360晶核保护-浅谈实现原理-深入检测并让其失效

360晶核保护系列

狐白 最后一次编辑 接近 3 年前

浅谈

当谈到 360 晶核时,听起来就很高大上,并且支持 AMD、Intel 处理器。【所谓的独创的国际领先防护技术,利用CPU的硬件虚拟化机制,增强您电脑的安全防护,专为64位系统】——这到底是什么技术呢?那就让我们一探究竟。

虚拟化技术

一谈到虚拟化技术,就不得不提到看着很吓人的“无痕”,例如无痕隐藏内存、无痕 HOOK 等等,这里我们不深入研究。

SYSCALL

syscall 这条指令应该很熟悉,它用于发起系统调用,SSDT、SSSDT 中的函数都会经过这条指令。
那么这条指令的原理是什么呢?来看手册。
最终 RIP 指向的是 MSR_STAR(更准确地说是 IA32_LSTAR MSR)中保存的入口地址,在 Windows 中就是 KiSystemCall64:
.text:0000000140405AC0 KiSystemCall64 proc near ; DATA XREF: .pdata:00000001400E3874↑o .text:0000000140405AC0 ; sub_1403E6754+21↑o ... .text:0000000140405AC0 .text:0000000140405AC0 var_1E8 = byte ptr -1E8h .text:0000000140405AC0 var_1C0 = qword ptr -1C0h .text:0000000140405AC0 var_1B8 = qword ptr -1B8h .text:0000000140405AC0 var_1B0 = qword ptr -1B0h .text:0000000140405AC0 var_1A8 = qword ptr -1A8h .text:0000000140405AC0 var_1A0 = qword ptr -1A0h .text:0000000140405AC0 var_110 = qword ptr -110h .text:0000000140405AC0 var_90 = qword ptr -90h .text:0000000140405AC0 .text:0000000140405AC0 ; __unwind { // KiSystemServiceHandler .text:0000000140405AC0 0F 01 F8 swapgs .text:0000000140405AC3 65 48 89 24 25 10 00 00 00 mov gs:10h, rsp .text:0000000140405ACC 65 48 8B 24 25 A8 01 00 00 mov rsp, gs:1A8h .text:0000000140405AD5 6A 2B push 2Bh ; '+' .text:0000000140405AD7 65 FF 34 25 10 00 00 00 push qword ptr gs:10h .text:0000000140405ADF 41 53 push r11 .text:0000000140405AE1 6A 33 push 33h ; '3' .text:0000000140405AE3 51 push rcx .text:0000000140405AE4 49 8B CA mov rcx, r10 .text:0000000140405AE7 48 83 EC 08 sub rsp, 8 .text:0000000140405AEB 55 push rbp .text:0000000140405AEC 48 81 EC 58 01 00 00 sub rsp, 158h .text:0000000140405AF3 48 8D AC 24 80 00 00 00 lea rbp, [rsp+190h+var_110] .text:0000000140405AFB 48 89 9D C0 00 00 00 mov [rbp+0C0h], rbx .text:0000000140405B02 48 89 BD C8 00 00 00 mov [rbp+0C8h], rdi .text:0000000140405B09 48 89 B5 D0 00 00 00 mov [rbp+0D0h], rsi .text:0000000140405B10 F6 05 35 6A 8F 00 FF test byte ptr cs:KeSmapEnabled, 0FFh .text:0000000140405B17 74 0C jz short loc_140405B25 .text:0000000140405B19 F6 85 F0 00 00 00 01 test byte ptr [rbp+0F0h], 1 .text:0000000140405B20 74 03 jz short loc_140405B25 .text:0000000140405B22 0F 01 CB stac .text:0000000140405B25 .text:0000000140405B25 loc_140405B25: ; CODE XREF: KiSystemCall64+57↑j .text:0000000140405B25 ; KiSystemCall64+60↑j .text:0000000140405B25 48 89 45 B0 mov [rbp-50h], rax .text:0000000140405B29 48 
89 4D B8 mov [rbp-48h], rcx .text:0000000140405B2D 48 89 55 C0 mov [rbp-40h], rdx .text:0000000140405B31 65 48 8B 0C 25 88 01 00 00 mov rcx, gs:188h .text:0000000140405B3A 48 8B 89 20 02 00 00 mov rcx, [rcx+220h] .text:0000000140405B41 48 8B 89 E0 09 00 00 mov rcx, [rcx+9E0h] .text:0000000140405B48 65 48 89 0C 25 70 02 00 00 mov gs:270h, rcx .text:0000000140405B51 65 8A 0C 25 50 08 00 00 mov cl, gs:850h .text:0000000140405B59 65 88 0C 25 51 08 00 00 mov gs:851h, cl .text:0000000140405B61 65 8A 0C 25 78 02 00 00 mov cl, gs:278h .text:0000000140405B69 65 88 0C 25 52 08 00 00 mov gs:852h, cl .text:0000000140405B71 65 0F B6 04 25 7B 02 00 00 movzx eax, byte ptr gs:27Bh .text:0000000140405B7A 65 38 04 25 7A 02 00 00 cmp gs:27Ah, al .text:0000000140405B82 74 11 jz short loc_140405B95 .text:0000000140405B84 65 88 04 25 7A 02 00 00 mov gs:27Ah, al .text:0000000140405B8C B9 48 00 00 00 mov ecx, 48h ; 'H' .text:0000000140405B91 33 D2 xor edx, edx .text:0000000140405B93 0F 30 wrmsr .text:0000000140405B95 .text:0000000140405B95 loc_140405B95: ; CODE XREF: KiSystemCall64+C2↑j .text:0000000140405B95 65 0F B6 14 25 78 02 00 00 movzx edx, byte ptr gs:278h .text:0000000140405B9E F7 C2 08 00 00 00 test edx, 8 .text:0000000140405BA4 74 13 jz short loc_140405BB9 .text:0000000140405BA6 B8 01 00 00 00 mov eax, 1 .text:0000000140405BAB 33 D2 xor edx, edx .text:0000000140405BAD B9 49 00 00 00 mov ecx, 49h ; 'I' .text:0000000140405BB2 0F 30 wrmsr .text:0000000140405BB4 E9 3E 01 00 00 jmp loc_140405CF7 .text:0000000140405BB9 ; --------------------------------------------------------------------------- .text:0000000140405BB9 .text:0000000140405BB9 loc_140405BB9: ; CODE XREF: KiSystemCall64+E4↑j .text:0000000140405BB9 F7 C2 02 00 00 00 test edx, 2 .text:0000000140405BBF 0F 84 2F 01 00 00 jz loc_140405CF4 .text:0000000140405BC5 65 F6 04 25 79 02 00 00 04 test byte ptr gs:279h, 4 .text:0000000140405BCE 0F 85 20 01 00 00 jnz loc_140405CF4 .text:0000000140405BD4 E8 0E 01 00 00 call loc_140405CE7 
.text:0000000140405BD9 .text:0000000140405BD9 loc_140405BD9: ; CODE XREF: KiSystemCall64+126↓p .text:0000000140405BD9 48 83 C4 08 add rsp, 8 .text:0000000140405BDD E8 0E 01 00 00 call loc_140405CF0 .text:0000000140405BE2 .text:0000000140405BE2 loc_140405BE2: ; CODE XREF: KiSystemCall64+12F↓p .text:0000000140405BE2 48 83 C4 08 add rsp, 8 .text:0000000140405BE6 E8 EE FF FF FF call loc_140405BD9 .text:0000000140405BEB .text:0000000140405BEB loc_140405BEB: ; CODE XREF: KiSystemCall64+138↓p .text:0000000140405BEB 48 83 C4 08 add rsp, 8 .text:0000000140405BEF E8 EE FF FF FF call loc_140405BE2 .text:0000000140405BF4 .text:0000000140405BF4 loc_140405BF4: ; CODE XREF: KiSystemCall64+141↓p .text:0000000140405BF4 48 83 C4 08 add rsp, 8 .text:0000000140405BF8 E8 EE FF FF FF call loc_140405BEB .text:0000000140405BFD .text:0000000140405BFD loc_140405BFD: ; CODE XREF: KiSystemCall64+14A↓p .text:0000000140405BFD 48 83 C4 08 add rsp, 8 .text:0000000140405C01 E8 EE FF FF FF call loc_140405BF4 .text:0000000140405C06 .text:0000000140405C06 loc_140405C06: ; CODE XREF: KiSystemCall64+153↓p .text:0000000140405C06 48 83 C4 08 add rsp, 8 .text:0000000140405C0A E8 EE FF FF FF call loc_140405BFD .text:0000000140405C0F .text:0000000140405C0F loc_140405C0F: ; CODE XREF: KiSystemCall64+15C↓p .text:0000000140405C0F 48 83 C4 08 add rsp, 8 .text:0000000140405C13 E8 EE FF FF FF call loc_140405C06 .text:0000000140405C18 .text:0000000140405C18 loc_140405C18: ; CODE XREF: KiSystemCall64+165↓p .text:0000000140405C18 48 83 C4 08 add rsp, 8 .text:0000000140405C1C E8 EE FF FF FF call loc_140405C0F .text:0000000140405C21 .text:0000000140405C21 loc_140405C21: ; CODE XREF: KiSystemCall64+16E↓p .text:0000000140405C21 48 83 C4 08 add rsp, 8 .text:0000000140405C25 E8 EE FF FF FF call loc_140405C18 .text:0000000140405C2A .text:0000000140405C2A loc_140405C2A: ; CODE XREF: KiSystemCall64+177↓p .text:0000000140405C2A 48 83 C4 08 add rsp, 8 .text:0000000140405C2E E8 EE FF FF FF call loc_140405C21 
.text:0000000140405C33 .text:0000000140405C33 loc_140405C33: ; CODE XREF: KiSystemCall64+180↓p .text:0000000140405C33 48 83 C4 08 add rsp, 8 .text:0000000140405C37 E8 EE FF FF FF call loc_140405C2A .text:0000000140405C3C .text:0000000140405C3C loc_140405C3C: ; CODE XREF: KiSystemCall64+189↓p .text:0000000140405C3C 48 83 C4 08 add rsp, 8 .text:0000000140405C40 E8 EE FF FF FF call loc_140405C33 .text:0000000140405C45 .text:0000000140405C45 loc_140405C45: ; CODE XREF: KiSystemCall64+192↓p .text:0000000140405C45 48 83 C4 08 add rsp, 8 .text:0000000140405C49 E8 EE FF FF FF call loc_140405C3C .text:0000000140405C4E .text:0000000140405C4E loc_140405C4E: ; CODE XREF: KiSystemCall64+19B↓p .text:0000000140405C4E 48 83 C4 08 add rsp, 8 .text:0000000140405C52 E8 EE FF FF FF call loc_140405C45 .text:0000000140405C57 .text:0000000140405C57 loc_140405C57: ; CODE XREF: KiSystemCall64+1A4↓p .text:0000000140405C57 48 83 C4 08 add rsp, 8 .text:0000000140405C5B E8 EE FF FF FF call loc_140405C4E .text:0000000140405C60 .text:0000000140405C60 loc_140405C60: ; CODE XREF: KiSystemCall64+1AD↓p .text:0000000140405C60 48 83 C4 08 add rsp, 8 .text:0000000140405C64 E8 EE FF FF FF call loc_140405C57 .text:0000000140405C69 .text:0000000140405C69 loc_140405C69: ; CODE XREF: KiSystemCall64+1B6↓p .text:0000000140405C69 48 83 C4 08 add rsp, 8 .text:0000000140405C6D E8 EE FF FF FF call loc_140405C60 .text:0000000140405C72 .text:0000000140405C72 loc_140405C72: ; CODE XREF: KiSystemCall64+1BF↓p .text:0000000140405C72 48 83 C4 08 add rsp, 8 .text:0000000140405C76 E8 EE FF FF FF call loc_140405C69 .text:0000000140405C7B .text:0000000140405C7B loc_140405C7B: ; CODE XREF: KiSystemCall64+1C8↓p .text:0000000140405C7B 48 83 C4 08 add rsp, 8 .text:0000000140405C7F E8 EE FF FF FF call loc_140405C72 .text:0000000140405C84 .text:0000000140405C84 loc_140405C84: ; CODE XREF: KiSystemCall64+1D1↓p .text:0000000140405C84 48 83 C4 08 add rsp, 8 .text:0000000140405C88 E8 EE FF FF FF call loc_140405C7B 
.text:0000000140405C8D .text:0000000140405C8D loc_140405C8D: ; CODE XREF: KiSystemCall64+1DA↓p .text:0000000140405C8D 48 83 C4 08 add rsp, 8 .text:0000000140405C91 E8 EE FF FF FF call loc_140405C84 .text:0000000140405C96 .text:0000000140405C96 loc_140405C96: ; CODE XREF: KiSystemCall64+1E3↓p .text:0000000140405C96 48 83 C4 08 add rsp, 8 .text:0000000140405C9A E8 EE FF FF FF call loc_140405C8D .text:0000000140405C9F .text:0000000140405C9F loc_140405C9F: ; CODE XREF: KiSystemCall64+1EC↓p .text:0000000140405C9F 48 83 C4 08 add rsp, 8 .text:0000000140405CA3 E8 EE FF FF FF call loc_140405C96 .text:0000000140405CA8 .text:0000000140405CA8 loc_140405CA8: ; CODE XREF: KiSystemCall64+1F5↓p .text:0000000140405CA8 48 83 C4 08 add rsp, 8 .text:0000000140405CAC E8 EE FF FF FF call loc_140405C9F .text:0000000140405CB1 .text:0000000140405CB1 loc_140405CB1: ; CODE XREF: KiSystemCall64+1FE↓p .text:0000000140405CB1 48 83 C4 08 add rsp, 8 .text:0000000140405CB5 E8 EE FF FF FF call loc_140405CA8 .text:0000000140405CBA .text:0000000140405CBA loc_140405CBA: ; CODE XREF: KiSystemCall64+207↓p .text:0000000140405CBA 48 83 C4 08 add rsp, 8 .text:0000000140405CBE E8 EE FF FF FF call loc_140405CB1 .text:0000000140405CC3 .text:0000000140405CC3 loc_140405CC3: ; CODE XREF: KiSystemCall64+210↓p .text:0000000140405CC3 48 83 C4 08 add rsp, 8 .text:0000000140405CC7 E8 EE FF FF FF call loc_140405CBA .text:0000000140405CCC .text:0000000140405CCC loc_140405CCC: ; CODE XREF: KiSystemCall64+219↓p .text:0000000140405CCC 48 83 C4 08 add rsp, 8 .text:0000000140405CD0 E8 EE FF FF FF call loc_140405CC3 .text:0000000140405CD5 .text:0000000140405CD5 loc_140405CD5: ; CODE XREF: KiSystemCall64+222↓p .text:0000000140405CD5 48 83 C4 08 add rsp, 8 .text:0000000140405CD9 E8 EE FF FF FF call loc_140405CCC .text:0000000140405CDE .text:0000000140405CDE loc_140405CDE: ; CODE XREF: KiSystemCall64+22B↓p .text:0000000140405CDE 48 83 C4 08 add rsp, 8 .text:0000000140405CE2 E8 EE FF FF FF call loc_140405CD5 
.text:0000000140405CE7 .text:0000000140405CE7 loc_140405CE7: ; CODE XREF: KiSystemCall64+114↑p .text:0000000140405CE7 48 83 C4 08 add rsp, 8 .text:0000000140405CEB E8 EE FF FF FF call loc_140405CDE .text:0000000140405CF0 .text:0000000140405CF0 loc_140405CF0: ; CODE XREF: KiSystemCall64+11D↑p .text:0000000140405CF0 48 83 C4 08 add rsp, 8 .text:0000000140405CF4 .text:0000000140405CF4 loc_140405CF4: ; CODE XREF: KiSystemCall64+FF↑j .text:0000000140405CF4 ; KiSystemCall64+10E↑j .text:0000000140405CF4 0F AE E8 lfence .text:0000000140405CF7 .text:0000000140405CF7 loc_140405CF7: ; CODE XREF: KiSystemCall64+F4↑j .text:0000000140405CF7 65 C6 04 25 53 08 00 00 00 mov byte ptr gs:853h, 0 .text:0000000140405D00 .text:0000000140405D00 KiSystemServiceUser: ; CODE XREF: KiSystemService+237↑j .text:0000000140405D00 ; KiSystemCall64Shadow+258↓j .text:0000000140405D00 C6 45 AB 02 mov byte ptr [rbp-55h], 2 .text:0000000140405D04 65 48 8B 1C 25 88 01 00 00 mov rbx, gs:188h .text:0000000140405D0D 0F 0D 8B 90 00 00 00 prefetchw byte ptr [rbx+90h] .text:0000000140405D14 0F AE 5D AC stmxcsr dword ptr [rbp-54h] .text:0000000140405D18 65 0F AE 14 25 80 01 00 00 ldmxcsr dword ptr gs:180h .text:0000000140405D21 80 7B 03 00 cmp byte ptr [rbx+3], 0 .text:0000000140405D25 66 C7 85 80 00 00 00 00 00 mov word ptr [rbp+80h], 0 .text:0000000140405D2E 0F 84 D0 00 00 00 jz loc_140405E04 .text:0000000140405D34 F6 43 03 03 test byte ptr [rbx+3], 3 .text:0000000140405D38 4C 89 45 C8 mov [rbp-38h], r8 .text:0000000140405D3C 4C 89 4D D0 mov [rbp-30h], r9 .text:0000000140405D40 74 05 jz short loc_140405D47 .text:0000000140405D42 E8 A9 ED FE FF call KiSaveDebugRegisterState .text:0000000140405D47 .text:0000000140405D47 loc_140405D47: ; CODE XREF: KiSystemCall64+280↑j .text:0000000140405D47 F6 43 03 24 test byte ptr [rbx+3], 24h .text:0000000140405D4B 74 56 jz short loc_140405DA3 .text:0000000140405D4D 4C 89 55 E0 mov [rbp-20h], r10 .text:0000000140405D51 4C 89 55 D8 mov [rbp-28h], r10 .text:0000000140405D55 
0F 29 45 F0 movaps xmmword ptr [rbp-10h], xmm0 .text:0000000140405D59 0F 29 4D 00 movaps xmmword ptr [rbp+0], xmm1 .text:0000000140405D5D 0F 29 55 10 movaps xmmword ptr [rbp+10h], xmm2 .text:0000000140405D61 0F 29 5D 20 movaps xmmword ptr [rbp+20h], xmm3 .text:0000000140405D65 0F 29 65 30 movaps xmmword ptr [rbp+30h], xmm4 .text:0000000140405D69 0F 29 6D 40 movaps xmmword ptr [rbp+40h], xmm5 .text:0000000140405D6D FB sti .text:0000000140405D6E 48 8B CC mov rcx, rsp .text:0000000140405D71 E8 BA 68 17 00 call PsAltSystemCallDispatch .text:0000000140405D76 3C 01 cmp al, 1 .text:0000000140405D78 74 29 jz short loc_140405DA3 .text:0000000140405D7A 48 8B 45 B0 mov rax, [rbp-50h] .text:0000000140405D7E 7C 14 jl short loc_140405D94 .text:0000000140405D80 B9 1C 00 00 C0 mov ecx, 0C000001Ch .text:0000000140405D85 33 D2 xor edx, edx .text:0000000140405D87 4C 8B 85 E8 00 00 00 mov r8, [rbp+0E8h] .text:0000000140405D8E E8 ED 07 00 00 call KiExceptionDispatch .text:0000000140405D93 CC int 3 ; Trap to Debugger .text:0000000140405D94 ; --------------------------------------------------------------------------- .text:0000000140405D94 .text:0000000140405D94 loc_140405D94: ; CODE XREF: KiSystemCall64+2BE↑j .text:0000000140405D94 F6 43 03 04 test byte ptr [rbx+3], 4 .text:0000000140405D98 0F 84 22 02 00 00 jz KiSystemServiceExit .text:0000000140405D9E E9 92 04 00 00 jmp KiSystemServiceExitPico .text:0000000140405DA3 ; --------------------------------------------------------------------------- .text:0000000140405DA3 .text:0000000140405DA3 loc_140405DA3: ; CODE XREF: KiSystemCall64+28B↑j .text:0000000140405DA3 ; KiSystemCall64+2B8↑j .text:0000000140405DA3 F6 43 03 80 test byte ptr [rbx+3], 80h .text:0000000140405DA7 74 48 jz short loc_140405DF1 .text:0000000140405DA9 B9 02 01 00 C0 mov ecx, 0C0000102h .text:0000000140405DAE 0F 32 rdmsr .text:0000000140405DB0 48 C1 E2 20 shl rdx, 20h .text:0000000140405DB4 48 0B C2 or rax, rdx .text:0000000140405DB7 48 3B 05 AA B5 C1 FF cmp rax, 
cs:MmUserProbeAddress .text:0000000140405DBE 48 0F 43 05 A2 B5 C1 FF cmovnb rax, cs:MmUserProbeAddress .text:0000000140405DC6 48 39 83 F0 00 00 00 cmp [rbx+0F0h], rax .text:0000000140405DCD 74 22 jz short loc_140405DF1 .text:0000000140405DCF 48 8B 93 F0 01 00 00 mov rdx, [rbx+1F0h] .text:0000000140405DD6 0F BA 6B 74 08 bts dword ptr [rbx+74h], 8 .text:0000000140405DDB 66 FF 8B E6 01 00 00 dec word ptr [rbx+1E6h] .text:0000000140405DE2 48 89 82 80 00 00 00 mov [rdx+80h], rax .text:0000000140405DE9 FB sti .text:0000000140405DEA E8 D1 12 00 00 call KiUmsCallEntry .text:0000000140405DEF EB 0B jmp short loc_140405DFC .text:0000000140405DF1 ; --------------------------------------------------------------------------- .text:0000000140405DF1 .text:0000000140405DF1 loc_140405DF1: ; CODE XREF: KiSystemCall64+2E7↑j .text:0000000140405DF1 ; KiSystemCall64+30D↑j .text:0000000140405DF1 F6 43 03 40 test byte ptr [rbx+3], 40h .text:0000000140405DF5 74 05 jz short loc_140405DFC .text:0000000140405DF7 0F BA 6B 74 10 bts dword ptr [rbx+74h], 10h .text:0000000140405DFC .text:0000000140405DFC loc_140405DFC: ; CODE XREF: KiSystemCall64+32F↑j .text:0000000140405DFC ; KiSystemCall64+335↑j .text:0000000140405DFC 4C 8B 45 C8 mov r8, [rbp-38h] .text:0000000140405E00 4C 8B 4D D0 mov r9, [rbp-30h] .text:0000000140405E04 .text:0000000140405E04 loc_140405E04: ; CODE XREF: KiSystemCall64+26E↑j .text:0000000140405E04 48 8B 45 B0 mov rax, [rbp-50h] .text:0000000140405E08 48 8B 4D B8 mov rcx, [rbp-48h] .text:0000000140405E0C 48 8B 55 C0 mov rdx, [rbp-40h] .text:0000000140405E10 FB sti .text:0000000140405E11 48 89 8B 88 00 00 00 mov [rbx+88h], rcx .text:0000000140405E18 89 83 80 00 00 00 mov [rbx+80h], eax .text:0000000140405E1E 66 90 xchg ax, ax .text:0000000140405E20 .text:0000000140405E20 KiSystemServiceStart: ; DATA XREF: KiServiceInternal+5A↑o .text:0000000140405E20 ; .data:0000000140C00340↓o .text:0000000140405E20 48 89 A3 90 00 00 00 mov [rbx+90h], rsp .text:0000000140405E27 8B F8 mov edi, eax 
.text:0000000140405E29 C1 EF 07 shr edi, 7 .text:0000000140405E2C 83 E7 20 and edi, 20h .text:0000000140405E2F 25 FF 0F 00 00 and eax, 0FFFh .text:0000000140405E34 .text:0000000140405E34 KiSystemServiceRepeat: ; CODE XREF: KiSystemCall64+90E↓j .text:0000000140405E34 4C 8D 15 85 BA 9F 00 lea r10, KeServiceDescriptorTable .text:0000000140405E3B 4C 8D 1D FE 6B 8F 00 lea r11, KeServiceDescriptorTableShadow .text:0000000140405E42 F7 43 78 80 00 00 00 test dword ptr [rbx+78h], 80h .text:0000000140405E49 74 13 jz short loc_140405E5E .text:0000000140405E4B F7 43 78 00 00 20 00 test dword ptr [rbx+78h], 200000h .text:0000000140405E52 74 07 jz short loc_140405E5B .text:0000000140405E54 4C 8D 1D 65 6D 8F 00 lea r11, KeServiceDescriptorTableFilter .text:0000000140405E5B .text:0000000140405E5B loc_140405E5B: ; CODE XREF: KiSystemCall64+392↑j .text:0000000140405E5B 4D 8B D3 mov r10, r11 .text:0000000140405E5E .text:0000000140405E5E loc_140405E5E: ; CODE XREF: KiSystemCall64+389↑j .text:0000000140405E5E 41 3B 44 3A 10 cmp eax, [r10+rdi+10h] .text:0000000140405E63 0F 83 2C 05 00 00 jnb loc_140406395 .text:0000000140405E69 4D 8B 14 3A mov r10, [r10+rdi] .text:0000000140405E6D 4D 63 1C 82 movsxd r11, dword ptr [r10+rax*4] .text:0000000140405E71 49 8B C3 mov rax, r11 .text:0000000140405E74 49 C1 FB 04 sar r11, 4 .text:0000000140405E78 4D 03 D3 add r10, r11 .text:0000000140405E7B 83 FF 20 cmp edi, 20h ; ' ' .text:0000000140405E7E 75 50 jnz short loc_140405ED0 .text:0000000140405E80 4C 8B 9B F0 00 00 00 mov r11, [rbx+0F0h] .text:0000000140405E87 .text:0000000140405E87 KiSystemServiceGdiTebAccess: ; DATA XREF: KiSystemServiceHandler+D↑o .text:0000000140405E87 41 83 BB 40 17 00 00 00 cmp dword ptr [r11+1740h], 0 .text:0000000140405E8F 74 3F jz short loc_140405ED0 .text:0000000140405E91 48 89 45 B0 mov [rbp-50h], rax .text:0000000140405E95 48 89 4D B8 mov [rbp-48h], rcx .text:0000000140405E99 48 89 55 C0 mov [rbp-40h], rdx .text:0000000140405E9D 49 8B D8 mov rbx, r8 .text:0000000140405EA0 
49 8B F9 mov rdi, r9 .text:0000000140405EA3 49 8B F2 mov rsi, r10 .text:0000000140405EA6 B9 07 00 00 00 mov ecx, 7 .text:0000000140405EAB 33 D2 xor edx, edx .text:0000000140405EAD 4D 33 C0 xor r8, r8 .text:0000000140405EB0 4D 33 C9 xor r9, r9 .text:0000000140405EB3 E8 D8 F7 2F 00 call PsInvokeWin32Callout .text:0000000140405EB8 48 8B 45 B0 mov rax, [rbp-50h] .text:0000000140405EBC 48 8B 4D B8 mov rcx, [rbp-48h] .text:0000000140405EC0 48 8B 55 C0 mov rdx, [rbp-40h] .text:0000000140405EC4 4C 8B C3 mov r8, rbx .text:0000000140405EC7 4C 8B CF mov r9, rdi .text:0000000140405ECA 4C 8B D6 mov r10, rsi .text:0000000140405ECD 0F 1F 00 nop dword ptr [rax] .text:0000000140405ED0 .text:0000000140405ED0 loc_140405ED0: ; CODE XREF: KiSystemCall64+3BE↑j .text:0000000140405ED0 ; KiSystemCall64+3CF↑j .text:0000000140405ED0 83 E0 0F and eax, 0Fh .text:0000000140405ED3 0F 84 B7 00 00 00 jz KiSystemServiceCopyEnd .text:0000000140405ED9 C1 E0 03 shl eax, 3 .text:0000000140405EDC 48 8D 64 24 90 lea rsp, [rsp-70h] .text:0000000140405EE1 48 8D 7C 24 18 lea rdi, [rsp+200h+var_1E8] .text:0000000140405EE6 48 8B B5 00 01 00 00 mov rsi, [rbp+100h] .text:0000000140405EED 48 8D 76 20 lea rsi, [rsi+20h] .text:0000000140405EF1 F6 85 F0 00 00 00 01 test byte ptr [rbp+0F0h], 1 .text:0000000140405EF8 74 16 jz short loc_140405F10 .text:0000000140405EFA 48 3B 35 67 B4 C1 FF cmp rsi, cs:MmUserProbeAddress .text:0000000140405F01 48 0F 43 35 5F B4 C1 FF cmovnb rsi, cs:MmUserProbeAddress .text:0000000140405F09 0F 1F 80 00 00 00 00 nop dword ptr [rax+00000000h] .text:0000000140405F10 .text:0000000140405F10 loc_140405F10: ; CODE XREF: KiSystemCall64+438↑j .text:0000000140405F10 4C 8D 1D 79 00 00 00 lea r11, KiSystemServiceCopyEnd .text:0000000140405F17 4C 2B D8 sub r11, rax .text:0000000140405F1A 41 FF E3 jmp r11 .text:0000000140405F1A ; --------------------------------------------------------------------------- .text:0000000140405F1D CC CC CC align 20h .text:0000000140405F20 .text:0000000140405F20 
KiSystemServiceCopyStart: ; DATA XREF: KiSystemServiceHandler+1A↑o .text:0000000140405F20 48 8B 46 70 mov rax, [rsi+70h] .text:0000000140405F24 48 89 47 70 mov [rdi+70h], rax .text:0000000140405F28 48 8B 46 68 mov rax, [rsi+68h] .text:0000000140405F2C 48 89 47 68 mov [rdi+68h], rax .text:0000000140405F30 48 8B 46 60 mov rax, [rsi+60h] .text:0000000140405F34 48 89 47 60 mov [rdi+60h], rax .text:0000000140405F38 48 8B 46 58 mov rax, [rsi+58h] .text:0000000140405F3C 48 89 47 58 mov [rdi+58h], rax .text:0000000140405F40 48 8B 46 50 mov rax, [rsi+50h] .text:0000000140405F44 48 89 47 50 mov [rdi+50h], rax .text:0000000140405F48 48 8B 46 48 mov rax, [rsi+48h] .text:0000000140405F4C 48 89 47 48 mov [rdi+48h], rax .text:0000000140405F50 48 8B 46 40 mov rax, [rsi+40h] .text:0000000140405F54 48 89 47 40 mov [rdi+40h], rax .text:0000000140405F58 48 8B 46 38 mov rax, [rsi+38h] .text:0000000140405F5C 48 89 47 38 mov [rdi+38h], rax .text:0000000140405F60 48 8B 46 30 mov rax, [rsi+30h] .text:0000000140405F64 48 89 47 30 mov [rdi+30h], rax .text:0000000140405F68 48 8B 46 28 mov rax, [rsi+28h] .text:0000000140405F6C 48 89 47 28 mov [rdi+28h], rax .text:0000000140405F70 48 8B 46 20 mov rax, [rsi+20h] .text:0000000140405F74 48 89 47 20 mov [rdi+20h], rax .text:0000000140405F78 48 8B 46 18 mov rax, [rsi+18h] .text:0000000140405F7C 48 89 47 18 mov [rdi+18h], rax .text:0000000140405F80 48 8B 46 10 mov rax, [rsi+10h] .text:0000000140405F84 48 89 47 10 mov [rdi+10h], rax .text:0000000140405F88 48 8B 46 08 mov rax, [rsi+8] .text:0000000140405F8C 48 89 47 08 mov [rdi+8], rax .text:0000000140405F90 .text:0000000140405F90 KiSystemServiceCopyEnd: ; CODE XREF: KiSystemCall64+413↑j .text:0000000140405F90 ; DATA XREF: KiSystemServiceHandler+27↑o ... 
.text:0000000140405F90 F7 05 66 66 8F 00 01 00 00 00 test cs:KiDynamicTraceMask, 1 .text:0000000140405F9A 0F 85 93 04 00 00 jnz loc_140406433 .text:0000000140405FA0 F7 05 DE 64 8F 00 40 00 00 00 test dword ptr cs:PerfGlobalGroupMask+8, 40h .text:0000000140405FAA 0F 85 F7 04 00 00 jnz loc_1404064A7 .text:0000000140405FB0 49 8B C2 mov rax, r10 .text:0000000140405FB3 FF D0 call rax .text:0000000140405FB5 0F 1F 00 nop dword ptr [rax] .text:0000000140405FB8 .text:0000000140405FB8 loc_140405FB8: ; CODE XREF: KiSystemCall64+9E2↓j .text:0000000140405FB8 ; KiSystemCall64+A39↓j .text:0000000140405FB8 65 FF 04 25 B8 2E 00 00 inc dword ptr gs:2EB8h .text:0000000140405FC0 .text:0000000140405FC0 KiSystemServiceExit: ; CODE XREF: KiSystemCall64+2D8↑j .text:0000000140405FC0 ; KiSystemCall64+92F↓j ... .text:0000000140405FC0 48 8B 9D C0 00 00 00 mov rbx, [rbp+0C0h] .text:0000000140405FC7 48 8B BD C8 00 00 00 mov rdi, [rbp+0C8h] .text:0000000140405FCE 48 8B B5 D0 00 00 00 mov rsi, [rbp+0D0h] .text:0000000140405FD5 65 4C 8B 1C 25 88 01 00 00 mov r11, gs:188h .text:0000000140405FDE F6 85 F0 00 00 00 01 test byte ptr [rbp+0F0h], 1 .text:0000000140405FE5 0F 84 1D 02 00 00 jz loc_140406208 .text:0000000140405FEB 44 0F 20 C1 mov rcx, cr8 .text:0000000140405FEF 41 0A 8B 4A 02 00 00 or cl, [r11+24Ah] .text:0000000140405FF6 41 0B 8B E4 01 00 00 or ecx, [r11+1E4h] .text:0000000140405FFD 0F 85 FC 03 00 00 jnz loc_1404063FF .text:0000000140406003 FA cli .text:0000000140406004 .text:0000000140406004 loc_140406004: ; CODE XREF: KiSystemCall64+5AD↓j .text:0000000140406004 65 48 8B 0C 25 88 01 00 00 mov rcx, gs:188h .text:000000014040600D F6 81 C2 00 00 00 03 test byte ptr [rcx+0C2h], 3 .text:0000000140406014 74 59 jz short loc_14040606F .text:0000000140406016 48 89 45 B0 mov [rbp-50h], rax .text:000000014040601A 33 C0 xor eax, eax .text:000000014040601C 48 89 45 B8 mov [rbp-48h], rax .text:0000000140406020 48 89 45 C0 mov [rbp-40h], rax .text:0000000140406024 48 89 45 C8 mov [rbp-38h], rax 
.text:0000000140406028 48 89 45 D0 mov [rbp-30h], rax .text:000000014040602C 48 89 45 D8 mov [rbp-28h], rax .text:0000000140406030 48 89 45 E0 mov [rbp-20h], rax .text:0000000140406034 66 0F EF C0 pxor xmm0, xmm0 .text:0000000140406038 0F 29 45 F0 movaps xmmword ptr [rbp-10h], xmm0 .text:000000014040603C 0F 29 45 00 movaps xmmword ptr [rbp+0], xmm0 .text:0000000140406040 0F 29 45 10 movaps xmmword ptr [rbp+10h], xmm0 .text:0000000140406044 0F 29 45 20 movaps xmmword ptr [rbp+20h], xmm0 .text:0000000140406048 0F 29 45 30 movaps xmmword ptr [rbp+30h], xmm0 .text:000000014040604C 0F 29 45 40 movaps xmmword ptr [rbp+40h], xmm0 .text:0000000140406050 B9 01 00 00 00 mov ecx, 1 .text:0000000140406055 44 0F 22 C1 mov cr8, rcx .text:0000000140406059 FB sti .text:000000014040605A E8 71 2A FF FF call KiInitiateUserApc .text:000000014040605F FA cli .text:0000000140406060 B9 00 00 00 00 mov ecx, 0 .text:0000000140406065 44 0F 22 C1 mov cr8, rcx .text:0000000140406069 48 8B 45 B0 mov rax, [rbp-50h] .text:000000014040606D EB 95 jmp short loc_140406004 .text:000000014040606F ; --------------------------------------------------------------------------- .text:000000014040606F .text:000000014040606F loc_14040606F: ; CODE XREF: KiSystemCall64+554↑j .text:000000014040606F 65 F6 04 25 7E 02 00 00 02 test byte ptr gs:27Eh, 2 .text:0000000140406078 74 0F jz short loc_140406089 .text:000000014040607A 48 89 45 B0 mov [rbp-50h], rax .text:000000014040607E 33 C9 xor ecx, ecx .text:0000000140406080 E8 5B EA E5 FF call KiUpdateStibpPairing .text:0000000140406085 48 8B 45 B0 mov rax, [rbp-50h] .text:0000000140406089 .text:0000000140406089 loc_140406089: ; CODE XREF: KiSystemCall64+5B8↑j .text:0000000140406089 65 48 8B 0C 25 88 01 00 00 mov rcx, gs:188h .text:0000000140406092 F7 01 00 00 00 08 test dword ptr [rcx], 8000000h .text:0000000140406098 74 3F jz short loc_1404060D9 .text:000000014040609A 48 89 45 B0 mov [rbp-50h], rax .text:000000014040609E 33 C0 xor eax, eax .text:00000001404060A0 48 
89 45 B8 mov [rbp-48h], rax .text:00000001404060A4 48 89 45 C0 mov [rbp-40h], rax .text:00000001404060A8 48 89 45 C8 mov [rbp-38h], rax .text:00000001404060AC 48 89 45 D0 mov [rbp-30h], rax .text:00000001404060B0 48 89 45 D8 mov [rbp-28h], rax .text:00000001404060B4 48 89 45 E0 mov [rbp-20h], rax .text:00000001404060B8 66 0F EF C0 pxor xmm0, xmm0 .text:00000001404060BC 0F 29 45 F0 movaps xmmword ptr [rbp-10h], xmm0 .text:00000001404060C0 0F 29 45 00 movaps xmmword ptr [rbp+0], xmm0 .text:00000001404060C4 0F 29 45 10 movaps xmmword ptr [rbp+10h], xmm0 .text:00000001404060C8 0F 29 45 20 movaps xmmword ptr [rbp+20h], xmm0 .text:00000001404060CC 0F 29 45 30 movaps xmmword ptr [rbp+30h], xmm0 .text:00000001404060D0 0F 29 45 40 movaps xmmword ptr [rbp+40h], xmm0 .text:00000001404060D4 E8 27 F4 FE FF call KiRestoreSetContextState .text:00000001404060D9 .text:00000001404060D9 loc_1404060D9: ; CODE XREF: KiSystemCall64+5D8↑j .text:00000001404060D9 65 48 8B 0C 25 88 01 00 00 mov rcx, gs:188h .text:00000001404060E2 F7 01 00 00 01 40 test dword ptr [rcx], 40010000h .text:00000001404060E8 74 2D jz short loc_140406117 .text:00000001404060EA 48 89 45 B0 mov [rbp-50h], rax .text:00000001404060EE F6 41 02 01 test byte ptr [rcx+2], 1 .text:00000001404060F2 74 0E jz short loc_140406102 .text:00000001404060F4 E8 97 F8 10 00 call KiCopyCounters .text:00000001404060F9 65 48 8B 0C 25 88 01 00 00 mov rcx, gs:188h .text:0000000140406102 .text:0000000140406102 loc_140406102: ; CODE XREF: KiSystemCall64+632↑j .text:0000000140406102 F6 41 03 40 test byte ptr [rcx+3], 40h .text:0000000140406106 74 0B jz short loc_140406113 .text:0000000140406108 48 8D 65 80 lea rsp, [rbp-80h] .text:000000014040610C 33 C9 xor ecx, ecx .text:000000014040610E E8 2D 12 00 00 call KiUmsExit .text:0000000140406113 .text:0000000140406113 loc_140406113: ; CODE XREF: KiSystemCall64+646↑j .text:0000000140406113 48 8B 45 B0 mov rax, [rbp-50h] .text:0000000140406117 .text:0000000140406117 loc_140406117: ; CODE XREF: 
KiSystemCall64+628↑j .text:0000000140406117 0F AE 55 AC ldmxcsr dword ptr [rbp-54h] .text:000000014040611B 4D 33 D2 xor r10, r10 .text:000000014040611E 66 83 BD 80 00 00 00 00 cmp word ptr [rbp+80h], 0 .text:0000000140406126 74 41 jz short loc_140406169 .text:0000000140406128 48 89 45 B0 mov [rbp-50h], rax .text:000000014040612C E8 3F E9 FE FF call KiRestoreDebugRegisterState .text:0000000140406131 65 48 8B 04 25 88 01 00 00 mov rax, gs:188h .text:000000014040613A 48 8B 80 B8 00 00 00 mov rax, [rax+0B8h] .text:0000000140406141 48 8B 80 D8 03 00 00 mov rax, [rax+3D8h] .text:0000000140406148 48 0B C0 or rax, rax .text:000000014040614B 74 18 jz short loc_140406165 .text:000000014040614D 66 83 BD F0 00 00 00 33 cmp word ptr [rbp+0F0h], 33h ; '3' .text:0000000140406155 75 0E jnz short loc_140406165 .text:0000000140406157 4C 8B 95 E8 00 00 00 mov r10, [rbp+0E8h] .text:000000014040615E 48 89 85 E8 00 00 00 mov [rbp+0E8h], rax .text:0000000140406165 .text:0000000140406165 loc_140406165: ; CODE XREF: KiSystemCall64+68B↑j .text:0000000140406165 ; KiSystemCall64+695↑j .text:0000000140406165 48 8B 45 B0 mov rax, [rbp-50h] .text:0000000140406169 .text:0000000140406169 loc_140406169: ; CODE XREF: KiSystemCall64+666↑j .text:0000000140406169 48 89 45 B0 mov [rbp-50h], rax .text:000000014040616D 65 C6 04 25 53 08 00 00 00 mov byte ptr gs:853h, 0 .text:0000000140406176 65 0F B6 04 25 7D 02 00 00 movzx eax, byte ptr gs:27Dh .text:000000014040617F 65 38 04 25 7A 02 00 00 cmp gs:27Ah, al .text:0000000140406187 74 11 jz short loc_14040619A .text:0000000140406189 65 88 04 25 7A 02 00 00 mov gs:27Ah, al .text:0000000140406191 B9 48 00 00 00 mov ecx, 48h ; 'H' .text:0000000140406196 33 D2 xor edx, edx .text:0000000140406198 0F 30 wrmsr .text:000000014040619A .text:000000014040619A loc_14040619A: ; CODE XREF: KiSystemCall64+6C7↑j .text:000000014040619A 66 65 0F BA 34 25 78 02 00 00 02 btr word ptr gs:278h, 2 .text:00000001404061A5 73 0E jnb short loc_1404061B5 .text:00000001404061A7 B8 01 
00 00 00 mov eax, 1 .text:00000001404061AC 33 D2 xor edx, edx .text:00000001404061AE B9 49 00 00 00 mov ecx, 49h ; 'I' .text:00000001404061B3 0F 30 wrmsr .text:00000001404061B5 .text:00000001404061B5 loc_1404061B5: ; CODE XREF: KiSystemCall64+6E5↑j .text:00000001404061B5 48 8B 45 B0 mov rax, [rbp-50h] .text:00000001404061B9 4C 8B 85 00 01 00 00 mov r8, [rbp+100h] .text:00000001404061C0 4C 8B 8D D8 00 00 00 mov r9, [rbp+0D8h] .text:00000001404061C7 33 D2 xor edx, edx .text:00000001404061C9 66 0F EF C0 pxor xmm0, xmm0 .text:00000001404061CD 66 0F EF C9 pxor xmm1, xmm1 .text:00000001404061D1 66 0F EF D2 pxor xmm2, xmm2 .text:00000001404061D5 66 0F EF DB pxor xmm3, xmm3 .text:00000001404061D9 66 0F EF E4 pxor xmm4, xmm4 .text:00000001404061DD 66 0F EF ED pxor xmm5, xmm5 .text:00000001404061E1 48 8B 8D E8 00 00 00 mov rcx, [rbp+0E8h] .text:00000001404061E8 4C 8B 9D F8 00 00 00 mov r11, [rbp+0F8h] .text:00000001404061EF F6 05 4A B6 9F 00 01 test cs:KiKvaShadow, 1 .text:00000001404061F6 0F 85 C4 CB 60 00 jnz KiKernelSysretExit .text:00000001404061FC 49 8B E9 mov rbp, r9 .text:00000001404061FF 49 8B E0 mov rsp, r8 .text:0000000140406202 0F 01 F8 swapgs .text:0000000140406205 48 0F 07 sysret .text:0000000140406208 ; --------------------------------------------------------------------------- .text:0000000140406208 .text:0000000140406208 loc_140406208: ; CODE XREF: KiSystemCall64+525↑j .text:0000000140406208 48 8B 95 B8 00 00 00 mov rdx, [rbp+0B8h] .text:000000014040620F 49 89 93 90 00 00 00 mov [r11+90h], rdx .text:0000000140406216 8A 55 A8 mov dl, [rbp-58h] .text:0000000140406219 41 88 93 32 02 00 00 mov [r11+232h], dl .text:0000000140406220 FA cli .text:0000000140406221 48 8B E5 mov rsp, rbp .text:0000000140406224 48 8B AD D8 00 00 00 mov rbp, [rbp+0D8h] .text:000000014040622B 48 8B A4 24 00 01 00 00 mov rsp, [rsp+190h+var_90] .text:0000000140406233 FB sti .text:0000000140406234 C3 retn .text:0000000140406235 ; 
--------------------------------------------------------------------------- .text:0000000140406235 .text:0000000140406235 KiSystemServiceExitPico: ; CODE XREF: KiSystemCall64+2DE↑j .text:0000000140406235 65 4C 8B 1C 25 88 01 00 00 mov r11, gs:188h .text:000000014040623E 44 0F 20 C1 mov rcx, cr8 .text:0000000140406242 41 0A 8B 4A 02 00 00 or cl, [r11+24Ah] .text:0000000140406249 41 0B 8B E4 01 00 00 or ecx, [r11+1E4h] .text:0000000140406250 0F 85 A9 01 00 00 jnz loc_1404063FF .text:0000000140406256 FA cli .text:0000000140406257 48 89 45 B0 mov [rbp-50h], rax .text:000000014040625B .text:000000014040625B loc_14040625B: ; CODE XREF: KiSystemCall64+7C6↓j .text:000000014040625B 65 48 8B 0C 25 88 01 00 00 mov rcx, gs:188h .text:0000000140406264 F6 81 C2 00 00 00 03 test byte ptr [rcx+0C2h], 3 .text:000000014040626B 74 1B jz short loc_140406288 .text:000000014040626D B9 01 00 00 00 mov ecx, 1 .text:0000000140406272 44 0F 22 C1 mov cr8, rcx .text:0000000140406276 FB sti .text:0000000140406277 E8 54 28 FF FF call KiInitiateUserApc .text:000000014040627C B9 00 00 00 00 mov ecx, 0 .text:0000000140406281 44 0F 22 C1 mov cr8, rcx .text:0000000140406285 FA cli .text:0000000140406286 EB D3 jmp short loc_14040625B .text:0000000140406288 ; --------------------------------------------------------------------------- .text:0000000140406288 .text:0000000140406288 loc_140406288: ; CODE XREF: KiSystemCall64+7AB↑j .text:0000000140406288 65 F6 04 25 7E 02 00 00 02 test byte ptr gs:27Eh, 2 .text:0000000140406291 74 07 jz short loc_14040629A .text:0000000140406293 33 C9 xor ecx, ecx .text:0000000140406295 E8 46 E8 E5 FF call KiUpdateStibpPairing .text:000000014040629A .text:000000014040629A loc_14040629A: ; CODE XREF: KiSystemCall64+7D1↑j .text:000000014040629A 65 48 8B 0C 25 88 01 00 00 mov rcx, gs:188h .text:00000001404062A3 F7 01 00 00 00 08 test dword ptr [rcx], 8000000h .text:00000001404062A9 74 05 jz short loc_1404062B0 .text:00000001404062AB E8 50 F2 FE FF call 
KiRestoreSetContextState .text:00000001404062B0 .text:00000001404062B0 loc_1404062B0: ; CODE XREF: KiSystemCall64+7E9↑j .text:00000001404062B0 65 48 8B 0C 25 88 01 00 00 mov rcx, gs:188h .text:00000001404062B9 F6 41 02 01 test byte ptr [rcx+2], 1 .text:00000001404062BD 74 0E jz short loc_1404062CD .text:00000001404062BF E8 CC F6 10 00 call KiCopyCounters .text:00000001404062C4 65 48 8B 0C 25 88 01 00 00 mov rcx, gs:188h .text:00000001404062CD .text:00000001404062CD loc_1404062CD: ; CODE XREF: KiSystemCall64+7FD↑j .text:00000001404062CD 66 83 BD 80 00 00 00 00 cmp word ptr [rbp+80h], 0 .text:00000001404062D5 74 05 jz short loc_1404062DC .text:00000001404062D7 E8 94 E7 FE FF call KiRestoreDebugRegisterState .text:00000001404062DC .text:00000001404062DC loc_1404062DC: ; CODE XREF: KiSystemCall64+815↑j .text:00000001404062DC 65 C6 04 25 53 08 00 00 00 mov byte ptr gs:853h, 0 .text:00000001404062E5 65 0F B6 04 25 7D 02 00 00 movzx eax, byte ptr gs:27Dh .text:00000001404062EE 65 38 04 25 7A 02 00 00 cmp gs:27Ah, al .text:00000001404062F6 74 11 jz short loc_140406309 .text:00000001404062F8 65 88 04 25 7A 02 00 00 mov gs:27Ah, al .text:0000000140406300 B9 48 00 00 00 mov ecx, 48h ; 'H' .text:0000000140406305 33 D2 xor edx, edx .text:0000000140406307 0F 30 wrmsr .text:0000000140406309 .text:0000000140406309 loc_140406309: ; CODE XREF: KiSystemCall64+836↑j .text:0000000140406309 66 65 0F BA 34 25 78 02 00 00 02 btr word ptr gs:278h, 2 .text:0000000140406314 73 0E jnb short loc_140406324 .text:0000000140406316 B8 01 00 00 00 mov eax, 1 .text:000000014040631B 33 D2 xor edx, edx .text:000000014040631D B9 49 00 00 00 mov ecx, 49h ; 'I' .text:0000000140406322 0F 30 wrmsr .text:0000000140406324 .text:0000000140406324 loc_140406324: ; CODE XREF: KiSystemCall64+854↑j .text:0000000140406324 0F AE 55 AC ldmxcsr dword ptr [rbp-54h] .text:0000000140406328 0F 28 45 F0 movaps xmm0, xmmword ptr [rbp-10h] .text:000000014040632C 0F 28 4D 00 movaps xmm1, xmmword ptr [rbp+0] 
.text:0000000140406330 0F 28 55 10 movaps xmm2, xmmword ptr [rbp+10h] .text:0000000140406334 0F 28 5D 20 movaps xmm3, xmmword ptr [rbp+20h] .text:0000000140406338 0F 28 65 30 movaps xmm4, xmmword ptr [rbp+30h] .text:000000014040633C 0F 28 6D 40 movaps xmm5, xmmword ptr [rbp+40h] .text:0000000140406340 4C 8B 5D E0 mov r11, [rbp-20h] .text:0000000140406344 4C 8B 55 D8 mov r10, [rbp-28h] .text:0000000140406348 4C 8B 4D D0 mov r9, [rbp-30h] .text:000000014040634C 4C 8B 45 C8 mov r8, [rbp-38h] .text:0000000140406350 48 8B 55 C0 mov rdx, [rbp-40h] .text:0000000140406354 48 8B 4D B8 mov rcx, [rbp-48h] .text:0000000140406358 48 8B 45 B0 mov rax, [rbp-50h] .text:000000014040635C 48 8B B5 D0 00 00 00 mov rsi, [rbp+0D0h] .text:0000000140406363 48 8B BD C8 00 00 00 mov rdi, [rbp+0C8h] .text:000000014040636A 48 8B 9D C0 00 00 00 mov rbx, [rbp+0C0h] .text:0000000140406371 48 8B E5 mov rsp, rbp .text:0000000140406374 48 8B AD D8 00 00 00 mov rbp, [rbp+0D8h] .text:000000014040637B 48 81 C4 E8 00 00 00 add rsp, 0E8h .text:0000000140406382 F6 05 B7 B4 9F 00 01 test cs:KiKvaShadow, 1 .text:0000000140406389 74 05 jz short loc_140406390 .text:000000014040638B E9 F0 C7 60 00 jmp KiKernelExit .text:0000000140406390 ; --------------------------------------------------------------------------- .text:0000000140406390 .text:0000000140406390 loc_140406390: ; CODE XREF: KiSystemCall64+8C9↑j .text:0000000140406390 0F 01 F8 swapgs .text:0000000140406393 48 CF iretq .text:0000000140406395 ; --------------------------------------------------------------------------- .text:0000000140406395 .text:0000000140406395 loc_140406395: ; CODE XREF: KiSystemCall64+3A3↑j .text:0000000140406395 83 FF 20 cmp edi, 20h ; ' ' .text:0000000140406398 75 5B jnz short loc_1404063F5 .text:000000014040639A 89 45 80 mov [rbp-80h], eax .text:000000014040639D 48 89 4D 88 mov [rbp-78h], rcx .text:00000001404063A1 48 89 55 90 mov [rbp-70h], rdx .text:00000001404063A5 4C 89 45 98 mov [rbp-68h], r8 .text:00000001404063A9 4C 89 
4D A0 mov [rbp-60h], r9 .text:00000001404063AD E8 8E 1E FF FF call KiConvertToGuiThread .text:00000001404063B2 0B C0 or eax, eax .text:00000001404063B4 8B 45 80 mov eax, [rbp-80h] .text:00000001404063B7 48 8B 4D 88 mov rcx, [rbp-78h] .text:00000001404063BB 48 8B 55 90 mov rdx, [rbp-70h] .text:00000001404063BF 4C 8B 45 98 mov r8, [rbp-68h] .text:00000001404063C3 4C 8B 4D A0 mov r9, [rbp-60h] .text:00000001404063C7 48 89 A3 90 00 00 00 mov [rbx+90h], rsp .text:00000001404063CE 0F 84 60 FA FF FF jz KiSystemServiceRepeat .text:00000001404063D4 48 8D 3D 85 66 8F 00 lea rdi, xmmword_140CFCA60 .text:00000001404063DB 8B 77 10 mov esi, [rdi+10h] .text:00000001404063DE 48 8B 3F mov rdi, [rdi] .text:00000001404063E1 3B C6 cmp eax, esi .text:00000001404063E3 73 10 jnb short loc_1404063F5 .text:00000001404063E5 48 8D 3C B7 lea rdi, [rdi+rsi*4] .text:00000001404063E9 0F BE 04 07 movsx eax, byte ptr [rdi+rax] .text:00000001404063ED 0B C0 or eax, eax .text:00000001404063EF 0F 8E CB FB FF FF jle KiSystemServiceExit .text:00000001404063F5 .text:00000001404063F5 loc_1404063F5: ; CODE XREF: KiSystemCall64+8D8↑j .text:00000001404063F5 ; KiSystemCall64+923↑j .text:00000001404063F5 B8 1C 00 00 C0 mov eax, 0C000001Ch .text:00000001404063FA E9 C1 FB FF FF jmp KiSystemServiceExit .text:00000001404063FF ; --------------------------------------------------------------------------- .text:00000001404063FF .text:00000001404063FF loc_1404063FF: ; CODE XREF: KiSystemCall64+53D↑j .text:00000001404063FF ; KiSystemCall64+790↑j .text:00000001404063FF B9 4A 00 00 00 mov ecx, 4Ah ; 'J' .text:0000000140406404 45 33 C9 xor r9d, r9d .text:0000000140406407 45 0F 20 C0 mov r8, cr8 .text:000000014040640B 45 0B C0 or r8d, r8d .text:000000014040640E 75 14 jnz short loc_140406424 .text:0000000140406410 B9 01 00 00 00 mov ecx, 1 .text:0000000140406415 45 0F B6 83 4A 02 00 00 movzx r8d, byte ptr [r11+24Ah] .text:000000014040641D 45 8B 8B E4 01 00 00 mov r9d, [r11+1E4h] .text:0000000140406424 .text:0000000140406424 
loc_140406424: ; CODE XREF: KiSystemCall64+94E↑j .text:0000000140406424 48 8B 95 E8 00 00 00 mov rdx, [rbp+0E8h] .text:000000014040642B 4C 8B D5 mov r10, rbp .text:000000014040642E E8 CD 00 00 00 call KiBugCheckDispatch .text:0000000140406433 ; --------------------------------------------------------------------------- .text:0000000140406433 .text:0000000140406433 loc_140406433: ; CODE XREF: KiSystemCall64+4DA↑j .text:0000000140406433 48 83 EC 50 sub rsp, 50h .text:0000000140406437 48 89 4C 24 20 mov [rsp+1E0h+var_1C0], rcx .text:000000014040643C 48 89 54 24 28 mov [rsp+1E0h+var_1B8], rdx .text:0000000140406441 4C 89 44 24 30 mov [rsp+1E0h+var_1B0], r8 .text:0000000140406446 4C 89 4C 24 38 mov [rsp+1E0h+var_1A8], r9 .text:000000014040644B 4C 89 54 24 40 mov [rsp+1E0h+var_1A0], r10 .text:0000000140406450 49 8B CA mov rcx, r10 .text:0000000140406453 48 8B D4 mov rdx, rsp .text:0000000140406456 48 83 C2 20 add rdx, 20h ; ' ' .text:000000014040645A 49 C7 C0 04 00 00 00 mov r8, 4 .text:0000000140406461 4C 8B CC mov r9, rsp .text:0000000140406464 49 83 C1 70 add r9, 70h ; 'p' .text:0000000140406468 E8 C3 2B 4B 00 call KiTrackSystemCallEntry .text:000000014040646D 48 89 45 B0 mov [rbp-50h], rax .text:0000000140406471 48 8B 4C 24 20 mov rcx, [rsp+1E0h+var_1C0] .text:0000000140406476 48 8B 54 24 28 mov rdx, [rsp+1E0h+var_1B8] .text:000000014040647B 4C 8B 44 24 30 mov r8, [rsp+1E0h+var_1B0] .text:0000000140406480 4C 8B 4C 24 38 mov r9, [rsp+1E0h+var_1A8] .text:0000000140406485 4C 8B 54 24 40 mov r10, [rsp+1E0h+var_1A0] .text:000000014040648A 48 83 C4 50 add rsp, 50h .text:000000014040648E 49 8B C2 mov rax, r10 .text:0000000140406491 FF D0 call rax .text:0000000140406493 0F 1F 00 nop dword ptr [rax] .text:0000000140406496 48 8B 4D B0 mov rcx, [rbp-50h] .text:000000014040649A 48 8B D0 mov rdx, rax .text:000000014040649D E8 AE 2C 4B 00 call KiTrackSystemCallExit .text:00000001404064A2 E9 11 FB FF FF jmp loc_140405FB8 .text:00000001404064A7 ; 
--------------------------------------------------------------------------- .text:00000001404064A7 .text:00000001404064A7 loc_1404064A7: ; CODE XREF: KiSystemCall64+4EA↑j .text:00000001404064A7 48 83 EC 50 sub rsp, 50h .text:00000001404064AB 48 89 4C 24 20 mov [rsp+1E0h+var_1C0], rcx .text:00000001404064B0 48 89 54 24 28 mov [rsp+1E0h+var_1B8], rdx .text:00000001404064B5 4C 89 44 24 30 mov [rsp+1E0h+var_1B0], r8 .text:00000001404064BA 4C 89 4C 24 38 mov [rsp+1E0h+var_1A8], r9 .text:00000001404064BF 4C 89 54 24 40 mov [rsp+1E0h+var_1A0], r10 .text:00000001404064C4 49 8B CA mov rcx, r10 .text:00000001404064C7 E8 F4 D7 19 00 call PerfInfoLogSysCallEntry .text:00000001404064CC 48 8B 4C 24 20 mov rcx, [rsp+1E0h+var_1C0] .text:00000001404064D1 48 8B 54 24 28 mov rdx, [rsp+1E0h+var_1B8] .text:00000001404064D6 4C 8B 44 24 30 mov r8, [rsp+1E0h+var_1B0] .text:00000001404064DB 4C 8B 4C 24 38 mov r9, [rsp+1E0h+var_1A8] .text:00000001404064E0 4C 8B 54 24 40 mov r10, [rsp+1E0h+var_1A0] .text:00000001404064E5 48 83 C4 50 add rsp, 50h .text:00000001404064E9 49 8B C2 mov rax, r10 .text:00000001404064EC FF D0 call rax .text:00000001404064EE 0F 1F 00 nop dword ptr [rax] .text:00000001404064F1 48 8B C8 mov rcx, rax .text:00000001404064F4 E8 67 D8 19 00 call PerfInfoLogSysCallExit .text:00000001404064F9 E9 BA FA FF FF jmp loc_140405FB8 .text:00000001404064FE ; --------------------------------------------------------------------------- .text:00000001404064FE C3 retn .text:00000001404064FE ; } // starts at 140405AC0 .text:00000001404064FE KiSystemCall64 endp ; sp-analysis failed
如果我们改写 syscall 入口所用的 MSR(本文沿用 MSR_STAR 这个叫法;严格说,64 位模式下 syscall 的入口 RIP 取自 IA32_LSTAR = 0xC0000082,IA32_STAR = 0xC0000080 只保存 CS/SS 选择子),把 KiSystemCall64 的地址换成我们自己的 KiSystemCall64 副本,所有系统调用就会先进入我们的代码,从而实现 Hook。
代码层面就是一句 __writemsr(MSR_STAR ,KiSystemCall64);(第二个参数是我们自己那份入口代码的地址;这个 MSR 是每个逻辑处理器各有一份,必须在每个核上分别写入)。然而这样直接改写,马上就牵扯到 PatchGuard 了。
PatchGuard 会周期性地读回这个 MSR,检查它是否还指向原始的 KiSystemCall64。借助硬件虚拟化,可以在 MSR bitmap 里让 guest 对该 MSR 的 RDMSR 触发 VM-exit(准确说是 RDMSR exit,而不是 VMCALL),由 hypervisor 的 exit handler 返回原始值,从而骗过 PatchGuard 的 __readmsr 检查。需要注意的是,这只能骗过"读 MSR"这一类检查;下文那种真正执行 syscall 来验证入口地址的检测,是不经过 RDMSR 的。

360晶核检测

结合下面各核上的反汇编可以推断,360 晶核的核心做法就是接管 syscall 入口 MSR(文中的 MSR_STAR):入口被指向 ntoskrnl 映像之外的一段代码(例如 CPU0 上的 ffffc204`4bd361b8,而 nt!KeServiceDescriptorTable 位于 fffff805`6a048880),这段代码基本是 KiSystemCall64 的逐字节拷贝,只是把 RIP 相对的引用(如 cs:KeSmapEnabled 的读取、跳转目标)改成了经内存间接的绝对地址访问和跳转。至于 PatchGuard 为什么没有报错,只能推测:可能是 hypervisor 对 RDMSR 返回了伪造值,也可能是干脆干掉了 PG,本文没有证据区分这两种情况。但无论哪种,在高版本 Win10 中仍然有一种不依赖读 MSR 的方法能检测到它。
INITKDBG:0000000140A0DFD0 KiErrata704Present proc near ; CODE XREF: sub_1403D8B80+B157↑p
INITKDBG:0000000140A0DFD0 ; FsRtlMdlReadCompleteDevEx+BC61↑p
INITKDBG:0000000140A0DFD0 ; DATA XREF: ...
INITKDBG:0000000140A0DFD0 ; Executes SYSCALL with RFLAGS.TF set and with TF removed from IA32_SFMASK,
INITKDBG:0000000140A0DFD0 ; so a single-step #DB is raised on the first instruction of whatever the
INITKDBG:0000000140A0DFD0 ; syscall entry MSR currently points at -- without ever reading that MSR.
INITKDBG:0000000140A0DFD0 ; Only the trap-arming sequence is in this listing.
INITKDBG:0000000140A0DFD0 ; NOTE(review): the comparison of the trapped RIP against KiSystemCall64,
INITKDBG:0000000140A0DFD0 ; and how control gets back to the instruction after SYSCALL, are not shown
INITKDBG:0000000140A0DFD0 ; here (presumably handled on the #DB path); the name suggests the routine
INITKDBG:0000000140A0DFD0 ; was originally a CPU-erratum probe -- confirm before relying on that.
INITKDBG:0000000140A0DFD0 ; Out: rax = rcx as left by SYSCALL. Clobbers rcx, rdx, r10, flags.
INITKDBG:0000000140A0DFD0
INITKDBG:0000000140A0DFD0 var_18 = qword ptr -18h
INITKDBG:0000000140A0DFD0 anonymous_0 = dword ptr -8
INITKDBG:0000000140A0DFD0
INITKDBG:0000000140A0DFD0 B9 84 00 00 C0 mov ecx, 0C0000084h ; IA32_SFMASK
INITKDBG:0000000140A0DFD5 0F 32 rdmsr ; edx:eax = current SFMASK
INITKDBG:0000000140A0DFD7 52 push rdx ; save the original value for the restore below
INITKDBG:0000000140A0DFD8 50 push rax
INITKDBG:0000000140A0DFD9 25 FF FE FF FF and eax, 0FFFFFEFFh ; clear bit 8 (TF): SYSCALL clears every RFLAGS bit set in SFMASK, so TF must survive
INITKDBG:0000000140A0DFDE 0F 30 wrmsr
INITKDBG:0000000140A0DFE0 9C pushfq
INITKDBG:0000000140A0DFE1 81 0C 24 00 01 00 00 or dword ptr [rsp+18h+var_18], 100h ; set TF in the saved RFLAGS copy
INITKDBG:0000000140A0DFE8 9D popfq ; TF is now live: the next instruction boundary is single-stepped
INITKDBG:0000000140A0DFE9 0F 05 syscall ; TF is kept across the transition, so a #DB fires at the real entry address
INITKDBG:0000000140A0DFEB 4C 8B D1 mov r10, rcx ; keep rcx (written by SYSCALL) across the MSR restore
INITKDBG:0000000140A0DFEE B9 84 00 00 C0 mov ecx, 0C0000084h ; IA32_SFMASK again
INITKDBG:0000000140A0DFF3 58 pop rax
INITKDBG:0000000140A0DFF4 5A pop rdx
INITKDBG:0000000140A0DFF5 0F 30 wrmsr ; restore the original SFMASK
INITKDBG:0000000140A0DFF7 49 8B C2 mov rax, r10
INITKDBG:0000000140A0DFFA C3 retn
INITKDBG:0000000140A0DFFA KiErrata704Present endp
KiErrata704Present 之所以能检测到,原理是:先读出 SFMASK MSR(0xC0000084),清掉其中的 TF 位(0x100)再写回——SFMASK 里置位的标志会在 syscall 执行时被 CPU 清除,这一步就是为了保证 TF 不在进入内核的瞬间被复位;然后用 pushfq / or 0x100 / popfq 置上 TF,再执行 syscall。这样无论入口 MSR 指向哪里,CPU 都会在入口的第一条指令上触发单步 #DB,异常处理中拿到的 RIP 就是真实的入口地址,再与 KiSystemCall64 比较即可(比较本身不在这段清单里,应该发生在 #DB 处理路径中;从函数名看它原本像是一个 CPU 勘误探测例程)。最后把保存的 SFMASK 原值恢复。关键在于:这个检测真正走了一次 syscall,不经过 RDMSR,所以仅在 hypervisor 里伪造 RDMSR 的返回值是躲不过它的。

判断晶核是否工作

这里不直接读 MSR,而是用一个旁路特征来判断晶核是否处于工作状态:安装一个全局钩子(SetWindowsHookEx 一类)做对比——晶核模式开启时,360 会拦截全局钩子,关闭时则不会。这只是一个经验性的"是否开启"探测,不说明晶核的实现机制,具体拦截行为以实际测试为准。

寻找360晶核的KiSystemCall64

syscall 入口 MSR 是每个逻辑处理器各自一份,所以需要把线程依次绑定到每个核上,逐核读取入口地址并检查。下面 CPU0 和 CPU1 的入口代码分别位于 ffffc204`4bd361b8 和 ffffc204`4bd381b8,地址不同,说明晶核是按核分别放置入口代码副本的,只检查一个核是不够的。
CPU0
low analysis was incomplete, some code may be missing ffffc204`4bd36198 ff2500000000 jmp qword ptr [ffffc204`4bd3619e] Branch ffffc204`4bd3619e f5 cmc ffffc204`4bd3619f ffc8 dec eax ffffc204`4bd361a1 6905f8ffff0000000000 imul eax,dword ptr [ffffc204`4cd361a3],0 ffffc204`4bd361ab 0000 add byte ptr [rax],al ffffc204`4bd361ad 0000 add byte ptr [rax],al ffffc204`4bd361af 0000 add byte ptr [rax],al ffffc204`4bd361b1 0000 add byte ptr [rax],al ffffc204`4bd361b3 0000 add byte ptr [rax],al ffffc204`4bd361b5 0000 add byte ptr [rax],al ffffc204`4bd361b7 000f add byte ptr [rdi],cl ffffc204`4bd361b8 0f01f8 swapgs ffffc204`4bd361b9 01f8 add eax,edi ffffc204`4bd361bb 654889242510000000 mov qword ptr gs:[10h],rsp ffffc204`4bd361c4 65488b2425a8010000 mov rsp,qword ptr gs:[1A8h] ffffc204`4bd361cd 6a2b push 2Bh ffffc204`4bd361cf 65ff342510000000 push qword ptr gs:[10h] ffffc204`4bd361d7 4153 push r11 ffffc204`4bd361d9 6a33 push 33h ffffc204`4bd361db 51 push rcx ffffc204`4bd361dc 498bca mov rcx,r10 ffffc204`4bd361df 4883ec08 sub rsp,8 ffffc204`4bd361e3 55 push rbp ffffc204`4bd361e4 4881ec58010000 sub rsp,158h ffffc204`4bd361eb 488dac2480000000 lea rbp,[rsp+80h] ffffc204`4bd361f3 48899dc0000000 mov qword ptr [rbp+0C0h],rbx ffffc204`4bd361fa 4889bdc8000000 mov qword ptr [rbp+0C8h],rdi ffffc204`4bd36201 4889b5d0000000 mov qword ptr [rbp+0D0h],rsi ffffc204`4bd36208 50 push rax ffffc204`4bd36209 488b0528050000 mov rax,qword ptr [ffffc204`4bd36738] ffffc204`4bd36210 f600ff test byte ptr [rax],0FFh ffffc204`4bd36213 58 pop rax ffffc204`4bd36214 740c je ffffc204`4bd36222 Branch ffffc204`4bd36216 f685f000000001 test byte ptr [rbp+0F0h],1 ffffc204`4bd3621d 7403 je ffffc204`4bd36222 Branch ffffc204`4bd3621f 0f01cb stac ffffc204`4bd36222 488945b0 mov qword ptr [rbp-50h],rax ffffc204`4bd36226 48894db8 mov qword ptr [rbp-48h],rcx ffffc204`4bd3622a 488955c0 mov qword ptr [rbp-40h],rdx ffffc204`4bd3622e 65488b0c2588010000 mov rcx,qword ptr gs:[188h] ffffc204`4bd36237 488b8920020000 mov rcx,qword ptr 
[rcx+220h] ffffc204`4bd3623e 488b8960080000 mov rcx,qword ptr [rcx+860h] ffffc204`4bd36245 6548890c2570020000 mov qword ptr gs:[270h],rcx ffffc204`4bd3624e 658a0c2550080000 mov cl,byte ptr gs:[850h] ffffc204`4bd36256 65880c2551080000 mov byte ptr gs:[851h],cl ffffc204`4bd3625e 658a0c2578020000 mov cl,byte ptr gs:[278h] ffffc204`4bd36266 65880c2552080000 mov byte ptr gs:[852h],cl ffffc204`4bd3626e 650fb604257b020000 movzx eax,byte ptr gs:[27Bh] ffffc204`4bd36277 653804257a020000 cmp byte ptr gs:[27Ah],al ffffc204`4bd3627f 7411 je ffffc204`4bd36292 Branch ffffc204`4bd36281 658804257a020000 mov byte ptr gs:[27Ah],al ffffc204`4bd36289 b948000000 mov ecx,48h ffffc204`4bd3628e 33d2 xor edx,edx ffffc204`4bd36290 0f30 wrmsr ffffc204`4bd36292 650fb6142578020000 movzx edx,byte ptr gs:[278h] ffffc204`4bd3629b f7c208000000 test edx,8 ffffc204`4bd362a1 7413 je ffffc204`4bd362b6 Branch ffffc204`4bd362a3 b801000000 mov eax,1 ffffc204`4bd362a8 33d2 xor edx,edx ffffc204`4bd362aa b949000000 mov ecx,49h ffffc204`4bd362af 0f30 wrmsr ffffc204`4bd362b1 e93e010000 jmp ffffc204`4bd363f4 Branch ffffc204`4bd362b6 f7c202000000 test edx,2 ffffc204`4bd362bc 0f842f010000 je ffffc204`4bd363f1 Branch ffffc204`4bd362c2 65f604257902000004 test byte ptr gs:[279h],4 ffffc204`4bd362cb 0f8520010000 jne ffffc204`4bd363f1 Branch ffffc204`4bd362d1 e80e010000 call ffffc204`4bd363e4 ffffc204`4bd362d6 4883c408 add rsp,8 ffffc204`4bd362da e80e010000 call ffffc204`4bd363ed ffffc204`4bd362df 4883c408 add rsp,8 ffffc204`4bd362e3 e8eeffffff call ffffc204`4bd362d6 ffffc204`4bd362e8 4883c408 add rsp,8 ffffc204`4bd362ec e8eeffffff call ffffc204`4bd362df ffffc204`4bd362f1 4883c408 add rsp,8 ffffc204`4bd362f5 e8eeffffff call ffffc204`4bd362e8 ffffc204`4bd362fa 4883c408 add rsp,8 ffffc204`4bd362fe e8eeffffff call ffffc204`4bd362f1 ffffc204`4bd36303 4883c408 add rsp,8 ffffc204`4bd36307 e8eeffffff call ffffc204`4bd362fa ffffc204`4bd3630c 4883c408 add rsp,8 ffffc204`4bd36310 e8eeffffff call ffffc204`4bd36303 
ffffc204`4bd36315 4883c408 add rsp,8 ffffc204`4bd36319 e8eeffffff call ffffc204`4bd3630c ffffc204`4bd3631e 4883c408 add rsp,8 ffffc204`4bd36322 e8eeffffff call ffffc204`4bd36315 ffffc204`4bd36327 4883c408 add rsp,8 ffffc204`4bd3632b e8eeffffff call ffffc204`4bd3631e ffffc204`4bd36330 4883c408 add rsp,8 ffffc204`4bd36334 e8eeffffff call ffffc204`4bd36327 ffffc204`4bd36339 4883c408 add rsp,8 ffffc204`4bd3633d e8eeffffff call ffffc204`4bd36330 ffffc204`4bd36342 4883c408 add rsp,8 ffffc204`4bd36346 e8eeffffff call ffffc204`4bd36339 ffffc204`4bd3634b 4883c408 add rsp,8 ffffc204`4bd3634f e8eeffffff call ffffc204`4bd36342 ffffc204`4bd36354 4883c408 add rsp,8 ffffc204`4bd36358 e8eeffffff call ffffc204`4bd3634b ffffc204`4bd3635d 4883c408 add rsp,8 ffffc204`4bd36361 e8eeffffff call ffffc204`4bd36354 ffffc204`4bd36366 4883c408 add rsp,8 ffffc204`4bd3636a e8eeffffff call ffffc204`4bd3635d ffffc204`4bd3636f 4883c408 add rsp,8 ffffc204`4bd36373 e8eeffffff call ffffc204`4bd36366 ffffc204`4bd36378 4883c408 add rsp,8 ffffc204`4bd3637c e8eeffffff call ffffc204`4bd3636f ffffc204`4bd36381 4883c408 add rsp,8 ffffc204`4bd36385 e8eeffffff call ffffc204`4bd36378 ffffc204`4bd3638a 4883c408 add rsp,8 ffffc204`4bd3638e e8eeffffff call ffffc204`4bd36381 ffffc204`4bd36393 4883c408 add rsp,8 ffffc204`4bd36397 e8eeffffff call ffffc204`4bd3638a ffffc204`4bd3639c 4883c408 add rsp,8 ffffc204`4bd363a0 e8eeffffff call ffffc204`4bd36393 ffffc204`4bd363a5 4883c408 add rsp,8 ffffc204`4bd363a9 e8eeffffff call ffffc204`4bd3639c ffffc204`4bd363ae 4883c408 add rsp,8 ffffc204`4bd363b2 e8eeffffff call ffffc204`4bd363a5 ffffc204`4bd363b7 4883c408 add rsp,8 ffffc204`4bd363bb e8eeffffff call ffffc204`4bd363ae ffffc204`4bd363c0 4883c408 add rsp,8 ffffc204`4bd363c4 e8eeffffff call ffffc204`4bd363b7 ffffc204`4bd363c9 4883c408 add rsp,8 ffffc204`4bd363cd e8eeffffff call ffffc204`4bd363c0 ffffc204`4bd363d2 4883c408 add rsp,8 ffffc204`4bd363d6 e8eeffffff call ffffc204`4bd363c9 ffffc204`4bd363db 4883c408 add rsp,8 
ffffc204`4bd363df e8eeffffff call ffffc204`4bd363d2 ffffc204`4bd363e4 4883c408 add rsp,8 ffffc204`4bd363e8 e8eeffffff call ffffc204`4bd363db ffffc204`4bd363ed 4883c408 add rsp,8 ffffc204`4bd363f1 0faee8 lfence ffffc204`4bd363f4 65c604255308000000 mov byte ptr gs:[853h],0 ffffc204`4bd363fd c645ab02 mov byte ptr [rbp-55h],2 ffffc204`4bd36401 65488b1c2588010000 mov rbx,qword ptr gs:[188h] ffffc204`4bd3640a 0f0d8b90000000 prefetchw [rbx+90h] ffffc204`4bd36411 0fae5dac stmxcsr dword ptr [rbp-54h] ffffc204`4bd36415 650fae142580010000 ldmxcsr dword ptr gs:[180h] ffffc204`4bd3641e 807b0300 cmp byte ptr [rbx+3],0 ffffc204`4bd36422 66c785800000000000 mov word ptr [rbp+80h],0 ffffc204`4bd3642b 0f84a8000000 je ffffc204`4bd364d9 Branch ffffc204`4bd36431 f6430303 test byte ptr [rbx+3],3 ffffc204`4bd36435 4c8945c8 mov qword ptr [rbp-38h],r8 ffffc204`4bd36439 4c894dd0 mov qword ptr [rbp-30h],r9 ffffc204`4bd3643d 7405 je ffffc204`4bd36444 Branch ffffc204`4bd3643f e834fdffff call ffffc204`4bd36178 ffffc204`4bd36444 f6430304 test byte ptr [rbx+3],4 ffffc204`4bd36448 742e je ffffc204`4bd36478 Branch ffffc204`4bd3644a 4c8955e0 mov qword ptr [rbp-20h],r10 ffffc204`4bd3644e 4c8955d8 mov qword ptr [rbp-28h],r10 ffffc204`4bd36452 0f2945f0 movaps xmmword ptr [rbp-10h],xmm0 ffffc204`4bd36456 0f294d00 movaps xmmword ptr [rbp],xmm1 ffffc204`4bd3645a 0f295510 movaps xmmword ptr [rbp+10h],xmm2 ffffc204`4bd3645e 0f295d20 movaps xmmword ptr [rbp+20h],xmm3 ffffc204`4bd36462 0f296530 movaps xmmword ptr [rbp+30h],xmm4 ffffc204`4bd36466 0f296d40 movaps xmmword ptr [rbp+40h],xmm5 ffffc204`4bd3646a fb sti ffffc204`4bd3646b 488bcc mov rcx,rsp ffffc204`4bd3646e ff25ac020000 jmp qword ptr [ffffc204`4bd36720] ffffc204`4bd36478 f6430380 test byte ptr [rbx+3],80h ffffc204`4bd3647c 7448 je ffffc204`4bd364c6 Branch ffffc204`4bd3647e b9020100c0 mov ecx,0C0000102h ffffc204`4bd36483 0f32 rdmsr ffffc204`4bd36485 48c1e220 shl rdx,20h ffffc204`4bd36489 480bc2 or rax,rdx ffffc204`4bd3648c 483b059d020000 cmp rax,qword 
ptr [ffffc204`4bd36730] ffffc204`4bd36493 480f430595020000 cmovae rax,qword ptr [ffffc204`4bd36730] ffffc204`4bd3649b 483983f0000000 cmp qword ptr [rbx+0F0h],rax ffffc204`4bd364a2 7422 je ffffc204`4bd364c6 Branch ffffc204`4bd364a4 488b93f0010000 mov rdx,qword ptr [rbx+1F0h] ffffc204`4bd364ab 0fba6b7408 bts dword ptr [rbx+74h],8 ffffc204`4bd364b0 66ff8be6010000 dec word ptr [rbx+1E6h] ffffc204`4bd364b7 48898280000000 mov qword ptr [rdx+80h],rax ffffc204`4bd364be fb sti ffffc204`4bd364bf e8c4fcffff call ffffc204`4bd36188 ffffc204`4bd364c4 eb0b jmp ffffc204`4bd364d1 Branch ffffc204`4bd364c6 f6430340 test byte ptr [rbx+3],40h ffffc204`4bd364ca 7405 je ffffc204`4bd364d1 Branch ffffc204`4bd364cc 0fba6b7410 bts dword ptr [rbx+74h],10h ffffc204`4bd364d1 4c8b45c8 mov r8,qword ptr [rbp-38h] ffffc204`4bd364d5 4c8b4dd0 mov r9,qword ptr [rbp-30h] ffffc204`4bd364d9 488b45b0 mov rax,qword ptr [rbp-50h] ffffc204`4bd364dd 488b4db8 mov rcx,qword ptr [rbp-48h] ffffc204`4bd364e1 488b55c0 mov rdx,qword ptr [rbp-40h] ffffc204`4bd364e5 fb sti ffffc204`4bd364e6 48898b88000000 mov qword ptr [rbx+88h],rcx ffffc204`4bd364ed 898380000000 mov dword ptr [rbx+80h],eax ffffc204`4bd364f3 66660f1f840000000000 nop word ptr [rax+rax] ffffc204`4bd364fd 4889a390000000 mov qword ptr [rbx+90h],rsp ffffc204`4bd36504 8bf8 mov edi,eax ffffc204`4bd36506 c1ef07 shr edi,7 ffffc204`4bd36509 83e720 and edi,20h ffffc204`4bd3650c 25ff0f0000 and eax,0FFFh ffffc204`4bd36511 49ba8088046a05f8ffff mov r10,offset nt!KeServiceDescriptorTable (fffff805`6a048880) ffffc204`4bd3651b 49bb800a036a05f8ffff mov r11,offset nt!KeServiceDescriptorTableShadow (fffff805`6a030a80) ffffc204`4bd36525 f7437880000000 test dword ptr [rbx+78h],80h ffffc204`4bd3652c 7416 je ffffc204`4bd36544 Branch ffffc204`4bd3652e f7437800002000 test dword ptr [rbx+78h],200000h ffffc204`4bd36535 740a je ffffc204`4bd36541 Branch ffffc204`4bd36537 49bbc00a036a05f8ffff mov r11,offset nt!KeServiceDescriptorTableFilter (fffff805`6a030ac0) ffffc204`4bd36541 
4d8bd3 mov r10,r11 ffffc204`4bd36544 413b443a10 cmp eax,dword ptr [r10+rdi+10h] ffffc204`4bd36549 0f8349fcffff jae ffffc204`4bd36198 Branch ffffc204`4bd3654f 4d8b143a mov r10,qword ptr [r10+rdi] ffffc204`4bd36553 4d631c82 movsxd r11,dword ptr [r10+rax*4] ffffc204`4bd36557 ff2500000000 jmp qword ptr [ffffc204`4bd3655d] Branch ffffc204`4bd3655d 247c and al,7Ch ffffc204`4bd3655f e76c out 6Ch,eax ffffc204`4bd36561 05f8ffff00 add eax,0FFFFF8h ffffc204`4bd36566 0000 add byte ptr [rax],al ffffc204`4bd36568 0000 add byte ptr [rax],al ffffc204`4bd3656a 0000 add byte ptr [rax],al ffffc204`4bd3656c 0000 add byte ptr [rax],al ffffc204`4bd3656e 0000 add byte ptr [rax],al ffffc204`4bd36570 0000 add byte ptr [rax],al ffffc204`4bd36572 0000 add byte ptr [rax],al ffffc204`4bd36574 0000 add byte ptr [rax],al ffffc204`4bd36576 0000 add byte ptr [rax],al ffffc204`4bd36578 0000 add byte ptr [rax],al ffffc204`4bd3657a 0000 add byte ptr [rax],al ffffc204`4bd3657c 0000 add byte ptr [rax],al ffffc204`4bd3657e 0000 add byte ptr [rax],al ffffc204`4bd36580 0000 add byte ptr [rax],al ffffc204`4bd36582 0000 add byte ptr [rax],al ffffc204`4bd36584 0000 add byte ptr [rax],al ffffc204`4bd36586 0000 add byte ptr [rax],al ffffc204`4bd36588 0000 add byte ptr [rax],al ffffc204`4bd3658a 0000 add byte ptr [rax],al ffffc204`4bd3658c 0000 add byte ptr [rax],al ffffc204`4bd3658e 0000 add byte ptr [rax],al ffffc204`4bd36590 0000 add byte ptr [rax],al ffffc204`4bd36592 0000 add byte ptr [rax],al ffffc204`4bd36594 0000 add byte ptr [rax],al ffffc204`4bd36596 0000 add byte ptr [rax],al ffffc204`4bd36598 0000 add byte ptr [rax],al ffffc204`4bd3659a 0000 add byte ptr [rax],al ffffc204`4bd3659c 0000 add byte ptr [rax],al ffffc204`4bd3659e 0000 add byte ptr [rax],al ffffc204`4bd365a0 0000 add byte ptr [rax],al ffffc204`4bd365a2 0000 add byte ptr [rax],al ffffc204`4bd365a4 0000 add byte ptr [rax],al ffffc204`4bd365a6 0000 add byte ptr [rax],al ffffc204`4bd365a8 0000 add byte ptr [rax],al ffffc204`4bd365aa 0000 add 
byte ptr [rax],al ffffc204`4bd365ac 0000 add byte ptr [rax],al ffffc204`4bd365ae 0000 add byte ptr [rax],al ffffc204`4bd365b0 0000 add byte ptr [rax],al ffffc204`4bd365b2 0000 add byte ptr [rax],al ffffc204`4bd365b4 0000 add byte ptr [rax],al ffffc204`4bd365b6 0000 add byte ptr [rax],al ffffc204`4bd365b8 0000 add byte ptr [rax],al ffffc204`4bd365ba 0000 add byte ptr [rax],al ffffc204`4bd365bc 0000 add byte ptr [rax],al ffffc204`4bd365be 0000 add byte ptr [rax],al ffffc204`4bd365c0 0000 add byte ptr [rax],al ffffc204`4bd365c2 0000 add byte ptr [rax],al ffffc204`4bd365c4 0000 add byte ptr [rax],al ffffc204`4bd365c6 0000 add byte ptr [rax],al ffffc204`4bd365c8 0000 add byte ptr [rax],al ffffc204`4bd365ca 0000 add byte ptr [rax],al ffffc204`4bd365cc 0000 add byte ptr [rax],al ffffc204`4bd365ce 0000 add byte ptr [rax],al ffffc204`4bd365d0 0000 add byte ptr [rax],al ffffc204`4bd365d2 0000 add byte ptr [rax],al ffffc204`4bd365d4 0000 add byte ptr [rax],al ffffc204`4bd365d6 0000 add byte ptr [rax],al ffffc204`4bd365d8 0000 add byte ptr [rax],al ffffc204`4bd365da 0000 add byte ptr [rax],al ffffc204`4bd365dc 0000 add byte ptr [rax],al ffffc204`4bd365de 0000 add byte ptr [rax],al ffffc204`4bd365e0 0000 add byte ptr [rax],al ffffc204`4bd365e2 0000 add byte ptr [rax],al ffffc204`4bd365e4 0000 add byte ptr [rax],al ffffc204`4bd365e6 0000 add byte ptr [rax],al ffffc204`4bd365e8 0000 add byte ptr [rax],al ffffc204`4bd365ea 0000 add byte ptr [rax],al ffffc204`4bd365ec 0000 add byte ptr [rax],al ffffc204`4bd365ee 0000 add byte ptr [rax],al ffffc204`4bd365f0 0000 add byte ptr [rax],al ffffc204`4bd365f2 0000 add byte ptr [rax],al ffffc204`4bd365f4 0000 add byte ptr [rax],al ffffc204`4bd365f6 0000 add byte ptr [rax],al ffffc204`4bd365f8 0000 add byte ptr [rax],al ffffc204`4bd365fa 0000 add byte ptr [rax],al ffffc204`4bd365fc 0000 add byte ptr [rax],al ffffc204`4bd365fe 0000 add byte ptr [rax],al ffffc204`4bd36600 0000 add byte ptr [rax],al ffffc204`4bd36602 0000 add byte ptr [rax],al 
ffffc204`4bd36604 0000 add byte ptr [rax],al ffffc204`4bd36606 0000 add byte ptr [rax],al ffffc204`4bd36608 0000 add byte ptr [rax],al ffffc204`4bd3660a 0000 add byte ptr [rax],al ffffc204`4bd3660c 0000 add byte ptr [rax],al ffffc204`4bd3660e 0000 add byte ptr [rax],al ffffc204`4bd36610 0000 add byte ptr [rax],al ffffc204`4bd36612 0000 add byte ptr [rax],al ffffc204`4bd36614 0000 add byte ptr [rax],al ffffc204`4bd36616 0000 add byte ptr [rax],al ffffc204`4bd36618 0000 add byte ptr [rax],al ffffc204`4bd3661a 0000 add byte ptr [rax],al ffffc204`4bd3661c 0000 add byte ptr [rax],al ffffc204`4bd3661e 0000 add byte ptr [rax],al ffffc204`4bd36620 0000 add byte ptr [rax],al ffffc204`4bd36622 0000 add byte ptr [rax],al ffffc204`4bd36624 0000 add byte ptr [rax],al ffffc204`4bd36626 0000 add byte ptr [rax],al ffffc204`4bd36628 0000 add byte ptr [rax],al ffffc204`4bd3662a 0000 add byte ptr [rax],al ffffc204`4bd3662c 0000 add byte ptr [rax],al ffffc204`4bd3662e 0000 add byte ptr [rax],al ffffc204`4bd36630 0000 add byte ptr [rax],al ffffc204`4bd36632 0000 add byte ptr [rax],al ffffc204`4bd36634 0000 add byte ptr [rax],al ffffc204`4bd36636 0000 add byte ptr [rax],al ffffc204`4bd36638 0000 add byte ptr [rax],al ffffc204`4bd3663a 0000 add byte ptr [rax],al ffffc204`4bd3663c 0000 add byte ptr [rax],al ffffc204`4bd3663e 0000 add byte ptr [rax],al ffffc204`4bd36640 0000 add byte ptr [rax],al ffffc204`4bd36642 0000 add byte ptr [rax],al ffffc204`4bd36644 0000 add byte ptr [rax],al ffffc204`4bd36646 0000 add byte ptr [rax],al ffffc204`4bd36648 0000 add byte ptr [rax],al ffffc204`4bd3664a 0000 add byte ptr [rax],al ffffc204`4bd3664c 0000 add byte ptr [rax],al ffffc204`4bd3664e 0000 add byte ptr [rax],al ffffc204`4bd36650 0000 add byte ptr [rax],al ffffc204`4bd36652 0000 add byte ptr [rax],al ffffc204`4bd36654 0000 add byte ptr [rax],al ffffc204`4bd36656 0000 add byte ptr [rax],al ffffc204`4bd36658 0000 add byte ptr [rax],al ffffc204`4bd3665a 0000 add byte ptr [rax],al ffffc204`4bd3665c 
0000 add byte ptr [rax],al ffffc204`4bd3665e 0000 add byte ptr [rax],al ffffc204`4bd36660 0000 add byte ptr [rax],al ffffc204`4bd36662 0000 add byte ptr [rax],al ffffc204`4bd36664 0000 add byte ptr [rax],al ffffc204`4bd36666 0000 add byte ptr [rax],al ffffc204`4bd36668 0000 add byte ptr [rax],al ffffc204`4bd3666a 0000 add byte ptr [rax],al ffffc204`4bd3666c 0000 add byte ptr [rax],al ffffc204`4bd3666e 0000 add byte ptr [rax],al ffffc204`4bd36670 0000 add byte ptr [rax],al ffffc204`4bd36672 0000 add byte ptr [rax],al ffffc204`4bd36674 0000 add byte ptr [rax],al ffffc204`4bd36676 0000 add byte ptr [rax],al ffffc204`4bd36678 0000 add byte ptr [rax],al ffffc204`4bd3667a 0000 add byte ptr [rax],al ffffc204`4bd3667c 0000 add byte ptr [rax],al ffffc204`4bd3667e 0000 add byte ptr [rax],al ffffc204`4bd36680 0000 add byte ptr [rax],al ffffc204`4bd36682 0000 add byte ptr [rax],al ffffc204`4bd36684 0000 add byte ptr [rax],al ffffc204`4bd36686 0000 add byte ptr [rax],al ffffc204`4bd36688 0000 add byte ptr [rax],al ffffc204`4bd3668a 0000 add byte ptr [rax],al ffffc204`4bd3668c 0000 add byte ptr [rax],al ffffc204`4bd3668e 0000 add byte ptr [rax],al ffffc204`4bd36690 0000 add byte ptr [rax],al ffffc204`4bd36692 0000 add byte ptr [rax],al ffffc204`4bd36694 0000 add byte ptr [rax],al ffffc204`4bd36696 0000 add byte ptr [rax],al ffffc204`4bd36698 0000 add byte ptr [rax],al ffffc204`4bd3669a 0000 add byte ptr [rax],al ffffc204`4bd3669c 0000 add byte ptr [rax],al ffffc204`4bd3669e 0000 add byte ptr [rax],al ffffc204`4bd366a0 0000 add byte ptr [rax],al ffffc204`4bd366a2 0000 add byte ptr [rax],al ffffc204`4bd366a4 0000 add byte ptr [rax],al ffffc204`4bd366a6 0000 add byte ptr [rax],al ffffc204`4bd366a8 0000 add byte ptr [rax],al ffffc204`4bd366aa 0000 add byte ptr [rax],al ffffc204`4bd366ac 0000 add byte ptr [rax],al ffffc204`4bd366ae 0000 add byte ptr [rax],al ffffc204`4bd366b0 0000 add byte ptr [rax],al ffffc204`4bd366b2 0000 add byte ptr [rax],al ffffc204`4bd366b4 0000 add byte ptr 
[rax],al ffffc204`4bd366b6 0000 add byte ptr [rax],al ffffc204`4bd366b8 0000 add byte ptr [rax],al ffffc204`4bd366ba 0000 add byte ptr [rax],al ffffc204`4bd366bc 0000 add byte ptr [rax],al ffffc204`4bd366be 0000 add byte ptr [rax],al ffffc204`4bd366c0 0000 add byte ptr [rax],al ffffc204`4bd366c2 0000 add byte ptr [rax],al ffffc204`4bd366c4 0000 add byte ptr [rax],al ffffc204`4bd366c6 0000 add byte ptr [rax],al ffffc204`4bd366c8 0000 add byte ptr [rax],al ffffc204`4bd366ca 0000 add byte ptr [rax],al ffffc204`4bd366cc 0000 add byte ptr [rax],al ffffc204`4bd366ce 0000 add byte ptr [rax],al ffffc204`4bd366d0 0000 add byte ptr [rax],al ffffc204`4bd366d2 0000 add byte ptr [rax],al ffffc204`4bd366d4 0000 add byte ptr [rax],al ffffc204`4bd366d6 0000 add byte ptr [rax],al ffffc204`4bd366d8 0000 add byte ptr [rax],al ffffc204`4bd366da 0000 add byte ptr [rax],al ffffc204`4bd366dc 0000 add byte ptr [rax],al ffffc204`4bd366de 0000 add byte ptr [rax],al ffffc204`4bd366e0 0000 add byte ptr [rax],al ffffc204`4bd366e2 0000 add byte ptr [rax],al ffffc204`4bd366e4 0000 add byte ptr [rax],al ffffc204`4bd366e6 0000 add byte ptr [rax],al ffffc204`4bd366e8 0000 add byte ptr [rax],al ffffc204`4bd366ea 0000 add byte ptr [rax],al ffffc204`4bd366ec 0000 add byte ptr [rax],al ffffc204`4bd366ee 0000 add byte ptr [rax],al ffffc204`4bd366f0 0000 add byte ptr [rax],al ffffc204`4bd366f2 0000 add byte ptr [rax],al ffffc204`4bd366f4 0000 add byte ptr [rax],al ffffc204`4bd366f6 0000 add byte ptr [rax],al ffffc204`4bd366f8 0000 add byte ptr [rax],al ffffc204`4bd366fa 0000 add byte ptr [rax],al ffffc204`4bd366fc 0000 add byte ptr [rax],al ffffc204`4bd366fe 0000 add byte ptr [rax],al ffffc204`4bd36700 0000 add byte ptr [rax],al ffffc204`4bd36702 0000 add byte ptr [rax],al ffffc204`4bd36704 0000 add byte ptr [rax],al ffffc204`4bd36706 0000 add byte ptr [rax],al ffffc204`4bd36708 0000 add byte ptr [rax],al ffffc204`4bd3670a 0000 add byte ptr [rax],al ffffc204`4bd3670c 0000 add byte ptr [rax],al 
ffffc204`4bd3670e 0000 add byte ptr [rax],al ffffc204`4bd36710 0000 add byte ptr [rax],al ffffc204`4bd36712 0000 add byte ptr [rax],al ffffc204`4bd36714 0000 add byte ptr [rax],al ffffc204`4bd36716 0000 add byte ptr [rax],al
CPU1
ffffc204`4bd38198 ff2500000000 jmp qword ptr [ffffc204`4bd3819e] Branch ffffc204`4bd3819e f5 cmc ffffc204`4bd3819f ffc8 dec eax ffffc204`4bd381a1 6905f8ffff0000000000 imul eax,dword ptr [ffffc204`4cd381a3],0 ffffc204`4bd381ab 0000 add byte ptr [rax],al ffffc204`4bd381ad 0000 add byte ptr [rax],al ffffc204`4bd381af 0000 add byte ptr [rax],al ffffc204`4bd381b1 0000 add byte ptr [rax],al ffffc204`4bd381b3 0000 add byte ptr [rax],al ffffc204`4bd381b5 0000 add byte ptr [rax],al ffffc204`4bd381b7 000f add byte ptr [rdi],cl ffffc204`4bd381b8 0f01f8 swapgs ffffc204`4bd381b9 01f8 add eax,edi ffffc204`4bd381bb 654889242510000000 mov qword ptr gs:[10h],rsp ffffc204`4bd381c4 65488b2425a8010000 mov rsp,qword ptr gs:[1A8h] ffffc204`4bd381cd 6a2b push 2Bh ffffc204`4bd381cf 65ff342510000000 push qword ptr gs:[10h] ffffc204`4bd381d7 4153 push r11 ffffc204`4bd381d9 6a33 push 33h ffffc204`4bd381db 51 push rcx ffffc204`4bd381dc 498bca mov rcx,r10 ffffc204`4bd381df 4883ec08 sub rsp,8 ffffc204`4bd381e3 55 push rbp ffffc204`4bd381e4 4881ec58010000 sub rsp,158h ffffc204`4bd381eb 488dac2480000000 lea rbp,[rsp+80h] ffffc204`4bd381f3 48899dc0000000 mov qword ptr [rbp+0C0h],rbx ffffc204`4bd381fa 4889bdc8000000 mov qword ptr [rbp+0C8h],rdi ffffc204`4bd38201 4889b5d0000000 mov qword ptr [rbp+0D0h],rsi ffffc204`4bd38208 50 push rax ffffc204`4bd38209 488b0528050000 mov rax,qword ptr [ffffc204`4bd38738] ffffc204`4bd38210 f600ff test byte ptr [rax],0FFh ffffc204`4bd38213 58 pop rax ffffc204`4bd38214 740c je ffffc204`4bd38222 Branch ffffc204`4bd38216 f685f000000001 test byte ptr [rbp+0F0h],1 ffffc204`4bd3821d 7403 je ffffc204`4bd38222 Branch ffffc204`4bd3821f 0f01cb stac ffffc204`4bd38222 488945b0 mov qword ptr [rbp-50h],rax ffffc204`4bd38226 48894db8 mov qword ptr [rbp-48h],rcx ffffc204`4bd3822a 488955c0 mov qword ptr [rbp-40h],rdx ffffc204`4bd3822e 65488b0c2588010000 mov rcx,qword ptr gs:[188h] ffffc204`4bd38237 488b8920020000 mov rcx,qword ptr [rcx+220h] ffffc204`4bd3823e 488b8960080000 mov 
rcx,qword ptr [rcx+860h] ffffc204`4bd38245 6548890c2570020000 mov qword ptr gs:[270h],rcx ffffc204`4bd3824e 658a0c2550080000 mov cl,byte ptr gs:[850h] ffffc204`4bd38256 65880c2551080000 mov byte ptr gs:[851h],cl ffffc204`4bd3825e 658a0c2578020000 mov cl,byte ptr gs:[278h] ffffc204`4bd38266 65880c2552080000 mov byte ptr gs:[852h],cl ffffc204`4bd3826e 650fb604257b020000 movzx eax,byte ptr gs:[27Bh] ffffc204`4bd38277 653804257a020000 cmp byte ptr gs:[27Ah],al ffffc204`4bd3827f 7411 je ffffc204`4bd38292 Branch ffffc204`4bd38281 658804257a020000 mov byte ptr gs:[27Ah],al ffffc204`4bd38289 b948000000 mov ecx,48h ffffc204`4bd3828e 33d2 xor edx,edx ffffc204`4bd38290 0f30 wrmsr ffffc204`4bd38292 650fb6142578020000 movzx edx,byte ptr gs:[278h] ffffc204`4bd3829b f7c208000000 test edx,8 ffffc204`4bd382a1 7413 je ffffc204`4bd382b6 Branch ffffc204`4bd382a3 b801000000 mov eax,1 ffffc204`4bd382a8 33d2 xor edx,edx ffffc204`4bd382aa b949000000 mov ecx,49h ffffc204`4bd382af 0f30 wrmsr ffffc204`4bd382b1 e93e010000 jmp ffffc204`4bd383f4 Branch ffffc204`4bd382b6 f7c202000000 test edx,2 ffffc204`4bd382bc 0f842f010000 je ffffc204`4bd383f1 Branch ffffc204`4bd382c2 65f604257902000004 test byte ptr gs:[279h],4 ffffc204`4bd382cb 0f8520010000 jne ffffc204`4bd383f1 Branch ffffc204`4bd382d1 e80e010000 call ffffc204`4bd383e4 ffffc204`4bd382d6 4883c408 add rsp,8 ffffc204`4bd382da e80e010000 call ffffc204`4bd383ed ffffc204`4bd382df 4883c408 add rsp,8 ffffc204`4bd382e3 e8eeffffff call ffffc204`4bd382d6 ffffc204`4bd382e8 4883c408 add rsp,8 ffffc204`4bd382ec e8eeffffff call ffffc204`4bd382df ffffc204`4bd382f1 4883c408 add rsp,8 ffffc204`4bd382f5 e8eeffffff call ffffc204`4bd382e8 ffffc204`4bd382fa 4883c408 add rsp,8 ffffc204`4bd382fe e8eeffffff call ffffc204`4bd382f1 ffffc204`4bd38303 4883c408 add rsp,8 ffffc204`4bd38307 e8eeffffff call ffffc204`4bd382fa ffffc204`4bd3830c 4883c408 add rsp,8 ffffc204`4bd38310 e8eeffffff call ffffc204`4bd38303 ffffc204`4bd38315 4883c408 add rsp,8 ffffc204`4bd38319 
e8eeffffff call ffffc204`4bd3830c ffffc204`4bd3831e 4883c408 add rsp,8 ffffc204`4bd38322 e8eeffffff call ffffc204`4bd38315 ffffc204`4bd38327 4883c408 add rsp,8 ffffc204`4bd3832b e8eeffffff call ffffc204`4bd3831e ffffc204`4bd38330 4883c408 add rsp,8 ffffc204`4bd38334 e8eeffffff call ffffc204`4bd38327 ffffc204`4bd38339 4883c408 add rsp,8 ffffc204`4bd3833d e8eeffffff call ffffc204`4bd38330 ffffc204`4bd38342 4883c408 add rsp,8 ffffc204`4bd38346 e8eeffffff call ffffc204`4bd38339 ffffc204`4bd3834b 4883c408 add rsp,8 ffffc204`4bd3834f e8eeffffff call ffffc204`4bd38342 ffffc204`4bd38354 4883c408 add rsp,8 ffffc204`4bd38358 e8eeffffff call ffffc204`4bd3834b ffffc204`4bd3835d 4883c408 add rsp,8 ffffc204`4bd38361 e8eeffffff call ffffc204`4bd38354 ffffc204`4bd38366 4883c408 add rsp,8 ffffc204`4bd3836a e8eeffffff call ffffc204`4bd3835d ffffc204`4bd3836f 4883c408 add rsp,8 ffffc204`4bd38373 e8eeffffff call ffffc204`4bd38366 ffffc204`4bd38378 4883c408 add rsp,8 ffffc204`4bd3837c e8eeffffff call ffffc204`4bd3836f ffffc204`4bd38381 4883c408 add rsp,8 ffffc204`4bd38385 e8eeffffff call ffffc204`4bd38378 ffffc204`4bd3838a 4883c408 add rsp,8 ffffc204`4bd3838e e8eeffffff call ffffc204`4bd38381 ffffc204`4bd38393 4883c408 add rsp,8 ffffc204`4bd38397 e8eeffffff call ffffc204`4bd3838a ffffc204`4bd3839c 4883c408 add rsp,8 ffffc204`4bd383a0 e8eeffffff call ffffc204`4bd38393 ffffc204`4bd383a5 4883c408 add rsp,8 ffffc204`4bd383a9 e8eeffffff call ffffc204`4bd3839c ffffc204`4bd383ae 4883c408 add rsp,8 ffffc204`4bd383b2 e8eeffffff call ffffc204`4bd383a5 ffffc204`4bd383b7 4883c408 add rsp,8 ffffc204`4bd383bb e8eeffffff call ffffc204`4bd383ae ffffc204`4bd383c0 4883c408 add rsp,8 ffffc204`4bd383c4 e8eeffffff call ffffc204`4bd383b7 ffffc204`4bd383c9 4883c408 add rsp,8 ffffc204`4bd383cd e8eeffffff call ffffc204`4bd383c0 ffffc204`4bd383d2 4883c408 add rsp,8 ffffc204`4bd383d6 e8eeffffff call ffffc204`4bd383c9 ffffc204`4bd383db 4883c408 add rsp,8 ffffc204`4bd383df e8eeffffff call ffffc204`4bd383d2 
ffffc204`4bd383e4 4883c408 add rsp,8 ffffc204`4bd383e8 e8eeffffff call ffffc204`4bd383db ffffc204`4bd383ed 4883c408 add rsp,8 ffffc204`4bd383f1 0faee8 lfence ffffc204`4bd383f4 65c604255308000000 mov byte ptr gs:[853h],0 ffffc204`4bd383fd c645ab02 mov byte ptr [rbp-55h],2 ffffc204`4bd38401 65488b1c2588010000 mov rbx,qword ptr gs:[188h] ffffc204`4bd3840a 0f0d8b90000000 prefetchw [rbx+90h] ffffc204`4bd38411 0fae5dac stmxcsr dword ptr [rbp-54h] ffffc204`4bd38415 650fae142580010000 ldmxcsr dword ptr gs:[180h] ffffc204`4bd3841e 807b0300 cmp byte ptr [rbx+3],0 ffffc204`4bd38422 66c785800000000000 mov word ptr [rbp+80h],0 ffffc204`4bd3842b 0f84a8000000 je ffffc204`4bd384d9 Branch ffffc204`4bd38431 f6430303 test byte ptr [rbx+3],3 ffffc204`4bd38435 4c8945c8 mov qword ptr [rbp-38h],r8 ffffc204`4bd38439 4c894dd0 mov qword ptr [rbp-30h],r9 ffffc204`4bd3843d 7405 je ffffc204`4bd38444 Branch ffffc204`4bd3843f e834fdffff call ffffc204`4bd38178 ffffc204`4bd38444 f6430304 test byte ptr [rbx+3],4 ffffc204`4bd38448 742e je ffffc204`4bd38478 Branch ffffc204`4bd3844a 4c8955e0 mov qword ptr [rbp-20h],r10 ffffc204`4bd3844e 4c8955d8 mov qword ptr [rbp-28h],r10 ffffc204`4bd38452 0f2945f0 movaps xmmword ptr [rbp-10h],xmm0 ffffc204`4bd38456 0f294d00 movaps xmmword ptr [rbp],xmm1 ffffc204`4bd3845a 0f295510 movaps xmmword ptr [rbp+10h],xmm2 ffffc204`4bd3845e 0f295d20 movaps xmmword ptr [rbp+20h],xmm3 ffffc204`4bd38462 0f296530 movaps xmmword ptr [rbp+30h],xmm4 ffffc204`4bd38466 0f296d40 movaps xmmword ptr [rbp+40h],xmm5 ffffc204`4bd3846a fb sti ffffc204`4bd3846b 488bcc mov rcx,rsp ffffc204`4bd3846e ff25ac020000 jmp qword ptr [ffffc204`4bd38720] ffffc204`4bd38478 f6430380 test byte ptr [rbx+3],80h ffffc204`4bd3847c 7448 je ffffc204`4bd384c6 Branch ffffc204`4bd3847e b9020100c0 mov ecx,0C0000102h ffffc204`4bd38483 0f32 rdmsr ffffc204`4bd38485 48c1e220 shl rdx,20h ffffc204`4bd38489 480bc2 or rax,rdx ffffc204`4bd3848c 483b059d020000 cmp rax,qword ptr [ffffc204`4bd38730] ffffc204`4bd38493 
480f430595020000 cmovae rax,qword ptr [ffffc204`4bd38730] ffffc204`4bd3849b 483983f0000000 cmp qword ptr [rbx+0F0h],rax ffffc204`4bd384a2 7422 je ffffc204`4bd384c6 Branch ffffc204`4bd384a4 488b93f0010000 mov rdx,qword ptr [rbx+1F0h] ffffc204`4bd384ab 0fba6b7408 bts dword ptr [rbx+74h],8 ffffc204`4bd384b0 66ff8be6010000 dec word ptr [rbx+1E6h] ffffc204`4bd384b7 48898280000000 mov qword ptr [rdx+80h],rax ffffc204`4bd384be fb sti ffffc204`4bd384bf e8c4fcffff call ffffc204`4bd38188 ffffc204`4bd384c4 eb0b jmp ffffc204`4bd384d1 Branch ffffc204`4bd384c6 f6430340 test byte ptr [rbx+3],40h ffffc204`4bd384ca 7405 je ffffc204`4bd384d1 Branch ffffc204`4bd384cc 0fba6b7410 bts dword ptr [rbx+74h],10h ffffc204`4bd384d1 4c8b45c8 mov r8,qword ptr [rbp-38h] ffffc204`4bd384d5 4c8b4dd0 mov r9,qword ptr [rbp-30h] ffffc204`4bd384d9 488b45b0 mov rax,qword ptr [rbp-50h] ffffc204`4bd384dd 488b4db8 mov rcx,qword ptr [rbp-48h] ffffc204`4bd384e1 488b55c0 mov rdx,qword ptr [rbp-40h] ffffc204`4bd384e5 fb sti ffffc204`4bd384e6 48898b88000000 mov qword ptr [rbx+88h],rcx ffffc204`4bd384ed 898380000000 mov dword ptr [rbx+80h],eax ffffc204`4bd384f3 66660f1f840000000000 nop word ptr [rax+rax] ffffc204`4bd384fd 4889a390000000 mov qword ptr [rbx+90h],rsp ffffc204`4bd38504 8bf8 mov edi,eax ffffc204`4bd38506 c1ef07 shr edi,7 ffffc204`4bd38509 83e720 and edi,20h ffffc204`4bd3850c 25ff0f0000 and eax,0FFFh ffffc204`4bd38511 49ba8088046a05f8ffff mov r10,offset nt!KeServiceDescriptorTable (fffff805`6a048880) ffffc204`4bd3851b 49bb800a036a05f8ffff mov r11,offset nt!KeServiceDescriptorTableShadow (fffff805`6a030a80) ffffc204`4bd38525 f7437880000000 test dword ptr [rbx+78h],80h ffffc204`4bd3852c 7416 je ffffc204`4bd38544 Branch ffffc204`4bd3852e f7437800002000 test dword ptr [rbx+78h],200000h ffffc204`4bd38535 740a je ffffc204`4bd38541 Branch ffffc204`4bd38537 49bbc00a036a05f8ffff mov r11,offset nt!KeServiceDescriptorTableFilter (fffff805`6a030ac0) ffffc204`4bd38541 4d8bd3 mov r10,r11 ffffc204`4bd38544 
413b443a10 cmp eax,dword ptr [r10+rdi+10h] ffffc204`4bd38549 0f8349fcffff jae ffffc204`4bd38198 Branch ffffc204`4bd3854f 4d8b143a mov r10,qword ptr [r10+rdi] ffffc204`4bd38553 4d631c82 movsxd r11,dword ptr [r10+rax*4] ffffc204`4bd38557 ff2500000000 jmp qword ptr [ffffc204`4bd3855d] Branch ffffc204`4bd3855d 247c and al,7Ch ffffc204`4bd3855f e76c out 6Ch,eax ffffc204`4bd38561 05f8ffff00 add eax,0FFFFF8h ffffc204`4bd38566 0000 add byte ptr [rax],al ffffc204`4bd38568 0000 add byte ptr [rax],al ffffc204`4bd3856a 0000 add byte ptr [rax],al ffffc204`4bd3856c 0000 add byte ptr [rax],al ffffc204`4bd3856e 0000 add byte ptr [rax],al ffffc204`4bd38570 0000 add byte ptr [rax],al ffffc204`4bd38572 0000 add byte ptr [rax],al ffffc204`4bd38574 0000 add byte ptr [rax],al ffffc204`4bd38576 0000 add byte ptr [rax],al ffffc204`4bd38578 0000 add byte ptr [rax],al ffffc204`4bd3857a 0000 add byte ptr [rax],al ffffc204`4bd3857c 0000 add byte ptr [rax],al ffffc204`4bd3857e 0000 add byte ptr [rax],al ffffc204`4bd38580 0000 add byte ptr [rax],al ffffc204`4bd38582 0000 add byte ptr [rax],al ffffc204`4bd38584 0000 add byte ptr [rax],al ffffc204`4bd38586 0000 add byte ptr [rax],al ffffc204`4bd38588 0000 add byte ptr [rax],al ffffc204`4bd3858a 0000 add byte ptr [rax],al ffffc204`4bd3858c 0000 add byte ptr [rax],al ffffc204`4bd3858e 0000 add byte ptr [rax],al ffffc204`4bd38590 0000 add byte ptr [rax],al ffffc204`4bd38592 0000 add byte ptr [rax],al ffffc204`4bd38594 0000 add byte ptr [rax],al ffffc204`4bd38596 0000 add byte ptr [rax],al ffffc204`4bd38598 0000 add byte ptr [rax],al ffffc204`4bd3859a 0000 add byte ptr [rax],al ffffc204`4bd3859c 0000 add byte ptr [rax],al ffffc204`4bd3859e 0000 add byte ptr [rax],al ffffc204`4bd385a0 0000 add byte ptr [rax],al ffffc204`4bd385a2 0000 add byte ptr [rax],al ffffc204`4bd385a4 0000 add byte ptr [rax],al ffffc204`4bd385a6 0000 add byte ptr [rax],al ffffc204`4bd385a8 0000 add byte ptr [rax],al ffffc204`4bd385aa 0000 add byte ptr [rax],al ffffc204`4bd385ac 
0000 add byte ptr [rax],al
KiSystemCall64
0: kd> UF KiSystemCall64 Flow analysis was incomplete, some code may be missing nt!KiSystemCall64: fffff805`69c8f740 0f01f8 swapgs fffff805`69c8f743 654889242510000000 mov qword ptr gs:[10h],rsp fffff805`69c8f74c 65488b2425a8010000 mov rsp,qword ptr gs:[1A8h] fffff805`69c8f755 6a2b push 2Bh fffff805`69c8f757 65ff342510000000 push qword ptr gs:[10h] fffff805`69c8f75f 4153 push r11 fffff805`69c8f761 6a33 push 33h fffff805`69c8f763 51 push rcx fffff805`69c8f764 498bca mov rcx,r10 fffff805`69c8f767 4883ec08 sub rsp,8 fffff805`69c8f76b 55 push rbp fffff805`69c8f76c 4881ec58010000 sub rsp,158h fffff805`69c8f773 488dac2480000000 lea rbp,[rsp+80h] fffff805`69c8f77b 48899dc0000000 mov qword ptr [rbp+0C0h],rbx fffff805`69c8f782 4889bdc8000000 mov qword ptr [rbp+0C8h],rdi fffff805`69c8f789 4889b5d0000000 mov qword ptr [rbp+0D0h],rsi fffff805`69c8f790 f605290d3a00ff test byte ptr [nt!KeSmapEnabled (fffff805`6a0304c0)],0FFh fffff805`69c8f797 740c je nt!KiSystemCall64+0x65 (fffff805`69c8f7a5) Branch nt!KiSystemCall64+0x59: fffff805`69c8f799 f685f000000001 test byte ptr [rbp+0F0h],1 fffff805`69c8f7a0 7403 je nt!KiSystemCall64+0x65 (fffff805`69c8f7a5) Branch nt!KiSystemCall64+0x62: fffff805`69c8f7a2 0f01cb stac nt!KiSystemCall64+0x65: fffff805`69c8f7a5 488945b0 mov qword ptr [rbp-50h],rax fffff805`69c8f7a9 48894db8 mov qword ptr [rbp-48h],rcx fffff805`69c8f7ad 488955c0 mov qword ptr [rbp-40h],rdx fffff805`69c8f7b1 65488b0c2588010000 mov rcx,qword ptr gs:[188h] fffff805`69c8f7ba 488b8920020000 mov rcx,qword ptr [rcx+220h] fffff805`69c8f7c1 488b8960080000 mov rcx,qword ptr [rcx+860h] fffff805`69c8f7c8 6548890c2570020000 mov qword ptr gs:[270h],rcx fffff805`69c8f7d1 658a0c2550080000 mov cl,byte ptr gs:[850h] fffff805`69c8f7d9 65880c2551080000 mov byte ptr gs:[851h],cl fffff805`69c8f7e1 658a0c2578020000 mov cl,byte ptr gs:[278h] fffff805`69c8f7e9 65880c2552080000 mov byte ptr gs:[852h],cl fffff805`69c8f7f1 650fb604257b020000 movzx eax,byte ptr gs:[27Bh] fffff805`69c8f7fa 
653804257a020000 cmp byte ptr gs:[27Ah],al fffff805`69c8f802 7411 je nt!KiSystemCall64+0xd5 (fffff805`69c8f815) Branch nt!KiSystemCall64+0xc4: fffff805`69c8f804 658804257a020000 mov byte ptr gs:[27Ah],al fffff805`69c8f80c b948000000 mov ecx,48h fffff805`69c8f811 33d2 xor edx,edx fffff805`69c8f813 0f30 wrmsr nt!KiSystemCall64+0xd5: fffff805`69c8f815 650fb6142578020000 movzx edx,byte ptr gs:[278h] fffff805`69c8f81e f7c208000000 test edx,8 fffff805`69c8f824 7413 je nt!KiSystemCall64+0xf9 (fffff805`69c8f839) Branch nt!KiSystemCall64+0xe6: fffff805`69c8f826 b801000000 mov eax,1 fffff805`69c8f82b 33d2 xor edx,edx fffff805`69c8f82d b949000000 mov ecx,49h fffff805`69c8f832 0f30 wrmsr fffff805`69c8f834 e93e010000 jmp nt!KiSystemCall64+0x237 (fffff805`69c8f977) Branch nt!KiSystemCall64+0xf9: fffff805`69c8f839 f7c202000000 test edx,2 fffff805`69c8f83f 0f842f010000 je nt!KiSystemCall64+0x234 (fffff805`69c8f974) Branch nt!KiSystemCall64+0x105: fffff805`69c8f845 65f604257902000004 test byte ptr gs:[279h],4 fffff805`69c8f84e 0f8520010000 jne nt!KiSystemCall64+0x234 (fffff805`69c8f974) Branch nt!KiSystemCall64+0x114: fffff805`69c8f854 e80e010000 call nt!KiSystemCall64+0x227 (fffff805`69c8f967) fffff805`69c8f859 4883c408 add rsp,8 fffff805`69c8f85d e80e010000 call nt!KiSystemCall64+0x230 (fffff805`69c8f970) fffff805`69c8f862 4883c408 add rsp,8 fffff805`69c8f866 e8eeffffff call nt!KiSystemCall64+0x119 (fffff805`69c8f859) fffff805`69c8f86b 4883c408 add rsp,8 fffff805`69c8f86f e8eeffffff call nt!KiSystemCall64+0x122 (fffff805`69c8f862) fffff805`69c8f874 4883c408 add rsp,8 fffff805`69c8f878 e8eeffffff call nt!KiSystemCall64+0x12b (fffff805`69c8f86b) fffff805`69c8f87d 4883c408 add rsp,8 fffff805`69c8f881 e8eeffffff call nt!KiSystemCall64+0x134 (fffff805`69c8f874) fffff805`69c8f886 4883c408 add rsp,8 fffff805`69c8f88a e8eeffffff call nt!KiSystemCall64+0x13d (fffff805`69c8f87d) fffff805`69c8f88f 4883c408 add rsp,8 fffff805`69c8f893 e8eeffffff call nt!KiSystemCall64+0x146 
(fffff805`69c8f886) fffff805`69c8f898 4883c408 add rsp,8 fffff805`69c8f89c e8eeffffff call nt!KiSystemCall64+0x14f (fffff805`69c8f88f) fffff805`69c8f8a1 4883c408 add rsp,8 fffff805`69c8f8a5 e8eeffffff call nt!KiSystemCall64+0x158 (fffff805`69c8f898) fffff805`69c8f8aa 4883c408 add rsp,8 fffff805`69c8f8ae e8eeffffff call nt!KiSystemCall64+0x161 (fffff805`69c8f8a1) fffff805`69c8f8b3 4883c408 add rsp,8 fffff805`69c8f8b7 e8eeffffff call nt!KiSystemCall64+0x16a (fffff805`69c8f8aa) fffff805`69c8f8bc 4883c408 add rsp,8 fffff805`69c8f8c0 e8eeffffff call nt!KiSystemCall64+0x173 (fffff805`69c8f8b3) fffff805`69c8f8c5 4883c408 add rsp,8 fffff805`69c8f8c9 e8eeffffff call nt!KiSystemCall64+0x17c (fffff805`69c8f8bc) fffff805`69c8f8ce 4883c408 add rsp,8 fffff805`69c8f8d2 e8eeffffff call nt!KiSystemCall64+0x185 (fffff805`69c8f8c5) fffff805`69c8f8d7 4883c408 add rsp,8 fffff805`69c8f8db e8eeffffff call nt!KiSystemCall64+0x18e (fffff805`69c8f8ce) fffff805`69c8f8e0 4883c408 add rsp,8 fffff805`69c8f8e4 e8eeffffff call nt!KiSystemCall64+0x197 (fffff805`69c8f8d7) fffff805`69c8f8e9 4883c408 add rsp,8 fffff805`69c8f8ed e8eeffffff call nt!KiSystemCall64+0x1a0 (fffff805`69c8f8e0) fffff805`69c8f8f2 4883c408 add rsp,8 fffff805`69c8f8f6 e8eeffffff call nt!KiSystemCall64+0x1a9 (fffff805`69c8f8e9) fffff805`69c8f8fb 4883c408 add rsp,8 fffff805`69c8f8ff e8eeffffff call nt!KiSystemCall64+0x1b2 (fffff805`69c8f8f2) fffff805`69c8f904 4883c408 add rsp,8 fffff805`69c8f908 e8eeffffff call nt!KiSystemCall64+0x1bb (fffff805`69c8f8fb) fffff805`69c8f90d 4883c408 add rsp,8 fffff805`69c8f911 e8eeffffff call nt!KiSystemCall64+0x1c4 (fffff805`69c8f904) fffff805`69c8f916 4883c408 add rsp,8 fffff805`69c8f91a e8eeffffff call nt!KiSystemCall64+0x1cd (fffff805`69c8f90d) fffff805`69c8f91f 4883c408 add rsp,8 fffff805`69c8f923 e8eeffffff call nt!KiSystemCall64+0x1d6 (fffff805`69c8f916) fffff805`69c8f928 4883c408 add rsp,8 fffff805`69c8f92c e8eeffffff call nt!KiSystemCall64+0x1df (fffff805`69c8f91f) fffff805`69c8f931 
4883c408 add rsp,8 fffff805`69c8f935 e8eeffffff call nt!KiSystemCall64+0x1e8 (fffff805`69c8f928) fffff805`69c8f93a 4883c408 add rsp,8 fffff805`69c8f93e e8eeffffff call nt!KiSystemCall64+0x1f1 (fffff805`69c8f931) fffff805`69c8f943 4883c408 add rsp,8 fffff805`69c8f947 e8eeffffff call nt!KiSystemCall64+0x1fa (fffff805`69c8f93a) fffff805`69c8f94c 4883c408 add rsp,8 fffff805`69c8f950 e8eeffffff call nt!KiSystemCall64+0x203 (fffff805`69c8f943) fffff805`69c8f955 4883c408 add rsp,8 fffff805`69c8f959 e8eeffffff call nt!KiSystemCall64+0x20c (fffff805`69c8f94c) fffff805`69c8f95e 4883c408 add rsp,8 fffff805`69c8f962 e8eeffffff call nt!KiSystemCall64+0x215 (fffff805`69c8f955) fffff805`69c8f967 4883c408 add rsp,8 fffff805`69c8f96b e8eeffffff call nt!KiSystemCall64+0x21e (fffff805`69c8f95e) fffff805`69c8f970 4883c408 add rsp,8 nt!KiSystemCall64+0x234: fffff805`69c8f974 0faee8 lfence nt!KiSystemCall64+0x237: fffff805`69c8f977 65c604255308000000 mov byte ptr gs:[853h],0 fffff805`69c8f980 c645ab02 mov byte ptr [rbp-55h],2 fffff805`69c8f984 65488b1c2588010000 mov rbx,qword ptr gs:[188h] fffff805`69c8f98d 0f0d8b90000000 prefetchw [rbx+90h] fffff805`69c8f994 0fae5dac stmxcsr dword ptr [rbp-54h] fffff805`69c8f998 650fae142580010000 ldmxcsr dword ptr gs:[180h] fffff805`69c8f9a1 807b0300 cmp byte ptr [rbx+3],0 fffff805`69c8f9a5 66c785800000000000 mov word ptr [rbp+80h],0 fffff805`69c8f9ae 0f84a8000000 je nt!KiSystemServiceUser+0xdc (fffff805`69c8fa5c) Branch nt!KiSystemServiceUser+0x34: fffff805`69c8f9b4 f6430303 test byte ptr [rbx+3],3 fffff805`69c8f9b8 4c8945c8 mov qword ptr [rbp-38h],r8 fffff805`69c8f9bc 4c894dd0 mov qword ptr [rbp-30h],r9 fffff805`69c8f9c0 7405 je nt!KiSystemServiceUser+0x47 (fffff805`69c8f9c7) Branch nt!KiSystemServiceUser+0x42: fffff805`69c8f9c2 e819effeff call nt!KiSaveDebugRegisterState (fffff805`69c7e8e0) nt!KiSystemServiceUser+0x47: fffff805`69c8f9c7 f6430304 test byte ptr [rbx+3],4 fffff805`69c8f9cb 742e je nt!KiSystemServiceUser+0x7b (fffff805`69c8f9fb) Branch 
nt!KiSystemServiceUser+0x4d: fffff805`69c8f9cd 4c8955e0 mov qword ptr [rbp-20h],r10 fffff805`69c8f9d1 4c8955d8 mov qword ptr [rbp-28h],r10 fffff805`69c8f9d5 0f2945f0 movaps xmmword ptr [rbp-10h],xmm0 fffff805`69c8f9d9 0f294d00 movaps xmmword ptr [rbp],xmm1 fffff805`69c8f9dd 0f295510 movaps xmmword ptr [rbp+10h],xmm2 fffff805`69c8f9e1 0f295d20 movaps xmmword ptr [rbp+20h],xmm3 fffff805`69c8f9e5 0f296530 movaps xmmword ptr [rbp+30h],xmm4 fffff805`69c8f9e9 0f296d40 movaps xmmword ptr [rbp+40h],xmm5 fffff805`69c8f9ed fb sti fffff805`69c8f9ee 488bcc mov rcx,rsp fffff805`69c8f9f1 e81a886f00 call nt!PsPicoSystemCallDispatch (fffff805`6a388210) fffff805`69c8f9f6 e99a040000 jmp nt!KiSystemServiceExitPico (fffff805`69c8fe95) Branch nt!KiSystemServiceUser+0x7b: fffff805`69c8f9fb f6430380 test byte ptr [rbx+3],80h fffff805`69c8f9ff 7448 je nt!KiSystemServiceUser+0xc9 (fffff805`69c8fa49) Branch nt!KiSystemServiceUser+0x81: fffff805`69c8fa01 b9020100c0 mov ecx,0C0000102h fffff805`69c8fa06 0f32 rdmsr fffff805`69c8fa08 48c1e220 shl rdx,20h fffff805`69c8fa0c 480bc2 or rax,rdx fffff805`69c8fa0f 483b0572ec1a00 cmp rax,qword ptr [nt!MmUserProbeAddress (fffff805`69e3e688)] fffff805`69c8fa16 480f43056aec1a00 cmovae rax,qword ptr [nt!MmUserProbeAddress (fffff805`69e3e688)] fffff805`69c8fa1e 483983f0000000 cmp qword ptr [rbx+0F0h],rax fffff805`69c8fa25 7422 je nt!KiSystemServiceUser+0xc9 (fffff805`69c8fa49) Branch nt!KiSystemServiceUser+0xa7: fffff805`69c8fa27 488b93f0010000 mov rdx,qword ptr [rbx+1F0h] fffff805`69c8fa2e 0fba6b7408 bts dword ptr [rbx+74h],8 fffff805`69c8fa33 66ff8be6010000 dec word ptr [rbx+1E6h] fffff805`69c8fa3a 48898280000000 mov qword ptr [rdx+80h],rax fffff805`69c8fa41 fb sti fffff805`69c8fa42 e8f9120000 call nt!KiUmsCallEntry (fffff805`69c90d40) fffff805`69c8fa47 eb0b jmp nt!KiSystemServiceUser+0xd4 (fffff805`69c8fa54) Branch nt!KiSystemServiceUser+0xc9: fffff805`69c8fa49 f6430340 test byte ptr [rbx+3],40h fffff805`69c8fa4d 7405 je nt!KiSystemServiceUser+0xd4 
(fffff805`69c8fa54) Branch nt!KiSystemServiceUser+0xcf: fffff805`69c8fa4f 0fba6b7410 bts dword ptr [rbx+74h],10h nt!KiSystemServiceUser+0xd4: fffff805`69c8fa54 4c8b45c8 mov r8,qword ptr [rbp-38h] fffff805`69c8fa58 4c8b4dd0 mov r9,qword ptr [rbp-30h] nt!KiSystemServiceUser+0xdc: fffff805`69c8fa5c 488b45b0 mov rax,qword ptr [rbp-50h] fffff805`69c8fa60 488b4db8 mov rcx,qword ptr [rbp-48h] fffff805`69c8fa64 488b55c0 mov rdx,qword ptr [rbp-40h] fffff805`69c8fa68 fb sti fffff805`69c8fa69 48898b88000000 mov qword ptr [rbx+88h],rcx fffff805`69c8fa70 898380000000 mov dword ptr [rbx+80h],eax fffff805`69c8fa76 66660f1f840000000000 nop word ptr [rax+rax] fffff805`69c8fa80 4889a390000000 mov qword ptr [rbx+90h],rsp fffff805`69c8fa87 8bf8 mov edi,eax fffff805`69c8fa89 c1ef07 shr edi,7 fffff805`69c8fa8c 83e720 and edi,20h fffff805`69c8fa8f 25ff0f0000 and eax,0FFFh

如何让360晶核失效

一般情况下,可以在头部做FF25远跳到KiSystemCall64即可

后续

安装全局钩子并没有被拦截
测试系统环境:Windows 10 18362 (19H1)
360安全卫士:13.0.0.2001
最后附上 huoji120 (Huoji's) (github.com) 对微软 KiSystemCall64 过程的模拟实现(适用于 Win7–Win10 2004 x64):
; ---------------------------------------------------------------------------
; Emulated KiSystemCall64 prologue (MASM, x64, Windows kernel driver).
; Installed as the SYSCALL entry point in place of nt!KiSystemCall64; the
; register contract at entry is the SYSCALL one, as the author's own comments
; below state: rax = service number, rcx = user return address,
; r11 = user RFLAGS, r10 = first argument, rsp = user stack pointer.
; Compare each step with the `uf KiSystemCall64` listing above — the frame
; layout is copied from it, but several KTHREAD offsets differ (see notes).
;
; Tables, all MAX_SYSCALL_INDEX entries, indexed by service number:
;   g_hook_enable[i]  non-zero -> service i is redirected
;   g_hook_table[i]   replacement routine for service i
;   g_arg_tble[i]     value handed to KiServiceCopyEnd in rax
;                     (set_hook_function below stores (SSDT entry & 0Fh) << 3)
; g_CountNumCheckPtr, g_KeServiceDescriptorTable and
; g_KiSystemServiceRepeatPtr are declared but not referenced in this listing.
; ---------------------------------------------------------------------------
extern g_orig_system_call:dq
extern g_hook_enable:DB
extern g_arg_tble:DB
extern g_hook_table:DQ
extern g_KiServiceCopyEndPtr:DQ
extern g_CountNumCheckPtr:DQ
extern g_KeServiceDescriptorTable:DQ
extern g_KiSystemServiceRepeatPtr:DQ
extern g_KiSaveDebugRegisterState:DQ
extern g_KiUmsCallEntry:DQ
extern g_is_win7:DQ

MAX_SYSCALL_INDEX = 1000h               ; size of the three hook tables
USERMD_STACK_GS   = 10h                 ; gs slot the kernel itself uses for the user rsp
KERNEL_STACK_GS   = 1A8h                ; gs slot holding the kernel stack pointer

.code

; Entry: decide, on the user stack and before any frame exists, whether this
; service number is redirected. Falls through into KiSystemCall64 when it is not.
fake_kisystemcall64 proc
    swapgs                              ; kernel GS base
    ;int 3
    mov     gs:[USERMD_STACK_GS], rsp   ; stash user rsp; KiSystemCall64_Emulate re-reads it via gs:[10h]
    cmp     rax, MAX_SYSCALL_INDEX
    jge     KiSystemCall64              ; >= 1000h (incl. the win32k range): never emulated
    ; NOTE(review): jge is a signed compare and rax arrives unmasked from user
    ; mode; a value with bit 63 set compares as negative, passes this check and
    ; makes the byte load below read far below g_hook_enable. The bound wants an
    ; unsigned branch (jae).
    lea     rsp, offset g_hook_enable   ; rsp borrowed as a scratch base; nothing is pushed before it is restored
    cmp     byte ptr [rsp + rax], 0     ; g_hook_enable[rax] != 0 ?
    jne     KiSystemCall64_Emulate      ; redirected: build the frame ourselves
    ; not redirected: fall through into the passthrough stub below
fake_kisystemcall64 endp

; Passthrough stub (local label, not the kernel's nt!KiSystemCall64): undo the
; two entry steps and tail-jump to the saved original handler with every
; register exactly as SYSCALL left it.
KiSystemCall64 PROC
    mov     rsp, gs:[USERMD_STACK_GS]   ; restore user rsp
    swapgs                              ; back to the user GS base
    jmp     [g_orig_system_call]        ; original handler sees an untouched entry state
KiSystemCall64 ENDP

; Re-implementation of the kernel prologue for a redirected service: builds the
; same trap frame as the listing above, then hands off to the per-build
; KTHREAD bookkeeping and finally to KiSystemServiceStart_Emulate.
; Interrupts stay masked (SYSCALL's IA32_FMASK) until the sti instructions below.
KiSystemCall64_Emulate PROC
    mov     rsp, gs:[KERNEL_STACK_GS]   ; set kernel stack pointer
    push    2Bh                         ; push dummy SS selector
    push    qword ptr gs:[10h]          ; push user stack pointer
    push    r11                         ; push previous EFLAGS
    push    33h                         ; push dummy 64-bit CS selector
    push    rcx                         ; push return address
    mov     rcx, r10                    ; set first argument value
    sub     rsp, 8h                     ; allocate dummy error code
    push    rbp                         ; save standard register
    sub     rsp, 158h                   ; allocate fixed frame
    lea     rbp, [rsp+80h]              ; set frame pointer
    mov     [rbp+0C0h], rbx             ; save nonvolatile registers
    mov     [rbp+0C8h], rdi             ;
    mov     [rbp+0D0h], rsi             ;
    mov     byte ptr [rbp-55h], 2h      ; set service active
    mov     rbx, gs:[188h]              ; get current thread address
    prefetchw byte ptr [rbx+90h]        ; prefetch with write intent
    stmxcsr dword ptr [rbp-54h]         ; save current MXCSR
    ldmxcsr dword ptr gs:[180h]         ; set default MXCSR
    cmp     byte ptr [rbx+3], 0         ; test if debug enabled
    mov     word ptr [rbp+80h], 0       ; assume debug not enabled
    jz      KiSS05                      ; if z, debug not enabled
    ; NOTE(review): on the fast path above, the frame slots [rbp-50h]..[rbp-30h]
    ; are left unwritten, whereas the kernel listing stores rax/rcx/rdx at
    ; [rbp-50h..-40h] before the debug check — confirm nothing downstream reads them.
    mov     [rbp-50h], rax              ; save service argument registers
    mov     [rbp-48h], rcx              ;
    mov     [rbp-40h], rdx              ;
    mov     [rbp-38h], r8               ;
    mov     [rbp-30h], r9               ;
    ; NOTE(review): ZF is still clear from the cmp above (the movs do not touch
    ; flags), so this je never branches and the call below is unconditional;
    ; the kernel's own sequence does `test byte ptr [rbx+3],3` first.
    je      a2
    call    [g_KiSaveDebugRegisterState]
    align   10h
a2:
    test    byte ptr [rbx+3],80h        ; same flag bit the kernel tests before rdmsr
    je      a3
    mov     ecx,0C0000102h              ; IA32_KERNEL_GS_BASE, as in the listing above
    rdmsr
    shl     rdx,20h
    or      rax,rdx                     ; rax = full 64-bit MSR value
a3:
    ; NOTE(review): the KTHREAD offsets in this section ([rbx+0B8h], [rbx+1B0h],
    ; [rbx+1B8h], [rbx+4Ch], [rbx+1C4h], [rbx+100h]) differ from the ones in the
    ; uf listing above ([rbx+0F0h], [rbx+1F0h], [rbx+74h], [rbx+1E6h]); they are
    ; build-specific and must be verified against the target build. The kernel's
    ; clamp against MmUserProbeAddress (cmp/cmovae) is also not reproduced here.
    cmp     qword ptr [rbx+0B8h],rax
    je      B0
    cmp     qword ptr [rbx+1B0h],rax
    je      B0
    mov     rdx,qword ptr [rbx+1B8h]
    bts     dword ptr [rbx+4Ch],0Bh
    dec     word ptr [rbx+1C4h]
    mov     qword ptr [rdx+80h],rax
    sti
    call    [g_KiUmsCallEntry]
    jmp     FA0
B0:
    test    byte ptr [rbx+3],40h
    je      FA0
    lock bts dword ptr [rbx+100h],8
FA0:
    mov     rax,qword ptr [rbp-50h]     ; reload the argument registers saved above
    mov     rcx,qword ptr [rbp-48h]
    mov     rdx,qword ptr [rbp-40h]
    mov     r8,qword ptr [rbp-38h]
    mov     r9,qword ptr [rbp-30h]
    xchg    ax,ax                       ; 2-byte nop (padding)
KiSS05:
    sti                                 ; interrupts back on
    cmp     byte ptr [g_is_win7], 0
    jne     NO_WIN7                     ; NOTE(review): branch is taken when g_is_win7 != 0,
                                        ; so NO_WIN7 is reached on the "win7" setting; the
                                        ; fall-through pair [rbx+88h]/[rbx+80h] matches the
                                        ; Win10 listing above — confirm which build each pair is for
    mov     [rbx+88h], rcx              ; as in the listing: mov [rbx+88h],rcx
    mov     [rbx+80h], eax              ; as in the listing: mov [rbx+80h],eax
    jmp     KiSystemServiceStart_Emulate
NO_WIN7:
    mov     qword ptr [rbx+1E0h],rcx
    mov     dword ptr [rbx+1F8h],eax
    ; falls through into KiSystemServiceStart_Emulate
KiSystemCall64_Emulate ENDP

; Split the service number, as the kernel does (listing: mov edi,eax / shr edi,7 /
; and edi,20h / and eax,0FFFh). edi = 20h when bit 12 of the service number is set,
; 0 otherwise; eax = index within the table. Note that KiSystemServiceRepeat_Emulate
; never uses edi — the hook tables are flat 1000h-entry arrays indexed by eax alone.
KiSystemServiceStart_Emulate PROC
    mov     [rbx+90h], rsp              ; same store the kernel makes ([rbx+90h] = rsp)
    mov     edi, eax
    shr     edi, 7
    and     edi, 20h
    and     eax, 0FFFh
    ; falls through into KiSystemServiceRepeat_Emulate
KiSystemServiceStart_Emulate ENDP

; Table lookup replacing KiSystemServiceRepeat for a redirected service.
; RAX = [IN ] syscall index
; RAX = [OUT] number of parameters
; R10 = [OUT] function address
; R11 = [I/O] trashed
KiSystemServiceRepeat_Emulate PROC
    lea     r11, offset g_hook_table
    mov     r10, qword ptr [r11 + rax * 8h]   ; r10 = g_hook_table[rax]
    lea     r11, offset g_arg_tble
    movzx   rax, byte ptr [r11 + rax]   ; RAX = parameter count (g_arg_tble[rax])
    ; Author's note: no parameter-count / limit check before the jump, unlike the
    ; kernel's `cmp eax,[r10+rdi+10h] / jae` on the path above.
    jmp     [g_KiServiceCopyEndPtr]     ; bug: not check parameter count and jmp
KiSystemServiceRepeat_Emulate ENDP

end

/* Tables driving the dispatch above; index = service number, valid range [0, MAX_SYSCALL_INDEX). */
CHAR g_hook_enable[MAX_SYSCALL_INDEX];
CHAR g_arg_tble[MAX_SYSCALL_INDEX];
PVOID g_hook_table[MAX_SYSCALL_INDEX];
.....
/*
 * set_hook_function - publish a replacement routine for one system service.
 *
 * index:   service number; index into the SSDT and into the three tables above
 * hookPtr: routine the emulated dispatcher jumps to instead of the SSDT entry
 * Returns STATUS_INVALID_PARAMETER for a bad index or NULL pointer, otherwise
 * STATUS_SUCCESS (status is never set to anything else).
 *
 * Ordering: the argument count and the routine are stored before the enable
 * byte, so a syscall on another CPU that observes g_hook_enable[index] != 0
 * in fake_kisystemcall64 already sees both of the other fields.
 */
NTSTATUS set_hook_function(IN ULONG index, IN PVOID hookPtr)
{
    NTSTATUS status = STATUS_SUCCESS;
    /* NOTE(review): off by one — index == MAX_SYSCALL_INDEX passes this check and
     * the three stores below land one element past each table; the test should
     * be index >= MAX_SYSCALL_INDEX. */
    if (index > MAX_SYSCALL_INDEX || hookPtr == NULL) {
        DebugPrint("\n[DebugMessage] STATUS_INVALID_PARAMETER!\n");
        return STATUS_INVALID_PARAMETER;
    }
    /* Raise to DISPATCH_LEVEL so the update is not preempted on this CPU;
     * KeRaiseIrqlToDpcLevel returns the previous IRQL, which is restored below. */
    KIRQL irql = KeGetCurrentIrql();
    if (irql < DISPATCH_LEVEL) irql = KeRaiseIrqlToDpcLevel();
    /* Low 4 bits of the SSDT entry, scaled by 8: the value KiSystemServiceRepeat_Emulate
     * hands to KiServiceCopyEnd in rax. g_SSDT is defined elsewhere in the driver. */
    LONG argumentsCount = (g_SSDT->pServiceTable[index] & 0xF) << 3;
    InterlockedExchange8(&g_arg_tble[index], (CHAR)argumentsCount);
    InterlockedExchange64((PLONG64)&g_hook_table[index], (LONG64)hookPtr);
    InterlockedExchange8(&g_hook_enable[index], TRUE);   /* enable last */
    if (KeGetCurrentIrql() > irql) KeLowerIrql(irql);
    return status;
}