1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
|
VOID
NTAPI
DbgkCreateThread(IN PETHREAD Thread,
IN PVOID StartAddress)
{
PEPROCESS Process = PsGetCurrentProcess();
ULONG ProcessFlags;
IMAGE_INFO ImageInfo;
PIMAGE_NT_HEADERS NtHeader;
POBJECT_NAME_INFORMATION ModuleName;
UNICODE_STRING NtDllName;
NTSTATUS Status;
PVOID DebugPort;
DBGKM_MSG ApiMessage;
PDBGKM_CREATE_THREAD CreateThread = &ApiMessage.CreateThread;
PDBGKM_CREATE_PROCESS CreateProcess = &ApiMessage.CreateProcess;
PDBGKM_LOAD_DLL LoadDll = &ApiMessage.LoadDll;
OBJECT_ATTRIBUTES ObjectAttributes;
IO_STATUS_BLOCK IoStatusBlock;
PTEB Teb;
PAGED_CODE();
/* Sanity check */
ASSERT(Thread == PsGetCurrentThread());
//
// 获取是否要调用LoadImageNotifyRoutines标记
//
ProcessFlags = PspSetProcessFlag(Process,
PSF_CREATE_REPORTED_BIT |
PSF_IMAGE_NOTIFY_DONE_BIT);
//
// 如果进程标记中有设置PSF_IMAGE_NOTIFY_DONE_BIT 并且系统中开启了LoadImageNotifyRoutines服务
// 这个if 和调试没有关系, 不管.
//
if (!(ProcessFlags & PSF_IMAGE_NOTIFY_DONE_BIT) && (PsImageNotifyEnabled))
{
/* It hasn't.. set up the image info for the process */
ImageInfo.Properties = 0;
ImageInfo.ImageAddressingMode = IMAGE_ADDRESSING_MODE_32BIT;
ImageInfo.ImageBase = Process->SectionBaseAddress;
ImageInfo.ImageSize = 0;
ImageInfo.ImageSelector = 0;
ImageInfo.ImageSectionNumber = 0;
/* Get the NT Headers */
NtHeader = RtlImageNtHeader(Process->SectionBaseAddress);
if (NtHeader)
{
/* Set image size */
ImageInfo.ImageSize = NtHeader->OptionalHeader.SizeOfImage;
}
/* Get the image name */
Status = MmGetFileNameForSection(Process->SectionObject, &ModuleName);
if (NT_SUCCESS(Status))
{
/* Call the notify routines and free the name */
PspRunLoadImageNotifyRoutines(&ModuleName->Name,
Process->UniqueProcessId,
&ImageInfo);
ExFreePool(ModuleName);
}
else
{
/* Call the notify routines */
PspRunLoadImageNotifyRoutines(NULL,
Process->UniqueProcessId,
&ImageInfo);
}
/* Setup the info for ntdll.dll */
ImageInfo.Properties = 0;
ImageInfo.ImageAddressingMode = IMAGE_ADDRESSING_MODE_32BIT;
ImageInfo.ImageBase = PspSystemDllBase;
ImageInfo.ImageSize = 0;
ImageInfo.ImageSelector = 0;
ImageInfo.ImageSectionNumber = 0;
/* Get the NT Headers */
NtHeader = RtlImageNtHeader(PspSystemDllBase);
if (NtHeader)
{
/* Set image size */
ImageInfo.ImageSize = NtHeader->OptionalHeader.SizeOfImage;
}
/* Call the notify routines */
RtlInitUnicodeString(&NtDllName,
L"\\\\SystemRoot\\\\System32\\\\ntdll.dll");
PspRunLoadImageNotifyRoutines(&NtDllName,
Process->UniqueProcessId,
&ImageInfo);
}
//
// 这里才真的关于调试部分的代码
//
DebugPort = Process->DebugPort;
if (!DebugPort) return;
//
// 如果调试设置了创建进程通知消息
//
if (!(ProcessFlags & PSF_CREATE_REPORTED_BIT))
{
//
// CreateProcess 是R0这边传递调试消息的主要结构. 既然是创建进程
// 那么线程当然都是空了
//
CreateProcess->InitialThread.SubSystemKey = 0;
CreateProcess->InitialThread.StartAddress = NULL;
//
// 填写新进程的句柄
//
CreateProcess->SubSystemKey = 0;
CreateProcess->FileHandle = DbgkpSectionToFileHandle(Process->
SectionObject);
//
// 其他一些信息
//
CreateProcess->BaseOfImage = Process->SectionBaseAddress;
CreateProcess->DebugInfoFileOffset = 0;
CreateProcess->DebugInfoSize = 0;
//
// 这些信息其实也不重要, 程序入口, 符号表的地址和数量
//
NtHeader = RtlImageNtHeader(Process->SectionBaseAddress);
if (NtHeader)
{
//
// 根据PE信息获取入口
//
CreateProcess->InitialThread.StartAddress =
(PVOID)((ULONG_PTR)NtHeader->OptionalHeader.ImageBase +
NtHeader->OptionalHeader.AddressOfEntryPoint);
//
// 获取调试信息表地址
//
CreateProcess->DebugInfoFileOffset = NtHeader->FileHeader.
PointerToSymbolTable;
//
// 获取调试信息的数量
//
CreateProcess->DebugInfoSize = NtHeader->FileHeader.
NumberOfSymbols;
}
// 这边开始设置
ApiMessage.h.u1.Length = sizeof(DBGKM_MSG) << 16 |
(8 + sizeof(DBGKM_CREATE_PROCESS));
ApiMessage.h.u2.ZeroInit = 0;
ApiMessage.h.u2.s2.Type = LPC_DEBUG_EVENT;
ApiMessage.ApiNumber = DbgKmCreateProcessApi;
//
// 这个函数是内核里面分发调试消息的主要函数了, 后面一个参数表示
// 是否要冻结进程的所有线程
//
DbgkpSendApiMessage(&ApiMessage, FALSE);
//
// 内核这边其实会给R3关闭句柄, 所以R3那边其实不用操心的
//
ObCloseHandle(CreateProcess->FileHandle, KernelMode);
//
// 我们看到, 其实创建进程的时候, 默认就会发送nt.dll的LoadDll消息
//
LoadDll->BaseOfDll = PspSystemDllBase;
LoadDll->DebugInfoFileOffset = 0;
LoadDll->DebugInfoSize = 0;
LoadDll->NamePointer = NULL;
//
// 获取nt.dll的调试符号偏移和大小. PspSystemDllBase真神奇
//
NtHeader = RtlImageNtHeader(PspSystemDllBase);
if (NtHeader)
{
/* Fill out debug information */
LoadDll->DebugInfoFileOffset = NtHeader->
FileHeader.PointerToSymbolTable;
LoadDll->DebugInfoSize = NtHeader->FileHeader.NumberOfSymbols;
}
//
// 保存一点nt.dll的信息
//
Teb = Thread->Tcb.Teb;
if (Teb)
{
/* Copy the system library name and link to it */
wcsncpy(Teb->StaticUnicodeBuffer,
L"ntdll.dll",
sizeof(Teb->StaticUnicodeBuffer) / sizeof(WCHAR));
Teb->NtTib.ArbitraryUserPointer = Teb->StaticUnicodeBuffer;
/* Return it in the debug event as well */
LoadDll->NamePointer = &Teb->NtTib.ArbitraryUserPointer;
}
//
// 获取nt.dll的句柄
//
InitializeObjectAttributes(&ObjectAttributes,
&PsNtDllPathName,
OBJ_CASE_INSENSITIVE |
OBJ_KERNEL_HANDLE |
OBJ_FORCE_ACCESS_CHECK,
NULL,
NULL);
Status = ZwOpenFile(&LoadDll->FileHandle,
GENERIC_READ | SYNCHRONIZE,
&ObjectAttributes,
&IoStatusBlock,
FILE_SHARE_DELETE |
FILE_SHARE_READ |
FILE_SHARE_WRITE,
FILE_SYNCHRONOUS_IO_NONALERT);
if (NT_SUCCESS(Status))
{
//
// 句柄也有了. 有酒有肉了. 可以发送DLL加载消息了
//
ApiMessage.h.u1.Length = sizeof(DBGKM_MSG) << 16 |
(8 + sizeof(DBGKM_LOAD_DLL));
ApiMessage.h.u2.ZeroInit = 0;
ApiMessage.h.u2.s2.Type = LPC_DEBUG_EVENT;
ApiMessage.ApiNumber = DbgKmLoadDllApi;
/* Send the message */
DbgkpSendApiMessage(&ApiMessage, TRUE);
//
// 同样的, R3不需要关闭句柄, 以前真是纠结啊.
//
ObCloseHandle(LoadDll->FileHandle, KernelMode);
}
}
else
{
//
// 如果不是首次创建进程, 那么也好办, 直接发送线程创建消息就可以了
//
CreateThread->SubSystemKey = 0;
CreateThread->StartAddress = StartAddress;
/* Setup the API Message */
ApiMessage.h.u1.Length = sizeof(DBGKM_MSG) << 16 |
(8 + sizeof(DBGKM_CREATE_THREAD));
ApiMessage.h.u2.ZeroInit = 0;
ApiMessage.h.u2.s2.Type = LPC_DEBUG_EVENT;
ApiMessage.ApiNumber = DbgKmCreateThreadApi;
/* Send the message */
DbgkpSendApiMessage(&ApiMessage, TRUE);
}
}
NTSTATUS
NTAPI
DbgkpSendApiMessage(IN OUT PDBGKM_MSG ApiMsg,
IN BOOLEAN SuspendProcess)
{
NTSTATUS Status;
BOOLEAN Suspended = FALSE;
PAGED_CODE();
// 看看是否需要挂起整个线程.
if (SuspendProcess)
{
Suspended = DbgkpSuspendProcess();
}
//
// 将调试包设置成忙状态
//
ApiMsg->ReturnedStatus = STATUS_PENDING;
//
// 设置进程的PSF_CREATE_REPORTED_BIT位
//
PspSetProcessFlag(PsGetCurrentProcess(), PSF_CREATE_REPORTED_BIT);
//
// 将调试消息插入队列中
//
Status = DbgkpQueueMessage(PsGetCurrentProcess(),
PsGetCurrentThread(),
ApiMsg,
0,
NULL);
//
// 刷新指令缓存
//
ZwFlushInstructionCache(NtCurrentProcess(), NULL, 0);
//
// 如果挂起了线程, 那么还需要重新恢复线程运行
//
if (Suspended)
{
DbgkpResumeProcess();
}
return Status;
}
NTSTATUS
NTAPI
DbgkpQueueMessage(IN PEPROCESS Process,
IN PETHREAD Thread,
IN PDBGKM_MSG Message,
IN ULONG Flags,
IN PDEBUG_OBJECT TargetObject OPTIONAL)
{
PDEBUG_EVENT DebugEvent;
DEBUG_EVENT LocalDebugEvent;
PDEBUG_OBJECT DebugObject;
NTSTATUS Status;
BOOLEAN NewEvent;
PAGED_CODE();
//
// 检测是否需要分配调试事件句柄, 根据调试, 从来就没有进来过. 忽略
//
NewEvent = (Flags & DEBUG_EVENT_NOWAIT) ? TRUE : FALSE;
if (NewEvent)
{
/* Allocate it */
DebugEvent = ExAllocatePoolWithTag(NonPagedPool,
sizeof(DEBUG_EVENT),
'EgbD');
if (!DebugEvent) return STATUS_INSUFFICIENT_RESOURCES;
/* Set flags */
DebugEvent->Flags = Flags | DEBUG_EVENT_INACTIVE;
/* Reference the thread and process */
ObReferenceObject(Thread);
ObReferenceObject(Process);
/* Set the current thread */
DebugEvent->BackoutThread = PsGetCurrentThread();
/* Set the debug object */
DebugObject = TargetObject;
}
else
{
/* Use the debug event on the stack */
DebugEvent = &LocalDebugEvent;
DebugEvent->Flags = Flags;
//
// 获取调试消息发送自旋锁
//
ExAcquireFastMutex(&DbgkpProcessDebugPortMutex);
// 调试对象
DebugObject = Process->DebugPort;
//
// 这里检测是否要跳过某些消息, 显然是没有什么用的.
//
switch (Message->ApiNumber)
{
/* Process or thread creation */
case DbgKmCreateThreadApi:
case DbgKmCreateProcessApi:
/* Make sure we're not skipping creation messages */
if (Thread->SkipCreationMsg) DebugObject = NULL;
break;
/* Process or thread exit */
case DbgKmExitThreadApi:
case DbgKmExitProcessApi:
/* Make sure we're not skipping exit messages */
if (Thread->SkipTerminationMsg) DebugObject = NULL;
/* No special handling for other messages */
default:
break;
}
}
//
// 初始化调试信息发送完成事件
//
KeInitializeEvent(&DebugEvent->ContinueEvent, SynchronizationEvent, FALSE);
DebugEvent->Process = Process;
DebugEvent->Thread = Thread;
DebugEvent->ApiMsg = *Message;
DebugEvent->ClientId = Thread->Cid;
//
// 检测调试端口是否正常
//
if (!DebugObject)
{
/* Fail */
Status = STATUS_PORT_NOT_SET;
}
else
{
//
// 这是进程内调试对象获取的自旋锁
//
ExAcquireFastMutex(&DebugObject->Mutex);
//
// 检测调试器目前是否激活
//
if (!DebugObject->DebuggerInactive)
{
//
// 插入进程的调试端口事件链表
//
InsertTailList(&DebugObject->EventList, &DebugEvent->EventList);
//
// 事件置位, 这是干什么用的事件呢?
//
if (!NewEvent)
{
/* Signal it */
KeSetEvent(&DebugObject->EventsPresent,
IO_NO_INCREMENT,
FALSE);
}
/* Set success */
Status = STATUS_SUCCESS;
}
else
{
//
// 没有调试
//
Status = STATUS_DEBUGGER_INACTIVE;
}
/* Release the object lock */
ExReleaseFastMutex(&DebugObject->Mutex);
}
/* Check if we had acquired the port lock */
if (!NewEvent)
{
//
// 这里释放快速互斥锁
//
ExReleaseFastMutex(&DbgkpProcessDebugPortMutex);
/* Check if we got here through success */
if (NT_SUCCESS(Status))
{
//
// 等待R3那边过来取消息
//
KeWaitForSingleObject(&DebugEvent->ContinueEvent,
Executive,
KernelMode,
FALSE,
NULL);
/* Copy API Message back */
*Message = DebugEvent->ApiMsg;
/* Set return status */
Status = DebugEvent->Status;
}
}
else
{
/* Check if we failed */
if (!NT_SUCCESS(Status))
{
/* Dereference the process and thread */
ObDereferenceObject(Thread);
ObDereferenceObject(Process);
/* Free the debug event */
ExFreePool(DebugEvent);
}
}
return Status;
}
|
