Hook KiDispatchException

// Re-implementation of the kernel's amd64 exception dispatcher, meant to be
// installed in place of KiDispatchException. It captures a CONTEXT from the
// trap/exception frames, lets the fault pre-processor, the kernel debugger
// and either RtlDispatchException (kernel mode) or the user-mode debugger /
// KeUserExceptionDispatcher (user mode) handle the exception, and finally
// writes the (possibly modified) context back into the frames.
//
// Parameters (same contract as the routine it replaces):
//   ExceptionRecord - exception to dispatch; modified in place (WoW64 code
//                     translation, zeroing of unused parameters, replacement
//                     by a stack-overflow record on retry).
//   ExceptionFrame  - non-volatile register frame.
//   TrapFrame       - volatile register frame; Rsp/Rip/SegCs/EFlags are
//                     rewritten when the exception is delivered to user mode.
//   PreviousMode    - KernelMode or UserMode at the time of the exception.
//   FirstChance     - TRUE on the first dispatch attempt, FALSE on the second.
//
// Returns nothing. Does not return when a kernel-mode exception is unhandled
// (KeBugCheckEx) or a user-mode exception is unhandled on its second chance
// (ZwTerminateProcess followed by KeBugCheckEx).
//
// NOTE(review): this depends on undocumented kernel internals — Old_*
// function pointers resolved elsewhere, raw structure offsets, and the
// CONTEXT_EX / EXTEND_CONTEXT_AREA layouts (whose typedefs are not part of
// this listing). Every hard-coded offset below is specific to one build of
// the kernel and must be re-verified against that build's symbols.
VOID
Hook_KiDispatchException (
    IN PEXCEPTION_RECORD ExceptionRecord,
    IN PKEXCEPTION_FRAME ExceptionFrame,
    IN PKTRAP_FRAME TrapFrame,
    IN KPROCESSOR_MODE PreviousMode,
    IN BOOLEAN FirstChance
    )
{
    CONTEXT ExtendedContext;            // context captured from the frames
    ULONG Flags;                        // CONTEXT_* flags being captured
    ULONG ContextLength;                // filled by RtlGetExtendedContextLength, not used afterwards
    PEXTEND_CONTEXT_AREA ExtenContextArea;
    NTSTATUS status;                    // result of RtlInitializeExtendedContext (never checked)
    ULONG64 FaultingRsp;                // user Rsp at the time of the fault
    BOOLEAN bText;                      // TRUE for a breakpoint carrying a non-zero first parameter
    EXCEPTION_RECORD ExceptionRecord1;  // scratch record filled in by the SEH filter
    PMACHINE_FRAME MachineFrame1;
    ULONG64 UserStack1;                 // user address of the copied EXCEPTION_RECORD
    ULONG64 UserStack2;                 // user address of the copied CONTEXT (new user Rsp)
    ULONG64 UserStack3;                 // unused
    ULONG64 FaultingRspTemp;
    CONTEXT_EX UserContextEx1;
    CONTEXT_EX UserContextEx2;
    // PreviousMode is stashed in the first byte of the CONTEXT (overlays P1Home).
    *(PBYTE)((ULONGLONG)&ExtendedContext) = PreviousMode;
    KeGetCurrentPrcb()->KeExceptionDispatchCount += 1;
    // 0x10001F = CONTEXT_AMD64 | CONTEXT_ALL (control, integer, segments,
    // floating point, debug registers).
    Flags = 0x10001F;
    if (PreviousMode)
    {
        // User-mode exception: also capture CONTEXT_XSTATE (0x40) when
        // KeFeatureBits bit 23 (presumably the XSTATE feature flag) is set and
        // some extended state beyond x87/SSE (mask bits 0 and 1) is enabled.
        if (_bittest((long*)&(*(ULONGLONG*)KeFeatureBits), 0x17u))
        {
            if ( *(ULONGLONG*)KeEnabledXStateFeatures & 0xFFFFFFFFFFFFFFFCui64 )
                Flags = 0x10005F;
        }
    }
    ((Old_RtlGetExtendedContextLength)RtlGetExtendedContextLength)(Flags,&ContextLength);
    //*(PDWORD)((ULONGLONG)&ExtendedContext+4) = Flags;
    ExtendedContext.ContextFlags = Flags;
    // NOTE(review): status is never examined; if this call failed,
    // ExtenContextArea may be unset when it is dereferenced just below.
    status = ((Old_RtlInitializeExtendedContext)RtlInitializeExtendedContext)(&ExtendedContext,Flags,&ExtenContextArea);
    if ((Flags&0x10040) == 0x10040)
    {
        // CONTEXT_XSTATE requested: store the enabled feature mask (minus
        // x87/SSE) at the start of the XSAVE area. The DWORD at +0x10 of the
        // extended-context area is read as the XState offset — consistent with
        // the CONTEXT_EX layout (All, Legacy, XState) copied as 0x18 bytes below.
        *(ULONGLONG*)(*(PDWORD)((ULONGLONG)ExtenContextArea+0x10)+(ULONGLONG)ExtenContextArea) = \
        *(ULONGLONG*)KeEnabledXStateFeatures & 0xFFFFFFFFFFFFFFFCui64;
    }
    ((Old_KeContextFromKframes)KeContextFromKframes)(TrapFrame,ExceptionFrame,&ExtendedContext);
    // For a breakpoint, back Rip up by one so the context points at the
    // breakpoint instruction rather than past it.
    if (ExceptionRecord->ExceptionCode == STATUS_BREAKPOINT)
        ExtendedContext.Rip--;
    // The fault pre-processor may resolve the exception outright, before any
    // debugger or handler sees it.
    if (((Old_KiPreprocessFault)KiPreprocessFault)(
        ExceptionRecord,
        TrapFrame,
        &ExtendedContext,
        PreviousMode) != FALSE)
    {
        goto Handled1;
    }
    if (PreviousMode == KernelMode)
    {
        // KernelMode is 0, so this reads as "FirstChance != FALSE".
        if (FirstChance != PreviousMode)
        {
            // First chance: kernel debugger, then the kernel's frame-based
            // handlers.
            if (((PKDEBUG_ROUTINE)(*(PULONG64)KiDebugRoutine))(TrapFrame,
                ExceptionFrame,
                ExceptionRecord,
                &ExtendedContext,
                PreviousMode,
                FALSE) != FALSE)
            {
                goto Handled1;
            }
            if (((Old_RtlDispatchException)RtlDispatchException)(ExceptionRecord, &ExtendedContext) != FALSE)
            {
                goto Handled1;
            }
        }
        // Second chance (or first chance left unhandled): give the debugger a
        // last look, then bugcheck.
        if (((PKDEBUG_ROUTINE)(*(PULONG64)KiDebugRoutine))(
            TrapFrame,
            ExceptionFrame,
            ExceptionRecord,
            &ExtendedContext,
            FALSE,
            TRUE) != FALSE)
        {
            goto Handled1;
        }
        KeBugCheckEx(KMODE_EXCEPTION_NOT_HANDLED,
            ExceptionRecord->ExceptionCode,
            (ULONG64)ExceptionRecord->ExceptionAddress,
            ExceptionRecord->ExceptionInformation[0],
            ExceptionRecord->ExceptionInformation[1]);
    }
    else
    {
        // WoW64 process taking an alignment fault with EFLAGS.AC set: clear AC
        // and resume without reporting anything.
        if (( ((PEPROCESS_S)PsGetCurrentProcess())->Wow64Process != NULL) &&
            (ExceptionRecord->ExceptionCode == STATUS_DATATYPE_MISALIGNMENT) &&
            ((TrapFrame->EFlags & EFLAGS_AC_MASK) != 0))
        {
            TrapFrame->EFlags &= ~EFLAGS_AC_MASK;
            goto TheEnd1;
        }
        // Compatibility-mode (32-bit) code selector (RPL/TI bits masked off):
        // report the WX86 flavours of breakpoint/single-step and round the
        // stack pointer down to 16 bytes.
        if ((ExtendedContext.SegCs & 0xfff8) == KGDT64_R3_CMCODE)
        {
            switch (ExceptionRecord->ExceptionCode)
            {
            case STATUS_BREAKPOINT:
                ExceptionRecord->ExceptionCode = STATUS_WX86_BREAKPOINT;
                break;
            case STATUS_SINGLE_STEP:
                ExceptionRecord->ExceptionCode = STATUS_WX86_SINGLE_STEP;
                break;
            }
            FaultingRsp = (ExtendedContext.Rsp & 0xfffffff0UI64);
        } else {
            FaultingRsp = ExtendedContext.Rsp;
        }
        if (STATUS_SINGLE_STEP == ExceptionRecord->ExceptionCode)
        {
            PETHREAD_S CurThread;
            CurThread = (PETHREAD_S)PsGetCurrentThread();
            if (CurThread)
            {
                // NOTE(review): raw offsets — byte +3 of the thread object is
                // tested for 0x40, then 0x10 is OR'ed into the QWORD at +0x58 of
                // the structure pointed to by thread+0x1B8. Presumably a
                // debug-active flag and a TEB field; confirm against the target
                // build's symbols before trusting either offset.
                if ((*(PBYTE)((ULONGLONG)CurThread+3))&0x40)
                {
                    *(PULONGLONG)(*(PULONGLONG)((ULONGLONG)CurThread + 0x1B8) + 0x58) |= 0x10;
                }
            }
        }
        // Zero the unused ExceptionInformation slots so stale kernel stack
        // bytes are not copied to user mode with the record below.
        // NOTE(review): the length subtracts a PEXCEPTION_RECORD from a
        // PULONG_PTR — pointers of different types, so this is not a byte count
        // and may not compile as written. The intended count is
        // (PCHAR)ExceptionRecord + sizeof(EXCEPTION_RECORD) -
        // (PCHAR)&ExceptionRecord->ExceptionInformation[NumberParameters];
        // confirm what the build actually produces here.
        memset(&ExceptionRecord->ExceptionInformation[ExceptionRecord->NumberParameters],
            0,
            ExceptionRecord - &ExceptionRecord->ExceptionInformation[ExceptionRecord->NumberParameters] + sizeof(EXCEPTION_RECORD));
        if (FirstChance == TRUE)
        {
            // bText: a breakpoint whose first parameter is non-zero —
            // presumably a debug-service breakpoint (DbgPrint-style) rather
            // than a plain int 3. Such breakpoints still reach the kernel
            // debugger even when a user-mode debugger is attached.
            bText = FALSE;
            if (ExceptionRecord->ExceptionCode == STATUS_BREAKPOINT ||
                ExceptionRecord->ExceptionCode == STATUS_WX86_BREAKPOINT)
            {
                if (ExceptionRecord->NumberParameters > 0 &&
                    ExceptionRecord->ExceptionInformation[0] != NULL)
                {
                    bText = TRUE;
                }
            }
            //KiDispatchException + 0x241 eb KiDispatchException + 0x241 0x90 0xe9
            // A user-mode debugger is attached (DebugPort) or the kernel
            // debugger was told to ignore user-mode exceptions: skip
            // KiDebugRoutine unless this is a debug-service breakpoint.
            if (((PEPROCESS_S)PsGetCurrentProcess())->DebugPort != NULL ||
                *(ULONGLONG*)KdIgnoreUmExceptions != 0)
            {
                if (bText == FALSE)
                {
                    goto __Leep2;
                }
            }
            // Kernel debugger, first chance.
            if (((PKDEBUG_ROUTINE)(*(PULONG64)KiDebugRoutine))(
                TrapFrame,
                ExceptionFrame,
                ExceptionRecord,
                &ExtendedContext,
                PreviousMode,
                NULL) != FALSE)
            {
                goto Handled1;
            }
        __Leep2:
            // User-mode debugger, first chance.
            if (DbgkForwardException(ExceptionRecord, TRUE, FALSE)) {
                goto TheEnd1;
            }
            // Nobody took it: deliver to the user-mode dispatcher. TF is
            // cleared first, presumably so a pending single step does not fire
            // inside the dispatcher.
            TrapFrame->EFlags &= ~EFLAGS_TF_MASK;
            // NOTE(review): only ExceptionCode of the local record has been
            // assigned, yet a full sizeof(EXCEPTION_RECORD) is copied over the
            // caller's record. Unless ExceptionRecord1 is initialized somewhere
            // not shown, this replaces the exception about to be delivered with
            // uninitialized stack contents — confirm against the reference
            // dispatcher, where the copy happens only in the __except path.
            ExceptionRecord1.ExceptionCode = STATUS_ACCESS_VIOLATION;
            memmove(&ExceptionRecord->ExceptionCode,&ExceptionRecord1.ExceptionCode,sizeof(EXCEPTION_RECORD));
            FaultingRspTemp = FaultingRsp;//r15
            if ((Flags&0x10040) == 0x10040)
            {
                // Reserve the XSAVE area below the faulting Rsp (Unkwon5 is
                // presumably its length) and align it to 64 bytes.
                FaultingRspTemp -= ExtenContextArea->Unkwon5;
                FaultingRspTemp = FaultingRspTemp&0x0FFFFFFFFFFFFFFC0;
            }
        repeat:
            __try
            {
                // Build the user stack from high to low addresses:
                // MACHINE_FRAME, EXCEPTION_RECORD, a 0x20-byte gap, CONTEXT.
                // UserContextEx2 then describes the CONTEXT_EX relative to the
                // CONTEXT at UserContextEx1.All.Offset.
                // NOTE(review): if CONTEXT_EX.All.Offset is the usual 32-bit
                // LONG, storing a 64-bit user address in it truncates the
                // address; this depends on the author's CONTEXT_EX typedef,
                // which is not shown here.
                MachineFrame1 =
                    (PMACHINE_FRAME)((FaultingRspTemp - sizeof(MACHINE_FRAME)) & ~STACK_ROUND);
                UserStack1 = (ULONG64)MachineFrame1 - EXCEPTION_RECORD_LENGTH;
                UserContextEx1.All.Offset = (UserStack1 - 0x20);
                UserStack2 = UserContextEx1.All.Offset - CONTEXT_LENGTH;
                UserContextEx2.All.Offset = UserStack2 - UserContextEx1.All.Offset;
                UserContextEx2.All.Length = FaultingRsp - UserStack2;
                UserContextEx2.Legacy.Offset = UserStack2 - UserContextEx1.All.Offset;
                UserContextEx2.Legacy.Length = 0x4D0;
                UserContextEx2.XState.Offset = FaultingRspTemp - UserContextEx1.All.Offset;
                UserContextEx2.XState.Length = FaultingRsp - FaultingRspTemp;
                // Validate the whole range as writable user memory before any
                // write; an inaccessible stack raises into the __except below.
                ProbeForWriteSmallStructure((PVOID)UserStack2,
                    sizeof(MACHINE_FRAME) + EXCEPTION_RECORD_LENGTH + CONTEXT_LENGTH,
                    STACK_ALIGN);
                MachineFrame1->Rsp = FaultingRsp;
                MachineFrame1->Rip = ExtendedContext.Rip;
                //*(PEXCEPTION_RECORD)UserStack1 = *ExceptionRecord;
                // 0x98 is sizeof(EXCEPTION_RECORD) on amd64.
                memmove((PVOID)UserStack1,ExceptionRecord,0x98);
                // Copy the CONTEXT (and XSAVE area, if any) to the user stack.
                ((Old_RtlpCopyExtendedContext)RtlpCopyExtendedContext)(
                    TRUE,
                    UserContextEx1.All.Offset,
                    &UserContextEx2.All.Offset,
                    Flags,
                    ExtenContextArea,
                    0);
                //*(PCONTEXT)UserContextEx1 = *(PCONTEXT)UserContextEx2.All.Offset;
                // NOTE(review): this copies the 0x18-byte CONTEXT_EX header into
                // the kernel local UserContextEx1, not into user memory; the
                // commented-out line above suggests the user copy was intended.
                memmove(&UserContextEx1,&UserContextEx2,0x18);
                // Redirect the thread to KeUserExceptionDispatcher in user mode;
                // interrupts are disabled while the trap frame is patched.
                TrapFrame->Rsp = UserStack2; //+0x180 r14
                _disable();
                TrapFrame->SegCs = KGDT64_R3_CODE | RPL_MASK; // +0x170
                TrapFrame->Rip = (ULONG64)KeUserExceptionDispatcher;
                // A process-wide instrumentation callback, if set, runs first
                // and receives the real target in R10.
                if (((PEPROCESS_S)PsGetCurrentProcess())->Pcb.InstrumentationCallback)
                {
                    TrapFrame->R10 = TrapFrame->Rip;
                    TrapFrame->Rip = (ULONG64)((PEPROCESS_S)PsGetCurrentProcess())->Pcb.InstrumentationCallback;
                }
                _enable();
                goto TheEnd1;
            } __except (KiCopyInformation(&ExceptionRecord1,
                (GetExceptionInformation())->ExceptionRecord))
            {
                // The user stack could not be written. On stack overflow,
                // replace the exception with the overflow record and retry so
                // that record is delivered instead. Any other failure leaves
                // the __try and falls through to Handled1.
                // NOTE(review): the reference dispatcher continues into
                // second-chance processing here; falling through to Handled1
                // just restores the context and resumes at the faulting
                // instruction. Confirm this is intended.
                if (ExceptionRecord1.ExceptionCode == STATUS_STACK_OVERFLOW)
                {
                    ExceptionRecord1.ExceptionAddress = ExceptionRecord->ExceptionAddress;
                    *ExceptionRecord = ExceptionRecord1;
                    goto repeat;
                }
            }
        }
        else
        {
            // Second chance: user-mode debugger, then the exception port; if
            // neither takes it, terminate the process. ZwTerminateProcess on the
            // current process is not expected to return, so the bugcheck is a
            // backstop.
            // NOTE(review): KeBugCheckEx takes ULONG_PTR parameters; the (ULONG)
            // casts truncate the 64-bit exception address and trap-frame pointer.
            if (DbgkForwardException(ExceptionRecord, TRUE, TRUE)) {
                goto TheEnd1;
            }else if (DbgkForwardException(ExceptionRecord, FALSE, TRUE)){
                goto TheEnd1;
            }else{
                ZwTerminateProcess(NtCurrentProcess(), ExceptionRecord->ExceptionCode);
                KeBugCheckEx(
                    KERNEL_MODE_EXCEPTION_NOT_HANDLED,
                    ExceptionRecord->ExceptionCode,
                    (ULONG)ExceptionRecord->ExceptionAddress,
                    (ULONG)TrapFrame,
                    0);
            }
        }
    }
Handled1:
    // A handler accepted the exception: write the (possibly modified) context
    // back into the frames so the thread resumes with its changes.
    ((Old_KeContextToKframes)KeContextToKframes)(
        TrapFrame,
        ExceptionFrame,
        &ExtendedContext,
        ExtendedContext.ContextFlags,
        PreviousMode);
TheEnd1:;
}
要是楼主能把结构的定义也发出来就完美了