Last active
January 14, 2024 05:53
-
-
Save esoterix/df38008568c50d4f83123e3a90b62ebb to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| void InstrumentationCallback(CONTEXT *context) | |
| { | |
| TEB *teb = NtCurrentTeb(); | |
| context->Rip = teb->InstrumentationCallbackPreviousPc; | |
| context->Rsp = teb->InstrumentationCallbackPreviousSp; | |
| context->Rcx = context->R10; | |
| // Prevent recursion | |
| if (!teb->InstrumentationCallbackDisabled) { | |
| teb->InstrumentationCallbackDisabled = TRUE; | |
| // Do whatever you want | |
| teb->InstrumentationCallbackDisabled = FALSE; | |
| } | |
| RtlRestoreContext(context, NULL); | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| include ksamd64.inc | |
| extern InstrumentationCallback:proc | |
| EXTERNDEF __imp_RtlCaptureContext:QWORD | |
| .code | |
| InstrumentationCallbackThunk proc | |
| mov gs:[2e0h], rsp ; Win10 TEB InstrumentationCallbackPreviousSp | |
| mov gs:[2d8h], r10 ; Win10 TEB InstrumentationCallbackPreviousPc | |
| mov r10, rcx ; Save original RCX | |
| sub rsp, 4d0h ; Alloc stack space for CONTEXT structure | |
| and rsp, -10h ; RSP must be 16 byte aligned before calls | |
| mov rcx, rsp | |
| call __imp_RtlCaptureContext ; Save the current register state. RtlCaptureContext does not require shadow space | |
| sub rsp, 20h ; Shadow space | |
| call InstrumentationCallback | |
| int 3 | |
| InstrumentationCallbackThunk endp | |
| end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment