 |
|
|
|
|
|
|
|
Windows内核
帖子发起人: merry 发起时间: 2009-04-11 17:07 下午 回复: 6
  
|
|
帖子排序:
|
|
|
|
 2009-04-11, 17:07 下午
|
merry
注册: 2008-09-26
发 贴: 61
|
KiFastCallEntry为何没有进入KiSystemService, 却直接进入KiServiceExit?
|
|
|
|
|
PC+VMware调试
Host OS: Winxp SP2
Guest OS: Winxp SP2
Q:KiFastCallEntry为何没有进入KiSystemService, 却直接进入KiServiceExit?
(蓝色字为我输入的命令,红色字为KiServiceExit函数的第一条指令)
按照《软件调试》一书所指出,KiFastCallEntry函数应调用KiSystemService函数,但按如下步骤试验时,KiFastCallEntry没有进入KiSystemService, 却直接进入KiServiceExit函数,请问一下原因,谢谢!
//windbg连接到Guest OS
...
nt!RtlpBreakWithStatusInstruction:
80526da8 cc int 3 //进入Guest OS后,首次在此中断
kd> bp nt!kifastcallentry
kd> bp nt!kisystemservice
kd> bl
0 e 8053c710 0001 (0001) nt!KiFastCallEntry
1 e 8053c651 0001 (0001) nt!KiSystemService
kd> g
Break instruction exception - code 80000003 (first chance)
*******************************************************************************
* *
* You are seeing this message because you pressed either *
* CTRL+C (if you run kd.exe) or, *
* CTRL+BREAK (if you run WinDBG), *
* on your debugger machine's keyboard. *
* *
* THIS IS NOT A BUG OR A SYSTEM CRASH *
* *
* If you did not intend to break into the debugger, press the "g" key, then *
* press the "Enter" key now. This message might immediately reappear. If it *
* does, press "g" and "Enter" again. *
* *
*******************************************************************************
nt!RtlpBreakWithStatusInstruction:
80526da8 cc int 3
kd> g
Breakpoint 0 hit
nt!KiFastCallEntry:
8053c710 b923000000 mov ecx,23h
kd> p 30
nt!KiFastCallEntry+0x5:
8053c715 6a30 push 30h
nt!KiFastCallEntry+0x7:
8053c717 0fa1 pop fs
nt!KiFastCallEntry+0x9:
8053c719 8ed9 mov ds,cx
nt!KiFastCallEntry+0xb:
8053c71b 8ec1 mov es,cx
nt!KiFastCallEntry+0xd:
8053c71d 8b0d40f0dfff mov ecx,dword ptr ds:[0FFDFF040h]
nt!KiFastCallEntry+0x13:
8053c723 8b6104 mov esp,dword ptr [ecx+4]
nt!KiFastCallEntry+0x16:
8053c726 6a23 push 23h
nt!KiFastCallEntry+0x18:
8053c728 52 push edx
nt!KiFastCallEntry+0x19:
8053c729 9c pushfd
nt!KiFastCallEntry+0x1a:
8053c72a 6a02 push 2
nt!KiFastCallEntry+0x1c:
8053c72c 83c208 add edx,8
nt!KiFastCallEntry+0x1f:
8053c72f 9d popfd
nt!KiFastCallEntry+0x20:
8053c730 804c240102 or byte ptr [esp+1],2
nt!KiFastCallEntry+0x25:
8053c735 6a1b push 1Bh
nt!KiFastCallEntry+0x27:
8053c737 ff350403dfff push dword ptr ds:[0FFDF0304h]
nt!KiFastCallEntry+0x2d:
8053c73d 6a00 push 0
nt!KiFastCallEntry+0x2f:
8053c73f 55 push ebp
nt!KiFastCallEntry+0x30:
8053c740 53 push ebx
nt!KiFastCallEntry+0x31:
8053c741 56 push esi
nt!KiFastCallEntry+0x32:
8053c742 57 push edi
nt!KiFastCallEntry+0x33:
8053c743 8b1d1cf0dfff mov ebx,dword ptr ds:[0FFDFF01Ch]
nt!KiFastCallEntry+0x39:
8053c749 6a3b push 3Bh
nt!KiFastCallEntry+0x3b:
8053c74b 8bb324010000 mov esi,dword ptr [ebx+124h]
nt!KiFastCallEntry+0x41:
8053c751 ff33 push dword ptr [ebx]
nt!KiFastCallEntry+0x43:
8053c753 c703ffffffff mov dword ptr [ebx],0FFFFFFFFh
nt!KiFastCallEntry+0x49:
8053c759 8b6e18 mov ebp,dword ptr [esi+18h]
nt!KiFastCallEntry+0x4c:
8053c75c 6a01 push 1
nt!KiFastCallEntry+0x4e:
8053c75e 83ec48 sub esp,48h
nt!KiFastCallEntry+0x51:
8053c761 81ed9c020000 sub ebp,29Ch
nt!KiFastCallEntry+0x57:
8053c767 c6864001000001 mov byte ptr [esi+140h],1
nt!KiFastCallEntry+0x5e:
8053c76e 3bec cmp ebp,esp
nt!KiFastCallEntry+0x60:
8053c770 759a jne nt!KiFastCallEntry2+0x47 (8053c70c)
nt!KiFastCallEntry+0x62:
8053c772 83652c00 and dword ptr [ebp+2Ch],0
nt!KiFastCallEntry+0x66:
8053c776 f6462cff test byte ptr [esi+2Ch],0FFh
nt!KiFastCallEntry+0x6a:
8053c77a 89ae34010000 mov dword ptr [esi+134h],ebp
nt!KiFastCallEntry+0x70:
8053c780 0f854afeffff jne nt!Dr_FastCallDrSave (8053c5d0)
nt!KiFastCallEntry+0x76:
8053c786 8b5d60 mov ebx,dword ptr [ebp+60h]
nt!KiFastCallEntry+0x79:
8053c789 8b7d68 mov edi,dword ptr [ebp+68h]
nt!KiFastCallEntry+0x7c:
8053c78c 89550c mov dword ptr [ebp+0Ch],edx
nt!KiFastCallEntry+0x7f:
8053c78f c74508000ddbba mov dword ptr [ebp+8],0BADB0D00h
nt!KiFastCallEntry+0x86:
8053c796 895d00 mov dword ptr [ebp],ebx
nt!KiFastCallEntry+0x89:
8053c799 897d04 mov dword ptr [ebp+4],edi
nt!KiFastCallEntry+0x8c:
8053c79c fb sti
nt!KiFastCallEntry+0x8d:
8053c79d 8bf8 mov edi,eax
nt!KiFastCallEntry+0x8f:
8053c79f c1ef08 shr edi,8
nt!KiFastCallEntry+0x92:
8053c7a2 83e730 and edi,30h
nt!KiFastCallEntry+0x95:
8053c7a5 8bcf mov ecx,edi
nt!KiFastCallEntry+0x97:
8053c7a7 03bee0000000 add edi,dword ptr [esi+0E0h]
kd> p 10
nt!KiFastCallEntry+0x9d:
8053c7ad 8bd8 mov ebx,eax
nt!KiFastCallEntry+0x9f:
8053c7af 25ff0f0000 and eax,0FFFh
nt!KiFastCallEntry+0xa4:
8053c7b4 3b4708 cmp eax,dword ptr [edi+8]
nt!KiFastCallEntry+0xa7:
8053c7b7 0f8345fdffff jae nt!KiBBTUnexpectedRange (8053c502)
nt!KiFastCallEntry+0xad:
8053c7bd 83f910 cmp ecx,10h
nt!KiFastCallEntry+0xb0:
8053c7c0 751a jne nt!KiFastCallEntry+0xcc (8053c7dc)
nt!KiFastCallEntry+0xcc:
8053c7dc ff0538f6dfff inc dword ptr ds:[0FFDFF638h]
nt!KiFastCallEntry+0xd2:
8053c7e2 8bf2 mov esi,edx
nt!KiFastCallEntry+0xd4:
8053c7e4 8b5f0c mov ebx,dword ptr [edi+0Ch]
nt!KiFastCallEntry+0xd7:
8053c7e7 33c9 xor ecx,ecx
nt!KiFastCallEntry+0xd9:
8053c7e9 8a0c18 mov cl,byte ptr [eax+ebx]
nt!KiFastCallEntry+0xdc:
8053c7ec 8b3f mov edi,dword ptr [edi]
nt!KiFastCallEntry+0xde:
8053c7ee 8b1c87 mov ebx,dword ptr [edi+eax*4]
nt!KiFastCallEntry+0xe1:
8053c7f1 2be1 sub esp,ecx
nt!KiFastCallEntry+0xe3:
8053c7f3 c1e902 shr ecx,2
nt!KiFastCallEntry+0xe6:
8053c7f6 8bfc mov edi,esp
kd> p 10
nt!KiFastCallEntry+0xe8:
8053c7f8 3b35b47b5580 cmp esi,dword ptr [nt!MmUserProbeAddress (80557bb4)]
nt!KiFastCallEntry+0xee:
8053c7fe 0f83a8010000 jae nt!KiSystemCallExit2+0x9f (8053c9ac)
nt!KiFastCallEntry+0xf4:
8053c804 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
nt!KiFastCallEntry+0xf6:
8053c806 ffd3 call ebx
nt!KiFastCallEntry+0xf8:
8053c808 8be5 mov esp,ebp
nt!KiFastCallEntry+0xfa:
8053c80a 8b0d24f1dfff mov ecx,dword ptr ds:[0FFDFF124h]
nt!KiFastCallEntry+0x100:
8053c810 8b553c mov edx,dword ptr [ebp+3Ch]
nt!KiFastCallEntry+0x103:
8053c813 899134010000 mov dword ptr [ecx+134h],edx
nt!KiServiceExit:
8053c819 fa cli
nt!KiServiceExit+0x1:
8053c81a f7457000000200 test dword ptr [ebp+70h],20000h
nt!KiServiceExit+0x8:
8053c821 7506 jne nt!KiServiceExit+0x10 (8053c829)
nt!KiServiceExit+0xa:
8053c823 f6456c01 test byte ptr [ebp+6Ch],1
nt!KiServiceExit+0xe:
8053c827 7457 je nt!KiServiceExit+0x67 (8053c880)
nt!KiServiceExit+0x10:
8053c829 8b1d24f1dfff mov ebx,dword ptr ds:[0FFDFF124h]
nt!KiServiceExit+0x16:
8053c82f c6432e00 mov byte ptr [ebx+2Eh],0
nt!KiServiceExit+0x1a:
8053c833 807b4a00 cmp byte ptr [ebx+4Ah],0
|
|
|
|
IP 地址: 已记录
|
报告
|
|
|
|
|
2009-04-13, 11:10 上午
|
王宇
注册: 2007-05-08
发 贴: 306
|
Re: KiFastCallEntry为何没有进入KiSystemService, 却直接进入KiServiceExit?
|
|
|
|
|
|
|
楼主很细心,内核陷入的代码 (细节) 变动的相对频繁,这个问题要分情况说明。
《软件调试》一书里列出的 nt!KiFastCallEntry 应该是 Win-2000 平台下的,大致如下:
kd> u nt!KiFastCallEntry
nt!KiFastCallEntry:
804647dd 368b2540f0dfff mov esp,dword ptr ss:[0FFDFF040h]
804647e4 8b642404 mov esp,dword ptr [esp+4]
804647e8 6a23 push 23h
804647ea 52 push edx
804647eb 832c2404 sub dword ptr [esp],4
804647ef 9c pushfd
804647f0 810c2400020000 or dword ptr [esp],200h
804647f7 6a1b push 1Bh
804647f9 51 push ecx
804647fa 6a00 push 0
804647fc 55 push ebp
804647fd 53 push ebx
804647fe 56 push esi
804647ff 57 push edi
80464800 0fa0 push fs
80464802 bb30000000 mov ebx,30h
80464807 668ee3 mov fs,bx
8046480a ff3500f0dfff push dword ptr ds:[0FFDFF000h]
80464810 c70500f0dfffffffffff mov dword ptr ds:[0FFDFF000h],0FFFFFFFFh
8046481a 8b3524f1dfff mov esi,dword ptr ds:[0FFDFF124h]
80464820 ffb634010000 push dword ptr [esi+134h]
80464826 83ec48 sub esp,48h
80464829 8b5c246c mov ebx,dword ptr [esp+6Ch]
8046482d 83e301 and ebx,1
80464830 889e34010000 mov byte ptr [esi+134h],bl
80464836 8bec mov ebp,esp
80464838 8b9e28010000 mov ebx,dword ptr [esi+128h]
8046483e 895d3c mov dword ptr [ebp+3Ch],ebx
80464841 89ae28010000 mov dword ptr [esi+128h],ebp
80464847 fc cld
80464848 f6462cff test byte ptr [esi+2Ch],0FFh
8046484c 0f850affffff jne nt!Dr_kfce_a (8046475c)
80464852 fb sti
80464853 e9de000000 jmp nt!KiSystemService+0x59 (80464936)
80464858 90 nop
........
函数的最后会陷入 IDT 0x2E - nt!KiSystemService。
在 0 e 804647dd 0001 (0001) nt!KiFastCallEntry
下断点会发现,该断点不会被命中,因为内核陷入机制采用的是 IDT 0x2E 处理例程。
kd> u KiSystemService
nt!KiSystemService:
804648dd 6a00 push 0
804648df 55 push ebp
804648e0 53 push ebx
804648e1 56 push esi
804648e2 57 push edi
804648e3 0fa0 push fs
804648e5 bb30000000 mov ebx,30h
804648ea 668ee3 mov fs,bx
804648ed ff3500f0dfff push dword ptr ds:[0FFDFF000h]
804648f3 c70500f0dfffffffffff mov dword ptr ds:[0FFDFF000h],0FFFFFFFFh
804648fd 8b3524f1dfff mov esi,dword ptr ds:[0FFDFF124h]
80464903 ffb634010000 push dword ptr [esi+134h]
80464909 83ec48 sub esp,48h
8046490c 8b5c246c mov ebx,dword ptr [esp+6Ch]
80464910 83e301 and ebx,1
80464913 889e34010000 mov byte ptr [esi+134h],bl
80464919 8bec mov ebp,esp
8046491b 8b9e28010000 mov ebx,dword ptr [esi+128h]
80464921 895d3c mov dword ptr [ebp+3Ch],ebx
80464924 89ae28010000 mov dword ptr [esi+128h],ebp
8046492a fc cld
8046492b f6462cff test byte ptr [esi+2Ch],0FFh
8046492f 0f8524ffffff jne nt!Dr_kss_a (80464859)
80464935 fb sti
80464936 8bf8 mov edi,eax ; 注意这里就是 nt!KiFastCallEntry 跳转过来的地方
80464938 c1ef08 shr edi,8
8046493b 83e730 and edi,30h
8046493e 8bcf mov ecx,edi
80464940 03bedc000000 add edi,dword ptr [esi+0DCh]
80464946 8bd8 mov ebx,eax
80464948 25ff0f0000 and eax,0FFFh
8046494d 3b4708 cmp eax,dword ptr [edi+8]
80464950 0f83bcfdffff jae nt!KiBBTUnexpectedRange (80464712)
80464956 83f910 cmp ecx,10h
80464959 751a jne nt!KiSystemService+0x98 (80464975)
8046495b 8b0d18f0dfff mov ecx,dword ptr ds:[0FFDFF018h]
80464961 33db xor ebx,ebx
80464963 0b99700f0000 or ebx,dword ptr [ecx+0F70h]
80464969 740a je nt!KiSystemService+0x98 (80464975)
8046496b 52 push edx
8046496c 50 push eax
8046496d ff15a01a4880 call dword ptr [nt!KeGdiFlushUserBatch (80481aa0)]
80464973 58 pop eax
80464974 5a pop edx
80464975 ff05dcf5dfff inc dword ptr ds:[0FFDFF5DCh]
8046497b 8bf2 mov esi,edx
8046497d 8b5f0c mov ebx,dword ptr [edi+0Ch]
80464980 33c9 xor ecx,ecx
80464982 8a0c18 mov cl,byte ptr [eax+ebx]
80464985 8b3f mov edi,dword ptr [edi]
80464987 8b1c87 mov ebx,dword ptr [edi+eax*4]
8046498a 2be1 sub esp,ecx
8046498c c1e902 shr ecx,2
8046498f 8bfc mov edi,esp
80464991 3b3548cc4680 cmp esi,dword ptr [nt!MmUserProbeAddress (8046cc48)]
80464997 0f83e4010000 jae nt!KiServiceExit+0x1ce (80464b81)
8046499d f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
8046499f ffd3 call ebx
........
这个就是正常的 Win-2000 下内核服务派遣流程。
可以看出楼主研究的平台是 Win-XP+,这些平台下的操作系统会判断处理器的版本(CPUID),进而选择是否采用“快速系统调用”。
此时 msr 176 是 nt!KiFastCallEntry:
nt!KiFastCallEntry:
80541510 b923000000 mov ecx,23h
80541515 6a30 push 30h
80541517 0fa1 pop fs
80541519 8ed9 mov ds,cx
8054151b 8ec1 mov es,cx
8054151d 648b0d40000000 mov ecx,dword ptr fs:[40h]
80541524 8b6104 mov esp,dword ptr [ecx+4]
80541527 6a23 push 23h
80541529 52 push edx
8054152a 9c pushfd
8054152b 6a02 push 2
8054152d 83c208 add edx,8
80541530 9d popfd
80541531 804c240102 or byte ptr [esp+1],2
80541536 6a1b push 1Bh
80541538 ff350403dfff push dword ptr ds:[0FFDF0304h]
8054153e 6a00 push 0
80541540 55 push ebp
80541541 53 push ebx
80541542 56 push esi
80541543 57 push edi
80541544 648b1d1c000000 mov ebx,dword ptr fs:[1Ch]
8054154b 6a3b push 3Bh
8054154d 8bb324010000 mov esi,dword ptr [ebx+124h]
80541553 ff33 push dword ptr [ebx]
80541555 c703ffffffff mov dword ptr [ebx],0FFFFFFFFh
8054155b 8b6e18 mov ebp,dword ptr [esi+18h]
8054155e 6a01 push 1
80541560 83ec48 sub esp,48h
80541563 81ed9c020000 sub ebp,29Ch
80541569 c6864001000001 mov byte ptr [esi+140h],1
80541570 3bec cmp ebp,esp
80541572 758d jne nt!KiFastCallEntry2+0x49 (80541501)
80541574 83652c00 and dword ptr [ebp+2Ch],0
80541578 f6462cff test byte ptr [esi+2Ch],0FFh
8054157c 89ae34010000 mov dword ptr [esi+134h],ebp
80541582 0f8538feffff jne nt!Dr_FastCallDrSave (805413c0)
80541588 8b5d60 mov ebx,dword ptr [ebp+60h]
8054158b 8b7d68 mov edi,dword ptr [ebp+68h]
8054158e 89550c mov dword ptr [ebp+0Ch],edx
80541591 c74508000ddbba mov dword ptr [ebp+8],0BADB0D00h
80541598 895d00 mov dword ptr [ebp],ebx
8054159b 897d04 mov dword ptr [ebp+4],edi
8054159e fb sti
8054159f 8bf8 mov edi,eax ; 注意这里就是 nt!KiSystemService 跳转过来的地方
805415a1 c1ef08 shr edi,8
805415a4 83e730 and edi,30h
805415a7 8bcf mov ecx,edi
805415a9 03bee0000000 add edi,dword ptr [esi+0E0h]
805415af 8bd8 mov ebx,eax
805415b1 25ff0f0000 and eax,0FFFh
805415b6 3b4708 cmp eax,dword ptr [edi+8]
805415b9 0f8333fdffff jae nt!KiBBTUnexpectedRange (805412f2)
805415bf 83f910 cmp ecx,10h
805415c2 751b jne nt!KiFastCallEntry+0xcf (805415df)
805415c4 648b0d18000000 mov ecx,dword ptr fs:[18h]
805415cb 33db xor ebx,ebx
805415cd 0b99700f0000 or ebx,dword ptr [ecx+0F70h]
805415d3 740a je nt!KiFastCallEntry+0xcf (805415df)
805415d5 52 push edx
805415d6 50 push eax
805415d7 ff1528c75580 call dword ptr [nt!KeGdiFlushUserBatch (8055c728)]
805415dd 58 pop eax
805415de 5a pop edx
805415df 64ff0538060000 inc dword ptr fs:[638h]
805415e6 8bf2 mov esi,edx
805415e8 8b5f0c mov ebx,dword ptr [edi+0Ch]
805415eb 33c9 xor ecx,ecx
805415ed 8a0c18 mov cl,byte ptr [eax+ebx]
805415f0 8b3f mov edi,dword ptr [edi]
805415f2 8b1c87 mov ebx,dword ptr [edi+eax*4]
805415f5 2be1 sub esp,ecx
805415f7 c1e902 shr ecx,2
805415fa 8bfc mov edi,esp
805415fc 3b3514215680 cmp esi,dword ptr [nt!MmUserProbeAddress (80562114)]
80541602 0f83a8010000 jae nt!KiSystemCallExit2+0x9f (805417b0)
80541608 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
8054160a ffd3 call ebx
........
这个是标准的内核服务派遣流程。
而 nt!KiSystemService 函数此时只是 nt!KiFastCallEntry 的封装:
nt!KiSystemService:
80541441 6a00 push 0
80541443 55 push ebp
80541444 53 push ebx
80541445 56 push esi
80541446 57 push edi
80541447 0fa0 push fs
80541449 bb30000000 mov ebx,30h
8054144e 668ee3 mov fs,bx
80541451 64ff3500000000 push dword ptr fs:[0]
80541458 64c70500000000ffffffff mov dword ptr fs:[0],0FFFFFFFFh
80541463 648b3524010000 mov esi,dword ptr fs:[124h]
8054146a ffb640010000 push dword ptr [esi+140h]
80541470 83ec48 sub esp,48h
80541473 8b5c246c mov ebx,dword ptr [esp+6Ch]
80541477 83e301 and ebx,1
8054147a 889e40010000 mov byte ptr [esi+140h],bl
80541480 8bec mov ebp,esp
80541482 8b9e34010000 mov ebx,dword ptr [esi+134h]
80541488 895d3c mov dword ptr [ebp+3Ch],ebx
8054148b 89ae34010000 mov dword ptr [esi+134h],ebp
80541491 fc cld
80541492 8b5d60 mov ebx,dword ptr [ebp+60h]
80541495 8b7d68 mov edi,dword ptr [ebp+68h]
80541498 89550c mov dword ptr [ebp+0Ch],edx
8054149b c74508000ddbba mov dword ptr [ebp+8],0BADB0D00h
805414a2 895d00 mov dword ptr [ebp],ebx
805414a5 897d04 mov dword ptr [ebp+4],edi
805414a8 f6462cff test byte ptr [esi+2Ch],0FFh
805414ac 0f858afeffff jne nt!Dr_kss_a (8054133c)
805414b2 fb sti
805414b3 e9e7000000 jmp nt!KiFastCallEntry+0x8f (8054159f)
........
用中断计数工具查看会发现 IDT 0x2E 不会被系统主动触发(从中断系统走)。如图:
|
|
|
|
IP 地址: 已记录
|
报告
|
|
|
|
|
2009-04-13, 18:33 下午
|
merry
注册: 2008-09-26
发 贴: 61
|
Re: KiFastCallEntry为何没有进入KiSystemService, 却直接进入KiServiceExit?
|
|
|
|
|
|
|
|
|
IP 地址: 已记录
|
报告
|
|
|
|
|
2009-04-14, 09:18 上午
|
merry
注册: 2008-09-26
发 贴: 61
|
Re: KiFastCallEntry为何没有进入KiSystemService, 却直接进入KiServiceExit?
|
|
|
|
|
|
看到王宇的回复后,做实验加以验证。
从我做实验的结果来看,确实看到是从nt!KiSystemService无条件转移(jmp)到nt!KiFastCallEntry 中继续执行,这让我更迷惑了。
MSR 176 指向nt!KiFastCallEntry :
1) 在win2000时,nt!KiFastCallEntry执行完再执行nt!KiSystemService,进行系统服务分发(Service Dispatcher)。
2) 然而在winxp时,nt!KiFastCallEntry函数不跳转到nt!KiSystemService,反而是nt!KiSystemService跳转到nt!KiFastCallEntry。 那么,既然nt!KiFastCallEntry函数不转移到nt!KiSystemService,nt!KiSystemService如何获得CPU执行机会?
假设nt!KiSystemService获得了执行机会,为什么没有进行系统服务分发,却又要跳回nt!KiFastCallEntry?
谢谢!
|
|
|
|
IP 地址: 已记录
|
报告
|
|
|
|
|
2009-04-15, 10:08 上午
|
王宇
注册: 2007-05-08
发 贴: 306
|
Re: KiFastCallEntry为何没有进入KiSystemService, 却直接进入KiServiceExit?
|
|
|
|
|
|
昨天不在,见到了 HD Moore。呵呵 楼主没想清楚
在 Win-2000 下不支持所谓的 msr,nt!KiSystemService 例程就是最终"服务派遣"的实现者。此时 nt!KiFastCallEntry 函数虽然存在,但不会被调用(试验看就是这样的),从反汇编来看即使被调用了它也只是前者的一个封装。
Win-2000 之后,nt!KiFastCallEntry 函数变成了核心,所以"服务派遣"工作改由它来实现。但 idt 0x2E 的处理例程 (nt!KiSystemService) 依然存在,为的是方便那些 "在不支持 SYSENTER / SYSCALL 的老处理器上安装 Win-XP+" 的机器可以工作(它们还要依靠中断陷入内核)。此时 nt!KiSystemService 是 nt!KiFastCallEntry 的封装,从实验来看,系统不会主动走中断调用 nt!KiSystemService。
|
|
|
|
IP 地址: 已记录
|
报告
|
|
|
|
|
2009-04-15, 13:07 下午
|
merry
注册: 2008-09-26
发 贴: 61
|
Re: KiFastCallEntry为何没有进入KiSystemService, 却直接进入KiServiceExit?
|
|
|
|
|
|
呵呵!看来那天晚上我做实验状态有问题.
因为你前面的回复已经很清楚:win2000不支持Fast System Call(sysenter等指令),所以不应该说"在win2000上,MSR 176指向nt!KiFastCallEntry".
另外,你所说的"封装"(eg.:nt!KiSystemService 是 nt!KiFastCallEntry 的封装)是指:
nt!KiSystemService就是 nt!KiFastCallEntry 的stub吗?
下图是我从一篇英文pdf文档中看到并修改后upload,你看一下画红圈是否有问题。(那篇英文pdf文档出处已记不得)
http://clouddisk.co.cc/files/get/m5D_NKur0Z/ad.jpg
(因为不知道论坛如何上传图片,所以放到网络免费硬盘clouddisk,在网页中Image Preview部分可以看到原图的缩略图,如要看全图,需等待几十秒)
|
|
|
|
IP 地址: 已记录
|
报告
|
|
|
|
|
2009-04-15, 16:37 下午
|
王宇
注册: 2007-05-08
发 贴: 306
|
Re: KiFastCallEntry为何没有进入KiSystemService, 却直接进入KiServiceExit?
|
|
|
|
|
|
|
|
|
IP 地址: 已记录
|
报告
|
|
|
|
|
高端调试 » 内核探秘 » Windows内核 » KiFastCallEntry为何没有进入KiSystemService, 却直接进入KiServiceExit?
|
|
|
|
|
|