首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 峰会 看雪商城 证书查询
  1. 社区
  2. 经典问答
    3. 发新帖
ntoskrnl.exe和ntkrnlpa.exe问题
发表于: 2010-2-4 13:06 11861

ntoskrnl.exe和ntkrnlpa.exe问题

woshiczy 活跃值
2010-2-4 13:06
11861
ntkrnlpa.exe里的PspTerminateThreadByPointe
lkd> u PspTerminateThreadByPointer l50
nt!PspTerminateThreadByPointer:
805d38b4 8bff            mov     edi,edi
805d38b6 55              push    ebp
805d38b7 8bec            mov     ebp,esp
805d38b9 83ec0c          sub     esp,0Ch
805d38bc 834df8ff        or      dword ptr [ebp-8],0FFFFFFFFh
805d38c0 56              push    esi
805d38c1 57              push    edi
805d38c2 8b7d08          mov     edi,dword ptr [ebp+8]
805d38c5 8db748020000    lea     esi,[edi+248h]
805d38cb f60640          test    byte ptr [esi],40h
805d38ce c745f4c0bdf0ff  mov     dword ptr [ebp-0Ch],0FFF0BDC0h
805d38d5 7417            je      nt!PspTerminateThreadByPointer+0x3a (805d38ee)
805d38d7 8b8720020000    mov     eax,dword ptr [edi+220h]
805d38dd 0574010000      add     eax,174h
805d38e2 50              push    eax
805d38e3 57              push    edi
805d38e4 6884385d80      push    offset nt!PspExitNormalApc+0x54 (805d3884)
805d38e9 e894f1ffff      call    nt!PspCatchCriticalBreak (805d2a82)
805d38ee 64a124010000    mov     eax,dword ptr fs:[00000124h]
805d38f4 3bf8            cmp     edi,eax
805d38f6 750e            jne     nt!PspTerminateThreadByPointer+0x52 (805d3906)
805d38f8 33c0            xor     eax,eax
805d38fa 40              inc     eax
805d38fb f00906          lock or dword ptr [esi],eax
805d38fe ff750c          push    dword ptr [ebp+0Ch]
805d3901 e8bef7ffff      call    nt!PspExitThread (805d30c4)
805d3906 f60610          test    byte ptr [esi],10h
805d3909 740a            je      nt!PspTerminateThreadByPointer+0x61 (805d3915)
805d390b b8220000c0      mov     eax,0C0000022h
805d3910 e993000000      jmp     nt!PspTerminateThreadByPointer+0xf4 (805d39a8)
805d3915 53              push    ebx
805d3916 33db            xor     ebx,ebx
805d3918 895dfc          mov     dword ptr [ebp-4],ebx
805d391b be50734578      mov     esi,78457350h
805d3920 eb0b            jmp     nt!PspTerminateThreadByPointer+0x79 (805d392d)
805d3922 8d45f4          lea     eax,[ebp-0Ch]
805d3925 50              push    eax
805d3926 53              push    ebx
805d3927 53              push    ebx
805d3928 e84d7ff2ff      call    nt!KeDelayExecutionThread (804fb87a)
805d392d 56              push    esi
805d392e 6a30            push    30h
805d3930 53              push    ebx
805d3931 e83290f7ff      call    nt!ExAllocatePoolWithTag (8054c968)
805d3936 8bf8            mov     edi,eax
805d3938 3bfb            cmp     edi,ebx
805d393a 74e6            je      nt!PspTerminateThreadByPointer+0x6e (805d3922)
805d393c 8b4d08          mov     ecx,dword ptr [ebp+8]
805d393f 33d2            xor     edx,edx
805d3941 42              inc     edx
805d3942 81c148020000    add     ecx,248h
805d3948 8b01            mov     eax,dword ptr [ecx]
805d394a 8bf0            mov     esi,eax
805d394c 0bf2            or      esi,edx
805d394e f00fb131        lock cmpxchg dword ptr [ecx],esi
805d3952 75f6            jne     nt!PspTerminateThreadByPointer+0x96 (805d394a)
805d3954 84c2            test    dl,al
805d3956 7545            jne     nt!PspTerminateThreadByPointer+0xe9 (805d399d)
805d3958 ff750c          push    dword ptr [ebp+0Ch]
805d395b 53              push    ebx
805d395c 6830385d80      push    offset nt!PspExitNormalApc (805d3830)
805d3961 68502a5d80      push    offset nt!ExFreeCallBack (805d2a50)
805d3966 6804385d80      push    offset nt!PsExitSpecialApc (805d3804)
805d396b 53              push    ebx
805d396c ff7508          push    dword ptr [ebp+8]
805d396f 57              push    edi
805d3970 e8299af2ff      call    nt!KeInitializeApc (804fd39e)
805d3975 6a02            push    2
805d3977 53              push    ebx
805d3978 57              push    edi
805d3979 57              push    edi
805d397a e80b9bf2ff      call    nt!KeInsertQueueApc (804fd48a)
805d397f 84c0            test    al,al
805d3981 7510            jne     nt!PspTerminateThreadByPointer+0xdf (805d3993)
805d3983 53              push    ebx
805d3984 57              push    edi
805d3985 e85689f7ff      call    nt!ExFreePoolWithTag (8054c2e0)
805d398a c745fc010000c0  mov     dword ptr [ebp-4],0C0000001h
805d3991 eb11            jmp     nt!PspTerminateThreadByPointer+0xf0 (805d39a4)
805d3993 ff7508          push    dword ptr [ebp+8]


ntoskrnl.exe里的PspTerminateThreadByPointe
lkd> u PspTerminateThreadByPointer l50
nt!PspTerminateThreadByPointer:
8057c3cb 8bff            mov     edi,edi
8057c3cd 55              push    ebp
8057c3ce 8bec            mov     ebp,esp
8057c3d0 83ec0c          sub     esp,0Ch
8057c3d3 834df8ff        or      dword ptr [ebp-8],0FFFFFFFFh
8057c3d7 56              push    esi
8057c3d8 57              push    edi
8057c3d9 8b7d08          mov     edi,dword ptr [ebp+8]
8057c3dc 8db748020000    lea     esi,[edi+248h]
8057c3e2 f60640          test    byte ptr [esi],40h
8057c3e5 c745f4c0bdf0ff  mov     dword ptr [ebp-0Ch],0FFF0BDC0h
8057c3ec 0f8582fb0700    jne     nt!PspTerminateThreadByPointer+0x23 (805fbf74)
8057c3f2 64a124010000    mov     eax,dword ptr fs:[00000124h]
8057c3f8 3bf8            cmp     edi,eax
8057c3fa 0f858d730000    jne     nt!PspTerminateThreadByPointer+0x52 (8058378d)
8057c400 33c0            xor     eax,eax
8057c402 40              inc     eax
8057c403 f00906          lock or dword ptr [esi],eax
8057c406 ff750c          push    dword ptr [ebp+0Ch]
8057c409 e8a4fcffff      call    nt!PspExitThread (8057c0b2)
8057c40e 90              nop
8057c40f 90              nop
8057c410 90              nop
8057c411 90              nop
8057c412 90              nop
nt!CmNotifyRunDown:
8057c413 6a10            push    10h
8057c415 68b8944f80      push    offset nt!`string'+0x70 (804f94b8)
8057c41a e81c70f6ff      call    nt!_SEH_prolog (804e343b)
8057c41f 8b4508          mov     eax,dword ptr [ebp+8]
8057c422 05d4010000      add     eax,1D4h
8057c427 3900            cmp     dword ptr [eax],eax
8057c429 0f859bdd0100    jne     nt!CmNotifyRunDown+0x1c (8059a1ca)
8057c42f e84270f6ff      call    nt!_SEH_epilog (804e3476)
8057c434 c20400          ret     4
8057c437 90              nop
8057c438 90              nop
8057c439 90              nop
8057c43a 90              nop
8057c43b 90              nop
nt!PspThreadDelete:
8057c43c 8bff            mov     edi,edi
8057c43e 55              push    ebp
8057c43f 8bec            mov     ebp,esp
8057c441 51              push    ecx
8057c442 53              push    ebx
8057c443 56              push    esi
8057c444 8b7508          mov     esi,dword ptr [ebp+8]
8057c447 57              push    edi
8057c448 33ff            xor     edi,edi
8057c44a 397e18          cmp     dword ptr [esi+18h],edi
8057c44d 0f85d2f70700    jne     nt!PspThreadDelete+0x13 (805fbc25)
8057c453 8b86f0010000    mov     eax,dword ptr [esi+1F0h]
8057c459 3bc7            cmp     eax,edi
8057c45b 7415            je      nt!PspThreadDelete+0x49 (8057c472)
8057c45d 57              push    edi
8057c45e 50              push    eax
8057c45f ff3560245680    push    dword ptr [nt!PspCidTable (80562460)]
8057c465 e8d8c2feff      call    nt!ExDestroyHandle (80568742)
8057c46a 84c0            test    al,al
8057c46c 0f84ccf70700    je      nt!PspThreadDelete+0x42 (805fbc3e)
8057c472 56              push    esi
8057c473 e89d000000      call    nt!PspDeleteThreadSecurity (8057c515)
8057c478 8b9e20020000    mov     ebx,dword ptr [esi+220h]
8057c47e 3bdf            cmp     ebx,edi
8057c480 895dfc          mov     dword ptr [ebp-4],ebx
8057c483 747c            je      nt!PspThreadDelete+0xea (8057c501)
8057c485 39be2c020000    cmp     dword ptr [esi+22Ch],edi
8057c48b 746c            je      nt!PspThreadDelete+0xe2 (8057c4f9)
8057c48d 64a124010000    mov     eax,dword ptr fs:[00000124h]
8057c493 8bf8            mov     edi,eax
8057c495 ff8fd4000000    dec     dword ptr [edi+0D4h]
8057c49b 83c36c          add     ebx,6Ch
8057c49e 895d08          mov     dword ptr [ebp+8],ebx
8057c4a1 b800000000      mov     eax,0
8057c4a6 8b4d08          mov     ecx,dword ptr [ebp+8]
8057c4a9 ba02000000      mov     edx,2
8057c4ae 0fb111          cmpxchg dword ptr [ecx],edx
8057c4b1 85c0            test    eax,eax
8057c4b3 0f858cf70700    jne     nt!PspThreadDelete+0x90 (805fbc45)
8057c4b9 8b862c020000    mov     eax,dword ptr [esi+22Ch]
8057c4bf 8bb630020000    mov     esi,dword ptr [esi+230h]


很明显ntkrnlpa.exe里的PspTerminateThreadByPointe函数体是连续的,但是ntoskrnl.exe里的PspTerminateThreadByPointe是断开的,请问大牛们,这是为什么呢?

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 0
支持
分享
最新回复 (5)
zhzhtst
雪    币: 462
活跃值: (53)
能力值: ( LV9,RANK:460 )
在线值:
发帖
回帖
粉丝
私信
2
这两个文件是同一个系统中的吗?微软内部在优化代码时会使用一种称为OMAP的技术重新排列生成的二进制代码,以获得最大的执行效率。不过好像从XP系统开始就已经不使用了,主要原因是不方便调试。
2010-2-4 14:32
0
woshiczy
雪    币: 4
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
3
不是同一系统的,一个是在虚拟机的xp3,一个是我本机的xp3.....那如果是这样的,一个函数体断断续续的,那要如何才能操作正确的地址呢?
2010-2-4 16:24
0
woshiczy
雪    币: 4
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
4
......
2010-2-5 00:15
0
woshiczy
雪    币: 4
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
5
顶顶。。。。
2010-2-6 11:15
0
Ally Switch
雪    币: 7994
活跃值: (6319)
能力值: ( LV12,RANK:207 )
在线值:
发帖
回帖
粉丝
私信
6
前几天刚好遇到同样的问题,感谢2楼大佬解答
2020-5-26 10:53
0
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回
//