
X64 HOOK IDT

kd> dt nt!_KIDTENTRY64 @idtr + @@(sizeof(nt!_KIDTENTRY64))
 +0x000 OffsetLow : 0x44c0
 +0x002 Selector : 0x10
 +0x004 IstIndex : 0y000
 +0x004 Reserved0 : 0y00000 (0)
 +0x004 Type : 0y01110 (0xe)
 +0x004 Dpl : 0y00
 +0x004 Present : 0y1
 +0x006 OffsetMiddle : 0x40e
 +0x008 OffsetHigh : 0xfffff800
 +0x00c Reserved1 : 0
 +0x000 Alignment : 0x40e8e00`001044c0
 kd> !idt 1

Dumping IDT:

01: fffff800040e44c0 nt!KiDebugTrapOrFault

#pragma pack(1)
/*
 * In-memory operand of the SIDT instruction (see __sidt in HOOKIDT):
 * a 16-bit table limit followed immediately by the 64-bit linear base.
 * Packed to 1 so the base lands at offset 2 with no padding.
 */
typedef struct {
    USHORT  limit;   /* size of the IDT in bytes minus one */
    ULONG64 BASE;    /* linear address of the first gate descriptor */
} IDT_INFO, *PIDT_INFO;

/*
 * 64-bit IDT gate descriptor, laid out to match nt!_KIDTENTRY64 as shown in
 * the kd dump above (the offsets in the field comments are taken from that
 * dump).  The handler's linear address is split across OffsetLow (bits
 * 0-15), OffsetMiddle (bits 16-31) and OffsetHigh (bits 32-63); HOOKIDT
 * reassembles and rewrites it field by field.
 */
typedef union _KIDTENTRY64
 {
 struct
 {
 USHORT OffsetLow;        /* +0x000 handler address bits 0-15 */
 USHORT Selector;         /* +0x002 code segment selector (0x10 in the dump) */
 USHORT IstIndex : 3;     /* +0x004 interrupt stack table slot, 0 = none */
 USHORT Reserved0 : 5;
 USHORT Type : 5;         /* gate type; 0xe in the dump */
 USHORT Dpl : 2;          /* privilege required to raise this vector with INT */
 USHORT Present : 1;
 USHORT OffsetMiddle;     /* +0x006 handler address bits 16-31 */
 ULONG OffsetHigh;        /* +0x008 handler address bits 32-63 */
 ULONG Reserved1;         /* +0x00c */
 };
 UINT64 Alignment;        /* +0x000 overlays only the first 8 of the 16 bytes */
 } KIDTENTRY64, *PKIDTENTRY64;

#pragma pack()
/*
 * Call signature used for KeSetAffinityThread, which HOOKIDT resolves by
 * name at runtime through MmGetSystemRoutineAddress rather than linking
 * against it directly (presumably not exported by the import library in
 * use; verify against the target WDK).
 * NOTE(review): the WDK declares the routine as returning the previous
 * KAFFINITY mask, not NTSTATUS; HOOKIDT ignores the return value, so the
 * mismatch is harmless there.
 */
typedef NTSTATUS (NTAPI *_KeSetAffinityThread)(IN PKTHREAD Thread,
                                               IN KAFFINITY Affinity);
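 /*
  * Point IDT vector IDTID at NewfcuncAddress on every active processor.
  *
  * The IDT is read with SIDT after pinning the current thread to each
  * processor in turn, so each CPU's own table is patched.  Only the three
  * Offset fields of the gate are rewritten; Selector, Type, Dpl, Present
  * and IstIndex are left untouched.
  *
  * IDTID            vector number (0..255) of the gate to patch
  * NewfcuncAddress  address of the replacement handler; assumed to be
  *                  resident, nonpaged code (not checked here)
  * oldTRAP1         in/out: if *oldTRAP1 is NULL it receives the handler
  *                  address read from the first processor visited; a
  *                  non-NULL value is kept (lets a caller preserve an
  *                  earlier saved original).  Only one CPU's value is
  *                  recorded, so the code assumes all CPUs hold the same
  *                  handler for this vector.
  *
  * Returns STATUS_SUCCESS; STATUS_INVALID_PARAMETER for an out-of-range
  * vector or an unusable output pointer; STATUS_PROCEDURE_NOT_FOUND if
  * KeSetAffinityThread could not be resolved.
  *
  * NOTE(review): on x64 the IDT is among the structures Kernel Patch
  * Protection checks, so a rewritten gate is expected to be detected and
  * to bugcheck the machine.  The three field stores are also not a single
  * atomic 16-byte write; a non-maskable interrupt arriving between them
  * on this CPU would dispatch through a half-updated descriptor.
  */
 NTSTATUS HOOKIDT(ULONG IDTID, PVOID NewfcuncAddress,__out PVOID * oldTRAP1){
     KIRQL oldIrql;
     KAFFINITY processOrs;
     PKTHREAD thread;
     ULONG i;
     IDT_INFO idtinfo;
     ULONGLONG oldTrap;
     ULONGLONG newTrap;
     KIDTENTRY64 *idt_entry;
     UNICODE_STRING ustrKeSetAffinityThread;
     _KeSetAffinityThread KeSetAffinityThread;

     /* The IDT holds at most 256 gates; a larger index would read and write
      * past the table. */
     if (IDTID > 255) {
         return STATUS_INVALID_PARAMETER;
     }
     /* MmIsAddressValid only reports whether the page is resident right now;
      * it does not validate a user-mode pointer.  The caller is expected to
      * be kernel code passing a kernel-mode variable.  A bare 1 was returned
      * here before, which NT_SUCCESS() treats as success. */
     if (oldTRAP1 == NULL || !MmIsAddressValid(oldTRAP1)) {
         return STATUS_INVALID_PARAMETER;
     }

     RtlInitUnicodeString(&ustrKeSetAffinityThread, L"KeSetAffinityThread");
     KeSetAffinityThread = (_KeSetAffinityThread)MmGetSystemRoutineAddress(&ustrKeSetAffinityThread);
     if (KeSetAffinityThread == NULL) {
         return STATUS_PROCEDURE_NOT_FOUND;
     }

     processOrs = KeQueryActiveProcessors();
     thread = KeGetCurrentThread();
     newTrap = (ULONGLONG)(ULONG_PTR)NewfcuncAddress;

     /* KAFFINITY is 64 bits wide on x64: walk every bit of the mask and
      * build the single-CPU mask in KAFFINITY, not int (1 << 31 overflows
      * int and processors 32..63 would otherwise be skipped). */
     for (i = 0; i < sizeof(KAFFINITY) * 8; i++) {
         KAFFINITY curProc = processOrs & ((KAFFINITY)1 << i);
         if (curProc == 0) {
             continue;
         }

         /* Pin to this CPU so SIDT returns its table. */
         KeSetAffinityThread(thread, curProc);
         __sidt(&idtinfo);
         idt_entry = (KIDTENTRY64 *)(ULONG_PTR)idtinfo.BASE;

         /* limit is the last valid byte offset; refuse a vector the table
          * on this CPU does not actually contain. */
         if ((IDTID + 1) * (ULONG)sizeof(KIDTENTRY64) > (ULONG)idtinfo.limit + 1u) {
             KeSetAffinityThread(thread, processOrs);
             return STATUS_INVALID_PARAMETER;
         }

         oldTrap = ((ULONGLONG)idt_entry[IDTID].OffsetHigh << 32)
                 | ((ULONGLONG)idt_entry[IDTID].OffsetMiddle << 16)
                 | (ULONGLONG)idt_entry[IDTID].OffsetLow;
         if (*oldTRAP1 == NULL) {
             *oldTRAP1 = (PVOID)(ULONG_PTR)oldTrap;
         }

         /* HIGH_LEVEL masks maskable interrupts on this CPU while the gate
          * is rewritten (NMIs are not masked, see the note above). */
         KeRaiseIrql(HIGH_LEVEL, &oldIrql);
         idt_entry[IDTID].OffsetLow = (USHORT)(newTrap & 0xFFFF);
         idt_entry[IDTID].OffsetMiddle = (USHORT)((newTrap >> 16) & 0xFFFF);
         idt_entry[IDTID].OffsetHigh = (ULONG)(newTrap >> 32);
         KeLowerIrql(oldIrql);
     }

     /* Let the thread run on any active processor again.  The thread's
      * affinity from before the call is not saved, so this is the active
      * set, not necessarily the original mask. */
     KeSetAffinityThread(thread, processOrs);
     return STATUS_SUCCESS;
 }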

由FAKE

Через тернии к звездам,
через радость и слезы
Мы проложим дорогу
