WIN7X64自定义硬断
来源:互联网 发布:卖店铺淘宝客软件 编辑:程序博客网 时间:2024/04/30 01:34
我只是 截了 我代码中的 关键片段~至于 详细的 你们自己想
控制是否 恢复DR的是 DR7和dbgactive这两个 或者patch相关字节~
VOID T_KiRestoreDebugRegisterState(){
PEPROCESS Process=NULL;
PETHREAD Thread=NULL;
PPROCESS_List PlIST = NULL;;
PTHREAD_dr_List TList = NULL;
ULONG64 UDR = NULL;
PLARGE_INTEGER PDR = &UDR;
Thread = PsGetCurrentThread();
if (Thread!=NULL)
{
Process = IoThreadToProcess(Thread);
if (Process != NULL){
PlIST = Dr_FindProcessList(Process);
if (PlIST != NULL)
{
TList = Dr_FindThreadContextByThreadList(PlIST, Thread);
if (TList != NULL)
{
PDR->LowPart = TList->Dr0;
PDR->HighPart = 0x00000000;
__writedr(0, UDR);
PDR->LowPart = TList->Dr1;
PDR->HighPart = 0x00000000;
__writedr(1, UDR);
PDR->LowPart = TList->Dr2;
PDR->HighPart = 0x00000000;
__writedr(2, UDR);
PDR->LowPart = TList->Dr3;
PDR->HighPart = 0x00000000;
__writedr(3, UDR);
PDR->LowPart = TList->Dr6;
PDR->HighPart = 0x00000000;
__writedr(6, UDR);
PDR->LowPart = TList->Dr7;
PDR->HighPart = 0x00000000;
__writedr(7, UDR);
}
}
}
}
return 0;
}
if (contex->Dr7 != NULL)
{
*(UCHAR*)(Thread + 0x3) = 0x40;
}
mycontex.Dr0 = contex->Dr0;
mycontex.Dr1 = contex->Dr1;
mycontex.Dr2 = contex->Dr2;
mycontex.Dr3 = contex->Dr3;
mycontex.Dr6 = contex->Dr6;
mycontex.Dr7 = contex->Dr7;
mycontex.EFlags = contex->EFlags;
contex->Dr0 = ((PLARGE_INTEGER)(&pframe->Dr0))->LowPart;
contex->Dr1 = ((PLARGE_INTEGER)(&pframe->Dr1))->LowPart;
contex->Dr2 = ((PLARGE_INTEGER)(&pframe->Dr2))->LowPart;
contex->Dr3 = ((PLARGE_INTEGER)(&pframe->Dr3))->LowPart;
contex->Dr6 = ((PLARGE_INTEGER)(&pframe->Dr6))->LowPart;
// contex->Dr7 = ((PLARGE_INTEGER)(&pframe->Dr7))->LowPart;
// contex->EFlags = pframe->EFlags;
实现 内核切用户层恢复DR
控制是否 恢复DR的是 DR7和dbgactive这两个 或者patch相关字节~
VOID T_KiRestoreDebugRegisterState(){
PEPROCESS Process=NULL;
PETHREAD Thread=NULL;
PPROCESS_List PlIST = NULL;;
PTHREAD_dr_List TList = NULL;
ULONG64 UDR = NULL;
PLARGE_INTEGER PDR = &UDR;
Thread = PsGetCurrentThread();
if (Thread!=NULL)
{
Process = IoThreadToProcess(Thread);
if (Process != NULL){
PlIST = Dr_FindProcessList(Process);
if (PlIST != NULL)
{
TList = Dr_FindThreadContextByThreadList(PlIST, Thread);
if (TList != NULL)
{
PDR->LowPart = TList->Dr0;
PDR->HighPart = 0x00000000;
__writedr(0, UDR);
PDR->LowPart = TList->Dr1;
PDR->HighPart = 0x00000000;
__writedr(1, UDR);
PDR->LowPart = TList->Dr2;
PDR->HighPart = 0x00000000;
__writedr(2, UDR);
PDR->LowPart = TList->Dr3;
PDR->HighPart = 0x00000000;
__writedr(3, UDR);
PDR->LowPart = TList->Dr6;
PDR->HighPart = 0x00000000;
__writedr(6, UDR);
PDR->LowPart = TList->Dr7;
PDR->HighPart = 0x00000000;
__writedr(7, UDR);
}
}
}
}
return 0;
}
if (contex->Dr7 != NULL)
{
*(UCHAR*)(Thread + 0x3) = 0x40;
}
mycontex.Dr0 = contex->Dr0;
mycontex.Dr1 = contex->Dr1;
mycontex.Dr2 = contex->Dr2;
mycontex.Dr3 = contex->Dr3;
mycontex.Dr6 = contex->Dr6;
mycontex.Dr7 = contex->Dr7;
mycontex.EFlags = contex->EFlags;
contex->Dr0 = ((PLARGE_INTEGER)(&pframe->Dr0))->LowPart;
contex->Dr1 = ((PLARGE_INTEGER)(&pframe->Dr1))->LowPart;
contex->Dr2 = ((PLARGE_INTEGER)(&pframe->Dr2))->LowPart;
contex->Dr3 = ((PLARGE_INTEGER)(&pframe->Dr3))->LowPart;
contex->Dr6 = ((PLARGE_INTEGER)(&pframe->Dr6))->LowPart;
// contex->Dr7 = ((PLARGE_INTEGER)(&pframe->Dr7))->LowPart;
// contex->EFlags = pframe->EFlags;
实现 内核切用户层恢复DR
0 0
- WIN7X64自定义硬断
- 刚刚换了win7x64
- Chrome for win7x64
- win7x64使用mapx
- ocx-win7x64-ie
- win7x64安装plsql
- MyEclipse10/Win7x64安装SVN
- mysql 5.6 win7X64 配置
- win7x64编译poco
- win7x64+vs2008+OPNET
- Win7x64+cuda8+PyTorch+VS2015
- WIN7x64 禁用驱动程序签名强制
- VS2012+win7x64+OpenCV2.4.2安装
- win7x64下实现进程保护
- win7x64上安装Python2.7.13
- Android 硬菜之圆角Dialog显示自定义布局(无棱角)
- 无痕HOOK方式=硬断+VEH
- 硬球
- 成为Java高手的25个学习要点
- 每天一个linux命令-rm
- Java设计模式(三):工厂模式(简单工厂模式、工厂方法模式、抽象工厂模式)
- java输出所有的字符编码
- S-Function 使用及应用举例
- WIN7X64自定义硬断
- Servlet中获取ServletContext(jsp中application)
- win7添加打印机
- android视频播放(二) 利用android原生的MediaPlayer+SurfaceView
- codeforces_667D. World Tour
- 第6章 应用逻辑顺序
- dev记录
- AndroidOrientation Sensor(方向传感器),新的替代方法详解(安卓官方提供)
- Android如何使用NoHttp
