgPrint("------\n");
DbgPrint("DR_7.L0=%d\n",DR_7.L0);
DbgPrint("DR_7.L1=%d\n",DR_7.L1);
DbgPrint("DR_7.L2=%d\n",DR_7.L2);
DbgPrint("DR_7.L3=%d\n",DR_7.L3);
DbgPrint("DR_6.B0=%d\n",DR_6.B0);
DbgPrint("DR_6.B1=%d\n",DR_6.B1);
DbgPrint("DR_6.B2=%d\n",DR_6.B2);
DbgPrint("DR_6.B3=%d\n",DR_6.B3);
DbgPrint("BP number = %d",i);
*/
if (ChangeRegs[i].changeAF) {
//DbgPrint("Changing AF from %d to %d",x->AF,ChangeRegs[i].newAF);
x->AF=ChangeRegs[i].newAF; }
if (ChangeRegs[i].changeCF) {
//DbgPrint("Changing CF from %d to %d",x->CF,ChangeRegs[i].newCF);
x->CF=ChangeRegs[i].newCF; }
if (ChangeRegs[i].changeOF) {
//DbgPrint("Changing OF from %d to %d",x->OF,ChangeRegs[i].newOF);
x->OF=ChangeRegs[i].newOF; }
if (ChangeRegs[i].changePF) {
//DbgPrint("Changing PF from %d to %d",x->PF,ChangeRegs[i].newPF);
x->PF=ChangeRegs[i].newPF; }
if (ChangeRegs[i].changeSF) {
//DbgPrint("Changing SF from %d to %d",x->SF,ChangeRegs[i].newSF);
x->SF=ChangeRegs[i].newSF; }
if (ChangeRegs[i].changeZF) {
//DbgPrint("Changing ZF from %d to %d",x->ZF,ChangeRegs[i].newZF);
x->ZF=ChangeRegs[i].newZF; }
if (ChangeRegs[i].changeEAX) {
//DbgPrint("Changing EAX from %x to %x",Stacklocation[-1],ChangeRegs[i].newEAX);
Stacklocation[-1]=ChangeRegs[i].newEAX; }
if (ChangeRegs[i].changeEBX) {
//DbgPrint("Changing EBX from %x to %x",Stacklocation[-4],ChangeRegs[i].newEBX);
Stacklocation[-4]=ChangeRegs[i].newEBX; }
if (ChangeRegs[i].changeECX) {
//DbgPrint("Changing ECX from %x to %x",Stacklocation[-2],ChangeRegs[i].newECX);
Stacklocation[-2]=ChangeRegs[i].newECX; }
if (ChangeRegs[i].changeEDX) {
//DbgPrint("Changing EDX from %x to %x",Stacklocation[-3],ChangeRegs[i].newEDX);
Stacklocation[-3]=ChangeRegs[i].newEDX; }
if (ChangeRegs[i].changeESI) {
//DbgPrint("Changing ESI from %x to %x",Stacklocation[-7],ChangeRegs[i].newESI);
Stacklocation[-7]=ChangeRegs[i].newESI; }
if (ChangeRegs[i].changeEDI) {
//DbgPrint("Changing EDI from %x to %x",Stacklocation[-8],ChangeRegs[i].newEDI);
Stacklocation[-8]=ChangeRegs[i].newEDI; }
if (ChangeRegs[i].changeEBP) {
//DbgPrint("Changing EBP from %x to %x",Stacklocation[-6],ChangeRegs[i].newEBP);
Stacklocation[-6]=ChangeRegs[i].newEBP; }
if (ChangeRegs[i].changeESP) {
//DbgPrint("Changing ESP from %x to %x",Stacklocation[3],ChangeRegs[i].newESP);
Stacklocation[3]=ChangeRegs[i].newESP; }
if (ChangeRegs[i].changeEIP) {
//DbgPrint("Changing EIP from %x to %x",Stacklocation[0],ChangeRegs[i].newEIP);
Stacklocation[0]=ChangeRegs[i].newEIP; }
//DbgPrint("Setting the resume flag and continue\n");
x->RF=1; //resume flag
//x->TF=1;
//reset bp
switch (i)
{
case 0:
DR_6.B0=0;
break;
case 1:
DR_6.B1=0;
break;
case 2:
DR_6.B2=0;
break;
case 3:
DR_6.B3=0;
}
__asm
{
mov eax,DR_6
mov dr6,eax
}
return 1;
}
}
}
}
if (
((DR_7.L0) && (DR_6.B0) && (DR_0>=DebuggedAddress) && (DR_0<=DebuggedAddress+DebuggedAddressLength)) ||
((DR_7.L1) && (DR_6.B1) && (DR_1>=DebuggedAddress) && (DR_1<=DebuggedAddress+DebuggedAddressLength)) ||
((DR_7.L2) && (DR_6.B2) && (DR_2>=DebuggedAddress) && (DR_2<=DebuggedAddress+DebuggedAddressLength)) ||
((DR_7.L3) && (DR_6.B3) && (DR_3>=DebuggedAddress) && (DR_3<=DebuggedAddress+DebuggedAddressLength))
)
{
//DbgPrint("I'm going to handle this! The OS won't know what happened!\n");
result=1;
DR_6.B0=0;
DR_6.B1=0;
DR_6.B2=0;
DR_6.B3=0;
__asm
{
mov eax,DR_6
mov dr6,eax
}
if (BufferSize<50)
{
int spot;
spot=BufferSize;
BufferSize++;
DebugEvents[spot].EAX=Stacklocation[-1];
DebugEvents[spot].EBX=Stacklocation[-4];
DebugEvents[spot].ECX=Stacklocation[-2];
DebugEvents[spot].EDX=Stacklocation[-3];
DebugEvents[spot].ESI=Stacklocation[-7];
DebugEvents[spot].EDI=Stacklocation[-8];
DebugEvents[spot].EBP=Stacklocation[-6];
DebugEvents[spot].ESP=Stacklocation[3];
DebugEvents[spot].EIP=Stacklocation[0];
}
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -