
SyscallEntryPoint #34

Open
ranlincang opened this issue Feb 15, 2021 · 0 comments


ranlincang commented Feb 15, 2021

; Syntax: MASM (ml64), Intel operand order. Target: Windows x64 kernel,
; entered straight from SYSCALL; nothing in this file follows a C calling
; convention, every register is part of the interface.
;
; Tables defined outside this file. All three are indexed by the service
; number (0 .. MAX_SYSCALL_INDEX-1) and are therefore expected to hold
; at least MAX_SYSCALL_INDEX entries each.
EXTERN HookEnabled:DB                   ; byte per index, non-zero = index is hooked
EXTERN ArgTble:DB                       ; byte per index, parameter count handed back to nt
EXTERN HookTable:DQ                     ; qword per index, replacement handler address

EXTERN KiSystemCall64Ptr:DQ             ; address of the original nt!KiSystemCall64 (jumped through)
EXTERN KiServiceCopyEndPtr:DQ           ; nt re-entry address used after the emulated prologue

; GS-relative (PCR) slots that nt!KiSystemCall64 itself uses; see the kd
; listing below (`mov gs:[10h],rsp` then `mov rsp,gs:[1A8h]`). These are
; build-specific and must be re-verified per target kernel.
USERMD_STACK_GS = 10h                   ; where the user-mode rsp is parked
KERNEL_STACK_GS = 1A8h                  ; kernel stack pointer to switch to

MAX_SYSCALL_INDEX = 1000h               ; table size; must agree with the 0FFFh mask applied later

.CODE

; *********************************************************
;
; Determine if the specific syscall should be hooked
;
; if (SyscallHookEnabled[EAX & 0xFFF] == TRUE)
; jmp KiSystemCall64_Emulate
; else (fall-through)
; jmp KiSystemCall64
;
; *********************************************************
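;-----------------------------------------------------------------------
; SyscallEntryPoint
; Entered directly from SYSCALL (see MSR_LSTAR note below). Decides
; whether the requested service index is hooked:
;
;   if (rax < MAX_SYSCALL_INDEX && HookEnabled[rax] != 0)
;       goto KiSystemCall64_Emulate
;   else
;       goto KiSystemCall64              ; by fall-through: next PROC must stay adjacent
;
; In:    rax = service index  (comes from user mode: UNTRUSTED)
;        rcx = user return address, r11 = user RFLAGS, rsp = user stack
; Out:   gs:[USERMD_STACK_GS] = user rsp; every GPR except rsp is passed
;        through unchanged to whichever target is chosen
; Clobb: rsp, flags
; Stack: none. rsp is used as a scratch base because no GPR is free at
;        SYSCALL entry; nothing may push until KiSystemCall64 /
;        KiSystemCall64_Emulate reload rsp. NOTE(review): confirm that
;        every exception/interrupt that can arrive in this window runs
;        on an IST stack, otherwise it would land on top of HookEnabled.
;-----------------------------------------------------------------------
SyscallEntryPoint PROC
;       cli                                     ; Disable interrupts
        swapgs                                  ; swap GS base to kernel PCR
        mov     gs:[USERMD_STACK_GS], rsp       ; save user stack pointer (same slot nt uses)

        ; Bounds check must be UNSIGNED. rax is attacker-controlled; with the
        ; previous signed JGE an index with bit 63 set compared as "less than"
        ; MAX_SYSCALL_INDEX and then read HookEnabled out of bounds.
        cmp     rax, MAX_SYSCALL_INDEX          ; index >= table size (or sign bit set)?
        jae     KiSystemCall64                  ; yes -> hand to the original handler untouched

        lea     rsp, offset HookEnabled         ; rsp = &HookEnabled[0]  (scratch use, see header)
        cmp     byte ptr [rsp + rax], 0         ; HookEnabled[rax] != 0 ?
        jne     KiSystemCall64_Emulate          ; hooked -> emulated prologue

        ; not hooked: fall through into KiSystemCall64 (next PROC)
SyscallEntryPoint ENDP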

; *********************************************************
;
; Return to the original NTOSKRNL syscall handler
; (Restore all old registers first)
;
; *********************************************************
KiSystemCall64 PROC
; Not-hooked path: undo what SyscallEntryPoint did (user rsp back, GS back
; to user) and transfer to the original handler through the saved pointer.
; The original then re-executes its own `swapgs` / `mov gs:[10h],rsp`
; (first two instructions in the kd listing below).
; In:  kernel GS active, gs:[USERMD_STACK_GS] = user rsp
; Out: never returns here; all GPRs exactly as at SYSCALL entry
; Reached by fall-through from SyscallEntryPoint and by its bounds-check branch.
mov rsp, gs:[USERMD_STACK_GS] ; Usermode RSP (read while kernel GS is still active)
swapgs ; Switch to usermode GS
jmp [KiSystemCall64Ptr] ; Jump back to the old syscall handler
KiSystemCall64 ENDP

; *********************************************************
;
; Emulated routine executed directly after a SYSCALL
; (See: MSR_LSTAR)
;
; *********************************************************
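;-----------------------------------------------------------------------
; KiSystemCall64_Emulate
; Re-creates the prologue of nt!KiSystemCall64 for a hooked index so that
; the kernel's own dispatcher can be re-entered with a trap frame laid out
; the way it expects. Instruction order and every offset mirror the kd
; listing of nt!KiSystemCall64 at the end of this page; they are
; build-specific and must be re-verified for each target kernel.
;
; Entered from SyscallEntryPoint, which already executed the first two
; instructions of the original (swapgs; mov gs:[10h],rsp).
; In:    rax = service index (< MAX_SYSCALL_INDEX, hook enabled)
;        rcx = user return address, r11 = user RFLAGS, r10 = first argument
; Out:   rsp = kernel stack, rbp = frame pointer, rbx = gs:[188h] (current
;        thread), rcx = first argument; falls through into
;        KiSystemServiceStart_Emulate (next PROC, must stay adjacent)
; Clobb: rsp, rbp, rbx, rcx, rdi, rsi, flags (rbx/rdi/rsi are saved in the frame)
;-----------------------------------------------------------------------
KiSystemCall64_Emulate PROC
        ; NOTE:
        ; First 2 lines are included in SyscallEntryPoint

        mov         rsp, gs:[KERNEL_STACK_GS]   ; set kernel stack pointer
        push        2Bh                         ; push dummy SS selector
        push        qword ptr gs:[USERMD_STACK_GS] ; push user stack pointer (same slot as above, was hard-coded 10h)
        push        r11                         ; push previous EFLAGS
        push        33h                         ; push dummy 64-bit CS selector
        push        rcx                         ; push return address
        mov         rcx, r10                    ; set first argument value

        sub         rsp, 8h                     ; allocate dummy error code
        push        rbp                         ; save standard register
        sub         rsp, 158h                   ; allocate fixed frame
        lea         rbp, [rsp+80h]              ; set frame pointer
        mov         [rbp+0C0h], rbx             ; save nonvolatile registers
        mov         [rbp+0C8h], rdi             ;
        mov         [rbp+0D0h], rsi             ;
        mov         byte ptr [rbp-55h], 2h      ; set service active
        mov         rbx, gs:[188h]              ; get current thread address
        prefetchw   byte ptr [rbx+90h]          ; prefetch with write intent
                                                ; (kd listing below shows [rbx+1D8h] on that build;
                                                ;  only a hint, but keep it in step with the offset used in KiSystemServiceStart_Emulate)
        stmxcsr     dword ptr [rbp-54h]         ; save current MXCSR
        ldmxcsr     dword ptr gs:[180h]         ; set default MXCSR
        cmp         byte ptr [rbx+3], 0         ; test if debug enabled
        mov         word ptr [rbp+80h], 0       ; assume debug not enabled
        jz          KiSS05                      ; if z, debug not enabled
        mov         [rbp-50h], rax              ; save service argument registers
        mov         [rbp-48h], rcx              ;
        mov         [rbp-40h], rdx              ;
        mov         [rbp-38h], r8               ;
        mov         [rbp-30h], r9               ;

        ; The original continues with KiSaveDebugRegisterState / UMS handling
        ; (see listing). That path is not emulated: a thread with debug state
        ; active stops on this breakpoint instead of being dispatched.
        int         3                           ; FIXME (Syscall with debug registers active)
        align       10h

KiSS05:
;       sti                                     ; enable interrupts
        ; Both offsets match the kd listing below (`mov [rbx+1E0h],rcx` /
        ; `mov [rbx+1F8h],eax`). The 88h / 80h alternatives the author noted
        ; belong to a different kernel build; choose per target build.
        mov         [rbx+1e0h], rcx             ; thread field written by the original (build-specific)
        mov         [rbx+1f8h], eax             ; thread field written by the original (build-specific)

KiSystemCall64_Emulate ENDP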

KiSystemServiceStart_Emulate PROC
; Mirrors nt!KiSystemServiceStart (kd listing below): records the trap
; frame pointer in the current thread and splits the service number.
; In:  rbx = current thread (set in KiSystemCall64_Emulate), eax = index
; Out: edi = 20h if bit 12 of eax was set, else 0 -- in the listing nt
;            uses it as an offset into the service descriptor table
;            (`cmp eax,[rdi+r10+10h]`); because SyscallEntryPoint only
;            forwards rax < MAX_SYSCALL_INDEX, bit 12 is clear and edi is
;            0 on this path
;      eax = index & 0FFFh
;      falls through into KiSystemServiceRepeat_Emulate (next PROC, must stay adjacent)
mov [rbx+1d8h], rsp ; thread field = trap frame; 1D8h matches the listing below (90h variant is another build)
mov edi, eax ; edi = raw index
shr edi, 7 ; bit 12 -> bit 5
and edi, 20h ; keep only that bit (0 or 20h)
and eax, 0FFFh ; index within the table (MAX_SYSCALL_INDEX - 1)
KiSystemServiceStart_Emulate ENDP

KiSystemServiceRepeat_Emulate PROC
; Replacement for the table lookup in nt!KiSystemServiceRepeat (listing
; below): instead of KeServiceDescriptorTable, resolve the handler and its
; parameter count from the hook tables, then re-enter nt at the address
; stored in KiServiceCopyEndPtr. No bounds check is needed here because
; eax was masked to 0FFFh and the tables are sized MAX_SYSCALL_INDEX.
; RAX = [IN ] syscall index
; RAX = [OUT] number of parameters
; R10 = [OUT] function address
; R11 = [I/O] trashed
; NOTE(review): whether nt reads rax after the jump depends on which label
; KiServiceCopyEndPtr resolves to (set outside this file). In the listing
; only the `and eax,0Fh` sequence ahead of KiSystemServiceCopyEnd uses it;
; confirm ArgTble encodes what that sequence expects.

lea         r11, offset HookTable       ; r11 = &HookTable[0]
mov         r10, qword ptr [r11 + rax * 8h] ; r10 = HookTable[index]

lea         r11, offset ArgTble         ; r11 = &ArgTble[0]
movzx       rax, byte ptr [r11 + rax]   ; RAX = parameter count (zero-extended byte)

jmp         [KiServiceCopyEndPtr]       ; continue in the original dispatcher; never returns here

KiSystemServiceRepeat_Emulate ENDP

END

kd> u FFFFF80003E85640 l 0x1000
nt!KiSystemCall64:
fffff80003e85640 0f01f8 swapgs fffff80003e85643 654889242510000000 mov qword ptr gs:[10h],rsp
fffff80003e8564c 65488b2425a8010000 mov rsp,qword ptr gs:[1A8h] fffff80003e85655 6a2b push 2Bh
fffff80003e85657 65ff342510000000 push qword ptr gs:[10h] fffff80003e8565f 4153 push r11
fffff80003e85661 6a33 push 33h fffff80003e85663 51 push rcx
fffff80003e85664 498bca mov rcx,r10 fffff80003e85667 4883ec08 sub rsp,8
fffff80003e8566b 55 push rbp fffff80003e8566c 4881ec58010000 sub rsp,158h
fffff80003e85673 488dac2480000000 lea rbp,[rsp+80h] fffff80003e8567b 48899dc0000000 mov qword ptr [rbp+0C0h],rbx
fffff80003e85682 4889bdc8000000 mov qword ptr [rbp+0C8h],rdi fffff80003e85689 4889b5d0000000 mov qword ptr [rbp+0D0h],rsi
fffff80003e85690 c645ab02 mov byte ptr [rbp-55h],2 fffff80003e85694 65488b1c2588010000 mov rbx,qword ptr gs:[188h]
fffff80003e8569d 0f0d8bd8010000 prefetchw [rbx+1D8h] fffff80003e856a4 0fae5dac stmxcsr dword ptr [rbp-54h]
fffff80003e856a8 650fae142580010000 ldmxcsr dword ptr gs:[180h] fffff80003e856b1 807b0300 cmp byte ptr [rbx+3],0
fffff80003e856b5 66c785800000000000 mov word ptr [rbp+80h],0 fffff80003e856be 0f848c000000 je nt!KiSystemCall64+0x110 (fffff80003e85750) fffff80003e856c4 488945b0 mov qword ptr [rbp-50h],rax
fffff80003e856c8 48894db8 mov qword ptr [rbp-48h],rcx fffff80003e856cc 488955c0 mov qword ptr [rbp-40h],rdx
fffff80003e856d0 f6430303 test byte ptr [rbx+3],3 fffff80003e856d4 4c8945c8 mov qword ptr [rbp-38h],r8
fffff80003e856d8 4c894dd0 mov qword ptr [rbp-30h],r9 fffff80003e856dc 7405 je nt!KiSystemCall64+0xa3 (fffff80003e856e3) fffff80003e856de e80d140000 call nt!KiSaveDebugRegisterState (fffff80003e86af0) fffff80003e856e3 f6430380 test byte ptr [rbx+3],80h
fffff80003e856e7 7442 je nt!KiSystemCall64+0xeb (fffff80003e8572b)
fffff80003e856e9 b9020100c0 mov ecx,0C0000102h fffff80003e856ee 0f32 rdmsr
fffff80003e856f0 48c1e220 shl rdx,20h fffff80003e856f4 480bc2 or rax,rdx
fffff80003e856f7 483983b8000000 cmp qword ptr [rbx+0B8h],rax fffff80003e856fe 742b je nt!KiSystemCall64+0xeb (fffff80003e8572b) fffff80003e85700 483983b0010000 cmp qword ptr [rbx+1B0h],rax
fffff80003e85707 7422 je nt!KiSystemCall64+0xeb (fffff80003e8572b)
fffff80003e85709 488b93b8010000 mov rdx,qword ptr [rbx+1B8h] fffff80003e85710 0fba6b4c0b bts dword ptr [rbx+4Ch],0Bh
fffff80003e85715 66ff8bc4010000 dec word ptr [rbx+1C4h] fffff80003e8571c 48898280000000 mov qword ptr [rdx+80h],rax
fffff80003e85723 fb sti fffff80003e85724 e8170b0000 call nt!KiUmsCallEntry (fffff80003e86240) fffff80003e85729 eb0f jmp nt!KiSystemCall64+0xfa (fffff80003e8573a) fffff80003e8572b f6430340 test byte ptr [rbx+3],40h
fffff80003e8572f 7409 je nt!KiSystemCall64+0xfa (fffff80003e8573a)
fffff80003e85731 f00fbaab0001000008 lock bts dword ptr [rbx+100h],8 fffff80003e8573a 488b45b0 mov rax,qword ptr [rbp-50h]
fffff80003e8573e 488b4db8 mov rcx,qword ptr [rbp-48h] fffff80003e85742 488b55c0 mov rdx,qword ptr [rbp-40h]
fffff80003e85746 4c8b45c8 mov r8,qword ptr [rbp-38h] fffff80003e8574a 4c8b4dd0 mov r9,qword ptr [rbp-30h]
fffff80003e8574e 6690 xchg ax,ax fffff80003e85750 fb sti
fffff80003e85751 48898be0010000 mov qword ptr [rbx+1E0h],rcx fffff80003e85758 8983f8010000 mov dword ptr [rbx+1F8h],eax
nt!KiSystemServiceStart:
fffff80003e8575e 4889a3d8010000 mov qword ptr [rbx+1D8h],rsp fffff80003e85765 8bf8 mov edi,eax
fffff80003e85767 c1ef07 shr edi,7 fffff80003e8576a 83e720 and edi,20h
fffff80003e8576d 25ff0f0000 and eax,0FFFh nt!KiSystemServiceRepeat: fffff80003e85772 4c8d15c7202300 lea r10,[nt!KeServiceDescriptorTable (fffff800040b7840)] fffff80003e85779 4c8d1d00212300 lea r11,[nt!KeServiceDescriptorTableShadow (fffff800040b7880)] fffff80003e85780 f7830001000080000000 test dword ptr [rbx+100h],80h
fffff80003e8578a 4d0f45d3 cmovne r10,r11 fffff80003e8578e 423b441710 cmp eax,dword ptr [rdi+r10+10h]
fffff80003e85793 0f83e9020000 jae nt!KiSystemServiceExit+0x1a7 (fffff80003e85a82)
fffff80003e85799 4e8b1417 mov r10,qword ptr [rdi+r10] fffff80003e8579d 4d631c82 movsxd r11,dword ptr [r10+rax*4]
fffff80003e857a1 498bc3 mov rax,r11 fffff80003e857a4 49c1fb04 sar r11,4
fffff80003e857a8 4d03d3 add r10,r11 fffff80003e857ab 83ff20 cmp edi,20h
fffff80003e857ae 7550 jne nt!KiSystemServiceGdiTebAccess+0x49 (fffff80003e85800)
fffff80003e857b0 4c8b9bb8000000 mov r11,qword ptr [rbx+0B8h] nt!KiSystemServiceGdiTebAccess: fffff80003e857b7 4183bb4017000000 cmp dword ptr [r11+1740h],0
fffff80003e857bf 743f je nt!KiSystemServiceGdiTebAccess+0x49 (fffff80003e85800)
fffff80003e857c1 488945b0 mov qword ptr [rbp-50h],rax fffff80003e857c5 48894db8 mov qword ptr [rbp-48h],rcx
fffff80003e857c9 488955c0 mov qword ptr [rbp-40h],rdx fffff80003e857cd 498bd8 mov rbx,r8
fffff80003e857d0 498bf9 mov rdi,r9 fffff80003e857d3 498bf2 mov rsi,r10
fffff80003e857d6 ff15341f2300 call qword ptr [nt!KeGdiFlushUserBatch (fffff800040b7710)]
fffff80003e857dc 488b45b0 mov rax,qword ptr [rbp-50h] fffff80003e857e0 488b4db8 mov rcx,qword ptr [rbp-48h]
fffff80003e857e4 488b55c0 mov rdx,qword ptr [rbp-40h] fffff80003e857e8 4c8bc3 mov r8,rbx
fffff80003e857eb 4c8bcf mov r9,rdi fffff80003e857ee 4c8bd6 mov r10,rsi
fffff80003e857f1 666666666666660f1f840000000000 nop word ptr [rax+rax] fffff80003e85800 83e00f and eax,0Fh
fffff80003e85803 0f84b7000000 je nt!KiSystemServiceCopyEnd (fffff80003e858c0)
fffff80003e85809 c1e003 shl eax,3 fffff80003e8580c 488d642490 lea rsp,[rsp-70h]
fffff80003e85811 488d7c2418 lea rdi,[rsp+18h] fffff80003e85816 488bb500010000 mov rsi,qword ptr [rbp+100h]
fffff80003e8581d 488d7620 lea rsi,[rsi+20h] fffff80003e85821 f685f000000001 test byte ptr [rbp+0F0h],1
fffff80003e85828 7416 je nt!KiSystemServiceGdiTebAccess+0x89 (fffff80003e85840)
fffff80003e8582a 483b35cf172300 cmp rsi,qword ptr [nt!MmUserProbeAddress (fffff800040b7000)]
fffff80003e85831 480f4335c7172300 cmovae rsi,qword ptr [nt!MmUserProbeAddress (fffff800040b7000)]
fffff80003e85839 0f1f8000000000 nop dword ptr [rax] fffff80003e85840 4c8d1d79000000 lea r11,[nt!KiSystemServiceCopyEnd (fffff80003e858c0)] fffff80003e85847 4c2bd8 sub r11,rax
fffff80003e8584a 41ffe3 jmp r11 fffff80003e8584d 0f1f00 nop dword ptr [rax]
nt!KiSystemServiceCopyStart:
fffff80003e85850 488b4670 mov rax,qword ptr [rsi+70h] fffff80003e85854 48894770 mov qword ptr [rdi+70h],rax
fffff80003e85858 488b4668 mov rax,qword ptr [rsi+68h] fffff80003e8585c 48894768 mov qword ptr [rdi+68h],rax
fffff80003e85860 488b4660 mov rax,qword ptr [rsi+60h] fffff80003e85864 48894760 mov qword ptr [rdi+60h],rax
fffff80003e85868 488b4658 mov rax,qword ptr [rsi+58h] fffff80003e8586c 48894758 mov qword ptr [rdi+58h],rax
fffff80003e85870 488b4650 mov rax,qword ptr [rsi+50h] fffff80003e85874 48894750 mov qword ptr [rdi+50h],rax
fffff80003e85878 488b4648 mov rax,qword ptr [rsi+48h] fffff80003e8587c 48894748 mov qword ptr [rdi+48h],rax
fffff80003e85880 488b4640 mov rax,qword ptr [rsi+40h] fffff80003e85884 48894740 mov qword ptr [rdi+40h],rax
fffff80003e85888 488b4638 mov rax,qword ptr [rsi+38h] fffff80003e8588c 48894738 mov qword ptr [rdi+38h],rax
fffff80003e85890 488b4630 mov rax,qword ptr [rsi+30h] fffff80003e85894 48894730 mov qword ptr [rdi+30h],rax
fffff80003e85898 488b4628 mov rax,qword ptr [rsi+28h] fffff80003e8589c 48894728 mov qword ptr [rdi+28h],rax
fffff80003e858a0 488b4620 mov rax,qword ptr [rsi+20h] fffff80003e858a4 48894720 mov qword ptr [rdi+20h],rax
fffff80003e858a8 488b4618 mov rax,qword ptr [rsi+18h] fffff80003e858ac 48894718 mov qword ptr [rdi+18h],rax
fffff80003e858b0 488b4610 mov rax,qword ptr [rsi+10h] fffff80003e858b4 48894710 mov qword ptr [rdi+10h],rax
fffff80003e858b8 488b4608 mov rax,qword ptr [rsi+8] fffff80003e858bc 48894708 mov qword ptr [rdi+8],rax
nt!KiSystemServiceCopyEnd:
fffff80003e858c0 f705be7d180040000000 test dword ptr [nt!PerfGlobalGroupMask+0x8 (fffff8000400d688)],40h
fffff80003e858ca 0f8550020000 jne nt!KiSystemServiceExit+0x245 (fffff80003e85b20)
fffff80003e858d0 41ffd2 call r10 fffff80003e858d3 65ff042538220000 inc dword ptr gs:[2238h]
nt!KiSystemServiceExit:
fffff80003e858db 488b9dc0000000 mov rbx,qword ptr [rbp+0C0h] fffff80003e858e2 488bbdc8000000 mov rdi,qword ptr [rbp+0C8h]
fffff80003e858e9 488bb5d0000000 mov rsi,qword ptr [rbp+0D0h] fffff80003e858f0 654c8b1c2588010000 mov r11,qword ptr gs:[188h]
fffff80003e858f9 f685f000000001 test byte ptr [rbp+0F0h],1 fffff80003e85900 0f844f010000 je nt!KiSystemServiceExit+0x17a (fffff80003e85a55) fffff80003e85906 440f20c1 mov rcx,cr8
fffff80003e8590a 410a8bf0010000 or cl,byte ptr [r11+1F0h] fffff80003e85911 410b8bc4010000 or ecx,dword ptr [r11+1C4h]
fffff80003e85918 0f85ce010000 jne nt!KiSystemServiceExit+0x211 (fffff80003e85aec)
fffff80003e8591e fa cli fffff80003e8591f 65488b0c2588010000 mov rcx,qword ptr gs:[188h]
fffff80003e85928 80797a00 cmp byte ptr [rcx+7Ah],0 fffff80003e8592c 7457 je nt!KiSystemServiceExit+0xaa (fffff80003e85985) fffff80003e8592e 488945b0 mov qword ptr [rbp-50h],rax
fffff80003e85932 33c0 xor eax,eax fffff80003e85934 488945b8 mov qword ptr [rbp-48h],rax
fffff80003e85938 488945c0 mov qword ptr [rbp-40h],rax fffff80003e8593c 488945c8 mov qword ptr [rbp-38h],rax
fffff80003e85940 488945d0 mov qword ptr [rbp-30h],rax fffff80003e85944 488945d8 mov qword ptr [rbp-28h],rax
fffff80003e85948 488945e0 mov qword ptr [rbp-20h],rax fffff80003e8594c 660fefc0 pxor xmm0,xmm0
fffff80003e85950 0f2945f0 movaps xmmword ptr [rbp-10h],xmm0 fffff80003e85954 0f294500 movaps xmmword ptr [rbp],xmm0
fffff80003e85958 0f294510 movaps xmmword ptr [rbp+10h],xmm0 fffff80003e8595c 0f294520 movaps xmmword ptr [rbp+20h],xmm0
fffff80003e85960 0f294530 movaps xmmword ptr [rbp+30h],xmm0 fffff80003e85964 0f294540 movaps xmmword ptr [rbp+40h],xmm0
fffff80003e85968 b901000000 mov ecx,1 fffff80003e8596d 440f22c1 mov cr8,rcx
fffff80003e85971 fb sti fffff80003e85972 e85947ffff call nt!KiInitiateUserApc (fffff80003e7a0d0) fffff80003e85977 fa cli
fffff80003e85978 b900000000 mov ecx,0 fffff80003e8597d 440f22c1 mov cr8,rcx
fffff80003e85981 488b45b0 mov rax,qword ptr [rbp-50h] fffff80003e85985 65488b0c2588010000 mov rcx,qword ptr gs:[188h]
fffff80003e8598e f70100000240 test dword ptr [rcx],40020000h fffff80003e85994 742e je nt!KiSystemServiceExit+0xe9 (fffff80003e859c4) fffff80003e85996 488945b0 mov qword ptr [rbp-50h],rax
fffff80003e8599a f6410202 test byte ptr [rcx+2],2 fffff80003e8599e 740e je nt!KiSystemServiceExit+0xd3 (fffff80003e859ae) fffff80003e859a0 e87b9f0900 call nt!KiCopyCounters (fffff80003f1f920) fffff80003e859a5 65488b0c2588010000 mov rcx,qword ptr gs:[188h]
fffff80003e859ae f6410340 test byte ptr [rcx+3],40h fffff80003e859b2 740c je nt!KiSystemServiceExit+0xe5 (fffff80003e859c0) fffff80003e859b4 488d6580 lea rsp,[rbp-80h]
fffff80003e859b8 4833c9 xor rcx,rcx fffff80003e859bb e8000b0000 call nt!KiUmsExit (fffff80003e864c0) fffff80003e859c0 488b45b0 mov rax,qword ptr [rbp-50h]
fffff80003e859c4 0fae55ac ldmxcsr dword ptr [rbp-54h] fffff80003e859c8 4d33d2 xor r10,r10
fffff80003e859cb 6683bd8000000000 cmp word ptr [rbp+80h],0 fffff80003e859d3 743e je nt!KiSystemServiceExit+0x138 (fffff80003e85a13) fffff80003e859d5 488945b0 mov qword ptr [rbp-50h],rax
fffff80003e859d9 e8a2100000 call nt!KiRestoreDebugRegisterState (fffff80003e86a80)
fffff80003e859de 65488b042588010000 mov rax,qword ptr gs:[188h] fffff80003e859e7 488b4070 mov rax,qword ptr [rax+70h]
fffff80003e859eb 488b8000010000 mov rax,qword ptr [rax+100h] fffff80003e859f2 480bc0 or rax,rax
fffff80003e859f5 7418 je nt!KiSystemServiceExit+0x134 (fffff80003e85a0f)
fffff80003e859f7 6683bdf000000033 cmp word ptr [rbp+0F0h],33h fffff80003e859ff 750e jne nt!KiSystemServiceExit+0x134 (fffff80003e85a0f) fffff80003e85a01 4c8b95e8000000 mov r10,qword ptr [rbp+0E8h]
fffff80003e85a08 488985e8000000 mov qword ptr [rbp+0E8h],rax fffff80003e85a0f 488b45b0 mov rax,qword ptr [rbp-50h]
fffff80003e85a13 4c8b8500010000 mov r8,qword ptr [rbp+100h] fffff80003e85a1a 4c8b8dd8000000 mov r9,qword ptr [rbp+0D8h]
fffff80003e85a21 33d2 xor edx,edx fffff80003e85a23 660fefc0 pxor xmm0,xmm0
fffff80003e85a27 660fefc9 pxor xmm1,xmm1 fffff80003e85a2b 660fefd2 pxor xmm2,xmm2
fffff80003e85a2f 660fefdb pxor xmm3,xmm3 fffff80003e85a33 660fefe4 pxor xmm4,xmm4
fffff80003e85a37 660fefed pxor xmm5,xmm5 fffff80003e85a3b 488b8de8000000 mov rcx,qword ptr [rbp+0E8h]
fffff80003e85a42 4c8b9df8000000 mov r11,qword ptr [rbp+0F8h] fffff80003e85a49 498be9 mov rbp,r9
fffff80003e85a4c 498be0 mov rsp,r8 fffff80003e85a4f 0f01f8 swapgs
fffff80003e85a52 480f07 sysretq fffff80003e85a55 488b95b8000000 mov rdx,qword ptr [rbp+0B8h]
fffff80003e85a5c 498993d8010000 mov qword ptr [r11+1D8h],rdx fffff80003e85a63 8a55a8 mov dl,byte ptr [rbp-58h]
fffff80003e85a66 418893f6010000 mov byte ptr [r11+1F6h],dl fffff80003e85a6d fa cli
fffff80003e85a6e 488be5 mov rsp,rbp fffff80003e85a71 488badd8000000 mov rbp,qword ptr [rbp+0D8h]
fffff80003e85a78 488ba42400010000 mov rsp,qword ptr [rsp+100h] fffff80003e85a80 fb sti
fffff80003e85a81 c3 ret fffff80003e85a82 83ff20 cmp edi,20h
fffff80003e85a85 755b jne nt!KiSystemServiceExit+0x207 (fffff80003e85ae2)
fffff80003e85a87 894580 mov dword ptr [rbp-80h],eax fffff80003e85a8a 48894d88 mov qword ptr [rbp-78h],rcx
fffff80003e85a8e 48895590 mov qword ptr [rbp-70h],rdx fffff80003e85a92 4c894598 mov qword ptr [rbp-68h],r8
fffff80003e85a96 4c894da0 mov qword ptr [rbp-60h],r9 fffff80003e85a9a e85184ffff call nt!KiConvertToGuiThread (fffff80003e7def0) fffff80003e85a9f 0bc0 or eax,eax
fffff80003e85aa1 8b4580 mov eax,dword ptr [rbp-80h] fffff80003e85aa4 488b4d88 mov rcx,qword ptr [rbp-78h]
fffff80003e85aa8 488b5590 mov rdx,qword ptr [rbp-70h] fffff80003e85aac 4c8b4598 mov r8,qword ptr [rbp-68h]
fffff80003e85ab0 4c8b4da0 mov r9,qword ptr [rbp-60h] fffff80003e85ab4 4889a3d8010000 mov qword ptr [rbx+1D8h],rsp
fffff80003e85abb 0f84b1fcffff je nt!KiSystemServiceRepeat (fffff80003e85772)
fffff80003e85ac1 488d3dd81d2300 lea rdi,[nt!KeServiceDescriptorTableShadow+0x20 (fffff800040b78a0)]
fffff80003e85ac8 8b7710 mov esi,dword ptr [rdi+10h] fffff80003e85acb 488b3f mov rdi,qword ptr [rdi]
fffff80003e85ace 3bc6 cmp eax,esi fffff80003e85ad0 7310 jae nt!KiSystemServiceExit+0x207 (fffff80003e85ae2) fffff80003e85ad2 488d3cb7 lea rdi,[rdi+rsi*4]
fffff80003e85ad6 0fbe0438 movsx eax,byte ptr [rax+rdi] fffff80003e85ada 0bc0 or eax,eax
fffff80003e85adc 0f8ef9fdffff jle nt!KiSystemServiceExit (fffff80003e858db)
fffff80003e85ae2 b81c0000c0 mov eax,0C000001Ch fffff80003e85ae7 e9effdffff jmp nt!KiSystemServiceExit (fffff80003e858db) fffff80003e85aec b94a000000 mov ecx,4Ah
fffff80003e85af1 4533c9 xor r9d,r9d fffff80003e85af4 450f20c0 mov r8,cr8
fffff80003e85af8 450bc0 or r8d,r8d fffff80003e85afb 7514 jne nt!KiSystemServiceExit+0x236 (fffff80003e85b11) fffff80003e85afd b901000000 mov ecx,1
fffff80003e85b02 450fb683f0010000 movzx r8d,byte ptr [r11+1F0h] fffff80003e85b0a 458b8bc4010000 mov r9d,dword ptr [r11+1C4h]
fffff80003e85b11 488b95e8000000 mov rdx,qword ptr [rbp+0E8h] fffff80003e85b18 4c8bd5 mov r10,rbp
fffff80003e85b1b e860000000 call nt!KiBugCheckDispatch (fffff80003e85b80)
fffff80003e85b20 4883ec50 sub rsp,50h fffff80003e85b24 48894c2420 mov qword ptr [rsp+20h],rcx
fffff80003e85b29 4889542428 mov qword ptr [rsp+28h],rdx fffff80003e85b2e 4c89442430 mov qword ptr [rsp+30h],r8
fffff80003e85b33 4c894c2438 mov qword ptr [rsp+38h],r9 fffff80003e85b38 4c89542440 mov qword ptr [rsp+40h],r10
fffff80003e85b3d 498bca mov rcx,r10 fffff80003e85b40 e86b310e00 call nt!PerfInfoLogSysCallEntry (fffff80003f68cb0) fffff80003e85b45 488b4c2420 mov rcx,qword ptr [rsp+20h]
fffff80003e85b4a 488b542428 mov rdx,qword ptr [rsp+28h] fffff80003e85b4f 4c8b442430 mov r8,qword ptr [rsp+30h]
fffff80003e85b54 4c8b4c2438 mov r9,qword ptr [rsp+38h] fffff80003e85b59 4c8b542440 mov r10,qword ptr [rsp+40h]
fffff80003e85b5e 4883c450 add rsp,50h fffff80003e85b62 41ffd2 call r10
fffff80003e85b65 488945b0 mov qword ptr [rbp-50h],rax fffff80003e85b69 488bc8 mov rcx,rax
fffff80003e85b6c e8df300e00 call nt!PerfInfoLogSysCallExit (fffff80003f68c50)
fffff80003e85b71 488b45b0 mov rax,qword ptr [rbp-50h] fffff80003e85b75 e959fdffff jmp nt!KiSystemServiceCopyEnd+0x13 (fffff80003e858d3) fffff80003e85b7a 660f1f440000 nop word ptr [rax+rax]
