Hi, man,
I have been writing a driver for a few days. That is, there is a game protection (named TP, developed by Tencent, China); it calls KdDisableDebugger to disable the kernel debugger. In addition, that routine is called when TP is at its initialization stage, and then it creates a thread to check the system variable KdDebuggerEnabled and call KdDisableDebugger in a loop while the variable is TRUE.
Also, there is an IAT hook to replace the addresses of KdSendPacket/KdReceivePacket with its own proxy routines.
That's a brief introduction; the following is my way to kill it.
I wrote a driver that inline hooks KdDisableDebugger. When this routine is called by any driver from anywhere, I can get the caller address by _asm mov addr, dword ptr [ebp+4], and then I fill that location with 0x90 (NOP). In this way, I killed the two places in TP where it wants to call KdDisableDebugger. I also killed the code in TP that reboots the user's PC. Finally, I hooked its proxy routines for KdSendPacket/KdReceivePacket by jumping to the exact addresses exported by kdcom.dll.
But there is a problem. I run my driver after TP is completely loaded, and they both work fine (I checked with WinDbg, working perfectly), but I can't set any breakpoint with WinDbg. So I checked the variable KdDebuggerEnabled: it's always FALSE, and I can't even change its value, because my virtual machine will immediately stop when I modify it.
So I wrote a simple driver whose function is calling KdEnableDebugger and printing the value of KdDebuggerEnabled; here it is:
#include <ntddk.h>   /* KdDebuggerEnabled is exported as PBOOLEAN, so it is dereferenced below */

while (!(*KdDebuggerEnabled)) {
    /* try to re-enable the kernel debugger; only print when the call succeeded */
    if (NT_SUCCESS(KdEnableDebugger()))
        KdPrint(("current status: value of KdDebuggerEnabled is %s\n",
                 *KdDebuggerEnabled ? "true" : "false"));
}
Can you guess what result I got after I ran my driver? The code above was executed thousands of times, and the value of KdDebuggerEnabled is still FALSE.
What should I do to solve this problem?
Looking forward to your reply, and also sorry for my crappy English; after all, I am Chinese and study at senior school, lol.