首页
论坛
课程
招聘
[求助]写CR3寄存器蓝屏问题
2022-7-22 13:12 3677

[求助]写CR3寄存器蓝屏问题

2022-7-22 13:12
3677

本来是直接在驱动力改写cr3,但是蓝的很难看。
然后我尝试用KeStackAttachProcess附加到进程
但是还是蓝了,Windbg显示还是在mov cr3的地方爆了
0xc0000096错误,这是代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
VOID EnumModule(PEPROCESS Process, UNICODE_STRING name, unsigned __int64* ret)
{
    //VMProtectBegin("ENUM");
    ULONG64 Peb = 0;
    ULONG64 Ldr = 0;
    PLIST_ENTRY ModListHead = 0;
    PLIST_ENTRY Module = 0;
    ANSI_STRING AnsiString;
    KAPC_STATE ks;
    if (!MmIsAddressValid(Process))
        return;
    Peb = PsGetProcessPeb(Process);
    if (!Peb)
        return;
    KAPC_STATE ApcState;
    ULONG64 pDTB = 0, OldCr3 = 0, vAddr = 0;
    pDTB = Get64bitValue((UCHAR*)Process + DIRECTORY_TABLE_BASE);
    if (pDTB == 0)
    {
        //DbgPrint("[x64Drv] Can not get PDT");
        return;
    }
    _disable();
    OldCr3 = __readcr3();
    __writecr3(pDTB);
    _enable();
        Ldr = Peb + (ULONG64)LdrInPebOffset;
        if (!MmIsAddressValid((PULONG64)Ldr + ModListInPebOffset)) goto skip;
        ModListHead = (PLIST_ENTRY)(*(PULONG64)Ldr + ModListInPebOffset);
        Module = ModListHead->Flink;
        while (ModListHead != Module)
        {
            DbgPrint("[x64Drv] %wZ\n", &(((PLDR_DATA_TABLE_ENTRY)Module)->BaseDllName));
            if (RtlCompareUnicodeString(&name, &(((PLDR_DATA_TABLE_ENTRY)Module)->BaseDllName), TRUE) == 0) {
 
                *(ret) = (PVOID)(((PLDR_DATA_TABLE_ENTRY)Module)->DllBase);
                break;
            }
            Module = Module->Flink;
            if (!MmIsAddressValid(Module)) goto skip;
        }
    skip:;
    _disable();
    __writecr3(OldCr3);
    _enable();
    //VMProtectEnd();
}

附件是dmp文件


[2022冬季班]《安卓高级研修班(网课)》月薪三万班招生中~

上传的附件:
收藏
点赞0
打赏
分享
最新回复 (1)
雪    币: 24
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
DreamForest 活跃值 2022-7-22 15:47
2
0
有大佬能帮忙看一下么求求了
游客
登录 | 注册 方可回帖
返回