The following is an example of how to skip a function (even if you don't have the source) in a device driver. Look at the assembly below. This is the function start/end for a 3rd party device driver function that I wish to fail without executing. First I let the stack frame get set up so I must also tear it down. I set the breakpoint at instruction f7ed0511 so that before this line executes, the breakpoint will go off. Then I give a command to the break point. The command 'reax = c0000001' sets the eax register to STATUS_UNSUCCESSFUL. The command 'reip = f7ed0735' sets the instruction pointer to the line 'pop edi' to begin the stack frame teardown. The final command 'g' tells the debugger to go. So each time this breakpoint is executed, the function is skipped with a failure code and the debugger continues execution. You can even use the .echo command to display a message every time the breakpoint goes off.
1: kd> u fslx+7506
fslx+0x7506:
f7ed0506 8bff mov edi,edi
f7ed0508 55 push ebp
f7ed0509 8bec mov ebp,esp
f7ed050b 53 push ebx
f7ed050c 8b5d08 mov ebx,dword ptr [ebp+8]
f7ed050f 56 push esi
f7ed0510 57 push edi
f7ed0511 6846583430 push 30345846h
1: kd> u fslx+7735
fslx+0x7735:
f7ed0735 5f pop edi
f7ed0736 5e pop esi
f7ed0737 5b pop ebx
f7ed0738 5d pop ebp
f7ed0739 c21800 ret 18h
1: kd> bp f7ed0511 "reax = c0000001; reip = f7ed0735; g"
1: kd> bl
1 e f7ed0511 0001 (0001) fslx+0x7511 "reax = c0000001; reip = f7ed0735; g"
With the .echo command:
1: kd> bp f7ed0511 "reax = c0000001; reip = f7ed0735; .echo \"skipping function...\"; g"
No comments:
Post a Comment