kd>
nt!KiFastCallEntry+0xe3:
8053c7f3 c1e902 shr ecx,2
8053c7f6 8bfc mov edi,esp
8053c7f8 3b35b47b5580 cmp esi,dword ptr [nt!MmUserProbeAddress (80557bb4)]
8053c7fe 0f83a8010000 jae nt!KiSystemCallExit2+0x9f (8053c9ac)
8053c804 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
8053c806 ffd3 call ebx
8053c808 8be5 mov esp,ebp
8053c80a 8b0d24f1dfff mov ecx,dword ptr ds:[0FFDFF124h]
这个是拦截到的正常系统调用（ebx 指向 nt 中带符号的服务例程 nt!NtReplyWaitReceivePortEx）
kd> g
Breakpoint 7 hit
nt!KiFastCallEntry+0xf6:
8053c806 ffd3 call ebx
kd> u ebx
nt!NtReplyWaitReceivePortEx:
80599d26 6a78 push 78h
80599d28 68e0914d80 push offset nt!_real+0x1f0 (804d91e0)
80599d2d e8aed3f9ff call nt!_SEH_prolog (805370e0)
80599d32 33db xor ebx,ebx
80599d34 895de0 mov dword ptr [ebp-20h],ebx
80599d37 64a124010000 mov eax,dword ptr fs:[00000124h]
80599d3d 8bc8 mov ecx,eax
80599d3f 894dd4 mov dword ptr [ebp-2Ch],ecx
另外一种触发情况（此时 ebx 指向一个没有符号的地址）
kd> g
Breakpoint 7 hit
nt!KiFastCallEntry+0xf6:
8053c806 ffd3 call ebx
kd> u ebx
bf80362c 6a24 push 24h
bf80362e 6828b198bf push 0BF98B128h
bf803633 e8b5d4ffff call bf800aed
bf803638 e8fdd3ffff call bf800a3a
bf80363d f74518fcff00fb test dword ptr [ebp+18h],0FB00FFFCh
bf803644 75d3 jne bf803619
bf803646 33f6 xor esi,esi
bf803648 56 push esi
lm 也不知道这个地址 bf80362c 是哪个模块的（可以用 lm a bf80362c 或 ln bf80362c 直接查出该地址所属的模块；下面的 lm 输出看起来不完整，XP 上 bf80xxxx 这段地址通常属于 win32k.sys，需要确认）
kd> lm
start end module name
804d7000 806cd280 nt (pdb symbols) c:\work\symbols\ntkrnlpa.pdb\BD8F451F3E754ED8A34B50560CEB08E31\ntkrnlpa.pdb
ed7ea000 ed813f00 kmixer (deferred)
ee262000 ee26d000 PROCEXP152 (deferred)
Unloaded modules:
ed7ea000 ed814000 kmixer.sys
ed8b2000 ed8dc000 kmixer.sys
ed9a2000 ed9cc000 kmixer.sys
ee1e8000 ee212000 kmixer.sys
f7cd9000 f7cda000 drmkaud.sys
f6c88000 f6c95000 DMusic.sys
ee2b2000 ee2d5000 aec.sys
f6c98000 f6ca6000 swmidi.sys
f7b61000 f7b63000 splitter.sys
f7955000 f795a000 Cdaudio.SYS
f7aad000 f7ab0000 Sfloppy.SYS