|
|
vfer
发表于 2010-9-30 22:11
本帖最后由 vfer 于 2010-10-1 01:04 编辑
这个是一个DEMO 但是重点在R3上不再R0
这是献给吾爱的
这个实际上我看不懂 如果你懂了 请教教我
//#define PROCESS_PAGE_DIR_BASE 0xC0300000
//#define PROCESS_PAGE_TABLE_BASE 0xC0000000
//#define HIGHEST_USER_ADDRESS 0x7FFFFFFF
#define MAKELONG(a, b) ((unsigned long) (((unsigned short) (a)) | ((unsigned long) ((unsigned short) (b))) << 16))
//////////////////////////////////////////////////////////////////////////
//typedef ULONG (*LoadTlb)(void);
PVOID p=NULL;
PMDL pmdl=0;
BOOLEAN IsLock=FALSE;
BOOLEAN IsIntHooked=FALSE;
SHADOWHOOK_INFO MyShadowHookInfo;
ULONG g_TargetPid=0;
ULONG ActiveCr3=0xFFFFFFFF;
ULONG g_LoadTlb;
ULONG start_range=0;
ULONG end_range=0;
ULONG ProcessListOffset=0;
ULONG NtBase=0;
WIN_VER_DETAIL g_WinVer;//系统版本
BOOLEAN Killed;
BOOLEAN IsPae;
ULONG old_int0es[32]={0};
ULONG old_int0e=0;
ULONG g_OldInt0EHander=0;
MMACCESSFAULT MmAccessFault;
BOOLEAN Allocated=FALSE;
//////////////////////////////////////////////////////////////////////////
void GetValue();
ULONG GetPteAddress( PVOID VirtualAddress );
void PrintIsLarge(ULONG Address);
void HookInterupt(ULONG newInterput,ULONG Index,ULONG oldInt0es,ULONG oldInt0e);
BOOLEAN HookMemoryPage(ULONG Address,ULONG Size);
void HookInt0E();
VOID ProcessCreateMon ( IN HANDLE hParentId, IN HANDLE PId,IN BOOLEAN bCreate );
void UnHookInt0E();
VOID SetCopyOnWrite(PVOID p);
void UnHookMemory();
BOOLEAN FakeMemoryFrame(ULONG Address);
UCHAR *PsGetProcessImageFileName(PEPROCESS Process);
VOID KeStackAttachProcess (PEPROCESS,PKAPC_STATE);
VOID KeUnstackDetachProcess(PKAPC_STATE);
ULONG MyWriteMemory(IN PVOID BaseAddress,IN PVOID NewAddress,IN SIZE_T BufferSize,IN HANDLE pid);
BOOL RemoveList(ULONG Pid);
BOOL GetIndexByVersion();
WIN_VER_DETAIL GetWindowsVersion();
ULONG GetPid();
ULONG GetKernelBase();
void __declspec(naked) new_int0e(void){
__asm{
cli
pushad
push fs
push ds
push es
mov ax, 30h
mov fs, ax
mov ax, 23h
mov ds, ax
mov es, ax
mov eax, cr2
push eax
mov eax, cr3
cmp cs:ActiveCr3, eax
jne __old_handler
mov eax, [esp.regErrorCode]
bt eax, 2 //user or supervisor
jnb __old_handler
mov eax, esp
push eax
call HandleAccessViolation
cli
test al, al
jnz __exit_exception
__old_handler: pop eax
mov cr2, eax
pop es
pop ds
pop fs
popad
jmp cs:[g_OldInt0EHander]
__exit_exception:
pop eax
mov cr2, eax
pop es
pop ds
pop fs
popad
add esp, 4
iretd
}
}
void __declspec(naked) new_Int0EHandler(void){
_asm
{
jmp g_OldInt0EHander
}
}
NTSTATUS
DriverEntry(
PDRIVER_OBJECT pDriverObj,
PUNICODE_STRING pRegistryString
)
/*++
Author: sudami [sudami@163.com]
Time : 2008/08/13
Routine Description:
Arguments:
-
Return Value:
--*/
{
NTSTATUS status = STATUS_SUCCESS;
UNICODE_STRING ustrLinkName;
UNICODE_STRING ustrDevName;
PDEVICE_OBJECT pDevObj;
ULONG c_cr4;
ULONG i;
dprintf("[PageFaultHook] DriverEntry\n");
pDriverObj->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
pDriverObj->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
pDriverObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl;
pDriverObj->DriverUnload = DriverUnload;
RtlInitUnicodeString(&ustrDevName, DEVICE_NAME);
status = IoCreateDevice(pDriverObj,
0,
&ustrDevName,
FILE_DEVICE_UNKNOWN,
0,
FALSE,
&pDevObj);
if(!NT_SUCCESS(status)) {
dprintf("[PageFaultHook] IoCreateDevice = 0x%x\n", status);
return status;
}
RtlInitUnicodeString(&ustrLinkName, LINK_NAME);
status = IoCreateSymbolicLink(&ustrLinkName, &ustrDevName);
if(!NT_SUCCESS(status)) {
dprintf("[PageFaultHook] IoCreateSymbolicLink = 0x%x\n", status);
IoDeleteDevice(pDevObj);
return status;
}
c_cr4 = __readcr4();
if (TestBit(c_cr4, 5))
IsPae = TRUE;
else
IsPae = FALSE;//判断是否支持PAE
RtlZeroMemory(&MyShadowHookInfo,sizeof(MyShadowHookInfo));
g_WinVer=GetWindowsVersion();
NtBase=GetKernelBase();
if(NtBase==0)
{
return STATUS_UNSUCCESSFUL;
}
if(GetIndexByVersion())
{
status = PsSetCreateProcessNotifyRoutine(ProcessCreateMon, FALSE);
if (!NT_SUCCESS( status ))
{
DbgPrint("PsSetCreateProcessNotifyRoutine()\n");
return status;
}
}
DbgPrint("Init Ok........\n");
//
// 添加执行代码
//
return STATUS_SUCCESS;
}
VOID
DriverUnload(
PDRIVER_OBJECT pDriverObj
)
{
UNICODE_STRING strLink;
int i;
RtlInitUnicodeString(&strLink, LINK_NAME);
if(p!=NULL)
{
ExFreePool(p);
p=NULL;
}
if(g_OldInt0EHander!=0)
{
for(i=0;i<KeNumberProcessors;i++)
{
KeSetAffinityThread(PsGetCurrentThread(), 1 << i);
UnHookInt0E();
}
}
//
// 添加卸载代码
//
IoDeleteSymbolicLink(&strLink);
IoDeleteDevice(pDriverObj->DeviceObject);
dprintf("[PageFaultHook] Unloaded\n");
}
NTSTATUS
DispatchCreate(
PDEVICE_OBJECT pDevObj,
PIRP pIrp
)
{
pIrp->IoStatus.Status = STATUS_SUCCESS;
pIrp->IoStatus.Information = 0;
dprintf("[PageFaultHook] IRP_MJ_CREATE\n");
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
NTSTATUS
DispatchClose(
PDEVICE_OBJECT pDevObj,
PIRP pIrp
)
{
pIrp->IoStatus.Status = STATUS_SUCCESS;
pIrp->IoStatus.Information = 0;
dprintf("[PageFaultHook] IRP_MJ_CLOSE\n");
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
NTSTATUS
DispatchIoctl(
PDEVICE_OBJECT pDevObj,
PIRP pIrp
)
{
NTSTATUS status = STATUS_INVALID_DEVICE_REQUEST;
PIO_STACK_LOCATION pIrpStack;
ULONG uIoControlCode;
PVOID pIoBuffer;
ULONG uInSize;
ULONG uOutSize;
int i;
PETHREAD cur_thread;
ULONG DisableEnable;
PVOID NewAddress;
HOOKINFO HookInfo;
ULONG MyPid;
pIrpStack = IoGetCurrentIrpStackLocation(pIrp);
uIoControlCode = pIrpStack->Parameters.DeviceIoControl.IoControlCode;
pIoBuffer = pIrp->AssociatedIrp.SystemBuffer;
uInSize = pIrpStack->Parameters.DeviceIoControl.InputBufferLength;
uOutSize = pIrpStack->Parameters.DeviceIoControl.OutputBufferLength;
switch(uIoControlCode) {
case IOCTL_SET_SHADOWHOOK: {//启动SHADOW HOOK
//dprintf("[PageFaultHook] Hello\n");
if(uInSize!=sizeof(SHADOWHOOK_INFO))
{
status=STATUS_UNSUCCESSFUL;
break;
}//如果不是结构的长度
RtlCopyMemory(&MyShadowHookInfo,pIoBuffer,sizeof(SHADOWHOOK_INFO));//转移数据
g_TargetPid=MyShadowHookInfo.TargetPid;//保存PID
g_LoadTlb=MyShadowHookInfo.g_LoadITLB;//保存RET地址
MyShadowHookInfo.HookBegin^=0x12345678;
//DbgPrint("Want to Address :%08x\n",MyShadowHookInfo.HookBegin);
for(i=0;i<KeNumberProcessors;i++)
{
KeSetAffinityThread(PsGetCurrentThread(), 1 << i);
if(HookMemoryPage(MyShadowHookInfo.HookBegin,MyShadowHookInfo.HookLength)==FALSE)
{//挂钩 内存 如果失败直接返回 如果成功就OK
status=STATUS_UNSUCCESSFUL;
break;
}
}
status = STATUS_SUCCESS;
break;
}
case IOCTL_ALLOCATE_MEMORY:
{
if(uInSize!=sizeof(SHADOWHOOK_INFO))
{
status=STATUS_UNSUCCESSFUL;
break;
}
RtlCopyMemory(&MyShadowHookInfo,pIoBuffer,sizeof(SHADOWHOOK_INFO));//COPY DATA
DbgPrint("Allocate Start.........\n");
if(p)
{
ExFreePool(p);
p=NULL;
}
MyShadowHookInfo.HookBegin^=0x12345678;
//DbgPrint("Get Address :%08x\n",MyShadowHookInfo.HookBegin);
if(FakeMemoryFrame(MyShadowHookInfo.HookBegin)==FALSE)
{
status=STATUS_UNSUCCESSFUL;
break;
}
if(IsIntHooked==FALSE)
{
for(i=0;i<KeNumberProcessors;i++)
{
KeSetAffinityThread(PsGetCurrentThread(), 1 << i);
HookInt0E();
}
IsIntHooked=TRUE;
}
status=STATUS_SUCCESS;
break;
}
/* case IOCTL_MYHOOK:
{
RtlCopyMemory(&HookInfo,pIoBuffer,sizeof(HOOKINFO));
NewAddress=ExAllocatePoolWithTag(NonPagedPool,HookInfo.Size,'Writ');
HookInfo.BaseAddress^=0x12345678;
//DbgPrint("Get Write Address %08x\n",HookInfo.BaseAddress);
if(NewAddress)
{
RtlCopyMemory(NewAddress,HookInfo.NewAddr,HookInfo.Size);
MyWriteMemory(HookInfo.BaseAddress,NewAddress,HookInfo.Size,HookInfo.Pid);
ExFreePool(NewAddress);
}
status=STATUS_SUCCESS;
break;
}
case IOCTL_KILLLIST:
{
MyPid=*(ULONG *)pIoBuffer;
if(MyPid!=0)
{
RemoveList(MyPid);
}
status=STATUS_SUCCESS;
break;
}
case IOCTL_GETPID:
{
*(ULONG *)pIoBuffer=GetPid();
status=STATUS_SUCCESS;
break;
}*/
//
// 添加执行代码
//
}
if(status == STATUS_SUCCESS)
pIrp->IoStatus.Information = uOutSize;
else
pIrp->IoStatus.Information = 0;
/////////////////////////////////////
pIrp->IoStatus.Status = status;
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
return status;
}
///////////////////////////////////////////////////////////////// -- --
//+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++// -- - - --
//+ +// -- - - --
//+ 段落间隔 -- 输入你的模块功能 +// -- - --
//+ +// - sudami -
//+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++// -- --
///////////////////////////////////////////////////////////////// -- --
// -- --
//
void UnHookMemory(ULONG Start,ULONG End)
{
PPTE pte;
PPDE pde;
PPTE_NOPAE pte_nopae;
PPDE_NOPAE pde_nopae;
PLINEAR_ADDRESS pLinear;
PLINEAR_ADDRESS_PTE pLinearPte;
PLINEAR_ADDRESS_NOPAE pLinear_nopae;
PLINEAR_ADDRESS_PTE_NOPAE pLinearPte_nopae;
ULONG current, counter;
NTSTATUS status;
PEPROCESS eprocess;
status = PsLookupProcessByProcessId(g_TargetPid, &eprocess);
if (!NT_SUCCESS(status)){
return ;
}
KeAttachProcess(eprocess);
__try{
ProbeForRead((PVOID)Start, End - Start, 1);
current = Start;
counter = End - Start;
pte = PTE_OFFSET;
pde = PDE_OFFSET;
pte_nopae = PTE_OFFSET_NOPAE;
pde_nopae = PDE_OFFSET_NOPAE;
while (counter){
__asm mov eax, current
__asm mov eax, [eax] //pagein page...
pLinear = (PLINEAR_ADDRESS)¤t;
pLinearPte = (PLINEAR_ADDRESS_PTE)¤t;
pLinear_nopae = (PLINEAR_ADDRESS_NOPAE)¤t;
pLinearPte_nopae = (PLINEAR_ADDRESS_PTE_NOPAE)¤t;
if (IsPae)
pte[pLinearPte->Table].UserSupervisor = 1;
else
pte_nopae[pLinearPte_nopae->Table].UserSupervisor = 1;
__invlpg((PVOID)current);
counter -= PAGE_SIZE;
current += PAGE_SIZE;
}
KeDetachProcess();
ObDereferenceObject(eprocess);
}__except(EXCEPTION_EXECUTE_HANDLER){
KeDetachProcess();
ObDereferenceObject(eprocess);
}
}
BOOLEAN FakeMemoryFrame(ULONG Address)
{
ULONG HookStart;
PEPROCESS eprocess;
PPTE pte;
PPDE pde;
PPTE_NOPAE pte_nopae;
PPDE_NOPAE pde_nopae;
PLINEAR_ADDRESS pLinear;
PLINEAR_ADDRESS_PTE pLinearPte;
PLINEAR_ADDRESS_NOPAE pLinear_nopae;
PLINEAR_ADDRESS_PTE_NOPAE pLinearPte_nopae;
HookStart=Address;
p=ExAllocatePoolWithTag( PagedPool, 4*1024, 'HOOK');//申请一份内存
if(p)//如果申请成功
{
pmdl=IoAllocateMdl(p,4*1024,FALSE,FALSE,NULL);//建立MDL
if(pmdl==NULL)
{
ExFreePool(p);
return FALSE;
}//如果成功继续下去
__try
{
MmProbeAndLockPages(pmdl,KernelMode,IoReadAccess);//锁定MDL内存
IsLock=TRUE;
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
IoFreeMdl(pmdl);
pmdl=NULL;
ExFreePool(p);
p=NULL;
}
}
if(pmdl==NULL||p==NULL)
{
return FALSE;
}
// DbgPrint("Allocate Memory is:%08x\n",p);
RtlZeroMemory(p,4*1024);//清零
RtlCopyMemory(p,(PVOID)(HookStart&0xFFFFF000),4*1024);
return TRUE;//复制代码
}
//复制数据
BOOLEAN HookMemoryPage(ULONG Address,ULONG Size)
{
ULONG i,counter;
PPTE pte;
PPDE pde;
PPTE_NOPAE pte_nopae;
PPDE_NOPAE pde_nopae;
PEPROCESS eprocess;
PLINEAR_ADDRESS pLinear;
PLINEAR_ADDRESS_PTE pLinearPte;
PLINEAR_ADDRESS_NOPAE pLinear_nopae;
PLINEAR_ADDRESS_PTE_NOPAE pLinearPte_nopae;
NTSTATUS status;
status=PsLookupProcessByProcessId(g_TargetPid, &eprocess);
if(!NT_SUCCESS(status))
{
return FALSE;
}
KeAttachProcess(eprocess);//ATTach上去 就可以读数据了
__try{
ProbeForRead((PVOID)Address,Size,1);
i=Address;
i&=0xFFFFF000;//按照aglin 处理
counter=Size;
if(counter%PAGE_SIZE)
counter=counter-(counter%PAGE_SIZE)+PAGE_SIZE;//修正大小
pte=PTE_OFFSET;
pde=PDE_OFFSET;
pte_nopae=PTE_OFFSET_NOPAE;
pde_nopae=PDE_OFFSET_NOPAE;
start_range=i;
end_range=i+counter;
while(counter)
{
_asm
{
mov eax,i
mov eax,[eax]
}
pLinear=(PLINEAR_ADDRESS)&i;
pLinearPte=(PLINEAR_ADDRESS_PTE)&i;
pLinear_nopae=(PLINEAR_ADDRESS_NOPAE)&i;
pLinearPte_nopae=(PLINEAR_ADDRESS_PTE_NOPAE)&i;
if(IsPae)
{
pte[pLinearPte->Table].UserSupervisor = 0;//disable
}
else
{
pte_nopae[pLinearPte->Table].UserSupervisor=0;//disable
}
__invlpg((PVOID)i);
counter-=PAGE_SIZE;
i+=PAGE_SIZE;
}
}__except(EXCEPTION_EXECUTE_HANDLER){
status=GetExceptionCode();
KeDetachProcess();
ObDereferenceObject(eprocess);
return FALSE;
}
InterlockedExchange(&ActiveCr3, __readcr3());
KeDetachProcess();
ObDereferenceObject(eprocess);
return TRUE;
}
BOOLEAN TestBit(ULONG value, ULONG bit){
if (value & (1 << bit))
return TRUE;
return FALSE;
}
void HookInterupt(ULONG newInterput,ULONG Index,PULONG oldInt0es,PULONG oldInt0e)
{
IDTINFO idt_info;
IDTENTRY* idt_entries;
_asm sidt idt_info
idt_entries = (IDTENTRY*) MAKELONG(idt_info.LowIDTbase,idt_info.HiIDTbase);
_asm
{
pushfd
cli
}
if(oldInt0es!=NULL&oldInt0e!=NULL)
{
*oldInt0es=MAKELONG(idt_entries[Index].LowOffset,idt_entries[Index].HiOffset);
if(*oldInt0e==0)
{
oldInt0e=MAKELONG(idt_entries[Index].LowOffset,idt_entries[Index].HiOffset);
}
}//保存原始的int0e
idt_entries[Index].LowOffset=(USHORT)(newInterput & 0xFFFF);
idt_entries[Index].HiOffset=(USHORT)(newInterput >> 16);//Hook
}
BOOLEAN HandleAccessViolation(PREGSX86 regs){
NTSTATUS status;
PPTE pte;
PPTE_NOPAE pte_nopae;
ULONG c_cr2;
ULONG dummy;
PLINEAR_ADDRESS_PTE pLinearPte;
PLINEAR_ADDRESS_PTE_NOPAE pLinearPte_nopae;
PTE BackPte;
PTE UsePte;
PTE_NOPAE gBackPte;
PTE_NOPAE gUsePte;
ULONG BackupCr2;
// not interested in not present pages
// basically, we may handle them here by
// calling MmAccessFault to bring back these
// pages, but let windows to perform such
// action...
RtlZeroMemory(&BackPte,sizeof(PTE));
RtlZeroMemory(&UsePte,sizeof(PTE));
RtlZeroMemory(&gBackPte,sizeof(PTE_NOPAE));
RtlZeroMemory(&gUsePte,sizeof(PTE_NOPAE));
if (!TestBit(regs->regErrorCode, 0))
return FALSE;
// although cr2 is passed in regs struct, it's safe to read it again due to cli
c_cr2 = __readcr2();
BackupCr2=c_cr2;
// check range
//DbgPrint("cr2:%08x\n",c_cr2);
if (c_cr2 >=start_range&&c_cr2<end_range)
{
goto Next;
}
return FALSE;
Next:
//check if we have r/w or execute on this range
if (c_cr2 != regs->regEip){
//DbgPrint("Read/Write :Target is:%08x Current is:%08x\n",c_cr2,regs->regEip);
if (IsPae){
//DbgPrint("Support PAE.......\n");
if(BackupCr2>=start_range&&BackupCr2<end_range)
{
if(p)
{
pte = PTE_OFFSET;
pLinearPte = (PLINEAR_ADDRESS_PTE)&c_cr2;
RtlCopyMemory(&BackPte,&pte[pLinearPte->Table],sizeof(PTE));//保存原始的PTE数据
pte = PTE_OFFSET;
pLinearPte = (PLINEAR_ADDRESS_PTE)&p;//得到申请的内存的地址
RtlCopyMemory(&UsePte,&pte[pLinearPte->Table],sizeof(PTE));//保存申请的PTE
pte = PTE_OFFSET;
pLinearPte = (PLINEAR_ADDRESS_PTE)&c_cr2;//再次获取PTE
pte[pLinearPte->Table].PageBaseAddress=UsePte.PageBaseAddress;
pte[pLinearPte->Table].Reserved=UsePte.Reserved;
pte[pLinearPte->Table].NxBit=UsePte.NxBit;
pte[pLinearPte->Table].UserSupervisor = 1;
__asm mov eax, c_cr2
__asm mov eax, [eax]
pte[pLinearPte->Table].UserSupervisor = 0;
pte = PTE_OFFSET;
pLinearPte = (PLINEAR_ADDRESS_PTE)&c_cr2;
RtlCopyMemory(&pte[pLinearPte->Table],&BackPte,sizeof(PTE));//回复原始的PTE数据
return TRUE;
}
}
pte = PTE_OFFSET;
pLinearPte = (PLINEAR_ADDRESS_PTE)&c_cr2;
pte[pLinearPte->Table].UserSupervisor = 1;
__asm mov eax, c_cr2
__asm mov eax, [eax]
pte[pLinearPte->Table].UserSupervisor = 0;
return TRUE;
}
else
{
if(BackupCr2>=start_range&&BackupCr2<end_range)
{
if(p)
{
pte_nopae=PTE_OFFSET_NOPAE;
pLinearPte_nopae=(PLINEAR_ADDRESS_PTE_NOPAE)&c_cr2;
RtlCopyMemory(&gBackPte,&pte_nopae[pLinearPte_nopae->Table],sizeof(PTE_NOPAE));
pte_nopae=PTE_OFFSET_NOPAE;
pLinearPte_nopae=(PLINEAR_ADDRESS_PTE_NOPAE)&p;
RtlCopyMemory(&gUsePte,&pte_nopae[pLinearPte_nopae->Table],sizeof(PTE_NOPAE));
pte_nopae = PTE_OFFSET_NOPAE;
pLinearPte_nopae = (PLINEAR_ADDRESS_PTE_NOPAE)&c_cr2;
pte_nopae[pLinearPte_nopae->Table].PageBaseAddress=gUsePte.PageBaseAddress;
pte_nopae[pLinearPte_nopae->Table].UserSupervisor = 1;
__asm mov eax, c_cr2
__asm mov eax, [eax]
pte_nopae[pLinearPte_nopae->Table].UserSupervisor = 0;
pte_nopae = PTE_OFFSET_NOPAE;
pLinearPte_nopae = (PLINEAR_ADDRESS_PTE_NOPAE)&c_cr2;
RtlCopyMemory(&pte_nopae[pLinearPte_nopae->Table],&gBackPte,sizeof(PTE_NOPAE));
return TRUE;
}
}
pte_nopae=PTE_OFFSET_NOPAE;
pLinearPte_nopae=(PLINEAR_ADDRESS_PTE_NOPAE)&c_cr2;
pte_nopae[pLinearPte_nopae->Table].UserSupervisor = 1;
__asm mov eax, c_cr2
__asm mov eax, [eax]
pte_nopae[pLinearPte_nopae->Table].UserSupervisor = 0;
return TRUE;
}
}
if(IsPae)
{
if(BackupCr2>=start_range&&BackupCr2<end_range)
{
pte=PTE_OFFSET;
pLinearPte = (PLINEAR_ADDRESS_PTE)&c_cr2;
pte[pLinearPte->Table].UserSupervisor = 1;
__invlpg(c_cr2);
_asm
{
mov eax,g_LoadTlb
call eax
}
pte[pLinearPte->Table].UserSupervisor = 0;
return TRUE;
}
}
else
{
if(BackupCr2>=start_range&&BackupCr2<end_range)
{
pte_nopae = PTE_OFFSET_NOPAE;
pLinearPte_nopae = (PLINEAR_ADDRESS_PTE_NOPAE)&c_cr2;
pte_nopae[pLinearPte_nopae->Table].UserSupervisor = 1;
__invlpg(c_cr2);
_asm
{
mov eax,g_LoadTlb
call eax
}//Load ITLB
pte_nopae[pLinearPte_nopae->Table].UserSupervisor = 0;
return TRUE;
}
}
}
void __invlpg(void *pPage)
{
_asm
{
mov eax,pPage
invlpg [eax]
}
}
unsigned long __readcr2(void)
{
_asm
{
mov eax,cr2
}
}
unsigned long __readcr3(void)
{
_asm
{
mov eax,cr3
}
}
unsigned long __readcr4(void)
{
_asm
{
_emit 0x0F // mov eax,cr4
_emit 0x20
_emit 0xE0
}
}
void HookInt0E()
{
IDTINFO idt_info;
IDTENTRY* idt_entries;
_asm sidt idt_info
idt_entries = (IDTENTRY*) MAKELONG(idt_info.LowIDTbase,idt_info.HiIDTbase);
if(g_OldInt0EHander==0)
{
g_OldInt0EHander=MAKELONG(idt_entries[0x0e].LowOffset,idt_entries[0x0e].HiOffset);
//DbgPrint("Got Int 0E :%08x\n",g_OldInt0EHander);
}
_asm cli
idt_entries[0x0e].LowOffset=(short)(ULONG)new_int0e;
idt_entries[0x0e].HiOffset=(short)(((ULONG)new_int0e>>16)&0xffff);
}
void UnHookInt0E()
{
IDTINFO idt_info;
IDTENTRY* idt_entries;
_asm sidt idt_info
idt_entries = (IDTENTRY*) MAKELONG(idt_info.LowIDTbase,idt_info.HiIDTbase);
if(g_OldInt0EHander)
{
__asm
{
push eax
mov eax, CR0
and eax, 0FFFEFFFFh
mov CR0, eax
pop eax
}
idt_entries[0x0e].LowOffset=(short)(ULONG)g_OldInt0EHander;
idt_entries[0x0e].HiOffset=(short)(((ULONG)g_OldInt0EHander>>16)&0xffff);
__asm
{
push eax
mov eax, CR0
or eax, NOT 0FFFEFFFFh
mov CR0, eax
pop eax
}
}
}
一个字 乱..... |
|
[复制链接]
