
[原创]windows 7 x64 KiSystemCall64 笔记

2016-3-22 16:08
windows 7 x64 KiSystemCall64 笔记

Win7 x64 本地内核调试:
1.下载liveKd https://download.sysinternals.com/files/LiveKD.zip;
2.解压至windbg根目录;
3.livekd -w

前置:
ntdll!NtCreateDebugObject:                            ; user-mode stub that enters the kernel through KiSystemCall64 (below)
00000000`76d70680 4c8bd1          mov     r10,rcx     ; syscall overwrites rcx with the return RIP, so arg1 is parked in r10; the kernel moves it back (mov rcx, r10)
00000000`76d70683 b890000000      mov     eax,90h     ; system-service number: bits 0-11 = table index, bit 12 selects the shadow (win32k) descriptor
00000000`76d70688 0f05            syscall             ; rcx := RIP of the ret below, r11 := RFLAGS, RIP := MSR_LSTAR
00000000`76d7068a c3              ret                 ; rax holds the NTSTATUS returned via sysret

syscall
{
rcx = rip;            /* return address: the instruction after `syscall`; sysret later reloads RIP from rcx */
r11 = rflags;         /* caller's RFLAGS; sysret reloads RFLAGS from r11 */
...                   /* architectural steps not shown: RFLAGS &= ~IA32_FMASK (MSR 0xC0000084), CS/SS loaded from IA32_STAR (MSR 0xC0000081); RSP is NOT switched — the kernel entry must do that itself */
jmp MSR_LSTAR;        /* MSR_LSTAR = __readmsr(0xC0000082); on Win7 x64 this is KiSystemCall64 below */
}

; ---------------------------------------------------------------------------
; KiSystemCall64 — ring-0 entry reached through MSR_LSTAR on every user-mode `syscall`.
; In:   rax = service number, r10 = arg1 (rcx was clobbered by syscall), rdx/r8/r9 = arg2..4,
;       rcx = user RIP, r11 = user RFLAGS, rsp = user stack, gs = user GS base until swapgs.
; Does: switch to the kernel stack, build a trap frame (rbp = frame + 80h, see var_110),
;       pick the service routine from KeServiceDescriptorTable/Shadow, copy stack-passed
;       arguments after probing the user RSP, call the routine, then return with sysret
;       (user caller) or retn (kernel caller entering at KiSystemServiceStart).
; Structure-member names in the comments are the usual Win7 x64 ones inferred from the
; offsets in this listing; confirm them against symbols before relying on them.
; ---------------------------------------------------------------------------
.text:000000014007F640 KiSystemCall64  proc near               ; DATA XREF: KiInitializeBootStructures+26Eo
.text:000000014007F640
.text:000000014007F640 var_1C0         = qword ptr -1C0h       ; spill slots used only by the perf-logging path (loc_14007FB20)
.text:000000014007F640 var_1B8         = qword ptr -1B8h
.text:000000014007F640 var_1B0         = qword ptr -1B0h
.text:000000014007F640 var_1A8         = qword ptr -1A8h
.text:000000014007F640 var_1A0         = qword ptr -1A0h
.text:000000014007F640 var_178         = qword ptr -178h       ; kernel-side argument area (rdi) in the copy path
.text:000000014007F640 var_110         = byte ptr -110h        ; rsp+190h-110h = rsp+80h: the rbp anchor inside the trap frame
.text:000000014007F640 anonymous_0     = word ptr -90h
.text:000000014007F640 arg_F8          = qword ptr  100h       ; saved RSP slot of the trap frame (used on the kernel-caller exit)
.text:000000014007F640
.text:000000014007F640                 swapgs                  ; swap GS base (MSR C0000101h) with KERNEL_GS_BASE (MSR C0000102h): gs: now addresses the KPCR; paired with the swapgs before sysret
.text:000000014007F643                 mov     gs:10h, rsp     ; save the user RSP in the PCR (rsp is still user-controlled here)
.text:000000014007F64C                 mov     rsp, gs:1A8h    ; switch to the kernel stack; nothing may be pushed before this
.text:000000014007F655                 push    2Bh             ; SS = user-mode data selector (RPL 3)
.text:000000014007F657                 push    qword ptr gs:10h ; user RSP
.text:000000014007F65F                 push    r11             ; user RFLAGS (syscall saved it in r11)
.text:000000014007F661                 push    33h             ; CS = user-mode 64-bit code selector (RPL 3)
.text:000000014007F663                 push    rcx             ; user RIP = the instruction after syscall; these five pushes form the iret-shaped tail of the trap frame
.text:000000014007F664                 mov     rcx, r10        ; move the first argument back into rcx (the ntdll stub parked it in r10 because syscall clobbers rcx)
.text:000000014007F667                 sub     rsp, 8          ; one qword gap (presumably the error-code slot an interrupt frame would have)
.text:000000014007F66B                 push    rbp             ; caller's rbp
.text:000000014007F66C                 sub     rsp, 158h       ; rest of the trap frame
.text:000000014007F673                 lea     rbp, [rsp+190h+var_110] ; rbp = rsp+80h; every [rbp±x] below addresses a trap-frame slot
.text:000000014007F67B                 mov     [rbp+0C0h], rbx ; save the callee-saved registers this routine uses as scratch
.text:000000014007F682                 mov     [rbp+0C8h], rdi
.text:000000014007F689                 mov     [rbp+0D0h], rsi
.text:000000014007F690                 mov     byte ptr [rbp-55h], 2 ; frame marker = 2 (system-service frame) — field name to confirm
.text:000000014007F694                 mov     rbx, gs:188h    ; rbx = current KTHREAD
.text:000000014007F69D                 prefetchw byte ptr [rbx+1D8h] ; warm the line that receives KTHREAD.TrapFrame at KiSystemServiceStart
.text:000000014007F6A4                 stmxcsr dword ptr [rbp-54h] ; save the user's MXCSR in the frame (restored at loc_14007F9C4)
.text:000000014007F6A8                 ldmxcsr dword ptr gs:180h ; load the kernel's MXCSR from the PCR
.text:000000014007F6B1                 cmp     byte ptr [rbx+3], 0 ; KTHREAD.DebugActive
.text:000000014007F6B5                 mov     word ptr [rbp+80h], 0 ; clear the frame's Dr7 slot; the exit path tests it to decide whether debug registers must be restored
.text:000000014007F6BE                 jz      loc_14007F750   ; common case: thread is not being debugged, skip the debug/UMS bookkeeping
.text:000000014007F6C4                 mov     [rbp-50h], rax  ; spill the volatile registers the calls below would clobber
.text:000000014007F6C8                 mov     [rbp-48h], rcx
.text:000000014007F6CC                 mov     [rbp-40h], rdx
.text:000000014007F6D0                 test    byte ptr [rbx+3], 3 ; hardware debug registers in use?
.text:000000014007F6D4                 mov     [rbp-38h], r8   ; (mov does not touch flags, so the test result survives)
.text:000000014007F6D8                 mov     [rbp-30h], r9
.text:000000014007F6DC                 jz      short loc_14007F6E3
.text:000000014007F6DE                 call    KiSaveDebugRegisterState
.text:000000014007F6E3
.text:000000014007F6E3 loc_14007F6E3:                          ; CODE XREF: KiSystemCall64+9Cj
.text:000000014007F6E3                 test    byte ptr [rbx+3], 80h ; UMS-related flag (the path below ends in KiUmsCallEntry) — name to confirm
.text:000000014007F6E7                 jz      short loc_14007F72B
.text:000000014007F6E9                 mov     ecx, 0C0000102h ; KERNEL_GS_BASE: after the swapgs above it holds the *user* GS base
.text:000000014007F6EE                 rdmsr
.text:000000014007F6F0                 shl     rdx, 20h
.text:000000014007F6F4                 or      rax, rdx        ; rax = edx:eax = full 64-bit user GS base
.text:000000014007F6F7                 cmp     [rbx+0B8h], rax ; == KTHREAD.Teb ?
.text:000000014007F6FE                 jz      short loc_14007F72B
.text:000000014007F700                 cmp     [rbx+1B0h], rax ; == the other expected TEB-like value at KTHREAD+1B0h ?
.text:000000014007F707                 jz      short loc_14007F72B
.text:000000014007F709                 mov     rdx, [rbx+1B8h] ; user GS points at a UMS context: record it
.text:000000014007F710                 bts     dword ptr [rbx+4Ch], 0Bh ; set a thread flag bit 11 at KTHREAD+4Ch — name to confirm
.text:000000014007F715                 dec     word ptr [rbx+1C4h] ; looks like a kernel-APC-disable counter (stored negated) — confirm
.text:000000014007F71C                 mov     [rdx+80h], rax
.text:000000014007F723                 sti                     ; interrupts have been off since syscall; frame is complete
.text:000000014007F724                 call    KiUmsCallEntry
.text:000000014007F729                 jmp     short loc_14007F73A
.text:000000014007F72B ; ---------------------------------------------------------------------------
.text:000000014007F72B
.text:000000014007F72B loc_14007F72B:                          ; CODE XREF: KiSystemCall64+A7j
.text:000000014007F72B                                         ; KiSystemCall64+BEj ...
.text:000000014007F72B                 test    byte ptr [rbx+3], 40h
.text:000000014007F72F                 jz      short loc_14007F73A
.text:000000014007F731                 lock bts dword ptr [rbx+100h], 8 ; atomically set bit 8 of the thread flags dword at +100h (the GuiThread test below reads the same dword)
.text:000000014007F73A
.text:000000014007F73A loc_14007F73A:                          ; CODE XREF: KiSystemCall64+E9j
.text:000000014007F73A                                         ; KiSystemCall64+EFj
.text:000000014007F73A                 mov     rax, [rbp-50h]  ; reload the spilled argument registers and service number
.text:000000014007F73E                 mov     rcx, [rbp-48h]
.text:000000014007F742                 mov     rdx, [rbp-40h]
.text:000000014007F746                 mov     r8, [rbp-38h]
.text:000000014007F74A                 mov     r9, [rbp-30h]
.text:000000014007F74E                 xchg    ax, ax          ; 2-byte nop (alignment padding)
.text:000000014007F750
.text:000000014007F750 loc_14007F750:                          ; CODE XREF: KiSystemCall64+7Ej
.text:000000014007F750                 sti                     ; re-enable interrupts now that the trap frame is complete
.text:000000014007F751                 mov     [rbx+1E0h], rcx ; KTHREAD.FirstArgument
.text:000000014007F758                 mov     [rbx+1F8h], eax ; KTHREAD.SystemCallNumber
.text:000000014007F75E
.text:000000014007F75E KiSystemServiceStart:                   ; DATA XREF: KiServiceInternal+5Ao
.text:000000014007F75E                                         ; .data:00000001401EE648o
.text:000000014007F75E                 mov     [rbx+1D8h], rsp ; KTHREAD.TrapFrame = this frame (kernel callers enter here via KiServiceInternal)
.text:000000014007F765                 mov     edi, eax        ; service number
.text:000000014007F767                 shr     edi, 7          ; bit 12 of the number (0x1000 >> 7 = 0x20) ...
.text:000000014007F767                                         ; ... becomes the byte offset of the second (win32k) descriptor inside the table: 0 or 20h
.text:000000014007F76A                 and     edi, 20h
.text:000000014007F76D                 and     eax, 0FFFh      ; index = low 12 bits
.text:000000014007F772
.text:000000014007F772 KiSystemServiceRepeat:                  ; CODE XREF: KiSystemCall64+47Bj
.text:000000014007F772                 lea     r10, KeServiceDescriptorTable
.text:000000014007F779                 lea     r11, KeServiceDescriptorTableShadow
.text:000000014007F780                 test    dword ptr [rbx+100h], 80h ; ThreadFlags & GuiThread (80h)
.text:000000014007F78A                 cmovnz  r10, r11        ; GUI threads use the shadow table, which also carries the win32k descriptor
.text:000000014007F78E                 cmp     eax, [rdi+r10+10h] ; index vs NumberOfServices (unsigned compare, so a "negative" index is also rejected)
.text:000000014007F793                 jnb     loc_14007FA82   ; out of range: GUI conversion / STATUS_INVALID_SYSTEM_SERVICE
.text:000000014007F799                 mov     r10, [rdi+r10]  ; ServiceTable base
.text:000000014007F79D                 movsxd  r11, dword ptr [r10+rax*4] ; entry = signed 32-bit offset from the table base; low 4 bits = number of stack arguments
.text:000000014007F7A1                 mov     rax, r11        ; keep the raw entry; the argument count is extracted at L_SSDT
.text:000000014007F7A4                 sar     r11, 4          ; arithmetic shift: offsets may be negative
.text:000000014007F7A8                 add     r10, r11        ; r10 = table base + (entry >> 4) = service routine address
.text:000000014007F7AB                 cmp     edi, 20h
.text:000000014007F7AE                 jnz     short L_SSDT    ; not a win32k service
.text:000000014007F7B0                 mov     r11, [rbx+0B8h] ; KTHREAD.Teb
.text:000000014007F7B7
.text:000000014007F7B7 KiSystemServiceGdiTebAccess:            ; DATA XREF: KiSystemServiceHandler+Do
.text:000000014007F7B7                 cmp     dword ptr [r11+1740h], 0 ; TEB+1740h (looks like GdiBatchCount): user-mode memory, covered by KiSystemServiceHandler per the XREF
.text:000000014007F7BF                 jz      short L_SSDT
.text:000000014007F7C1                 mov     [rbp-50h], rax  ; preserve rax/rcx/rdx in the frame across the flush call
.text:000000014007F7C5                 mov     [rbp-48h], rcx
.text:000000014007F7C9                 mov     [rbp-40h], rdx
.text:000000014007F7CD                 mov     rbx, r8         ; NOTE: rbx (KTHREAD) is repurposed here; everything after L_SSDT re-reads the thread from gs:188h
.text:000000014007F7D0                 mov     rdi, r9
.text:000000014007F7D3                 mov     rsi, r10
.text:000000014007F7D6                 call    cs:KeGdiFlushUserBatch
.text:000000014007F7DC                 mov     rax, [rbp-50h]
.text:000000014007F7E0                 mov     rcx, [rbp-48h]
.text:000000014007F7E4                 mov     rdx, [rbp-40h]
.text:000000014007F7E8                 mov     r8, rbx
.text:000000014007F7EB                 mov     r9, rdi
.text:000000014007F7EE                 mov     r10, rsi
.text:000000014007F7F1                 db      66h, 66h, 66h, 66h, 66h, 66h ; multi-byte nop: pads L_SSDT to a 16-byte boundary
.text:000000014007F7F1                 nop     word ptr [rax+rax+00000000h]
.text:000000014007F800
.text:000000014007F800 L_SSDT:                                 ; CODE XREF: KiSystemCall64+16Ej
.text:000000014007F800                                         ; KiSystemCall64+17Fj
.text:000000014007F800                 and     eax, 0Fh        ; number of stack-passed arguments (beyond rcx, rdx, r8, r9)
.text:000000014007F803                 jz      KiSystemServiceCopyEnd ; none: skip the copy
.text:000000014007F809                 shl     eax, 3          ; bytes to copy = count * 8
.text:000000014007F80C                 lea     rsp, [rsp-70h]  ; room for up to 14 qwords of arguments (lea keeps the flags from shl)
.text:000000014007F811                 lea     rdi, [rsp+190h+var_178] ; rdi = rsp+18h: rdi+8 = rsp+20h = first stack-argument slot of the callee, just above its 32-byte home area
.text:000000014007F816                 mov     rsi, [rbp+100h] ; user RSP from the trap frame
.text:000000014007F81D                 lea     rsi, [rsi+20h]  ; rsi+8 = user rsp+28h = 5th argument (return address + 4 home slots skipped)
.text:000000014007F821                 test    byte ptr [rbp+0F0h], 1 ; CS RPL bit of the frame: 1 = caller was user mode
.text:000000014007F828                 jz      short loc_14007F840 ; kernel caller: its stack needs no probing
.text:000000014007F82A                 cmp     rsi, cs:MmUserProbeAddress ; probe the user stack pointer ...
.text:000000014007F831                 cmovnb  rsi, cs:MmUserProbeAddress ; ... if it is at/above the user boundary, redirect the copy source so the reads fault (caught by KiSystemServiceHandler) instead of reading kernel memory on the caller's behalf
.text:000000014007F839                 nop     dword ptr [rax+00000000h] ; alignment padding
.text:000000014007F840
.text:000000014007F840 loc_14007F840:                          ; CODE XREF: KiSystemCall64+1E8j
.text:000000014007F840                 lea     r11, KiSystemServiceCopyEnd
.text:000000014007F847                 sub     r11, rax        ; eax = count * 8; each load/store pair below is exactly 8 bytes of code
.text:000000014007F84A                 jmp     r11             ; land `count` pairs before KiSystemServiceCopyEnd: copies arguments count..1 (highest slot first) onto the kernel stack
.text:000000014007F84A                                         ; every 8 bytes of code further up copies one more argument
.text:000000014007F84A ; ---------------------------------------------------------------------------
.text:000000014007F84D                 align 10h
.text:000000014007F850
.text:000000014007F850 KiSystemServiceCopyStart:               ; DATA XREF: KiSystemServiceHandler+1Ao
.text:000000014007F850                 mov     rax, [rsi+70h]  ; 14th stack argument (entered here only when count = 14)
.text:000000014007F854                 mov     [rdi+70h], rax
.text:000000014007F858                 mov     rax, [rsi+68h]
.text:000000014007F85C                 mov     [rdi+68h], rax
.text:000000014007F860                 mov     rax, [rsi+60h]
.text:000000014007F864                 mov     [rdi+60h], rax
.text:000000014007F868                 mov     rax, [rsi+58h]
.text:000000014007F86C                 mov     [rdi+58h], rax
.text:000000014007F870                 mov     rax, [rsi+50h]
.text:000000014007F874                 mov     [rdi+50h], rax
.text:000000014007F878                 mov     rax, [rsi+48h]
.text:000000014007F87C                 mov     [rdi+48h], rax
.text:000000014007F880                 mov     rax, [rsi+40h]
.text:000000014007F884                 mov     [rdi+40h], rax
.text:000000014007F888                 mov     rax, [rsi+38h]
.text:000000014007F88C                 mov     [rdi+38h], rax
.text:000000014007F890                 mov     rax, [rsi+30h]
.text:000000014007F894                 mov     [rdi+30h], rax
.text:000000014007F898                 mov     rax, [rsi+28h]
.text:000000014007F89C                 mov     [rdi+28h], rax
.text:000000014007F8A0                 mov     rax, [rsi+20h]
.text:000000014007F8A4                 mov     [rdi+20h], rax
.text:000000014007F8A8                 mov     rax, [rsi+18h]
.text:000000014007F8AC                 mov     [rdi+18h], rax
.text:000000014007F8B0                 mov     rax, [rsi+10h]
.text:000000014007F8B4                 mov     [rdi+10h], rax
.text:000000014007F8B8                 mov     rax, [rsi+8]    ; 1st stack argument (5th overall)
.text:000000014007F8BC                 mov     [rdi+8], rax
.text:000000014007F8C0
.text:000000014007F8C0 KiSystemServiceCopyEnd:                 ; CODE XREF: KiSystemCall64+1C3j
.text:000000014007F8C0                                         ; DATA XREF: KiSystemServiceHandler+27o ...
.text:000000014007F8C0                 test    cs:dword_140207688, 40h ; performance/syscall-logging switch
.text:000000014007F8CA                 jnz     loc_14007FB20   ; logging path wraps the call with PerfInfoLogSysCallEntry/Exit
.text:000000014007F8D0                 call    r10             ; invoke the service routine; rax = NTSTATUS
.text:000000014007F8D3
.text:000000014007F8D3 loc_14007F8D3:                          ; CODE XREF: KiSystemCall64+535j
.text:000000014007F8D3                 inc     dword ptr gs:2238h ; per-processor system-call counter in the PCR
.text:000000014007F8DB
.text:000000014007F8DB KiSystemServiceExit:                    ; CODE XREF: KiSystemCall64+49Cj
.text:000000014007F8DB                                         ; KiSystemCall64+4A7j
.text:000000014007F8DB                                         ; DATA XREF: ...
.text:000000014007F8DB                 mov     rbx, [rbp+0C0h] ; rax = status to return; restore the callee-saved registers
.text:000000014007F8E2                 mov     rdi, [rbp+0C8h]
.text:000000014007F8E9                 mov     rsi, [rbp+0D0h]
.text:000000014007F8F0                 mov     r11, gs:188h    ; current KTHREAD (rbx may have been repurposed in the GDI path)
.text:000000014007F8F9                 test    byte ptr [rbp+0F0h], 1 ; CS RPL bit: 0 = kernel-mode caller
.text:000000014007F900                 jz      loc_14007FA55   ; kernel caller returns with retn
.text:000000014007F906                 mov     rcx, cr8        ; CR8 = TPR = current IRQL
.text:000000014007F90A                 or      cl, [r11+1F0h]  ; | byte at KTHREAD+1F0h (APC state index?) — confirm
.text:000000014007F911                 or      ecx, [r11+1C4h] ; | dword at KTHREAD+1C4h (combined APC-disable counters?) — confirm
.text:000000014007F918                 jnz     loc_14007FAEC   ; service returned at IRQL > 0 or with APCs still disabled: bugcheck
.text:000000014007F91E                 cli
.text:000000014007F91F                 mov     rcx, gs:188h
.text:000000014007F928                 cmp     byte ptr [rcx+7Ah], 0 ; user APC pending? (KTHREAD+7Ah, looks like ApcState.UserApcPending)
.text:000000014007F92C                 jz      short loc_14007F985
.text:000000014007F92E                 mov     [rbp-50h], rax  ; keep the status
.text:000000014007F932                 xor     eax, eax
.text:000000014007F934                 mov     [rbp-48h], rax  ; zero the frame's volatile-register slots (rcx, rdx, r8-r11) ...
.text:000000014007F938                 mov     [rbp-40h], rax
.text:000000014007F93C                 mov     [rbp-38h], rax
.text:000000014007F940                 mov     [rbp-30h], rax
.text:000000014007F944                 mov     [rbp-28h], rax
.text:000000014007F948                 mov     [rbp-20h], rax
.text:000000014007F94C                 pxor    xmm0, xmm0
.text:000000014007F950                 movaps  xmmword ptr [rbp-10h], xmm0 ; ... and the xmm0-xmm5 slots before APC delivery
.text:000000014007F954                 movaps  xmmword ptr [rbp+0], xmm0
.text:000000014007F958                 movaps  xmmword ptr [rbp+10h], xmm0
.text:000000014007F95C                 movaps  xmmword ptr [rbp+20h], xmm0
.text:000000014007F960                 movaps  xmmword ptr [rbp+30h], xmm0
.text:000000014007F964                 movaps  xmmword ptr [rbp+40h], xmm0
.text:000000014007F968                 mov     ecx, 1
.text:000000014007F96D                 mov     cr8, rcx        ; raise IRQL to 1 (APC level)
.text:000000014007F971                 sti
.text:000000014007F972                 call    KiInitiateUserApc
.text:000000014007F977                 cli
.text:000000014007F978                 mov     ecx, 0
.text:000000014007F97D                 mov     cr8, rcx        ; back to IRQL 0
.text:000000014007F981                 mov     rax, [rbp-50h]  ; status
.text:000000014007F985
.text:000000014007F985 loc_14007F985:                          ; CODE XREF: KiSystemCall64+2ECj
.text:000000014007F985                 mov     rcx, gs:188h
.text:000000014007F98E                 test    dword ptr [rcx], 40020000h ; either of two header flags; each is re-tested individually below
.text:000000014007F994                 jz      short loc_14007F9C4
.text:000000014007F996                 mov     [rbp-50h], rax
.text:000000014007F99A                 test    byte ptr [rcx+2], 2 ; flag at +2 bit 1: copy hardware counters
.text:000000014007F99E                 jz      short loc_14007F9AE
.text:000000014007F9A0                 call    KiCopyCounters
.text:000000014007F9A5                 mov     rcx, gs:188h
.text:000000014007F9AE
.text:000000014007F9AE loc_14007F9AE:                          ; CODE XREF: KiSystemCall64+35Ej
.text:000000014007F9AE                 test    byte ptr [rcx+3], 40h ; flag at +3 bit 6: UMS exit
.text:000000014007F9B2                 jz      short loc_14007F9C0
.text:000000014007F9B4                 lea     rsp, [rbp-80h]  ; rsp = trap frame base
.text:000000014007F9B8                 xor     rcx, rcx
.text:000000014007F9BB                 call    KiUmsExit
.text:000000014007F9C0
.text:000000014007F9C0 loc_14007F9C0:                          ; CODE XREF: KiSystemCall64+372j
.text:000000014007F9C0                 mov     rax, [rbp-50h]
.text:000000014007F9C4
.text:000000014007F9C4 loc_14007F9C4:                          ; CODE XREF: KiSystemCall64+354j
.text:000000014007F9C4                 ldmxcsr dword ptr [rbp-54h] ; restore the user's MXCSR
.text:000000014007F9C8                 xor     r10, r10        ; r10 (held the routine address) goes back to user mode zeroed
.text:000000014007F9CB                 cmp     word ptr [rbp+80h], 0 ; Dr7 slot cleared at entry; non-zero only if the debug-register path filled it
.text:000000014007F9D3                 jz      short loc_14007FA13 ; fast path: nothing to restore
.text:000000014007F9D5                 mov     [rbp-50h], rax
.text:000000014007F9D9                 call    KiRestoreDebugRegisterState
.text:000000014007F9DE                 mov     rax, gs:188h
.text:000000014007F9E7                 mov     rax, [rax+70h]  ; KTHREAD+70h: owning process (ApcState.Process)
.text:000000014007F9EB                 mov     rax, [rax+100h] ; KPROCESS+100h: looks like the per-process instrumentation callback — confirm
.text:000000014007F9F2                 or      rax, rax
.text:000000014007F9F5                 jz      short loc_14007FA0F ; none set
.text:000000014007F9F7                 cmp     word ptr [rbp+0F0h], 33h ; only for 64-bit user-mode callers (CS = 33h)
.text:000000014007F9FF                 jnz     short loc_14007FA0F
.text:000000014007FA01                 mov     r10, [rbp+0E8h] ; r10 = the real user return RIP ...
.text:000000014007FA08                 mov     [rbp+0E8h], rax ; ... and user mode resumes in the callback instead
.text:000000014007FA0F
.text:000000014007FA0F loc_14007FA0F:                          ; CODE XREF: KiSystemCall64+3B5j
.text:000000014007FA0F                                         ; KiSystemCall64+3BFj
.text:000000014007FA0F                 mov     rax, [rbp-50h]
.text:000000014007FA13
.text:000000014007FA13 loc_14007FA13:                          ; CODE XREF: KiSystemCall64+393j
.text:000000014007FA13                 mov     r8, [rbp+100h]  ; user RSP
.text:000000014007FA1A                 mov     r9, [rbp+0D8h]  ; user RBP
.text:000000014007FA21                 xor     edx, edx        ; scrub rdx and xmm0-xmm5 so kernel register contents are not handed to user mode (only rax carries the result)
.text:000000014007FA23                 pxor    xmm0, xmm0
.text:000000014007FA27                 pxor    xmm1, xmm1
.text:000000014007FA2B                 pxor    xmm2, xmm2
.text:000000014007FA2F                 pxor    xmm3, xmm3
.text:000000014007FA33                 pxor    xmm4, xmm4
.text:000000014007FA37                 pxor    xmm5, xmm5
.text:000000014007FA3B                 mov     rcx, [rbp+0E8h] ; rcx = user RIP (sysret target)
.text:000000014007FA42                 mov     r11, [rbp+0F8h] ; r11 = user RFLAGS (sysret reloads RFLAGS from r11)
.text:000000014007FA49                 mov     rbp, r9
.text:000000014007FA4C                 mov     rsp, r8         ; rsp is the user stack again: no memory access from here to sysret
.text:000000014007FA4F                 swapgs                  ; pair of the entry swapgs: gs: is the user GS base again
.text:000000014007FA52                 sysret                  ; return to user mode: RIP <- rcx, RFLAGS <- r11
.text:000000014007FA55
.text:000000014007FA55 loc_14007FA55:                          ; CODE XREF: KiSystemCall64+2C0j
.text:000000014007FA55                 mov     rdx, [rbp+0B8h] ; kernel-mode caller: previous trap-frame link saved in this frame
.text:000000014007FA5C                 mov     [r11+1D8h], rdx ; KTHREAD.TrapFrame = previous frame
.text:000000014007FA63                 mov     dl, [rbp-58h]   ; saved previous mode
.text:000000014007FA66                 mov     [r11+1F6h], dl  ; KTHREAD.PreviousMode restored (offset per this listing)
.text:000000014007FA6D                 cli
.text:000000014007FA6E                 mov     rsp, rbp
.text:000000014007FA71                 mov     rbp, [rbp+0D8h] ; caller's rbp
.text:000000014007FA78                 mov     rsp, [rsp+arg_F8] ; caller's rsp from the frame's Rsp slot
.text:000000014007FA80                 sti
.text:000000014007FA81                 retn                    ; back to the kernel caller (KiServiceInternal path)
.text:000000014007FA82 ; ---------------------------------------------------------------------------
.text:000000014007FA82
.text:000000014007FA82 loc_14007FA82:                          ; CODE XREF: KiSystemCall64+153j
.text:000000014007FA82                 cmp     edi, 20h        ; service number out of range; was it a win32k number?
.text:000000014007FA85                 jnz     short loc_14007FAE2 ; no: STATUS_INVALID_SYSTEM_SERVICE
.text:000000014007FA87                 mov     [rbp-80h], eax  ; preserve index and argument registers across the conversion
.text:000000014007FA8A                 mov     [rbp-78h], rcx
.text:000000014007FA8E                 mov     [rbp-70h], rdx
.text:000000014007FA92                 mov     [rbp-68h], r8
.text:000000014007FA96                 mov     [rbp-60h], r9
.text:000000014007FA9A                 call    KiConvertToGuiThread ; first win32k call on this thread: convert it (new stack)
.text:000000014007FA9F                 or      eax, eax        ; ZF = (status == 0); the movs below do not touch flags
.text:000000014007FAA1                 mov     eax, [rbp-80h]
.text:000000014007FAA4                 mov     rcx, [rbp-78h]
.text:000000014007FAA8                 mov     rdx, [rbp-70h]
.text:000000014007FAAC                 mov     r8, [rbp-68h]
.text:000000014007FAB0                 mov     r9, [rbp-60h]
.text:000000014007FAB4                 mov     [rbx+1D8h], rsp ; KTHREAD.TrapFrame (rbx still holds the thread on this path)
.text:000000014007FABB                 jz      KiSystemServiceRepeat ; conversion succeeded: redo the lookup with the shadow table
.text:000000014007FAC1                 lea     rdi, unk_1402B18A0 ; looks like the win32k descriptor (table at +0, count at +10h) — confirm
.text:000000014007FAC8                 mov     esi, [rdi+10h]
.text:000000014007FACB                 mov     rdi, [rdi]
.text:000000014007FACE                 cmp     eax, esi        ; index within the win32k count?
.text:000000014007FAD0                 jnb     short loc_14007FAE2
.text:000000014007FAD2                 lea     rdi, [rdi+rsi*4] ; skip count*4 bytes of offsets: a byte table follows
.text:000000014007FAD6                 movsx   eax, byte ptr [rax+rdi] ; per-service fallback value for a thread that could not be converted
.text:000000014007FADA                 or      eax, eax
.text:000000014007FADC                 jle     KiSystemServiceExit ; <= 0: return it as the status
.text:000000014007FAE2
.text:000000014007FAE2 loc_14007FAE2:                          ; CODE XREF: KiSystemCall64+445j
.text:000000014007FAE2                                         ; KiSystemCall64+490j
.text:000000014007FAE2                 mov     eax, 0C000001Ch ; STATUS_INVALID_SYSTEM_SERVICE
.text:000000014007FAE7                 jmp     KiSystemServiceExit
.text:000000014007FAEC ; ---------------------------------------------------------------------------
.text:000000014007FAEC
.text:000000014007FAEC loc_14007FAEC:                          ; CODE XREF: KiSystemCall64+2D8j
.text:000000014007FAEC                 mov     ecx, 4Ah        ; bugcheck 4Ah IRQL_GT_ZERO_AT_SYSTEM_SERVICE ...
.text:000000014007FAF1                 xor     r9d, r9d
.text:000000014007FAF4                 mov     r8, cr8         ; ... if the IRQL really is above 0
.text:000000014007FAF8                 or      r8d, r8d
.text:000000014007FAFB                 jnz     short loc_14007FB11
.text:000000014007FAFD                 mov     ecx, 1          ; otherwise bugcheck 1 APC_INDEX_MISMATCH
.text:000000014007FB02                 movzx   r8d, byte ptr [r11+1F0h] ; parameters: the two APC counters tested at KiSystemServiceExit
.text:000000014007FB0A                 mov     r9d, [r11+1C4h]
.text:000000014007FB11
.text:000000014007FB11 loc_14007FB11:                          ; CODE XREF: KiSystemCall64+4BBj
.text:000000014007FB11                 mov     rdx, [rbp+0E8h] ; parameter: user RIP from the trap frame
.text:000000014007FB18                 mov     r10, rbp        ; trap frame anchor for the dispatcher
.text:000000014007FB1B                 call    KiBugCheckDispatch ; does not return
.text:000000014007FB20 ; ---------------------------------------------------------------------------
.text:000000014007FB20
.text:000000014007FB20 loc_14007FB20:                          ; CODE XREF: KiSystemCall64+28Aj
.text:000000014007FB20                 sub     rsp, 50h        ; logging path: home space + spill slots for the argument registers and r10
.text:000000014007FB24                 mov     [rsp+1E0h+var_1C0], rcx
.text:000000014007FB29                 mov     [rsp+1E0h+var_1B8], rdx
.text:000000014007FB2E                 mov     [rsp+1E0h+var_1B0], r8
.text:000000014007FB33                 mov     [rsp+1E0h+var_1A8], r9
.text:000000014007FB38                 mov     [rsp+1E0h+var_1A0], r10
.text:000000014007FB3D                 mov     rcx, r10        ; log the routine address
.text:000000014007FB40                 call    PerfInfoLogSysCallEntry
.text:000000014007FB45                 mov     rcx, [rsp+1E0h+var_1C0]
.text:000000014007FB4A                 mov     rdx, [rsp+1E0h+var_1B8]
.text:000000014007FB4F                 mov     r8, [rsp+1E0h+var_1B0]
.text:000000014007FB54                 mov     r9, [rsp+1E0h+var_1A8]
.text:000000014007FB59                 mov     r10, [rsp+1E0h+var_1A0]
.text:000000014007FB5E                 add     rsp, 50h        ; rsp is back at the copied-argument area before the call
.text:000000014007FB62                 call    r10             ; invoke the service routine
.text:000000014007FB65                 mov     [rbp-50h], rax
.text:000000014007FB69                 mov     rcx, rax        ; log the status
.text:000000014007FB6C                 call    PerfInfoLogSysCallExit
.text:000000014007FB71                 mov     rax, [rbp-50h]
.text:000000014007FB75                 jmp     loc_14007F8D3   ; rejoin the normal exit (counter bump, then KiSystemServiceExit)
.text:000000014007FB75 KiSystemCall64  endp


感谢分享, 前阵子还找了一下GS的资料, 在这里又发现顺带提到了

看起来果然很像笔记(或注释)
2016-3-22 17:36
我现在才知道以livekd -w方式启动可以本机调试
2016-3-22 18:34
r11 指向的代码就是下面 KiSystemServiceCopyStart 到 KiSystemServiceCopyEnd 之间的拷贝序列 (r11 = KiSystemServiceCopyEnd - 参数个数*8)
2020-11-21 17:17
楼主写的不错
2020-11-21 17:17