Any doc/website about software interrupts?


Xiang Shifu

I have hooked the 0xCC interrupt (int 3), but now how do I get the interrupted
thread's info, such as EIP, thread ID and process ID? From the stack?

any doc/website about this?

OS: XP, SP1 DDK.
 

Gary G. Little

Do you have the DDK, and have you done any study of it at all? The
functionality you want is available but certainly not at DIRQL, and would
most likely be meaningless to an interrupt service routine.
 

Xiang Shifu

This is my source code!

I am trying to write a small debugger with int 3, but I don't know how to get the thread's EIP.


#ifndef __HOOK_H
#define __HOOK_H


#pragma once

#include <ntddk.h>

/* Win32-style fixed-width aliases, defined as macros rather than typedefs
   (MSVC __intN types; ntddk.h does not provide these names). */
#define DWORD unsigned __int32
#define WORD unsigned __int16
#define BYTE unsigned __int8
#define BOOL __int32

/* Split a 32-bit value into its 16-bit halves, or a 16-bit value into bytes. */
#define LOWORD(l) ((WORD)(l))
#define HIWORD(l) ((WORD)(((DWORD)(l) >> 16) & 0xFFFF))
#define LOBYTE(w) ((BYTE)(w))
#define HIBYTE(w) ((BYTE)(((WORD)(w) >> 8) & 0xFF))

/* Join two 16-bit halves (a = low word, b = high word) into one 32-bit value.
   Used below to rebuild the IDT base from the SIDT image and a gate's handler
   offset from its split OffsetLow/OffsetHigh fields. Note the result type is
   the signed LONG; callers cast it to a pointer or store it in a DWORD. */
#define MAKELONG(a, b) ((LONG) (((WORD) (a)) | ((DWORD) ((WORD) (b))) << 16))

#pragma pack(1)

/* Memory image written by the SIDT instruction: a 16-bit limit followed by
   the 32-bit linear base of the IDT. The base is split into two WORDs here
   and reassembled with MAKELONG by the hook install/uninstall code.
   Packed to 6 bytes by the surrounding #pragma pack(1). */
typedef struct tagIDTR {
WORD IDTLimit;
WORD LowIDTbase;
WORD HiIDTbase;
}IDTR, *PIDTR;


/* One 8-byte 32-bit IDT gate descriptor. Packed (pragma pack(1) above) so the
   fields line up with the hardware layout. The handler's linear offset is
   split across OffsetLow (bytes 0-1) and OffsetHigh (bytes 6-7), which is why
   the hook code patches [ebx] and [ebx+6] and leaves the middle bytes
   (selector, type bits, DPL, present) exactly as the OS set them. The low
   5 bits of the attribute byte are kept as an opaque field. */
typedef struct tagIDTENTRY{
WORD OffsetLow;
WORD selector;
BYTE unused_lo;
unsigned char unused_hi:5;
unsigned char DPL:2;
unsigned char P:1;
WORD OffsetHigh;
} IDTENTRY, *PIDTENTRY;
#pragma pack()

/* Redirect IDT vector 3 (int 3 / opcode 0xCC) of the calling processor to
   NewIntCCService, remembering the previous handler in OldIntCCService so the
   hook can chain to it. */
VOID
InstallHookIntCC();

/* Write the handler saved by InstallHookIntCC back into IDT vector 3 of the
   calling processor. */
VOID
UnInstallHookIntCC();



#endif













#include "hook.h"
#include "debug.h"


/* IDT vector patched by this driver: 3 = breakpoint, raised by the int 3
   (0xCC) opcode. */
#define XCCCALL 0x03

/* Linear address of the handler that owned vector 3 before InstallHookIntCC
   ran. NewIntCCService tail-jumps through it and UnInstallHookIntCC writes it
   back. Zero until a hook has been installed (file-scope globals are
   zero-initialised). */
DWORD OldIntCCService;

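/*
 * C-level body of the int 3 hook, called from NewIntCCService after it has
 * saved the general registers and loaded the kernel FS selector.
 *
 * Logs the process and thread ids of the context that executed int 3 (both
 * are read through the per-processor block that FS now points at).
 *
 * It takes no parameters, so it cannot see the interrupted EIP: that value
 * lives in the CPU-pushed trap frame (EIP, CS, EFLAGS; SS:ESP as well when
 * the break came from ring 3), which sits underneath the registers
 * NewIntCCService pushed. To report it, the naked stub would have to hand
 * this routine its stack pointer (for __fastcall, in ECX) and this routine
 * would index past the pushad/pushfd/segment saves to reach the frame.
 *
 * NOTE(review): this code runs straight off the IDT, before the OS trap
 * handler, so the IRQL recorded for the processor is whatever the interrupted
 * code had, and int 3 may have come from user mode. Whether printing from
 * here is safe, and what the HIGH_LEVEL bracket around the second print is
 * meant to achieve, should be confirmed against the DDK documentation.
 */
VOID __fastcall IntXCCCall()
{
    KIRQL OldIrql;
    DWORD ThreadId;
    DWORD ProcessId;

    ProcessId = (DWORD)PsGetCurrentProcessId();
    ThreadId = (DWORD)PsGetCurrentThreadId();

    /* DWORD is unsigned, so %u rather than %d. ThreadId was previously
       computed but never emitted; it is now printed alongside the pid. */
    InterruptDrv_KDPRINT((" ProcessID: %u ThreadID: %u \n", ProcessId, ThreadId));

    /* Raised to HIGH_LEVEL around this print as in the original; the reason
       is not evident from the code - TODO confirm whether it is needed. */
    KeRaiseIrql(HIGH_LEVEL, &OldIrql);

    InterruptDrv_KDPRINT(("int 0xcc happen \n"));

    KeLowerIrql(OldIrql);
}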

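/*
 * Raw IDT entry point for vector 3 (int 3). Declared naked, so the compiler
 * emits no prologue/epilogue and the CPU-pushed trap frame (EIP, CS, EFLAGS;
 * SS:ESP too when the break came from ring 3) is still at [esp] on entry.
 *
 * Saves the general registers, flags and segment registers, switches FS to
 * the kernel's per-processor segment so PsGetCurrentProcessId /
 * PsGetCurrentThreadId work inside IntXCCCall, then restores everything and
 * chains to the handler that owned the vector before the hook. Nothing is
 * removed from or added to the trap frame, so the original handler sees it
 * exactly as the CPU built it.
 *
 * The original declaration had no return type (implicit int, which C99
 * removed); the function never returns via ret, so VOID is the honest type.
 */
__declspec(naked) VOID NewIntCCService()
{
    __asm
    {
        pushad                      // EAX..EDI
        pushfd                      // EFLAGS (restored by popfd below)
        push fs
        mov bx,0x30                 // 0x30: kernel PCR selector on 32-bit XP (KGDT_R0_PCR) - confirm for the target build
        mov fs,bx
        push ds
        push es

        sti                         // run the C body with interrupts enabled
        call IntXCCCall             // no arguments: the trap frame (and so EIP) is not passed - see IntXCCCall
        cli                         // note: popfd below reloads IF from the saved flags, overriding this

        pop es
        pop ds
        pop fs
        popfd
        popad

        jmp OldIntCCService         // indirect through the saved original handler address
    }
}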

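/*
 * Point IDT vector 3 of the current processor at NewIntCCService.
 *
 * Reads the IDT base with SIDT, records the handler currently installed in
 * entry 3 (NewIntCCService chains to it and UnInstallHookIntCC restores it),
 * then rewrites only the two offset halves of the gate with interrupts
 * masked. Selector, type, DPL and present bits are left as the OS set them.
 *
 * Refuses to run twice: a second call would overwrite OldIntCCService with
 * the address of NewIntCCService itself, after which the hook would chain to
 * itself on every int 3 and the original handler could never be restored.
 *
 * NOTE(review): SIDT/LIDT act on the executing processor only. Windows keeps
 * a separate IDT per processor, so on a multiprocessor system the other CPUs
 * stay unhooked unless this runs on each of them - confirm for the target
 * configuration.
 */
VOID InstallHookIntCC()
{
    IDTR idtr;
    PIDTENTRY OIdt;
    PIDTENTRY NIdt;

    /* Already installed: do not clobber the saved original handler. */
    if (OldIntCCService != 0) {
        return;
    }

    __asm
    {
        sidt idtr
    }

    /* Linear base of the IDT, reassembled from the two halves SIDT stored. */
    OIdt = (PIDTENTRY)MAKELONG(idtr.LowIDTbase,idtr.HiIDTbase);

    /* Save the handler that currently owns vector 3 before patching. */
    OldIntCCService = MAKELONG(OIdt[XCCCALL].OffsetLow,OIdt[XCCCALL].OffsetHigh);

    NIdt = &(OIdt[XCCCALL]);

    __asm
    {
        cli
        lea eax,NewIntCCService     // address of the hook routine (a function, so lea is correct here)
        mov ebx, NIdt
        mov [ebx],ax                // OffsetLow  (gate bytes 0-1)
        shr eax,16
        mov [ebx+6],ax              // OffsetHigh (gate bytes 6-7)
        lidt idtr                   // reload the (unchanged) IDTR
        sti
    }
}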

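/*
 * Restore the vector-3 handler saved by InstallHookIntCC on the current
 * processor, then forget it so a later InstallHookIntCC starts clean.
 *
 * Bug fixed here: the original used `lea eax,OldIntCCService`, which loads
 * the ADDRESS of the OldIntCCService variable rather than the handler address
 * stored in it, so after uninstall vector 3 pointed at a data word in the
 * driver image. `mov eax,OldIntCCService` reads the saved value. (The `lea`
 * in InstallHookIntCC is correct because NewIntCCService is a function.)
 *
 * Does nothing if no handler was saved (OldIntCCService == 0); writing a zero
 * offset into the gate would send every int 3 to linear address 0.
 *
 * NOTE(review): like the install side, this touches only the IDT of the
 * processor it runs on - confirm it runs where the hook was installed.
 */
VOID UnInstallHookIntCC()
{
    IDTR idtr;
    PIDTENTRY OIdt;
    PIDTENTRY NIdt;

    if (OldIntCCService == 0) {
        return;
    }

    __asm
    {
        sidt idtr
    }

    OIdt = (PIDTENTRY)MAKELONG(idtr.LowIDTbase,idtr.HiIDTbase);

    NIdt = &(OIdt[XCCCALL]);

    __asm
    {
        cli
        mov eax, OldIntCCService    // VALUE of the saved handler address (lea would give the variable's own address)
        mov ebx, NIdt
        mov [ebx],ax                // OffsetLow  (gate bytes 0-1)
        shr eax,16
        mov [ebx+6],ax              // OffsetHigh (gate bytes 6-7)
        lidt idtr
        sti
    }

    /* Hook removed; clear the saved value so the next install records a fresh original. */
    OldIntCCService = 0;
}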
 
