_KiFastCallEntry static analysis

.text:0040689F _KiFastCallEntry proc near ; DATA XREF: _KiTrap01+71o
.text:0040689F ; KiLoadFastSyscallMachineSpecificRegisters(x)+24o
.text:0040689F
.text:0040689F ;-----------------------------------------------------------------------
.text:0040689F ; _KiFastCallEntry -- x86 (32-bit) Windows kernel fast system-call entry,
.text:0040689F ; as an IDA listing with the author's notes.
.text:0040689F ; In:    eax = system service number (decoded by the shr/and sequence below)
.text:0040689F ;        edx = caller's ring-3 ESP (per the author's notes)
.text:0040689F ; Does:  switches to the ring-0 stack taken from TSS.Esp0, builds a
.text:0040689F ;        _KTRAP_FRAME, sets the thread's PreviousMode to 1, bounds-checks the
.text:0040689F ;        service index against the table limit (unsigned), compares the user
.text:0040689F ;        argument pointer against _MmUserProbeAddress, copies the arguments
.text:0040689F ;        onto the kernel stack and calls the service routine.
.text:0040689F ; Note:  the address column was garbled during extraction in several lines
.text:0040689F ;        (e.g. "00,406,901"); instruction text is left exactly as extracted.
.text:0040689F ;        Two out-of-line chunks (40686C, 406B43) are referenced but not shown.
.text:0040689F ;-----------------------------------------------------------------------
.text:0040689F var_B = byte ptr -0Bh ; IDA-inferred stack offsets; none are used by name below except arg_64
.text:0040689F arg_14 = dword ptr 18h
.text:0040689F arg_28 = dword ptr 2Ch
.text:0040689F arg_5C = dword ptr 60h
.text:0040689F arg_64 = dword ptr 68h
.text:0040689F arg_DC = dword ptr 0E0h
.text:0040689F arg_130 = dword ptr 134h
.text:0040689F arg_634 = dword ptr 638h
.text:0040689F arg_F6C = dword ptr 0F70h
.text:0040689F
.text:0040689F ; FUNCTION CHUNK AT .text:0040686C SIZE 00000024 BYTES ; target of the ebp/esp mismatch jump below
.text:0040689F ; FUNCTION CHUNK AT .text:00406B43 SIZE 00000014 BYTES ; target of the user-probe failure jump below
.text: 0040689F
.text: 0040689F mov ECX, 23h ; selector 23h, installed into DS and ES below
.text: 004068A4 the Push 30h ; FS = 30h (the KPCR is reached through fs: below)
.text: 004068A6 POP FS
.text: 004068A8 mov ds, ECX
.text: 004068AA mov es, ECX ; DS = ES = 23h
.text: 004068AC mov ECX, Large FS: _KPCR.TSS; ecx = KPCR.TSS
.text: 004068B3 MOV ESP, [ECX + _KTSS.Esp0]; stack switch: esp = TSS.Esp0 (the ring-0 stack); the author places the _KTRAP_FRAME here
.text: 004068B6 Push 23 h; saved ring-3 SS (author's note)
.text: 004068B8 push edx; saved ring-3 ESP (edx on entry)
.text: 004068B9 PUSHF; saved EFLAGS image
.text: 004068BA
.text: 004068BA loc_4068BA:; CODE XREF: _KiFastCallEntry2+23 (jump)
.text: 004068BA the Push 2; value 2 for the popf below: EFLAGS with IF clear (interrupts off)
.text : 004068BC add edx, 8; skip two dwords on the user stack so edx points at the first user argument (author's note)
.text: 004068BF popf; EFLAGS = 2; esp is back at the saved EFLAGS image
.text: 004068C0 or byte ptr [esp + 1], 2; set bit 9 (IF) in the *saved* EFLAGS image, so IF is set when this frame is returned to
.text: 004068C5 push 1Bh; saved CS (author's note)
.text: 004068C7 Push DWORD PTR DS: 0FFDF0304h ; saved EIP, read from a fixed shared-page address (author: KUSER_SHARED_DATA.SystemCallReturn)
.text: Push 004068CD 0; ErrCode = 0
.text: 004068CF Push EBP
.text: 004068D0 Push EBX
.text: 004068D1 Push ESI
.text: 004068D2 Push EDI; save the non-volatile caller registers into the frame
.text : 004068D3 MOV EBX, Large FS: _KPCR.SelfPcr; ebx = KPCR
.text: Push 004068DA 3Bh; saved FS (author's note)
.text: 004068DC MOV ESI, [EBX + 124h]; esi = current thread (author; the symbolic load at the end uses _KPCR.PrcbData.CurrentThread)
.text: 004068E2 push dword ptr [ebx]; save the exception list head (KPCR+0) into the frame
.text: 004068E4 MOV DWORD PTR [EBX], 0FFFFFFFFh; reset the exception list head to -1 (end of list)
.text: 004068EA mov ebp, [esi + _ETHREAD.Tcb.InitialStack]
.text: 004068ED push 1; saved PreviousMode = 1 (user mode)
.text: Sub 004068EF ESP, 48h; reserve the rest of the frame; esp is now the base of the _KTRAP_FRAME (author's note)
.text: 004068F2 sub ebp, 29Ch; ebp = InitialStack - 29Ch; author: 210h FP save area + 8Ch trap frame -- expected frame base
.text: 004068F8 mov [esi + _KTHREAD.PreviousMode ], 1; thread PreviousMode = 1; later argument probing generally keys on this field
.text: 004068FF CMP EBP, ESP; computed frame base must equal the actual stack pointer
.text: JNZ loc_40686C 00,406,901 ; mismatch -> out-of-line chunk at 40686C (not shown)
.text: 00,406,907 and DWORD PTR [EBP 2Ch +], 0; saved DR7 = 0 (author's note)
.text: 0040690B Test [ESI + _KTHREAD.DebugActive], 0FFh; any DebugActive bit set?
.text: 0040690F MOV [ESI + 134h], EBP; thread trap-frame pointer = ebp (author; cf. the symbolic _KTHREAD.TrapFrame store at the end)
.text: 00,406,915 JNZ Dr_FastCallDrSave ; debug registers active -> save them out of line, then return to loc_40691B
.text: 0040691B
.text: loc_40691B 0040691B:; CODE XREF: Dr_FastCallDrSave+10 (jump)
.text: 0040691B; Dr_FastCallDrSave+7C (jump)
.text: 0040691B mov ebx, [ebp + 60h]; ring-3 EBP (author's note)
.text: 0040691E mov edi, [ebp + arg_64]; ring-3 EIP (author's note)
.text: 00406921 mov [ebp + 0Ch ], edx; store the user argument pointer in the frame
.text: 00,406,924 MOV DWORD PTR [EBP +. 8], 0BADB0D00h ; recognisable filler constant written into the frame
.text: 0040692B MOV [EBP + 0], EBX; frame[0] = ring-3 EBP
.text: 0040692E MOV [EBP + 100B], EDI; frame slot = ring-3 EIP (offset garbled in extraction)
. text: 00406931 sti; re-enable interrupts now that the frame is built
.text: 00,406,932
.text: 00,406,932 loc_406932:; CODE XREF: _KiBBTUnexpectedRange+18 (jump)
.text: 00,406,932; _KiSystemService+71 (jump)
.text : 00406932 mov edi, eax; eax = service number
.text: 00406934 shr edi, 8; move bits 12-13 of the number down to bits 4-5
.text: 00406937 and edi, 30h; keep only those bits: table selector, 0 or 10h (author's note)
. text: 0040693A mov ecx, edi; ecx = table selector (0 or 10h)
.text: 0040693C add edi, [esi + 0E0h]; edi = descriptor of the selected service table; the two descriptors are 10h apart (author's note)
.text: 00,406,942 MOV EBX, EAX; ebx = full service number
.text: 00406944 and eax, 0FFFh; eax = index = low 12 bits of the number
.text : 00406949 cmp eax, [edi + 8]; bounds check against the table limit (author: ServiceLimit) ...
.text: 0040694C JNB _KiBBTUnexpectedRange ; ... unsigned: index >= limit -> out of range handler
.text: 00,406,952 CMP ECX, 10H; selector 10h = second (shadow) table (author's note)
.text: 00,406,955 jnz Short loc_406972; not the shadow table -> skip the GDI flush
.text: 00,406,957 mov ECX, Large FS: _KPCR.NtTib.Self; ecx = KPCR
.text: 0040695E xor EBX, EBX; ebx = 0
.text: 00.40696 million
.text: 00.40696 million loc_406960:; DATA XREF: _KiTrap0E+114 (offset)
.text: 00.40696 million or EBX, [ECX + 0F70h]; ebx |= dword at KPCR+0F70h (the original note is garbled; semantics not visible here)
.text: 00406966 jz short loc_406972; zero -> skip the GDI flush
.text: 00,406,968 the Push edx ; preserve the user argument pointer across the call
.text: 00,406,969 the Push eax ; preserve the service index across the call
.text: 0040696A Call ds: _KeGdiFlushUserBatch
.text: 00.40697 million POP eax
.text: 00,406,971 POP edx
.text: 00,406,972
.text: 00,406,972 loc_406972:; CODE XREF: _KiFastCallEntry+B6 (jump)
.text: 00,406,972; _KiFastCallEntry+C7 (jump)
.text: Large 00,406,972 inc is DWORD PTR FS: 638h; per-processor system-call counter += 1 (author's note)
.text: 00,406,979 MOV ESI, EDX; esi = user argument pointer (copy source)
.text: 0040697B mov ebx , [edi + 0Ch]; ebx = argument-byte-count table of the service table (author's note)
.text: 0040697E XOR ECX, ECX; ecx = 0
.text: 00.40698 million MOV Cl, [EAX + EBX]; cl = argument size in bytes for this service (dwords = cl / 4)
.text: 00406983 mov edi, [edi]; edi = service address table (author's note)
.text: 00406985 mov ebx, [edi + eax * 4]; ebx = address of the service routine
.text: 00406988 sub esp, ecx; reserve ecx bytes on the kernel stack for the arguments
.text: 0040698A shr ecx, 2; ecx = number of dwords to copy
.text: 0040698D MOV EDI, ESP; edi = copy destination (kernel stack)
.text: 0040698F CMP esi, DS: _MmUserProbeAddress; the user argument pointer must lie below the probe address ...
.text : 00,406,995 JNB loc_406B43 ; ... unsigned: not below -> out-of-line chunk at 406B43 (not shown); no user memory is read before this check
.text: 0040699B
.text: 0040699B loc_40699B:; CODE XREF: _KiFastCallEntry+2A8 (jump)
.text: 0040699B; DATA XREF: _KiTrap0E+10A (offset)
.text: 0040699B REP MOVSD; copy ecx dwords of arguments from the ring-3 stack to the ring-0 stack
.text: 0040699D call ebx; dispatch to the service routine
.text: 0040699F
.text: 0040699F loc_40699F:; CODE XREF: _KiFastCallEntry+2B3 (jump)
.text: 0040699F; DATA XREF: _KiTrap0E+12A (offset) ...
.text: 0040699F mov ESP , ebp; discard the argument copy; esp = _KTRAP_FRAME base
.text: 004069A1
.text: 004069A1 loc_4069A1:; CODE XREF: _KiBBTUnexpectedRange+38 (jump)
.text:004069A1 ; _KiBBTUnexpectedRange+43j
.text:004069A1 mov ecx, large fs:_KPCR.PrcbData.CurrentThread ; ecx = current thread
.text:004069A8 mov edx, [ebp+3Ch] ; edx = frame[3Ch] (author: the saved edx slot; presumably a previously saved frame pointer -- confirm)
.text:004069AB mov [ecx+_KTHREAD.TrapFrame], edx ; thread TrapFrame = that value; the listing ends here, the return path is not shown
.text:004069AB _KiFastCallEntry endp


Origin blog.csdn.net/qq_41490873/article/details/91780741