WIN7X64自定义硬断

发布于 2016-05-26  620 次阅读


我只是截取了我代码中的关键片段，至于详细的实现，你们自己想。
控制是否恢复 DR 的是 DR7 和 dbgactive 这两个，或者 patch 相关字节。
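/*
 * Zero-extend the low 32 bits of a saved debug-register value so it can be
 * passed to __writedr() as a 64-bit operand.
 *
 * The original code copied each saved value through LARGE_INTEGER.LowPart and
 * forced HighPart to zero, i.e. only the low 32 bits were ever restored; this
 * helper keeps that exact result without type-punning a ULONG64 through a
 * PLARGE_INTEGER cast.
 *
 * NOTE(review): on x64, DR0-DR3 hold 64-bit linear addresses, so a breakpoint
 * address above 4 GiB is truncated here — confirm the width of the list fields.
 */
static ULONG64 Dr_ZeroExtendLow32(ULONG64 Value)
{
    return Value & 0xFFFFFFFFULL;
}

/*
 * T_KiRestoreDebugRegisterState - reload DR0-DR3, DR6 and DR7 for the current
 * thread from the driver's per-thread record.
 *
 * Resolves the current thread to its process, looks the process up in the
 * driver's process list, then looks the thread up in that process's
 * debug-register list. If any step yields no entry, the hardware registers
 * are left untouched.
 *
 * Parameters: none.
 * Returns: nothing. (The original was declared VOID but ended in
 * `return 0;`, which is a constraint violation in C.)
 *
 * Side effects: writes the debug registers of the processor this runs on.
 * IRQL and preemption requirements are inherited from the caller of the
 * hook; they are not visible here — confirm at the hook installation site.
 *
 * NOTE(review): the saved values are written to the hardware as-is. If they
 * originate from a user-supplied thread context (the surrounding fragments
 * suggest so), DR7 should be validated (reserved bits, GD) before it reaches
 * __writedr(); no such check exists in this path.
 */
VOID T_KiRestoreDebugRegisterState(VOID)
{
    /* Declarations kept at the top: WDK C builds of this era are C89-only. */
    PETHREAD Thread = PsGetCurrentThread();
    PEPROCESS Process = NULL;
    PPROCESS_List ProcessEntry = NULL;
    PTHREAD_dr_List ThreadEntry = NULL;

    if (Thread == NULL) {
        return;
    }

    Process = IoThreadToProcess(Thread);
    if (Process == NULL) {
        return;
    }

    ProcessEntry = Dr_FindProcessList(Process);
    if (ProcessEntry == NULL) {
        return;
    }

    ThreadEntry = Dr_FindThreadContextByThreadList(ProcessEntry, Thread);
    if (ThreadEntry == NULL) {
        return;
    }

    /* Address registers first. */
    __writedr(0, Dr_ZeroExtendLow32(ThreadEntry->Dr0));
    __writedr(1, Dr_ZeroExtendLow32(ThreadEntry->Dr1));
    __writedr(2, Dr_ZeroExtendLow32(ThreadEntry->Dr2));
    __writedr(3, Dr_ZeroExtendLow32(ThreadEntry->Dr3));

    /* Status register. */
    __writedr(6, Dr_ZeroExtendLow32(ThreadEntry->Dr6));

    /*
     * DR7 last (same order as the original): its enable/condition bits only
     * take effect once DR0-DR3 already hold their final addresses.
     */
    __writedr(7, Dr_ZeroExtendLow32(ThreadEntry->Dr7));
}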

if (contex->Dr7 != NULL)
{
*(UCHAR*)(Thread + 0x3) = 0x40;

}

mycontex.Dr0 = contex->Dr0;
mycontex.Dr1 = contex->Dr1;
mycontex.Dr2 = contex->Dr2;
mycontex.Dr3 = contex->Dr3;
mycontex.Dr6 = contex->Dr6;
mycontex.Dr7 = contex->Dr7;
mycontex.EFlags = contex->EFlags;
contex->Dr0 = ((PLARGE_INTEGER)(&pframe->Dr0))->LowPart;
contex->Dr1 = ((PLARGE_INTEGER)(&pframe->Dr1))->LowPart;
contex->Dr2 = ((PLARGE_INTEGER)(&pframe->Dr2))->LowPart;
contex->Dr3 = ((PLARGE_INTEGER)(&pframe->Dr3))->LowPart;
contex->Dr6 = ((PLARGE_INTEGER)(&pframe->Dr6))->LowPart;
// contex->Dr7 = ((PLARGE_INTEGER)(&pframe->Dr7))->LowPart;
// contex->EFlags = pframe->EFlags;
实现内核切换到用户层时恢复 DR。

本站文章基于国际协议BY-NA-SA 4.0协议共享;
如未特殊说明,本站文章皆为原创文章,请规范转载。

