I'm a newbie who has just started learning kernel programming, and working it out on my own is slow going. Today I ran into another strange problem: when I disassemble the KeStackAttachProcess function in windbg, the disassembly result is sometimes different. Can kernel function code really change depending on circumstances? The code is as follows:
kd> u KeStackAttachProcess KeStackAttachProcess+100
nt!KeStackAttachProcess:
804f234f 8bff mov edi,edi
804f2351 55 push ebp
804f2352 8bec mov ebp,esp
804f2354 56 push esi
804f2355 57 push edi
804f2356 64a124010000 mov eax,dword ptr fs:[00000124h]
804f235c 8bf0 mov esi,eax
804f235e 64a194090000 mov eax,dword ptr fs:[00000994h]
804f2364 85c0 test eax,eax
804f2366 0f85ebbc0200 jne nt!KeStackAttachProcess+0x19 (8051e057)
804f236c 8b7d08 mov edi,dword ptr [ebp+8]
804f236f 397e44 cmp dword ptr [esi+44h],edi
804f2372 7434 je nt!KeStackAttachProcess+0x3d (804f23a8)
804f2374 ff1594864d80 call dword ptr [nt!_imp__KeRaiseIrqlToDpcLevel (804d8694)]
804f237a 80be6501000000 cmp byte ptr [esi+165h],0
804f2381 884508 mov byte ptr [ebp+8],al
804f2384 0f85e9bc0200 jne nt!KeStackAttachProcess+0x5b (8051e073)
804f238a 8d864c010000 lea eax,[esi+14Ch]
804f2390 50 push eax
804f2391 ff7508 push dword ptr [ebp+8]
804f2394 57 push edi
804f2395 56 push esi
804f2396 e84fa0ffff call nt!KiAttachProcess (804ec3ea)
804f239b 8b450c mov eax,dword ptr [ebp+0Ch]
804f239e 83601000 and dword ptr [eax+10h],0
804f23a2 5f pop edi
804f23a3 5e pop esi
804f23a4 5d pop ebp
804f23a5 c20800 ret 8
804f23a8 8b450c mov eax,dword ptr [ebp+0Ch]
804f23ab c7401001000000 mov dword ptr [eax+10h],1
804f23b2 ebee jmp nt!KeStackAttachProcess+0x82 (804f23a2)
804f23b4 90 nop
804f23b5 90 nop
804f23b6 90 nop
804f23b7 90 nop
804f23b8 ff ???
804f23b9 ff ???
804f23ba ff ???
Why are there so many question marks, and why is KiAttachProcess called only once? Did the decoding go wrong? Is there a problem with this disassembly? Several times the disassembly came out correct, with KeStackAttachProcess calling KiAttachProcess twice. What is the reason...
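An added example, not code from the post: a small Python parser for the windbg `u` listing format shown above (the sample is a trimmed copy of that output). It flags the `???` lines, which windbg prints where it could not read or decode the bytes, counts the `call` instructions naming a given symbol, and lists branches whose targets fall outside the listed range, since a linear `u` listing does not show what runs there.

```python
import re
from typing import NamedTuple, Optional
# Constructed sample: a trimmed copy of the windbg `u` output quoted in the post.
SAMPLE = """\
kd> u KeStackAttachProcess KeStackAttachProcess+100
nt!KeStackAttachProcess:
804f234f 8bff mov edi,edi
804f2366 0f85ebbc0200 jne nt!KeStackAttachProcess+0x19 (8051e057)
804f2374 ff1594864d80 call dword ptr [nt!_imp__KeRaiseIrqlToDpcLevel (804d8694)]
804f2396 e84fa0ffff call nt!KiAttachProcess (804ec3ea)
804f23a5 c20800 ret 8
804f23b2 ebee jmp nt!KeStackAttachProcess+0x82 (804f23a2)
804f23b8 ff ???
804f23b9 ff ???
"""

class Insn(NamedTuple):
    addr: int
    opcode: bytes
    mnemonic: str   # "???" when windbg could not read or decode the bytes
    operands: str

LINE_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]+)\s+(\S+)\s*(.*)$", re.I)
TARGET_RE = re.compile(r"\(([0-9a-f]{8})\)\s*$", re.I)

def parse_listing(text: str) -> list:
    """Parse windbg `u` output lines; the prompt and symbol header are skipped."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            insns.append(Insn(int(m[1], 16), bytes.fromhex(m[2]), m[3].lower(), m[4].strip()))
    return insns

def calls_to(insns: list, symbol: str) -> list:
    """Addresses of call instructions whose operand mentions `symbol`."""
    return [i.addr for i in insns if i.mnemonic == "call" and symbol in i.operands]

def first_unreadable(insns: list) -> Optional[int]:
    """First address windbg printed as '???', i.e. where readable memory ended."""
    return next((i.addr for i in insns if i.mnemonic == "???"), None)

def branches_leaving_range(insns: list) -> list:
    """(branch addr, target) for jumps whose target lies outside the listed range."""
    lo, hi = insns[0].addr, insns[-1].addr
    hits = [(i.addr, int(m[1], 16)) for i in insns
            if i.mnemonic.startswith("j") and (m := TARGET_RE.search(i.operands))]
    return [(a, t) for a, t in hits if not lo <= t <= hi]
```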