,hook SYSENTER指令的有关问题
日期:2014-05-17 浏览次数:20866 次
高手进,hook SYSENTER指令的问题
DriverEntry返回后操作系统崩溃,为什么呢,哪位高手解答下,感激。
windbg信息如下:
kernel!DriverEntry+0x27:
f9d2d057 5d pop ebp
kd> g
RTL: RtlNtStatusToDosError(0x81280000): No Valid Win32 Error Mapping
RTL: Edit ntos\rtl\generr.c to correct the problem
RTL: RtlNtStatusToDosError(0x813707d8): No Valid Win32 Error Mapping
RTL: Edit ntos\rtl\generr.c to correct the problem
RTL: ERROR_MR_MID_NOT_FOUND is being returned
RTL: ERROR_MR_MID_NOT_FOUND is being returned
Terminating critical process 0x81544020 (csrss.exe)
Break, or Ignore (bi)? i
i
*** Fatal System Error: 0x00000050
(0xF000F85D,0x00000000,0x805D891F,0x00000000)
Break instruction exception - code 80000003 (first chance)
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.
Connected to Windows XP 2600 x86 compatible target at (Wed Mar 23 13:10:23.033 2011 (GMT+8)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
......................................................
Loading User Symbols
..............
Loading unloaded module list
.........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
以下是源代码:
ULONG Real_KiFastCallEntry;
ULONG ulCnt = 0;
__declspec(naked) Hook_KiFastCallEntry()
{
ulCnt++;
/*if (ulCnt%100 == 0)
{
DbgPrint("第%d百次调用SYSENTER指令!\n", ulCnt/100);
}*/
__asm
{
jmp Real_KiFastCallEntry ;
}
}
NTSTATUS
DriverEntry(
__in struct _DRIVER_OBJECT *pDriverObject,
__in PUNICODE_STRING pRegistryPath
)
{
#ifdef DBG
_asm int 3;
#endif
pDriverObject->DriverUnload = Unload;
__asm
{
mov ecx, 0x176;
rdmsr; // 读取SYSENTER_EIP_MSR寄存器
mov Real_KiFastCallEntry, eax;
mov eax, Hook_KiFastCallEntry;
xor edx, edx; //写SYSENTER_EIP_MSR寄存器前得清空edx,否则引起系统崩溃
wrmsr; // 写入SYSENTER_EIP_MSR寄存器
}
return STATUS_SUCCESS;
}
//驱动卸载
VOID
Unload(
__in struct _DRIVER_OBJECT *pDriverObject
)
{
_asm
{
mov ecx, 0x176;
xor edx, edx;
mov eax, Real_KiFastCallEntry;
wrmsr; // 写入SYSENTER_EIP_MSR寄存器
}
DbgPrint("Unload运行完毕,驱动卸载成功!\n");
}
//哪位大牛给解惑下咯。
------解决方案--------------------
你这个发到相应的编程板块好一点,专业人士多一些。
DriverEntry返回后操作系统崩溃,为什么呢,哪位高手解答下,感激。
windbg信息如下:
kernel!DriverEntry+0x27:
f9d2d057 5d pop ebp
kd> g
RTL: RtlNtStatusToDosError(0x81280000): No Valid Win32 Error Mapping
RTL: Edit ntos\rtl\generr.c to correct the problem
RTL: RtlNtStatusToDosError(0x813707d8): No Valid Win32 Error Mapping
RTL: Edit ntos\rtl\generr.c to correct the problem
RTL: ERROR_MR_MID_NOT_FOUND is being returned
RTL: ERROR_MR_MID_NOT_FOUND is being returned
Terminating critical process 0x81544020 (csrss.exe)
Break, or Ignore (bi)? i
i
*** Fatal System Error: 0x00000050
(0xF000F85D,0x00000000,0x805D891F,0x00000000)
Break instruction exception - code 80000003 (first chance)
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.
Connected to Windows XP 2600 x86 compatible target at (Wed Mar 23 13:10:23.033 2011 (GMT+8)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
......................................................
Loading User Symbols
..............
Loading unloaded module list
.........
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
以下是源代码:
ULONG Real_KiFastCallEntry;
ULONG ulCnt = 0;
__declspec(naked) Hook_KiFastCallEntry()
{
ulCnt++;
/*if (ulCnt%100 == 0)
{
DbgPrint("第%d百次调用SYSENTER指令!\n", ulCnt/100);
}*/
__asm
{
jmp Real_KiFastCallEntry ;
}
}
NTSTATUS
DriverEntry(
__in struct _DRIVER_OBJECT *pDriverObject,
__in PUNICODE_STRING pRegistryPath
)
{
#ifdef DBG
_asm int 3;
#endif
pDriverObject->DriverUnload = Unload;
__asm
{
mov ecx, 0x176;
rdmsr; // 读取SYSENTER_EIP_MSR寄存器
mov Real_KiFastCallEntry, eax;
mov eax, Hook_KiFastCallEntry;
xor edx, edx; //写SYSENTER_EIP_MSR寄存器前得清空edx,否则引起系统崩溃
wrmsr; // 写入SYSENTER_EIP_MSR寄存器
}
return STATUS_SUCCESS;
}
//驱动卸载
VOID
Unload(
__in struct _DRIVER_OBJECT *pDriverObject
)
{
_asm
{
mov ecx, 0x176;
xor edx, edx;
mov eax, Real_KiFastCallEntry;
wrmsr; // 写入SYSENTER_EIP_MSR寄存器
}
DbgPrint("Unload运行完毕,驱动卸载成功!\n");
}
//哪位大牛给解惑下咯。
------解决方案--------------------
你这个发到相应的编程板块好一点,专业人士多一些。
免责声明: 本文仅代表作者个人观点,与爱易网无关。其原创性以及文中陈述文字和内容未经本站证实,对本文以及其中全部或者部分内容、文字的真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
