realdomdom · May 21, 2022 12:09
diff --git a/stuffz b/stuffz
 u ntdll!ZwReadFile
 ntdll!NtReadFile:
 77f761e8 b8b7000000       mov     eax,0xb7
 77f761ed ba0003fe7f       mov     edx,0x7ffe0300
 77f761f2 ffd2             call    edx
 77f761f4 c22400           ret     0x24

 ln 0x7ffe0300
 (7ffe0300)   SharedUserData!SystemCallStub  
 Exact matches:
    SharedUserData!SystemCallStub

 u SharedUserData!SystemCallStub
 SharedUserData!SystemCallStub:
 7ffe0300 8bd4             mov     edx,esp
 7ffe0302 0f34             sysenter 
 7ffe0304 c3               ret

 SYSENTER_EIP_MSR -> MSR 0x176

 rdmsr 176
 msr[176] = 00000000:8053a270

 (XP SP1!)

 ln 8053a270
 (8053a270)   nt!KiFastCallEntry   |  (8053a2fb)   nt!KiSystemService
 Exact matches:
    nt!KiFastCallEntry

 ...
 053a2f9 eb5c jmp     nt!KiSystemService+0x5c (8053a357)


 0: 0x805912c2  (nt!NtAcceptConnectPort)
 1: 0x805d87b0  (nt!NtAccessCheck)
 2: 0x805dc3e4  (nt!NtAccessCheckAndAuditAlarm)
 ...
 b7: 0x8056b2ec  (nt!NtReadFile)
 ...

 u nt!NtReadFile
 nt!NtReadFile:
 8056b2ec 6a58             push    0x58
 8056b2ee 6858044e80       push    0x804e0458
 8056b2f3 e8e09ffcff       call    nt!_SEH_prolog (805352d8)
 8056b2f8 33ff             xor     edi,edi
 8056b2fa 897de4           mov     [ebp-0x1c],edi
 8056b2fd 897de0           mov     [ebp-0x20],edi
 8056b300 897dd8           mov     [ebp-0x28],edi
 8056b303 897ddc           mov     [ebp-0x24],edi
 8056b306 64a124010000     mov     eax,fs:[00000124]
 8056b30c 8945d4           mov     [ebp-0x2c],eax
 8056b30f 8a8040010000     mov     al,[eax+0x140]
 8056b315 8845d0           mov     [ebp-0x30],al
 8056b318 57               push    edi
 8056b319 8d45cc           lea     eax,[ebp-0x34]
 8056b31c 50               push    eax
 8056b31d ff75d0           push    dword ptr [ebp-0x30]

 >------------------------------------------------------------<

 u nt!NtReadFile
 nt!NtReadFile:
 8056b2ec 6a58             push    0x58
 8056b2ee 6858044e80       push    0x804e0458
 8056b2f3 e8e09ffcff       call    nt!_SEH_prolog (805352d8)
 8056b2f8 33ff             xor     edi,edi
 ...

 u nt!ZwReadFile
 nt!ZwReadFile:
 80504d4c b8b7000000       mov     eax,0xb7
 80504d51 8d542404         lea     edx,[esp+0x4]
 80504d55 9c               pushfd
 80504d56 6a08             push    0x8
 80504d58 e89e550300       call    nt!KiSystemService (8053a2fb)
 80504d5d c22400           ret     0x24
	u ntdll!ZwReadFile
	ntdll!NtReadFile:
	77f761e8 b8b7000000 mov eax,0xb7
	77f761ed ba0003fe7f mov edx,0x7ffe0300
	77f761f2 ffd2 call edx
	77f761f4 c22400 ret 0x24

	ln 0x7ffe0300
	(7ffe0300) SharedUserData!SystemCallStub
	Exact matches:
	SharedUserData!SystemCallStub

	u SharedUserData!SystemCallStub
	SharedUserData!SystemCallStub:
	7ffe0300 8bd4 mov edx,esp
	7ffe0302 0f34 sysenter
	7ffe0304 c3 ret

	SYSENTER_EIP_MSR -> MSR 0x176

	rdmsr 176
	msr[176] = 00000000:8053a270

	(XP SP1!)

	ln 8053a270
	(8053a270) nt!KiFastCallEntry \| (8053a2fb) nt!KiSystemService
	Exact matches:
	nt!KiFastCallEntry

	...
	053a2f9 eb5c jmp nt!KiSystemService+0x5c (8053a357)


	0: 0x805912c2 (nt!NtAcceptConnectPort)
	1: 0x805d87b0 (nt!NtAccessCheck)
	2: 0x805dc3e4 (nt!NtAccessCheckAndAuditAlarm)
	...
	b7: 0x8056b2ec (nt!NtReadFile)
	...

	u nt!NtReadFile
	nt!NtReadFile:
	8056b2ec 6a58 push 0x58
	8056b2ee 6858044e80 push 0x804e0458
	8056b2f3 e8e09ffcff call nt!_SEH_prolog (805352d8)
	8056b2f8 33ff xor edi,edi
	8056b2fa 897de4 mov [ebp-0x1c],edi
	8056b2fd 897de0 mov [ebp-0x20],edi
	8056b300 897dd8 mov [ebp-0x28],edi
	8056b303 897ddc mov [ebp-0x24],edi
	8056b306 64a124010000 mov eax,fs:[00000124]
	8056b30c 8945d4 mov [ebp-0x2c],eax
	8056b30f 8a8040010000 mov al,[eax+0x140]
	8056b315 8845d0 mov [ebp-0x30],al
	8056b318 57 push edi
	8056b319 8d45cc lea eax,[ebp-0x34]
	8056b31c 50 push eax
	8056b31d ff75d0 push dword ptr [ebp-0x30]

	>------------------------------------------------------------<

	u nt!NtReadFile
	nt!NtReadFile:
	8056b2ec 6a58 push 0x58
	8056b2ee 6858044e80 push 0x804e0458
	8056b2f3 e8e09ffcff call nt!_SEH_prolog (805352d8)
	8056b2f8 33ff xor edi,edi
	...

	u nt!ZwReadFile
	nt!ZwReadFile:
	80504d4c b8b7000000 mov eax,0xb7
	80504d51 8d542404 lea edx,[esp+0x4]
	80504d55 9c pushfd
	80504d56 6a08 push 0x8
	80504d58 e89e550300 call nt!KiSystemService (8053a2fb)
	80504d5d c22400 ret 0x24