any doc/website about soft interrupt?


Xiang Shifu

I have hooked the 0xCC interrupt (int 3), but now how do I get the interrupted
thread's info, such as its EIP, thread ID and process ID? From the stack?

any doc/website about this?

OS: XP, SP1 DDK.
 
Do you have the DDK, and have you done any study of it at all? The
functionality you want is available but certainly not at DIRQL, and would
most likely be meaningless to an interrupt service routine.
 
This is my source code!

I am trying to write a small debugger with int 3, but I don't know how to get the thread's EIP!?


#ifndef __HOOK_H
#define __HOOK_H


#pragma once

#include <ntddk.h>

/* Local stand-ins for the Win32 integer types (presumably because ntddk.h
 * does not provide DWORD/WORD/BYTE/BOOL).  Note these are macros, not
 * typedefs, so they give no type checking; the fixed-width MSVC types
 * keep the packed structures below at their intended sizes. */
#define DWORD unsigned __int32
#define WORD unsigned __int16
#define BYTE unsigned __int8
#define BOOL __int32

/* Half-word / byte extraction helpers with the same contract as the
 * Win32 macros of the same name. */
#define LOWORD(l) ((WORD)(l))
#define HIWORD(l) ((WORD)(((DWORD)(l) >> 16) & 0xFFFF))
#define LOBYTE(w) ((BYTE)(w))
#define HIBYTE(w) ((BYTE)(((WORD)(w) >> 8) & 0xFF))

/* Joins two 16-bit halves into one 32-bit value: a = low half, b = high
 * half (the shift binds tighter than the OR).  Used by the hook code to
 * rebuild a linear address from the split fields of IDTR and of an IDT
 * gate.  The result is a signed LONG, so callers cast it to a pointer or
 * to DWORD themselves. */
#define MAKELONG(a, b) ((LONG) (((WORD) (a)) | ((DWORD) ((WORD) (b))) << 16))

#pragma pack(1)

/* Memory image of the IDTR as written by `sidt` (see InstallHookIntCC):
 * a 16-bit limit followed by a 32-bit linear base address.  The base is
 * kept as two WORDs here and reassembled with MAKELONG by the callers.
 * Relies on the enclosing #pragma pack(1): the struct must be exactly
 * 6 bytes with no padding, or `sidt` writes past the limit field. */
typedef struct tagIDTR {
WORD IDTLimit;                          /* IDT limit (table size in bytes - 1) */
WORD LowIDTbase;                        /* IDT linear base, bits 0..15 */
WORD HiIDTbase;                         /* IDT linear base, bits 16..31 */
}IDTR, *PIDTR;


/* One 8-byte 32-bit IDT gate descriptor.  The handler address is split:
 * bits 0..15 live in OffsetLow (byte offset 0) and bits 16..31 in
 * OffsetHigh (byte offset 6) -- exactly the two spots the install/uninstall
 * asm writes through [ebx] and [ebx+6].  The selector, type and DPL fields
 * are never touched by this driver; the DPL in particular is left as the
 * OS set it, so if it admits ring 3 a user-mode `int 3` also lands in the
 * hook. */
typedef struct tagIDTENTRY{
WORD OffsetLow;                         /* handler offset, bits 0..15 */
WORD selector;                          /* code segment selector loaded on dispatch */
BYTE unused_lo;                         /* reserved byte */
unsigned char unused_hi:5;              /* gate type bits; not interpreted here */
unsigned char DPL:2;                    /* lowest privilege that may `int N` into this gate */
unsigned char P:1;                      /* present bit */
WORD OffsetHigh;                        /* handler offset, bits 16..31 */
} IDTENTRY, *PIDTENTRY;
#pragma pack()

/* Redirects IDT vector 3 (int 3 / 0xCC) of the processor it runs on to
 * NewIntCCService, saving the previous handler address in OldIntCCService. */
VOID
InstallHookIntCC();

/* Writes whatever OldIntCCService holds back into IDT vector 3.  Only
 * meaningful after InstallHookIntCC has run; before that the global is
 * still zero. */
VOID
UnInstallHookIntCC();



#endif













#include "hook.h"
#include "debug.h"


/* IDT vector number of the breakpoint exception (#BP), raised by the
 * one-byte 0xCC `int 3` opcode. */
#define XCCCALL 0x03

/* Linear address of the original vector-3 handler.  Filled in by
 * InstallHookIntCC from the gate's two offset halves and used as the
 * tail-jump target by NewIntCCService.  Zero until the hook is installed. */
DWORD OldIntCCService;

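/*
 * IntXCCCall -- C-level part of the hooked int 3 handler.
 *
 * Called by NewIntCCService after it has saved the interrupted register
 * state and executed `sti`, so interrupts are enabled here and the IRQL is
 * whatever the interrupted code was running at (a trap gate does not raise
 * IRQL).  Takes no arguments: __fastcall with zero parameters, so ECX and
 * EDX are simply ignored.  Logs which process and thread hit the breakpoint.
 *
 * Where the interrupted EIP is (the question asked in this thread): before
 * dispatching through the gate the CPU pushed EFLAGS, CS and EIP (preceded
 * by SS and ESP when the trap came from ring 3; no error code for vector 3).
 * NewIntCCService then pushed pushad (32 bytes), pushfd, fs, ds and es
 * (4 bytes each, 48 in total) and the CALL pushed this function's return
 * address.  So at this function's first instruction the interrupted EIP is
 * at [esp + 52], CS at [esp + 56] and EFLAGS at [esp + 60].  Those offsets
 * hold only while the stub's push sequence is exactly as written, and the
 * compiler's own prologue moves ESP/EBP again, so the value is not read
 * here.  The clean fix is for the stub to pass `lea ecx, [esp + 48]` and
 * for this function to take a pointer to that frame (TODO).
 *
 * If (CS & 3) == 3 the trap came from ring 3 and that EIP is a user-mode
 * address chosen by untrusted code: validate it (ProbeForRead inside
 * __try/__except) before ever dereferencing it from the kernel.
 *
 * Returns nothing.  int 3 can fire at any IRQL, inside the kernel as well
 * as in user mode, so this must not block or touch pageable data.
 */
VOID __fastcall IntXCCCall()
{
DWORD ThreadId;
DWORD ProcessId;

/* Both calls are usable at any IRQL; the HANDLE values fit a DWORD on x86. */
ProcessId = (DWORD)PsGetCurrentProcessId();
ThreadId = (DWORD)PsGetCurrentThreadId();

/* The original raised IRQL to HIGH_LEVEL around the second print.  That is
 * a defect: DbgPrint is documented for IRQL <= DIRQL, and masking every
 * interrupt while writing to the debug port can hang the machine.  Print
 * at the caller's IRQL instead, and also log the thread id, which was
 * previously computed but never used. */
InterruptDrv_KDPRINT((" ProcessID: %d \n",ProcessId));
InterruptDrv_KDPRINT((" ThreadID: %d \n",ThreadId));

InterruptDrv_KDPRINT(("int 0xcc happen \n"));

}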

/*
 * NewIntCCService -- raw IDT vector-3 entry point installed by
 * InstallHookIntCC.  Naked: there is no compiler prologue/epilogue, the asm
 * below is the whole function.  Declared without a return type (implicit
 * int, accepted by MSVC with a warning; VOID would be clearer); it is never
 * called from C, only reached through the gate, and it never returns -- it
 * tail-jumps to the original handler.
 *
 * Stack on entry, as built by the CPU: EFLAGS, CS, EIP (plus SS and ESP
 * above them when the trap came from ring 3); no error code for vector 3.
 * Everything this stub pushes is popped again before the jump, so the
 * original handler sees exactly the frame the CPU built.
 *
 * NOTE(review): `sti` re-enables interrupts even if the interrupted code
 * ran with IF clear (a trap gate keeps the caller's IF).  popfd restores
 * the original IF afterwards, but interrupts are open for the whole of
 * IntXCCCall -- confirm that is acceptable for breakpoints placed in
 * interrupt-disabled kernel code.
 * NOTE(review): ds/es are saved but not reloaded with kernel selectors,
 * only fs is; fine as long as the interrupted ds/es are flat -- verify.
 */
__declspec(naked) NewIntCCService()
{
__asm
{
pushad                                  ; eax,ecx,edx,ebx,esp,ebp,esi,edi -> 32 bytes
pushfd                                  ; keep IF so popfd can undo the sti/cli below
push fs
mov bx,0x30                             ; presumably the kernel per-CPU data selector; bx is free, pushad saved it
mov fs,bx                               ; kernel APIs called from IntXCCCall expect the kernel fs
push ds
push es
                                        ; here: interrupted EIP at [esp+48], CS at [esp+52], EFLAGS at [esp+56]

sti                                     ; interrupts on while the C part runs
call IntXCCCall;                        ; __fastcall, no arguments, no result
cli

pop es
pop ds
pop fs
popfd                                   ; restores the interrupted code's IF
popad

jmp OldIntCCService;                    ; indirect: jmp dword ptr [OldIntCCService] -> original handler
}
}

/*
 * InstallHookIntCC -- point IDT vector 3 of the processor this runs on at
 * NewIntCCService and remember the previous handler in OldIntCCService.
 *
 * Sequence: read the IDTR with sidt, rebuild the table base from its two
 * halves, copy gate 3's two offset halves into OldIntCCService, then
 * overwrite those halves in place with interrupts disabled.
 *
 * NOTE(review): `cli`/`sti` only masks this CPU.  On a machine with more
 * than one processor another CPU can take int 3 between the two 16-bit
 * writes and dispatch through a half-written offset, and since each
 * processor may carry its own IDT only the CPU this ran on is hooked --
 * confirm both points for the target configuration.
 * NOTE(review): the gate is patched in place, so the trailing `lidt idtr`
 * reloads the same base/limit it just read; harmless but unnecessary.
 * Calling this twice stores NewIntCCService's own address in
 * OldIntCCService and the real handler address is lost.
 */
VOID InstallHookIntCC()
{

IDTR idtr;
PIDTENTRY OIdt;
PIDTENTRY NIdt;


__asm
{
sidt idtr;                              ; IDTR (limit + 32-bit base) into the packed 6-byte struct
}


OIdt = (PIDTENTRY)MAKELONG(idtr.LowIDTbase,idtr.HiIDTbase);     /* linear base of the IDT */


OldIntCCService = MAKELONG(OIdt[XCCCALL].OffsetLow,OIdt[XCCCALL].OffsetHigh);  /* current handler of gate 3 */

NIdt = &(OIdt[XCCCALL]);                /* gate being patched */

__asm
{
cli                                     ; no interrupts on this CPU while the gate is half-written
lea eax,NewIntCCService;                ; eax = address of the new handler
mov ebx, NIdt;                          ; ebx = &gate[3]; MSVC preserves ebx around inline asm
mov [ebx],ax;                           ; OffsetLow  = bits 0..15  (byte 0 of the gate)
shr eax,16
mov [ebx+6],ax;                         ; OffsetHigh = bits 16..31 (byte 6 of the gate)
lidt idtr                               ; reloads the unchanged IDTR (see note above)
sti
}

}

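/*
 * UnInstallHookIntCC -- write the handler address saved in OldIntCCService
 * back into IDT vector 3 of the processor this runs on.
 *
 * Mirrors InstallHookIntCC: sidt, rebuild the base, patch the two offset
 * halves of gate 3 in place with interrupts disabled.  Only meaningful
 * after InstallHookIntCC has populated OldIntCCService (zero before that).
 *
 * Bug fixed here: the original used `lea eax, OldIntCCService`.  In MSVC
 * inline asm a C variable name is a memory operand, so `lea` yields the
 * ADDRESS of the global, not its contents; the restored gate therefore
 * pointed into the driver's data section and every later int 3 jumped
 * there instead of to the real handler.  `mov eax, OldIntCCService` loads
 * the saved handler address itself.  (In InstallHookIntCC `lea eax,
 * NewIntCCService` is right, because a function name already denotes the
 * address wanted.)
 *
 * NOTE(review): same caveats as the install: only this CPU's IDT, and no
 * cross-processor protection during the two 16-bit writes.  A thread still
 * inside NewIntCCService when the driver image is unloaded will crash;
 * unloading has to wait for handlers in flight (not handled here).
 */
VOID UnInstallHookIntCC()
{
IDTR idtr;
PIDTENTRY OIdt;
PIDTENTRY NIdt;

__asm
{
sidt idtr;                              ; current IDTR into the packed 6-byte struct
}

OIdt = (PIDTENTRY)MAKELONG(idtr.LowIDTbase,idtr.HiIDTbase);     /* linear base of the IDT */

NIdt = &(OIdt[XCCCALL]);                /* gate 3 */

__asm
{
cli                                     ; no interrupts on this CPU while the gate is half-written
mov eax,OldIntCCService;                ; eax = saved handler address (the value, not &variable)
mov ebx, NIdt;                          ; ebx = &gate[3]; MSVC preserves ebx around inline asm
mov [ebx],ax;                           ; OffsetLow  = bits 0..15
shr eax,16
mov [ebx+6],ax;                         ; OffsetHigh = bits 16..31
lidt idtr                               ; unchanged; kept to mirror the install path
sti
}

}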
 