|
这是产生中断的指令, KiUserExceptionDispatcher函数是系统从内核模式调用到用户模式的回调方法之一。以下是它的签名:
- VOID NTAPI KiUserExceptionDispatcher(
- PEXCEPTION_RECORD pExcptRec,
- PCONTEXT ContextFrame
- );
下面就是避开了应用KiUserExceptionDispatcher函数钩子的硬件断点检查的代码:
- typedef VOID (NTAPI *pfnKiUserExceptionDispatcher)(
- PEXCEPTION_RECORD pExcptRec,
- PCONTEXT ContextFrame
- );
- pfnKiUserExceptionDispatcher g_origKiUserExceptionDispatcher = NULL;
- VOID NTAPI HandleKiUserExceptionDispatcher(PEXCEPTION_RECORD pExcptRec, PCONTEXT ContextFrame)
- {
- if (ContextFrame && (CONTEXT_DEBUG_REGISTERS & ContextFrame->ContextFlags))
- {
- ContextFrame->Dr0 = 0;
- ContextFrame->Dr1 = 0;
- ContextFrame->Dr2 = 0;
- ContextFrame->Dr3 = 0;
- ContextFrame->Dr6 = 0;
- ContextFrame->Dr7 = 0;
- ContextFrame->ContextFlags &= ~CONTEXT_DEBUG_REGISTERS;
- }
- }
- __declspec(naked) VOID NTAPI HookKiUserExceptionDispatcher()
- // Params: PEXCEPTION_RECORD pExcptRec, PCONTEXT ContextFrame
- {
- __asm
- {
- mov eax, [esp + 4]
- mov ecx, [esp]
- push eax
- push ecx
- call HandleKiUserExceptionDispatcher
- jmp g_origKiUserExceptionDispatcher
- }
- }
- int main()
- {
- HMODULE hNtDll = LoadLibrary(TEXT("ntdll.dll"));
- g_origKiUserExceptionDispatcher = (pfnKiUserExceptionDispatcher)GetProcAddress(hNtDll, "KiUserExceptionDispatcher");
- Mhook_SetHook((PVOID*)&g_origKiUserExceptionDispatcher, HookKiUserExceptionDispatcher);
- return 0;
- }
在这个例子中,DRx寄存器的值在HookKiUserExceptionDispatcher函数中被复位,即在VEH处理程序调用之前。
NtSetInformationThread —从调试器隐藏线程 (编辑:西安站长网)
【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容!
|
