sysenter内核入口点代码分析

参考:http://www.mouseos.com/windows/kernel/KiFastCallEntry.html

http://www.mouseos.com/windows/kernel/%E4%B8%80%E4%BA%9B%E9%80%86%E5%90%91%E5%87%BA%E6%9D%A5%E7%9A%84%E5%87%BD%E6%95%B0%E5%AE%9E%E7%8E%B0.html

KiFastCallEntry

; WinDbg disassembly of the Windows XP x86 SYSENTER entry point (nt!KiFastCallEntry),
; captured from one specific kernel build.  Every absolute address below (8053xxxx code,
; 0FFDFFxxx KPCR-relative data, 0FFDF0304h, the KeGdiFlushUserBatch / MmUserProbeAddress
; slots) is build- and layout-specific; never hard-code them elsewhere.
; Register roles visible in this listing: edx = user-mode argument pointer (the caller's
; stack) on entry, eax = system service number, esi = current KTHREAD from 8053db0b on
; (clobbered again at 8053dba2), ebp = the trap frame from 8053db21 on.
; Structure-field names given in the comments are the conventional ones for the offsets
; shown; confirm them against this build's symbols (dt nt!_KTHREAD, dt nt!_KTRAP_FRAME).
nt!KiFastCallEntry:
8053dad0 b923000000      mov     ecx,23h                          ; ecx = 0x23, loaded into ds/es below
8053dad5 6a30            push    30h
8053dad7 0fa1            pop     fs                               ; fs = 0x30 (the per-processor KPCR segment by the usual layout)
8053dad9 8ed9            mov     ds,cx
8053dadb 8ec1            mov     es,cx                            ; ds = es = 0x23: kernel no longer trusts the selectors user mode left behind
8053dadd 8b0d40f0dfff    mov     ecx,dword ptr ds:[0FFDFF040h]    ; ecx = [KPCR+0x40] (presumably KPCR.TSS)
8053dae3 8b6104          mov     esp,dword ptr [ecx+4]            ; esp = [ecx+4] (TSS.Esp0 by the usual layout): switch to the thread's kernel stack
                                                                  ; --- build a KTRAP_FRAME by hand, top down ---
8053dae6 6a23            push    23h                              ; HardwareSegSs = user SS (0x23)
8053dae8 52              push    edx                              ; HardwareEsp = user esp (edx as handed over by SYSENTER)
8053dae9 9c              pushfd                                   ; EFlags as they were at entry
8053daea 6a02            push    2
8053daec 83c208          add     edx,8                            ; edx now points 8 bytes above the user esp, i.e. at the service arguments (presumably skipping the user stub's saved ebp / return address)
8053daef 9d              popfd                                    ; EFLAGS = 2: IF (bit 9) and every other flag cleared until the sti below
8053daf0 804c240102      or      byte ptr [esp+1],2               ; set bit 9 (IF) in the *saved* EFlags so the eventual return to user mode runs with interrupts on
8053daf5 6a1b            push    1Bh                              ; SegCs = user code selector (0x1B)
8053daf7 ff350403dfff    push    dword ptr ds:[0FFDF0304h]        ; Eip = value read from 0FFDF0304h (presumably the kernel alias of KUSER_SHARED_DATA.SystemCallReturn)
8053dafd 6a00            push    0                                ; ErrCode = 0
8053daff 55              push    ebp
8053db00 53              push    ebx
8053db01 56              push    esi
8053db02 57              push    edi                              ; user ebp/ebx/esi/edi -> frame
8053db03 8b1d1cf0dfff    mov     ebx,dword ptr ds:[0FFDFF01Ch]    ; ebx = [KPCR+0x1C] (SelfPcr): the KPCR itself
8053db09 6a3b            push    3Bh                              ; SegFs = user fs selector (0x3B)
8053db0b 8bb324010000    mov     esi,dword ptr [ebx+124h]         ; esi = [KPCR+0x124] (PrcbData.CurrentThread): the current KTHREAD
8053db11 ff33            push    dword ptr [ebx]                  ; save the SEH chain head ([KPCR+0]) in the frame ...
8053db13 c703ffffffff    mov     dword ptr [ebx],0FFFFFFFFh       ; ... and start an empty chain (-1 = end of list) for the kernel side
8053db19 8b6e18          mov     ebp,dword ptr [esi+18h]          ; ebp = [KTHREAD+0x18] (InitialStack)
8053db1c 6a01            push    1                                ; PreviousPreviousMode = 1 (user mode)
8053db1e 83ec48          sub     esp,48h                          ; reserve the remaining 0x48 bytes of the frame (not zeroed)
8053db21 81ed9c020000    sub     ebp,29Ch                         ; ebp = InitialStack - 0x29C = where the frame base must be (0x29C = 0x8C trap frame + 0x210 FP save area by the usual layout)
8053db27 c6864001000001  mov     byte ptr [esi+140h],1            ; [KTHREAD+0x140] (PreviousMode) = 1 (user): the called service must treat every pointer argument as untrusted
8053db2e 3bec            cmp     ebp,esp
8053db30 759a            jne     nt!KiFastCallEntry2+0x47 (8053dacc) ; consistency check: the frame just built must end exactly at the computed base, otherwise bail out (target not shown)
8053db32 83652c00        and     dword ptr [ebp+2Ch],0            ; frame+0x2C (Dr7) = 0
8053db36 f6462cff        test    byte ptr [esi+2Ch],0FFh          ; [KTHREAD+0x2C] (DebugActive) set?
8053db3a 89ae34010000    mov     dword ptr [esi+134h],ebp         ; [KTHREAD+0x134] (TrapFrame) = this frame
8053db40 0f854afeffff    jne     nt!Dr_FastCallDrSave (8053d990)  ; debug registers in use -> save them first (that code and how it returns here are not shown)
8053db46 8b5d60          mov     ebx,dword ptr [ebp+60h]          ; ebx = frame+0x60 (the user ebp pushed at 8053daff)
8053db49 8b7d68          mov     edi,dword ptr [ebp+68h]          ; edi = frame+0x68 (the Eip pushed at 8053daf7)
8053db4c 89550c          mov     dword ptr [ebp+0Ch],edx          ; frame+0x0C (DbgArgPointer) = user argument pointer
8053db4f c74508000ddbba  mov     dword ptr [ebp+8],0BADB0D00h     ; frame+0x08 (DbgArgMark) = 0xBADB0D00, the marker by which a debugger recognises a system-call frame
8053db56 895d00          mov     dword ptr [ebp],ebx              ; frame+0x00 (DbgEbp)
8053db59 897d04          mov     dword ptr [ebp+4],edi            ; frame+0x04 (DbgEip)
8053db5c fb              sti                                      ; frame complete: interrupts back on
                                                                  ; --- locate the service routine ---
8053db5d 8bf8            mov     edi,eax
8053db5f c1ef08          shr     edi,8
8053db62 83e730          and     edi,30h                          ; edi = (service number >> 8) & 0x30: table selector (0x00/0x10/0x20/0x30; the code only special-cases 0x10)
8053db65 8bcf            mov     ecx,edi                          ; ecx = that selector, compared with 0x10 below
8053db67 03bee0000000    add     edi,dword ptr [esi+0E0h]         ; edi = [KTHREAD+0xE0] (ServiceTable) + selector: the service-table descriptor to use (0x10 = shadow/win32k table by the usual layout)
8053db6d 8bd8            mov     ebx,eax                          ; ebx = full service number (scratch; overwritten below)
8053db6f 25ff0f0000      and     eax,0FFFh                        ; eax = index within the table (low 12 bits)
8053db74 3b4708          cmp     eax,dword ptr [edi+8]            ; bounds check: index < descriptor+0x08 (Limit) ...
8053db77 0f8345fdffff    jae     nt!KiBBTUnexpectedRange (8053d8c2) ; ... unsigned compare, so no wrap-around; out of range -> error path (not shown)
8053db7d 83f910          cmp     ecx,10h
8053db80 751a            jne     nt!KiFastCallEntry+0xcc (8053db9c) ; only the 0x10 table gets the GDI batch flush below
8053db82 8b0d18f0dfff    mov     ecx,dword ptr ds:[0FFDFF018h]    ; ecx = [KPCR+0x18] (presumably NtTib.Self, i.e. the current TEB)
8053db88 33db            xor     ebx,ebx
8053db8a 0b99700f0000    or      ebx,dword ptr [ecx+0F70h]        ; ebx = [TEB+0xF70] (GdiBatchCount by the usual layout); sets ZF
8053db90 740a            je      nt!KiFastCallEntry+0xcc (8053db9c) ; nothing batched -> skip the flush
8053db92 52              push    edx
8053db93 50              push    eax                              ; eax (index) and edx (arg pointer) are still needed after the call
8053db94 ff15c4355580    call    dword ptr [nt!KeGdiFlushUserBatch (805535c4)] ; indirect call through a pointer variable (presumably filled in by win32k)
8053db9a 58              pop     eax
8053db9b 5a              pop     edx
8053db9c ff0538f6dfff    inc     dword ptr ds:[0FFDFF638h]        ; [KPCR+0x638] (Prcb.KeSystemCalls by the usual layout) += 1
                                                                  ; --- copy the arguments from the user stack and dispatch ---
8053dba2 8bf2            mov     esi,edx                          ; esi = user argument pointer (copy source); esi no longer holds the KTHREAD
8053dba4 8b5f0c          mov     ebx,dword ptr [edi+0Ch]          ; ebx = descriptor+0x0C (Number): per-service argument-byte table
8053dba7 33c9            xor     ecx,ecx
8053dba9 8a0c18          mov     cl,byte ptr [eax+ebx]            ; ecx = argument bytes for this service (a single byte, so at most 255)
8053dbac 8b3f            mov     edi,dword ptr [edi]              ; edi = descriptor+0x00 (Base): the service routine array (the SSDT proper)
8053dbae 8b1c87          mov     ebx,dword ptr [edi+eax*4]        ; ebx = Base[index] = service routine address; this slot is what an SSDT hook replaces
8053dbb1 2be1            sub     esp,ecx                          ; room for the argument copy on the kernel stack
8053dbb3 c1e902          shr     ecx,2                            ; ecx = dword count
8053dbb6 8bfc            mov     edi,esp                          ; edi = copy destination
8053dbb8 3b35b48f5580    cmp     esi,dword ptr [nt!MmUserProbeAddress (80558fb4)]
8053dbbe 0f83a8010000    jae     nt!KiSystemCallExit2+0x9f (8053dd6c) ; reject unless the argument block *starts* below MmUserProbeAddress; only the start is checked (the end is at most 255 bytes further; the design presumably relies on the region just above MmUserProbeAddress being inaccessible) -> rejection path (not shown)
8053dbc4 f3a5            rep movs dword ptr es:[edi],dword ptr [esi] ; copy the arguments user stack -> kernel stack; a fault on unmapped user memory here is left to the kernel's exception handling (not visible in this listing)
8053dbc6 ffd3            call    ebx                              ; invoke the service: copied arguments at [esp+4], return address 8053dbc8 on the stack
8053dbc8 8be5            mov     esp,ebp                          ; discard the argument copy (esp = frame base)
8053dbca 8b0d24f1dfff    mov     ecx,dword ptr ds:[0FFDFF124h]    ; ecx = current KTHREAD again (same field as [ebx+124h] above if SelfPcr == 0FFDFF000h)
8053dbd0 8b553c          mov     edx,dword ptr [ebp+3Ch]          ; edx = frame+0x3C (the Edx slot). NOTE(review): nothing in this listing writes that slot on the SYSENTER path; confirm where it is filled before relying on it as the "previous trap frame"
8053dbd3 899134010000    mov     dword ptr [ecx+134h],edx         ; [KTHREAD+0x134] (TrapFrame) = that value; the listing ends here, the return to user mode follows
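# Emit the raw bytes of the KiFastCallEntry listing above (saved as kifastcallentry.dump)
# as one C string literal per 16 bytes, e.g. "\xb9\x23...".
# The sed replacement must be written \\x& : GNU sed interprets an unescaped \x as a
# hex-character escape and, with no hex digit following it, emits a bare "x" — which is
# why a plain \x& yields "xb9x23..." instead of "\xb9\x23...".
# -v keeps hexdump from collapsing repeated identical lines into "*", which would silently
# drop bytes; cut -b 10-60 keeps only the two 8-byte hex groups of each hexdump -C line.
daniel@daniel-mint ~/bap/bap-0.7/libasmir/apps $ hexdump -v -C kifastcallentry.dump | cut -b 10-60 | sed -re 's/[0-9a-f]{2}/\\x&/g; s/ //g; s/^/"/; s/$/"/'
"\xb9\x23\x00\x00\x00\x6a\x30\x0f\xa1\x8e\xd9\x8e\xc1\x8b\x0d\x40"
"\xf0\xdf\xff\x8b\x61\x04\x6a\x23\x52\x9c\x6a\x02\x83\xc2\x08\x9d"
"\x80\x4c\x24\x01\x02\x6a\x1b\xff\x35\x04\x03\xdf\xff\x6a\x00\x55"
"\x53\x56\x57\x8b\x1d\x1c\xf0\xdf\xff\x6a\x3b\x8b\xb3\x24\x01\x00"
"\x00\xff\x33\xc7\x03\xff\xff\xff\xff\x8b\x6e\x18\x6a\x01\x83\xec"
"\x48\x81\xed\x9c\x02\x00\x00\xc6\x86\x40\x01\x00\x00\x01\x3b\xec"
"\x75\x9a\x83\x65\x2c\x00\xf6\x46\x2c\xff\x89\xae\x34\x01\x00\x00"
"\x0f\x85\x4a\xfe\xff\xff\x8b\x5d\x60\x8b\x7d\x68\x89\x55\x0c\xc7"
"\x45\x08\x00\x0d\xdb\xba\x89\x5d\x00\x89\x7d\x04\xfb\x8b\xf8\xc1"
"\xef\x08\x83\xe7\x30\x8b\xcf\x03\xbe\xe0\x00\x00\x00\x8b\xd8\x25"
"\xff\x0f\x00\x00\x3b\x47\x08\x0f\x83\x45\xfd\xff\xff\x83\xf9\x10"
"\x75\x1a\x8b\x0d\x18\xf0\xdf\xff\x33\xdb\x0b\x99\x70\x0f\x00\x00"
"\x74\x0a\x52\x50\xff\x15\xc4\x35\x55\x80\x58\x5a\xff\x05\x38\xf6"
"\xdf\xff\x8b\xf2\x8b\x5f\x0c\x33\xc9\x8a\x0c\x18\x8b\x3f\x8b\x1c"
"\x87\x2b\xe1\xc1\xe9\x02\x8b\xfc\x3b\x35\xb4\x8f\x55\x80\x0f\x83"
"\xa8\x01\x00\x00\xf3\xa5\xff\xd3\x8b\xe5\x8b\x0d\x24\xf1\xdf\xff"
"\x8b\x55\x3c\x89\x91\x34\x01\x00\x00"
""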

  

call ebx 会最终跳转到真正的 System Service 服务例程处执行；由于 call 指令会把下一条指令的地址压栈，所以凡是经由这条 sysenter 路径被调用的服务例程（包括 hook 后替换进 SSDT 的例程），进入时 [esp] 处的返回地址都是 8053dbc8（即 KiFastCallEntry+0xF8）。注意：这个绝对地址只对本文所用的这一内核版本成立，其他版本应按 KiFastCallEntry 的偏移重新计算；通过 int 2Eh 等其他入口进入的系统调用是否也从这里返回，需要另行确认。

  

原文地址:https://www.cnblogs.com/long123king/p/3884998.html