Created
June 20, 2014 04:59
-
-
Save chaelim/3bcd0eb1e29b82ddac1e to your computer and use it in GitHub Desktop.
FlushProcessWriteBuffers API disassembly
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Opened log file 'FlushProcessWriteBuffers.log' | |
| 0: kd> x nt!*FlushProcessWriteBuffers* | |
| fffff800`0226da70 nt!KeFlushProcessWriteBuffers = <no type information> | |
| fffff800`0225a9d0 nt!NtFlushProcessWriteBuffers = <no type information> | |
| fffff800`022a0720 nt!ZwFlushProcessWriteBuffers = <no type information> | |
| fffff800`0226e3cc nt!KiFlushProcessWriteBuffersTarget = <no type information> | |
| 0: kd> u fffff800`0225a9d0 | |
| nt!NtFlushProcessWriteBuffers: | |
| fffff800`0225a9d0 33c9 xor ecx,ecx | |
| fffff800`0225a9d2 e999300100 jmp nt!KeFlushProcessWriteBuffers (fffff800`0226da70) | |
| fffff800`0225a9d7 90 nop | |
| fffff800`0225a9d8 90 nop | |
| fffff800`0225a9d9 90 nop | |
| fffff800`0225a9da 90 nop | |
| fffff800`0225a9db 90 nop | |
| fffff800`0225a9dc 90 nop | |
| 0: kd> u nt!KeFlushProcessWriteBuffers | |
| nt!KeFlushProcessWriteBuffers: | |
| fffff800`0226da70 48895c2408 mov qword ptr [rsp+8],rbx | |
| fffff800`0226da75 48896c2410 mov qword ptr [rsp+10h],rbp | |
| fffff800`0226da7a 4889742418 mov qword ptr [rsp+18h],rsi | |
| fffff800`0226da7f 57 push rdi | |
| fffff800`0226da80 4883ec40 sub rsp,40h | |
| fffff800`0226da84 440f20c5 mov rbp,cr8 | |
| fffff800`0226da88 b80c000000 mov eax,0Ch | |
| fffff800`0226da8d 440f22c0 mov cr8,rax | |
| fffff800`0226da91 84c9 test cl,cl | |
| fffff800`0226da93 65488b3c2520000000 mov rdi,qword ptr gs:[20h] | |
| fffff800`0226da9c 0f85a4000000 jne nt!KeFlushProcessWriteBuffers+0xd6 (fffff800`0226db46) | |
| fffff800`0226daa2 488b4708 mov rax,qword ptr [rdi+8] | |
| fffff800`0226daa6 488b4868 mov rcx,qword ptr [rax+68h] | |
| fffff800`0226daaa 488b5940 mov rbx,qword ptr [rcx+40h] | |
| fffff800`0226daae 488b4738 mov rax,qword ptr [rdi+38h] | |
| fffff800`0226dab2 48f7d0 not rax | |
| nt!KeFlushProcessWriteBuffers+0x45: | |
| fffff800`0226dab5 4823d8 and rbx,rax | |
| fffff800`0226dab8 4885db test rbx,rbx | |
| fffff800`0226dabb 751d jne nt!KeFlushProcessWriteBuffers+0x6a (fffff800`0226dada) | |
| fffff800`0226dabd 400fb6c5 movzx eax,bpl | |
| fffff800`0226dac1 440f22c0 mov cr8,rax | |
| fffff800`0226dac5 488b5c2450 mov rbx,qword ptr [rsp+50h] | |
| fffff800`0226daca 488b6c2458 mov rbp,qword ptr [rsp+58h] | |
| fffff800`0226dacf 488b742460 mov rsi,qword ptr [rsp+60h] | |
| fffff800`0226dad4 4883c440 add rsp,40h | |
| fffff800`0226dad8 5f pop rdi | |
| fffff800`0226dad9 c3 ret | |
| fffff800`0226dada 488364242000 and qword ptr [rsp+20h],0 | |
| fffff800`0226dae0 488364242800 and qword ptr [rsp+28h],0 | |
| fffff800`0226dae6 488364243000 and qword ptr [rsp+30h],0 | |
| fffff800`0226daec 488d05d9080000 lea rax,[nt!KiFlushProcessWriteBuffersTarget (fffff800`0226e3cc)] | |
| fffff800`0226daf3 488d542420 lea rdx,[rsp+20h] | |
| fffff800`0226daf8 41b908000000 mov r9d,8 | |
| fffff800`0226dafe 4533c0 xor r8d,r8d | |
| fffff800`0226db01 488bcb mov rcx,rbx | |
| fffff800`0226db04 4889442438 mov qword ptr [rsp+38h],rax | |
| fffff800`0226db09 e8824b0400 call nt!KiIpiSendRequest (fffff800`022b2690) <=============== !!! | |
| fffff800`0226db0e 488d43ff lea rax,[rbx-1] | |
| fffff800`0226db12 488db780220000 lea rsi,[rdi+2280h] | |
| fffff800`0226db19 4885c3 test rbx,rax | |
| fffff800`0226db1c 7434 je nt!KeFlushProcessWriteBuffers+0xe2 (fffff800`0226db52) | |
| fffff800`0226db1e 488b06 mov rax,qword ptr [rsi] | |
| fffff800`0226db21 4885c0 test rax,rax | |
| fffff800`0226db24 7497 je nt!KeFlushProcessWriteBuffers+0x4d (fffff800`0226dabd) | |
| fffff800`0226db26 33db xor ebx,ebx | |
| fffff800`0226db28 83c301 add ebx,1 | |
| fffff800`0226db2b 851d6b372000 test dword ptr [nt!HvlLongSpinCountMask (fffff800`0247129c)],ebx | |
| fffff800`0226db31 0f846129ffff je nt! ?? ::FNODOBFM::`string'+0x2f00 (fffff800`02260498) | |
| fffff800`0226db37 f390 pause | |
| fffff800`0226db39 488b06 mov rax,qword ptr [rsi] | |
| fffff800`0226db3c 4885c0 test rax,rax | |
| fffff800`0226db3f 75e7 jne nt!KeFlushProcessWriteBuffers+0xb8 (fffff800`0226db28) | |
| fffff800`0226db41 e977ffffff jmp nt!KeFlushProcessWriteBuffers+0x4d (fffff800`0226dabd) | |
| fffff800`0226db46 488b1d03352000 mov rbx,qword ptr [nt!KeActiveProcessors (fffff800`02471050)] | |
| fffff800`0226db4d e95cffffff jmp nt!KeFlushProcessWriteBuffers+0x3e (fffff800`0226daae) | |
| fffff800`0226db52 488db700230000 lea rsi,[rdi+2300h] | |
| fffff800`0226db59 ebc3 jmp nt!KeFlushProcessWriteBuffers+0xae (fffff800`0226db1e) | |
| fffff800`0226db5b 90 nop | |
| fffff800`0226db5c 90 nop | |
| fffff800`0226db5d 90 nop | |
| fffff800`0226db5e 90 nop | |
| fffff800`0226db5f 90 nop | |
| fffff800`0226db60 90 nop | |
| fffff800`0226db61 90 nop | |
| 0: kd> u nt!KiIpiSendRequest | |
| nt!KiIpiSendRequest: | |
| fffff800`022b2690 4c894c2420 mov qword ptr [rsp+20h],r9 | |
| fffff800`022b2695 4c89442418 mov qword ptr [rsp+18h],r8 | |
| fffff800`022b269a 4889542410 mov qword ptr [rsp+10h],rdx | |
| fffff800`022b269f 53 push rbx | |
| fffff800`022b26a0 55 push rbp | |
| fffff800`022b26a1 56 push rsi | |
| fffff800`022b26a2 57 push rdi | |
| fffff800`022b26a3 4154 push r12 | |
| fffff800`022b26a5 4155 push r13 | |
| fffff800`022b26a7 4156 push r14 | |
| fffff800`022b26a9 4157 push r15 | |
| fffff800`022b26ab 4883ec48 sub rsp,48h | |
| fffff800`022b26af 4c8be9 mov r13,rcx | |
| fffff800`022b26b2 65488b0c2520000000 mov rcx,qword ptr gs:[20h] | |
| fffff800`022b26bb 410fb6d8 movzx ebx,r8b | |
| fffff800`022b26bf 498bf1 mov rsi,r9 | |
| fffff800`022b26c2 488bc2 mov rax,rdx | |
| fffff800`022b26c5 4d8bc8 mov r9,r8 | |
| fffff800`022b26c8 48c1e008 shl rax,8 | |
| fffff800`022b26cc 4c8d8100230000 lea r8,[rcx+2300h] | |
| fffff800`022b26d3 c784249000000000000000 mov dword ptr [rsp+90h],0 | |
| fffff800`022b26de 480bd8 or rbx,rax | |
| fffff800`022b26e1 408ac6 mov al,sil | |
| fffff800`022b26e4 4d8928 mov qword ptr [r8],r13 | |
| fffff800`022b26e7 83e00f and eax,0Fh | |
| fffff800`022b26ea 48c1e308 shl rbx,8 | |
| fffff800`022b26ee 480bd8 or rbx,rax | |
| fffff800`022b26f1 498d45ff lea rax,[r13-1] | |
| fffff800`022b26f5 4985c5 test r13,rax | |
| fffff800`022b26f8 0f8524010000 jne nt!KiIpiSendRequest+0x192 (fffff800`022b2822) | |
| fffff800`022b26fe 480fbaeb07 bts rbx,7 | |
| fffff800`022b2703 440fb76104 movzx r12d,word ptr [rcx+4] | |
| fffff800`022b2708 4c8b7938 mov r15,qword ptr [rcx+38h] | |
| fffff800`022b270c 490fbccd bsf rcx,r13 | |
| fffff800`022b2710 4981c48e000000 add r12,8Eh | |
| fffff800`022b2717 4c89442428 mov qword ptr [rsp+28h],r8 | |
| fffff800`022b271c 894c2420 mov dword ptr [rsp+20h],ecx | |
| fffff800`022b2720 498bed mov rbp,r13 | |
| fffff800`022b2723 4c896c2430 mov qword ptr [rsp+30h],r13 | |
| fffff800`022b2728 4c8d05d178f9ff lea r8,[nt!MmIsSessionAddress <PERF> (nt+0x0) (fffff800`0224a000)] | |
| fffff800`022b272f 49c1e406 shl r12,6 | |
| fffff800`022b2733 498bbcc840762200 mov rdi,qword ptr [r8+rcx*8+227640h] | |
| fffff800`022b273b 0f0d8f80330000 prefetchw [rdi+3380h] | |
| fffff800`022b2742 410f0d0c3c prefetchw [r12+rdi] | |
| fffff800`022b2747 488b8780330000 mov rax,qword ptr [rdi+3380h] | |
| fffff800`022b274e 41be01000000 mov r14d,1 | |
| fffff800`022b2754 49d3e6 shl r14,cl | |
| fffff800`022b2757 4985c7 test r15,rax | |
| fffff800`022b275a 0f854a010000 jne nt!KiIpiSendRequest+0x21a (fffff800`022b28aa) | |
| fffff800`022b2760 4883fe07 cmp rsi,7 | |
| fffff800`022b2764 0f8580000000 jne nt!KiIpiSendRequest+0x15a (fffff800`022b27ea) | |
| fffff800`022b276a 4983f907 cmp r9,7 | |
| fffff800`022b276e 7720 ja nt!KiIpiSendRequest+0x100 (fffff800`022b2790) | |
| fffff800`022b2770 4183f901 cmp r9d,1 | |
| fffff800`022b2774 0f85bb000000 jne nt!KiIpiSendRequest+0x1a5 (fffff800`022b2835) | |
| fffff800`022b277a 488b02 mov rax,qword ptr [rdx] | |
| fffff800`022b277d 8d8efb000000 lea ecx,[rsi+0FBh] | |
| fffff800`022b2783 32cb xor cl,bl | |
| fffff800`022b2785 4989443c08 mov qword ptr [r12+rdi+8],rax | |
| fffff800`022b278a 83e10f and ecx,0Fh | |
| fffff800`022b278d 4833d9 xor rbx,rcx | |
| fffff800`022b2790 49891c3c mov qword ptr [r12+rdi],rbx | |
| fffff800`022b2794 498bc7 mov rax,r15 | |
| fffff800`022b2797 f0480fc18780330000 lock xadd qword ptr [rdi+3380h],rax | |
| fffff800`022b27a0 4885c0 test rax,rax | |
| fffff800`022b27a3 0f85ef000000 jne nt!KiIpiSendRequest+0x208 (fffff800`022b2898) | |
| fffff800`022b27a9 4933ee xor rbp,r14 | |
| fffff800`022b27ac 480fbcc5 bsf rax,rbp | |
| fffff800`022b27b0 8bc8 mov ecx,eax | |
| fffff800`022b27b2 89442420 mov dword ptr [rsp+20h],eax | |
| fffff800`022b27b6 0f8577ffffff jne nt!KiIpiSendRequest+0xa3 (fffff800`022b2733) | |
| fffff800`022b27bc 4883fe08 cmp rsi,8 | |
| fffff800`022b27c0 0f84da000000 je nt!KiIpiSendRequest+0x210 (fffff800`022b28a0) | |
| fffff800`022b27c6 4d85ed test r13,r13 | |
| fffff800`022b27c9 7409 je nt!KiIpiSendRequest+0x144 (fffff800`022b27d4) | |
| fffff800`022b27cb 498bcd mov rcx,r13 | |
| fffff800`022b27ce ff152c090d00 call qword ptr [nt!_imp_HalRequestIpi (fffff800`02383100)] <============= !!!! | |
| fffff800`022b27d4 488b442428 mov rax,qword ptr [rsp+28h] | |
| fffff800`022b27d9 4883c448 add rsp,48h | |
| fffff800`022b27dd 415f pop r15 | |
| fffff800`022b27df 415e pop r14 | |
| fffff800`022b27e1 415d pop r13 | |
| fffff800`022b27e3 415c pop r12 | |
| fffff800`022b27e5 5f pop rdi | |
| fffff800`022b27e6 5e pop rsi | |
| fffff800`022b27e7 5d pop rbp | |
| fffff800`022b27e8 5b pop rbx | |
| fffff800`022b27e9 c3 ret | |
| 0: kd> u fffff800`02383100 | |
| nt!_imp_HalRequestIpi: | |
| fffff800`02383100 90 nop | |
| fffff800`02383101 412102 and dword ptr [r10],eax | |
| fffff800`02383104 00f8 add al,bh | |
| fffff800`02383106 ff ??? | |
| fffff800`02383107 ff88f2200200 dec dword ptr [rax+220F2h] | |
| fffff800`0238310d f8 clc | |
| fffff800`0238310e ff ??? | |
| fffff800`0238310f ff ??? | |
| 0: kd> u poi(fffff800`02383100) | |
| hal!HalRequestIpi: | |
| fffff800`02214190 48895c2408 mov qword ptr [rsp+8],rbx | |
| fffff800`02214195 48897c2410 mov qword ptr [rsp+10h],rdi | |
| fffff800`0221419a 9c pushfq | |
| fffff800`0221419b 4883ec20 sub rsp,20h | |
| fffff800`0221419f 488bd9 mov rbx,rcx | |
| fffff800`022141a2 fa cli | |
| fffff800`022141a3 65488b042520000000 mov rax,qword ptr gs:[20h] | |
| fffff800`022141ac 488b7838 mov rdi,qword ptr [rax+38h] | |
| 0: kd> u | |
| hal!HalRequestIpi+0x20: | |
| fffff800`022141b0 488bc7 mov rax,rdi | |
| fffff800`022141b3 480bc1 or rax,rcx | |
| fffff800`022141b6 483b05f34a0100 cmp rax,qword ptr [hal!HalpActiveProcessors (fffff800`02228cb0)] | |
| fffff800`022141bd 7547 jne hal!HalRequestIpi+0x76 (fffff800`02214206) | |
| fffff800`022141bf 833d9e36010000 cmp dword ptr [hal!HalpEnlightenment+0x4 (fffff800`02227864)],0 | |
| fffff800`022141c6 7513 jne hal!HalRequestIpi+0x4b (fffff800`022141db) | |
| fffff800`022141c8 66666690 xchg ax,ax | |
| fffff800`022141cc 66666690 xchg ax,ax | |
| 0: kd> u | |
| hal!HalRequestIpi+0x40: | |
| fffff800`022141d0 0fba24250003feff0c bt dword ptr [0FFFFFFFFFFFE0300h],0Ch | |
| fffff800`022141d9 72f5 jb hal!HalRequestIpi+0x40 (fffff800`022141d0) | |
| fffff800`022141db 488b158e360100 mov rdx,qword ptr [hal!HalpEnlightenment+0x10 (fffff800`02227870)] | |
| fffff800`022141e2 4885f9 test rcx,rdi | |
| fffff800`022141e5 b8e1000c00 mov eax,0C00E1h | |
| fffff800`022141ea b9e1000800 mov ecx,800E1h | |
| fffff800`022141ef 0f45c1 cmovne eax,ecx | |
| fffff800`022141f2 4885d2 test rdx,rdx | |
| 0: kd> u | |
| hal!HalRequestIpi+0x65: | |
| fffff800`022141f5 7509 jne hal!HalRequestIpi+0x70 (fffff800`02214200) | |
| fffff800`022141f7 8904250003feff mov dword ptr [0FFFFFFFFFFFE0300h],eax | |
| fffff800`022141fe eb11 jmp hal!HalRequestIpi+0x81 (fffff800`02214211) | |
| fffff800`02214200 8bc8 mov ecx,eax | |
| fffff800`02214202 ffd2 call rdx | |
| fffff800`02214204 eb0b jmp hal!HalRequestIpi+0x81 (fffff800`02214211) | |
| fffff800`02214206 bae1080000 mov edx,8E1h | |
| fffff800`0221420b ff15f73f0100 call qword ptr [hal!HalpIpiRoutine (fffff800`02228208)] | |
| 0: kd> u | |
| hal!HalRequestIpi+0x81: | |
| fffff800`02214211 4885fb test rbx,rdi | |
| fffff800`02214214 7415 je hal!HalRequestIpi+0x9b (fffff800`0221422b) | |
| fffff800`02214216 833d4736010000 cmp dword ptr [hal!HalpEnlightenment+0x4 (fffff800`02227864)],0 | |
| fffff800`0221421d 750c jne hal!HalRequestIpi+0x9b (fffff800`0221422b) | |
| fffff800`0221421f 90 nop | |
| fffff800`02214220 0fba24250003feff0c bt dword ptr [0FFFFFFFFFFFE0300h],0Ch | |
| fffff800`02214229 72f5 jb hal!HalRequestIpi+0x90 (fffff800`02214220) | |
| fffff800`0221422b 0fba64242009 bt dword ptr [rsp+20h],9 | |
| 0: kd> u | |
| hal!HalRequestIpi+0xa1: | |
| fffff800`02214231 7301 jae hal!HalRequestIpi+0xa4 (fffff800`02214234) | |
| fffff800`02214233 fb sti | |
| fffff800`02214234 488b5c2430 mov rbx,qword ptr [rsp+30h] | |
| fffff800`02214239 488b7c2438 mov rdi,qword ptr [rsp+38h] | |
| fffff800`0221423e 4883c420 add rsp,20h | |
| fffff800`02214242 59 pop rcx | |
| fffff800`02214243 c3 ret | |
| fffff800`02214244 90 nop | |
| 0: kd> u | |
| hal!HalRequestIpi+0xb5: | |
| fffff800`02214245 90 nop | |
| fffff800`02214246 90 nop | |
| fffff800`02214247 90 nop | |
| fffff800`02214248 90 nop | |
| fffff800`02214249 90 nop | |
| fffff800`0221424a 90 nop | |
| fffff800`0221424b 90 nop | |
| fffff800`0221424c 90 nop | |
| 0: kd> .logclose | |
| Closing open log file FlushProcessWriteBuffers.log |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment