Closed mrexodia closed 7 years ago
I have replaced this function in my in-kernel embedded version of TitanHide. The hooked version of the function is extremely simple and looks like this:
    NTSTATUS NTAPI HookedNtSystemDebugControl(
        IN SYSDBG_COMMAND Command,
        IN PVOID InputBuffer,
        IN ULONG InputBufferLength,
        OUT PVOID OutputBuffer,
        IN ULONG OutputBufferLength,
        OUT PULONG ReturnLength)
    {
        if (Command == SysDbgGetTriageDump) // 0x1D
        {
            return STATUS_INFO_LENGTH_MISMATCH;
        }
        return STATUS_DEBUGGER_INACTIVE;
    }
It is an SSDT-only function, but I just tried hooking it with TitanHide and the regular SSDT hook functions that are already in place work fine for it. So it's just a matter of adding the typedefs and hooks.
For reference, the full SYSDBG_COMMAND enum is
    typedef enum _SYSDBG_COMMAND {
        SysDbgQueryModuleInformation,
        SysDbgQueryTraceInformation,
        SysDbgSetTracepoint,
        SysDbgSetSpecialCall,
        SysDbgClearSpecialCalls,
        SysDbgQuerySpecialCalls,
        SysDbgBreakPoint,
        SysDbgQueryVersion,
        SysDbgReadVirtual,
        SysDbgWriteVirtual,
        SysDbgReadPhysical,
        SysDbgWritePhysical,
        SysDbgReadControlSpace,
        SysDbgWriteControlSpace,
        SysDbgReadIoSpace,
        SysDbgWriteIoSpace,
        SysDbgReadMsr,
        SysDbgWriteMsr,
        SysDbgReadBusData,
        SysDbgWriteBusData,
        SysDbgCheckLowMemory,
        SysDbgEnableKernelDebugger,
        SysDbgDisableKernelDebugger,
        SysDbgGetAutoKdEnable,
        SysDbgSetAutoKdEnable,
        SysDbgGetPrintBufferSize,
        SysDbgSetPrintBufferSize,
        SysDbgGetKdUmExceptionEnable,
        SysDbgSetKdUmExceptionEnable,
        SysDbgGetTriageDump,
        SysDbgGetKdBlockEnable,
        SysDbgSetKdBlockEnable,
    } SYSDBG_COMMAND, *PSYSDBG_COMMAND;
This will break non-hidden processes that call NtSystemDebugControl though.
Yes, that's true. I forgot I was copying from my WRK kernel source which doesn't have a concept of non-hidden processes :P
I created PR #16 that wraps it in an IsHidden() check and logs it like the SystemKernelDebuggerInformation hook.
Originally reported by: Carbon Monoxide (Bitbucket: NtQuery, GitHub: NtQuery)
http://pastebin.com/6kbt1Vka
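A user-mode model of the hook logic the thread converges on (fake the status only for hidden processes, pass everything else through, and log the faked call), added here for illustration; it is not TitanHide's driver code. `IsHidden`, `SetHidden`, the caller-pid parameter and the stand-in original function are constructed for this model.

```c
/* Constructed user-mode model of the NtSystemDebugControl hook with the
 * IsHidden() check from the thread. Not TitanHide's code; nothing here
 * touches the kernel, it only makes the dispatch decision testable. */
#include <stdbool.h>
#include <stdio.h>

typedef long NTSTATUS;
#define STATUS_SUCCESS              ((NTSTATUS)0x00000000L)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_DEBUGGER_INACTIVE    ((NTSTATUS)0xC0000354L)

/* Subset of SYSDBG_COMMAND with the values the thread relies on. */
typedef enum _SYSDBG_COMMAND {
    SysDbgQueryModuleInformation = 0,
    SysDbgBreakPoint = 6,
    SysDbgGetTriageDump = 0x1D,
} SYSDBG_COMMAND;

/* Hypothetical stand-in for the driver's per-process hidden flag. */
static bool g_hidden_pids[8];          /* pid -> hidden? (constructed) */
static bool IsHidden(unsigned pid) { return pid < 8 && g_hidden_pids[pid]; }
void SetHidden(unsigned pid, bool hidden) { if (pid < 8) g_hidden_pids[pid] = hidden; }

/* Stand-in for the original (unhooked) NtSystemDebugControl; it reports
 * success so the pass-through path is observable in the model. */
static NTSTATUS OriginalNtSystemDebugControl(SYSDBG_COMMAND Command) {
    (void)Command;
    return STATUS_SUCCESS;
}

static int g_log_count;                /* faked calls that were logged */
int LoggedCalls(void) { return g_log_count; }

NTSTATUS HookedNtSystemDebugControl(unsigned callerPid, SYSDBG_COMMAND Command) {
    /* Non-hidden processes keep the real behaviour (the bug mrexodia noted). */
    if (!IsHidden(callerPid))
        return OriginalNtSystemDebugControl(Command);
    /* Log the faked call, as the SystemKernelDebuggerInformation hook does. */
    ++g_log_count;
    printf("[model] pid %u: NtSystemDebugControl(0x%x) faked\n",
           callerPid, (unsigned)Command);
    /* Same responses as the hook posted in the thread. */
    if (Command == SysDbgGetTriageDump)
        return STATUS_INFO_LENGTH_MISMATCH;
    return STATUS_DEBUGGER_INACTIVE;
}
```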