// VEHShut: locates a routine inside ntdll.dll by scanning forward from the
// RtlUnwind export for a fixed prologue byte pattern, then places a PolyHook
// x86 detour on it. The globals name the target "RtlDispatchException"; the
// scan itself only proves that the bytes matched, not which function they
// belong to. The detour zeroes the debug-register fields (Dr0-Dr3, Dr6, Dr7)
// of the CONTEXT handed to the hooked routine before calling the original.
//
// Defender view: the result is an in-process patch of ntdll code. An integrity
// check that compares ntdll's in-memory code bytes with the on-disk image, or
// that inspects the first bytes of the exception-dispatch routine for a
// branch, would surface it.
namespace VEHShut
{
    // Scan cursor: set to RtlUnwind + 0x20 by GetRtlDispatcherAddr().
    byte* func = NULL;
    // Not referenced anywhere in the visible code.
    int BeckupHardwareBP[5] = { 0 };
    // Cached address of the matched prologue; 0 means "not resolved yet".
    // Stored as int, which only holds a full address in a 32-bit build
    // (the detour below uses PLH::Mode::x86).
    int cAddrRtlDispatchException = NULL;

    // Scope guard that snapshots a CONTEXT on construction and writes the saved
    // debug-register values back on destruction.
    class hooks
    {
    public:
        CONTEXT backUpcontext;  // full copy of the CONTEXT taken in the constructor
        PCONTEXT SetContext;    // destination of the restore in the destructor
        // Copies *context. There is no null check, so a null argument is
        // dereferenced here.
        hooks(PCONTEXT context)
        {
            backUpcontext = *context;
        }
        // NOTE(review): SetContext is not assigned in the constructor or anywhere
        // else in the visible code, so these stores go through an indeterminate
        // pointer (undefined behaviour) unless something outside this file sets it.
        ~hooks()noexcept
        {
            SetContext->Dr0 = backUpcontext.Dr0;
            SetContext->Dr1 = backUpcontext.Dr1;
            SetContext->Dr2 = backUpcontext.Dr2;
            SetContext->Dr3 = backUpcontext.Dr3;
            SetContext->Dr6 = backUpcontext.Dr6;
            SetContext->Dr7 = backUpcontext.Dr7;
        }
    };

    // Resolves the detour target and caches it in cAddrRtlDispatchException.
    // Returns true when the address is already cached or the pattern is found,
    // false otherwise.
    bool GetRtlDispatcherAddr()
    {
        if (cAddrRtlDispatchException)
            return true;
        // XorString is presumably a string-obfuscation macro defined elsewhere.
        func = (byte*)GetProcAddress(GetModuleHandleA(XorString("ntdll.dll")), XorString("RtlUnwind"));
        func += 0x20;
        // NOTE(review): the offset is added before this test, so a failed
        // GetProcAddress (NULL) yields 0x20 and the check below never fires.
        if (!func)
        {
            // Log text reads "RtlUnwind not found".
            DbgPrintA("[-]未找到RtlUnwind");
            return false;;
        }
        // Scans 0x200 start offsets and reads up to func[i + 4]; nothing here
        // verifies that the range stays inside ntdll's mapped code.
        for (int i = 0; i < 0x200; i++)
        {
            // 8B FF 55 8B EC = mov edi, edi / push ebp / mov ebp, esp, the usual
            // x86 hot-patch prologue. The first match after RtlUnwind + 0x20 is
            // taken as the target without further validation.
            if (func[i] == 0x8B && func[i + 1] == 0xFF && func[i + 2] == 0x55 && func[i + 3] == 0x8B && func[i + 4] == 0xEC)
            {
                cAddrRtlDispatchException = (int)func + i;
                printf("cAddrRtlDispatchException -> 0x%X\r\n", cAddrRtlDispatchException);
                return true;
            }
        }
        return false;
    }

    // Signature used for the hooked routine: stdcall, (record, context), void.
    typedef void(_stdcall* _RtlExceptionDispatche)(PEXCEPTION_RECORD ExceptionRecord, PCONTEXT Context);
    // Set to the target address in ShutUpVEH(); used below only as the type
    // argument for PLH::FnCast.
    _RtlExceptionDispatche Old_RtlExceptionDispatche = NULL;
    // Trampoline address written by the PolyHook detour.
    uint64_t o_RtlExceptionDispatcher = NULL;

    // Detour body. Zeroes the debug-register fields of Context when
    // CONTEXT_DEBUG_REGISTERS is set in ContextFlags, then forwards to the
    // original routine through the trampoline.
    NOINLINE void _stdcall RtlExceptionDispatcher(PEXCEPTION_RECORD ExceptionRecord, PCONTEXT Context)noexcept
    {
        // NOTE(review): the guard copies *Context before the null test below, so
        // a null Context faults here. Its destructor runs when this function
        // returns, after the forwarded call.
        auto reset = hooks(Context);
        if (Context)
        {
            if (Context->ContextFlags & CONTEXT_DEBUG_REGISTERS)
            {
                Context->Dr0 = 0;
                Context->Dr1 = 0;
                Context->Dr2 = 0;
                Context->Dr3 = 0;
                Context->Dr6 = 0;
                Context->Dr7 = 0;
            }
        }
        return PLH::FnCast(o_RtlExceptionDispatcher, Old_RtlExceptionDispatche)(ExceptionRecord, Context);
    }

    // Installs the detour if the target address can be resolved. A failed
    // hook() is only logged; nothing is returned to the caller.
    void ShutUpVEH()
    {
        if (GetRtlDispatcherAddr())
        {
            PLH::CapstoneDisassembler dis(PLH::Mode::x86);
            Old_RtlExceptionDispatche = (_RtlExceptionDispatche)cAddrRtlDispatchException;
            // The detour is a local object; whether the patch outlives this scope
            // depends on the PolyHook destructor, which is not shown here.
            PLH::x86Detour detour_RtlExceptionDispatcher((char*)cAddrRtlDispatchException, (char*)&RtlExceptionDispatcher, &o_RtlExceptionDispatcher, dis);
            if (!detour_RtlExceptionDispatcher.hook())
            {
                DbgPrintA("[-] detour_RtlExceptionDispatcher Failed\r\n");
            }
        }
    }
}