[WIN10 20H2] 可能存在调用PatchGuard Context的位置

win10 20H2 - win7 7601

狐白 最后一次编辑 3 年多前
; ---- Build range 7601..9600: KiDispatchCallout (first candidate call site) ----
; IDA listing of the Windows kernel image, reproduced verbatim; the ';' lines without
; an address prefix are reviewer annotations. What the visible code does: prologue,
; IRQL raised via cr8 to 2, a 16-byte table built on the stack, 0x19 qwords at r10
; transformed in place (KiWaitNever/KiWaitAlways mixing + nibble substitution), then
; an indirect `call r10` into that region. The post identifies r10 as the
; not-yet-decrypted CmpAppendDllSection and notes the call is not taken on every run.
.text:00000001400F913C KiDispatchCallout proc near ; DATA XREF: .pdata:000000014031F104↓o
.text:00000001400F913C ; sub_1406E6F78+34CC↓o
.text:00000001400F913C
.text:00000001400F913C var_10 = dword ptr -10h
.text:00000001400F913C var_C = dword ptr -0Ch
.text:00000001400F913C var_8 = dword ptr -8
.text:00000001400F913C var_4 = dword ptr -4
.text:00000001400F913C arg_0 = qword ptr 20h
.text:00000001400F913C arg_8 = qword ptr 28h
.text:00000001400F913C arg_10 = qword ptr 30h
.text:00000001400F913C
; prologue: rbx/rsi spilled to home slots, rbp/rdi/r14 pushed, 30h bytes of locals
.text:00000001400F913C 48 89 5C 24 10 mov [rsp-18h+arg_8], rbx
.text:00000001400F9141 48 89 74 24 18 mov [rsp-18h+arg_10], rsi
.text:00000001400F9146 55 push rbp
.text:00000001400F9147 57 push rdi
.text:00000001400F9148 41 56 push r14
.text:00000001400F914A 48 8B EC mov rbp, rsp
.text:00000001400F914D 48 83 EC 30 sub rsp, 30h
; rcx = first argument; [rcx+48h] / [rcx+38h] receive values XOR-mixed from [r9] and the
; stack address rbp+18h (the same slot is zeroed below via `mov [r8], rbx`)
.text:00000001400F9151 49 8B 11 mov rdx, [r9]
.text:00000001400F9154 4C 8D 45 18 lea r8, [rbp+18h]
.text:00000001400F9158 49 8B 00 mov rax, [r8]
.text:00000001400F915B 48 33 C2 xor rax, rdx
.text:00000001400F915E 48 33 C1 xor rax, rcx
.text:00000001400F9161 48 89 41 48 mov [rcx+48h], rax
.text:00000001400F9165 49 8B C0 mov rax, r8
.text:00000001400F9168 48 33 C2 xor rax, rdx
.text:00000001400F916B 48 89 41 38 mov [rcx+38h], rax
; save current IRQL (cr8) in r14 and raise to 2 (DISPATCH_LEVEL); restored before retn
.text:00000001400F916F 45 0F 20 C6 mov r14, cr8
.text:00000001400F9173 41 B9 02 00 00 00 mov r9d, 2
.text:00000001400F9179 45 0F 22 C1 mov cr8, r9
.text:00000001400F917D 33 DB xor ebx, ebx
; r10 = ([rdx+40h] ^ [rdx+20h]) | 0FFFF800000000000h -> kernel-range pointer to the region
; worked on below. Interleaved: 16 table bytes stored at var_10..var_4 (4 dwords)
.text:00000001400F917F 48 B8 00 00 00 00 00 80 FF FF mov rax, 0FFFF800000000000h
.text:00000001400F9189 C7 45 F0 0B 08 0E 03 mov [rbp+var_10], 30E080Bh
.text:00000001400F9190 49 89 18 mov [r8], rbx
.text:00000001400F9193 4C 8B 52 40 mov r10, [rdx+40h]
.text:00000001400F9197 C7 45 F4 0D 02 07 0C mov [rbp+var_C], 0C07020Dh
.text:00000001400F919E 4C 33 52 20 xor r10, [rdx+20h]
.text:00000001400F91A2 C7 45 F8 06 01 05 0F mov [rbp+var_8], 0F050106h
.text:00000001400F91A9 C7 45 FC 0A 04 00 09 mov [rbp+var_4], 900040Ah
.text:00000001400F91B0 4C 0B D0 or r10, rax
; rsi = ror(r10, r10 & 3Fh) seeds the running value; r11 walks the region from r10
.text:00000001400F91B3 48 8D 55 F0 lea rdx, [rbp+var_10]
.text:00000001400F91B7 45 8D 41 0E lea r8d, [r9+0Eh]
.text:00000001400F91BB 41 8B C2 mov eax, r10d
.text:00000001400F91BE 49 8B F2 mov rsi, r10
.text:00000001400F91C1 4D 8B DA mov r11, r10
.text:00000001400F91C4 83 E0 3F and eax, 3Fh
.text:00000001400F91C7 8A C8 mov cl, al
.text:00000001400F91C9 48 D3 CE ror rsi, cl
.text:00000001400F91CC 48 8D 4D F0 lea rcx, [rbp+var_10]
.text:00000001400F91D0
; loop 1: XOR each of the 16 table bytes with 0Bh in place (r8 = 2 + 0Eh = 10h iterations)
.text:00000001400F91D0 loc_1400F91D0: ; CODE XREF: KiDispatchCallout+A4↓j
.text:00000001400F91D0 8A 01 mov al, [rcx]
.text:00000001400F91D2 48 FF C1 inc rcx
.text:00000001400F91D5 83 F0 0B xor eax, 0Bh
.text:00000001400F91D8 88 02 mov [rdx], al
.text:00000001400F91DA 48 FF C2 inc rdx
.text:00000001400F91DD 49 FF C8 dec r8
.text:00000001400F91E0 75 EE jnz short loc_1400F91D0
.text:00000001400F91E2 48 8B FB mov rdi, rbx
.text:00000001400F91E5
; loop 2 (outer): ebx = 0..18h, one qword of the region per iteration ([r11], r11 += 8).
; qword is XORed with KiWaitNever, rotated, XORed with rsi, byte-swapped, XORed with
; KiWaitAlways and offset by rdi; rsi is then updated for the next qword
.text:00000001400F91E5 loc_1400F91E5: ; CODE XREF: KiDispatchCallout+12F↓j
.text:00000001400F91E5 4D 8B 0B mov r9, [r11]
.text:00000001400F91E8 48 8B 05 49 A3 26 00 mov rax, cs:KiWaitNever
.text:00000001400F91EF 45 8B C1 mov r8d, r9d
.text:00000001400F91F2 49 8B D1 mov rdx, r9
.text:00000001400F91F5 8B C8 mov ecx, eax
.text:00000001400F91F7 48 33 D0 xor rdx, rax
.text:00000001400F91FA 41 83 E0 3F and r8d, 3Fh
.text:00000001400F91FE 41 F7 D1 not r9d
.text:00000001400F9201 48 D3 C2 rol rdx, cl
.text:00000001400F9204 41 83 E1 3F and r9d, 3Fh
.text:00000001400F9208 48 33 D6 xor rdx, rsi
.text:00000001400F920B 41 8A C9 mov cl, r9b
.text:00000001400F920E 48 0F CA bswap rdx
.text:00000001400F9211 48 33 15 20 A8 26 00 xor rdx, cs:KiWaitAlways
.text:00000001400F9218 48 03 D7 add rdx, rdi
.text:00000001400F921B 49 89 13 mov [r11], rdx
.text:00000001400F921E BA C8 00 00 00 mov edx, 0C8h
.text:00000001400F9223 2B D3 sub edx, ebx
.text:00000001400F9225 0F AF D3 imul edx, ebx
.text:00000001400F9228 48 D3 CA ror rdx, cl
.text:00000001400F922B 41 8A C8 mov cl, r8b
.text:00000001400F922E 41 B8 10 00 00 00 mov r8d, 10h
.text:00000001400F9234 48 33 F2 xor rsi, rdx
.text:00000001400F9237 48 D3 C6 rol rsi, cl
.text:00000001400F923A 49 03 F2 add rsi, r10
.text:00000001400F923D
; loop 3 (inner, r8 = 10h): replace the low nibble of the qword through the stack table,
; then rotate right by 4 - 16 times, so every nibble is substituted once
.text:00000001400F923D loc_1400F923D: ; CODE XREF: KiDispatchCallout+121↓j
.text:00000001400F923D 41 0F B6 03 movzx eax, byte ptr [r11]
.text:00000001400F9241 49 8B 13 mov rdx, [r11]
.text:00000001400F9244 48 83 E2 F0 and rdx, 0FFFFFFFFFFFFFFF0h
.text:00000001400F9248 83 E0 0F and eax, 0Fh
.text:00000001400F924B 0F B6 4C 05 F0 movzx ecx, byte ptr [rbp+rax+var_10]
.text:00000001400F9250 48 0B D1 or rdx, rcx
.text:00000001400F9253 48 C1 CA 04 ror rdx, 4
.text:00000001400F9257 49 89 13 mov [r11], rdx
.text:00000001400F925A 49 FF C8 dec r8
.text:00000001400F925D 75 DE jnz short loc_1400F923D
.text:00000001400F925F FF C3 inc ebx
.text:00000001400F9261 49 83 C3 08 add r11, 8
.text:00000001400F9265 49 03 FA add rdi, r10
.text:00000001400F9268 83 FB 19 cmp ebx, 19h
.text:00000001400F926B 0F 82 74 FF FF FF jb loc_1400F91E5
; after the loops: arg_0 = [r10] ^ 6244935FAD1B6FF5h ^ 6A15A217BC2A27DBh, then the first
; dword of the region is overwritten with 0AD1B6FF5h ^ 0BC2A27DBh = 1131482Eh, i.e. the
; same bytes 2E 48 31 11 that the ExpCenturyDpcRoutine chunk below stores explicitly
.text:00000001400F9271 49 8B 02 mov rax, [r10]
.text:00000001400F9274 48 B9 F5 6F 1B AD 5F 93 44 62 mov rcx, 6244935FAD1B6FF5h
.text:00000001400F927E 45 33 C9 xor r9d, r9d
.text:00000001400F9281 48 33 C1 xor rax, rcx
.text:00000001400F9284 49 8B CA mov rcx, r10
.text:00000001400F9287 48 89 45 20 mov [rbp+arg_0], rax
.text:00000001400F928B 48 B8 DB 27 2A BC 17 A2 15 6A mov rax, 6A15A217BC2A27DBh
.text:00000001400F9295 48 31 45 20 xor [rbp+arg_0], rax
.text:00000001400F9299 41 C7 02 F5 6F 1B AD mov dword ptr [r10], 0AD1B6FF5h
.text:00000001400F92A0 41 81 32 DB 27 2A BC xor dword ptr [r10], 0BC2A27DBh
.text:00000001400F92A7 48 8B 55 20 mov rdx, [rbp+arg_0]
; call site #1: direct indirect call into the region (no CFG on this build range);
; rcx = r10 (region base), rdx = transformed first qword, r9 = 0
.text:00000001400F92AB 41 FF D2 call r10
; restore IRQL from r14, reload rbx/rsi from their home slots, epilogue
.text:00000001400F92AE 41 0F B6 C6 movzx eax, r14b
.text:00000001400F92B2 44 0F 22 C0 mov cr8, rax
.text:00000001400F92B6 48 8B 5C 24 58 mov rbx, [rsp+30h+arg_8]
.text:00000001400F92BB 48 8B 74 24 60 mov rsi, [rsp+30h+arg_10]
.text:00000001400F92C0 48 83 C4 30 add rsp, 30h
.text:00000001400F92C4 41 5E pop r14
.text:00000001400F92C6 5F pop rdi
.text:00000001400F92C7 5D pop rbp
.text:00000001400F92C8 C3 retn
.text:00000001400F92C8 KiDispatchCallout endp
; ---- Build range 7601..9600: second candidate call site ----
; Chunk cross-referenced from ExpCenturyDpcRoutine (per the IDA xrefs); by its shape
; (store cl, test cl, jz/jmp, ends in _local_unwind) it appears to be the same funclet
; the Win10 listing names ExpCenturyDpcRoutine$fin$0. The enclosing routine and the
; jump targets loc_140163D4A / loc_140163C91 are outside this excerpt. Register roles
; here (inferred from use): r10 = region base, r9 = current qword pointer, r11d = outer
; counter, rbx = running value, table at [rbp+28h]; the same 0x19 x 0x10 loop structure
; as KiDispatchCallout above.
.text:0000000140163B44 loc_140163B44: ; DATA XREF: .text:0000000140285944↓o
.text:0000000140163B44 ; .pdata:00000001403261F0↓o ...
.text:0000000140163B44 40 53 push rbx
.text:0000000140163B46 55 push rbp
.text:0000000140163B47 48 83 EC 28 sub rsp, 28h
.text:0000000140163B4B 48 8B EA mov rbp, rdx
.text:0000000140163B4E 88 4D 3C mov [rbp+3Ch], cl
.text:0000000140163B51 84 C9 test cl, cl
.text:0000000140163B53 0F 84 F1 01 00 00 jz loc_140163D4A
.text:0000000140163B59 E9 33 01 00 00 jmp loc_140163C91
.text:0000000140163B5E ; ---------------------------------------------------------------------------
.text:0000000140163B5E
.text:0000000140163B5E loc_140163B5E: ; CODE XREF: ExpCenturyDpcRoutine+367DD↓j
.text:0000000140163B5E 45 33 DB xor r11d, r11d
.text:0000000140163B61 44 89 5D 38 mov [rbp+38h], r11d
.text:0000000140163B65
; outer loop: r11d = 0..18h; per-qword mixing with KiWaitNever / KiWaitAlways and rbx,
; loop state is also spilled to [rbp+38h]/[rbp+0F8h]/[rbp+40h]/[rbp+48h] (unoptimized funclet)
.text:0000000140163B65 loc_140163B65: ; CODE XREF: ExpCenturyDpcRoutine+366C2↓j
.text:0000000140163B65 4D 8B 01 mov r8, [r9]
.text:0000000140163B68 4C 89 85 C8 00 00 00 mov [rbp+0C8h], r8
.text:0000000140163B6F 48 8B 05 C2 F9 1F 00 mov rax, cs:KiWaitNever
.text:0000000140163B76 48 8B D0 mov rdx, rax
.text:0000000140163B79 49 33 D0 xor rdx, r8
.text:0000000140163B7C 8B C8 mov ecx, eax
.text:0000000140163B7E 48 D3 C2 rol rdx, cl
.text:0000000140163B81 48 33 D3 xor rdx, rbx
.text:0000000140163B84 48 0F CA bswap rdx
.text:0000000140163B87 48 33 15 AA FE 1F 00 xor rdx, cs:KiWaitAlways
.text:0000000140163B8E 49 89 11 mov [r9], rdx
.text:0000000140163B91 41 8B C3 mov eax, r11d
.text:0000000140163B94 49 0F AF C2 imul rax, r10
.text:0000000140163B98 48 03 C2 add rax, rdx
.text:0000000140163B9B 49 89 01 mov [r9], rax
.text:0000000140163B9E 41 8B C8 mov ecx, r8d
.text:0000000140163BA1 F7 D1 not ecx
.text:0000000140163BA3 83 E1 3F and ecx, 3Fh
.text:0000000140163BA6 B8 C8 00 00 00 mov eax, 0C8h
.text:0000000140163BAB 41 2B C3 sub eax, r11d
.text:0000000140163BAE 41 0F AF C3 imul eax, r11d
.text:0000000140163BB2 48 D3 C8 ror rax, cl
.text:0000000140163BB5 48 33 D8 xor rbx, rax
.text:0000000140163BB8 48 89 9D F8 00 00 00 mov [rbp+0F8h], rbx
.text:0000000140163BBF 41 83 E0 3F and r8d, 3Fh
.text:0000000140163BC3 41 8A C8 mov cl, r8b
.text:0000000140163BC6 48 D3 C3 rol rbx, cl
.text:0000000140163BC9 48 89 9D F8 00 00 00 mov [rbp+0F8h], rbx
.text:0000000140163BD0 49 03 DA add rbx, r10
.text:0000000140163BD3 48 89 9D F8 00 00 00 mov [rbp+0F8h], rbx
.text:0000000140163BDA 45 33 C0 xor r8d, r8d
.text:0000000140163BDD 44 89 45 40 mov [rbp+40h], r8d
.text:0000000140163BE1
; inner loop: r8d = 0..0Fh, low-nibble substitution via the table at [rbp+28h], ror 4
.text:0000000140163BE1 loc_140163BE1: ; CODE XREF: ExpCenturyDpcRoutine+366AD↓j
.text:0000000140163BE1 41 0F B6 01 movzx eax, byte ptr [r9]
.text:0000000140163BE5 83 E0 0F and eax, 0Fh
.text:0000000140163BE8 0F B6 54 05 28 movzx edx, byte ptr [rbp+rax+28h]
.text:0000000140163BED 49 83 21 F0 and qword ptr [r9], 0FFFFFFFFFFFFFFF0h
.text:0000000140163BF1 49 0B 11 or rdx, [r9]
.text:0000000140163BF4 49 89 11 mov [r9], rdx
.text:0000000140163BF7 48 C1 CA 04 ror rdx, 4
.text:0000000140163BFB 49 89 11 mov [r9], rdx
.text:0000000140163BFE 41 FF C0 inc r8d
.text:0000000140163C01 44 89 45 40 mov [rbp+40h], r8d
.text:0000000140163C05 41 83 F8 10 cmp r8d, 10h
.text:0000000140163C09 72 D6 jb short loc_140163BE1
.text:0000000140163C0B 49 83 C1 08 add r9, 8
.text:0000000140163C0F 4C 89 4D 48 mov [rbp+48h], r9
.text:0000000140163C13 41 FF C3 inc r11d
.text:0000000140163C16 44 89 5D 38 mov [rbp+38h], r11d
.text:0000000140163C1A 41 83 FB 19 cmp r11d, 19h
.text:0000000140163C1E 0F 82 41 FF FF FF jb loc_140163B65
; same tail as KiDispatchCallout: [rbp+0F8h] = [r10] ^ 6244935FAD1B6FF5h ^ 6A15A217BC2A27DBh,
; then bytes 2E 48 31 11 are written at [r10] one at a time
.text:0000000140163C24 48 B9 F5 6F 1B AD 5F 93 44 62 mov rcx, 6244935FAD1B6FF5h
.text:0000000140163C2E 49 8B 02 mov rax, [r10]
.text:0000000140163C31 48 33 C1 xor rax, rcx
.text:0000000140163C34 48 89 85 F8 00 00 00 mov [rbp+0F8h], rax
.text:0000000140163C3B 48 B8 DB 27 2A BC 17 A2 15 6A mov rax, 6A15A217BC2A27DBh
.text:0000000140163C45 48 31 85 F8 00 00 00 xor [rbp+0F8h], rax
.text:0000000140163C4C 4C 89 95 D8 00 00 00 mov [rbp+0D8h], r10
.text:0000000140163C53 41 C6 02 2E mov byte ptr [r10], 2Eh ; '.'
.text:0000000140163C57 41 C6 42 01 48 mov byte ptr [r10+1], 48h ; 'H'
.text:0000000140163C5C 41 C6 42 02 31 mov byte ptr [r10+2], 31h ; '1'
.text:0000000140163C61 41 C6 42 03 11 mov byte ptr [r10+3], 11h
.text:0000000140163C66 45 33 C9 xor r9d, r9d
.text:0000000140163C69 45 33 C0 xor r8d, r8d
.text:0000000140163C6C 48 8B 95 F8 00 00 00 mov rdx, [rbp+0F8h]
.text:0000000140163C73 49 8B CA mov rcx, r10
; call site #2: rcx = r10 (region base), rdx = transformed first qword, r8 = r9 = 0
.text:0000000140163C76 41 FF D2 call r10
; funclet epilogue: bump a counter at [rbp+20h] and run _local_unwind toward loc_14012D5D0
.text:0000000140163C79 83 45 20 02 add dword ptr [rbp+20h], 2
.text:0000000140163C7D 48 8D 15 4C 99 FC FF lea rdx, loc_14012D5D0
.text:0000000140163C84 48 8B 8D D0 00 00 00 mov rcx, [rbp+0D0h]
.text:0000000140163C8B E8 70 C0 FD FF call _local_unwind
.text:0000000140163C90 90 nop
以上为 7601–9600 的数据。`call r10` 中的 r10 指向尚未解密的 CmpAppendDllSection；注意这两处调用点并非 100% 会被执行。

Win10 系列（以下为 20H2 的数据）

; ---- Win10 20H2: KiDispatchCallout (first candidate call site) ----
; IDA listing reproduced verbatim; ';' lines without an address prefix are reviewer
; annotations. Differences from the 7601..9600 variant visible here: KeExitRetpoline is
; called in the prologue, two KiIrqlFlags checks divert into an out-of-line FUNCTION CHUNK
; at 140428502, an extra XOR constant (7E80690Fh) enters the running value, and the final
; indirect call goes through _guard_dispatch_icall (CFG) with rax = r10 instead of `call r10`.
.text:00000001402371B0 KiDispatchCallout proc near ; DATA XREF: .rdata:0000000140055C58↑o
.text:00000001402371B0 ; .pdata:00000001400CBCDC↑o ...
.text:00000001402371B0
.text:00000001402371B0 var_10 = dword ptr -10h
.text:00000001402371B0 var_C = dword ptr -0Ch
.text:00000001402371B0 var_8 = dword ptr -8
.text:00000001402371B0 var_4 = dword ptr -4
.text:00000001402371B0 var_s0 = byte ptr 0
.text:00000001402371B0 arg_0 = qword ptr 30h
.text:00000001402371B0 arg_8 = qword ptr 38h
.text:00000001402371B0 arg_10 = qword ptr 40h
.text:00000001402371B0 arg_18 = qword ptr 48h
.text:00000001402371B0
.text:00000001402371B0 ; FUNCTION CHUNK AT .text:0000000140428502 SIZE 000000A0 BYTES
.text:00000001402371B0
; prologue: rbx/rsi spilled to home slots, rbp/rdi/r13/r14/r15 pushed, 40h bytes of locals
.text:00000001402371B0 48 89 5C 24 10 mov [rsp-28h+arg_8], rbx
.text:00000001402371B5 48 89 74 24 18 mov [rsp-28h+arg_10], rsi
.text:00000001402371BA 55 push rbp
.text:00000001402371BB 57 push rdi
.text:00000001402371BC 41 55 push r13
.text:00000001402371BE 41 56 push r14
.text:00000001402371C0 41 57 push r15
.text:00000001402371C2 48 8B EC mov rbp, rsp
.text:00000001402371C5 48 83 EC 40 sub rsp, 40h
.text:00000001402371C9 49 8B D9 mov rbx, r9
.text:00000001402371CC 48 8B F9 mov rdi, rcx
.text:00000001402371CF E8 40 02 00 00 call KeExitRetpoline
; rdi = first argument; [rdi+48h] / [rdi+38h] receive values XOR-mixed from [r9] and the
; stack address rbp+28h (same pattern as the 7601 variant, with r10/r11 as scratch)
.text:00000001402371D4 4C 8B 13 mov r10, [rbx]
.text:00000001402371D7 4C 8D 5D 28 lea r11, [rbp+28h]
.text:00000001402371DB 49 8B 03 mov rax, [r11]
.text:00000001402371DE 49 33 C2 xor rax, r10
.text:00000001402371E1 48 33 C7 xor rax, rdi
.text:00000001402371E4 48 89 47 48 mov [rdi+48h], rax
.text:00000001402371E8 49 8B C3 mov rax, r11
.text:00000001402371EB 49 33 C2 xor rax, r10
.text:00000001402371EE 48 89 47 38 mov [rdi+38h], rax
; save current IRQL (cr8) in rbx and raise to 2 (DISPATCH_LEVEL); rdi is then set to -1
.text:00000001402371F2 44 0F 20 C3 mov rbx, cr8
.text:00000001402371F6 41 BD 02 00 00 00 mov r13d, 2
.text:00000001402371FC 45 0F 22 C5 mov cr8, r13
; KiIrqlFlags != 0 diverts to the out-of-line chunk; per the xrefs it comes back to loc_140237212
.text:0000000140237200 8B 05 52 54 AC 00 mov eax, cs:KiIrqlFlags
.text:0000000140237206 48 83 CF FF or rdi, 0FFFFFFFFFFFFFFFFh
.text:000000014023720A 85 C0 test eax, eax
.text:000000014023720C 0F 85 F0 12 1F 00 jnz loc_140428502
.text:0000000140237212
.text:0000000140237212 loc_140237212: ; CODE XREF: KiDispatchCallout+1F1354↓j
.text:0000000140237212 ; KiDispatchCallout+1F135D↓j ...
; r10 = ([r10+40h] ^ [r10+20h]) | 0FFFF800000000000h -> region base; r14d = 10h is reused
; as both loop counts; the 16-byte table is stored at var_10..var_4
.text:0000000140237212 49 83 23 00 and qword ptr [r11], 0
.text:0000000140237216 48 8D 55 F0 lea rdx, [rbp+var_10]
.text:000000014023721A 49 8B 42 20 mov rax, [r10+20h]
.text:000000014023721E 41 BE 10 00 00 00 mov r14d, 10h
.text:0000000140237224 4D 8B 52 40 mov r10, [r10+40h]
.text:0000000140237228 45 8B C6 mov r8d, r14d
.text:000000014023722B 4C 33 D0 xor r10, rax
.text:000000014023722E C7 45 F0 0B 08 0E 03 mov [rbp+var_10], 30E080Bh
.text:0000000140237235 48 B8 00 00 00 00 00 80 FF FF mov rax, 0FFFF800000000000h
.text:000000014023723F C7 45 F4 0D 02 07 0C mov [rbp+var_C], 0C07020Dh
.text:0000000140237246 4C 0B D0 or r10, rax
.text:0000000140237249 C7 45 F8 06 01 05 0F mov [rbp+var_8], 0F050106h
.text:0000000140237250 41 8B CA mov ecx, r10d
.text:0000000140237253 C7 45 FC 0A 04 00 09 mov [rbp+var_4], 900040Ah
.text:000000014023725A 83 E1 3F and ecx, 3Fh
.text:000000014023725D 49 8B C2 mov rax, r10
.text:0000000140237260 48 D3 C8 ror rax, cl
.text:0000000140237263 4D 8B CA mov r9, r10
.text:0000000140237266 48 89 45 30 mov [rbp+arg_0], rax
.text:000000014023726A 48 8D 4D F0 lea rcx, [rbp+var_10]
.text:000000014023726E
; loop 1: XOR each of the 16 table bytes with 0Bh in place (r8 = 10h)
.text:000000014023726E loc_14023726E: ; CODE XREF: KiDispatchCallout+CE↓j
.text:000000014023726E 8A 01 mov al, [rcx]
.text:0000000140237270 48 FF C1 inc rcx
.text:0000000140237273 34 0B xor al, 0Bh
.text:0000000140237275 88 02 mov [rdx], al
.text:0000000140237277 48 FF C2 inc rdx
.text:000000014023727A 49 83 E8 01 sub r8, 1
.text:000000014023727E 75 EE jnz short loc_14023726E
; r15 = seed (ror(r10, r10 & 3Fh)); r8 is 0 here, so esi = 19h is the outer bound; r11d = 0
.text:0000000140237280 4C 8B 7D 30 mov r15, [rbp+arg_0]
.text:0000000140237284 41 8D 70 19 lea esi, [r8+19h]
.text:0000000140237288 45 33 DB xor r11d, r11d
.text:000000014023728B
; loop 2 (outer): r11d = 0..18h; per-qword mixing with KiWaitNever / KiWaitAlways and r15,
; then r15 is updated (note the extra `xor r15, 7E80690Fh` not present in the 7601 variant)
.text:000000014023728B loc_14023728B: ; CODE XREF: KiDispatchCallout+177↓j
.text:000000014023728B 48 8B 05 66 55 AC 00 mov rax, cs:KiWaitNever
.text:0000000140237292 4D 8B 01 mov r8, [r9]
.text:0000000140237295 8B C8 mov ecx, eax
.text:0000000140237297 49 8B D0 mov rdx, r8
.text:000000014023729A 41 F7 D0 not r8d
.text:000000014023729D 48 33 D0 xor rdx, rax
.text:00000001402372A0 41 83 E0 3F and r8d, 3Fh
.text:00000001402372A4 48 D3 C2 rol rdx, cl
.text:00000001402372A7 49 33 D7 xor rdx, r15
.text:00000001402372AA 41 8B CB mov ecx, r11d
.text:00000001402372AD 48 0F CA bswap rdx
.text:00000001402372B0 48 33 15 41 57 AC 00 xor rdx, cs:KiWaitAlways
.text:00000001402372B7 49 8D 04 12 lea rax, [r10+rdx]
.text:00000001402372BB BA C8 00 00 00 mov edx, 0C8h
.text:00000001402372C0 48 03 C8 add rcx, rax
.text:00000001402372C3 41 2B D3 sub edx, r11d
.text:00000001402372C6 41 8B C3 mov eax, r11d
.text:00000001402372C9 48 33 D0 xor rdx, rax
.text:00000001402372CC 49 89 09 mov [r9], rcx
.text:00000001402372CF 41 8B C8 mov ecx, r8d
.text:00000001402372D2 48 D3 CA ror rdx, cl
.text:00000001402372D5 4C 33 FA xor r15, rdx
.text:00000001402372D8 49 D3 C7 rol r15, cl
.text:00000001402372DB 4D 03 FA add r15, r10
.text:00000001402372DE 49 81 F7 0F 69 80 7E xor r15, 7E80690Fh
.text:00000001402372E5 4C 89 7D 30 mov [rbp+arg_0], r15
; r14d is the constant 10h, so this jz never skips the inner loop
.text:00000001402372E9 45 85 F6 test r14d, r14d
.text:00000001402372EC 74 25 jz short loc_140237313
.text:00000001402372EE 45 8B C6 mov r8d, r14d
.text:00000001402372F1
; loop 3 (inner, r8 = 10h): rotate left by 4 first, then substitute the low nibble via the table
.text:00000001402372F1 loc_1402372F1: ; CODE XREF: KiDispatchCallout+161↓j
.text:00000001402372F1 49 8B 11 mov rdx, [r9]
.text:00000001402372F4 48 C1 C2 04 rol rdx, 4
.text:00000001402372F8 0F B6 C2 movzx eax, dl
.text:00000001402372FB 48 83 E2 F0 and rdx, 0FFFFFFFFFFFFFFF0h
.text:00000001402372FF 83 E0 0F and eax, 0Fh
.text:0000000140237302 0F B6 4C 05 F0 movzx ecx, byte ptr [rbp+rax+var_10]
.text:0000000140237307 48 0B D1 or rdx, rcx
.text:000000014023730A 49 89 11 mov [r9], rdx
.text:000000014023730D 49 83 E8 01 sub r8, 1
.text:0000000140237311 75 DE jnz short loc_1402372F1
.text:0000000140237313
; loop exit is split: r11d == 19h jumps to loc_1402373AC (outside this excerpt), otherwise
; `cmp r11d, esi / jb` continues; loc_140237324 is also a re-entry target from the out-of-line chunk
.text:0000000140237313 loc_140237313: ; CODE XREF: KiDispatchCallout+13C↑j
.text:0000000140237313 49 83 C1 08 add r9, 8
.text:0000000140237317 41 FF C3 inc r11d
.text:000000014023731A 41 83 FB 19 cmp r11d, 19h
.text:000000014023731E 0F 84 88 00 00 00 jz loc_1402373AC
.text:0000000140237324
.text:0000000140237324 loc_140237324: ; CODE XREF: KiDispatchCallout+256↓j
.text:0000000140237324 44 3B DE cmp r11d, esi
.text:0000000140237327 0F 82 5E FF FF FF jb loc_14023728B
; tail as in the 7601 variant: arg_0 = [r10] ^ 6244935FAD1B6FF5h ^ 6A15A217BC2A27DBh, first
; dword of the region becomes 0AD1B6FF5h ^ 0BC2A27DBh = 1131482Eh (bytes 2E 48 31 11)
.text:000000014023732D 49 8B 02 mov rax, [r10]
.text:0000000140237330 48 B9 F5 6F 1B AD 5F 93 44 62 mov rcx, 6244935FAD1B6FF5h
.text:000000014023733A 48 33 C1 xor rax, rcx
.text:000000014023733D 45 33 C9 xor r9d, r9d
.text:0000000140237340 48 89 45 30 mov [rbp+arg_0], rax
.text:0000000140237344 48 B9 DB 27 2A BC 17 A2 15 6A mov rcx, 6A15A217BC2A27DBh
.text:000000014023734E 48 8B 45 30 mov rax, [rbp+arg_0]
.text:0000000140237352 45 33 C0 xor r8d, r8d
.text:0000000140237355 48 33 C1 xor rax, rcx
.text:0000000140237358 49 8B CA mov rcx, r10
.text:000000014023735B 48 89 45 30 mov [rbp+arg_0], rax
.text:000000014023735F 41 C7 02 F5 6F 1B AD mov dword ptr [r10], 0AD1B6FF5h
.text:0000000140237366 41 8B 02 mov eax, [r10]
.text:0000000140237369 48 8B 55 30 mov rdx, [rbp+arg_0]
.text:000000014023736D 35 DB 27 2A BC xor eax, 0BC2A27DBh
.text:0000000140237372 41 89 02 mov [r10], eax
; call site #1 (Win10): CFG-dispatched indirect call, target in rax = r10 (region base);
; rcx = r10, rdx = transformed first qword, r8 = r9 = 0. This is the dispatch the post refers to.
.text:0000000140237375 49 8B C2 mov rax, r10
.text:0000000140237378 E8 C3 5D 1C 00 call _guard_dispatch_icall
; second KiIrqlFlags check; per the xrefs the chunk returns to loc_14023738B
.text:000000014023737D 8B 05 D5 52 AC 00 mov eax, cs:KiIrqlFlags
.text:0000000140237383 85 C0 test eax, eax
.text:0000000140237385 0F 85 B6 11 1F 00 jnz loc_140428541
.text:000000014023738B
.text:000000014023738B loc_14023738B: ; CODE XREF: KiDispatchCallout+1F1393↓j
.text:000000014023738B ; KiDispatchCallout+1F139F↓j ...
; restore IRQL from bl, reload rbx/rsi from their home slots via r11, epilogue
.text:000000014023738B 0F B6 C3 movzx eax, bl
.text:000000014023738E 44 0F 22 C0 mov cr8, rax
.text:0000000140237392 4C 8D 5C 24 40 lea r11, [rsp+40h+var_s0]
.text:0000000140237397 49 8B 5B 38 mov rbx, [r11+38h]
.text:000000014023739B 49 8B 73 40 mov rsi, [r11+40h]
.text:000000014023739F 49 8B E3 mov rsp, r11
.text:00000001402373A2 41 5F pop r15
.text:00000001402373A4 41 5E pop r14
.text:00000001402373A6 41 5D pop r13
.text:00000001402373A8 5F pop rdi
.text:00000001402373A9 5D pop rbp
.text:00000001402373AA C3 retn
; ---- Win10 20H2: second candidate call site, ExpCenturyDpcRoutine$fin$0 ----
; __finally funclet of ExpCenturyDpcRoutine (MSVC `$fin$0` naming). The enclosing routine
; and the targets loc_14040DCAA / loc_14040DBBB / loc_14040DB57 are outside this excerpt.
; Register roles (inferred from use): r11 = region base, r10 = current qword pointer,
; ebx = outer counter (bound edi = 19h), r8d = inner counter (bound esi = 10h),
; r14 = running value, table at [rbp+40h]. `pg_look` is a user-renamed label.
.text:000000014040D9E2 ExpCenturyDpcRoutine$fin$0: ; DATA XREF: .rdata:0000000140055AB8↑o
.text:000000014040D9E2 ; .pdata:00000001400E39DC↑o
.text:000000014040D9E2 40 53 push rbx
.text:000000014040D9E4 55 push rbp
.text:000000014040D9E5 56 push rsi
.text:000000014040D9E6 57 push rdi
.text:000000014040D9E7 41 56 push r14
.text:000000014040D9E9 48 83 EC 30 sub rsp, 30h
.text:000000014040D9ED 48 8B EA mov rbp, rdx
.text:000000014040D9F0 88 4D 50 mov [rbp+50h], cl
.text:000000014040D9F3 84 C9 test cl, cl
.text:000000014040D9F5 0F 84 AF 02 00 00 jz loc_14040DCAA
.text:000000014040D9FB E9 BB 01 00 00 jmp loc_14040DBBB
.text:000000014040DA00 ; ---------------------------------------------------------------------------
.text:000000014040DA00
; loop bounds: edi = 19h (outer), esi = edi - 9 = 10h (inner); both also spilled to the frame
.text:000000014040DA00 loc_14040DA00: ; CODE XREF: ExpCenturyDpcRoutine+1D6DE1↓j
.text:000000014040DA00 BF 19 00 00 00 mov edi, 19h
.text:000000014040DA05 89 7D 64 mov [rbp+64h], edi
.text:000000014040DA08 8D 77 F7 lea esi, [rdi-9]
.text:000000014040DA0B 89 75 68 mov [rbp+68h], esi
.text:000000014040DA0E 33 DB xor ebx, ebx
.text:000000014040DA10 89 5D 54 mov [rbp+54h], ebx
.text:000000014040DA13 4C 8B 75 38 mov r14, [rbp+38h]
.text:000000014040DA17
; outer loop: per-qword mixing with KiWaitNever / KiWaitAlways and r14; r14 update includes
; the extra constant 0FB006943h (this funclet's counterpart of 7E80690Fh in KiDispatchCallout)
.text:000000014040DA17 loc_14040DA17: ; CODE XREF: ExpCenturyDpcRoutine+1D6C3C↓j
.text:000000014040DA17 4D 8B 0A mov r9, [r10]
.text:000000014040DA1A 4C 89 8D 38 01 00 00 mov [rbp+138h], r9
.text:000000014040DA21 49 8B D1 mov rdx, r9
.text:000000014040DA24 48 8B 05 CD ED 8E 00 mov rax, cs:KiWaitNever
.text:000000014040DA2B 48 33 D0 xor rdx, rax
.text:000000014040DA2E 8B C8 mov ecx, eax
.text:000000014040DA30 48 D3 C2 rol rdx, cl
.text:000000014040DA33 49 33 D6 xor rdx, r14
.text:000000014040DA36 48 0F CA bswap rdx
.text:000000014040DA39 48 33 15 B8 EF 8E 00 xor rdx, cs:KiWaitAlways
.text:000000014040DA40 49 89 12 mov [r10], rdx
.text:000000014040DA43 44 8B C3 mov r8d, ebx
.text:000000014040DA46 48 8D 04 13 lea rax, [rbx+rdx]
.text:000000014040DA4A 49 03 C3 add rax, r11
.text:000000014040DA4D 49 89 02 mov [r10], rax
.text:000000014040DA50 41 F7 D1 not r9d
.text:000000014040DA53 41 83 E1 3F and r9d, 3Fh
.text:000000014040DA57 BA C8 00 00 00 mov edx, 0C8h
.text:000000014040DA5C 2B D3 sub edx, ebx
.text:000000014040DA5E 49 33 D0 xor rdx, r8
.text:000000014040DA61 41 8B C9 mov ecx, r9d
.text:000000014040DA64 48 D3 CA ror rdx, cl
.text:000000014040DA67 4C 33 F2 xor r14, rdx
.text:000000014040DA6A 4C 89 75 38 mov [rbp+38h], r14
.text:000000014040DA6E 49 D3 C6 rol r14, cl
.text:000000014040DA71 4C 89 75 38 mov [rbp+38h], r14
.text:000000014040DA75 4D 03 F3 add r14, r11
.text:000000014040DA78 4C 89 75 38 mov [rbp+38h], r14
.text:000000014040DA7C B8 43 69 00 FB mov eax, 0FB006943h
.text:000000014040DA81 4C 33 F0 xor r14, rax
.text:000000014040DA84 4C 89 75 38 mov [rbp+38h], r14
.text:000000014040DA88 45 33 C0 xor r8d, r8d
.text:000000014040DA8B 44 89 45 60 mov [rbp+60h], r8d
; esi is the constant 10h, so this jz never skips the inner loop
.text:000000014040DA8F 85 F6 test esi, esi
.text:000000014040DA91 74 2E jz short loc_14040DAC1
.text:000000014040DA93
; inner loop: rol 4, then low-nibble substitution via the table at [rbp+40h] (r8d = 0..0Fh)
.text:000000014040DA93 loc_14040DA93: ; CODE XREF: ExpCenturyDpcRoutine+1D6C1F↓j
.text:000000014040DA93 49 8B 12 mov rdx, [r10]
.text:000000014040DA96 48 C1 C2 04 rol rdx, 4
.text:000000014040DA9A 49 89 12 mov [r10], rdx
.text:000000014040DA9D 0F B6 C2 movzx eax, dl
.text:000000014040DAA0 83 E0 0F and eax, 0Fh
.text:000000014040DAA3 0F B6 44 05 40 movzx eax, byte ptr [rbp+rax+40h]
.text:000000014040DAA8 48 83 E2 F0 and rdx, 0FFFFFFFFFFFFFFF0h
.text:000000014040DAAC 49 89 12 mov [r10], rdx
.text:000000014040DAAF 48 0B C2 or rax, rdx
.text:000000014040DAB2 49 89 02 mov [r10], rax
.text:000000014040DAB5 41 FF C0 inc r8d
.text:000000014040DAB8 44 89 45 60 mov [rbp+60h], r8d
.text:000000014040DABC 44 3B C6 cmp r8d, esi
.text:000000014040DABF 72 D2 jb short loc_14040DA93
.text:000000014040DAC1
; outer loop exit is split as in KiDispatchCallout: ebx == 19h -> loc_14040DB57 (outside excerpt)
.text:000000014040DAC1 loc_14040DAC1: ; CODE XREF: ExpCenturyDpcRoutine+1D6BF1↑j
.text:000000014040DAC1 49 83 C2 08 add r10, 8
.text:000000014040DAC5 4C 89 95 88 00 00 00 mov [rbp+88h], r10
.text:000000014040DACC FF C3 inc ebx
.text:000000014040DACE 83 FB 19 cmp ebx, 19h
.text:000000014040DAD1 0F 84 80 00 00 00 jz loc_14040DB57
.text:000000014040DAD7
.text:000000014040DAD7 pg_look: ; CODE XREF: ExpCenturyDpcRoutine+1D6D16↓j
.text:000000014040DAD7 89 5D 54 mov [rbp+54h], ebx
.text:000000014040DADA 3B DF cmp ebx, edi
.text:000000014040DADC 0F 82 35 FF FF FF jb loc_14040DA17
; tail: [rbp+38h] = [r11] ^ 6244935FAD1B6FF5h ^ 6A15A217BC2A27DBh, then bytes 2E 48 31 11 at [r11]
.text:000000014040DAE2 48 B9 F5 6F 1B AD 5F 93 44 62 mov rcx, 6244935FAD1B6FF5h
.text:000000014040DAEC 49 8B 03 mov rax, [r11]
.text:000000014040DAEF 48 33 C1 xor rax, rcx
.text:000000014040DAF2 48 89 45 38 mov [rbp+38h], rax
.text:000000014040DAF6 48 8B 45 38 mov rax, [rbp+38h]
.text:000000014040DAFA 48 B9 DB 27 2A BC 17 A2 15 6A mov rcx, 6A15A217BC2A27DBh
.text:000000014040DB04 48 33 C1 xor rax, rcx
.text:000000014040DB07 48 89 45 38 mov [rbp+38h], rax
.text:000000014040DB0B 41 C6 03 2E mov byte ptr [r11], 2Eh ; '.'
.text:000000014040DB0F 41 C6 43 01 48 mov byte ptr [r11+1], 48h ; 'H'
.text:000000014040DB14 41 C6 43 02 31 mov byte ptr [r11+2], 31h ; '1'
.text:000000014040DB19 41 C6 43 03 11 mov byte ptr [r11+3], 11h
.text:000000014040DB1E 45 33 C9 xor r9d, r9d
.text:000000014040DB21 45 33 C0 xor r8d, r8d
.text:000000014040DB24 48 8B 55 38 mov rdx, [rbp+38h]
.text:000000014040DB28 49 8B CB mov rcx, r11
; call site #2 (Win10): CFG-dispatched, target in rax = r11 (region base); rcx = r11,
; rdx = transformed first qword, r8 = r9 = 0
.text:000000014040DB2B 49 8B C3 mov rax, r11
.text:000000014040DB2E E8 0D F6 FE FF call _guard_dispatch_icall
; funclet epilogue: flag at [rbp+70h] set, counter at [rbp+30h] += 2, _local_unwind toward loc_140236F53
.text:000000014040DB33 C7 45 70 01 00 00 00 mov dword ptr [rbp+70h], 1
.text:000000014040DB3A 8B 45 30 mov eax, [rbp+30h]
.text:000000014040DB3D 83 C0 02 add eax, 2
.text:000000014040DB40 89 45 30 mov [rbp+30h], eax
.text:000000014040DB43 48 8D 15 09 94 E2 FF lea rdx, loc_140236F53
.text:000000014040DB4A 48 8B 8D 58 01 00 00 mov rcx, [rbp+158h]
.text:000000014040DB51 E8 6A ED FB FF call _local_unwind
.text:000000014040DB56 90 nop
Win8 以上新加入了一处 `call _guard_dispatch_icall`（Control Flow Guard，控制流防护）：原来的直接 `call r10` 改为先 `mov rax, r10` 再经 `_guard_dispatch_icall` 分派。
所以可以在 `_guard_dispatch_icall` 处判断其目标地址（rax）是否为 CmpAppendDllSection。
已在虚拟机快照环境中测试成功。