;还原调试处理
mov eax, 08b55ff8bh mov ebx, 804f9a08h
mov DWORD ptr [ebx], eax mov eax, 08b5653ech
mov DWORD ptr [ebx + 4], eax
mov eax, cr0
or eax, 10000h mov cr0, eax sti
ret
DriverUnload endp
;-----------------------------------------------------------------------
; ShowLinkTableInfo(ptrLT)
; Dumps every field of one LinkTable entry through DbgPrint.
; In:    ptrLT = pointer to a LinkTable entry (not validated here)
; Out:   none; all general registers preserved (pushad/popad)
; Each field is loaded into eax right before the DbgPrint that reports it.
; The entry pointer is held in esi, which is callee-saved under the Win32
; x86 ABI and therefore survives the cdecl DbgPrint calls.
; NOTE: the $CTA0 string literals that followed each '\' continuation were
;       lost when this listing was extracted; the format strings are not
;       recoverable from this page.
;-----------------------------------------------------------------------
ShowLinkTableInfo proc ptrLT
    pushad
    mov     esi, ptrLT                  ; esi = entry, kept for the whole dump
    invoke  DbgPrint, $CTA0(\
    mov     eax, (LinkTable ptr [esi]).ThreadHandle
    invoke  DbgPrint, $CTA0(\
    mov     eax, (LinkTable ptr [esi]).Dr0Seg
    invoke  DbgPrint, $CTA0(\
    mov     eax, (LinkTable ptr [esi]).Dr1Seg
    invoke  DbgPrint, $CTA0(\
    mov     eax, (LinkTable ptr [esi]).Dr2Seg
    invoke  DbgPrint, $CTA0(\
    mov     eax, (LinkTable ptr [esi]).Dr3Seg
    invoke  DbgPrint, $CTA0(\
    mov     eax, (LinkTable ptr [esi]).Dr6Seg
    invoke  DbgPrint, $CTA0(\
    mov     eax, (LinkTable ptr [esi]).Dr7Seg
    invoke  DbgPrint, $CTA0(\
    mov     eax, (LinkTable ptr [esi]).LinkPtr
    invoke  DbgPrint, $CTA0(\
    mov     eax, (LinkTable ptr [esi]).NextLinkPtr
    invoke  DbgPrint, $CTA0(\
    popad
    ret
ShowLinkTableInfo endp
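;-----------------------------------------------------------------------
; ExsitsLinkTable(pHandle)
; Walks the singly linked LinkTable list rooted at threadCxtLink looking
; for the entry whose ThreadHandle equals pHandle.
; In:    pHandle = thread handle used as the lookup key
; Out:   eax = 1          list is empty (threadCxtLink == 0)
;        eax = 0          list is non-empty but no entry matches
;        eax = entry ptr  the matching LinkTable entry
;        All other general registers preserved (pushad/popad).
; Side effect: on a hit the entry pointer is also stored in the global
;        tmpLink (kept for any caller that still reads it).
; Fix:   the return value used to be carried across the final popad through
;        tmpLink, a shared global, so two concurrent lookups could return
;        each other's result. The hit path now writes the result into the
;        eax slot of the pushad frame ([esp+1Ch]) so popad restores it
;        directly; tmpLink is still written for compatibility but no
;        longer read.
; NOTE:  no lock is taken while walking the list; a concurrent
;        AddLinkTable append can race with this walk.
; NOTE:  the $CTA0 string literals after each '\' were lost in extraction.
;-----------------------------------------------------------------------
ExsitsLinkTable proc pHandle
    pushad                              ; pushad order: eax ecx edx ebx esp ebp esi edi
                                        ; -> saved eax is at [esp+1Ch]
    mov     eax, threadCxtLink
    .if !eax
        ; empty list
        pushad
        invoke  DbgPrint, $CTA0(\
        popad
        popad
        mov     eax, 1
        ret
    .endif
@@:
    mov     ebx, (LinkTable ptr [eax]).ThreadHandle
    cmp     ebx, pHandle                ; match found?
    je      @F
    mov     eax, (LinkTable ptr [eax]).NextLinkPtr
    .if !eax
        ; reached the tail without a match
        pushad
        invoke  DbgPrint, $CTA0(\
        popad
        popad
        xor     eax, eax
        ret
    .endif
    jmp     @B
@@:
    pushad
    invoke  DbgPrint, $CTA0(\
    popad
    invoke  ShowLinkTableInfo, eax      ; preserves eax (pushad/popad inside)
    mov     tmpLink, eax                ; compatibility only: callers may read it
    mov     DWORD ptr [esp + 1Ch], eax  ; overwrite the saved eax so popad returns the entry
    popad
    ret
ExsitsLinkTable endp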
;-----------------------------------------------------------------------
; CopyContextToLinkTable(ptrContext, ptrLT)
; Copies the six DWORDs at offsets 4, 8, 0Ch, 10h, 14h, 18h from
; *ptrContext to the same offsets in *ptrLT. Offset 0 is not touched.
; In:    ptrContext = source block, ptrLT = destination block
; Out:   none; all general registers preserved (pushad/popad)
; NOTE(review): on the x86 CONTEXT these offsets hold Dr0..Dr3, Dr6, Dr7;
;       the LinkTable Dr*Seg fields are assumed to sit at the same offsets
;       after ThreadHandle - confirm against the LinkTable struc.
;-----------------------------------------------------------------------
CopyContextToLinkTable proc ptrContext, ptrLT
    pushad
    mov     esi, ptrContext             ; esi = source
    mov     edi, ptrLT                  ; edi = destination
    mov     ecx, 4                      ; ecx = current byte offset
    .while ecx <= 18h                   ; unsigned compare, 18h inclusive
        mov     eax, DWORD ptr [esi + ecx]
        mov     DWORD ptr [edi + ecx], eax
        add     ecx, 4
    .endw
    popad
    ret
CopyContextToLinkTable endp
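;-----------------------------------------------------------------------
; AddLinkTable(pHandle, ptrContext)
; Records the debug-register portion (offsets 4..18h) of *ptrContext for
; thread pHandle: refreshes the existing LinkTable entry if there is one,
; otherwise allocates a new entry and appends it to the list at
; threadCxtLink.
; In:    pHandle    = thread handle used as the key
;        ptrContext = CONTEXT to copy from
; Out:   none; all general registers preserved (pushad/popad)
; Fix:   the "entry already exists" branch called CopyContextToLinkTable
;        with (entry, ptrContext), i.e. it copied the stale table entry
;        back over the caller's CONTEXT instead of updating the entry. The
;        arguments are now (ptrContext, entry), matching the new-entry path
;        and the original comment ("only need to update the dr registers").
;        The redundant `jmp @F` to the epilogue on the allocation-failure
;        path is dropped; the .if/.endif structure already falls through.
; NOTE:  the list append is not protected by any lock; concurrent callers
;        can both observe the same tail and lose an entry.
; NOTE:  pool type 1 is PagedPool; no path in this proc frees an entry.
; NOTE:  the $CTA0 string literal after the '\' was lost in extraction.
;-----------------------------------------------------------------------
AddLinkTable proc pHandle, ptrContext
    pushad
    invoke  ExsitsLinkTable, pHandle    ; eax = 0 (miss) / 1 (empty list) / entry ptr
    .if eax > 1                         ; register operand -> unsigned compare, so any kernel pointer qualifies
        ; entry exists: refresh its Dr* fields from the new context
        invoke  CopyContextToLinkTable, ptrContext, eax
    .else
        push    eax                     ; keep the 0/1 lookup result across the allocation
        invoke  ExAllocatePool, 1, size LinkTable   ; 1 = PagedPool
        .if eax
            ; allocation succeeded
            mov     ebx, eax            ; ebx = new entry
            pop     eax                 ; eax = 0/1 from ExsitsLinkTable
            ; first field: the key
            mov     ecx, pHandle
            mov     (LinkTable ptr [ebx]).ThreadHandle, ecx
            ; copy the debug-register values
            invoke  CopyContextToLinkTable, ptrContext, ebx
            ; remaining two fields: self pointer and empty next link
            mov     (LinkTable ptr [ebx]).LinkPtr, ebx
            mov     (LinkTable ptr [ebx]).NextLinkPtr, 0
            invoke  ShowLinkTableInfo, ebx  ; preserves eax (pushad/popad inside)
            ; link the new entry into the list
            .if eax == 1
                ; list was empty: new entry becomes the head
                mov     threadCxtLink, ebx
            .else
                ; list non-empty: walk to the tail and append
                mov     eax, threadCxtLink
            @@:
                mov     ecx, (LinkTable ptr [eax]).NextLinkPtr
                test    ecx, ecx
                je      @F
                mov     eax, ecx        ; advance to the next entry
                jmp     @B
            @@:
                mov     (LinkTable ptr [eax]).NextLinkPtr, ebx
            .endif
        .else
            ; allocation failed: rebalance the stack and report
            pop     eax
            pushad
            invoke  DbgPrint, $CTA0(\
            popad
        .endif
    .endif
    popad
    ret
AddLinkTable endp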
;-----------------------------------------------------------------------
; IsFilterProcess()
; Compares the name of the current process (read at nameOffset bytes into
; the object returned by PsGetCurrentProcess - presumably the EPROCESS
; image-file name; confirm against nameOffset's definition) with the
; built-in filter name using strncmp.
; Out:   eax = 1 when strncmp returned 0 (name matches), else eax = 0
;        All other general registers preserved (pushad/popad).
; NOTE:  the $CTA0 literals and the remaining strncmp arguments after each
;        '\' were lost in extraction; the compared name is not recoverable
;        from this page.
;-----------------------------------------------------------------------
IsFilterProcess proc
    pushad
    ; locate the current process name
    invoke  PsGetCurrentProcess
    mov     ebx, eax
    add     ebx, nameOffset             ; ebx = &name inside the process object
    invoke  DbgPrint, $CTA0(\
    invoke  strncmp, $CTA0(\
    test    eax, eax                    ; ZF = (strncmp result == 0)
    popad                               ; popad does not touch EFLAGS, ZF survives
    sete    al                          ; al = 1 on match, 0 otherwise
    movzx   eax, al                     ; widen to the full return register
    ret
IsFilterProcess endp
;显示Context的调试寄存器 ShowDrRegInfo proc ptrContext pushad
invoke DbgPrint, $CTA0(\
mov ebx, ptrContext
mov eax, DWORD ptr [ebx + 4]
invoke DbgPrint, $CTA0(\
mov ebx, ptrContext
mov eax, DWORD ptr [ebx + 8]
invoke DbgPrint, $CTA0(\
mov ebx, ptrContext
mov eax, DWORD ptr [ebx + 0ch]
invoke DbgPrint, $CTA0(\
mov ebx, ptrContext
mov eax, DWORD ptr [ebx + 10h]
invoke DbgPrint, $CTA0(\
mov ebx, ptrContext
mov eax, DWORD ptr [ebx + 14h]
invoke DbgPrint, $CTA0(\
mov ebx, ptrContext
mov eax, DWORD ptr [ebx + 18h]
invoke DbgPrint, $CTA0(\