9,506
社区成员
发帖
与我相关
我的任务
分享高手进,hook SYSENTER指令的问题
DriverEntry返回后操作系统崩溃,为什么呢,哪位高手解答下,感激。
windbg信息如下:
kernel!DriverEntry+0x27:
f9d2d057 5d pop ebp
kd> g
RTL: RtlNtStatusToDosError(0x81280000): No Valid Win32 Error Mapping
RTL: Edit ntos\rtl\generr.c to correct the problem
RTL: RtlNtStatusToDosError(0x813707d8): No Valid Win32 Error Mapping
RTL: Edit ntos\rtl\generr.c to correct the problem
RTL: ERROR_MR_MID_NOT_FOUND is being returned
RTL: ERROR_MR_MID_NOT_FOUND is being returned
Terminating critical process 0x81544020 (csrss.exe)
Break, or Ignore (bi)? i
i
*** Fatal System Error: 0x00000050
(0xF000F85D,0x00000000,0x805D891F,0x00000000)
Break instruction exception - code 80000003 (first chance)
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.
Connected to Windows XP 2600 x86 compatible target at (Wed Mar 23 13:10:23.033 2011 (GMT+8)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
......................................................
Loading User Symbols
..............
Loading unloaded module list
.........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
以下是源代码:
ULONG Real_KiFastCallEntry;
ULONG ulCnt = 0;
__declspec(naked) Hook_KiFastCallEntry()
{
ulCnt++;
/*if (ulCnt%100 == 0)
{
DbgPrint("第%d百次调用SYSENTER指令!\n", ulCnt/100);
}*/
__asm
{
jmp Real_KiFastCallEntry ;
}
}
NTSTATUS
DriverEntry(
__in struct _DRIVER_OBJECT *pDriverObject,
__in PUNICODE_STRING pRegistryPath
)
{
#ifdef DBG
_asm int 3;
#endif
pDriverObject->DriverUnload = Unload;
__asm
{
mov ecx, 0x176;
rdmsr; // 读取SYSENTER_EIP_MSR寄存器
mov Real_KiFastCallEntry, eax;
mov eax, Hook_KiFastCallEntry;
xor edx, edx; //写SYSENTER_EIP_MSR寄存器前得清空edx,否则引起系统崩溃
wrmsr; // 写入SYSENTER_EIP_MSR寄存器
}
return STATUS_SUCCESS;
}
//驱动卸载
VOID
Unload(
__in struct _DRIVER_OBJECT *pDriverObject
)
{
_asm
{
mov ecx, 0x176;
xor edx, edx;
mov eax, Real_KiFastCallEntry;
wrmsr; // 写入SYSENTER_EIP_MSR寄存器
}
DbgPrint("Unload运行完毕,驱动卸载成功!\n");
}
//哪位大牛给解惑下咯。
windbg信息如下:
kernel!DriverEntry+0x27:
f9d2d057 5d pop ebp
kd> g
RTL: RtlNtStatusToDosError(0x81280000): No Valid Win32 Error Mapping
RTL: Edit ntos\rtl\generr.c to correct the problem
RTL: RtlNtStatusToDosError(0x813707d8): No Valid Win32 Error Mapping
RTL: Edit ntos\rtl\generr.c to correct the problem
RTL: ERROR_MR_MID_NOT_FOUND is being returned
RTL: ERROR_MR_MID_NOT_FOUND is being returned
Terminating critical process 0x81544020 (csrss.exe)
Break, or Ignore (bi)? i
i
*** Fatal System Error: 0x00000050
(0xF000F85D,0x00000000,0x805D891F,0x00000000)
Break instruction exception - code 80000003 (first chance)
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.
Connected to Windows XP 2600 x86 compatible target at (Wed Mar 23 13:10:23.033 2011 (GMT+8)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
......................................................
Loading User Symbols
..............
Loading unloaded module list
.........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
以下是源代码:
ULONG Real_KiFastCallEntry;
ULONG ulCnt = 0;
__declspec(naked) Hook_KiFastCallEntry()
{
ulCnt++;
/*if (ulCnt%100 == 0)
{
DbgPrint("第%d百次调用SYSENTER指令!\n", ulCnt/100);
}*/
__asm
{
jmp Real_KiFastCallEntry ;
}
}
NTSTATUS
DriverEntry(
__in struct _DRIVER_OBJECT *pDriverObject,
__in PUNICODE_STRING pRegistryPath
)
{
#ifdef DBG
_asm int 3;
#endif
pDriverObject->DriverUnload = Unload;
__asm
{
mov ecx, 0x176;
rdmsr; // 读取SYSENTER_EIP_MSR寄存器
mov Real_KiFastCallEntry, eax;
mov eax, Hook_KiFastCallEntry;
xor edx, edx; //写SYSENTER_EIP_MSR寄存器前得清空edx,否则引起系统崩溃
wrmsr; // 写入SYSENTER_EIP_MSR寄存器
}
return STATUS_SUCCESS;
}
//驱动卸载
VOID
Unload(
__in struct _DRIVER_OBJECT *pDriverObject
)
{
_asm
{
mov ecx, 0x176;
xor edx, edx;
mov eax, Real_KiFastCallEntry;
wrmsr; // 写入SYSENTER_EIP_MSR寄存器
}
DbgPrint("Unload运行完毕,驱动卸载成功!\n");
}
//哪位大牛给解惑下咯。
...全文
请发表友善的回复…
发表回复
VirtualRookit 2011-03-23
- 打赏
- 举报
[Quote=引用 1 楼 keeley20 的回复:]
你这个发到相应的编程板块好一点,专业人士多一些。
[/Quote]
嗯,我在别的版块解决了,解决如下:
//注意__declspec(naked)函数的用法
__declspec(naked) Hook_KiFastCallEntry()
{
_asm pushad; //保护通用寄存器
ulCnt++; //此处用到寄存器
/*if (ulCnt%100 == 0)
{
DbgPrint("第%d百次调用SYSENTER指令!\n", ulCnt/100);
}*/
_asm popad;
__asm
{
jmp Real_KiFastCallEntry ;
}
}
你这个发到相应的编程板块好一点,专业人士多一些。
[/Quote]
嗯,我在别的版块解决了,解决如下:
//注意__declspec(naked)函数的用法
__declspec(naked) Hook_KiFastCallEntry()
{
_asm pushad; //保护通用寄存器
ulCnt++; //此处用到寄存器
/*if (ulCnt%100 == 0)
{
DbgPrint("第%d百次调用SYSENTER指令!\n", ulCnt/100);
}*/
_asm popad;
__asm
{
jmp Real_KiFastCallEntry ;
}
}
keeley20 2011-03-23
- 打赏
- 举报
你这个发到相应的编程板块好一点,专业人士多一些。
