1 kd> rdmsr 0C0000082h
msr[c0000082] = fffff800`03c8f640

2 kd> ln fffff800`03c8f640
(fffff800`03c8f640)   nt!KiSystemCall64   |  (fffff800`03c8f75e)   nt!KiSystemServiceStart
Exact matches:
    nt!KiSystemCall64 = <no type information>

3 uf fffff800`03c8f640

 ... ...

nt!KiSystemCall64+0x110:
  fffff800`03c8f750 fb              sti
  fffff800`03c8f751 48898be0010000  mov     qword ptr [rbx+1E0h],rcx
  fffff800`03c8f758 8983f8010000    mov     dword ptr [rbx+1F8h],eax
  fffff800`03c8f75e 4889a3d8010000  mov     qword ptr [rbx+1D8h],rsp

  // 1 特征码
  fffff800`03c8f765 8bf8            mov     edi,eax
  fffff800`03c8f767 c1ef07          shr     edi,7
  fffff800`03c8f76a 83e720          and     edi,20h
  fffff800`03c8f76d 25ff0f0000      and     eax,0FFFh

  // 2 0x8d4c 这里会取得nt!KeServiceDescriptorTable的地址
  nt!KiSystemServiceRepeat:
  fffff800`03c8f772 4c8d15c7202300  lea     r10,[nt!KeServiceDescriptorTable (fffff800`03ec1840)]
  fffff800`03c8f779 4c8d1d00212300  lea     r11,[nt!KeServiceDescriptorTableShadow (fffff800`03ec1880)]
  fffff800`03c8f780 f7830001000080000000 test dword ptr [rbx+100h],80h
  fffff800`03c8f78a 4d0f45d3        cmovne  r10,r11
  fffff800`03c8f78e 423b441710      cmp     eax,dword ptr [rdi+r10+10h]
  fffff800`03c8f793 0f83e9020000    jae     nt!KiSystemServiceExit+0x1a7 (fffff800`03c8fa82)
 
  // 3开始计算
  if (*(USHORT*)IterAddr == (USHORT)0x8d4c)
  {
   return (PVOID)(((LONGLONG)IterAddr +7) + *(LONG*)(IterAddr +3));
  }
  此时 CurAddr = fffff800`03c8f772
  ((LONGLONG)CurAddr +7) = fffff800`03c8f772+7 = fffff800`03c8f779 //a
  (CurAddr +3) = fffff800`03c8f775

  kd> dd fffff800`03c8f775
  fffff800`03c8f775  002320c7 001d8d4c f7002321 00010083
  取值002320c7               //b

  fffff800`03c8f779+002320c7 = FFFFF800'03EC1840
  即
  fffff800`03c8f772 4c8d15c7202300  lea     r10,[nt!KeServiceDescriptorTable (fffff800`03ec1840)]

[课程]FART 脱壳王！加量不加价！FART作者讲授！