Во время перехвата возникает BSOD. WinDBG: Код (Text): MODULE_NAME: HookSDT FAULTING_MODULE: 804d7000 nt DEBUG_FLR_IMAGE_TIMESTAMP: 458831c6 WRITE_ADDRESS: unable to get nt!MmSpecialPoolStart unable to get nt!MmSpecialPoolEnd unable to get nt!MmPoolCodeStart unable to get nt!MmPoolCodeEnd ffffffe8 FAULTING_IP: nt+2079 804d9079 0fc101 xadd [ecx],eax MM_INTERNAL_CODE: 0 CUSTOMER_CRASH_COUNT: 1 DEFAULT_BUCKET_ID: DRIVER_FAULT BUGCHECK_STR: 0x50 LAST_CONTROL_TRANSFER: from f3f25180 to 804d9079 STACK_TEXT: WARNING: Stack unwind information not available. Following frames may be wrong. b26d0c60 f3f25180 00000000 b26d0d54 f3f25303 nt+0x2079 b26d0c6c f3f25303 00000000 b26d0c7c 00000020 HookSDT+0x1180 b26d0d54 804de7ec 00000000 00000000 0012ff7c HookSDT+0x1303 b26d0d64 7c90eb94 badb0d00 0012fe88 b2d2bd98 nt+0x77ec b26d0d68 badb0d00 0012fe88 b2d2bd98 b2d2bdcc 0x7c90eb94 b26d0d6c 0012fe88 b2d2bd98 b2d2bdcc 00000000 0xbadb0d00 b26d0d70 b2d2bd98 b2d2bdcc 00000000 00000000 0x12fe88 b26d0d74 b2d2bdcc 00000000 00000000 00000000 0xb2d2bd98 b26d0d78 00000000 00000000 00000000 00000000 0xb2d2bdcc STACK_COMMAND: kb FOLLOWUP_IP: HookSDT+1180 f3f25180 ?? ??? FAULTING_SOURCE_CODE: SYMBOL_STACK_INDEX: 1 FOLLOWUP_NAME: MachineOwner SYMBOL_NAME: HookSDT+1180 IMAGE_NAME: HookSDT.sys BUCKET_ID: WRONG_SYMBOLS Followup: MachineOwner --------- kd> r eax=ffffffff ebx=00000000 ecx=ffffffe8 edx=b26d0c7c esi=0012fe90 edi=ffffffe8 eip=804d9079 esp=b26d0c4c ebp=b26d0c60 iopl=0 nv up ei pl zr na po nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246 nt+0x2079: 804d9079 0fc101 xadd [ecx],eax ds:0023:ffffffe8=???????? Видно, что адрес не из моего кода :\ Код: Код (Text): void GetProcessNameByPointer(PVOID pProcess, char *pszName){ if (!pProcess){ pszName[0] = ' '; pszName[1] = 0; return; } strncpy(pszName, (PCHAR)pProcess + dwProcessNameOffset, 16); pszName[16] = 0; } void GetProcessNameByHandle(HANDLE hProcess, char *pszName){ PVOID pProc; ObReferenceObjectByHandle(hProcess, 0, 0, KernelMode, &pProc, NULL); GetProcessNameByPointer(pProc, pszName); ObDereferenceObject(pProc); } void WriteToLog(char *pszTarget, char *pszTerminator){ UNICODE_STRING usFile; OBJECT_ATTRIBUTES oaFile; IO_STATUS_BLOCK iosb; HANDLE hFile; ULONG OutLen; char Out[300]; RtlInitUnicodeString(&usFile, L"\\??\\C:\\log.txt"); InitializeObjectAttributes(&oaFile, &usFile, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL); ZwCreateFile(&hFile, FILE_APPEND_DATA | SYNCHRONIZE, &oaFile, &iosb, NULL, 0, 0, FILE_OPEN_IF, FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE, NULL, 0); OutLen = _snprintf(Out, 300, "%s terminate %s\r\n", pszTerminator, pszTarget); ZwWriteFile(hFile, 0, NULL, NULL, &iosb, Out, OutLen, NULL, NULL); ZwClose(hFile); } NTSTATUS NewNtTerminateProcess(HANDLE ProcessHandle, NTSTATUS ExitStatus){ NTSTATUS ns; char ProcName[100], Terminator[100]; IoAcquireRemoveLock(PREMOVE_LOCK, NULL); GetProcessNameByHandle(ProcessHandle, ProcName); GetProcessNameByPointer(PsGetCurrentProcess(), Terminator); WriteToLog(ProcName, Terminator); ns = ((NTTERMINATEPROCESS)NtTerminateProcess_Old)(ProcessHandle, ExitStatus); IoReleaseRemoveLock(PREMOVE_LOCK, NULL); return ns; }
Код (Text): program exmpl; uses Windows, DriverControl; var hDrv: THandle; br: DWORD; SI: TStartupInfo; PI: _PROCESS_INFORMATION; begin hDrv := AddDriver('HookSDT.sys', 'HookSDT', true); if hDrv <> DWORD(-1) then begin DeviceIoControl(hDrv, $08000004, nil, 0, nil, 0, br, nil); ZeroMemory(@SI, sizeof(SI)); SI.cb := sizeof(SI); CreateProcess(nil, 'notepad', nil, nil, false, 0, nil, nil, SI, PI); TerminateProcess(PI.hProcess, 0); CloseHandle(hDrv); // DeleteDriver(hDrv); end; Sleep(2000); end. BSOD появляется после завершения самой программы.
