Re: 请问Winxp sp2中KiFastCallEntry进入kisystemservice的方式?

Windows内核

请问Winxp sp2中KiFastCallEntry进入kisystemservice的方式?

merry 2009-03-26, 13:52 下午

在我的PC上反汇编KiFastCallEntry和kisystemservice的结果(见下面1)、2) )分别如下,从地址前后来看,KiFastCallEntry进入kisystemservice应该不是《软件调试》P181一书所提到的Fall Through方式,但是我从KiFastCallEntry的反汇编结果中也看不出KiFastCallEntry如何进入kisystemservice的.

我查询到《Nt vs. Zw - Clearing Confusion on the Native API》(见下面引用)一文提到KiFastCallEntry进入kisystemservice的方式是通过jmp nt!KiSystemService+0x5c (8053a357),可我在反汇编结果中也没有找到这个指令。

Q:请问Winxp sp2中KiFastCallEntry进入kisystemservice的方式? 谢谢!


Quote: ==>《Nt vs. Zw - Clearing Confusion on the Native API》
We can see here that KiFastCallEntry does not actually return, it just does an unconditional jump to some offset into KiSystemService.

在我PC上反汇编的结果:
1)
kd> u nt!KiFastCallEntry l30
nt!KiFastCallEntry:
80865930 b923000000      mov     ecx,23h
80865935 6a30            push    30h
80865937 0fa1            pop     fs
80865939 8ed9            mov     ds,cx
8086593b 8ec1            mov     es,cx
8086593d 8b0d40f0dfff    mov     ecx,dword ptr ds:[0FFDFF040h]
80865943 8b6104          mov     esp,dword ptr [ecx+4]
80865946 6a23            push    23h
80865948 52              push    edx
80865949 9c              pushfd
8086594a 6a02            push    2
8086594c 83c208          add     edx,8
8086594f 9d              popfd
80865950 804c240102      or      byte ptr [esp+1],2
80865955 6a1b            push    1Bh
80865957 ff350403dfff    push    dword ptr ds:[0FFDF0304h]
8086595d 6a00            push    0
8086595f 55              push    ebp
80865960 53              push    ebx
80865961 56              push    esi
80865962 57              push    edi
80865963 8b1d1cf0dfff    mov     ebx,dword ptr ds:[0FFDFF01Ch]
80865969 6a3b            push    3Bh
8086596b 8bb324010000    mov     esi,dword ptr [ebx+124h]
80865971 ff33            push    dword ptr [ebx]
80865973 c703ffffffff    mov     dword ptr [ebx],0FFFFFFFFh
80865979 8b6e18          mov     ebp,dword ptr [esi+18h]
8086597c 6a01            push    1
8086597e 83ec48          sub     esp,48h
80865981 81ed9c020000    sub     ebp,29Ch
80865987 c6864001000001  mov     byte ptr [esi+140h],1
8086598e 3bec            cmp     ebp,esp
80865990 759a            jne     nt!KiFastCallEntry2+0x47 (8086592c)
80865992 83652c00        and     dword ptr [ebp+2Ch],0
80865996 f6462cff        test    byte ptr [esi+2Ch],0FFh
8086599a 89ae34010000    mov     dword ptr [esi+134h],ebp
808659a0 0f854afeffff    jne     nt!Dr_FastCallDrSave (808657f0)
808659a6 8b5d60          mov     ebx,dword ptr [ebp+60h]
808659a9 8b7d68          mov     edi,dword ptr [ebp+68h]
808659ac 89550c          mov     dword ptr [ebp+0Ch],edx
808659af c74508000ddbba  mov     dword ptr [ebp+8],0BADB0D00h
808659b6 895d00          mov     dword ptr [ebp],ebx
808659b9 897d04          mov     dword ptr [ebp+4],edi
808659bc fb              sti
808659bd 8bf8            mov     edi,eax
808659bf c1ef08          shr     edi,8
808659c2 83e730          and     edi,30h
808659c5 8bcf            mov     ecx,edi

2)
kd> u kisystemservice
nt!KiSystemService:
80865871 6a00            push    0
80865873 55              push    ebp
80865874 53              push    ebx
80865875 56              push    esi
80865876 57              push    edi
80865877 0fa0            push    fs
80865879 bb30000000      mov     ebx,30h
8086587e 668ee3          mov     fs,bx

Re: 请问Winxp sp2中KiFastCallEntry进入kisystemservice的方式?

王宇 2009-03-26, 18:45 下午

下个断点一看便知.. 源码 + 解释如下:

;
; The arguments are passed on the stack. Therefore they always need to get
; copied since additional space has been allocated on the stack for the
; machine state frame.  Note that we don't check for the zero argument case -
; copy is always done regardless of the number of arguments because the
; zero argument case is very rare.
;

Kss40:  inc     dword ptr PCR[PcPrcbData+PbSystemCalls] ; system calls

        mov     esi, edx                ; (esi)->User arguments
        mov     ebx, [edi]+SdNumber     ; get argument table address
        xor     ecx, ecx
        mov     cl, byte ptr [ebx+eax]  ; (ecx) = argument size
        mov     edi, [edi]+SdBase       ; get service table address
        mov     ebx, [edi+eax*4]        ; (ebx)-> service routine
        sub     esp, ecx                ; allocate space for arguments
        shr     ecx, 2                  ; (ecx) = number of argument DWORDs
        mov     edi, esp                ; (edi)->location to receive 1st arg
        cmp     esi, _MmUserProbeAddress ; check if user address
        jae     kss80                   ; if ae, then not user address

KiSystemServiceCopyArguments:
        rep     movsd                   ; copy the arguments to top of stack.
                                        ; Since we usually copy more than 3
                                        ; arguments.  rep movsd is faster than
                                        ; mov instructions.

;
; Make actual call to system service
;

kssdoit:
        call    ebx                     ; call system service

Re: 请问Winxp sp2中KiFastCallEntry进入kisystemservice的方式?

merry 2009-03-26, 22:30 下午

Hi!王宇

 谢谢你的热心帮助!

 抱歉!我是一个newbie, 看到你的回复,我实在看不出...你贴出的反汇编代码和我贴出的反汇编代码有任何关系(一点也不像呀!除了最后一行:call    ebx ; call system service)。

 不过,我已经明白不应该忽视动态跟踪。

 我先动态跟踪一下,有问题我再请教! 谢谢!

Powered by Community Server Powered by CnForums.Net