[求助]win7中KiFastCallEntry
发表于: 2016-5-23 16:50 2889
根据网上的说法,ring3 进入 ring0 时会经过 KiFastCallEntry 这个函数,该函数中会执行 call ebx,而 ebx 是 SSDT 中对应的函数地址;但是我在 WinDbg 中逐段反汇编(下面的输出到 KiFastCallEntry+0xba 为止)时没有看到这条 call ebx,感觉不是这个函数。
0: kd> u KiFastCallEntry
nt!KiFastCallEntry:
83e57790 b923000000 mov ecx,23h
83e57795 6a30 push 30h
83e57797 0fa1 pop fs
83e57799 8ed9 mov ds,cx
83e5779b 8ec1 mov es,cx
83e5779d 648b0d40000000 mov ecx,dword ptr fs:[40h]
83e577a4 8b6104 mov esp,dword ptr [ecx+4]
83e577a7 6a23 push 23h
0: kd> u
nt!KiFastCallEntry+0x19:
83e577a9 52 push edx
83e577aa 9c pushfd
83e577ab 6a02 push 2
83e577ad 83c208 add edx,8
83e577b0 9d popfd
83e577b1 804c240102 or byte ptr [esp+1],2
83e577b6 6a1b push 1Bh
83e577b8 ff350403dfff push dword ptr ds:[0FFDF0304h]
0: kd> u
nt!KiFastCallEntry+0x2e:
83e577be 6a00 push 0
83e577c0 55 push ebp
83e577c1 53 push ebx
83e577c2 56 push esi
83e577c3 57 push edi
83e577c4 648b1d1c000000 mov ebx,dword ptr fs:[1Ch]
83e577cb 6a3b push 3Bh
83e577cd 8bb324010000 mov esi,dword ptr [ebx+124h]
0: kd> u
nt!KiFastCallEntry+0x43:
83e577d3 ff33 push dword ptr [ebx]
83e577d5 c703ffffffff mov dword ptr [ebx],0FFFFFFFFh
83e577db 8b6e28 mov ebp,dword ptr [esi+28h]
83e577de 6a01 push 1
83e577e0 83ec48 sub esp,48h
83e577e3 81ed9c020000 sub ebp,29Ch
83e577e9 c6863a01000001 mov byte ptr [esi+13Ah],1
83e577f0 3bec cmp ebp,esp
0: kd> u
nt!KiFastCallEntry+0x62:
83e577f2 7597 jne nt!KiFastCallEntry2+0x49 (83e5778b)
83e577f4 83652c00 and dword ptr [ebp+2Ch],0
83e577f8 f64603df test byte ptr [esi+3],0DFh
83e577fc 89ae28010000 mov dword ptr [esi+128h],ebp
83e57802 0f8538feffff jne nt!Dr_FastCallDrSave (83e57640)
83e57808 8b5d60 mov ebx,dword ptr [ebp+60h]
83e5780b 8b7d68 mov edi,dword ptr [ebp+68h]
83e5780e 89550c mov dword ptr [ebp+0Ch],edx
0: kd> u
nt!KiFastCallEntry+0x81:
83e57811 c74508000ddbba mov dword ptr [ebp+8],0BADB0D00h
83e57818 895d00 mov dword ptr [ebp],ebx
83e5781b 897d04 mov dword ptr [ebp+4],edi
83e5781e fb sti
83e5781f 8bf8 mov edi,eax
83e57821 c1ef08 shr edi,8
83e57824 83e710 and edi,10h
83e57827 8bcf mov ecx,edi
0: kd> u
nt!KiFastCallEntry+0x99:
83e57829 03bebc000000 add edi,dword ptr [esi+0BCh]
83e5782f 8bd8 mov ebx,eax
83e57831 25ff0f0000 and eax,0FFFh
83e57836 3b4708 cmp eax,dword ptr [edi+8]
83e57839 0f8333fdffff jae nt!KiBBTUnexpectedRange (83e57572)
83e5783f 83f910 cmp ecx,10h
83e57842 751a jne nt!KiSystemServiceAccessTeb+0x12 (83e5785e)
83e57844 8b8e88000000 mov ecx,dword ptr [esi+88h]
0: kd> u
nt!KiFastCallEntry+0xba:
83e5784a 33f6 xor esi,esi
0: kd> u KiFastCallEntry
nt!KiFastCallEntry:
83e57790 b923000000 mov ecx,23h
83e57795 6a30 push 30h
83e57797 0fa1 pop fs
83e57799 8ed9 mov ds,cx
83e5779b 8ec1 mov es,cx
83e5779d 648b0d40000000 mov ecx,dword ptr fs:[40h]
83e577a4 8b6104 mov esp,dword ptr [ecx+4]
83e577a7 6a23 push 23h
0: kd> u
nt!KiFastCallEntry+0x19:
83e577a9 52 push edx
83e577aa 9c pushfd
83e577ab 6a02 push 2
83e577ad 83c208 add edx,8
83e577b0 9d popfd
83e577b1 804c240102 or byte ptr [esp+1],2
83e577b6 6a1b push 1Bh
83e577b8 ff350403dfff push dword ptr ds:[0FFDF0304h]
0: kd> u
nt!KiFastCallEntry+0x2e:
83e577be 6a00 push 0
83e577c0 55 push ebp
83e577c1 53 push ebx
83e577c2 56 push esi
83e577c3 57 push edi
83e577c4 648b1d1c000000 mov ebx,dword ptr fs:[1Ch]
83e577cb 6a3b push 3Bh
83e577cd 8bb324010000 mov esi,dword ptr [ebx+124h]
0: kd> u
nt!KiFastCallEntry+0x43:
83e577d3 ff33 push dword ptr [ebx]
83e577d5 c703ffffffff mov dword ptr [ebx],0FFFFFFFFh
83e577db 8b6e28 mov ebp,dword ptr [esi+28h]
83e577de 6a01 push 1
83e577e0 83ec48 sub esp,48h
83e577e3 81ed9c020000 sub ebp,29Ch
83e577e9 c6863a01000001 mov byte ptr [esi+13Ah],1
83e577f0 3bec cmp ebp,esp
0: kd> u
nt!KiFastCallEntry+0x62:
83e577f2 7597 jne nt!KiFastCallEntry2+0x49 (83e5778b)
83e577f4 83652c00 and dword ptr [ebp+2Ch],0
83e577f8 f64603df test byte ptr [esi+3],0DFh
83e577fc 89ae28010000 mov dword ptr [esi+128h],ebp
83e57802 0f8538feffff jne nt!Dr_FastCallDrSave (83e57640)
83e57808 8b5d60 mov ebx,dword ptr [ebp+60h]
83e5780b 8b7d68 mov edi,dword ptr [ebp+68h]
83e5780e 89550c mov dword ptr [ebp+0Ch],edx
0: kd> u
nt!KiFastCallEntry+0x81:
83e57811 c74508000ddbba mov dword ptr [ebp+8],0BADB0D00h
83e57818 895d00 mov dword ptr [ebp],ebx
83e5781b 897d04 mov dword ptr [ebp+4],edi
83e5781e fb sti
83e5781f 8bf8 mov edi,eax
83e57821 c1ef08 shr edi,8
83e57824 83e710 and edi,10h
83e57827 8bcf mov ecx,edi
0: kd> u
nt!KiFastCallEntry+0x99:
83e57829 03bebc000000 add edi,dword ptr [esi+0BCh]
83e5782f 8bd8 mov ebx,eax
83e57831 25ff0f0000 and eax,0FFFh
83e57836 3b4708 cmp eax,dword ptr [edi+8]
83e57839 0f8333fdffff jae nt!KiBBTUnexpectedRange (83e57572)
83e5783f 83f910 cmp ecx,10h
83e57842 751a jne nt!KiSystemServiceAccessTeb+0x12 (83e5785e)
83e57844 8b8e88000000 mov ecx,dword ptr [esi+88h]
0: kd> u
nt!KiFastCallEntry+0xba:
83e5784a 33f6 xor esi,esi