[WIN10 20H2] KiSystemCall64 Hook

KiSystemCall64 Hook

nt!KiSystemCall64: fffff803`12622cc0 0f01f8 swapgs fffff803`12622cc3 654889242510000000 mov qword ptr gs:[10h],rsp fffff803`12622ccc 65488b2425a8010000 mov rsp,qword ptr gs:[1A8h] fffff803`12622cd5 6a2b push 2Bh fffff803`12622cd7 65ff342510000000 push qword ptr gs:[10h] fffff803`12622cdf 4153 push r11 fffff803`12622ce1 6a33 push 33h fffff803`12622ce3 51 push rcx fffff803`12622ce4 498bca mov rcx,r10 fffff803`12622ce7 4883ec08 sub rsp,8 fffff803`12622ceb 55 push rbp fffff803`12622cec 4881ec58010000 sub rsp,158h fffff803`12622cf3 488dac2480000000 lea rbp,[rsp+80h] fffff803`12622cfb 48899dc0000000 mov qword ptr [rbp+0C0h],rbx fffff803`12622d02 4889bdc8000000 mov qword ptr [rbp+0C8h],rdi fffff803`12622d09 4889b5d0000000 mov qword ptr [rbp+0D0h],rsi fffff803`12622d10 f60535488f00ff test byte ptr [nt!KeSmapEnabled (fffff803`12f1754c)],0FFh fffff803`12622d17 740c je nt!KiSystemCall64+0x65 (fffff803`12622d25) Branch nt!KiSystemCall64+0x59: fffff803`12622d19 f685f000000001 test byte ptr [rbp+0F0h],1 fffff803`12622d20 7403 je nt!KiSystemCall64+0x65 (fffff803`12622d25) Branch nt!KiSystemCall64+0x62: fffff803`12622d22 0f01cb stac nt!KiSystemCall64+0x65: fffff803`12622d25 488945b0 mov qword ptr [rbp-50h],rax fffff803`12622d29 48894db8 mov qword ptr [rbp-48h],rcx fffff803`12622d2d 488955c0 mov qword ptr [rbp-40h],rdx fffff803`12622d31 65488b0c2588010000 mov rcx,qword ptr gs:[188h] fffff803`12622d3a 488b8920020000 mov rcx,qword ptr [rcx+220h] fffff803`12622d41 488b89e0090000 mov rcx,qword ptr [rcx+9E0h] fffff803`12622d48 6548890c2570020000 mov qword ptr gs:[270h],rcx fffff803`12622d51 658a0c2550080000 mov cl,byte ptr gs:[850h] fffff803`12622d59 65880c2551080000 mov byte ptr gs:[851h],cl fffff803`12622d61 658a0c2578020000 mov cl,byte ptr gs:[278h] fffff803`12622d69 65880c2552080000 mov byte ptr gs:[852h],cl fffff803`12622d71 650fb604257b020000 movzx eax,byte ptr gs:[27Bh] fffff803`12622d7a 653804257a020000 cmp byte ptr gs:[27Ah],al fffff803`12622d82 7411 je nt!KiSystemCall64+0xd5 
(fffff803`12622d95) Branch nt!KiSystemCall64+0xc4: fffff803`12622d84 658804257a020000 mov byte ptr gs:[27Ah],al fffff803`12622d8c b948000000 mov ecx,48h fffff803`12622d91 33d2 xor edx,edx fffff803`12622d93 0f30 wrmsr nt!KiSystemCall64+0xd5: fffff803`12622d95 650fb6142578020000 movzx edx,byte ptr gs:[278h] fffff803`12622d9e f7c208000000 test edx,8 fffff803`12622da4 7413 je nt!KiSystemCall64+0xf9 (fffff803`12622db9) Branch nt!KiSystemCall64+0xe6: fffff803`12622da6 b801000000 mov eax,1 fffff803`12622dab 33d2 xor edx,edx fffff803`12622dad b949000000 mov ecx,49h fffff803`12622db2 0f30 wrmsr fffff803`12622db4 e93e010000 jmp nt!KiSystemCall64+0x237 (fffff803`12622ef7) Branch nt!KiSystemCall64+0xf9: fffff803`12622db9 f7c202000000 test edx,2 fffff803`12622dbf 0f842f010000 je nt!KiSystemCall64+0x234 (fffff803`12622ef4) Branch nt!KiSystemCall64+0x105: fffff803`12622dc5 65f604257902000004 test byte ptr gs:[279h],4 fffff803`12622dce 0f8520010000 jne nt!KiSystemCall64+0x234 (fffff803`12622ef4) Branch nt!KiSystemCall64+0x114: fffff803`12622dd4 e80e010000 call nt!KiSystemCall64+0x227 (fffff803`12622ee7) fffff803`12622dd9 4883c408 add rsp,8 fffff803`12622ddd e80e010000 call nt!KiSystemCall64+0x230 (fffff803`12622ef0) fffff803`12622de2 4883c408 add rsp,8 fffff803`12622de6 e8eeffffff call nt!KiSystemCall64+0x119 (fffff803`12622dd9) fffff803`12622deb 4883c408 add rsp,8 fffff803`12622def e8eeffffff call nt!KiSystemCall64+0x122 (fffff803`12622de2) fffff803`12622df4 4883c408 add rsp,8 fffff803`12622df8 e8eeffffff call nt!KiSystemCall64+0x12b (fffff803`12622deb) fffff803`12622dfd 4883c408 add rsp,8 fffff803`12622e01 e8eeffffff call nt!KiSystemCall64+0x134 (fffff803`12622df4) fffff803`12622e06 4883c408 add rsp,8 fffff803`12622e0a e8eeffffff call nt!KiSystemCall64+0x13d (fffff803`12622dfd) fffff803`12622e0f 4883c408 add rsp,8 fffff803`12622e13 e8eeffffff call nt!KiSystemCall64+0x146 (fffff803`12622e06) fffff803`12622e18 4883c408 add rsp,8 fffff803`12622e1c e8eeffffff call 
nt!KiSystemCall64+0x14f (fffff803`12622e0f) fffff803`12622e21 4883c408 add rsp,8 fffff803`12622e25 e8eeffffff call nt!KiSystemCall64+0x158 (fffff803`12622e18) fffff803`12622e2a 4883c408 add rsp,8 fffff803`12622e2e e8eeffffff call nt!KiSystemCall64+0x161 (fffff803`12622e21) fffff803`12622e33 4883c408 add rsp,8 fffff803`12622e37 e8eeffffff call nt!KiSystemCall64+0x16a (fffff803`12622e2a) fffff803`12622e3c 4883c408 add rsp,8 fffff803`12622e40 e8eeffffff call nt!KiSystemCall64+0x173 (fffff803`12622e33) fffff803`12622e45 4883c408 add rsp,8 fffff803`12622e49 e8eeffffff call nt!KiSystemCall64+0x17c (fffff803`12622e3c) fffff803`12622e4e 4883c408 add rsp,8 fffff803`12622e52 e8eeffffff call nt!KiSystemCall64+0x185 (fffff803`12622e45) fffff803`12622e57 4883c408 add rsp,8 fffff803`12622e5b e8eeffffff call nt!KiSystemCall64+0x18e (fffff803`12622e4e) fffff803`12622e60 4883c408 add rsp,8 fffff803`12622e64 e8eeffffff call nt!KiSystemCall64+0x197 (fffff803`12622e57) fffff803`12622e69 4883c408 add rsp,8 fffff803`12622e6d e8eeffffff call nt!KiSystemCall64+0x1a0 (fffff803`12622e60) fffff803`12622e72 4883c408 add rsp,8 fffff803`12622e76 e8eeffffff call nt!KiSystemCall64+0x1a9 (fffff803`12622e69) fffff803`12622e7b 4883c408 add rsp,8 fffff803`12622e7f e8eeffffff call nt!KiSystemCall64+0x1b2 (fffff803`12622e72) fffff803`12622e84 4883c408 add rsp,8 fffff803`12622e88 e8eeffffff call nt!KiSystemCall64+0x1bb (fffff803`12622e7b) fffff803`12622e8d 4883c408 add rsp,8 fffff803`12622e91 e8eeffffff call nt!KiSystemCall64+0x1c4 (fffff803`12622e84) fffff803`12622e96 4883c408 add rsp,8 fffff803`12622e9a e8eeffffff call nt!KiSystemCall64+0x1cd (fffff803`12622e8d) fffff803`12622e9f 4883c408 add rsp,8 fffff803`12622ea3 e8eeffffff call nt!KiSystemCall64+0x1d6 (fffff803`12622e96) fffff803`12622ea8 4883c408 add rsp,8 fffff803`12622eac e8eeffffff call nt!KiSystemCall64+0x1df (fffff803`12622e9f) fffff803`12622eb1 4883c408 add rsp,8 fffff803`12622eb5 e8eeffffff call nt!KiSystemCall64+0x1e8 (fffff803`12622ea8) 
fffff803`12622eba 4883c408 add rsp,8 fffff803`12622ebe e8eeffffff call nt!KiSystemCall64+0x1f1 (fffff803`12622eb1) fffff803`12622ec3 4883c408 add rsp,8 fffff803`12622ec7 e8eeffffff call nt!KiSystemCall64+0x1fa (fffff803`12622eba) fffff803`12622ecc 4883c408 add rsp,8 fffff803`12622ed0 e8eeffffff call nt!KiSystemCall64+0x203 (fffff803`12622ec3) fffff803`12622ed5 4883c408 add rsp,8 fffff803`12622ed9 e8eeffffff call nt!KiSystemCall64+0x20c (fffff803`12622ecc) fffff803`12622ede 4883c408 add rsp,8 fffff803`12622ee2 e8eeffffff call nt!KiSystemCall64+0x215 (fffff803`12622ed5) fffff803`12622ee7 4883c408 add rsp,8 fffff803`12622eeb e8eeffffff call nt!KiSystemCall64+0x21e (fffff803`12622ede) fffff803`12622ef0 4883c408 add rsp,8 nt!KiSystemCall64+0x234: fffff803`12622ef4 0faee8 lfence nt!KiSystemCall64+0x237: fffff803`12622ef7 65c604255308000000 mov byte ptr gs:[853h],0 fffff803`12622f00 c645ab02 mov byte ptr [rbp-55h],2 fffff803`12622f04 65488b1c2588010000 mov rbx,qword ptr gs:[188h] fffff803`12622f0d 0f0d8b90000000 prefetchw [rbx+90h] fffff803`12622f14 0fae5dac stmxcsr dword ptr [rbp-54h] fffff803`12622f18 650fae142580010000 ldmxcsr dword ptr gs:[180h] fffff803`12622f21 807b0300 cmp byte ptr [rbx+3],0 fffff803`12622f25 66c785800000000000 mov word ptr [rbp+80h],0 fffff803`12622f2e 0f84d0000000 je nt!KiSystemServiceUser+0x104 (fffff803`12623004) Branch nt!KiSystemServiceUser+0x34: fffff803`12622f34 f6430303 test byte ptr [rbx+3],3 fffff803`12622f38 4c8945c8 mov qword ptr [rbp-38h],r8 fffff803`12622f3c 4c894dd0 mov qword ptr [rbp-30h],r9 fffff803`12622f40 7405 je nt!KiSystemServiceUser+0x47 (fffff803`12622f47) Branch nt!KiSystemServiceUser+0x42: fffff803`12622f42 e889edfeff call nt!KiSaveDebugRegisterState (fffff803`12611cd0) nt!KiSystemServiceUser+0x47: fffff803`12622f47 f6430324 test byte ptr [rbx+3],24h fffff803`12622f4b 7456 je nt!KiSystemServiceUser+0xa3 (fffff803`12622fa3) Branch nt!KiSystemServiceUser+0x4d: fffff803`12622f4d 4c8955e0 mov qword ptr [rbp-20h],r10 
fffff803`12622f51 4c8955d8 mov qword ptr [rbp-28h],r10 fffff803`12622f55 0f2945f0 movaps xmmword ptr [rbp-10h],xmm0 fffff803`12622f59 0f294d00 movaps xmmword ptr [rbp],xmm1 fffff803`12622f5d 0f295510 movaps xmmword ptr [rbp+10h],xmm2 fffff803`12622f61 0f295d20 movaps xmmword ptr [rbp+20h],xmm3 fffff803`12622f65 0f296530 movaps xmmword ptr [rbp+30h],xmm4 fffff803`12622f69 0f296d40 movaps xmmword ptr [rbp+40h],xmm5 fffff803`12622f6d fb sti fffff803`12622f6e 488bcc mov rcx,rsp fffff803`12622f71 e8aa5b1700 call nt!PsAltSystemCallDispatch (fffff803`12798b20) fffff803`12622f76 3c01 cmp al,1 fffff803`12622f78 7429 je nt!KiSystemServiceUser+0xa3 (fffff803`12622fa3) Branch nt!KiSystemServiceUser+0x7a: fffff803`12622f7a 488b45b0 mov rax,qword ptr [rbp-50h] fffff803`12622f7e 7c14 jl nt!KiSystemServiceUser+0x94 (fffff803`12622f94) Branch nt!KiSystemServiceUser+0x80: fffff803`12622f80 b91c0000c0 mov ecx,0C000001Ch fffff803`12622f85 33d2 xor edx,edx fffff803`12622f87 4c8b85e8000000 mov r8,qword ptr [rbp+0E8h] fffff803`12622f8e e8ed070000 call nt!KiExceptionDispatch (fffff803`12623780) fffff803`12622f93 cc int 3 nt!KiSystemServiceUser+0x94: fffff803`12622f94 f6430304 test byte ptr [rbx+3],4 fffff803`12622f98 0f8422020000 je nt!KiSystemServiceExit (fffff803`126231c0) Branch nt!KiSystemServiceUser+0x9e: fffff803`12622f9e e992040000 jmp nt!KiSystemServiceExitPico (fffff803`12623435) Branch nt!KiSystemServiceUser+0xa3: fffff803`12622fa3 f6430380 test byte ptr [rbx+3],80h fffff803`12622fa7 7448 je nt!KiSystemServiceUser+0xf1 (fffff803`12622ff1) Branch nt!KiSystemServiceUser+0xa9: fffff803`12622fa9 b9020100c0 mov ecx,0C0000102h fffff803`12622fae 0f32 rdmsr fffff803`12622fb0 48c1e220 shl rdx,20h fffff803`12622fb4 480bc2 or rax,rdx fffff803`12622fb7 483b052aa4c1ff cmp rax,qword ptr [nt!MmUserProbeAddress (fffff803`1223d3e8)] fffff803`12622fbe 480f430522a4c1ff cmovae rax,qword ptr [nt!MmUserProbeAddress (fffff803`1223d3e8)] fffff803`12622fc6 483983f0000000 cmp qword ptr [rbx+0F0h],rax 
fffff803`12622fcd 7422 je nt!KiSystemServiceUser+0xf1 (fffff803`12622ff1) Branch nt!KiSystemServiceUser+0xcf: fffff803`12622fcf 488b93f0010000 mov rdx,qword ptr [rbx+1F0h] fffff803`12622fd6 0fba6b7408 bts dword ptr [rbx+74h],8 fffff803`12622fdb 66ff8be6010000 dec word ptr [rbx+1E6h] fffff803`12622fe2 48898280000000 mov qword ptr [rdx+80h],rax fffff803`12622fe9 fb sti fffff803`12622fea e8d1120000 call nt!KiUmsCallEntry (fffff803`126242c0) fffff803`12622fef eb0b jmp nt!KiSystemServiceUser+0xfc (fffff803`12622ffc) Branch nt!KiSystemServiceUser+0xf1: fffff803`12622ff1 f6430340 test byte ptr [rbx+3],40h fffff803`12622ff5 7405 je nt!KiSystemServiceUser+0xfc (fffff803`12622ffc) Branch nt!KiSystemServiceUser+0xf7: fffff803`12622ff7 0fba6b7410 bts dword ptr [rbx+74h],10h nt!KiSystemServiceUser+0xfc: fffff803`12622ffc 4c8b45c8 mov r8,qword ptr [rbp-38h] fffff803`12623000 4c8b4dd0 mov r9,qword ptr [rbp-30h] nt!KiSystemServiceUser+0x104: fffff803`12623004 488b45b0 mov rax,qword ptr [rbp-50h] fffff803`12623008 488b4db8 mov rcx,qword ptr [rbp-48h] fffff803`1262300c 488b55c0 mov rdx,qword ptr [rbp-40h] fffff803`12623010 fb sti fffff803`12623011 48898b88000000 mov qword ptr [rbx+88h],rcx fffff803`12623018 898380000000 mov dword ptr [rbx+80h],eax fffff803`1262301e 6690 xchg ax,ax fffff803`12623020 4889a390000000 mov qword ptr [rbx+90h],rsp fffff803`12623027 8bf8 mov edi,eax fffff803`12623029 c1ef07 shr edi,7 fffff803`1262302c 83e720 and edi,20h fffff803`1262302f 25ff0f0000 and eax,0FFFh nt!KiSystemServiceRepeat: fffff803`12623034 4c8d1585a89f00 lea r10,[nt!KeServiceDescriptorTable (fffff803`1301d8c0)] fffff803`1262303b 4c8d1dfe498f00 lea r11,[nt!KeServiceDescriptorTableShadow (fffff803`12f17a40)] fffff803`12623042 f7437880000000 test dword ptr [rbx+78h],80h fffff803`12623049 7413 je nt!KiSystemServiceRepeat+0x2a (fffff803`1262305e) Branch nt!KiSystemServiceRepeat+0x17: fffff803`1262304b f7437800002000 test dword ptr [rbx+78h],200000h fffff803`12623052 7407 je 
nt!KiSystemServiceRepeat+0x27 (fffff803`1262305b) Branch nt!KiSystemServiceRepeat+0x20: fffff803`12623054 4c8d1d654b8f00 lea r11,[nt!KeServiceDescriptorTableFilter (fffff803`12f17bc0)] nt!KiSystemServiceRepeat+0x27: fffff803`1262305b 4d8bd3 mov r10,r11 nt!KiSystemServiceRepeat+0x2a: fffff803`1262305e 413b443a10 cmp eax,dword ptr [r10+rdi+10h] fffff803`12623063 0f832c050000 jae nt!KiSystemServiceExitPico+0x160 (fffff803`12623595) Branch nt!KiSystemServiceRepeat+0x35: fffff803`12623069 4d8b143a mov r10,qword ptr [r10+rdi] fffff803`1262306d 4d631c82 movsxd r11,dword ptr [r10+rax*4] fffff803`12623071 498bc3 mov rax,r11 fffff803`12623074 49c1fb04 sar r11,4 fffff803`12623078 4d03d3 add r10,r11 fffff803`1262307b 83ff20 cmp edi,20h fffff803`1262307e 7550 jne nt!KiSystemServiceGdiTebAccess+0x49 (fffff803`126230d0) Branch nt!KiSystemServiceRepeat+0x4c: fffff803`12623080 4c8b9bf0000000 mov r11,qword ptr [rbx+0F0h] fffff803`12623087 4183bb4017000000 cmp dword ptr [r11+1740h],0 fffff803`1262308f 743f je nt!KiSystemServiceGdiTebAccess+0x49 (fffff803`126230d0) Branch nt!KiSystemServiceGdiTebAccess+0xa: fffff803`12623091 488945b0 mov qword ptr [rbp-50h],rax fffff803`12623095 48894db8 mov qword ptr [rbp-48h],rcx fffff803`12623099 488955c0 mov qword ptr [rbp-40h],rdx fffff803`1262309d 498bd8 mov rbx,r8 fffff803`126230a0 498bf9 mov rdi,r9 fffff803`126230a3 498bf2 mov rsi,r10 fffff803`126230a6 b907000000 mov ecx,7 fffff803`126230ab 33d2 xor edx,edx fffff803`126230ad 4d33c0 xor r8,r8 fffff803`126230b0 4d33c9 xor r9,r9 fffff803`126230b3 e868052300 call nt!PsInvokeWin32Callout (fffff803`12853620) fffff803`126230b8 488b45b0 mov rax,qword ptr [rbp-50h] fffff803`126230bc 488b4db8 mov rcx,qword ptr [rbp-48h] fffff803`126230c0 488b55c0 mov rdx,qword ptr [rbp-40h] fffff803`126230c4 4c8bc3 mov r8,rbx fffff803`126230c7 4c8bcf mov r9,rdi fffff803`126230ca 4c8bd6 mov r10,rsi fffff803`126230cd 0f1f00 nop dword ptr [rax] nt!KiSystemServiceGdiTebAccess+0x49: fffff803`126230d0 83e00f and eax,0Fh 
fffff803`126230d3 0f84b7000000 je nt!KiSystemServiceCopyEnd (fffff803`12623190) Branch nt!KiSystemServiceGdiTebAccess+0x52: fffff803`126230d9 c1e003 shl eax,3 fffff803`126230dc 488d642490 lea rsp,[rsp-70h] fffff803`126230e1 488d7c2418 lea rdi,[rsp+18h] fffff803`126230e6 488bb500010000 mov rsi,qword ptr [rbp+100h] fffff803`126230ed 488d7620 lea rsi,[rsi+20h] fffff803`126230f1 f685f000000001 test byte ptr [rbp+0F0h],1 fffff803`126230f8 7416 je nt!KiSystemServiceGdiTebAccess+0x89 (fffff803`12623110) Branch nt!KiSystemServiceGdiTebAccess+0x73: fffff803`126230fa 483b35e7a2c1ff cmp rsi,qword ptr [nt!MmUserProbeAddress (fffff803`1223d3e8)] fffff803`12623101 480f4335dfa2c1ff cmovae rsi,qword ptr [nt!MmUserProbeAddress (fffff803`1223d3e8)] fffff803`12623109 0f1f8000000000 nop dword ptr [rax] nt!KiSystemServiceGdiTebAccess+0x89: fffff803`12623110 4c8d1d79000000 lea r11,[nt!KiSystemServiceCopyEnd (fffff803`12623190)] fffff803`12623117 4c2bd8 sub r11,rax fffff803`1262311a e8e1d06000 call nt!_guard_retpoline_switchtable_jump_r11 (fffff803`12c30200) fffff803`1262311f cc int 3 fffff803`12623120 488b4670 mov rax,qword ptr [rsi+70h] fffff803`12623124 48894770 mov qword ptr [rdi+70h],rax fffff803`12623128 488b4668 mov rax,qword ptr [rsi+68h] fffff803`1262312c 48894768 mov qword ptr [rdi+68h],rax fffff803`12623130 488b4660 mov rax,qword ptr [rsi+60h] fffff803`12623134 48894760 mov qword ptr [rdi+60h],rax fffff803`12623138 488b4658 mov rax,qword ptr [rsi+58h] fffff803`1262313c 48894758 mov qword ptr [rdi+58h],rax fffff803`12623140 488b4650 mov rax,qword ptr [rsi+50h] fffff803`12623144 48894750 mov qword ptr [rdi+50h],rax fffff803`12623148 488b4648 mov rax,qword ptr [rsi+48h] fffff803`1262314c 48894748 mov qword ptr [rdi+48h],rax fffff803`12623150 488b4640 mov rax,qword ptr [rsi+40h] fffff803`12623154 48894740 mov qword ptr [rdi+40h],rax fffff803`12623158 488b4638 mov rax,qword ptr [rsi+38h] fffff803`1262315c 48894738 mov qword ptr [rdi+38h],rax fffff803`12623160 488b4630 mov rax,qword 
ptr [rsi+30h] fffff803`12623164 48894730 mov qword ptr [rdi+30h],rax fffff803`12623168 488b4628 mov rax,qword ptr [rsi+28h] fffff803`1262316c 48894728 mov qword ptr [rdi+28h],rax fffff803`12623170 488b4620 mov rax,qword ptr [rsi+20h] fffff803`12623174 48894720 mov qword ptr [rdi+20h],rax fffff803`12623178 488b4618 mov rax,qword ptr [rsi+18h] fffff803`1262317c 48894718 mov qword ptr [rdi+18h],rax fffff803`12623180 488b4610 mov rax,qword ptr [rsi+10h] fffff803`12623184 48894710 mov qword ptr [rdi+10h],rax fffff803`12623188 488b4608 mov rax,qword ptr [rsi+8] fffff803`1262318c 48894708 mov qword ptr [rdi+8],rax nt!KiSystemServiceCopyEnd: fffff803`12623190 f70566448f0001000000 test dword ptr [nt!KiDynamicTraceMask (fffff803`12f17600)],1 fffff803`1262319a 0f8593040000 jne nt!KiSystemServiceExitPico+0x1fe (fffff803`12623633) Branch nt!KiSystemServiceCopyEnd+0x10: fffff803`126231a0 f705de428f0040000000 test dword ptr [nt!PerfGlobalGroupMask+0x8 (fffff803`12f17488)],40h fffff803`126231aa 0f85f7040000 jne nt!KiSystemServiceExitPico+0x272 (fffff803`126236a7) Branch nt!KiSystemServiceCopyEnd+0x20: fffff803`126231b0 498bc2 mov rax,r10 fffff803`126231b3 e828d16000 call nt!_guard_retpoline_indirect_rax (fffff803`12c302e0) nt!KiSystemServiceCopyEnd+0x28: fffff803`126231b8 65ff0425b82e0000 inc dword ptr gs:[2EB8h] nt!KiSystemServiceExit: fffff803`126231c0 488b9dc0000000 mov rbx,qword ptr [rbp+0C0h] fffff803`126231c7 488bbdc8000000 mov rdi,qword ptr [rbp+0C8h] fffff803`126231ce 488bb5d0000000 mov rsi,qword ptr [rbp+0D0h] fffff803`126231d5 654c8b1c2588010000 mov r11,qword ptr gs:[188h] fffff803`126231de f685f000000001 test byte ptr [rbp+0F0h],1 fffff803`126231e5 0f841d020000 je nt!KiSystemServiceExit+0x248 (fffff803`12623408) Branch nt!KiSystemServiceExit+0x2b: fffff803`126231eb 440f20c1 mov rcx,tmm fffff803`126231ef 410a8b4a020000 or cl,byte ptr [r11+24Ah] fffff803`126231f6 410b8be4010000 or ecx,dword ptr [r11+1E4h] fffff803`126231fd 0f85fc030000 jne nt!KiSystemServiceExitPico+0x1ca 
(fffff803`126235ff) Branch nt!KiSystemServiceExit+0x43: fffff803`12623203 fa cli nt!KiSystemServiceExit+0x44: fffff803`12623204 65488b0c2588010000 mov rcx,qword ptr gs:[188h] fffff803`1262320d f681c200000003 test byte ptr [rcx+0C2h],3 fffff803`12623214 7459 je nt!KiSystemServiceExit+0xaf (fffff803`1262326f) Branch nt!KiSystemServiceExit+0x56: fffff803`12623216 488945b0 mov qword ptr [rbp-50h],rax fffff803`1262321a 33c0 xor eax,eax fffff803`1262321c 488945b8 mov qword ptr [rbp-48h],rax fffff803`12623220 488945c0 mov qword ptr [rbp-40h],rax fffff803`12623224 488945c8 mov qword ptr [rbp-38h],rax fffff803`12623228 488945d0 mov qword ptr [rbp-30h],rax fffff803`1262322c 488945d8 mov qword ptr [rbp-28h],rax fffff803`12623230 488945e0 mov qword ptr [rbp-20h],rax fffff803`12623234 660fefc0 pxor xmm0,xmm0 fffff803`12623238 0f2945f0 movaps xmmword ptr [rbp-10h],xmm0 fffff803`1262323c 0f294500 movaps xmmword ptr [rbp],xmm0 fffff803`12623240 0f294510 movaps xmmword ptr [rbp+10h],xmm0 fffff803`12623244 0f294520 movaps xmmword ptr [rbp+20h],xmm0 fffff803`12623248 0f294530 movaps xmmword ptr [rbp+30h],xmm0 fffff803`1262324c 0f294540 movaps xmmword ptr [rbp+40h],xmm0 fffff803`12623250 b901000000 mov ecx,1 fffff803`12623255 440f22c1 mov tmm,rcx fffff803`12623259 fb sti fffff803`1262325a e8512affff call nt!KiInitiateUserApc (fffff803`12615cb0) fffff803`1262325f fa cli fffff803`12623260 b900000000 mov ecx,0 fffff803`12623265 440f22c1 mov tmm,rcx fffff803`12623269 488b45b0 mov rax,qword ptr [rbp-50h] fffff803`1262326d eb95 jmp nt!KiSystemServiceExit+0x44 (fffff803`12623204) Branch nt!KiSystemServiceExit+0xaf: fffff803`1262326f 65f604257e02000002 test byte ptr gs:[27Eh],2 fffff803`12623278 740f je nt!KiSystemServiceExit+0xc9 (fffff803`12623289) Branch nt!KiSystemServiceExit+0xba: fffff803`1262327a 488945b0 mov qword ptr [rbp-50h],rax fffff803`1262327e 33c9 xor ecx,ecx fffff803`12623280 e89b6cedff call nt!KiUpdateStibpPairing (fffff803`124f9f20) fffff803`12623285 488b45b0 mov rax,qword 
ptr [rbp-50h] nt!KiSystemServiceExit+0xc9: fffff803`12623289 65488b0c2588010000 mov rcx,qword ptr gs:[188h] fffff803`12623292 f70100000008 test dword ptr [rcx],8000000h fffff803`12623298 743f je nt!KiSystemServiceExit+0x119 (fffff803`126232d9) Branch nt!KiSystemServiceExit+0xda: fffff803`1262329a 488945b0 mov qword ptr [rbp-50h],rax fffff803`1262329e 33c0 xor eax,eax fffff803`126232a0 488945b8 mov qword ptr [rbp-48h],rax fffff803`126232a4 488945c0 mov qword ptr [rbp-40h],rax fffff803`126232a8 488945c8 mov qword ptr [rbp-38h],rax fffff803`126232ac 488945d0 mov qword ptr [rbp-30h],rax fffff803`126232b0 488945d8 mov qword ptr [rbp-28h],rax fffff803`126232b4 488945e0 mov qword ptr [rbp-20h],rax fffff803`126232b8 660fefc0 pxor xmm0,xmm0 fffff803`126232bc 0f2945f0 movaps xmmword ptr [rbp-10h],xmm0 fffff803`126232c0 0f294500 movaps xmmword ptr [rbp],xmm0 fffff803`126232c4 0f294510 movaps xmmword ptr [rbp+10h],xmm0 fffff803`126232c8 0f294520 movaps xmmword ptr [rbp+20h],xmm0 fffff803`126232cc 0f294530 movaps xmmword ptr [rbp+30h],xmm0 fffff803`126232d0 0f294540 movaps xmmword ptr [rbp+40h],xmm0 fffff803`126232d4 e807f4feff call nt!KiRestoreSetContextState (fffff803`126126e0) nt!KiSystemServiceExit+0x119: fffff803`126232d9 65488b0c2588010000 mov rcx,qword ptr gs:[188h] fffff803`126232e2 f70100000140 test dword ptr [rcx],40010000h fffff803`126232e8 742d je nt!KiSystemServiceExit+0x157 (fffff803`12623317) Branch nt!KiSystemServiceExit+0x12a: fffff803`126232ea 488945b0 mov qword ptr [rbp-50h],rax fffff803`126232ee f6410201 test byte ptr [rcx+2],1 fffff803`126232f2 740e je nt!KiSystemServiceExit+0x142 (fffff803`12623302) Branch nt!KiSystemServiceExit+0x134: fffff803`126232f4 e887eb1000 call nt!KiCopyCounters (fffff803`12731e80) fffff803`126232f9 65488b0c2588010000 mov rcx,qword ptr gs:[188h] nt!KiSystemServiceExit+0x142: fffff803`12623302 f6410340 test byte ptr [rcx+3],40h fffff803`12623306 740b je nt!KiSystemServiceExit+0x153 (fffff803`12623313) Branch 
nt!KiSystemServiceExit+0x148: fffff803`12623308 488d6580 lea rsp,[rbp-80h] fffff803`1262330c 33c9 xor ecx,ecx fffff803`1262330e e82d120000 call nt!KiUmsExit (fffff803`12624540) nt!KiSystemServiceExit+0x153: fffff803`12623313 488b45b0 mov rax,qword ptr [rbp-50h] nt!KiSystemServiceExit+0x157: fffff803`12623317 0fae55ac ldmxcsr dword ptr [rbp-54h] fffff803`1262331b 4d33d2 xor r10,r10 fffff803`1262331e 6683bd8000000000 cmp word ptr [rbp+80h],0 fffff803`12623326 7441 je nt!KiSystemServiceExit+0x1a9 (fffff803`12623369) Branch nt!KiSystemServiceExit+0x168: fffff803`12623328 488945b0 mov qword ptr [rbp-50h],rax fffff803`1262332c e81fe9feff call nt!KiRestoreDebugRegisterState (fffff803`12611c50) fffff803`12623331 65488b042588010000 mov rax,qword ptr gs:[188h] fffff803`1262333a 488b80b8000000 mov rax,qword ptr [rax+0B8h] fffff803`12623341 488b80d8030000 mov rax,qword ptr [rax+3D8h] fffff803`12623348 480bc0 or rax,rax fffff803`1262334b 7418 je nt!KiSystemServiceExit+0x1a5 (fffff803`12623365) Branch nt!KiSystemServiceExit+0x18d: fffff803`1262334d 6683bdf000000033 cmp word ptr [rbp+0F0h],33h fffff803`12623355 750e jne nt!KiSystemServiceExit+0x1a5 (fffff803`12623365) Branch nt!KiSystemServiceExit+0x197: fffff803`12623357 4c8b95e8000000 mov r10,qword ptr [rbp+0E8h] fffff803`1262335e 488985e8000000 mov qword ptr [rbp+0E8h],rax nt!KiSystemServiceExit+0x1a5: fffff803`12623365 488b45b0 mov rax,qword ptr [rbp-50h] nt!KiSystemServiceExit+0x1a9: fffff803`12623369 488945b0 mov qword ptr [rbp-50h],rax fffff803`1262336d 65c604255308000000 mov byte ptr gs:[853h],0 fffff803`12623376 650fb604257d020000 movzx eax,byte ptr gs:[27Dh] fffff803`1262337f 653804257a020000 cmp byte ptr gs:[27Ah],al fffff803`12623387 7411 je nt!KiSystemServiceExit+0x1da (fffff803`1262339a) Branch nt!KiSystemServiceExit+0x1c9: fffff803`12623389 658804257a020000 mov byte ptr gs:[27Ah],al fffff803`12623391 b948000000 mov ecx,48h fffff803`12623396 33d2 xor edx,edx fffff803`12623398 0f30 wrmsr nt!KiSystemServiceExit+0x1da: 
fffff803`1262339a 66650fba34257802000002 btr word ptr gs:[278h],2 fffff803`126233a5 730e jae nt!KiSystemServiceExit+0x1f5 (fffff803`126233b5) Branch nt!KiSystemServiceExit+0x1e7: fffff803`126233a7 b801000000 mov eax,1 fffff803`126233ac 33d2 xor edx,edx fffff803`126233ae b949000000 mov ecx,49h fffff803`126233b3 0f30 wrmsr nt!KiSystemServiceExit+0x1f5: fffff803`126233b5 488b45b0 mov rax,qword ptr [rbp-50h] fffff803`126233b9 4c8b8500010000 mov r8,qword ptr [rbp+100h] fffff803`126233c0 4c8b8dd8000000 mov r9,qword ptr [rbp+0D8h] fffff803`126233c7 33d2 xor edx,edx fffff803`126233c9 660fefc0 pxor xmm0,xmm0 fffff803`126233cd 660fefc9 pxor xmm1,xmm1 fffff803`126233d1 660fefd2 pxor xmm2,xmm2 fffff803`126233d5 660fefdb pxor xmm3,xmm3 fffff803`126233d9 660fefe4 pxor xmm4,xmm4 fffff803`126233dd 660fefed pxor xmm5,xmm5 fffff803`126233e1 488b8de8000000 mov rcx,qword ptr [rbp+0E8h] fffff803`126233e8 4c8b9df8000000 mov r11,qword ptr [rbp+0F8h] fffff803`126233ef f6054aa49f0001 test byte ptr [nt!KiKvaShadow (fffff803`1301d840)],1 fffff803`126233f6 0f85c4b96000 jne nt!KiKernelSysretExit (fffff803`12c2edc0) Branch nt!KiSystemServiceExit+0x23c: fffff803`126233fc 498be9 mov rbp,r9 fffff803`126233ff 498be0 mov rsp,r8 fffff803`12623402 0f01f8 swapgs fffff803`12623405 480f07 sysretq nt!KiSystemServiceExit+0x248: fffff803`12623408 488b95b8000000 mov rdx,qword ptr [rbp+0B8h] fffff803`1262340f 49899390000000 mov qword ptr [r11+90h],rdx fffff803`12623416 8a55a8 mov dl,byte ptr [rbp-58h] fffff803`12623419 41889332020000 mov byte ptr [r11+232h],dl fffff803`12623420 fa cli fffff803`12623421 488be5 mov rsp,rbp fffff803`12623424 488badd8000000 mov rbp,qword ptr [rbp+0D8h] fffff803`1262342b 488ba42400010000 mov rsp,qword ptr [rsp+100h] fffff803`12623433 fb sti fffff803`12623434 c3 ret nt!KiSystemServiceExitPico: fffff803`12623435 654c8b1c2588010000 mov r11,qword ptr gs:[188h] fffff803`1262343e 440f20c1 mov rcx,tmm fffff803`12623442 410a8b4a020000 or cl,byte ptr [r11+24Ah] fffff803`12623449 
410b8be4010000 or ecx,dword ptr [r11+1E4h] fffff803`12623450 0f85a9010000 jne nt!KiSystemServiceExitPico+0x1ca (fffff803`126235ff) Branch nt!KiSystemServiceExitPico+0x21: fffff803`12623456 fa cli fffff803`12623457 488945b0 mov qword ptr [rbp-50h],rax nt!KiSystemServiceExitPico+0x26: fffff803`1262345b 65488b0c2588010000 mov rcx,qword ptr gs:[188h] fffff803`12623464 f681c200000003 test byte ptr [rcx+0C2h],3 fffff803`1262346b 741b je nt!KiSystemServiceExitPico+0x53 (fffff803`12623488) Branch nt!KiSystemServiceExitPico+0x38: fffff803`1262346d b901000000 mov ecx,1 fffff803`12623472 440f22c1 mov tmm,rcx fffff803`12623476 fb sti fffff803`12623477 e83428ffff call nt!KiInitiateUserApc (fffff803`12615cb0) fffff803`1262347c b900000000 mov ecx,0 fffff803`12623481 440f22c1 mov tmm,rcx fffff803`12623485 fa cli fffff803`12623486 ebd3 jmp nt!KiSystemServiceExitPico+0x26 (fffff803`1262345b) Branch nt!KiSystemServiceExitPico+0x53: fffff803`12623488 65f604257e02000002 test byte ptr gs:[27Eh],2 fffff803`12623491 7407 je nt!KiSystemServiceExitPico+0x65 (fffff803`1262349a) Branch nt!KiSystemServiceExitPico+0x5e: fffff803`12623493 33c9 xor ecx,ecx fffff803`12623495 e8866aedff call nt!KiUpdateStibpPairing (fffff803`124f9f20) nt!KiSystemServiceExitPico+0x65: fffff803`1262349a 65488b0c2588010000 mov rcx,qword ptr gs:[188h] fffff803`126234a3 f70100000008 test dword ptr [rcx],8000000h fffff803`126234a9 7405 je nt!KiSystemServiceExitPico+0x7b (fffff803`126234b0) Branch nt!KiSystemServiceExitPico+0x76: fffff803`126234ab e830f2feff call nt!KiRestoreSetContextState (fffff803`126126e0) nt!KiSystemServiceExitPico+0x7b: fffff803`126234b0 65488b0c2588010000 mov rcx,qword ptr gs:[188h] fffff803`126234b9 f6410201 test byte ptr [rcx+2],1 fffff803`126234bd 740e je nt!KiSystemServiceExitPico+0x98 (fffff803`126234cd) Branch nt!KiSystemServiceExitPico+0x8a: fffff803`126234bf e8bce91000 call nt!KiCopyCounters (fffff803`12731e80) fffff803`126234c4 65488b0c2588010000 mov rcx,qword ptr gs:[188h] 
nt!KiSystemServiceExitPico+0x98: fffff803`126234cd 6683bd8000000000 cmp word ptr [rbp+80h],0 fffff803`126234d5 7405 je nt!KiSystemServiceExitPico+0xa7 (fffff803`126234dc) Branch nt!KiSystemServiceExitPico+0xa2: fffff803`126234d7 e874e7feff call nt!KiRestoreDebugRegisterState (fffff803`12611c50) nt!KiSystemServiceExitPico+0xa7: fffff803`126234dc 65c604255308000000 mov byte ptr gs:[853h],0 fffff803`126234e5 650fb604257d020000 movzx eax,byte ptr gs:[27Dh] fffff803`126234ee 653804257a020000 cmp byte ptr gs:[27Ah],al fffff803`126234f6 7411 je nt!KiSystemServiceExitPico+0xd4 (fffff803`12623509) Branch nt!KiSystemServiceExitPico+0xc3: fffff803`126234f8 658804257a020000 mov byte ptr gs:[27Ah],al fffff803`12623500 b948000000 mov ecx,48h fffff803`12623505 33d2 xor edx,edx fffff803`12623507 0f30 wrmsr nt!KiSystemServiceExitPico+0xd4: fffff803`12623509 66650fba34257802000002 btr word ptr gs:[278h],2 fffff803`12623514 730e jae nt!KiSystemServiceExitPico+0xef (fffff803`12623524) Branch nt!KiSystemServiceExitPico+0xe1: fffff803`12623516 b801000000 mov eax,1 fffff803`1262351b 33d2 xor edx,edx fffff803`1262351d b949000000 mov ecx,49h fffff803`12623522 0f30 wrmsr nt!KiSystemServiceExitPico+0xef: fffff803`12623524 0fae55ac ldmxcsr dword ptr [rbp-54h] fffff803`12623528 0f2845f0 movaps xmm0,xmmword ptr [rbp-10h] fffff803`1262352c 0f284d00 movaps xmm1,xmmword ptr [rbp] fffff803`12623530 0f285510 movaps xmm2,xmmword ptr [rbp+10h] fffff803`12623534 0f285d20 movaps xmm3,xmmword ptr [rbp+20h] fffff803`12623538 0f286530 movaps xmm4,xmmword ptr [rbp+30h] fffff803`1262353c 0f286d40 movaps xmm5,xmmword ptr [rbp+40h] fffff803`12623540 4c8b5de0 mov r11,qword ptr [rbp-20h] fffff803`12623544 4c8b55d8 mov r10,qword ptr [rbp-28h] fffff803`12623548 4c8b4dd0 mov r9,qword ptr [rbp-30h] fffff803`1262354c 4c8b45c8 mov r8,qword ptr [rbp-38h] fffff803`12623550 488b55c0 mov rdx,qword ptr [rbp-40h] fffff803`12623554 488b4db8 mov rcx,qword ptr [rbp-48h] fffff803`12623558 488b45b0 mov rax,qword ptr [rbp-50h] 
fffff803`1262355c 488bb5d0000000 mov rsi,qword ptr [rbp+0D0h] fffff803`12623563 488bbdc8000000 mov rdi,qword ptr [rbp+0C8h] fffff803`1262356a 488b9dc0000000 mov rbx,qword ptr [rbp+0C0h] fffff803`12623571 488be5 mov rsp,rbp fffff803`12623574 488badd8000000 mov rbp,qword ptr [rbp+0D8h] fffff803`1262357b 4881c4e8000000 add rsp,0E8h fffff803`12623582 f605b7a29f0001 test byte ptr [nt!KiKvaShadow (fffff803`1301d840)],1 fffff803`12623589 7405 je nt!KiSystemServiceExitPico+0x15b (fffff803`12623590) Branch nt!KiSystemServiceExitPico+0x156: fffff803`1262358b e9f0b56000 jmp nt!KiKernelExit (fffff803`12c2eb80) Branch nt!KiSystemServiceExitPico+0x15b: fffff803`12623590 0f01f8 swapgs fffff803`12623593 48cf iretq nt!KiSystemServiceExitPico+0x160: fffff803`12623595 83ff20 cmp edi,20h fffff803`12623598 755b jne nt!KiSystemServiceExitPico+0x1c0 (fffff803`126235f5) Branch nt!KiSystemServiceExitPico+0x165: fffff803`1262359a 894580 mov dword ptr [rbp-80h],eax fffff803`1262359d 48894d88 mov qword ptr [rbp-78h],rcx fffff803`126235a1 48895590 mov qword ptr [rbp-70h],rdx fffff803`126235a5 4c894598 mov qword ptr [rbp-68h],r8 fffff803`126235a9 4c894da0 mov qword ptr [rbp-60h],r9 fffff803`126235ad e86e1effff call nt!KiConvertToGuiThread (fffff803`12615420) fffff803`126235b2 0bc0 or eax,eax fffff803`126235b4 8b4580 mov eax,dword ptr [rbp-80h] fffff803`126235b7 488b4d88 mov rcx,qword ptr [rbp-78h] fffff803`126235bb 488b5590 mov rdx,qword ptr [rbp-70h] fffff803`126235bf 4c8b4598 mov r8,qword ptr [rbp-68h] fffff803`126235c3 4c8b4da0 mov r9,qword ptr [rbp-60h] fffff803`126235c7 4889a390000000 mov qword ptr [rbx+90h],rsp fffff803`126235ce 0f8460faffff je nt!KiSystemServiceRepeat (fffff803`12623034) Branch nt!KiSystemServiceExitPico+0x19f: fffff803`126235d4 488d3d85448f00 lea rdi,[nt!KeServiceDescriptorTableShadow+0x20 (fffff803`12f17a60)] fffff803`126235db 8b7710 mov esi,dword ptr [rdi+10h] fffff803`126235de 488b3f mov rdi,qword ptr [rdi] fffff803`126235e1 3bc6 cmp eax,esi fffff803`126235e3 7310 
jae nt!KiSystemServiceExitPico+0x1c0 (fffff803`126235f5) Branch nt!KiSystemServiceExitPico+0x1b0: fffff803`126235e5 488d3cb7 lea rdi,[rdi+rsi*4] fffff803`126235e9 0fbe0407 movsx eax,byte ptr [rdi+rax] fffff803`126235ed 0bc0 or eax,eax fffff803`126235ef 0f8ecbfbffff jle nt!KiSystemServiceExit (fffff803`126231c0) Branch nt!KiSystemServiceExitPico+0x1c0: fffff803`126235f5 b81c0000c0 mov eax,0C000001Ch fffff803`126235fa e9c1fbffff jmp nt!KiSystemServiceExit (fffff803`126231c0) Branch nt!KiSystemServiceExitPico+0x1ca: fffff803`126235ff b94a000000 mov ecx,4Ah fffff803`12623604 4533c9 xor r9d,r9d fffff803`12623607 450f20c0 mov r8,tmm fffff803`1262360b 450bc0 or r8d,r8d fffff803`1262360e 7514 jne nt!KiSystemServiceExitPico+0x1ef (fffff803`12623624) Branch nt!KiSystemServiceExitPico+0x1db: fffff803`12623610 b901000000 mov ecx,1 fffff803`12623615 450fb6834a020000 movzx r8d,byte ptr [r11+24Ah] fffff803`1262361d 458b8be4010000 mov r9d,dword ptr [r11+1E4h] nt!KiSystemServiceExitPico+0x1ef: fffff803`12623624 488b95e8000000 mov rdx,qword ptr [rbp+0E8h] fffff803`1262362b 4c8bd5 mov r10,rbp fffff803`1262362e e8cd000000 call nt!KiBugCheckDispatch (fffff803`12623700) nt!KiSystemServiceExitPico+0x1fe: fffff803`12623633 4883ec50 sub rsp,50h fffff803`12623637 48894c2420 mov qword ptr [rsp+20h],rcx fffff803`1262363c 4889542428 mov qword ptr [rsp+28h],rdx fffff803`12623641 4c89442430 mov qword ptr [rsp+30h],r8 fffff803`12623646 4c894c2438 mov qword ptr [rsp+38h],r9 fffff803`1262364b 4c89542440 mov qword ptr [rsp+40h],r10 fffff803`12623650 498bca mov rcx,r10 fffff803`12623653 488bd4 mov rdx,rsp fffff803`12623656 4883c220 add rdx,20h fffff803`1262365a 49c7c004000000 mov r8,4 fffff803`12623661 4c8bcc mov r9,rsp fffff803`12623664 4983c170 add r9,70h fffff803`12623668 e853124b00 call nt!KiTrackSystemCallEntry (fffff803`12ad48c0) fffff803`1262366d 488945b0 mov qword ptr [rbp-50h],rax fffff803`12623671 488b4c2420 mov rcx,qword ptr [rsp+20h] fffff803`12623676 488b542428 mov rdx,qword ptr 
[rsp+28h] fffff803`1262367b 4c8b442430 mov r8,qword ptr [rsp+30h] fffff803`12623680 4c8b4c2438 mov r9,qword ptr [rsp+38h] fffff803`12623685 4c8b542440 mov r10,qword ptr [rsp+40h] fffff803`1262368a 4883c450 add rsp,50h fffff803`1262368e 498bc2 mov rax,r10 fffff803`12623691 e84acc6000 call nt!_guard_retpoline_indirect_rax (fffff803`12c302e0) fffff803`12623696 488b4db0 mov rcx,qword ptr [rbp-50h] fffff803`1262369a 488bd0 mov rdx,rax fffff803`1262369d e83e134b00 call nt!KiTrackSystemCallExit (fffff803`12ad49e0) fffff803`126236a2 e911fbffff jmp nt!KiSystemServiceCopyEnd+0x28 (fffff803`126231b8) Branch nt!KiSystemServiceExitPico+0x272: fffff803`126236a7 4883ec50 sub rsp,50h fffff803`126236ab 48894c2420 mov qword ptr [rsp+20h],rcx fffff803`126236b0 4889542428 mov qword ptr [rsp+28h],rdx fffff803`126236b5 4c89442430 mov qword ptr [rsp+30h],r8 fffff803`126236ba 4c894c2438 mov qword ptr [rsp+38h],r9 fffff803`126236bf 4c89542440 mov qword ptr [rsp+40h],r10 fffff803`126236c4 498bca mov rcx,r10 fffff803`126236c7 e8e4ca1900 call nt!PerfInfoLogSysCallEntry (fffff803`127c01b0) fffff803`126236cc 488b4c2420 mov rcx,qword ptr [rsp+20h] fffff803`126236d1 488b542428 mov rdx,qword ptr [rsp+28h] fffff803`126236d6 4c8b442430 mov r8,qword ptr [rsp+30h] fffff803`126236db 4c8b4c2438 mov r9,qword ptr [rsp+38h] fffff803`126236e0 4c8b542440 mov r10,qword ptr [rsp+40h] fffff803`126236e5 4883c450 add rsp,50h fffff803`126236e9 498bc2 mov rax,r10 fffff803`126236ec e8efcb6000 call nt!_guard_retpoline_indirect_rax (fffff803`12c302e0) fffff803`126236f1 488bc8 mov rcx,rax fffff803`126236f4 e857cb1900 call nt!PerfInfoLogSysCallExit (fffff803`127c0250) fffff803`126236f9 e9bafaffff jmp nt!KiSystemServiceCopyEnd+0x28 (fffff803`126231b8) Branch nt!KiKernelExit: fffff803`12c2eb80 50 push rax fffff803`12c2eb81 52 push rdx fffff803`12c2eb82 488d442438 lea rax,[rsp+38h] fffff803`12c2eb87 65488b142538000000 mov rdx,qword ptr gs:[38h] fffff803`12c2eb90 488da200420000 lea rsp,[rdx+4200h] fffff803`12c2eb97 
65488b142588010000 mov rdx,qword ptr gs:[188h] fffff803`12c2eba0 488b9220020000 mov rdx,qword ptr [rdx+220h] fffff803`12c2eba7 488b9288030000 mov rdx,qword ptr [rdx+388h] fffff803`12c2ebae ff70f8 push qword ptr [rax-8] fffff803`12c2ebb1 ff70f0 push qword ptr [rax-10h] fffff803`12c2ebb4 ff70e8 push qword ptr [rax-18h] fffff803`12c2ebb7 ff70e0 push qword ptr [rax-20h] fffff803`12c2ebba ff70d8 push qword ptr [rax-28h] fffff803`12c2ebbd 654889242510900000 mov qword ptr gs:[9010h],rsp fffff803`12c2ebc6 488be2 mov rsp,rdx fffff803`12c2ebc9 488b50c8 mov rdx,qword ptr [rax-38h] fffff803`12c2ebcd 488b40d0 mov rax,qword ptr [rax-30h] fffff803`12c2ebd1 65f704251890000002000000 test dword ptr gs:[9018h],2 fffff803`12c2ebdd 7527 jne nt!KiKernelExit+0x86 (fffff803`12c2ec06) Branch nt!KiKernelExit+0x5f: fffff803`12c2ebdf 0fbae400 bt esp,0 fffff803`12c2ebe3 731e jae nt!KiKernelExit+0x83 (fffff803`12c2ec03) Branch nt!KiKernelExit+0x65: fffff803`12c2ebe5 65f704251890000001000000 test dword ptr gs:[9018h],1 fffff803`12c2ebf1 7507 jne nt!KiKernelExit+0x7a (fffff803`12c2ebfa) Branch nt!KiKernelExit+0x73: fffff803`12c2ebf3 480fbaec3f bts rsp,3Fh fffff803`12c2ebf8 eb09 jmp nt!KiKernelExit+0x83 (fffff803`12c2ec03) Branch nt!KiKernelExit+0x7a: fffff803`12c2ebfa 6583242518900000fe and dword ptr gs:[9018h],0FFFFFFFEh nt!KiKernelExit+0x83: fffff803`12c2ec03 0f22dc mov tmm,rsp nt!KiKernelExit+0x86: fffff803`12c2ec06 65488b242510900000 mov rsp,qword ptr gs:[9010h] fffff803`12c2ec0f 65f704251890000002000000 test dword ptr gs:[9018h],2 fffff803`12c2ec1b 7505 jne nt!KiKernelExit+0xa2 (fffff803`12c2ec22) Branch nt!KiKernelExit+0x9d: fffff803`12c2ec1d 0f006c2420 verw word ptr [rsp+20h] nt!KiKernelExit+0xa2: fffff803`12c2ec22 0f01f8 swapgs fffff803`12c2ec25 48cf iretq nt!KiKernelSysretExit: fffff803`12c2edc0 658b242518900000 mov esp,dword ptr gs:[9018h] fffff803`12c2edc8 0fbae401 bt esp,1 fffff803`12c2edcc 7236 jb nt!KiKernelSysretExit+0x44 (fffff803`12c2ee04) Branch nt!KiKernelSysretExit+0xe: 
fffff803`12c2edce 65488b2c2588010000 mov rbp,qword ptr gs:[188h] fffff803`12c2edd7 488bad20020000 mov rbp,qword ptr [rbp+220h] fffff803`12c2edde 488bad88030000 mov rbp,qword ptr [rbp+388h] fffff803`12c2ede5 0fbae500 bt ebp,0 fffff803`12c2ede9 7316 jae nt!KiKernelSysretExit+0x41 (fffff803`12c2ee01) Branch nt!KiKernelSysretExit+0x2b: fffff803`12c2edeb 0fbae400 bt esp,0 fffff803`12c2edef 7207 jb nt!KiKernelSysretExit+0x38 (fffff803`12c2edf8) Branch nt!KiKernelSysretExit+0x31: fffff803`12c2edf1 480fbaed3f bts rbp,3Fh fffff803`12c2edf6 eb09 jmp nt!KiKernelSysretExit+0x41 (fffff803`12c2ee01) Branch nt!KiKernelSysretExit+0x38: fffff803`12c2edf8 6583242518900000fe and dword ptr gs:[9018h],0FFFFFFFEh nt!KiKernelSysretExit+0x41: fffff803`12c2ee01 0f22dd mov tmm,rbp nt!KiKernelSysretExit+0x44: fffff803`12c2ee04 498be9 mov rbp,r9 fffff803`12c2ee07 0fbae401 bt esp,1 fffff803`12c2ee0b 7209 jb nt!KiKernelSysretExit+0x56 (fffff803`12c2ee16) Branch nt!KiKernelSysretExit+0x4d: fffff803`12c2ee0d 650f002c252a900000 verw word ptr gs:[902Ah] nt!KiKernelSysretExit+0x56: fffff803`12c2ee16 498be0 mov rsp,r8 fffff803`12c2ee19 0f01f8 swapgs fffff803`12c2ee1c 480f07 sysretq
; --- Reviewer annotation --------------------------------------------------------
; Tail of the KiSystemCall64 entry path (the CODE XREFs below point back into
; KiSystemCall64).  Two guards skip the whole sequence: bit 1 of edx clear
; (test edx, 2 / jz loc_140405CF4) or bit 2 of the per-processor byte gs:279h set
; (test byte ptr gs:279h, 4 / jnz loc_140405CF4).  Otherwise a chain of nested
; calls runs: the call at 140405BD4 enters loc_140405CE7, which calls
; loc_140405CDE, and so on down to loc_140405BD9, which calls loc_140405CF0.
; Every callee begins with add rsp, 8, discarding the return address that was
; just pushed, so the stack ends balanced and no ret is ever executed; control
; falls out of loc_140405CF0 into the lfence at loc_140405CF4 and then clears the
; byte at gs:853h.  32 return addresses are pushed in total (one direct call plus
; the 31 labelled blocks), which matches the return-stack-buffer (RSB) fill
; sequence used as a Spectre v2 mitigation -- presumably what the article linked
; below this listing refers to.  The exact meaning of the gs:279h and gs:853h
; flags is not visible here; elsewhere on this page __guard_retpoline_indirect_rax
; sets bit 0 of the same gs:853h byte.
; --------------------------------------------------------------------------------
.text:0000000140405BB9 loc_140405BB9: ; CODE XREF: KiSystemCall64+E4↑j .text:0000000140405BB9 F7 C2 02 00 00 00 test edx, 2 .text:0000000140405BBF 0F 84 2F 01 00 00 jz loc_140405CF4 .text:0000000140405BC5 65 F6 04 25 79 02 00 00 04 test byte ptr gs:279h, 4 .text:0000000140405BCE 0F 85 20 01 00 00 jnz loc_140405CF4 .text:0000000140405BD4 E8 0E 01 00 00 call loc_140405CE7 .text:0000000140405BD9 .text:0000000140405BD9 loc_140405BD9: ; CODE XREF: KiSystemCall64+126↓p .text:0000000140405BD9 48 83 C4 08 add rsp, 8 .text:0000000140405BDD E8 0E 01 00 00 call loc_140405CF0 .text:0000000140405BE2 .text:0000000140405BE2 loc_140405BE2: ; CODE XREF: KiSystemCall64+12F↓p .text:0000000140405BE2 48 83 C4 08 add rsp, 8 .text:0000000140405BE6 E8 EE FF FF FF call loc_140405BD9 .text:0000000140405BEB .text:0000000140405BEB loc_140405BEB: ; CODE XREF: KiSystemCall64+138↓p .text:0000000140405BEB 48 83 C4 08 add rsp, 8 .text:0000000140405BEF E8 EE FF FF FF call loc_140405BE2 .text:0000000140405BF4 .text:0000000140405BF4 loc_140405BF4: ; CODE XREF: KiSystemCall64+141↓p .text:0000000140405BF4 48 83 C4 08 add rsp, 8 .text:0000000140405BF8 E8 EE FF FF FF call loc_140405BEB .text:0000000140405BFD .text:0000000140405BFD loc_140405BFD: ; CODE XREF: KiSystemCall64+14A↓p .text:0000000140405BFD 48 83 C4 08 add rsp, 8 .text:0000000140405C01 E8 EE FF FF FF call loc_140405BF4 .text:0000000140405C06 .text:0000000140405C06 loc_140405C06: ; CODE XREF: KiSystemCall64+153↓p .text:0000000140405C06 48 83 C4 08 add rsp, 8 .text:0000000140405C0A E8 EE FF FF FF call loc_140405BFD .text:0000000140405C0F .text:0000000140405C0F loc_140405C0F: ; CODE XREF: KiSystemCall64+15C↓p .text:0000000140405C0F 48 83 C4 08 add rsp, 8 .text:0000000140405C13 E8 EE FF FF FF call loc_140405C06 .text:0000000140405C18 .text:0000000140405C18 loc_140405C18: ; CODE XREF: KiSystemCall64+165↓p .text:0000000140405C18 48 83 C4 08 add rsp, 8 .text:0000000140405C1C E8 EE FF FF FF call loc_140405C0F .text:0000000140405C21 
.text:0000000140405C21 loc_140405C21: ; CODE XREF: KiSystemCall64+16E↓p .text:0000000140405C21 48 83 C4 08 add rsp, 8 .text:0000000140405C25 E8 EE FF FF FF call loc_140405C18 .text:0000000140405C2A .text:0000000140405C2A loc_140405C2A: ; CODE XREF: KiSystemCall64+177↓p .text:0000000140405C2A 48 83 C4 08 add rsp, 8 .text:0000000140405C2E E8 EE FF FF FF call loc_140405C21 .text:0000000140405C33 .text:0000000140405C33 loc_140405C33: ; CODE XREF: KiSystemCall64+180↓p .text:0000000140405C33 48 83 C4 08 add rsp, 8 .text:0000000140405C37 E8 EE FF FF FF call loc_140405C2A .text:0000000140405C3C .text:0000000140405C3C loc_140405C3C: ; CODE XREF: KiSystemCall64+189↓p .text:0000000140405C3C 48 83 C4 08 add rsp, 8 .text:0000000140405C40 E8 EE FF FF FF call loc_140405C33 .text:0000000140405C45 .text:0000000140405C45 loc_140405C45: ; CODE XREF: KiSystemCall64+192↓p .text:0000000140405C45 48 83 C4 08 add rsp, 8 .text:0000000140405C49 E8 EE FF FF FF call loc_140405C3C .text:0000000140405C4E .text:0000000140405C4E loc_140405C4E: ; CODE XREF: KiSystemCall64+19B↓p .text:0000000140405C4E 48 83 C4 08 add rsp, 8 .text:0000000140405C52 E8 EE FF FF FF call loc_140405C45 .text:0000000140405C57 .text:0000000140405C57 loc_140405C57: ; CODE XREF: KiSystemCall64+1A4↓p .text:0000000140405C57 48 83 C4 08 add rsp, 8 .text:0000000140405C5B E8 EE FF FF FF call loc_140405C4E .text:0000000140405C60 .text:0000000140405C60 loc_140405C60: ; CODE XREF: KiSystemCall64+1AD↓p .text:0000000140405C60 48 83 C4 08 add rsp, 8 .text:0000000140405C64 E8 EE FF FF FF call loc_140405C57 .text:0000000140405C69 .text:0000000140405C69 loc_140405C69: ; CODE XREF: KiSystemCall64+1B6↓p .text:0000000140405C69 48 83 C4 08 add rsp, 8 .text:0000000140405C6D E8 EE FF FF FF call loc_140405C60 .text:0000000140405C72 .text:0000000140405C72 loc_140405C72: ; CODE XREF: KiSystemCall64+1BF↓p .text:0000000140405C72 48 83 C4 08 add rsp, 8 .text:0000000140405C76 E8 EE FF FF FF call loc_140405C69 .text:0000000140405C7B 
.text:0000000140405C7B loc_140405C7B: ; CODE XREF: KiSystemCall64+1C8↓p .text:0000000140405C7B 48 83 C4 08 add rsp, 8 .text:0000000140405C7F E8 EE FF FF FF call loc_140405C72 .text:0000000140405C84 .text:0000000140405C84 loc_140405C84: ; CODE XREF: KiSystemCall64+1D1↓p .text:0000000140405C84 48 83 C4 08 add rsp, 8 .text:0000000140405C88 E8 EE FF FF FF call loc_140405C7B .text:0000000140405C8D .text:0000000140405C8D loc_140405C8D: ; CODE XREF: KiSystemCall64+1DA↓p .text:0000000140405C8D 48 83 C4 08 add rsp, 8 .text:0000000140405C91 E8 EE FF FF FF call loc_140405C84 .text:0000000140405C96 .text:0000000140405C96 loc_140405C96: ; CODE XREF: KiSystemCall64+1E3↓p .text:0000000140405C96 48 83 C4 08 add rsp, 8 .text:0000000140405C9A E8 EE FF FF FF call loc_140405C8D .text:0000000140405C9F .text:0000000140405C9F loc_140405C9F: ; CODE XREF: KiSystemCall64+1EC↓p .text:0000000140405C9F 48 83 C4 08 add rsp, 8 .text:0000000140405CA3 E8 EE FF FF FF call loc_140405C96 .text:0000000140405CA8 .text:0000000140405CA8 loc_140405CA8: ; CODE XREF: KiSystemCall64+1F5↓p .text:0000000140405CA8 48 83 C4 08 add rsp, 8 .text:0000000140405CAC E8 EE FF FF FF call loc_140405C9F .text:0000000140405CB1 .text:0000000140405CB1 loc_140405CB1: ; CODE XREF: KiSystemCall64+1FE↓p .text:0000000140405CB1 48 83 C4 08 add rsp, 8 .text:0000000140405CB5 E8 EE FF FF FF call loc_140405CA8 .text:0000000140405CBA .text:0000000140405CBA loc_140405CBA: ; CODE XREF: KiSystemCall64+207↓p .text:0000000140405CBA 48 83 C4 08 add rsp, 8 .text:0000000140405CBE E8 EE FF FF FF call loc_140405CB1 .text:0000000140405CC3 .text:0000000140405CC3 loc_140405CC3: ; CODE XREF: KiSystemCall64+210↓p .text:0000000140405CC3 48 83 C4 08 add rsp, 8 .text:0000000140405CC7 E8 EE FF FF FF call loc_140405CBA .text:0000000140405CCC .text:0000000140405CCC loc_140405CCC: ; CODE XREF: KiSystemCall64+219↓p .text:0000000140405CCC 48 83 C4 08 add rsp, 8 .text:0000000140405CD0 E8 EE FF FF FF call loc_140405CC3 .text:0000000140405CD5 
.text:0000000140405CD5 loc_140405CD5: ; CODE XREF: KiSystemCall64+222↓p .text:0000000140405CD5 48 83 C4 08 add rsp, 8 .text:0000000140405CD9 E8 EE FF FF FF call loc_140405CCC .text:0000000140405CDE .text:0000000140405CDE loc_140405CDE: ; CODE XREF: KiSystemCall64+22B↓p .text:0000000140405CDE 48 83 C4 08 add rsp, 8 .text:0000000140405CE2 E8 EE FF FF FF call loc_140405CD5 .text:0000000140405CE7 .text:0000000140405CE7 loc_140405CE7: ; CODE XREF: KiSystemCall64+114↑p .text:0000000140405CE7 48 83 C4 08 add rsp, 8 .text:0000000140405CEB E8 EE FF FF FF call loc_140405CDE .text:0000000140405CF0 .text:0000000140405CF0 loc_140405CF0: ; CODE XREF: KiSystemCall64+11D↑p .text:0000000140405CF0 48 83 C4 08 add rsp, 8 .text:0000000140405CF4 .text:0000000140405CF4 loc_140405CF4: ; CODE XREF: KiSystemCall64+FF↑j .text:0000000140405CF4 ; KiSystemCall64+10E↑j .text:0000000140405CF4 0F AE E8 lfence .text:0000000140405CF7 .text:0000000140405CF7 loc_140405CF7: ; CODE XREF: KiSystemCall64+F4↑j .text:0000000140405CF7 65 C6 04 25 53 08 00 00 00 mov byte ptr gs:853h, 0 .text:0000000140405D00
这段看起来毫无意义的代码其实是针对 Spectre 漏洞的缓解补丁：一连串嵌套的 call 各自用 add rsp, 8 丢掉返回地址，不执行任何 ret 就落到 lfence，用来覆盖 CPU 的返回栈缓冲区（RSB）。参考：幽灵再现:谁也无法阻挡Spectre漏洞了 - 安全牛 (aqniu.com)
.text:0000000140405F90 KiSystemServiceCopyEnd: ; CODE XREF: KiSystemCall64+413↑j .text:0000000140405F90 ; DATA XREF: KiSystemServiceHandler+27↑o ... .text:0000000140405F90 F7 05 66 66 8F 00 01 00 00 00 test cs:KiDynamicTraceMask, 1 .text:0000000140405F9A 0F 85 93 04 00 00 jnz loc_140406433 .text:0000000140405FA0 F7 05 DE 64 8F 00 40 00 00 00 test dword ptr cs:PerfGlobalGroupMask+8, 40h .text:0000000140405FAA 0F 85 F7 04 00 00 jnz loc_1404064A7 .text:0000000140405FB0 49 8B C2 mov rax, r10 .text:0000000140405FB3 FF D0 call rax .text:0000000140405FB5 0F 1F 00 nop dword ptr [rax] .text:0000000140405FB8 .text:0000000140405FB8 loc_140405FB8: ; CODE XREF: KiSystemCall64+9E2↓j .text:0000000140405FB8 ; KiSystemCall64+A39↓j .text:0000000140405FB8 65 FF 04 25 B8 2E 00 00 inc dword ptr gs:2EB8hnt!KiSystemServiceCopyEnd: fffff803`12623190 f70566448f0001000000 test dword ptr [nt!KiDynamicTraceMask (fffff803`12f17600)],1 fffff803`1262319a 0f8593040000 jne nt!KiSystemServiceExitPico+0x1fe (fffff803`12623633) Branch nt!KiSystemServiceCopyEnd+0x10: fffff803`126231a0 f705de428f0040000000 test dword ptr [nt!PerfGlobalGroupMask+0x8 (fffff803`12f17488)],40h fffff803`126231aa 0f85f7040000 jne nt!KiSystemServiceExitPico+0x272 (fffff803`126236a7) Branch nt!KiSystemServiceCopyEnd+0x20: fffff803`126231b0 498bc2 mov rax,r10 fffff803`126231b3 e828d16000 call nt!_guard_retpoline_indirect_rax (fffff803`12c302e0) nt!KiSystemServiceCopyEnd+0x28: fffff803`126231b8 65ff0425b82e0000 inc dword ptr gs:[2EB8h]
对比可以发现，IDA 静态反汇编中的 `call rax` 在实际运行的内核里变成了 `call nt!_guard_retpoline_indirect_rax`，也就是说磁盘文件中的代码跟实际运行的代码不一样。
; --- Reviewer annotation --------------------------------------------------------
; __guard_retpoline_indirect_cfg_rax: CFG-checked, retpoline-style indirect call
; thunk.  rax holds the call target; r10 and r11 are scratch.
;  1. CFG check.  r11 = *_guard_icall_bitmap.  A target with the sign bit clear
;     (test rax, rax / jge), i.e. not a kernel-half address, goes straight to
;     loc_140A14358, which sets rcx = rax, rax = _guard_icall_bugcheck and
;     transfers to it through the mov [rsp], rax / retn gadget at loc_140A14380.
;     If the bitmap pointer is NULL the check is skipped.  Otherwise
;     r11 = bitmap[rax >> 9] and bit (rax >> 3) of that qword is tested; for a
;     target whose low 4 bits are non-zero (test al, 0Fh) loc_140A14341 requires
;     both bits of the pair (index with bit 0 cleared, then set) to be present.
;     A clear bit ends in the bugcheck path.
;  2. __guard_retpoline_indirect_rax: r11 = *_retpoline_image_bitmap.  If NULL,
;     loc_140A1433B does lfence; jmp rax.  If bit (rax >> 10h) is set, the
;     transfer is done with call loc_140A14320 (mov [rsp], rax; retn), i.e. a ret
;     into the target; the int 3 after that call is never reached
;     architecturally and presumably serves as the retpoline speculation trap.
;     If the bit is clear, loc_140A14325 sets bit 0 of gs:853h, then uses the
;     lfence; jmp rax path when bit 1 of gs:853h is set, else jumps to
;     __guard_retpoline_exit_indirect_rax (whose body is past this listing).
;  The per-processor byte gs:853h is also zeroed at the end of the KiSystemCall64
;  sequence shown earlier on this page; its exact meaning is not visible here.
; --------------------------------------------------------------------------------
RETPOL:0000000140A142A0 __guard_retpoline_indirect_cfg_rax proc near RETPOL:0000000140A142A0 ; DATA XREF: .pdata:000000014012C828↑o RETPOL:0000000140A142A0 ; __unwind { // __guard_retpoline_icall_handler RETPOL:0000000140A142A0 49 BB 68 18 E0 40 01 00 00 00 mov r11, offset _guard_icall_bitmap RETPOL:0000000140A142AA 4D 8B 1B mov r11, [r11] RETPOL:0000000140A142AD 48 85 C0 test rax, rax RETPOL:0000000140A142B0 0F 8D A2 00 00 00 jge loc_140A14358 RETPOL:0000000140A142B6 4D 85 DB test r11, r11 RETPOL:0000000140A142B9 74 25 jz short __guard_retpoline_indirect_rax RETPOL:0000000140A142BB 4C 8B D0 mov r10, rax RETPOL:0000000140A142BE 49 C1 EA 09 shr r10, 9 RETPOL:0000000140A142C2 4F 8B 1C D3 mov r11, [r11+r10*8] RETPOL:0000000140A142C6 4C 8B D0 mov r10, rax RETPOL:0000000140A142C9 49 C1 EA 03 shr r10, 3 RETPOL:0000000140A142CD A8 0F test al, 0Fh RETPOL:0000000140A142CF 0F 85 6C 00 00 00 jnz loc_140A14341 RETPOL:0000000140A142D5 4D 0F A3 D3 bt r11, r10 RETPOL:0000000140A142D9 0F 83 79 00 00 00 jnb loc_140A14358 RETPOL:0000000140A142DF 90 nop RETPOL:0000000140A142E0 RETPOL:0000000140A142E0 __guard_retpoline_indirect_rax: ; CODE XREF: __guard_retpoline_indirect_cfg_rax+19↑j RETPOL:0000000140A142E0 ; __guard_retpoline_indirect_cfg_rax+B6↓j RETPOL:0000000140A142E0 49 BB 00 CC CF 40 01 00 00 00 mov r11, offset _retpoline_image_bitmap RETPOL:0000000140A142EA 4D 8B 1B mov r11, [r11] RETPOL:0000000140A142ED 4D 85 DB test r11, r11 RETPOL:0000000140A142F0 74 49 jz short loc_140A1433B RETPOL:0000000140A142F2 4C 8B D0 mov r10, rax RETPOL:0000000140A142F5 49 C1 EA 10 shr r10, 10h RETPOL:0000000140A142F9 4D 0F A3 13 bt [r11], r10 RETPOL:0000000140A142FD 73 26 jnb short loc_140A14325 RETPOL:0000000140A142FF E8 1C 00 00 00 call loc_140A14320 RETPOL:0000000140A14304 CC int 3 ; Trap to Debugger RETPOL:0000000140A14304 ; --------------------------------------------------------------------------- RETPOL:0000000140A14305 66 66 66 66 66 66 66 0F 1F 84 00 00 00 00 00 66+ align 20h 
RETPOL:0000000140A14320 RETPOL:0000000140A14320 loc_140A14320: ; CODE XREF: __guard_retpoline_indirect_cfg_rax+5F↑p RETPOL:0000000140A14320 48 89 04 24 mov [rsp+0], rax RETPOL:0000000140A14324 C3 retn RETPOL:0000000140A14325 ; --------------------------------------------------------------------------- RETPOL:0000000140A14325 RETPOL:0000000140A14325 loc_140A14325: ; CODE XREF: __guard_retpoline_indirect_cfg_rax+5D↑j RETPOL:0000000140A14325 65 80 0C 25 53 08 00 00 01 or byte ptr gs:853h, 1 RETPOL:0000000140A1432E 65 F6 04 25 53 08 00 00 02 test byte ptr gs:853h, 2 RETPOL:0000000140A14337 75 02 jnz short loc_140A1433B RETPOL:0000000140A14339 EB 65 jmp short __guard_retpoline_exit_indirect_rax RETPOL:0000000140A1433B ; --------------------------------------------------------------------------- RETPOL:0000000140A1433B RETPOL:0000000140A1433B loc_140A1433B: ; CODE XREF: __guard_retpoline_indirect_cfg_rax+50↑j RETPOL:0000000140A1433B ; __guard_retpoline_indirect_cfg_rax+97↑j RETPOL:0000000140A1433B 0F AE E8 lfence RETPOL:0000000140A1433E 48 FF E0 jmp rax RETPOL:0000000140A14341 ; --------------------------------------------------------------------------- RETPOL:0000000140A14341 RETPOL:0000000140A14341 loc_140A14341: ; CODE XREF: __guard_retpoline_indirect_cfg_rax+2F↑j RETPOL:0000000140A14341 49 0F BA F2 00 btr r10, 0 RETPOL:0000000140A14346 4D 0F A3 D3 bt r11, r10 RETPOL:0000000140A1434A 73 0C jnb short loc_140A14358 RETPOL:0000000140A1434C 49 83 CA 01 or r10, 1 RETPOL:0000000140A14350 4D 0F A3 D3 bt r11, r10 RETPOL:0000000140A14354 73 02 jnb short loc_140A14358 RETPOL:0000000140A14356 EB 88 jmp short __guard_retpoline_indirect_rax RETPOL:0000000140A14358 ; --------------------------------------------------------------------------- RETPOL:0000000140A14358 RETPOL:0000000140A14358 loc_140A14358: ; CODE XREF: __guard_retpoline_indirect_cfg_rax+10↑j RETPOL:0000000140A14358 ; __guard_retpoline_indirect_cfg_rax+39↑j ... 
RETPOL:0000000140A14358 48 8B C8 mov rcx, rax RETPOL:0000000140A1435B 48 B8 90 D0 3F 40 01 00 00 00 mov rax, offset _guard_icall_bugcheck RETPOL:0000000140A14365 E8 16 00 00 00 call loc_140A14380 RETPOL:0000000140A1436A CC int 3 ; Trap to Debugger RETPOL:0000000140A1436A ; --------------------------------------------------------------------------- RETPOL:0000000140A1436B 66 66 66 66 66 66 66 0F 1F 84 00 00 00 00 00 66+ align 20h RETPOL:0000000140A14380 RETPOL:0000000140A14380 loc_140A14380: ; CODE XREF: __guard_retpoline_indirect_cfg_rax+C5↑p RETPOL:0000000140A14380 48 89 04 24 mov [rsp+0], rax RETPOL:0000000140A14384 C3 retn RETPOL:0000000140A14384 ; } // starts at 140A142A0 RETPOL:0000000140A14384 __guard_retpoline_indirect_cfg_rax endp RETPOL:0000000140A14384 RETPOL:0000000140A14384 ; --------------------------------------------------------------------------- RETPOL:0000000140A14385 algn_140A14385: ; DATA XREF: .pdata:000000014012C828↑o RETPOL:0000000140A14385 CC CC CC CC CC CC 66 66 66 66 66 66 66 0F 1F 84+ align 20h RETPOL:0000000140A143A0 RETPOL:0000000140A143A0 ; =============== S U B R O U T I N E ======================================= RETPOL:0000000140A143A0 RETPOL:0000000140A143A0 RETPOL:0000000140A143A0 __guard_retpoline_exit_indirect_rax proc near
__guard_retpoline_indirect_cfg_rax 这个函数还是 CFG 控制流保护：先用 _guard_icall_bitmap 检测 rax 中的调用目标是否合法，再通过 retpoline 完成间接跳转；retpoline 也跟幽灵（Spectre）漏洞有关。
所以改回去就可以了