diff --git a/HookGuard/HookGuard/Hook.c b/HookGuard/HookGuard/Hook.c
index d7b9117..906eb0a 100644
--- a/HookGuard/HookGuard/Hook.c
+++ b/HookGuard/HookGuard/Hook.c
@@ -6,21 +6,17 @@ RTLDISPATCHEXCEPTION g_RtlDispatchException = NULL;
 LONG64 g_TotalCalls = 0;
 LONG64 g_TotalResolved = 0;
-DECLSPEC_NOINLINE VOID HookBreakpoint(VOID)
-{
- *(UINT32*)(g_KernelBase + g_Offsets.KdDebuggerLock) = 0x0;
- *(UINT32*)(g_KernelBase + g_Offsets.NtGlobalFlag) = 0x0;
- __debugbreak();
-}
-
-VOID HookHandlePrivilegedInstruction(PEXCEPTION_RECORD exceptionRecord, PCONTEXT context)
+DECLSPEC_NOINLINE VOID HookHandlePrivilegedInstruction(PEXCEPTION_RECORD exceptionRecord, PCONTEXT context)
 {
 if (exceptionRecord->ExceptionCode != STATUS_PRIVILEGED_INSTRUCTION)
+ {
 return;
+ }
- // mov cr3, xxx
 if (*(PWORD)context->Rip != 0x220F)
+ {
 return;
+ }
 BYTE operand = *(PBYTE)(context->Rip + 2);
 operand &= 7;
@@ -33,15 +29,12 @@ VOID HookHandlePrivilegedInstruction(PEXCEPTION_RECORD exceptionRecord, PCONTEXT
 cr3.Reserved3 = 0x0;
 cr3.AddressOfPageDirectory = GuardCrypt(cr3.AddressOfPageDirectory);
- KdpPrint("Fixing CR3 from 0x%p to 0x%p\n", invalidCr3, cr3.AsUInt);
 InterlockedIncrement64(&g_TotalResolved);
 __writecr3(cr3.AsUInt);
 context->Rip += 3;
 g_ZwContinue(context, FALSE);
-
- HookBreakpoint();
 }
 DECLSPEC_NOINLINE VOID HookFindRecord(VOID)
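Review bot: The removed `// mov cr3, xxx` comment was the only explanation of the `0x220F` guard and of `operand &= 7`, so the new `if (*(PWORD)context->Rip != 0x220F)` now reads as a magic number. Suggest restoring it in fuller form above the check: `// 0F 22 /r = MOV CRn, r64 (little-endian word 0x220F); ModRM at Rip+2, low 3 bits = source GPR`. Note that this two-byte compare pins the opcode but not the ModRM reg field that selects CR3 rather than another control register; unless the lines below the hunk test `((modrm >> 3) & 7) == 3`, a faulting write to CR0/CR4 would be rewritten and resumed as a CR3 fix. HookHandlePrivilegedInstruction continues past the end of the hunk.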
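Review bot: With `HookBreakpoint()` dropped after `g_ZwContinue(context, FALSE);`, a resume that fails and returns now falls through silently, and the caller goes on to pass the already-modified context (Rip advanced by 3, CR3 already written) to g_RtlDispatchException. Previously the breakpoint made that path visible; now nothing records it. If g_ZwContinue is typed to return NTSTATUS, suggest `const NTSTATUS status = g_ZwContinue(context, FALSE); NT_ASSERT(NT_SUCCESS(status));` or at least a comment `// ZwContinue does not return on success; reaching here means the resume failed` so the fall-through is deliberate.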
@@ -49,13 +42,22 @@ DECLSPEC_NOINLINE VOID HookFindRecord(VOID)
 CONTEXT current;
 RtlCaptureContext(¤t);
- CONTEXT frames[10] = { 0 };
+ UNWIND_HISTORY_TABLE historyTable = { 0 };
+
+ PCONTEXT frames = (PCONTEXT)ExAllocatePool2(POOL_FLAG_NON_PAGED, sizeof(CONTEXT) * 10, 'dGkH');
+ if (!frames)
+ {
+ return;
+ }
+
 for (ULONG frame = 0; frame < 10; frame++)
 {
 ULONG64 imageBase;
- const PRUNTIME_FUNCTION runtimeFunction = RtlLookupFunctionEntry(current.Rip, &imageBase, NULL);
+ const PRUNTIME_FUNCTION runtimeFunction = RtlLookupFunctionEntry(current.Rip, &imageBase, &historyTable);
 if (!runtimeFunction)
+ {
 break;
+ }
 PVOID handlerData;
 ULONG64 establisherFrame;
@@ -71,22 +73,17 @@ DECLSPEC_NOINLINE VOID HookFindRecord(VOID)
 &nvContext);
 if (!current.Rip)
+ {
 break;
+ }
 frames[frame] = current;
 if (!(current.Rip >= g_KdTrap && current.Rip < g_KdTrap + 0x50))
+ {
 continue;
+ }
- /*
- * 0: HookGuard!HookEntry+0x2d
- * 1: nt!KeStallExecutionProcessor+0x9b
- * 2: nt!KeFreezeExecution+0x110
- * 3: nt!KdEnterDebugger+0x6d
- * 4: nt!KdpReport+0x74
- * 5: nt!KdpTrap+0x160
- * 6: nt!KdTrap+0x2d
- */
 const ULONG64 originalIrql = *(ULONG64*)(frames[2].Rsp + sizeof(ULONG64) * 1);
 _enable();
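Review bot: The buffer from `PCONTEXT frames = (PCONTEXT)ExAllocatePool2(POOL_FLAG_NON_PAGED, sizeof(CONTEXT) * 10, 'dGkH');` is released only by the `ExFreePool(frames)` added at the end of the function in the -95,17 hunk, yet the match path inside the loop calls HookHandlePrivilegedInstruction, which ends in g_ZwContinue; if that resumes the interrupted context and never returns, the allocation leaks on every resolved fault, a cost the former stack array did not have. Consider copying what the match path needs out of `frames` and freeing it before dispatching, or keeping the array on the stack. This code also runs from the trap-dispatch path whose IRQL is only recovered later from `frames[2].Rsp` and where `_enable()` is needed to re-enable interrupts, so ExAllocatePool2 may be reached above DISPATCH_LEVEL — worth confirming the IRQL at which HookEntry is invoked. `10` is now spelled twice (`sizeof(CONTEXT) * 10` and `frame < 10`); a named constant would keep them in step. HookFindRecord begins before this hunk.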
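Review bot: Dropping the frame-layout comment leaves `const ULONG64 originalIrql = *(ULONG64*)(frames[2].Rsp + sizeof(ULONG64) * 1);` with an unexplained index and slot offset, and the whole read is build-specific. Suggest restoring it above that line, marked as such: `// Expected unwind (build-specific): 0 HookEntry, 1 KeStallExecutionProcessor, 2 KeFreezeExecution, 3 KdEnterDebugger, 4 KdpReport, 5 KdpTrap, 6 KdTrap; IRQL read from the slot above frames[2].Rsp`. If fewer than three frames were walked before the g_KdTrap range matched, frames[2] is still the zeroed allocation and this dereferences near address 8, so a `frame < 2` guard before the read would be cheap. The enclosing loop and function extend beyond the hunk.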
@@ -95,17 +92,16 @@ DECLSPEC_NOINLINE VOID HookFindRecord(VOID)
 const PEXCEPTION_RECORD exceptionRecord = *(PEXCEPTION_RECORD*)current.Rsp;
 const PCONTEXT exceptionContext = *(PCONTEXT*)(current.Rsp + sizeof(ULONG64) * 10);
- KdpPrint("Handling exception with code 0x%p, flags 0x%lx, RIP 0x%p, IRQL %lu\n", exceptionRecord->ExceptionCode, exceptionRecord->ExceptionFlags, exceptionContext->Rip, originalIrql);
-
 if (exceptionRecord->ExceptionCode == STATUS_PRIVILEGED_INSTRUCTION)
+ {
 HookHandlePrivilegedInstruction(exceptionRecord, exceptionContext);
-
- if (exceptionRecord->ExceptionCode == STATUS_BREAKPOINT)
- HookBreakpoint();
+ }
 g_RtlDispatchException(exceptionRecord, exceptionContext);
 break;
 }
+
+ ExFreePool(frames);
 }
 DECLSPEC_NOINLINE ULONG64 HookEntry(ULONG64 arg1, ULONG64 arg2, ULONG64 arg3, ULONG64 arg4)
@@ -113,4 +109,4 @@ DECLSPEC_NOINLINE ULONG64 HookEntry(ULONG64 arg1, ULONG64 arg2, ULONG64 arg3, UL
 InterlockedIncrement64(&g_TotalCalls);
 HookFindRecord();
 return ((ULONG64(*)(ULONG64, ULONG64, ULONG64, ULONG64))(g_OriginalHandler))(arg1, arg2, arg3, arg4);
-}
\ No newline at end of file
+}
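Review bot: `ExFreePool(frames);` releases an allocation that was made with a tag, so the matching call is `ExFreePoolWithTag(frames, 'dGkH');`, which lets Driver Verifier and pool-tag tracking pair the free with the ExAllocatePool2 in the -49,13 hunk. The free is reached on the no-match and lookup-failure exits of the loop, and the resume path that bypasses it is raised on that earlier hunk. HookFindRecord begins before this hunk.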