A certain protected program (referred to below as "p"), when running under two-machine (kernel) debugging, checks whether the kernel variable KdEnteredDebugger equals 1 and, if it does, reboots the machine.
Our approach is to make that check observe 0 forever. Analysis showed that, on the analysed build, the byte at KdEnteredDebugger+0x20 is 0 (an empirical offset, not a documented one — re-verify it on any other kernel build). Rather than patching the flag itself, we redirect the read: the check reaches the flag through an MDL built over its address (which is why hooking IoAllocateMdl is enough), so an inline hook on IoAllocateMdl that retargets that MDL is all that is needed:
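/*
 * Hook body for IoAllocateMdl (excerpt; the full driver listing follows).
 *
 * When the caller asks for an MDL whose start address is exactly the
 * KdEnteredDebugger flag, the MDL is built over flag+0x20 instead, so the
 * caller's later read through that MDL sees the zero byte observed there on
 * the analysed build rather than the real flag value.  Every other request
 * is forwarded unchanged to the saved original prologue (old_ioallocatemdl).
 *
 * Only an exact start-address match is redirected: an MDL that begins
 * before the flag and merely spans it still exposes the real value.
 */
PMDL myioallocatemdl(__in_opt PVOID virtualaddress, __in ULONG Length,
                     __in BOOLEAN SecondaryBuffer, __in BOOLEAN Chargequota,
                     __inout_opt PIRP Irp OPTIONAL)
{
    PVOID Pkdentereddebugger = (PVOID)getkdentereddebuggeraddr();

    if (Pkdentereddebugger == virtualaddress) {
        /* +0x20 moves the mapping to a location known to hold 0 (empirical, per build). */
        virtualaddress = (PVOID)((size_t)Pkdentereddebugger + 0x20);
    }
    return old_ioallocatemdl(virtualaddress, Length, SecondaryBuffer, Chargequota, Irp);
}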
Specific code implementation:
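#include <NTDDK.H>
#include <windef.h>
#include <ntstatus.h>

/*
 * Inline hook on IoAllocateMdl that hides the kernel's KdEnteredDebugger flag
 * from a program that reads it through an MDL mapping.
 *
 * Reviewer notes (read before reusing):
 *  - 32-bit x86 only: the far-jump selector, the __asm CR0 handling and the
 *    ULONG casts of pointers do not hold on x64, where PatchGuard would in any
 *    case bugcheck on a patched ntoskrnl export.
 *  - The 5-byte prologue copy assumes the first five bytes of IoAllocateMdl are
 *    whole instructions (the hot-patchable mov edi,edi / push ebp / mov ebp,esp
 *    sequence).  No length decoder is used; verify this against the target
 *    build with a disassembler before loading the driver.
 *  - The 5-byte patch is written non-atomically while other processors keep
 *    running; a CPU that fetches IoAllocateMdl mid-write executes a torn
 *    instruction.  Acceptable in a lab VM, not anywhere else.
 *  - The trampoline lives in NonPagedPool; on kernels where that pool is
 *    mapped no-execute the jump into it faults (the analysed target is
 *    presumably an older 32-bit kernel -- confirm).
 */

/* First five bytes of IoAllocateMdl, saved so unload can restore them. */
BYTE originalbytes[5] = {0};
/* E9 rel32: near jump from IoAllocateMdl to myioallocatemdl. */
BYTE hookcode[5] = {0xE9, 0, 0, 0, 0};
/* EA ptr16:32: far jump back to IoAllocateMdl+5; selector 0x0008 is the kernel CS. */
BYTE jmpcode[7] = {0xEA, 0, 0, 0, 0, 0x08, 0};
/* CR0 contents saved while write protection is disabled. */
ULONG Cr0value;

#define KMALLOC_TAG 'sysq'
#define Kmalloc(_s) ExAllocatePoolWithTag(NonPagedPool, (_s), KMALLOC_TAG)

/* Trampoline = saved prologue (5) + far jump back (7) = 12 bytes. */
#define TRAMPOLINE_SIZE (sizeof(originalbytes) + sizeof(jmpcode))
/* Offset from the flag at which a zero byte was observed on the analysed build (empirical). */
#define KD_REDIRECT_OFFSET 0x20

/*
 * The WDK declares the export as PBOOLEAN: the exported object holds the
 * address of the real flag, so reading it yields the address a caller's MDL
 * will be built over.
 */
extern PBOOLEAN KdEnteredDebugger;

/* Return the address of the kernel's KdEnteredDebugger flag. */
size_t getkdentereddebuggeraddr(void)
{
    return (size_t)KdEnteredDebugger;
}

/* Signature of IoAllocateMdl, used to call the trampoline. */
typedef PMDL (__stdcall *_myioallocatemdl)(
    _In_opt_ PVOID VirtualAddress,
    _In_ ULONG Length,
    _In_ BOOLEAN SecondaryBuffer,
    _In_ BOOLEAN ChargeQuota,
    _Inout_opt_ PIRP Irp);

/* Trampoline: original 5-byte prologue followed by a far jump to IoAllocateMdl+5. */
_myioallocatemdl old_ioallocatemdl = NULL;
/* TRUE once the jump has been written into IoAllocateMdl. */
static BOOLEAN hookinstalled = FALSE;

/*
 * Hook body.  An MDL request whose start address is exactly the flag is
 * retargeted to flag+KD_REDIRECT_OFFSET; everything else is forwarded as is.
 * Only an exact start-address match is redirected -- an MDL that begins
 * before the flag and spans it still exposes the real value.
 */
PMDL myioallocatemdl(__in_opt PVOID virtualaddress,
                     __in ULONG Length,
                     __in BOOLEAN SecondaryBuffer,
                     __in BOOLEAN Chargequota,
                     __inout_opt PIRP Irp OPTIONAL)
{
    PVOID flagaddr = (PVOID)getkdentereddebuggeraddr();

    if (virtualaddress == flagaddr) {
        virtualaddress = (PVOID)((size_t)flagaddr + KD_REDIRECT_OFFSET);
    }
    return old_ioallocatemdl(virtualaddress, Length, SecondaryBuffer, Chargequota, Irp);
}

/*
 * Copy len bytes of src over read-only kernel code at dst.
 *
 * IRQL is raised to DISPATCH_LEVEL *before* CR0.WP is cleared: CR0 is
 * per-processor state, so a preemption between clearing WP and the write
 * could resume this thread on another CPU (where WP is still set, faulting
 * on the write) and leave the first CPU running with WP off.  The original
 * listing did these two steps in the opposite order.
 */
static void patch_code(BYTE *dst, const BYTE *src, SIZE_T len)
{
    KIRQL irql = KeRaiseIrqlToDpcLevel();

    /* Clear CR0.WP (bit 16) so the kernel text page becomes writable on this CPU. */
    _asm {
        push eax
        mov eax, cr0
        mov Cr0value, eax
        and eax, 0FFFEFFFFH
        mov cr0, eax
        pop eax
    }

    RtlCopyMemory(dst, src, len);

    /* Restore the saved CR0, re-enabling write protection. */
    _asm {
        push eax
        mov eax, Cr0value
        mov cr0, eax
        pop eax
    }

    KeLowerIrql(irql);
}

/*
 * Build the trampoline and write the near jump into IoAllocateMdl.
 * Must run after old_ioallocatemdl has been allocated (see DriverEntry).
 */
void hookioallocatemdl(void)
{
    DbgPrint("ntioallocatemdl]: 0x%p", IoAllocateMdl);
    DbgPrint("[myioallocatemdl]: 0x%p", myioallocatemdl);

    /* Save the prologue and compute both jump displacements. */
    RtlCopyMemory(originalbytes, (BYTE *)IoAllocateMdl, sizeof(originalbytes));
    *(ULONG *)(hookcode + 1) =
        (ULONG)myioallocatemdl - ((ULONG)IoAllocateMdl + (ULONG)sizeof(hookcode));
    *(ULONG *)(jmpcode + 1) = (ULONG)((BYTE *)IoAllocateMdl + sizeof(originalbytes));

    /* Trampoline: [original 5 bytes][far jmp IoAllocateMdl+5]. Pool is writable; no WP dance needed. */
    RtlCopyMemory((BYTE *)old_ioallocatemdl, originalbytes, sizeof(originalbytes));
    RtlCopyMemory((BYTE *)old_ioallocatemdl + sizeof(originalbytes), jmpcode, sizeof(jmpcode));

    /* Install the hook last, once the trampoline is complete. */
    patch_code((BYTE *)IoAllocateMdl, hookcode, sizeof(hookcode));
    hookinstalled = TRUE;

    DbgPrint("already Hook");
}

/*
 * Restore IoAllocateMdl's prologue and free the trampoline.
 * NOTE: a thread currently executing inside the trampoline will return into
 * freed pool; no quiescence is attempted here.
 */
static void unhookioallocatemdl(void)
{
    if (hookinstalled) {
        patch_code((BYTE *)IoAllocateMdl, originalbytes, sizeof(originalbytes));
        hookinstalled = FALSE;
    }
    if (old_ioallocatemdl != NULL) {
        ExFreePoolWithTag((PVOID)old_ioallocatemdl, KMALLOC_TAG);
        old_ioallocatemdl = NULL;
    }
}

/*
 * Driver unload.  The original listing only printed a message here and left
 * the jump in IoAllocateMdl pointing into the unloaded image, which crashes
 * the next caller; the hook is now removed before the image goes away.
 */
void mydriverunload(PDRIVER_OBJECT p)
{
    UNREFERENCED_PARAMETER(p);
    unhookioallocatemdl();
    DbgPrint("has resumed");
}

/*
 * Entry point: allocate the 12-byte trampoline, NOP-fill it, then install
 * the hook.  Returns STATUS_INSUFFICIENT_RESOURCES if the pool allocation
 * fails (the original listing dereferenced the result unchecked).
 */
NTSTATUS DriverEntry(IN OUT PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);

    DbgPrint("Start Hook");
    DriverObject->DriverUnload = mydriverunload;

    old_ioallocatemdl = (_myioallocatemdl)Kmalloc(TRAMPOLINE_SIZE);
    if (old_ioallocatemdl == NULL) {
        return STATUS_INSUFFICIENT_RESOURCES;
    }
    /* 0x90 = NOP; every byte is overwritten by hookioallocatemdl anyway. */
    memset((PVOID)old_ioallocatemdl, 0x90, TRAMPOLINE_SIZE);

    hookioallocatemdl();
    return STATUS_SUCCESS;
}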
KdEnteredDebugger detection by a certain program ("p")