windows 7 x64 KiSystemCall64 笔记
Win7 x64 本地内核调试:
1.下载liveKd https://download.sysinternals.com/files/LiveKD.zip;
2.解压至windbg根目录;
3.livekd -w
前置:
ntdll!NtCreateDebugObject: ; user-mode stub as shown by windbg (address  opcode bytes  instruction)
00000000`76d70680 4c8bd1 mov r10,rcx ; syscall overwrites rcx with the return RIP, so the first argument is parked in r10 (KiSystemCall64 moves it back with `mov rcx, r10`)
00000000`76d70683 b890000000 mov eax,90h ; system service index (0x90 on this build); low 12 bits = table index, bit 12 selects the shadow (win32k) table
00000000`76d70688 0f05 syscall ; control transfers to MSR_LSTAR = KiSystemCall64
00000000`76d7068a c3 ret ; rax = NTSTATUS returned by the kernel
/* Pseudo-code for what the CPU does on `syscall` (simplified). Only the two
 * register side effects that the kernel entry relies on are spelled out;
 * the full sequence is in the Intel SDM. */
syscall
{
rcx = rip; /* save rip for syscall return: KiSystemCall64 pushes it into the trap frame and sysret reloads rip from rcx */
r11 = rflags; /* save rflags to r11: pushed into the trap frame and reloaded by sysret */
... /* elided: cs/ss are loaded from IA32_STAR and rflags is masked with IA32_FMASK (this is why IF stays clear until the kernel's sti) */
jmp MSR_LSTAR; /* MSR_LSTAR = __readmsr(0xC0000082); points at KiSystemCall64 (below) */
}
;-----------------------------------------------------------------------
; KiSystemCall64 -- ntoskrnl.exe, Windows 7 x64 (IDA listing). Target of
; MSR_LSTAR, i.e. the first kernel instruction after a user-mode `syscall`.
; In (from the CPU / ntdll stub): rcx = user return RIP, r11 = user RFLAGS,
;   eax = system service number, r10 = first argument (the stub moved it out
;   of rcx), rdx/r8/r9 = arguments 2-4, further arguments at [user rsp+20h].
; Kernel-mode callers enter at KiSystemServiceStart (XREF: KiServiceInternal)
;   and leave through loc_14007FA55 (retn); user-mode callers leave via sysret.
; Frame: the pushes plus `sub rsp, 8` / `push rbp` / `sub rsp, 158h` build a
;   190h-byte frame; rbp = frame + 80h, so every [rbp+/-x] below is a frame
;   field. The offsets are consistent with the KTRAP_FRAME layout (+0E8h Rip,
;   +0F0h SegCs, +0F8h EFlags, +100h Rsp, -50h Rax ...) -- confirm with symbols.
;-----------------------------------------------------------------------
.text:000000014007F640 KiSystemCall64 proc near ; DATA XREF: KiInitializeBootStructures+26Eo
.text:000000014007F640
.text:000000014007F640 var_1C0 = qword ptr -1C0h ; var_1C0..var_1A0: spill slots used by the perf-logging path (loc_14007FB20)
.text:000000014007F640 var_1B8 = qword ptr -1B8h
.text:000000014007F640 var_1B0 = qword ptr -1B0h
.text:000000014007F640 var_1A8 = qword ptr -1A8h
.text:000000014007F640 var_1A0 = qword ptr -1A0h
.text:000000014007F640 var_178 = qword ptr -178h ; destination base for copied stack arguments (L_SSDT)
.text:000000014007F640 var_110 = byte ptr -110h ; rbp anchor: rbp = rsp + 190h - 110h
.text:000000014007F640 anonymous_0 = word ptr -90h
.text:000000014007F640 arg_F8 = qword ptr 100h ; frame Rsp slot, read by the kernel-caller return path
.text:000000014007F640
.text:000000014007F640 swapgs ; swap GS base (MSR C0000101h) with kernel GS base (MSR C0000102h): gs: now addresses the KPCR
.text:000000014007F643 mov gs:10h, rsp ; save the user-mode rsp in the KPCR
.text:000000014007F64C mov rsp, gs:1A8h ; switch to the kernel stack (per-processor stack base)
.text:000000014007F655 push 2Bh ; user SS selector (ring-3 data, RPL 3)
.text:000000014007F657 push qword ptr gs:10h ; user rsp (read back below as [rbp+100h])
.text:000000014007F65F push r11 ; r11 holds the user RFLAGS (placed there by syscall)
.text:000000014007F661 push 33h ; user CS selector (ring-3 code, RPL 3); read back below as [rbp+0F0h]
.text:000000014007F663 push rcx ; rcx holds the user return RIP, the instruction after syscall; read back below as [rbp+0E8h]
.text:000000014007F664 mov rcx, r10 ; restore the first service argument into rcx (the ntdll stub parked it in r10)
.text:000000014007F667 sub rsp, 8 ; one more frame slot (error-code slot, presumably); not written here
.text:000000014007F66B push rbp ; caller rbp -> frame slot [rbp+0D8h]
.text:000000014007F66C sub rsp, 158h ; remainder of the 190h-byte frame
.text:000000014007F673 lea rbp, [rsp+190h+var_110] ; rbp = frame + 80h
.text:000000014007F67B mov [rbp+0C0h], rbx ; save callee-saved rbx/rdi/rsi; they are used as scratch below and restored at KiSystemServiceExit
.text:000000014007F682 mov [rbp+0C8h], rdi
.text:000000014007F689 mov [rbp+0D0h], rsi
.text:000000014007F690 mov byte ptr [rbp-55h], 2 ; frame byte at +2Bh := 2 (looks like KTRAP_FRAME.ExceptionActive, "system service") -- confirm
.text:000000014007F694 mov rbx, gs:188h ; rbx = current KTHREAD
.text:000000014007F69D prefetchw byte ptr [rbx+1D8h] ; pre-touch KTHREAD+1D8h for write; it is stored to at KiSystemServiceStart
.text:000000014007F6A4 stmxcsr dword ptr [rbp-54h] ; save the user MXCSR in the frame; restored at loc_14007F9C4
.text:000000014007F6A8 ldmxcsr dword ptr gs:180h ; load the kernel's MXCSR from the per-processor area
.text:000000014007F6B1 cmp byte ptr [rbx+3], 0 ; DebugActive
.text:000000014007F6B5 mov word ptr [rbp+80h], 0 ; frame word tested at exit to decide whether debug-register state must be restored
.text:000000014007F6BE jz loc_14007F750 ; normally taken: DebugActive == 0 (see above)
.text:000000014007F6C4 mov [rbp-50h], rax ; spill rax/rcx/rdx/r8/r9 into the frame around the calls below
.text:000000014007F6C8 mov [rbp-48h], rcx
.text:000000014007F6CC mov [rbp-40h], rdx
.text:000000014007F6D0 test byte ptr [rbx+3], 3 ; low two DebugActive bits (debug-register state in use, presumably)
.text:000000014007F6D4 mov [rbp-38h], r8
.text:000000014007F6D8 mov [rbp-30h], r9
.text:000000014007F6DC jz short loc_14007F6E3
.text:000000014007F6DE call KiSaveDebugRegisterState
.text:000000014007F6E3
.text:000000014007F6E3 loc_14007F6E3: ; CODE XREF: KiSystemCall64+9Cj
.text:000000014007F6E3 test byte ptr [rbx+3], 80h ; DebugActive bit 7: UMS (user-mode scheduling) thread, presumably -- see KiUmsCallEntry below
.text:000000014007F6E7 jz short loc_14007F72B
.text:000000014007F6E9 mov ecx, 0C0000102h ; read MSR C0000102h -- after the swapgs above it holds the *user* GS base
.text:000000014007F6EE rdmsr
.text:000000014007F6F0 shl rdx, 20h
.text:000000014007F6F4 or rax, rdx ; rax = edx:eax = user GS base
.text:000000014007F6F7 cmp [rbx+0B8h], rax ; KTHREAD+0B8h (Teb, presumably)
.text:000000014007F6FE jz short loc_14007F72B
.text:000000014007F700 cmp [rbx+1B0h], rax ; second expected GS base stored in the KTHREAD
.text:000000014007F707 jz short loc_14007F72B
.text:000000014007F709 mov rdx, [rbx+1B8h] ; user GS base matches neither: UMS bookkeeping, then KiUmsCallEntry
.text:000000014007F710 bts dword ptr [rbx+4Ch], 0Bh ; set bit 11 of the flag dword at KTHREAD+4Ch
.text:000000014007F715 dec word ptr [rbx+1C4h] ; KTHREAD+1C4h: checked again on exit (loc_14007FAEC); looks like KernelApcDisable -- confirm
.text:000000014007F71C mov [rdx+80h], rax ; record the observed user GS base in the object at KTHREAD+1B8h
.text:000000014007F723 sti ; enable interrupts (syscall entered with IF masked)
.text:000000014007F724 call KiUmsCallEntry
.text:000000014007F729 jmp short loc_14007F73A
.text:000000014007F72B ; ---------------------------------------------------------------------------
.text:000000014007F72B
.text:000000014007F72B loc_14007F72B: ; CODE XREF: KiSystemCall64+A7j
.text:000000014007F72B ; KiSystemCall64+BEj ...
.text:000000014007F72B test byte ptr [rbx+3], 40h ; DebugActive bit 6
.text:000000014007F72F jz short loc_14007F73A
.text:000000014007F731 lock bts dword ptr [rbx+100h], 8 ; atomically set bit 8 of ThreadFlags (KTHREAD+100h)
.text:000000014007F73A
.text:000000014007F73A loc_14007F73A: ; CODE XREF: KiSystemCall64+E9j
.text:000000014007F73A ; KiSystemCall64+EFj
.text:000000014007F73A mov rax, [rbp-50h] ; reload the spilled service number and arguments
.text:000000014007F73E mov rcx, [rbp-48h]
.text:000000014007F742 mov rdx, [rbp-40h]
.text:000000014007F746 mov r8, [rbp-38h]
.text:000000014007F74A mov r9, [rbp-30h]
.text:000000014007F74E xchg ax, ax ; 2-byte NOP: pads loc_14007F750 to a 16-byte boundary
.text:000000014007F750
.text:000000014007F750 loc_14007F750: ; CODE XREF: KiSystemCall64+7Ej
.text:000000014007F750 sti ; re-enable interrupts (syscall entered with IF masked)
.text:000000014007F751 mov [rbx+1E0h], rcx ; KTHREAD+1E0h := first argument (FirstArgument)
.text:000000014007F758 mov [rbx+1F8h], eax ; KTHREAD+1F8h := service number (SystemCallNumber)
.text:000000014007F75E
.text:000000014007F75E KiSystemServiceStart: ; DATA XREF: KiServiceInternal+5Ao
.text:000000014007F75E ; .data:00000001401EE648o
.text:000000014007F75E ; kernel-mode callers (KiServiceInternal) enter here with the frame already built
.text:000000014007F75E mov [rbx+1D8h], rsp ; KTHREAD+1D8h := this frame (TrapFrame)
.text:000000014007F765 mov edi, eax ; system service number
.text:000000014007F767 shr edi, 7 ; 0x1000 >> 7 == 0x20;
.text:000000014007F767 ; bit 12 of the service number selects the second descriptor, and 0x20 is its offset inside KeServiceDescriptorTableShadow (the win32k table)
.text:000000014007F76A and edi, 20h ; edi = 0 (ntoskrnl table) or 20h (second table)
.text:000000014007F76D and eax, 0FFFh ; eax = index within the selected table
.text:000000014007F772
.text:000000014007F772 KiSystemServiceRepeat: ; CODE XREF: KiSystemCall64+47Bj
.text:000000014007F772 lea r10, KeServiceDescriptorTable
.text:000000014007F779 lea r11, KeServiceDescriptorTableShadow
.text:000000014007F780 test dword ptr [rbx+100h], 80h ; ThreadFlags & GuiThread(0x80)
.text:000000014007F78A cmovnz r10, r11 ; GUI threads use the shadow descriptor
.text:000000014007F78E cmp eax, [rdi+r10+10h] ; NumberOfServices: bounds check on the (user-supplied) index
.text:000000014007F793 jnb loc_14007FA82 ; out of range -> GUI conversion attempt / STATUS_INVALID_SYSTEM_SERVICE
.text:000000014007F799 mov r10, [rdi+r10] ; ServiceTable (base of the packed entry array)
.text:000000014007F79D movsxd r11, dword ptr [r10+rax*4] ; packed entry: (offset << 4) | stack-argument count, sign-extended
.text:000000014007F7A1 mov rax, r11 ; keep the raw entry; its low nibble is extracted at L_SSDT
.text:000000014007F7A4 sar r11, 4 ; the low four bits hold the number of stack arguments; the rest is the signed offset
.text:000000014007F7A8 add r10, r11 ; ServiceTable + (entry >> 4) = address of the service routine
.text:000000014007F7AB cmp edi, 20h ; win32k table?
.text:000000014007F7AE jnz short L_SSDT
.text:000000014007F7B0 mov r11, [rbx+0B8h] ; KTHREAD+0B8h (Teb, presumably)
.text:000000014007F7B7
.text:000000014007F7B7 KiSystemServiceGdiTebAccess: ; DATA XREF: KiSystemServiceHandler+Do
.text:000000014007F7B7 ; the TEB read below touches user memory; the XREF suggests KiSystemServiceHandler covers it
.text:000000014007F7B7 cmp dword ptr [r11+1740h], 0 ; TEB+1740h (GdiBatchCount, presumably): pending GDI batch?
.text:000000014007F7BF jz short L_SSDT
.text:000000014007F7C1 mov [rbp-50h], rax ; flush the user GDI batch first: spill rax/rcx/rdx, park r8/r9/r10 in callee-saved rbx/rdi/rsi
.text:000000014007F7C5 mov [rbp-48h], rcx
.text:000000014007F7C9 mov [rbp-40h], rdx
.text:000000014007F7CD mov rbx, r8 ; note: rbx no longer holds the KTHREAD from here on; the exit path re-reads gs:188h
.text:000000014007F7D0 mov rdi, r9
.text:000000014007F7D3 mov rsi, r10
.text:000000014007F7D6 call cs:KeGdiFlushUserBatch
.text:000000014007F7DC mov rax, [rbp-50h] ; restore everything
.text:000000014007F7E0 mov rcx, [rbp-48h]
.text:000000014007F7E4 mov rdx, [rbp-40h]
.text:000000014007F7E8 mov r8, rbx
.text:000000014007F7EB mov r9, rdi
.text:000000014007F7EE mov r10, rsi
.text:000000014007F7F1 db 66h, 66h, 66h, 66h, 66h, 66h ; 15-byte NOP (6 x 66h prefix + nop word ptr): pads L_SSDT to a 16-byte boundary
.text:000000014007F7F1 nop word ptr [rax+rax+00000000h]
.text:000000014007F800
.text:000000014007F800 L_SSDT: ; CODE XREF: KiSystemCall64+16Ej
.text:000000014007F800 ; KiSystemCall64+17Fj
.text:000000014007F800 and eax, 0Fh ; stack-argument count (low nibble of the packed entry)
.text:000000014007F803 jz KiSystemServiceCopyEnd ; no stack arguments: nothing to copy
.text:000000014007F809 shl eax, 3 ; count * 8 = bytes of copy code to execute (one 8-byte mov pair per argument)
.text:000000014007F80C lea rsp, [rsp-70h] ; reserve 70h bytes (14 slots) for the copied arguments (lea: flags untouched)
.text:000000014007F811 lea rdi, [rsp+190h+var_178] ; rdi = rsp+18h, so [rdi+8] = rsp+20h: the first stack-argument slot the callee sees after `call r10` (rsp..rsp+20h is its home space)
.text:000000014007F816 mov rsi, [rbp+100h] ; saved caller rsp (user rsp for user-mode callers)
.text:000000014007F81D lea rsi, [rsi+20h] ; skip the caller's 32-byte home space: first stack argument
.text:000000014007F821 test byte ptr [rbp+0F0h], 1 ; RPL bit of the saved CS: was the caller user mode?
.text:000000014007F828 jz short loc_14007F840 ; kernel caller: no probing needed
.text:000000014007F82A cmp rsi, cs:MmUserProbeAddress ; user caller: rsi is user-controlled, so clamp it below the user/kernel boundary;
.text:000000014007F831 cmovnb rsi, cs:MmUserProbeAddress ; the copy can then never read kernel memory, and an invalid user page faults inside KiSystemServiceCopyStart..End (covered by KiSystemServiceHandler, per the XREFs)
.text:000000014007F839 nop dword ptr [rax+00000000h] ; padding: aligns loc_14007F840
.text:000000014007F840
.text:000000014007F840 loc_14007F840: ; CODE XREF: KiSystemCall64+1E8j
.text:000000014007F840 lea r11, KiSystemServiceCopyEnd
.text:000000014007F847 sub r11, rax ; eax = count * 8: back up one mov pair per argument
.text:000000014007F84A jmp r11 ; computed jump into the copy sequence below, which copies the arguments onto the kernel stack;
.text:000000014007F84A ; every 8 bytes earlier in the sequence copies one more argument (argument N first, argument 1 last)
.text:000000014007F84A ; ---------------------------------------------------------------------------
.text:000000014007F84D align 10h
.text:000000014007F850
.text:000000014007F850 KiSystemServiceCopyStart: ; DATA XREF: KiSystemServiceHandler+1Ao
.text:000000014007F850 ; start of the faultable copy range; each pair is 8 bytes of code: user [rsi+N*8] -> kernel [rdi+N*8]
.text:000000014007F850 mov rax, [rsi+70h] ; 14th stack argument
.text:000000014007F854 mov [rdi+70h], rax
.text:000000014007F858 mov rax, [rsi+68h]
.text:000000014007F85C mov [rdi+68h], rax
.text:000000014007F860 mov rax, [rsi+60h]
.text:000000014007F864 mov [rdi+60h], rax
.text:000000014007F868 mov rax, [rsi+58h]
.text:000000014007F86C mov [rdi+58h], rax
.text:000000014007F870 mov rax, [rsi+50h]
.text:000000014007F874 mov [rdi+50h], rax
.text:000000014007F878 mov rax, [rsi+48h]
.text:000000014007F87C mov [rdi+48h], rax
.text:000000014007F880 mov rax, [rsi+40h]
.text:000000014007F884 mov [rdi+40h], rax
.text:000000014007F888 mov rax, [rsi+38h]
.text:000000014007F88C mov [rdi+38h], rax
.text:000000014007F890 mov rax, [rsi+30h]
.text:000000014007F894 mov [rdi+30h], rax
.text:000000014007F898 mov rax, [rsi+28h]
.text:000000014007F89C mov [rdi+28h], rax
.text:000000014007F8A0 mov rax, [rsi+20h]
.text:000000014007F8A4 mov [rdi+20h], rax
.text:000000014007F8A8 mov rax, [rsi+18h]
.text:000000014007F8AC mov [rdi+18h], rax
.text:000000014007F8B0 mov rax, [rsi+10h]
.text:000000014007F8B4 mov [rdi+10h], rax
.text:000000014007F8B8 mov rax, [rsi+8] ; 1st stack argument
.text:000000014007F8BC mov [rdi+8], rax
.text:000000014007F8C0
.text:000000014007F8C0 KiSystemServiceCopyEnd: ; CODE XREF: KiSystemCall64+1C3j
.text:000000014007F8C0 ; DATA XREF: KiSystemServiceHandler+27o ...
.text:000000014007F8C0 ; end of the faultable copy range
.text:000000014007F8C0 test cs:dword_140207688, 40h ; performance-logging switch: when set, go through the PerfInfoLogSysCall* path
.text:000000014007F8CA jnz loc_14007FB20
.text:000000014007F8D0 call r10 ; invoke the system service (rcx, rdx, r8, r9 + copied stack args); result in rax
.text:000000014007F8D3
.text:000000014007F8D3 loc_14007F8D3: ; CODE XREF: KiSystemCall64+535j
.text:000000014007F8D3 inc dword ptr gs:2238h ; per-processor system-call counter, presumably
.text:000000014007F8DB
.text:000000014007F8DB KiSystemServiceExit: ; CODE XREF: KiSystemCall64+49Cj
.text:000000014007F8DB ; KiSystemCall64+4A7j
.text:000000014007F8DB ; DATA XREF: ...
.text:000000014007F8DB ; rax = return value of the service
.text:000000014007F8DB mov rbx, [rbp+0C0h] ; restore the caller's rbx/rdi/rsi from the frame
.text:000000014007F8E2 mov rdi, [rbp+0C8h]
.text:000000014007F8E9 mov rsi, [rbp+0D0h]
.text:000000014007F8F0 mov r11, gs:188h ; re-read the current KTHREAD (rbx no longer holds it)
.text:000000014007F8F9 test byte ptr [rbp+0F0h], 1 ; RPL bit of the saved CS: returning to user mode?
.text:000000014007F900 jz loc_14007FA55 ; kernel caller: return with retn
.text:000000014007F906 mov rcx, cr8 ; current IRQL
.text:000000014007F90A or cl, [r11+1F0h] ; | KTHREAD+1F0h (ApcStateIndex, presumably)
.text:000000014007F911 or ecx, [r11+1C4h] ; | KTHREAD+1C4h (CombinedApcDisable, presumably)
.text:000000014007F918 jnz loc_14007FAEC ; any of them nonzero on the way back to user mode -> bugcheck
.text:000000014007F91E cli ; interrupts stay off until sysret reloads RFLAGS (except around KiInitiateUserApc)
.text:000000014007F91F mov rcx, gs:188h
.text:000000014007F928 cmp byte ptr [rcx+7Ah], 0 ; KTHREAD+7Ah (ApcState.UserApcPending, presumably)
.text:000000014007F92C jz short loc_14007F985 ; no user APC pending
.text:000000014007F92E mov [rbp-50h], rax ; keep the service result in the frame Rax slot
.text:000000014007F932 xor eax, eax
.text:000000014007F934 mov [rbp-48h], rax ; zero the frame's rcx/rdx/r8/r9/r10/r11 slots ...
.text:000000014007F938 mov [rbp-40h], rax
.text:000000014007F93C mov [rbp-38h], rax
.text:000000014007F940 mov [rbp-30h], rax
.text:000000014007F944 mov [rbp-28h], rax
.text:000000014007F948 mov [rbp-20h], rax
.text:000000014007F94C pxor xmm0, xmm0
.text:000000014007F950 movaps xmmword ptr [rbp-10h], xmm0 ; ... and its six XMM slots (movaps: the frame is 16-byte aligned) before building the APC
.text:000000014007F954 movaps xmmword ptr [rbp+0], xmm0
.text:000000014007F958 movaps xmmword ptr [rbp+10h], xmm0
.text:000000014007F95C movaps xmmword ptr [rbp+20h], xmm0
.text:000000014007F960 movaps xmmword ptr [rbp+30h], xmm0
.text:000000014007F964 movaps xmmword ptr [rbp+40h], xmm0
.text:000000014007F968 mov ecx, 1 ; raise IRQL to 1 (APC_LEVEL)
.text:000000014007F96D mov cr8, rcx
.text:000000014007F971 sti
.text:000000014007F972 call KiInitiateUserApc ; deliver the pending user APC
.text:000000014007F977 cli
.text:000000014007F978 mov ecx, 0 ; back to IRQL 0
.text:000000014007F97D mov cr8, rcx
.text:000000014007F981 mov rax, [rbp-50h] ; restore the service result
.text:000000014007F985
.text:000000014007F985 loc_14007F985: ; CODE XREF: KiSystemCall64+2ECj
.text:000000014007F985 mov rcx, gs:188h
.text:000000014007F98E test dword ptr [rcx], 40020000h ; KTHREAD header flag bits (counter profiling / UMS exit, presumably)
.text:000000014007F994 jz short loc_14007F9C4
.text:000000014007F996 mov [rbp-50h], rax
.text:000000014007F99A test byte ptr [rcx+2], 2
.text:000000014007F99E jz short loc_14007F9AE
.text:000000014007F9A0 call KiCopyCounters
.text:000000014007F9A5 mov rcx, gs:188h
.text:000000014007F9AE
.text:000000014007F9AE loc_14007F9AE: ; CODE XREF: KiSystemCall64+35Ej
.text:000000014007F9AE test byte ptr [rcx+3], 40h ; DebugActive bit 6 (same bit tested at loc_14007F72B)
.text:000000014007F9B2 jz short loc_14007F9C0
.text:000000014007F9B4 lea rsp, [rbp-80h] ; rsp = frame base
.text:000000014007F9B8 xor rcx, rcx ; argument 0
.text:000000014007F9BB call KiUmsExit
.text:000000014007F9C0
.text:000000014007F9C0 loc_14007F9C0: ; CODE XREF: KiSystemCall64+372j
.text:000000014007F9C0 mov rax, [rbp-50h]
.text:000000014007F9C4
.text:000000014007F9C4 loc_14007F9C4: ; CODE XREF: KiSystemCall64+354j
.text:000000014007F9C4 ldmxcsr dword ptr [rbp-54h] ; restore the user MXCSR saved at entry
.text:000000014007F9C8 xor r10, r10 ; r10 returns to user mode as 0 unless the instrumentation path below fills it
.text:000000014007F9CB cmp word ptr [rbp+80h], 0 ; zeroed at entry; nonzero means debug-register state was saved, presumably
.text:000000014007F9D3 jz short loc_14007FA13
.text:000000014007F9D5 mov [rbp-50h], rax
.text:000000014007F9D9 call KiRestoreDebugRegisterState
.text:000000014007F9DE mov rax, gs:188h ; KTHREAD
.text:000000014007F9E7 mov rax, [rax+70h] ; KTHREAD+70h (ApcState.Process, presumably)
.text:000000014007F9EB mov rax, [rax+100h] ; process field at +100h: looks like the instrumentation-callback address -- confirm with symbols
.text:000000014007F9F2 or rax, rax ; none registered?
.text:000000014007F9F5 jz short loc_14007FA0F
.text:000000014007F9F7 cmp word ptr [rbp+0F0h], 33h ; only when returning to user-mode code (saved CS == 33h)
.text:000000014007F9FF jnz short loc_14007FA0F
.text:000000014007FA01 mov r10, [rbp+0E8h] ; hand the original return RIP to the callback in r10 ...
.text:000000014007FA08 mov [rbp+0E8h], rax ; ... and resume user mode at the callback instead
.text:000000014007FA0F
.text:000000014007FA0F loc_14007FA0F: ; CODE XREF: KiSystemCall64+3B5j
.text:000000014007FA0F ; KiSystemCall64+3BFj
.text:000000014007FA0F mov rax, [rbp-50h]
.text:000000014007FA13
.text:000000014007FA13 loc_14007FA13: ; CODE XREF: KiSystemCall64+393j
.text:000000014007FA13 mov r8, [rbp+100h] ; user rsp
.text:000000014007FA1A mov r9, [rbp+0D8h] ; user rbp
.text:000000014007FA21 xor edx, edx ; scrub the volatile registers that are not reloaded from the frame,
.text:000000014007FA23 pxor xmm0, xmm0 ; so no kernel values leak to user mode through rdx / xmm0-xmm5
.text:000000014007FA27 pxor xmm1, xmm1
.text:000000014007FA2B pxor xmm2, xmm2
.text:000000014007FA2F pxor xmm3, xmm3
.text:000000014007FA33 pxor xmm4, xmm4
.text:000000014007FA37 pxor xmm5, xmm5
.text:000000014007FA3B mov rcx, [rbp+0E8h] ; sysret: rcx = return RIP
.text:000000014007FA42 mov r11, [rbp+0F8h] ; sysret: r11 = RFLAGS
.text:000000014007FA49 mov rbp, r9
.text:000000014007FA4C mov rsp, r8 ; back on the user stack (interrupts are off, so this is safe before swapgs)
.text:000000014007FA4F swapgs ; GS base back to the user value
.text:000000014007FA52 sysret ; -> user mode at rcx with RFLAGS = r11
.text:000000014007FA55
.text:000000014007FA55 loc_14007FA55: ; CODE XREF: KiSystemCall64+2C0j
.text:000000014007FA55 ; return path for kernel-mode callers (entered at KiSystemServiceStart)
.text:000000014007FA55 mov rdx, [rbp+0B8h] ; previous trap-frame pointer held in this frame (not written in this listing; presumably by KiServiceInternal)
.text:000000014007FA5C mov [r11+1D8h], rdx ; KTHREAD+1D8h (TrapFrame) := previous frame
.text:000000014007FA63 mov dl, [rbp-58h] ; saved previous-mode byte (frame +28h), presumably
.text:000000014007FA66 mov [r11+1F6h], dl ; KTHREAD+1F6h := it (PreviousMode, presumably)
.text:000000014007FA6D cli
.text:000000014007FA6E mov rsp, rbp
.text:000000014007FA71 mov rbp, [rbp+0D8h] ; caller rbp
.text:000000014007FA78 mov rsp, [rsp+arg_F8] ; caller rsp (frame Rsp slot)
.text:000000014007FA80 sti
.text:000000014007FA81 retn ; the return address is on the caller's stack
.text:000000014007FA82 ; ---------------------------------------------------------------------------
.text:000000014007FA82
.text:000000014007FA82 loc_14007FA82: ; CODE XREF: KiSystemCall64+153j
.text:000000014007FA82 ; service index >= NumberOfServices
.text:000000014007FA82 cmp edi, 20h ; was the second (win32k) table selected?
.text:000000014007FA85 jnz short loc_14007FAE2 ; no -> STATUS_INVALID_SYSTEM_SERVICE
.text:000000014007FA87 mov [rbp-80h], eax ; spill number and arguments below the frame
.text:000000014007FA8A mov [rbp-78h], rcx
.text:000000014007FA8E mov [rbp-70h], rdx
.text:000000014007FA92 mov [rbp-68h], r8
.text:000000014007FA96 mov [rbp-60h], r9
.text:000000014007FA9A call KiConvertToGuiThread ; the shadow table is only consulted for GUI threads: try to convert this one
.text:000000014007FA9F or eax, eax ; result flags survive the movs below
.text:000000014007FAA1 mov eax, [rbp-80h]
.text:000000014007FAA4 mov rcx, [rbp-78h]
.text:000000014007FAA8 mov rdx, [rbp-70h]
.text:000000014007FAAC mov r8, [rbp-68h]
.text:000000014007FAB0 mov r9, [rbp-60h]
.text:000000014007FAB4 mov [rbx+1D8h], rsp ; re-store the frame pointer in the KTHREAD (the conversion may have moved the stack -- confirm)
.text:000000014007FABB jz KiSystemServiceRepeat ; converted (eax == 0): retry the lookup, GuiThread is now set
.text:000000014007FAC1 lea rdi, unk_1402B18A0 ; conversion failed: table with the same [+0] base / [+10h] count layout as a service descriptor, presumably
.text:000000014007FAC8 mov esi, [rdi+10h]
.text:000000014007FACB mov rdi, [rdi]
.text:000000014007FACE cmp eax, esi
.text:000000014007FAD0 jnb short loc_14007FAE2
.text:000000014007FAD2 lea rdi, [rdi+rsi*4] ; signed byte at base + count*4 + index
.text:000000014007FAD6 movsx eax, byte ptr [rax+rdi]
.text:000000014007FADA or eax, eax
.text:000000014007FADC jle KiSystemServiceExit ; byte <= 0: it is returned as the status (sign-extended)
.text:000000014007FAE2
.text:000000014007FAE2 loc_14007FAE2: ; CODE XREF: KiSystemCall64+445j
.text:000000014007FAE2 ; KiSystemCall64+490j
.text:000000014007FAE2 mov eax, 0C000001Ch ; STATUS_INVALID_SYSTEM_SERVICE
.text:000000014007FAE7 jmp KiSystemServiceExit
.text:000000014007FAEC ; ---------------------------------------------------------------------------
.text:000000014007FAEC
.text:000000014007FAEC loc_14007FAEC: ; CODE XREF: KiSystemCall64+2D8j
.text:000000014007FAEC ; IRQL / APC state inconsistent on return to user mode
.text:000000014007FAEC mov ecx, 4Ah ; bugcheck 4Ah (IRQL_GT_ZERO_AT_SYSTEM_SERVICE)
.text:000000014007FAF1 xor r9d, r9d
.text:000000014007FAF4 mov r8, cr8 ; IRQL
.text:000000014007FAF8 or r8d, r8d
.text:000000014007FAFB jnz short loc_14007FB11 ; IRQL != 0: code 4Ah with r8 = IRQL
.text:000000014007FAFD mov ecx, 1 ; otherwise bugcheck 1 (APC_INDEX_MISMATCH) ...
.text:000000014007FB02 movzx r8d, byte ptr [r11+1F0h] ; ... with the two APC fields as parameters
.text:000000014007FB0A mov r9d, [r11+1C4h]
.text:000000014007FB11
.text:000000014007FB11 loc_14007FB11: ; CODE XREF: KiSystemCall64+4BBj
.text:000000014007FB11 mov rdx, [rbp+0E8h] ; return RIP as a parameter
.text:000000014007FB18 mov r10, rbp
.text:000000014007FB1B call KiBugCheckDispatch ; does not return
.text:000000014007FB20 ; ---------------------------------------------------------------------------
.text:000000014007FB20
.text:000000014007FB20 loc_14007FB20: ; CODE XREF: KiSystemCall64+28Aj
.text:000000014007FB20 ; performance-logging variant of the service call
.text:000000014007FB20 sub rsp, 50h ; spill rcx/rdx/r8/r9/r10 above the copied arguments
.text:000000014007FB24 mov [rsp+1E0h+var_1C0], rcx
.text:000000014007FB29 mov [rsp+1E0h+var_1B8], rdx
.text:000000014007FB2E mov [rsp+1E0h+var_1B0], r8
.text:000000014007FB33 mov [rsp+1E0h+var_1A8], r9
.text:000000014007FB38 mov [rsp+1E0h+var_1A0], r10
.text:000000014007FB3D mov rcx, r10 ; argument = service routine address
.text:000000014007FB40 call PerfInfoLogSysCallEntry
.text:000000014007FB45 mov rcx, [rsp+1E0h+var_1C0] ; restore
.text:000000014007FB4A mov rdx, [rsp+1E0h+var_1B8]
.text:000000014007FB4F mov r8, [rsp+1E0h+var_1B0]
.text:000000014007FB54 mov r9, [rsp+1E0h+var_1A8]
.text:000000014007FB59 mov r10, [rsp+1E0h+var_1A0]
.text:000000014007FB5E add rsp, 50h
.text:000000014007FB62 call r10 ; invoke the system service
.text:000000014007FB65 mov [rbp-50h], rax ; keep the result, log the exit with it in rcx, restore
.text:000000014007FB69 mov rcx, rax
.text:000000014007FB6C call PerfInfoLogSysCallExit
.text:000000014007FB71 mov rax, [rbp-50h]
.text:000000014007FB75 jmp loc_14007F8D3 ; join the common exit path
.text:000000014007FB75 KiSystemCall64 endp