Re: Question: what interfaces are there for switching from user mode to kernel mode?

Windows Kernel Debugging

Question: what interfaces are there for switching from user mode to kernel mode?


pch 2008-11-26, 08:07 AM
What interfaces are there for switching from user mode to kernel mode?

Re: Question: what interfaces are there for switching from user mode to kernel mode?


手语 2008-11-26, 09:08 AM
Native APIs
How could the swan know the sparrow's ambitions?

Re: Question: what interfaces are there for switching from user mode to kernel mode?


王宇 2008-11-26, 11:27 AM

80596542 8bff            mov     edi,edi
80596544 55              push    ebp
80596545 8bec            mov     ebp,esp
80596547 837d1803        cmp     dword ptr [ebp+18h],3
8059654b 7760            ja      nt!KeAddSystemServiceTable+0x6b (805965ad)
8059654d 8b4518          mov     eax,dword ptr [ebp+18h]
80596550 c1e004          shl     eax,4
80596553 83b88031558000  cmp     dword ptr nt!KeServiceDescriptorTable (80553180)[eax],0
8059655a 7551            jne     nt!KeAddSystemServiceTable+0x6b (805965ad)
8059655c 8d8840315580    lea     ecx,nt!KeServiceDescriptorTableShadow (80553140)[eax]
80596562 833900          cmp     dword ptr [ecx],0
80596565 7546            jne     nt!KeAddSystemServiceTable+0x6b (805965ad)
80596567 837d1801        cmp     dword ptr [ebp+18h],1
8059656b 8b5508          mov     edx,dword ptr [ebp+8]


kd> dd 80553140
80553140  80502030 00000000 0000011c 805024a4
80553150  bf997600 00000000 0000029b bf998310
80553160  00000000 00000000 00000000 00000000
80553170  00000000 00000000 00000000 00000000
80553180  80502030 00000000 0000011c 805024a4
80553190  00000000 00000000 00000000 00000000
805531a0  00000000 00000000 00000000 00000000
805531b0  00000000 00000000 00000000 00000000


SOURCE:

    // WRK definition of the routine disassembled above; the parameters map onto
    // the stack slots in the listing (Index is [ebp+18h], Base is [ebp+8]).
    BOOLEAN
    KeAddSystemServiceTable (
        IN PULONG_PTR Base,
        IN PULONG Count OPTIONAL,
        IN ULONG Limit,
        IN PUCHAR Number,
        IN ULONG Index
        )
    {
    PAGED_CODE();

    //
    // If a system service table is already defined for the specified
    // index, then return FALSE. Otherwise, establish the new system
    // service table.
    //

    if ((Index > NUMBER_SERVICE_TABLES - 1) ||
        (KeServiceDescriptorTable[Index].Base != NULL) ||
        (KeServiceDescriptorTableShadow[Index].Base != NULL)) {

        return FALSE;

    } else {

        //
        // If the service table index is equal to the Win32 table, then
        // only update the shadow system service table. Otherwise, both
        // the shadow and static system service tables are updated.
        //

        KeServiceDescriptorTableShadow[Index].Base = Base;
        KeServiceDescriptorTableShadow[Index].Count = Count;
        KeServiceDescriptorTableShadow[Index].Limit = Limit;
        KeServiceDescriptorTableShadow[Index].Number = Number;
        if (Index != WIN32K_SERVICE_INDEX) {
            KeServiceDescriptorTable[Index].Base = Base;
            KeServiceDescriptorTable[Index].Count = Count;
            KeServiceDescriptorTable[Index].Limit = Limit;
            KeServiceDescriptorTable[Index].Number = Number;
        }

        return TRUE;
    }
    }

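To make the relationship between the quoted `dd 80553140` dump and the source above concrete, here is an added example (not code from the thread or from the WRK) that parses that dump into the shadow and static descriptor arrays and models the checks KeAddSystemServiceTable performs. The 16-byte entry layout follows the `shl eax,4` in the disassembly; the value of WIN32K_SERVICE_INDEX (1) is an assumption.

```python
# Added example: decode the quoted KeServiceDescriptorTable dump and model the
# slot checks of KeAddSystemServiceTable. Layout assumed from the listing:
# NUMBER_SERVICE_TABLES entries of 16 bytes (Base, Count, Limit, Number),
# shadow array at 80553140, static array at 80553180.

# Constructed from the `kd> dd 80553140` output quoted in the post above.
DUMP = """
80553140  80502030 00000000 0000011c 805024a4
80553150  bf997600 00000000 0000029b bf998310
80553160  00000000 00000000 00000000 00000000
80553170  00000000 00000000 00000000 00000000
80553180  80502030 00000000 0000011c 805024a4
80553190  00000000 00000000 00000000 00000000
805531a0  00000000 00000000 00000000 00000000
805531b0  00000000 00000000 00000000 00000000
"""
NUMBER_SERVICE_TABLES = 4
WIN32K_SERVICE_INDEX = 1          # assumed value of the WRK constant
SHADOW_BASE, STATIC_BASE = 0x80553140, 0x80553180

def parse_dd(text):
    """Turn `dd` output into {address: dword}, one entry per 4-byte column."""
    mem = {}
    for line in text.strip().splitlines():
        addr, *dwords = line.split()
        for i, d in enumerate(dwords):
            mem[int(addr, 16) + 4 * i] = int(d, 16)
    return mem

def descriptor_table(mem, base):
    """Decode NUMBER_SERVICE_TABLES entries of {Base, Count, Limit, Number}."""
    fields = ("Base", "Count", "Limit", "Number")
    return [{f: mem[base + 16 * i + 4 * j] for j, f in enumerate(fields)}
            for i in range(NUMBER_SERVICE_TABLES)]

def ke_add_system_service_table(static, shadow, base, count, limit, number, index):
    """Model of the quoted logic: reject out-of-range or already-used slots,
    always fill the shadow entry, fill the static entry except for win32k."""
    if index > NUMBER_SERVICE_TABLES - 1 or static[index]["Base"] or shadow[index]["Base"]:
        return False
    shadow[index].update(Base=base, Count=count, Limit=limit, Number=number)
    if index != WIN32K_SERVICE_INDEX:
        static[index].update(Base=base, Count=count, Limit=limit, Number=number)
    return True

MEM = parse_dd(DUMP)
SHADOW = descriptor_table(MEM, SHADOW_BASE)   # index 1 holds the win32k table
STATIC = descriptor_table(MEM, STATIC_BASE)   # index 1 stays empty, as the source says
```

Decoding the dump this way shows why the static array has an empty slot 1 while the shadow array carries win32k's table with Limit 0x29b, which is exactly the `Index != WIN32K_SERVICE_INDEX` branch in the source.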
Re: Question: what interfaces are there for switching from user mode to kernel mode?


MJ0011 2008-11-26, 11:39 AM
1. sysenter
2. interrupt trap
3. exception

Re: Question: what interfaces are there for switching from user mode to kernel mode?


pch 2008-11-27, 12:29 PM
Could you explain that in detail? Thanks.

Re: Question: what interfaces are there for switching from user mode to kernel mode?


sudami 2008-11-28, 09:06 AM
You are too lazy.
Nobody has the time to teach you step by step like a child.

Re: Question: what interfaces are there for switching from user mode to kernel mode?


pch 2008-11-28, 09:21 AM
Sorry, I am a beginner and many things are still unclear to me; I am working hard at it.
kd> u nt!KiSystemCallExit L20
nt!KiSystemCallExit [C:\WRK-v1.2\base\ntos\ke\i386\trap.asm @ 1396]:
8088998f cf iretd
nt!KiSystemCallExit2 [C:\WRK-v1.2\base\ntos\ke\i386\trap.asm @ 1396]:
80889990 f744240800010000 test dword ptr [esp+8],100h
80889998 75f5 jne nt!KiSystemCallExit (8088998f)
8088999a 5a pop edx
8088999b 83c404 add esp,4
8088999e 812424fffdffff and dword ptr [esp],0FFFFFDFFh
808899a5 9d popfd
808899a6 59 pop ecx
808899a7 fb sti
808899a8 0f35 sysexit
nt!KiSystemCallExit3 [C:\WRK-v1.2\base\ntos\ke\i386\trap.asm @ 1396]:
808899aa 59 pop ecx
808899ab 83c408 add esp,8
808899ae 5c pop esp
808899af 0f07 sysret
808899b1 cf iretd
808899b2 8bff mov edi,edi
808899b4 f7457000000200 test dword ptr [ebp+70h],20000h
808899bb 750d jne nt!KiSystemCallExit3+0x20 (808899ca)
808899bd f7456c01000000 test dword ptr [ebp+6Ch],1
808899c4 0f8464ffffff je nt!KiServiceExit+0x90 (8088992e)
808899ca 33db xor ebx,ebx
808899cc 8b7518 mov esi,dword ptr [ebp+18h]
808899cf 8b7d1c mov edi,dword ptr [ebp+1Ch]
808899d2 0f23fb mov dr7,ebx
808899d5 0f23c6 mov dr0,esi
808899d8 8b5d20 mov ebx,dword ptr [ebp+20h]
808899db 0f23cf mov dr1,edi
808899de 0f23d3 mov dr2,ebx
808899e1 8b7524 mov esi,dword ptr [ebp+24h]
808899e4 8b7d28 mov edi,dword ptr [ebp+28h]
808899e7 8b5d2c mov ebx,dword ptr [ebp+2Ch]
808899ea 0f23de mov dr3,esi
Why do all of the lines above show the same location, i386\trap.asm @ 1396?
;
; Exit from SystemService
;

EXIT_ALL NoRestoreSegs, NoRestoreVolatile
Why don't the disassembly and the source code line up? I'm confused.

Re: Question: what interfaces are there for switching from user mode to kernel mode?


compiler 2008-11-29, 12:31 PM
Because all of the code above is produced by expanding the EXIT_ALL macro, so line number 1396 means roughly the same thing as a C macro substitution.
