I'm writing a file protector that is similar to Armadillo, so I want to implement some kind of "nanomites" for anti-dump protection. However, instead of opening my own process I've decided to hook KiUserExceptionDispatcher.

The problem is I don't know what is being passed to KiUserExceptionDispatcher, nor am I sure how to continue after I have determined the exception type is a STATUS_BREAKPOINT exception.

I've tried searching Google, but to no avail. All I find are results for KiDispatchException, which is hooked in rootkits.

Can someone provide me with a typedef of this function, and tell me what I would do to continue after determining it was indeed a STATUS_BREAKPOINT exception? Would I call NtContinue after modifying the EIP context?

Or if this is not as simple as I think it is, should I just stick to the Armadillo style? Debugging my own process?

Thanks.
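An added example, not part of the original post, showing the resume logic the question is asking about. On x86 Windows, KiUserExceptionDispatcher is not called like a normal function: ntdll finds a PEXCEPTION_RECORD and a PCONTEXT on the stack at entry, hands them to RtlDispatchException, and then leaves through NtContinue (on success) or NtRaiseException (on failure), so the same record/context pair is what any handler sees. Rather than hooking that undocumented entry point, the example below uses the documented AddVectoredExceptionHandler API, which receives the identical pair through EXCEPTION_POINTERS and resumes with the modified context when the handler returns EXCEPTION_CONTINUE_EXECUTION (ntdll performs the NtContinue). The nanomite table, the function names and the sample addresses are all assumptions made for illustration; the platform-neutral lookup compiles anywhere, while the handler itself is guarded by `_WIN32`.

```c
/* Added example (not from the original post): nanomite resolution logic plus a
 * Windows vectored exception handler that consumes STATUS_BREAKPOINT traps.
 * Table layout, function names and sample addresses are assumptions. */
#include <stddef.h>
#include <stdint.h>

/* x86 EFLAGS zero-flag bit, and the kind of branch each nanomite replaced. */
#define NM_ZF 0x40u
enum nm_kind { NM_JMP = 0, NM_JZ = 1, NM_JNZ = 2 };

typedef struct {
    uintptr_t trap_addr;  /* address of the int3 (0xCC) that replaced the branch */
    uintptr_t target;     /* where the original branch went when taken */
    enum nm_kind kind;
} nanomite_t;

/* Decide where execution resumes after an int3 at trap_addr.
 * Windows reports the int3's own address as ExceptionAddress (and as Eip/Rip),
 * so the not-taken path is trap_addr + 1 because int3 is a one-byte opcode.
 * Sets *found to 0 if the trap is not in the table; the caller must then pass
 * the exception on instead of swallowing someone else's breakpoint. */
uintptr_t nanomite_resolve(const nanomite_t *table, size_t count,
                           uintptr_t trap_addr, uint32_t eflags, int *found)
{
    for (size_t i = 0; i < count; i++) {
        if (table[i].trap_addr != trap_addr)
            continue;
        *found = 1;
        int zf = (eflags & NM_ZF) != 0;
        switch (table[i].kind) {
        case NM_JMP: return table[i].target;
        case NM_JZ:  return zf ? table[i].target : trap_addr + 1;
        case NM_JNZ: return zf ? trap_addr + 1 : table[i].target;
        }
    }
    *found = 0;
    return trap_addr;
}

/* Constructed sample table with made-up addresses (not real code locations). */
static const nanomite_t g_table[] = {
    { 0x00401000u, 0x00401040u, NM_JMP },
    { 0x00401010u, 0x00401080u, NM_JZ  },
    { 0x00401020u, 0x004010C0u, NM_JNZ },
};
static const size_t g_count = sizeof g_table / sizeof g_table[0];

#ifdef _WIN32
#include <windows.h>

/* The vectored handler receives the same EXCEPTION_RECORD / CONTEXT pair that
 * KiUserExceptionDispatcher finds on its stack. Returning
 * EXCEPTION_CONTINUE_EXECUTION makes ntdll resume with the modified context;
 * the NtContinue call happens inside ntdll, not here. */
static LONG CALLBACK nanomite_handler(PEXCEPTION_POINTERS ep)
{
    if (ep->ExceptionRecord->ExceptionCode != STATUS_BREAKPOINT)
        return EXCEPTION_CONTINUE_SEARCH;
#if defined(_M_X64) || defined(__x86_64__)
    DWORD64 *ip = &ep->ContextRecord->Rip;
#else
    DWORD *ip = &ep->ContextRecord->Eip;
#endif
    int found = 0;
    uintptr_t next = nanomite_resolve(g_table, g_count,
        (uintptr_t)ep->ExceptionRecord->ExceptionAddress,
        ep->ContextRecord->EFlags, &found);
    if (!found)
        return EXCEPTION_CONTINUE_SEARCH;  /* not ours: a debugger's or foreign int3 */
    *ip = next;                            /* redirect, then let ntdll NtContinue */
    return EXCEPTION_CONTINUE_EXECUTION;
}

/* Install first in the chain so it runs before frame-based SEH handlers. */
void nanomite_install(void)
{
    AddVectoredExceptionHandler(1, nanomite_handler);
}
#endif
```

The design point is the `found` check: a protector's handler should only claim breakpoints it planted, so an int3 it does not recognise continues down the normal dispatch path rather than being silently redirected.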