Writing good drivers is really hard, part 2
Mr. eXoDia was very quick in fixing the bug I described a few days ago. That's great work!
This is part of his new code:
```cpp
...
if (IsHidden)
{
    Log("[TITANHIDE] NtSetContextThread by %d\n", pid);
    __try
    {
        ProbeForWrite(&Context->ContextFlags, sizeof(ULONG), 1);
        OriginalContextFlags = Context->ContextFlags;
        Context->ContextFlags &= ~CONTEXT_DEBUG_REGISTERS;
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        return Undocumented::NtSetContextThread(ThreadHandle, Context);
    }
}
NTSTATUS ret = Undocumented::NtSetContextThread(ThreadHandle, Context);
...
```
There are two bugs hiding in this short snippet; can you spot them?
Hints
Bug #1 is old and breaks the functionality of SetContextThread. It's much easier to spot in disassembly than in source code.
Bug #2 makes it easy to bypass TitanHide. It was introduced in this commit.
Let the analysis begin! I'm waiting for your comments.
I'm really curious what the second bug is that bypasses TitanHide... The first probably has something to do with CONTEXT_DEBUG_REGISTERS, which also removes the CONTEXT_AMD64 flag, which should break things (but somehow doesn't in the real world)...
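To make the commenter's observation concrete, here is a small added example (not code from the post or from TitanHide) that reproduces the x64 CONTEXT flag values from winnt.h and applies the snippet's mask to them. Every section constant (CONTEXT_CONTROL, CONTEXT_INTEGER, ...) carries the CONTEXT_AMD64 architecture bit, so `flags & ~CONTEXT_DEBUG_REGISTERS` also clears that bit from every other section. The `context_wants` helper is an assumed model of a consumer that tests each section with `(flags & SECTION) == SECTION`; whether a particular kernel build really rejects or ignores such a context is exactly the open question the commenter raises and is not settled by this program. `strip_dr_keep_arch` shows the mask that removes only the debug-register bit.

```c
#include <stdint.h>
#include <stdio.h>

/* x64 CONTEXT flag values as defined in winnt.h, reproduced here so the
 * program builds without Windows headers. */
#define CONTEXT_AMD64           0x00100000u
#define CONTEXT_CONTROL         (CONTEXT_AMD64 | 0x01u)
#define CONTEXT_INTEGER         (CONTEXT_AMD64 | 0x02u)
#define CONTEXT_SEGMENTS        (CONTEXT_AMD64 | 0x04u)
#define CONTEXT_FLOATING_POINT  (CONTEXT_AMD64 | 0x08u)
#define CONTEXT_DEBUG_REGISTERS (CONTEXT_AMD64 | 0x10u)
#define CONTEXT_FULL (CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_FLOATING_POINT)
#define CONTEXT_ALL  (CONTEXT_FULL | CONTEXT_SEGMENTS | CONTEXT_DEBUG_REGISTERS)

/* Assumed model of a consumer's per-section test: each section constant
 * includes the architecture bit, so the whole constant must be present. */
static int context_wants(uint32_t flags, uint32_t section)
{
    return (flags & section) == section;
}

/* The masking exactly as written in the snippet under discussion:
 * ~CONTEXT_DEBUG_REGISTERS is ~0x00100010, so CONTEXT_AMD64 goes too. */
uint32_t strip_dr_snippet(uint32_t flags)
{
    return flags & ~CONTEXT_DEBUG_REGISTERS;
}

/* Clear only the debug-register bit (0x10) and keep CONTEXT_AMD64. */
uint32_t strip_dr_keep_arch(uint32_t flags)
{
    return flags & ~(CONTEXT_DEBUG_REGISTERS & ~CONTEXT_AMD64);
}

/* Bitmask (low bits only) of the sections the modelled consumer would
 * still act on for the given ContextFlags value. */
uint32_t sections_applied(uint32_t flags)
{
    uint32_t out = 0;
    if (context_wants(flags, CONTEXT_CONTROL))         out |= 0x01;
    if (context_wants(flags, CONTEXT_INTEGER))         out |= 0x02;
    if (context_wants(flags, CONTEXT_SEGMENTS))        out |= 0x04;
    if (context_wants(flags, CONTEXT_FLOATING_POINT))  out |= 0x08;
    if (context_wants(flags, CONTEXT_DEBUG_REGISTERS)) out |= 0x10;
    return out;
}

int main(void)
{
    uint32_t in = CONTEXT_ALL;   /* constructed input: a full context request */
    uint32_t a = strip_dr_snippet(in);
    uint32_t b = strip_dr_keep_arch(in);

    printf("input           0x%08x -> sections 0x%02x\n", in, sections_applied(in));
    printf("snippet mask    0x%08x -> sections 0x%02x\n", a, sections_applied(a));
    printf("arch-preserving 0x%08x -> sections 0x%02x\n", b, sections_applied(b));
    return 0;
}
```

With CONTEXT_ALL (0x0010001F) as input, the snippet's mask yields 0x0000000F, which no longer satisfies any section test in this model, while the arch-preserving mask yields 0x0010000F and keeps the control, integer, segment and floating-point sections. Looking for the AND with the constant 0xFFEFFFEF in the compiled driver is the quickest way to confirm which of the two the compiler emitted.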