win10 KiDispatchException about hooklib HOT 23 CLOSED

Need more information

from hooklib.

SetHook(KiDispatchException) Will freeze the system （win10 1909 20h2）
Similar to here #4

SetHook((PVOID)GetFunctionAddr(L"ObCreateObject"), MyObCreateObject, reinterpret_cast<PVOID*>(&pfn_ObCreateObject));

•                                                                         *
  

•                    Bugcheck Analysis                                    *
  

•                                                                         *
  

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: ffffbd0347c848ea, Address of the instruction which caused the bugcheck
Arg3: fffffb09394e5fd0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:

0: kd> u ObCreateObject
nt!ObCreateObject:
fffff80347c848e0 e97bf31104 jmp MyObCreateObject (fffff8034bda3c60)
fffff80347c848e5 8364244800 and dword ptr [rsp+48h],0 fffff80347c848ea 488b8424a0000000 mov rax,qword ptr [rsp+0A0h]
fffff80347c848f2 4889442440 mov qword ptr [rsp+40h],rax fffff80347c848f7 8b842498000000 mov eax,dword ptr [rsp+98h]
fffff80347c848fe 89442438 mov dword ptr [rsp+38h],eax fffff80347c84902 8b842490000000 mov eax,dword ptr [rsp+90h]
fffff803`47c84909 89442430 mov dword ptr [rsp+30h],eax

0: kd> u FFFFBD03C03062F0 (pfn_ObCreateObject)
ffffbd03c03062f0 4883ec58 sub rsp,58h ffffbd03c03062f4 488364244800 and qword ptr [rsp+48h],0
ffffbd03c03062fa e9ebe59787 jmp ffffbd0347c848ea
ffffbd03c03062ff 0000 add byte ptr [rax],al ffffbd03c0306301 0000 add byte ptr [rax],al
ffffbd03c0306303 0000 add byte ptr [rax],al ffffbd03c0306305 0000 add byte ptr [rax],al
ffffbd03`c0306307 0000 add byte ptr [rax],al

from hooklib.

Give me definition of MyObCreateObject. It seems you have invalid function body or invalid hook prototype declaration.

from hooklib.

typedef NTSTATUS(*OBCREATEOBJECT)(
	_In_opt_ KPROCESSOR_MODE ObjectAttributesAccessMode,
	_In_ POBJECT_TYPE ObjectType,
	_In_opt_ POBJECT_ATTRIBUTES ObjectAttributes,
	_In_ KPROCESSOR_MODE AccessMode,
	_Inout_opt_ PVOID ParseContext,
	_In_ ULONG ObjectSize,
	_In_opt_ ULONG PagedPoolCharge,
	_In_opt_ ULONG NonPagedPoolCharge,
	_Out_ PVOID* Object);

OBCREATEOBJECT pfn_ObCreateObject = NULL;
NTSTATUS MyObCreateObject(IN KPROCESSOR_MODE ProbeMode OPTIONAL,
IN POBJECT_TYPE Type,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
IN OUT PVOID ParseContext OPTIONAL,
IN ULONG ObjectSize,
IN ULONG PagedPoolCharge OPTIONAL,
IN ULONG NonPagedPoolCharge OPTIONAL,
OUT PVOID* Object)
{
return pfn_ObCreateObject(ProbeMode, Type, ObjectAttributes, AccessMode, ParseContext, ObjectSize, PagedPoolCharge, NonPagedPoolCharge, Object);
}

from hooklib.

Are you sure your prototype is valid?
For example, there are only four arguments:

from hooklib.

Hm, no, you're right, it's a valid prototype:

from hooklib.

win7 x64
kd> u ObCreateObject
nt!ObCreateObject:
fffff8000417dce0 ff2500000000 jmp qword ptr [nt!ObCreateObject+0x6 (fffff8000417dce6)]
fffff8000417dce6 802695 and byte ptr [rsi],95h fffff8000417dce9 0380f8ffff18 add eax,dword ptr [rax+18FFFFF8h]
fffff8000417dcef 48897c2420 mov qword ptr [rsp+20h],rdi fffff8000417dcf4 4154 push r12
fffff8000417dcf6 4155 push r13 fffff8000417dcf8 4156 push r14
fffff800`0417dcfa 4883ec50 sub rsp,50h

win10 x64
1: kd> u ObCreateObject
nt!ObCreateObject:
fffff8004c661a20 e95bfcbb04 jmp TestDrv!MyObCreateObject (fffff80051221680)
fffff8004c661a25 8364244800 and dword ptr [rsp+48h],0 fffff8004c661a2a 488b8424a0000000 mov rax,qword ptr [rsp+0A0h]
fffff8004c661a32 4889442440 mov qword ptr [rsp+40h],rax fffff8004c661a37 8b842498000000 mov eax,dword ptr [rsp+98h]
fffff8004c661a3e 89442438 mov dword ptr [rsp+38h],eax fffff8004c661a42 8b842490000000 mov eax,dword ptr [rsp+90h]
fffff800`4c661a49 89442430 mov dword ptr [rsp+30h],eax

Why on win7 is far jump hook and win10 is not。Is it my code problem or?

from hooklib.

trying to hook kidispatchexception, it freezes the system after patching first bytes to hook function

from hooklib.

试图钩住kidispatchexception，它在将第一个字节修补到钩子功能后冻结系统

Interrupts need to be turned off for writing. HookLib currently supports hooking this function.

from hooklib.

can you help me? i cant find any information about disabling interrupts

from hooklib.

can you help me? i cant find any information about disabling interrupts

You need to check whether your code context is normal, because you cannot debug at this time, first you need to raise the IRQL to prevent interruption, and then use _disable //If this is not possible, you should use HookLib instead of writing directly to memory via TitanHide MDL

from hooklib.

TitanHide MDL

i used hooklib, but it still crashes. What i did wrong?

KeRaiseIrql(HIGH_LEVEL, &current_irql);
    _disable();
    KeRUE = (KERAISEUSEREXCEPTION)hook((void*)KiDispatchException, (void*)HookKiDispatchException);
    _enable();
    KeLowerIrql(current_irql);

where can i read more about interruptions?

from hooklib.

TitanHide MDL

i used hooklib, but it still crashes. What i did wrong?

KeRaiseIrql(HIGH_LEVEL, &current_irql);
    _disable();
    KeRUE = (KERAISEUSEREXCEPTION)hook((void*)KiDispatchException, (void*)HookKiDispatchException);
    _enable();
    KeLowerIrql(current_irql);

where can i read more about interruptions?

Is HookKiDispatchException returned via KeRUE? Are the parameter calls correct? If using hooklib you don't need to disable interrupts and raise irql

from hooklib.

TitanHide MDL

i used hooklib, but it still crashes. What i did wrong?

KeRaiseIrql(HIGH_LEVEL, &current_irql);
    _disable();
    KeRUE = (KERAISEUSEREXCEPTION)hook((void*)KiDispatchException, (void*)HookKiDispatchException);
    _enable();
    KeLowerIrql(current_irql);

where can i read more about interruptions?

Is HookKiDispatchException returned via KeRUE? Are the parameter calls correct? If using hooklib you don't need to disable interrupts and raise irql

Yes, Undocumented::KiDispatchException is a wrapper for KeRUE. Parameters are correct. I could not find out the reason even. It just freezes my system or bsod me with reason unexpected kernel mode trap.

static NTSTATUS NTAPI HookKiDispatchException(PEXCEPTION_RECORD ExceptionRecord, PKEXCEPTION_FRAME ExceptionFrame, PKTRAP_FRAME TrapFrame, KPROCESSOR_MODE PreviousMode, BOOLEAN FirstChance)
{
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "KiDispatchException");
    auto Status = Undocumented::KiDispatchException(ExceptionRecord, ExceptionFrame, TrapFrame, PreviousMode, FirstChance);
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "KiDispatchException");

    return Status;
    
}

from hooklib.

TitanHide MDL

i used hooklib, but it still crashes. What i did wrong?

KeRaiseIrql(HIGH_LEVEL, &current_irql);
    _disable();
    KeRUE = (KERAISEUSEREXCEPTION)hook((void*)KiDispatchException, (void*)HookKiDispatchException);
    _enable();
    KeLowerIrql(current_irql);

where can i read more about interruptions?

Is HookKiDispatchException returned via KeRUE? Are the parameter calls correct? If using hooklib you don't need to disable interrupts and raise irql

Yes, Undocumented::KiDispatchException is a wrapper for KeRUE. Parameters are correct. I could not find out the reason even. It just freezes my system or bsod me with reason unexpected kernel mode trap.

static NTSTATUS NTAPI HookKiDispatchException(PEXCEPTION_RECORD ExceptionRecord, PKEXCEPTION_FRAME ExceptionFrame, PKTRAP_FRAME TrapFrame, KPROCESSOR_MODE PreviousMode, BOOLEAN FirstChance)
{
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "KiDispatchException");
    auto Status = Undocumented::KiDispatchException(ExceptionRecord, ExceptionFrame, TrapFrame, PreviousMode, FirstChance);
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "KiDispatchException");

    return Status;
    
}

DbgPrintEx will trigger an exception and should not call the output directly. It can be used in user mode. In kernel mode, you need to pay attention to the exception code. You need to judge, Undocumented::KiDispatchException. I don’t know where your address came from. If it is a KeRUE address, there is no problem.

from hooklib.

TitanHide MDL

i used hooklib, but it still crashes. What i did wrong?

KeRaiseIrql(HIGH_LEVEL, &current_irql);
    _disable();
    KeRUE = (KERAISEUSEREXCEPTION)hook((void*)KiDispatchException, (void*)HookKiDispatchException);
    _enable();
    KeLowerIrql(current_irql);

where can i read more about interruptions?

Is HookKiDispatchException returned via KeRUE? Are the parameter calls correct? If using hooklib you don't need to disable interrupts and raise irql

Yes, Undocumented::KiDispatchException is a wrapper for KeRUE. Parameters are correct. I could not find out the reason even. It just freezes my system or bsod me with reason unexpected kernel mode trap.

static NTSTATUS NTAPI HookKiDispatchException(PEXCEPTION_RECORD ExceptionRecord, PKEXCEPTION_FRAME ExceptionFrame, PKTRAP_FRAME TrapFrame, KPROCESSOR_MODE PreviousMode, BOOLEAN FirstChance)
{
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "KiDispatchException");
    auto Status = Undocumented::KiDispatchException(ExceptionRecord, ExceptionFrame, TrapFrame, PreviousMode, FirstChance);
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "KiDispatchException");

    return Status;
    
}

DbgPrintEx will trigger an exception and should not call the output directly. It can be used in user mode. In kernel mode, you need to pay attention to the exception code. You need to judge, Undocumented::KiDispatchException. I don’t know where your address came from. If it is a KeRUE address, there is no problem.

now i have such a code

static NTSTATUS NTAPI HookKiDispatchException(PEXCEPTION_RECORD ExceptionRecord, PKEXCEPTION_FRAME ExceptionFrame, PKTRAP_FRAME TrapFrame, KPROCESSOR_MODE PreviousMode, BOOLEAN FirstChance)
{
    auto Status = Undocumented::KiDispatchException(ExceptionRecord, ExceptionFrame, TrapFrame, PreviousMode, FirstChance);

    return Status;
}

NTSTATUS NTAPI Undocumented::KiDispatchException(PEXCEPTION_RECORD ExceptionRecord, PKEXCEPTION_FRAME ExceptionFrame, PKTRAP_FRAME TrapFrame, KPROCESSOR_MODE PreviousMode, BOOLEAN FirstChance)
{
    return KeRUE(ExceptionRecord, ExceptionFrame, TrapFrame, PreviousMode, FirstChance);
}

typedef NTSTATUS(NTAPI* KERAISEUSEREXCEPTION)(PEXCEPTION_RECORD ExceptionRecord, PKEXCEPTION_FRAME ExceptionFrame, PKTRAP_FRAME TrapFrame, KPROCESSOR_MODE PreviousMode, BOOLEAN FirstChance);
static KERAISEUSEREXCEPTION KeRUE = 0;

but i got

from hooklib.

TitanHide MDL

i used hooklib, but it still crashes. What i did wrong?

KeRaiseIrql(HIGH_LEVEL, &current_irql);
    _disable();
    KeRUE = (KERAISEUSEREXCEPTION)hook((void*)KiDispatchException, (void*)HookKiDispatchException);
    _enable();
    KeLowerIrql(current_irql);

where can i read more about interruptions?

Is HookKiDispatchException returned via KeRUE? Are the parameter calls correct? If using hooklib you don't need to disable interrupts and raise irql

Yes, Undocumented::KiDispatchException is a wrapper for KeRUE. Parameters are correct. I could not find out the reason even. It just freezes my system or bsod me with reason unexpected kernel mode trap.

static NTSTATUS NTAPI HookKiDispatchException(PEXCEPTION_RECORD ExceptionRecord, PKEXCEPTION_FRAME ExceptionFrame, PKTRAP_FRAME TrapFrame, KPROCESSOR_MODE PreviousMode, BOOLEAN FirstChance)
{
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "KiDispatchException");
    auto Status = Undocumented::KiDispatchException(ExceptionRecord, ExceptionFrame, TrapFrame, PreviousMode, FirstChance);
    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "KiDispatchException");

    return Status;
    
}

DbgPrintEx will trigger an exception and should not call the output directly. It can be used in user mode. In kernel mode, you need to pay attention to the exception code. You need to judge, Undocumented::KiDispatchException. I don’t know where your address came from. If it is a KeRUE address, there is no problem.

now i have such a code

static NTSTATUS NTAPI HookKiDispatchException(PEXCEPTION_RECORD ExceptionRecord, PKEXCEPTION_FRAME ExceptionFrame, PKTRAP_FRAME TrapFrame, KPROCESSOR_MODE PreviousMode, BOOLEAN FirstChance)
{
    auto Status = Undocumented::KiDispatchException(ExceptionRecord, ExceptionFrame, TrapFrame, PreviousMode, FirstChance);

    return Status;
}

NTSTATUS NTAPI Undocumented::KiDispatchException(PEXCEPTION_RECORD ExceptionRecord, PKEXCEPTION_FRAME ExceptionFrame, PKTRAP_FRAME TrapFrame, KPROCESSOR_MODE PreviousMode, BOOLEAN FirstChance)
{
    return KeRUE(ExceptionRecord, ExceptionFrame, TrapFrame, PreviousMode, FirstChance);
}

typedef NTSTATUS(NTAPI* KERAISEUSEREXCEPTION)(PEXCEPTION_RECORD ExceptionRecord, PKEXCEPTION_FRAME ExceptionFrame, PKTRAP_FRAME TrapFrame, KPROCESSOR_MODE PreviousMode, BOOLEAN FirstChance);
static KERAISEUSEREXCEPTION KeRUE = 0;

but i got

typedef NTSTATUS > typedef VOID

from hooklib.

same story, i cant understand why

from hooklib.

same story, i cant understand why

I need to see the complete code

from hooklib.

same story, i cant understand why

I need to see the complete code

hooking stage:

ULONG kernel_size = 0;
    auto kernel_base = Undocumented::GetKernelBase(&kernel_size);
    u64 KiDispatchException = (u64)PE::find_signature("\xE8\x00\x00\x00\x00\xFA\x48\x8B\x64\x24\x00", "x????xxxxx?", (uintptr_t)kernel_base, kernel_size);

    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "KiDispatchException (0x%p)", KiDispatchException);

    KiDispatchException = KiDispatchException + 5 + *(INT32*)(KiDispatchException + 1);

    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "KiDispatchException (0x%p)", KiDispatchException);

    KeRUE = (KERAISEUSEREXCEPTION)hook((void*)KiDispatchException, (void*)HookKiDispatchException);

KeRUE - pointer to function, hook is HookLib function. Address of KiDispatchException is right.
hookedfunction logic.

static VOID NTAPI HookKiDispatchException(PEXCEPTION_RECORD ExceptionRecord, PKEXCEPTION_FRAME ExceptionFrame, PKTRAP_FRAME TrapFrame, KPROCESSOR_MODE PreviousMode, BOOLEAN FirstChance)
{
    Undocumented::KiDispatchException(ExceptionRecord, ExceptionFrame, TrapFrame, PreviousMode, FirstChance);
}
VOID NTAPI Undocumented::KiDispatchException(PEXCEPTION_RECORD ExceptionRecord, PKEXCEPTION_FRAME ExceptionFrame, PKTRAP_FRAME TrapFrame, KPROCESSOR_MODE PreviousMode, BOOLEAN FirstChance)
{
    return KeRUE(ExceptionRecord, ExceptionFrame, TrapFrame, PreviousMode, FirstChance);
}
typedef VOID(NTAPI* KERAISEUSEREXCEPTION)(PEXCEPTION_RECORD ExceptionRecord, PKEXCEPTION_FRAME ExceptionFrame, PKTRAP_FRAME TrapFrame, KPROCESSOR_MODE PreviousMode, BOOLEAN FirstChance);
static KERAISEUSEREXCEPTION KeRUE = 0;

from hooklib.

same story, i cant understand why

I need to see the complete code

hooking stage:

ULONG kernel_size = 0;
    auto kernel_base = Undocumented::GetKernelBase(&kernel_size);
    u64 KiDispatchException = (u64)PE::find_signature("\xE8\x00\x00\x00\x00\xFA\x48\x8B\x64\x24\x00", "x????xxxxx?", (uintptr_t)kernel_base, kernel_size);

    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "KiDispatchException (0x%p)", KiDispatchException);

    KiDispatchException = KiDispatchException + 5 + *(INT32*)(KiDispatchException + 1);

    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "KiDispatchException (0x%p)", KiDispatchException);

    KeRUE = (KERAISEUSEREXCEPTION)hook((void*)KiDispatchException, (void*)HookKiDispatchException);

KeRUE - pointer to function, hook is HookLib function. Address of KiDispatchException is right. hookedfunction logic.

static VOID NTAPI HookKiDispatchException(PEXCEPTION_RECORD ExceptionRecord, PKEXCEPTION_FRAME ExceptionFrame, PKTRAP_FRAME TrapFrame, KPROCESSOR_MODE PreviousMode, BOOLEAN FirstChance)
{
    Undocumented::KiDispatchException(ExceptionRecord, ExceptionFrame, TrapFrame, PreviousMode, FirstChance);
}
VOID NTAPI Undocumented::KiDispatchException(PEXCEPTION_RECORD ExceptionRecord, PKEXCEPTION_FRAME ExceptionFrame, PKTRAP_FRAME TrapFrame, KPROCESSOR_MODE PreviousMode, BOOLEAN FirstChance)
{
    return KeRUE(ExceptionRecord, ExceptionFrame, TrapFrame, PreviousMode, FirstChance);
}
typedef VOID(NTAPI* KERAISEUSEREXCEPTION)(PEXCEPTION_RECORD ExceptionRecord, PKEXCEPTION_FRAME ExceptionFrame, PKTRAP_FRAME TrapFrame, KPROCESSOR_MODE PreviousMode, BOOLEAN FirstChance);
static KERAISEUSEREXCEPTION KeRUE = 0;

return KeRUE(ExceptionRecord, ExceptionFrame, TrapFrame, PreviousMode, FirstChance);

KeRUE(ExceptionRecord, ExceptionFrame, TrapFrame, PreviousMode, FirstChance);

return:

from hooklib.

same story, i cant understand why

I need to see the complete code

hooking stage:

ULONG kernel_size = 0;
    auto kernel_base = Undocumented::GetKernelBase(&kernel_size);
    u64 KiDispatchException = (u64)PE::find_signature("\xE8\x00\x00\x00\x00\xFA\x48\x8B\x64\x24\x00", "x????xxxxx?", (uintptr_t)kernel_base, kernel_size);

    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "KiDispatchException (0x%p)", KiDispatchException);

    KiDispatchException = KiDispatchException + 5 + *(INT32*)(KiDispatchException + 1);

    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "KiDispatchException (0x%p)", KiDispatchException);

    KeRUE = (KERAISEUSEREXCEPTION)hook((void*)KiDispatchException, (void*)HookKiDispatchException);

KeRUE - pointer to function, hook is HookLib function. Address of KiDispatchException is right. hookedfunction logic.

static VOID NTAPI HookKiDispatchException(PEXCEPTION_RECORD ExceptionRecord, PKEXCEPTION_FRAME ExceptionFrame, PKTRAP_FRAME TrapFrame, KPROCESSOR_MODE PreviousMode, BOOLEAN FirstChance)
{
    Undocumented::KiDispatchException(ExceptionRecord, ExceptionFrame, TrapFrame, PreviousMode, FirstChance);
}
VOID NTAPI Undocumented::KiDispatchException(PEXCEPTION_RECORD ExceptionRecord, PKEXCEPTION_FRAME ExceptionFrame, PKTRAP_FRAME TrapFrame, KPROCESSOR_MODE PreviousMode, BOOLEAN FirstChance)
{
    return KeRUE(ExceptionRecord, ExceptionFrame, TrapFrame, PreviousMode, FirstChance);
}
typedef VOID(NTAPI* KERAISEUSEREXCEPTION)(PEXCEPTION_RECORD ExceptionRecord, PKEXCEPTION_FRAME ExceptionFrame, PKTRAP_FRAME TrapFrame, KPROCESSOR_MODE PreviousMode, BOOLEAN FirstChance);
static KERAISEUSEREXCEPTION KeRUE = 0;

return KeRUE(ExceptionRecord, ExceptionFrame, TrapFrame, PreviousMode, FirstChance);

KeRUE(ExceptionRecord, ExceptionFrame, TrapFrame, PreviousMode, FirstChance);

return:

i really doesnt understand why or what can cause such kind of behavior

from hooklib.

same story, i cant understand why

I need to see the complete code

hooking stage:

ULONG kernel_size = 0;
    auto kernel_base = Undocumented::GetKernelBase(&kernel_size);
    u64 KiDispatchException = (u64)PE::find_signature("\xE8\x00\x00\x00\x00\xFA\x48\x8B\x64\x24\x00", "x????xxxxx?", (uintptr_t)kernel_base, kernel_size);

    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "KiDispatchException (0x%p)", KiDispatchException);

    KiDispatchException = KiDispatchException + 5 + *(INT32*)(KiDispatchException + 1);

    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "KiDispatchException (0x%p)", KiDispatchException);

    KeRUE = (KERAISEUSEREXCEPTION)hook((void*)KiDispatchException, (void*)HookKiDispatchException);

KeRUE - pointer to function, hook is HookLib function. Address of KiDispatchException is right. hookedfunction logic.

static VOID NTAPI HookKiDispatchException(PEXCEPTION_RECORD ExceptionRecord, PKEXCEPTION_FRAME ExceptionFrame, PKTRAP_FRAME TrapFrame, KPROCESSOR_MODE PreviousMode, BOOLEAN FirstChance)
{
    Undocumented::KiDispatchException(ExceptionRecord, ExceptionFrame, TrapFrame, PreviousMode, FirstChance);
}
VOID NTAPI Undocumented::KiDispatchException(PEXCEPTION_RECORD ExceptionRecord, PKEXCEPTION_FRAME ExceptionFrame, PKTRAP_FRAME TrapFrame, KPROCESSOR_MODE PreviousMode, BOOLEAN FirstChance)
{
    return KeRUE(ExceptionRecord, ExceptionFrame, TrapFrame, PreviousMode, FirstChance);
}
typedef VOID(NTAPI* KERAISEUSEREXCEPTION)(PEXCEPTION_RECORD ExceptionRecord, PKEXCEPTION_FRAME ExceptionFrame, PKTRAP_FRAME TrapFrame, KPROCESSOR_MODE PreviousMode, BOOLEAN FirstChance);
static KERAISEUSEREXCEPTION KeRUE = 0;

return KeRUE(ExceptionRecord, ExceptionFrame, TrapFrame, PreviousMode, FirstChance);

KeRUE(ExceptionRecord, ExceptionFrame, TrapFrame, PreviousMode, FirstChance);
return:

i really doesnt understand why or what can cause such kind of behavior

Maybe you should analyze the blue screen document. Logically speaking, there will be no problems with your code. Unless you use different cpp files and do not declare them, there may be some problems. I am not in front of the computer now and cannot further verify the problem.

from hooklib.

it freezes system during
KeRUE = (KERAISEUSEREXCEPTION)hook((void*)KiDispatchException, (void*)HookKiDispatchException);

i think may be it causes that because memcpy patches KiDispatchException with jmp [&HookKiDispatchException] but in that moment KeRUE is 0 because function wasn't executed till return and i got crash? I need to check source code more to confirm something.

from hooklib.

@IvankoEanko, could you upload a crashdump with pdb and sourcecode of your driver?

from hooklib.

@IvankoEanko, could you upload a crashdump with pdb and sourcecode of your driver?

https://mega.nz/file/3QNAEJJL#b2RyOFNclgP3cdA9LnEz8kxM3NnD-c4I700RpIgqglg

from hooklib.

it seems that i can hook every function except KiDispatchException. NtUserQueryWindow hook works fine for me

from hooklib.

@IvankoEanko, yes, it looks like original KiDispatchException was NULL when you called it in your hook:

6: kd> k
  *** Stack trace for last set context - .thread/.cxr resets it
 # Child-SP          RetAddr               Call Site
00 ffff8700`168fcf68 fffff801`04999ad3     0x0
01 ffff8700`168fcf70 fffff800`7cdfb1a2     TitanHide!Undocumented::KiDispatchException+0x1b [C:\Users\Name\Desktop\TitanHide-master\TitanHide\undocumented.cpp @ 258] 
02 ffff8700`168fcfb0 fffff800`7cdfb170     nt!KxExceptionDispatchOnExceptionStack+0x12
03 ffffc486`1437ef38 00000000`00000000     nt!KiExceptionDispatchOnExceptionStackContinue

from hooklib.

@IvankoEanko, fixed by changing the hooks interface. Functions no longer return a pointer to the original, but accept a pointer to a variable into which the address of the original will be written before hooks are set. Try it now, it should fix your problem.

from hooklib.

@IvankoEanko, fixed by changing the hooks interface. Functions no longer return a pointer to the original, but accept a pointer to a variable into which the address of the original will be written before hooks are set. Try it now, it should fix your problem.

hello. thank you for commit. i tried again. but the same story. there is a zero value

from hooklib.

Could you show your current code? And upload full memory dump with pdb again

from hooklib.

Could you show your current code? And upload full memory dump with pdb again

https://mega.nz/file/LFEgyCRI#kSF0jdBAubBxnkd4tFZTYVNQ0gdxlsqrWy3t8rzr1VU

i thougth that multihook fails and write to original pointer zero, but multihook returns 1 (success)

i didn't change code, except additional parameter for hook function. Everything else is the same. You can see it in messages above.
CODE

    ULONG kernel_size = 0;
    auto kernel_base = Undocumented::GetKernelBase("ntoskrnl.exe", &kernel_size);
    u64 KiDispatchException = (u64)PE::find_signature("\xE8\x00\x00\x00\x00\xFA\x48\x8B\x64\x24\x00", "x????xxxxx?", (uintptr_t)kernel_base, kernel_size);

    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "KiDispatchException (0x%p)", KiDispatchException);

    KiDispatchException = KiDispatchException + 5 + *(INT32*)(KiDispatchException + 1);

    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "KiDispatchException (0x%p)", KiDispatchException);

    hook((void*)KiDispatchException, (void*)HookKiDispatchException, (void**)&KeRUE);

    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "KiDispatchException (0x%p) hooked!", KiDispatchException);

from hooklib.

@IvankoEanko, attach WinDbg to your kernel, place breakpoint to your handler at C:\Users\Name\Desktop\TitanHide-master\TitanHide\undocumented.cpp @ 258 and examine the KeRUE. Is it really NULL? Could you step through hook() and find at which place the original pointer becomes NULL?

from hooklib.

@IvankoEanko, attach WinDbg to your kernel, place breakpoint to your handler at C:\Users\Name\Desktop\TitanHide-master\TitanHide\undocumented.cpp @ 258 and examine the KeRUE. Is it really NULL? Could you step through hook() and find at which place the original pointer becomes NULL?

my debugger doesnt stop after stepping over
const bool status = writeToReadonly(fn, &jump, sizeof(jump));

but pointer to original before this line is valid and consists valid trampoline data.

i dont know about pointer after
const bool status = writeToReadonly(fn, &jump, sizeof(jump));
so, i cant say for sure

from hooklib.

I use FF25 hookKiDispatchException and it is very safe on the machine, even if it is hooklib, I have not encountered other thread interruption or execution problems

from hooklib.

@IvankoEanko, I checked on my VM and it works fine:

using FnKiDispatchException = void(__stdcall*)(PEXCEPTION_RECORD ExceptionRecord, void* ExceptionFrame, KTRAP_FRAME* TrapFrame, KPROCESSOR_MODE PreviousMode, BOOLEAN FirstChance);

static FnKiDispatchException g_originalKiDispatchException = nullptr;

static void __stdcall hookedKiDispatchException(PEXCEPTION_RECORD ExceptionRecord, void* ExceptionFrame, KTRAP_FRAME* TrapFrame, KPROCESSOR_MODE PreviousMode, BOOLEAN FirstChance)
{
    return g_originalKiDispatchException(ExceptionRecord, ExceptionFrame, TrapFrame, PreviousMode, FirstChance);
}

extern "C" NTSTATUS NTAPI DriverEntry(PDRIVER_OBJECT, PUNICODE_STRING)
{
    __debugbreak();
    // Change the address below to the correct one!
    hook(reinterpret_cast<void*>(0xfffff8023cf452c0), hookedKiDispatchException, reinterpret_cast<void**>(&g_originalKiDispatchException));
    return STATUS_SUCCESS;
}

The original pointer fills with correct address and the saved original stub is correct with the correct jump to continuation.

Looks like something is wrong with your code. First of all, try this clean sample and (important!) - don't set breakpoints on KiDispatchException.

from hooklib.

@IvankoEanko, could it be that your static KeRUE is defined in header and duplicates for each translation unit? So, it could be that you have two different KeRUEs: one is passed to hook() and the other is uses in your hook (and it is always NULL).

from hooklib.

@IvankoEanko, could it be that your static KeRUE is defined in header and duplicates for each translation unit? So, it could be that you have two different KeRUEs: one is passed to hook() and the other is uses in your hook (and it is always NULL).

Thank you! It works for me.

from hooklib.