					ULONG address;
					UCHAR paramcount;
				} *poutp;
				int table;
				int nr;
				pinp=Irp->AssociatedIrp.SystemBuffer;
				table=pinp->table;
				nr=pinp->nr;
				poutp=Irp->AssociatedIrp.SystemBuffer;


				if (table==0)
				{
					poutp->address=(ULONG)(KeServiceDescriptorTable->ServiceTable[nr]);
					poutp->paramcount=(UCHAR)(KeServiceDescriptorTable->ArgumentTable[nr]);
				}
				else if (table==1)
				{
					poutp->address=(ULONG)(KeServiceDescriptorTableShadow->ServiceTable[nr]);
					poutp->paramcount=(UCHAR)(KeServiceDescriptorTableShadow->ArgumentTable[nr]);
				}

				ntStatus=STATUS_SUCCESS;
				break;
			}

		case IOCTL_CE_GETCR0:
			{
				ULONG cr0reg=0;
				__asm
				{
					mov eax,cr0
					mov cr0reg,eax
				}
				

				*(ULONG*)Irp->AssociatedIrp.SystemBuffer=cr0reg;
				ntStatus=STATUS_SUCCESS;

				break;
			}

		case IOCTL_CE_GETCR4:
			{
				//seems CR4 isn't seen as a register...
				ULONG cr4reg=0;
				cr4reg=getCR4();
				*(ULONG*)Irp->AssociatedIrp.SystemBuffer=cr4reg;
				ntStatus=STATUS_SUCCESS;

				break;
			}

		case IOCTL_CE_SETCR4:
			{
				//seems CR4 isn't seen as a register...
				ULONG cr4reg=*(ULONG*)Irp->AssociatedIrp.SystemBuffer;
				setCR4(cr4reg);
				ntStatus=STATUS_SUCCESS;
				break;
			}

		case IOCTL_CE_GETCR3:
			{
#ifndef AMD64
				ULONG cr3reg=0;
				PEPROCESS selectedprocess;


				ntStatus=STATUS_SUCCESS;

				//switch context to the selected process.  (processid is stored in the systembuffer)
				if (PsLookupProcessByProcessId((PVOID)(*(ULONG*)Irp->AssociatedIrp.SystemBuffer),&selectedprocess)==STATUS_SUCCESS)	
				{
					__try
					{
						KAPC_STATE apc_state;
						RtlZeroMemory(&apc_state,sizeof(apc_state));					
    					KeStackAttachProcess((PVOID)selectedprocess,&apc_state);

						__try
						{
							cr3reg=getCR3();

						}
						__finally
						{
							KeUnstackDetachProcess(&apc_state);
						}

					}
					__except(1)
					{
						ntStatus=STATUS_UNSUCCESSFUL;
						break;
					}

				}

				*(ULONG*)Irp->AssociatedIrp.SystemBuffer=cr3reg;

#else
				ntStatus=STATUS_UNSUCCESSFUL; //not supported yet
#endif
				break;
			}

		case IOCTL_CE_SETCR3:
			{
#ifndef AMD64
				struct input
				{
					ULONG ProcessID;
					ULONG NewCR3; 
				} *pinp;
				ULONG cr3reg;

    			PEPROCESS selectedprocess;


				ntStatus=STATUS_SUCCESS;
				pinp=Irp->AssociatedIrp.SystemBuffer;
                cr3reg=pinp->NewCR3;

				//switch context to the selected process.  (processid is stored in the systembuffer)
				if (PsLookupProcessByProcessId((PVOID)(pinp->ProcessID),&selectedprocess)==STATUS_SUCCESS)	
				{
					__try
					{
						KAPC_STATE apc_state;
						RtlZeroMemory(&apc_state,sizeof(apc_state));					
    					KeStackAttachProcess((PKPROCESS)selectedprocess,&apc_state);

						__try
						{
							__asm
							{
								mov eax,cr3reg
								mov CR3,eax
							}
						}
						__finally
						{
							KeUnstackDetachProcess(&apc_state);
						}

					}
					__except(1)
					{
						ntStatus=STATUS_UNSUCCESSFUL;
						break;
					}

				}

				
#else
				ntStatus=STATUS_UNSUCCESSFUL; //not supported yet
#endif
				break;
			}

		case IOCTL_CE_GETSDT:
			{
				//returns the address of KeServiceDescriptorTable
				ntStatus=STATUS_SUCCESS;
				*(UINT_PTR*)Irp->AssociatedIrp.SystemBuffer=(UINT_PTR)KeServiceDescriptorTable;
				break;
			}	


		case IOCTL_CE_GETIDT:
			{
				//returns the address of the IDT of the current CPU
				IDT idt;
				RtlZeroMemory(&idt,sizeof(IDT));
				GetIDT(&idt);
				RtlCopyMemory(Irp->AssociatedIrp.SystemBuffer,&idt,sizeof(IDT)); //copy idt
				ntStatus=STATUS_SUCCESS;
			
				break;
			}	

		case IOCTL_CE_GETGDT:
			{
				//returns the GDT of the current CPU (copied into the system buffer)
				GDT gdt;
				RtlZeroMemory(&gdt,sizeof(GDT));
				GetGDT(&gdt);
				RtlCopyMemory(Irp->AssociatedIrp.SystemBuffer,&gdt,sizeof(GDT)); //copy gdt
				ntStatus=STATUS_SUCCESS;
			
				break;
			}	

		case IOCTL_CE_HOOKINTS:
			{
				IDT idt;
				BYTE Processor;
				GetIDT(&idt);

				//DbgPrint("IOCTL_CE_HOOKINTS\n");

				Processor=*(PCHAR)Irp->AssociatedIrp.SystemBuffer;
				ntStatus=STATUS_SUCCESS;

				if (IDTAddresses[Processor]==0)
				{					
					//DbgPrint("Stored the IDT of this cpu\n");
					IDTAddresses[Processor]=(UINT_PTR)idt.vector;
				}

				//DbgPrint("Calling HookInt1()\n");
				if (HookInt1() /*&& HookInt3()*/)
					ntStatus=STATUS_SUCCESS;
				else
				    ntStatus=STATUS_UNSUCCESSFUL;

				break;
			}

		case IOCTL_CE_ISUSINGALTERNATEMETHOD:
			{
				*(PBOOLEAN)(Irp->AssociatedIrp.SystemBuffer)=UsesAlternateMethod;
				break;

			}

		case IOCTL_CE_USEALTERNATEMETHOD:
			{
				struct output
				{
					ULONG int1apihook; //address of the in1apihook function
					ULONG OriginalInt1handler; //space to write the int1 handler
				} *poutp;

				DbgPrint("IOCTL_CE_USEALTERNATEMETHOD: (ULONG)int1apihook=%x (ULONG)OriginalInt1handler=%x",(ULONG)int1apihook,(ULONG)OriginalInt1handler);

				poutp=Irp->AssociatedIrp.SystemBuffer;
				poutp->int1apihook=(ULONG)int1apihook;
				poutp->OriginalInt1handler=(ULONG)OriginalInt1handler;

				UsesAlternateMethod=TRUE;

				ntStatus=STATUS_SUCCESS;
				break;
			}
		case IOCTL_CE_SETGLOBALDEBUGSTATE:
			{
				struct intput
				{
					ULONG newstate;
				} *pinp;
				pinp=Irp->AssociatedIrp.SystemBuffer;

				globaldebug=pinp->newstate;
			}

		case IOCTL_CE_STOPDEBUGGING:
			{
				StopDebugging();
				ntStatus=STATUS_SUCCESS;
				break;
			}

		case IOCTL_CE_STOP_DEBUGPROCESS_CHANGEREG:
			{
				struct input
				{
					int debugreg;					
				} *pinp;

				pinp=Irp->AssociatedIrp.SystemBuffer;

				StopChangeRegOnBP(pinp->debugreg);
				break;
			}

		case IOCTL_CE_DEBUGPROCESS_CHANGEREG:
			{
				struct input
				{
					DWORD ProcessID;
					int debugreg;
					ChangeReg CR;
				} *pinp;

				pinp=Irp->AssociatedIrp.SystemBuffer;
				ChangeRegOnBP(pinp->ProcessID, pinp->debugreg, &(pinp->CR));
				ntStatus=STATUS_SUCCESS; //always succeeds, else the memory was unwritable and thus a blue screen of death

				break;
			}

		case IOCTL_CE_DEBUGPROCESS:
			{
				struct input
				{					
					DWORD	ProcessID;
					DWORD	Address;
					BYTE	Length;
					BYTE	RWE;
				} *pinp;

			
				pinp=Irp->AssociatedIrp.SystemBuffer;
				if (DebugProcess(pinp->ProcessID, pinp->Address, pinp->Length,pinp->RWE))
				{
					ntStatus=STATUS_SUCCESS;
				}
				else
				{
					ntStatus=STATUS_UNSUCCESSFUL;
				}

				break;

			}

		case IOCTL_CE_RETRIEVEDEBUGDATA:
			{
				
				
				*(PUCHAR)Irp->AssociatedIrp.SystemBuffer=BufferSize;	
				RtlCopyMemory((PVOID)((UINT_PTR)Irp->AssociatedIrp.SystemBuffer+1),&DebugEvents[0],BufferSize*sizeof(DebugEvent));
				BufferSize=0; //there's room for new events
				ntStatus=STATUS_SUCCESS;
				
				
				break;
			}

		case IOCTL_CE_STARTPROCESSWATCH:
			{
				KIRQL OldIrql;


				KeAcquireSpinLock(&ProcesslistSL,&OldIrql);
				ProcessEventCount=0;				
				KeReleaseSpinLock(&ProcesslistSL,OldIrql);
				

				DbgPrint("IOCTL_CE_STARTPROCESSWATCH\n");
				
				if (CreateProcessNotifyRoutineEnabled==FALSE)
				{
					DbgPrint("calling PsSetCreateProcessNotifyRoutine\n");
				    CreateProcessNotifyRoutineEnabled=(PsSetCreateProcessNotifyRoutine(CreateProcessNotifyRoutine,FALSE)==STATUS_SUCCESS);
					CreateThreadNotifyRoutineEnabled=(PsSetCreateThreadNotifyRoutine(CreateThreadNotifyRoutine)==STATUS_SUCCESS);
				}

				ntStatus=(CreateProcessNotifyRoutineEnabled) ? STATUS_SUCCESS : STATUS_UNSUCCESSFUL;

				if (ntStatus==STATUS_SUCCESS)
					DbgPrint("CreateProcessNotifyRoutineEnabled worked\n");
				else
					DbgPrint("CreateProcessNotifyRoutineEnabled failed\n");
					

				break;
			}

		case IOCTL_CE_GETPROCESSEVENTS:
			{
				KIRQL OldIrql;
				
				KeAcquireSpinLock(&ProcesslistSL,&OldIrql);

				*(PUCHAR)Irp->AssociatedIrp.SystemBuffer=ProcessEventCount;	
				RtlCopyMemory((PVOID)((UINT_PTR)Irp->AssociatedIrp.SystemBuffer+1),&ProcessEventdata[0],ProcessEventCount*sizeof(ProcessEventdta));
				ProcessEventCount=0; //there's room for new events

				KeReleaseSpinLock(&ProcesslistSL,OldIrql);

				ntStatus=STATUS_SUCCESS;
				break;
			}

		case IOCTL_CE_GETTHREADEVENTS:
			{
				KIRQL OldIrql;
				
				KeAcquireSpinLock(&ProcesslistSL,&OldIrql);

				*(PUCHAR)Irp->AssociatedIrp.SystemBuffer=ThreadEventCount;	
				RtlCopyMemory((PVOID)((UINT_PTR)Irp->AssociatedIrp.SystemBuffer+1),&ThreadEventData[0],ThreadEventCount*sizeof(ThreadEventDta));
				ThreadEventCount=0; //there's room for new events

				KeReleaseSpinLock(&ProcesslistSL,OldIrql);

				ntStatus=STATUS_SUCCESS;
				break;
			}


		case IOCTL_CE_CREATEAPC:
			{
				struct input
				{
					ULONG threadid;
					PVOID addresstoexecute;										
				} *inp;
				inp=Irp->AssociatedIrp.SystemBuffer;

				CreateRemoteAPC(inp->threadid,inp->addresstoexecute);
				ntStatus=STATUS_SUCCESS;
				break;
			}

		case IOCTL_CE_SUSPENDTHREAD:
			{
				struct input
				{
					ULONG threadid;							
				} *inp;
				inp=Irp->AssociatedIrp.SystemBuffer;

				DbgPrint("CE_SUSPENDTHREAD\n");

				DBKSuspendThread(inp->threadid);
				ntStatus=STATUS_SUCCESS;
				break;
			}

		case IOCTL_CE_RESUMETHREAD:            
			{
				struct input
				{
					ULONG threadid;							
				} *inp;
				inp=Irp->AssociatedIrp.SystemBuffer;

				DbgPrint("CE_RESUMETHREAD\n");

				DBKResumeThread(inp->threadid);
				ntStatus=STATUS_SUCCESS;
				break;
            }

		case IOCTL_CE_SUSPENDPROCESS:
			{
				struct input
				{
					ULONG processid;							
				} *inp;
				inp=Irp->AssociatedIrp.SystemBuffer;

				DbgPrint("IOCTL_CE_SUSPENDPROCESS\n");
				DBKSuspendProcess(inp->processid);
