
any doc/website about soft interrupt?

Last response: in Windows XP
Anonymous
April 6, 2004 5:23:04 AM

Archived from groups: microsoft.public.windowsxp.device_driver.dev (More info?)

I have hooked the 0xCC interrupt (int 3), but now how do I get the interrupted
thread's info, such as EIP, thread ID, process ID? Use the stack?

any doc/website about this?

OS: XP, SP1 DDK.
Anonymous
April 6, 2004 5:02:53 PM

Archived from groups: microsoft.public.windowsxp.device_driver.dev (More info?)

Do you have the DDK, and have you done any study of it at all? The
functionality you want is available but certainly not at DIRQL, and would
most likely be meaningless to an interrupt service routine.

--
Gary G. Little
Seagate Technologies, LLC

"Xiang Shifu" <xiangshifu@yahoo.com.cn> wrote in message
news:11700b0c.0404060023.29aebc56@posting.google.com...
> i have hook 0xcc interrupt(int 3),but now how to get the interrupted
> thread's info,such as eip,thread id ,process id? use stack?
>
> any doc/website about this?
>
> os:xp ,sp1 ddk,
Anonymous
April 6, 2004 11:45:42 PM

Archived from groups: microsoft.public.windowsxp.device_driver.dev (More info?)

This is my source code!

I am trying to write a small debugger with int 3, but I don't know how to get the thread's EIP.


#ifndef __HOOK_H
#define __HOOK_H


#pragma once

#include <ntddk.h>

/* Fixed-width aliases used by the IDT structures below.  They are macros
 * rather than typedefs, so they take part in no type checking; the widths
 * must match the in-memory layout of the x86 descriptors declared later. */
#define DWORD unsigned __int32
#define WORD unsigned __int16
#define BYTE unsigned __int8
#define BOOL __int32

/* Half-word / half-byte extraction helpers, same shape as the Win32 SDK ones. */
#define LOWORD(l) ((WORD)(l))
#define HIWORD(l) ((WORD)(((DWORD)(l) >> 16) & 0xFFFF))
#define LOBYTE(w) ((BYTE)(w))
#define HIBYTE(w) ((BYTE)(((WORD)(w) >> 8) & 0xFF))

/* Join two 16-bit halves into a 32-bit value: a is the low word, b the high
 * word (`<<` binds tighter than `|`, so no extra parentheses are needed).
 * The result is a signed LONG that callers cast to a pointer, which only
 * round-trips on a 32-bit target. */
#define MAKELONG(a, b) ((LONG) (((WORD) (a)) | ((DWORD) ((WORD) (b))) << 16))

#pragma pack(1)

/* Memory image stored by `sidt` and loaded by `lidt`: a 16-bit limit followed
 * by a 32-bit linear base.  The base is split into two WORDs so it can be
 * reassembled with MAKELONG(LowIDTbase, HiIDTbase).  Relies on the
 * #pragma pack(1) in effect above so no padding is inserted. */
typedef struct tagIDTR {
    WORD IDTLimit;     /* size of the IDT in bytes, minus one */
    WORD LowIDTbase;   /* bits 0-15 of the IDT linear base address */
    WORD HiIDTbase;    /* bits 16-31 of the IDT linear base address */
}IDTR, *PIDTR;


/* One 8-byte 32-bit IDT gate descriptor.  The hook code only rewrites the two
 * handler-offset halves (bytes 0-1 and 6-7, stored via [ebx] and [ebx+6]);
 * the selector, type bits, DPL and present bit of the original gate are kept.
 * The bit-field order relies on MSVC allocating bit-fields low bit first. */
typedef struct tagIDTENTRY{
    WORD OffsetLow;             /* handler address bits 0-15 */
    WORD selector;              /* code segment selector the gate switches to */
    BYTE unused_lo;             /* reserved byte */
    unsigned char unused_hi:5;  /* gate type bits and the storage-segment bit */
    unsigned char DPL:2;        /* highest privilege level allowed to `int n` into this gate */
    unsigned char P:1;          /* present bit */
    WORD OffsetHigh;            /* handler address bits 16-31 */
} IDTENTRY, *PIDTENTRY;
#pragma pack()

/**
 * Redirect the IDT entry for vector 3 (the `int 3` breakpoint trap) to
 * NewIntCCService, saving the previous handler address in OldIntCCService.
 * Only the IDT of the processor executing this call is modified (`sidt`
 * reads the current processor's IDTR; nothing iterates other processors).
 */
VOID
InstallHookIntCC();

/**
 * Put back the vector-3 handler saved by InstallHookIntCC.  Must run before
 * the driver unloads, otherwise the gate keeps pointing at unloaded code.
 */
VOID
UnInstallHookIntCC();



#endif













#include "hook.h"
#include "debug.h"


/* IDT vector being hooked: 3 = #BP, raised by the one-byte `int 3`
 * breakpoint instruction (opcode 0xCC). */
#define XCCCALL 0x03

/* Linear address of the original vector-3 handler, captured by
 * InstallHookIntCC and chained to (`jmp OldIntCCService`) by NewIntCCService.
 * Referenced from inline asm, so it must stay a plain global DWORD. */
DWORD OldIntCCService;

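/**
 * C-level body of the int 3 hook, called from the naked stub NewIntCCService
 * after it has saved the registers and re-enabled interrupts (`sti`).
 *
 * Logs the process and thread that executed the breakpoint, then returns so
 * the stub can chain to the original handler.  The interrupted EIP is not
 * available here: it sits in the trap frame the CPU pushed before the stub's
 * pushad/pushfd, and this routine receives no pointer to that frame.
 *
 * Fix over the original: ThreadId was computed but never printed, and the
 * DWORD values were formatted with %d although DWORD is unsigned (%u).
 */
VOID __fastcall IntXCCCall()
{
    KIRQL OldIrql;
    DWORD ThreadId;
    DWORD ProcessId;

    /* Both Ps* queries are callable at any IRQL, which matters because this
     * runs in whatever context hit the breakpoint (user or kernel mode). */
    ProcessId = (DWORD)PsGetCurrentProcessId();
    ThreadId = (DWORD)PsGetCurrentThreadId();

    /* The interrupted thread's EIP would have to come from the trap frame;
     * nothing here reads it yet. */

    InterruptDrv_KDPRINT((" ProcessID: %u  ThreadID: %u \n", ProcessId, ThreadId));

    /* NOTE(review): raising to HIGH_LEVEL only masks interrupts on this CPU
     * around the second print; it does not make the print itself safer.
     * Kept as written — confirm it is really wanted. */
    KeRaiseIrql(HIGH_LEVEL, &OldIrql);

    InterruptDrv_KDPRINT(("int 0xcc happen \n"));

    KeLowerIrql(OldIrql);
}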

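/**
 * Raw IDT vector-3 entry point installed by InstallHookIntCC.
 *
 * Naked: the compiler emits no prologue or epilogue, so on entry the stack
 * holds exactly the CPU trap frame.  The stub saves every register it or the
 * C callee may disturb, calls IntXCCCall, restores them, and then jumps to
 * the saved original handler so normal breakpoint processing still happens.
 *
 * Fix over the original: the definition had no return type (implicit int);
 * it is declared VOID here, matching the other routines in this file.
 */
VOID __declspec(naked) NewIntCCService()
{
    __asm
    {
        pushad                  ; general-purpose registers
        pushfd                  ; EFLAGS
        push fs
        mov bx,0x30             ; presumably the kernel per-processor segment selector; confirm for the target OS
        mov fs,bx
        push ds
        push es

        sti                     ; interrupts back on while in C
        call IntXCCCall;
        cli

        pop es
        pop ds
        pop fs
        popfd
        popad                   ; also restores the bx clobbered above

        jmp OldIntCCService;    ; memory-indirect jump through the saved handler address
    }
}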

/**
 * Point the vector-3 gate of the current processor's IDT at NewIntCCService.
 *
 * Steps: read the IDTR with `sidt`, reassemble the IDT base, save the handler
 * address currently in entry 3 to OldIntCCService, then patch the two offset
 * halves of the gate in place with interrupts disabled.  Only the offset is
 * changed; selector, type bits, DPL and present bit stay as they were.
 *
 * NOTE(review): `sidt` reports the IDTR of whichever processor runs this
 * code and nothing here visits the others, so on a multiprocessor machine
 * the hook lands on one CPU only — confirm whether that is intended.
 */
VOID InstallHookIntCC()
{
    IDTR idtr;        /* filled by sidt below */
    PIDTENTRY OIdt;   /* IDT base viewed as an array of gates */
    PIDTENTRY NIdt;   /* the vector-3 gate being patched */

    __asm
    {
        sidt idtr;
    }

    OIdt = (PIDTENTRY)MAKELONG(idtr.LowIDTbase,idtr.HiIDTbase);

    /* Keep the original handler so NewIntCCService can chain to it and
     * UnInstallHookIntCC can put it back. */
    OldIntCCService = MAKELONG(OIdt[XCCCALL].OffsetLow,OIdt[XCCCALL].OffsetHigh);

    NIdt = &(OIdt[XCCCALL]);

    /* Store the 32-bit address of NewIntCCService as two 16-bit halves:
     * [ebx] = OffsetLow (byte 0), [ebx+6] = OffsetHigh (byte 6).  cli/sti keep
     * an interrupt from arriving on this CPU between the two stores.  The
     * lidt reload is redundant (idtr is unchanged and the table was modified
     * in place) but harmless. */
    __asm
    {
        cli
        lea eax,NewIntCCService;
        mov ebx, NIdt;
        mov [ebx],ax;
        shr eax,16
        mov [ebx+6],ax;
        lidt idtr
        sti
    }
}

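/**
 * Restore the vector-3 gate of the current processor's IDT to the handler
 * address saved in OldIntCCService by InstallHookIntCC.
 *
 * Fix over the original: the asm used `lea eax,OldIntCCService`, which loads
 * the ADDRESS of the global variable rather than its contents, so the gate
 * was re-pointed at the driver's data instead of at the original handler
 * (and at freed memory once the driver unloaded).  `mov eax,OldIntCCService`
 * loads the saved handler address itself.  The block also uses the same
 * `__asm` spelling as the rest of the file.
 *
 * Same single-processor caveat as InstallHookIntCC: only the IDT of the CPU
 * running this code is touched.
 */
VOID UnInstallHookIntCC()
{
    IDTR idtr;        /* filled by sidt below */
    PIDTENTRY OIdt;   /* IDT base viewed as an array of gates */
    PIDTENTRY NIdt;   /* the vector-3 gate being restored */

    __asm
    {
        sidt idtr;
    }

    OIdt = (PIDTENTRY)MAKELONG(idtr.LowIDTbase,idtr.HiIDTbase);

    NIdt = &(OIdt[XCCCALL]);

    /* Mirror of the install sequence: low half to byte 0, high half to byte 6,
     * with interrupts masked on this CPU between the two stores. */
    __asm
    {
        cli
        mov eax,OldIntCCService;
        mov ebx, NIdt;
        mov [ebx],ax;
        shr eax,16
        mov [ebx+6],ax;
        lidt idtr
        sti
    }
}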



"Gary G. Little" <gary.g.little.nospam@seagate.com> wrote in message news:<1Uxcc.5089$933.1476@newssvr23.news.prodigy.com>...
> Do you have the DDK, and have you done any study of it at all? The
> functionality you want is available but certainly not at DIRQL, and would
> most likely be meaningless to an interrupt service routine.
>
> --
> Gary G. Little
> Seagate Technologies, LLC
>
> "Xiang Shifu" <xiangshifu@yahoo.com.cn> wrote in message
> news:11700b0c.0404060023.29aebc56@posting.google.com...
> > i have hook 0xcc interrupt(int 3),but now how to get the interrupted
> > thread's info,such as eip,thread id ,process id? use stack?
> >
> > any doc/website about this?
> >
> > os:xp ,sp1 ddk,
!