Created
June 20, 2014 04:55
-
-
Save chaelim/ec362cfbfa72728b57ee to your computer and use it in GitHub Desktop.
InterLockedSList internals (Kernel exception handler trick)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ======================================================================== | |
| FIND PAGE FAULT IDT (KiTrap0E) | |
| ======================================================================== | |
| kd> !pcr 0 | |
| Find "KPCR for Processor 0 at fffff80001176000:" | |
| kd> dt _KPCR fffff80001176000 | |
| Find "+0?38 IdtBase : 0xfffff800`03694070 _KIDTENTRY64" | |
| kd> r? $t0=(_KIDTENTRY64 *)0xfffff800`03694070; .for (r $t1=0; @$t1 <= 13; r? $t0=(_KIDTENTRY64 *)@$t0+1) { .printf "Interrupt vector %d (0x%x):\n", @$t1, @$t1; ln @@c++(@$t0->OffsetHigh*0x100000000 + @$t0->OffsetMiddle*0x10000 + @$t0->OffsetLow); r $t1=$t1+1 } | |
| Interrupt vector 14 (0xe): | |
| (fffff800`01040180) nt!KiPageFault | (fffff800`010404c0) | |
| OR | |
| kd> !pcr 0 | |
| KPCR for Processor 0 at fffff80001176000: | |
| ...... | |
| kd> dt _KPCR fffff80001176000 | |
| ... | |
| +0¡¿038 IdtBase : 0xfffff800`00124070 _KIDTENTRY64 | |
| ... | |
| kd> dt _KIDTENTRY64 0xfffff800`00124070 | |
| ======================================================================== | |
| 0: kd> u | |
| nt!KiPageFault+0x231: | |
| fffff800`02478171 8945a0 mov dword ptr [rbp-60h],eax | |
| fffff800`02478174 7509 jne nt!KiPageFault+0x23f | |
| (fffff800`0247817f) | |
| fffff800`02478176 b901000000 mov ecx,1 | |
| fffff800`0247817b 440f22c1 mov cr8,rcx | |
| fffff800`0247817f 488d4d80 lea rcx,[rbp-80h] | |
| fffff800`02478183 e878600000 call nt!KiCheckForSListAddress | |
| (fffff800`0247e200) <== | |
| fffff800`02478188 8b4da0 mov ecx,dword ptr [rbp-60h] | |
| fffff800`0247818b 0bc9 or ecx,ecx | |
| fffff800`0242a888 mov rax,qword ptr [nt! | |
| KeUserPopEntrySListResumeWow64 (fffff800`02646460)] | |
| fffff800`0242a88f jmp nt!KiCheckForSListAddress+0x3c | |
| (fffff800`0247e23c) | |
| 0: kd> uf nt!KiCheckForSListAddress | |
| fffff800`0247e200 movzx eax,word ptr [rcx+170h] | |
| fffff800`0247e207 mov rdx,qword ptr [rcx+168h] | |
| fffff800`0247e20e cmp ax,33h | |
| fffff800`0247e212 je nt!KiCheckForSListAddress+0x44 | |
| (fffff800`0247e244) | |
| nt!KiCheckForSListAddress+0x14: | |
| fffff800`0247e214 cmp ax,23h | |
| fffff800`0247e218 je nt!KiCheckForSListAddress+0x65 | |
| (fffff800`0247e265) | |
| nt!KiCheckForSListAddress+0x1a: | |
| fffff800`0247e21a cmp rdx,qword ptr [nt! | |
| KiInterlockedPopEntrySListResumeEntryPoint (fffff800`02646458)] | |
| fffff800`0247e221 ja nt!KiCheckForSListAddress+0x26 | |
| (fffff800`0247e226) | |
| nt!KiCheckForSListAddress+0x23: | |
| fffff800`0247e223 ret 0 | |
| nt!KiCheckForSListAddress+0x26: | |
| fffff800`0247e226 cmp rdx,qword ptr [nt! | |
| KiInterlockedPopEntrySListEndEntryPoint (fffff800`02646860)] | |
| fffff800`0247e22d ja nt!KiCheckForSListAddress+0x23 | |
| (fffff800`0247e223) | |
| nt!KiCheckForSListAddress+0x2f: | |
| fffff800`0247e22f cmp ax,10h | |
| fffff800`0247e233 jne nt!KiCheckForSListAddress+0x23 | |
| (fffff800`0247e223) | |
| nt!KiCheckForSListAddress+0x35: | |
| fffff800`0247e235 mov rax,qword ptr [nt! | |
| KiInterlockedPopEntrySListResumeEntryPoint (fffff800`02646458)] | |
| nt!KiCheckForSListAddress+0x3c: | |
| fffff800`0247e23c mov qword ptr [rcx+168h],rax | |
| fffff800`0247e243 ret |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment