can1357/ByePg

What does this code mean?

Waterman178 opened this issue · 1 comments

```cpp
IHF_EXPORT NTSTATUS FixInfinityHook( void* IfhpInternalGetCpuClock, BOOLEAN Verbose )
{
	ClockRedirect = IfhpInternalGetCpuClock;

	return ByePgInitialize( [ ] ( CONTEXT* ContextRecord, EXCEPTION_RECORD* ExceptionRecord ) -> LONG
	{
		if ( ExceptionRecord->ExceptionCode == ( FAST_FAIL_ETW_CORRUPTION << 32 | KERNEL_SECURITY_CHECK_FAILURE ) )
		{
			ContextRecord->Rsp += 0x28;
			ContextRecord->Rip = ( ULONG64 ) ClockRedirect;
			return EXCEPTION_CONTINUE_EXECUTION;
		}
		return EXCEPTION_EXECUTE_HANDLER;
	}, Verbose );
}
```
There is no place to call this function. I guess it should be that when the CPU cycle is read, an exception is triggered to enter our callback function. But how do I trigger this exception?
"FAST_FAIL_ETW_CORRUPTION" What does this mean? What does this code have to do with ETW?

Microsoft patched against InfinityHook by fast-failing with code FAST_FAIL_ETW_CORRUPTION on invalid GetCpuClock.

If you want to use InfinityHook and bypass this mitigation, you first export IfhpInternalGetCpuClock from InfinityHook source, call FixInfinityHook with the exported IfhpInternalGetCpuClock passed and afterwards you can use InfinityHook as usual.