
JMP 的问题请指点

bobo2185355 发布于 2014-09-16 18:07, 3037 次点击
内联了2段汇编
// Naked stub: __declspec(naked) makes the compiler emit no prologue or
// epilogue, so the function body is exactly the bytes written below and the
// only way out of it is the jmp at the end of the __asm block.
// NOTE(review): the name and the three filler bytes suggest a hook trampoline
// whose leading bytes are rewritten at run time -- confirm against the code
// that initialises it (not shown in this post).
__declspec(naked) VOID EntryHookZone()
{
    __asm
    {
        // Three raw 0x90 bytes (x86 NOP) emitted at the start of the function.
        _emit 0x90
        _emit 0x90
        _emit 0x90
                // Bracketed operand. The disassembly posted below shows the
                // same bracketed form (jmp [EntryHookZone]) assembled as
                // FF 25, an indirect jump that loads its target from memory.
                // That is only correct here if CallEntryRet is a pointer
                // variable holding the address to continue at -- its
                // declaration is not shown; verify.
                jmp [CallEntryRet]

    }
}

// Naked entry routine: no compiler-generated prologue or epilogue, so the
// stack and registers are whatever the elided instructions leave behind when
// the final jmp is reached.
__declspec(naked) VOID EntryProc()
{
         __asm
      {
                // The ".." lines are instructions the poster left out.
                ..
        ..
      // NOTE(review): EntryHookZone is a function, but the brackets make this
      // an indirect jump. The posted disassembly confirms it: FF 25 is
      // "jmp dword ptr [EntryHookZone]", which reads the first four bytes
      // stored at EntryHookZone and uses them as the destination instead of
      // jumping to the function itself. A direct transfer is written without
      // brackets (jmp EntryHookZone).
      // Whether this alone explains the break at EntryProc+0xc cannot be
      // confirmed from the listing; the CC bytes after the jmp are presumably
      // the int 3 padding placed after the function.
      jmp [EntryHookZone]
       }
}

jmp [EntryHookZone] 没有执行,而是直接执行到了后面的 CC(int 3)
f7894166 ff257c2f89f7        jmp     dword ptr [MY_Driver!EntryHookZone (f7892f7c)]
f789416c cc              int     3      //jmp [EntryHookZone];木有执行 而直接到了CC
f789416d cc              int     3
f789416e cc              int     3


FAULTING_IP:
MY_Driver!EntryProc+c
f789416c cc              int     3

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: f789416c (MY_Driver!EntryProc+0x0000000c)
   ExceptionCode: 80000003 (Break instruction exception)
  ExceptionFlags: 00000000
NumberParameters: 3
   Parameter[0]: 00000000
   Parameter[1]: 00000000
   Parameter[2]: 00ccfb40

ERROR_CODE: (NTSTATUS) 0x80000003 - {

EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - <Unable to get error code text>

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  00000000

EXCEPTION_PARAMETER3:  00ccfb40

DEFAULT_BUCKET_ID:  DRIVER_FAULT
1 回复
#2
wp231957 2014-09-17 09:30
貌似挺高深