/********************************************************/
/* ntapi: Native API core library */
/* Copyright (C) 2013--2019 Z. Gilboa */
/* Released under GPLv2 and GPLv3; see COPYING.NTAPI. */
/********************************************************/
#include <psxtypes/psxtypes.h>
#include <ntapi/nt_object.h>
#include <ntapi/nt_debug.h>
#include "ntapi_impl.h"
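/* Failure path shared by __ntapi_tt_debug_break_process once the helper
 * thread exists: kill the (still suspended) thread, release our handle to
 * it, and hand the triggering status back unchanged so callers can simply
 * `return __tt_debug_break_process_fail(...)`.
 *
 * hthread: handle to the helper thread created by tt_create_thread.
 * status:  the NT status that caused the bail-out; returned verbatim.
 *
 * The results of terminate and close are deliberately not checked: the
 * caller's own error is the one worth reporting, and there is nothing
 * further to do with the thread either way. */
static int32_t __tt_debug_break_process_fail(void * hthread, int32_t status)
{
	__ntapi->zw_terminate_thread(
		hthread,status);

	/* the thread is never handed to the caller on a failure path, so
	 * nobody else can close this handle: without this every failed
	 * break-in attempt leaks a thread handle in the calling process */
	__ntapi->zw_close(hthread);

	return status;
}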
/* Stack image planted at the helper thread's initial stack pointer: it is
 * what DbgBreakPoint finds on the stack when it executes its `ret`, so the
 * thread "returns" into zw_terminate_thread with the arguments below.
 * The field order IS the in-memory layout the callee sees -- do not
 * reorder or insert fields. */
struct __dbg_hoppla {
	void * caller;		/* return address: the routine `ret` lands in */
	void * cx;		/* first argument slot for that routine */
	intptr_t dx;		/* second argument slot */
	intptr_t r9;		/* remaining slots, zeroed by the user; presumably
				 * the x64 register home area (their order is
				 * irrelevant while both are 0) -- confirm */
	intptr_t r8;
};
/**
 * Break into a running process the native-API way: create a thread in
 * hprocess whose entry point is ntdll's DbgBreakPoint, with its initial
 * stack forged so that when DbgBreakPoint returns the thread lands in
 * zw_terminate_thread(NT_CURRENT_THREAD_HANDLE, NT_STATUS_BREAKPOINT)
 * and goes away on its own.  The breakpoint trap raised in the target is
 * what an attached debugger observes as the break-in.
 *
 * @param hprocess  target process.  It must grant whatever access
 *                  tt_create_thread and zw_write_virtual_memory require
 *                  (thread creation and VM write) -- this routine rewrites
 *                  another process's memory and a thread context, so the
 *                  caller is expected to hold an appropriately privileged
 *                  handle; verify against the call site.
 * @param hthread   receives the handle of the new thread.  Written only on
 *                  success; the caller is responsible for closing it.
 * @param cid       receives the new thread's client id (thread id and
 *                  process id).  Written only on success.
 * @return NT_STATUS_SUCCESS, or the status of the first failing call.
 *         Once the thread exists every failure path goes through
 *         __tt_debug_break_process_fail, which terminates the (still
 *         suspended or just resumed) thread before the status is returned.
 */
int32_t __stdcall __ntapi_tt_debug_break_process(
	__in void * hprocess,
	__out void ** hthread,
	__out nt_cid * cid)
{
	int32_t status;
	nt_thread_params tparams;
	nt_thread_context context;
	nt_user_stack spinfo;
	struct __dbg_hoppla hoppla;	/* forged frame, see the struct definition */
	uintptr_t sptop;		/* base (highest address) of the new stack */
	uintptr_t spreg;		/* where the frame is written; becomes the SP */
	int32_t (*dbg_break_point)(void *);

	/* interrupt & return: the thread's entry point is ntdll's
	 * DbgBreakPoint, expected to trap and then return into `hoppla`.
	 * NOTE(review): the lookup result is used as a start address
	 * without a NULL check -- a failed export lookup is not reported. */
	dbg_break_point = pe_get_procedure_address(
		pe_get_ntdll_module_handle(),
		"DbgBreakPoint");

	/* thread params: the thread is created suspended so its context
	 * can be patched before it ever runs; a single page (0x1000) of
	 * stack is requested, presumably enough for trap/ret/terminate */
	__ntapi->tt_aligned_block_memset(
		&tparams,0,
		sizeof(tparams));

	__ntapi->tt_aligned_block_memset(
		&spinfo,0,
		sizeof(spinfo));

	tparams.start = dbg_break_point;
	tparams.hprocess = hprocess;
	tparams.stack_size_commit = 0x1000;
	tparams.stack_size_reserve = 0x1000;
	tparams.stack_info = &spinfo;
	tparams.creation_flags = NT_CREATE_SUSPENDED;

	/* nothing to clean up yet, so a plain return is correct here */
	if ((status = __ntapi->tt_create_thread(&tparams)))
		return status;

	/* context: fetch the full register set of the suspended thread
	 * (JUST_EVERYTHING) -- from here on, failures must also tear the
	 * thread down, hence the helper */
	__ntapi->tt_aligned_block_memset(
		&context,0,
		sizeof(context));

	context.uc_context_flags = NT_CONTEXT_JUST_EVERYTHING;

	if ((status = __ntapi->zw_get_context_thread(
			tparams.hthread,
			&context)))
		return __tt_debug_break_process_fail(
			tparams.hthread,
			status);

	/* return address:=)
	 * when DbgBreakPoint returns it pops `caller`, so the thread ends
	 * up in zw_terminate_thread(NT_CURRENT_THREAD_HANDLE,
	 * NT_STATUS_BREAKPOINT) -- cx/dx are that call's two arguments
	 * (same signature the fail helper invokes above); the r8/r9 slots
	 * are just zeroed filler */
	hoppla.caller = __ntapi->zw_terminate_thread;
	hoppla.cx = NT_CURRENT_THREAD_HANDLE;
	hoppla.dx = NT_STATUS_BREAKPOINT;
	hoppla.r8 = 0;
	hoppla.r9 = 0;

	/* the frame is written starting AT the thread's initial stack
	 * pointer; only if fewer than sizeof(hoppla) bytes lie between it
	 * and the stack base is the pointer moved down to make room.
	 * NOTE(review): no alignment fix-up is applied after the decrement;
	 * fine for a trap/ret path as long as nothing alignment-sensitive
	 * runs on this thread -- confirm */
	sptop = (uintptr_t)tparams.stack_info->expandable_stack_base;
	spreg = context.STACK_POINTER_REGISTER;

	if (sptop - spreg < sizeof(hoppla))
		spreg -= sizeof(hoppla);

	/* plant the frame in the target's address space; the trailing 0 is
	 * the optional bytes-written out-parameter, which we do not need */
	if ((status = __ntapi->zw_write_virtual_memory(
			hprocess,
			(void *)spreg,
			(char *)&hoppla,
			sizeof(hoppla),0)))
		return __tt_debug_break_process_fail(
			tparams.hthread,
			status);

	/* (fast call args not needed on x86)
	 * point the thread's SP at the frame; on x86 the arguments travel in
	 * the cx/dx stack slots, whereas on x64 they are presumably expected
	 * in the fast-call argument registers, so preload those as well */
	context.STACK_POINTER_REGISTER = spreg;
	context.FAST_CALL_ARG0 = (uintptr_t)hoppla.cx;
	context.FAST_CALL_ARG1 = hoppla.dx;

	if ((status = __ntapi->zw_set_context_thread(
			tparams.hthread,
			&context)))
		return __tt_debug_break_process_fail(
			tparams.hthread,
			status);

	/* at last... let it run; the 0 is the optional previous-suspend-count
	 * out-parameter */
	if ((status = __ntapi->zw_resume_thread(tparams.hthread,0)))
		return __tt_debug_break_process_fail(
			tparams.hthread,
			status);

	/* yay -- outputs are filled in only on this fully successful path */
	*hthread = tparams.hthread;
	cid->thread_id = tparams.cid.thread_id;
	cid->process_id = tparams.cid.process_id;

	return NT_STATUS_SUCCESS;
}