}
else
{
//DbgPrint("It was a debug event, but not one that I expected. I'll just let it go through\n");
}
//reset the GD flag of DR7 on exit (GD is a detection of the DebugRegs being modified
if (DR_6.BS)
{
//single step
//if the previous instruction was a debugreg access then save the current debugregs values to ownprocessdebugregs (in case is was a write access)
//then put my own debugregs back
}
if (DR_6.BD)
{
//the debugregs got accesses
//save the current debugregs
//set the ownprocessdebugregs back to the debugregs
//do a single step (set the step flag in eflags
//set the debugregs back to what the program put them to
//DbgPrint("The debugregs got accessed\n");
}
}
else
if (iInt==3) //duh... what else could it be.....
{
//gues what!!! Handle int 3
/*DbgPrint("Hello from int3\n");
DbgPrint("eax=%x\n",Stacklocation[-2]);
DbgPrint("ebx=%x\n",Stacklocation[-5]);
DbgPrint("ecx=%x\n",Stacklocation[-3]);
DbgPrint("edx=%x\n",Stacklocation[-4]);
DbgPrint("esi=%x\n",Stacklocation[-8]);
DbgPrint("edi=%x\n",Stacklocation[-9]);
DbgPrint("ebp=%x\n",Stacklocation[-7]);
DbgPrint("esp=%x\n",Stacklocation[3]);
DbgPrint("eip=%x\n",Stacklocation[0]-1); //it was a break
DbgPrint("0=%x\n",Stacklocation[0]);
DbgPrint("1=%x\n",Stacklocation[1]);
DbgPrint("2=%x\n",Stacklocation[2]);
DbgPrint("3=%x\n",Stacklocation[3]);
DbgPrint("4=%x\n",Stacklocation[4]);
DbgPrint("5=%x\n",Stacklocation[5]);
DbgPrint("6=%x\n",Stacklocation[6]);
DbgPrint("7=%x\n",Stacklocation[7]);
DbgPrint("8=%x\n",Stacklocation[8]);
DbgPrint("9=%x\n",Stacklocation[9]);
DbgPrint("10=%x\n",Stacklocation[10]);
DbgPrint("11=%x\n",Stacklocation[11]);
DbgPrint("12=%x\n",Stacklocation[12]);*/
//DbgPrint("Result=1\n");
if ((Stacklocation[0]-1)==DebuggedAddress)
{
result=1;
//KeGetCurrentThread()->KernelApcDisable -= 1;
//handle my code here. Not implemented right now, but might be usefull if I add debugging of code
}
}
}
if (iInt==0xd1)
{
/*int i;
for (i=0; i<32;i++)
if (IDTAddresses[i]!=0)
{
if (((PINT_VECTOR)(IDTAddresses[i]))[1].wHighOffset!=NewInt1.wHighOffset)
{
//rehook (in front of the current hook)
Int1Address=((PINT_VECTOR)(IDTAddresses[i]))[1].wLowOffset+(((PINT_VECTOR)(IDTAddresses[i]))[1].wHighOffset << 16); //save the original address of the int3 handler
NewInt1.wLowOffset=(WORD)&interrupt1;
NewInt1.wHighOffset=(WORD)((DWORD)&interrupt1 >> 16);
((PINT_VECTOR)(IDTAddresses[i]))[1]=NewInt1;
}
} */
}
return result;
#else
return 0;
#endif
}
#ifndef AMD64
/*
 * interrupt1 - naked trampoline installed as the IDT entry for int 1
 * (debug exception).
 *
 * When no process is being debugged (DebuggedProcessID == 0) control goes
 * straight to the saved original handler at [Int1Address]. Otherwise the
 * interrupted register state is saved, GeneralHandler(1, Stacklocation) is
 * called, and its result decides the outcome: 1 means the exception is
 * consumed here (registers restored, IRETD); anything else restores the
 * registers and falls through to the original handler.
 *
 * Stacklocation is esp+48 after the saves below: PUSHAD (32 bytes) plus the
 * four segment pushes (4 bytes each) sit on top of the CPU-pushed trap frame,
 * so Stacklocation[0] is the interrupted EIP (GeneralHandler's tail indexes
 * the frame that way).
 *
 * NOTE(review): the two pushed arguments are not popped after the CALL, so
 * this relies on GeneralHandler using a callee-cleanup convention (stdcall);
 * its declaration is not in this chunk -- confirm.
 * NOTE(review): nothing here checks the interrupted CPL or current process;
 * whether GeneralHandler compares the caller against DebuggedProcessID is
 * not visible in this chunk.
 */
_declspec( naked ) void interrupt1( void )
{
    __asm{
        nop
        cmp [DebuggedProcessID],0 //no debug session active: hand the exception to the original handler untouched
        nop
        je Original
        nop
        PUSHAD //32 bytes: eax..edi of the interrupted context
        push ds //4
        push es //4
        push gs //4
        push fs //4
        mov ax,0x23 //selector 0x23 for ds/es/gs (on 32-bit Windows conventionally the user data selector - confirm against the target GDT)
        mov ds,ax
        mov es,ax
        mov gs,ax
        mov ax,0x30 //selector 0x30 for fs (conventionally the kernel PCR selector - confirm)
        mov fs,ax
        mov eax,esp
        add eax,48 //skip the 32+16 bytes pushed above: eax now points at the trap frame
        push eax //second argument: the location of the original stack (Stacklocation)
        PUSH 1 //first argument: interrupt number (arguments pushed right to left)
        CALL GeneralHandler //call the shared C handler; return value in eax
        cmp eax,1 //1 = handled here, do not run the original handler
        je Exit
        pop fs
        pop gs
        pop es
        pop ds
        POPAD
    Original:
        JMP [Int1Address] //chain to the saved original int 1 handler
    Exit:
        pop fs
        pop gs
        pop es
        pop ds
        POPAD
        IRETD //exception consumed; return to the interrupted context
    };
}
/*
 * interrupt3 - naked trampoline installed as the IDT entry for int 3
 * (breakpoint). Same structure as interrupt1: bypass when
 * DebuggedProcessID == 0, otherwise save state, call
 * GeneralHandler(3, Stacklocation) and either consume the breakpoint
 * (result 1 -> IRETD) or restore state and chain to [Int3Address].
 *
 * GeneralHandler's int 3 path (above) compares Stacklocation[0]-1, i.e. the
 * address of the int 3 opcode, against DebuggedAddress.
 *
 * NOTE(review): as in interrupt1, the pushed arguments are not popped after
 * the CALL, so a callee-cleanup (stdcall) GeneralHandler is assumed; the
 * declaration is not in this chunk -- confirm.
 */
_declspec( naked ) void interrupt3( void )
{
    __asm{
        //iretd //return
        cmp [DebuggedProcessID],0 //no debug session active: pass the breakpoint to the original handler
        je Original
        PUSHAD //32 bytes
        push ds //4
        push es //4
        push gs //4
        push fs //4
        mov ax,0x23 //ds/es/gs selector (conventionally the user data selector on 32-bit Windows - confirm)
        mov ds,ax
        mov es,ax
        mov gs,ax
        mov ax,0x30 //fs selector (conventionally the kernel PCR - confirm)
        mov fs,ax
        mov eax,esp
        add eax,48 //32 (PUSHAD) + 16 (segment registers): eax -> trap frame
        push eax //second argument: the location of the original stack
        PUSH 3 //first argument: int 3 identifier
        CALL GeneralHandler //shared C handler; result in eax
        cmp eax,1 //1 = handled here, skip the original handler
        je Exit
        pop fs
        pop gs
        pop es
        pop ds
        POPAD
    Original:
        JMP [Int3Address] //chain to the saved original int 3 handler
    Exit:
        pop fs
        pop gs
        pop es
        pop ds
        POPAD
        IRETD //breakpoint consumed
    };
}
/*
 * interruptD1 - naked trampoline installed as the IDT entry for vector 0xD1.
 * Same structure as interrupt1/interrupt3: bypass when DebuggedProcessID == 0,
 * otherwise save state, call GeneralHandler(0xD1, Stacklocation) and either
 * consume the interrupt (result 1 -> IRETD) or restore state and chain to
 * [IntD1Address].
 *
 * In GeneralHandler's tail above, the iInt == 0xd1 branch is entirely
 * commented out (an IDT re-hook loop), so this vector currently has no
 * effect beyond the round-trip through the handler.
 *
 * NOTE(review): the pushed arguments are not popped after the CALL, so a
 * callee-cleanup (stdcall) GeneralHandler is assumed; declaration not in
 * this chunk -- confirm.
 */
_declspec( naked ) void interruptD1( void )
{
    __asm{
        //iretd //return
        cmp [DebuggedProcessID],0 //no debug session active: pass the interrupt to the original handler
        je Original
        PUSHAD //32 bytes
        push ds //4
        push es //4
        push gs //4
        push fs //4
        mov ax,0x23 //ds/es/gs selector (conventionally the user data selector on 32-bit Windows - confirm)
        mov ds,ax
        mov es,ax
        mov gs,ax
        mov ax,0x30 //fs selector (conventionally the kernel PCR - confirm)
        mov fs,ax
        mov eax,esp
        add eax,48 //32 (PUSHAD) + 16 (segment registers): eax -> trap frame
        push eax //second argument: the location of the original stack
        PUSH 0xD1 //first argument: int 0xD1 identifier
        CALL GeneralHandler //shared C handler; result in eax
        cmp eax,1 //1 = handled here, skip the original handler
        je Exit
        pop fs
        pop gs
        pop es
        pop ds
        POPAD
    Original:
        JMP [IntD1Address] //chain to the saved original 0xD1 handler
    Exit:
        pop fs
        pop gs
        pop es
        pop ds
        POPAD
        IRETD //interrupt consumed
    };
}
//int1 hook section
//The first bytes of the original int1 handler are overwritten with a jmp to int1apihook, declared below.
//OriginalInt1handler receives the auto-assembled copy of those displaced original bytes, followed by a jmp back to the instruction after the overwritten jmp in the original int1 code.
/*
 * OriginalInt1handler - placeholder code cave for the inline int1 hook.
 *
 * The body is 200 nop bytes. Per the section comment above, the hook
 * installer overwrites this region at runtime with the original int1
 * handler's displaced bytes followed by a jmp back into the original
 * handler; int1apihook jumps here to "continue with the original call".
 * The patching code is not in this chunk.
 *
 * NOTE(review): the nop count is the size budget for "original bytes + jmp";
 * the installer must check that the displaced code (plus the jmp back) fits
 * in these 200 bytes, and that the copied instructions are relocatable
 * (no relative branches) -- confirm in the installer.
 */
_declspec( naked ) void OriginalInt1handler(void)
{
    __asm
    {
        //200 x nop: patched in place at runtime, do not change the count
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
    }
} //200 bytes should be enough for the original code+jmp back
/*
 * int1apihook - inline-hook target for int 1. The original int1 handler's
 * first bytes are overwritten with a jmp here; "Original" continues into
 * OriginalInt1handler, which holds the displaced bytes plus a jmp back.
 *
 * Same save/call/restore structure as interrupt1, with one difference: after
 * CALL GeneralHandler the conditional `je Exit` has been commented out and
 * replaced by an unconditional `jmp Exit`.
 *
 * NOTE(review): because of that `jmp Exit`, GeneralHandler's return value is
 * ignored and, whenever DebuggedProcessID != 0, every int 1 is consumed here
 * (IRETD) without ever reaching the original handler; the pop/POPAD sequence
 * before "Original:" is unreachable. The comment "if 1 do not handle, else
 * do handle" describes the commented-out behaviour, not the current one --
 * confirm whether this is intended.
 * NOTE(review): as in the other trampolines the pushed arguments are not
 * popped after the CALL, so a callee-cleanup (stdcall) GeneralHandler is
 * assumed.
 */
_declspec( naked ) void int1apihook(void)
{
    //if 1 do not handle, else do handle (applies to the original `je Exit`; see the note above)
    __asm
    {
        cmp [DebuggedProcessID],0 //no debug session active: run the original int1 code
        je Original
        PUSHAD //32 bytes
        push ds //4
        push es //4
        push gs //4
        push fs //4
        mov ax,0x23 //ds/es/gs selector (conventionally the user data selector on 32-bit Windows - confirm)
        mov ds,ax
        mov es,ax
        mov gs,ax
        mov ax,0x30 //fs selector (conventionally the kernel PCR - confirm)
        mov fs,ax
        mov eax,esp
        add eax,48 //32 (PUSHAD) + 16 (segment registers): eax -> trap frame
        push eax //second argument: the location of the original stack
        PUSH 0x1 //first argument: int 1 identifier
        CALL GeneralHandler //shared C handler; result in eax
        cmp eax,1 //result is computed but, with the jmp below, never acted on
        ;je Exit
        jmp Exit //unconditional: always consume the exception (see note above)
        pop fs
        pop gs
        pop es
        pop ds
        POPAD
    Original:
        //all registers are back to the original state, so continue with the original int1 code
        JMP OriginalInt1handler
    Exit:
        //don't execute the original code and just exit: restore all registers and return to the interrupted context
        pop fs
        pop gs
        pop es
        pop ds
        POPAD
        IRETD
    };
}
#endif