分类
反反调试

WIN7X64自定义硬断

我只是截了我代码中的关键片段~至于详细的，你们自己想。
控制是否恢复DR的是DR7和dbgactive这两个，或者patch相关字节~

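 /*
  * Restore the hardware debug registers (DR0-DR3, DR6, DR7) of the current
  * thread from the driver's own per-thread saved copy.
  *
  * Lookup chain: PsGetCurrentThread -> IoThreadToProcess ->
  * Dr_FindProcessList -> Dr_FindThreadContextByThreadList.  If any step
  * yields NULL the function returns without touching the debug registers.
  *
  * Only the low 32 bits of each saved value are written; the high half is
  * always zero (same effect as the LARGE_INTEGER.LowPart copy this replaces,
  * without type-punning a ULONG64 through a PLARGE_INTEGER).
  *
  * Fixes vs. the original: `return 0;` in a VOID function, `ULONG64 UDR = NULL`
  * (pointer constant assigned to an integer) and the mismatched-pointer cast.
  *
  * NOTE(review): the saved Dr7 is written unmasked -- reserved/GD bits are not
  * sanitized here, so whatever fills THREAD_dr_List must store sane values.
  * NOTE(review): the prose says this runs on the kernel->user transition; the
  * IRQL/context requirements of the Dr_Find* helpers are not visible here --
  * confirm they are safe to call from that path.
  *
  * No parameters, no return value.
  */
 VOID T_KiRestoreDebugRegisterState(void)
 {
     PETHREAD Thread = NULL;
     PEPROCESS Process = NULL;
     PPROCESS_List ProcessEntry = NULL;
     PTHREAD_dr_List ThreadEntry = NULL;

     Thread = PsGetCurrentThread();
     if (Thread == NULL) {
         return;
     }

     Process = IoThreadToProcess(Thread);
     if (Process == NULL) {
         return;
     }

     ProcessEntry = Dr_FindProcessList(Process);
     if (ProcessEntry == NULL) {
         return;
     }

     ThreadEntry = Dr_FindThreadContextByThreadList(ProcessEntry, Thread);
     if (ThreadEntry == NULL) {
         return;
     }

     /* __writedr takes a 64-bit value; zero-extend the saved 32-bit halves.
      * The (ULONG) cast keeps the LowPart-only semantics of the original even
      * if the list fields are ever widened. */
     __writedr(0, (ULONG64)(ULONG)ThreadEntry->Dr0);
     __writedr(1, (ULONG64)(ULONG)ThreadEntry->Dr1);
     __writedr(2, (ULONG64)(ULONG)ThreadEntry->Dr2);
     __writedr(3, (ULONG64)(ULONG)ThreadEntry->Dr3);
     __writedr(6, (ULONG64)(ULONG)ThreadEntry->Dr6);
     __writedr(7, (ULONG64)(ULONG)ThreadEntry->Dr7);
 }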

/* Excerpt: the enclosing function begins and ends outside this snippet;
 * contex, mycontex, pframe and Thread are declared there (Thread must be a
 * byte-addressable type here, since it is used in pointer arithmetic). */

/* NOTE(review): a non-zero incoming Dr7 sets the byte at Thread + 0x3 to
 * 0x40.  The prose names "dbgactive" as the second switch, so this is
 * presumably the Win7 x64 per-thread debug-active flag -- the offset is
 * build-specific and should be verified against the target kernel.
 * Dr7 is an integer field; `!= NULL` works but `!= 0` is what is meant. */
if (contex->Dr7 != NULL)
 {
 *(UCHAR*)(Thread + 0x3) = 0x40;

}

/* Keep a private copy of the caller-supplied DR0-DR3, DR6, DR7 and EFlags
 * before the context is rewritten below. */
mycontex.Dr0 = contex->Dr0;
 mycontex.Dr1 = contex->Dr1;
 mycontex.Dr2 = contex->Dr2;
 mycontex.Dr3 = contex->Dr3;
 mycontex.Dr6 = contex->Dr6;
 mycontex.Dr7 = contex->Dr7;
 mycontex.EFlags = contex->EFlags;
 /* Replace the context's DR0-DR3 and DR6 with the low 32 bits of the
  * corresponding trap-frame fields.  DR7 and EFlags are deliberately left
  * as supplied: the two assignments for them are commented out. */
 contex->Dr0 = ((PLARGE_INTEGER)(&pframe->Dr0))->LowPart;
 contex->Dr1 = ((PLARGE_INTEGER)(&pframe->Dr1))->LowPart;
 contex->Dr2 = ((PLARGE_INTEGER)(&pframe->Dr2))->LowPart;
 contex->Dr3 = ((PLARGE_INTEGER)(&pframe->Dr3))->LowPart;
 contex->Dr6 = ((PLARGE_INTEGER)(&pframe->Dr6))->LowPart;
 // contex->Dr7 = ((PLARGE_INTEGER)(&pframe->Dr7))->LowPart;
 // contex->EFlags = pframe->EFlags;

实现内核切用户层时恢复DR


由FAKE

Через тернии к звездам,
через радость и слезы
Мы проложим дорогу
