any doc/website about soft interrupt?

Archived from groups: microsoft.public.windowsxp.device_driver.dev (More info?)

I have hooked the 0xCC interrupt (int 3), but now how do I get the interrupted
thread's info, such as EIP, thread ID and process ID? Should I read it from the stack?

any doc/website about this?

OS: XP, SP1 DDK.
  1. Archived from groups: microsoft.public.windowsxp.device_driver.dev (More info?)

    Do you have the DDK, and have you done any study of it at all? The
    functionality you want is available but certainly not at DIRQL, and would
    most likely be meaningless to an interrupt service routine.

    --
    Gary G. Little
    Seagate Technologies, LLC

    "Xiang Shifu" <xiangshifu@yahoo.com.cn> wrote in message
    news:11700b0c.0404060023.29aebc56@posting.google.com...
    > i have hook 0xcc interrupt(int 3),but now how to get the interrupted
    > thread's info,such as eip,thread id ,process id? use stack?
    >
    > any doc/website about this?
    >
    > os:xp ,sp1 ddk,
  2. Archived from groups: microsoft.public.windowsxp.device_driver.dev (More info?)

    This is my source code:

    I am trying to write a small debugger based on int 3, but I don't know how to get the interrupted thread's EIP.


    #ifndef __HOOK_H
    #define __HOOK_H


    #pragma once

    #include <ntddk.h>

    /* Win32-style scalar aliases; ntddk.h does not supply DWORD/WORD/BYTE/BOOL.
     * They are macros, not typedefs, so they expand textually wherever used. */
    #define DWORD unsigned __int32
    #define WORD unsigned __int16
    #define BYTE unsigned __int8
    #define BOOL __int32

    /* Half-word / byte extraction helpers (not used by hook.c itself). */
    #define LOWORD(l) ((WORD)(l))
    #define HIWORD(l) ((WORD)(((DWORD)(l) >> 16) & 0xFFFF))
    #define LOBYTE(w) ((BYTE)(w))
    #define HIBYTE(w) ((BYTE)(((WORD)(w) >> 8) & 0xFF))

    /* Joins two 16-bit halves into a 32-bit value: a = low word, b = high word.
     * The result is cast to LONG (signed, from ntddk.h); callers cast it straight
     * to a pointer or store it in a DWORD, which is fine on 32-bit x86 only. */
    #define MAKELONG(a, b) ((LONG) (((WORD) (a)) | ((DWORD) ((WORD) (b))) << 16))

    /* Byte packing is mandatory: both structures must match the exact in-memory
     * layout the CPU uses (the 6-byte sidt/lidt operand and the 8-byte gate). */
    #pragma pack(1)

    /* 32-bit IDTR as stored by sidt / loaded by lidt: a 16-bit limit followed by
     * the 32-bit linear base, split into two words so MAKELONG can rebuild it. */
    typedef struct tagIDTR {
    WORD IDTLimit;
    WORD LowIDTbase;
    WORD HiIDTbase;
    }IDTR, *PIDTR;


    /* One 8-byte 32-bit IDT gate descriptor. The handler offset is split across
     * OffsetLow (bits 0-15, byte 0) and OffsetHigh (bits 16-31, byte 6); the
     * bit-fields in byte 5 hold the gate type/S bits (unused_hi), the descriptor
     * privilege level (DPL) and the present flag (P). */
    typedef struct tagIDTENTRY{
    WORD OffsetLow;
    WORD selector;
    BYTE unused_lo;
    unsigned char unused_hi:5;
    unsigned char DPL:2;
    unsigned char P:1;
    WORD OffsetHigh;
    } IDTENTRY, *PIDTENTRY;
    #pragma pack()

    /* Redirects IDT vector 3 (int 3) of the processor this runs on to the hook
     * stub and saves the previous handler offset in OldIntCCService. */
    VOID
    InstallHookIntCC();

    /* Writes the saved handler offset back into IDT vector 3. */
    VOID
    UnInstallHookIntCC();


    #endif


    #include "hook.h"
    #include "debug.h"


    /* IDT vector number of the breakpoint exception raised by the 0xCC opcode (int 3). */
    #define XCCCALL 0x03

    /* Offset of the handler that occupied vector 3 before InstallHookIntCC ran.
     * NewIntCCService tail-jumps through it and UnInstallHookIntCC writes it back.
     * File-scope, so it is zero until the hook has been installed. */
    DWORD OldIntCCService;

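    /*
     * C-level body of the int 3 hook, called from the naked stub NewIntCCService
     * after it has saved the interrupted context and re-enabled interrupts.
     *
     * Logs the process and thread that executed the breakpoint, then returns so
     * the stub can restore the context and chain to the original handler.
     *
     * Changes against the first version:
     *  - ThreadId was computed but never reported; both ids are now logged.
     *  - the ids are DWORD (unsigned), so the format uses %u instead of %d.
     *  - the trace no longer runs under KeRaiseIrql(HIGH_LEVEL): DbgPrint is
     *    not documented for IRQLs above DIRQL, and the raise protected nothing.
     *
     * NOTE(review): the interrupted EIP is not reachable from here as written.
     * When the vector-3 gate fires the CPU pushes EFLAGS, CS and EIP (and SS:ESP
     * first if the breakpoint came from ring 3) before NewIntCCService pushes
     * its own registers, so the value sits on the stack just above the stub's
     * saved registers. To use it from C the stub would have to hand a pointer
     * to that frame to this function (e.g. in ECX, the first __fastcall
     * argument). Whether ring-3 int 3 reaches this gate depends on the gate's
     * DPL -- confirm before relying on one frame layout.
     *
     * The HANDLE -> DWORD casts are only valid for the 32-bit build this code
     * targets.
     */
    VOID __fastcall IntXCCCall()
    {
        DWORD ProcessId = (DWORD)PsGetCurrentProcessId();
        DWORD ThreadId = (DWORD)PsGetCurrentThreadId();

        InterruptDrv_KDPRINT((" ProcessID: %u ThreadID: %u \n", ProcessId, ThreadId));

        InterruptDrv_KDPRINT(("int 0xcc happen \n"));
    }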

    /*
     * Raw entry point written into IDT vector 3 by InstallHookIntCC.
     *
     * Declared naked (no compiler prologue/epilogue) and with an implicit int
     * return type; it must never be called from C. Control arrives here
     * directly from the CPU with the hardware exception frame (EFLAGS, CS, EIP
     * and, for a ring-3 origin, SS:ESP) already on the stack. The stub saves
     * every register the C callee may clobber, switches FS, calls IntXCCCall,
     * restores everything in reverse order and tail-jumps to the original
     * handler so the breakpoint is still serviced normally.
     */
    __declspec(naked) NewIntCCService()
    {
    __asm
    {
    pushad            // all general-purpose registers (8 dwords)
    pushfd            // EFLAGS, so the cli below is undone by popfd
    push fs           // FS is replaced below; keep the interrupted value
    mov bx,0x30       // NOTE(review): presumably the ring-0 KPCR selector on x86 XP -- confirm
    mov fs,bx
    push ds
    push es

    sti               // interrupts back on while the C body runs (it may be preempted)
    call IntXCCCall;
    cli               // interrupts off again before unwinding the frame

    pop es
    pop ds
    pop fs
    popfd
    popad

    jmp OldIntCCService;  // NOTE(review): MSVC inline asm treats a data symbol as a memory operand, so this should jump through the saved DWORD rather than to the variable -- verify in the listing
    }
    }

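    /*
     * Points IDT vector 3 of the processor this runs on at NewIntCCService.
     *
     * The previous handler offset is saved in OldIntCCService so the stub can
     * chain to it and UnInstallHookIntCC can put it back. Installing twice is
     * now a no-op: if the vector already holds NewIntCCService the function
     * returns before touching OldIntCCService, which the first version would
     * have overwritten with the hook's own address, turning the chain into a
     * loop on the next breakpoint.
     *
     * Caveats the code does not handle:
     *  - sidt reads only this processor's IDTR; Windows keeps a per-processor
     *    IDT, so on a multiprocessor system only this CPU is hooked.
     *  - cli/sti mask interrupts on this CPU only, and the two 16-bit writes
     *    are not atomic with respect to other CPUs.
     *  - lidt reloads the IDTR that was just read; it is kept for parity with
     *    the first version, but the in-place gate edit is what takes effect.
     */
    VOID InstallHookIntCC()
    {
        IDTR idtr;
        PIDTENTRY OIdt;
        PIDTENTRY NIdt;
        DWORD CurrentService;

        __asm
        {
        sidt idtr;
        }

        OIdt = (PIDTENTRY)MAKELONG(idtr.LowIDTbase,idtr.HiIDTbase);
        NIdt = &(OIdt[XCCCALL]);

        /* Already hooked? Never record our own stub as the "old" handler. */
        CurrentService = (DWORD)MAKELONG(NIdt->OffsetLow, NIdt->OffsetHigh);
        if (CurrentService == (DWORD)(ULONG_PTR)NewIntCCService) {
            return;
        }
        OldIntCCService = CurrentService;

        __asm
        {
        cli
        lea eax,NewIntCCService;      // address of the stub (lea on a code label)
        mov ebx, NIdt;
        mov [ebx],ax;                 // IDTENTRY.OffsetLow  (byte 0)
        shr eax,16
        mov [ebx+6],ax;               // IDTENTRY.OffsetHigh (byte 6)
        lidt idtr
        sti
        }
    }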

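    /*
     * Restores IDT vector 3 of the processor this runs on to the handler saved
     * by InstallHookIntCC.
     *
     * Bug fixed here: the first version used `lea eax, OldIntCCService`, which
     * loads the ADDRESS of the variable, so the gate was pointed at a DWORD in
     * this driver's data rather than at the original handler; the next int 3
     * would have jumped into that variable's storage. `mov eax, OldIntCCService`
     * loads its value.
     *
     * Calling this without a prior successful install is a no-op (the saved
     * offset is still zero), so the vector is never pointed at address 0.
     * OldIntCCService is deliberately left set afterwards: NewIntCCService runs
     * with interrupts enabled and ends with `jmp OldIntCCService`, so an
     * instance of the stub that was preempted before we got here still needs
     * the value. Same per-processor and cli/sti caveats as InstallHookIntCC.
     */
    VOID UnInstallHookIntCC()
    {
        IDTR idtr;
        PIDTENTRY OIdt;
        PIDTENTRY NIdt;

        if (OldIntCCService == 0) {
            return;
        }

        __asm
        {
        sidt idtr;
        }

        OIdt = (PIDTENTRY)MAKELONG(idtr.LowIDTbase,idtr.HiIDTbase);
        NIdt = &(OIdt[XCCCALL]);

        __asm
        {
        cli
        mov eax,OldIntCCService;      // VALUE of the saved offset, not its address
        mov ebx, NIdt;
        mov [ebx],ax;                 // IDTENTRY.OffsetLow  (byte 0)
        shr eax,16
        mov [ebx+6],ax;               // IDTENTRY.OffsetHigh (byte 6)
        lidt idtr
        sti
        }
    }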


    "Gary G. Little" <gary.g.little.nospam@seagate.com> wrote in message news:<1Uxcc.5089$933.1476@newssvr23.news.prodigy.com>...
    > Do you have the DDK, and have you done any study of it at all? The
    > functionality you want is available but certainly not at DIRQL, and would
    > most likely be meaningless to an interrupt service routine.
    >
    > --
    > Gary G. Little
    > Seagate Technologies, LLC
    >
    > "Xiang Shifu" <xiangshifu@yahoo.com.cn> wrote in message
    > news:11700b0c.0404060023.29aebc56@posting.google.com...
    > > i have hook 0xcc interrupt(int 3),but now how to get the interrupted
    > > thread's info,such as eip,thread id ,process id? use stack?
    > >
    > > any doc/website about this?
    > >
    > > os:xp ,sp1 ddk,