系统服务描述表指针查找
反汇编KiSystemCall64
kd> uf KiSystemCall64
Flow analysis was incomplete, some code may be missing
nt!KiSystemCall64:
fffff800`040e1640 0f01f8 swapgs
fffff800`040e1643 654889242510000000 mov qword ptr gs:[10h],rsp
fffff800`040e164c 65488b2425a8010000 mov rsp,qword ptr gs:[1A8h]
fffff800`040e1655 6a2b push 2Bh
fffff800`040e1657 65ff342510000000 push qword ptr gs:[10h]
fffff800`040e165f 4153 push r11
fffff800`040e1661 6a33 push 33h
fffff800`040e1663 51 push rcx
fffff800`040e1664 498bca mov rcx,r10
fffff800`040e1667 4883ec08 sub rsp,8
fffff800`040e166b 55 push rbp
fffff800`040e166c 4881ec58010000 sub rsp,158h
fffff800`040e1673 488dac2480000000 lea rbp,[rsp+80h]
fffff800`040e167b 48899dc0000000 mov qword ptr [rbp+0C0h],rbx
fffff800`040e1682 4889bdc8000000 mov qword ptr [rbp+0C8h],rdi
fffff800`040e1689 4889b5d0000000 mov qword ptr [rbp+0D0h],rsi
fffff800`040e1690 c645ab02 mov byte ptr [rbp-55h],2
fffff800`040e1694 65488b1c2588010000 mov rbx,qword ptr gs:[188h]
fffff800`040e169d 0f0d8bd8010000 prefetchw [rbx+1D8h]
fffff800`040e16a4 0fae5dac stmxcsr dword ptr [rbp-54h]
fffff800`040e16a8 650fae142580010000 ldmxcsr dword ptr gs:[180h]
fffff800`040e16b1 807b0300 cmp byte ptr [rbx+3],0
fffff800`040e16b5 66c785800000000000 mov word ptr [rbp+80h],0
fffff800`040e16be 0f848c000000 je nt!KiSystemCall64+0x110 (fffff800`040e1750) Branch
nt!KiSystemCall64+0x84:
fffff800`040e16c4 488945b0 mov qword ptr [rbp-50h],rax
fffff800`040e16c8 48894db8 mov qword ptr [rbp-48h],rcx
fffff800`040e16cc 488955c0 mov qword ptr [rbp-40h],rdx
fffff800`040e16d0 f6430303 test byte ptr [rbx+3],3
fffff800`040e16d4 4c8945c8 mov qword ptr [rbp-38h],r8
fffff800`040e16d8 4c894dd0 mov qword ptr [rbp-30h],r9
fffff800`040e16dc 7405 je nt!KiSystemCall64+0xa3 (fffff800`040e16e3) Branch
nt!KiSystemCall64+0x9e:
fffff800`040e16de e80d140000 call nt!KiSaveDebugRegisterState (fffff800`040e2af0)
nt!KiSystemCall64+0xa3:
fffff800`040e16e3 f6430380 test byte ptr [rbx+3],80h
fffff800`040e16e7 7442 je nt!KiSystemCall64+0xeb (fffff800`040e172b) Branch
nt!KiSystemCall64+0xa9:
fffff800`040e16e9 b9020100c0 mov ecx,0C0000102h
fffff800`040e16ee 0f32 rdmsr
fffff800`040e16f0 48c1e220 shl rdx,20h
fffff800`040e16f4 480bc2 or rax,rdx
fffff800`040e16f7 483983b8000000 cmp qword ptr [rbx+0B8h],rax
fffff800`040e16fe 742b je nt!KiSystemCall64+0xeb (fffff800`040e172b) Branch
nt!KiSystemCall64+0xc0:
fffff800`040e1700 483983b0010000 cmp qword ptr [rbx+1B0h],rax
fffff800`040e1707 7422 je nt!KiSystemCall64+0xeb (fffff800`040e172b) Branch
nt!KiSystemCall64+0xc9:
fffff800`040e1709 488b93b8010000 mov rdx,qword ptr [rbx+1B8h]
fffff800`040e1710 0fba6b4c0b bts dword ptr [rbx+4Ch],0Bh
fffff800`040e1715 66ff8bc4010000 dec word ptr [rbx+1C4h]
fffff800`040e171c 48898280000000 mov qword ptr [rdx+80h],rax
fffff800`040e1723 fb sti
fffff800`040e1724 e8170b0000 call nt!KiUmsCallEntry (fffff800`040e2240)
fffff800`040e1729 eb0f jmp nt!KiSystemCall64+0xfa (fffff800`040e173a) Branch
nt!KiSystemCall64+0xeb:
fffff800`040e172b f6430340 test byte ptr [rbx+3],40h
fffff800`040e172f 7409 je nt!KiSystemCall64+0xfa (fffff800`040e173a) Branch
nt!KiSystemCall64+0xf1:
fffff800`040e1731 f00fbaab0001000008 lock bts dword ptr [rbx+100h],8
nt!KiSystemCall64+0xfa:
fffff800`040e173a 488b45b0 mov rax,qword ptr [rbp-50h]
fffff800`040e173e 488b4db8 mov rcx,qword ptr [rbp-48h]
fffff800`040e1742 488b55c0 mov rdx,qword ptr [rbp-40h]
fffff800`040e1746 4c8b45c8 mov r8,qword ptr [rbp-38h]
fffff800`040e174a 4c8b4dd0 mov r9,qword ptr [rbp-30h]
fffff800`040e174e 6690 xchg ax,ax
nt!KiSystemCall64+0x110:
fffff800`040e1750 fb sti
fffff800`040e1751 48898be0010000 mov qword ptr [rbx+1E0h],rcx
fffff800`040e1758 8983f8010000 mov dword ptr [rbx+1F8h],eax
fffff800`040e175e 4889a3d8010000 mov qword ptr [rbx+1D8h],rsp
fffff800`040e1765 8bf8 mov edi,eax
fffff800`040e1767 c1ef07 shr edi,7
fffff800`040e176a 83e720 and edi,20h
fffff800`040e176d 25ff0f0000 and eax,0FFFh
nt!KiSystemServiceRepeat:
fffff800`040e1772 4c8d15c7202300 lea r10,[nt!KeServiceDescriptorTable (fffff800`04313840)]
fffff800`040e1779 4c8d1d00212300 lea r11,[nt!KeServiceDescriptorTableShadow (fffff800`04313880)]
fffff800`040e1780 f7830001000080000000 test dword ptr [rbx+100h],80h
fffff800`040e178a 4d0f45d3 cmovne r10,r11
fffff800`040e178e 423b441710 cmp eax,dword ptr [rdi+r10+10h]
fffff800`040e1793 0f83e9020000 jae nt!KiSystemServiceExit+0x1a7 (fffff800`040e1a82) Branch
nt!KiSystemServiceRepeat+0x27:
fffff800`040e1799 4e8b1417 mov r10,qword ptr [rdi+r10]
fffff800`040e179d 4d631c82 movsxd r11,dword ptr [r10+rax*4]
fffff800`040e17a1 498bc3 mov rax,r11
fffff800`040e17a4 49c1fb04 sar r11,4
fffff800`040e17a8 4d03d3 add r10,r11
fffff800`040e17ab 83ff20 cmp edi,20h
fffff800`040e17ae 7550 jne nt!KiSystemServiceGdiTebAccess+0x49 (fffff800`040e1800) Branch
nt!KiSystemServiceRepeat+0x3e:
fffff800`040e17b0 4c8b9bb8000000 mov r11,qword ptr [rbx+0B8h]
fffff800`040e17b7 4183bb4017000000 cmp dword ptr [r11+1740h],0
fffff800`040e17bf 743f je nt!KiSystemServiceGdiTebAccess+0x49 (fffff800`040e1800) Branch
nt!KiSystemServiceGdiTebAccess+0xa:
fffff800`040e17c1 488945b0 mov qword ptr [rbp-50h],rax
fffff800`040e17c5 48894db8 mov qword ptr [rbp-48h],rcx
fffff800`040e17c9 488955c0 mov qword ptr [rbp-40h],rdx
fffff800`040e17cd 498bd8 mov rbx,r8
fffff800`040e17d0 498bf9 mov rdi,r9
fffff800`040e17d3 498bf2 mov rsi,r10
fffff800`040e17d6 ff15341f2300 call qword ptr [nt!KeGdiFlushUserBatch (fffff800`04313710)]
fffff800`040e17dc 488b45b0 mov rax,qword ptr [rbp-50h]
fffff800`040e17e0 488b4db8 mov rcx,qword ptr [rbp-48h]
fffff800`040e17e4 488b55c0 mov rdx,qword ptr [rbp-40h]
fffff800`040e17e8 4c8bc3 mov r8,rbx
fffff800`040e17eb 4c8bcf mov r9,rdi
fffff800`040e17ee 4c8bd6 mov r10,rsi
fffff800`040e17f1 666666666666660f1f840000000000 nop word ptr [rax+rax]
nt!KiSystemServiceGdiTebAccess+0x49:
fffff800`040e1800 83e00f and eax,0Fh
fffff800`040e1803 0f84b7000000 je nt!KiSystemServiceCopyEnd (fffff800`040e18c0) Branch
nt!KiSystemServiceGdiTebAccess+0x52:
fffff800`040e1809 c1e003 shl eax,3
fffff800`040e180c 488d642490 lea rsp,[rsp-70h]
fffff800`040e1811 488d7c2418 lea rdi,[rsp+18h]
fffff800`040e1816 488bb500010000 mov rsi,qword ptr [rbp+100h]
fffff800`040e181d 488d7620 lea rsi,[rsi+20h]
fffff800`040e1821 f685f000000001 test byte ptr [rbp+0F0h],1
fffff800`040e1828 7416 je nt!KiSystemServiceGdiTebAccess+0x89 (fffff800`040e1840) Branch
nt!KiSystemServiceGdiTebAccess+0x73:
fffff800`040e182a 483b35cf172300 cmp rsi,qword ptr [nt!MmUserProbeAddress (fffff800`04313000)]
fffff800`040e1831 480f4335c7172300 cmovae rsi,qword ptr [nt!MmUserProbeAddress (fffff800`04313000)]
fffff800`040e1839 0f1f8000000000 nop dword ptr [rax]
nt!KiSystemServiceGdiTebAccess+0x89:
fffff800`040e1840 4c8d1d79000000 lea r11,[nt!KiSystemServiceCopyEnd (fffff800`040e18c0)]
fffff800`040e1847 4c2bd8 sub r11,rax
fffff800`040e184a 41ffe3 jmp r11
nt!KiSystemServiceCopyEnd:
fffff800`040e18c0 f705be7d180040000000 test dword ptr [nt!PerfGlobalGroupMask+0x8 (fffff800`04269688)],40h
fffff800`040e18ca 0f8550020000 jne nt!KiSystemServiceExit+0x245 (fffff800`040e1b20) Branch
nt!KiSystemServiceCopyEnd+0x10:
fffff800`040e18d0 41ffd2 call r10
nt!KiSystemServiceCopyEnd+0x13:
fffff800`040e18d3 65ff042538220000 inc dword ptr gs:[2238h]
nt!KiSystemServiceExit:
fffff800`040e18db 488b9dc0000000 mov rbx,qword ptr [rbp+0C0h]
fffff800`040e18e2 488bbdc8000000 mov rdi,qword ptr [rbp+0C8h]
fffff800`040e18e9 488bb5d0000000 mov rsi,qword ptr [rbp+0D0h]
fffff800`040e18f0 654c8b1c2588010000 mov r11,qword ptr gs:[188h]
fffff800`040e18f9 f685f000000001 test byte ptr [rbp+0F0h],1
fffff800`040e1900 0f844f010000 je nt!KiSystemServiceExit+0x17a (fffff800`040e1a55) Branch
nt!KiSystemServiceExit+0x2b:
fffff800`040e1906 440f20c1 mov rcx,cr8
fffff800`040e190a 410a8bf0010000 or cl,byte ptr [r11+1F0h]
fffff800`040e1911 410b8bc4010000 or ecx,dword ptr [r11+1C4h]
fffff800`040e1918 0f85ce010000 jne nt!KiSystemServiceExit+0x211 (fffff800`040e1aec) Branch
nt!KiSystemServiceExit+0x43:
fffff800`040e191e fa cli
fffff800`040e191f 65488b0c2588010000 mov rcx,qword ptr gs:[188h]
fffff800`040e1928 80797a00 cmp byte ptr [rcx+7Ah],0
fffff800`040e192c 7457 je nt!KiSystemServiceExit+0xaa (fffff800`040e1985) Branch
nt!KiSystemServiceExit+0x53:
fffff800`040e192e 488945b0 mov qword ptr [rbp-50h],rax
fffff800`040e1932 33c0 xor eax,eax
fffff800`040e1934 488945b8 mov qword ptr [rbp-48h],rax
fffff800`040e1938 488945c0 mov qword ptr [rbp-40h],rax
fffff800`040e193c 488945c8 mov qword ptr [rbp-38h],rax
fffff800`040e1940 488945d0 mov qword ptr [rbp-30h],rax
fffff800`040e1944 488945d8 mov qword ptr [rbp-28h],rax
fffff800`040e1948 488945e0 mov qword ptr [rbp-20h],rax
fffff800`040e194c 660fefc0 pxor xmm0,xmm0
fffff800`040e1950 0f2945f0 movaps xmmword ptr [rbp-10h],xmm0
fffff800`040e1954 0f294500 movaps xmmword ptr [rbp],xmm0
fffff800`040e1958 0f294510 movaps xmmword ptr [rbp+10h],xmm0
fffff800`040e195c 0f294520 movaps xmmword ptr [rbp+20h],xmm0
fffff800`040e1960 0f294530 movaps xmmword ptr [rbp+30h],xmm0
fffff800`040e1964 0f294540 movaps xmmword ptr [rbp+40h],xmm0
fffff800`040e1968 b901000000 mov ecx,1
fffff800`040e196d 440f22c1 mov cr8,rcx
fffff800`040e1971 fb sti
fffff800`040e1972 e85947ffff call nt!KiInitiateUserApc (fffff800`040d60d0)
fffff800`040e1977 fa cli
fffff800`040e1978 b900000000 mov ecx,0
fffff800`040e197d 440f22c1 mov cr8,rcx
fffff800`040e1981 488b45b0 mov rax,qword ptr [rbp-50h]
nt!KiSystemServiceExit+0xaa:
fffff800`040e1985 65488b0c2588010000 mov rcx,qword ptr gs:[188h]
fffff800`040e198e f70100000240 test dword ptr [rcx],40020000h
fffff800`040e1994 742e je nt!KiSystemServiceExit+0xe9 (fffff800`040e19c4) Branch
nt!KiSystemServiceExit+0xbb:
fffff800`040e1996 488945b0 mov qword ptr [rbp-50h],rax
fffff800`040e199a f6410202 test byte ptr [rcx+2],2
fffff800`040e199e 740e je nt!KiSystemServiceExit+0xd3 (fffff800`040e19ae) Branch
nt!KiSystemServiceExit+0xc5:
fffff800`040e19a0 e87b9f0900 call nt!KiCopyCounters (fffff800`0417b920)
fffff800`040e19a5 65488b0c2588010000 mov rcx,qword ptr gs:[188h]
nt!KiSystemServiceExit+0xd3:
fffff800`040e19ae f6410340 test byte ptr [rcx+3],40h
fffff800`040e19b2 740c je nt!KiSystemServiceExit+0xe5 (fffff800`040e19c0) Branch
nt!KiSystemServiceExit+0xd9:
fffff800`040e19b4 488d6580 lea rsp,[rbp-80h]
fffff800`040e19b8 4833c9 xor rcx,rcx
fffff800`040e19bb e8000b0000 call nt!KiUmsExit (fffff800`040e24c0)
nt!KiSystemServiceExit+0xe5:
fffff800`040e19c0 488b45b0 mov rax,qword ptr [rbp-50h]
nt!KiSystemServiceExit+0xe9:
fffff800`040e19c4 0fae55ac ldmxcsr dword ptr [rbp-54h]
fffff800`040e19c8 4d33d2 xor r10,r10
fffff800`040e19cb 6683bd8000000000 cmp word ptr [rbp+80h],0
fffff800`040e19d3 743e je nt!KiSystemServiceExit+0x138 (fffff800`040e1a13) Branch
nt!KiSystemServiceExit+0xfa:
fffff800`040e19d5 488945b0 mov qword ptr [rbp-50h],rax
fffff800`040e19d9 e8a2100000 call nt!KiRestoreDebugRegisterState (fffff800`040e2a80)
fffff800`040e19de 65488b042588010000 mov rax,qword ptr gs:[188h]
fffff800`040e19e7 488b4070 mov rax,qword ptr [rax+70h]
fffff800`040e19eb 488b8000010000 mov rax,qword ptr [rax+100h]
fffff800`040e19f2 480bc0 or rax,rax
fffff800`040e19f5 7418 je nt!KiSystemServiceExit+0x134 (fffff800`040e1a0f) Branch
nt!KiSystemServiceExit+0x11c:
fffff800`040e19f7 6683bdf000000033 cmp word ptr [rbp+0F0h],33h
fffff800`040e19ff 750e jne nt!KiSystemServiceExit+0x134 (fffff800`040e1a0f) Branch
nt!KiSystemServiceExit+0x126:
fffff800`040e1a01 4c8b95e8000000 mov r10,qword ptr [rbp+0E8h]
fffff800`040e1a08 488985e8000000 mov qword ptr [rbp+0E8h],rax
nt!KiSystemServiceExit+0x134:
fffff800`040e1a0f 488b45b0 mov rax,qword ptr [rbp-50h]
nt!KiSystemServiceExit+0x138:
fffff800`040e1a13 4c8b8500010000 mov r8,qword ptr [rbp+100h]
fffff800`040e1a1a 4c8b8dd8000000 mov r9,qword ptr [rbp+0D8h]
fffff800`040e1a21 33d2 xor edx,edx
fffff800`040e1a23 660fefc0 pxor xmm0,xmm0
fffff800`040e1a27 660fefc9 pxor xmm1,xmm1
fffff800`040e1a2b 660fefd2 pxor xmm2,xmm2
fffff800`040e1a2f 660fefdb pxor xmm3,xmm3
fffff800`040e1a33 660fefe4 pxor xmm4,xmm4
fffff800`040e1a37 660fefed pxor xmm5,xmm5
fffff800`040e1a3b 488b8de8000000 mov rcx,qword ptr [rbp+0E8h]
fffff800`040e1a42 4c8b9df8000000 mov r11,qword ptr [rbp+0F8h]
fffff800`040e1a49 498be9 mov rbp,r9
fffff800`040e1a4c 498be0 mov rsp,r8
fffff800`040e1a4f 0f01f8 swapgs
fffff800`040e1a52 480f07 sysretq
nt!KiSystemServiceExit+0x17a:
fffff800`040e1a55 488b95b8000000 mov rdx,qword ptr [rbp+0B8h]
fffff800`040e1a5c 498993d8010000 mov qword ptr [r11+1D8h],rdx
fffff800`040e1a63 8a55a8 mov dl,byte ptr [rbp-58h]
fffff800`040e1a66 418893f6010000 mov byte ptr [r11+1F6h],dl
fffff800`040e1a6d fa cli
fffff800`040e1a6e 488be5 mov rsp,rbp
fffff800`040e1a71 488badd8000000 mov rbp,qword ptr [rbp+0D8h]
fffff800`040e1a78 488ba42400010000 mov rsp,qword ptr [rsp+100h]
fffff800`040e1a80 fb sti
fffff800`040e1a81 c3 ret
nt!KiSystemServiceExit+0x1a7:
fffff800`040e1a82 83ff20 cmp edi,20h
fffff800`040e1a85 755b jne nt!KiSystemServiceExit+0x207 (fffff800`040e1ae2) Branch
nt!KiSystemServiceExit+0x1ac:
fffff800`040e1a87 894580 mov dword ptr [rbp-80h],eax
fffff800`040e1a8a 48894d88 mov qword ptr [rbp-78h],rcx
fffff800`040e1a8e 48895590 mov qword ptr [rbp-70h],rdx
fffff800`040e1a92 4c894598 mov qword ptr [rbp-68h],r8
fffff800`040e1a96 4c894da0 mov qword ptr [rbp-60h],r9
fffff800`040e1a9a e85184ffff call nt!KiConvertToGuiThread (fffff800`040d9ef0)
fffff800`040e1a9f 0bc0 or eax,eax
fffff800`040e1aa1 8b4580 mov eax,dword ptr [rbp-80h]
fffff800`040e1aa4 488b4d88 mov rcx,qword ptr [rbp-78h]
fffff800`040e1aa8 488b5590 mov rdx,qword ptr [rbp-70h]
fffff800`040e1aac 4c8b4598 mov r8,qword ptr [rbp-68h]
fffff800`040e1ab0 4c8b4da0 mov r9,qword ptr [rbp-60h]
fffff800`040e1ab4 4889a3d8010000 mov qword ptr [rbx+1D8h],rsp
fffff800`040e1abb 0f84b1fcffff je nt!KiSystemServiceRepeat (fffff800`040e1772) Branch
nt!KiSystemServiceExit+0x1e6:
fffff800`040e1ac1 488d3dd81d2300 lea rdi,[nt!KeServiceDescriptorTableShadow+0x20 (fffff800`043138a0)]
fffff800`040e1ac8 8b7710 mov esi,dword ptr [rdi+10h]
fffff800`040e1acb 488b3f mov rdi,qword ptr [rdi]
fffff800`040e1ace 3bc6 cmp eax,esi
fffff800`040e1ad0 7310 jae nt!KiSystemServiceExit+0x207 (fffff800`040e1ae2) Branch
nt!KiSystemServiceExit+0x1f7:
fffff800`040e1ad2 488d3cb7 lea rdi,[rdi+rsi*4]
fffff800`040e1ad6 0fbe0438 movsx eax,byte ptr [rax+rdi]
fffff800`040e1ada 0bc0 or eax,eax
fffff800`040e1adc 0f8ef9fdffff jle nt!KiSystemServiceExit (fffff800`040e18db) Branch
nt!KiSystemServiceExit+0x207:
fffff800`040e1ae2 b81c0000c0 mov eax,0C000001Ch
fffff800`040e1ae7 e9effdffff jmp nt!KiSystemServiceExit (fffff800`040e18db) Branch
nt!KiSystemServiceExit+0x211:
fffff800`040e1aec b94a000000 mov ecx,4Ah
fffff800`040e1af1 4533c9 xor r9d,r9d
fffff800`040e1af4 450f20c0 mov r8,cr8
fffff800`040e1af8 450bc0 or r8d,r8d
fffff800`040e1afb 7514 jne nt!KiSystemServiceExit+0x236 (fffff800`040e1b11) Branch
nt!KiSystemServiceExit+0x222:
fffff800`040e1afd b901000000 mov ecx,1
fffff800`040e1b02 450fb683f0010000 movzx r8d,byte ptr [r11+1F0h]
fffff800`040e1b0a 458b8bc4010000 mov r9d,dword ptr [r11+1C4h]
nt!KiSystemServiceExit+0x236:
fffff800`040e1b11 488b95e8000000 mov rdx,qword ptr [rbp+0E8h]
fffff800`040e1b18 4c8bd5 mov r10,rbp
fffff800`040e1b1b e860000000 call nt!KiBugCheckDispatch (fffff800`040e1b80)
nt!KiSystemServiceExit+0x245:
fffff800`040e1b20 4883ec50 sub rsp,50h
fffff800`040e1b24 48894c2420 mov qword ptr [rsp+20h],rcx
fffff800`040e1b29 4889542428 mov qword ptr [rsp+28h],rdx
fffff800`040e1b2e 4c89442430 mov qword ptr [rsp+30h],r8
fffff800`040e1b33 4c894c2438 mov qword ptr [rsp+38h],r9
fffff800`040e1b38 4c89542440 mov qword ptr [rsp+40h],r10
fffff800`040e1b3d 498bca mov rcx,r10
fffff800`040e1b40 e86b310e00 call nt!PerfInfoLogSysCallEntry (fffff800`041c4cb0)
fffff800`040e1b45 488b4c2420 mov rcx,qword ptr [rsp+20h]
fffff800`040e1b4a 488b542428 mov rdx,qword ptr [rsp+28h]
fffff800`040e1b4f 4c8b442430 mov r8,qword ptr [rsp+30h]
fffff800`040e1b54 4c8b4c2438 mov r9,qword ptr [rsp+38h]
fffff800`040e1b59 4c8b542440 mov r10,qword ptr [rsp+40h]
fffff800`040e1b5e 4883c450 add rsp,50h
fffff800`040e1b62 41ffd2 call r10
fffff800`040e1b65 488945b0 mov qword ptr [rbp-50h],rax
fffff800`040e1b69 488bc8 mov rcx,rax
fffff800`040e1b6c e8df300e00 call nt!PerfInfoLogSysCallExit (fffff800`041c4c50)
fffff800`040e1b71 488b45b0 mov rax,qword ptr [rbp-50h]
fffff800`040e1b75 e959fdffff jmp nt!KiSystemServiceCopyEnd+0x13 (fffff800`040e18d3) Branch
在KiSystemServiceRepeat中找到KeServiceDescriptorTable
nt!KiSystemServiceRepeat:
fffff800`040e1772 4c8d15c7202300 lea r10,[nt!KeServiceDescriptorTable (fffff800`04313840)]
fffff800`040e1779 4c8d1d00212300 lea r11,[nt!KeServiceDescriptorTableShadow (fffff800`04313880)]
fffff800`040e1780 f7830001000080000000 test dword ptr [rbx+100h],80h
fffff800`040e178a 4d0f45d3 cmovne r10,r11
fffff800`040e178e 423b441710 cmp eax,dword ptr [rdi+r10+10h]
fffff800`040e1793 0f83e9020000 jae nt!KiSystemServiceExit+0x1a7 (fffff800`040e1a82) Branch
读取MSR( C0000082寄存器 )
MSR的中文全称是“特别模块寄存器”(model specific register),它控制 CPU 的工作环境和标示 CPU 的工作状态等信息(例如倍频、最大 TDP、 危险警报温度),它能够读取,也能够写入,但是无论读取还是写入,都只能在 Ring 0 下 进行,KiSystemCall64 的地址可以通过读取C0000082 寄存器得到。
kd> rdmsr c0000082
msr[c0000082] = fffff800`040e1640
kd> u fffff800`040e1640
nt!KiSystemCall64:
fffff800`040e1640 0f01f8 swapgs
fffff800`040e1643 654889242510000000 mov qword ptr gs:[10h],rsp
fffff800`040e164c 65488b2425a8010000 mov rsp,qword ptr gs:[1A8h]
fffff800`040e1655 6a2b push 2Bh
fffff800`040e1657 65ff342510000000 push qword ptr gs:[10h]
fffff800`040e165f 4153 push r11
fffff800`040e1661 6a33 push 33h
fffff800`040e1663 51 push rcx
