-
-
[求助]我的call KiAttachProcess 为什么是第二个call呢?[已解决]
-
发表于: 2009-2-9 00:01
-
lkd> uf KeStackAttachProcess
nt!KeStackAttachProcess:
804f89d8 8bff mov edi,edi
804f89da 55 push ebp
804f89db 8bec mov ebp,esp
804f89dd 56 push esi
804f89de 57 push edi
804f89df 64a124010000 mov eax,dword ptr fs:[00000124h]
804f89e5 8bf0 mov esi,eax
804f89e7 64a194090000 mov eax,dword ptr fs:[00000994h]
804f89ed 85c0 test eax,eax
804f89ef 741c je nt!KeStackAttachProcess+0x35 (804f8a0d)
nt!KeStackAttachProcess+0x19:
804f89f1 64a194090000 mov eax,dword ptr fs:[00000994h]
804f89f7 50 push eax
804f89f8 0fb68665010000 movzx eax,byte ptr [esi+165h]
804f89ff 50 push eax
804f8a00 ff7644 push dword ptr [esi+44h]
804f8a03 ff7508 push dword ptr [ebp+8]
804f8a06 6a05 push 5
804f8a08 e89d120000 call nt!KeBugCheckEx (804f9caa)<=====第一个call
nt!KeStackAttachProcess+0x35:
804f8a0d 8b7d08 mov edi,dword ptr [ebp+8]
804f8a10 397e44 cmp dword ptr [esi+44h],edi
804f8a13 750c jne nt!KeStackAttachProcess+0x49 (804f8a21)
nt!KeStackAttachProcess+0x3d:
804f8a15 8b450c mov eax,dword ptr [ebp+0Ch]
804f8a18 c7401001000000 mov dword ptr [eax+10h],1
804f8a1f eb39 jmp nt!KeStackAttachProcess+0x82 (804f8a5a)
nt!KeStackAttachProcess+0x49:
804f8a21 ff1514874d80 call dword ptr [nt!_imp__KeRaiseIrqlToDpcLevel (804d8714)]
804f8a27 80be6501000000 cmp byte ptr [esi+165h],0
804f8a2e 884508 mov byte ptr [ebp+8],al
804f8a31 740f je nt!KeStackAttachProcess+0x6a (804f8a42)
nt!KeStackAttachProcess+0x5b:
804f8a33 ff750c push dword ptr [ebp+0Ch]
804f8a36 ff7508 push dword ptr [ebp+8]
804f8a39 57 push edi
804f8a3a 56 push esi
804f8a3b e898fdffff call nt!KiAttachProcess (804f87d8)<===========第二个call
804f8a40 eb18 jmp nt!KeStackAttachProcess+0x82 (804f8a5a)
nt!KeStackAttachProcess+0x6a:
804f8a42 8d864c010000 lea eax,[esi+14Ch]
804f8a48 50 push eax
804f8a49 ff7508 push dword ptr [ebp+8]
804f8a4c 57 push edi
804f8a4d 56 push esi
804f8a4e e885fdffff call nt!KiAttachProcess (804f87d8)
804f8a53 8b450c mov eax,dword ptr [ebp+0Ch]
804f8a56 83601000 and dword ptr [eax+10h],0
nt!KeStackAttachProcess+0x82:
804f8a5a 5f pop edi
804f8a5b 5e pop esi
804f8a5c 5d pop ebp
804f8a5d c20800 ret 8
不都是第一个CALL是KiAttachProcess吗?我的符号文件有错?自动下载的呀
我的系统是XPSP3
nt!KeStackAttachProcess:
804f89d8 8bff mov edi,edi
804f89da 55 push ebp
804f89db 8bec mov ebp,esp
804f89dd 56 push esi
804f89de 57 push edi
804f89df 64a124010000 mov eax,dword ptr fs:[00000124h]
804f89e5 8bf0 mov esi,eax
804f89e7 64a194090000 mov eax,dword ptr fs:[00000994h]
804f89ed 85c0 test eax,eax
804f89ef 741c je nt!KeStackAttachProcess+0x35 (804f8a0d)
nt!KeStackAttachProcess+0x19:
804f89f1 64a194090000 mov eax,dword ptr fs:[00000994h]
804f89f7 50 push eax
804f89f8 0fb68665010000 movzx eax,byte ptr [esi+165h]
804f89ff 50 push eax
804f8a00 ff7644 push dword ptr [esi+44h]
804f8a03 ff7508 push dword ptr [ebp+8]
804f8a06 6a05 push 5
804f8a08 e89d120000 call nt!KeBugCheckEx (804f9caa)<=====第一个call
nt!KeStackAttachProcess+0x35:
804f8a0d 8b7d08 mov edi,dword ptr [ebp+8]
804f8a10 397e44 cmp dword ptr [esi+44h],edi
804f8a13 750c jne nt!KeStackAttachProcess+0x49 (804f8a21)
nt!KeStackAttachProcess+0x3d:
804f8a15 8b450c mov eax,dword ptr [ebp+0Ch]
804f8a18 c7401001000000 mov dword ptr [eax+10h],1
804f8a1f eb39 jmp nt!KeStackAttachProcess+0x82 (804f8a5a)
nt!KeStackAttachProcess+0x49:
804f8a21 ff1514874d80 call dword ptr [nt!_imp__KeRaiseIrqlToDpcLevel (804d8714)]
804f8a27 80be6501000000 cmp byte ptr [esi+165h],0
804f8a2e 884508 mov byte ptr [ebp+8],al
804f8a31 740f je nt!KeStackAttachProcess+0x6a (804f8a42)
nt!KeStackAttachProcess+0x5b:
804f8a33 ff750c push dword ptr [ebp+0Ch]
804f8a36 ff7508 push dword ptr [ebp+8]
804f8a39 57 push edi
804f8a3a 56 push esi
804f8a3b e898fdffff call nt!KiAttachProcess (804f87d8)<===========第二个call
804f8a40 eb18 jmp nt!KeStackAttachProcess+0x82 (804f8a5a)
nt!KeStackAttachProcess+0x6a:
804f8a42 8d864c010000 lea eax,[esi+14Ch]
804f8a48 50 push eax
804f8a49 ff7508 push dword ptr [ebp+8]
804f8a4c 57 push edi
804f8a4d 56 push esi
804f8a4e e885fdffff call nt!KiAttachProcess (804f87d8)
804f8a53 8b450c mov eax,dword ptr [ebp+0Ch]
804f8a56 83601000 and dword ptr [eax+10h],0
nt!KeStackAttachProcess+0x82:
804f8a5a 5f pop edi
804f8a5b 5e pop esi
804f8a5c 5d pop ebp
804f8a5d c20800 ret 8
不都是第一个CALL是KiAttachProcess吗?我的符号文件有错?自动下载的呀
我的系统是XPSP3
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
|
|
|
|
|
谁有SP2的KeStackAttachProcess
?发上来看下,谢谢 
|
|
|
|
|
|
哦,就是找KeAttachProcess的第一个call,谢谢楼上的朋友
|
