linden, Master Cheater
Reputation: 0
Joined: 10 Mar 2006, Posts: 319
Posted: Sun Dec 30, 2007 10:29 am, Post subject: Double fault? (Question to DarkByte)
I'm now writing my int1 handler (I hooked it), and I got a DRIVER_IRQL_NOT_LESS_OR_EQUAL BSOD while referencing a usermode address from the handler.
(I was handling single step and disassembling the code pointed to by EIP, but it seems that code was not resident in memory...)
A question that came to me is... Is the paging service available inside an interrupt handler (int 0E inside the int 01 handler...)?
Sorry for such a stupid question...
Dark Byte, Site Admin
Reputation: 471
Joined: 09 May 2003, Posts: 25832, Location: The Netherlands
Posted: Sun Dec 30, 2007 2:07 pm, Post subject:
No, paging isn't available in the int1 handler. Paging is only available at a specific IRQL and lower, but the interrupt handler is at the highest possible IRQL, even beyond paging.
Perhaps you can call specific APIs to get something resident, but in the int1 handler I don't recommend API calls. Best do a DPC for this (never looked into it, since the way int1 is hooked isn't really a compatible way).
Or else, before hooking or setting a breakpoint, get some memory regions marked as non-pageable, or lock them for the duration of the debug session.
Else keep to the usermode address you know is valid: the page of the current EIP, but stay within the page range; don't try to read memory of the next page.
To prevent blue screens related to paging: hook int 0E as well. Whenever your int1 hook is called, let paging errors just write to an address indicating a page fault and continue, instead of calling the original routine (so add some checks after accessing to see if a page fault happened or not).
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping.
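The "stay within the page range" rule from the reply above can be enforced mechanically: any read a handler makes at elevated IRQL should be clamped so it never crosses from the page that holds EIP into the next (possibly non-resident) page. The following C example is added here for illustration and is not code from Dark Byte or from Cheat Engine; it assumes 4 KiB x86 pages and runs in user mode against a constructed, page-aligned buffer that stands in for the debuggee's code page.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumption for this example: 4 KiB pages, as on x86 without large pages. */
#define PAGE_SIZE 4096u

/* Number of bytes from addr up to (and excluding) the start of the next page. */
static size_t bytes_left_in_page(uintptr_t addr) {
    return PAGE_SIZE - (size_t)(addr & (PAGE_SIZE - 1));
}

/* Clamp a read of `want` bytes starting at addr so it never leaves addr's page.
   A read that would cross the boundary is shortened, never extended. */
static size_t clamp_to_page(uintptr_t addr, size_t want) {
    size_t left = bytes_left_in_page(addr);
    return want < left ? want : left;
}

/* Copy up to `want` bytes of code at `eip` into `out`, reading only from the
   page that holds `eip` (the page the handler already knows is resident).
   Returns the number of bytes actually copied, which may be less than `want`. */
static size_t read_code_in_page(const uint8_t *eip, uint8_t *out, size_t want) {
    size_t n = clamp_to_page((uintptr_t)eip, want);
    memcpy(out, eip, n);
    return n;
}

/* Constructed stand-in for two adjacent pages of debuggee code: the first page
   is filled with 0x90 (nop), the second with 0xCC, so a copy that strayed into
   the second page would be visible in the output. */
static _Alignas(PAGE_SIZE) uint8_t fake_pages[2 * PAGE_SIZE];

/* Simulate a single step landing 4 bytes before the end of the first page and
   asking for the longest x86 instruction (15 bytes). Returns bytes copied. */
static size_t demo_read_near_page_end(uint8_t out[15]) {
    memset(fake_pages, 0x90, PAGE_SIZE);
    memset(fake_pages + PAGE_SIZE, 0xCC, PAGE_SIZE);
    const uint8_t *eip = fake_pages + PAGE_SIZE - 4;
    return read_code_in_page(eip, out, 15);
}

int main(void) {
    uint8_t buf[15];
    size_t n = demo_read_near_page_end(buf);
    printf("copied %zu bytes from the EIP page (wanted 15)\n", n);
    for (size_t i = 0; i < n; i++)
        printf("%02X ", buf[i]);
    printf("\n");
    return 0;
}
```

When the clamped length is shorter than the longest instruction the disassembler might need, the handler should treat the instruction as undecodable for this step rather than fetching the remainder from the next page; that is exactly the case the reply warns about.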
linden, Master Cheater
Reputation: 0
Joined: 10 Mar 2006, Posts: 319
Posted: Mon Dec 31, 2007 6:38 am, Post subject:
Thanks for your reply, DarkByte.
I just managed to locate GameMon's sprintf function by single stepping it from the kernel.
The next goal is to hook that and dump their log (so that I don't have to decrypt those .erl files), but now I'm having a headache thinking about how to hook functions like sprintf which accept variable arguments...
Overwriting the retn instruction would be the easiest, but unfortunately there's not enough space to write a jmp there.
Checking for "add esp, XXX" at the return address would be one way to find out the number of arguments, but there's no guarantee that there would be an "add esp, xxx" right after the call. Oh... Jesus... still lots of problems.