gmh5225/KiSetupForInstrumentationReturn

Last active May 16, 2022 10:52

Star () You must be signed in to star a gist
Fork () You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/gmh5225/aa6c14d9e6b05499f3ea7a74cf2fcf3f.js"></script>
Save gmh5225/aa6c14d9e6b05499f3ea7a74cf2fcf3f to your computer and use it in GitHub Desktop.

Download ZIP

KiSetupForInstrumentationReturn

Raw

KiSetupForInstrumentationReturn

Author

gmh5225 commented Feb 21, 2022

1809
VOID __fastcall KiSetupForInstrumentationReturn(_KTRAP_FRAME *TrapFrame)
{
  _ETHREAD *ret_KeGetCurrentThread; // rax
  void *CurAPCProcess_InstrumentationCallback; // r8

  ret_KeGetCurrentThread = (_ETHREAD *)KeGetCurrentThread();
  InstrumentationCallback = ret_KeGetCurrentThread->Tcb.ApcState.Process->Pcb.InstrumentationCallback;
  if ( InstrumentationCallback )
  {
    if ( TrapFrame->SegCs == 0x33 )
    {
      OldTrapFrameRIP = (_ETHREAD *)TrapFrame->Rip;
      TrapFrame->R10 = (unsigned __int64)OldTrapFrameRIP;    //R10 -> OldTrapFrameRIP
      TrapFrame->Rip = (unsigned __int64)InstrumentationCallback;
    }
  }
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment