 #13688  by Tigzy
 Mon Jun 04, 2012 6:07 am
Ok, anyway this is new at least for me :)
Just one question. When jumping to KiDebugRoutine, how does the filter know where it comes from, and get the args back?
 #13700  by Alex
 Mon Jun 04, 2012 3:32 pm
Here is the mentioned PoC - Single Byte Hooks. A short description of how to use KiDebugRoutine in another way.
Just take a look at the parameters passed to KdpStub/KdpTrap and you will see what information you can extract from them - part of the NGdbg kernel debugger:
BOOLEAN
DbgTrap (
    IN PKTRAP_FRAME TrapFrame,
    IN PKEXCEPTION_FRAME ExceptionFrame,
    IN PEXCEPTION_RECORD ExceptionRecord,
    IN PCONTEXT ContextRecord,
    IN KPROCESSOR_MODE PreviousMode,
    IN BOOLEAN SecondChance
    );
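As an added illustration (not code from this thread or from NGdbg) of how a KiDebugRoutine filter answers the question above from its arguments alone: a user-mode C model with simplified stand-in structures. The TrapFrame and ExceptionFrame parameters are omitted, and the breakpoint addresses are constructed sample values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified stand-ins for the NT structures, constructed for this example
 * (not the real ntoskrnl definitions): only the fields the filter reads. */
#define STATUS_BREAKPOINT  0x80000003UL
#define STATUS_SINGLE_STEP 0x80000004UL
typedef struct { uint32_t ExceptionCode; uintptr_t ExceptionAddress; } EXCEPTION_RECORD;
typedef struct { uintptr_t Eip; } CONTEXT;
typedef enum { KernelMode = 0, UserMode = 1 } KPROCESSOR_MODE;
typedef enum { DBG_PASS, DBG_OWN_BREAKPOINT, DBG_OWN_SINGLE_STEP } DbgVerdict;

/* Where the hypothetical debugger planted its int3 breakpoints and whether it
 * has armed a single step (sample values constructed for the example). */
static const uintptr_t g_breakpoints[] = { 0x80501000u, 0x80502040u };
static bool g_stepping = false;

static bool owns_breakpoint(uintptr_t addr)
{
    for (size_t i = 0; i < sizeof g_breakpoints / sizeof g_breakpoints[0]; i++)
        if (g_breakpoints[i] == addr) return true;
    return false;
}

/* The trap's origin is read straight from the arguments the kernel hands to
 * KiDebugRoutine: ExceptionCode says which trap fired, ExceptionAddress where,
 * PreviousMode at which privilege level, SecondChance whether it was declined
 * once already. Anything that is not ours is passed on untouched. */
DbgVerdict DbgClassify(const EXCEPTION_RECORD *rec, const CONTEXT *ctx,
                       KPROCESSOR_MODE prev, bool second_chance)
{
    if (prev == UserMode || second_chance)
        return DBG_PASS;
    if (rec->ExceptionCode == STATUS_BREAKPOINT && owns_breakpoint(rec->ExceptionAddress))
        return DBG_OWN_BREAKPOINT;
    if (rec->ExceptionCode == STATUS_SINGLE_STEP && g_stepping && ctx->Eip != 0)
        return DBG_OWN_SINGLE_STEP;
    return DBG_PASS;
}

/* KdpTrap-style entry: TRUE = consumed, FALSE = continue normal dispatch. */
bool DbgTrap(const EXCEPTION_RECORD *rec, const CONTEXT *ctx,
             KPROCESSOR_MODE prev, bool second_chance)
{
    return DbgClassify(rec, ctx, prev, second_chance) != DBG_PASS;
}
```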