硬件斷點的實現需要依賴于調試寄存器

DR0~DR7 ?調試寄存器

DR0~DR3-----調試地址寄存器
DR4~DR5-----保留
DR6 -----調試狀態寄存器 指示哪個調試寄存器被命中
DR7 -----調試控制寄存器

?

關于Dr7寄存器每個標志位的解釋：

?

總結如下

DR7調試控制寄存器：
R/W0~R/W3：與DR0~DR3相對應，用來指定監控地址的訪問類型，表示意義如下：
? ? ? ? ? ? ? 00：僅當執行對應的地址時中斷
? ? ? ? ? ? ? 01：僅當寫入對應的地址時中斷
? ? ? ? ? ? ? 10：基本不用
? ? ? ? ? ? ? 11：讀取對應的地址時中斷，讀取指令的指令除外

?

LEN0~LEN3：與DR0~DR3相對應，用來指定監控地址的長度，意義如下：
? ? ? ? ? ? ? ?00：一個字節長
? ? ? ? ? ? ? ?01：兩個字節長
? ? ? ? ? ? ? ?10：未定義或者代表8字節，具體視CPU而定
? ? ? ? ? ? ? ?11：四個字節長

L0~L3：與DR0~DR3相對應，意思表示僅對當前

?

接下來看看兩個Windows提供的兩個API函數，GetThreadContext和SetThreadContext來獲取或者時設置線程的上下文，什么是線程的上下文，就是線程運行時的各種寄存器的信息，比如調試寄存器，浮點寄存器，控制寄存器等等，在應用層是不能直接操作Drx寄存器的值，但可以調用這兩個api來讀寫線程的上下文，來達到設置硬件斷點的目的，如果想對某個進程設置硬件斷點，就需要對它的每個線程都調用SetThreadContext()函數，設置Drx寄存器的值。

BOOL WINAPI GetThreadContext(__in HANDLE hThread,__inout LPCONTEXT lpContext ); BOOL WINAPI SetThreadContext(__in HANDLE hThread,__in const CONTEXT *lpContext );

?在SSDT表中對應的NtGetContextThread和NtSetContextThread

NTSTATUS NtGetContextThread(__in HANDLE ThreadHandle,__inout PCONTEXT ThreadContext)

?

NTSTATUS NtSetContextThread(__in HANDLE ThreadHandle,__in PCONTEXT ThreadContext)

?

這兩個函數都是調用了PsSet/GetContextThread函數

NTSTATUS PsSetContextThread(__in PETHREAD Thread,__in PCONTEXT ThreadContext,__in KPROCESSOR_MODE Mode)NTSTATUS PsGetContextThread(__in PETHREAD Thread,__inout PCONTEXT ThreadContext,__in KPROCESSOR_MODE Mode)

?

我們可以對PsGet/SetContextTread函數Hook來達到對設置硬件斷點的一個過濾，對于目標進程獲取或者設置線程的Context進行處理。

oid __stdcall FilterSetGetContextThread(PETHREAD Thread,PCONTEXT Context,KPROCESSOR_MODE AccessMode) {__try{if (AccessMode == UserMode){//wrk 參數校驗ProbeForReadSmallStructure(Context,sizeof(CONTEXT),PROBE_ALIGNMENT(CONTEXT));}else{*Context = *Context;}if (strstr(GetProcessNameByThread(Thread),"test.exe")!=NULL){if (strstr((char*)PsGetCurrentProcess()+0x16c,"ollydbg") != NULL){return;}//如果是要獲得調試寄存器的值，將Flags 的獲得調試寄存器清零，if (Context->ContextFlags | CONTEXT_DEBUG_REGISTERS){Context->ContextFlags = ~CONTEXT_DEBUG_REGISTERS;}}}__except(EXCEPTION_EXECUTE_HANDLER){return;} }

?

typedef NTSTATUS (*PSGETCONTEXTTHREAD)(PETHREAD Thread,PCONTEXT Context,KPROCESSOR_MODE AccessMode);typedef NTSTATUS (*PSSETCONTEXTTHREAD)(PETHREAD Thread,PCONTEXT Context,KPROCESSOR_MODE AccessMode);//global PSGETCONTEXTTHREAD PsGetContextThread; PSSETCONTEXTTHREAD PsSetContextThread;ULONG g_JmpGetContextThread; UCHAR g_cGetContextCode[5]; BOOLEAN g_bHookGetContextSuccess; ULONG g_JmpSetContextThread; UCHAR g_cSetContextCode[5]; BOOLEAN g_bHookSetContextSuccess;char* GetProcessNameByThread(PETHREAD Thread) {ULONG ProcessObj;if (MmIsAddressValid(Thread)){ProcessObj = *(ULONG*)((ULONG)Thread + 0x150);return (char*)(ProcessObj+0x16C);}return 0; }void PageProtectOn() {__asm{//恢復內存保護 mov eax,cr0or eax,10000hmov cr0,eaxsti} }void PageProtectOff() {__asm{//去掉內存保護 climov eax,cr0and eax,not 10000hmov cr0,eax} }BOOLEAN Jmp_HookFunction(IN ULONG Destination,IN ULONG Source,IN UCHAR *Ori_Code) {ULONG Jmp_Offest;UCHAR Jmp_Code[5] = {0xE9};KSPIN_LOCK lock;KIRQL irql;if (Destination==0||Source==0){DbgPrint("Params error!");return FALSE;}RtlCopyMemory(Ori_Code,(PVOID)Destination,5);Jmp_Offest = Source - Destination-5;*(ULONG*)&Jmp_Code[1] = Jmp_Offest;KeInitializeSpinLock (&lock );KeAcquireSpinLock(&lock,&irql);PageProtectOff();RtlCopyMemory((PVOID)Destination,Jmp_Code,5);PageProtectOn();KeReleaseSpinLock (&lock,irql);return TRUE; }VOID Res_HookFunction(IN ULONG Destination,IN UCHAR *Ori_Code,IN ULONG Length) {KSPIN_LOCK lock;KIRQL irql;if (Destination==0||Ori_Code==0){ return; }KeInitializeSpinLock (&lock );KeAcquireSpinLock(&lock,&irql);PageProtectOff();RtlCopyMemory((PVOID)Destination,Ori_Code,Length);PageProtectOn();KeReleaseSpinLock (&lock,irql); }FORCEINLINEVOIDProbeForReadSmallStructure (IN PVOID Address,IN SIZE_T Size,IN ULONG Alignment) //wrk源碼 {ASSERT((Alignment == 1) || (Alignment == 2) ||(Alignment == 4) || (Alignment == 8) ||(Alignment == 16));if ((Size == 0) || (Size >= 0x10000)) {ASSERT(0);ProbeForRead(Address, Size, Alignment);} else {if (((ULONG_PTR)Address & (Alignment - 1)) != 0) {ExRaiseDatatypeMisalignment();}if ((PUCHAR)Address >= (UCHAR * const)MM_USER_PROBE_ADDRESS) {Address = (UCHAR * const)MM_USER_PROBE_ADDRESS;}_ReadWriteBarrier();*(volatile UCHAR *)Address;} }void __stdcall FilterSetGetContextThread(PETHREAD Thread,PCONTEXT Context,KPROCESSOR_MODE AccessMode) {__try{if (AccessMode == UserMode){//wrk 參數校驗ProbeForReadSmallStructure(Context,sizeof(CONTEXT),PROBE_ALIGNMENT(CONTEXT));}else{*Context = *Context;}if (strstr(GetProcessNameByThread(Thread),"test.exe")!=NULL){if (strstr((char*)PsGetCurrentProcess()+0x16c,"ollydbg") != NULL){return;}//如果是要獲得調試寄存器的值，將Flags 的獲得調試寄存器清零，if (Context->ContextFlags | CONTEXT_DEBUG_REGISTERS){Context->ContextFlags = ~CONTEXT_DEBUG_REGISTERS;}}}__except(EXCEPTION_EXECUTE_HANDLER){return;} }void __declspec(naked) NewGetContextThread() {__asm{mov edi,edipush ebpmov ebp,esppush [ebp+0x10]push [ebp+0xc]push [ebp+0x8]call FilterSetGetContextThreadmov esp,ebppop ebpmov edi,edipush ebpmov ebp,espjmp g_JmpGetContextThread} }void __declspec(naked) NewSetContextThread() {__asm{mov edi,edipush ebpmov ebp,esppush [ebp+0x10]push [ebp+0xc]push [ebp+0x8]call FilterSetGetContextThreadmov esp,ebppop ebpmov edi,edipush ebpmov ebp,espjmp g_JmpSetContextThread} }void HookSetGetContextThread() {g_JmpGetContextThread = (ULONG)PsGetContextThread + 0x5;g_bHookGetContextSuccess = Jmp_HookFunction((ULONG)PsGetContextThread,(ULONG)NewGetContextThread,g_cGetContextCode);g_JmpSetContextThread = (ULONG)PsSetContextThread + 0x5;g_bHookSetContextSuccess = Jmp_HookFunction((ULONG)PsSetContextThread,(ULONG)NewSetContextThread,g_cSetContextCode); }void UnHookSetGetContextThread() {if (g_bHookGetContextSuccess){Res_HookFunction((ULONG)PsGetContextThread,g_cGetContextCode,5);}if (g_bHookSetContextSuccess){Res_HookFunction((ULONG)PsSetContextThread,g_cSetContextCode,5);} }void DriverUnLoad(PDRIVER_OBJECT pDriverObject) {UnHookSetGetContextThread(); }NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING usRegistPath) {UNICODE_STRING usFuncName1,usFuncName2;RtlInitUnicodeString(&usFuncName1,L"PsGetContextThread");RtlInitUnicodeString(&usFuncName2,L"PsSetContextThread");PsGetContextThread = (PSGETCONTEXTTHREAD)MmGetSystemRoutineAddress(&usFuncName1);PsSetContextThread = (PSSETCONTEXTTHREAD)MmGetSystemRoutineAddress(&usFuncName2);HookSetGetContextThread();pDriverObject->DriverUnload = DriverUnLoad;return STATUS_SUCCESS; }

?

?

?

在ring0可以直接改變Drx寄存器的值，設置硬件斷點來達到對某個函數的hook,這里以NtOpenProcess為例。我們知道內核層產生的異常都會由RtlDispatchException函數進行分發處理，所以我們首先要InlineHook RtlDispatchException函數，在對異常進行分發時先對異常進行過濾，如果異常地址是我們設置的硬件斷點“監控”的地址，則改變EIP，達到對目標函數“hook”的目的。

先InlineHook RtlDispatchException ,RtlDispatchException未導出，在KiDispatchException中被調用，KiDispatchException也未導出，采用的方法是暴力搜索整個內核文件Ntoskrnl.exe來匹配特征碼

VOID HookRtlDispatchException() {PLDR_DATA_TABLE_ENTRY Ldr = NULL;//構建RtlDispatchException 的特征碼// nt!KiDispatchException+0x160:// 83eff040 53 push ebx// 83eff041 ff750c push dword ptr [ebp+0Ch]// 83eff044 ff7510 push dword ptr [ebp+10h]// 83eff047 ff15bc49fb83 call dword ptr [nt!KiDebugRoutine (83fb49bc)]// 83eff04d 84c0 test al,al// 83eff04f 0f859d000000 jne nt!KiDispatchException+0x211 (83eff0f2)// 83eff055 57 push edi// 83eff056 53 push ebx// 83eff057 e8 a372ffff call nt!RtlDispatchException (83ef62ff)// kd> u 83ef62ff// nt!RtlDispatchException:// 83ef62ff 8bff mov edi,edi// 83ef6301 55 push ebp// 83ef6302 8bec mov ebp,esp// 83ef6304 83e4f8 and esp,0FFFFFFF8h// 83ef6307 83ec6c sub esp,6Ch// 83ef630a 53 push ebx// 83ef630b 56 push esi// 83ef630c 57 push edi SIGNATURE_INFO SignCode[] = {{0x84,10},{0xc0,9},{0x57,2},{0x53,1},{0xE8,0}}; #ifndef _DEBUG__asm int 3 #endif g_bHookSuccess = FALSE;Ldr = SearchDriver(g_LocalDriverObj,L"ntoskrnl.exe");if (!Ldr) return;g_RtlDispatchExeceptionAddress = SearchAddressForSignFromPE((ULONG_PTR)(Ldr->DllBase),Ldr->SizeOfImage,SignCode); if (!MmIsAddressValid((PVOID)g_RtlDispatchExeceptionAddress)) return;//利用偏移轉成絕對地址 +5 過e8 a372ffff 這五個字節g_RtlDispatchExeceptionAddress = g_RtlDispatchExeceptionAddress+5 + *(ULONG_PTR*)(g_RtlDispatchExeceptionAddress+1);//過被占的前5個字節，繼續執行的代碼DbgPrint("RtlDispatchExceptionAddresss:%x",g_RtlDispatchExeceptionAddress);g_JmpOrigDispatchException = g_RtlDispatchExeceptionAddress + 5;g_bHookSuccess = Jmp_HookFunction(g_RtlDispatchExeceptionAddress,(ULONG_PTR)NewRtlDispatchException,g_cDisExceptionCode); }

?

然后將要“監控”的目標地址寫入Dr0寄存器，當目標地址被執行的時候，觸發異常，執行RtlDispatchException函數，

VOID SetMonitor(PVOID Address) {__asm{mov eax , Addressmov DR0 , eaxmov eax , 0x02 //全局的，僅當執行時產生異常 mov DR7 , eax} }VOID CancelMonitor(PVOID Address) {__asm{xor eax , eaxmov DR0 , eaxmov DR7 , eax} }

?

RtlDispatchException的過濾函數，在這里改變Eip的值，異常處理完畢以后，開始執行NewNtOpenProcess?

ULONG_PTR _stdcallFilterRtlDispatchException (IN PEXCEPTION_RECORD ExceptionRecord,IN PCONTEXT ContextRecord) {//DbgPrint("Address:%x -- ExceptionCode:%x\r\n",ExceptionRecord->ExceptionAddress,ExceptionRecord->ExceptionCode);//如果是NtOpenProcess處的異常if (ExceptionRecord->ExceptionAddress == (PVOID)KeServiceDescriptorTable.ServiceTableBase[190]){KdPrint(("<Except addresss>:%X <seh callBack>:%X -- <Except code>:%X",ContextRecord->Eip,ExceptionRecord->ExceptionAddress,ExceptionRecord->ExceptionCode));//將執行的下一條指令置為NewNtOpenProcess() 函數的地址，CPU接著去執行NewNtOpenProcessContextRecord->Eip = (ULONG_PTR)NewNtOpenProcess;//返回TRUE,異常不再進行派發return 1;}return 0; }

?

NewNtOpenProcess只是簡單地調用FilterNtOpenProcess進行簡單的調用，打印一些基本的信息。

void __declspec(naked) NewNtOpenProcess() {__asm{pushadpushfdcall FilterNtOpenProcesspopfdpopadmov edi , edipush espmov ebp , esp//跳過NtOpenProcess的前五個字節，//避免再次觸發異常 jmp g_JmpOrigNtOpenProcess} }

?

完整的工程代碼

#ifndef CXX_DRXHOOK_H #define CXX_DRXHOOK_H#include <ntifs.h> #include <devioctl.h> #endif typedef struct _SYSTEM_SERVICE_TABLE32 {ULONG_PTR* ServiceTableBase;ULONG_PTR* ServiceCounterTableBase;ULONG32 NumberOfServices;ULONG_PTR* ParamTableBase; } SYSTEM_SERVICE_TABLE32, *PSYSTEM_SERVICE_TABLE32;typedef struct _SYSTEM_SERVICE_TABLE64{ULONG_PTR* ServiceTableBase; ULONG_PTR* ServiceCounterTableBase; ULONG64 NumberOfServices; ULONG_PTR* ParamTableBase; } SYSTEM_SERVICE_TABLE64, *PSYSTEM_SERVICE_TABLE64;#ifndef _WIN64 #define _SYSTEM_SERVICE_TABLE _SYSTEM_SERVICE_TABLE64 #define SYSTEM_SERVICE_TABLE SYSTEM_SERVICE_TABLE64 #define PSYSTEM_SERVICE_TABLE PSYSTEM_SERVICE_TABLE64 #else #define _SYSTEM_SERVICE_TABLE _SYSTEM_SERVICE_TABLE32 #define SYSTEM_SERVICE_TABLE SYSTEM_SERVICE_TABLE32 #define PSYSTEM_SERVICE_TABLE PSYSTEM_SERVICE_TABLE32 #endif__declspec(dllimport) SYSTEM_SERVICE_TABLE KeServiceDescriptorTable;//結構聲明 typedef struct _SIGNATURE_INFO{UCHAR cSingature;int Offset; }SIGNATURE_INFO,*PSIGNATURE_INFO;typedef struct _LDR_DATA_TABLE_ENTRY // 24 elements, 0x78 bytes (sizeof) { /*0x000*/ struct _LIST_ENTRY InLoadOrderLinks; // 2 elements, 0x8 bytes (sizeof) /*0x008*/ PVOID ExceptionTable; /*0x00C*/ ULONG ExceptionTableSize;/*0x010*/ struct _LIST_ENTRY InInitializationOrderLinks; // 2 elements, 0x8 bytes (sizeof) /*0x018*/ VOID* DllBase; /*0x01C*/ VOID* EntryPoint; /*0x020*/ ULONG32 SizeOfImage; /*0x024*/ struct _UNICODE_STRING FullDllName; // 3 elements, 0x8 bytes (sizeof) /*0x02C*/ struct _UNICODE_STRING BaseDllName; // 3 elements, 0x8 bytes (sizeof) /*0x034*/ ULONG32 Flags; /*0x038*/ UINT16 LoadCount; /*0x03A*/ UINT16 TlsIndex; union // 2 elements, 0x8 bytes (sizeof) { /*0x03C*/ struct _LIST_ENTRY HashLinks; // 2 elements, 0x8 bytes (sizeof) struct // 2 elements, 0x8 bytes (sizeof) { /*0x03C*/ VOID* SectionPointer; /*0x040*/ ULONG32 CheckSum; }; }; union // 2 elements, 0x4 bytes (sizeof) { /*0x044*/ ULONG32 TimeDateStamp; /*0x044*/ VOID* LoadedImports; }; /*0x048*/ VOID* EntryPointActivationContext; /*0x04C*/ VOID* PatchInformation; /*0x050*/ struct _LIST_ENTRY ForwarderLinks; // 2 elements, 0x8 bytes (sizeof) /*0x058*/ struct _LIST_ENTRY ServiceTagLinks; // 2 elements, 0x8 bytes (sizeof) /*0x060*/ struct _LIST_ENTRY StaticLinks; // 2 elements, 0x8 bytes (sizeof) /*0x068*/ VOID* ContextInformation; /*0x06C*/ ULONG32 OriginalBase; /*0x070*/ union _LARGE_INTEGER LoadTime; // 4 elements, 0x8 bytes (sizeof) }LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;ULONG_PTR _stdcallFilterRtlDispatchException (IN PEXCEPTION_RECORD ExceptionRecord,IN PCONTEXT ContextRecord); VOID HookRtlDispatchException(); VOID UnloadDriver(PDRIVER_OBJECT DriverObject); PLDR_DATA_TABLE_ENTRY SearchDriver(PDRIVER_OBJECT pDriverObject,wchar_t *strDriverName); BOOLEAN Jmp_HookFunction(IN ULONG Destination,IN ULONG Source,IN UCHAR *Ori_Code); VOID ResumeHookFunction(IN ULONG Destination,IN UCHAR *Ori_Code,IN ULONG Length); ULONG_PTR SearchAddressForSignFromPE(ULONG_PTR uStartBase,ULONG_PTR uSearchLength,SIGNATURE_INFO SignatureInfo[5]); VOID WPOFF(); NTSTATUS _stdcall FilterNtOpenProcess (); VOID WPON(); VOID SetMonitor(PVOID Address); VOID CancelMonitor(PVOID Address);#ifndef CXX_DRXHOOK_H # include "DrxHook.h" #endif#include <ntimage.h>KIRQL Irql; PDRIVER_OBJECT g_LocalDriverObj; BOOLEAN g_bHookSuccess; ULONG_PTR g_RtlDispatchExeceptionAddress; ULONG_PTR g_JmpOrigDispatchException; UCHAR g_cDisExceptionCode[5];ULONG_PTR g_JmpOrigNtOpenProcess;void __declspec(naked) NewNtOpenProcess() {__asm{pushadpushfdcall FilterNtOpenProcesspopfdpopadmov edi , edipush espmov ebp , esp//跳過NtOpenProcess的前五個字節，//避免再次觸發異常 jmp g_JmpOrigNtOpenProcess} }void __declspec(naked) NewRtlDispatchException() {__asm{mov edi,edipush ebpmov ebp , esppushad //保存所有寄存器pushfd //保存標志寄存器push [ebp+0xc]push [ebp+0x8]call FilterRtlDispatchException//檢測返回值是否為0 test eax , eaxjz __SafeExit // 若eax為0 跳轉__SafeExit popfdpopadmov esp , ebppop ebp// 將KiDispatchException中對于RtlDispatchException的返回值進行校驗，// 如果為0 則對異常進行重新派發，為1則不再做處理mov eax ,0x01 retn 0x8 //平衡堆棧，兩個參數8字節 __SafeExit:popfdpopadmov esp , ebppop ebp//先執行RtlDispatchException原來的5個字節的內容 mov edi , edipush ebpmov ebp , espjmp g_JmpOrigDispatchException} }NTSTATUS _stdcall FilterNtOpenProcess () {DbgPrint("FilterNtOpenProcess---%s\r\n",(ULONG_PTR)PsGetCurrentProcess()+0x16c);return STATUS_SUCCESS; }ULONG_PTR _stdcallFilterRtlDispatchException (IN PEXCEPTION_RECORD ExceptionRecord,IN PCONTEXT ContextRecord) {//DbgPrint("Address:%x -- ExceptionCode:%x\r\n",ExceptionRecord->ExceptionAddress,ExceptionRecord->ExceptionCode);//如果是NtOpenProcess處的異常if (ExceptionRecord->ExceptionAddress == (PVOID)KeServiceDescriptorTable.ServiceTableBase[190]){KdPrint(("<Except addresss>:%X <seh callBack>:%X -- <Except code>:%X",ContextRecord->Eip,ExceptionRecord->ExceptionAddress,ExceptionRecord->ExceptionCode));//將執行的下一條指令置為NewNtOpenProcess() 函數的地址，CPU接著去執行NewNtOpenProcessContextRecord->Eip = (ULONG_PTR)NewNtOpenProcess;//返回TRUE,異常不再進行派發return 1;}return 0; } VOID SetMonitor(PVOID Address) {__asm{mov eax , Addressmov DR0 , eaxmov eax , 0x02 //全局的，僅當執行時產生異常 mov DR7 , eax} }VOID CancelMonitor(PVOID Address) {__asm{xor eax , eaxmov DR0 , eaxmov DR7 , eax} } NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING RegistryString) {NTSTATUS Status = STATUS_SUCCESS;g_LocalDriverObj = pDriverObject;HookRtlDispatchException();g_JmpOrigNtOpenProcess = (ULONG_PTR)(KeServiceDescriptorTable.ServiceTableBase[190] + 0x5);//為了方便，這里寫死了，NtOpenProcess Win7 x86 SetMonitor((PVOID)KeServiceDescriptorTable.ServiceTableBase[190]);return Status; }VOID HookRtlDispatchException() {PLDR_DATA_TABLE_ENTRY Ldr = NULL;//構建RtlDispatchException 的特征碼// nt!KiDispatchException+0x160:// 83eff040 53 push ebx// 83eff041 ff750c push dword ptr [ebp+0Ch]// 83eff044 ff7510 push dword ptr [ebp+10h]// 83eff047 ff15bc49fb83 call dword ptr [nt!KiDebugRoutine (83fb49bc)]// 83eff04d 84c0 test al,al// 83eff04f 0f859d000000 jne nt!KiDispatchException+0x211 (83eff0f2)// 83eff055 57 push edi// 83eff056 53 push ebx// 83eff057 e8 a372ffff call nt!RtlDispatchException (83ef62ff)// kd> u 83ef62ff// nt!RtlDispatchException:// 83ef62ff 8bff mov edi,edi// 83ef6301 55 push ebp// 83ef6302 8bec mov ebp,esp// 83ef6304 83e4f8 and esp,0FFFFFFF8h// 83ef6307 83ec6c sub esp,6Ch// 83ef630a 53 push ebx// 83ef630b 56 push esi// 83ef630c 57 push edi SIGNATURE_INFO SignCode[] = {{0x84,10},{0xc0,9},{0x57,2},{0x53,1},{0xE8,0}}; #ifndef _DEBUG__asm int 3 #endif g_bHookSuccess = FALSE;Ldr = SearchDriver(g_LocalDriverObj,L"ntoskrnl.exe");if (!Ldr) return;g_RtlDispatchExeceptionAddress = SearchAddressForSignFromPE((ULONG_PTR)(Ldr->DllBase),Ldr->SizeOfImage,SignCode); if (!MmIsAddressValid((PVOID)g_RtlDispatchExeceptionAddress)) return;//利用偏移轉成絕對地址 +5 過e8 a372ffff 這五個字節g_RtlDispatchExeceptionAddress = g_RtlDispatchExeceptionAddress+5 + *(ULONG_PTR*)(g_RtlDispatchExeceptionAddress+1);//過被占的前5個字節，繼續執行的代碼DbgPrint("RtlDispatchExceptionAddresss:%x",g_RtlDispatchExeceptionAddress);g_JmpOrigDispatchException = g_RtlDispatchExeceptionAddress + 5;g_bHookSuccess = Jmp_HookFunction(g_RtlDispatchExeceptionAddress,(ULONG_PTR)NewRtlDispatchException,g_cDisExceptionCode); }//搜索整個PE文件的 ULONG_PTR SearchAddressForSignFromPE(ULONG_PTR uStartBase,ULONG_PTR uSearchLength,SIGNATURE_INFO SignatureInfo[5]) {UCHAR *p;ULONG_PTR u_index1,u_index2;//ULONG uIndex; PIMAGE_DOS_HEADER pimage_dos_header;PIMAGE_NT_HEADERS pimage_nt_header;PIMAGE_SECTION_HEADER pimage_section_header;if(!MmIsAddressValid((PVOID)uStartBase)){ return 0; }pimage_dos_header = (PIMAGE_DOS_HEADER)uStartBase;pimage_nt_header = (PIMAGE_NT_HEADERS)((ULONG)uStartBase+pimage_dos_header->e_lfanew);pimage_section_header = (PIMAGE_SECTION_HEADER)((ULONG)pimage_nt_header+sizeof(IMAGE_NT_HEADERS));for (u_index1 = 0;u_index1<pimage_nt_header->FileHeader.NumberOfSections;u_index1++){//#define IMAGE_SCN_MEM_EXECUTE 0x20000000 // Section is executable.//#define IMAGE_SCN_MEM_READ 0x40000000 // Section is readable.//#define IMAGE_SCN_MEM_WRITE 0x80000000 // Section is writeable.//0x60000000 = IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READif (pimage_section_header[u_index1].Characteristics&0x60000000){p = (UCHAR*)uStartBase + pimage_section_header[u_index1].VirtualAddress;for (u_index2 = 0;u_index2<pimage_section_header[u_index1].Misc.VirtualSize;u_index2++){if (!MmIsAddressValid((p-SignatureInfo[0].Offset))||!MmIsAddressValid((p-SignatureInfo[4].Offset))){p++;continue;}__try{if (*(p-SignatureInfo[0].Offset)==SignatureInfo[0].cSingature&&*(p-SignatureInfo[1].Offset)==SignatureInfo[1].cSingature&&*(p-SignatureInfo[2].Offset)==SignatureInfo[2].cSingature&&*(p-SignatureInfo[3].Offset)==SignatureInfo[3].cSingature&&*(p-SignatureInfo[4].Offset)==SignatureInfo[4].cSingature){return (ULONG_PTR)p;}}__except(EXCEPTION_EXECUTE_HANDLER){DbgPrint("Search error!");}p++;}}}return 0; }BOOLEAN Jmp_HookFunction(IN ULONG Destination,IN ULONG Source,IN UCHAR *Ori_Code) {ULONG jmp_offset;UCHAR jmp_code[5] = {0xE9};KSPIN_LOCK lock;KIRQL irql;if (Destination==0||Source==0){DbgPrint("Params error!");return FALSE;}RtlCopyMemory(Ori_Code,(PVOID)Destination,5);jmp_offset = Source - (Destination+5);*(ULONG*)&jmp_code[1] = jmp_offset; //放入偏移 KeInitializeSpinLock (&lock );KeAcquireSpinLock(&lock,&irql);WPOFF();RtlCopyMemory((PVOID)Destination,jmp_code,5);WPON();KeReleaseSpinLock (&lock,irql);return TRUE; }VOID WPOFF() {ULONG_PTR cr0 = 0;Irql = KeRaiseIrqlToDpcLevel();cr0 =__readcr0();cr0 &= 0xfffffffffffeffff;__writecr0(cr0);}VOID WPON() {ULONG_PTR cr0=__readcr0();cr0 |= 0x10000;__writecr0(cr0);KeLowerIrql(Irql); }//簡單的通過鏈表獲得內核模塊的基本信息 PLDR_DATA_TABLE_ENTRY SearchDriver(PDRIVER_OBJECT pDriverObject,wchar_t *strDriverName) {LDR_DATA_TABLE_ENTRY *pdata_table_entry,*ptemp_data_table_entry;PLIST_ENTRY plist;UNICODE_STRING str_module_name;RtlInitUnicodeString(&str_module_name,strDriverName);pdata_table_entry = (LDR_DATA_TABLE_ENTRY*)pDriverObject->DriverSection;if (!pdata_table_entry){return 0;}plist = pdata_table_entry->InLoadOrderLinks.Flink;while(plist!= &pdata_table_entry->InLoadOrderLinks){ptemp_data_table_entry = (LDR_DATA_TABLE_ENTRY *)plist;//DbgPrint("%wZ",&pTempDataTableEntry->BaseDllName);if (0==RtlCompareUnicodeString(&ptemp_data_table_entry->BaseDllName,&str_module_name,FALSE)){return ptemp_data_table_entry;}plist = plist->Flink;}return 0; }VOID UnloadDriver(PDRIVER_OBJECT DriverObject) {if (g_bHookSuccess){ResumeHookFunction(g_RtlDispatchExeceptionAddress,g_cDisExceptionCode,0x5);}}VOID ResumeHookFunction(IN ULONG Destination,IN UCHAR *Ori_Code,IN ULONG Length) {KSPIN_LOCK lock;KIRQL irql;if (Destination==0||Ori_Code==0) return; KeInitializeSpinLock (&lock );KeAcquireSpinLock(&lock,&irql);WPOFF();RtlCopyMemory((PVOID)Destination,Ori_Code,Length);WPON();KeReleaseSpinLock (&lock,irql); }

?

轉載于:https://www.cnblogs.com/lanrenxinxin/p/4680320.html

總結

以上是生活随笔為你收集整理的硬件断点 DrxHook的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。