KEXCEPTION_FRAME ExceptionFrame,IN PEXCEPTION_RECORD ExceptionRecord,IN PCONTEXT ContextRecord,IN KPROCESSOR_MODE PreviousMode,IN BOOLEAN SecondChanceException);
// Here we build the jump stub (mov rax, imm64 ; jmp rax) and write it over the target function.
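/*
 * ModifyKdpTrap - overwrite the first 12 bytes of `targetaddress` with an
 * absolute jump to `myaddress`:
 *
 *     48 B8 <imm64>   mov rax, imm64
 *     FF E0           jmp rax
 *
 * `myaddress`     address of the detour (our replacement handler).
 * `targetaddress` kernel code address being patched (KdpTrap in this file).
 *
 * The stub is written with write protection disabled via WPOFFx64()/WPONx64()
 * (defined elsewhere in this project; the KIRQL they return/take suggests they
 * also raise IRQL, but that is not visible here -- confirm). No other CPU is
 * stalled while the bytes are replaced, so another core executing the target
 * at that moment observes a half-written instruction stream. NOTE(review):
 * inline-patching ntoskrnl on x64 is exactly what Kernel Patch Protection
 * checks for; this code presumably only runs with a kernel debugger attached.
 *
 * The source originally stored the stub as a string literal with the
 * hexadecimal digits mangled by a character-encoding error; it is now a plain
 * byte array sized by sizeof so the two copies cannot drift apart.
 */
VOID ModifyKdpTrap(PVOID myaddress, PVOID targetaddress) {
    KIRQL irql;
    ULONGLONG myfun = (ULONGLONG)myaddress; /* detour address as a 64-bit immediate */
    /* Bytes 2..9 are the imm64 placeholder and are filled in below. */
    UCHAR jmp_code[12] = {
        0x48, 0xB8, 0, 0, 0, 0, 0, 0, 0, 0, /* mov rax, imm64 */
        0xFF, 0xE0                          /* jmp rax        */
    };

    /* Refuse to write a stub to/for a NULL address; the caller passed bad input. */
    if (myaddress == NULL || targetaddress == NULL) {
        return;
    }

    RtlCopyMemory(jmp_code + 2, &myfun, sizeof(myfun));

    irql = WPOFFx64();
    RtlCopyMemory(targetaddress, jmp_code, sizeof(jmp_code));
    WPONx64(irql);
}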
// Here the replacement handler (the hook target) is implemented.
/*
 * HookKdpTrap - replacement for the kernel's KdpTrap, installed by
 * ModifyKdpTrap. Same parameter list as the original handler.
 *
 * Behaviour: if the *current* process's image name compares equal
 * (case-insensitively) to "TASLogin.exe", the call returns STATUS_SUCCESS
 * without ever reaching the original handler; every other process is passed
 * straight through to `hdbktrap` (the saved original, defined elsewhere).
 *
 * NOTE(review): the decision is keyed on PsGetProcessImageFileName(), i.e. the
 * short EPROCESS image name. That name is chosen by whoever launches the
 * process and is truncated to a small fixed-size field, so any process can
 * present itself as "TASLogin.exe" and take this branch -- it identifies the
 * intended target only on a best-effort basis. PsGetProcessImageFileName is
 * also not part of the documented DDK surface; its prototype must be supplied
 * by this project.
 */
NTSTATUS HookKdpTrap(
    IN PKTRAP_FRAME TrapFrame,
    IN PKEXCEPTION_FRAME ExceptionFrame,
    IN PEXCEPTION_RECORD ExceptionRecord,
    IN PCONTEXT ContextRecord,
    IN KPROCESSOR_MODE PreviousMode,
    IN BOOLEAN SecondChanceException)
{
    const char *imageName =
        (const char *)PsGetProcessImageFileName(PsGetCurrentProcess());

    /* Swallow the trap for the protected process; the original handler never sees it. */
    if (_stricmp(imageName, "TASLogin.exe") == 0) {
        return STATUS_SUCCESS;
    }

    /* Everyone else: delegate to the original KdpTrap. */
    return hdbktrap(TrapFrame,
                    ExceptionFrame,
                    ExceptionRecord,
                    ContextRecord,
                    PreviousMode,
                    SecondChanceException);
}
// Here the original bytes are written back (unhook).
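/*
 * UnHookKdpTrap - restore the first 15 bytes of the patched KdpTrap.
 *
 * `orgkdt` (global, defined elsewhere) holds the address that ModifyKdpTrap
 * overwrote. The bytes written back are a hard-coded copy of KdpTrap's
 * prologue on the ntoskrnl build this was written against:
 *
 *     48 89 5C 24 08     mov [rsp+8],  rbx
 *     48 89 54 24 10     mov [rsp+10h], rdx
 *     57                 push rdi
 *     48 83 EC 40        sub rsp, 40h
 *
 * NOTE(review): hard-coding the prologue is fragile -- on a build whose
 * KdpTrap starts differently, "unhooking" corrupts kernel code instead of
 * repairing it. The robust design is to save the original bytes in
 * ModifyKdpTrap before patching and restore those; that requires a new global
 * and is left as a follow-up. 15 bytes are restored even though only 12 were
 * patched, which is harmless as long as the table above matches the kernel.
 *
 * The source originally held these bytes as a string literal whose hex digits
 * were mangled by a character-encoding error (and carried a copy-pasted
 * "mov rax / jmp rax" comment that described the wrong instructions).
 */
void UnHookKdpTrap() {
    KIRQL irql;
    UCHAR orignal_code[15] = {
        0x48, 0x89, 0x5C, 0x24, 0x08, /* mov [rsp+8],   rbx */
        0x48, 0x89, 0x54, 0x24, 0x10, /* mov [rsp+10h], rdx */
        0x57,                         /* push rdi           */
        0x48, 0x83, 0xEC, 0x40        /* sub rsp, 40h       */
    };

    /* Nothing was hooked (or the address was never recorded): do not write to NULL. */
    if (orgkdt == NULL) {
        return;
    }

    irql = WPOFFx64();
    RtlCopyMemory(orgkdt, orignal_code, sizeof(orignal_code));
    WPONx64(irql);
}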
//----------------------------------------------------------------------------------------------------------------------------------------------------------------
//----------------------------------------------------------------------------------------------------------------------------------------------------------------
// 2. Keep the (anti-cheat) security component from refusing to load when a kernel debugger is present.
/*
 * DisableKdDebuggerEnabled - clear the KdDebuggerEnabled flag in the shared
 * user/kernel data page so user-mode code that reads it sees "no kernel
 * debugger attached".
 *
 * This only flips the advertised flag; the debugger connection itself is
 * untouched. NOTE(review): SharedUserData is a fixed-address page; the
 * kernel-mode mapping is writable on the builds this targets, but Microsoft
 * has been moving such structures under kernel data protection -- confirm
 * on the target build before relying on this store not faulting.
 */
VOID DisableKdDebuggerEnabled(void)
{
    SharedUserData->KdDebuggerEnabled = FALSE;
}
//----------------------------------------------------------------------------------------------------------------------------------------------------------------
//----------------------------------------------------------------------------------------------------------------------------------------------------------------
// 3. TP periodically resets KdDebuggerEnabled, so a timer that re-clears it every second is set up here.
//----------------------------------------------------------------------------------------------------------------------------------------------------------------
//----------------------------------------------------------------------------------------------------------------------------------------------------------------
// 4. Unlink kdcom from the loaded-module list to hide it, so its memory is not wiped and communication with WinDbg is not lost.
/*
0: kd> dt _eprocess
nt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x2e0 ProcessLock : _EX_PUSH_LOCK
+0x2e8 UniqueProcessId : Ptr64 Void
+0x2f0 ActiveProcessLinks : _LIST_ENTRY
*/
/* Driver object saved for later use; assigned elsewhere (presumably in DriverEntry -- not visible here). */
PDRIVER_OBJECT pDriverObject = NULL;
/*
 * Local mirror of the kernel's undocumented loaded-module list entry
 * (PsLoadedModuleList links these through InLoadOrderLinks). Used by the
 * "hide kdcom" step to walk and unlink the list.
 *
 * NOTE(review): this layout is not an API contract; field order and padding
 * are what one particular x64 build used, and later builds have inserted
 * fields. Offsets of everything after CheckSum in particular should be
 * checked against `dt nt!_KLDR_DATA_TABLE_ENTRY` on the target build before
 * any of those members are trusted. Walking and unlinking this list is also
 * a kernel-patch-protection trigger on x64.
 */
typedef struct _KLDR_DATA_TABLE_ENTRY {
    LIST_ENTRY InLoadOrderLinks;     /* links into the load-order list */
    PVOID ExceptionTable;
    ULONG ExceptionTableSize;
    PVOID GpValue;
    ULONG UnKnow;                    /* placeholder for an undocumented member; on x64 the
                                        compiler pads after this 4-byte field so that the
                                        following pointer is 8-byte aligned */
    PVOID DllBase;                   /* image base of the module */
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;      /* full path of the module */
    UNICODE_STRING BaseDllName;      /* file name only */
    ULONG Flags;
    USHORT LoadCount;
    USHORT __Unused5;
    PVOID SectionPointer;
    ULONG CheckSum;
    PVOID LoadedImports;
    PVOID PatchInformation;
} KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY;