DbgPrint("edx=%x\n",Stacklocation[-3]);
DbgPrint("esi=%x\n",Stacklocation[-7]);
DbgPrint("edi=%x\n",Stacklocation[-8]);
DbgPrint("ebp=%x\n",Stacklocation[-6]);
DbgPrint("esp=%x\n",Stacklocation[3]);
DbgPrint("eip=%x\n",Stacklocation[0]); //it was a break
DbgPrint("DR0=%x\n",DR_0);
DbgPrint("DR1=%x\n",DR_1);
DbgPrint("DR2=%x\n",DR_2);
DbgPrint("DR3=%x\n",DR_3);
DbgPrint("DR6=%x\n",DR_6);
DbgPrint("DR7=%x\n",DR_7);
DbgPrint("DR_7.L3=%d\nDR_6.B3=%d\nDR_3=%x\n",DR_7.L3,DR_6.B3,DR_3);
*/
DbgPrint("Stacklocation=%p\n",Stacklocation);
DbgPrint("-3=%x\n",Stacklocation[-3]);
DbgPrint("-2=%x\n",Stacklocation[-2]);
DbgPrint("-1=%x\n",Stacklocation[-1]);
DbgPrint("0=%x\n",Stacklocation[0]);
DbgPrint("1=%x\n",Stacklocation[1]);
DbgPrint("2=%x\n",Stacklocation[2]);
DbgPrint("3=%x\n",Stacklocation[3]);
DbgPrint("4=%x\n",Stacklocation[4]);
DbgPrint("5=%x\n",Stacklocation[5]);
DbgPrint("6=%x\n",Stacklocation[6]);
DbgPrint("7=%x\n",Stacklocation[7]);
DbgPrint("8=%x\n",Stacklocation[8]);
DbgPrint("9=%x\n",Stacklocation[9]);
DbgPrint("10=%x\n",Stacklocation[10]);
DbgPrint("11=%x\n",Stacklocation[11]);
DbgPrint("12=%x\n",Stacklocation[12]);
if (ChangeRegistersOnBP)
{
int i;
//see if the breakpoint occurred on one of the
for (i=0;i<4;i++)
{
if (ChangeRegs[i].Active)
{
if (
((DR_7.L0) && (DR_6.B0) && (DR_0==ChangeRegs[i].BreakAddress) ) ||
((DR_7.L1) && (DR_6.B1) && (DR_1==ChangeRegs[i].BreakAddress) ) ||
((DR_7.L2) && (DR_6.B2) && (DR_2==ChangeRegs[i].BreakAddress) ) ||
((DR_7.L3) && (DR_6.B3) && (DR_3==ChangeRegs[i].BreakAddress) )
)
{
//if (ChangeRegs[i].changeAF)
PEFLAGS x;
x=(PEFLAGS)(&Stacklocation[2]);
DbgPrint("This is one caused by me. Changing the registers\n");
DbgPrint("2=%x\n",Stacklocation[2]);
DbgPrint("eax=%x\n",Stacklocation[-1]);
DbgPrint("ebx=%x\n",Stacklocation[-4]);
DbgPrint("EIP=%x\n",Stacklocation[0]);
DbgPrint("PEFLAGS=%p\nEFLAGS=%x\n",x,*x);
DbgPrint("------\n");
DbgPrint("DR_7.L0=%d\n",DR_7.L0);
DbgPrint("DR_7.L1=%d\n",DR_7.L1);
DbgPrint("DR_7.L2=%d\n",DR_7.L2);
DbgPrint("DR_7.L3=%d\n",DR_7.L3);
DbgPrint("DR_6.B0=%d\n",DR_6.B0);
DbgPrint("DR_6.B1=%d\n",DR_6.B1);
DbgPrint("DR_6.B2=%d\n",DR_6.B2);
DbgPrint("DR_6.B3=%d\n",DR_6.B3);
DbgPrint("BP number = %d",i);
if (ChangeRegs[i].changeAF) { DbgPrint("Changing AF from %d to %d",x->AF,ChangeRegs[i].newAF); x->AF=ChangeRegs[i].newAF; }
if (ChangeRegs[i].changeCF) { DbgPrint("Changing CF from %d to %d",x->CF,ChangeRegs[i].newCF); x->CF=ChangeRegs[i].newCF; }
if (ChangeRegs[i].changeOF) { DbgPrint("Changing OF from %d to %d",x->OF,ChangeRegs[i].newOF); x->OF=ChangeRegs[i].newOF; }
if (ChangeRegs[i].changePF) { DbgPrint("Changing PF from %d to %d",x->PF,ChangeRegs[i].newPF); x->PF=ChangeRegs[i].newPF; }
if (ChangeRegs[i].changeSF) { DbgPrint("Changing SF from %d to %d",x->SF,ChangeRegs[i].newSF); x->SF=ChangeRegs[i].newSF; }
if (ChangeRegs[i].changeZF) { DbgPrint("Changing ZF from %d to %d",x->ZF,ChangeRegs[i].newZF); x->ZF=ChangeRegs[i].newZF; }
if (ChangeRegs[i].changeEAX) { DbgPrint("Changing EAX from %x to %x",Stacklocation[-1],ChangeRegs[i].newEAX); Stacklocation[-1]=ChangeRegs[i].newEAX; }
if (ChangeRegs[i].changeEBX) { DbgPrint("Changing EBX from %x to %x",Stacklocation[-4],ChangeRegs[i].newEBX); Stacklocation[-4]=ChangeRegs[i].newEBX; }
if (ChangeRegs[i].changeECX) { DbgPrint("Changing ECX from %x to %x",Stacklocation[-2],ChangeRegs[i].newECX); Stacklocation[-2]=ChangeRegs[i].newECX; }
if (ChangeRegs[i].changeEDX) { DbgPrint("Changing EDX from %x to %x",Stacklocation[-3],ChangeRegs[i].newEDX); Stacklocation[-3]=ChangeRegs[i].newEDX; }
if (ChangeRegs[i].changeESI) { DbgPrint("Changing ESI from %x to %x",Stacklocation[-7],ChangeRegs[i].newESI); Stacklocation[-7]=ChangeRegs[i].newESI; }
if (ChangeRegs[i].changeEDI) { DbgPrint("Changing EDI from %x to %x",Stacklocation[-8],ChangeRegs[i].newEDI); Stacklocation[-8]=ChangeRegs[i].newEDI; }
if (ChangeRegs[i].changeEBP) { DbgPrint("Changing EBP from %x to %x",Stacklocation[-6],ChangeRegs[i].newEBP); Stacklocation[-6]=ChangeRegs[i].newEBP; }
if (ChangeRegs[i].changeESP) { DbgPrint("Changing ESP from %x to %x",Stacklocation[3],ChangeRegs[i].newESP); Stacklocation[3]=ChangeRegs[i].newESP; }
if (ChangeRegs[i].changeEIP) { DbgPrint("Changing EIP from %x to %x",Stacklocation[0],ChangeRegs[i].newEIP); Stacklocation[0]=ChangeRegs[i].newEIP; }
DbgPrint("Setting the resume flag and continue\n");
x->RF=1; //resume flag
//x->TF=1;
//reset bp
switch (i)
{
case 0:
DR_6.B0=0;
break;
case 1:
DR_6.B1=0;
break;
case 2:
DR_6.B2=0;
break;
case 3:
DR_6.B3=0;
}
__asm
{
mov eax,DR_6
mov dr6,eax
}
if (globaldebug)
{
__asm
{
mov eax,DR_7
mov dr7,eax //don't touch debug regs after this
}
}
return 1;
}
}
}
}
if (
((DR_7.L0) && (DR_6.B0) && (DR_0>=DebuggedAddress) && (DR_0<=DebuggedAddress+DebuggedAddressLength)) ||
((DR_7.L1) && (DR_6.B1) && (DR_1>=DebuggedAddress) && (DR_1<=DebuggedAddress+DebuggedAddressLength)) ||
((DR_7.L2) && (DR_6.B2) && (DR_2>=DebuggedAddress) && (DR_2<=DebuggedAddress+DebuggedAddressLength)) ||
((DR_7.L3) && (DR_6.B3) && (DR_3>=DebuggedAddress) && (DR_3<=DebuggedAddress+DebuggedAddressLength))
)
{
WORD this_ss;
__asm
{
mov ax,ss
mov [this_ss],ax
}
DbgPrint("this ss=%x\n",this_ss);
DbgPrint("I'm going to handle this! The OS won't know what happened!\n");
result=1;
DR_6.B0=0;
DR_6.B1=0;
DR_6.B2=0;
DR_6.B3=0;
__asm
{
mov eax,DR_6
mov dr6,eax
}
if (BufferSize<50)
{
int spot;
spot=BufferSize;
BufferSize++;
DebugEvents[spot].EAX=Stacklocation[-1];
DebugEvents[spot].EBX=Stacklocation[-4];
DebugEvents[spot].ECX=Stacklocation[-2];
DebugEvents[spot].EDX=Stacklocation[-3];
DebugEvents[spot].ESI=Stacklocation[-7];
DebugEvents[spot].EDI=Stacklocation[-8];
DebugEvents[spot].EBP=Stacklocation[-6];
DebugEvents[spot].ESP=Stacklocation[3];
DebugEvents[spot].EIP=Stacklocation[0];
}
}
else
{
DbgPrint("It was a debug event, but not one that I expected. I'll just let it go through\n");
}
//reset the GD flag of DR7 on exit (GD is a detection of the DebugRegs being modified
if (DR_6.BS)
{
//single step
//if the previous instruction was a debugreg access then save the current debugregs values to ownprocessdebugregs (in case is was a write access)
//then put my own debugregs back
}
if (DR_6.BD)
{
//the debugregs got accesses
//save the current debugregs
//set the ownprocessdebugregs back to the debugregs
//do a single step (set the step flag in eflags
//set the debugregs back to what the program put them to
DbgPrint("The debugregs got accessed\n");
}
if (globaldebug)
{
__asm
{
mov eax,DR_7
mov dr7,eax //don't touch debug regs after this
}
}
}
}
else
{
if (!globaldebug)
return 0; //handle original
DbgPrint("Int1 in other process\n");
//not the process we want it to be, check if it is caused by us or not:
if (
((DR_7.L0) && (DR_6.B0) && (DR_0>=DebuggedAddress) && (DR_0<=DebuggedAddress+DebuggedAddressLength)) ||
((DR_7.L1) && (DR_6.B1) && (DR_1>=DebuggedAddress) && (DR_1<=DebuggedAddress+DebuggedAddressLength)) ||
((DR_7.L2) && (DR_6.B2) && (DR_2>=DebuggedAddress) && (DR_2<=DebuggedAddress+DebuggedAddressLength)) ||
((DR_7.L3) && (DR_6.B3) && (DR_3>=DebuggedAddress) && (DR_3<=DebuggedAddress+DebuggedAddressLength))
)
{
DbgPrint("Caused by driver, ignore int1\n");
DR_6.B0=0;
DR_6.B1=0;
DR_6.B2=0;
DR_6.B3=0;
__asm
{
mov eax,DR_6
mov dr6,eax
mov eax,DR_7
mov dr7,eax //don't touch debug regs after this
}
return 1; //don't handle the original handler
}
}
if (globaldebug)
{
__asm
{
mov eax,DR_7
mov dr7,eax
}
}
return result;
#else
return 0;
#endif
}
#ifndef AMD64
/*
 * interrupt1 - IDT entry point installed for vector 1 (#DB, the debug trap).
 *
 * Naked: no compiler prologue/epilogue, the body is entirely inline assembly.
 * On entry ESP points at the CPU-built trap frame (EIP, CS, EFLAGS and, when
 * the trap came from a lower privilege level, ESP and SS). The routine saves
 * all general registers plus the data segment registers, loads the kernel
 * selectors and calls GeneralHandler with (1, Stacklocation) where
 * Stacklocation is the entry ESP. GeneralHandler (earlier in this file)
 * indexes it as a DWORD array: [0]=EIP, [2]=EFLAGS, [3]=ESP, and negative
 * indices reach the PUSHAD image ([-1]=EAX, [-2]=ECX, [-3]=EDX, [-4]=EBX,
 * [-6]=EBP, [-7]=ESI, [-8]=EDI).
 *
 * Result: if GeneralHandler returns 1 the trap is consumed here and the
 * routine IRETDs straight back, so the original handler never sees it; any
 * other value restores the registers and chains to the saved handler
 * address in Int1Address.
 *
 * NOTE(review): unlike interrupt3/interruptD1 the DebuggedProcessID gate is
 * commented out, so every INT 1 on the system reaches GeneralHandler.
 * NOTE(review): no `add esp,8` follows the CALL, so GeneralHandler must pop
 * its two arguments itself (stdcall) - confirm from its declaration, which
 * is outside this view.
 */
_declspec( naked ) void interrupt1( void )
{
__asm{
//cmp [DebuggedProcessID],0 //there's currently no debugging gong on so quit
//je Original
PUSHAD //32 bytes: EAX,ECX,EDX,EBX,ESP,EBP,ESI,EDI (high to low address)
push ds //4
push es //4
push gs //4
push fs //4
mov ax,0x23 //hard-coded selector; presumably the flat R3 data segment on 32-bit NT - verify against the target GDT
mov ds,ax
mov es,ax
mov gs,ax
mov ax,0x30 //hard-coded selector; presumably the kernel FS (PCR) segment on 32-bit NT - verify against the target GDT
mov fs,ax
mov eax,esp
add eax,48 //undo the 32 (PUSHAD) + 16 (four segment pushes) bytes: ESP as it was on entry
push eax //the location of the original stack (second argument)
PUSH 1 //int 1 identifier (first argument)
CALL GeneralHandler //call my regular int handler
cmp eax,1 //if 1 then do no handle the original handler
je Exit
//not consumed: restore everything and hand the trap to the original handler
pop fs
pop gs
pop es
pop ds
POPAD
//Original:
JMP [Int1Address] //indirect jump through the saved original handler address (stored elsewhere in the driver)
Exit:
//consumed: restore everything and return to the interrupted code without running the original handler
pop fs
pop gs
pop es
pop ds
POPAD
IRETD
};
}
/*
 * interrupt3 - IDT entry point installed for vector 3 (#BP, the INT 3
 * breakpoint trap).
 *
 * Same frame layout and GeneralHandler contract as interrupt1 (entry ESP is
 * passed as Stacklocation, [0]=EIP, [2]=EFLAGS, negative indices reach the
 * PUSHAD image). The only differences are the vector identifier pushed (3),
 * the chain target (Int3Address) and the gate at the top: when
 * DebuggedProcessID is 0 no debugging is active and the routine jumps to the
 * original handler without touching any register.
 *
 * Result: GeneralHandler returning 1 means the trap is consumed and the
 * routine IRETDs back; anything else restores the registers and chains to
 * the saved handler address in Int3Address.
 *
 * NOTE(review): no `add esp,8` follows the CALL, so GeneralHandler must pop
 * its two arguments itself (stdcall) - confirm from its declaration, which
 * is outside this view.
 */
_declspec( naked ) void interrupt3( void )
{
__asm{
//iretd //return
cmp [DebuggedProcessID],0 //there's currently no debugging gong on so quit
je Original
PUSHAD //32 bytes: EAX,ECX,EDX,EBX,ESP,EBP,ESI,EDI (high to low address)
push ds //4
push es //4
push gs //4
push fs //4
mov ax,0x23 //hard-coded selector; presumably the flat R3 data segment on 32-bit NT - verify against the target GDT
mov ds,ax
mov es,ax
mov gs,ax
mov ax,0x30 //hard-coded selector; presumably the kernel FS (PCR) segment on 32-bit NT - verify against the target GDT
mov fs,ax
mov eax,esp
add eax,48 //undo the 32 (PUSHAD) + 16 (four segment pushes) bytes: ESP as it was on entry
push eax //the location of the original stack (second argument)
PUSH 3 //int 3 identifier (first argument)
CALL GeneralHandler //call my regular int handler
cmp eax,1 //if 1 then do no handle the original handler
je Exit
//not consumed: restore everything and hand the trap to the original handler
pop fs
pop gs
pop es
pop ds
POPAD
Original:
JMP [Int3Address] //indirect jump through the saved original handler address (stored elsewhere in the driver)
Exit:
//consumed: restore everything and return to the interrupted code without running the original handler
pop fs
pop gs
pop es
pop ds
POPAD
IRETD
};
}
/*
 * interruptD1 - IDT entry point installed for vector 0xD1.
 *
 * Structurally identical to interrupt3: gated on DebuggedProcessID, same
 * frame layout and GeneralHandler contract (entry ESP passed as
 * Stacklocation), but pushes 0xD1 as the vector identifier and chains to
 * the saved handler address in IntD1Address. What vector 0xD1 is used for
 * is not visible here; GeneralHandler's handling of that identifier is
 * outside this view.
 *
 * Result: GeneralHandler returning 1 means the interrupt is consumed and
 * the routine IRETDs back; anything else restores the registers and chains
 * to IntD1Address.
 *
 * NOTE(review): no `add esp,8` follows the CALL, so GeneralHandler must pop
 * its two arguments itself (stdcall) - confirm from its declaration, which
 * is outside this view.
 */
_declspec( naked ) void interruptD1( void )
{
__asm{
//iretd //return
cmp [DebuggedProcessID],0 //there's currently no debugging gong on so quit
je Original
PUSHAD //32 bytes: EAX,ECX,EDX,EBX,ESP,EBP,ESI,EDI (high to low address)
push ds //4
push es //4
push gs //4
push fs //4
mov ax,0x23 //hard-coded selector; presumably the flat R3 data segment on 32-bit NT - verify against the target GDT
mov ds,ax
mov es,ax
mov gs,ax
mov ax,0x30 //hard-coded selector; presumably the kernel FS (PCR) segment on 32-bit NT - verify against the target GDT
mov fs,ax
mov eax,esp
add eax,48 //undo the 32 (PUSHAD) + 16 (four segment pushes) bytes: ESP as it was on entry
push eax //the location of the original stack (second argument)
PUSH 0xD1 //int d1 identifier (first argument)
CALL GeneralHandler //call my regular int handler
cmp eax,1 //if 1 then do no handle the original handler
je Exit
//not consumed: restore everything and hand the interrupt to the original handler
pop fs
pop gs
pop es
pop ds
POPAD
Original:
JMP [IntD1Address] //indirect jump through the saved original handler address (stored elsewhere in the driver)
Exit:
//consumed: restore everything and return to the interrupted code without running the original handler
pop fs
pop gs
pop es
pop ds
POPAD
IRETD
};
}
//int1 hook section
//the start of the original int1 handler gets overwritten with a jmp to int1apihook, declared below
//OriginalInt1handler receives the auto-assembled copy of the overwritten original bytes, followed by a jmp back to the instruction after the patched jmp in the original int1 code
/*
 * OriginalInt1handler - 200-byte scratch area that is patched at runtime.
 *
 * The function body is nothing but 200 one-byte NOPs; according to the
 * section comment above, the bytes displaced from the original INT 1 handler
 * by the detour jmp are copied here, followed by a jmp back into the
 * original handler. int1apihook transfers control here when no debugging is
 * active. Nothing in this view writes the area; the patching code lives
 * elsewhere.
 *
 * NOTE(review): patching this at runtime requires the containing code page
 * to be writable at that moment and the copied bytes to be relocatable
 * (no relative jumps/calls inside the displaced prefix) - neither is
 * verifiable from here.
 * NOTE(review): the 200-byte size is a fixed assumption; the patcher should
 * check that the relocated prefix plus the jmp back fits before writing.
 */
_declspec( naked ) void OriginalInt1handler(void)
{
__asm
{
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop //10
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop //20
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop //30
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop //40
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop //50
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop //60
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop //70
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop //80
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop //90
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop //100
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop //110
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop //120
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop //130
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop //140
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop //150
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop //160
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop //170
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop //180
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop //190
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop //200
}
} //200 bytes of NOP: must hold the relocated original code plus the jmp back
/*
 * int1apihook - detour body that the patched original INT 1 handler jumps to
 * (see the section comment above). Same frame layout and GeneralHandler
 * contract as interrupt1: the entry ESP is passed as Stacklocation, and
 * GeneralHandler indexes it as [0]=EIP, [2]=EFLAGS with negative indices
 * reaching the PUSHAD image.
 *
 * Control flow: if DebuggedProcessID is 0 the detour is transparent and
 * jumps to OriginalInt1handler (the relocated original bytes) with every
 * register untouched. Otherwise GeneralHandler(1, Stacklocation) runs and,
 * because the conditional `je Exit` is commented out in favour of an
 * unconditional `jmp Exit`, the trap is always swallowed with IRETD no
 * matter what GeneralHandler returned; the restore-and-fall-through
 * sequence after the jmp is unreachable. This differs from interrupt1,
 * where a non-1 return still reaches the original handler.
 *
 * NOTE(review): no `add esp,8` follows the CALL, so GeneralHandler must pop
 * its two arguments itself (stdcall) - confirm from its declaration, which
 * is outside this view.
 */
_declspec( naked ) void int1apihook(void)
{
//if 1 do not handle, else do handle
__asm
{
cmp [DebuggedProcessID],0 //there's currently no debugging gong on so quit
je Original
PUSHAD //32 bytes: EAX,ECX,EDX,EBX,ESP,EBP,ESI,EDI (high to low address)
push ds //4
push es //4
push gs //4
push fs //4
mov ax,0x23 //hard-coded selector; presumably the flat R3 data segment on 32-bit NT - verify against the target GDT
mov ds,ax
mov es,ax
mov gs,ax
mov ax,0x30 //hard-coded selector; presumably the kernel FS (PCR) segment on 32-bit NT - verify against the target GDT
mov fs,ax
mov eax,esp
add eax,48 //undo the 32 (PUSHAD) + 16 (four segment pushes) bytes: ESP as it was on entry
push eax //the location of the original stack (second argument)
PUSH 0x1 //int 1 identifier (first argument)
CALL GeneralHandler //call my regular int handler
cmp eax,1 //if 1 then do no handle the original handler
;je Exit
jmp Exit //unconditional: the result of the cmp above is never used here
//unreachable while the jmp above is unconditional; kept as the intended "not consumed" path
pop fs
pop gs
pop es
pop ds
POPAD
Original:
//all back to the original state, so lets continue with the original call
JMP OriginalInt1handler
Exit:
//don't execute the original code and just exit. Restore all registers and return to the caller
pop fs
pop gs
pop es
pop ds
POPAD
IRETD
};
}
#endif