差不多我用到的大部分代码都是从上面cv(Ctrl+c---->Ctrl+v)下来的
1、首先解决The context is partially valid. Only x86 user-mode context is available.
具体方式是hookKdpTrap
2、 防止安全组件加载失败
SharedUserData->KdDebuggerEnabled = FALSE; //防止安全组件加载失败,SharedUserData这个是一个导出的全局变量直接写就行
3、XP会清零KdDebuggerEnabled
这里本来是打算做一个定时器,但是还是会导致TesNginx.Sycccccccccccccc出现蓝屏,所以只有手动的去修改
4、断链隐藏 kdcom,防止kdcom内存被清空导致和windbg通讯不了
5、XP会检测KdEnteredDebugger,如果是1就直接蓝屏
处理方式是让他去找其他位置(PUCHAR)KdEnteredDebugger + 0x30; //据暗中观察,+0x30 的位置恒为0
做完这些之后基本上就能够下断点了,但是其实还是有问题(由于hook了系统函数有一定的几率会触发109错误->PathGuard,一开始我也分不清楚,后来慢慢的也了解了)
之后放上一张过了图片
最后把代码也带上吧,.asm文件很简单简单的inlinhook就行了
#include <Ntifs.h> #include <ntimage.h> extern void debg(); //关闭写保护 KIRQL WPOFFx64(){ KIRQL irql = KeRaiseIrqlToDpcLevel(); UINT64 cr0 = __readcr0(); cr0 &= 0xfffffffffffeffff; __writecr0(cr0); _disable(); return irql; } //开启写保护 void WPONx64(KIRQL irql){ UINT64 cr0 = __readcr0(); cr0 |= 0x10000; _enable(); __writecr0(cr0); KeLowerIrql(irql); } //这里尝试过tp的双机调试,环境为win10 1903 //---------------------------------------------------------------------------------------------------------------------------------------------------------------- //1、首先解决The context is partially valid. Only x86 user-mode context is available. /* nt!KdpTrap: fffff807`64bfffc8 48895c2408 mov qword ptr [rsp+8],rbx fffff807`64bfffcd 4889542410 mov qword ptr [rsp+10h],rdx fffff807`64bfffd2 57 push rdi fffff807`64bfffd3 4883ec40 sub rsp,40h fffff807`64bfffd7 33d2 xor edx,edx */ ULONG64 orgkdt = 0xfffff80166201fc8; //ULONG64 orgkdt= 0xfffff80764bfffc8;//直接写硬编码,这里需要进行修改<------------------------------------------------------------------------------------------------------------------------------------------------------- NTKERNELAPI UCHAR * PsGetProcessImageFileName(__in PEPROCESS Process); extern NTSTATUS hdbktrap(IN PKTRAP_FRAME TrapFrame,IN PKEXCEPTION_FRAME ExceptionFrame,IN PEXCEPTION_RECORD ExceptionRecord,IN PCONTEXT ContextRecord,IN KPROCESSOR_MODE PreviousMode,IN BOOLEAN SecondChanceException); //这里做一个跳转 VOID ModifyKdpTrap(PVOID myaddress,PVOID targetaddress) { KIRQL irql; ULONGLONG myfun; UCHAR jmp_code[] = "\x48\xB8\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\xFF\xE0\x00\x00";//mov rax xxx,jmp rax myfun = (ULONGLONG)myaddress;//替换成自己的函数地址 RtlCopyMemory(jmp_code + 2, &myfun, 8); //debg(); irql = WPOFFx64(); RtlCopyMemory(targetaddress, jmp_code, 12); WPONx64(irql); } //这里完成hook NTSTATUS HookKdpTrap( IN PKTRAP_FRAME TrapFrame, IN PKEXCEPTION_FRAME ExceptionFrame, IN PEXCEPTION_RECORD ExceptionRecord, IN PCONTEXT ContextRecord, IN KPROCESSOR_MODE PreviousMode, IN BOOLEAN SecondChanceException){ PEPROCESS hp = PsGetCurrentProcess(); if (!_stricmp((char *)PsGetProcessImageFileName(hp), "TASLogin.exe")){ return STATUS_SUCCESS; } return hdbktrap(TrapFrame, ExceptionFrame, ExceptionRecord, ContextRecord, PreviousMode, SecondChanceException); } //这里做一个还原 void UnHookKdpTrap() { KIRQL irql; UCHAR orignal_code[] = "\x48\x89\x5c\x24\x08\x48\x89\x54\x24\x10\x57\x48\x83\xec\x40";//mov rax xxx,jmp rax irql = WPOFFx64(); RtlCopyMemory(orgkdt, orignal_code, 15); WPONx64(irql); } //---------------------------------------------------------------------------------------------------------------------------------------------------------------- //---------------------------------------------------------------------------------------------------------------------------------------------------------------- //2、 防止安全组件加载失败 VOID DisableKdDebuggerEnabled() { SharedUserData->KdDebuggerEnabled = FALSE; //防止安全组件加载失败 } //---------------------------------------------------------------------------------------------------------------------------------------------------------------- //---------------------------------------------------------------------------------------------------------------------------------------------------------------- //3、TP会清零KdDebuggerEnabled,这里做一个每隔一秒的定时器 //---------------------------------------------------------------------------------------------------------------------------------------------------------------- //---------------------------------------------------------------------------------------------------------------------------------------------------------------- //4、断链隐藏 kdcom,防止kdcom内存被清空导致和windbg通讯不了 /* 0: kd> dt _eprocess nt!_EPROCESS +0x000 Pcb : _KPROCESS +0x2e0 ProcessLock : _EX_PUSH_LOCK +0x2e8 UniqueProcessId : Ptr64 Void +0x2f0 ActiveProcessLinks : _LIST_ENTRY */ PDRIVER_OBJECT pDriverObject = NULL; typedef struct _KLDR_DATA_TABLE_ENTRY { LIST_ENTRY InLoadOrderLinks; PVOID ExceptionTable; ULONG ExceptionTableSize; PVOID GpValue; ULONG UnKnow; PVOID DllBase; PVOID EntryPoint; ULONG SizeOfImage; UNICODE_STRING FullDllName; UNICODE_STRING BaseDllName; ULONG Flags; USHORT LoadCount; USHORT __Unused5; PVOID SectionPointer; ULONG CheckSum; PVOID LoadedImports; PVOID PatchInformation; } KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY; VOID HideDriver(){ PKLDR_DATA_TABLE_ENTRY entry = (PKLDR_DATA_TABLE_ENTRY)pDriverObject->DriverSection; PKLDR_DATA_TABLE_ENTRY firstentry; UNICODE_STRING uniDriverName; firstentry = entry; // 初始化要隐藏驱动的驱动名 RtlInitUnicodeString(&uniDriverName, L"kdcom.dll"); while ((PKLDR_DATA_TABLE_ENTRY)entry->InLoadOrderLinks.Flink != firstentry){ if (entry->FullDllName.Buffer != 0){ if (RtlCompareUnicodeString(&uniDriverName, &(entry->BaseDllName), FALSE) == 0){ //DbgPrint("隐藏驱动 %ws 成功!\n", entry->BaseDllName.Buffer); // 修改 Flink 和 Blink 指针, 以跳过我们要隐藏的驱动 *((ULONG*)entry->InLoadOrderLinks.Blink) = (ULONG)entry->InLoadOrderLinks.Flink; entry->InLoadOrderLinks.Flink->Blink = entry->InLoadOrderLinks.Blink; /* 使被隐藏驱动LIST_ENTRY结构体的Flink, Blink域指向自己 因为此节点本来在链表中, 那么它邻接的节点驱动被卸载时, 系统会把此节点的Flink, Blink域指向它相邻节点的下一个节点. 但是, 它此时已经脱离链表了, 如果现在它原本相邻的节点驱动被 卸载了, 那么此节点的Flink, Blink域将有可能指向无用的地址, 而 造成随机性的BSoD. */ entry->InLoadOrderLinks.Flink = (LIST_ENTRY*)&(entry->InLoadOrderLinks.Flink); entry->InLoadOrderLinks.Blink = (LIST_ENTRY*)&(entry->InLoadOrderLinks.Flink); break; } } // 链表往前走 entry = (PKLDR_DATA_TABLE_ENTRY)entry->InLoadOrderLinks.Flink; } } //---------------------------------------------------------------------------------------------------------------------------------------------------------------- //---------------------------------------------------------------------------------------------------------------------------------------------------------------- //5、处理TP蓝屏 /* fffff807`642d2210 48895c2420 mov qword ptr [rsp+20h],rbx fffff807`642d2215 4488442418 mov byte ptr [rsp+18h],r8b fffff807`642d221a 56 push rsi fffff807`642d221b 57 push rdi fffff807`642d221c 4154 push r12 fffff807`642d221e 4155 push r13 fffff807`642d2220 4157 push r15 fffff807`642d2222 4883ec20 sub rsp,20h */ #define KdEnteredDebugger 0xfffff80165d061e0 //#define KdEnteredDebugger 0xfffff80764704100//直接写硬编码,这里需要进行修改<----------------------------------------------------------------------------------------------------------------------------------------------- extern PMDL hookIoAllocateMdl(__drv_aliasesMem PVOID VirtualAddress, ULONG Length, BOOLEAN SecondaryBuffer, BOOLEAN ChargeQuota, PIRP Irp); ULONG64 IoAllocateM=0; //这里做一个跳转 VOID ModifyIoAllocateMdl(PVOID myaddress, PVOID targetaddress) { KIRQL irql; ULONGLONG myfun; UCHAR jmp_code[] = "\x48\xB8\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\xFF\xE0\x00\x00";//mov rax xxx,jmp rax myfun = (ULONGLONG)myaddress;//替换成自己的函数地址 RtlCopyMemory(jmp_code + 2, &myfun, 8); //debg(); irql = WPOFFx64(); RtlCopyMemory(targetaddress, jmp_code, 12); WPONx64(irql); } PMDL newIoAllocateMdl(__drv_aliasesMem PVOID VirtualAddress, ULONG Length, BOOLEAN SecondaryBuffer, BOOLEAN ChargeQuota, PIRP Irp){ //debg(); if(VirtualAddress == KdEnteredDebugger){ //DbgPrint("[KdEnteredDebugger] address: %p\n", KdEnteredDebugger); VirtualAddress = (PUCHAR)KdEnteredDebugger + 0x30; //据暗中观察,+0x30 的位置恒为0 } return hookIoAllocateMdl(VirtualAddress, Length, SecondaryBuffer, ChargeQuota, Irp); } //这里做一个还原 void UnHookIoAllocateMdl() { KIRQL irql; UCHAR orignal_code[] = "\x48\x89\x5c\x24\x20\x44\x88\x44\x24\x18\x56\x57\x41\x54\x41\x55"; irql = WPOFFx64(); RtlCopyMemory(IoAllocateMdl, orignal_code, 15); WPONx64(irql); } //---------------------------------------------------------------------------------------------------------------------------------------------------------------- VOID DriverUnload(PDRIVER_OBJECT DriverObject) { //还原之前的KdpTraphook UnHookKdpTrap(); //还原之前的IoAllocateMdl UnHookIoAllocateMdl(); //取消定时器 DbgPrint("See You !\n"); } NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegPath) { pDriverObject = DriverObject; DriverObject->DriverUnload = DriverUnload; //这里把这个函数进行了hook ModifyKdpTrap(HookKdpTrap, orgkdt); //防止安全组件加载失败 DisableKdDebuggerEnabled(); //摘掉kdcom的eprocess HideDriver(); //干掉TP蓝屏 IoAllocateM = (ULONG64)IoAllocateMdl;//得到函数的地址 ModifyIoAllocateMdl(newIoAllocateMdl, IoAllocateMdl); //设置定时器 return STATUS_SUCCESS; }
总结
以上所述是小编给大家分享的Win10 1903过TP的双机调试问题,希望对大家有所帮助,如果大家有任何疑问请给我留言,小编会及时回复大家的。在此也非常感谢大家对网站的支持!
如果你觉得本文对你有帮助,欢迎转载,烦请注明出处,谢谢!
免责声明:本站资源来自互联网收集,仅供用于学习和交流,请遵循相关法律法规,本站一切资源不代表本站立场,如有侵权、后门、不妥请联系本站删除!
稳了!魔兽国服回归的3条重磅消息!官宣时间再确认!
昨天有一位朋友在大神群里分享,自己亚服账号被封号之后居然弹出了国服的封号信息对话框。
这里面让他访问的是一个国服的战网网址,com.cn和后面的zh都非常明白地表明这就是国服战网。
而他在复制这个网址并且进行登录之后,确实是网易的网址,也就是我们熟悉的停服之后国服发布的暴雪游戏产品运营到期开放退款的说明。这是一件比较奇怪的事情,因为以前都没有出现这样的情况,现在突然提示跳转到国服战网的网址,是不是说明了简体中文客户端已经开始进行更新了呢?
更新日志
- 小骆驼-《草原狼2(蓝光CD)》[原抓WAV+CUE]
- 群星《欢迎来到我身边 电影原声专辑》[320K/MP3][105.02MB]
- 群星《欢迎来到我身边 电影原声专辑》[FLAC/分轨][480.9MB]
- 雷婷《梦里蓝天HQⅡ》 2023头版限量编号低速原抓[WAV+CUE][463M]
- 群星《2024好听新歌42》AI调整音效【WAV分轨】
- 王思雨-《思念陪着鸿雁飞》WAV
- 王思雨《喜马拉雅HQ》头版限量编号[WAV+CUE]
- 李健《无时无刻》[WAV+CUE][590M]
- 陈奕迅《酝酿》[WAV分轨][502M]
- 卓依婷《化蝶》2CD[WAV+CUE][1.1G]
- 群星《吉他王(黑胶CD)》[WAV+CUE]
- 齐秦《穿乐(穿越)》[WAV+CUE]
- 发烧珍品《数位CD音响测试-动向效果(九)》【WAV+CUE】
- 邝美云《邝美云精装歌集》[DSF][1.6G]
- 吕方《爱一回伤一回》[WAV+CUE][454M]