APC (II)
2022-04-22 07:40:00 【Misaka10046】
Analysis of KeInsertQueueApc
/*
 * Prototype of KeInsertQueueApc (SAL-annotated form).
 * Apc: the KAPC to queue. The decompiled body below reads its Thread,
 *      ApcStateIndex, ApcMode, Inserted flag and routine pointers to decide
 *      which per-thread APC list receives it.
 * SystemArgument1/SystemArgument2: opaque values; KeInsertQueueApc stores
 *      them into the KAPC (offsets 0x24/0x28 in the decompiled code).
 * Increment: priority increment handed to KiExitDispatcher.
 * Returns TRUE when the APC was linked into a queue, FALSE when the thread
 * does not accept APCs or the APC is already marked inserted.
 */
BOOLEAN KeInsertQueueApc (
__inout PRKAPC Apc, // APC structure (KAPC)
__in_opt PVOID SystemArgument1,
__in_opt PVOID SystemArgument2,// opaque arguments stored in the KAPC
__in KPRIORITY Increment// priority increment
)
Then load ntkrnlpa.exe into IDA, decompile it, and locate this function.
/*
 * Decompiled KeInsertQueueApc (IDA output for ntkrnlpa.exe, x86; all field
 * accesses are raw byte offsets).
 * Queues an APC on its target thread: raises IRQL to DPC level, acquires the
 * thread's APC queue spin lock, and if the thread accepts APCs and this KAPC
 * is not already inserted, stores the two SystemArguments, marks it inserted
 * and links it via KiInsertQueueApc. Returns 1 when inserted, else 0.
 * apc: KAPC address. Increment: priority increment passed to KiExitDispatcher.
 * Field names given in comments are inferred from the offsets; confirm them
 * against the KAPC/KTHREAD layout of this exact build.
 */
char __stdcall KeInsertQueueApc(int apc, int SystemArgument1, int SystemArgument2, int Increment)
{
int v4; // edi
volatile signed __int32 *v5; // ebx
char bRet; // [esp+13h] [ebp-Dh]
int spinCount; // [esp+14h] [ebp-Ch]
unsigned __int8 NewIrql; // [esp+18h] [ebp-8h]
_KPRCB *kpcr; // [esp+1Ch] [ebp-4h]
v4 = *(_DWORD *)(apc + 8); // KAPC+0x08: target thread (KTHREAD*), as KiInsertQueueApc also assumes
spinCount = 0;
NewIrql = KeRaiseIrqlToDpcLevel();// raise IRQL to DPC_LEVEL; the previous IRQL is kept in NewIrql and restored by KiExitDispatcher
kpcr = KeGetPcr()->Prcb; // note: this is the PRCB, not the PCR, despite the local's name
v5 = (volatile signed __int32 *)(v4 + 96); // KTHREAD+0x60: APC queue spin lock (presumably ApcQueueLock — confirm)
while ( _InterlockedExchange(v5, 1) )// acquire the lock: exchange returns the previous value, so nonzero means it is held
{
do
{
if ( ++spinCount & HvlLongSpinCountMask || !(HvlEnlightenments & 0x40) )// plain pause unless the hypervisor long-spin enlightenment (bit 0x40) is on and the count hits the mask boundary
_mm_pause();
else
HvlNotifyLongSpinWait(spinCount);
}
while ( *v5 ); // read-only spin until the lock looks free, then retry the exchange
}
if ( *(_DWORD *)(v4 + 184) & 0x20 && *(_BYTE *)(apc + 46) != 1 ) // KTHREAD+0xB8 bit 0x20 (presumably ApcQueueable — confirm) and KAPC+0x2E != 1 (presumably KAPC.Inserted; 0x2C/0x2D are ApcStateIndex/ApcMode)
{
*(_DWORD *)(apc + 36) = SystemArgument1; // KAPC+0x24
*(_BYTE *)(apc + 46) = 1; // mark inserted before linking, so a second insert of the same KAPC is refused
*(_DWORD *)(apc + 40) = SystemArgument2; // KAPC+0x28
KiInsertQueueApc((signed __int32)kpcr, apc, NewIrql);// links the KAPC into the thread's list and triggers delivery; its return value is ignored here
bRet = 1;
}
else
{
bRet = 0;
}
_InterlockedAnd(v5, 0);// release the lock
KiExitDispatcher((int)kpcr, 0, 1, Increment, NewIrql); // leaves the dispatcher and lowers IRQL back to NewIrql
return bRet;
}
Then follow KiInsertQueueApc and continue reading.
/*
 * Decompiled KiInsertQueueApc (IDA output, x86, raw offsets).
 * Links the KAPC into the target thread's APC list selected by
 * KAPC.ApcStateIndex (which state) and KAPC.ApcMode (kernel/user list),
 * then, only when the APC targets the thread's *current* APC state, arranges
 * delivery: a pending flag or APC_LEVEL software interrupt for the current
 * thread, an IPI for a thread running on another processor, or
 * KiSignalThread for a waiting thread.
 * KPCR: actually the PRCB (KeInsertQueueApc passes KeGetPcr()->Prcb).
 * KAPC: the APC address. IRQL: the IRQL that was current before the caller
 * raised to DPC level.
 * The return value is the decompiler's reconstruction of the eax low byte;
 * KeInsertQueueApc discards it.
 * Runs with the thread's APC queue lock held by KeInsertQueueApc.
 * Field names in comments are inferred from offsets — confirm against this
 * build's KAPC/KTHREAD/KAPC_STATE layouts before relying on them.
 */
char __fastcall KiInsertQueueApc(signed __int32 KPCR, int KAPC, unsigned __int8 IRQL)
{
int v3; // edi
int v4; // esi
int v5; // ecx
char v6; // bl
int *v7; // ecx
int v8; // edx
int *v9; // eax
int v10; // ecx
_DWORD *v11; // edx
int *v12; // eax
int v13; // ecx
int *v14; // eax
int v15; // edx
int *v16; // ecx
int v17; // eax
int v18; // ecx
volatile signed __int32 *v19; // ebx
volatile signed __int32 *v20; // edi
int v21; // ebx
char v22; // al
unsigned int v23; // eax
int v24; // esi
unsigned int v25; // ecx
int v26; // eax
_KPRCB *v27; // eax
char v29; // [esp+Fh] [ebp-19h]
char v30; // [esp+Fh] [ebp-19h]
int v31; // [esp+10h] [ebp-18h]
signed __int32 v32; // [esp+14h] [ebp-14h]
int v33; // [esp+18h] [ebp-10h]
__int16 v34; // [esp+1Ch] [ebp-Ch]
__int16 v35; // [esp+1Eh] [ebp-Ah]
int v36; // [esp+24h] [ebp-4h]
v3 = KAPC;
v4 = *(_DWORD *)(KAPC + 8); // KAPC+0x08: target thread (KTHREAD*)
v32 = KPCR; // PRCB
if ( *(_BYTE *)(KAPC + 0x2C) == 3 ) // 0x2c KAPC.ApcStateIndex; 3 means "use the thread's current state"
*(_BYTE *)(KAPC + 0x2C) = *(_BYTE *)(v4 + 0x134);// 0x134 Kthread.ApcStateIndex resolves the index now
v5 = *(_DWORD *)(v4 + 4 * *(char *)(KAPC + 0x2C) + 0x168);// 0x168 Kthread.ApcStatePointer[ApcStateIndex] -> KAPC_STATE; the index comes straight from the KAPC object and is used unchecked
v6 = *(_BYTE *)(KAPC + 0x2D); // 0x2D KAPC.ApcMode: 0 kernel, nonzero user; selects the list below
if ( *(_DWORD *)(KAPC + 0x1C) ) // 0x1c KAPC.NormalRoutine present -> a normal APC; absent -> special APC
{
v29 = 1; // remember "has NormalRoutine" for the delivery decision below
if ( v6 && *(void (__stdcall **)(int, int, int, int, int))(KAPC + 0x14) == PsExitSpecialApc )// 0x14 KAPC.KernelRoutine: a user-mode thread-exit APC
{
*(_BYTE *)(v4 + 0x56) = 1; // KTHREAD+0x56 (KAPC_STATE at 0x40 + 0x16): presumably UserApcPending — confirm
v7 = (int *)(v5 + 8 * v6); // _KAPC_STATE.ApcListHead[ApcMode] (LIST_ENTRY is 8 bytes)
v8 = *v7; // current first entry (head->Flink)
v9 = (int *)(v3 + 0xC); // KAPC+0x0C: the APC's own LIST_ENTRY
*v9 = *v7;
v9[1] = (int)v7;
*(_DWORD *)(v8 + 4) = v3 + 0xC; // exit APC is inserted at the head so it is delivered first
*v7 = v3 + 0xC;
}
else
{
v10 = v5 + 8 * v6; // list head for this mode
v11 = *(_DWORD **)(v10 + 4); // current last entry (head->Blink)
v12 = (int *)(v3 + 12);
*v12 = v10;
v12[1] = (int)v11;
*v11 = v3 + 12;
*(_DWORD *)(v10 + 4) = v3 + 12; // ordinary normal APC: appended at the tail
}
}
else
{
v13 = v5 + 8 * v6; // list head for this mode (not "next node")
v14 = *(int **)(v13 + 4); // start from the tail (head->Blink)
v29 = 0;
while ( v14 != (int *)v13 && v14[4] ) // v14[4] = entry+0x10 = KAPC+0x1C (NormalRoutine): walk backwards past normal APCs
v14 = (int *)v14[1];
v15 = *v14; // Flink of the last special APC (or of the head)
v16 = (int *)(v3 + 12);
*v16 = *v14;
v16[1] = (int)v14;
*(_DWORD *)(v15 + 4) = v3 + 12;
*v16 = v3 + 12 == 0 ? 0 : v3 + 12; // placeholder never emitted — see note
*v14 = v3 + 12;
}
v17 = *(unsigned __int8 *)(v4 + 0x134); // 0x134 Kthread.ApcStateIndex
v18 = *(char *)(v3 + 0x2C); // 0x2c KAPC.ApcStateIndex
if ( v18 == v17 ) // only an APC for the thread's current state needs delivery now; otherwise just leave it queued
{
LOBYTE(v17) = v32; // decompiler artifact: the return register is reused as scratch from here on
if ( v4 == *(_DWORD *)(v32 + 4) ) // PRCB+0x04 == target thread: the APC targets the current thread
{
if ( !v6 && (!*(_DWORD *)(v4 + 0x84) || !v29 && !*(_WORD *)(v4 + 0x86)) )// kernel-mode APC and (+0x084 KernelApcDisable and +0x086 SpecialApcDisable both clear, read as one DWORD) or (special APC and SpecialApcDisable clear)
// user-mode APCs to the current thread need no action here; they are delivered on return to user mode
{
*(_BYTE *)(v4 + 0x55) = 1; // KTHREAD+0x55 (KAPC_STATE at 0x40 + 0x15): presumably KernelApcPending — confirm
if ( IRQL < 1u ) // caller was below APC_LEVEL: defer, KiExitDispatcher will deliver
{
*(_DWORD *)(v4 + 60) |= 0x100u; // KTHREAD+60 = 0x3C (not 0x60; 0x60 is the ApcQueueLock used by KeInsertQueueApc): presumably an "APC interrupt requested" flag — confirm
return v17;
}
LABEL_55:
LOBYTE(v18) = 1;
LOBYTE(v17) = HalRequestSoftwareInterrupt(v18);// request an APC_LEVEL (1) software interrupt to run the APC
return v17;
}
}
else if ( v6 ) // user-mode APC for another thread
{
LOBYTE(v17) = *(_BYTE *)(v4 + 0x68); // Kthread.State
if ( (_BYTE)v17 == 5 ) // 5 presumably Waiting; only a waiting thread can be woken for a user APC
{
v30 = 0;
v20 = (volatile signed __int32 *)(v4 + 52); // KTHREAD+0x34: per-thread spin lock (presumably ThreadLock — confirm)
v21 = 0;
while ( _InterlockedExchange(v20, 1) ) // same spin-lock acquire pattern as KeInsertQueueApc
{
do
{
if ( ++v21 & HvlLongSpinCountMask || !(HvlEnlightenments & 0x40) )
_mm_pause();
else
HvlNotifyLongSpinWait(v21);
}
while ( *v20 );
}
if ( *(_BYTE *)(v4 + 104) == 5 // re-check State == 5 under the lock
&& *(_BYTE *)(v4 + 107) == 1 // KTHREAD+0x6B == 1: presumably WaitMode == UserMode — confirm
&& (*(_BYTE *)(v4 + 60) & 0x20 || *(_BYTE *)(v4 + 86)) ) // alertable wait (bit 0x20 at 0x3C, presumably) or UserApcPending (0x56)
{
v22 = KiSignalThread(v32, 192); // wake the thread with status 0xC0 (STATUS_USER_APC value)
*(_BYTE *)(v4 + 56) |= 0x20u; // KTHREAD+0x38 flag bit 0x20 — meaning not fixed by this listing
v30 = v22;
}
LOBYTE(v17) = 0;
_InterlockedAnd(v20, 0); // release the thread lock
if ( v30 )
*(_BYTE *)(v4 + 86) = 1; // thread was signalled: set UserApcPending (0x56)
} // end of the user-mode / waiting-thread case
}
else
{
*(_BYTE *)(v4 + 0x55) = 1; // kernel-mode APC for another thread: KernelApcPending (presumably)
_InterlockedExchange(&v33, v32); // decompiler artifact of a stack store of the PRCB
v17 = *(unsigned __int8 *)(v4 + 0x68); // Kthread.State
if ( v17 == 2 ) // 2 presumably Running: interrupt the processor it runs on
{
v23 = KeGetCurrentProcessorNumberEx(0); // this processor's number
v18 = *(_DWORD *)(v4 + 0x58); // KTHREAD+0x58: processor the thread runs on (presumably NextProcessor — confirm)
if ( v23 == v18 )
goto LABEL_55; // same processor: a local APC_LEVEL software interrupt suffices
v24 = *(_DWORD *)(v4 + 0x58);
v34 = 1; // v34/v35/v36 form a small affinity structure (count, size, bitmap) for KiIpiSend — layout inferred
v35 = 1;
v36 = 0;
v25 = (unsigned int)KiProcessorIndexToNumberMappingTable[v24] >> 6; // bitmap word index
v26 = KiProcessorIndexToNumberMappingTable[v24] & 0x3F; // bit within the word
if ( v25 >= 1 )
v34 = v25 + 1;
*(&v36 + v25) |= KiMask32Array[v26]; // set the target processor's bit
v27 = KeGetPcr()->Prcb;
++v27->IpiSendSoftwareInterruptCount;
LOBYTE(v17) = KiIpiSend(&v34); // IPI the remote processor so it picks up the pending kernel APC
}
else if ( v17 == 5 ) // Waiting: same lock-and-wake pattern as the user-mode branch
{
v31 = 0;
v19 = (volatile signed __int32 *)(v4 + 52); // KTHREAD+0x34 thread lock
while ( _InterlockedExchange(v19, 1) )
{
do
{
if ( ++v31 & HvlLongSpinCountMask || !(HvlEnlightenments & 0x40) )
_mm_pause();
else
HvlNotifyLongSpinWait(v31);
}
while ( *v19 );
}
if ( *(_BYTE *)(v4 + 0x68) == 5 // still waiting
&& !*(_BYTE *)(v4 + 0x6A) // KTHREAD+0x6A == 0: presumably WaitIrql == PASSIVE_LEVEL — confirm
&& !*(_WORD *)(v4 + 0x86) // SpecialApcDisable clear
&& (!*(_DWORD *)(v3 + 0x1C) || !*(_WORD *)(v4 + 0x84) && !*(_BYTE *)(v4 + 0x54)) ) // special APC, or (KernelApcDisable clear and +0x54 KernelApcInProgress (presumably) clear)
{
KiSignalThread(v32, 256); // wake with status 0x100 (STATUS_KERNEL_APC value)
*(_BYTE *)(v4 + 56) |= 0x10u; // KTHREAD+0x38 flag bit 0x10 — meaning not fixed by this listing
}
LOBYTE(v17) = 0;
_InterlockedAnd(v19, 0); // release the thread lock
}
}
}
return v17;
}
版权声明
本文为[Misaka10046]所创,转载请带上原文链接,感谢
https://yzsam.com/2022/04/202204220617111765.html