KEXCEPTION_FRAME ExceptionFrame,IN PEXCEPTION_RECORD ExceptionRecord,IN PCONTEXT ContextRecord,IN KPROCESSOR_MODE PreviousMode,IN BOOLEAN SecondChanceException);
//这里做一个跳转
VOID ModifyKdpTrap(PVOID myaddress,PVOID targetaddress) {
KIRQL irql;
ULONGLONG myfun;
UCHAR jmp_code[] = "\x48\xB8\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\xFF\xE0\x00\x00";//mov rax xxx,jmp rax
myfun = (ULONGLONG)myaddress;//替换成自己的函数地址
RtlCopyMemory(jmp_code + 2, &myfun, 8);
//debg();
irql = WPOFFx64();
RtlCopyMemory(targetaddress, jmp_code, 12);
WPONx64(irql);
}
//这里完成hook
NTSTATUS HookKdpTrap(
IN PKTRAP_FRAME TrapFrame,
IN PKEXCEPTION_FRAME ExceptionFrame,
IN PEXCEPTION_RECORD ExceptionRecord,
IN PCONTEXT ContextRecord,
IN KPROCESSOR_MODE PreviousMode,
IN BOOLEAN SecondChanceException){
PEPROCESS hp = PsGetCurrentProcess();
if (!_stricmp((char *)PsGetProcessImageFileName(hp), "TASLogin.exe")){
return STATUS_SUCCESS;
}
return hdbktrap(TrapFrame, ExceptionFrame, ExceptionRecord, ContextRecord, PreviousMode, SecondChanceException);
}
//这里做一个还原
void UnHookKdpTrap() {
KIRQL irql;
UCHAR orignal_code[] = "\x48\x89\x5c\x24\x08\x48\x89\x54\x24\x10\x57\x48\x83\xec\x40";//mov rax xxx,jmp rax
irql = WPOFFx64();
RtlCopyMemory(orgkdt, orignal_code, 15);
WPONx64(irql);
}
//----------------------------------------------------------------------------------------------------------------------------------------------------------------
//----------------------------------------------------------------------------------------------------------------------------------------------------------------
//2、 防止安全组件加载失败
VOID DisableKdDebuggerEnabled() {
SharedUserData->KdDebuggerEnabled = FALSE; //防止安全组件加载失败
}
//----------------------------------------------------------------------------------------------------------------------------------------------------------------
//----------------------------------------------------------------------------------------------------------------------------------------------------------------
//3、TP会清零KdDebuggerEnabled,这里做一个每隔一秒的定时器
//----------------------------------------------------------------------------------------------------------------------------------------------------------------
//----------------------------------------------------------------------------------------------------------------------------------------------------------------
//4、断链隐藏 kdcom,防止kdcom内存被清空导致和windbg通讯不了
/*
0: kd> dt _eprocess
nt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x2e0 ProcessLock : _EX_PUSH_LOCK
+0x2e8 UniqueProcessId : Ptr64 Void
+0x2f0 ActiveProcessLinks : _LIST_ENTRY
*/
PDRIVER_OBJECT pDriverObject = NULL;
typedef struct _KLDR_DATA_TABLE_ENTRY {
LIST_ENTRY InLoadOrderLinks;
PVOID ExceptionTable;
ULONG ExceptionTableSize;
PVOID GpValue;
ULONG UnKnow;
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
USHORT LoadCount;
USHORT __Unused5;
PVOID SectionPointer;
ULONG CheckSum;
PVOID LoadedImports;
PVOID PatchInformation;
} KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY;
