Re: KiFastCallEntry为何没有进入KiSystemService, 却直接进入KiServiceExit?

Windows内核

KiFastCallEntry为何没有进入KiSystemService, 却直接进入KiServiceExit?

merry 2009-04-11, 17:07 下午
PC+VMware调试

Host OS: Winxp SP2
Guest OS: Winxp SP2

Q:KiFastCallEntry为何没有进入KiSystemService, 却直接进入KiServiceExit?
(蓝色字为我输入的命令,红色字为KiServiceExit函数的第一条指令)

按照《软件调试》一书所指出，KiFastCallEntry函数应调用KiSystemService函数，但按如下步骤试验时，KiFastCallEntry没有进入KiSystemService, 却直接进入KiServiceExit函数，请问一下原因，谢谢！

//windbg连接到Guest OS
...
nt!RtlpBreakWithStatusInstruction:
80526da8 cc              int     3 //进入Guest OS后，首次在此中断

kd> bp nt!kifastcallentry
kd> bp nt!kisystemservice
kd> bl
0 e 8053c710     0001 (0001) nt!KiFastCallEntry
1 e 8053c651     0001 (0001) nt!KiSystemService

kd> g
Break instruction exception - code 80000003 (first chance)
*******************************************************************************
*                                                                             *
*   You are seeing this message because you pressed either                    *
*       CTRL+C (if you run kd.exe) or,                                        *
*       CTRL+BREAK (if you run WinDBG),                                       *
*   on your debugger machine's keyboard.                                      *
*                                                                             *
*                   THIS IS NOT A BUG OR A SYSTEM CRASH                       *
*                                                                             *
* If you did not intend to break into the debugger, press the "g" key, then   *
* press the "Enter" key now. This message might immediately reappear. If it *
* does, press "g" and "Enter" again.                                          *
*                                                                             *
*******************************************************************************
nt!RtlpBreakWithStatusInstruction:
80526da8 cc              int     3
kd> g
Breakpoint 0 hit
nt!KiFastCallEntry:
8053c710 b923000000      mov     ecx,23h
kd> p 30
nt!KiFastCallEntry+0x5:
8053c715 6a30            push    30h
nt!KiFastCallEntry+0x7:
8053c717 0fa1            pop     fs
nt!KiFastCallEntry+0x9:
8053c719 8ed9            mov     ds,cx
nt!KiFastCallEntry+0xb:
8053c71b 8ec1            mov     es,cx
nt!KiFastCallEntry+0xd:
8053c71d 8b0d40f0dfff    mov     ecx,dword ptr ds:[0FFDFF040h]
nt!KiFastCallEntry+0x13:
8053c723 8b6104          mov     esp,dword ptr [ecx+4]
nt!KiFastCallEntry+0x16:
8053c726 6a23            push    23h
nt!KiFastCallEntry+0x18:
8053c728 52              push    edx
nt!KiFastCallEntry+0x19:
8053c729 9c              pushfd
nt!KiFastCallEntry+0x1a:
8053c72a 6a02            push    2
nt!KiFastCallEntry+0x1c:
8053c72c 83c208          add     edx,8
nt!KiFastCallEntry+0x1f:
8053c72f 9d              popfd
nt!KiFastCallEntry+0x20:
8053c730 804c240102      or      byte ptr [esp+1],2
nt!KiFastCallEntry+0x25:
8053c735 6a1b            push    1Bh
nt!KiFastCallEntry+0x27:
8053c737 ff350403dfff    push    dword ptr ds:[0FFDF0304h]
nt!KiFastCallEntry+0x2d:
8053c73d 6a00            push    0
nt!KiFastCallEntry+0x2f:
8053c73f 55              push    ebp
nt!KiFastCallEntry+0x30:
8053c740 53              push    ebx
nt!KiFastCallEntry+0x31:
8053c741 56              push    esi
nt!KiFastCallEntry+0x32:
8053c742 57              push    edi
nt!KiFastCallEntry+0x33:
8053c743 8b1d1cf0dfff    mov     ebx,dword ptr ds:[0FFDFF01Ch]
nt!KiFastCallEntry+0x39:
8053c749 6a3b            push    3Bh
nt!KiFastCallEntry+0x3b:
8053c74b 8bb324010000    mov     esi,dword ptr [ebx+124h]
nt!KiFastCallEntry+0x41:
8053c751 ff33            push    dword ptr [ebx]
nt!KiFastCallEntry+0x43:
8053c753 c703ffffffff    mov     dword ptr [ebx],0FFFFFFFFh
nt!KiFastCallEntry+0x49:
8053c759 8b6e18          mov     ebp,dword ptr [esi+18h]
nt!KiFastCallEntry+0x4c:
8053c75c 6a01            push    1
nt!KiFastCallEntry+0x4e:
8053c75e 83ec48          sub     esp,48h
nt!KiFastCallEntry+0x51:
8053c761 81ed9c020000    sub     ebp,29Ch
nt!KiFastCallEntry+0x57:
8053c767 c6864001000001 mov     byte ptr [esi+140h],1
nt!KiFastCallEntry+0x5e:
8053c76e 3bec            cmp     ebp,esp
nt!KiFastCallEntry+0x60:
8053c770 759a            jne     nt!KiFastCallEntry2+0x47 (8053c70c)
nt!KiFastCallEntry+0x62:
8053c772 83652c00        and     dword ptr [ebp+2Ch],0
nt!KiFastCallEntry+0x66:
8053c776 f6462cff        test    byte ptr [esi+2Ch],0FFh
nt!KiFastCallEntry+0x6a:
8053c77a 89ae34010000    mov     dword ptr [esi+134h],ebp
nt!KiFastCallEntry+0x70:
8053c780 0f854afeffff    jne     nt!Dr_FastCallDrSave (8053c5d0)
nt!KiFastCallEntry+0x76:
8053c786 8b5d60          mov     ebx,dword ptr [ebp+60h]
nt!KiFastCallEntry+0x79:
8053c789 8b7d68          mov     edi,dword ptr [ebp+68h]
nt!KiFastCallEntry+0x7c:
8053c78c 89550c          mov     dword ptr [ebp+0Ch],edx
nt!KiFastCallEntry+0x7f:
8053c78f c74508000ddbba mov     dword ptr [ebp+8],0BADB0D00h
nt!KiFastCallEntry+0x86:
8053c796 895d00          mov     dword ptr [ebp],ebx
nt!KiFastCallEntry+0x89:
8053c799 897d04          mov     dword ptr [ebp+4],edi
nt!KiFastCallEntry+0x8c:
8053c79c fb              sti
nt!KiFastCallEntry+0x8d:
8053c79d 8bf8            mov     edi,eax
nt!KiFastCallEntry+0x8f:
8053c79f c1ef08          shr     edi,8
nt!KiFastCallEntry+0x92:
8053c7a2 83e730          and     edi,30h
nt!KiFastCallEntry+0x95:
8053c7a5 8bcf            mov     ecx,edi
nt!KiFastCallEntry+0x97:
8053c7a7 03bee0000000    add     edi,dword ptr [esi+0E0h]
kd> p 10
nt!KiFastCallEntry+0x9d:
8053c7ad 8bd8            mov     ebx,eax
nt!KiFastCallEntry+0x9f:
8053c7af 25ff0f0000      and     eax,0FFFh
nt!KiFastCallEntry+0xa4:
8053c7b4 3b4708          cmp     eax,dword ptr [edi+8]
nt!KiFastCallEntry+0xa7:
8053c7b7 0f8345fdffff    jae     nt!KiBBTUnexpectedRange (8053c502)
nt!KiFastCallEntry+0xad:
8053c7bd 83f910          cmp     ecx,10h
nt!KiFastCallEntry+0xb0:
8053c7c0 751a            jne     nt!KiFastCallEntry+0xcc (8053c7dc)
nt!KiFastCallEntry+0xcc:
8053c7dc ff0538f6dfff    inc     dword ptr ds:[0FFDFF638h]
nt!KiFastCallEntry+0xd2:
8053c7e2 8bf2            mov     esi,edx
nt!KiFastCallEntry+0xd4:
8053c7e4 8b5f0c          mov     ebx,dword ptr [edi+0Ch]
nt!KiFastCallEntry+0xd7:
8053c7e7 33c9            xor     ecx,ecx
nt!KiFastCallEntry+0xd9:
8053c7e9 8a0c18          mov     cl,byte ptr [eax+ebx]
nt!KiFastCallEntry+0xdc:
8053c7ec 8b3f            mov     edi,dword ptr [edi]
nt!KiFastCallEntry+0xde:
8053c7ee 8b1c87          mov     ebx,dword ptr [edi+eax*4]
nt!KiFastCallEntry+0xe1:
8053c7f1 2be1            sub     esp,ecx
nt!KiFastCallEntry+0xe3:
8053c7f3 c1e902          shr     ecx,2
nt!KiFastCallEntry+0xe6:
8053c7f6 8bfc            mov     edi,esp
kd> p 10
nt!KiFastCallEntry+0xe8:
8053c7f8 3b35b47b5580    cmp     esi,dword ptr [nt!MmUserProbeAddress (80557bb4)]
nt!KiFastCallEntry+0xee:
8053c7fe 0f83a8010000    jae     nt!KiSystemCallExit2+0x9f (8053c9ac)
nt!KiFastCallEntry+0xf4:
8053c804 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
nt!KiFastCallEntry+0xf6:
8053c806 ffd3            call    ebx
nt!KiFastCallEntry+0xf8:
8053c808 8be5            mov     esp,ebp
nt!KiFastCallEntry+0xfa:
8053c80a 8b0d24f1dfff    mov     ecx,dword ptr ds:[0FFDFF124h]
nt!KiFastCallEntry+0x100:
8053c810 8b553c          mov     edx,dword ptr [ebp+3Ch]
nt!KiFastCallEntry+0x103:
8053c813 899134010000    mov     dword ptr [ecx+134h],edx
nt!KiServiceExit:
8053c819 fa              cli
nt!KiServiceExit+0x1:
8053c81a f7457000000200 test    dword ptr [ebp+70h],20000h
nt!KiServiceExit+0x8:
8053c821 7506            jne     nt!KiServiceExit+0x10 (8053c829)
nt!KiServiceExit+0xa:
8053c823 f6456c01        test    byte ptr [ebp+6Ch],1
nt!KiServiceExit+0xe:
8053c827 7457            je      nt!KiServiceExit+0x67 (8053c880)
nt!KiServiceExit+0x10:
8053c829 8b1d24f1dfff    mov     ebx,dword ptr ds:[0FFDFF124h]
nt!KiServiceExit+0x16:
8053c82f c6432e00        mov     byte ptr [ebx+2Eh],0
nt!KiServiceExit+0x1a:
8053c833 807b4a00        cmp     byte ptr [ebx+4Ah],0

Re: KiFastCallEntry为何没有进入KiSystemService, 却直接进入KiServiceExit?

王宇 2009-04-13, 11:10 上午

楼主很细心，内核陷入的代码 (细节) 变动的相对频繁，这个问题要分情况说明。

《软件调试》一书里列出的 nt!KiFastCallEntry 应该是 Win-2000 平台下的，大致如下：

kd> u nt!KiFastCallEntry
nt!KiFastCallEntry:
804647dd 368b2540f0dfff mov     esp,dword ptr ss:[0FFDFF040h]
804647e4 8b642404        mov     esp,dword ptr [esp+4]
804647e8 6a23            push    23h
804647ea 52              push    edx
804647eb 832c2404        sub     dword ptr [esp],4
804647ef 9c              pushfd
804647f0 810c2400020000 or      dword ptr [esp],200h
804647f7 6a1b            push    1Bh
804647f9 51              push    ecx
804647fa 6a00            push    0
804647fc 55              push    ebp
804647fd 53              push    ebx
804647fe 56              push    esi
804647ff 57              push    edi
80464800 0fa0            push    fs
80464802 bb30000000      mov     ebx,30h
80464807 668ee3          mov     fs,bx
8046480a ff3500f0dfff    push    dword ptr ds:[0FFDFF000h]
80464810 c70500f0dfffffffffff mov dword ptr ds:[0FFDFF000h],0FFFFFFFFh
8046481a 8b3524f1dfff    mov     esi,dword ptr ds:[0FFDFF124h]
80464820 ffb634010000    push    dword ptr [esi+134h]
80464826 83ec48          sub     esp,48h
80464829 8b5c246c        mov     ebx,dword ptr [esp+6Ch]
8046482d 83e301          and     ebx,1
80464830 889e34010000    mov     byte ptr [esi+134h],bl
80464836 8bec            mov     ebp,esp
80464838 8b9e28010000    mov     ebx,dword ptr [esi+128h]
8046483e 895d3c          mov     dword ptr [ebp+3Ch],ebx
80464841 89ae28010000    mov     dword ptr [esi+128h],ebp
80464847 fc              cld
80464848 f6462cff        test    byte ptr [esi+2Ch],0FFh
8046484c 0f850affffff    jne     nt!Dr_kfce_a (8046475c)
80464852 fb              sti
80464853 e9de000000      jmp     nt!KiSystemService+0x59 (80464936)
80464858 90              nop
........

函数的最后会陷入 IDT 0x2E - nt!KiSystemService。
在 0 e 804647dd     0001 (0001) nt!KiFastCallEntry
下断点会发现，该断点不会被命中，因为内核陷入机制采用的是 IDT 0x2E 处理例程。

kd> u KiSystemService
nt!KiSystemService:
804648dd 6a00            push    0
804648df 55              push    ebp
804648e0 53              push    ebx
804648e1 56              push    esi
804648e2 57              push    edi
804648e3 0fa0            push    fs
804648e5 bb30000000      mov     ebx,30h
804648ea 668ee3          mov     fs,bx
804648ed ff3500f0dfff    push    dword ptr ds:[0FFDFF000h]
804648f3 c70500f0dfffffffffff mov dword ptr ds:[0FFDFF000h],0FFFFFFFFh
804648fd 8b3524f1dfff    mov     esi,dword ptr ds:[0FFDFF124h]
80464903 ffb634010000    push    dword ptr [esi+134h]
80464909 83ec48          sub     esp,48h
8046490c 8b5c246c        mov     ebx,dword ptr [esp+6Ch]
80464910 83e301          and     ebx,1
80464913 889e34010000    mov     byte ptr [esi+134h],bl
80464919 8bec            mov     ebp,esp
8046491b 8b9e28010000    mov     ebx,dword ptr [esi+128h]
80464921 895d3c          mov     dword ptr [ebp+3Ch],ebx
80464924 89ae28010000    mov     dword ptr [esi+128h],ebp
8046492a fc              cld
8046492b f6462cff        test    byte ptr [esi+2Ch],0FFh
8046492f 0f8524ffffff    jne     nt!Dr_kss_a (80464859)
80464935 fb              sti
80464936 8bf8            mov     edi,eax ; 注意这里就是 nt!KiFastCallEntry 跳转过来的地方
80464938 c1ef08          shr     edi,8
8046493b 83e730          and     edi,30h
8046493e 8bcf            mov     ecx,edi
80464940 03bedc000000    add     edi,dword ptr [esi+0DCh]
80464946 8bd8            mov     ebx,eax
80464948 25ff0f0000      and     eax,0FFFh
8046494d 3b4708          cmp     eax,dword ptr [edi+8]
80464950 0f83bcfdffff    jae     nt!KiBBTUnexpectedRange (80464712)
80464956 83f910          cmp     ecx,10h
80464959 751a            jne     nt!KiSystemService+0x98 (80464975)
8046495b 8b0d18f0dfff    mov     ecx,dword ptr ds:[0FFDFF018h]
80464961 33db            xor     ebx,ebx
80464963 0b99700f0000    or      ebx,dword ptr [ecx+0F70h]
80464969 740a            je      nt!KiSystemService+0x98 (80464975)
8046496b 52              push    edx
8046496c 50              push    eax
8046496d ff15a01a4880    call    dword ptr [nt!KeGdiFlushUserBatch (80481aa0)]
80464973 58              pop     eax
80464974 5a              pop     edx
80464975 ff05dcf5dfff    inc     dword ptr ds:[0FFDFF5DCh]
8046497b 8bf2            mov     esi,edx
8046497d 8b5f0c          mov     ebx,dword ptr [edi+0Ch]
80464980 33c9            xor     ecx,ecx
80464982 8a0c18          mov     cl,byte ptr [eax+ebx]
80464985 8b3f            mov     edi,dword ptr [edi]
80464987 8b1c87          mov     ebx,dword ptr [edi+eax*4]
8046498a 2be1            sub     esp,ecx
8046498c c1e902          shr     ecx,2
8046498f 8bfc            mov     edi,esp
80464991 3b3548cc4680    cmp     esi,dword ptr [nt!MmUserProbeAddress (8046cc48)]
80464997 0f83e4010000    jae     nt!KiServiceExit+0x1ce (80464b81)
8046499d f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
8046499f ffd3            call    ebx
........

这个就是正常的 Win-2000 下内核服务派遣流程。

可以看出楼主研究的平台是 Win-XP+，这些平台下的操作系统会判断处理器的版本(CPUID)，进而选择是否采用“快速系统调用”。

此时 msr 176 是 nt!KiFastCallEntry：

nt!KiFastCallEntry:
80541510 b923000000      mov     ecx,23h
80541515 6a30            push    30h
80541517 0fa1            pop     fs
80541519 8ed9            mov     ds,cx
8054151b 8ec1            mov     es,cx
8054151d 648b0d40000000 mov     ecx,dword ptr fs:[40h]
80541524 8b6104          mov     esp,dword ptr [ecx+4]
80541527 6a23            push    23h
80541529 52              push    edx
8054152a 9c              pushfd
8054152b 6a02            push    2
8054152d 83c208          add     edx,8
80541530 9d              popfd
80541531 804c240102      or      byte ptr [esp+1],2
80541536 6a1b            push    1Bh
80541538 ff350403dfff    push    dword ptr ds:[0FFDF0304h]
8054153e 6a00            push    0
80541540 55              push    ebp
80541541 53              push    ebx
80541542 56              push    esi
80541543 57              push    edi
80541544 648b1d1c000000 mov     ebx,dword ptr fs:[1Ch]
8054154b 6a3b            push    3Bh
8054154d 8bb324010000    mov     esi,dword ptr [ebx+124h]
80541553 ff33            push    dword ptr [ebx]
80541555 c703ffffffff    mov     dword ptr [ebx],0FFFFFFFFh
8054155b 8b6e18          mov     ebp,dword ptr [esi+18h]
8054155e 6a01            push    1
80541560 83ec48          sub     esp,48h
80541563 81ed9c020000    sub     ebp,29Ch
80541569 c6864001000001 mov     byte ptr [esi+140h],1
80541570 3bec            cmp     ebp,esp
80541572 758d            jne     nt!KiFastCallEntry2+0x49 (80541501)
80541574 83652c00        and     dword ptr [ebp+2Ch],0
80541578 f6462cff        test    byte ptr [esi+2Ch],0FFh
8054157c 89ae34010000    mov     dword ptr [esi+134h],ebp
80541582 0f8538feffff    jne     nt!Dr_FastCallDrSave (805413c0)
80541588 8b5d60          mov     ebx,dword ptr [ebp+60h]
8054158b 8b7d68          mov     edi,dword ptr [ebp+68h]
8054158e 89550c          mov     dword ptr [ebp+0Ch],edx
80541591 c74508000ddbba mov     dword ptr [ebp+8],0BADB0D00h
80541598 895d00          mov     dword ptr [ebp],ebx
8054159b 897d04          mov     dword ptr [ebp+4],edi
8054159e fb              sti
8054159f 8bf8            mov     edi,eax ; 注意这里就是 nt!KiSystemService 跳转过来的地方
805415a1 c1ef08          shr     edi,8
805415a4 83e730          and     edi,30h
805415a7 8bcf            mov     ecx,edi
805415a9 03bee0000000    add     edi,dword ptr [esi+0E0h]
805415af 8bd8            mov     ebx,eax
805415b1 25ff0f0000      and     eax,0FFFh
805415b6 3b4708          cmp     eax,dword ptr [edi+8]
805415b9 0f8333fdffff    jae     nt!KiBBTUnexpectedRange (805412f2)
805415bf 83f910          cmp     ecx,10h
805415c2 751b            jne     nt!KiFastCallEntry+0xcf (805415df)
805415c4 648b0d18000000 mov     ecx,dword ptr fs:[18h]
805415cb 33db            xor     ebx,ebx
805415cd 0b99700f0000    or      ebx,dword ptr [ecx+0F70h]
805415d3 740a            je      nt!KiFastCallEntry+0xcf (805415df)
805415d5 52              push    edx
805415d6 50              push    eax
805415d7 ff1528c75580    call    dword ptr [nt!KeGdiFlushUserBatch (8055c728)]
805415dd 58              pop     eax
805415de 5a              pop     edx
805415df 64ff0538060000 inc     dword ptr fs:[638h]
805415e6 8bf2            mov     esi,edx
805415e8 8b5f0c          mov     ebx,dword ptr [edi+0Ch]
805415eb 33c9            xor     ecx,ecx
805415ed 8a0c18          mov     cl,byte ptr [eax+ebx]
805415f0 8b3f            mov     edi,dword ptr [edi]
805415f2 8b1c87          mov     ebx,dword ptr [edi+eax*4]
805415f5 2be1            sub     esp,ecx
805415f7 c1e902          shr     ecx,2
805415fa 8bfc            mov     edi,esp
805415fc 3b3514215680    cmp     esi,dword ptr [nt!MmUserProbeAddress (80562114)]
80541602 0f83a8010000    jae     nt!KiSystemCallExit2+0x9f (805417b0)
80541608 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
8054160a ffd3            call    ebx
........

这个是标准的内核服务派遣流程。

而 nt!KiSystemService 函数此时只是 nt!KiFastCallEntry 的封装：

nt!KiSystemService:
80541441 6a00            push    0
80541443 55              push    ebp
80541444 53              push    ebx
80541445 56              push    esi
80541446 57              push    edi
80541447 0fa0            push    fs
80541449 bb30000000      mov     ebx,30h
8054144e 668ee3          mov     fs,bx
80541451 64ff3500000000 push    dword ptr fs:[0]
80541458 64c70500000000ffffffff mov dword ptr fs:[0],0FFFFFFFFh
80541463 648b3524010000 mov     esi,dword ptr fs:[124h]
8054146a ffb640010000    push    dword ptr [esi+140h]
80541470 83ec48          sub     esp,48h
80541473 8b5c246c        mov     ebx,dword ptr [esp+6Ch]
80541477 83e301          and     ebx,1
8054147a 889e40010000    mov     byte ptr [esi+140h],bl
80541480 8bec            mov     ebp,esp
80541482 8b9e34010000    mov     ebx,dword ptr [esi+134h]
80541488 895d3c          mov     dword ptr [ebp+3Ch],ebx
8054148b 89ae34010000    mov     dword ptr [esi+134h],ebp
80541491 fc              cld
80541492 8b5d60          mov     ebx,dword ptr [ebp+60h]
80541495 8b7d68          mov     edi,dword ptr [ebp+68h]
80541498 89550c          mov     dword ptr [ebp+0Ch],edx
8054149b c74508000ddbba mov     dword ptr [ebp+8],0BADB0D00h
805414a2 895d00          mov     dword ptr [ebp],ebx
805414a5 897d04          mov     dword ptr [ebp+4],edi
805414a8 f6462cff        test    byte ptr [esi+2Ch],0FFh
805414ac 0f858afeffff    jne     nt!Dr_kss_a (8054133c)
805414b2 fb              sti
805414b3 e9e7000000      jmp     nt!KiFastCallEntry+0x8f (8054159f)
........

用中断计数工具查看会发现 IDT 0x2E 不会被系统主动触发(从中断系统走)。如图：

Re: KiFastCallEntry为何没有进入KiSystemService, 却直接进入KiServiceExit?

merry 2009-04-13, 18:33 下午
请问王宇
你用的中断计数工具是什么名字？

Re: KiFastCallEntry为何没有进入KiSystemService, 却直接进入KiServiceExit?

merry 2009-04-14, 09:18 上午
看到王宇的回复后，做实验加以验证。
从我做实验的结果来看，确实看到是从nt!KiSystemService无条件转移(jmp)到nt!KiFastCallEntry 中继续执行，这让我更迷惑了。

MSR 176 指向nt!KiFastCallEntry ：
1) 在win2000时，nt!KiFastCallEntry执行完再执行nt!KiSystemService，进行系统服务分发(Service Dispatcher)。
2) 然而在winxp时，nt!KiFastCallEntry函数不跳转到nt!KiSystemService，反而是nt!KiSystemService跳转到nt!KiFastCallEntry。那么，既然nt!KiFastCallEntry函数不转移到nt!KiSystemService，nt!KiSystemService如何获得CPU执行机会？
假设nt!KiSystemService获得了执行机会，为什么没有进行系统服务分发，却又要跳回nt!KiFastCallEntry？

谢谢！

Re: KiFastCallEntry为何没有进入KiSystemService, 却直接进入KiServiceExit?

王宇 2009-04-15, 10:08 上午
昨天不在，见到了 HD Moore。呵呵楼主没想清楚

在 Win-2000 下不支持所谓的 msr，nt!KiSystemService 例程就是最终"服务派遣"的实现者。此时 nt!KiFastCallEntry 函数虽然存在，但不会被调用(试验看就是这样的)，从反汇编来看即使被调用了它也只是前者的一个封装。

Win-2000 之后，nt!KiFastCallEntry 函数变成了核心，所以"服务派遣"工作改由它来实现。但 idt 0x2E 的处理例程 (nt!KiSystemService) 依然存在，为的是方便那些 "在不支持 SYSENTER / SYSCALL 的老处理器上安装 Win-XP+" 的机器可以工作(它们还要依靠中断陷入内核)。此时 nt!KiSystemService 是 nt!KiFastCallEntry 的封装，从实验来看，系统不会主动走中断调用 nt!KiSystemService。

Re: KiFastCallEntry为何没有进入KiSystemService, 却直接进入KiServiceExit?

merry 2009-04-15, 13:07 下午
     呵呵！看来那天晚上我做实验状态有问题.

    因为你前面的回复已经很清楚：win2000不支持Fast System Call(sysenter等指令)，所以不应该说"在win2000上，MSR 176指向nt!KiFastCallEntry".

     另外，你所说的"封装"(eg.:nt!KiSystemService 是 nt!KiFastCallEntry 的封装)是指：
              nt!KiSystemService就是 nt!KiFastCallEntry 的stub吗？

     下图是我从一篇英文pdf文档中看到并修改后upload,你看一下画红圈是否有问题。（那篇英文pdf文档出处已记不得）
        http://clouddisk.co.cc/files/get/m5D_NKur0Z/ad.jpg
      （因为不知道论坛如何上传图片，所以放到网络免费硬盘clouddisk,在网页中Image Preview部分可以看到原图的缩略图，如要看全图，需等待几十秒）

Re: KiFastCallEntry为何没有进入KiSystemService, 却直接进入KiServiceExit?

王宇 2009-04-15, 16:37 下午
这种示意图没必要当真的呵呵