KernelMode.info

A forum for reverse engineering, OS internals and malware analysis
https://www.kernelmode.info/forum/

Debug Trap in atapi.sys

https://www.kernelmode.info/forum/viewtopic.php?f=13&t=1512

Page 2 of 2

Re: Debug Trap in atapi.sys

PostPosted:Mon Jun 04, 2012 6:07 am
by Tigzy
Ok, anyway this is new at least for me :)
Just one question. When jumping to KiDebugRoutine, how the filter know where it comes from, and get the args back?

Re: Debug Trap in atapi.sys

PostPosted:Mon Jun 04, 2012 3:32 pm
by Alex
Here is the mentioned PoC - Single Byte Hooks. A short description how to use KiDebugRoutine in other way.
Just take look at parameters passed to KdpStub/KdpTrap and you will see what information you can extract from them - part of NGdbg kernel debugger:
Code: Select all
BOOLEAN
DbgTrap (
    IN PKTRAP_FRAME TrapFrame,
    IN PKEXCEPTION_FRAME ExceptionFrame,
    IN PEXCEPTION_RECORD ExceptionRecord,
    IN PCONTEXT ContextRecord,
    IN KPROCESSOR_MODE PreviousMode,
    IN BOOLEAN SecondChance
    );
All times are UTC
Page 2 of 2
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/